theory UM_eCK
begin

builtins: hashing, diffie-hellman

section{* The Unified Model (UM) Key-Exchange Protocol *}

/*
 * Protocol:	Unified Model (UM)
 * Modeler: 	Cas Cremers
 * Date: 	January 2012
 * Source:	"Authenticated Diffie-Hellman Key Agreement Protocols"
 * 		Simon Blake-Wilson and Alfred Menezes
 * 		LNCS 1556, 1999
 *
 * Status: 	working
 */

/* Protocol rules */

rule generate_ltk:
   [ Fr(~lk) ] -->
   [ !Ltk( $A, ~lk ), !Pk( $A, 'g'^~lk ), Out( 'g'^~lk ) ]

rule Init_1:
   [ Fr( ~ekI ), !Ltk( $I, ~lkI ) ]
   --[ SidI_1(~ekI,$I,$R, 'g'^~ekI ) ]->
   [ Init_1( ~ekI, $I, $R, ~lkI, 'g'^~ekI ),
     !Ephk(~ekI),
     Out( 'g'^~ekI ) ]

rule Init_2:
   [ Init_1( ~ekI, $I, $R, ~lkI , hkI), In( Y ), !Pk( $R,'g'^~lkR ) ]
   --[SidI_2( ~ekI, $I, $R, hkI, Y,
       h( <Y^~ekI, ('g'^~lkR)^~lkI > ) ) ]->
   [ !Sessk( ~ekI, 
       h( <Y^~ekI, ('g'^~lkR)^~lkI > ) ) ]


rule Resp_1:
   [ In( X ), Fr( ~ekR ), !Ltk($R, ~lkR), !Pk($I, 'g'^~lkI) ]
   --[ SidR_1( ~ekR, $I, $R, X, 'g'^~ekR ,
       h( <X^~ekR, ('g'^~lkI)^~lkR > ) ) ]->
   [ Out( 'g'^~ekR ),
     !Ephk(~ekR),
     !Sessk( ~ekR, 
       h( <X^~ekR, ('g'^~lkI)^~lkR > ) ) ]

rule Sessk_reveal: 
   [ !Sessk(~tid, k) ]
   --[ SesskRev(~tid) ]->
   [ Out(k) ]

rule Ephk_reveal:
   [ !Ephk(~ekI) ]
   --[ EphkRev(~ekI) ]->
   [ Out(~ekI) ]

rule Ltk_reveal:
   [ !Ltk($A, k) ]
   --[ LtkRev($A) ]->
   [ Out(k) ]


/* Security properties */

/*
lemma key_agreement_reachable:
  "not (Ex #i1 #i2 ekI ekR I R k hkI hkR.
          SidI_2(ekI, I, R, hkI, hkR, k) @ i1 & SidR_1(ekR, I, R, hkI, hkR, k) @ i2)"
*/

/* An attack is valid in eCK if the session key of the test session is deduced and
   the test session is clean.
*/
lemma eCK_initiator_key:
  "not (Ex #i1 #i2 ttest I R k hkI hkR.
            SidI_2(ttest, I, R, hkI, hkR, k) @ i1 & K( k ) @ i2

            /* Not longterm-key-reveal _and_ ephemeral-key-reveal of actor . */
            & (All #i3 #i4. LtkRev( I ) @ i3 & EphkRev( ttest ) @ i4 ==> F)

            /* Not session-key-reveal of test thread. */
            & (All #i3. SesskRev( ttest ) @ i3 ==> F)

            /* Not session-key-reveal of partner thread. */
            & (All #i3 #i4 tpartner kpartner.
                   SidR_1( tpartner,I,R,hkI,hkR,kpartner ) @i3
		   & SesskRev( tpartner ) @ i4 ==> F)

            /* If there is a partner thread, then not long-term-key-reveal and ephemeral-key-reveal */
            & (All #i4 #i5 #i6 tpartner kpartner.
                  SidR_1( tpartner,I,R,hkI,hkR,kpartner ) @i4
		  & LtkRev( R ) @ i5
		  & EphkRev( tpartner ) @ i6 ==> F)

	    /* If there is no partner thread, then there is no longterm-key-reveal for
	       the intended partner.
	       (We model eCK-wpfs, for eCK-pfs, add i1 < i3 to conclusion) */
            & (All #i3. LtkRev( R ) @ i3 ==>
	          (Ex #i4 tpartner kpartner.
                      /* (i1 < i3) | */
                      SidR_1( tpartner,I,R,hkI,hkR,kpartner ) @i4)))"

/* An attack is valid in eCK if the session key of the test session is deduced and
   the test session is clean.
*/
lemma eCK_responder_key:
  "not (Ex #i1 #i2 ttest I R k hkI hkR.
            SidR_1(ttest, I, R, hkI, hkR, k) @ i1 & K( k ) @ i2

            /* Not longterm-key-reveal _and_ ephemeral-key-reveal of actor . */
            & (All #i3 #i4. LtkRev( R ) @ i3 & EphkRev( ttest ) @ i4 ==> F)

            /* Not session-key-reveal of test thread. */
            & (All #i3. SesskRev( ttest ) @ i3 ==> F)

            /* Not session-key-reveal of partner thread. Note that we use SidI_2 here.
	       A session key reveal can only happen after SidI_2 is logged anyways.
	    */
            & (All #i3 #i4 tpartner kpartner.
                   SidI_2( tpartner,I,R,hkI,hkR,kpartner ) @i3
		   & SesskRev( tpartner ) @ i4 ==> F)

            /* If there is a partner thread, then not long-term-key-reveal and ephemeral-key-reveal. */
            & (All #i4 #i5 #i6 tpartner.
                  SidI_1( tpartner,I,R,hkI ) @i4
		  & LtkRev( I ) @ i5
		  & EphkRev( tpartner ) @ i6 ==> F)

	    /* If there is no partner thread, then there is no longterm-key-reveal for
	       the intended partner.
	       (We model eCK-wpfs, for eCK-pfs, add i1 < i3 to conclusion)
	       */
            & (All #i3. LtkRev( I ) @ i3 ==>
	          (Ex #i4 tpartner.
                       /* (i1 < i3) | */
                       SidI_1( tpartner,I,R,hkI ) @i4)))"

end