75 "[| evs: tls; A ~= B; Nonce NA ~: used evs |] |
88 "[| evs: tls; A ~= B; Nonce NA ~: used evs |] |
76 ==> Says A B {|Agent A, Nonce NA, Agent XA|} # evs : tls" |
89 ==> Says A B {|Agent A, Nonce NA, Agent XA|} # evs : tls" |
77 |
90 |
78 ServerHello |
91 ServerHello |
79 (*XB represents CLIENT_VERSION, CIPHER_SUITE and COMPRESSION_METHOD. |
92 (*XB represents CLIENT_VERSION, CIPHER_SUITE and COMPRESSION_METHOD. |
80 Na is returned in its role as SESSION_ID. A CERTIFICATE_REQUEST is |
93 NA is returned in its role as SESSION_ID. A CERTIFICATE_REQUEST is |
81 implied and a SERVER CERTIFICATE is always present.*) |
94 implied and a SERVER CERTIFICATE is always present.*) |
82 "[| evs: tls; A ~= B; Nonce NB ~: used evs; |
95 "[| evs: tls; A ~= B; Nonce NB ~: used evs; |
83 Says A' B {|Agent A, Nonce NA, Agent XA|} : set evs |] |
96 Says A' B {|Agent A, Nonce NA, Agent XA|} : set evs |] |
84 ==> Says B A {|Nonce NA, Nonce NB, Agent XB, |
97 ==> Says B A {|Nonce NA, Nonce NB, Agent XB, |
85 certificate B (pubK B)|} |
98 certificate B (pubK B)|} |
86 # evs : tls" |
99 # evs : tls" |
87 |
100 |
88 ClientCertKeyEx |
101 ClientCertKeyEx |
89 (*CLIENT CERTIFICATE and KEY EXCHANGE. M is the pre-master-secret. |
102 (*CLIENT CERTIFICATE and KEY EXCHANGE. The client, A, chooses M, |
90 Note that A encrypts using the supplied KB, not pubK B.*) |
103 the pre-master-secret. She encrypts M using the supplied KB, |
|
104 which ought to be pubK B, and also with her own public key, |
|
105 to record in the trace that she knows M (see NOTE at top).*) |
91 "[| evs: tls; A ~= B; Nonce M ~: used evs; |
106 "[| evs: tls; A ~= B; Nonce M ~: used evs; |
92 Says B' A {|Nonce NA, Nonce NB, Agent XB, certificate B KB|} |
107 Says B' A {|Nonce NA, Nonce NB, Agent XB, certificate B KB|} |
93 : set evs |] |
108 : set evs |] |
94 ==> Says A B {|certificate A (pubK A), Crypt KB (Nonce M)|} |
109 ==> Says A B {|certificate A (pubK A), Crypt KB (Nonce M)|} |
95 # evs : tls" |
110 # Notes A {|Agent B, Nonce M|} |
|
111 # evs : tls" |
96 |
112 |
97 CertVerify |
113 CertVerify |
98 (*The optional CERTIFICATE VERIFY message contains the specific |
114 (*The optional CERTIFICATE VERIFY message contains the specific |
99 components listed in the security analysis, Appendix F.1.1.2; |
115 components listed in the security analysis, Appendix F.1.1.2; |
100 it also contains the pre-master-secret. Checking the signature, |
116 it also contains the pre-master-secret. Checking the signature, |
101 which is the only use of A's certificate, assures B of A's presence*) |
117 which is the only use of A's certificate, assures B of A's presence*) |
102 "[| evs: tls; A ~= B; |
118 "[| evs: tls; A ~= B; |
103 Says B' A {|Nonce NA, Nonce NB, Agent XB, certificate B KB|} |
119 Says B' A {|Nonce NA, Nonce NB, Agent XB, certificate B KB|} |
104 : set evs; |
120 : set evs; |
105 Says A B {|certificate A (pubK A), Crypt KB (Nonce M)|} |
121 Notes A {|Agent B, Nonce M|} : set evs |] |
106 : set evs |] |
|
107 ==> Says A B (Crypt (priK A) |
122 ==> Says A B (Crypt (priK A) |
108 (Hash{|Nonce NB, certificate B KB, Nonce M|})) |
