sylv/scyther
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

- Big restructuring of the directories

Browse Source
This commit is contained in:
Cas Cremers
2007-05-17 17:28:10 +02:00
parent f168778161
commit d622b14257
267 changed files with 26636 additions and 44 deletions
Download Patch File Download Diff File Expand all files Collapse all files

51
protocols/Demo/ns3.spdl Normal file
View File

@@ -0,0 +1,51 @@
/*
* Needham-Schroeder protocol
*/
// PKI infrastructure
const pk: Function;
secret sk: Function;
inversekeys (pk,sk);
// The protocol description
protocol ns3(I,R)
{
role I
{
const ni: Nonce;
var nr: Nonce;
send_1(I,R, {I,ni}pk(R) );
read_2(R,I, {ni,nr}pk(I) );
send_3(I,R, {nr}pk(R) );
claim_i1(I,Secret,ni);
claim_i2(I,Secret,nr);
claim_i3(I,Niagree);
claim_i4(I,Nisynch);
}
role R
{
var ni: Nonce;
const nr: Nonce;
read_1(I,R, {I,ni}pk(R) );
send_2(R,I, {ni,nr}pk(I) );
read_3(I,R, {nr}pk(R) );
claim_r1(R,Secret,ni);
claim_r2(R,Secret,nr);
claim_r3(R,Niagree);
claim_r4(R,Nisynch);
}
}
// An untrusted agent, with leaked information
const Eve: Agent;
untrusted Eve;
compromised sk(Eve);

52
protocols/Demo/nsl3-broken.spdl Normal file
View File

@@ -0,0 +1,52 @@
/*
* Needham-Schroeder-Lowe protocol,
* broken version (wrong role name in first message)
*/
// PKI infrastructure
const pk: Function;
secret sk: Function;
inversekeys (pk,sk);
// The protocol description
protocol nsl3-broken(I,R)
{
role I
{
const ni: Nonce;
var nr: Nonce;
send_1(I,R, {R,ni}pk(R) );
read_2(R,I, {ni,nr,R}pk(I) );
send_3(I,R, {nr}pk(R) );
claim_i1(I,Secret,ni);
claim_i2(I,Secret,nr);
claim_i3(I,Niagree);
claim_i4(I,Nisynch);
}
role R
{
var ni: Nonce;
const nr: Nonce;
read_1(I,R, {R,ni}pk(R) );
send_2(R,I, {ni,nr,R}pk(I) );
read_3(I,R, {nr}pk(R) );
claim_r1(R,Secret,ni);
claim_r2(R,Secret,nr);
claim_r3(R,Niagree);
claim_r4(R,Nisynch);
}
}
// An untrusted agent, with leaked information
const Eve: Agent;
untrusted Eve;
compromised sk(Eve);

103
protocols/Demo/nsl3-updated-both.spdl Normal file
View File

@@ -0,0 +1,103 @@
/*
* Needham-Schroeder-Lowe protocol,
* broken version (wrong role name in first message)
*/
// PKI infrastructure
const pk: Function;
secret sk: Function;
inversekeys (pk,sk);
// The protocol description
protocol nsl3-broken(I,R)
{
role I
{
const ni: Nonce;
var nr: Nonce;
send_1(I,R, {R,ni}pk(R) );
read_2(R,I, {ni,nr,R}pk(I) );
send_3(I,R, {nr}pk(R) );
claim_i1(I,Secret,ni);
claim_i2(I,Secret,nr);
claim_i3(I,Niagree);
claim_i4(I,Nisynch);
}
role R
{
var ni: Nonce;
const nr: Nonce;
read_1(I,R, {R,ni}pk(R) );
send_2(R,I, {ni,nr,R}pk(I) );
read_3(I,R, {nr}pk(R) );
claim_r1(R,Secret,ni);
claim_r2(R,Secret,nr);
claim_r3(R,Niagree);
claim_r4(R,Nisynch);
}
}
// An untrusted agent, with leaked information
const Eve: Agent;
untrusted Eve;
compromised sk(Eve);
/*
* Needham-Schroeder-Lowe protocol
*/
// PKI infrastructure
const pk: Function;
secret sk: Function;
inversekeys (pk,sk);
// The protocol description
protocol nsl3(I,R)
{
role I
{
const ni: Nonce;
var nr: Nonce;
send_1(I,R, {I,ni}pk(R) );
read_2(R,I, {ni,nr,R}pk(I) );
send_3(I,R, {nr}pk(R) );
claim_i1(I,Secret,ni);
claim_i2(I,Secret,nr);
claim_i3(I,Niagree);
claim_i4(I,Nisynch);
}
role R
{
var ni: Nonce;
const nr: Nonce;
read_1(I,R, {I,ni}pk(R) );
send_2(R,I, {ni,nr,R}pk(I) );
read_3(I,R, {nr}pk(R) );
claim_r1(R,Secret,ni);
claim_r2(R,Secret,nr);
claim_r3(R,Niagree);
claim_r4(R,Nisynch);
}
}
// An untrusted agent, with leaked information
const Eve: Agent;
untrusted Eve;
compromised sk(Eve);

51
protocols/Demo/nsl3.spdl Normal file
View File

@@ -0,0 +1,51 @@
/*
* Needham-Schroeder-Lowe protocol
*/
// PKI infrastructure
const pk: Function;
secret sk: Function;
inversekeys (pk,sk);
// The protocol description
protocol nsl3(I,R)
{
role I
{
const ni: Nonce;
var nr: Nonce;
send_1(I,R, {I,ni}pk(R) );
read_2(R,I, {ni,nr,R}pk(I) );
send_3(I,R, {nr}pk(R) );
claim_i1(I,Secret,ni);
claim_i2(I,Secret,nr);
claim_i3(I,Niagree);
claim_i4(I,Nisynch);
}
role R
{
var ni: Nonce;
const nr: Nonce;
read_1(I,R, {I,ni}pk(R) );
send_2(R,I, {ni,nr,R}pk(I) );
read_3(I,R, {nr}pk(R) );
claim_r1(R,Secret,ni);
claim_r2(R,Secret,nr);
claim_r3(R,Niagree);
claim_r4(R,Nisynch);
}
}
// An untrusted agent, with leaked information
const Eve: Agent;
untrusted Eve;
compromised sk(Eve);

23
protocols/SPORE/NotModelled.txt Normal file
View File

@@ -0,0 +1,23 @@
The following protocols have not been modelled for use in Scyther:
- CAM http://www.lsv.ens-cachan.fr/spore/cam.html
This protocol only consists of one message and corresponding database actions.
The description given in SPORE is unsuitable for formalisation.
- Diffie Helman http://www.lsv.ens-cachan.fr/spore/diffieHelman.html
This protocol relies on algebraic properties that can not be modelled in
scyther.
- GJM http://www.lsv.ens-cachan.fr/spore/gjm.html
This protocol contains complicated if-then-else constructions that can
not be modelled in scyther.
- Gong http://www.lsv.ens-cachan.fr/spore/gong.html
This protocol relies on algebraic properties that can not be modelled in
scyther.
- SK3
This protocol relies on algebraic properties that can not be modelled in
scyther. It also has the notion of channels that can not be attacked,
which can not be modelled in scyther either.

96
protocols/SPORE/andrew-ban-concrete.spdl Normal file
View File

@@ -0,0 +1,96 @@
# BAN concrete Andrew Secure RPC
#
# Modelled after the description in the SPORE library
# http://www.lsv.ens-cachan.fr/spore/andrewBAN2.html
#
# Note:
# The shared key between I and R is modelled as k(I,R) currently
# there is no way to express that this key is equal to k(R,I)
# In order to overcome this a 'dummy' role X has been hadded that recrypts
# a given term crypted with k(I,R) with k(R,I)
#
# Note:
# Read 4 by the Initatior has been placed after the synchronisation claim
# as it allows trivial synchronisation attacks otherwise (the message is
# completely fresh and can therefore always be replaced by an arbitrary value
# created by the intruder) which are not considered in SPORE
#
usertype SessionKey;
secret k: Function;
const Fresh: Function;
const Compromised: Function;
protocol @swapkey(X)
{
# Protocol added to work around the symmetry problems where k(I,R) != k(R,I)
role X
{
var I,R: Agent;
var T:Ticket;
read_!X1(X,X,I,R,{T}k(I,R));
send_!X2(X,X,{T}k(R,I));
}
}
protocol andrew-Concrete^KeyCompromise(C)
{
// Read the names of 3 agents and disclose a session between them including
// corresponding session key to simulate key compromise
role C {
const ni,nr: Nonce;
const kir: SessionKey;
var I,R: Agent;
read_!C1(C,C, I,R);
send_!C2(C,C, (I,ni),
{ni,kir}k(I,R),
{ni}kir,
nr,
kir
);
claim_C3(C,Empty, (Compromised,kir));
}
}
protocol andrew-Concrete(I,R)
{
role I
{
const ni: Nonce;
var nr: Nonce;
var kir: SessionKey;
send_1(I,R, I,ni );
read_2(R,I, {ni,kir}k(I,R) );
send_3(I,R, {ni}kir);
claim_I1(I,Secret,kir);
claim_I2(I,Nisynch);
claim_I3(I,Empty,(Fresh,kir));
read_6(R,I, nr);
}
role R
{
var ni: Nonce;
const nr: Nonce;
const kir: SessionKey;
read_1(I,R, I,ni );
send_2(R,I, {ni,kir}k(I,R) );
read_3(I,R, {ni}kir);
send_6(R,I, nr);
claim_R1(R,Secret,kir);
claim_R2(R,Nisynch);
claim_R3(R,Empty,(Fresh,kir));
}
}
const Alice,Bob,Eve: Agent;
untrusted Eve;
const ne: Nonce;
const kee: SessionKey;

86
protocols/SPORE/andrew-ban.spdl Normal file
View File

@@ -0,0 +1,86 @@
# BAN modified Andrew Secure RPC
#
# Modelled after the description in the SPORE library
# http://www.lsv.ens-cachan.fr/spore/andrewBAN.html
#
# Note:
# The shared key between I and R is modelled as k(I,R) currently
# there is no way to express that this key is equal to k(R,I)
# So it is possile that certain attacks that use this property are not found
#
# Note:
# According to SPORE there are no known attacks on this protocol
#
usertype SessionKey;
secret k: Function;
const Fresh: Function;
const Compromised: Function;
protocol andrew-Ban^KeyCompromise(C)
{
// Read the names of 3 agents and disclose a session between them including
// corresponding session key to simulate key compromise
role C {
const ni,nr,nr2: Nonce;
const kir: SessionKey;
var I,R: Agent;
read_!C1(C,C, I,R);
send_!C2(C,C, (I,{ni}k(I,R)),
{ni,nr}k(I,R),
{nr}k(I,R),
{kir,nr2,ni}k(I,R),
kir
);
claim_C3(C,Empty, (Compromised,kir));
}
}
protocol andrew-Ban(I,R)
{
role I
{
const ni: Nonce;
var nr,nr2: Nonce;
var kir: SessionKey;
send_1(I,R, I,{ni}k(I,R) );
read_2(R,I, {ni,nr}k(I,R) );
send_3(I,R, {nr}k(I,R) );
read_4(R,I, {kir,nr2,ni}k(I,R) );
claim_I1(I,Nisynch);
claim_I2(I,Niagree);
claim_I3(I,Secret, kir);
claim_I4(I,Secret, k(I,R));
claim_I5(I,Empty, (Fresh,kir));
}
role R
{
var ni: Nonce;
const nr,nr2: Nonce;
const kir: SessionKey;
read_1(I,R, I,{ni}k(I,R) );
send_2(R,I, {ni,nr}k(I,R) );
read_3(I,R, {nr}k(I,R) );
send_4(R,I, {kir,nr2,ni}k(I,R) );
claim_R1(R,Nisynch);
claim_R2(R,Niagree);
claim_R3(R,Secret, kir);
claim_R4(R,Secret, k(I,R));
claim_R5(R,Empty, (Fresh,kir));
}
}
const Alice,Bob,Eve: Agent;
untrusted Eve;
const ne: Nonce;
const kee: SessionKey;
compromised k(Eve,Eve);
compromised k(Eve,Alice);
compromised k(Eve,Bob);
compromised k(Alice,Eve);
compromised k(Bob,Eve);

91
protocols/SPORE/andrew-lowe-ban.spdl Normal file
View File

@@ -0,0 +1,91 @@
# Lowe modified BAN concrete Andrew Secure RPC
#
# Modelled after the description in the SPORE library
# http://www.lsv.ens-cachan.fr/spore/andrewLowe.html
#
# Note:
# The shared key between I and R is modelled as k(I,R) currently
# there is no way to express that this key is equal to k(R,I)
# So it is possile that certain attacks that use this property are not found
#
# Note:
# Read 4 by the Initatior has been placed after the synchronisation claim
# as it allows trivial synchronisation attacks otherwise (the message is
# completely fresh and can therefore always be replaced by an arbitrary value
# created by the intruder) which are not considered in SPORE
#
# Note:
# According to SPORE there are no known attacks on this protocol
#
usertype SessionKey;
secret k: Function;
const Fresh: Function;
const Compromised: Function;
protocol andrew-LoweBan^KeyCompromise(C)
{
// Read the names of 2 agents and disclose a session between them including
// corresponding session key to simulate key compromise
role C {
const ni,nr: Nonce;
const kir: SessionKey;
var I,R: Agent;
read_!C1(C,C, I,R);
send_!C2(C,C, (I,ni),
{ni,kir,R}k(I,R),
{ni}kir,
nr,
kir
);
claim_C3(C,Empty, (Compromised,kir));
}
}
protocol andrew-LoweBan(I,R)
{
role I
{
const ni: Nonce;
var nr: Nonce;
var kir: SessionKey;
send_1(I,R, I,ni );
read_2(R,I, {ni,kir,R}k(I,R) );
send_3(I,R, {ni}kir );
claim_I1(I,Nisynch);
claim_I2(I,Secret, kir);
claim_I3(I,Empty, (Fresh,kir));
read_4(R,I, nr );
}
role R
{
var ni: Nonce;
const nr: Nonce;
const kir: SessionKey;
read_1(I,R, I,ni );
send_2(R,I, {ni,kir,R}k(I,R) );
read_3(I,R, {ni}kir );
send_4(R,I, nr );
claim_R1(R,Nisynch);
claim_R2(R,Secret, kir);
claim_R3(R,Empty, (Fresh,kir));
}
}
const Alice,Bob,Eve: Agent;
untrusted Eve;
const ne: Nonce;
const kee: SessionKey;
compromised k(Eve,Eve);
compromised k(Eve,Alice);
compromised k(Eve,Bob);
compromised k(Alice,Eve);
compromised k(Bob,Eve);

85
protocols/SPORE/andrew.spdl Normal file
View File

@@ -0,0 +1,85 @@
# Andrew Secure RPC
#
# Modelled after the description in the SPORE library
# http://www.lsv.ens-cachan.fr/spore/andrew.html
#
# Note:
# The shared key between I and R is modelled as k(I,R) currently
# there is no way to express that this key is equal to k(R,I)
# So it is possile that certain attacks that use this property are not found
#
usertype SessionKey;
secret k: Function;
const succ: Function;
const Fresh: Function;
const Compromised: Function;
protocol andrew^KeyCompromise(C)
{
// Read the names of 2 agents and disclose a session between them including
// corresponding session key to simulate key compromise
role C {
const ni,nr,nr2: Nonce;
const kir: SessionKey;
var I,R: Agent;
read_!C1(C,C, I,R);
send_!C2(C,C, (I,{ni}k(I,R)),
{succ(ni),nr}k(I,R),
{succ(nr)}k(I,R),
{kir,nr2}k(I,R),
kir
);
claim_C3(C,Empty, (Compromised,kir));
}
}
protocol andrew(I,R)
{
role I
{
const ni: Nonce;
var nr,nr2: Nonce;
var kir: SessionKey;
send_1(I,R, I,{ni}k(I,R) );
read_2(R,I, {succ(ni),nr}k(I,R) );
send_3(I,R, {succ(nr)}k(I,R) );
read_4(R,I, {kir,nr2}k(I,R) );
claim_I1(I,Secret,kir);
claim_I2(I,Nisynch);
claim_I3(I,Niagree);
claim_I4(I,Empty,(Fresh,kir));
}
role R
{
var ni: Nonce;
const nr,nr2: Nonce;
const kir: SessionKey;
read_1(I,R, I,{ni}k(I,R) );
send_2(R,I, {succ(ni),nr}k(I,R) );
read_3(I,R, {succ(nr)}k(I,R) );
send_4(R,I, {kir,nr2}k(I,R) );
claim_R1(R,Secret,kir);
claim_R2(R,Nisynch);
claim_R3(R,Niagree);
claim_R4(R,Empty,(Fresh,kir));
}
}
const Alice,Bob,Eve: Agent;
untrusted Eve;
const ne: Nonce;
const kee: SessionKey;
compromised k(Eve,Eve);
compromised k(Eve,Alice);
compromised k(Eve,Bob);
compromised k(Alice,Eve);
compromised k(Bob,Eve);

46
protocols/SPORE/ccitt509-1.spdl Normal file
View File

@@ -0,0 +1,46 @@
# CCITT X.509 (1)
#
# Modelled after the description in the SPORE library
# http://www.lsv.ens-cachan.fr/spore/ccittx509_1.html
#
# Note:
# The attack in SPORE is not found as this is not an attack against
# synchronisation, but an attack against the freshness of Xa and Ya
# which can currently not be modelled in scyther
#
const pk: Function;
secret sk: Function;
inversekeys(pk,sk);
usertype Timestamp;
protocol ccitt509-1(I,R)
{
role I
{
const Ta: Timestamp;
const Na,Xa,Ya: Nonce;
send_1(I,R, I,{Ta, Na, R, Xa,{Ya}pk(R)}sk(I));
# claim_2(I,Nisynch);
# This claim is useless as there are no preceding read events
}
role R
{
var Ta: Timestamp;
var Na,Xa,Ya: Nonce;
read_1(I,R, I,{Ta, Na, R, Xa,{Ya}pk(R)}sk(I));
claim_3(R,Nisynch);
# There should also be Fresh Xa and Fresh Ya claims here
}
}
const Alice,Bob,Eve: Agent;
untrusted Eve;
const ne: Nonce;
const te: Timestamp;
compromised sk(Eve);

44
protocols/SPORE/ccitt509-1c.spdl Normal file
View File

@@ -0,0 +1,44 @@
# CCITT X.509 (1c)
#
# Modelled after the description in the SPORE library
# http://www.lsv.ens-cachan.fr/spore/ccittx509_1c.html
#
# Note:
# According to SPORE there are no known attacks on this protocol
#
const pk,hash: Function;
secret sk,unhash: Function;
inversekeys (hash,unhash);
inversekeys(pk,sk);
usertype Timestamp;
protocol ccitt509-1c(I,R)
{
role I
{
const Ta: Timestamp;
const Na,Xa,Ya: Nonce;
send_1(I,R, I,{Ta, Na, R, Xa,{Ya,{hash(Ya)}sk(I)}pk(R)}sk(I));
# claim_2(I,Nisynch);
# This claim is useless as there are no preceding read events
}
role R
{
var Ta: Timestamp;
var Na,Xa,Ya: Nonce;
read_1(I,R, I,{Ta, Na, R, Xa,{Ya,{hash(Ya)}sk(I)}pk(R)}sk(I));
claim_3(R,Nisynch);
# There should also be Fresh Xa and Fresh Ya claims here
}
}
const Alice,Bob,Eve: Agent;
untrusted Eve;
const ne: Nonce;
const te: Timestamp;
compromised sk(Eve);

55
protocols/SPORE/ccitt509-3.spdl Normal file
View File

@@ -0,0 +1,55 @@
# CCITT X.509 (3)
#
# Modelled after the description in the SPORE library
# http://www.lsv.ens-cachan.fr/spore/ccittx509_3.html
#
# Note:
# The protocol description also states that Xa and Ya should be fresh
# this can not be verified using scyther
#
const pk: Function;
secret sk: Function;
inversekeys(pk,sk);
usertype Timestamp;
protocol ccitt509-3(I,R)
{
role I
{
const Ta: Timestamp;
var Tb: Timestamp;
const Na,Xa,Ya: Nonce;
var Xb,Nb,Yb: Nonce;
send_1(I,R, I,{Ta, Na, R, Xa,{Ya}pk(R)}sk(I));
read_2(R,I, R,{Tb, Nb, I, Na, Xb,{Yb}pk(I)}sk(R));
send_3(I,R, I, {Nb}sk(I));
claim_I1(I,Nisynch);
claim_I2(I,Secret,Ya);
claim_I3(I,Secret,Yb);
}
role R
{
var Ta: Timestamp;
const Tb: Timestamp;
var Na,Xa,Ya: Nonce;
const Xb,Yb,Nb: Nonce;
read_1(I,R, I,{Ta, Na, R, Xa,{Ya}pk(R)}sk(I));
send_2(R,I, R,{Tb, Nb, I, Na, Xb,{Yb}pk(I)}sk(R));
read_3(I,R, I, {Nb}sk(I));
claim_R1(R,Nisynch);
claim_R2(R,Secret,Ya);
claim_R3(R,Secret,Yb);
# There should also be Fresh Xa and Fresh Ya claims here
}
}
const Alice,Bob,Eve: Agent;
untrusted Eve;
const ne: Nonce;
const te: Timestamp;
compromised sk(Eve);

49
protocols/SPORE/ccitt509-ban3.spdl Normal file
View File

@@ -0,0 +1,49 @@
# BAN modified version of CCITT X.509 (3)
#
# Modelled after the description in the SPORE library
# http://www.lsv.ens-cachan.fr/spore/ccittx509_3BAN.html
#
# Note:
# The protocol description also states that Xa and Ya should be fresh
# this can not be verified using scyther
#
# Note:
# According to SPORE there are no known attacks on this protocol
#
const pk: Function;
secret sk: Function;
inversekeys(pk,sk);
protocol ccitt509-ban3(I,R)
{
role I
{
const Na,Xa,Ya: Nonce;
var Xb,Nb,Yb: Nonce;
send_1(I,R, I,{Na, R, Xa,{Ya}pk(R)}sk(I));
read_2(R,I, R,{Nb, I, Na, Xb,{Yb}pk(I)}sk(R));
send_3(I,R, I,{R, Nb}sk(I));
claim_4(I,Nisynch);
}
role R
{
var Na,Xa,Ya: Nonce;
const Xb,Yb,Nb: Nonce;
read_1(I,R, I,{Na, R, Xa,{Ya}pk(R)}sk(I));
send_2(R,I, R,{Nb, I, Na, Xb,{Yb}pk(I)}sk(R));
read_3(I,R, I,{R, Nb}sk(I));
claim_5(R,Nisynch);
# There should also be Fresh Xa and Fresh Ya claims here
}
}
const Alice,Bob,Eve: Agent;
untrusted Eve;
const ne: Nonce;
compromised sk(Eve);

