\documentclass{book} \providecommand{\draftversion}{no} %---------------------------------------------------------------------------- \input{preamble} %---------------------------------------------------------------------------- \usepackage[paper=a4paper]{geometry} \usepackage{microtype} \usepackage{cite} \usepackage{makeidx} \usepackage{watermark} \usepackage{ifthen} \usepackage{tikz} \usepackage{environ} \usepackage{listings} \usetikzlibrary{fadings} \usetikzlibrary{calc} %---------------------------------------------------------------------------- %\usepackage{showidx} %%% NOTE: Only for DRAFT! %---------------------------------------------------------------------------- \makeindex %---------------------------------------------------------------------------- %---------------------------------------------------------------------------- \begin{document} \input{macros} \newcommand{\spdindex}[1]{\index{#1@\spd{#1}}} %---------------------------------------------------------------------------- % % NOTE TO FRIENDS: Please use the macro below to insert remarks at % various points. Usage: \remark{A friend}{This is great!} % \ifthenelse{\equal{\draftversion}{yes}} { \newcommand{\remark}[2]{ {\bf Draft note (#1)} : {\em #2} } \newcommand{\later}{ {\em More text will be supplied at a later stage.} } }{ \newcommand{\remark}[2]{} \newcommand{\later}{To be continued\ldots} } %---------------------------------------------------------------------------- %---------------------------------------------------------------------------- % Environments \newenvironment{example}{}{} \DefineVerbatimEnvironment {screen}{Verbatim} {fontsize=\small,frame=lines,fontfamily=courier} \DefineVerbatimEnvironment {ingraph}{Verbatim} {frame=single,xleftmargin=1.0cm,xrightmargin=1.0cm} \DefineVerbatimEnvironment {email}{Verbatim} {fontfamily=courier} \DefineVerbatimEnvironment {spdlFV}{Verbatim} {frame=single,xleftmargin=1.0cm,xrightmargin=1.0cm} \newcommand{\spd}[1]{{\tt #1}} \newcommand{\scr}[1]{{\tt #1}} \newcommand{\gra}[1]{{\tt #1}} \lstnewenvironment{spdl}{% \lstset{backgroundcolor=\color{verbgray}, frame=single, framerule=0.5pt, rulecolor=\color{verbgrayframe}, basicstyle=\small\ttfamily, xleftmargin=10pt, xrightmargin=10pt, columns=fullflexible}}{} %---------------------------------------------------------------------------- \pagestyle{headings} %---------------------------------------------------------------------------- % % FRONT PAGE % \thispagestyle{empty} \definecolor{verbgray}{HTML}{F0F0F0} % Background of code listings \definecolor{verbgrayframe}{HTML}{C0C0C0} % Background of code listings' frames \definecolor{lgrey}{HTML}{C0E0FF} % Background of "new since" tabs \definecolor{sblue}{HTML}{26546C} \definecolor{lblue}{HTML}{E8F8FF} \definecolor{gblue}{HTML}{6C6C6C} \definecolor{sorange}{HTML}{E67400} \definecolor{lorange}{HTML}{FFF8F0} \definecolor{gorange}{HTML}{E6E6E6} \definecolor{syellow}{HTML}{FBE115} \begin{tikzpicture}[remember picture,overlay, titletext/.style={text=black,inner sep=0pt,anchor=south west,font=\sf,align=left} ] % Define coordinates \node (a) at (current page.north west) {}; \node (b) at (current page.north east) {}; \node (e) at (current page.south west) {}; \node (f) at (current page.south east) {}; \node (c) at ($ (e) + (0mm,200mm) $) {}; \node (d) at ($ (f) + (0mm,200mm) $) {}; \node (x) at ($ (c) + (0mm, 4pt) $) {}; \node (y) at ($ (c) + (0mm,-4pt) $) {}; % Orange upper %\fill[top color=white, bottom color=lorange] % (a) rectangle ($ (d) + (0mm,-1mm) $); \fill[sorange] (x) rectangle ($ (d) + (0mm,-1mm) $); % Bottom blue % \fill[top color=lblue, bottom color=white] % (c) rectangle (f); % Blue center bar narrow \fill[sblue] (y) rectangle (d); % Yellow \fill [syellow] (y) rectangle ($ (y) + (8mm,-32mm) $); % Help grid %\draw[help lines,step=10mm] (e) grid (20,30); % Text \node[titletext,scale=10] at ($ (e) + (30mm,145mm) $) {Scyther}; \node[titletext,scale=6] at ($ (e) + (30mm,125mm) $) {User Manual}; \node[titletext,scale=3] at ($ (e) + (60mm,235mm) $) {Cas Cremers}; %{Cas Cremers\\Sjouke Mauw}; %% Until now, one man effort % Draft \node[titletext,scale=2,anchor=south] at ($ (e) + (105mm,30mm) $) {Draft \today}; \end{tikzpicture} %---------------------------------------------------------------------------- % % Headers % \newcommand{\mygheaderA}{ % Define coordinates \node (a) at ($ (current page.north west) + (0mm,-25mm) $) {}; \node (b) at ($ (current page.north east) + (0mm,-25mm) $) {}; \node (c) at ($ (a) + (0mm,-5mm) $) {}; \node (d) at ($ (b) + (0mm,-5mm) $) {}; \node (e) at ($ (c) + (0mm,-7mm) $) {}; \node (f) at ($ (d) + (0mm,-7mm) $) {}; % Orange upper \draw[draw=none] [fill=gorange] (a) rectangle ($ (d) + (0mm,-1mm) $); \draw[draw=none] [postaction={path fading=north,fill=sorange}] (a) rectangle ($ (d) + (0mm,-1mm) $); % Bottom blue % \draw[draw=none] % [fill=gblue] % (c) rectangle (f); \draw[draw=none] [postaction={path fading=south,fill=sblue}] (c) rectangle (f); % Yellow highlight \tikzfading[name=fade out, inner color=transparent!0, outer color=transparent!100] } \newcommand{\mygheaderB}{ \draw[draw=none] [postaction={path fading=north,fill=white}] (c) rectangle (f); } \newsavebox{\myheaderL} \newsavebox{\myheaderR} \savebox{\myheaderL}{ \begin{tikzpicture}[remember picture,overlay, titletext/.style={text=white,inner sep=0pt,anchor=south west,font=\sf,align=left} ] \mygheaderA \begin{scope} \draw[draw=none,clip] (c) rectangle (f); \fill [syellow,path fading=fade out] ($ (d) + -1.0*(30mm,90mm) $) rectangle ($ (d) + (30mm,90mm) $); \end{scope} \mygheaderB \end{tikzpicture} } \savebox{\myheaderR}{ \begin{tikzpicture}[remember picture,overlay, titletext/.style={text=white,inner sep=0pt,anchor=south west,font=\sf,align=left} ] \mygheaderA \begin{scope} \draw[draw=none,clip] (c) rectangle (f); \fill [syellow,path fading=fade out] ($ (c) + -1.0*(30mm,90mm) $) rectangle ($ (c) + (30mm,90mm) $); \end{scope} \mygheaderB \end{tikzpicture} } %\leftwatermark{\usebox{\myheaderL}} %\rightwatermark{\usebox{\myheaderR}} % NOTE for use of the 'supported' macro for denoting new features. % % \subsection[RealTitle]{RealTitle\supported{MyVersion and YourVersion}} % % The square-bracket version is needed, otherwise the 'new' bar shows up % in the table of contents. \newcommand{\supported}[1]{ \hfill \colorbox{lgrey}{{\text{\small New in version #1}} }} %---------------------------------------------------------------------------- \tableofcontents %---------------------------------------------------------------------------- %---------------------------------------------------------------------------- \chapter{Introduction} %---------------------------------------------------------------------------- \begin{center} \fbox{\parbox{0.8\textwidth}{ \sf {\bf Note:} This is a draft of the new version of the Scyther manual. The manual may therefore be incomplete at points. Any feedback is welcome and can be sent to Cas Cremers by e-mail: {\tt cas.cremers@cs.ox.ac.uk}. }} \end{center} \bigskip \noindent This is the user manual for the Scyther security protocol verification tool. The purpose of this manual is to explain the details of the Scyther input language, explain how to model basic protocols, and how to effectively use the Scyther tool. This manual does not detail the protocol execution model nor the adversary model used by the tool. It is therefore highly recommended to read the accompanying book~\cite{opsembook}. The book includes a detailed description of Scyther's underlying protocol model, security property specifications, and the algorithm. We proceed in the following way. Some background is given in Chapter~\ref{sec:background}. Chapter~\ref{sec:install} explains how to install the Scyther tool on various platforms. In Chapter~\ref{sec:tutorial} we give a brief tutorial using simple examples to show the basics of the tool. Then we discuss things in more detail as we introduce the input language of the tool in Chapter~\ref{sec:input}. Modeling of basic protocols is described in Chapter~\ref{sec:modeling}, and Chapter~\ref{sec:properties} describes how to specify security properties. The usage of the GUI version of tool is then explained in more detail in Section~\ref{sec:gui}. The underlying command-line tool is described in Section~\ref{sec:cli}. Advanced topics are discussed in Section~\ref{sec:advanced}. \section*{Online information} More help can be found online on the Scyther