# Buttyan Nagy Vajda protocol 1 (3-party) # # Modelled after the description in the paper # "Efficient multi-party challenge-response protocols for entity # authentication" # # Attacks: # Does not satisfy ni-agree, because when Alice in the R0 role terminates # it cannot be sure that the agent in role R1 is aware of having sent a # reply for Alice. # R0 type flaw attack exists in which there are only two agents active. # secret k: Function; protocol intruderhelp(Swap) { role Swap { var T: Ticket; var R0,R1: Agent; read_!1(Swap,Swap, { T }k(R0,R1) ); send_!2(Swap,Swap, { T }k(R1,R0) ); } } protocol bunava13(R0,R1,R2) { role R0 { fresh n0: Nonce; var n1,n2: Nonce; send_1(R0,R1, n0); read_3(R2,R0, n2,{R2,n1,R1,n0}k(R0,R2) ); send_4(R0,R1, {R0,n2,R2,n1}k(R0,R1) ); claim_A1(R0, Niagree); claim_A2(R0, Nisynch); } role R1 { fresh n1: Nonce; var n0,n2: Nonce; read_1(R0,R1, n0); send_2(R1,R2, n1,{R1,n0}k(R1,R2) ); read_4(R0,R1, {R0,n2,R2,n1}k(R0,R1) ); send_5(R1,R2, {R1,R0,n2}k(R1,R2) ); claim_B1(R1, Niagree); claim_B2(R1, Nisynch); } role R2 { fresh n2: Nonce; var n0,n1: Nonce; read_2(R1,R2, n1,{R1,n0}k(R1,R2) ); send_3(R2,R0, n2,{R2,n1,R1,n0}k(R0,R2) ); read_5(R1,R2, {R1,R0,n2}k(R1,R2) ); claim_C1(R2, Niagree); claim_C2(R2, Nisynch); } } # General scenario, 2 parallel runs of the protocol