96
protocols/SPORE/denning-sacco-lowe.spdl Normal file
View File

@@ -0,0 +1,96 @@
# Lowe modified Denning-Sacco shared key
#
# Modelled after the description in the SPORE library
# http://www.lsv.ens-cachan.fr/spore/denningSaccoLowe.html
#
# Note:
# According to SPORE there are no attacks on this protocol, scyther
# finds one however. This has to be investigated further.
usertype Key;
usertype SessionKey;
usertype TimeStamp;
usertype ExpiredTimeStamp;
secret k: Function;
usertype PseudoFunction;
const dec: PseudoFunction;
const Fresh: Function;
const Compromised: Function;
protocol denningSacco-Lowe^KeyCompromise(C)
{
// Read the names of 3 agents and disclose a session between them including
// corresponding session key to simulate key compromise
role C {
const Ni,Nr: Nonce;
const Kir: SessionKey;
const T: ExpiredTimeStamp;
var I,R,S: Agent;
read_!C1(C,C, I,R,S);
send_!C2(C,C, (I,R),
{R,Kir,T,{Kir,I,T}k(R,S)}k(I,S),
{Kir,I,T}k(R,S),
{Nr}Kir,
{{Nr}dec}Kir,
Kir
);
claim_C3(C,Empty, (Compromised,Kir));
}
}
protocol denningSacco-Lowe(I,R,S)
{
role I
{
var W: Ticket;
var Kir: SessionKey;
var T: TimeStamp;
var Nr: Nonce;
send_1(I,S, I,R );
read_2(S,I, {R, Kir, T, W}k(I,S) );
send_3(I,R, W);
read_4(R,I, {Nr}Kir);
send_5(I,R, {{Nr}dec}Kir);
claim_I1(I,Niagree);
claim_I2(I,Nisynch);
claim_I3(I,Secret,Kir);
claim_I4(I,Empty,(Fresh,Kir));
}
role R
{
var Kir: SessionKey;
var T: TimeStamp;
const Nr: Nonce;
read_3(I,R, {Kir,I,T}k(R,S));
send_4(R,I, {Nr}Kir);
read_5(I,R, {{Nr}dec}Kir);
claim_R1(R,Niagree);
claim_R2(R,Nisynch);
claim_R3(R,Secret,Kir);
claim_R4(R,Empty,(Fresh,Kir));
}
role S
{
var W: Ticket;
const Kir: SessionKey;
const T: TimeStamp;
read_1(I,S, I,R );
send_2(S,I, {R, Kir, T, {Kir, I,T}k(R,S)}k(I,S));
}
}
const Alice,Bob,Simon,Eve: Agent;
untrusted Eve;
const kee: SessionKey;
const tee: TimeStamp;
compromised k(Eve,Simon);

83
protocols/SPORE/denning-sacco.spdl Normal file
View File

@@ -0,0 +1,83 @@
# Denning-Sacco shared key
#
# Modelled after the description in the SPORE library
# http://www.lsv.ens-cachan.fr/spore/denningSacco.html
#
usertype Key;
usertype SessionKey;
usertype TimeStamp;
usertype ExpiredTimeStamp;
secret k: Function;
const Fresh: Function;
const Compromised: Function;
protocol denningSacco^KeyCompromise(C)
{
// Read the names of 3 agents and disclose a session between them including
// corresponding session key to simulate key compromise
role C {
const Ni,Nr: Nonce;
const Kir: SessionKey;
const T: ExpiredTimeStamp;
var I,R,S: Agent;
read_!C1(C,C, I,R,S);
send_!C2(C,C, (I,R),
{R,Kir,T,{Kir,I,T}k(R,S)}k(I,S),
{Kir,I,T}k(R,S),
Kir
);
claim_C3(C,Empty, (Compromised,Kir));
}
}
protocol denningSacco(I,R,S)
{
role I
{
var W: Ticket;
var Kir: SessionKey;
var T: TimeStamp;
send_1(I,S, I,R );
read_2(S,I, {R, Kir, T, W}k(I,S) );
send_3(I,R, W);
claim_I1(I,Niagree);
claim_I2(I,Nisynch);
claim_I3(I,Secret,Kir);
claim_I4(I,Empty, (Fresh,Kir));
}
role R
{
var Kir: SessionKey;
var T: TimeStamp;
read_3(I,R, {Kir,I,T}k(R,S));
claim_R1(R,Niagree);
claim_R2(R,Nisynch);
claim_R3(R,Secret,Kir);
claim_R4(R,Empty, (Fresh,Kir));
}
role S
{
var W: Ticket;
const Kir: SessionKey;
const T: TimeStamp;
read_1(I,S, I,R );
send_2(S,I, {R, Kir, T, {Kir, I,T}k(R,S)}k(I,S));
}
}
const Alice,Bob,Simon,Eve: Agent;
untrusted Eve;
const kee: SessionKey;
const tee: TimeStamp;
compromised k(Eve,Simon);

93
protocols/SPORE/kaochow-v2.spdl Normal file
View File

@@ -0,0 +1,93 @@
# Kao Chow Authentication v.2
#
# Modelled after the description in the SPORE library
# http://www.lsv.ens-cachan.fr/spore/kaoChow2.html
#
usertype SessionKey;
secret k: Function;
const Fresh: Function;
const Compromised: Function;
protocol kaochow-2^KeyCompromise(C)
{
// Read the names of 3 agents and disclose a session between them including
// corresponding session key to simulate key compromise
role C {
const Ni,Nr: Nonce;
const Kir,Kt: SessionKey;
var I,R,S: Agent;
read_!C1(C,C, I,R,S);
send_!C2(C,C, (I,R,Ni),
{I,R,Ni,Kir,Kt}k(I,S),
{I,R,Ni,Kir,Kt}k(R,S),
R, Nr,
{Nr,Kir}Kt,
Kir
// Kt
);
claim_C3(C,Empty, (Compromised,Kir));
// claim_C4(C,Empty, (Compromised,Kt));
}
}
protocol kaochow-2(I,R,S)
{
role I
{
const ni: Nonce;
var nr: Nonce;
var kir,kt: SessionKey;
send_1 (I,S, I,R,ni);
read_3 (R,I, R, {I,R,ni,kir,kt}k(I,S), {ni, kir}kt, nr );
send_4 (I,R, {nr,kir}kt );
claim_I1 (I, Nisynch);
claim_I2 (I, Niagree);
claim_I3 (I, Secret, kir);
claim_I4 (I, Empty, (Fresh,kir));
}
role R
{
var ni: Nonce;
const nr: Nonce;
var kir,kt: SessionKey;
var T: Ticket;
read_2 (S,R, T, { I,R,ni,kir,kt }k(R,S) );
send_3 (R,I, R, T, {ni, kir}kt, nr );
read_4 (I,R, {nr,kir}kt );
claim_R1 (R, Nisynch);
claim_R2 (R, Niagree);
claim_R3 (R, Secret, kir);
claim_R4 (R, Empty, (Fresh,kir));
}
role S
{
var ni: Nonce;
const kir, kt: SessionKey;
read_1 (I,S, I,R,ni);
send_2 (S,R, {I,R,ni,kir,kt}k(I,S), { I,R,ni,kir,kt }k(R,S) );
}
}
const Alice,Bob,Simon,Eve: Agent;
untrusted Eve;
const ne: Nonce;
const te: Ticket;
const ke: SessionKey;
compromised k(Eve,Eve);
compromised k(Eve,Alice);
compromised k(Eve,Bob);
compromised k(Eve,Simon);
compromised k(Alice,Eve);
compromised k(Bob,Eve);
compromised k(Simon,Eve);

100
protocols/SPORE/kaochow-v3.spdl Normal file
View File

@@ -0,0 +1,100 @@
# Kao Chow Authentication v.3
#
# Modelled after the description in the SPORE library
# http://www.lsv.ens-cachan.fr/spore/kaoChow3.html
#
usertype SessionKey;
usertype ExpiredTimeStamp;
usertype TimeStamp;
secret k: Function;
const Fresh: Function;
const Compromised: Function;
protocol kaochow-3^KeyCompromise(C)
{
// Read the names of 3 agents and disclose a session between them including
// corresponding session key to simulate key compromise
role C {
const Ni,Nr: Nonce;
const Kir,Kt: SessionKey;
const T2: ExpiredTimeStamp;
var I,R,S: Agent;
read_!C1(C,C, I,R,S);
send_!C2(C,C, (I,R,Ni),
{I,R,Ni,Kir,Kt}k(I,S),
{I,R,Ni,Kir,Kt}k(R,S),
{Ni,Kir}Kt,
Nr,
{I,R,T2,Kir}k(R,S),
{Nr,Kir}Kt,
Kir
// Kt
);
claim_C3(C,Empty, (Compromised,Kir));
// claim_C4(C,Empty, (Compromised,Kt));
}
}
protocol kaochow-3(I,R,S)
{
role I
{
const ni: Nonce;
var nr: Nonce;
var kir,kt: SessionKey;
var T2: Ticket;
send_1 (I,S, I,R,ni);
read_3 (R,I, {I,R,ni,kir,kt}k(I,S), {ni, kir}kt, nr, T2 );
send_4 (I,R, {nr,kir}kt, T2 );
claim_I1 (I, Nisynch);
claim_I2 (I, Niagree);
claim_I3 (I, Secret, kir);
claim_I4 (I, Empty, (Fresh,kir));
}
role R
{
var ni: Nonce;
const nr: Nonce;
var kir,kt: SessionKey;
var T: Ticket;
const tr: TimeStamp;
read_2 (S,R, T, { I,R,ni,kir,kt }k(R,S) );
send_3 (R,I, T, {ni, kir}kt, nr, {I,R,tr,kir}k(R,S) );
read_4 (I,R, {nr,kir}kt, {I,R,tr,kir}k(R,S) );
claim_R1 (R, Nisynch);
claim_R2 (R, Niagree);
claim_R3 (R, Secret, kir);
claim_R4 (R, Empty, (Fresh,kir));
}
role S
{
var ni: Nonce;
const kir, kt: SessionKey;
read_1 (I,S, I,R,ni);
send_2 (S,R, {I,R,ni,kir,kt}k(I,S), { I,R,ni,kir,kt }k(R,S) );
}
}
const Alice,Bob,Simon,Eve: Agent;
untrusted Eve;
const ne: Nonce;
const te: Ticket;
const ke: SessionKey;
compromised k(Eve,Eve);
compromised k(Eve,Alice);
compromised k(Eve,Bob);
compromised k(Eve,Simon);
compromised k(Alice,Eve);
compromised k(Bob,Eve);
compromised k(Simon,Eve);

91
protocols/SPORE/kaochow.spdl Normal file
View File

@@ -0,0 +1,91 @@
# Kao Chow Authentication v.1
#
# Modelled after the description in the SPORE library
# http://www.lsv.ens-cachan.fr/spore/kaoChow1.html
#
usertype SessionKey;
secret k: Function;
const Fresh: Function;
const Compromised: Function;
protocol kaochow^KeyCompromise(C)
{
// Read the names of 3 agents and disclose a session between them including
// corresponding session key to simulate key compromise
role C {
const Ni,Nr: Nonce;
const Kir: SessionKey;
var I,R,S: Agent;
read_!C1(C,C, I,R,S);
send_!C2(C,C, (I,R,Ni),
{I,R,Ni,Kir}k(I,S),
{I,R,Ni,Kir}k(R,S),
{Ni}Kir, Nr,
{Nr}Kir,
Kir
);
claim_C3(C,Empty, (Compromised,Kir));
}
}
protocol kaochow(I,R,S)
{
role I
{
const ni: Nonce;
var nr: Nonce;
var kir: SessionKey;
send_1 (I,S, I,R,ni);
read_3 (R,I, {I,R,ni,kir}k(I,S), {ni}kir, nr );
send_4 (I,R, {nr}kir );
claim_I1 (I, Nisynch);
claim_I2 (I, Niagree);
claim_I3 (I, Secret, kir);
claim_I4 (I, Empty, (Fresh,kir));
}
role R
{
var ni: Nonce;
const nr: Nonce;
var kir: SessionKey;
var T;
read_2 (S,R, T, { I,R,ni,kir }k(R,S) );
send_3 (R,I, T, {ni}kir, nr );
read_4 (I,R, {nr}kir );
claim_R1 (R, Nisynch);
claim_R2 (R, Niagree);
claim_R3 (R, Secret, kir);
claim_R4 (R, Empty, (Fresh,kir));
}
role S
{
var ni: Nonce;
const kir: SessionKey;
read_1 (I,S, I,R,ni);
send_2 (S,R, {I,R,ni,kir}k(I,S), { I,R,ni,kir }k(R,S) );
}
}
const Alice,Bob,Simon,Eve: Agent;
untrusted Eve;
const ne: Nonce;
const te: Ticket;
const ke: SessionKey;
compromised k(Eve,Eve);
compromised k(Eve,Alice);
compromised k(Eve,Bob);
compromised k(Eve,Simon);
compromised k(Alice,Eve);
compromised k(Bob,Eve);
compromised k(Simon,Eve);

88
protocols/SPORE/key-compromise/needham-schroeder-sk.spdl Normal file
View File

@@ -0,0 +1,88 @@
# Needham Schroeder Symmetric Key
#
# Modelled after the description in the SPORE library
# http://www.lsv.ens-cachan.fr/spore/nssk.html
#
#
# Note:
# This protocol uses a ticket so scyther will only be able to verify
# the protocol using the ARACHNE engine (-a)
#
secret k: Function;
# Model dec that is invertible by inc
const dec,inc: Function;
inversekeys(dec,inc);
usertype SessionKey;
const Fresh: Function;
const Compromised: Function;
protocol needhamschroederSessionKeyCompromise(C)
{
// Read the names of 3 agents and disclose a session between them including
// corresponding session key to simulate key compromise
role C {
const Ni,Nr: Nonce;
const Kir: SessionKey;
var I,R,S: Agent;
read_!C1(C,C, I,R,S);
send_!C2(C,C, (I,R,Ni),
{Ni,R,Kir,{Kir,I}k(R,S)}k(I,S),
{Kir,I}k(R,S),
{Nr}Kir,
{{Nr}dec}Kir,
Kir
);
claim_C3(C,Empty, (Compromised,Kir));
}
}
protocol needhamschroedersk(I,R,S)
{
role I
{
const Ni: Nonce;
var Nr: Nonce;
var Kir: SessionKey;
var T: Ticket;
send_1(I,S,(I,R,Ni));
read_2(S,I, {Ni,R,Kir,T}k(I,S));
send_3(I,R,T);
read_4(R,I,{Nr}Kir);
send_5(I,R,{{Nr}dec}Kir);
claim_I2(I,Secret,Kir);
claim_I3(I,Nisynch);
claim_I4(I,Empty,(Fresh,Kir));
}
role R
{
const Nr: Nonce;
var Kir: SessionKey;
read_3(I,R,{Kir,I}k(R,S));
send_4(R,I,{Nr}Kir);
read_5(I,R,{{Nr}dec}Kir);
claim_R1(R,Secret,Kir);
claim_R3(R,Nisynch);
claim_R4(R,Empty,(Fresh,Kir));
}
role S
{
var Ni: Nonce;
const Kir: SessionKey;
read_1(I,S,(I,R,Ni));
send_2(S,I,{Ni,R,Kir,{Kir,I}k(R,S)}k(I,S));
}
}
const Alice,Bob,Simon,Eve: Agent;
untrusted Eve;
const ne: Nonce;
compromised k(Eve,Simon);

111
protocols/SPORE/ksl-lowe.spdl Normal file
View File

@@ -0,0 +1,111 @@
# Lowe modified KSL
#
# Modelled after the description in the SPORE library
# http://www.lsv.ens-cachan.fr/spore/kslLowe.html
#
# Note:
# According to SPORE there are no attacks on this protocol, scyther
# finds one however. This has to be investigated further.
usertype Server, SessionKey, TimeStamp, TicketKey;
usertype ExpiredTimeStamp;
secret k: Function;
const a, b, e: Agent;
const s: Server;
const Fresh: Function;
const Compromised: Function;
const ne: Nonce;
const kee: SessionKey;
untrusted e;
compromised k(e,s);
protocol ksl-Lowe^KeyCompromise(C)
{
// Read the names of 3 agents and disclose a session between them including
// corresponding session key to simulate key compromise
role C {
const Ni,Nr,Nc,Ma,Mb: Nonce;
const Kir: SessionKey;
const Kbb: TicketKey;
const Tr: ExpiredTimeStamp;
var I,R,S: Agent;
read_!C1(C,C, I,R,S);
send_!C2(C,C, (Ni,I),
(Ni,I,Nr,R),
{I,Nr,Kir}k(R,S),{Ni,R,Kir}k(I,S),
{Tr,I,Kir}Kbb,Nc,{R,Ni}k(I,R),
{Nc}Kir,
Ma,
Mb,{Ma,R}Kir,
{I,Mb}Kir,
Kir,
Kbb
);
claim_C3(C,Empty, (Compromised,Kir));
claim_C4(C,Empty, (Compromised,Kbb));
}
}
protocol ksl-Lowe(I,R,S)
{
role I
{
const Ni, Mi: Nonce;
var Nc, Mr: Nonce;
var T: Ticket;
var Kir: SessionKey;
send_1(I,R, Ni, I);
read_4(R,I, { Ni,R,Kir }k(I,S), T, Nc, {R,Ni}Kir );
send_5(I,R, { Nc }Kir );
send_6(I,R, Mi,T );
read_7(R,I, Mr,{Mi, R}Kir );
send_8(I,R, {I,Mr}Kir );
claim_I1(I,Secret, Kir);
claim_I2(I,Niagree);
claim_I3(I,Nisynch);
claim_I4(I,Empty, (Fresh,Kir));
}
role R
{
var Ni,Mi: Nonce;
const Nr,Nc,Mr: Nonce;
var Kir: SessionKey;
const Kbb: TicketKey;
const Tr: TimeStamp;
var T: Ticket;
read_1(I,R, Ni, I);
send_2(R,S, Ni, I, Nr, R );
read_3(S,R, { I, Nr, Kir }k(R,S), T );
send_4(R,I, T, { Tr, I, Kir }Kbb, Nc, {R, Ni}Kir );
read_5(I,R, { Nc }Kir );
read_6(I,R, Mi,{ Tr, I, Kir }Kbb );
send_7(R,I, Mr,{Mi,R}Kir );
read_8(I,R, {I,Mr}Kir );
claim_R1(R,Secret, Kir);
claim_R2(R,Niagree);
claim_R3(R,Nisynch);
claim_R4(R,Empty, (Fresh,Kir));
}
role S
{
var Ni, Nr: Nonce;
const Kir: SessionKey;
read_2(R,S, Ni, I, Nr, R );
send_3(S,R, { I, Nr, Kir }k(R,S), { Ni,R,Kir }k(I,S) );
}
}

83
protocols/SPORE/ksl.spdl Normal file
View File

@@ -0,0 +1,83 @@
# KSL
#
# Modelled after the description in the SPORE library
# http://www.lsv.ens-cachan.fr/spore/ksl.html
#
#
usertype Server, SessionKey, TimeStamp, TicketKey;
usertype ExpiredTimeStamp;
secret k: Function;
const a, b, e: Agent;
const s: Server;
const Fresh: Function;
const Compromised: Function;
const ne: Nonce;
const kee: SessionKey;
untrusted e;
compromised k(e,s);
protocol ksl(I,R,S)
{
role I
{
const Ni, Mi: Nonce;
var Nc, Mr: Nonce;
var T: Ticket;
var Kir: SessionKey;
send_1(I,R, Ni, I);
read_4(R,I, { Ni,R,Kir }k(I,S), T, Nc, {Ni}Kir );
send_5(I,R, { Nc }Kir );
send_6(I,R, Mi,T );
read_7(R,I, Mr,{Mi}Kir );
send_8(I,R, {Mr}Kir );
claim_I1(I,Secret, Kir);
claim_I2(I,Niagree);
claim_I3(I,Nisynch);
claim_I4(I,Empty, (Fresh, Kir));
}
role R
{
var Ni,Mi: Nonce;
const Nr,Nc,Mr: Nonce;
var Kir: SessionKey;
const Kbb: TicketKey;
const Tr: TimeStamp;
var T: Ticket;
read_1(I,R, Ni, I);
send_2(R,S, Ni, I, Nr, R );
read_3(S,R, { Nr, I, Kir }k(R,S), T );
send_4(R,I, T, { Tr, I, Kir }Kbb, Nc, {Ni}Kir );
read_5(I,R, { Nc }Kir );
read_6(I,R, Mi,{ Tr, I, Kir }Kbb );
send_7(R,I, Mr,{Mi}Kir );
read_8(I,R, {Mr}Kir );
claim_R1(R,Secret, Kir);
claim_R2(R,Niagree);
claim_R3(R,Nisynch);
claim_R4(R,Empty,(Fresh,Kir));
}
role S
{
var Ni, Nr: Nonce;
const Kir: SessionKey;
read_2(R,S, Ni, I, Nr, R );
send_3(S,R, { Nr, I, Kir }k(R,S), { Ni,R,Kir }k(I,S) );
}
}

66
protocols/SPORE/needham-schroeder-lowe.spdl Normal file
View File

@@ -0,0 +1,66 @@
# Lowe's fixed version of Needham Schroeder Public Key
#
# Modelled after the description in the SPORE library
# http://www.lsv.ens-cachan.fr/spore/nspkLowe.html
#
#
# Note:
# The modelling in SPORE includes a server to distribute the public keys
# of the agents, this is not necessary and it allows for attacks against
# synchronisation and agreement, because the keys that the server sends
# out can be replayed.
secret pk: Function; # For some reason SPORE models it such that the agents
# do not know the public keys of the other agents
secret sk: Function;
inversekeys(pk,sk);
protocol needhamschroederpk-Lowe(I,R,S)
{
role I
{
const Ni: Nonce;
var Nr: Nonce;
send_1(I,S, (I,R));
read_2(S,I, {pk(R), R}sk(S));
send_3(I,R,{Ni,I}pk(R));
read_6(R,I, {Ni,Nr,R}pk(I));
send_7(I,R, {Nr}pk(R));
claim_I1(I,Secret,Ni);
claim_I2(I,Secret,Nr);
claim_I3(I,Nisynch);
}
role R
{
const Nr: Nonce;
var Ni: Nonce;
read_3(I,R,{Ni,I}pk(R));
send_4(R,S,(R,I));
read_5(S,R,{pk(I),I}sk(S));
send_6(R,I,{Ni,Nr,R}pk(I));
read_7(I,R,{Nr}pk(R));
claim_R1(R,Secret,Nr);
claim_R2(R,Secret,Ni);
claim_R3(R,Nisynch);
}
role S
{
read_1(I,S,(I,R));
send_2(S,I,{pk(R),R}sk(S));
read_4(R,S,(R,I));
send_5(S,R,{pk(I),I}sk(S));
}
}
const Alice,Bob,Simon,Eve: Agent;
untrusted Eve;
const ne: Nonce;
compromised sk(Eve);
compromised pk(Eve);
compromised pk(Simon); # Needed because of the way SPORE models nsl

