scyther/spdl/SPORE/ccitt509-3.spdl
gijs 0f54f2ed23 - Update modeling of needham schroeder to better reflect the modelling in
SPORE:
    - pk is not known to all agents, only pk(Simon) is known
- Use new naming convention:
    - Protocol name starting with an @ means internal protocol
    - For non internal protocols naming is as follows:
      protocolname-variant^subprotocol
    For example: yahalom-Lowe^KeyCompromise meaning the key compromise sub
    protocol of the Lowe variant of the Yahalom protocol.
2005-08-15 13:31:48 +00:00

63 lines
1.5 KiB
Plaintext

# CCITT X.509 (3)
#
# Modelled after the description in the SPORE library
# http://www.lsv.ens-cachan.fr/spore/ccittx509_3.html
#
# Note:
# The protocol description also states that Xa and Ya should be fresh
# this can not be verified using scyther
#
const pk: Function;
secret sk: Function;
inversekeys(pk,sk);
usertype Timestamp;
protocol ccitt509-3(I,R)
{
role I
{
const Ta: Timestamp;
var Tb: Timestamp;
const Na,Xa,Ya: Nonce;
var Xb,Nb,Yb: Nonce;
send_1(I,R, I,{Ta, Na, R, Xa,{Ya}pk(R)}sk(I));
read_2(R,I, R,{Tb, Nb, I, Na, Xb,{Yb}pk(I)}sk(R));
send_3(I,R, I, {Nb}sk(I));
claim_4(I,Nisynch);
}
role R
{
var Ta: Timestamp;
const Tb: Timestamp;
var Na,Xa,Ya: Nonce;
const Xb,Yb,Nb: Nonce;
read_1(I,R, I,{Ta, Na, R, Xa,{Ya}pk(R)}sk(I));
send_2(R,I, R,{Tb, Nb, I, Na, Xb,{Yb}pk(I)}sk(R));
read_3(I,R, I, {Nb}sk(I));
claim_5(R,Nisynch);
# There should also be Fresh Xa and Fresh Ya claims here
}
}
const Alice,Bob,Eve: Agent;
untrusted Eve;
const ne: Nonce;
const te: Timestamp;
compromised sk(Eve);
# This scenario should find the attack described in SPORE
# run ccitt5093.I(Alice,Bob);
# run ccitt5093.I(Alice,Eve);
# run ccitt5093.R(Alice,Bob);
# General scenario, 2 parallel runs of the protocol
run ccitt509-3.I(Agent,Agent);
run ccitt509-3.R(Agent,Agent);
run ccitt509-3.I(Agent,Agent);
run ccitt509-3.R(Agent,Agent);