2005-04-29 14:14:23 +01:00
|
|
|
# CCITT X.509 (1)
|
|
|
|
|
#
|
|
|
|
|
# Modelled after the description in the SPORE library
|
|
|
|
|
# http://www.lsv.ens-cachan.fr/spore/ccittx509_1.html
|
|
|
|
|
#
|
|
|
|
|
# Note:
|
|
|
|
|
# The attack in SPORE is not found as this is not an attack against
|
|
|
|
|
# synchronisation, but an attack against the freshness of Xa and Ya
|
|
|
|
|
# which can currently not be modelled in scyther
|
|
|
|
|
#
|
|
|
|
|
|
|
|
|
|
const pk: Function;
|
|
|
|
|
secret sk: Function;
|
|
|
|
|
inversekeys(pk,sk);
|
|
|
|
|
usertype Timestamp;
|
|
|
|
|
|
2005-08-15 14:31:48 +01:00
|
|
|
protocol ccitt509-1(I,R)
|
2005-04-29 14:14:23 +01:00
|
|
|
{
|
2005-05-23 13:35:58 +01:00
|
|
|
role I
|
|
|
|
|
{
|
|
|
|
|
const Ta: Timestamp;
|
2005-04-29 14:14:23 +01:00
|
|
|
const Na,Xa,Ya: Nonce;
|
2005-05-23 13:35:58 +01:00
|
|
|
send_1(I,R, I,{Ta, Na, R, Xa,{Ya}pk(R)}sk(I));
|
2005-04-29 14:14:23 +01:00
|
|
|
# claim_2(I,Nisynch);
|
|
|
|
|
# This claim is useless as there are no preceding read events
|
2005-05-23 13:35:58 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
role R
|
|
|
|
|
{
|
|
|
|
|
var Ta: Timestamp;
|
2005-04-29 14:14:23 +01:00
|
|
|
var Na,Xa,Ya: Nonce;
|
|
|
|
|
|
2005-05-23 13:35:58 +01:00
|
|
|
read_1(I,R, I,{Ta, Na, R, Xa,{Ya}pk(R)}sk(I));
|
|
|
|
|
claim_3(R,Nisynch);
|
2005-04-29 14:14:23 +01:00
|
|
|
# There should also be Fresh Xa and Fresh Ya claims here
|
2005-05-23 13:35:58 +01:00
|
|
|
}
|
2005-04-29 14:14:23 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
const Alice,Bob,Eve: Agent;
|
|
|
|
|
|
|
|
|
|
untrusted Eve;
|
|
|
|
|
const ne: Nonce;
|
|
|
|
|
const te: Timestamp;
|
|
|
|
|
compromised sk(Eve);
|
|
|
|
|
|
|
|
|
|
# General scenario, 2 parallel runs of the protocol
|
|
|
|
|
|
2005-08-15 14:31:48 +01:00
|
|
|
run ccitt509-1.I(Agent,Agent);
|
|
|
|
|
run ccitt509-1.R(Agent,Agent);
|
|
|
|
|
run ccitt509-1.I(Agent,Agent);
|
|
|
|
|
run ccitt509-1.R(Agent,Agent);
|
