From ilvvli at 263.net Wed Aug 19 06:19:58 2009 From: ilvvli at 263.net (ilvvli) Date: Wed, 19 Aug 2009 18:19:58 +0800 Subject: [Avispa-users] A Problem About SPAN Message-ID: <200908191819544840160@263.net> Dear Friends, I have described a protocol using HLPSL as follows. When I do the protocol simulation in SPAN, why the last message can not be simulated ? And the structure of this protocol is like this. U -----> S S -----> KDC KDC -----> S S -----> U U -----> S ( This message can not be simulated,:-( ) Thanks for your help! Regards, Lv Chao %%%%% some codes of this protocol %%%%% role osnp_U(U, S, KDC : agent, Snd, Rcv : channel (dy), PWu : symmetric_key) played_by U def= .............. transition send_to_s. St = 0 /\ Rcv(start) =|> St':= 1 /\ Nu' := new() /\ OTKu' := Hash(U.Nu'.PWu) /\ AuthRQu' := U.Nu'.{U.Nu'}_OTKu' /\ Snd(AuthRQu') /\ witness(U, KDC, auth_kdc_u_nu, Nu') rcv_from_s. St = 1 /\ Rcv({Nu'.S.Kss'.Ktu'}_OTKu.{S.Nsp'}_Kss'.U.S.Nu'.{U.VTs'.Kss'}_OTKs') =|> St':= 2 /\ RESPs' := {U.Nsp'}_Kss' /\ VTu' := new() /\ Au' := {S.VTu'.Kss'}_Ktu' /\ Snd(U.S.RESPs'.Au') /\ witness(U, S, auth_s_u_nsp, Nsp') end role %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% role osnp_S(U, S, KDC : agent, Snd, Rcv : channel (dy), PWs : symmetric_key) played_by S def= .......... transition rcv_from_u. St = 0 /\ Rcv(U.Nu'.{U.Nu'}_OTKu') =|> St':= 1 /\ AuthRQu' := U.Nu'.{U.Nu'}_OTKu' /\ Ns' := new() /\ OTKs' := Hash(S.Ns'.PWs) /\ AuthRQs' := S.Ns'.{S.Ns'}_OTKs' /\ Snd(AuthRQs'.AuthRQu') /\ witness(S, KDC, auth_kdc_s_ns, Ns') rcv_from_kdc. St = 1 /\ Rcv(U.S.Nu'.{Ns'.U.Kss'}_OTKs'.AuthAKu') =|> St':= 2 /\ Nsp' := new() /\ CHs' := {S.Nsp'}_Kss' /\ VTs' := new() /\ TKTs' := U.S.Nu'.{U.VTs'.Kss'}_OTKs' /\ Snd(AuthAKu'.CHs'.TKTs') rcv_from_u. St = 2 /\ Rcv(U.S.{U.Nsp'}_Kss'.{S.VTu'.Kss'}_Ktu') =|> St':= 3 /\ request(S, U, auth_s_u_nsp, Nsp) end role %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% role osnp_KDC(U, S, KDC : agent, Snd, Rcv : channel (dy), PWu, Pws : symmetric_key) played_by KDC def= ............. transition rcv_from_s. St = 0 /\ Rcv(S.Ns'.{S.Ns'}_OTKs'.U.Nu'.{U.Nu'}_OTKu') =|> St':= 1 /\ Kss' := new() /\ Ktu' := new() /\ AuthAKs' := {Ns'.U.Kss'}_OTKs' /\ AuthAKu' := {Nu'.S.Kss'.Ktu'}_OTKu' /\ Sid' := U.S.Nu' /\ Snd(Sid'.AuthAKs'.AuthAKu') /\ secret(Kss', sec_kdc_u_s_kss, {KDC, U, S}) /\ secret(Ktu', sec_kdc_u_ktu, {KDC, U}) /\ request(KDC, U, auth_kdc_u_nu, Nu') /\ request(KDC, S, auth_kdc_s_ns, Ns') end role 2009-08-19 ilvvli -------------- next part -------------- An HTML attachment was scrubbed... URL: http://mail63.csoft.net/pipermail/avispa-users/attachments/20090819/60c4dad4/attachment-0001.htm From ilvvli at 263.net Thu Aug 20 09:51:14 2009 From: ilvvli at 263.net (ilvvli) Date: Thu, 20 Aug 2009 21:51:14 +0800 Subject: [Avispa-users] A problem about how to model Hash function as a key? Message-ID: <200908202151108280993@263.net> Dear friends: Here is a part of protocol as follows, 1. A -------> B : A, Na, {A, Na}_Kas 2. B -------> S : B, Nb, {B, Nb}_Kbs, A, Na, {A, Na}_Kas Here, Kas = Hash(A, Na, pwa) Kbs = Hash(B, Nb, pwb) pwa is a shared key between A & S pwb is a shared key between B & S The question is how to describe the receive action of S ? Some code may be like this 0. State = 0 /\ Rcv(B.Nb'.