# Lowe modified KSL # # Modelled after the description in the SPORE library # http://www.lsv.ens-cachan.fr/spore/kslLowe.html # # Note: # This protocol uses a ticket so scyther will only be able to verify # the protocol using the ARACHNE engine (-a) # # Note: # According to SPORE there are no attacks on this protocol, scyther # finds one however. This has to be investigated further. usertype Server, SessionKey, GeneralizedTimestamp, TicketKey; secret k: Function; const a, b, e: Agent; const s: Server; const Fresh: Function; const ne: Nonce; const kee: SessionKey; untrusted e; compromised k(e,s); protocol kslLowe(A,B,S) { role A { const Na, Ma: Nonce; var Nc, Mb: Nonce; var T: Ticket; var Kab: SessionKey; send_1(A,B, Na, A); read_4(B,A, { Na,B,Kab }k(A,S), T, Nc, {B,Na}Kab ); send_5(A,B, { Nc }Kab ); send_6(A,B, Ma,T ); read_7(B,A, Mb,{Ma, B}Kab ); send_8(A,B, {A,Mb}Kab ); claim_A1(A,Secret, Kab); claim_A2(A,Niagree); claim_A3(A,Nisynch); claim_A4(A,Empty, (Fresh,Kab)); } role B { var Na,Ma: Nonce; const Nb,Nc,Mb: Nonce; var Kab: SessionKey; const Kbb: TicketKey; const Tb: GeneralizedTimestamp; var T: Ticket; read_1(A,B, Na, A); send_2(B,S, Na, A, Nb, B ); read_3(S,B, { A, Nb, Kab }k(B,S), T ); send_4(B,A, T, { Tb, A, Kab }Kbb, Nc, {B, Na}Kab ); read_5(A,B, { Nc }Kab ); read_6(A,B, Ma,{ Tb, A, Kab }Kbb ); send_7(B,A, Mb,{Ma,B}Kab ); read_8(A,B, {A,Mb}Kab ); claim_B1(B,Secret, Kab); claim_B2(B,Niagree); claim_B3(B,Nisynch); claim_B4(B,Empty, (Fresh,Kab)); } role S { var Na, Nb: Nonce; const Kab: SessionKey; read_2(B,S, Na, A, Nb, B ); send_3(S,B, { A, Nb, Kab }k(B,S), { Na,B,Kab }k(A,S) ); } } run kslLowe.A(a,b,s); run kslLowe.B(a,b,s); run kslLowe.S(a,b,s);