From ae7c5c653ff05e7bcc3c7c9fbf1d5efdf0f915de Mon Sep 17 00:00:00 2001
From: gijs <gijs@4f7d145f-a0d4-0310-ae10-d96cc04433c1>
Date: Thu, 12 May 2005 13:32:30 +0000
Subject: [PATCH] Adding the symmetric key variants of Needham Schroeder

---
 spdl/SPORE/needham-schroeder-sk-amend.spdl | 82 ++++++++++++++++++++++
 spdl/SPORE/needham-schroeder-sk.spdl       | 72 +++++++++++++++++++
 2 files changed, 154 insertions(+)
 create mode 100644 spdl/SPORE/needham-schroeder-sk-amend.spdl
 create mode 100644 spdl/SPORE/needham-schroeder-sk.spdl

diff --git a/spdl/SPORE/needham-schroeder-sk-amend.spdl b/spdl/SPORE/needham-schroeder-sk-amend.spdl
new file mode 100644
index 0000000..31c3dcf
--- /dev/null
+++ b/spdl/SPORE/needham-schroeder-sk-amend.spdl
@@ -0,0 +1,82 @@
+# Amended Needham Schroeder Symmetric Key
+#
+# Modelled after the description in the SPORE library
+# http://www.lsv.ens-cachan.fr/spore/nssk_amended.html
+#
+#
+# Note:
+# This protocol uses a ticket so scyther will only be able to verify
+# the protocol using the ARACHNE engine (-a) and type 2 matching (-m2)
+#
+# Note:
+# According to SPORE there are no attacks on this protocol, scyther
+# finds one however. This has to be investigated further.
+
+
+
+secret k: Function;
+# Model dec that is invertible by inc
+const dec,inc: Function;
+inversekeys(dec,inc);
+usertype SessionKey;
+usertype Ticket;
+
+protocol needhamschroederskamend(I,R,S)
+{
+	role I
+	{
+        const Ni: Nonce;
+        var Nr: Nonce;
+        var Kir: SessionKey;
+        var T,T2: Ticket;
+        
+        send_1(I,R,I);
+        read_2(R,I,T);
+        send_3(I,S,(I,R,Ni,T));
+        read_4(S,I, {Ni,R,Kir,T2}k(I,S));
+        send_5(I,R,T2);
+        read_6(R,I,{Nr}Kir);
+        send_7(I,R,{{Nr}dec}Kir);
+        
+        claim_I2(I,Secret,Kir);
+        claim_I3(I,Nisynch);
+	}	
+	
+	role R
+	{
+        const Nr: Nonce;
+        var Kir: SessionKey;
+        
+        read_1(I,R,I);
+        send_2(R,I,{I,Nr}k(R,S));
+        read_5(I,R,{Kir,Nr,I}k(R,S));
+        send_6(R,I,{Nr}Kir);
+        read_7(I,R,{{Nr}dec}Kir);
+        claim_R1(R,Secret,Nr);
+        claim_R3(R,Nisynch);
+	}
+
+    role S
+    {
+        var Ni,Nr: Nonce;
+        const Kir: SessionKey;
+        read_3(I,S,(I,R,Ni,{I,Nr}k(R,S)));
+        send_4(S,I,{Ni,R,Kir,{Kir,Nr,I}k(R,S)}k(I,S));
+    }
+    
+}
+
+const Alice,Bob,Simon,Eve: Agent;
+
+untrusted Eve;
+const ne: Nonce;
+compromised k(Eve,Simon);
+
+# General scenario, 2 parallel runs of the protocol
+ 
+run needhamschroederskamend.I(Agent,Agent,Simon);
+run needhamschroederskamend.R(Agent,Agent,Simon);
+run needhamschroederskamend.S(Agent,Agent,Simon);
+run needhamschroederskamend.I(Agent,Agent,Simon);
+run needhamschroederskamend.R(Agent,Agent,Simon);
+run needhamschroederskamend.S(Agent,Agent,Simon);
diff --git a/spdl/SPORE/needham-schroeder-sk.spdl b/spdl/SPORE/needham-schroeder-sk.spdl
new file mode 100644
index 0000000..26508ba
--- /dev/null
+++ b/spdl/SPORE/needham-schroeder-sk.spdl
@@ -0,0 +1,72 @@
+# Needham Schroeder Symmetric Key
+#
+# Modelled after the description in the SPORE library
+# http://www.lsv.ens-cachan.fr/spore/nssk.html
+#
+#
+# Note:
+# This protocol uses a ticket so scyther will only be able to verify
+# the protocol using the ARACHNE engine (-a) and type 2 matching (-m2)
+#
+
+
+secret k: Function;
+# Model dec that is invertible by inc
+const dec,inc: Function;
+inversekeys(dec,inc);
+usertype SessionKey;
+usertype Ticket;
+
+protocol needhamschroedersk(I,R,S)
+{
+	role I
+	{
+        const Ni: Nonce;
+        var Nr: Nonce;
+        var Kir: SessionKey;
+        var T: Ticket;
+        
+		send_1(I,S,(I,R,Ni));
+        read_2(S,I, {Ni,R,Kir,T}k(I,S));
+        send_3(I,R,T);
+        read_4(R,I,{Nr}Kir);
+        send_5(I,R,{{Nr}dec}Kir);
+        claim_I2(I,Secret,Kir);
+        claim_I3(I,Nisynch);
+	}	
+	
+	role R
+	{
+        const Nr: Nonce;
+        var Kir: SessionKey;
+        
+        read_3(I,R,{Kir,I}k(R,S));
+        send_4(R,I,{Nr}Kir);
+        read_5(I,R,{{Nr}dec}Kir);
+        claim_R1(R,Secret,Kir);
+        claim_R3(R,Nisynch);
+	}
+
+    role S
+    {
+        var Ni: Nonce;
+        const Kir: SessionKey;
+        read_1(I,S,(I,R,Ni));
+        send_2(S,I,{Ni,R,Kir,{Kir,I}k(R,S)}k(I,S));
+    }
+}
+
+const Alice,Bob,Simon,Eve: Agent;
+
+untrusted Eve;
+const ne: Nonce;
+compromised k(Eve,Simon);
+
+# General scenario, 2 parallel runs of the protocol
+ 
+run needhamschroedersk.I(Agent,Agent,Simon);
+run needhamschroedersk.R(Agent,Agent,Simon);
+run needhamschroedersk.S(Agent,Agent,Simon);
+run needhamschroedersk.I(Agent,Agent,Simon);
+run needhamschroedersk.R(Agent,Agent,Simon);
+run needhamschroedersk.S(Agent,Agent,Simon);