{B.Nb'}_Kbs.A.Na'.{A.Na'}_Kas) This code can not pass the execution test of --ofmc -p. I have look through related documents and can't get any idea. (Kbs and Kas just can be computed after S received the message from B) Anyone can give some advice? Thanks for your help, :-) ! Regards, Lv Chao 2009-08-20 ilvvli -------------- next part -------------- An HTML attachment was scrubbed... URL: http://mail63.csoft.net/pipermail/avispa-users/attachments/20090820/f02de24f/attachment.htm From ilvvli at 263.net Fri Aug 21 05:18:02 2009 From: ilvvli at 263.net (=?utf-8?B?aWx2dmxp?=) Date: Fri, 21 Aug 2009 17:18:02 +0800 Subject: [Avispa-users] =?utf-8?q?Fw=3A_Re=3A_Re=3A__A_problem_about_how_t?= =?utf-8?q?o_model_Hash_function_asa_key=3F?= References: <200908202151108280993@263.net>, <200908202329334215333@263.net> Message-ID: <200908211717586562771@263.net> 2009-08-21 ilvvli ???? ilvvli ????? 2009-08-20 23:29:33 ???? Laurent Vigneron ??? ??? Re: Re: [Avispa-users] A problem about how to model Hash function asa key? Dear Laurent, I declare Kas & Kbs as a message type like this: Kas, Kbs : message And this code can not pass the execution test. (The reception action of S) 0. State = 0 /\ Rcv(B.Nb'.{B.Nb'}_Kbs.A.Na'.{A.Na'}_Kas) =|> State' := 1 I also try this kind of type (the type of pwa & pwb is symmetric_key) Kab, Kab : hash(agent.text.symmetric_key) The code above also do not pass the execution test. Execution result shows that only A send message to B and no message has been sent from B to S. Thanks for your help! Best regards, Lv Chao 2009-08-20 ilvvli ???? Laurent Vigneron ????? 2009-08-20 22:04:12 ???? ilvvli ??? ??? Re: [Avispa-users] A problem about how to model Hash function asa key? Dear Ilvvli, How did you declare variables Kas and Kbs? They have to be declared of type message, or if you want to be more precise of type hash(agent.nonce.???) (I do not know the type of the third element). Please note that the hash applies to the concatenation of the three elements (this is not a functino with three arguments). Best regards, Laurent. > Dear friends: > Here is a part of protocol as follows, > > 1. A -------> B : A, Na, {A, Na}_Kas > > 2. B -------> S : B, Nb, {B, Nb}_Kbs, A, Na, {A, Na}_Kas > > Here, > Kas = Hash(A, Na, pwa) > Kbs = Hash(B, Nb, pwb) > pwa is a shared key between A & S > pwb is a shared key between B & S > > The question is how to describe the receive action of S ? > > Some code may be like this > > * * 0. State = 0 /\ Rcv(B.Nb'.{B.Nb'}_Kbs.A.Na'.{A.Na'}_Kas) > > This code can not pass the execution test of /--ofmc -p./ > // > / /I have look through related documents and can't get any idea. > (Kbs and Kas just can be computed after S received the message > from B) > > Anyone can give some advice? Thanks for your help, :-) ! > > Regards, > > Lv Chao > > > > > 2009-08-20 > ------------------------------------------------------------------------ > ilvvli -------------- next part -------------- An HTML attachment was scrubbed... URL: http://mail63.csoft.net/pipermail/avispa-users/attachments/20090821/88286eac/attachment.htm From ilvvli at 263.net Fri Aug 21 08:45:35 2009 From: ilvvli at 263.net (=?utf-8?B?aWx2dmxp?