From ba47af0c42651e70e0df3e2a1f85c59aba85f797 Mon Sep 17 00:00:00 2001
From: gijs <gijs@4f7d145f-a0d4-0310-ae10-d96cc04433c1>
Date: Tue, 14 Jun 2005 13:51:51 +0000
Subject: [PATCH] - Test out a possible way to model key compromise:   Add a
 role that sends out all messages that would occur in a legit   run of the
 protocol including the session key (simulating a previously   recorded run
 with its compromised session key)

- Adding a directory to play around with key compromise
---
 .../key-compromise/needham-schroeder-sk.spdl  | 94 +++++++++++++++++++
 1 file changed, 94 insertions(+)
 create mode 100644 spdl/SPORE/key-compromise/needham-schroeder-sk.spdl

diff --git a/spdl/SPORE/key-compromise/needham-schroeder-sk.spdl b/spdl/SPORE/key-compromise/needham-schroeder-sk.spdl
new file mode 100644
index 0000000..81a6974
--- /dev/null
+++ b/spdl/SPORE/key-compromise/needham-schroeder-sk.spdl
@@ -0,0 +1,94 @@
+# Needham Schroeder Symmetric Key
+#
+# Modelled after the description in the SPORE library
+# http://www.lsv.ens-cachan.fr/spore/nssk.html
+#
+#
+# Note:
+# This protocol uses a ticket so scyther will only be able to verify
+# the protocol using the ARACHNE engine (-a)
+#
+
+
+secret k: Function;
+# Model dec that is invertible by inc
+const dec,inc: Function;
+inversekeys(dec,inc);
+usertype SessionKey;
+
+protocol needhamschroederSessionKeyCompromise(I,R,S)
+{
+    // Disclose an entire session and the corresponding session key
+    // to simulate key compromise
+    role I {
+        const Ni,Nr: Nonce;
+        const Kir: SessionKey;
+
+        send_D1(I,I,    (I,R,Ni),
+                        {Ni,R,Kir,{Kir,I}k(R,S)}k(I,S),
+                        {Kir,I}k(R,S),
+                        {Nr}Kir,
+                        {{Nr}dec}Kir,
+                        Kir
+               );
+    }
+
+    role R {
+    }
+
+    role S {
+    }
+}
+protocol needhamschroedersk(I,R,S)
+{
+    role I
+    {
+        const Ni: Nonce;
+        var Nr: Nonce;
+        var Kir: SessionKey;
+        var T: Ticket;
+        
+        send_1(I,S,(I,R,Ni));
+        read_2(S,I, {Ni,R,Kir,T}k(I,S));
+        send_3(I,R,T);
+        read_4(R,I,{Nr}Kir);
+        send_5(I,R,{{Nr}dec}Kir);
+        claim_I2(I,Secret,Kir);
+        claim_I3(I,Nisynch);
+    }    
+    
+    role R
+    {
+        const Nr: Nonce;
+        var Kir: SessionKey;
+        
+        read_3(I,R,{Kir,I}k(R,S));
+        send_4(R,I,{Nr}Kir);
+        read_5(I,R,{{Nr}dec}Kir);
+        claim_R1(R,Secret,Kir);
+        claim_R3(R,Nisynch);
+    }
+
+    role S
+    {
+        var Ni: Nonce;
+        const Kir: SessionKey;
+        read_1(I,S,(I,R,Ni));
+        send_2(S,I,{Ni,R,Kir,{Kir,I}k(R,S)}k(I,S));
+    }
+}
+
+const Alice,Bob,Simon,Eve: Agent;
+
+untrusted Eve;
+const ne: Nonce;
+compromised k(Eve,Simon);
+
+# General scenario, 2 parallel runs of the protocol
+ 
+run needhamschroedersk.I(Agent,Agent,Simon);
+run needhamschroedersk.R(Agent,Agent,Simon);
+run needhamschroedersk.S(Agent,Agent,Simon);
+run needhamschroedersk.I(Agent,Agent,Simon);
+run needhamschroedersk.R(Agent,Agent,Simon);
+run needhamschroedersk.S(Agent,Agent,Simon);