(*************************************************************
 *                                                           *
 *  Cryptographic protocol verifier                          *
 *                                                           *
 *  Bruno Blanchet, Vincent Cheval, and Marc Sylvestre       *
 *                                                           *
 *  Copyright (C) INRIA, CNRS 2000-2018                      *
 *                                                           *
 *************************************************************)

(*

    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
    the Free Software Foundation; either version 2 of the License, or
    (at your option) any later version.

    This program is distributed in the hope that it will be useful,
    but WITHOUT ANY WARRANTY; without even the implied warranty of
    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    GNU General Public License for more details (in file LICENSE).

    You should have received a copy of the GNU General Public License
    along with this program; if not, write to the Free Software
    Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA

*)
(* Needham Shroeder public key protocol.
   Original version, with Lowe's correction and changes
   to find an attack mentioned by Vitaly Shmatikov: 
	- the fields of the first message are swapped, 
	- the tuples are built from pairs such as (x, (y, (z, t))), and 
	- A and B both play the two roles of B and A
*)

pred c/1 decompData, elimVar.

fun host/1.
fun pk/1.
fun encrypt/2.

query c:secretA[].
query c:secretB[].

not c:sA[].
not c:sB[].

reduc

(* The attacker *)

c:x & c:encrypt(m,pk(x)) -> c:m;
c:pk(x);
c:host(x);
c:x & c:y -> c:encrypt(x,y);

(* The protocol *)

(* A *)

c:encrypt((host(sA[]), Na[pk(x)]), pk(x));
c:encrypt((Na[pk(x)], (y, host(x))), pk(sA[]))
   -> c:encrypt((y,kA[x]), pk(x));

(* B *)

c:encrypt((host(a),x), pk(sB[])) -> c:encrypt((x, (Nb[x,a], host(sB[]))), pk(a));
c:encrypt((x,host(sA[])), pk(sB[])) & c:encrypt((Nb[x, sA[]], z), pk(sB[]))
   -> c:encrypt(secretB[], pk(z));

(* B as A *)

c:encrypt((host(sB[]), Nb2[pk(x)]), pk(x));
c:encrypt((Nb2[pk(x)], (y, host(x))), pk(sB[]))
   -> c:encrypt((y,kB[x]), pk(x));

(* A as B *)

c:encrypt((host(a),x), pk(sA[])) -> c:encrypt((x, Na2[x,a], host(sA[])), pk(a));
c:encrypt((x,host(sB[])), pk(sA[])) & c:encrypt((Na2[x, sB[]], z), pk(sA[]))
   -> c:encrypt(secretA[], pk(z)).