=) Date: Fri, 21 Aug 2009 20:45:35 +0800 Subject: [Avispa-users] =?utf-8?q?A_problem_about_how_to_model_Hashfunctio?= =?utf-8?q?n_as_a_key=3F?= References: <200908202151108280993@263.net>, <200908202329334215333@263.net>, <200908211717586562771@263.net> Message-ID: <200908212045314378210@263.net> Dear friends, The full test code is attached. And this code can pass the execution test. The structure of this test protocol U --------> S : U.Nu'.{U.Nu'}_OTKu S --------> KDC : S.Ns'.{S.Ns'}_OTKs.U.Nu'.{U.Nu'}_OTKs OTKu = Hash(U.Nu'.PWu) PWu is a shared key between U and KDC OTKs = Hash(S.Ns'.PWs) PWs is a shared key between S and KDC The problem is (1) At line 63, if OTKs and OTKu are not primed, this step can not be executed. And I remembered you have said that they should not be primed. The real purpose of this step is that when KDC get the last message from S, itself can compute OTKu and OTKs can verify Nu' and Ns' separately. I also think them should not be primed, but how to describe this situation? 63. rcv_from_s. St = 0 /\ Rcv({S.Ns'}_OTKs'.{U.Nu'}_OTKu') =|> (2) The code I given bellow omit * part of the original protocol. However, if I add them all, execution test does not run well. U --------> S : *.{U.Nu'}_OTKu S --------> KDC : *.{S.Ns'}_OTKs.*.{U.Nu'}_OTKu Best regards, Lv Chao 1. % the simplified version of OP for span's protocol simulation test 2. role op_U(U, S, KDC : agent, 3. Snd, Rcv : channel (dy), 4. PWu : symmetric_key, 5. Hash : hash_func) 6. 7. played_by U def= 8. local St : nat, 9. Nu : text, 10. OTKu : message, 11. AuthRQu : message 12. 13. init St := 0 14. 15. transition 16. 17. send_to_s. St = 0 /\ Rcv(start) =|> 18. St':= 1 /\ Nu' := new() 19. /\ OTKu' := Hash(U.Nu'.PWu) 20. /\ Snd({U.Nu'}_OTKu') 21. 22.end role 23.%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% 24.role op_S(U, S, KDC : agent, 25. Snd, Rcv : channel (dy), 26. PWs : symmetric_key, 27. Hash : hash_func) 28. 29.played_by S def= 30. local St : nat, 31. AuthRQu : message, 32. AuthRQs : message, 33. OTKs : message, 34. Ns : text 35. 36. init St := 0 37. 38. transition 39. 40. rcv_from_u. St = 0 /\ Rcv(AuthRQu') =|> 41. St':= 1 /\ Ns' := new() 42. /\ OTKs' := Hash(S.Ns'.PWs) 43. /\ AuthRQs' := {S.Ns'}_OTKs' 44. /\ Snd(AuthRQs'.AuthRQu') 45. 46.end role 47.%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% 48.role op_KDC(U, S, KDC : agent, 49. Snd, Rcv : channel (dy), 50. PWu, PWs : symmetric_key, 51. Hash : hash_func) 52. 53.played_by KDC def= 54. 55. local St : nat, 56. Nu, Ns : text, 57. OTKu, OTKs : message 58. 59. init St := 0 60. 61. transition 62. 63. rcv_from_s. St = 0 /\ Rcv({S.Ns'}_OTKs'.{U.Nu'}_OTKu') =|> 64. St':= 1 65. 66.end role 67.