80 intrs |
80 intrs |
81 Nil (*Initial trace is empty*) |
81 Nil (*Initial trace is empty*) |
82 "[]: tls" |
82 "[]: tls" |
83 |
83 |
84 Fake (*The spy, an active attacker, MAY say anything he CAN say.*) |
84 Fake (*The spy, an active attacker, MAY say anything he CAN say.*) |
85 "[| evs: tls; B ~= Spy; |
85 "[| evs: tls; X: synth (analz (spies evs)) |] |
86 X: synth (analz (spies evs)) |] |
|
87 ==> Says Spy B X # evs : tls" |
86 ==> Says Spy B X # evs : tls" |
88 |
87 |
89 SpyKeys (*The spy may apply PRF & sessionK to available nonces*) |
88 SpyKeys (*The spy may apply PRF & sessionK to available nonces*) |
90 "[| evsSK: tls; |
89 "[| evsSK: tls; |
91 {Nonce NA, Nonce NB, Nonce M} <= analz (spies evsSK) |] |
90 {Nonce NA, Nonce NB, Nonce M} <= analz (spies evsSK) |] |
98 It is uninterpreted but will be confirmed in the FINISHED messages. |
97 It is uninterpreted but will be confirmed in the FINISHED messages. |
99 NA is CLIENT RANDOM, while SID is SESSION_ID. |
98 NA is CLIENT RANDOM, while SID is SESSION_ID. |
100 UNIX TIME is omitted because the protocol doesn't use it. |
99 UNIX TIME is omitted because the protocol doesn't use it. |
101 May assume NA ~: range PRF because CLIENT RANDOM is 28 bytes |
100 May assume NA ~: range PRF because CLIENT RANDOM is 28 bytes |
102 while MASTER SECRET is 48 bytes*) |
101 while MASTER SECRET is 48 bytes*) |
103 "[| evsCH: tls; A ~= B; Nonce NA ~: used evsCH; NA ~: range PRF |] |
102 "[| evsCH: tls; Nonce NA ~: used evsCH; NA ~: range PRF |] |
104 ==> Says A B {|Agent A, Nonce NA, Number SID, Number PA|} |
103 ==> Says A B {|Agent A, Nonce NA, Number SID, Number PA|} |
105 # evsCH : tls" |
104 # evsCH : tls" |
106 |
105 |
107 ServerHello |
106 ServerHello |
108 (*7.4.1.3 of the TLS Internet-Draft |
107 (*7.4.1.3 of the TLS Internet-Draft |
109 PB represents CLIENT_VERSION, CIPHER_SUITE and COMPRESSION_METHOD. |
108 PB represents CLIENT_VERSION, CIPHER_SUITE and COMPRESSION_METHOD. |
110 SERVER CERTIFICATE (7.4.2) is always present. |
109 SERVER CERTIFICATE (7.4.2) is always present. |
111 CERTIFICATE_REQUEST (7.4.4) is implied.*) |
110 CERTIFICATE_REQUEST (7.4.4) is implied.*) |
112 "[| evsSH: tls; A ~= B; Nonce NB ~: used evsSH; NB ~: range PRF; |
111 "[| evsSH: tls; Nonce NB ~: used evsSH; NB ~: range PRF; |
113 Says A' B {|Agent A, Nonce NA, Number SID, Number PA|} |
112 Says A' B {|Agent A, Nonce NA, Number SID, Number PA|} |
114 : set evsSH |] |
113 : set evsSH |] |
115 ==> Says B A {|Nonce NB, Number SID, Number PB|} # evsSH : tls" |
114 ==> Says B A {|Nonce NB, Number SID, Number PB|} # evsSH : tls" |
116 |
115 |
117 Certificate |
116 Certificate |
118 (*SERVER (7.4.2) or CLIENT (7.4.6) CERTIFICATE.*) |
117 (*SERVER (7.4.2) or CLIENT (7.4.6) CERTIFICATE.*) |
119 "[| evsC: tls; A ~= B |] |
118 "[| evsC: tls |] |
120 ==> Says B A (certificate B (pubK B)) # evsC : tls" |
119 ==> Says B A (certificate B (pubK B)) # evsC : tls" |
121 |
120 |
122 ClientKeyExch |
121 ClientKeyExch |
123 (*CLIENT KEY EXCHANGE (7.4.7). |
122 (*CLIENT KEY EXCHANGE (7.4.7). |
124 The client, A, chooses PMS, the PREMASTER SECRET. |
123 The client, A, chooses PMS, the PREMASTER SECRET. |
126 We assume PMS ~: range PRF because a clash betweem the PMS |
125 We assume PMS ~: range PRF because a clash betweem the PMS |
127 and another MASTER SECRET is highly unlikely (even though |
126 and another MASTER SECRET is highly unlikely (even though |
128 both items have the same length, 48 bytes). |
127 both items have the same length, 48 bytes). |