97
protocols/SPORE/needham-schroeder-sk-amend.spdl Normal file
View File

@@ -0,0 +1,97 @@
# Amended Needham Schroeder Symmetric Key
#
# Modelled after the description in the SPORE library
# http://www.lsv.ens-cachan.fr/spore/nssk_amended.html
#
#
# Note:
# According to SPORE there are no attacks on this protocol, scyther
# finds one however. This has to be investigated further.
secret k: Function;
# Model dec that is invertible by inc
const dec,inc: Function;
inversekeys(dec,inc);
usertype SessionKey;
const Fresh: Function;
const Compromised: Function;
protocol needhamschroedersk-amend^KeyCompromise(C)
{
// Read the names of 3 agents and disclose a session between them including
// corresponding session key to simulate key compromise
role C {
const Ni,Nr: Nonce;
const Kir: SessionKey;
var I,R,S: Agent;
read_!C1(C,C, I,R,S);
send_!C2(C,C, I,
{I,Nr}k(R,S),
I,R,Ni,{I,Nr}k(R,S),
{Ni,R,Kir,{Kir,Nr,I}k(R,S)}k(I,S),
{Kir,Nr,I}k(R,S),
{Nr}Kir,
{{Nr}dec}Kir,
Kir
);
claim_C3(C,Empty, (Compromised,Kir));
}
}
protocol needhamschroedersk-amend(I,R,S)
{
role I
{
const Ni: Nonce;
var Nr: Nonce;
var Kir: SessionKey;
var T,T2: Ticket;
send_1(I,R,I);
read_2(R,I,T);
send_3(I,S,(I,R,Ni,T));
read_4(S,I, {Ni,R,Kir,T2}k(I,S));
send_5(I,R,T2);
read_6(R,I,{Nr}Kir);
send_7(I,R,{{Nr}dec}Kir);
claim_I2(I,Secret,Kir);
claim_I3(I,Nisynch);
claim_I4(I,Empty,(Fresh,Kir));
}
role R
{
const Nr: Nonce;
var Kir: SessionKey;
read_1(I,R,I);
send_2(R,I,{I,Nr}k(R,S));
read_5(I,R,{Kir,Nr,I}k(R,S));
send_6(R,I,{Nr}Kir);
read_7(I,R,{{Nr}dec}Kir);
claim_R1(R,Secret,Nr);
claim_R3(R,Nisynch);
claim_R4(R,Empty,(Fresh,Kir));
}
role S
{
var Ni,Nr: Nonce;
const Kir: SessionKey;
read_3(I,S,(I,R,Ni,{I,Nr}k(R,S)));
send_4(S,I,{Ni,R,Kir,{Kir,Nr,I}k(R,S)}k(I,S));
}
}
const Alice,Bob,Simon,Eve: Agent;
untrusted Eve;
const ne: Nonce;
compromised k(Eve,Simon);

84
protocols/SPORE/needham-schroeder-sk.spdl Normal file
View File

@@ -0,0 +1,84 @@
# Needham Schroeder Symmetric Key
#
# Modelled after the description in the SPORE library
# http://www.lsv.ens-cachan.fr/spore/nssk.html
#
#
secret k: Function;
# Model dec that is invertible by inc
const dec,inc: Function;
inversekeys(dec,inc);
usertype SessionKey;
const Fresh: Function;
const Compromised: Function;
protocol needhamschroedersk^KeyCompromise(C)
{
// Read the names of 3 agents and disclose a session between them including
// corresponding session key to simulate key compromise
role C {
const Ni,Nr: Nonce;
const Kir: SessionKey;
var I,R,S: Agent;
read_!C1(C,C, I,R,S);
send_!C2(C,C, (I,R,Ni),
{Ni,R,Kir,{Kir,I}k(R,S)}k(I,S),
{Kir,I}k(R,S),
{Nr}Kir,
{{Nr}dec}Kir,
Kir
);
claim_C3(C,Empty, (Compromised,Kir));
}
}
protocol needhamschroedersk(I,R,S)
{
role I
{
const Ni: Nonce;
var Nr: Nonce;
var Kir: SessionKey;
var T: Ticket;
send_1(I,S,(I,R,Ni));
read_2(S,I, {Ni,R,Kir,T}k(I,S));
send_3(I,R,T);
read_4(R,I,{Nr}Kir);
send_5(I,R,{{Nr}dec}Kir);
claim_I2(I,Secret,Kir);
claim_I3(I,Nisynch);
claim_I4(I,Empty,(Fresh,Kir));
}
role R
{
const Nr: Nonce;
var Kir: SessionKey;
read_3(I,R,{Kir,I}k(R,S));
send_4(R,I,{Nr}Kir);
read_5(I,R,{{Nr}dec}Kir);
claim_R1(R,Secret,Kir);
claim_R3(R,Nisynch);
claim_R4(R,Empty,(Fresh,Kir));
}
role S
{
var Ni: Nonce;
const Kir: SessionKey;
read_1(I,S,(I,R,Ni));
send_2(S,I,{Ni,R,Kir,{Kir,I}k(R,S)}k(I,S));
}
}
const Alice,Bob,Simon,Eve: Agent;
untrusted Eve;
const ne: Nonce;
compromised k(Eve,Simon);

67
protocols/SPORE/needham-schroeder.spdl Normal file
View File

@@ -0,0 +1,67 @@
# Needham Schroeder Public Key
#
# Modelled after the description in the SPORE library
# http://www.lsv.ens-cachan.fr/spore/nspk.html
#
#
# Note:
# The modelling in SPORE includes a server to distribute the public keys
# of the agents, this is not necessary and it allows for attacks against
# synchronisation and agreement, because the keys that the server sends
# out can be replayed.
secret pk: Function; # For some reason SPORE models it such that the agents
# do not know the public keys of the other agents
secret sk: Function;
inversekeys(pk,sk);
protocol needhamschroederpk(I,R,S)
{
role I
{
const Ni: Nonce;
var Nr: Nonce;
send_1(I,S,(I,R));
read_2(S,I, {pk(R), R}sk(S));
send_3(I,R,{Ni,I}pk(R));
read_6(R,I, {Ni, Nr}pk(I));
send_7(I,R, {Nr}pk(R));
claim_I1(I,Secret,Ni);
claim_I2(I,Secret,Nr);
claim_I3(I,Nisynch);
}
role R
{
const Nr: Nonce;
var Ni: Nonce;
read_3(I,R,{Ni,I}pk(R));
send_4(R,S,(R,I));
read_5(S,R,{pk(I),I}sk(S));
send_6(R,I,{Ni,Nr}pk(I));
read_7(I,R,{Nr}pk(R));
claim_R1(R,Secret,Nr);
claim_R2(R,Secret,Ni);
claim_R3(R,Nisynch);
}
role S
{
read_1(I,S,(I,R));
send_2(S,I,{pk(R),R}sk(S));
read_4(R,S,(R,I));
send_5(S,R,{pk(I),I}sk(S));
}
}
const Alice,Bob,Simon,Eve: Agent;
untrusted Eve;
const ne: Nonce;
compromised sk(Eve);
compromised pk(Eve);
compromised pk(Simon); # Needed because SPORE only assumes agents know their
# own public key and that of the server

112
protocols/SPORE/neumannstub-guttman-hwang.spdl Normal file
View File

@@ -0,0 +1,112 @@
# Neumann Stubblebine
#
# Modelled after the description in the SPORE library
# http://www.lsv.ens-cachan.fr/spore/neumannStubblebine.html
#
# Note:
# In SPORE this protocol is not described correctly, there are in fact 2
# different protocols (the key establishment protocol and the repeated
# authentication protocol)
usertype Server, SessionKey, TimeStamp, TicketKey;
usertype ExpiredTimeStamp;
secret k: Function;
const Alice, Bob, Simon, Eve: Agent;
const Fresh: Function;
const Compromised: Function;
const ne: Nonce;
const kee: SessionKey;
untrusted Eve;
compromised k(Eve,Simon);
protocol neustub-GuttmanHwang^Repeat(I,R,S)
{
const Kir: SessionKey;
role I
{
const Mi: Nonce;
var Mr: Nonce;
const Kir: SessionKey;
const Tr: TimeStamp;
send_5(I,R,Mi,{I,Kir,Tr}k(R,S));
read_6(R,I,{Mi,Mr}Kir);
send_7(I,R,{I,Mr}Kir);
claim_I1(I,Secret, Kir);
claim_I2(I,Niagree);
claim_I3(I,Nisynch);
claim_I4(I,Empty,(Fresh,Kir));
}
role R
{
const Mr: Nonce;
var Tr: TimeStamp;
var Kir: SessionKey;
var Mi: Nonce;
read_5(I,R,Mi,{I,Kir,Tr}k(R,S));
send_6(R,I,{Mi,Mr}Kir);
read_7(I,R,{I,Mr}Kir);
claim_R1(R,Secret, Kir);
claim_R2(R,Niagree);
claim_R3(R,Nisynch);
claim_R4(R,Empty,(Fresh,Kir));
}
role S
{
}
}
protocol neustub-GuttmanHwang(I,R,S)
{
role I
{
const Ni: Nonce;
var Nr: Nonce;
var T: Ticket;
var Tb: TimeStamp;
var Kir: SessionKey;
send_1(I,R, I, Ni);
read_!3(S,I, { R,Ni,Kir,Tb}k(I,S), T, Nr);
send_!4(I,R,T,{Nr}Kir);
claim_I1(I,Secret, Kir);
claim_I2(I,Niagree);
claim_I3(I,Nisynch);
claim_I4(I,Empty,(Fresh,Kir));
}
role R
{
var Ni,Mi: Nonce;
const Nr,Mr: Nonce;
var Kir: SessionKey;
const Tb: TimeStamp;
var T: Ticket;
read_1(I,R, I, Ni);
send_!2(R,S, R, {I, Ni, Tb ,Nr}k(R,S));
read_!4(I,R,{I,Kir,Tb}k(R,S),{Nr}Kir);
claim_R1(R,Secret, Kir);
claim_R2(R,Niagree);
claim_R3(R,Nisynch);
claim_R4(R,Empty,(Fresh,Kir));
}
role S
{
var Ni, Nr: Nonce;
const Kir: SessionKey;
var Tb: TimeStamp;
read_!2(R,S, R, {I,Ni,Tb,Nr}k(R,S));
send_!3(S,I, { R, Ni, Kir, Tb}k(I,S), { I,Kir,Tb}k(R,S),Nr );
}
}

112
protocols/SPORE/neumannstub-guttman.spdl Normal file
View File

@@ -0,0 +1,112 @@
# Neumann Stubblebine
#
# Modelled after the description in the SPORE library
# http://www.lsv.ens-cachan.fr/spore/neumannStubblebine.html
#
# Note:
# In SPORE this protocol is not described correctly, there are in fact 2
# different protocols (the key establishment protocol and the repeated
# authentication protocol)
usertype Server, SessionKey, TimeStamp, TicketKey;
usertype ExpiredTimeStamp;
secret k: Function;
const Alice, Bob, Simon, Eve: Agent;
const Fresh: Function;
const Compromised: Function;
const ne: Nonce;
const kee: SessionKey;
untrusted Eve;
compromised k(Eve,Simon);
protocol neustub^Repeat(I,R,S)
{
const Kir: SessionKey;
role I
{
const Mi: Nonce;
var Mr: Nonce;
const Kir: SessionKey;
const Tr: TimeStamp;
send_5(I,R,Mi,{I,Kir,Tr}k(R,S));
read_6(R,I,{Mi,Mr}Kir);
send_7(I,R,{I,Mr}Kir);
claim_I1(I,Secret, Kir);
claim_I2(I,Niagree);
claim_I3(I,Nisynch);
claim_I4(I,Empty,(Fresh,Kir));
}
role R
{
const Mr: Nonce;
var Tr: TimeStamp;
var Kir: SessionKey;
var Mi: Nonce;
read_5(I,R,Mi,{I,Kir,Tr}k(R,S));
send_6(R,I,{Mi,Mr}Kir);
read_7(I,R,{I,Mr}Kir);
claim_R1(R,Secret, Kir);
claim_R2(R,Niagree);
claim_R3(R,Nisynch);
claim_R4(R,Empty,(Fresh,Kir));
}
role S
{
}
}
protocol neustub(I,R,S)
{
role I
{
const Ni: Nonce;
var Nr: Nonce;
var T: Ticket;
var Tb: TimeStamp;
var Kir: SessionKey;
send_1(I,R, I, Ni);
read_!3(S,I, { R,Ni,Kir,Tb}k(I,S), T, Nr);
send_4(I,R,T,{Nr}Kir);
claim_I1(I,Secret, Kir);
claim_I2(I,Niagree);
claim_I3(I,Nisynch);
claim_I4(I,Empty,(Fresh,Kir));
}
role R
{
var Ni,Mi: Nonce;
const Nr,Mr: Nonce;
var Kir: SessionKey;
const Tb: TimeStamp;
var T: Ticket;
read_1(I,R, I, Ni);
send_!2(R,S, R, {I, Ni, Tb}k(R,S),Nr);
read_4(I,R,{I,Kir,Tb}k(R,S),{Nr}Kir);
claim_R1(R,Secret, Kir);
claim_R2(R,Niagree);
claim_R3(R,Nisynch);
claim_R4(R,Empty,(Fresh,Kir));
}
role S
{
var Ni, Nr: Nonce;
const Kir: SessionKey;
var Tb: TimeStamp;
read_!2(R,S, R, {I,Ni,Tb}k(R,S), Nr);
send_!3(S,I, { R, Ni, Kir, Tb}k(I,S), { I,Kir,Tb}k(R,S),Nr );
}
}

104
protocols/SPORE/neumannstub-hwang.spdl Normal file
View File

@@ -0,0 +1,104 @@
# Hwang modified Neumann Stubblebine
#
# Modelled after the description in the SPORE library
# http://www.lsv.ens-cachan.fr/spore/neumannStubblebineHwang.html
#
# Note:
# According to SPORE there are no attacks on this protocol, scyther
# finds one however. This has to be investigated further.
usertype Server, SessionKey, TimeStamp, TicketKey;
usertype ExpiredTimeStamp;
secret k: Function;
const a, b, e: Agent;
const s: Server;
const Fresh: Function;
const Compromised: Function;
const ne: Nonce;
const kee: SessionKey;
untrusted e;
compromised k(e,s);
protocol neustub-Hwang^KeyCompromise(C)
{
// Read the names of 3 agents and disclose a session between them including
// corresponding session key to simulate key compromise
role C {
const Ni,Nr,Mi,Mr: Nonce;
const Kir: SessionKey;
const Tr: ExpiredTimeStamp;
var I,R,S: Agent;
read_!C1(C,C, I,R,S);
send_!C2(C,C, I,Ni,
R,{I,Ni,Tr,Nr}k(R,S),
{R,Ni,Kir,Tr}k(I,S),
{I,Kir,Tr}k(R,S), Nr,
{Nr}Kir,
Mi,{I,Kir,Tr}k(R,S),
Mr,{Mi}Kir,
{Mr}Kir,
Kir
);
claim_C3(C,Empty, (Compromised,Kir));
}
}
protocol neustub-Hwang(I,R,S)
{
role I
{
const Ni,Mi: Nonce;
var Nr,Mr: Nonce;
var T: Ticket;
var Tb: TimeStamp;
var Kir: SessionKey;
send_1(I,R, I, Ni);
read_!3(S,I, { R,Ni,Kir,Tb}k(I,S), T, Nr);
send_4(I,R,T,{Nr}Kir);
send_5(I,R,Mi,T);
read_6(R,I,Mr,{Mi}Kir);
send_7(I,R,{Mr}Kir);
claim_I1(I,Secret, Kir);
claim_I2(I,Niagree);
claim_I3(I,Nisynch);
claim_I4(I,Empty,(Fresh,Kir));
}
role R
{
var Ni,Mi: Nonce;
const Nr,Mr: Nonce;
var Kir: SessionKey;
const Tb: TimeStamp;
var T: Ticket;
read_1(I,R, I, Ni);
send_!2(R,S, R, {I, Ni, Tb, Nr}k(R,S));
read_4(I,R,{I,Kir,Tb}k(R,S),{Nr}Kir);
read_5(I,R,Mi,T);
send_6(R,I,Mr,{Mi}Kir);
read_7(I,R,{Mr}Kir);
claim_R1(R,Secret, Kir);
claim_R2(R,Niagree);
claim_R3(R,Nisynch);
claim_R4(R,Empty,(Fresh,Kir));
}
role S
{
var Ni, Nr: Nonce;
const Kir: SessionKey;
var Tb: TimeStamp;
read_!2(R,S, R, {I,Ni,Tb,Nr}k(R,S));
send_!3(S,I, { R, Ni, Kir, Tb}k(I,S), { I,Kir,Tb}k(R,S),Nr );
}
}

137
protocols/SPORE/neumannstub-keycompromise.spdl Normal file
View File

@@ -0,0 +1,137 @@
# Neumann Stubblebine
#
# Modelled after the description in the SPORE library
# http://www.lsv.ens-cachan.fr/spore/neumannStubblebine.html
#
# Note:
# In SPORE this protocol is not described correctly, there are in fact 2
# different protocols (the key establishment protocol and the repeated
# authentication protocol)
usertype Server, SessionKey, TimeStamp, TicketKey;
usertype ExpiredTimeStamp;
secret k: Function;
const Alice, Bob, Simon, Eve: Agent;
const Fresh: Function;
const Compromised: Function;
const ne: Nonce;
const kee: SessionKey;
untrusted Eve;
compromised k(Eve,Simon);
protocol neustub^KeyCompromise(C)
{
// Read the names of 3 agents and disclose a session between them including
// corresponding session key to simulate key compromise
role C {
const Ni,Nr,Mi,Mr: Nonce;
const Kir: SessionKey;
const Tr: ExpiredTimeStamp;
var I,R,S: Agent;
read_!C1(C,C, I,R,S);
send_!C2(C,C, I,Ni,
R,{I,Ni,Tr}k(R,S),Nr,
{R,Ni,Kir,Tr}k(I,S),
{I,Kir,Tr}k(R,S), Nr,
{Nr}Kir,
Mi,{I,Kir,Tr}k(R,S),
Mr,{Mi}Kir,
{Mr}Kir,
Kir
);
claim_C3(C,Empty, (Compromised,Kir));
}
}
protocol neustub^Repeat(I,R,S)
{
const Kir: SessionKey;
role I
{
const Mi: Nonce;
var Mr: Nonce;
const Kir: SessionKey;
const Tr: TimeStamp;
send_5(I,R,Mi,{I,Kir,Tr}k(R,S));
read_6(R,I,Mr,{Mi}Kir);
send_7(I,R,{Mr}Kir);
claim_I1(I,Secret, Kir);
claim_I2(I,Niagree);
claim_I3(I,Nisynch);
claim_I4(I,Empty,(Fresh,Kir));
}
role R
{
const Mr: Nonce;
var Tr: TimeStamp;
var Kir: SessionKey;
var Mi: Nonce;
read_5(I,R,Mi,{I,Kir,Tr}k(R,S));
send_6(R,I,Mr,{Mi}Kir);
read_7(I,R,{Mr}Kir);
claim_R1(R,Secret, Kir);
claim_R2(R,Niagree);
claim_R3(R,Nisynch);
claim_R4(R,Empty,(Fresh,Kir));
}
role S
{
}
}
protocol neustub(I,R,S)
{
role I
{
const Ni: Nonce;
var Nr: Nonce;
var T: Ticket;
var Tb: TimeStamp;
var Kir: SessionKey;
send_1(I,R, I, Ni);
read_3(S,I, { R,Ni,Kir,Tb}k(I,S), T, Nr);
send_4(I,R,T,{Nr}Kir);
claim_I1(I,Secret, Kir);
claim_I2(I,Niagree);
claim_I3(I,Nisynch);
claim_I4(I,Empty,(Fresh,Kir));
}
role R
{
var Ni,Mi: Nonce;
const Nr,Mr: Nonce;
var Kir: SessionKey;
const Tb: TimeStamp;
var T: Ticket;
read_1(I,R, I, Ni);
send_2(R,S, R, {I, Ni, Tb}k(R,S),Nr);
read_4(I,R,{I,Kir,Tb}k(R,S),{Nr}Kir);
claim_R1(R,Secret, Kir);
claim_R2(R,Niagree);
claim_R3(R,Nisynch);
claim_R4(R,Empty,(Fresh,Kir));
}
role S
{
var Ni, Nr: Nonce;
const Kir: SessionKey;
var Tb: TimeStamp;
read_2(R,S, R, {I,Ni,Tb}k(R,S), Nr);
send_3(S,I, { R, Ni, Kir, Tb}k(I,S), { I,Kir,Tb}k(R,S),Nr );
}
}

106
protocols/SPORE/neumannstub.spdl Normal file
View File

@@ -0,0 +1,106 @@
# Neumann Stubblebine
#
# Modelled after the description in the SPORE library
# http://www.lsv.ens-cachan.fr/spore/neumannStubblebine.html
#
# Note:
# In SPORE this protocol is not described correctly, there are in fact 2
# different protocols (the key establishment protocol and the repeated
# authentication protocol)
usertype Server, SessionKey, TimeStamp, TicketKey;
usertype ExpiredTimeStamp;
secret k: Function;
const Alice, Bob, Simon, Eve: Agent;
const ne: Nonce;
const kee: SessionKey;
untrusted Eve;
compromised k(Eve,Simon);
protocol neustub^Repeat(I,R,S)
{
const Kir: SessionKey;
role I
{
const Mi: Nonce;
var Mr: Nonce;
const Kir: SessionKey;
const Tr: TimeStamp;
send_5(I,R,Mi,{I,Kir,Tr}k(R,S));
read_6(R,I,Mr,{Mi}Kir);
send_7(I,R,{Mr}Kir);
claim_I1(I,Secret, Kir);
claim_I2(I,Niagree);
claim_I3(I,Nisynch);
}
role R
{
const Mr: Nonce;
var Tr: TimeStamp;
var Kir: SessionKey;
var Mi: Nonce;
read_5(I,R,Mi,{I,Kir,Tr}k(R,S));
send_6(R,I,Mr,{Mi}Kir);
read_7(I,R,{Mr}Kir);
claim_R1(R,Secret, Kir);
claim_R2(R,Niagree);
claim_R3(R,Nisynch);
}
role S
{
}
}
protocol neustub(I,R,S)
{
role I
{
const Ni: Nonce;
var Nr: Nonce;
var T: Ticket;
var Tb: TimeStamp;
var Kir: SessionKey;
send_1(I,R, I, Ni);
read_!3(S,I, { R,Ni,Kir,Tb}k(I,S), T, Nr);
send_4(I,R,T,{Nr}Kir);
claim_I1(I,Secret, Kir);
claim_I2(I,Niagree);
claim_I3(I,Nisynch);
}
role R
{
var Ni,Mi: Nonce;
const Nr,Mr: Nonce;
var Kir: SessionKey;
const Tb: TimeStamp;
var T: Ticket;
read_1(I,R, I, Ni);
send_!2(R,S, R, {I, Ni, Tb}k(R,S),Nr);
read_4(I,R,{I,Kir,Tb}k(R,S),{Nr}Kir);
claim_R1(R,Secret, Kir);
claim_R2(R,Niagree);
claim_R3(R,Nisynch);
}
role S
{
var Ni, Nr: Nonce;
const Kir: SessionKey;
var Tb: TimeStamp;
read_!2(R,S, R, {I,Ni,Tb}k(R,S), Nr);
send_!3(S,I, { R, Ni, Kir, Tb}k(I,S), { I,Kir,Tb}k(R,S),Nr );
}
}