%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% role session(U, S, KDC : agent, PWu, PWs : symmetric_key, Hash : hash_func) def= local U_SND, U_RCV, S_SND, S_RCV, KDC_SND, KDC_RCV : channel (dy) composition op_U(U, S, KDC, U_SND, U_RCV, PWu, Hash) /\ op_KDC(U, S, KDC, KDC_SND, KDC_RCV, PWu, PWs, Hash) /\ op_S(U, S, KDC, S_SND, S_RCV, PWs, Hash) end role %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% role environment() def= const u, s, kdc, i : agent, pwu, pws, pwi : symmetric_key, auth_kdc_u_nu : protocol_id intruder_knowledge = {i, u, s, kdc, pwi, hhash} composition session(u, s, kdc, pwu, pws, hhash) % /\ session(u, s, kdc, pwu, pws, hhash) % /\ session(i, s, kdc, pwi, pws, hhash) % /\ session(u, i, kdc, pwu, pwi, hhash) end role %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% goal % KDC authenticate U on Nu authentication_on auth_kdc_u_nu end goal %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% environment() 2009-08-21 ilvvli ???? Tigran S. Avanesov ????? 2009-08-21 18:25:21 ???? ilvvli ??? ??? Re: [Avispa-users] Fw: Re: Re: A problem about how to model Hashfunction asa key? Can you show your hlpsl (or more-or-less minimal problematic one)? -------------- next part -------------- An HTML attachment was scrubbed... URL: http://mail63.csoft.net/pipermail/avispa-users/attachments/20090821/4a6ca558/attachment-0001.htm From adamnour06 at yahoo.fr Fri Aug 21 10:07:24 2009 From: adamnour06 at yahoo.fr (Adam Noureddine) Date: Fri, 21 Aug 2009 14:07:24 +0000 (GMT) Subject: [Avispa-users] prime and symmetric key Message-ID: <57964.5825.qm@web24608.mail.ird.yahoo.com> Dear friends, ?????? Here is a part of protocol as follows, 1. A --- > B?: na?????????????????????? 2. B?--- >?A : {nb,na,B}_K????????? 3. A --- > B : {na,nb}_K???????????? K is shared key between A and B ? in?role A and transition 3. The specification in?HLPSL is: ? ?????? 2.? State = 1 /\ Rec({Nb'.Na.B}_K)? =|>?? State' := 2? /\ Snd({Na.Nb'}_K) ? Please, my specification is it corect ( use the prime " ' " in specification )??, if no,?correct my?specification? if it is possible. I? am waiting your answer. My best regards. -------------- next part -------------- An HTML attachment was scrubbed... URL: http://mail63.csoft.net/pipermail/avispa-users/attachments/20090821/ece6393d/attachment.htm From ilvvli at 263.net Fri Aug 21 11:01:47 2009 From: ilvvli at 263.net (=?utf-8?B?aWx2dmxp?=) Date: Fri, 21 Aug 2009 23:01:47 +0800 Subject: [Avispa-users] =?utf-8?q?prime_and_symmetric_key?= Message-ID: <200908212301434377221@263.net> I think your specification is correct. You can run protocol simulation with span and to see the values of variables. For "Priming Variables", you can reference "HLPSL Tutorial " page 41. Here are some guidelines from this document. ? In the RCV channel, if you are receiving a new value then the variable used to store this value should be primed. ? In the SND channel, if you are sending an old value, don?t prime the variable. ? If sending a value just received or computed in the same step, then prime the variable. ? A local variable should be assigned a value before first reading or sending it: either in the init section (without primes) or by assigning a value to its primed instance. Regards, Lv Chao 2009-08-21 ilvvli ???? Adam Noureddine ????? 