scyther/gui/Protocols/IKE/ikev2-child.cpp

88 lines
2.0 KiB
C++
Raw Normal View History

/**********************************************************************
* @protocol Internet Key Exchange Protocol (IKEv2)
* @subprotocol IKE Create Child SA
* @reference RFC 4306
* @variant Supports perfect forward secrecy
**********************************************************************/
/**
* MACRO DEFINITIONS
* Needs preprocessing by cpp before fed to scyther
*/
#define __IKEV2_CHILD__
#ifndef __ORACLE__
#include "common.h"
#endif
usertype SecurityAssociation;
const SA1 ,SA2, SA3: SecurityAssociation;
/**
* This role serves as an "oracle" to ensure the executability of the
* protocol by taking care of the problems that arise from our way of
* modelling k(I,R) = k(R,I).
*/
protocol @executability(O) {
#define Gi g(i)
#define Gr g(r)
role O {
var i, r, Ni, Nr: Nonce;
var I, R: Agent;
// msg 1
recv_!O1( O, O, {SA3, Ni, g(i)}k(I,R) );
send_!O2( O, O, {SA3, Ni, g(i)}k(R,I) );
// msg 2
recv_!O3( O, O, {SA3, Nr, Gr}k(R,I) );
send_!O4( O, O, {SA3, Nr, Gr}k(I,R) );
}
#undef Gi
#undef Gr
}
// Note: SPIs not modeled as they would lead to trivial attacks where the adversary
// tampers with the SPIs (they are not subsequently authenticated)
protocol ikev2-child(I, R)
{
role I {
fresh i, Ni: Nonce;
var Nr: Nonce;
var Gr: Ticket;
/* IKE_SA_INIT */
claim( I, Running, R,Ni,g(i) );
send_!1( I, R, {SA3, Ni, g(i)}k(I,R) );
recv_!2( R, I, {SA3, Nr, Gr}k(I,R) );
/* SECURITY CLAIMS */
claim( I, SKR, SKi );
claim( I, Alive );
claim( I, Weakagree );
claim( I, Commit, R,Ni,g(i),Nr,Gr );
}
role R {
fresh r, Nr: Nonce;
var Ni: Nonce;
var Gi: Ticket;
recv_!1( I, R, {SA3, Ni, Gi}k(R,I) );
claim( R, Running, I,Ni,Gi,Nr,g(r) );
send_!2( R, I, {SA3, Nr, g(r)}k(R,I) );
/* SECURITY CLAIMS */
claim( R, SKR, SKr );
claim( R, Alive );
claim( R, Weakagree );
claim( R, Commit, I,Ni,Gi );
}
}