82
protocols/SPORE/otwayrees.spdl Normal file
View File

@@ -0,0 +1,82 @@
# Otway Rees
#
# Modelled after the description in the SPORE library
# http://www.lsv.ens-cachan.fr/spore/otwayRees.html
#
secret const k : Function;
const Fresh: Function;
const Compromised: Function;
usertype String,SessionKey;
protocol otwayRees^KeyCompromise(C)
{
// Read the names of 3 agents and disclose a session between them including
// corresponding session key to simulate key compromise
role C {
const Ni,Nr: Nonce;
const M: String;
const Kir: SessionKey;
var I,R,S: Agent;
read_!C1(C,C, I,R,S);
send_!C2(C,C, M,I,R,{Ni,M,I,R}k(I,S),
{Nr,M,I,R}k(R,S),
{Ni,Kir}k(I,S), {Nr,Kir}k(R,S),
Kir
);
claim_C3(C,Empty, (Compromised,Kir));
}
}
protocol otwayrees(I,R,S)
{
role I
{
const Ni : Nonce;
const M : String;
var Kir : SessionKey;
send_1(I,R, M,I,R,{Ni,M,I,R}k(I,S) );
read_4(R,I, M,{Ni,Kir}k(I,S) );
claim_I1(I, Secret,Kir);
claim_I2(I, Nisynch);
claim_I3(I, Empty, (Fresh,Kir));
}
role R
{
var M : String;
const Nr : Nonce;
var Kir : SessionKey;
var T1,T2: Ticket;
read_1(I,R, M,I,R, T1 );
send_2(R,S, M,I,R, T1, { Nr,M,I,R }k(R,S) );
read_3(S,R, M, T2, { Nr,Kir }k(R,S) );
send_4(R,I, M, T2 );
claim_R1(R, Secret,Kir);
claim_R2(R, Nisynch);
claim_R3(R, Empty, (Fresh,Kir));
}
role S
{
var Ni,Nr : Nonce;
var M : String;
const Kir : SessionKey;
read_2(R,S, M,I,R, { Ni,M,I,R}k(I,S), { Nr,M,I,R }k(R,S) );
send_3(S,R, M, { Ni,Kir }k(I,S) , { Nr,Kir }k(R,S) );
}
}
const Alice, Bob, Eve, Simon: Agent;
untrusted Eve;
compromised k(Eve,Simon);

54
protocols/SPORE/smartright.spdl Normal file
View File

@@ -0,0 +1,54 @@
# SmartRight view-only
#
# Modelled after the description in the SPORE library
# http://www.lsv.ens-cachan.fr/spore/smartright_viewonly.html
#
# Note:
# According to SPORE there are no known attacks on this protocol
#
# Note:
# Scyther finds an attack because the value of VoR in te last message can
# be replaced with an arbitrary value
const hash: Function;
secret unhash: Function;
secret k: Function;
inversekeys (hash,unhash);
usertype SessionKey;
usertype XorKey;
const Vor: XorKey;
protocol smartright(I,R)
{
role I
{
const VoKey: SessionKey;
const VoR: XorKey;
const CW;
var VoRi: Nonce;
send_1(I,R, {VoKey,{CW}VoR}k(I,R));
read_2(R,I, VoRi);
send_3(I,R, VoR, {{VoRi}hash}VoKey);
}
role R
{
var T: Ticket;
var VoR: XorKey;
var VoKey: SessionKey;
const VoRi: Nonce;
read_1(I,R, {VoKey,T}k(I,R));
send_2(R,I, VoRi);
read_3(I,R, VoR,{{VoRi}hash}VoKey);
claim_R1(R,Nisynch);
}
}
const Alice,Bob,Eve: Agent;
untrusted Eve;
const ne: Nonce;

75
protocols/SPORE/splice-as-cj.spdl Normal file
View File

@@ -0,0 +1,75 @@
# Clark and Jacob modified Hwang and Chen modified SPLICE/AS
#
# Modelled after the description in the SPORE library
# http://www.lsv.ens-cachan.fr/spore/spliceas3.html
#
# Note:
# The assumptions made here do not comply with those in SPORE
# SPORE assumes that the agents do not know the pk function, but only
# their own public key values.
# This can currently not be modelled.
usertype TimeStamp, LifeTime;
const pk: Function;
secret sk: Function;
inversekeys (pk,sk);
const inc,dec: Function;
inversekeys (inc,dec);
protocol spliceAS-CJ(I,R,S)
{
role I
{
const N1,N2: Nonce;
const T: TimeStamp;
const L: LifeTime;
send_1(I,S, I, R, N1 );
read_2(S,I, S, {S, I, N1, R, pk(R)}sk(S) );
send_3(I,R, I, R, {T, L, {I, N2}pk(R)}sk(I) );
read_6(R,I, R, I, {{N2}inc}pk(I) );
claim_7(I, Secret, N2);
claim_9(I, Niagree);
claim_10(I, Nisynch);
}
role S
{
var N1,N3: Nonce;
read_1(I,S, I, R, N1 );
send_2(S,I, S, {S, I, N1, R, pk(R)}sk(S) );
read_4(R,S, R, I, N3 );
send_5(S,R, S, {S, R, N3, pk(I)}sk(S) );
}
role R
{
const N3: Nonce;
var N2: Nonce;
var T: TimeStamp;
var L: LifeTime;
var ni: Nonce;
const nr: Nonce;
read_3(I,R, I, R, {T, L, {I, N2}pk(R)}sk(I) );
send_4(R,S, R, I, N3 );
read_5(S,R, S, {S, R, N3, pk(I)}sk(S) );
send_6(R,I, R, I, {{N2}inc}pk(I) );
claim_8(R, Secret, N2);
claim_11(R, Niagree);
claim_12(R, Nisynch);
}
}
const Alice,Bob,Simon,Eve: Agent;
untrusted Eve;
const ne: Nonce;
compromised sk(Eve);

72
protocols/SPORE/splice-as-hc.spdl Normal file
View File

@@ -0,0 +1,72 @@
# Hwang and Chen Modified SPLICE/AS
#
# Modelled after the description in the SPORE library
# http://www.lsv.ens-cachan.fr/spore/spliceas2.html
#
usertype TimeStamp, LifeTime;
const pk: Function;
secret sk: Function;
inversekeys (pk,sk);
const inc,dec: Function;
inversekeys (inc,dec);
protocol spliceAS-HC(I,R,S)
{
role I
{
const N1,N2: Nonce;
const T: TimeStamp;
const L: LifeTime;
send_1(I,S, I, R, N1 );
read_2(S,I, S, {S, I, N1, R, pk(R)}sk(S) );
send_3(I,R, I, R, {I, T, L, {N2}pk(R)}sk(I) );
read_6(R,I, R, I, {R, {N2}inc}pk(I) );
claim_7(I, Secret, N2);
claim_9(I, Niagree);
claim_10(I, Nisynch);
}
role S
{
var N1,N3: Nonce;
read_1(I,S, I, R, N1 );
send_2(S,I, S, {S, I, N1, R, pk(R)}sk(S) );
read_4(R,S, R, I, N3 );
send_5(S,R, S, {S, R, N3, I, pk(I)}sk(S) );
}
role R
{
const N3: Nonce;
var N2: Nonce;
var T: TimeStamp;
var L: LifeTime;
var ni: Nonce;
const nr: Nonce;
read_3(I,R, I, R, {I, T, L, {N2}pk(R)}sk(I) );
send_4(R,S, R, I, N3 );
read_5(S,R, S, {S, R, N3, I, pk(I)}sk(S) );
send_6(R,I, R, I, {R, {N2}inc}pk(I) );
claim_8(R, Secret, N2);
claim_11(R, Niagree);
claim_12(R, Nisynch);
}
}
const Alice,Bob,Simon,Eve: Agent;
untrusted Eve;
const ne: Nonce;
compromised sk(Eve);

75
protocols/SPORE/splice-as.spdl Normal file
View File

@@ -0,0 +1,75 @@
# SPLICE/AS
#
# Modelled after the description in the SPORE library
# http://www.lsv.ens-cachan.fr/spore/spliceas.html
#
# Note:
# The assumptions made here do not comply with those in SPORE
# SPORE assumes that the agents do not know the pk function, but only
# their own public key values.
# This can currently not be modelled.
usertype TimeStamp, LifeTime;
const pk: Function;
secret sk: Function;
inversekeys (pk,sk);
const inc,dec: Function;
inversekeys (inc,dec);
protocol spliceAS(I,R,S)
{
role I
{
const N1,N2: Nonce;
const T: TimeStamp;
const L: LifeTime;
send_1(I,S, I, R, N1 );
read_2(S,I, S, {S, I, N1, pk(R)}sk(S) );
send_3(I,R, I, R, {I, T, L, {N2}pk(R)}sk(I) );
read_6(R,I, R, I, {R, {N2}inc}pk(I) );
claim_7(I, Secret, N2);
claim_9(I, Niagree);
claim_10(I, Nisynch);
}
role S
{
var N1,N3: Nonce;
read_1(I,S, I, R, N1 );
send_2(S,I, S, {S, I, N1, pk(R)}sk(S) );
read_4(R,S, R, I, N3 );
send_5(S,R, S, {S, R, N3, pk(I)}sk(S) );
}
role R
{
const N3: Nonce;
var N2: Nonce;
var T: TimeStamp;
var L: LifeTime;
var ni: Nonce;
const nr: Nonce;
read_3(I,R, I, R, {I, T, L, {N2}pk(R)}sk(I) );
send_4(R,S, R, I, N3 );
read_5(S,R, S, {S, R, N3, pk(I)}sk(S) );
send_6(R,I, R, I, {R, {N2}inc}pk(I) );
claim_8(R, Secret, N2);
claim_11(R, Niagree);
claim_12(R, Nisynch);
}
}
const Alice,Bob,Simon,Eve: Agent;
untrusted Eve;
const ne: Nonce;
compromised sk(Eve);

82
protocols/SPORE/tmn.spdl Normal file
View File

@@ -0,0 +1,82 @@
# TMN
#
# Modelled after the description in the SPORE library
# http://www.lsv.ens-cachan.fr/spore/tmn.html
#
# Note:
# According to Boyd and Mathuria Kb is the session key this is not clear
# from the description in SPORE
usertype SessionKey;
const pk: Function;
secret sk: Function;
inversekeys(pk,sk);
const Fresh: Function;
const Compromised: Function;
protocol tmn^KeyCompromise(C)
{
// Read the names of 3 agents and disclose a session between them including
// corresponding session key to simulate key compromise
role C {
const Ni,Nr: Nonce;
const Kr,Ki: SessionKey;
var I,R,S: Agent;
read_!C1(C,C, I,R,S);
send_!C2(C,C, R,{Ki}pk(S),
I, {Kr}pk(S),
{Kr}Ki,
Kr
);
claim_C3(C,Empty, (Compromised,Kr));
}
}
protocol tmn(I,R,S)
{
role I
{
const Ki: SessionKey;
var Kr: SessionKey;
send_1(I,S, R,{Ki}pk(S) );
read_4(S,I, R,{Kr}Ki );
claim_I1(I,Secret,Kr);
claim_I2(I,Nisynch);
claim_I3(I,Empty,(Fresh,Kr));
}
role R
{
const Kr: SessionKey;
read_2(S,R, I );
send_3(R,S, I, { Kr }pk(S) );
claim_R1(R,Secret,Kr);
claim_R2(R,Nisynch);
claim_R3(R,Empty,(Fresh,Kr));
}
role S
{
var Ki,Kr: SessionKey;
read_1(I,S, R,{Ki}pk(S) );
send_2(S,R, I );
read_3(R,S, I, { Kr }pk(S) );
send_4(S,I, R,{Kr}Ki );
}
}
const Alice,Bob,Eve,Simon: Agent;
const Ke: SessionKey;
untrusted Eve;
compromised sk(Eve);

96
protocols/SPORE/wmf-lowe.spdl Normal file
View File

@@ -0,0 +1,96 @@
# Lowe modified Wide Mouthed Frog
#
# Modelled after the description in the SPORE library
# http://www.lsv.ens-cachan.fr/spore/wideMouthedFrogLowe.html
#
# Note:
# According to SPORE there are no known attacks on this protocol, scyther
# finds one however this has to do with the unusual assumption that every
# agent can recognise and will reject to read messages that it has created
# itself.
usertype SessionKey;
usertype TimeStamp;
usertype ExpiredTimeStamp;
const succ,pred: Function;
inversekeys (succ,pred);
const Fresh: Function;
const Compromised: Function;
secret k: Function;
protocol wmf-Lowe^KeyCompromise(C)
{
// Read the names of 3 agents and disclose a session between them including
// corresponding session key to simulate key compromise
role C {
const Ni,Nr: Nonce;
const Kir: SessionKey;
const Ti,Ts: ExpiredTimeStamp;
var I,R,S: Agent;
read_!C1(C,C, I,R,S);
send_!C2(C,C, I, {I,Ti,R,Kir}k(I,S),
{S,Ts,I,Kir}k(R,S),
{R,Nr}Kir,
{I,{Nr}succ}Kir,
Kir
);
claim_C3(C,Empty, (Compromised,Kir));
}
}
protocol wmf-Lowe(I,R,S)
{
role I
{
const Kir: SessionKey;
const Ti: TimeStamp;
var Kr: SessionKey;
var Nr: Nonce;
send_1(I,S, I, {Ti, R, Kir}k(I,S));
read_3(R,I,{Nr}Kir);
send_4(I,R,{{Nr}succ}Kir);
claim_I1(I,Secret,Kir);
claim_I2(I,Nisynch);
claim_I3(I,Empty,(Fresh,Kir));
}
role R
{
var Ts: TimeStamp;
var Kir: SessionKey;
const Nr: Nonce;
read_2(S,R, {Ts, I, Kir}k(R,S) );
send_3(R,I, {Nr}Kir);
read_4(I,R, {{Nr}succ}Kir);
claim_R1(R,Secret,Kir);
claim_R2(R,Nisynch);
claim_R3(R,Empty,(Fresh,Kir));
}
role S
{
var Kir: SessionKey;
const Ts: TimeStamp;
var Ti: TimeStamp;
read_1(I,S, I,{Ti, R, Kir}k(I,S) );
send_2(S,R, {Ts, I, Kir}k(R,S));
}
}
const Alice,Bob,Eve,Simon: Agent;
const Ke: SessionKey;
const Te: TimeStamp;
untrusted Eve;
compromised k(Eve,Simon);

84
protocols/SPORE/wmf.spdl Normal file
View File

@@ -0,0 +1,84 @@
# Wide Mouthed Frog
#
# Modelled after the description in the SPORE library
# http://www.lsv.ens-cachan.fr/spore/wideMouthedFrog.html
#
# Note
# The name of the party that has generated a message was added in order
# to model the property described in SPORE that an agent can identify
# its own messages and will reject them.
usertype SessionKey;
usertype TimeStamp;
usertype ExpiredTimeStamp;
secret k: Function;
const Fresh: Function;
const Compromised: Function;
protocol wmf^KeyCompromise(C)
{
// Read the names of 3 agents and disclose a session between them including
// corresponding session key to simulate key compromise
role C {
const Ni,Nr: Nonce;
const Kir: SessionKey;
const Ti,Ts: ExpiredTimeStamp;
var I,R,S: Agent;
read_!C1(C,C, I,R,S);
send_!C2(C,C, I, {I,Ti,R,Kir}k(I,S),
{S,Ts,I,Kir}k(R,S),
Kir
);
claim_C3(C,Empty, (Compromised,Kir));
}
}
protocol wmf(I,R,S)
{
role I
{
const Kir: SessionKey;
const Ti: TimeStamp;
var Kr: SessionKey;
send_1(I,S, I, {I, Ti, R, Kir}k(I,S));
claim_I1(I,Secret,Kir);
claim_I2(I,Empty,(Fresh,Kir));
}
role R
{
var Ts: TimeStamp;
var Kir: SessionKey;
read_2(S,R, {S, Ts, I, Kir}k(R,S) );
claim_R1(R,Secret,Kir);
claim_R2(R,Nisynch);
claim_R3(R,Empty,(Fresh,Kir));
}
role S
{
var Kir: SessionKey;
const Ts: TimeStamp;
var Ti: TimeStamp;
read_1(I,S, I,{I, Ti, R, Kir}k(I,S) );
send_2(S,R, {S, Ts, I, Kir}k(R,S));
}
}
const Alice,Bob,Eve,Simon: Agent;
const Ke: SessionKey;
const Te: TimeStamp;
untrusted Eve;
compromised k(Eve,Simon);

53
protocols/SPORE/woo-lam-pi-1.spdl Normal file
View File

@@ -0,0 +1,53 @@
# Woo and Lam Pi 1
#
# Modelled after the description in the SPORE library
# http://www.lsv.ens-cachan.fr/spore/wooLamPi1.html
#
secret k: Function;
protocol woolamPi-1(I,R,S)
{
role I
{
var Nr: Nonce;
send_1(I,R, I);
read_2(R,I, Nr);
send_3(I,R, {I,R,Nr}k(I,S));
}
role R
{
const Nr: Nonce;
var T: Ticket;
read_1(I,R, I);
send_2(R,I, Nr);
read_3(I,R, T);
send_4(R,S, {I,R, T}k(R,S));
read_5(S,R, {I,R, Nr}k(R,S));
claim_R1(R,Nisynch);
}
role S
{
var Nr: Nonce;
read_4(R,S, {I,R, {I,R,Nr}k(I,S)}k(R,S));
send_5(S,R, {I,R,Nr}k(R,S));
}
}
const Alice,Bob,Eve,Simon: Agent;
const Te: Ticket;
const Ne: Nonce;
untrusted Eve;
compromised k(Eve,Simon);

53
protocols/SPORE/woo-lam-pi-2.spdl Normal file
View File

@@ -0,0 +1,53 @@
# Woo and Lam Pi 2
#
# Modelled after the description in the SPORE library
# http://www.lsv.ens-cachan.fr/spore/wooLamPi2.html
#
secret k: Function;
protocol woolamPi-2(I,R,S)
{
role I
{
var Nr: Nonce;
send_1(I,R, I);
read_2(R,I, Nr);
send_3(I,R, {I,Nr}k(I,S));
}
role R
{
const Nr: Nonce;
var T: Ticket;
read_1(I,R, I);
send_2(R,I, Nr);
read_3(I,R, T);
send_4(R,S, {I, T}k(R,S));
read_5(S,R, {I, Nr}k(R,S));
claim_R1(R,Nisynch);
}
role S
{
var Nr: Nonce;
read_4(R,S, {I, {I,Nr}k(I,S)}k(R,S));
send_5(S,R, {I,Nr}k(R,S));
}
}
const Alice,Bob,Eve,Simon: Agent;
const Te: Ticket;
const Ne: Nonce;
untrusted Eve;
compromised k(Eve,Simon);

53
protocols/SPORE/woo-lam-pi-3.spdl Normal file
View File

@@ -0,0 +1,53 @@
# Woo and Lam Pi 2
#
# Modelled after the description in the SPORE library
# http://www.lsv.ens-cachan.fr/spore/wooLamPi3.html
#
secret k: Function;
protocol woolamPi-3(I,R,S)
{
role I
{
var Nr: Nonce;
send_1(I,R, I);
read_2(R,I, Nr);
send_3(I,R, {Nr}k(I,S));
}
role R
{
const Nr: Nonce;
var T: Ticket;
read_1(I,R, I);
send_2(R,I, Nr);
read_3(I,R, T);
send_4(R,S, {I, T}k(R,S));
read_5(S,R, {I, Nr}k(R,S));
claim_R1(R,Nisynch);
}
role S
{
var Nr: Nonce;
read_4(R,S, {I, {Nr}k(I,S)}k(R,S));
send_5(S,R, {I,Nr}k(R,S));
}
}
const Alice,Bob,Eve,Simon: Agent;
const Te: Ticket;
const Ne: Nonce;
untrusted Eve;
compromised k(Eve,Simon);

51
protocols/SPORE/woo-lam-pi-f.spdl Normal file
View File

@@ -0,0 +1,51 @@
# Woo and Lam Pi f
#
# Modelled after the description in the SPORE library
# http://www.lsv.ens-cachan.fr/spore/wooLamPif.html
#
secret k: Function;
protocol woolamPi-f(I,R,S)
{
role I
{
var Nr: Nonce;
send_1(I,R, I);
read_2(R,I, Nr);
send_3(I,R, {I,R,Nr}k(I,S));
}
role R
{
const Nr: Nonce;
var T: Ticket;
read_1(I,R, I);
send_2(R,I, Nr);
read_3(I,R, T);
send_4(R,S, {I, R, Nr, T}k(R,S));
read_5(S,R, {I, R, Nr}k(R,S));
claim_R1(R,Nisynch);
}
role S
{
var Nr: Nonce;
read_4(R,S, {I, R, Nr,{I,R,Nr}k(I,S)}k(R,S));
send_5(S,R, {I, R, Nr}k(R,S));
}
}
const Alice,Bob,Eve,Simon: Agent;
const Te: Ticket;
const Ne: Nonce;
untrusted Eve;
compromised k(Eve,Simon);

57
protocols/SPORE/woo-lam-pi.spdl Normal file
View File

@@ -0,0 +1,57 @@
# Woo and Lam Pi
#
# Modelled after the description in the SPORE library
# http://www.lsv.ens-cachan.fr/spore/wooLamPi.html
#
# Note:
# Scyther finds an attack that appears to be legit, but is not present in
# SPORE.
#
secret k: Function;
protocol woolamPi(I,R,S)
{
role I
{
var Nr: Nonce;
send_1(I,R, I);
read_2(R,I, Nr);
send_3(I,R, {Nr}k(I,S));
}
role R
{
const Nr: Nonce;
var T: Ticket;
read_1(I,R, I);
send_2(R,I, Nr);
read_3(I,R, T);
send_4(R,S, {I, T}k(R,S));
read_5(S,R, {Nr}k(R,S));
claim_R1(R,Nisynch);
}
role S
{
var Nr: Nonce;
read_4(R,S, {I,{Nr}k(I,S)}k(R,S));
send_5(S,R, {Nr}k(R,S));
}
}
const Alice,Bob,Eve,Simon: Agent;
const Te: Ticket;
const Ne: Nonce;
untrusted Eve;
compromised k(Eve,Simon);

