(************************************************************* * * * Cryptographic protocol verifier * * * * Bruno Blanchet and Xavier Allamigeon * * * * Copyright (C) INRIA, LIENS, MPII 2000-2006 * * * *************************************************************) (* This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details (in file LICENSE). You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA *) (* Needham Shroeder publi-key protocol Corrected version of Lowe *) pred c/1 elimVar,decompData. nounif c:x. fun pk/1. fun encrypt/2. (* fun sencrypt/2. *) (* reduc sdecrypt(sencrypt(x,y),y) = x. *) query c:secret[]. reduc (* Initialization *) c:c[]; c:pk(sA[]); c:pk(sB[]); c:x & c:encrypt(m,pk(x)) -> c:m; c:x -> c:pk(x); c:x & c:y -> c:encrypt(x,y); (* The protocol *) (* A *) c:pk(x) -> c:encrypt((Na[pk(x)], pk(sA[])), pk(x)); c:pk(x) & c:encrypt((Na[pk(x)], y), pk(sA[])) -> c:encrypt((y,k[pk(x)]), pk(x)); (* B *) c:encrypt((x,y), pk(sB[])) -> c:encrypt((x, Nb[x,y]), y); c:encrypt((x,pk(sA[])), pk(sB[])) & c:encrypt((Nb[x, pk(sA[])], z), pk(sB[])) -> c:encrypt(secret[], pk(z)).