# BAN concrete Andrew Secure RPC # # Modelled after the description in the SPORE library # http://www.lsv.ens-cachan.fr/spore/andrewBAN2.html # # Note: # The shared key between I and R is modelled as k(I,R) currently # there is no way to express that this key is equal to k(R,I) # In order to overcome this a 'dummy' role X has been hadded that recrypts # a given term crypted with k(I,R) with k(R,I) # # Note: # Read 4 by the Initatior has been placed after the synchronisation claim # as it allows trivial synchronisation attacks otherwise (the message is # completely fresh and can therefore always be replaced by an arbitrary value # created by the intruder) which are not considered in SPORE # usertype SessionKey; const Fresh: Function; const Compromised: Function; protocol @swapkey(X) { # Protocol added to work around the symmetry problems where k(I,R) != k(R,I) role X { var I,R: Agent; var T:Ticket; read_!X1(X,X,I,R,{T}k(I,R)); send_!X2(X,X,{T}k(R,I)); } } protocol andrew-Concrete(I,R) { role I { fresh ni: Nonce; var nr: Nonce; var kir: SessionKey; send_1(I,R, I,ni ); read_2(R,I, {ni,kir}k(I,R) ); send_3(I,R, {ni}kir); claim_I1(I,Secret,kir); claim_I2(I,Nisynch); claim_I3(I,Empty,(Fresh,kir)); read_6(R,I, nr); } role R { var ni: Nonce; fresh nr: Nonce; fresh kir: SessionKey; read_1(I,R, I,ni ); send_2(R,I, {ni,kir}k(I,R) ); read_3(I,R, {ni}kir); send_6(R,I, nr); claim_R1(R,Secret,kir); claim_R2(R,Nisynch); claim_R3(R,Empty,(Fresh,kir)); } }