17 Proc. Royal Soc. 426 |
17 Proc. Royal Soc. 426 |
18 |
18 |
19 This theory has the prototypical example of a secrecy relation, KeyCryptNonce. |
19 This theory has the prototypical example of a secrecy relation, KeyCryptNonce. |
20 *} |
20 *} |
21 |
21 |
22 consts yahalom :: "event list set" |
22 inductive_set yahalom :: "event list set" |
23 inductive "yahalom" |
23 where |
24 intros |
|
25 (*Initial trace is empty*) |
24 (*Initial trace is empty*) |
26 Nil: "[] \<in> yahalom" |
25 Nil: "[] \<in> yahalom" |
27 |
26 |
28 (*The spy MAY say anything he CAN say. We do not expect him to |
27 (*The spy MAY say anything he CAN say. We do not expect him to |
29 invent new nonces here, but he can also use NS1. Common to |
28 invent new nonces here, but he can also use NS1. Common to |
30 all similar protocols.*) |
29 all similar protocols.*) |
31 Fake: "[| evsf \<in> yahalom; X \<in> synth (analz (knows Spy evsf)) |] |
30 | Fake: "[| evsf \<in> yahalom; X \<in> synth (analz (knows Spy evsf)) |] |
32 ==> Says Spy B X # evsf \<in> yahalom" |
31 ==> Says Spy B X # evsf \<in> yahalom" |
33 |
32 |
34 (*A message that has been sent can be received by the |
33 (*A message that has been sent can be received by the |
35 intended recipient.*) |
34 intended recipient.*) |
36 Reception: "[| evsr \<in> yahalom; Says A B X \<in> set evsr |] |
35 | Reception: "[| evsr \<in> yahalom; Says A B X \<in> set evsr |] |
37 ==> Gets B X # evsr \<in> yahalom" |
36 ==> Gets B X # evsr \<in> yahalom" |
38 |
37 |
39 (*Alice initiates a protocol run*) |
38 (*Alice initiates a protocol run*) |
40 YM1: "[| evs1 \<in> yahalom; Nonce NA \<notin> used evs1 |] |
39 | YM1: "[| evs1 \<in> yahalom; Nonce NA \<notin> used evs1 |] |
41 ==> Says A B {|Agent A, Nonce NA|} # evs1 \<in> yahalom" |
40 ==> Says A B {|Agent A, Nonce NA|} # evs1 \<in> yahalom" |
42 |
41 |
43 (*Bob's response to Alice's message.*) |
42 (*Bob's response to Alice's message.*) |
44 YM2: "[| evs2 \<in> yahalom; Nonce NB \<notin> used evs2; |
43 | YM2: "[| evs2 \<in> yahalom; Nonce NB \<notin> used evs2; |
45 Gets B {|Agent A, Nonce NA|} \<in> set evs2 |] |
44 Gets B {|Agent A, Nonce NA|} \<in> set evs2 |] |
46 ==> Says B Server |
45 ==> Says B Server |
47 {|Agent B, Nonce NB, Crypt (shrK B) {|Agent A, Nonce NA|}|} |
46 {|Agent B, Nonce NB, Crypt (shrK B) {|Agent A, Nonce NA|}|} |
48 # evs2 \<in> yahalom" |
47 # evs2 \<in> yahalom" |
49 |
48 |
50 (*The Server receives Bob's message. He responds by sending a |
49 (*The Server receives Bob's message. He responds by sending a |
51 new session key to Alice, with a certificate for forwarding to Bob. |
50 new session key to Alice, with a certificate for forwarding to Bob. |
52 Both agents are quoted in the 2nd certificate to prevent attacks!*) |
51 Both agents are quoted in the 2nd certificate to prevent attacks!*) |
53 YM3: "[| evs3 \<in> yahalom; Key KAB \<notin> used evs3; |
52 | YM3: "[| evs3 \<in> yahalom; Key KAB \<notin> used evs3; |
54 Gets Server {|Agent B, Nonce NB, |
53 Gets Server {|Agent B, Nonce NB, |
55 Crypt (shrK B) {|Agent A, Nonce NA|}|} |
54 Crypt (shrK B) {|Agent A, Nonce NA|}|} |
56 \<in> set evs3 |] |
55 \<in> set evs3 |] |
57 ==> Says Server A |
56 ==> Says Server A |
58 {|Nonce NB, |
57 {|Nonce NB, |
60 Crypt (shrK B) {|Agent A, Agent B, Key KAB, Nonce NB|}|} |
59 Crypt (shrK B) {|Agent A, Agent B, Key KAB, Nonce NB|}|} |
61 # evs3 \<in> yahalom" |
60 # evs3 \<in> yahalom" |
62 |
61 |
63 (*Alice receives the Server's (?) message, checks her Nonce, and |
62 (*Alice receives the Server's (?) message, checks her Nonce, and |
64 uses the new session key to send Bob his Nonce.*) |
63 uses the new session key to send Bob his Nonce.*) |
65 YM4: "[| evs4 \<in> yahalom; |
64 | YM4: "[| evs4 \<in> yahalom; |
66 Gets A {|Nonce NB, Crypt (shrK A) {|Agent B, Key K, Nonce NA|}, |
65 Gets A {|Nonce NB, Crypt (shrK A) {|Agent B, Key K, Nonce NA|}, |
67 X|} \<in> set evs4; |
66 X|} \<in> set evs4; |
68 Says A B {|Agent A, Nonce NA|} \<in> set evs4 |] |
67 Says A B {|Agent A, Nonce NA|} \<in> set evs4 |] |
69 ==> Says A B {|X, Crypt K (Nonce NB)|} # evs4 \<in> yahalom" |
68 ==> Says A B {|X, Crypt K (Nonce NB)|} # evs4 \<in> yahalom" |
70 |
69 |
71 (*This message models possible leaks of session keys. The nonces |
70 (*This message models possible leaks of session keys. The nonces |
72 identify the protocol run. Quoting Server here ensures they are |
71 identify the protocol run. Quoting Server here ensures they are |
73 correct. *) |
72 correct. *) |
74 Oops: "[| evso \<in> yahalom; |
73 | Oops: "[| evso \<in> yahalom; |
75 Says Server A {|Nonce NB, |
74 Says Server A {|Nonce NB, |
76 Crypt (shrK A) {|Agent B, Key K, Nonce NA|}, |
75 Crypt (shrK A) {|Agent B, Key K, Nonce NA|}, |
77 X|} \<in> set evso |] |
76 X|} \<in> set evso |] |
78 ==> Notes Spy {|Nonce NA, Nonce NB, Key K|} # evso \<in> yahalom" |
77 ==> Notes Spy {|Nonce NA, Nonce NB, Key K|} # evso \<in> yahalom" |
79 |
78 |