# Lowe modified Denning-Sacco shared key # # Modelled after the description in the SPORE library # http://www.lsv.ens-cachan.fr/spore/denningSaccoLowe.html # # Note: # According to SPORE there are no attacks on this protocol, scyther # finds one however. This has to be investigated further. usertype Key; usertype SessionKey; usertype TimeStamp; usertype ExpiredTimeStamp; usertype PseudoFunction; const dec: PseudoFunction; const Fresh: Function; const Compromised: Function; protocol denningSacco-Lowe(I,R,S) { role I { var W: Ticket; var Kir: SessionKey; var T: TimeStamp; var Nr: Nonce; send_1(I,S, I,R ); read_2(S,I, {R, Kir, T, W}k(I,S) ); send_3(I,R, W); read_4(R,I, {Nr}Kir); send_5(I,R, {{Nr}dec}Kir); claim_I1(I,Niagree); claim_I2(I,Nisynch); claim_I3(I,Secret,Kir); claim_I4(I,Empty,(Fresh,Kir)); } role R { var Kir: SessionKey; var T: TimeStamp; fresh Nr: Nonce; read_3(I,R, {Kir,I,T}k(R,S)); send_4(R,I, {Nr}Kir); read_5(I,R, {{Nr}dec}Kir); claim_R1(R,Niagree); claim_R2(R,Nisynch); claim_R3(R,Secret,Kir); claim_R4(R,Empty,(Fresh,Kir)); } role S { var W: Ticket; fresh Kir: SessionKey; fresh T: TimeStamp; read_1(I,S, I,R ); send_2(S,I, {R, Kir, T, {Kir, I,T}k(R,S)}k(I,S)); claim_x(S, Secret, Kir); } }