- Test out a possible way to model key compromise:

Add a role that sends out all messages that would occur in a legit run of the protocol including the session key (simulating a previously recorded run with its compromised session key) - Adding a directory to play around with key compromise
2005-06-14 13:51:51 +00:00 · 2005-06-14 13:51:51 +00:00 · ba47af0c42
commit ba47af0c42
parent b212e0b1ec
1 changed files with 94 additions and 0 deletions
--- a/spdl/SPORE/key-compromise/needham-schroeder-sk.spdl
+++ b/spdl/SPORE/key-compromise/needham-schroeder-sk.spdl
@ -0,0 +1,94 @@
 # Needham Schroeder Symmetric Key
 #
 # Modelled after the description in the SPORE library
 # http://www.lsv.ens-cachan.fr/spore/nssk.html
 #
 #
 # Note:
 # This protocol uses a ticket so scyther will only be able to verify
 # the protocol using the ARACHNE engine (-a)
 #
 secret k: Function;
 # Model dec that is invertible by inc
 const dec,inc: Function;
 inversekeys(dec,inc);
 usertype SessionKey;
 protocol needhamschroederSessionKeyCompromise(I,R,S)
 {
    // Disclose an entire session and the corresponding session key
    // to simulate key compromise
    role I {
        const Ni,Nr: Nonce;
        const Kir: SessionKey;
        send_D1(I,I,    (I,R,Ni),
                        {Ni,R,Kir,{Kir,I}k(R,S)}k(I,S),
                        {Kir,I}k(R,S),
                        {Nr}Kir,
                        {{Nr}dec}Kir,
                        Kir
               );
    }
    role R {
    }
    role S {
    }
 }
 protocol needhamschroedersk(I,R,S)
 {
    role I
    {
        const Ni: Nonce;
        var Nr: Nonce;
        var Kir: SessionKey;
        var T: Ticket;
        send_1(I,S,(I,R,Ni));
        read_2(S,I, {Ni,R,Kir,T}k(I,S));
        send_3(I,R,T);
        read_4(R,I,{Nr}Kir);
        send_5(I,R,{{Nr}dec}Kir);
        claim_I2(I,Secret,Kir);
        claim_I3(I,Nisynch);
    }    
    role R
    {
        const Nr: Nonce;
        var Kir: SessionKey;
        read_3(I,R,{Kir,I}k(R,S));
        send_4(R,I,{Nr}Kir);
        read_5(I,R,{{Nr}dec}Kir);
        claim_R1(R,Secret,Kir);
        claim_R3(R,Nisynch);
    }
    role S
    {
        var Ni: Nonce;
        const Kir: SessionKey;
        read_1(I,S,(I,R,Ni));
        send_2(S,I,{Ni,R,Kir,{Kir,I}k(R,S)}k(I,S));
    }
 }
 const Alice,Bob,Simon,Eve: Agent;
 untrusted Eve;
 const ne: Nonce;
 compromised k(Eve,Simon);
 # General scenario, 2 parallel runs of the protocol
 run needhamschroedersk.I(Agent,Agent,Simon);
 run needhamschroedersk.R(Agent,Agent,Simon);
 run needhamschroedersk.S(Agent,Agent,Simon);
 run needhamschroedersk.I(Agent,Agent,Simon);
 run needhamschroedersk.R(Agent,Agent,Simon);
 run needhamschroedersk.S(Agent,Agent,Simon);