22 Nil "[]: yahalom" |
22 Nil "[]: yahalom" |
23 |
23 |
24 (*The spy MAY say anything he CAN say. We do not expect him to |
24 (*The spy MAY say anything he CAN say. We do not expect him to |
25 invent new nonces here, but he can also use NS1. Common to |
25 invent new nonces here, but he can also use NS1. Common to |
26 all similar protocols.*) |
26 all similar protocols.*) |
27 Fake "[| evs: yahalom; X: synth (analz (spies evs)) |] |
27 Fake "[| evs: yahalom; X: synth (analz (knows Spy evs)) |] |
28 ==> Says Spy B X # evs : yahalom" |
28 ==> Says Spy B X # evs : yahalom" |
|
29 |
|
30 (*A message that has been sent can be received by the |
|
31 intended recipient.*) |
|
32 Reception "[| evsr: yahalom; Says A B X : set evsr |] |
|
33 ==> Gets B X # evsr : yahalom" |
29 |
34 |
30 (*Alice initiates a protocol run*) |
35 (*Alice initiates a protocol run*) |
31 YM1 "[| evs1: yahalom; Nonce NA ~: used evs1 |] |
36 YM1 "[| evs1: yahalom; Nonce NA ~: used evs1 |] |
32 ==> Says A B {|Agent A, Nonce NA|} # evs1 : yahalom" |
37 ==> Says A B {|Agent A, Nonce NA|} # evs1 : yahalom" |
33 |
38 |
34 (*Bob's response to Alice's message. Bob doesn't know who |
39 (*Bob's response to Alice's message.*) |
35 the sender is, hence the A' in the sender field.*) |
|
36 YM2 "[| evs2: yahalom; Nonce NB ~: used evs2; |
40 YM2 "[| evs2: yahalom; Nonce NB ~: used evs2; |
37 Says A' B {|Agent A, Nonce NA|} : set evs2 |] |
41 Gets B {|Agent A, Nonce NA|} : set evs2 |] |
38 ==> Says B Server |
42 ==> Says B Server |
39 {|Agent B, Nonce NB, Crypt (shrK B) {|Agent A, Nonce NA|}|} |
43 {|Agent B, Nonce NB, Crypt (shrK B) {|Agent A, Nonce NA|}|} |
40 # evs2 : yahalom" |
44 # evs2 : yahalom" |
41 |
45 |
42 (*The Server receives Bob's message. He responds by sending a |
46 (*The Server receives Bob's message. He responds by sending a |
43 new session key to Alice, with a certificate for forwarding to Bob. |
47 new session key to Alice, with a certificate for forwarding to Bob. |
44 Both agents are quoted in the 2nd certificate to prevent attacks!*) |
48 Both agents are quoted in the 2nd certificate to prevent attacks!*) |
45 YM3 "[| evs3: yahalom; Key KAB ~: used evs3; |
49 YM3 "[| evs3: yahalom; Key KAB ~: used evs3; |
46 Says B' Server {|Agent B, Nonce NB, |
50 Gets Server {|Agent B, Nonce NB, |
47 Crypt (shrK B) {|Agent A, Nonce NA|}|} |
51 Crypt (shrK B) {|Agent A, Nonce NA|}|} |
48 : set evs3 |] |
52 : set evs3 |] |
49 ==> Says Server A |
53 ==> Says Server A |
50 {|Nonce NB, |
54 {|Nonce NB, |
51 Crypt (shrK A) {|Agent B, Key KAB, Nonce NA|}, |
55 Crypt (shrK A) {|Agent B, Key KAB, Nonce NA|}, |
52 Crypt (shrK B) {|Agent A, Agent B, Key KAB, Nonce NB|}|} |
56 Crypt (shrK B) {|Agent A, Agent B, Key KAB, Nonce NB|}|} |
53 # evs3 : yahalom" |
57 # evs3 : yahalom" |
54 |
58 |
55 (*Alice receives the Server's (?) message, checks her Nonce, and |
59 (*Alice receives the Server's (?) message, checks her Nonce, and |
56 uses the new session key to send Bob his Nonce.*) |
60 uses the new session key to send Bob his Nonce.*) |
57 YM4 "[| evs4: yahalom; |
61 YM4 "[| evs4: yahalom; |
58 Says S A {|Nonce NB, Crypt (shrK A) {|Agent B, Key K, Nonce NA|}, |
62 Gets A {|Nonce NB, Crypt (shrK A) {|Agent B, Key K, Nonce NA|}, |
59 X|} : set evs4; |
63 X|} : set evs4; |
60 Says A B {|Agent A, Nonce NA|} : set evs4 |] |
64 Says A B {|Agent A, Nonce NA|} : set evs4 |] |
61 ==> Says A B {|X, Crypt K (Nonce NB)|} # evs4 : yahalom" |
65 ==> Says A B {|X, Crypt K (Nonce NB)|} # evs4 : yahalom" |
62 |
66 |
63 (*This message models possible leaks of session keys. The nonces |
67 (*This message models possible leaks of session keys. The nonces |
64 identify the protocol run. Quoting Server here ensures they are |
68 identify the protocol run. Quoting Server here ensures they are |