98
protocols/SPORE/woo-lam.spdl Normal file
View File

@@ -0,0 +1,98 @@
# Woo and Lam Mutual Authentication
#
# Modelled after the description in the SPORE library
# http://www.lsv.ens-cachan.fr/spore/wooLamMutual.html
#
usertype SessionKey;
secret k: Function;
const Fresh: Function;
const Compromised: Function;
protocol woolam^KeyCompromise(C)
{
// Read the names of 3 agents and disclose a session between them including
// corresponding session key to simulate key compromise
role C {
const N1,N2: Nonce;
const Kir: SessionKey;
var I,R,S: Agent;
read_!C1(C,C, I,R,S);
send_!C2(C,C, I,N1,
R,N2,
{I,R,N1,N2}k(I,S),
{I,R,N1,N2}k(R,S),
{R,N1,N2,Kir}k(I,S),
{I,N1,N2,Kir}k(R,S),
{N1,N2}Kir,
{N2}Kir,
Kir
);
claim_C3(C,Empty, (Compromised,Kir));
}
}
protocol woolam(I,R,S)
{
role I
{
const N1: Nonce;
var Kir: SessionKey;
var N2: Nonce;
send_1(I,R, I, N1);
read_2(R,I, R, N2);
send_3(I,R, {I, R, N1, N2}k(I,S));
read_6(R,I, {R, N1, N2, Kir}k(I,S), {N1,N2}Kir);
send_7(I,R, {N2}Kir);
claim_I1(I,Secret,Kir);
claim_I2(I,Nisynch);
claim_I3(I,Empty,(Fresh,Kir));
}
role R
{
const N2: Nonce;
var N1: Nonce;
var Kir: SessionKey;
var T1,T2: Ticket;
read_1(I,R, I, N1);
send_2(R,I, R, N2);
read_3(I,R, T1);
send_4(R,S, T1, {I, R, N1, N2}k(R,S));
read_5(S,R, T2, {I, N1, N2, Kir}k(R,S));
send_6(R,I, T2, {N1,N2}Kir);
read_7(I,R, {N2}Kir);
claim_R1(R,Secret,Kir);
claim_R2(R,Nisynch);
claim_R3(R,Empty,(Fresh,Kir));
}
role S
{
const Kir: SessionKey;
var N1,N2: Nonce;
read_4(R,S, {I, R, N1, N2}k(I,S), {I, R, N1, N2}k(R,S));
send_5(S,R, {R, N1, N2, Kir}k(I,S), {I, N1, N2, Kir}k(R,S));
}
}
const Alice,Bob,Eve,Simon: Agent;
const Ke: SessionKey;
const Te: Ticket;
const Ne: Nonce;
untrusted Eve;
compromised k(Eve,Simon);

81
protocols/SPORE/yahalom-ban.spdl Normal file
View File

@@ -0,0 +1,81 @@
# BAN simplified version of Yahalom
#
# Modelled after the description in the SPORE library
# http://www.lsv.ens-cachan.fr/spore/yahalomBAN.html
#
secret k : Function;
usertype SessionKey;
const Fresh: Function;
const Compromised: Function;
protocol yahalom-BAN^KeyCompromise(C)
{
// Read the names of 3 agents and disclose a session between them including
// corresponding session key to simulate key compromise
role C {
const Ni,Nr: Nonce;
const Kir: SessionKey;
var I,R,S: Agent;
read_!C1(C,C, I,R,S);
send_!C2(C,C, I,Ni,
R,Nr,{I,Ni}k(R,S),
Nr,{R,Kir,Ni}k(I,S),
{I,Kir,Nr}k(R,S),
{Nr}Kir,
Kir
);
claim_C3(C,Empty, (Compromised,Kir));
}
}
protocol yahalom-BAN(I,R,S)
{
role I
{
const Ni: Nonce;
var Nr: Nonce;
var T: Ticket;
var Kir: SessionKey;
send_1(I,R, I,Ni);
read_3(S,I, Nr, {R,Kir,Ni}k(I,S), T );
send_4(I,R, T, {Nr}Kir );
claim_I1(I, Secret,Kir);
claim_I2(I, Nisynch);
claim_I3(I, Empty, (Fresh,Kir));
}
role R
{
const Nr: Nonce;
var Ni: Nonce;
var T: Ticket;
var Kir: SessionKey;
read_1(I,R, I,Ni);
send_2(R,S, R, Nr, {I,Ni}k(R,S) );
read_4(I,R, {I,Kir,Nr}k(R,S) , {Nr}Kir );
claim_R1(R, Secret,Kir);
claim_R2(R, Nisynch);
claim_R3(R, Empty, (Fresh,Kir));
}
role S
{
const Kir: SessionKey;
var Ni,Nr: Nonce;
read_2(R,S, R, Nr, {I,Ni}k(R,S) );
send_3(S,I, Nr, {R,Kir,Ni}k(I,S), {I,Kir,Nr}k(R,S) );
}
}
const Alice,Bob,Charlie,David: Agent;

56
protocols/SPORE/yahalom-lowe.spdl Normal file
View File

@@ -0,0 +1,56 @@
# Lowe's modified version of Yahalom
#
# Modelled after the description in the SPORE library
# http://www.lsv.ens-cachan.fr/spore/yahalomLowe.html
#
#
secret k : Function;
usertype SessionKey;
protocol yahalom-Lowe(I,R,S)
{
role I
{
const Ni: Nonce;
var Nr: Nonce;
var Kir: SessionKey;
send_1(I,R, I,Ni);
read_3(S,I, {R,Kir,Ni,Nr}k(I,S) );
send_5(I,R, {I, R, S, Nr}Kir );
claim_I1(I, Secret,Kir);
claim_I2(I, Nisynch);
}
role R
{
const Nr: Nonce;
var Ni: Nonce;
var Kir: SessionKey;
read_1(I,R, I,Ni);
send_2(R,S, {I,Ni,Nr}k(R,S) );
read_4(S,R, {I,Kir}k(R,S));
read_5(I,R, {I, R, S, Nr}Kir);
claim_R1(R, Secret,Kir);
claim_R2(R, Nisynch);
}
role S
{
const Kir: SessionKey;
var Ni,Nr: Nonce;
read_2(R,S, {I,Ni,Nr}k(R,S) );
send_3(S,I, {R,Kir,Ni,Nr}k(I,S));
send_4(S,R, {I,Kir}k(R,S));
}
}
const Alice,Bob,Simon : Agent;

81
protocols/SPORE/yahalom-paulson.spdl Normal file
View File

@@ -0,0 +1,81 @@
# Paulson's strengthened version of Yahalom
#
# Modelled after the description in the SPORE library
# http://www.lsv.ens-cachan.fr/spore/yahalomPaulson.html
#
#
secret k : Function;
const Fresh: Function;
const Compromised: Function;
usertype SessionKey;
//protocol yahalom-Paulson^KeyCompromise(C)
//{
// // Read the names of 3 agents and disclose a session between them including
// // corresponding session key to simulate key compromise
// role C {
// const Ni,Nr: Nonce;
// const Kir: SessionKey;
// var I,R,S: Agent;
//
// read_!C1(C,C, I,R,S);
// send_!C2(C,C, I,Ni,
// R,Nr,{I,Ni}k(R,S),
// Nr,{R,Kir,Ni}k(I,S),
// {I,R,Kir,Nr}k(R,S),
// {Nr}Kir,
// Kir
// );
// claim_C3(C,Empty, (Compromised,Kir));
// }
//}
protocol yahalom-Paulson(I,R,S)
{
role I
{
const Ni: Nonce;
var Nr: Nonce;
var T: Ticket;
var Kir: SessionKey;
send_1(I,R, I,Ni);
read_3(S,I, Nr, {R,Kir,Ni}k(I,S), T );
send_4(I,R, T, {Nr}Kir );
claim_I1(I, Secret,Kir);
claim_I2(I, Nisynch);
claim_I3(I, Empty, (Fresh,Kir));
}
role R
{
const Nr: Nonce;
var Ni: Nonce;
var T: Ticket;
var Kir: SessionKey;
read_1(I,R, I,Ni);
send_2(R,S, R, Nr, {I,Ni}k(R,S) );
read_4(I,R, {I,R, Kir, Nr}k(R,S) , {Nr}Kir );
claim_R1(R, Secret,Kir);
claim_R2(R, Nisynch);
claim_R3(R, Empty, (Fresh,Kir));
}
role S
{
const Kir: SessionKey;
var Ni,Nr: Nonce;
read_2(R,S, R, Nr, {I,Ni}k(R,S) );
send_3(S,I, Nr, {R,Kir,Ni}k(I,S), {I,R,Kir,Nr}k(R,S) );
}
}
const Alice,Bob,Simon : Agent;

61
protocols/SPORE/yahalom.spdl Normal file
View File

@@ -0,0 +1,61 @@
# Yahalom
#
# Modelled after the description in the SPORE library
# http://www.lsv.ens-cachan.fr/spore/yahalom.html
#
#
secret k : Function;
usertype SessionKey;
protocol yahalom(I,R,S)
{
role I
{
const Ni: Nonce;
var Nr: Nonce;
var T: Ticket;
var Kir: SessionKey;
send_1(I,R, I,Ni);
read_3(S,I, {R,Kir,Ni,Nr}k(I,S), T );
send_4(I,R, T, {Nr}Kir );
claim_I1(I, Secret,Kir);
}
role R
{
const Nr: Nonce;
var Ni: Nonce;
var T: Ticket;
var Kir: SessionKey;
read_1(I,R, I,Ni);
send_2(R,S, R, {I,Ni,Nr}k(R,S) );
read_4(I,R, {I,Kir}k(R,S) , {Nr}Kir );
claim_R1(R, Secret,Kir);
}
role S
{
const Kir: SessionKey;
var Ni,Nr: Nonce;
read_2(R,S, R, {I,Ni,Nr}k(R,S) );
send_3(S,I, {R,Kir,Ni,Nr}k(I,S), {I,Kir}k(R,S) );
claim(S, Secret, Ni);
claim(S, Secret, Nr);
}
}
const Alice,Bob,Simon : Agent;
const Eve: Agent;
untrusted Eve;
compromised k(Eve,Simon);

52
protocols/misc/2r890-ex3-a.spdl Normal file
View File

@@ -0,0 +1,52 @@
/*
* Course 2r890
*
* Assignment 0405-3
*
* Protocol a
*
* nisynch, niagree
*/
const pk: Function;
secret sk: Function;
inversekeys (pk,sk);
protocol course2r890year0405ex3(X,Y,I)
{
role I
{
const nx: Nonce;
const ny: Nonce;
send_1(I,X, nx );
read_2(X,I, { I,nx }sk(X) );
send_3(I,Y, ny );
read_4(Y,I, { ny,I }sk(Y) );
claim_i1(I,Niagree);
claim_i2(I,Nisynch);
}
role X
{
var nx: Nonce;
read_1(I,X, nx );
send_2(X,I, { I,nx }sk(X) );
}
role Y
{
var ny: Nonce;
read_3(I,Y, ny );
send_4(Y,I, { ny,I }sk(Y) );
}
}
const Alice,Bob,Eve: Agent;
untrusted Eve;
const ne: Nonce;
compromised sk(Eve);

51
protocols/misc/2r890-ex3-b.spdl Normal file
View File

@@ -0,0 +1,51 @@
/*
* Course 2r890
*
* Assignment 0405-3
*
* Protocol b
*
* not nisynch, but still niagree
*/
const pk: Function;
secret sk: Function;
inversekeys (pk,sk);
protocol course2r890year0405ex3(X,Y,I)
{
role I
{
const ni: Nonce;
send_1(I,X, ni );
read_2(X,I, { I,ni }sk(X) );
send_3(I,Y, ni );
read_4(Y,I, { ni,I }sk(Y) );
claim_i1(I,Niagree);
claim_i2(I,Nisynch);
}
role X
{
var nx: Nonce;
read_1(I,X, nx );
send_2(X,I, { I,nx }sk(X) );
}
role Y
{
var ny: Nonce;
read_3(I,Y, ny );
send_4(Y,I, { ny,I }sk(Y) );
}
}
const Alice,Bob,Eve: Agent;
untrusted Eve;
const ne: Nonce;
compromised sk(Eve);

53
protocols/misc/andrew-ban.spdl Normal file
View File

@@ -0,0 +1,53 @@
usertype SessionKey;
secret k: Function;
protocol andrewBan(I,R)
{
role I
{
const ni: Nonce;
var nr,nr2: Nonce;
var kir: SessionKey;
send_1(I,R, I,{ni}k(I,R) );
read_2(R,I, {ni,nr}k(I,R) );
send_3(I,R, {nr}k(I,R) );
read_4(R,I, {kir,nr2,ni}k(I,R) );
claim_5(I,Nisynch);
claim_5b(I,Niagree);
claim_6(I,Secret, kir);
claim_7(I,Secret, k(I,R));
}
role R
{
var ni: Nonce;
const nr,nr2: Nonce;
const kir: SessionKey;
read_1(I,R, I,{ni}k(I,R) );
send_2(R,I, {ni,nr}k(I,R) );
read_3(I,R, {nr}k(I,R) );
send_4(R,I, {kir,nr2,ni}k(I,R) );
claim_8(R,Nisynch);
claim_8b(R,Niagree);
claim_9(R,Secret, kir);
claim_10(R,Secret, k(I,R));
}
}
const Alice,Bob,Eve: Agent;
untrusted Eve;
const ne: Nonce;
const kee: SessionKey;
compromised k(Eve,Eve);
compromised k(Eve,Alice);
compromised k(Eve,Bob);
compromised k(Alice,Eve);
compromised k(Bob,Eve);
run andrewBan.I(Agent,Agent);
run andrewBan.R(Agent,Agent);
run andrewBan.I(Agent,Agent);
run andrewBan.R(Agent,Agent);

53
protocols/misc/andrew-lowe-ban.spdl Normal file
View File

@@ -0,0 +1,53 @@
usertype SessionKey;
secret k: Function;
protocol andrewLoweBan(I,R)
{
role I
{
const ni: Nonce;
var nr: Nonce;
var kir: SessionKey;
send_1(I,R, I,ni );
read_2(R,I, {ni,kir,I}k(I,R) );
send_3(I,R, {ni}kir );
read_4(R,I, nr );
claim_5(I,Nisynch);
claim_5b(I,Niagree);
claim_6(I,Secret, kir);
claim_7(I,Secret, k(I,R));
}
role R
{
var ni: Nonce;
const nr: Nonce;
const kir: SessionKey;
read_1(I,R, I,ni );
send_2(R,I, {ni,kir,I}k(I,R) );
read_3(I,R, {ni}kir );
send_4(R,I, nr );
claim_8(R,Nisynch);
claim_8b(R,Niagree);
claim_9(R,Secret, kir);
claim_10(R,Secret, k(I,R));
}
}
const Alice,Bob,Eve: Agent;
untrusted Eve;
const ne: Nonce;
const kee: SessionKey;
compromised k(Eve,Eve);
compromised k(Eve,Alice);
compromised k(Eve,Bob);
compromised k(Alice,Eve);
compromised k(Bob,Eve);
run andrewLoweBan.I(Agent,Agent);
run andrewLoweBan.R(Agent,Agent);
run andrewLoweBan.I(Agent,Agent);
run andrewLoweBan.R(Agent,Agent);

48
protocols/misc/bke-broken.spdl Normal file
View File

@@ -0,0 +1,48 @@
/*
Bilateral Key Exchange with Public Key protocol (bkebroken)
Broken version with man in the middle attack.
*/
usertype Key;
const pk,h: Function;
secret sk,hinv: Function;
inversekeys (pk,sk);
inversekeys (h,hinv);
protocol bkebroken(I,R)
{
role I
{
const ni: Nonce;
var nr: Nonce;
var kir: Key;
send_1 (I,R, { ni,I }pk(R) );
read_2 (R,I, { h(ni),nr,kir }pk(I) );
send_3 (I,R, { h(nr),kir }pk(R) );
claim_4 (I, Secret, kir );
}
role R
{
var ni: Nonce;
const nr: Nonce;
const kir: Key;
read_1 (I,R, { ni,I }pk(R) );
send_2 (R,I, { h(ni),nr,kir }pk(I) );
read_3 (I,R, { h(nr),kir }pk(R) );
claim_5 (R, Secret, kir );
}
}
const a,b,e: Agent;
untrusted e;
compromised sk(e);
const ne: Nonce;
run bkebroken.I(a,Agent);
run bkebroken.R(Agent,b);

58
protocols/misc/bke-one.spdl Normal file
View File

@@ -0,0 +1,58 @@
/*
Bilateral Key Exchange with Public Key protocol (bkeONE)
*/
usertype Key;
const pk,hash: Function;
secret sk,unhash: Function;
inversekeys (pk,sk);
inversekeys (hash,unhash);
protocol bkeONE(I,R)
{
role I
{
const ni: Nonce;
var nr: Nonce;
var kir: Key;
send_1 (I,R, { ni,I }pk(R) );
read_2 (R,I, { hash(ni),nr,R,kir }pk(I) );
send_3 (I,R, { hash(nr) }kir );
claim_4 (I, Secret, kir );
}
role R
{
var ni: Nonce;
const nr: Nonce;
const kir: Key;
read_1 (I,R, { ni,I }pk(R) );
send_2 (R,I, { hash(ni),nr,R,kir }pk(I) );
read_3 (I,R, { hash(nr) }kir );
claim_5 (R, Secret, kir );
}
}
const a,e: Agent;
untrusted e;
compromised sk(e);
const ne: Nonce;
run bkeONE.I(a,Agent);
run bkeONE.R(Agent,a);
run bkeONE.I(a,Agent);
run bkeONE.R(Agent,a);
run bkeONE.I(a,Agent);
run bkeONE.R(Agent,a);
run bkeONE.I(a,Agent);
run bkeONE.R(Agent,a);
run bkeONE.I(a,Agent);
run bkeONE.R(Agent,a);

55
protocols/misc/bke-variation.spdl Normal file
View File

@@ -0,0 +1,55 @@
/*
Bilateral Key Exchange with Public Key protocol (BKEPK)
Variation for exercise 2r890
*/
usertype Key;
const pk,hash: Function;
secret sk,unhash: Function;
inversekeys (pk,sk);
inversekeys (hash,unhash);
protocol bkevariation(I,R)
{
role I
{
const ni: Nonce;
var nr: Nonce;
var kir: Key;
send_1 (I,R, { ni,I }pk(R) );
read_2 (R,I, { hash(ni),nr,kir }pk(I) );
send_3 (I,R, { hash(nr) }kir );
claim_4 (I, Secret, kir );
claim_5 (I, Niagree );
claim_6 (I, Nisynch );
}
role R
{
var ni: Nonce;
const nr: Nonce;
const kir: Key;
read_1 (I,R, { ni,I }pk(R) );
send_2 (R,I, { hash(ni),nr,kir }pk(I) );
read_3 (I,R, { hash(nr) }kir );
claim_7 (R, Secret, kir );
claim_8 (R, Niagree );
claim_9 (R, Nisynch );
}
}
const a,b,e: Agent;
untrusted e;
compromised sk(e);
const ne: Nonce;
run bkevariation.I(a,Agent);
run bkevariation.R(Agent,b);
run bkevariation.I(a,Agent);
run bkevariation.R(Agent,b);

62
protocols/misc/bke.spdl Normal file
View File

@@ -0,0 +1,62 @@
/*
Bilateral Key Exchange with Public Key protocol (BKEPK)
*/
usertype Key;
const pk,hash: Function;
secret sk,unhash: Function;
inversekeys (pk,sk);
inversekeys (hash,unhash);
protocol bke(I,R)
{
role I
{
const ni: Nonce;
var nr: Nonce;
var kir: Key;
send_1 (I,R, { ni,I }pk(R) );
read_2 (R,I, { hash(ni),nr,R,kir }pk(I) );
send_3 (I,R, { hash(nr) }kir );
claim_4 (I, Secret, kir );
claim_5 (I, Niagree );
claim_6 (I, Nisynch );
}
role R
{
var ni: Nonce;
const nr: Nonce;
const kir: Key;
read_1 (I,R, { ni,I }pk(R) );
send_2 (R,I, { hash(ni),nr,R,kir }pk(I) );
read_3 (I,R, { hash(nr) }kir );
claim_7 (R, Secret, kir );
claim_8 (R, Niagree );
claim_9 (R, Nisynch );
}
}
const a,b,e: Agent;
untrusted e;
compromised sk(e);
const ne: Nonce;
run bke.I(a,Agent);
run bke.R(Agent,b);
run bke.I(a,Agent);
run bke.R(Agent,b);
run bke.I(a,Agent);
run bke.R(Agent,b);
run bke.I(a,Agent);
run bke.R(Agent,b);
run bke.I(a,Agent);
run bke.R(Agent,b);

53
protocols/misc/bkepk-ce.spdl Normal file
View File

@@ -0,0 +1,53 @@
/*
Bilateral Key Exchange with Public Key protocol (bkeCE)
Version from Corin/Etalle: An Improved Constraint-Based System for the Verification of Security Protocols.
Tried to stay as close as possible to compare timing results.
*/
usertype Key;
const pk,hash: Function;
secret sk,unhash: Function;
inversekeys (pk,sk);
inversekeys (hash,unhash);
protocol bkeCE(A,B)
{
role A
{
var nb: Nonce;
const na: Nonce;
const kab: Key;
read_1 (B,A, B,{ nb,B }pk(A) );
send_2 (A,B, { hash(nb),na,A,kab }pk(B) );
read_3 (B,A, { hash(na) }kab );
claim_A1 (A, Secret, na);
claim_A2 (A, Secret, nb);
}
role B
{
const nb: Nonce;
var na: Nonce;
var kab: Key;
send_1 (B,A, B,{ nb,B }pk(A) );
read_2 (A,B, { hash(nb),na,A,kab }pk(B) );
send_3 (B,A, { hash(na) }kab );
claim_B1 (B, Secret, na);
claim_B2 (B, Secret, nb);
}
}
const Alice,Bob,Eve;
compromised sk(Eve);
untrusted Eve;

62
protocols/misc/bkepk-ce2.spdl Normal file
View File

@@ -0,0 +1,62 @@
/*
Bilateral Key Exchange with Public Key protocol (bkepkCE2)
Version from Corin/Etalle: An Improved Constraint-Based System for the Verification of Security Protocols.
Tried to stay as close as possible to compare timing results.
*/
usertype Key;
const pk,hash: Function;
secret sk: Function;
inversekeys (pk,sk);
protocol bkepkCE2(A,B,testnonce)
{
role B
{
const nb: Nonce;
var na: Nonce;
var kab: Key;
send_1 (B,A, B,{ nb,B }pk(A) );
read_2 (A,B, { hash(nb),na,A,kab }pk(B) );
send_3 (B,A, { hash(na) }kab );
}
role A
{
var nb: Nonce;
const na: Nonce;
const kab: Key;
read_1 (B,A, B,{ nb,B }pk(A) );
send_2 (A,B, { hash(nb),na,A,kab }pk(B) );
read_3 (B,A, { hash(na) }kab );
}
role testnonce
{
var n: Nonce;
read_!4 (testnonce,testnonce, n);
}
}
const Alice,Bob,Eve;
compromised sk(Eve);
untrusted Eve;
run bkepkCE2.A(Alice,Bob,Alice);
run bkepkCE2.A(Alice,Bob,Alice);
run bkepkCE2.A(Alice,Bob,Alice);
run bkepkCE2.B(Alice,Bob,Alice);
run bkepkCE2.B(Alice,Bob,Alice);
run bkepkCE2.B(Alice,Bob,Alice);
run bkepkCE2.testnonce(Alice,Bob,Alice);
run bkepkCE2.testnonce(Alice,Bob,Alice);
run bkepkCE2.testnonce(Alice,Bob,Alice);

55
protocols/misc/boyd-nsl-fix.spdl Normal file
View File

@@ -0,0 +1,55 @@
/*
* Boyd fix for NS(L)
*
* From the paper "Towards Extensional Goals in Authentication
* Protocols"
*
* Broken. Best shown by attack id 4.
*/
const pk: Function;
secret sk: Function;
inversekeys (pk,sk);
const hash: Function;
secret unhash: Function;
inversekeys (hash,unhash);
protocol boydNS(I,R)
{
role I
{
const ni: Nonce;
var nr: Nonce;
send_1(I,R, {ni}pk(R),I );
read_2(R,I, {nr}pk(I),hash(ni,R) );
send_3(I,R, hash(nr, I,R) );
claim_i1(I,Secret,ni);
claim_i2(I,Secret,nr);
claim_i3(I,Niagree);
claim_i4(I,Nisynch);
}
role R
{
var ni: Nonce;
const nr: Nonce;
read_1(I,R, {ni}pk(R),I );
send_2(R,I, {nr}pk(I),hash(ni,R) );
read_3(I,R, hash(nr, I,R) );
claim_r1(R,Secret,ni);
claim_r2(R,Secret,nr);
claim_r3(R,Niagree);
claim_r4(R,Nisynch);
}
}
const Alice,Bob,Eve: Agent;
untrusted Eve;
const ne: Nonce;
compromised sk(Eve);
run boydNS.I(Agent,Agent);
run boydNS.R(Agent,Agent);

