theory KEA_plus_eCK begin builtins: hashing, diffie-hellman section{* KEA+ *} /* * Protocol: KEA+ * Modeler: Cas Cremers * Date: January 2012 * Source: "Security Analysis of KEA Authenticated Key Exchange Protocol" * Lauter, Mityagin, 2006 * Property: eCK security * * Status: working */ /* Protocol rules */ rule generate_ltk: [ Fr(~lk) ] --[ RegKey($A) ]-> [ !Ltk( $A, ~lk ), !Pk( $A, 'g'^~lk ), Out( 'g'^~lk ) ] rule Init_1: [ Fr( ~ekI ), !Ltk( $I, ~lkI ) ] --[ SidI_1(~ekI,$I,$R, 'g'^~ekI ) ]-> [ Init_1( ~ekI, $I, $R, ~lkI, 'g'^~ekI ), !Ephk(~ekI), Out( 'g'^~ekI ) ] rule Init_2: [ Init_1( ~ekI, $I, $R, ~lkI , hkI), In( Y ), !Pk( $R,'g'^~lkR ) ] --[SidI_2( ~ekI, $I, $R, hkI, Y, h( ) ) ]-> [ !Sessk( ~ekI, h( ) ) ] rule Resp_1: [ In( X ), Fr( ~ekR ), !Ltk($R, ~lkR), !Pk($I, 'g'^~lkI) ] --[ SidR_1( ~ekR, $I, $R, X, 'g'^~ekR , h( <('g'^~lkI)^~ekR, X^~lkR, $I, $R > ) ) ]-> [ Out( 'g'^~ekR ), !Ephk(~ekR), !Sessk( ~ekR, h( <('g'^~lkI)^~ekR, X^~lkR, $I, $R > ) ) ] /* Key Reveals for the eCK model */ rule Sessk_reveal: [ !Sessk(~tid, k) ] --[ SesskRev(~tid) ]-> [ Out(k) ] rule Ltk_reveal: [ !Ltk($A, lkA) ] --[ LtkRev($A) ]-> [ Out(lkA) ] rule Ephk_reveal: [ !Ephk(~ekA) ] --[ EphkRev(~ekA) ]-> [ Out(~ekA) ] /* Security properties */ /* lemma key_agreement_reachable: "not (Ex #i1 #i2 ekI ekR I R k hkI hkR. SidI_2(ekI, I, R, hkI, hkR, k) @ i1 & SidR_1(ekR, I, R, hkI, hkR, k) @ i2)" */ /* An attack is valid in eCK if the session key of the test session is deduced and the test session is clean. */ lemma eCK_initiator_key: " /* If every agent registered at most one public key */ (All A #i #j. RegKey(A)@i & RegKey(A)@j ==> (#i = #j)) ==> /* then there is not attack */ (not(Ex #i1 #i2 ekI I R k hkI hkR. SidI_2(ekI, I, R, hkI, hkR, k) @ i1 & K( k ) @ i2 /* Not both longterm-key-reveal _and_ ephemeral-key-reveal * for test thread. */ & not(Ex #i3 #i4. LtkRev( I ) @ i3 & EphkRev( ekI ) @ i4) /* No session-key-reveal of test thread. */ & not(Ex #i3. SesskRev( ekI ) @ i3 ) /* No session-key-reveal for matching session. */ & not(Ex #i3 #i4 ekR kpartner. SidR_1( ekR,I,R,hkI,hkR,kpartner ) @i3 & SesskRev( ekR ) @ i4 ) /* Not both long-term-key-reveal and ephemeral-key-reveal * for matching session */ & not(Ex #i3 #i4 #i5 ekR kpartner. SidR_1( ekR,I,R,hkI,hkR,kpartner ) @i3 & LtkRev( R ) @ i4 & EphkRev( ekR ) @ i5 ) /* Longterm-key-reveal of partner only if there is a * matching session. */ /* (We model eCK-wpfs, for eCK-pfs, add i1 < i3 to conclusion) */ & (All #i3. LtkRev( R ) @ i3 ==> /* (i1 < i3) | */ (Ex #i4 ekR kpartner. SidR_1( ekR,I,R,hkI,hkR,kpartner ) @i4)) ) )" /* An attack is valid in eCK if the session key of the test session is deduced and the test session is clean. */ lemma eCK_responder_key: " /* If every agent registered at most one public key */ (All A #i #j. RegKey(A)@i & RegKey(A)@j ==> (#i = #j)) ==> /* then there is not attack */ (not (Ex #i1 #i2 ekR I R k hkI hkR. SidR_1(ekR, I, R, hkI, hkR, k) @ i1 & K( k ) @ i2 /* Not longterm-key-reveal _and_ ephemeral-key-reveal of actor . */ & not(Ex #i3 #i4. LtkRev( R ) @ i3 & EphkRev( ekR ) @ i4) /* Not session-key-reveal of test thread. */ & not(Ex #i3. SesskRev( ekR ) @ i3 ) /* Not session-key-reveal of partner thread. Note that we use SidI_2 here. A session key reveal can only happen after SidI_2 is logged anyways. */ & not(Ex #i3 #i4 ekI kpartner. SidI_2( ekI,I,R,hkI,hkR,kpartner ) @i3 & SesskRev( ekI ) @ i4 ) /* If there is a partner thread, then not long-term-key-reveal and ephemeral-key-reveal. */ & not(Ex #i3 #i4 #i5 ekI. SidI_1( ekI,I,R,hkI ) @i3 & LtkRev( I ) @ i4 & EphkRev( ekI ) @ i5 ) /* If there is no partner thread, then there is no longterm-key-reveal for the intended partner. (We model eCK-wpfs, for eCK-pfs, add i1 < i3 to conclusion) */ & (All #i3. LtkRev( I ) @ i3 ==> /* (i1 < i3) | */ (Ex #i4 ekI. SidI_1( ekI,I,R,hkI ) @i4) ) ) )" end