123 (Hash{|Nonce NB, certificate B KB, Nonce M|})) |
109 # evs : tls" |
124 # evs : tls" |
110 |
125 |
111 (*Finally come the FINISHED messages, confirming XA and XB among |
126 (*Finally come the FINISHED messages, confirming XA and XB among |
112 other things. The master-secret is the hash of NA, NB and M. |
127 other things. The master-secret is the hash of NA, NB and M. |
113 Either party may sent its message first.*) |
128 Either party may sent its message first.*) |
114 |
129 |
|
130 (*The occurrence of Crypt (pubK A) {|Agent B, Nonce M|} stops the |
|
131 rule's applying when the Spy has satisfied the "Says A B" by |
|
132 repaying messages sent by the true client; in that case, the |
|
133 Spy does not know M and could not sent CLIENT FINISHED. One |
|
134 could simply put A~=Spy into the rule, but one should not |
|
135 expect the spy to be well-behaved.*) |
115 ClientFinished |
136 ClientFinished |
116 "[| evs: tls; A ~= B; |
137 "[| evs: tls; A ~= B; |
117 Says A B {|Agent A, Nonce NA, Agent XA|} : set evs; |
138 Says A B {|Agent A, Nonce NA, Agent XA|} : set evs; |
118 Says B' A {|Nonce NA, Nonce NB, Agent XB, certificate B KB|} |
139 Says B' A {|Nonce NA, Nonce NB, Agent XB, certificate B KB|} |
119 : set evs; |
140 : set evs; |
120 Says A B {|certificate A (pubK A), Crypt KB (Nonce M)|} |
141 Notes A {|Agent B, Nonce M|} : set evs |] |
121 : set evs |] |
|
122 ==> Says A B (Crypt (clientK(NA,NB,M)) |
142 ==> Says A B (Crypt (clientK(NA,NB,M)) |
123 (Hash{|Hash{|Nonce NA, Nonce NB, Nonce M|}, |
143 (Hash{|Hash{|Nonce NA, Nonce NB, Nonce M|}, |
124 Nonce NA, Agent XA, |
144 Nonce NA, Agent XA, |
125 certificate A (pubK A), |
145 certificate A (pubK A), |
126 Nonce NB, Agent XB, Agent B|})) |
146 Nonce NB, Agent XB, Agent B|})) |
127 # evs : tls" |
147 # evs : tls" |
128 |
148 |
129 (*Keeping A' and A'' distinct means B cannot even check that the |
149 (*Keeping A' and A'' distinct means B cannot even check that the |
130 two messages originate from the same source.*) |
150 two messages originate from the same source. B does not attempt |
131 |
151 to read A's encrypted "note to herself".*) |
132 ServerFinished |
152 ServerFinished |
133 "[| evs: tls; A ~= B; |
153 "[| evs: tls; A ~= B; |
134 Says A' B {|Agent A, Nonce NA, Agent XA|} : set evs; |
154 Says A' B {|Agent A, Nonce NA, Agent XA|} : set evs; |
135 Says B A {|Nonce NA, Nonce NB, Agent XB, |
155 Says B A {|Nonce NA, Nonce NB, Agent XB, |
136 certificate B (pubK B)|} |
156 certificate B (pubK B)|} |
137 : set evs; |
157 : set evs; |
138 Says A'' B {|CERTA, Crypt (pubK B) (Nonce M)|} : set evs |] |
158 Says A'' B {|certificate A KA, Crypt (pubK B) (Nonce M)|} |
|
159 : set evs |] |
139 ==> Says B A (Crypt (serverK(NA,NB,M)) |
160 ==> Says B A (Crypt (serverK(NA,NB,M)) |
140 (Hash{|Hash{|Nonce NA, Nonce NB, Nonce M|}, |
161 (Hash{|Hash{|Nonce NA, Nonce NB, Nonce M|}, |
141 Nonce NA, Agent XA, Agent A, |
162 Nonce NA, Agent XA, Agent A, |
142 Nonce NB, Agent XB, |
163 Nonce NB, Agent XB, |
143 certificate B (pubK B)|})) |
164 certificate B (pubK B)|})) |