From b1ea3f6d4ba801aa470b108f04544584e78abacc Mon Sep 17 00:00:00 2001 From: Cas Cremers Date: Mon, 25 Feb 2008 23:28:52 +0100 Subject: [PATCH 1/2] Split up Neumann-Stubblebine. --- protocols/misc/nst1.spdl | 72 ++++++++++++++++++++++++++++++++++++++++ protocols/misc/nst2.spdl | 64 +++++++++++++++++++++++++++++++++++ 2 files changed, 136 insertions(+) create mode 100644 protocols/misc/nst1.spdl create mode 100644 protocols/misc/nst2.spdl diff --git a/protocols/misc/nst1.spdl b/protocols/misc/nst1.spdl new file mode 100644 index 0000000..c964682 --- /dev/null +++ b/protocols/misc/nst1.spdl @@ -0,0 +1,72 @@ +# Neumann Stubblebine +# +# Modelled after the description in the SPORE library +# http://www.lsv.ens-cachan.fr/spore/neumannStubblebine.html +# +# Note: +# In SPORE this protocol is not described correctly, there are in fact 2 +# different protocols (the key establishment protocol and the repeated +# authentication protocol) + +usertype Server, SessionKey, TimeStamp, TicketKey; +usertype ExpiredTimeStamp; +secret k: Function; + +const Alice, Bob, Simon, Eve: Agent; +const Fresh: Function; +const Compromised: Function; + +const ne: Nonce; +const kee: SessionKey; +untrusted Eve; +compromised k(Eve,Simon); + +protocol neustub(I,R,S) +{ + role I + { + const Ni: Nonce; + var Nr: Nonce; + var T: Ticket; + var Tb: TimeStamp; + var Kir: SessionKey; + + send_1(I,R, I, Ni); + read_!3(S,I, { R,Ni,Kir,Tb}k(I,S), T, Nr); + send_4(I,R,T,{Nr}Kir); + + claim_I1(I,Secret, Kir); + claim_I2(I,Niagree); + claim_I3(I,Nisynch); + claim_I4(I,Empty,(Fresh,Kir)); + } + + role R + { + var Ni,Mi: Nonce; + const Nr,Mr: Nonce; + var Kir: SessionKey; + const Tb: TimeStamp; + var T: Ticket; + + read_1(I,R, I, Ni); + send_!2(R,S, R, {I, Ni, Tb}k(R,S),Nr); + read_4(I,R,{I,Kir,Tb}k(R,S),{Nr}Kir); + + claim_R1(R,Secret, Kir); + claim_R2(R,Niagree); + claim_R3(R,Nisynch); + claim_R4(R,Empty,(Fresh,Kir)); + } + + role S + { + var Ni, Nr: Nonce; + const Kir: SessionKey; + var Tb: TimeStamp; + + read_!2(R,S, R, {I,Ni,Tb}k(R,S), Nr); + send_!3(S,I, { R, Ni, Kir, Tb}k(I,S), { I,Kir,Tb}k(R,S),Nr ); + } +} + diff --git a/protocols/misc/nst2.spdl b/protocols/misc/nst2.spdl new file mode 100644 index 0000000..32ef81c --- /dev/null +++ b/protocols/misc/nst2.spdl @@ -0,0 +1,64 @@ +# Neumann Stubblebine +# +# Modelled after the description in the SPORE library +# http://www.lsv.ens-cachan.fr/spore/neumannStubblebine.html +# +# Note: +# In SPORE this protocol is not described correctly, there are in fact 2 +# different protocols (the key establishment protocol and the repeated +# authentication protocol) + +usertype Server, SessionKey, TimeStamp, TicketKey; +usertype ExpiredTimeStamp; +secret k: Function; + +const Alice, Bob, Simon, Eve: Agent; +const Fresh: Function; +const Compromised: Function; + +const ne: Nonce; +const kee: SessionKey; +untrusted Eve; +compromised k(Eve,Simon); + +protocol neustub^Repeat(I,R,S) +{ + const Kir: SessionKey; + + role I + { + const Mi: Nonce; + var Mr: Nonce; + const Kir: SessionKey; + const Tr: TimeStamp; + + send_5(I,R,Mi,{I,Kir,Tr}k(R,S)); + read_6(R,I,{Mi,Mr}Kir); + send_7(I,R,{I,Mr}Kir); + claim_I1(I,Secret, Kir); + claim_I2(I,Niagree); + claim_I3(I,Nisynch); + claim_I4(I,Empty,(Fresh,Kir)); + } + + role R + { + const Mr: Nonce; + var Tr: TimeStamp; + var Kir: SessionKey; + var Mi: Nonce; + + read_5(I,R,Mi,{I,Kir,Tr}k(R,S)); + send_6(R,I,{Mi,Mr}Kir); + read_7(I,R,{I,Mr}Kir); + claim_R1(R,Secret, Kir); + claim_R2(R,Niagree); + claim_R3(R,Nisynch); + claim_R4(R,Empty,(Fresh,Kir)); + } + + role S + { + } +} + From bea1c85d9d319e664d55c8837ce77cf1e73003b8 Mon Sep 17 00:00:00 2001 From: Cas Cremers Date: Mon, 25 Feb 2008 23:46:22 +0100 Subject: [PATCH 2/2] Tried to model Guttman variants, found multi-protocol attack. --- protocols/misc/nst1.spdl | 11 +++++++++-- protocols/misc/nst2.spdl | 27 +++++++++++++++++++++------ 2 files changed, 30 insertions(+), 8 deletions(-) diff --git a/protocols/misc/nst1.spdl b/protocols/misc/nst1.spdl index c964682..c915f61 100644 --- a/protocols/misc/nst1.spdl +++ b/protocols/misc/nst1.spdl @@ -34,6 +34,8 @@ protocol neustub(I,R,S) send_1(I,R, I, Ni); read_!3(S,I, { R,Ni,Kir,Tb}k(I,S), T, Nr); send_4(I,R,T,{Nr}Kir); + + send_!chain(I,R, { R,Tb,Kir }k(I,S), T); claim_I1(I,Secret, Kir); claim_I2(I,Niagree); @@ -48,12 +50,15 @@ protocol neustub(I,R,S) var Kir: SessionKey; const Tb: TimeStamp; var T: Ticket; + + const g: Ticket; read_1(I,R, I, Ni); - send_!2(R,S, R, {I, Ni, Tb}k(R,S),Nr); + send_!2(R,S, R, {I, Ni, Tb, g}k(R,S),Nr); read_4(I,R,{I,Kir,Tb}k(R,S),{Nr}Kir); claim_R1(R,Secret, Kir); + claim_R5(R,Secret, g); claim_R2(R,Niagree); claim_R3(R,Nisynch); claim_R4(R,Empty,(Fresh,Kir)); @@ -65,7 +70,9 @@ protocol neustub(I,R,S) const Kir: SessionKey; var Tb: TimeStamp; - read_!2(R,S, R, {I,Ni,Tb}k(R,S), Nr); + var g: Ticket; + + read_!2(R,S, R, {I,Ni,Tb, g}k(R,S), Nr); send_!3(S,I, { R, Ni, Kir, Tb}k(I,S), { I,Kir,Tb}k(R,S),Nr ); } } diff --git a/protocols/misc/nst2.spdl b/protocols/misc/nst2.spdl index 32ef81c..431c36d 100644 --- a/protocols/misc/nst2.spdl +++ b/protocols/misc/nst2.spdl @@ -29,12 +29,21 @@ protocol neustub^Repeat(I,R,S) { const Mi: Nonce; var Mr: Nonce; - const Kir: SessionKey; - const Tr: TimeStamp; + var Kir: SessionKey; + var Tr: TimeStamp; - send_5(I,R,Mi,{I,Kir,Tr}k(R,S)); - read_6(R,I,{Mi,Mr}Kir); + var Tb: Ticket; + const g: Ticket; + var h: Ticket; + + read_!chain(R,I, { R,Tr,Kir }k(I,S), Tb); + + send_5(I,R,Mi,{I,Kir,Tr}k(R,S),g); + read_6(R,I,{Mi,Mr,g,h}Kir); send_7(I,R,{I,Mr}Kir); + + claim_I0(I,Secret, g); + claim_I5(I,Secret, h); claim_I1(I,Secret, Kir); claim_I2(I,Niagree); claim_I3(I,Nisynch); @@ -47,11 +56,17 @@ protocol neustub^Repeat(I,R,S) var Tr: TimeStamp; var Kir: SessionKey; var Mi: Nonce; + + var g: Ticket; + const h: Ticket; - read_5(I,R,Mi,{I,Kir,Tr}k(R,S)); - send_6(R,I,{Mi,Mr}Kir); + read_5(I,R,Mi,{I,Kir,Tr}k(R,S),g); + send_6(R,I,{Mi,Mr,g,h}Kir); read_7(I,R,{I,Mr}Kir); + claim_R1(R,Secret, Kir); + claim_R5(R,Secret, g); + claim_R6(R,Secret, h); claim_R2(R,Niagree); claim_R3(R,Nisynch); claim_R4(R,Empty,(Fresh,Kir));