81
protocols/misc/boyd.spdl Normal file
View File

@@ -0,0 +1,81 @@
usertype Sessionkey;
usertype Macseed;
secret k: Function;
const m: Function;
secret unm: Function;
const f: Function;
inversekeys (m, unm);
/*
* Boyd key agreement
*
* Boyd & Mathuria: Protocols for authentication and key establishment
* (2003) p. 101
*
* Note that MAC_ks(x) has been interpreted as MAC(x,ks); this
* assumption causes some possible false attacks.
*/
protocol boyd(I,R,S)
{
role I
{
const ni: Nonce;
var nr: Nonce;
var ks: Macseed;
send_1 (I,S, I,R, ni );
read_3 (R,I, { I,R, ks }k(I,S), m(ni, m(ks,ni,nr)), nr );
send_4 (I,R, m(nr, m(ks,ni,nr)) );
claim_6 (I, Secret, m(ks,ni,nr) );
claim_7 (I, Niagree);
claim_8 (I, Nisynch);
}
role R
{
var ni: Nonce;
const nr: Nonce;
var ks: Macseed;
read_2 (S,R, { I,R, ks }k(I,S), { I,R, ks }k(R,S), ni );
send_3 (R,I, { I,R, ks }k(I,S), m(ni, m(ks,ni,nr)), nr );
read_4 (I,R, m(nr, m(ks,ni,nr)) );
claim_10 (R, Secret, m(ks,ni,nr));
claim_11 (R, Niagree);
claim_12 (R, Nisynch);
}
role S
{
var ni,nr: Nonce;
const ks: Macseed;
read_1 (I,S, I,R, ni );
send_2 (S,R, { I,R, ks }k(I,S), { I,R, ks }k(R,S), ni );
}
}
const Alice,Bob,Simon,Eve: Agent;
untrusted Eve;
const ne: Nonce;
const mcsde: Macseed;
const ke: Sessionkey;
compromised k(Eve,Eve);
compromised k(Eve,Alice);
compromised k(Eve,Bob);
compromised k(Eve,Simon);
compromised k(Alice,Eve);
compromised k(Bob,Eve);
compromised k(Simon,Eve);
run boyd.I(Agent,Agent,Simon);
run boyd.R(Agent,Agent,Simon);
run boyd.S(Agent,Agent,Simon);
run boyd.I(Agent,Agent,Simon);
run boyd.R(Agent,Agent,Simon);
run boyd.S(Agent,Agent,Simon);

39
protocols/misc/broken1.spdl Normal file
View File

@@ -0,0 +1,39 @@
/*
* A broken protocol
*
* Cas Cremers
* Visualization challenge of the week.
* Can be checked withouth CL, please do so.
*/
usertype String, Key;
const PlainSight: String;
secret HelloWorld, HelloServer: String;
secret k: Key;
protocol broken1(I,R,S)
{
role I
{
send_1(I, R, PlainSight, {HelloWorld, I, R}k );
send_2(I, S, {HelloServer, I, S}k );
}
role R
{
read_3(S, R, {HelloWorld, S, I, R}k );
read_1(I, R, PlainSight, {HelloWorld, I, R}k );
claim_4(R, Secret, PlainSight);
}
role S
{
read_2(I, S, {HelloServer, I, S}k );
send_3(S, R, {HelloWorld, S, I, R}k );
}
}
const a, b, S: Agent;
run broken1.I(a, b, S);
run broken1.R(a, b, S);
run broken1.S(a, b, S);

89
protocols/misc/bunava-1-3.spdl Normal file
View File

@@ -0,0 +1,89 @@
# Buttyan Nagy Vajda protocol 1 (3-party)
#
# Modelled after the description in the paper
# "Efficient multi-party challenge-response protocols for entity
# authentication"
#
# Attacks:
# Does not satisfy ni-agree, because when Alice in the R0 role terminates
# it cannot be sure that the agent in role R1 is aware of having sent a
# reply for Alice.
# R0 type flaw attack exists in which there are only two agents active.
#
secret k: Function;
protocol intruderhelp(Swap)
{
role Swap
{
var T: Ticket;
var R0,R1: Agent;
read_!1(Swap,Swap, { T }k(R0,R1) );
send_!2(Swap,Swap, { T }k(R1,R0) );
}
}
protocol bunava13(R0,R1,R2)
{
role R0
{
const n0: Nonce;
var n1,n2: Nonce;
send_1(R0,R1, n0);
read_3(R2,R0, n2,{R2,n1,R1,n0}k(R0,R2) );
send_4(R0,R1, {R0,n2,R2,n1}k(R0,R1) );
claim_A1(R0, Niagree);
claim_A2(R0, Nisynch);
}
role R1
{
const n1: Nonce;
var n0,n2: Nonce;
read_1(R0,R1, n0);
send_2(R1,R2, n1,{R1,n0}k(R1,R2) );
read_4(R0,R1, {R0,n2,R2,n1}k(R0,R1) );
send_5(R1,R2, {R1,R0,n2}k(R1,R2) );
claim_B1(R1, Niagree);
claim_B2(R1, Nisynch);
}
role R2
{
const n2: Nonce;
var n0,n1: Nonce;
read_2(R1,R2, n1,{R1,n0}k(R1,R2) );
send_3(R2,R0, n2,{R2,n1,R1,n0}k(R0,R2) );
read_5(R1,R2, {R1,R0,n2}k(R1,R2) );
claim_C1(R2, Niagree);
claim_C2(R2, Nisynch);
}
}
const Alice,Bob,Charlie,David,Frodo,Gerard,Eve: Agent;
untrusted Eve;
const ne: Nonce;
compromised k(Alice,Eve);
compromised k(Bob,Eve);
compromised k(Charlie,Eve);
compromised k(Eve,Alice);
compromised k(Eve,Bob);
compromised k(Eve,Charlie);
# General scenario, 2 parallel runs of the protocol
run bunava13.R0(Agent,Agent,Agent);
run bunava13.R1(Agent,Agent,Agent);
run bunava13.R2(Agent,Agent,Agent);
run bunava13.R0(Agent,Agent,Agent);
run bunava13.R1(Agent,Agent,Agent);
run bunava13.R2(Agent,Agent,Agent);

106
protocols/misc/bunava-1-4.spdl Normal file
View File

@@ -0,0 +1,106 @@
# Buttyan Nagy Vajda protocol 1 (4-party)
#
# Modelled after the description in the paper
# "Efficient multi-party challenge-response protocols for entity
# authentication"
#
# Attacks:
# Does not satisfy ni-agree, because when Alice in the A role terminates
# it cannot be sure that the agent in role B is aware of having sent a
# reply for Alice.
# A type flaw attack exists in which there are only three agents active.
# Especially -m2 attack 17 is nice, I think.
#
secret k: Function;
protocol intruderhelp(Swap)
{
role Swap
{
var T: Ticket;
var A,B: Agent;
read_!1(Swap,Swap, { T }k(A,B) );
send_!2(Swap,Swap, { T }k(B,A) );
}
}
protocol bunava14(A,B,C,D)
{
role A
{
const ra: Nonce;
var rb,rc,rd: Nonce;
send_1(A,B, ra);
read_4(D,A, rd,{D,rc,C,rb,B,ra}k(A,D) );
send_5(A,B, {A,rd,D,rc,C,rb}k(A,B) );
claim_A1(A, Niagree);
claim_A2(A, Nisynch);
}
role B
{
const rb: Nonce;
var ra,rc,rd: Nonce;
read_1(A,B, ra);
send_2(B,C, rb,{B,ra}k(B,C) );
read_5(A,B, {A,rd,D,rc,C,rb}k(A,B) );
send_6(B,C, {B,A,rd,D,rc}k(B,C) );
claim_B1(B, Niagree);
claim_B2(B, Nisynch);
}
role C
{
const rc: Nonce;
var ra,rb,rd: Nonce;
read_2(B,C, rb,{B,ra}k(B,C) );
send_3(C,D, rc,{C,rb,B,ra}k(C,D) );
read_6(B,C, {B,A,rd,D,rc}k(B,C) );
send_7(C,D, {C,B,A,rd}k(C,D) );
claim_C1(C, Niagree);
claim_C2(C, Nisynch);
}
role D
{
const rd: Nonce;
var ra,rb,rc: Nonce;
read_3(C,D, rc,{C,rb,B,ra}k(C,D) );
send_4(D,A, rd,{D,rc,C,rb,B,ra}k(A,D) );
read_7(C,D, {C,B,A,rd}k(C,D) );
claim_D1(D, Niagree);
claim_D2(D, Nisynch);
}
}
const Alice,Bob,Charlie,Eve: Agent;
untrusted Eve;
const ne: Nonce;
compromised k(Alice,Eve);
compromised k(Bob,Eve);
compromised k(Charlie,Eve);
compromised k(Eve,Alice);
compromised k(Eve,Bob);
compromised k(Eve,Charlie);
# General scenario, 2 parallel runs of the protocol
run bunava14.A(Agent,Agent,Agent,Agent);
run bunava14.B(Agent,Agent,Agent,Agent);
run bunava14.C(Agent,Agent,Agent,Agent);
run bunava14.D(Agent,Agent,Agent,Agent);
run bunava14.A(Agent,Agent,Agent,Agent);
run bunava14.B(Agent,Agent,Agent,Agent);
run bunava14.C(Agent,Agent,Agent,Agent);
run bunava14.D(Agent,Agent,Agent,Agent);

88
protocols/misc/bunava-2-3.spdl Normal file
View File

@@ -0,0 +1,88 @@
# Buttyan Nagy Vajda protocol 2 (3-party)
#
# Modelled after the description in the paper
# "Efficient multi-party challenge-response protocols for entity
# authentication"
#
# Attacks:
#
secret k: Function;
protocol intruderhelp(Swap)
{
role Swap
{
var T: Ticket;
var R0,R1: Agent;
read_!1(Swap,Swap, { T }k(R0,R1) );
send_!2(Swap,Swap, { T }k(R1,R0) );
}
}
protocol bunava23(R0,R1,R2)
{
role R0
{
const n0: Nonce;
var n1,n2: Nonce;
var T0: Ticket;
send_1(R0,R1, n0);
read_3(R2,R0, n2, T0, { R2,{ R1,n0 }k(R0,R1) }k(R0,R2) );
send_4(R0,R1, { R0,n2 }k(R0,R2), { R0, T0 }k(R0,R1) );
claim_A1(R0, Niagree);
claim_A2(R0, Nisynch);
}
role R1
{
const n1: Nonce;
var n0,n2: Nonce;
var T1: Ticket;
read_1(R0,R1, n0);
send_2(R1,R2, n1,{R1,n0}k(R1,R2) );
read_4(R0,R1, T1, { R0, { R2,n1 }k(R1,R2) }k(R0,R1) );
send_5(R1,R2, { R1, T1 }k(R1,R2) );
claim_B1(R1, Niagree);
claim_B2(R1, Nisynch);
}
role R2
{
const n2: Nonce;
var n0,n1: Nonce;
var T2: Ticket;
read_2(R1,R2, n1, T2 );
send_3(R2,R0, n2,{ R2,n1 }k(R1,R2), { R2, T2 }k(R0,R2) );
read_5(R1,R2, { R1, { R0,n2 }k(R0,R2) }k(R1,R2) );
claim_C1(R2, Niagree);
claim_C2(R2, Nisynch);
}
}
const Alice,Bob,Charlie,David,Frodo,Gerard,Eve: Agent;
untrusted Eve;
const ne: Nonce;
compromised k(Alice,Eve);
compromised k(Bob,Eve);
compromised k(Charlie,Eve);
compromised k(Eve,Alice);
compromised k(Eve,Bob);
compromised k(Eve,Charlie);
# General scenario
run bunava23.R0(Agent,Agent,Agent);
run bunava23.R1(Agent,Agent,Agent);
run bunava23.R2(Agent,Agent,Agent);
run bunava23.R0(Agent,Agent,Agent);
run bunava23.R1(Agent,Agent,Agent);
run bunava23.R2(Agent,Agent,Agent);

138
protocols/misc/bunava-2-4.spdl Normal file
View File

@@ -0,0 +1,138 @@
# Buttyan Nagy Vajda protocol 2 (4-party)
#
# Modelled after the description in the paper
# "Efficient multi-party challenge-response protocols for entity
# authentication"
#
# Note:
# Does not seem to reach the claim. I don't know why yet. TODO
# investigate.
#
secret k: Function;
# protocol intruderhelp(Swap)
# {
# role Swap
# {
# var T: Ticket;
# var A,B: Agent;
#
# read_1(Swap,Swap, { T }k(A,B) );
# send_2(Swap,Swap, { T }k(B,A) );
# }
# }
protocol bunava24(A,B,C,D)
{
role A
{
const ra: Nonce;
var rb,rc,rd: Nonce;
var Tacd, Tabd: Ticket;
send_1(A,B, ra);
read_4(D,A, rd,
Tacd,
Tabd,
{ D, { C, { B,ra }k(A,B) }k(A,C) }k(A,D)
);
# send_5(A,B,
# { A, rd }k(A,D),
# { A, Tacd }k(A,C),
# { A, Tabd }k(A,B)
# );
claim_A1(A, Niagree);
claim_A2(A, Nisynch);
}
role B
{
const rb: Nonce;
var ra,rc,rd: Nonce;
var Tbad, Tbac: Ticket;
read_1(A,B, ra);
send_2(B,C, rb,
{ B,ra }k(A,B)
);
# read_5(A,B,
# Tbad,
# Tbac,
# { A, { D, { C,rb }k(B,C) }k(B,D) }k(A,B)
# );
# send_6(B,C,
# { B, Tbad }k(B,D),
# { B, Tbac }k(B,C)
# );
#
# claim_B1(B, Niagree);
# claim_B2(B, Nisynch);
}
role C
{
const rc: Nonce;
var ra,rb,rd: Nonce;
var Tcab,Tcbd: Ticket;
read_2(B,C, rb, Tcab );
send_3(C,D, rc,
{ C, rb }k(B,C),
{ C, Tcab }k(A,C)
);
# read_6(B,C,
# Tcbd,
# { B, { A,{ D,rc }k(C,D) }k(A,C) }k(B,C)
# );
# send_7(C,D,
# { C, Tcbd }k(C,D)
# );
#
# claim_C1(C, Niagree);
# claim_C2(C, Nisynch);
}
role D
{
const rd: Nonce;
var ra,rb,rc: Nonce;
var Tdbc,Tdac: Ticket;
read_3(C,D, rc, Tdbc, Tdac );
send_4(D,A, rd,
{ D, rc }k(C,D),
{ D, Tdbc }k(B,D),
{ D, Tdac }k(A,D)
);
# read_7(C,D,
# { C, { B,{ A,rd }k(A,D) }k(B,D) }k(C,D)
# );
#
# claim_D1(D, Niagree);
# claim_D2(D, Nisynch);
}
}
const Alice,Bob,Charlie,Eve: Agent;
untrusted Eve;
const ne: Nonce;
compromised k(Alice,Eve);
compromised k(Bob,Eve);
compromised k(Charlie,Eve);
compromised k(Eve,Alice);
compromised k(Eve,Bob);
compromised k(Eve,Charlie);
# General scenario
run bunava24.A(Agent,Agent,Agent,Agent);
run bunava24.B(Agent,Agent,Agent,Agent);
run bunava24.C(Agent,Agent,Agent,Agent);
run bunava24.D(Agent,Agent,Agent,Agent);
run bunava24.A(Agent,Agent,Agent,Agent);
run bunava24.B(Agent,Agent,Agent,Agent);
run bunava24.C(Agent,Agent,Agent,Agent);
run bunava24.D(Agent,Agent,Agent,Agent);

32
protocols/misc/carkey-broken-limited.spdl Normal file
View File

@@ -0,0 +1,32 @@
const pk: Function;
secret sk: Function;
inversekeys (pk,sk);
protocol carkeybrokenlim(I,R)
{
role I
{
const ni: Nonce;
send_1(I,R, I,R );
}
role R
{
var ni: Nonce;
read_1(I,R, I,R );
claim_2(R,Nisynch);
}
}
const Alice,Bob,Eve: Agent;
untrusted Eve;
const nc: Nonce;
compromised sk(Eve);
run carkeybrokenlim.I(Alice,Bob);
run carkeybrokenlim.R(Alice,Bob);
run carkeybrokenlim.I(Alice,Bob);
run carkeybrokenlim.R(Alice,Bob);

32
protocols/misc/carkey-broken.spdl Normal file
View File

@@ -0,0 +1,32 @@
const pk: Function;
secret sk: Function;
inversekeys (pk,sk);
protocol carkeybroken(I,R)
{
role I
{
const ni: Nonce;
send_1(I,R, {ni}sk(I) );
}
role R
{
var ni: Nonce;
read_1(I,R, {ni}sk(I) );
claim_2(R,Nisynch);
}
}
const Alice,Bob,Eve: Agent;
untrusted Eve;
const nc: Nonce;
compromised sk(Eve);
run carkeybroken.I(Agent,Agent);
run carkeybroken.R(Agent,Agent);
run carkeybroken.I(Agent,Agent);
run carkeybroken.R(Agent,Agent);

32
protocols/misc/carkey-ni.spdl Normal file
View File

@@ -0,0 +1,32 @@
const pk: Function;
secret sk: Function;
inversekeys (pk,sk);
protocol carkeyni(I,R)
{
role I
{
const ni: Nonce;
send_1(I,R, {R,ni}sk(I) );
}
role R
{
var ni: Nonce;
read_1(I,R, {R,ni}sk(I) );
claim_2(R,Nisynch);
}
}
const Alice,Bob,Eve: Agent;
untrusted Eve;
const nc: Nonce;
compromised sk(Eve);
run carkeyni.I(Agent,Agent);
run carkeyni.R(Agent,Agent);
run carkeyni.I(Agent,Agent);
run carkeyni.R(Agent,Agent);

34
protocols/misc/carkey-ni2.spdl Normal file
View File

@@ -0,0 +1,34 @@
const pk: Function;
secret sk: Function;
inversekeys (pk,sk);
protocol carkeyni2(I,R)
{
role I
{
const ni: Nonce;
send_1(I,R, {R,ni}sk(I) );
send_2(I,R, {R,ni}sk(I) );
}
role R
{
var ni: Nonce;
read_1(I,R, {R,ni}sk(I) );
read_2(I,R, {R,ni}sk(I) );
claim_4(R,Nisynch);
}
}
const Alice,Bob,Eve: Agent;
untrusted Eve;
const nc: Nonce;
compromised sk(Eve);
run carkeyni2.I(Agent,Agent);
run carkeyni2.R(Agent,Agent);
run carkeyni2.I(Agent,Agent);
run carkeyni2.R(Agent,Agent);

53
protocols/misc/ccitt509-ban.spdl Normal file
View File

@@ -0,0 +1,53 @@
usertype Data;
const pk: Function;
secret sk: Function;
inversekeys (pk,sk);
protocol ccitt509(I,R)
{
role I
{
const xi,yi: Data;
const ni: Nonce;
var nr: Nonce;
var yr,xr: Data;
send_1(I,R, I,{ni, R, xi, {yi}pk(R) }sk(I) );
read_2(R,I, R,{nr, I, ni, xr, {yr}pk(I) }sk(R) );
send_3(I,R, I,{R,nr}sk(I) );
claim_4(I,Secret,yi);
claim_5(I,Secret,yr);
claim_6(I,Nisynch);
claim_7(I,Niagree);
}
role R
{
var xi,yi: Data;
var ni: Nonce;
const nr: Nonce;
const yr,xr: Data;
read_1(I,R, I,{ni, R, xi, {yi}pk(R) }sk(I) );
send_2(R,I, R,{nr, I, ni, xr, {yr}pk(I) }sk(R) );
read_3(I,R, I,{R,nr}sk(I) );
claim_8(R,Secret,yi);
claim_9(R,Secret,yr);
claim_10(R,Nisynch);
claim_11(R,Niagree);
}
}
const Alice,Bob,Eve: Agent;
untrusted Eve;
const ne: Nonce;
const de: Data;
compromised sk(Eve);
run ccitt509.I(Agent,Agent);
run ccitt509.R(Agent,Agent);
run ccitt509.I(Agent,Agent);
run ccitt509.R(Agent,Agent);

74
protocols/misc/denning-sacco-shared.spdl Normal file
View File

@@ -0,0 +1,74 @@
/*
* Denning-Sacco shared key
* CJ, but modeled after Sjouke's protocol list
*/
/* default includes */
/* asymmetric */
const pk,hash: Function;
secret sk,unhash: Function;
/* symmetric */
usertype SessionKey, Time, Ticket;
secret k: Function;
/* agents */
const a,b,e: Agent;
/* untrusted e */
untrusted e;
const ne: Nonce;
const kee: SessionKey;
compromised k(e,e);
compromised k(e,a);
compromised k(e,b);
compromised k(a,e);
compromised k(b,e);
protocol denningsaccosh(A,S,B)
{
role A
{
var t: Time;
var T: Ticket;
var kab: SessionKey;
send_1 (A,S, A,S );
read_2 (S,A, {B, kab, t, T}k(A,S) );
send_3 (A,B, T);
claim_4 (A, Secret, kab);
claim_5 (A, Nisynch);
claim_6 (A, Niagree);
}
role S
{
const t: Time;
const kab: SessionKey;
read_1 (A,S, A,S );
send_2 (S,A, {B, kab, t, { kab, A,t }k(B,S) }k(A,S) );
}
role B
{
var t: Time;
var kab: SessionKey;
read_3 (A,B, { kab, A,t }k(B,S) );
claim_7 (B, Secret, kab);
claim_8 (B, Nisynch);
claim_9 (B, Niagree);
}
}

42
protocols/misc/f4.spdl Normal file
View File

@@ -0,0 +1,42 @@
/*
* f4.spdl
*
* Tailored protocol to show that any number of runs can be required to
* find an attack.
*
* For this version, -m2 and -r4 are needed.
*
* April 2005, Cas Cremers
*/
const pk: Function;
secret sk: Function;
inversekeys (pk,sk);
protocol f4(I,R)
{
role I
{
var nr: Nonce;
read_!1(R,I, nr );
send_!2(I,R, { nr }sk(I) );
read_!3(R,I, {{{{ nr }sk(R)}sk(R)}sk(R)}sk(R) );
claim_i1(I,Reachable);
}
role R
{
const nr: Nonce;
send_!1(R,I, nr );
}
}
const Alice,Bob,Eve: Agent;
untrusted Eve;
const ne: Nonce;
compromised sk(Eve);

