12 Burrows, Abadi and Needham (1989). A Logic of Authentication. |
12 Burrows, Abadi and Needham (1989). A Logic of Authentication. |
13 Proc. Royal Soc. 426 |
13 Proc. Royal Soc. 426 |
14 |
14 |
15 This is the original version, which encrypts Nonce NB.*} |
15 This is the original version, which encrypts Nonce NB.*} |
16 |
16 |
17 consts otway :: "event list set" |
17 inductive_set otway :: "event list set" |
18 inductive "otway" |
18 where |
19 intros |
|
20 (*Initial trace is empty*) |
19 (*Initial trace is empty*) |
21 Nil: "[] \<in> otway" |
20 Nil: "[] \<in> otway" |
22 |
21 |
23 (*The spy MAY say anything he CAN say. We do not expect him to |
22 (*The spy MAY say anything he CAN say. We do not expect him to |
24 invent new nonces here, but he can also use NS1. Common to |
23 invent new nonces here, but he can also use NS1. Common to |
25 all similar protocols.*) |
24 all similar protocols.*) |
26 Fake: "[| evsf \<in> otway; X \<in> synth (analz (knows Spy evsf)) |] |
25 | Fake: "[| evsf \<in> otway; X \<in> synth (analz (knows Spy evsf)) |] |
27 ==> Says Spy B X # evsf \<in> otway" |
26 ==> Says Spy B X # evsf \<in> otway" |
28 |
27 |
29 (*A message that has been sent can be received by the |
28 (*A message that has been sent can be received by the |
30 intended recipient.*) |
29 intended recipient.*) |
31 Reception: "[| evsr \<in> otway; Says A B X \<in>set evsr |] |
30 | Reception: "[| evsr \<in> otway; Says A B X \<in>set evsr |] |
32 ==> Gets B X # evsr \<in> otway" |
31 ==> Gets B X # evsr \<in> otway" |
33 |
32 |
34 (*Alice initiates a protocol run*) |
33 (*Alice initiates a protocol run*) |
35 OR1: "[| evs1 \<in> otway; Nonce NA \<notin> used evs1 |] |
34 | OR1: "[| evs1 \<in> otway; Nonce NA \<notin> used evs1 |] |
36 ==> Says A B {|Nonce NA, Agent A, Agent B, |
35 ==> Says A B {|Nonce NA, Agent A, Agent B, |
37 Crypt (shrK A) {|Nonce NA, Agent A, Agent B|} |} |
36 Crypt (shrK A) {|Nonce NA, Agent A, Agent B|} |} |
38 # evs1 : otway" |
37 # evs1 : otway" |
39 |
38 |
40 (*Bob's response to Alice's message. Note that NB is encrypted.*) |
39 (*Bob's response to Alice's message. Note that NB is encrypted.*) |
41 OR2: "[| evs2 \<in> otway; Nonce NB \<notin> used evs2; |
40 | OR2: "[| evs2 \<in> otway; Nonce NB \<notin> used evs2; |
42 Gets B {|Nonce NA, Agent A, Agent B, X|} : set evs2 |] |
41 Gets B {|Nonce NA, Agent A, Agent B, X|} : set evs2 |] |
43 ==> Says B Server |
42 ==> Says B Server |
44 {|Nonce NA, Agent A, Agent B, X, |
43 {|Nonce NA, Agent A, Agent B, X, |
45 Crypt (shrK B) |
44 Crypt (shrK B) |
46 {|Nonce NA, Nonce NB, Agent A, Agent B|}|} |
45 {|Nonce NA, Nonce NB, Agent A, Agent B|}|} |
47 # evs2 : otway" |
46 # evs2 : otway" |
48 |
47 |
49 (*The Server receives Bob's message and checks that the three NAs |
48 (*The Server receives Bob's message and checks that the three NAs |
50 match. Then he sends a new session key to Bob with a packet for |
49 match. Then he sends a new session key to Bob with a packet for |
51 forwarding to Alice.*) |
50 forwarding to Alice.*) |
52 OR3: "[| evs3 \<in> otway; Key KAB \<notin> used evs3; |
51 | OR3: "[| evs3 \<in> otway; Key KAB \<notin> used evs3; |
53 Gets Server |
52 Gets Server |
54 {|Nonce NA, Agent A, Agent B, |
53 {|Nonce NA, Agent A, Agent B, |
55 Crypt (shrK A) {|Nonce NA, Agent A, Agent B|}, |
54 Crypt (shrK A) {|Nonce NA, Agent A, Agent B|}, |
56 Crypt (shrK B) {|Nonce NA, Nonce NB, Agent A, Agent B|}|} |
55 Crypt (shrK B) {|Nonce NA, Nonce NB, Agent A, Agent B|}|} |
57 : set evs3 |] |
56 : set evs3 |] |
62 # evs3 : otway" |
61 # evs3 : otway" |
63 |
62 |
64 (*Bob receives the Server's (?) message and compares the Nonces with |
63 (*Bob receives the Server's (?) message and compares the Nonces with |
65 those in the message he previously sent the Server. |
64 those in the message he previously sent the Server. |
66 Need B \<noteq> Server because we allow messages to self.*) |
65 Need B \<noteq> Server because we allow messages to self.*) |
67 OR4: "[| evs4 \<in> otway; B \<noteq> Server; |
66 | OR4: "[| evs4 \<in> otway; B \<noteq> Server; |
68 Says B Server {|Nonce NA, Agent A, Agent B, X', |
67 Says B Server {|Nonce NA, Agent A, Agent B, X', |
69 Crypt (shrK B) |
68 Crypt (shrK B) |
70 {|Nonce NA, Nonce NB, Agent A, Agent B|}|} |
69 {|Nonce NA, Nonce NB, Agent A, Agent B|}|} |
71 : set evs4; |
70 : set evs4; |
72 Gets B {|Nonce NA, X, Crypt (shrK B) {|Nonce NB, Key K|}|} |
71 Gets B {|Nonce NA, X, Crypt (shrK B) {|Nonce NB, Key K|}|} |
73 : set evs4 |] |
72 : set evs4 |] |
74 ==> Says B A {|Nonce NA, X|} # evs4 : otway" |
73 ==> Says B A {|Nonce NA, X|} # evs4 : otway" |
75 |
74 |
76 (*This message models possible leaks of session keys. The nonces |
75 (*This message models possible leaks of session keys. The nonces |
77 identify the protocol run.*) |
76 identify the protocol run.*) |
78 Oops: "[| evso \<in> otway; |
77 | Oops: "[| evso \<in> otway; |
79 Says Server B {|Nonce NA, X, Crypt (shrK B) {|Nonce NB, Key K|}|} |
78 Says Server B {|Nonce NA, X, Crypt (shrK B) {|Nonce NB, Key K|}|} |
80 : set evso |] |
79 : set evso |] |
81 ==> Notes Spy {|Nonce NA, Nonce NB, Key K|} # evso : otway" |
80 ==> Notes Spy {|Nonce NA, Nonce NB, Key K|} # evso : otway" |
82 |
81 |
83 |
82 |