# BAN modified Andrew Secure RPC # # Modelled after the description in the SPORE library # http://www.lsv.ens-cachan.fr/spore/andrewBAN.html # # Note: # The shared key between I and R is modelled as k(I,R) currently # there is no way to express that this key is equal to k(R,I) # So it is possile that certain attacks that use this property are not found # # Note: # According to SPORE there are no known attacks on this protocol # usertype SessionKey; const Fresh: Function; const Compromised: Function; protocol andrew-Ban(I,R) { role I { fresh ni: Nonce; var nr,nr2: Nonce; var kir: SessionKey; send_1(I,R, I,{ni}k(I,R) ); recv_2(R,I, {ni,nr}k(I,R) ); send_3(I,R, {nr}k(I,R) ); recv_4(R,I, {kir,nr2,ni}k(I,R) ); claim_I1(I,Nisynch); claim_I2(I,Niagree); claim_I3(I,Secret, kir); claim_I5(I,Empty, (Fresh,kir)); } role R { var ni: Nonce; fresh nr,nr2: Nonce; fresh kir: SessionKey; recv_1(I,R, I,{ni}k(I,R) ); send_2(R,I, {ni,nr}k(I,R) ); recv_3(I,R, {nr}k(I,R) ); send_4(R,I, {kir,nr2,ni}k(I,R) ); claim_R1(R,Nisynch); claim_R2(R,Niagree); claim_R3(R,Secret, kir); claim_R5(R,Empty, (Fresh,kir)); } }