2009-08-21 22:08:40 ???? avispa-users ??? ??? [Avispa-users] prime and symmetric key Dear friends, Here is a part of protocol as follows, 1. A --- > B : na 2. B --- > A : {nb,na,B}_K 3. A --- > B : {na,nb}_K K is shared key between A and B in role A and transition 3. The specification in HLPSL is: 2. State = 1 /\ Rec({Nb'.Na.B}_K) =|> State' := 2 /\ Snd({Na.Nb'}_K) Please, my specification is it corect ( use the prime " ' " in specification ) ?, if no, correct my specification if it is possible. I? am waiting your answer. My best regards. -------------- next part -------------- An HTML attachment was scrubbed... URL: http://mail63.csoft.net/pipermail/avispa-users/attachments/20090821/0f97c910/attachment.htm From adamnour06 at yahoo.fr Sun Aug 23 10:51:37 2009 From: adamnour06 at yahoo.fr (Adam Noureddine) Date: Sun, 23 Aug 2009 14:51:37 +0000 (GMT) Subject: [Avispa-users] replay attack but in avispa SAFE !!!! Message-ID: <575677.30227.qm@web24615.mail.ird.yahoo.com> Dear friends, ?????? Here is a challenge/response protocol as follows, 1. A --- > B?: na?????????????????????? 2. B?--- >?A : {na}_K????????? K is shared key between A and B ? The specification of protocol in?HLPSL is: ???? role server ( A,B: agent, K: symmetric_key, Snd,Rec: channel(dy)) ??? played_by A ??? def= ????? local? State???????? : nat, ????????????? Na??????????? : text??? ??????????? init State := 0 ????? transition ?????? 1. State = 0 ????????? /\ Rec(start) ????????? =|> ????????? State' := 1 ????????? /\ Na' := new() ????????? /\ Snd(Na') ?????? 2. State = 1 ????????? /\ Rec({Na}_K) ????????? =|> ????????? State' := 2 ????????? /\ request(A,B,auth_client,{Na}_K)???????? ??? end role ??? role client ( B,A: agent,K: symmetric_key, Snd, Rec: channel(dy)) ??? played_by B ??? def= ????? local? State?????????????? : nat, ???????????? Na????????????????? : text????????? ????? init State := 0 ????? transition ?????? 1. State = 0 ????????? /\ Rec(Na') ????????? =|> ????????? State' := 1 ????????? /\ Snd({Na'}_K)????????? ????????? /\ witness(B,A,auth_client,{Na'}_K)?? ??? end role ?? role session(A,B : agent,K : symmetric_key) def= local St,Rt,Sl,Rl : channel(dy) composition client(B,A,K,St,Rt) /\ server(A,B,K,Sl,Rl) end role role environment() def= const a,b : agent, k : symmetric_key, auth_client:protocol_id intruder_knowledge = {a,b} composition session(a,b,k) end role ??? goal ? ?? %? server authenticates client ?????? authentication_on auth_client ??? end goal ??? environment() --------------------------------------------------------------- The verification this protocol with other tools detect attack "Replay Attack" : A ---- > Na ----> I ------> B B ---- > {Na}_K? ----> I ------> A??????????????????? with I : Intrus Please, why my verification no detect attack (SAFE)? , My specification is it corect ? I? am waiting your answer. My best regards -------------- next part -------------- An HTML attachment was scrubbed... URL: http://mail63.csoft.net/pipermail/avispa-users/attachments/20090823/af2530ea/attachment.htm From adamnour06 at yahoo.fr Tue Aug 25 07:37:34 2009 From: adamnour06 at yahoo.fr (Adam Noureddine) Date: Tue, 25 Aug 2009 11:37:34 +0000 (GMT) Subject: [Avispa-users] update of symmetric key Message-ID: <100151.82907.qm@web24614.mail.ird.yahoo.com> ? Dear friends, ?????? Here is same protocol as follows, 1. A --- > B?: na?????????????????????? 2. B?