scyther/spdl/SPORE/ccitt509-3.spdl

# CCITT X.509 (3)
#
# Modelled after the description in the SPORE library
# http://www.lsv.ens-cachan.fr/spore/ccittx509_3.html
#
# Note:
# The protocol description also states that Xa and Ya should be fresh
# this can not be verified using scyther
#

const pk: Function;
secret sk: Function;
inversekeys(pk,sk);
usertype Timestamp;

protocol ccitt509-3(I,R)
{
    role I
    {
        const Ta: Timestamp;
        var Tb: Timestamp;
        const Na,Xa,Ya: Nonce;
        var Xb,Nb,Yb: Nonce;
        send_1(I,R, I,{Ta, Na, R, Xa,{Ya}pk(R)}sk(I));
        read_2(R,I, R,{Tb, Nb, I, Na, Xb,{Yb}pk(I)}sk(R));
        send_3(I,R, I, {Nb}sk(I));
        claim_I1(I,Nisynch);
        claim_I2(I,Secret,Ya);
        claim_I3(I,Secret,Yb);
    }    
    
    role R
    {
        var Ta: Timestamp;
        const Tb: Timestamp;
        var Na,Xa,Ya: Nonce;
        const Xb,Yb,Nb: Nonce;

        read_1(I,R, I,{Ta, Na, R, Xa,{Ya}pk(R)}sk(I));
        send_2(R,I, R,{Tb, Nb, I, Na, Xb,{Yb}pk(I)}sk(R));
        read_3(I,R, I, {Nb}sk(I));
        claim_R1(R,Nisynch);
        claim_R2(R,Secret,Ya);
        claim_R3(R,Secret,Yb);
        # There should also be Fresh Xa and Fresh Ya claims here
    }
}

const Alice,Bob,Eve: Agent;

untrusted Eve;
const ne: Nonce;
const te: Timestamp;
compromised sk(Eve);

# This scenario should find the attack described in SPORE
# run ccitt5093.I(Alice,Bob);
# run ccitt5093.I(Alice,Eve);
# run ccitt5093.R(Alice,Bob);

# General scenario, 2 parallel runs of the protocol
 
run ccitt509-3.I(Agent,Agent);
run ccitt509-3.R(Agent,Agent);
run ccitt509-3.I(Agent,Agent);
run ccitt509-3.R(Agent,Agent);
- Adding 2 more CCITT509 derived protocols 2005-04-29 15:19:07 +01:00			`# CCITT X.509 (3)`
			`#`
			`# Modelled after the description in the SPORE library`
			`# http://www.lsv.ens-cachan.fr/spore/ccittx509_3.html`
			`#`
			`# Note:`
			`# The protocol description also states that Xa and Ya should be fresh`
			`# this can not be verified using scyther`
			`#`

			`const pk: Function;`
			`secret sk: Function;`
			`inversekeys(pk,sk);`
			`usertype Timestamp;`

- Update modeling of needham schroeder to better reflect the modelling in SPORE: - pk is not known to all agents, only pk(Simon) is known - Use new naming convention: - Protocol name starting with an @ means internal protocol - For non internal protocols naming is as follows: protocolname-variant^subprotocol For example: yahalom-Lowe^KeyCompromise meaning the key compromise sub protocol of the Lowe variant of the Yahalom protocol. 2005-08-15 14:31:48 +01:00			`protocol ccitt509-3(I,R)`
- Adding 2 more CCITT509 derived protocols 2005-04-29 15:19:07 +01:00			`{`
Replaced all tabs by spaces. 2005-05-23 13:35:58 +01:00			`role I`
			`{`
			`const Ta: Timestamp;`
- Adding 2 more CCITT509 derived protocols 2005-04-29 15:19:07 +01:00			`var Tb: Timestamp;`
			`const Na,Xa,Ya: Nonce;`
			`var Xb,Nb,Yb: Nonce;`
Replaced all tabs by spaces. 2005-05-23 13:35:58 +01:00			`send_1(I,R, I,{Ta, Na, R, Xa,{Ya}pk(R)}sk(I));`
- Adding 2 more CCITT509 derived protocols 2005-04-29 15:19:07 +01:00			`read_2(R,I, R,{Tb, Nb, I, Na, Xb,{Yb}pk(I)}sk(R));`
			`send_3(I,R, I, {Nb}sk(I));`
- Fix 2 incomplete/incorrect modellings 2005-08-22 14:52:29 +01:00			`claim_I1(I,Nisynch);`
			`claim_I2(I,Secret,Ya);`
			`claim_I3(I,Secret,Yb);`
Replaced all tabs by spaces. 2005-05-23 13:35:58 +01:00			`}`

			`role R`
			`{`
			`var Ta: Timestamp;`
- Adding 2 more CCITT509 derived protocols 2005-04-29 15:19:07 +01:00			`const Tb: Timestamp;`
			`var Na,Xa,Ya: Nonce;`
			`const Xb,Yb,Nb: Nonce;`

Replaced all tabs by spaces. 2005-05-23 13:35:58 +01:00			`read_1(I,R, I,{Ta, Na, R, Xa,{Ya}pk(R)}sk(I));`
- Adding 2 more CCITT509 derived protocols 2005-04-29 15:19:07 +01:00			`send_2(R,I, R,{Tb, Nb, I, Na, Xb,{Yb}pk(I)}sk(R));`
			`read_3(I,R, I, {Nb}sk(I));`
- Fix 2 incomplete/incorrect modellings 2005-08-22 14:52:29 +01:00			`claim_R1(R,Nisynch);`
			`claim_R2(R,Secret,Ya);`
			`claim_R3(R,Secret,Yb);`
- Adding 2 more CCITT509 derived protocols 2005-04-29 15:19:07 +01:00			`# There should also be Fresh Xa and Fresh Ya claims here`
Replaced all tabs by spaces. 2005-05-23 13:35:58 +01:00			`}`
- Adding 2 more CCITT509 derived protocols 2005-04-29 15:19:07 +01:00			`}`

			`const Alice,Bob,Eve: Agent;`

			`untrusted Eve;`
			`const ne: Nonce;`
			`const te: Timestamp;`
			`compromised sk(Eve);`

			`# This scenario should find the attack described in SPORE`
			`# run ccitt5093.I(Alice,Bob);`
			`# run ccitt5093.I(Alice,Eve);`
			`# run ccitt5093.R(Alice,Bob);`

			`# General scenario, 2 parallel runs of the protocol`

- Update modeling of needham schroeder to better reflect the modelling in SPORE: - pk is not known to all agents, only pk(Simon) is known - Use new naming convention: - Protocol name starting with an @ means internal protocol - For non internal protocols naming is as follows: protocolname-variant^subprotocol For example: yahalom-Lowe^KeyCompromise meaning the key compromise sub protocol of the Lowe variant of the Yahalom protocol. 2005-08-15 14:31:48 +01:00			`run ccitt509-3.I(Agent,Agent);`
			`run ccitt509-3.R(Agent,Agent);`
			`run ccitt509-3.I(Agent,Agent);`
			`run ccitt509-3.R(Agent,Agent);`