42
protocols/misc/f5.spdl Normal file
View File

@@ -0,0 +1,42 @@
/*
* f5.spdl
*
* Tailored protocol to show that any number of runs can be required to
* find an attack.
*
* For this version, -m2 and -r5 are needed.
*
* April 2005, Cas Cremers
*/
const pk: Function;
secret sk: Function;
inversekeys (pk,sk);
protocol f5(I,R)
{
role I
{
var nr: Nonce;
read_!1(R,I, nr );
send_!2(I,R, { nr }sk(I) );
read_!3(R,I, {{{{{ nr }sk(R)}sk(R)}sk(R)}sk(R)}sk(R) );
claim_i1(I,Reachable);
}
role R
{
const nr: Nonce;
send_!1(R,I, nr );
}
}
const Alice,Bob,Eve: Agent;
untrusted Eve;
const ne: Nonce;
compromised sk(Eve);

24
protocols/misc/five-run-bound.spdl Normal file
View File

@@ -0,0 +1,24 @@
const pk: Function;
secret sk: Function;
inversekeys (pk,sk);
protocol r5bound(I,R)
{
role R
{
var k1: Nonce;
var ni: Nonce;
const k2: Nonce;
read_!1 (I,R, ni );
send_!2 (R,I, { ni }sk(R) );
read_!3 (I,R, {{{ {k1}pk(R) }sk(I)}sk(I)}sk(I) );
send_!4 (R,I, {k2}k1 );
claim_6 (R, Secret, k2);
}
}
const Alice, Bob: Agent;
const ne: Nonce;

58
protocols/misc/fourway-HSDDM05.cpp Normal file
View File

@@ -0,0 +1,58 @@
/*
* This is a model of a version of the four-way handshake protocol as modeled
* by He,Sundararajan,Datta,Derek and Mitchell in the paper: "A modular
* correctness proof of IEEE 802.11i and TLS".
*/
#define ptk hash( pmk(X,Y),x,y )
/* below is just Scyther input and no further macro definitions */
usertype Params, String;
const hash: Function;
secret unhash: Function;
inversekeys(hash,unhash);
secret pmk: Function;
const msg1,msg2,msg3,msg4: String;
const Alice, Bob, Eve: Agent;
protocol fourway(X,Y)
{
role X
{
const x: Nonce;
var y: Nonce;
send_1( X,Y, x,msg1 );
read_2( Y,X, y,msg2,hash( ptk,y,msg2 ) );
send_3( X,Y, x,msg3,hash( ptk,x,msg3 ) );
read_4( Y,X, msg4,hash( ptk,msg4 ) );
claim_X1( X, Secret, ptk );
claim_X2( X, Niagree );
}
role Y
{
var x: Nonce;
const y: Nonce;
read_1( X,Y, x,msg1 );
send_2( Y,X, y,msg2,hash( ptk,y,msg2 ) );
read_3( X,Y, x,msg3,hash( ptk,x,msg3 ) );
send_4( Y,X, msg4,hash( ptk,msg4 ) );
claim_Y1( Y, Secret, ptk );
claim_Y2( Y, Niagree );
}
}
untrusted Eve;
compromised pmk(Eve,Alice);
compromised pmk(Eve,Bob);
compromised pmk(Alice,Eve);
compromised pmk(Bob,Eve);

53
protocols/misc/fourway-HSDDM05.spdl Normal file
View File

@@ -0,0 +1,53 @@
# 1 "fourway-HSDDM05.cpp"
# 1 "<built-in>"
# 1 "<command line>"
# 1 "fourway-HSDDM05.cpp"
# 10 "fourway-HSDDM05.cpp"
usertype Params, String;
const hash: Function;
secret unhash: Function;
inversekeys(hash,unhash);
secret pmk: Function;
const msg1,msg2,msg3,msg4: String;
const Alice, Bob, Eve: Agent;
protocol fourway(X,Y)
{
role X
{
const x: Nonce;
var y: Nonce;
send_1( X,Y, x,msg1 );
read_2( Y,X, y,msg2,hash( hash( pmk(X,Y),x,y ),y,msg2 ) );
send_3( X,Y, x,msg3,hash( hash( pmk(X,Y),x,y ),x,msg3 ) );
read_4( Y,X, msg4,hash( hash( pmk(X,Y),x,y ),msg4 ) );
claim_X1( X, Secret, hash( pmk(X,Y),x,y ) );
claim_X2( X, Niagree );
}
role Y
{
var x: Nonce;
const y: Nonce;
read_1( X,Y, x,msg1 );
send_2( Y,X, y,msg2,hash( hash( pmk(X,Y),x,y ),y,msg2 ) );
read_3( X,Y, x,msg3,hash( hash( pmk(X,Y),x,y ),x,msg3 ) );
send_4( Y,X, msg4,hash( hash( pmk(X,Y),x,y ),msg4 ) );
claim_Y1( Y, Secret, hash( pmk(X,Y),x,y ) );
claim_Y2( Y, Niagree );
}
}
untrusted Eve;
compromised pmk(Eve,Alice);
compromised pmk(Eve,Bob);
compromised pmk(Alice,Eve);
compromised pmk(Bob,Eve);

81
protocols/misc/gong-nonce-b.spdl Normal file
View File

@@ -0,0 +1,81 @@
usertype Sessionkey;
usertype Keypart;
secret k: Function;
const f: Function;
/*
* Gong nonce based alternative
*
* Boyd & Mathuria: Protocols for authentication and key establishment
* (2003) p. 101
*/
protocol gongnonceb(I,R,S)
{
role I
{
const ni: Nonce;
var nr: Nonce;
const ki: Keypart;
var kr: Keypart;
send_1 (I,S, I,R, { I,S,I, ki, R }k(I,S), ni );
read_4 (S,I, { S,I,R,kr,I }k(I,S), { R,I,ni }f(ki,kr), nr );
send_5 (I,R, { I,R,nr }f(ki,kr) );
claim_6 (I, Secret, ki);
claim_7 (I, Secret, kr);
claim_8 (I, Nisynch);
claim_9 (I, Niagree);
}
role R
{
var ni: Nonce;
const nr: Nonce;
const kr: Keypart;
var ki: Keypart;
read_2 (S,R, I,R, { S,R,I, ki, R }k(R,S), ni );
send_3 (R,S, { R,S,R,kr,I }k(R,S), { R,I, ni }f(ki,kr), nr );
read_5 (I,R, { I,R,nr }f(ki,kr) );
claim_10 (R, Secret, ki);
claim_11 (R, Secret, kr);
claim_12 (R, Nisynch);
claim_13 (R, Niagree);
}
role S
{
var ni,nr: Nonce;
var ki,kr: Keypart;
var T;
read_1 (I,S, I,R, { I,S,I, ki, R }k(I,S), ni );
send_2 (S,R, I,R, { S,R,I, ki, R }k(R,S), ni );
read_3 (R,S, { R,S,R,kr,I }k(R,S), T, nr );
send_4 (S,I, { S,I,R,kr,I }k(I,S), T, nr );
}
}
const Alice,Bob,Simon,Eve: Agent;
untrusted Eve;
const ne: Nonce;
const kpe: Keypart;
const ke: Sessionkey;
compromised k(Eve,Eve);
compromised k(Eve,Alice);
compromised k(Eve,Bob);
compromised k(Eve,Simon);
compromised k(Alice,Eve);
compromised k(Bob,Eve);
compromised k(Simon,Eve);
run gongnonceb.I(Agent,Agent,Simon);
run gongnonceb.R(Agent,Agent,Simon);
run gongnonceb.S(Agent,Agent,Simon);
run gongnonceb.I(Agent,Agent,Simon);
run gongnonceb.R(Agent,Agent,Simon);
run gongnonceb.S(Agent,Agent,Simon);

72
protocols/misc/gong-nonce.spdl Normal file
View File

@@ -0,0 +1,72 @@
usertype Sessionkey;
usertype Keypart;
secret k: Function;
protocol gongnonce(I,R,S)
{
role I
{
const ni: Nonce;
var nr: Nonce;
const ki: Keypart;
var kr: Keypart;
send_1 (I,R, I,R,ni );
read_3 (S,I, { S,I,R, kr, I, ni }k(I,S), nr);
send_4 (I,S, { I,S,I, ki, R, nr }k(I,S) );
claim_6 (I, Secret, ki);
claim_7 (I, Secret, kr);
claim_8 (I, Nisynch);
claim_9 (I, Niagree);
}
role R
{
var ni: Nonce;
const nr: Nonce;
const kr: Keypart;
var ki: Keypart;
read_1 (I,R, I,R,ni );
send_2 (R,S, I,R, nr, { R,S,R, kr, I,ni }k(R,S));
read_5 (S,R, { S,R,I, ki, R, nr }k(R,S) );
claim_10 (R, Secret, ki);
claim_11 (R, Secret, kr);
claim_12 (R, Nisynch);
claim_13 (R, Niagree);
}
role S
{
var ni,nr: Nonce;
var ki,kr: Keypart;
read_2 (R,S, I,R, nr, { R,S,R, kr, I,ni }k(R,S));
send_3 (S,I, { S,I,R, kr, I, ni }k(I,S), nr);
read_4 (I,S, { I,S,I, ki, R, nr }k(I,S) );
send_5 (S,R, { S,R,I, ki, R, nr }k(R,S) );
}
}
const Alice,Bob,Simon,Eve: Agent;
untrusted Eve;
const ne: Nonce;
const kpe: Keypart;
const ke: Sessionkey;
compromised k(Eve,Eve);
compromised k(Eve,Alice);
compromised k(Eve,Bob);
compromised k(Eve,Simon);
compromised k(Alice,Eve);
compromised k(Bob,Eve);
compromised k(Simon,Eve);
run gongnonce.I(Agent,Agent,Simon);
run gongnonce.R(Agent,Agent,Simon);
run gongnonce.S(Agent,Agent,Simon);
run gongnonce.I(Agent,Agent,Simon);
run gongnonce.R(Agent,Agent,Simon);
run gongnonce.S(Agent,Agent,Simon);

17
protocols/misc/helloworld.spdl Normal file
View File

@@ -0,0 +1,17 @@
usertype String, World;
secret HelloWorld, k: String;
protocol hw(initiator,world)
{
role initiator
{
send_1(initiator, world, HelloWorld);
/* claim_2(initiator, Secret, HelloWorld); */
}
}
const Alice, Bob: Agent;
const Earth, Mars: World;
run hw.initiator(Agent,World);

69
protocols/misc/ibe-ns.spdl Normal file
View File

@@ -0,0 +1,69 @@
// 12/05/06
// S. Mauw
// Using Identity Based Encryption primitive to make NSL authentication.
// The only requirement on the server communications is that the
// sending of the private key is secret.
const pk: Function; //public-private keys are used to model a secure channel
secret sk: Function; //from the keyserver to the parties
const ibepublic: Function; //publicly known key construction from server
//parameters and recipient name
secret ibesecret: Function;//secret key determined by server for recipient
const param: Function; //public security parameter of server
inversekeys (pk,sk);
inversekeys (ibepublic,ibesecret);
protocol ibe(I,R,S)
{
role I
{
const ni: Nonce;
var nr: Nonce;
//Note that we are not interested in the order of server messages.
read_!1(S,I, param(S) );
send_3(I,R, {I,ni}ibepublic(param(S),R) );
read_4(R,I, {ni,nr,R}ibepublic(param(S),I) );
send_5(I,R, {nr}ibepublic(param(S),R) );
claim_i1(I,Secret,ni);
claim_i2(I,Secret,nr);
claim_i3(I,Niagree);
claim_i4(I,Nisynch);
}
role R
{
var ni: Nonce;
const nr: Nonce;
read_!2(S,R, {ibesecret(param(S),R)}pk(R) );
read_3(I,R, {I,ni}ibepublic(param(S),R) );
send_4(R,I, {ni,nr,R}ibepublic(param(S),I) );
read_5(I,R, {nr}ibepublic(param(S),R) );
claim_r1(R,Secret,ni);
claim_r2(R,Secret,nr);
claim_r3(R,Niagree);
claim_r4(R,Nisynch);
}
role S
{
read_!0(S,S, R,S); // workaround for the fact that R & S are roles, so Scyther should not jump to conclusions (remove it and see what happens)
send_!1(S,I, param(S) );
send_!2(S,R, {ibesecret(param(S),R)}pk(R) );
claim_s1(S,Secret,ibesecret(param(S),R));
}
}
const Alice, Bob, Carol, Eve: Agent;
untrusted Eve;
const ne: Nonce;
compromised sk(Eve);
compromised ibesecret(param(Eve),Alice);
compromised ibesecret(param(Eve),Bob);
compromised ibesecret(param(Eve),Carol);

50
protocols/misc/ibe.spdl Normal file
View File

@@ -0,0 +1,50 @@
// 12/05/06
// S. Mauw
// Modeling of Identity Based Encryption primitive.
const pk: Function;
secret sk: Function;
const ibepublic: Function;
secret ibesecret: Function;
const param: Function;
inversekeys (pk,sk);
inversekeys (ibepublic,ibesecret);
protocol ibe(I,R,S)
{
role I
{
const ni: Nonce;
read_1(S,I, param(S) );
send_3(I,R, {ni}ibepublic(param(S),R) );
claim_i1(I,Secret,ni);
}
role R
{
var ni: Nonce;
read_2(S,R, {ibesecret(param(S),R)}pk(R) );
read_3(I,R, {ni}ibepublic(param(S),R) );
claim_r1(R,Secret,ni);
//of course this claim is invalid
}
role S
{
send_1(S,I, param(S) );
send_2(S,R, {ibesecret(param(S),R)}pk(R) );
}
}
const Alice, Bob, Carol, Eve: Agent;
untrusted Eve;
const ne: Nonce;
compromised sk(Eve);
compromised ibesecret(param(Eve),Alice);
compromised ibesecret(param(Eve),Bob);
compromised ibesecret(param(Eve),Carol);

63
protocols/misc/isoiec11770-2-13.spdl Normal file
View File

@@ -0,0 +1,63 @@
usertype Sessionkey;
usertype Ticket;
secret k: Function;
protocol isoiec11770213(I,R,S)
{
role I
{
const ni: Nonce;
var nr: Nonce;
var kir: Sessionkey;
send_1 (I,R, ni);
read_4 (R,I, { ni,kir,R }k(I,S) );
claim_5 (I, Secret, kir);
}
role R
{
var ni: Nonce;
const nr: Nonce;
const kir: Sessionkey;
var T;
read_1 (I,R, ni);
send_2 (R,S, { nr,ni,I,kir }k(R,S) );
read_3 (S,R, { nr, I }k(R,S), T );
send_4 (R,I, T );
claim_6 (R, Secret, kir);
}
role S
{
var ni,nr: Nonce;
var kir: Sessionkey;
read_2 (R,S, { nr,ni,I,kir }k(R,S) );
send_3 (S,R, { nr, I }k(R,S), { ni,kir,R }k(I,S) );
}
}
const Alice,Bob,Simon,Eve: Agent;
untrusted Eve;
const ne: Nonce;
const te: Ticket;
const ke: Sessionkey;
compromised k(Eve,Eve);
compromised k(Eve,Alice);
compromised k(Eve,Bob);
compromised k(Eve,Simon);
compromised k(Alice,Eve);
compromised k(Bob,Eve);
compromised k(Simon,Eve);
run isoiec11770213.I(Agent,Agent,Simon);
run isoiec11770213.R(Agent,Agent,Simon);
run isoiec11770213.S(Agent,Agent,Simon);
run isoiec11770213.I(Agent,Agent,Simon);
run isoiec11770213.R(Agent,Agent,Simon);
run isoiec11770213.S(Agent,Agent,Simon);

67
protocols/misc/kaochow-palm.spdl Normal file
View File

@@ -0,0 +1,67 @@
usertype Sessionkey;
usertype Ticket;
secret k: Function;
protocol kaochowPalm(I,R,S)
{
role I
{
const ni: Nonce;
var nr: Nonce;
var kir: Sessionkey;
send_1 (I,S, I,R,ni);
read_3 (R,I, {I,R,ni,kir}k(I,S), {ni}kir, nr );
send_4 (I,R, {nr}kir );
claim_5 (I, Nisynch);
claim_6 (I, Niagree);
claim_7 (I, Secret, kir);
}
role R
{
var ni: Nonce;
const nr: Nonce;
var kir: Sessionkey;
var T;
read_2 (S,R, { T, { I,R,ni,kir }k(R,S) }k(R,S) );
send_3 (R,I, T, {ni}kir, nr );
read_4 (I,R, {nr}kir );
claim_8 (R, Nisynch);
claim_9 (R, Niagree);
claim_10 (R, Secret, kir);
}
role S
{
var ni: Nonce;
const kir: Sessionkey;
read_1 (I,S, I,R,ni);
send_2 (S,R, { {I,R,ni,kir}k(I,S), { I,R,ni,kir }k(R,S) }k(R,S) );
}
}
const Alice,Bob,Simon,Eve: Agent;
untrusted Eve;
const ne: Nonce;
const te: Ticket;
const ke: Sessionkey;
compromised k(Eve,Eve);
compromised k(Eve,Alice);
compromised k(Eve,Bob);
compromised k(Eve,Simon);
compromised k(Alice,Eve);
compromised k(Bob,Eve);
compromised k(Simon,Eve);
run kaochowPalm.I(Agent,Agent,Simon);
run kaochowPalm.R(Agent,Agent,Simon);
run kaochowPalm.S(Agent,Agent,Simon);
run kaochowPalm.I(Agent,Agent,Simon);
run kaochowPalm.R(Agent,Agent,Simon);
run kaochowPalm.S(Agent,Agent,Simon);

67
protocols/misc/kaochow-v2.spdl Normal file
View File

@@ -0,0 +1,67 @@
usertype Sessionkey;
usertype Ticket;
secret k: Function;
protocol kaochow2(I,R,S)
{
role I
{
const ni: Nonce;
var nr: Nonce;
var kir,kt: Sessionkey;
send_1 (I,S, I,R,ni);
read_3 (R,I, R, {I,R,ni,kir,kt}k(I,S), {ni, kir}kt, nr );
send_4 (I,R, {nr,kir}kt );
claim_5 (I, Nisynch);
claim_6 (I, Niagree);
claim_7 (I, Secret, kir);
}
role R
{
var ni: Nonce;
const nr: Nonce;
var kir,kt: Sessionkey;
var T: Ticket;
read_2 (S,R, T, { I,R,ni,kir,kt }k(R,S) );
send_3 (R,I, R, T, {ni, kir}kt, nr );
read_4 (I,R, {nr,kir}kt );
claim_8 (R, Nisynch);
claim_9 (R, Niagree);
claim_10 (R, Secret, kir);
}
role S
{
var ni: Nonce;
const kir, kt: Sessionkey;
read_1 (I,S, I,R,ni);
send_2 (S,R, {I,R,ni,kir,kt}k(I,S), { I,R,ni,kir,kt }k(R,S) );
}
}
const Alice,Bob,Simon,Eve: Agent;
untrusted Eve;
const ne: Nonce;
const te: Ticket;
const ke: Sessionkey;
compromised k(Eve,Eve);
compromised k(Eve,Alice);
compromised k(Eve,Bob);
compromised k(Eve,Simon);
compromised k(Alice,Eve);
compromised k(Bob,Eve);
compromised k(Simon,Eve);
run kaochow2.I(Agent,Agent,Simon);
run kaochow2.R(Agent,Agent,Simon);
run kaochow2.S(Agent,Agent,Simon);
run kaochow2.I(Agent,Agent,Simon);
run kaochow2.R(Agent,Agent,Simon);
run kaochow2.S(Agent,Agent,Simon);

70
protocols/misc/kaochow-v3.spdl Normal file
View File

@@ -0,0 +1,70 @@
usertype Sessionkey;
usertype Ticket;
usertype Timestamp;
secret k: Function;
protocol kaochow3(I,R,S)
{
role I
{
const ni: Nonce;
var nr: Nonce;
var kir,kt: Sessionkey;
var T2: Ticket;
send_1 (I,S, I,R,ni);
read_3 (R,I, R, {I,R,ni,kir,kt}k(I,S), {ni, kir}kt, nr, T2 );
send_4 (I,R, {nr,kir}kt, T2 );
claim_5 (I, Nisynch);
claim_6 (I, Niagree);
claim_7 (I, Secret, kir);
}
role R
{
var ni: Nonce;
const nr: Nonce;
var kir,kt: Sessionkey;
var T: Ticket;
const tr: Timestamp;
read_2 (S,R, T, { I,R,ni,kir,kt }k(R,S) );
send_3 (R,I, R, T, {ni, kir}kt, nr, {I,R,tr,kir}k(R,S) );
read_4 (I,R, {nr,kir}kt, {I,R,tr,kir}k(R,S) );
claim_8 (R, Nisynch);
claim_9 (R, Niagree);
claim_10 (R, Secret, kir);
}
role S
{
var ni: Nonce;
const kir, kt: Sessionkey;
read_1 (I,S, I,R,ni);
send_2 (S,R, {I,R,ni,kir,kt}k(I,S), { I,R,ni,kir,kt }k(R,S) );
}
}
const Alice,Bob,Simon,Eve: Agent;
untrusted Eve;
const ne: Nonce;
const te: Ticket;
const ke: Sessionkey;
compromised k(Eve,Eve);
compromised k(Eve,Alice);
compromised k(Eve,Bob);
compromised k(Eve,Simon);
compromised k(Alice,Eve);
compromised k(Bob,Eve);
compromised k(Simon,Eve);
run kaochow3.I(Agent,Agent,Simon);
run kaochow3.R(Agent,Agent,Simon);
run kaochow3.S(Agent,Agent,Simon);
run kaochow3.I(Agent,Agent,Simon);
run kaochow3.R(Agent,Agent,Simon);
run kaochow3.S(Agent,Agent,Simon);

67
protocols/misc/kaochow.spdl Normal file
View File

@@ -0,0 +1,67 @@
usertype Sessionkey;
usertype Ticket;
secret k: Function;
protocol kaochow(I,R,S)
{
role I
{
const ni: Nonce;
var nr: Nonce;
var kir: Sessionkey;
send_1 (I,S, I,R,ni);
read_3 (R,I, {I,R,ni,kir}k(I,S), {ni}kir, nr );
send_4 (I,R, {nr}kir );
claim_5 (I, Nisynch);
claim_6 (I, Niagree);
claim_7 (I, Secret, kir);
}
role R
{
var ni: Nonce;
const nr: Nonce;
var kir: Sessionkey;
var T;
read_2 (S,R, T, { I,R,ni,kir }k(R,S) );
send_3 (R,I, T, {ni}kir, nr );
read_4 (I,R, {nr}kir );
claim_8 (R, Nisynch);
claim_9 (R, Niagree);
claim_10 (R, Secret, kir);
}
role S
{
var ni: Nonce;
const kir: Sessionkey;
read_1 (I,S, I,R,ni);
send_2 (S,R, {I,R,ni,kir}k(I,S), { I,R,ni,kir }k(R,S) );
}
}
const Alice,Bob,Simon,Eve: Agent;
untrusted Eve;
const ne: Nonce;
const te: Ticket;
const ke: Sessionkey;
compromised k(Eve,Eve);
compromised k(Eve,Alice);
compromised k(Eve,Bob);
compromised k(Eve,Simon);
compromised k(Alice,Eve);
compromised k(Bob,Eve);
compromised k(Simon,Eve);
run kaochow.I(Agent,Agent,Simon);
run kaochow.R(Agent,Agent,Simon);
run kaochow.S(Agent,Agent,Simon);
run kaochow.I(Agent,Agent,Simon);
run kaochow.R(Agent,Agent,Simon);
run kaochow.S(Agent,Agent,Simon);