website: \index{Scyther website} \index{website|see{Scyther website}} \medskip \url{http://users.ox.ac.uk/~coml0529/scyther/index.html} \medskip \noindent Users are advised to subscribe to the Scyther mailing list, whose details can also be found on the Scyther website. %---------------------------------------------------------------------------- \chapter{Background} \label{sec:background} %---------------------------------------------------------------------------- Scyther is a tool for the formal analysis of security protocols under the \emph{perfect cryptography assumption}, in which it is assumed that all cryptographic functions are perfect: the adversary learns nothing from an encrypted message unless he knows the decryption key. The tool can be used to find problems that arise from the way the protocol is constructed. This problem is undecidable in general, but in practice many protocols can be either proven correct or attacks can be found. The full protocol model, its assumptions, the basic security properties, and the algorithm are described in~\cite{opsembook}. This manual serves as a companion to the book. Thus, in this manual we assume the reader is familiar with the formal modeling of security protocols and their properties. % Not only is knowledge of security protocol models needed to use the % Scyther tool, further knowledge is needed to know how to interpret the % results that the tool produces in any useful way. In fact, the reader % should be very cautious: security protocol models and their properties % are intricate and it is easy to misinterpret the results. % % Having said that, one of the main goals of Scyther is to help with the % analysis of a protocol in such a way that for example attacks can be % understood well. Thus, wherever possible the tool will give useful % information on the results. %---------------------------------------------------------------------------- \chapter{Installation} \label{sec:install} %---------------------------------------------------------------------------- Scyther can be downloaded from the following website: \index{downloading Scyther} \url{http://users.ox.ac.uk/~coml0529/scyther/} \medskip \noindent \index{installing Scyther} Installation instruction are included in the downloadable Scyther archives. Scyther is available for the Windows, Linux and Mac OS platforms. %\section{Linux} %\section{Windows} %\section{MAC OS X} %---------------------------------------------------------------------------- \chapter{Quick start tutorial} \label{sec:tutorial} %---------------------------------------------------------------------------- \index{quick start tutorial} Scyther takes as input a security protocol description that includes a specification of intended security properties, referred to as security claims, and evaluates these. Start Scyther by executing the \scr{scyther-gui.py} program in the Scyther directory. The program will launch two windows: the main window, in which files are edited, and the \scr{about} window, which shows some information about the tool. As an introductory example, we will verify the Needham-Schroeder protocol, and investigate an attack on it. Go to the file$\rightarrow$open dialog, and open the file \scr{ns3.spdl} in the Scyther directory. Your main window should look like the one in Figure~\ref{protocolwindow}. \begin{figure}[!htb] \begin{center} \includegraphics[height=0.90\textheight]{protocolwindow} \end{center} \label{protocolwindow} \caption{Scyther main window with the file ns3.spdl opened} \end{figure} By convention, protocol description files have the extension \scr{.spdl} (Security Protocol Description Language), but it can have any name. The file used in this example is shown in Appendix~\ref{app:ns3}. Run the verification tool by selecting verify$\rightarrow$verify\_claims in the menu. A new window will appear during the verification process. Once verification is completed, the window will be replaced by the result window, as shown in Figure~\ref{resultwindow}. \begin{figure}[!htb] \begin{center} \includegraphics[scale=0.5]{resultwindow} \end{center} \label{resultwindow} \caption{Scyther result window} \end{figure} The result window shows a summary of the