13 Proc. Royal Soc. 426 |
13 Proc. Royal Soc. 426 |
14 |
14 |
15 This theory has the prototypical example of a secrecy relation, KeyCryptNonce. |
15 This theory has the prototypical example of a secrecy relation, KeyCryptNonce. |
16 *} |
16 *} |
17 |
17 |
18 consts yahalom :: "event list set" |
18 inductive_set yahalom :: "event list set" |
19 inductive "yahalom" |
19 where |
20 intros |
|
21 (*Initial trace is empty*) |
20 (*Initial trace is empty*) |
22 Nil: "[] \<in> yahalom" |
21 Nil: "[] \<in> yahalom" |
23 |
22 |
24 (*The spy MAY say anything he CAN say. We do not expect him to |
23 (*The spy MAY say anything he CAN say. We do not expect him to |
25 invent new nonces here, but he can also use NS1. Common to |
24 invent new nonces here, but he can also use NS1. Common to |
26 all similar protocols.*) |
25 all similar protocols.*) |
27 Fake: "[| evsf \<in> yahalom; X \<in> synth (analz (knows Spy evsf)) |] |
26 | Fake: "[| evsf \<in> yahalom; X \<in> synth (analz (knows Spy evsf)) |] |
28 ==> Says Spy B X # evsf \<in> yahalom" |
27 ==> Says Spy B X # evsf \<in> yahalom" |
29 |
28 |
30 (*A message that has been sent can be received by the |
29 (*A message that has been sent can be received by the |
31 intended recipient.*) |
30 intended recipient.*) |
32 Reception: "[| evsr \<in> yahalom; Says A B X \<in> set evsr |] |
31 | Reception: "[| evsr \<in> yahalom; Says A B X \<in> set evsr |] |
33 ==> Gets B X # evsr \<in> yahalom" |
32 ==> Gets B X # evsr \<in> yahalom" |
34 |
33 |
35 (*Alice initiates a protocol run*) |
34 (*Alice initiates a protocol run*) |
36 YM1: "[| evs1 \<in> yahalom; Nonce NA \<notin> used evs1 |] |
35 | YM1: "[| evs1 \<in> yahalom; Nonce NA \<notin> used evs1 |] |
37 ==> Says A B {|Agent A, Nonce NA|} # evs1 \<in> yahalom" |
36 ==> Says A B {|Agent A, Nonce NA|} # evs1 \<in> yahalom" |
38 |
37 |
39 (*Bob's response to Alice's message.*) |
38 (*Bob's response to Alice's message.*) |
40 YM2: "[| evs2 \<in> yahalom; Nonce NB \<notin> used evs2; |
39 | YM2: "[| evs2 \<in> yahalom; Nonce NB \<notin> used evs2; |
41 Gets B {|Agent A, Nonce NA|} \<in> set evs2 |] |
40 Gets B {|Agent A, Nonce NA|} \<in> set evs2 |] |
42 ==> Says B Server |
41 ==> Says B Server |
43 {|Agent B, Crypt (shrK B) {|Agent A, Nonce NA, Nonce NB|}|} |
42 {|Agent B, Crypt (shrK B) {|Agent A, Nonce NA, Nonce NB|}|} |
44 # evs2 \<in> yahalom" |
43 # evs2 \<in> yahalom" |
45 |
44 |
46 (*The Server receives Bob's message. He responds by sending a |
45 (*The Server receives Bob's message. He responds by sending a |
47 new session key to Alice, with a packet for forwarding to Bob.*) |
46 new session key to Alice, with a packet for forwarding to Bob.*) |
48 YM3: "[| evs3 \<in> yahalom; Key KAB \<notin> used evs3; KAB \<in> symKeys; |
47 | YM3: "[| evs3 \<in> yahalom; Key KAB \<notin> used evs3; KAB \<in> symKeys; |
49 Gets Server |
48 Gets Server |
50 {|Agent B, Crypt (shrK B) {|Agent A, Nonce NA, Nonce NB|}|} |
49 {|Agent B, Crypt (shrK B) {|Agent A, Nonce NA, Nonce NB|}|} |
51 \<in> set evs3 |] |
50 \<in> set evs3 |] |
52 ==> Says Server A |
51 ==> Says Server A |
53 {|Crypt (shrK A) {|Agent B, Key KAB, Nonce NA, Nonce NB|}, |
52 {|Crypt (shrK A) {|Agent B, Key KAB, Nonce NA, Nonce NB|}, |
54 Crypt (shrK B) {|Agent A, Key KAB|}|} |
53 Crypt (shrK B) {|Agent A, Key KAB|}|} |
55 # evs3 \<in> yahalom" |
54 # evs3 \<in> yahalom" |
56 |
55 |
57 YM4: |
56 | YM4: |
58 --{*Alice receives the Server's (?) message, checks her Nonce, and |
57 --{*Alice receives the Server's (?) message, checks her Nonce, and |
59 uses the new session key to send Bob his Nonce. The premise |
58 uses the new session key to send Bob his Nonce. The premise |
60 @{term "A \<noteq> Server"} is needed for @{text Says_Server_not_range}. |
59 @{term "A \<noteq> Server"} is needed for @{text Says_Server_not_range}. |
61 Alice can check that K is symmetric by its length.*} |
60 Alice can check that K is symmetric by its length.*} |
62 "[| evs4 \<in> yahalom; A \<noteq> Server; K \<in> symKeys; |
61 "[| evs4 \<in> yahalom; A \<noteq> Server; K \<in> symKeys; |
66 ==> Says A B {|X, Crypt K (Nonce NB)|} # evs4 \<in> yahalom" |
65 ==> Says A B {|X, Crypt K (Nonce NB)|} # evs4 \<in> yahalom" |
67 |
66 |
68 (*This message models possible leaks of session keys. The Nonces |
67 (*This message models possible leaks of session keys. The Nonces |
69 identify the protocol run. Quoting Server here ensures they are |
68 identify the protocol run. Quoting Server here ensures they are |
70 correct.*) |
69 correct.*) |
71 Oops: "[| evso \<in> yahalom; |
70 | Oops: "[| evso \<in> yahalom; |
72 Says Server A {|Crypt (shrK A) |
71 Says Server A {|Crypt (shrK A) |
73 {|Agent B, Key K, Nonce NA, Nonce NB|}, |
72 {|Agent B, Key K, Nonce NA, Nonce NB|}, |
74 X|} \<in> set evso |] |
73 X|} \<in> set evso |] |
75 ==> Notes Spy {|Nonce NA, Nonce NB, Key K|} # evso \<in> yahalom" |
74 ==> Notes Spy {|Nonce NA, Nonce NB, Key K|} # evso \<in> yahalom" |
76 |
75 |