--- >?A : {na}_K????????? ? Question 1. K is shared (symmetric) key between A and B. ?If value of k is update in last transition. ? What?is declaration of k correct? ? ??? role?Alice ( A,B: agent, K: symmetric_key, Snd,Rec: channel(dy)) ??? played_by A ?????????????????????????????????? .... ? ??? role?Bob ( B,A: agent, K: symmetric_key, Snd,Rec: channel(dy)) ??? played_by?B ????????????????????????????????? ... Or ? ?role?Alice ( A,B: agent,?Snd,Rec: channel(dy)) ??? played_by A ????? local? State?????????????? : nat, ???????????? K: symmetric_key???????????????? .... ? ??? role?Bob ( B,A: agent,? Snd,Rec: channel(dy)) ??? played_by?B ??? def= ????? local? State?????????????? : nat, ???????????? K: symmetric_key??????????????? ..... ? ? Question 2. If K is shared?key (private)?between A and B. The type of private key not exist in HLPSL, how declarate of private key? ????? I? am waiting your answer.My best regards -------------- next part -------------- An HTML attachment was scrubbed... URL: http://mail63.csoft.net/pipermail/avispa-users/attachments/20090825/c30a7d20/attachment-0001.htm From Thomas.Genet at irisa.fr Tue Aug 25 09:18:34 2009 From: Thomas.Genet at irisa.fr (Thomas Genet) Date: Tue, 25 Aug 2009 15:18:34 +0200 Subject: [Avispa-users] A Problem About SPAN In-Reply-To: <200908191819544840160@263.net> References: <200908191819544840160@263.net> Message-ID: <4A93E4AA.2080501@irisa.fr> Hi, this is difficult to debug without the full HLPSL code... Can you send it? ilvvli a ?crit : > Dear Friends, > I have described a protocol using HLPSL as follows. When I do the > protocol simulation in SPAN, why the last message can not be simulated ? > And the structure of this protocol is like this. > > U -----> S > S -----> KDC > KDC -----> S > S -----> U > U -----> S ( This message can not be simulated,:-( ) > > Thanks for your help! > Regards, > > Lv Chao > > > %%%%% some codes of this protocol %%%%% > > role osnp_U(U, S, KDC : agent, > Snd, Rcv : channel (dy), > PWu : symmetric_key) > > played_by U def= > .............. > transition > > send_to_s. St = 0 /\ Rcv(start) =|> > St':= 1 /\ Nu' := new() > /\ OTKu' := Hash(U.Nu'.PWu) > /\ AuthRQu' := U.Nu'.{U.Nu'}_OTKu' > /\ Snd(AuthRQu') > /\ witness(U, KDC, auth_kdc_u_nu, Nu') > > rcv_from_s. St = 1 /\ Rcv({Nu'.S.Kss'.Ktu'}_OTKu.{S.Nsp'}_Kss'.U.S.Nu'.{U.VTs'.Kss'}_OTKs') =|> > St':= 2 /\ RESPs' := {U.Nsp'}_Kss' > /\ VTu' := new() > /\ Au' := {S.VTu'.Kss'}_Ktu' > /\ Snd(U.S.RESPs'.Au') > /\ witness(U, S, auth_s_u_nsp, Nsp') > end role > %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% > role osnp_S(U, S, KDC : agent, > Snd, Rcv : channel (dy), > PWs : symmetric_key) > > played_by S def= > ........... > transition > > rcv_from_u. St = 0 /\ Rcv(U.Nu'.{U.Nu'}_OTKu') =|> > St':= 1 /\ AuthRQu' := U.Nu'.{U.Nu'}_OTKu' > /\ Ns' := new() > /\ OTKs' := Hash(S.Ns'.PWs) > /\ AuthRQs' := S.Ns'.{S.Ns'}_OTKs' > /\ Snd(AuthRQs'.AuthRQu') > /\ witness(S, KDC, auth_kdc_s_ns, Ns') > > rcv_from_kdc. St = 1 /\ Rcv(U.S.Nu'.{Ns'.U.Kss'}_OTKs'.AuthAKu') =|> > St':= 2 /\ Nsp' := new() > /\ CHs' := {S.Nsp'}_Kss' > /\ VTs' := new() > /\ TKTs' := U.S.Nu'.{U.VTs'.Kss'}_OTKs' > /\ Snd(AuthAKu'.CHs'.TKTs') > > rcv_from_u. St = 2 /\ Rcv(U.S.