theory JKL_TS1_2004_KI
begin

builtins: hashing, diffie-hellman

section{* Jeong, Katz, Lee : TS1 (2004) *}

/*
 * Protocol:	JKL-TS1-2004
 * Modeler: 	Cas Cremers
 * Date: 	January 2012
 * Source:	"One-Round Protocols for Two-Party Authenticated Key Exchange"
 * 		Jeong, Katz, Lee, 2004.
 *
 * Status: 	working
 */

/* Protocol rules */

rule generate_ltk:
  let pkA = 'g'^~lkA
  in
   [ Fr(~lkA) ] -->
   [ !Ltk( $A, ~lkA ), !Pk( $A, pkA ), Out( pkA ) ]

rule Init_1:
   [ Fr( ~ekI ), !Ltk( $I, ~lkI ) ]
   --[ SidI_1(~ekI,$I,$R, ~ekI )
     , NotEq($I,$R) 			// Inequality of names required, enforced in the property
     ]->
   [ Init_1( ~ekI, $I, $R, ~lkI, ~ekI ),
     !Ephk(~ekI),
     Out( ~ekI ) ]

rule Init_2:
  let pkR = 'g'^~lkR
      key = h( < ~ekI, Y, pkR^~lkI > )
  in
   [ Init_1( ~ekI, $I, $R, ~lkI , ~ekI), In( Y ), !Pk( $R, pkR ) ]
   --[SidI_2( ~ekI, $I, $R, ~ekI, Y, key) ]->
   [ !Sessk( ~ekI, key ) ]

rule Resp_1:
  let pkI = 'g'^~lkI
      key = h( < X, ~ekR, pkI^~lkR > )
  in
   [ In( X ), Fr( ~ekR ), !Ltk($R, ~lkR), !Pk($I, pkI) ]
   --[ SidR_1( ~ekR, $I, $R, X, ~ekR, key)
     , NotEq($I,$R) 			// Inequality of names required, enforced in the property
     ]->
   [ Out( ~ekR ),
     !Ephk(~ekR),
     !Sessk( ~ekR, key) ]

rule Sessk_reveal: 
   [ !Sessk(~tid, k) ]
   --[ SesskRev(~tid) ]->
   [ Out(k) ]

rule Ephk_reveal:
   [ !Ephk(~ekI) ]
   --[ EphkRev(~ekI) ]->
   [ Out(~ekI) ]

rule Ltk_reveal:
   [ !Ltk($A, k) ]
   --[ LtkRev($A) ]->
   [ Out(k) ]

/* Security properties */

/*
lemma key_agreement_reachable:
  "not (Ex #i1 #i2 ekI ekR I R k hkI hkR.
          SidI_2(ekI, I, R, hkI, hkR, k) @ i1 & SidR_1(ekR, I, R, hkI, hkR, k) @ i2)"
*/

/* An attack is valid in the security model if the session key of the test session is deduced and
   the test session is clean.
*/
lemma JKL2008_1_initiator_key:
  "(not (Ex #i x . NotEq(x,x) @ i ) ) ==>		// Only consider traces in which the inequalities hold
   not (Ex #i1 #i2 ttest I R k hkI hkR.
            SidI_2(ttest, I, R, hkI, hkR, k) @ i1 & K( k ) @ i2

            /* Not ephemeral-key-reveal */
            & (All #i3 t. EphkRev( t ) @ i3 ==> F)

            /* Not longterm-key-reveal */
            & (All #i3 a. LtkRev( a ) @ i3 ==> F)

            /* Not session-key-reveal of test thread. */
            & (All #i3. SesskRev( ttest ) @ i3 ==> F)

            /* Not session-key-reveal of partner thread. */
            & (All #i3 #i4 tpartner kpartner.
                   SidR_1( tpartner,I,R,hkI,hkR,kpartner ) @i3
		   & SesskRev( tpartner ) @ i4 ==> F)
    )"

/* An attack is valid in the security model if the session key of the test session is deduced and
   the test session is clean.
*/
lemma JKL2008_1_responder_key:
  "(not (Ex #i x . NotEq(x,x) @ i ) ) ==>
   not (Ex #i1 #i2 ttest I R k hkI hkR.
            SidR_1(ttest, I, R, hkI, hkR, k) @ i1 & K( k ) @ i2

            /* Not ephemeral-key-reveal */
            & (All #i3 t. EphkRev( t ) @ i3 ==> F)

            /* Not longterm-key-reveal */
            & (All #i3 a. LtkRev( a ) @ i3 ==> F)

            /* Not session-key-reveal of test thread. */
            & (All #i3. SesskRev( ttest ) @ i3 ==> F)

            /* Not session-key-reveal of partner thread. Note that we use SidI_2 here.
	       A session key reveal can only happen after SidI_2 is logged anyways.
	    */
            & (All #i3 #i4 tpartner kpartner.
                   SidI_2( tpartner,I,R,hkI,hkR,kpartner ) @i3
		   & SesskRev( tpartner ) @ i4 ==> F)
    )"

end