129 The Note event records in the trace that she knows PMS |
128 The Note event records in the trace that she knows PMS |
130 (see REMARK at top). *) |
129 (see REMARK at top). *) |
131 "[| evsCX: tls; A ~= B; Nonce PMS ~: used evsCX; PMS ~: range PRF; |
130 "[| evsCX: tls; Nonce PMS ~: used evsCX; PMS ~: range PRF; |
132 Says B' A (certificate B KB) : set evsCX |] |
131 Says B' A (certificate B KB) : set evsCX |] |
133 ==> Says A B (Crypt KB (Nonce PMS)) |
132 ==> Says A B (Crypt KB (Nonce PMS)) |
134 # Notes A {|Agent B, Nonce PMS|} |
133 # Notes A {|Agent B, Nonce PMS|} |
135 # evsCX : tls" |
134 # evsCX : tls" |
136 |
135 |
138 (*The optional Certificate Verify (7.4.8) message contains the |
137 (*The optional Certificate Verify (7.4.8) message contains the |
139 specific components listed in the security analysis, F.1.1.2. |
138 specific components listed in the security analysis, F.1.1.2. |
140 It adds the pre-master-secret, which is also essential! |
139 It adds the pre-master-secret, which is also essential! |
141 Checking the signature, which is the only use of A's certificate, |
140 Checking the signature, which is the only use of A's certificate, |
142 assures B of A's presence*) |
141 assures B of A's presence*) |
143 "[| evsCV: tls; A ~= B; |
142 "[| evsCV: tls; |
144 Says B' A {|Nonce NB, Number SID, Number PB|} : set evsCV; |
143 Says B' A {|Nonce NB, Number SID, Number PB|} : set evsCV; |
145 Notes A {|Agent B, Nonce PMS|} : set evsCV |] |
144 Notes A {|Agent B, Nonce PMS|} : set evsCV |] |
146 ==> Says A B (Crypt (priK A) (Hash{|Nonce NB, Agent B, Nonce PMS|})) |
145 ==> Says A B (Crypt (priK A) (Hash{|Nonce NB, Agent B, Nonce PMS|})) |
147 # evsCV : tls" |
146 # evsCV : tls" |
148 |
147 |
204 (*Having transmitted ServerFinished and received an identical |
203 (*Having transmitted ServerFinished and received an identical |
205 message encrypted with clientK, the server stores the parameters |
204 message encrypted with clientK, the server stores the parameters |
206 needed to resume this session. The "Says A'' B ..." premise is |
205 needed to resume this session. The "Says A'' B ..." premise is |
207 used to prove Notes_master_imp_Crypt_PMS.*) |
206 used to prove Notes_master_imp_Crypt_PMS.*) |
208 "[| evsSA: tls; |
207 "[| evsSA: tls; |
|
208 A ~= B; |
209 Says A'' B (Crypt (pubK B) (Nonce PMS)) : set evsSA; |
209 Says A'' B (Crypt (pubK B) (Nonce PMS)) : set evsSA; |
210 M = PRF(PMS,NA,NB); |
210 M = PRF(PMS,NA,NB); |
211 X = Hash{|Number SID, Nonce M, |
211 X = Hash{|Number SID, Nonce M, |
212 Nonce NA, Number PA, Agent A, |
212 Nonce NA, Number PA, Agent A, |
213 Nonce NB, Number PB, Agent B|}; |
213 Nonce NB, Number PB, Agent B|}; |
243 : tls" |
243 : tls" |
244 |
244 |
245 Oops |
245 Oops |
246 (*The most plausible compromise is of an old session key. Losing |
246 (*The most plausible compromise is of an old session key. Losing |
247 the MASTER SECRET or PREMASTER SECRET is more serious but |
247 the MASTER SECRET or PREMASTER SECRET is more serious but |
248 rather unlikely.*) |
248 rather unlikely. The assumption A ~= Spy is essential: otherwise |
249 "[| evso: tls; A ~= Spy; |
249 the Spy could learn session keys merely by replaying messages!*) |
|
250 "[| evso: tls; A ~= Spy; |
250 Says A B (Crypt (sessionK((NA,NB,M),b)) X) : set evso |] |
251 Says A B (Crypt (sessionK((NA,NB,M),b)) X) : set evso |] |
251 ==> Says A Spy (Key (sessionK((NA,NB,M),b))) # evso : tls" |
252 ==> Says A Spy (Key (sessionK((NA,NB,M),b))) # evso : tls" |
252 |
253 |
253 end |
254 end |