/*
 * Modeled from ISO/IEC 9798
 * Modeler: Cas Cremers, Dec. 2010
 *
 * symmetric
 * two-pass
 * mutual
 *
 * Note: the identity inside the encryption may be ommitted, if
 *   (a) the environment disallows such attacks, or
 *   (b) a unidirectional key is used
 *
 * In case (b), modeled here, the second key is reversed.
 *
 */
protocol isoiec-9798-2-3-udkey(A,B)
{
	role A
	{
		fresh TNA: Nonce;
		var TNB: Nonce;
		fresh Text1,Text2: Ticket;
		var Text3,Text4: Ticket;

		claim(A,Running,B,TNA,Text1);
		send_1(A,B, Text2, { TNA, Text1 }k(A,B) );
		recv_2(B,A, Text4, { TNB, Text3 }k(B,A) );

		claim(A,Commit,B,TNB,Text3);
		claim(A,Alive);
		claim(A,Weakagree);
	}
	role B
	{
		var TNA: Nonce;
		fresh TNB: Nonce;
		var Text1,Text2: Ticket;
		fresh Text3,Text4: Ticket;

		recv_1(A,B, Text2, { TNA, Text1 }k(A,B) );
		claim(B,Running,A,TNB,Text3);
		send_2(B,A, Text4, { TNB, Text3 }k(B,A) );

		claim(B,Commit,A,TNA,Text1);
		claim(B,Alive);
		claim(B,Weakagree);
	}
}