From alshadly09 at googlemail.com Tue Sep 1 05:19:21 2009
From: alshadly09 at googlemail.com (SALEH AL-SHADLY)
Date: Tue, 01 Sep 2009 11:19:21 +0200
Subject: [Avispa-users] guessing attacks
Message-ID: <4A9CE719.5070400@googlemail.com>

Dear all,

how to check a protocol against guessing attacks using AVISPA?
i saw the EKE example in AVISPA lib. but that attack was found is not clear for me.
can anyone help me?

many regards
Saleh

From adam.walid28 at gmail.com Wed Sep 2 06:00:06 2009
From: adam.walid28 at gmail.com (walid Adam)
Date: Wed, 2 Sep 2009 12:00:06 +0200
Subject: [Avispa-users] Templete description
Message-ID: <76280150909020300t30498cdai77c47d4f0a6210d6@mail.gmail.com>

Dear friends

are you possible describe the content of Templete :

% VARIANT:
% PURPOSE:
% LIMITATIONS:
% PROBLEMS:
*% CLASSIFICATION: *(where is the classification ?, G1,G2, ... etc)

if AVISPA tools detect many attacks, is it written that all attacks ?

I am waiting your answer.

From David.von.Oheimb at siemens.com Wed Sep 2 09:23:23 2009
From: David.von.Oheimb at siemens.com (David von Oheimb)
Date: Wed, 02 Sep 2009 15:23:23 +0200
Subject: [Avispa-users] replay attack but in avispa SAFE !!!!
In-Reply-To: <575677.30227.qm@web24615.mail.ird.yahoo.com>
References: <575677.30227.qm@web24615.mail.ird.yahoo.com>
Message-ID: <4A9E71CB.4050400@siemens.com>

Dear Adam,

thanks for your questions and patience.

AFAICS, the protocol you give does not have a replay attack,
because A (the server) will only accept responses with the
challenge (nonce) he sent. Any other session will use a different
challenge, so the intruder cannot successfully replay it in any such session.

BTW, in order to check for replay attacks, you should have multiple sessions, e.g.
replace
  composition
    session(a,b,k)
by
  composition
    session(a,b,k) /\ session(a,b,k)

Even if you do so, the AVISPA tools will (correctly) report that there is no attack.

Best,
David

Adam Noureddine wrote:
>
> Dear friends,
>
> Here is a challenge/response protocol as follows,
> 1. A --- > B : na
> 2. B --- > A : {na}_K
> K is shared key between A and B
>
> The specification of protocol in HLPSL is:
>
> role server ( A,B: agent, K: symmetric_key, Snd,Rec: channel(dy))
> played_by A
> def=
>   local State : nat,
>         Na    : text
>   init State := 0
>   transition
>    1. State = 0
>       /\ Rec(start)
>       =|>
>       State' := 1
>       /\ Na' := new()
>       /\ Snd(Na')
>    2. State = 1
>       /\ Rec({Na}_K)
>       =|>
>       State' := 2
>       /\ request(A,B,auth_client,{Na}_K)
> end role
>
> role client ( B,A: agent,K: symmetric_key, Snd, Rec: channel(dy))
> played_by B
> def=
>   local State : nat,
>         Na    : text
>   init State := 0
>   transition
>    1. State = 0
>       /\ Rec(Na')
>       =|>
>       State' := 1
>       /\ Snd({Na'}_K)
>       /\ witness(B,A,auth_client,{Na'}_K)
> end role
>
> role session(A,B : agent,K : symmetric_key)
> def=
>   local St,Rt,Sl,Rl : channel(dy)
>   composition
>     client(B,A,K,St,Rt)
>     /\ server(A,B,K,Sl,Rl)
> end role
>
> role environment() def=
>   const a,b : agent,
>         k : symmetric_key,
>         auth_client:protocol_id
>
>   intruder_knowledge = {a,b}
>
>   composition
>     session(a,b,k)
>
>
> end role
>
> goal
>   % server authenticates client
>   authentication_on auth_client
> end goal
> environment()
> ---------------------------------------------------------------
>
> The verification this protocol with other tools detect attack "Replay
> Attack" :
>
> A ---- > Na ----> I ------> B
> B ---- > {Na}_K ----> I ------> A      with I : Intruder
> Please, why my verification no detect attack (SAFE)? , My specification
> is it correct ?
> I am waiting your answer.
> My best regards
>
>

From David.von.Oheimb at siemens.com Wed Sep 2 09:24:48 2009
From: David.von.Oheimb at siemens.com (David von Oheimb)
Date: Wed, 02 Sep 2009 15:24:48 +0200
Subject: [Avispa-users] update of symmetric key
In-Reply-To: <100151.82907.qm@web24614.mail.ird.yahoo.com>
References: <100151.82907.qm@web24614.mail.ird.yahoo.com>
Message-ID: <4A9E7220.9040807@siemens.com>

Dear Adam,

> Here is same protocol as follows,
> 1. A --- > B : na
> 2. B --- > A : {na}_K
>
> *Question 1.*
> K is shared (*symmetric*) key between A and B.
> *If value of k is update in last transition.*
>
> What is declaration of k correct?
>
> role Alice ( A,B: agent, K: symmetric_key, Snd,Rec: channel(dy))
> played_by A
> ....
>
> role Bob ( B,A: agent, K: symmetric_key, Snd,Rec: channel(dy))
> played_by B
> ...
> *Or*
>
> role Alice ( A,B: agent, Snd,Rec: channel(dy))
> played_by A
> local State : nat,
> K: symmetric_key ....
>
> role Bob ( B,A: agent, Snd,Rec: channel(dy))
> played_by B
> def=
> local State : nat,
> K: symmetric_key .....

Usually, HLPSL roles learn shared keys via their parameters,
i.e. the first variant is correct.
(In the second variant you give, K would have two *different* values
local to Alice and Bob, i.e. is not a shared value.).

You may update the value of K (regardless whether K is a parameter or
local variable) within the role, but this will not be used if the role's
execution ends at this point. You might introduce a loop to the
beginning of the role, but this will lead to non-termination.
A workaround may be to unroll the loop finitely many times,
e.g. two times or three times, within the roles.

> *Question 2.*
> If K is shared key (*private*) between A and B.
> The type of private key not exist in HLPSL, how declarate of private key?

Regarding types, there is only symmetric and asymmetric (public/private) keys.
Symmetric keys are usually shared keys.
For any (asymmetric) public key "K", which has type "public_key",
the corresponding private key is denoted by "inv(K)",
which has type "inv(public_key)".

Hope this helps,
David

From David.von.Oheimb at siemens.com Wed Sep 2 09:25:05 2009
From: David.von.Oheimb at siemens.com (David von Oheimb)
Date: Wed, 02 Sep 2009 15:25:05 +0200
Subject: [Avispa-users] New specification is detect replay attack
In-Reply-To: <684738.93475.qm@web24608.mail.ird.yahoo.com>
References: <684738.93475.qm@web24608.mail.ird.yahoo.com>
Message-ID: <4A9E7231.6000300@siemens.com>

Dear Adam,

your new specification is more interesting than the original one because
it contains three sessions that partially involve also the intruder.
Yet the "witness(A,B,auth_client,Na')" must not occur in the server role.
After moving it to the end of the client role where it belongs,
no attack is found any more (which I believe is the right result).

Cheers,
David

Adam Noureddine wrote:
> Dear friends,
>
> for this protocol:
> 1. A --- > B : na
> 2. B --- > A : {na}_K
> K is shared key between A and B
>
> The change of specification of this protocol in HLPSL is:
>
> role server ( A,B: agent, K: symmetric_key, Snd,Rec: channel(dy))
> played_by A
> def=
>   local State : nat,
>         Na    : text
>   init State := 0
>   transition
>    1. State = 0
>       /\ Rec(start)
>       =|>
>       State' := 1
>       /\ Na' := new()
>       /\ Snd(Na')
>       /\ witness(A,B,auth_client,Na')
>    2. State = 1
>       /\ Rec({Na}_K)
>       =|>
>       State' := 2
>       /\ request(A,B,auth_client,Na)
> end role
>
> role client ( B,A: agent,K: symmetric_key, Snd, Rec: channel(dy))
> played_by B
> def=
>   local State : nat,
>         Na    : text
>   init State := 0
>   transition
>    1.
>       State = 0
>       /\ Rec(Na')
>       =|>
>       State' := 1
>       /\ Snd({Na'}_K)
>
> end role
>
> role session(A,B : agent,K : symmetric_key)
> def=
>   local St,Rt,Sl,Rl : channel(dy)
>   composition
>     client(B,A,K,St,Rt)
>     /\ server(A,B,K,Sl,Rl)
> end role
>
> role environment() def=
>   const a,b,i : agent,
>         k : symmetric_key,
>         auth_client:protocol_id
>
>   intruder_knowledge = {a,b,k1,k2}
>
>   composition
>     session(a,b,k)
>     /\ session(i,b,k1)
>     /\ session(a,i,k2)
>
> end role
>
> goal
>   % server authenticates client
>   authentication_on auth_client
> end goal
> environment()
> ---------------------------------------------------------------
>
> After verification with AVISPA tools, the result is detect replay
> attack such as:
>
> % OFMC
> % Version of 2006/02/13
> SUMMARY
>   UNSAFE
> DETAILS
>   ATTACK_FOUND
> PROTOCOL
>   /home/avispa/web-interface-computation/./tempdir/workfileDubQFA.if
> GOAL
>   authentication_on_auth_client
> BACKEND
>   OFMC
> COMMENTS
> STATISTICS
>   parseTime: 0.00s
>   searchTime: 0.01s
>   visitedNodes: 9 nodes
>   depth: 2 plies
> ATTACK TRACE
> i -> (a,3): start
> (a,3) -> i: Na(1)
> i -> (b,3): Na(1)
> (b,3) -> i: {Na(1)}_k
> i -> (a,3): {Na(1)}_k
>
>
> My question,My new specification is it correct ?
>
> I am waiting your answer.
> My best regards
>
>

From David.von.Oheimb at siemens.com Wed Sep 2 09:25:46 2009
From: David.von.Oheimb at siemens.com (David von Oheimb)
Date: Wed, 02 Sep 2009 15:25:46 +0200
Subject: [Avispa-users] Templete description
In-Reply-To: <76280150909020300t30498cdai77c47d4f0a6210d6@mail.gmail.com>
References: <76280150909020300t30498cdai77c47d4f0a6210d6@mail.gmail.com>
Message-ID: <4A9E725A.2040007@siemens.com>

Dear Adam,

> are you possible describe the content of Templete :
>
> % VARIANT:
> % PURPOSE:
> % LIMITATIONS:
> % PROBLEMS:
> *% CLASSIFICATION: *(where is the classification ?, G1,G2, ... etc)

all the above entries are just comments for documentation purposes
and have no effect on the analysis.
The classification line just describes the types of security goals,
where the Gn are abbreviations defined in section 3 of
http://www.avispa-project.org/delivs/6.1/d6-1.pdf

>
> if AVISPA tools detect many attacks, is it written that all attacks ?

No, only the first attack found is written.
After fixing this attack or removing the respective goal from the goals
section, when you re-run the tools, any further attack will be written.

Regards,
David

From adam.walid28 at gmail.com Wed Sep 2 10:07:11 2009
From: adam.walid28 at gmail.com (walid Adam)
Date: Wed, 2 Sep 2009 16:07:11 +0200
Subject: [Avispa-users] user-contributed protocol specification
Message-ID: <76280150909020707n61923ec3t8cc75969221d39f@mail.gmail.com>

-------------- next part --------------
A non-text attachment was scrubbed...
Name: tm.hlpsl
Type: application/octet-stream
Size: 876 bytes
Desc: not available
Url : http://mail63.csoft.net/pipermail/avispa-users/attachments/20090902/51084f09/attachment.obj

From georgy3k at gmail.com Wed Sep 2 10:20:59 2009
From: georgy3k at gmail.com (George Stewart)
Date: Wed, 2 Sep 2009 15:20:59 +0100
Subject: [Avispa-users] CAS+ Specifications Problems
Message-ID:

I've tried to complete the Geopriv protocol specified on the AVISPA
website in the collection of security protocols in CAS+, I was having
a few issues however with this! In the manual for CAS+ it specifies
that the syntax is much the same as CASRUL which can be found in the
paper JRV00, does anyone know where I could get my hands on this paper
as I cannot find it anywhere? Also I have been having problems with
the goal declaration, I cannot declare anything with secrecy without
getting "Syntax error(26) line 26: bad definition of GOAL strategy",
and there seems to be nothing in any of the examples I have found?
Also in the following protocol the 5th and last message does not send
in the protocol simulation in SPAN, was thinking this might be to do
with not having the correct goal declarations but any idea would be
helpful?

protocol Geopriv;
identifiers
T, LR, LS             : user;
KTLR, KLR, KTLS       : symmetric_key;
KLS                   : public_key;
NLR, PsiLR, PWLR, LI  : number;
PR                    : function;

messages
1. LR -> T: LR,{LR,NLR}KTLR
2. T -> LR: PsiLR,{PWLR, NLR}KTLR
3. T -> LS: T,PsiLR,{PWLR,T,PR}KTLS
4. LR -> LS: PsiLR,{PWLR,KLR,T}KLS
5. LS -> LR: {PR(LI),T}KLR

knowledge
LR : T, LR, LS, KTLR, KLS, KLR;
T  : T, LS, KTLR, KTLS, LR;
LS : LR, LS, KTLS, KLS, T, KLR;

session_instances
[LR:locationRecipient, T:target, LS:locationServer, KTLR:ktlr, KLR:klr, KTLS:ktls, KLS:kls];

goal
LR authenticates LS on LI;
LS authenticates LR on PWLR;
T authenticates LR on NLR;

Thanks in advance,
George Stewart

From adamnour06 at yahoo.fr Wed Sep 2 10:45:51 2009
From: adamnour06 at yahoo.fr (Adam Noureddine)
Date: Wed, 2 Sep 2009 14:45:51 +0000 (GMT)
Subject: [Avispa-users] protocol exemple for update of symmetric key
Message-ID: <960301.68093.qm@web24604.mail.ird.yahoo.com>

Dear friends,

Here is a challenge/response protocol as follows,
1. A --- > B : na
2. B --- > A : {na}_K
K is shared key between A and B

in the last transition: the update of symmetric key in role B then in role A.
   with K' := H(K)

The specification of this protocol in HLPSL is:

    role server ( A,B: agent, K: symmetric_key, H: hash_func, Snd,Rec: channel(dy))
    played_by A
    def=
      local State : nat,
            Na    : text
      init State := 0
      transition
       1. State = 0
          /\ Rec(start)
          =|>
          State' := 1
          /\ Na' := new()
          /\ Snd(Na')
       2. State = 1
          /\ Rec({Na}_K)
          =|>
          State' := 2
          /\ K' := H(K)
          /\ request(A,B,auth_client,{Na}_K)
    end role
    role client ( B,A: agent,K: symmetric_key,H: hash_func, Snd, Rec: channel(dy))
    played_by B
    def=
      local State : nat,
            Na    : text
      init State := 0
      transition
       1. State = 0
          /\ Rec(Na')
          =|>
          State' := 1
          /\ Snd({Na'}_K)
          /\ K' := H(K)
          /\ witness(B,A,auth_client,{Na'}_K)
    end role

    role session(A,B : agent,K : symmetric_key, H: hash_func)
    def=
      local St,Rt,Sl,Rl : channel(dy)
      composition
        client(B,A,K,H,St,Rt)
        /\ server(A,B,K,H,Sl,Rl)
    end role

    role environment() def=
      const a,b : agent,
            k : symmetric_key,
            h: hash_func,
            auth_client:protocol_id
      intruder_knowledge = {a,b,h}
      composition
        session(a,b,k,h)
    end role

    goal
      % server authenticates client
      authentication_on auth_client
    end goal
    environment()
---------------------------------------------------------------

Please, My specification is it correct ? , if no , corrected my specification
I am waiting your answer.
My best regards

From adamnour06 at yahoo.fr Wed Sep 2 10:59:59 2009
From: adamnour06 at yahoo.fr (Adam Noureddine)
Date: Wed, 2 Sep 2009 14:59:59 +0000 (GMT)
Subject: [Avispa-users] protocol exemple for update of symmetric key (New)
Message-ID: <762125.52145.qm@web24603.mail.ird.yahoo.com>

Dear friends,

Here is a challenge/response protocol as follows,
1. A --- > B : na
2. B --- > A : {na}_K
K is shared key between A and B

Description:
A sends a random number na to B. B encrypts the random number with
the shared key K and sends it back to A. A proofs the result and can verify the
identity (in other words the possession of K) of B.
in the last transition: the update of symmetric key in role B then in role A.
   with K' := H(K)

The specification of this protocol in HLPSL is:

    role server ( A,B: agent, K: symmetric_key, H: hash_func, Snd,Rec: channel(dy))
    played_by A
    def=
      local State : nat,
            Na    : text
      init State := 0
      transition
       1. State = 0
          /\ Rec(start)
          =|>
          State' := 1
          /\ Na' := new()
          /\ Snd(Na')
       2. State = 1
          /\ Rec({Na}_K)
          =|>
          State' := 2
          /\ K' := H(K)
          /\ request(A,B,auth_client,{Na}_K)
    end role

    role client ( B,A: agent,K: symmetric_key,H: hash_func, Snd, Rec: channel(dy))
    played_by B
    def=
      local State : nat,
            Na    : text
      init State := 0
      transition
       1. State = 0
          /\ Rec(Na')
          =|>
          State' := 1
          /\ Snd({Na'}_K)
          /\ K' := H(K)
          /\ witness(B,A,auth_client,{Na'}_K)
    end role

    role session(A,B : agent,K : symmetric_key, H: hash_func)
    def=
      local St,Rt,Sl,Rl : channel(dy)
      composition
        client(B,A,K,H,St,Rt)
        /\ server(A,B,K,H,Sl,Rl)
    end role

    role environment() def=
      const a,b : agent,
            k : symmetric_key,
            h: hash_func,
            auth_client:protocol_id
      intruder_knowledge = {a,b,h}
      composition
        session(a,b,k,h)
    end role

    goal
      % server authenticates client
      authentication_on auth_client
    end goal
    environment()
---------------------------------------------------------------

Please, My specification is it correct ? , if no , corrected my specification
I am waiting your answer.
My best regards

From Thomas.Genet at irisa.fr Wed Sep 2 11:05:37 2009
From: Thomas.Genet at irisa.fr (Thomas Genet)
Date: Wed, 02 Sep 2009 17:05:37 +0200
Subject: [Avispa-users] CAS+ Specifications Problems
In-Reply-To:
References:
Message-ID: <4A9E89C1.3030604@irisa.fr>

Hi,

George Stewart wrote:
> I've tried to complete the Geopriv protocol specified on the AVISPA
> website in the collection of security protocols in CAS+, I was having
> a few issues however with this! In the manual for CAS+ it specifies
> that the syntax is much the same as CASRUL which can be found in the
> paper JRV00, does anyone know where I could get my hands on this paper

you can find it there:

http://www.loria.fr/equipes/cassis/softwares/casrul/

> as I cannot find it anywhere? Also I have been having problems with
> the goal declaration, I cannot declare anything with secrecy without
> getting "Syntax error(26) line 26: bad definition of GOAL strategy",
> and there seems to be nothing in any of the examples I have found?

something that is not mentioned in the CAS_manual and that should be (I'll fix that with
other errors) is that there is a collection of cas specification in

/testsuite/CAS_Protocols

I tried to declare a secrecy and succeeded with the following syntax:

goal
 LR authenticates LS on LI;
 LS authenticates LR on PWLR;
 T authenticates LR on NLR;
 secrecy_of NLR [LR,T];

> Also in the following protocol the 5th and last message does not send
> in the protocol simulation in SPAN, was thinking this might be to do
> with not having the correct goal declarations but any idea would be
> helpful?

This is due to the fact that your agents use the hash function PR but don't know it.
You have to add it to their knowledge:

knowledge
LR : T, LR, LS, KTLR, KLS, KLR, PR;
T  : T, LS, KTLR, KTLS, LR, PR;
LS : LR, LS, KTLS, KLS, T, KLR, PR;

I hope this helps,

Best regards,

Thomas
--
Thomas Genet
IFSIC/IRISA
Campus de Beaulieu, 35042 Rennes cedex, France
Tél: +33 (0) 2 99 84 73 44    E-mail: genet at irisa.fr
http://www.irisa.fr/lande/genet

From David.von.Oheimb at siemens.com Wed Sep 2 11:08:50 2009
From: David.von.Oheimb at siemens.com (David von Oheimb)
Date: Wed, 02 Sep 2009 17:08:50 +0200
Subject: [Avispa-users] protocol exemple for update of symmetric key (New)
In-Reply-To: <762125.52145.qm@web24603.mail.ird.yahoo.com>
References: <762125.52145.qm@web24603.mail.ird.yahoo.com>
Message-ID: <4A9E8A82.7050705@siemens.com>

Dear Adam,

your protocol is "correct", but as I wrote earlier, it does not help at
all to update K at the end of the role, because the new value is not
used thereafter. You need to add further transitions using it.

Regards,
David

Adam Noureddine wrote:
>
> Dear friends,
>
> Here is a challenge/response protocol as follows,
> 1. A --- > B : na
> 2. B --- > A : {na}_K
> K is shared key between A and B
>
> Description:
> A sends a random number na to B. B encrypts the random number with
> the shared key K and sends it back to A. A proofs the result and can
> verify the
> identity (in other words the possession of K) of B.
> in the last transition: the update of symmetric key in role B then in
> role A.
> with K' := H(K)
>
> The specification of this protocol in HLPSL is:
>
> role server ( A,B: agent, K: symmetric_key, H: hash_func, Snd,Rec:
> channel(dy))
> played_by A
> def=
>   local State : nat,
>         Na    : text
>   init State := 0
>   transition
>    1. State = 0
>       /\ Rec(start)
>       =|>
>       State' := 1
>       /\ Na' := new()
>       /\ Snd(Na')
>    2.
>       State = 1
>       /\ Rec({Na}_K)
>       =|>
>       State' := 2
>       /\ K' := H(K)
>       /\ request(A,B,auth_client,{Na}_K)
> end role
>
> role client ( B,A: agent,K: symmetric_key,H: hash_func, Snd, Rec:
> channel(dy))
> played_by B
> def=
>   local State : nat,
>         Na    : text
>   init State := 0
>   transition
>    1. State = 0
>       /\ Rec(Na')
>       =|>
>       State' := 1
>       /\ Snd({Na'}_K)
>       /\ K' := H(K)
>       /\ witness(B,A,auth_client,{Na'}_K)
> end role
>
> role session(A,B : agent,K : symmetric_key, H: hash_func)
> def=
>   local St,Rt,Sl,Rl : channel(dy)
>   composition
>     client(B,A,K,H,St,Rt)
>     /\ server(A,B,K,H,Sl,Rl)
> end role
>
> role environment() def=
>   const a,b : agent,
>         k : symmetric_key,
>         h: hash_func,
>         auth_client:protocol_id
>
>   intruder_knowledge = {a,b,h}
>
>   composition
>     session(a,b,k,h)
>
>
> end role
>
> goal
>   % server authenticates client
>   authentication_on auth_client
> end goal
> environment()
> ---------------------------------------------------------------
>
> Please, My specification is it correct ? , if no , corrected my specification
> I am waiting your answer.
> My best regards
>
>

From ychevali at irit.fr Wed Sep 2 11:31:48 2009
From: ychevali at irit.fr (Yannick Chevalier)
Date: Wed, 2 Sep 2009 17:31:48 +0200
Subject: [Avispa-users] CAS+ Specifications Problems
In-Reply-To: <4A9E89C1.3030604@irisa.fr>
References: <4A9E89C1.3030604@irisa.fr>
Message-ID:

Hi all,

Also, I should say that for a long time (and I don't know if it has
been corrected since) casrul was using authenticate instead of
authenticates... (yes, having french native speakers to write a
compiler is not always a good idea ;) )

cheers,
Yannick

On Wed, Sep 2, 2009 at 5:05 PM, Thomas Genet wrote:
>
> Hi,
>
> George Stewart wrote:
>> I've tried to complete the Geopriv protocol specified on the AVISPA
>> website in the collection of security protocols in CAS+, I was having
>> a few issues however with this!
>> In the manual for CAS+ it specifies
>> that the syntax is much the same as CASRUL which can be found in the
>> paper JRV00, does anyone know where I could get my hands on this paper
>
> you can find it there:
>
> http://www.loria.fr/equipes/cassis/softwares/casrul/
>
>
>> as I cannot find it anywhere? Also I have been having problems with
>> the goal declaration, I cannot declare anything with secrecy without
>> getting "Syntax error(26) line 26: bad definition of GOAL strategy",
>> and there seems to be nothing in any of the examples I have found?
>
> something that is not mentioned in the CAS_manual and that should be
> (I'll fix that with
> other errors) is that there is a collection of cas specification in
>
> /testsuite/CAS_Protocols
>
> I tried to declare a secrecy and succeeded with the following syntax:
>
> goal
>  LR authenticates LS on LI;
>  LS authenticates LR on PWLR;
>  T authenticates LR on NLR;
>  secrecy_of NLR [LR,T];
>
>
>> Also in the following protocol the 5th and last message does not send
>> in the protocol simulation in SPAN, was thinking this might be to do
>> with not having the correct goal declarations but any idea would be
>> helpful?
>
>        This is due to the fact that your agents use the hash function PR but
> don't know it.
> You have to add it to their knowledge:
>
> knowledge
> LR      : T, LR, LS, KTLR, KLS, KLR, PR;
> T       : T, LS, KTLR, KTLS, LR, PR;
> LS      : LR, LS, KTLS, KLS, T, KLR, PR;
>
>
> I hope this helps,
>
> Best regards,
>
> Thomas
> --
> Thomas Genet
> IFSIC/IRISA
> Campus de Beaulieu, 35042 Rennes cedex, France
> Tél: +33 (0) 2 99 84 73 44
> E-mail: genet at irisa.fr
> http://www.irisa.fr/lande/genet
> _______________________________________________
> Avispa-users mailing list
> Avispa-users at avispa-project.org
> http://mail63.csoft.net/mailman/listinfo/avispa-users
>

From Thomas.Genet at irisa.fr Thu Sep 3 05:32:05 2009
From: Thomas.Genet at irisa.fr (Thomas Genet)
Date: Thu, 03 Sep 2009 11:32:05 +0200
Subject: [Avispa-users] CAS+ Specifications Problems
In-Reply-To:
References:
Message-ID: <4A9F8D15.50800@irisa.fr>

Hi to you all,

I fixed some problems in the CAS+ manual. A new version is available on SPAN's web page.
Distributions should also be updated with the fixed manual.

Thanks again for the comments,

Best regards,

Thomas
--
Thomas Genet
IFSIC/IRISA
Campus de Beaulieu, 35042 Rennes cedex, France
Tél: +33 (0) 2 99 84 73 44    E-mail: genet at irisa.fr
http://www.irisa.fr/lande/genet

From carbone at dist.unige.it Thu Sep 3 06:47:49 2009
From: carbone at dist.unige.it (Roberto Carbone)
Date: Thu, 03 Sep 2009 12:47:49 +0200
Subject: [Avispa-users] user-contributed protocol specification
In-Reply-To: <76280150909020707n61923ec3t8cc75969221d39f@mail.gmail.com>
References: <76280150909020707n61923ec3t8cc75969221d39f@mail.gmail.com>
Message-ID: <4A9F9ED5.4010208@dist.unige.it>

Dear Adam,

do you have doubts about user-contributed protocol specification?
Please, let me know,
Roberto

walid Adam wrote:
>
>
> ------------------------------------------------------------------------
>

From zahisalima at yahoo.fr Thu Sep 3 07:23:18 2009
From: zahisalima at yahoo.fr (Zahi Salima)
Date: Thu, 3 Sep 2009 11:23:18 +0000 (GMT)
Subject: [Avispa-users] authentication with hash function or with nonce
Message-ID: <490507.77812.qm@web24609.mail.ird.yahoo.com>

Dear Friends

The notation of the protocol is :
C --- > S : C.Nc
S --- > C : Ns,H(Nc,K)
C ---> S : H(Ns,K)

Description:
The server verifies the client by performing the same hash function
using its k with the nonce sent to the client. If this value matches
the hashed result sent from the client, the server authenticates the client.

Please, what is the correct specification ?

First proposition :

role client ( C,S: agent,K: symmetric_key, H : hash_func, Snd,Rec: channel(dy))
played_by C
def=
....
transition
 1. State = 0
    .....
 2. State = 1
    /\ Rec(Ns'.H(Nc.K))
    =|>
    State' := 2
    /\ Snd(H(Ns'.K))
    /\ request(C,S,server_client,H(Nc.K))
end role

role server ( S,C: agent, K: symmetric_key,H : hash_func,Snd,Rec: channel(dy))
played_by S
..........
transition
 1. State = 0
    /\ Rec(C.Nc')
    =|>
    State' := 1
    /\ Ns' := new()
    /\ Snd(H(Nc'.K).Ns')
    /\ witness(S,C,server_client, H(Nc'.K))
 1. State = 1
    .....................
end role

Second proposition:

role client ( C,S: agent,K: symmetric_key, H : hash_func, Snd,Rec: channel(dy))
played_by C
def=
....
transition
 1. State = 0
    .....
 2. State = 1
    /\ Rec(Ns'.H(Nc.K))
    =|>
    State' := 2
    /\ Snd(H(Nr'.K))
    /\ request(C,S,server_client,Ns')
end role

role server ( S,C: agent, K: symmetric_key,H : hash_func,Snd,Rec: channel(dy))
played_by S
..........
transition
 1. State = 0
    /\ Rec(C.Nc')
    =|>
    State' := 1
    /\ Ns' := new()
    /\ Snd(H(Nc'.K).Ns')
    /\ witness(S,C,server_client, Ns')
 1.
    State = 1
    .....................
end role

The first proposition no detect attack, but the second proposition detect attack.

I am waiting your answer.

From georgy3k at gmail.com Thu Sep 3 09:39:36 2009
From: georgy3k at gmail.com (George Stewart)
Date: Thu, 3 Sep 2009 14:39:36 +0100
Subject: [Avispa-users] NSPK Protocol Original Version Without Key Server in CAS+
Message-ID:

Hi all,

I've tried to complete the above protocol through CAS+, with the
notation provided on the AVISPA website, there is a documented
Man-in-the-middle attack on this protocol but my CAS+ specification
does not pick it up in SPAN, anybody have any idea where I'm going
wrong?

protocol NSPKProtocolOriginalVersionWithoutKeyServer;
identifiers
A, B   : user;
Na, Nb : number;
Ka, Kb : public_key;

messages
1. A -> B : {Na, A}Kb
2. B -> A : {Na, Nb}Ka
3. A -> B : {Nb}Kb

knowledge
A : A, B, Ka, Kb;
B : A, B, Ka, Kb;

session_instances
[A:alice,B:bob,Ka:ka,Kb:kb];

goal
secrecy_of Na [A,B];
secrecy_of Nb [A,B];
B authenticates A on Nb;
A authenticates B on Na;

Thanks in advance,
George

From SMO at zurich.ibm.com Thu Sep 3 09:50:44 2009
From: SMO at zurich.ibm.com (Sebastian Moedersheim)
Date: Thu, 3 Sep 2009 15:50:44 +0200
Subject: [Avispa-users] NSPK Protocol Original Version Without Key Server in CAS+
In-Reply-To:
References:
Message-ID:

Hi George,

for the famous attack, you need to specify another instantiation. (Alice
talking also to Intruder: [A:alice, B:i ... ])

Actually, as part of the new AVANTSSAR project, a new version of OFMC and
SATMC are available (www.avantssar.eu then "platform") and
OFMC also includes since January an Alice-and-Bob-style notation called AnB.
In AnB you do not have to specify session instances but just
how many sessions you want to check. (We will soon release a version for
unbounded sessions).
Also AnB has a notation for authentic, confidential,
and secure channels as well as support for algebraic properties (currently
exponentiation and xor are included).

The examples for AnB in the new OFMC include NSPK; actually OFMC finds a
simple type-flaw attack first, to get Lowe's attack, you would call it with
the option "-typed".

Cheers,
Sebastian

From: George Stewart
To: avispa-users at avispa-project.org
Date: 09/03/2009 03:40 PM
Subject: [Avispa-users] NSPK Protocol Original Version Without Key Server in CAS+

Hi all,

I've tried to complete the above protocol through CAS+, with the
notation provided on the AVISPA website, there is a documented
Man-in-the-middle attack on this protocol but my CAS+ specification
does not pick it up in SPAN, anybody have any idea where I'm going
wrong?

protocol NSPKProtocolOriginalVersionWithoutKeyServer;
identifiers
A, B   : user;
Na, Nb : number;
Ka, Kb : public_key;

messages
1. A -> B : {Na, A}Kb
2. B -> A : {Na, Nb}Ka
3. A -> B : {Nb}Kb

knowledge
A : A, B, Ka, Kb;
B : A, B, Ka, Kb;

session_instances
[A:alice,B:bob,Ka:ka,Kb:kb];

goal
secrecy_of Na [A,B];
secrecy_of Nb [A,B];
B authenticates A on Nb;
A authenticates B on Na;

Thanks in advance,
George

From SMO at zurich.ibm.com Thu Sep 3 09:50:52 2009
From: SMO at zurich.ibm.com (Sebastian Moedersheim)
Date: Thu, 3 Sep 2009 15:50:52 +0200
Subject: [Avispa-users] guessing attacks
In-Reply-To: <4A9CE719.5070400@googlemail.com>
References: <4A9CE719.5070400@googlemail.com>
Message-ID:

Hi,

the AVISPA tools do not have any support for finding guessing attacks
(though some people have been or are working on this topic).
Probably a future version of the AVANTSSAR tools is going to support it. The attack against EKE (even for good passwords) is a classical reflection attack: an intruder routes every message of A back to A, making A believe to have participated in a session with B while A was actually talking to herself. Cheers, Sebastian >From: SALEH AL-SHADLY To: avispa-users at avispa-project.org Date: 09/01/2009 11:19 AM Subject: [Avispa-users] guessing attacks Dear all, how to check a protocol against guessing attacks using AVISPA? i saw the EKE example in AVISPA lib. but that attack was found is not clear for me. can anyone help me? many regards Saleh _______________________________________________ Avispa-users mailing list Avispa-users at avispa-project.org http://mail63.csoft.net/mailman/listinfo/avispa-users -------------- next part -------------- An HTML attachment was scrubbed... URL: http://mail63.csoft.net/pipermail/avispa-users/attachments/20090903/2c58ee37/attachment.htm From Thomas.Genet at irisa.fr Thu Sep 3 09:51:41 2009 From: Thomas.Genet at irisa.fr (Thomas Genet) Date: Thu, 03 Sep 2009 15:51:41 +0200 Subject: [Avispa-users] NSPK Protocol Original Version Without Key Server in CAS+ In-Reply-To: References: Message-ID: <4A9FC9ED.7030406@irisa.fr> Hi, George Stewart a ?crit : > Hi all, > > I've tried to complete the above protocol through CAS+, with the > notation provided on the AVISPA website, there is a documented > Man-in-the-middle attack on this protocol but my CAS+ specification > does not pick it up in SPAN, anybody have any idea where I'm going > wrong? For this protocol to have an attack you need another session instance [A:alice, B:bob, Ka:ka, Kb:ki] where ki is known to the intruder > > protocol NSPKProtocolOriginalVersionWithoutKeyServer; > identifiers > A, B : user; > Na, Nb : number; > Ka, Kb : public_key; > > messages > 1. A -> B : {Na, A}Kb > 2. B -> A : {Na, Nb}Ka > 3. 
A -> B : {Nb}Kb
>
> knowledge
> A : A, B, Ka, Kb;
> B : A, B, Ka, Kb;
>
> session_instances
> [A:alice,B:bob,Ka:ka,Kb:kb];
>
> goal
> secrecy_of Na [A,B];
> secrecy_of Nb [A,B];
> B authenticates A on Nb;
> A authenticates B on Na;
>
> Thanks in advance,
> George

--
Thomas Genet
IFSIC/IRISA
Campus de Beaulieu, 35042 Rennes cedex, France
Tel: +33 (0) 2 99 84 73 44
E-mail: genet at irisa.fr
http://www.irisa.fr/lande/genet

From georgy3k at gmail.com Thu Sep 3 10:44:59 2009
From: georgy3k at gmail.com (George Stewart)
Date: Thu, 3 Sep 2009 15:44:59 +0100
Subject: [Avispa-users] NSPK Protocol Original Version Without Key Server in CAS+
In-Reply-To:
References:
Message-ID:

I'm still not sure on how to do this, I've tried including Ki into the
session instance, however it still isn't documenting the man in the
middle attack. I know it's something small I am missing! I have looked
at the generated HLPSL code of the previous code and with the modified
version including the Ki in the session instance and noticed the
following:

role environment()
def=
  const
    hash_0:function,ka:public_key,alice:agent,bob:agent,kb:public_key,sec_1:protocol_id,sec_2:protocol_id,auth_3:protocol_id,auth_4:protocol_id
  intruder_knowledge = {}
  composition
    session1(alice,bob,ka,kb)
end role

I see the intruder knowledge does not include any of the session
instances, am I doing something wrong here?

2009/9/3 Sebastian Moedersheim :
>
> Hi George,
>
> for the famous attack, you need to specify another instantiation. (Alice
> talking also to Intruder: [A:alice, B:i ... ])
>
> Actually, as part of the new AVANTSSAR project, a new version of OFMC and
> SATMC are available (www.avantssar.eu then "platform") and
> OFMC also includes since January an Alice-and-Bob-style notation called AnB.
> In AnB you do not have to specify session instances but just
> how many sessions you want to check. (We will soon release a version for
> unbounded sessions). Also AnB has a notation for authentic, confidential,
> and secure channels as well as support for algebraic properties (currently
> exponentiation and xor are included).
>
> The examples for AnB in the new OFMC include NSPK; actually OFMC finds a
> simple type-flaw attack first, to get Lowe's attack, you would call it with
> the option "-typed".
>
> Cheers,
> Sebastian
>
> From: George Stewart
> To: avispa-users at avispa-project.org
> Date: 09/03/2009 03:40 PM
> Subject: [Avispa-users] NSPK Protocol Original Version Without Key Server in CAS+
> ________________________________
>
> Hi all,
>
> I've tried to complete the above protocol through CAS+, with the
> notation provided on the AVISPA website, there is a documented
> Man-in-the-middle attack on this protocol but my CAS+ specification
> does not pick it up in SPAN, anybody have any idea where I'm going
> wrong?
>
> protocol NSPKProtocolOriginalVersionWithoutKeyServer;
> identifiers
> A, B : user;
> Na, Nb : number;
> Ka, Kb : public_key;
>
> messages
> 1. A -> B : {Na, A}Kb
> 2. B -> A : {Na, Nb}Ka
> 3. A -> B : {Nb}Kb
>
> knowledge
> A : A, B, Ka, Kb;
> B
: A, B, Ka, Kb;
>
> session_instances
> [A:alice,B:bob,Ka:ka,Kb:kb];
>
> goal
> secrecy_of Na [A,B];
> secrecy_of Nb [A,B];
> B authenticates A on Nb;
> A authenticates B on Na;
>
> Thanks in advance,
> George

From chiknour28 at yahoo.fr Fri Sep 4 10:46:50 2009
From: chiknour28 at yahoo.fr (CHIKOUCHE Noureddine)
Date: Fri, 4 Sep 2009 07:46:50 -0700 (PDT)
Subject: [Avispa-users] Re : authentication with hash function or with nonce
In-Reply-To: <490507.77812.qm@web24609.mail.ird.yahoo.com>
Message-ID: <116509.41993.qm@web27206.mail.ukl.yahoo.com>

Dear Zahi

my proposition for authentication your client in this protocol is First
proposition with changes:

role client ( C,S: agent,K: symmetric_key, H : hash_func, Snd,Rec: channel(dy))
    played_by C
    def= ....
    transition
        1. State = 0
           .....
        2. State = 1
           /\ Rec(Ns'.H(Nc.K))
           =|>
           State' := 2 /\ Snd(H(Ns'.K))
           /\ request(C,S,server_client,Ns'.H(Nc.K))
    end role

Dear Friends

The notation of the protocol is :
C --- > S : C.Nc
S --- > C : Ns,H(Nc,K)
C ---> S : H(Ns,K)
Description:
The server verifies the client by performing the same hash function
using its k with the nonce sent to the client. If this value matches
the hashed result sent from the client, the server authenticates the
client.

Please, what is the correct specification ?

First proposition :

role client ( C,S: agent,K: symmetric_key, H : hash_func, Snd,Rec: channel(dy))
    played_by C
    def= ....
    transition
        1. State = 0
           .....
        2. State = 1
           /\ Rec(Ns'.H(Nc.K))
           =|>
           State' := 2 /\ Snd(H(Ns'.K))
           /\ request(C,S,server_client,H(Nc.K))
    end role

    role server ( S,C: agent, K: symmetric_key,H : hash_func,Snd,Rec: channel(dy))
    played_by S
    ..........
    transition
        1. State = 0
           /\ Rec(C.Nc')
           =|>
           State' := 1
           /\ Ns' := new()
           /\ Snd(H(Nc'.K).Ns')
           /\ witness(S,C,server_client, H(Nc'.K))
        1. State = 1
           ....................
    end role

Second proposition:

role client ( C,S: agent,K: symmetric_key, H : hash_func, Snd,Rec: channel(dy))
    played_by C
    def= ....
    transition
        1. State = 0
           .....
        2.. State = 1
           /\ Rec(Ns'.H(Nc.K))
           =|>
           State' := 2 /\ Snd(H(Nr'.K))
           /\ request(C,S,server_client,Ns')
    end role

    role server ( S,C: agent, K: symmetric_key,H : hash_func,Snd,Rec: channel(dy))
    played_by S
    ...........
    transition
        1. State = 0
           /\ Rec(C.Nc')
           =|>
           State' := 1
           /\ Ns' := new()
           /\ Snd(H(Nc'.K).Ns')
           /\ witness(S,C,server_client, Ns')
        1. State = 1
           ....................
    end role

The first proposition detects no attack, but the second proposition
detects an attack.

I am waiting for your answer.
From David.von.Oheimb at siemens.com Fri Sep 4 11:22:20 2009
From: David.von.Oheimb at siemens.com (David von Oheimb)
Date: Fri, 04 Sep 2009 17:22:20 +0200
Subject: [Avispa-users] Re : authentication with hash function or with nonce
In-Reply-To: <116509.41993.qm@web27206.mail.ukl.yahoo.com>
References: <116509.41993.qm@web27206.mail.ukl.yahoo.com>
Message-ID: <4AA130AC.3020901@siemens.com>

Hi folks,

first of all, neither of the specifications is correct, because
Snd(H(Nc'.K).Ns') of the server cannot match with
Rec(Ns'.H(Nc.K)) of the client - the terms are twisted!

Further, the description talks about the server authenticating the client,
but the specification does the opposite direction.
I suppose that *mutual* authentication is intended, such that each of the
sender and receiver should have both a witness and request.

For the check that the client authenticates the server (which is the
direction already specified), the fourth argument of the event pair can be
any value that uniquely identifies the session between the client and the
server and that is known to both parties when the event is fired.
So any of "Ns", "Nc", "H(Nc.K)" or "Ns.H(Nc.K)" (with primed names where
needed) should work equally. The ideal one here is "Nc" because this is
the value intended to identify the first authentication, while "Ns" is
intended to identify the authentication of the client by the server.

Best,
David

CHIKOUCHE Noureddine wrote:
> Dear Zahi
>
> my proposition for authentication your client in this protocol is First
> proposition with changes:
>
> role client ( C,S: agent,K: symmetric_key, H : hash_func, Snd,Rec:
> channel(dy))
>     played_by C
>     def= ......
>     transition
>         1. State = 0
>            .....
>         2.
State = 1
>            /\ Rec(Ns'.H(Nc.K))
>            =|>
>            State' := 2 /\ Snd(H(Ns'.K))
>            /\ request(C,S,server_client,Ns'.H(Nc.K))
>     end role
>
> Dear Friends
>
> The notation of the protocol is :
> C --- > S : C.Nc
> S --- > C : Ns,H(Nc,K)
> C ---> S : H(Ns,K)
> Description:
> The server verifies the client by performing the same hash function
> using its k with the nonce sent to the client. If this value matches
> the hashed result sent from the client, the server authenticates the
> client.
>
> Please, what is the correct specification ?
>
> First proposition :
>
> role client ( C,S: agent,K: symmetric_key, H : hash_func, Snd,Rec:
> channel(dy))
>     played_by C
>     def= ....
>     transition
>         1. State = 0
>            .....
>         2. State = 1
>            /\ Rec(Ns'...H(Nc.K))
>            =|>
>            State' := 2 /\ Snd(H(Ns'.K))
>            /\ request(C,S,server_client,H(Nc.K))
>     end role
>
>     role server ( S,C: agent, K: symmetric_key,H :
> hash_func,Snd,Rec: channel(dy))
>     played_by S
>     ..........
>     transition
>         1. State = 0
>            /\ Rec(C.Nc')
>            =|>
>            State' := 1
>            /\ Ns' := new()
>            /\ Snd(H(Nc'.K).Ns')
>            /\ witness(S,C,server_client, H(Nc'.K))
>         1. State = 1
>            ....................
>
>     end role
> Second proposition:
>
> role client ( C,S: agent,K: symmetric_key, H : hash_func, Snd,Rec:
> channel(dy))
>     played_by C
>     def= ....
>     transition
>         1. State = 0
>            .....
>         2.. State = 1
>            /\ Rec(Ns'.H(Nc.K))
>            =|>
>            State' := 2 /\ Snd(H(Nr'.K))
>            /\ request(C,S,server_client,Ns')
>     end role
>
>     role server ( S,C: agent, K: symmetric_key,H :
> hash_func,Snd,Rec: channel(dy))
>     played_by S
>     ...........
>     transition
>         1. State = 0
>            /\ Rec(C.Nc')
>            =|>
>            State' := 1
>            /\ Ns' := new()
>            /\ Snd(H(Nc'.K).Ns')
>            /\ witness(S,C,server_client, Ns')
>         1. State = 1
>            ......................
>     end role
>
> The first proposition detects no attack, but the second proposition
> detects an attack.
>
> I am waiting for your answer.
From carbone at dist.unige.it Fri Sep 4 12:08:25 2009
From: carbone at dist.unige.it (Roberto Carbone)
Date: Fri, 04 Sep 2009 18:08:25 +0200
Subject: [Avispa-users] NSPK Protocol Original Version Without Key Server in CAS+
In-Reply-To:
References:
Message-ID: <4AA13B79.2010906@dist.unige.it>

Dear George,

the knowledge of the intruder is missing in the specification,
you have to include the intruder_knowledge field in it, containing
the private key of the intruder inv(ki) as well.

Regards,
Roberto

George Stewart wrote:
> I'm still not sure on how to do this, I've tried including Ki into the
> session instance, however it still isn't documenting the man in the
> middle attack. I know it's something small I am missing! I have looked
> at the generated HLPSL code of the previous code and with the modified
> version including the Ki in the session instance and noticed the
> following:
>
> role environment()
> def=
>   const
>     hash_0:function,ka:public_key,alice:agent,bob:agent,kb:public_key,sec_1:protocol_id,sec_2:protocol_id,auth_3:protocol_id,auth_4:protocol_id
>   intruder_knowledge = {}
>   composition
>     session1(alice,bob,ka,kb)
> end role
>
> I see the intruder knowledge does not include any of the session
> instances, am I doing something wrong here?
>
> 2009/9/3 Sebastian Moedersheim :
>> Hi George,
>>
>> for the famous attack, you need to specify another instantiation. (Alice
>> talking also to Intruder: [A:alice, B:i ... ])
>>
>> Actually, as part of the new AVANTSSAR project, a new version of OFMC and
>> SATMC are available (www.avantssar.eu then "platform") and
>> OFMC also includes since January an Alice-and-Bob-style notation called AnB.
>> In AnB you do not have to specify session instances but just
>> how many sessions you want to check. (We will soon release a version for
>> unbounded sessions). Also AnB has a notation for authentic, confidential,
>> and secure channels as well as support for algebraic properties (currently
>> exponentiation and xor are included).
>>
>> The examples for AnB in the new OFMC include NSPK; actually OFMC finds a
>> simple type-flaw attack first, to get Lowe's attack, you would call it with
>> the option "-typed".
>>
>> Cheers,
>> Sebastian
>>
>> From: George Stewart
>> To: avispa-users at avispa-project.org
>> Date: 09/03/2009 03:40 PM
>> Subject: [Avispa-users] NSPK Protocol Original Version Without Key Server in CAS+
>> ________________________________
>>
>> Hi all,
>>
>> I've tried to complete the above protocol through CAS+, with the
>> notation provided on the AVISPA website, there is a documented
>> Man-in-the-middle attack on this protocol but my CAS+ specification
>> does not pick it up in SPAN, anybody have any idea where I'm going
>> wrong?
>>
>> protocol NSPKProtocolOriginalVersionWithoutKeyServer;
>> identifiers
>> A, B : user;
>> Na, Nb : number;
>> Ka, Kb : public_key;
>>
>> messages
>> 1. A -> B : {Na, A}Kb
>> 2. B -> A : {Na, Nb}Ka
>> 3.
A -> B : {Nb}Kb
>>
>> knowledge
>> A : A, B, Ka, Kb;
>> B : A, B, Ka, Kb;
>>
>> session_instances
>> [A:alice,B:bob,Ka:ka,Kb:kb];
>>
>> goal
>> secrecy_of Na [A,B];
>> secrecy_of Nb [A,B];
>> B authenticates A on Nb;
>> A authenticates B on Na;
>>
>> Thanks in advance,
>> George

From chiknour28 at yahoo.fr Mon Sep 7 07:38:47 2009
From: chiknour28 at yahoo.fr (CHIKOUCHE Noureddine)
Date: Mon, 7 Sep 2009 04:38:47 -0700 (PDT)
Subject: [Avispa-users] Description of attack trace
Message-ID: <725623.24861.qm@web27203.mail.ukl.yahoo.com>

Dear friends,

Here is a protocol as follows,
1. A --- > B : na
2. B --- > A : H(xor(K,Na))
3. A ----> B : H (xor(K,K1)

K is shared key between A and B (A is server and B is client) , K1 is nonce
goals : client authenticates server

After verification the trace attack is :

SUMMARY
  UNSAFE

DETAILS
  ATTACK_FOUND
  TYPED_MODEL

PROTOCOL
  /home/avispa/web-interface-computation/./tempdir/workfileeJNBcB.if

GOAL
  Authentication attack on (b,a,aut_server,Na(1))

BACKEND
  CL-AtSe

STATISTICS
  Analysed   : 3 states
  Reachable  : 2 states
  Translation: 0.00 seconds
  Computation: 0.00 seconds

ATTACK TRACE
 i -> (b,3):  Na(1)
 (b,3) -> i:  {xor(Na(1),k)}_h
 i -> (b,3):  xor()
 (b,3) -> i:  ()
              & Request(b,a,aut_server,Na(1));

How to explain the attack trace? And the parentheses are empty?

I am waiting for your answer.
My best regards
From zahisalima at yahoo.fr Tue Sep 8 09:05:59 2009
From: zahisalima at yahoo.fr (Zahi Salima)
Date: Tue, 8 Sep 2009 13:05:59 +0000 (GMT)
Subject: [Avispa-users] simulate in HLPSL
Message-ID: <988368.44587.qm@web24610.mail.ird.yahoo.com>

Dear Friends

Is it possible to simulate in HLPSL the operators and functions :
1- Addition : Na + Nb mod 2
   My proposition: simulate with hash function G(Na.Nb), is it correct?
2- Function Shift, right or left.
3- Rotate

I am waiting for your answer.

From jjnalli at gmail.com Tue Sep 8 13:25:00 2009
From: jjnalli at gmail.com (JISS J NALLIKUZHY)
Date: Tue, 8 Sep 2009 22:55:00 +0530
Subject: [Avispa-users] analysis of long term evolution in avispa
Message-ID:

I'm currently working on a thesis project--"analysis of long term evolution
protocols". I have modelled the protocol in hlpsl, but I'm having different
results when executed in avispa (ie safe and unsafe) when declaring a key
in message type and symmetric key type. What is the difference between the
two? I'll be glad if anybody could help.

thank you

--
JISS J NALLIKUZHY
M-Tech, Signal Processing
College of Engineering, Trivandrum
Kerala, India
jjnalli at gmail.com
From chiknour28 at yahoo.fr Thu Sep 10 06:00:07 2009
From: chiknour28 at yahoo.fr (CHIKOUCHE Noureddine)
Date: Thu, 10 Sep 2009 03:00:07 -0700 (PDT)
Subject: [Avispa-users] Re : simulate in HLPSL
In-Reply-To: <988368.44587.qm@web24610.mail.ird.yahoo.com>
Message-ID: <136735.16319.qm@web27206.mail.ukl.yahoo.com>

Dear Friends

My proposition is to simulate the function Shift(right, left) in HLPSL by the
protocol. For example:

A ---> B : Na
B ---> A : Right(K,Na), Nb
A ---> B: Left(K,Na)

HLPSL does not support the Shift functions because they are not
cryptographic primitives.
My proposition is to consider the functions Right and Left as hash
functions, so two hash functions Right and Left. See the RPC Protocol in
the HLPSL Tutorial.

I am waiting for your remarks.
Best regards

--- On Tue 8.9.09, Zahi Salima wrote:

From: Zahi Salima
Subject: [Avispa-users] simulate in HLPSL
To: avispa-users at avispa-project.org
Date: Tuesday 8 September 2009, 15:05

Dear Friends

Is it possible to simulate in HLPSL the operators and functions :
1- Addition : Na + Nb mod 2
   My proposition: simulate with hash function G(Na.Nb), is it correct?
2- Function Shift, right or left.
3- Rotate

I am waiting for your answer.
From georgy3k at gmail.com Tue Sep 15 09:17:40 2009
From: georgy3k at gmail.com (George Stewart)
Date: Tue, 15 Sep 2009 14:17:40 +0100
Subject: [Avispa-users] H530 protocol in CAS+
Message-ID:

Hi all,

I'm having problems specifying the H530 protocol in CAS+ as specified
in the collection of security protocols on the AVISPA website, I'm
receiving a syntax error so I know it's something small but can't figure
what the problem is? Also it involves using exp and xor functions
which I haven't specified in previous protocols so I was wondering
whether you could tell me if I have specified these correctly and
whether I will be able to find the documented weakness using the
following code?

protocol H530;
identifiers
MT, VGK, AuF : user;
NIL, G, X, Y, CH1, CH2, CH3, CH4 : number;
ZZ, ZZVA : symmetric_key;
F : function;

messages
1. MT -> VGK : MT, VGK, NIL, CH1, G ^ X, F(ZZ, MT, VGK, NIL, CH1, G ^ X);
2. VGK -> AuF : MT,VGK,NIL,CH1,G^X,F(ZZ,MT,VGK,NIL,CH1,G^X),VGK,G^X # G^Y,F(ZZVA,MT,VGK,NIL,CH1,G^X,F(ZZ,MT,VGK,NIL,CH1,G^X),VGK,G^X # G^Y);
3. AuF -> VGK : VGK,MT,F(ZZ,VGK),F(ZZ,G^X # G^Y),F(ZZVA,VGK,MT,F(ZZ,VGK),F(ZZ,G^X # G^Y));
4. VGK -> MT: VGK,MT,CH1,CH2,G^Y,F(ZZ,G^X # G^Y),F(ZZ,VGK),F((G^X)^Y),VGK,MT,CH1,CH2,G^Y,F(ZZ,G^X # G^Y),F(ZZ,VGK));
5. MT -> VGK: MT,VGK,CH2,CH3,F(((G^X)^Y),MT,VGK,CH2,CH3);
6.
VGK -> MT: VGK,MT,CH3,CH4,F((G^X)^Y),VGK,MT,CH3,CH4);

knowledge
MT : MT, VGK, AuF, F, ZZ, NIL, G, X, CH1, CH3, CH2, CH4;
VGK : MT, VGK, AuF, F, ZZVA, NIL, G, Y, CH2, CH4, CH1, CH3;
AUF : MT, VGK, AuF, F, ZZ, ZZVA, NIL, G, CH1;

session_instances
[MT:mobileTerminal,VGK:visitedGateKeeper,AuF:authenticationFacility,F:f,ZZ:zz,ZZVA:zzva];

goal
MT authenticates VGK on G;
secrecy_of ZZ [MT,VGK,AuF];
secrecy_of ZZVA [MT,VGK,AuF];

Thanks in advance,
George

From SMO at zurich.ibm.com Tue Sep 15 10:40:09 2009
From: SMO at zurich.ibm.com (Sebastian Moedersheim)
Date: Tue, 15 Sep 2009 16:40:09 +0200
Subject: [Avispa-users] Alice and Bob
Message-ID:

Hi,

AVANTSSAR is a successor project of AVISPA, and the AVANTSSAR website
distributes the latest version of OFMC and SATMC:

www.avantssar.eu -> platform

The latest version of OFMC supports Alice and Bob notation and ships with
several examples like H.530. I guess this could be of interest to all
those AVISPA users who try to formulate the classical protocols in Alice
and Bob notation and I include the spec of h530 and nspk as those were
explicitly discussed here...

Cheers,
Sebastian
-------------- next part --------------
A non-text attachment was scrubbed...
Name: h530.AnB
Type: application/octet-stream
Size: 918 bytes
Desc: not available
Url : http://mail63.csoft.net/pipermail/avispa-users/attachments/20090915/38554e8d/attachment.obj
-------------- next part --------------
A non-text attachment was scrubbed...
Name: nspk.AnB
Type: application/octet-stream
Size: 234 bytes
Desc: not available
Url : http://mail63.csoft.net/pipermail/avispa-users/attachments/20090915/38554e8d/attachment-0001.obj

From georgy3k at gmail.com Wed Sep 16 08:17:17 2009
From: georgy3k at gmail.com (George Stewart)
Date: Wed, 16 Sep 2009 13:17:17 +0100
Subject: [Avispa-users] Geopriv with two self signatures
Message-ID:

Hi All,

I'm trying to specify the Geopriv with two self signatures in CAS+ as
documented on the AVISPA website but seem to be having problems
finding the documented error, the weakness is said to be a useless
attack, so this is why I'm thinking that SPAN might not be able to
pick this up? I have however also tested the HLPSL code also in SPAN
and have been getting an error saying "ofmc.exe: Parse error at end of
file", however when the same code is tested with the AVISPA web tool
no such error occurs? The web tool also does not document any weakness
with the HLPSL! Code follows:

CAS+

protocol GeoprivWithTwoSelfSignatures;
identifiers
T, LR, LS : user;
PT, KLS, PLR, KT, KLR : public_key;
N1, N2, LI, TS : number;
H, GR : function;

messages
1. LR -> T: {LR}KT,{{T,N1}KT,H(PLR)}KLR'
2. T -> LR: {{N1}KLR,H(PT)}KT'
3. T -> LS: {GR,H(PLR),H(PT)}PT',PT
4. T -> LS: {TS,{LI,H(PT)}KLS}PT',PT
5. LR -> LS: {H(PLR),H(PT),N2}PLR',PLR
6. LS -> LR: {{GR(LI)}PLR,N2}KLS'

knowledge
LR : T, LR, LS, KT, KLS, KLR, PLR, H;
T : T, LS, LR, KT, KLS, KLR, PT, H, GR;
LS : LR, LS, KLS, T, PT, PLR, H, GR;

session_instances
[LR:locationRecipient, T:target, LS:locationServer, PT:pt, KLS:kls, PLR:plr, KT:kt, KLR:klr];

goal
T authenticates LR on N1;

HLPSL:

role target(
    T, LS, LR : agent,
    K_T, K_LS, K_LR : public_key,
    H : hash_func,
    Snd_LR, Snd_LS, Rcv: channel(dy))
played_by T
def=

  local
    State : nat,
    N1 : text,
    P_T : public_key,
    Psi_LR : hash(public_key),
    LI, TS : text,
    GR : hash_func

  init State := 1

  transition

  1.
State = 1 /\ Rcv({LR}_K_T.{{T.N1'}_K_T.Psi_LR'}_inv(K_LR)) =|>
     State':= 3 /\ P_T' := new()
                /\ Snd_LR({{N1'}_K_LR.H(P_T')}_inv(K_T))
                /\ witness (T, LR, lr_T_N1, N1')
                /\ wrequest(T, LR, t_LR_Psi_LR, Psi_LR')
     % could be new transition here, but not done for efficiency
                /\ GR' := new() % chooses some granularity (accuracy)
                /\ Snd_LS({GR'.Psi_LR'.H(P_T')}_inv(P_T').P_T')
                /\ witness(T, LS, ls_T_GR, GR')
     % could be new transition here, but not done for efficiency
                /\ LI' := new()
                /\ secret(LI', li, {T, LS, LR})
                /\ secret((GR'(LI')), filtered_LI, {T, LS, LR})
                /\ TS' := new()
                /\ Snd_LS({TS'.{LI'.H(P_T')}_K_LS}_inv(P_T').P_T')
                /\ witness (T, LR, lr_T_filtered_LI, (GR'(LI')))
                /\ witness(LS, LR, ls_LR_P_LR, LS)

end role

role locationServer(
    T, LS, LR: agent, % but LS does not actually use identity of T and LR
    Psi_Table: (hash(public_key).hash(public_key).hash_func) set,
    K_LS : public_key,
    H : hash_func,
    Snd, Rcv : channel(dy))
played_by LS
def=

  local
    State : nat,
    P_T,P_LR : public_key,
    N2 : text,
    Psi_LR : hash(public_key),
    LI, TS : text,
    GR : hash_func

  init State := 5

  transition

  5. State = 5 /\ Rcv({GR'.Psi_LR'.H(P_T')}_inv(P_T').P_T') =|>
     State':= 7 /\ Psi_Table':= cons(Psi_LR'.H(P_T').GR', Psi_Table)

  7. State = 7 /\ Rcv({TS'.{LI'.H(P_T)}_K_LS}_inv(P_T).P_T) =|>
     State':= 9

  9. State = 9 /\ Rcv({H(P_LR').H(P_T).N2'}_inv(P_LR').P_LR')
               /\ in(H(P_LR').H(P_T).GR', Psi_Table)
     % uses Psi_LR and Psi_T to look up GR in the table
     =|>
     State':=11 /\ Snd({{(GR'(LI))}_P_LR'.N2'}_inv(K_LS))
                /\ wrequest(LS, T , ls_T_GR, GR') % delayed
                /\ wrequest(LS, LR, ls_LR_P_LR, P_LR')
                /\ witness (LS, LS, lr_LS_N2, N2') % to any LR!

end role

role locationRecipient(
    T, LS, LR : agent,
    K_T, K_LS, K_LR : public_key,
    H : hash_func,
    Snd, Rcv : channel(dy))
played_by LR
def=

  local
    State : nat,
    N1, N2 : text,
    Psi_T : hash(public_key),
    P_LR : public_key,
    Filtered_LI : hash(text)

  init State := 0

  transition

  0.
State = 0 /\ Rcv(start) =|>
     State':= 2 /\ N1' := new()
                /\ P_LR' := new()
                /\ Snd({LR}_K_T.{{T.N1'}_K_T.H(P_LR')}_inv(K_LR))
                /\ witness(LR, T, t_LR_Psi_LR, H(P_LR'))

  2. State = 2 /\ Rcv({{N1}_K_LR.Psi_T'}_inv(K_T)) =|>
     State':= 8 /\ N2' := new()
                /\ Snd({H(P_LR).Psi_T'.N2'}_inv(P_LR).P_LR)
                /\ witness(LR, LS, ls_LR_P_LR, P_LR)
                /\ request(LR, T , lr_T_N1, N1)
                /\ witness(LS, T , ls_T_GR, LS)

  8. State = 8 /\ Rcv({{Filtered_LI'}_P_LR.N2}_inv(K_LS)) =|>
     State':= 10/\ request(LR, T, lr_T_filtered_LI, Filtered_LI')
                /\ request(LS, LS, lr_LS_N2, N2)

end role

role session(T, LS, LR : agent,
             K_T, K_LS, K_LR : public_key,
             H : hash_func,
             Psi_Table : (hash(public_key).hash(public_key).hash_func) set)
def=

  local STLR, STLS, RT, SLR, RLR, SLS, RLS: channel(dy)

  composition

       target (T, LS, LR, K_T, K_LS, K_LR, H, STLR, STLS, RT)
    /\ locationServer (T, LS, LR, Psi_Table, K_LS, H, SLS, RLS)
    /\ locationRecipient(T, LS, LR, K_T, K_LS, K_LR, H, SLR, RLR)

end role

role environment()
def=

  local Psi_Table: (hash(public_key).hash(public_key).hash_func) set
  % shared between all instances of LS

  const li, filtered_LI, ls_T_GR, lr_T_N1, t_LR_Psi_LR,
        ls_LR_P_LR, lr_LS_N2, lr_T_filtered_LI : protocol_id,
        t, ls, lr : agent,
        k_T, k_LS, k_LR, k_i : public_key,
        h : hash_func

  init Psi_Table := {}

  intruder_knowledge = {t, ls, lr, k_T, k_LS, k_LR, k_i, inv(k_i), h}

  composition

       session(t, ls, lr, k_T, k_LS, k_LR, h, Psi_Table)
  % /\ session(t, ls, lr, k_T, k_LS, k_LR, h, Psi_Table) % repeat session to check for replay attacks
    /\ session(i, ls, lr, k_i, k_LS, k_LR, h, Psi_Table)
  % It does not make much sense to let the intruder play the role of T
  % since then the intruder knows its location information anyway.
    /\ session(t, ls, i , k_T, k_LS, k_i , h, Psi_Table)
  % It does not make much sense to let the intruder play the role of LR
  % since then the intruder is allowed to know the (secret) location of T.
end role

goal

  secrecy_of li, filtered_LI % addresses G12

  % strong authentication and integrity of the Location Information,
  % (including replay protection):
  authentication_on lr_T_filtered_LI % addresses G2 and G3

  % the Location Recipient Location authenticates the Location Server:
  authentication_on lr_LS_N2 % addresses G2 and G3

  % the Location Server (weakly) authenticates the Location Recipient:
  weak_authentication_on ls_LR_P_LR % addresses G2

  % weak authentication and integrity of Granularity
  weak_authentication_on ls_T_GR % addresses G1

  % additional authentication goals, not in RFC3693:
  authentication_on lr_T_N1 % addresses G1 and G3
  weak_authentication_on t_LR_Psi_LR % addresses G1
  % and G20: T authorizes LR to receive the location via LS

end goal

environment()

Thanks in advance,
George

From chiknour28 at yahoo.fr Tue Sep 22 10:47:39 2009
From: chiknour28 at yahoo.fr (CHIKOUCHE Noureddine)
Date: Tue, 22 Sep 2009 07:47:39 -0700 (PDT)
Subject: [Avispa-users] Re : Simulate in HLPSL - Note
Message-ID: <773119.98647.qm@web27202.mail.ukl.yahoo.com>

Dear Friends

My proposition is to simulate the function Shift(right, left) in HLPSL by the
protocol. For example:

A ---> B : Na
B ---> A : Right(K,Na), Nb
A ---> B: Left(K,Na)

Note:
Right (x): Right half of input message x
Left(x) : Left half of input message x

HLPSL does not support the Shift functions because they are not
cryptographic primitives.
My proposition is to consider the functions Right and Left as hash
functions, so two hash functions Right and Left. See the RPC Protocol in
the HLPSL Tutorial.

I am waiting for your remarks.
Best regards
From rlupu at elcom.pub.ro Wed Sep 30 03:54:14 2009
From: rlupu at elcom.pub.ro (Radu Lupu)
Date: Wed, 30 Sep 2009 10:54:14 +0300
Subject: [Avispa-users] conjunction over elements in a set
Message-ID: <4AC30EA6.7060101@elcom.pub.ro>

Hi all,

Is the /\_ operator functional within a transition step ?
I need to encrypt a list of nonces stored in a set.
Currently, I am using the web version of the AVISPA tool.
Best regards,
Radu

--
Radu LUPU, assistant, member of CCSRST Research Centre
Telecommunication Department, University Politehnica of Bucharest
1-3, Ave. Iuliu Maniu, Bucharest, Sector 6
Phone: +40 21 4024893
Email: rlupu at elcom.pub.ro; GnuPG key on http://pgpkeys.mit.edu:11371
Web: www.elcom.pub.ro/~rlupu

From laurent.vigneron at loria.fr Wed Sep 30 07:50:06 2009
From: laurent.vigneron at loria.fr (Laurent Vigneron)
Date: Wed, 30 Sep 2009 13:50:06 +0200
Subject: [Avispa-users] conjunction over elements in a set
In-Reply-To: <4AC30EA6.7060101@elcom.pub.ro>
References: <4AC30EA6.7060101@elcom.pub.ro>
Message-ID: <4AC345EE.9070209@loria.fr>

Dear Radu,

Operations over sets are restricted in AVISPA:
- creation: Set':={ a, b } or Set':={}
- tests: in(Element,Set) or not(in(Element,Set))
- addition: Set':=cons(Element,Set)
- deletion: Set':=delete(Element,Set)

You cannot do the union of sets, for example.

The /\_ operator can only be used in composition roles, so not in
transition steps of agents roles.

Encrypting all the elements of a set is not trivial: you would need to
loop on a transition that chooses an element of the set (not yet
encrypted), that encrypts it and puts it either in a new set, or in the
old set (after removing the initial element).

As you see, the HLPSL is not a complete programming language.

Good luck if you try anyway! ;)

Laurent.

Radu Lupu wrote:
> Hi all,
>
> Is the /\_ operator functional within a transition step ?
> I need to encrypt a list of nonces stored in a set.
> Currently, I am using the web version of the AVISPA tool.
> Best regards,
> Radu
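
The NSPK replies earlier in this archive say that the documented attack only shows up once a session instance lets alice talk to the intruder and the intruder knowledge contains inv(ki). The bounded symbolic search below reproduces that effect for the secrecy of Nb; it is an added Python example, not AVISPA, SPAN or any list member's code, and the key names (k_alice, k_bob, k_i), nonce names and function names are assumptions.

```python
from itertools import product

AGENTS = ("alice", "bob", "i")  # "i" is the intruder's identity, as in HLPSL

def pk(agent):
    """Name of an agent's public key (constructed naming scheme)."""
    return "k_" + agent

def enc(key, *body):
    """Symbolic public-key encryption {body}_key; no real cryptography."""
    return ("enc", key, body)

def analyze(terms):
    """Close intruder knowledge under decryption with private keys he holds."""
    known = set(terms)
    while True:
        opened = {atom for t in known if isinstance(t, tuple)
                  and "inv(%s)" % t[1] in known for atom in t[2]}
        if opened <= known:
            return frozenset(known)
        known |= opened

def offers(known, key, arity):
    """Messages {x1..xn}_key the intruder can deliver: ciphertexts seen on the
    wire, plus any he can build himself when he knows the encryption key."""
    seen = {t for t in known
            if isinstance(t, tuple) and t[1] == key and len(t[2]) == arity}
    atoms = [t for t in known if isinstance(t, str)]
    built = ({enc(key, *xs) for xs in product(atoms, repeat=arity)}
             if key in known else set())
    return seen | built

def successors(state):
    """Every single protocol step possible when the intruder is the network."""
    known, inits, resps = state
    for n, (a, b, step) in enumerate(inits):
        na = "na%d" % n
        if step == 0:      # 1. A -> B : {Na, A}Kb
            out = [(enc(pk(b), na, a),
                    "%s -> %s: {%s,%s}_%s" % (a, b, na, a, pk(b)))]
        elif step == 1:    # 3. A -> B : {Nb}Kb, after receiving {Na, Nb}Ka
            out = [(enc(pk(b), m[2][1]),
                    "%s -> %s: {%s}_%s" % (a, b, m[2][1], pk(b)))
                   for m in offers(known, pk(a), 2) if m[2][0] == na]
        else:
            out = []
        for msg, label in out:
            nxt = inits[:n] + ((a, b, step + 1),) + inits[n + 1:]
            yield (analyze(known | {msg}), nxt, resps), label
    for j, (b, step, _) in enumerate(resps):
        if step == 0:      # 2. B -> A : {Na, Nb}Ka, after receiving {Na, A}Kb
            for m in offers(known, pk(b), 2):
                x, claimed = m[2]
                if claimed in AGENTS:
                    msg = enc(pk(claimed), x, "nb%d" % j)
                    nxt = resps[:j] + ((b, 1, claimed),) + resps[j + 1:]
                    yield ((analyze(known | {msg}), inits, nxt),
                           "%s -> %s: {%s,nb%d}_%s" % (b, claimed, x, j, pk(claimed)))

def find_secrecy_attack(init_sessions, resp_sessions, intruder_knowledge):
    """Explore every interleaving. Return the trace after which the intruder
    knows a nonce Nb that a responder created for an honest peer, else None."""
    start = (analyze(intruder_knowledge),
             tuple((a, b, 0) for a, b in init_sessions),
             tuple((b, 0, None) for b in resp_sessions))
    stack, visited = [(start, [])], set()
    while stack:
        state, trace = stack.pop()
        if state in visited:
            continue
        visited.add(state)
        known, _, resps = state
        for j, (_, step, peer) in enumerate(resps):
            if step == 1 and peer != "i" and "nb%d" % j in known:
                return trace
        for nxt, label in successors(state):
            stack.append((nxt, trace + [label]))
    return None

# Constructed intruder knowledge: all names and public keys plus his own private key.
FULL = {"alice", "bob", "i", pk("alice"), pk("bob"), pk("i"), "inv(k_i)"}

if __name__ == "__main__":
    cases = {
        "alice->bob only, intruder_knowledge = {}": ([("alice", "bob")], set()),
        "alice->bob only, full intruder knowledge": ([("alice", "bob")], FULL),
        "alice->i added, inv(k_i) missing": ([("alice", "i")], FULL - {"inv(k_i)"}),
        "alice->i added, inv(k_i) known": ([("alice", "i")], FULL),
    }
    for name, (inits, knowledge) in cases.items():
        trace = find_secrecy_attack(inits, ["bob"], knowledge)
        print(name, "->", "SAFE" if trace is None else "UNSAFE: " + " | ".join(trace))
```

Only the last configuration reports a leak of Nb, which matches the advice given in the replies: the single honest session and the empty intruder_knowledge of the generated HLPSL both hide the flaw.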