{U.Nsp'}_Kss'.{S.VTu'.Kss'}_Ktu') =|> > St':= 3 /\ request(S, U, auth_s_u_nsp, Nsp) > end role > %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% > role osnp_KDC(U, S, KDC : agent, > Snd, Rcv : channel (dy), > PWu, Pws : symmetric_key) > > played_by KDC def= > > ............. > transition > > rcv_from_s. St = 0 /\ Rcv(S.Ns'.{S.Ns'}_OTKs'.U.Nu'.{U.Nu'}_OTKu') =|> > St':= 1 /\ Kss' := new() > /\ Ktu' := new() > /\ AuthAKs' := {Ns'.U.Kss'}_OTKs' > /\ AuthAKu' := {Nu'.S.Kss'.Ktu'}_OTKu' > /\ Sid' := U.S.Nu' > /\ Snd(Sid'.AuthAKs'.AuthAKu') > /\ secret(Kss', sec_kdc_u_s_kss, {KDC, U, S}) > /\ secret(Ktu', sec_kdc_u_ktu, {KDC, U}) > /\ request(KDC, U, auth_kdc_u_nu, Nu') > /\ request(KDC, S, auth_kdc_s_ns, Ns') > end role > > 2009-08-19 > ------------------------------------------------------------------------ > ilvvli > > > ------------------------------------------------------------------------ > > _______________________________________________ > Avispa-users mailing list > Avispa-users at avispa-project.org > http://mail63.csoft.net/mailman/listinfo/avispa-users -- Thomas Genet IFSIC/IRISA Campus de Beaulieu, 35042 Rennes cedex, France T?l: +33 (0) 2 99 84 73 44 E-mail: genet at irisa.fr http://www.irisa.fr/lande/genet From Thomas.Genet at irisa.fr Tue Aug 25 12:21:20 2009 From: Thomas.Genet at irisa.fr (Thomas Genet) Date: Tue, 25 Aug 2009 18:21:20 +0200 Subject: [Avispa-users] A Problem About SPAN In-Reply-To: <200908252251369214293@263.net> References: <200908191819544840160@263.net> <200908252251369214293@263.net> Message-ID: <4A940F80.3070505@irisa.fr> Hi, I found a way to overcome the problem... though I still do not know how to fix it in the tool. Instead of writing: ilvvli a ?crit : > role op_KDC(U, S, KDC : agent, > [...] > > rcv_from_s. St = 0 /\ Rcv(S.Ns'.{S.Ns'}_Hash(S.Ns'.PWs).U.Nu'.{U.Nu'}_Hash(U.Nu'.PWu)) =|> you can write rcv_from_s. St = 0 /\ Rcv(X') /\ X'= S.Ns'.{S.Ns'}_Hash(S.Ns'.PWs).U.Nu'.{U.Nu'}_Hash(U.Nu'.PWu) =|> Where X is of type message and declared in the local variables. I do not know yet if it is a bug in span or a bug in Mathieu Turuani's matching. To be continued... -- Thomas Genet IFSIC/IRISA Campus de Beaulieu, 35042 Rennes cedex, France T?l: +33 (0) 2 99 84 73 44 E-mail: genet at irisa.fr http://www.irisa.fr/lande/genet From ilvvli at 263.net Wed Aug 26 08:49:28 2009 From: ilvvli at 263.net (=?utf-8?B?aWx2dmxp?=) Date: Wed, 26 Aug 2009 20:49:28 +0800 Subject: [Avispa-users] =?utf-8?q?A_Problem_About_SPAN?= References: <200908191819544840160@263.net>, <200908252251369214293@263.net>, <4A940F80.3070505@irisa.fr> Message-ID: <200908262049235780110@263.net> Thanks for you advice. And it really works. Best regards, Lv Chao 2009-08-26 ilvvli ???? Thomas Genet ????? 2009-08-26 00:21:23 ???? ilvvli ??? avispa-users ??? Re: [Avispa-users] A Problem About SPAN Hi, I found a way to overcome the problem... though I still do not know how to fix it in the tool. Instead of writing: ilvvli a ?crit : > role op_KDC(U, S, KDC : agent, > [...] > > rcv_from_s. St = 0 /\ Rcv(S.Ns'.{S.Ns'}_Hash(S.Ns'.PWs).U.Nu'.{U.Nu'}_Hash(U.Nu'.PWu)) =|> you can write rcv_from_s. St = 0 /\ Rcv(X') /\ X'= S.Ns'.