scyther/spdl/bunava-1-3.spdl
ccremers 342d968895 - Better text.
- Added four-party version.
2005-07-01 09:32:53 +00:00

90 lines
1.7 KiB
Plaintext

# Buttyan Nagy Vajda protocol 1 (3-party)
#
# Modelled after the description in the paper
# "Efficient multi-party challenge-response protocols for entity
# authentication"
#
# Attacks:
# Does not satisfy ni-agree, because when Alice in the A role terminates
# it cannot be sure that the agent in role B is aware of having sent a
# reply for Alice.
# A type flaw attack exists in which there are only two agents active.
#
secret k: Function;
protocol intruderhelp(Swap)
{
role Swap
{
var T: Ticket;
var A,B: Agent;
read_1(Swap,Swap, { T }k(A,B) );
send_2(Swap,Swap, { T }k(B,A) );
}
}
protocol bunava13(A,B,C)
{
role A
{
const ra: Nonce;
var rb,rc: Nonce;
send_1(A,B, ra);
read_3(C,A, rc,{C,rb,B,ra}k(A,C) );
send_4(A,B, {A,rc,C,rb}k(A,B) );
claim_A1(A, Niagree);
claim_A2(A, Nisynch);
}
role B
{
const rb: Nonce;
var ra,rc: Nonce;
read_1(A,B, ra);
send_2(B,C, rb,{B,ra}k(B,C) );
read_4(A,B, {A,rc,C,rb}k(A,B) );
send_5(B,C, {B,A,rc}k(B,C) );
claim_B1(B, Niagree);
claim_B2(B, Nisynch);
}
role C
{
const rc: Nonce;
var ra,rb: Nonce;
read_2(B,C, rb,{B,ra}k(B,C) );
send_3(C,A, rc,{C,rb,B,ra}k(A,C) );
read_5(B,C, {B,A,rc}k(B,C) );
claim_C1(C, Niagree);
claim_C2(C, Nisynch);
}
}
const Alice,Bob,Charlie,Eve: Agent;
untrusted Eve;
const ne: Nonce;
compromised k(Alice,Eve);
compromised k(Bob,Eve);
compromised k(Charlie,Eve);
compromised k(Eve,Alice);
compromised k(Eve,Bob);
compromised k(Eve,Charlie);
# General scenario, 2 parallel runs of the protocol
run bunava13.A(Agent,Agent,Agent);
run bunava13.B(Agent,Agent,Agent);
run bunava13.C(Agent,Agent,Agent);
run bunava13.A(Agent,Agent,Agent);
run bunava13.B(Agent,Agent,Agent);
run bunava13.C(Agent,Agent,Agent);