64 "serverK (x)" == "sessionK(x,False)" |
64 "serverK (x)" == "sessionK(x,False)" |
65 |
65 |
66 rules |
66 rules |
67 inj_PRF "inj PRF" |
67 inj_PRF "inj PRF" |
68 |
68 |
69 (*sessionK is collision-free and makes symmetric keys*) |
69 (*sessionK is collision-free and makes symmetric keys. Also, no clientK |
|
70 clashes with any serverK.*) |
70 inj_sessionK "inj sessionK" |
71 inj_sessionK "inj sessionK" |
71 |
72 |
72 isSym_sessionK "isSymKey (sessionK x)" |
73 isSym_sessionK "isSymKey (sessionK x)" |
73 |
74 |
74 (*serverK is similar*) |
75 (*serverK is similar*) |
75 inj_serverK "inj serverK" |
76 inj_serverK "inj serverK" |
76 isSym_serverK "isSymKey (serverK x)" |
77 isSym_serverK "isSymKey (serverK x)" |
77 |
|
78 (*Clashes with pubK and priK are impossible, but this axiom is needed.*) |
|
79 clientK_range "range clientK <= Compl (range serverK)" |
|
80 |
78 |
81 |
79 |
82 consts tls :: event list set |
80 consts tls :: event list set |
83 inductive tls |
81 inductive tls |
84 intrs |
82 intrs |
88 Fake (*The spy, an active attacker, MAY say anything he CAN say.*) |
86 Fake (*The spy, an active attacker, MAY say anything he CAN say.*) |
89 "[| evs: tls; B ~= Spy; |
87 "[| evs: tls; B ~= Spy; |
90 X: synth (analz (spies evs)) |] |
88 X: synth (analz (spies evs)) |] |
91 ==> Says Spy B X # evs : tls" |
89 ==> Says Spy B X # evs : tls" |
92 |
90 |
93 SpyKeys (*The spy may apply PRF, clientK & serverK to available nonces*) |
91 SpyKeys (*The spy may apply PRF & sessionK to available nonces*) |
94 "[| evsSK: tls; |
92 "[| evsSK: tls; |
95 Says Spy B {|Nonce NA, Nonce NB, Nonce M|} : set evsSK |] |
93 Says Spy B {|Nonce NA, Nonce NB, Nonce M|} : set evsSK |] |
96 ==> Says Spy B {| Nonce (PRF(M,NA,NB)), |
94 ==> Says Spy B {| Nonce (PRF(M,NA,NB)), |
97 Key (clientK(NA,NB,M)), |
95 Key (sessionK((NA,NB,M),b)) |} # evsSK : tls" |
98 Key (serverK(NA,NB,M)) |} # evsSK : tls" |
|
99 |
96 |
100 ClientHello |
97 ClientHello |
101 (*(7.4.1.2) |
98 (*(7.4.1.2) |
102 XA represents CLIENT_VERSION, CIPHER_SUITES and COMPRESSION_METHODS. |
99 XA represents CLIENT_VERSION, CIPHER_SUITES and COMPRESSION_METHODS. |
103 It is uninterpreted but will be confirmed in the FINISHED messages. |
100 It is uninterpreted but will be confirmed in the FINISHED messages. |
194 # evsSF : tls" |
191 # evsSF : tls" |
195 |
192 |
196 ClientAccepts |
193 ClientAccepts |
197 (*Having transmitted ClientFinished and received an identical |
194 (*Having transmitted ClientFinished and received an identical |
198 message encrypted with serverK, the client stores the parameters |
195 message encrypted with serverK, the client stores the parameters |
199 needed to resume this session.*) |
196 needed to resume this session. The "Notes A ..." premise is |
|
197 used to prove Notes_master_imp_Crypt_PMS.*) |
200 "[| evsCA: tls; |
198 "[| evsCA: tls; |
201 Notes A {|Agent B, Nonce PMS|} : set evsCA; |
199 Notes A {|Agent B, Nonce PMS|} : set evsCA; |
202 M = PRF(PMS,NA,NB); |
200 M = PRF(PMS,NA,NB); |
203 X = Hash{|Nonce M, Number SID, |
201 X = Hash{|Nonce M, Number SID, |
204 Nonce NA, Number XA, Agent A, |
202 Nonce NA, Number XA, Agent A, |
209 Notes A {|Number SID, Agent A, Agent B, Nonce M|} # evsCA : tls" |
207 Notes A {|Number SID, Agent A, Agent B, Nonce M|} # evsCA : tls" |
210 |
208 |
211 ServerAccepts |
209 ServerAccepts |
212 (*Having transmitted ServerFinished and received an identical |
210 (*Having transmitted ServerFinished and received an identical |
213 message encrypted with clientK, the server stores the parameters |
211 message encrypted with clientK, the server stores the parameters |
214 needed to resume this session.*) |
212 needed to resume this session. The "Says A'' B ..." premise is |
|
213 used to prove Notes_master_imp_Crypt_PMS.*) |
215 "[| evsSA: tls; |
214 "[| evsSA: tls; |
216 Says A'' B {|certificate A KA, Crypt (pubK B) (Nonce PMS)|} |
215 Says A'' B {|certificate A KA, Crypt (pubK B) (Nonce PMS)|} |
217 : set evsSA; |
216 : set evsSA; |
218 M = PRF(PMS,NA,NB); |
217 M = PRF(PMS,NA,NB); |
219 X = Hash{|Nonce M, Number SID, |
218 X = Hash{|Nonce M, Number SID, |