20 Abadi and Needham (1996). |
20 Abadi and Needham (1996). |
21 Prudent Engineering Practice for Cryptographic Protocols. |
21 Prudent Engineering Practice for Cryptographic Protocols. |
22 IEEE Trans. SE 22 (1) |
22 IEEE Trans. SE 22 (1) |
23 *} |
23 *} |
24 |
24 |
25 consts otway :: "event list set" |
25 inductive_set otway :: "event list set" |
26 inductive "otway" |
26 where |
27 intros |
|
28 Nil: --{*The empty trace*} |
27 Nil: --{*The empty trace*} |
29 "[] \<in> otway" |
28 "[] \<in> otway" |
30 |
29 |
31 Fake: --{*The Spy may say anything he can say. The sender field is correct, |
30 | Fake: --{*The Spy may say anything he can say. The sender field is correct, |
32 but agents don't use that information.*} |
31 but agents don't use that information.*} |
33 "[| evsf \<in> otway; X \<in> synth (analz (knows Spy evsf)) |] |
32 "[| evsf \<in> otway; X \<in> synth (analz (knows Spy evsf)) |] |
34 ==> Says Spy B X # evsf \<in> otway" |
33 ==> Says Spy B X # evsf \<in> otway" |
35 |
34 |
36 |
35 |
37 Reception: --{*A message that has been sent can be received by the |
36 | Reception: --{*A message that has been sent can be received by the |
38 intended recipient.*} |
37 intended recipient.*} |
39 "[| evsr \<in> otway; Says A B X \<in>set evsr |] |
38 "[| evsr \<in> otway; Says A B X \<in>set evsr |] |
40 ==> Gets B X # evsr \<in> otway" |
39 ==> Gets B X # evsr \<in> otway" |
41 |
40 |
42 OR1: --{*Alice initiates a protocol run*} |
41 | OR1: --{*Alice initiates a protocol run*} |
43 "evs1 \<in> otway |
42 "evs1 \<in> otway |
44 ==> Says A B {|Agent A, Agent B, Nonce NA|} # evs1 \<in> otway" |
43 ==> Says A B {|Agent A, Agent B, Nonce NA|} # evs1 \<in> otway" |
45 |
44 |
46 OR2: --{*Bob's response to Alice's message.*} |
45 | OR2: --{*Bob's response to Alice's message.*} |
47 "[| evs2 \<in> otway; |
46 "[| evs2 \<in> otway; |
48 Gets B {|Agent A, Agent B, Nonce NA|} \<in>set evs2 |] |
47 Gets B {|Agent A, Agent B, Nonce NA|} \<in>set evs2 |] |
49 ==> Says B Server {|Agent A, Agent B, Nonce NA, Nonce NB|} |
48 ==> Says B Server {|Agent A, Agent B, Nonce NA, Nonce NB|} |
50 # evs2 \<in> otway" |
49 # evs2 \<in> otway" |
51 |
50 |
52 OR3: --{*The Server receives Bob's message. Then he sends a new |
51 | OR3: --{*The Server receives Bob's message. Then he sends a new |
53 session key to Bob with a packet for forwarding to Alice.*} |
52 session key to Bob with a packet for forwarding to Alice.*} |
54 "[| evs3 \<in> otway; Key KAB \<notin> used evs3; |
53 "[| evs3 \<in> otway; Key KAB \<notin> used evs3; |
55 Gets Server {|Agent A, Agent B, Nonce NA, Nonce NB|} |
54 Gets Server {|Agent A, Agent B, Nonce NA, Nonce NB|} |
56 \<in>set evs3 |] |
55 \<in>set evs3 |] |
57 ==> Says Server B |
56 ==> Says Server B |
58 {|Crypt (shrK A) {|Nonce NA, Agent A, Agent B, Key KAB|}, |
57 {|Crypt (shrK A) {|Nonce NA, Agent A, Agent B, Key KAB|}, |
59 Crypt (shrK B) {|Nonce NB, Agent A, Agent B, Key KAB|}|} |
58 Crypt (shrK B) {|Nonce NB, Agent A, Agent B, Key KAB|}|} |
60 # evs3 \<in> otway" |
59 # evs3 \<in> otway" |
61 |
60 |
62 OR4: --{*Bob receives the Server's (?) message and compares the Nonces with |
61 | OR4: --{*Bob receives the Server's (?) message and compares the Nonces with |
63 those in the message he previously sent the Server. |
62 those in the message he previously sent the Server. |
64 Need @{term "B \<noteq> Server"} because we allow messages to self.*} |
63 Need @{term "B \<noteq> Server"} because we allow messages to self.*} |
65 "[| evs4 \<in> otway; B \<noteq> Server; |
64 "[| evs4 \<in> otway; B \<noteq> Server; |
66 Says B Server {|Agent A, Agent B, Nonce NA, Nonce NB|} \<in>set evs4; |
65 Says B Server {|Agent A, Agent B, Nonce NA, Nonce NB|} \<in>set evs4; |
67 Gets B {|X, Crypt(shrK B){|Nonce NB,Agent A,Agent B,Key K|}|} |
66 Gets B {|X, Crypt(shrK B){|Nonce NB,Agent A,Agent B,Key K|}|} |
68 \<in>set evs4 |] |
67 \<in>set evs4 |] |
69 ==> Says B A X # evs4 \<in> otway" |
68 ==> Says B A X # evs4 \<in> otway" |
70 |
69 |
71 Oops: --{*This message models possible leaks of session keys. The nonces |
70 | Oops: --{*This message models possible leaks of session keys. The nonces |
72 identify the protocol run.*} |
71 identify the protocol run.*} |
73 "[| evso \<in> otway; |
72 "[| evso \<in> otway; |
74 Says Server B |
73 Says Server B |
75 {|Crypt (shrK A) {|Nonce NA, Agent A, Agent B, Key K|}, |
74 {|Crypt (shrK A) {|Nonce NA, Agent A, Agent B, Key K|}, |
76 Crypt (shrK B) {|Nonce NB, Agent A, Agent B, Key K|}|} |
75 Crypt (shrK B) {|Nonce NB, Agent A, Agent B, Key K|}|} |