{S.Ns'}_Hash(S.Ns'.PWs).U.Nu'.{U.Nu'}_Hash(U.Nu'.PWu) =|> Where X is of type message and declared in the local variables. I do not know yet if it is a bug in span or a bug in Mathieu Turuani's matching. To be continued... -- Thomas Genet IFSIC/IRISA Campus de Beaulieu, 35042 Rennes cedex, France T?l: +33 (0) 2 99 84 73 44 E-mail: genet at irisa.fr http://www.irisa.fr/lande/genet -------------- next part -------------- An HTML attachment was scrubbed... URL: http://mail63.csoft.net/pipermail/avispa-users/attachments/20090826/6a6be98b/attachment.htm From adamnour06 at yahoo.fr Thu Aug 27 11:27:44 2009 From: adamnour06 at yahoo.fr (Adam Noureddine) Date: Thu, 27 Aug 2009 15:27:44 +0000 (GMT) Subject: [Avispa-users] New specification is detect replay attack Message-ID: <684738.93475.qm@web24608.mail.ird.yahoo.com> Dear friends, for this protocol: 1. A --- > B?: na?????????????????????? 2. B?--- >?A : {na}_K????????? K is shared key between A and B ? The change of specification of this protocol in?HLPSL is: ???? role server ( A,B: agent, K: symmetric_key, Snd,Rec: channel(dy)) ??? played_by A ??? def= ????? local? State???????? : nat, ????????????? Na??????????? : text??? ??????????? init State := 0 ????? transition ?????? 1. State = 0 ????????? /\ Rec(start) ????????? =|> ????????? State' := 1 ????????? /\ Na' := new() ????????? /\ Snd(Na') ?? /\ witness(A,B,auth_client,Na')??? ?????? 2. State = 1 ????????? /\ Rec({Na}_K) ????????? =|> ????????? State' := 2 ????????? /\ request(A,B,auth_client,Na)???????? ??? end role ??? role client ( B,A: agent,K: symmetric_key, Snd, Rec: channel(dy)) ??? played_by B ??? def= ????? local? State?????????????? : nat, ???????????? Na????????????????? : text????????? ????? init State := 0 ????? transition ?????? 1. State = 0 ????????? /\ Rec(Na') ????????? =|> ????????? State' := 1 ????????? /\ Snd({Na'}_K)????????? ?????? ??? end role ?? role session(A,B : agent,K : symmetric_key) def= local St,Rt,Sl,Rl : channel(dy) composition client(B,A,K,St,Rt) /\ server(A,B,K,Sl,Rl) end role role environment() def= const a,b,i : agent, k : symmetric_key, auth_client:protocol_id intruder_knowledge = {a,b,k1,k2} composition session(a,b,k) /\ session(i,b,k1) /\ session(a,i,k2) end role ??? goal ? ?? %? server authenticates client ?????? authentication_on auth_client ??? end goal ??? environment() --------------------------------------------------------------- After verification with AVISPA tools, the resultat is detect replay attack such as: % OFMC % Version of 2006/02/13 SUMMARY ? UNSAFE DETAILS ? ATTACK_FOUND PROTOCOL ? /home/avispa/web-interface-computation/./tempdir/workfileDubQFA.if GOAL ? authentication_on_auth_client BACKEND ? OFMC COMMENTS STATISTICS ? parseTime: 0.00s ? searchTime: 0.01s ? visitedNodes: 9 nodes ? depth: 2 plies ATTACK TRACE i -> (a,3): start (a,3) -> i: Na(1) i -> (b,3): Na(1) (b,3) -> i: {Na(1)}_k i -> (a,3): {Na(1)}_k My question,My new specification is it correct ? I? am waiting your answer. My best regards -------------- next part -------------- An HTML attachment was scrubbed... URL: http://mail63.csoft.net/pipermail/avispa-users/attachments/20090827/7814a9d8/attachment-0001.htm