# KSL
#
# Modelled after the description in the SPORE library
# http://www.lsv.ens-cachan.fr/spore/ksl.html
#
# Note:
# This protocol uses a ticket so scyther will only be able to verify
# the protocol using the ARACHNE engine (-a)
#


usertype Server, SessionKey, GeneralizedTimestamp, TicketKey;
secret k: Function;

const a, b, e: Agent;
const s: Server;
const Fresh: Function;
const Compromised: Function;

const ne: Nonce;
const kee: SessionKey;
untrusted e;
compromised k(e,s);

protocol kslSessionKeyCompromise(C)
{
    // Read the names of 3 agents and disclose a session between them including
    // corresponding session key to simulate key compromise
    role C {
        const Ni,Nr,Nc,Ma,Mb: Nonce;
        const Kir: SessionKey;
        const Kbb: TicketKey;
        const Tr: GeneralizedTimestamp;
        var I,R,S: Agent;

        read_C1(C,C,    I,R,S);
        send_C2(C,C,    (Ni,I),
                        (Ni,I,Nr,R),
                        {Nr,I,Kir}k(R,S),{Ni,R,Kir}k(I,S),
                        {Tr,I,Kir}Kbb,Nc,{Ni}k(I,R),
                        {Nc}Kir,
                        Ma,
                        Mb,{Ma}Kir,
                        {Mb}Kir,
                        Kir,
                        Kbb
               );
        claim_C3(C,Empty, (Compromised,Kir));
        claim_C4(C,Empty, (Compromised,Kbb));
    }
}


protocol ksl(A,B,S)
{
    role A
    {
        const Na, Ma: Nonce;
        var Nc, Mb: Nonce;
        var T: Ticket;
        var Kab: SessionKey;
        
        send_1(A,B, Na, A);
        read_4(B,A, { Na,B,Kab }k(A,S), T, Nc, {Na}Kab );
        send_5(A,B, { Nc }Kab );
        
        send_6(A,B, Ma,T );
        read_7(B,A, Mb,{Ma}Kab );
        send_8(A,B, {Mb}Kab );

        claim_I1(A,Secret, Kab);
        claim_I2(A,Niagree);
        claim_I3(A,Nisynch);
        claim_I4(A,Empty, (Fresh, Kab));
    }

    role B
    {
        var Na,Ma: Nonce;
        const Nb,Nc,Mb: Nonce;
        var Kab: SessionKey;
        const Kbb: TicketKey;
        const Tb: GeneralizedTimestamp;
        var T: Ticket;
        
        read_1(A,B, Na, A);
        send_2(B,S, Na, A, Nb, B );
        read_3(S,B, { Nb, A, Kab }k(B,S), T );
        send_4(B,A, T, { Tb, A, Kab }Kbb, Nc, {Na}Kab );
        read_5(A,B, { Nc }Kab );
        
        read_6(A,B, Ma,{ Tb, A, Kab }Kbb );
        send_7(B,A, Mb,{Ma}Kab );
        read_8(A,B, {Mb}Kab );

        claim_B1(B,Secret, Kab);
        claim_B2(B,Niagree);
        claim_B3(B,Nisynch);
        claim_B4(B,Empty,(Fresh,Kab));
    }

    role S
    {
        var Na, Nb: Nonce;
        const Kab: SessionKey;

        read_2(B,S, Na, A, Nb, B );
        send_3(S,B, { Nb, A, Kab }k(B,S), { Na,B,Kab }k(A,S) );
    }
}

run ksl.A(a,b,s);
run ksl.B(a,b,s);
run ksl.S(a,b,s);