# Woo and Lam Mutual Authentication
#
# Modelled after the description in the SPORE library
# http://www.lsv.ens-cachan.fr/spore/wooLamMutual.html
#


usertype SessionKey;

const Fresh: Function;
const Compromised: Function;

protocol woolam(I,R,S)
{
    role I
    {
        fresh N1: Nonce;
        var Kir: SessionKey;
        var N2: Nonce;

        send_1(I,R, I, N1); 
        recv_2(R,I, R, N2);
        send_3(I,R, {I, R, N1, N2}k(I,S));
        recv_6(R,I, {R, N1, N2, Kir}k(I,S), {N1,N2}Kir);
        send_7(I,R, {N2}Kir);
        

        claim_I1(I,Secret,Kir);
        claim_I2(I,Nisynch);
        claim_I3(I,Empty,(Fresh,Kir));
    }    
    
    role R
    {
        fresh N2: Nonce;
        var N1: Nonce;
        var Kir: SessionKey;
        var T1,T2: Ticket;

        recv_1(I,R, I, N1);
        send_2(R,I, R, N2);
        recv_3(I,R, T1);
        send_4(R,S, T1, {I, R, N1, N2}k(R,S));
        recv_5(S,R, T2, {I, N1, N2, Kir}k(R,S));
        send_6(R,I, T2, {N1,N2}Kir);
        recv_7(I,R, {N2}Kir);
        
        claim_R1(R,Secret,Kir);
        claim_R2(R,Nisynch);
        claim_R3(R,Empty,(Fresh,Kir));
    }

    role S
    {
        fresh Kir: SessionKey;
        var N1,N2: Nonce;

        recv_4(R,S, {I, R, N1, N2}k(I,S), {I, R, N1, N2}k(R,S));
        send_5(S,R, {R, N1, N2, Kir}k(I,S), {I, N1, N2, Kir}k(R,S));
    }
}