claims in the protocol, and the verification results. Here one can find whether the protocol is correct, or false. In the next section there will be a full explanation of the possible outcomes of the verification process. Most importantly, if a protocol claim is incorrect, then there exists at least one attack on the protocol. A button is shown next to the claim: press this button to view the attacks on the claim, as in Figure~\ref{attackwindow}. \begin{figure}[!htb] \begin{center} \includegraphics[height=0.90\textheight]{attackwindow} \end{center} \label{attackwindow} \caption{Scyther attack window} \end{figure} %---------------------------------------------------------------------------- \chapter{Input Language} \label{sec:input} %---------------------------------------------------------------------------- Scyther's input language is loosely based on a C/Java-like syntax. The main purpose of the language is to describe protocols, which are defined by a set of roles. Roles, in turn, are defined by a sequence of events, most of which are events that denote the sending or receiving of terms. We describe these elements in the following sections. \index{comments} Comments can start with \spd{//} or \spd{\#} (for single-line comments) or be enclosed by \spd{/*} and \spd{*/} (for multi-line comments). Note that multi-line comments cannot be nested. \index{whitespace} Any whitespace between elements is ignored. It is therefore possible to use whitespace (spaces, tabs, newlines) to improve readability. \index{identifier} A basic identifier consists of a string of characters from the set of alphanumeric characters as well as the symbols \spd{\^{}} and \spd{-}. \index{case-sensitive} The language is case-sensitive, thus \spd{NS3} is not the same identifier as \spd{ns3}. %............................................................................ \section{A minimal input file} The core elements in a Scyther input file are protocol definitions. A minimal example is the following: \begin{spdl} protocol ExampleProtocol(I,R) { role I { }; role R { }; }; \end{spdl} In the above, we have defined a protocol called ``ExampleProtocol'' that has two roles, ``I'' and ``R'' by listing them between brackets after the protocol name. Note that we haven't defined the behaviour of these roles yet: such behaviours are defined within the curly brackets after the corresponding \spd{role I} and \spd{role R} commands. %............................................................................ \section{Terms} At the most basic level, Scyther manipulates terms. \subsection{Atomic terms} \index{atomic term} An atomic term can be any identifier, which is usually a string of alphanumeric characters. Atomic terms can be combined into more complex terms by operators such as pairing and encryption. \subsubsection{Constants} \index{constant} \index{global constant} \subsubsection{Freshly generated values} \index{freshly generated value} \index{nonce} \index{random value} Many security protocols rely on generating random values. They can be specified by declaring them inside a role definition using the \spd{fresh} declaration. For example, to generate a random value \scr{Na} of type \spd{Nonce}, we specify: \begin{spdl} role X(...) { fresh Na: Nonce; send_1(X,Y,Na); } \end{spdl} \subsubsection{Variables} \index{variable} \index{var} Agents can use variables to store received terms. For example, to receive a nonce into a variable with name \spd{Na}, we specify: \begin{spdl} role Y(...) { var Na: Nonce; recv_1(X,Y,Na); } \end{spdl} Local declarations, for both freshly generated values as well as variables such as \spd{Na}, are local to the role. Thus, one can specify a \emph{freshly generated nonce} \spd{Na} in one role and a variable \spd{Na} in another role without any conflicts. Variables are rigid: after the first receive event in which they occur has been executed, they are assigned a value. This value cannot be changed afterwards. Variables must occur first in receive events: it is not allowed to use uninitialized variables in send events. \subsection{Pairing} \index{pairing} \index{tupling} Any two terms can combined into a term pair: we write \spd{(x,y)} for the pair of terms \spd{x} and \spd{y}. It is also allowed to write n-tuples as \spd{(x,y,z)}, which is interpreted by Scyther as \spd{((x,y),z)}. \subsection{Symmetric keys} \index{symmetric keys} Any term can act as a key for symmetrical encryption. The encryption of \spd{ni} with a term \spd{kir} is written as: \begin{spdl} { ni }kir \end{spdl} Unless \spd{kir} is explicitly defined as being part of an asymmetric key pair (explained below), this is interpreted as symmetric encryption. \index{k(X,Y)@\spd{k(X,Y)}} A symmetric-key infrastructure is predefined: \spd{k(X,Y)} denotes the long-term symmetric key shared between $X$ and $Y$. \subsection{Asymmetric keys} \index{asymmetric keys} \index{sk(X)@\spd{sk(X)}} \index{pk(X)@\spd{pk(X)}} A public-key infrastructure (PKI) is predefined: \spd{sk(X)} denotes the long-term private key of $X$, and \spd{pk(X)} denotes the corresponding public key. \begin{example} As an example, consider the following term. It represents the encryption of some term \spd{ni} by the term \spd{pk(I)}. Under normal conventions, this means that the nonce of the initiator (\spd{ni}) is encrypted with the public key of the initiator. \begin{spdl} { ni }pk(I) \end{spdl} This term can only be decrypted by an agent who knows the secret key \spd{sk(I)}. \end{example} Section~\ref{adv:asymmetric} describes how to model more than one key pair per agent. \subsection{Hash functions} \index{hash functions} \index{hashfunction@\spd{hashfunction}} Hash functions are essentially encryptions with a function, of which the inverse is not known by anybody. They can be used by a global declaration of an identifier to be a hashfunction, \eg: \begin{spdl} hashfunction H1; \end{spdl} As all agents and protocols should have access to such a function, the declaration of hashfunction is usually global, \ie, defined outside of any protocol definition. \begin{example} Once declared, they can be used in protocol messages, \eg: \begin{spdl} H1(ni) \end{spdl} \end{example} \subsection{Predefined types} \begin{description} \item [\spd{Agent }] \spdindex{Agent} Type used for agents. \item [\spd{Function }] \spdindex{Function} A special type that defines a function term that can take a list of terms as parameter. By default, it behaves like a hash function: given the term \spd{h(x)} where \spd{h} is of type \spd{Function}, it is impossible to derive \spd{x}. \item [\spd{Nonce }] \spdindex{Nonce} A standard type that is often used and therefore defined inside the tool. \item [\spd{Ticket }] \spdindex{Ticket} A variable of type \spd{Ticket} can be substituted by any term. \end{description} \subsection{Usertypes} \spdindex{usertype} It is possible to define a new type. This can be done using the \spd{usertype} command: \begin{spdl} usertype MyAtomicMessage; protocol X(I,R) { role I { var y: MyAtomicMessage; recv_1(I,R, y ); \end{spdl} The effect of such a declaration is that variables of the new type can only be instantiated with messages \spd{m} of that type, \ie, that have been declared by the global declaration \spd{const m: MyAtomicMessage} or the freshly generated \spd{fresh m: MyAtomicMessage} within a role. In general, the tool can perform better if more is known about which messages might unify or not. By defining a usertype, the modeler can inform the tool that a variable can only be instantiated with terms of that type, and not with, \eg, terms of type Nonce. Conceptually, one can always write \spd{Ticket} (which corresponds to all possible messages) for each variable type, but then one may find false attacks (in case the implementation in fact does check the type of a message) and the tool will be less likely to verify the property (for an unbounded number of runs). \remark{CC}{Generic (local) declarations? Where is 'fresh' explained?} \remark{CC}{TODO: reverse order: first protocol context, then roles, then events. That way we can actually show what events can do.} %............................................................................ \section{Events} \index{events} \subsection{Receive and send events} \spdindex{send} \index{event!send} \index{event!recv} \spdindex{send} \spdindex{recv} The \spd{recv} and \spd{send} events mark receiving and sending a message, respectively. For example, we write: \begin{spdl} role MyRole(...) { recv_Label1(OtherRole, MyRole, m1); send_Label2(MyRole, OtherRole, m2); } \end{spdl} to specify that role \spd{MyRole} first receives message \spd{m1} from \spd{OtherRole} and then sends message \spd{m2} to \spd{OtherRole}. The receive event is labeled with label \spd{Label1} and the send event is labeled with \spd{Label2}. Usually each \spd{send} event will have a corresponding \spd{recv} event. We specify this correspondence by giving corresponding events the same label. \begin{spdl} role MyRole(...) { send_Label3(MyRole, OtherRole, m2); } role OtherRole(...) { recv_Label3(MyRole, OtherRole, m2); } \end{spdl} \subsubsection*{Bang prefix for labels} For some protocols we may want to model sending or receiving to the adversary directly, in which case we have no corresponding event. If a \spd{send} or \spd{recv} event has no corresponding event, Scyther will output a warning. To surpress this warning, the label can be prefixed by a bang \spd{!}, \eg: \index{20@{\tt "!}} \begin{spdl} send_!1(I,I, LeakToAdversary ); \end{spdl} \subsection{Claim events and Security properties} \index{event!claim} \index{claim event} \index{security properties} \spdindex{claim} Claim events are used in role specifications to model intended security properties. For example, the following claim event models that \spd{Ni} is meant to be secret. \begin{spdl} claim(I, Secret, Ni); \end{spdl} There are several predefined claim types. \begin{description} \item[\spd{Secret }] \spdindex{Secret} This claim requires a parameter term. Secrecy of this term is claimed as defined in~\cite{opsembook}. \item[\spd{SKR }] \spdindex{SKR} The verification condition for this claim is equivalent to the \spd{Secret} claim. The purpose of this claim is to additionally mark the parameter term as a session-key. The consequence is that using the \emph{session-key reveal} adversary rule will now reveal the parameter term. If the \emph{session-key reveal} rule is not enabled, this claim is identical to the \spd{Secret} claim. \item[\spd{Alive }] \spdindex{Alive} Aliveness (of all roles) as defined in~\cite{lowe97hierarchy}. \item[\spd{Weakagree }] \spdindex{Weakagree} Weak agreement (of all roles) as defined in~\cite{lowe97hierarchy}. \item[\spd{Commit}, \spd{Running } ] \spdindex{Commit} \spdindex{Running} \index{agreement on data} \index{data agreement} \index{non-injective agreement} Non-injective agreement with a role on a set of data items~\cite{lowe97hierarchy} can be defined by inserting the appropriate signal claims. In this context, \spd{Commit} marks the effective claim, whose correctness requires the existence of a corresponding \spd{Running} signal in the trace. These claims are used to model agreement over data, which is explained in Section~\ref{sec:agreement}. \item[\spd{Nisynch }] \spdindex{Nisynch} \index{synchronisaton} \index{non-injective synchronisation} Non-injective synchronisation as defined in~\cite{opsembook}. \item[\spd{Niagree }] \spdindex{Niagree} \index{agreement (on messages)} \index{message agreement} \index{non-injective agreement} Non-injective agreement on messages as defined in~\cite{opsembook}. \item[\spd{Reachable }] \spdindex{Reachable} When this claim is verified, Scyther will check whether this claim can be reached at all. It is true iff there exists a trace in which this claim occurs. This can be useful to check if there is no obvious error in the protocol specification, and is in fact inserted when the \scr{--check} mode of Scyther is used. \item[\spd{Empty }] \spdindex{Empty} This claim will not be verified, but simply ignored. It is only useful when Scyther is used as a back-end for other verification means. For more on this, see Section~\ref{sec:advanced}. \end{description} \subsection{Internal computation/pattern match events} \index{internal computation events} \index{pattern match events} We extend the basic set of events from~\cite{opsembook} with two events that can be used to model internal computations. \subsubsection[Match event]{Match event\supported{v1.1 and Compromise-0.8}} \index{match event} \index{event!match} The first new event is the \spd{match} event, that