Andrew D. Gordon
Microsoft Research

Christian Haack
Radboud University

Alan Jeffrey
Bell Labs

Cryptographic Protocol Type Checker

Introduction

Applet

Examples

Download

Research Papers

Changelog

To Do List

/* * This example is similar to part of an example from Bhargavan, Fournet * and Gordon's paper "A Model for Web Services Security". * It is a essentially a version of a one-way authentication procedure that * is included in the X509 recommendation. See, for instance, Chapter 14.2 * in Stalling's book "Cryptography and Network Security", or Section 6.9.1 * in the Clark-Jacob survey. * * A -> B M,A,B,Time,MsgId, * {| digest( hash( hash(M), hash(B), hash(Time), hash(MsgId) ) ) |}sA * * where * hash : a one-way hash function * digest : a message tag * sA : Alice's private signing key. * * Christian Haack, v1.1.0 2004/10/28 */
/* * Include the standard prelude. */
import prelude;
/* * Words used in correspondence assertions. */
public sending : Word; public to : Word; public and : Word; public with : Word;
/* * Message digest pattern. */
pattern Digest (a:Host) = ( hash( hash(text:Public), hash(b:Host), hash(time:Public), hash(msgid:Public) ) ) [ !begun(a sending text with msgid and time to b) ];
/* * Message digest tag. */
tag digest (Digest(a)) : Auth<a:Host>;
/* * We assume that principals are able to securely lookup the required keys. * We formally express this by assuming the existence of secure lookup * functions of the following dependent function types: */
fun lkupAuthKey (p:Any) : AuthKey(p);
/* * The initiator. */
client Initiator (a:Host, b:Host, sA:SignKey(a)) at a is { establish Receiver at b is (socket : Socket); new (text : Public); new (msgid : Public); new (time : Public); begin! (a sending text with msgid and time to b); output socket is (text, a, b, time, msgid, {| digest( hash( hash(text), hash(b), hash(time), hash(msgid) ) ) |}sA); }
/* * The receiver. */
server Receiver (b:Host) at b is (socket : Socket) { input socket is (text:Un, a:Un, b, time:Un, msgid:Un, signed:Un); let sA:AuthKey(a) = lkupAuthKey (a); match signed is {| digest( hash( hash(text), hash(b), hash(time), hash(msgid) ) ) |}sA^-1 [ !begun (a sending text with msgid and time to b) ]; end (a sending text with msgid and time to b); }
/* * That's all folks. */

Cryptyc implementation Copyright © 2001-2004, Alan Jeffrey and Christian Haack
Technical reports Copyright © 2000-2004 Microsoft Research, Alan Jeffrey and Christian Haack
This material is partly based upon work supported by the National Science Foundation under Grant No. 0208549.
Last modified: 2005-12-14 06:33:52