Amended-Needham-Schroeder.psl 2.35 KB
Newer Older
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100
spec NEEDHAM-SCHROEDER is
Theory
  types   SName Name Key Nonce Masterkey Sessionkey .
  subtypes Masterkey  Sessionkey < Key .
  subtype SName < Name .
  subtype Name < Public .

  // Nonce operator
  op n : Name Fresh -> Nonce .

  // Principals
  op a : -> Name . // Alice
  op b : -> Name . // Bob
  op i : -> Name . // Intruder
  
  // Server name
  op s : ->  SName . 

 
  // MKey
  op mkey : Name Name -> Masterkey .
 
  // Seskey
  op seskey : Name Name Nonce -> Sessionkey .

  //encrypt
  op e : Key Msg -> Msg .
  op d : Key Msg -> Msg .

  // successor
  op dec : Nonce -> Msg .
  op null : -> Msg .

  // Concatenation
  op _;_ : Msg Msg -> Msg [gather (e E)] .
  
  eq d(K:Key, e (K:Key, Z:Msg )) = Z:Msg .
  eq e(K:Key, d (K:Key, Z:Msg )) = Z:Msg .

Protocol
  vars ANAME BNAME SNAME A1NAME A2NAME B2NAME : Name .  
  var r r0 r1 r2 : Fresh .
  vars M1 M2 : Msg .
  vars KA KB : Key . 
  vars NA2 NB NB2 : Nonce .

  roles A B S .

  Def(A) =      na := n(ANAME, r),      keyAS := mkey(ANAME, SNAME) .
  Def(B) =      nb := n(BNAME, r0),     keyBS := mkey(BNAME, SNAME), 
               nb1 := n(BNAME, r2) .
  Def(S) = keyA2S  := mkey(A2NAME, SNAME), keyB2S := mkey(B2NAME, SNAME),
            sesKey := seskey(A2NAME, B2NAME, n(SNAME, r1)) .

  In(A) = ANAME, SNAME, BNAME .
  In(B) = SNAME, BNAME .
  In(S) = SNAME .

  1 . A -> B : ANAME |- A1NAME .

  2 . B -> A : e(keyBS, A1NAME ; nb) |- M1 .

  3 . A -> S : ANAME  ; BNAME  ; na  ; M1  |- 
               A2NAME ; B2NAME ; NA2 ; e(keyB2S, A2NAME ; NB2) .

  4 . S -> A : e(keyA2S, NA2 ; B2NAME ; sesKey ; e(keyB2S, sesKey ; NB2 ; A2NAME)) |-
               e(keyAS,  na  ; BNAME  ; KA     ; M2) . 

  5 . A -> B : M2 |- e(keyBS, KB ; nb ; A1NAME) .

  6 . B -> A : e(KB, nb1) |- e(KA, NB) . 

  7 . A -> B : e(KA, dec(NB)) |- e(KB, dec(nb1)) . 

  Out(A) = KA .
  Out(B) = KB .
  Out(S) = sesKey .
                    

Intruder
    var A : Name . 
    var r : Fresh .
    var K : Key .
    vars M M1 : Msg .
    var N : Nonce .

           => A, s, n(i, r) .
           => mkey(i, A), mkey(A, i) . 
           => mkey(i, s), mkey(s, i) . 
    M, M1 <=> M ; M1 .
    K, M   => d(K, M), e(K, M) .
    N     <=> dec(N) .

Attacks
    0 .
        //Get rid of In(), Out() and replace it with
        //Subst() that looks at all the variables.
        B executes protocol .
        Subst(B) = A1NAME |-> a, BNAME |-> b, SNAME |-> s .
ends