is used to specify pattern matching, \ie, \begin{spdl} match(pt,m) \end{spdl} In operational terms, if there exists a well-typed substitution $\sigma$ such that $\sigma pt = m$, then this event can be executed. Upon execution, the substitution is applied to the remaining events of the role. This event can be used to model various constructions, such as equality tests, delayed decryption, checking commitments. They can also be used to model internal computations to simplify specifications, \eg: \begin{spdl} var X: Nonce; var Y; recv(R,I, X); match(Y, hash(X,I,R) ); send(I,R, Y,{ Y }sk(I) ); \end{spdl} In the above example, we could have replaced \spd{Y} by \spd{hash(X,I,R)} throughout the specification, but this version avoid replication. \subsubsection[Not match event]{Not match event\supported{v1.1 and Compromise-0.8}} \index{not match event} \index{event!not match} The second new event is the \spd{not match} event, that is used to specify pattern matching, \ie, \begin{spdl} not match(pt,m) \end{spdl} The operational interpretation is the opposite of the previous event. If there is no substitution $\sigma$ such that $\sigma pt = m$, then the event can be executed. This event can be used to model, \eg, inequality constraints. For example, the execution model allows by default agents executing sessions with themselves. In some cases, we want to exclude such behaviour, because the protocol disallows it. For example, \begin{spdl} role A { not match(A,B); send (A,B, m1); } \end{spdl} models a role whose instances only send messages to other agents. As a more advanced usage, \spd{match} and \spd{not match} can be used together in two roles with a common starting sequence of events to model \emph{if ... then ... else} constructions. % LATER (advanced topics) % We will return to this issue in Section~\ref{} %............................................................................ \section{Role definitions} \index{role definition} Role definitions are sequences of events, \ie, declarations, send, receive, or claim events. \begin{spdl} role Server { var x,y,z: Nonce; fresh n,m: Nonce; send_1(Server,Init, m,n ); recv_2(Init,Server, x,y, { z }pk(Server) ); } \end{spdl} %............................................................................ \section{Protocol definitions} \index{protocol definition} A protocol definition takes as a parameter a sequence of roles, which are then defined within its body. \begin{spdl} protocol MyProt(Init,Resp,Server) { role Init { ... } role Resp { ... } role Server { ... } } \end{spdl} \subsection*{Helper protocols} \index{helper protocol|textbf} \index{19@"@} It is possible to prepend an ``@'' symbol before a protocol name. This has no effect on the protocol model, nor on the outcome of the analysis. The ``@'' is only used when rendering output graphs: the intent is to mark the protocol as a ``helper protocol''. Such protocols are often used to model additional adversary capabilities, see Section~\ref{sec:advanced} for examples. When rendering output graphs, Scyther collapses role instances of helper protocols into single nodes. This can make the graphs more readable. \subsection*{Symmetric-role protocols} \index{symmetric-role protocol|textbf} Some adversary-compromise rules, such as $\mathit{SKR}$ and $\mathit{LKR}_\mathit{aftercorrect}$ depend on a partnering function. For protocols that are entirely symmetric in their roles and key computations (such as HMQV), this is not the appropriate partnering function. To use the correct partnering function, the protocol needs to be annotated as a \emph{symmetric-role} protocol. This instructs Scyther to use the appropriate partnering function. \begin{spdl} symmetric-role protocol MyProt(Init,Resp) { role Init { ... } role Resp { ... } } \end{spdl} %............................................................................ \section{Global declarations} \index{global declarations} In many applications global constants are used. These include, for example, string constants, labels, or protocol identifiers. \spdindex{const} They are modeled and used in the following way: \begin{spdl} usertype String; const HelloWorld: String; protocol hello(I,R) { role I { send_1(I,R, HelloWorld); } role R { recv_1(I,R, HelloWorld); } } \end{spdl} %............................................................................ \section{Miscellaneous} \subsection[Macro]{Macro\supported{v1.1 and Compromise-0.8}} \spdindex{macro} \index{abbreviate} \index{define macro} It is possible to define \emph{macros}, \ie, abbreviations for particular term. The syntax used to define these abbreviations is the following: \begin{spdl} macro MyShortCut = LargeTerm; \end{spdl} For example, for a protocol that contains complex messages or repeating elements, macros can be used to simplify the protocol specification: \begin{spdl} hashfunction h; protocol macro-example-one(I,R) { role I { fresh nI: Nonce; macro m1 = h(I,ni); send_1(I,R, { m1 }pk(R) ); claim(I, Secret, m1); } role R { var X: Ticket; recv_1(I,R, { X }pk(R) ); } } \end{spdl} Note that macros have \emph{global scope}, and are handled at the \emph{syntactical} level. This also allows for global abbreviations of protocol messages, \eg: \begin{spdl} hashfunction h; macro m1 = { I,R, nI, h(nI,R) }pk(R); protocol macro-example-two(I,R) { role I { fresh nI: Nonce; send_1(I,R, m1 ); } role R { var nI: Nonce; recv_1(I,R, m1 ); } } \end{spdl} Note that in the above example, \spd{nI} is a freshly generated nonce in the I role, and a variable in the R role. Because the macro definitions are unfolded syntactically, the same macro can be used to refer to both terms. \subsection{Include} It is possible to import other files in a protocol specification: \spdindex{include} \index{import file} \index{input file} \begin{spdl} include "filename"; \end{spdl} where {\em filename} denotes the name of the file that will be included at this point. Using this command, it is possible to share, \eg, a set of common definitions between files. Typically this will include definitions for the key structures, and (untrusted) agent names. Nested use of this command is possible. \subsection[one-role-per-agent]{one-role-per-agent\supported{v1.1 and Compromise-0.8}} \spdindex{one-role-per-agent} \index{one role per agent} \index{multiple roles per agent} The operational semantics allow agents to perform any roles, and even multiple different roles in parallel. This modeling choice corresponds to the worst possible scenario, in which the adversary has the most options to exploit. However, in many concrete settings, agents perform only one role. For example, the set of servers may be disjoint from the set of clients, or the set of RFID tags may be disjoint from the set of readers. In such cases, we do not need to consider attacks that exploit that an agent can perform multiple roles. This can be modeled by the following statement: \begin{spdl} option "--one-role-per-agent"; // disallow agents in multiple roles \end{spdl} This causes Scyther to ignore attacks in which agents perform multiple roles. Phrased differently, this corresponds to the situation in which each role is performed by a dedicated set of agents. %............................................................................ \section{Language BNF} \index{BNF} The full BNF grammar for the input language is given below. In the strict language definition, there are no claim terms such as \spd{Niagree} and \spd{Nisynch}, and neither are there any predefined type classes such as \spd{Agent}. Instead, they are predefined constant terms in the Scyther tool itself. \subsection{Input file} An input file is simply a list of spdl constructions, which are global declarations or protocol descriptions. \begin{grammar} ::= \{ ';' \} ::= \alt % Only needed for modelchecker %\alt `run' `(' `)' `;' \end{grammar} \subsection{Protocols} A protocol is simply a container for a set of roles. Because we use a role-based approach to describing roles, the protocol container in fact only affects the naming of the roles: a role ``I'' in a protocol ``ns3'' will internally be assigned the name ``ns3.I''. This is used to make role names globally unique. \begin{grammar} ::= `protocol' `(' `)' `{' `}' [ `;' ] \end{grammar} \subsection{Roles} \begin{grammar} ::= [ ] \alt [ ] ::= [ `singular' ] `role' `{' `}' [ `;' ] ::= [ ] \alt [ ] \end{grammar} \subsection{Events} \begin{grammar} ::= `recv'