diff --git a/spdl/SPORE/NotModelled.txt b/spdl/SPORE/NotModelled.txt new file mode 100644 index 0000000..2c93c6c --- /dev/null +++ b/spdl/SPORE/NotModelled.txt @@ -0,0 +1,6 @@ +The following protocols have not been modelled for use in Scyther: + +- CAM http://www.lsv.ens-cachan.fr/spore/cam.html +This protocol only consists of one message and corresponding database actions. +The description given in SPORE is unsuitable for formalisation. + diff --git a/spdl/SPORE/ccitt509-1.spdl b/spdl/SPORE/ccitt509-1.spdl new file mode 100644 index 0000000..4f84af6 --- /dev/null +++ b/spdl/SPORE/ccitt509-1.spdl @@ -0,0 +1,51 @@ +# CCITT X.509 (1) +# +# Modelled after the description in the SPORE library +# http://www.lsv.ens-cachan.fr/spore/ccittx509_1.html +# +# Note: +# The attack in SPORE is not found as this is not an attack against +# synchronisation, but an attack against the freshness of Xa and Ya +# which can currently not be modelled in scyther +# + +const pk: Function; +secret sk: Function; +inversekeys(pk,sk); +usertype Timestamp; + +protocol ccitt5091(I,R) +{ + role I + { + const Ta: Timestamp; + const Na,Xa,Ya: Nonce; + send_1(I,R, I,{Ta, Na, R, Xa,{Ya}pk(R)}sk(I)); + # claim_2(I,Nisynch); + # This claim is useless as there are no preceding read events + } + + role R + { + var Ta: Timestamp; + var Na,Xa,Ya: Nonce; + + read_1(I,R, I,{Ta, Na, R, Xa,{Ya}pk(R)}sk(I)); + claim_3(R,Nisynch); + # There should also be Fresh Xa and Fresh Ya claims here + } +} + +const Alice,Bob,Eve: Agent; + +untrusted Eve; +const ne: Nonce; +const te: Timestamp; +compromised sk(Eve); + +# General scenario, 2 parallel runs of the protocol + +run ccitt5091.I(Agent,Agent); +run ccitt5091.R(Agent,Agent); +run ccitt5091.I(Agent,Agent); +run ccitt5091.R(Agent,Agent); diff --git a/spdl/SPORE/ccitt509-1c.spdl b/spdl/SPORE/ccitt509-1c.spdl new file mode 100644 index 0000000..98fa690 --- /dev/null +++ b/spdl/SPORE/ccitt509-1c.spdl @@ -0,0 +1,50 @@ +# CCITT X.509 (1c) +# +# Modelled after the description in the SPORE library +# http://www.lsv.ens-cachan.fr/spore/ccittx509_1c.html +# +# Note: +# According to SPORE there are no known attacks on this protocol +# + +const pk,hash: Function; +secret sk,unhash: Function; +inversekeys (hash,unhash); +inversekeys(pk,sk); +usertype Timestamp; + +protocol ccitt5091c(I,R) +{ + role I + { + const Ta: Timestamp; + const Na,Xa,Ya: Nonce; + send_1(I,R, I,{Ta, Na, R, Xa,{Ya,{hash(Ya)}sk(I)}pk(R)}sk(I)); + # claim_2(I,Nisynch); + # This claim is useless as there are no preceding read events + } + + role R + { + var Ta: Timestamp; + var Na,Xa,Ya: Nonce; + + read(I,R, I,{Ta, Na, R, Xa,{Ya,{hash(Ya)}sk(I)}pk(R)}sk(I)); + claim_3(R,Nisynch); + # There should also be Fresh Xa and Fresh Ya claims here + } +} + +const Alice,Bob,Eve: Agent; + +untrusted Eve; +const ne: Nonce; +const te: Timestamp; +compromised sk(Eve); + +# General scenario, 2 parallel runs of the protocol + +run ccitt5091c.I(Agent,Agent); +run ccitt5091c.R(Agent,Agent); +run ccitt5091c.I(Agent,Agent); +run ccitt5091c.R(Agent,Agent);