167
protocols/misc/kerberos-rddm.spdl Normal file
View File

@@ -0,0 +1,167 @@
/*
* Scyther description of Kerberos as in RDDM'07
*
*/
usertype Sessionkey;
usertype Text;
secret ktk: Function;
secret kck: Function;
secret kst: Function;
protocol @swapkey-ktk(I,R)
{
# Protocol added to work around the symmetry problems where k(I,R) != k(R,I)
role I
{
var T:Ticket;
read_!X1(R,I,{T}ktk(I,R));
send_!X2(I,R,{T}ktk(R,I));
}
role R
{
}
}
protocol @swapkey-kck(I,R)
{
# Protocol added to work around the symmetry problems where k(I,R) != k(R,I)
role I
{
var T:Ticket;
read_!X1(R,I,{T}kck(I,R));
send_!X2(I,R,{T}kck(R,I));
}
role R
{
}
}
protocol @swapkey-kst(I,R)
{
# Protocol added to work around the symmetry problems where k(I,R) != k(R,I)
role I
{
var T:Ticket;
read_!X1(R,I,{T}kst(I,R));
send_!X2(I,R,{T}kst(R,I));
}
role R
{
}
}
protocol kerberos(C,K,T,S) {
role C {
const n1: Nonce;
const n2: Nonce;
var tgt: Ticket;
var st: Ticket;
var AKey: Sessionkey;
var SKey: Sessionkey;
const t: Text;
send_1(C,K, C,T,n1);
read_2(K,C, tgt, { AKey,n1,T }kck(C,K) );
// Stage boundary
send_3(C,T, tgt, { C }AKey,C,S,n2 );
read_4(T,C, C, st, { SKey, n2, S }AKey );
// Stage boundary
send_5(C,S, st, { C,t }SKey );
read_6(S,C, { t }SKey );
// Theorem 5 (a)
// If C,K are honest
claim(C,Reachable);
// Theorem 6 (a)
// If C,K,T are all honest
claim(C,Secret,AKey);
// Theorem 7 (a)
// If C,K,S are all honest
claim(C, Reachable);
// Theorem 8
// If C,K,S are all honest
claim(C, Secret, SKey);
}
role K {
var n1: Nonce;
const AKey: Sessionkey;
read_1(C,K, C,T,n1);
send_2(K,C, { AKey, C }ktk(T,K), { AKey,n1,T }kck(C,K) );
// Theorem 6 (a)
// If C,K,T are all honest
claim_K1(K,Secret,AKey);
}
role T {
var AKey: Sessionkey;
var n2: Nonce;
const SKey: Sessionkey;
read_3(C,T, { AKey, C }ktk(T,K), { C }AKey,C,S,n2 );
send_4(T,C, C,{ SKey, C }kst(S,T), { SKey, n2, S }AKey );
// Theorem 5 (a)
// If C,K are honest
claim(T,Reachable);
// Theorem 6 (a)
// If C,K,T are all honest
claim(T,Secret,AKey);
// My own
claim(T,Secret,SKey);
}
role S {
var t: Text;
var SKey: Sessionkey;
read_5(C,S, { SKey, C }kst(S,T), { C,t }SKey );
send_6(S,C, { t }SKey );
// Theorem 7 (b)
// If C,K,S,T are honest
claim(S, Reachable);
// My own
claim(S, Secret, t);
claim(S, Secret, SKey);
}
}
const Alice,Bob,Charlie,Eve: Agent;
untrusted Eve;
// C untrusted
compromised kck(Eve,Alice);
compromised kck(Alice,Eve);
// K untrusted
compromised kck(Eve,Alice);
compromised kck(Alice,Eve);
compromised ktk(Eve,Alice);
compromised ktk(Alice,Eve);
// T untrusted
compromised kst(Alice,Eve);
compromised kst(Eve,Alice);
compromised ktk(Eve,Alice);
compromised ktk(Alice,Eve);
// S untrusted
compromised kst(Alice,Eve);
compromised kst(Eve,Alice);

83
protocols/misc/ksl.spdl Normal file
View File

@@ -0,0 +1,83 @@
/*
* KSL from SPORE
*
* Messages 6-8 are intended for repeated authentication, and there are
* known attacks on this. However, we don't model that yet.
*
* Furthermore, it is interesting to experiment here with key
* compromise (of kab), when this is implemented in Scyther.
*/
usertype Server, SessionKey, GeneralizedTimestamp, Ticket, TicketKey;
secret k: Function;
const a, b, e: Agent;
const s: Server;
/* give the intruder something to work with */
const ne: Nonce;
const kee: SessionKey;
untrusted e;
compromised k(e,s);
protocol ksl(A,B,S)
{
role A
{
const Na, Ma: Nonce;
var Nc, Mb: Nonce;
var T: Ticket;
var Kab: SessionKey;
send_1(A,B, Na, A);
read_4(B,A, { Na,B,Kab }k(A,S), T, Nc, {Na}Kab );
send_5(A,B, { Nc }Kab );
send_6(A,B, Ma,T );
read_7(B,A, Mb,{Ma}Kab );
send_8(A,B, {Mb}Kab );
claim_A1(A,Secret, Kab);
claim_A2(A,Niagree);
claim_A3(A,Nisynch);
}
role B
{
var Na,Ma: Nonce;
const Nb,Nc,Mb: Nonce;
var Kab: SessionKey;
const Kbb: TicketKey;
const Tb: GeneralizedTimestamp;
var T: Ticket;
read_1(A,B, Na, A);
send_2(B,S, Na, A, Nb, B );
read_3(S,B, { Nb, A, Kab }k(B,S), T );
send_4(B,A, T, { Tb, A, Kab }Kbb, Nc, {Na}Kab );
read_5(A,B, { Nc }Kab );
read_6(A,B, Ma,{ Tb, A, Kab }Kbb );
send_7(B,A, Mb,{Ma}Kab );
read_8(A,B, {Mb}Kab );
claim_B1(B,Secret, Kab);
claim_B2(B,Niagree);
claim_B3(B,Nisynch);
}
role S
{
var Na, Nb: Nonce;
const Kab: SessionKey;
read_2(B,S, Na, A, Nb, B );
send_3(S,B, { Nb, A, Kab }k(B,S), { Na,B,Kab }k(A,S) );
}
}
run ksl.A(a,b,s);
run ksl.B(a,b,s);
run ksl.S(a,b,s);

56
protocols/misc/localclaims-breaker.spdl Normal file
View File

@@ -0,0 +1,56 @@
/*
* Breaker for localclaims protocol
*
* Starts out as NSL3; last message (label3) has added name to avoid
* confusion with the later messages.
*
* Added messages labeled with x1 and x2 to allow for breaking the other
* protocol.
*/
const pk: Function;
secret sk: Function;
inversekeys (pk,sk);
protocol lcbreaker(I,R)
{
role I
{
const ni: Nonce;
var nr: Nonce;
var x: Nonce;
send_1(I,R, {I,ni}pk(R) );
read_2(R,I, {ni,nr,R}pk(I) );
send_3(I,R, {nr,I}pk(R) );
read_x1(R,I, { x }pk(I) );
send_x2(I,R, { x }ni );
claim_i1(I,Secret,ni);
claim_i2(I,Secret,nr);
}
role R
{
var ni: Nonce;
const nr: Nonce;
const x: Nonce;
read_1(I,R, {I,ni}pk(R) );
send_2(R,I, {ni,nr,R}pk(I) );
read_3(I,R, {nr,I}pk(R) );
send_x1(R,I, { x }pk(I) );
read_x2(I,R, { x }ni );
claim_r1(R,Secret,ni);
claim_r2(R,Secret,nr);
}
}
const Eve: Agent;
untrusted Eve;
const ne: Nonce;
compromised sk(Eve);

63
protocols/misc/localclaims-seq1.spdl Normal file
View File

@@ -0,0 +1,63 @@
/*
* Breaker for localclaims protocol; sequential composition variant 1
*
* Starts out as NSL3; last message (label3) has added name to avoid
* confusion with the later messages.
*
* Added messages labeled with x1 and x2 to allow for breaking the other
* protocol.
*/
const pk: Function;
secret sk: Function;
inversekeys (pk,sk);
protocol lcbreakerS1(I,R)
{
role I
{
const ni,ni2: Nonce;
var nr: Nonce;
var x: Nonce;
send_1(I,R, {I,ni}pk(R) );
read_2(R,I, {ni,nr,R}pk(I) );
send_3(I,R, {nr,I}pk(R) );
read_x1(R,I, { x }pk(I) );
send_x2(I,R, { x }ni );
send_lc(I,R, {ni2}pk(R) );
claim_i0(I,Secret,ni2);
claim_i1(I,Secret,ni);
claim_i2(I,Secret,nr);
}
role R
{
var ni,ni2: Nonce;
const nr: Nonce;
const x: Nonce;
read_1(I,R, {I,ni}pk(R) );
send_2(R,I, {ni,nr,R}pk(I) );
read_3(I,R, {nr,I}pk(R) );
send_x1(R,I, { x }pk(I) );
read_x2(I,R, { x }ni );
read_lc(I,R, {ni2}pk(R) );
claim_r0(R,Secret,ni2);
claim_r1(R,Secret,ni);
claim_r2(R,Secret,nr);
}
}
const Eve: Agent;
untrusted Eve;
const ne: Nonce;
compromised sk(Eve);

45
protocols/misc/localclaims.spdl Normal file
View File

@@ -0,0 +1,45 @@
/*
* Local claims
*/
// PKI infrastructure
const pk: Function;
secret sk: Function;
inversekeys (pk,sk);
// The protocol description
protocol localclaims(I,R)
{
role I
{
const ni: Nonce;
send_1(I,R, {ni}pk(R) );
claim_i1(I,Secret,ni);
}
role R
{
var ni: Nonce;
read_1(I,R, {ni}pk(R) );
claim_r1(R,Secret,ni);
}
}
// The agents in the system
const Alice,Bob: Agent;
// An untrusted agent, with leaked information
const Eve: Agent;
untrusted Eve;
const ne: Nonce;
compromised sk(Eve);

83
protocols/misc/ns-symmetric-amended.spdl Normal file
View File

@@ -0,0 +1,83 @@
/*
* Needham-Schroeder symmetric
* Amended version (from Sjouke's interpret.)
*/
/* symmetric */
usertype SessionKey;
secret k: Function;
/* agents */
const a,b,e: Agent;
/* untrusted e */
untrusted e;
const ne: Nonce;
const kee: SessionKey;
compromised k(e,e);
compromised k(e,a);
compromised k(e,b);
compromised k(a,e);
compromised k(b,e);
/* {}x used for public (invertible) function modeling */
usertype PseudoFunction;
const succ: PseudoFunction;
usertype Ticket;
protocol nssymmetricamended(A,S,B)
{
role A
{
const na: Nonce;
var T1: Ticket;
var T2: Ticket;
var kab: SessionKey;
var nb: Nonce;
send_1(A,B, A );
read_2(B,A, T1 );
send_3(A,S, A,B,na,T1 );
read_4(S,A, { na,B,kab,T2 }k(A,S) );
send_5(A,B, T2 );
read_6(B,A, { nb }kab );
send_7(A,B, { {nb}succ }kab );
claim_8(A, Secret, kab);
claim_8a(A, Niagree);
claim_8b(A, Nisynch);
}
role S
{
const kab: SessionKey;
var na: Nonce;
var nb: Nonce;
read_3(A,S, A,B,na, { A,nb }k(B,S) );
send_4(S,A, { na,B,kab, { kab,A }k(B,S) }k(A,S) );
}
role B
{
var kab: SessionKey;
const nb: Nonce;
read_1(A,B, A );
send_2(B,A, { A,nb }k(B,S) );
read_5(A,B, { kab,A }k(B,S) );
send_6(B,A, { nb }kab );
read_7(A,B, { {nb}succ }kab );
claim_9(B, Secret, kab);
claim_9a(B, Niagree);
claim_9b(B, Nisynch);
}
}

72
protocols/misc/ns-symmetric.spdl Normal file
View File

@@ -0,0 +1,72 @@
/*
* Needham-Schroeder symmetric
*/
/* symmetric */
usertype SessionKey;
secret k: Function;
/* agents */
const a,b,e: Agent;
/* untrusted e */
untrusted e;
const ne: Nonce;
const kee: SessionKey;
compromised k(e,e);
compromised k(e,a);
compromised k(e,b);
compromised k(a,e);
compromised k(b,e);
/* {}x used for public (invertible) function modeling */
usertype PseudoFunction;
const succ: PseudoFunction;
usertype Ticket;
protocol nssymmetric(A,S,B)
{
role A
{
const na: Nonce;
var T: Ticket;
var kab: SessionKey;
var nb: Nonce;
send_1(A,S, A,B,na );
read_2(S,A, { na,B,kab,T }k(A,S) );
send_3(A,B, T );
read_4(B,A, { nb }kab );
send_5(A,B, { {nb}succ }kab );
claim_6(A, Secret, kab);
}
role S
{
const kab: SessionKey;
var na: Nonce;
read_1(A,S, A,B,na );
send_2(S,A, { na,B,kab, { kab,A }k(B,S) }k(A,S) );
}
role B
{
var kab: SessionKey;
const nb: Nonce;
read_3(A,B, { kab,A }k(B,S) );
send_4(B,A, { nb }kab );
read_5(A,B, { {nb}succ }kab );
claim_7(B, Secret, kab);
}
}

50
protocols/misc/ns3-brutus.spdl Normal file
View File

@@ -0,0 +1,50 @@
const pk: Function;
secret sk: Function;
inversekeys (pk,sk);
protocol ns3brutus(I,R)
{
role I
{
const ni: Nonce;
var nr: Nonce;
send_1(I,R, {I,ni}pk(R) );
read_2(R,I, {ni,nr}pk(I) );
send_3(I,R, {nr}pk(R) );
claim_4(I,Secret,nr);
}
role R
{
var ni: Nonce;
const nr: Nonce;
read_1(I,R, {I,ni}pk(R) );
send_2(R,I, {ni,nr}pk(I) );
read_3(I,R, {nr}pk(R) );
claim_5(R,Secret,ni);
}
}
const Alice,Bob,Eve : Agent;
/* something like this will later on all be implied by 'untrusted Eve' */
untrusted Eve;
/* const nc: Nonce; */
compromised sk(Eve);
/* pre-defined 10 runs, limit using --max-runs parameters */
/* to be nice to brutus, stupid scenario :( */
run ns3brutus.R(Agent,Bob);
run ns3brutus.I(Alice,Agent);
run ns3brutus.R(Agent,Bob);
run ns3brutus.I(Alice,Agent);
run ns3brutus.R(Agent,Bob);
run ns3brutus.I(Alice,Agent);
run ns3brutus.R(Agent,Bob);
run ns3brutus.I(Alice,Agent);
run ns3brutus.R(Agent,Bob);
run ns3brutus.I(Alice,Agent);

67
protocols/misc/ns3.spdl Normal file
View File

@@ -0,0 +1,67 @@
/*
* Needham-Schroeder protocol
*/
// PKI infrastructure
const pk: Function;
secret sk: Function;
inversekeys (pk,sk);
// The protocol description
protocol ns3(I,R)
{
role I
{
const ni: Nonce;
var nr: Nonce;
send_1(I,R, {I,ni}pk(R) );
read_2(R,I, {ni,nr}pk(I) );
send_3(I,R, {nr}pk(R) );
claim_i1(I,Secret,ni);
claim_i2(I,Secret,nr);
claim_i3(I,Niagree);
claim_i4(I,Nisynch);
}
role R
{
var ni: Nonce;
const nr: Nonce;
read_1(I,R, {I,ni}pk(R) );
send_2(R,I, {ni,nr}pk(I) );
read_3(I,R, {nr}pk(R) );
claim_r1(R,Secret,ni);
claim_r2(R,Secret,nr);
claim_r3(R,Niagree);
claim_r4(R,Nisynch);
}
}
// The agents in the system
const Alice,Bob: Agent;
// An untrusted agent, with leaked information
const Eve: Agent;
untrusted Eve;
const ne: Nonce;
compromised sk(Eve);
// The runs (only needed for the modelchecker algorithm)
run ns3.I(Agent,Agent);
run ns3.R(Agent,Agent);
run ns3.I(Agent,Agent);
run ns3.R(Agent,Agent);
run ns3.I(Agent,Agent);
run ns3.R(Agent,Agent);
run ns3.I(Agent,Agent);
run ns3.R(Agent,Agent);
run ns3.I(Agent,Agent);
run ns3.R(Agent,Agent);

43
protocols/misc/nsl3-nisynch-rep.spdl Normal file
View File

@@ -0,0 +1,43 @@
const pk: Function;
secret sk: Function;
inversekeys (pk,sk);
protocol nsl3rep(I,R)
{
role I
{
const ni: Nonce;
var nr: Nonce;
send_1(I,R, {I,ni}pk(R) );
send_6(I,R, {I,ni}pk(R) );
read_2(R,I, {ni,nr,R}pk(I) );
send_3(I,R, {nr}pk(R) );
claim_4(I,Niagree);
claim_7(I,Nisynch);
}
role R
{
var ni: Nonce;
const nr: Nonce;
read_1(I,R, {I,ni}pk(R) );
read_6(I,R, {I,ni}pk(R) );
send_2(R,I, {ni,nr,R}pk(I) );
read_3(I,R, {nr}pk(R) );
claim_5(R,Niagree);
claim_8(R,Nisynch);
}
}
const Alice,Bob,Eve: Agent;
untrusted Eve;
const nc: Nonce;
compromised sk(Eve);
run nsl3rep.I(Agent,Agent);
run nsl3rep.R(Agent,Agent);
run nsl3rep.I(Agent,Agent);
run nsl3rep.R(Agent,Agent);

43
protocols/misc/nsl3.spdl Normal file
View File

@@ -0,0 +1,43 @@
const pk: Function;
secret sk: Function;
inversekeys (pk,sk);
protocol nsl3(I,R)
{
role I
{
const ni: Nonce;
var nr: Nonce;
send_1(I,R, {I,ni}pk(R) );
read_2(R,I, {ni,nr,R}pk(I) );
send_3(I,R, {nr}pk(R) );
claim_i1(I,Secret,ni);
claim_i2(I,Secret,nr);
claim_i3(I,Niagree);
claim_i4(I,Nisynch);
}
role R
{
var ni: Nonce;
const nr: Nonce;
read_1(I,R, {I,ni}pk(R) );
send_2(R,I, {ni,nr,R}pk(I) );
read_3(I,R, {nr}pk(R) );
claim_r1(R,Secret,ni);
claim_r2(R,Secret,nr);
claim_r3(R,Niagree);
claim_r4(R,Nisynch);
}
}
const Eve: Agent;
untrusted Eve;
const ne: Nonce;
compromised sk(Eve);

18
protocols/misc/onetrace.spdl Normal file
View File

@@ -0,0 +1,18 @@
usertype String;
const Alice,Bob,Charlie: Agent;
const Hallo: String;
protocol onetrace(I)
{
role I
{
var input: String;
read_!1(I,I, input);
send_!2(I,I, Hallo);
read_!3(I,I, input);
claim_4(I, Secret, input);
}
}

66
protocols/misc/otwayrees.spdl Normal file
View File

@@ -0,0 +1,66 @@
secret const k : Function;
/* Version from the Spore Librairy
http://www.lsv.ens-cachan.fr/spore/otwayRees.html
*/
usertype String, SesKey, Ticket, Server;
protocol otwayrees(A,B,S)
{
role A
{
const na : Nonce;
const M : String;
var kab : SesKey;
send_1(A,B, M,A,B, { na,M,A,B }k(A,S) );
read_4(B,A, M, { na,kab }k(A,S) );
claim_5(A, Secret,kab);
claim_5b(A, Niagree);
claim_5c(A, Nisynch);
}
role B
{
var M : String;
const nb : Nonce;
var kab : SesKey;
var t1,t2;
read_1(A,B, M,A,B, t1 );
send_2(B,S, M,A,B, t1, { nb,M,A,B }k(B,S) );
read_3(S,B, M, t2, { nb,kab }k(B,S) );
send_4(B,A, M, t2 );
claim_6(B, Secret,kab);
claim_6a(B, Niagree);
claim_6b(B, Nisynch);
}
role S
{
var na,nb : Nonce;
var M : String;
const kab : SesKey;
read_2(B,S, M,A,B, { na,M,A,B }k(A,S), { nb,M,A,B }k(B,S) );
send_3(S,B, M, { na,kab }k(A,S) , { nb,kab }k(B,S) );
}
}
const Alice, Bob, Eve: Agent;
const Simon: Server;
untrusted Eve;
compromised k(Eve,Simon);
run otwayrees.A(Alice, Agent, Simon);
run otwayrees.B(Agent, Bob, Simon);
run otwayrees.S(Agent, Agent, Simon);
run otwayrees.A(Agent, Agent, Simon);
run otwayrees.B(Agent, Agent, Simon);
run otwayrees.S(Agent, Agent, Simon);

83
protocols/misc/problems-johanselst.spdl Normal file
View File

@@ -0,0 +1,83 @@
/*
* Some authentication protocol
*
* Version by Johan Selst. Seems to segfault at a simple -r4 execution
* with the modelchecker.
*
* Reported on 2005-05-11.
*/
// PKI infrastructure
const pk: Function;
secret sk: Function;
inversekeys (pk,sk);
// The protocol description
protocol as3a(X, I, Y)
{
role X
{
var nix: Nonce;
read_1(I, X, nix);
send_2(X, I, {I,nix}sk(X));
}
role I
{
const nix, niy: Nonce;
send_1(I, X, nix);
read_2(X, I, {I,nix}sk(X));
send_3(I, Y, niy);
read_4(Y, I, {niy,I}sk(Y));
claim_i1(I, Nisynch);
}
role Y
{
var niy: Nonce;
read_3(I, Y, niy);
send_4(Y, I, {niy,I}sk(Y));
}
}
// The trusted agents in the system
const Alice,Bob,Carol: Agent;
// An untrusted agent, with leaked information
const Eve: Agent;
untrusted Eve;
compromised sk(Eve);
// The runs (only needed for the modelchecker algorithm)
run as3a.X(Agent,Agent,Agent);
run as3a.I(Agent,Agent,Agent);
run as3a.Y(Agent,Agent,Agent);
run as3a.X(Agent,Agent,Agent);
run as3a.I(Agent,Agent,Agent);
run as3a.Y(Agent,Agent,Agent);
run as3a.X(Agent,Agent,Agent);
run as3a.I(Agent,Agent,Agent);
run as3a.Y(Agent,Agent,Agent);
run as3a.X(Agent,Agent,Agent);
run as3a.I(Agent,Agent,Agent);
run as3a.Y(Agent,Agent,Agent);
run as3a.X(Agent,Agent,Agent);
run as3a.I(Agent,Agent,Agent);
run as3a.Y(Agent,Agent,Agent);
run as3a.X(Agent,Agent,Agent);
run as3a.I(Agent,Agent,Agent);
run as3a.Y(Agent,Agent,Agent);

Some files were not shown because too many files have changed in this diff Show More