- Test out a possible way to model key compromise:

Add a role that sends out all messages that would occur in a legit run of the protocol including the session key (simulating a previously recorded run with its compromised session key) - Adding a directory to play around with key compromise
2005-06-14 13:51:51 +00:00 · 2005-06-14 13:51:51 +00:00 · ba47af0c42
commit ba47af0c42
parent b212e0b1ec
1 changed files with 94 additions and 0 deletions
--- a/spdl/SPORE/key-compromise/needham-schroeder-sk.spdl
+++ b/spdl/SPORE/key-compromise/needham-schroeder-sk.spdl
@ -0,0 +1,94 @@
+# Needham Schroeder Symmetric Key
+#
+# Modelled after the description in the SPORE library
+# http://www.lsv.ens-cachan.fr/spore/nssk.html
+#
+#
+# Note:
+# This protocol uses a ticket so scyther will only be able to verify
+# the protocol using the ARACHNE engine (-a)
+#
+
+
+secret k: Function;
+# Model dec that is invertible by inc
+const dec,inc: Function;
+inversekeys(dec,inc);
+usertype SessionKey;
+
+protocol needhamschroederSessionKeyCompromise(I,R,S)
+{
+    // Disclose an entire session and the corresponding session key
+    // to simulate key compromise
+    role I {
+        const Ni,Nr: Nonce;
+        const Kir: SessionKey;
+
+        send_D1(I,I,    (I,R,Ni),
+                        {Ni,R,Kir,{Kir,I}k(R,S)}k(I,S),
+                        {Kir,I}k(R,S),
+                        {Nr}Kir,
+                        {{Nr}dec}Kir,
+                        Kir
+               );
+    }
+
+    role R {
+    }
+
+    role S {
+    }
+}
+protocol needhamschroedersk(I,R,S)
+{
+    role I
+    {
+        const Ni: Nonce;
+        var Nr: Nonce;
+        var Kir: SessionKey;
+        var T: Ticket;
+        
+        send_1(I,S,(I,R,Ni));
+        read_2(S,I, {Ni,R,Kir,T}k(I,S));
+        send_3(I,R,T);
+        read_4(R,I,{Nr}Kir);
+        send_5(I,R,{{Nr}dec}Kir);
+        claim_I2(I,Secret,Kir);
+        claim_I3(I,Nisynch);
+    }    
+    
+    role R
+    {
+        const Nr: Nonce;
+        var Kir: SessionKey;
+        
+        read_3(I,R,{Kir,I}k(R,S));
+        send_4(R,I,{Nr}Kir);
+        read_5(I,R,{{Nr}dec}Kir);
+        claim_R1(R,Secret,Kir);
+        claim_R3(R,Nisynch);
+    }
+
+    role S
+    {
+        var Ni: Nonce;
+        const Kir: SessionKey;
+        read_1(I,S,(I,R,Ni));
+        send_2(S,I,{Ni,R,Kir,{Kir,I}k(R,S)}k(I,S));
+    }
+}
+
+const Alice,Bob,Simon,Eve: Agent;
+
+untrusted Eve;
+const ne: Nonce;
+compromised k(Eve,Simon);
+
+# General scenario, 2 parallel runs of the protocol
+ 
+run needhamschroedersk.I(Agent,Agent,Simon);
+run needhamschroedersk.R(Agent,Agent,Simon);
+run needhamschroedersk.S(Agent,Agent,Simon);
+run needhamschroedersk.I(Agent,Agent,Simon);
+run needhamschroedersk.R(Agent,Agent,Simon);
+run needhamschroedersk.S(Agent,Agent,Simon);