theory KEA_plus_KCI
begin

builtin: hashing, diffie-hellman

section{* KEA+ *}
/*
 * Protocol:	KEA+
 * Modeler: 	Cas Cremers
 * Date: 	January 2012
 * Source:	"Security Analysis of KEA Authenticated Key Exchange Protocol"
 * 		Lauter, Mityagin, 2006
 * Property:	KI, KCI
 *
 * Status: 	working
 */

/* Protocol rules */

rule generate_ltk:
   [ Fr(~lk) ] 
   --[ RegKey($A) ]->
   [ !Ltk( $A, ~lk ), !Pk( $A, 'g'^~lk ), Out( 'g'^~lk ) ]

rule Init_1:
   [ Fr( ~ekI ), !Ltk( $I, ~lkI ) ]
   --[ SidI_1(~ekI,$I,$R, 'g'^~ekI ) ]->
   [ Init_1( ~ekI, $I, $R, ~lkI, 'g'^~ekI ),
     !Ephk(~ekI),
     Out( 'g'^~ekI ) ]

rule Init_2:
   [ Init_1( ~ekI, $I, $R, ~lkI , hkI), In( Y ), !Pk( $R,'g'^~lkR ) ]
   --[SidI_2( ~ekI, $I, $R, hkI, Y,
       h( <Y^~lkI, ('g'^~lkR)^~ekI, $I, $R > ) ) ]->
   [ !Sessk( ~ekI, 
       h( <Y^~lkI, ('g'^~lkR)^~ekI, $I, $R > ) ) ]


rule Resp_1:
   [ In( X ), Fr( ~ekR ), !Ltk($R, ~lkR), !Pk($I, 'g'^~lkI) ]
   --[ SidR_1( ~ekR, $I, $R, X, 'g'^~ekR ,
       h( <('g'^~lkI)^~ekR, X^~lkR, $I, $R > ) ) ]->
   [ Out( 'g'^~ekR ),
     !Ephk(~ekR),
     !Sessk( ~ekR, 
       h( <('g'^~lkI)^~ekR, X^~lkR, $I, $R > ) ) ]

rule Sessk_reveal: 
   [ !Sessk(~tid, k) ]
   --[ SesskRev(~tid) ]->
   [ Out(k) ]

rule Ephk_reveal:
   [ !Ephk(~ekI) ]
   --[ EphkRev(~ekI) ]->
   [ Out(~ekI) ]

rule Ltk_reveal:
   [ !Ltk($A, k) ]
   --[ LtkRev($A) ]->
   [ Out(k) ]


/* Security properties */

/*
lemma key_agreement_reachable:
  "not (Ex #i1 #i2 ekI ekR I R k hkI hkR.
          SidI_2(ekI, I, R, hkI, hkR, k) @ i1 & SidR_1(ekR, I, R, hkI, hkR, k) @ i2)"
*/

/* Security notion.
 *
 * We model the claims in the KEA+ paper except for the (non-standard)
 * weakened notion of wPFS, in which the adversary can learn A or B's
 * key after the test thread ends, but not both. "Real" wPFS does not
 * hold for this protocol anyway.
 * However, by modeling KCI attacks, we are also modeling half of
 * KEA+'s wPFS notion: the adversary can learn the long-term key of the
 * actor (and thus also after the end of the test session).
 *
 * We model ephemeral key reveals for non-partner threads.  This
 * corresponds to a session-state-reveal analysis where the
 * session-state is defined as the randomness generated by the parties.
 * This property is not implied by the proof (sketch) in the KEA+ paper.
 */

/* An attack is valid in the security notion if the session key of the test session is deduced and
   the test session is clean.
*/
lemma keaplus_initiator_key:
  " /* If every agent registered at most one public key */
    (All A #i #j. RegKey(A)@i & RegKey(A)@j ==> (#i = #j))
  ==>
    /* then there is not attack */
    (not(Ex #i1 #i2 ttest I R k hkI hkR.
            SidI_2(ttest, I, R, hkI, hkR, k) @ i1 & K( k ) @ i2

            /* No ephemeral-key-reveal of test thread */
            & (All #i3. EphkRev( ttest ) @ i3 ==> F)

            /* Not session-key-reveal of test thread. */
            & (All #i3. SesskRev( ttest ) @ i3 ==> F)

            /* Not ephemeral-key-reveal of partner thread. */
            & (All #i3 #i4 tpartner kpartner.
                   SidR_1( tpartner,I,R,hkI,hkR,kpartner ) @i3
                 & EphkRev( tpartner ) @ i4 ==> F)

            /* Not session-key-reveal of partner thread. */
            & (All #i3 #i4 tpartner kpartner.
                   SidR_1( tpartner,I,R,hkI,hkR,kpartner ) @i3
                 & SesskRev( tpartner ) @ i4 ==> F)

            /* Not longterm-key-reveal of intended peer. */
            & (All #i3. LtkRev( R ) @ i3 ==> F)
    )   )"

/* An attack is valid in the security notion if the session key of the test session is deduced and
   the test session is clean.
*/
lemma keaplus_responder_key:
  " /* If every agent registered at most one public key */
    (All A #i #j. RegKey(A)@i & RegKey(A)@j ==> (#i = #j))
  ==>
    /* then there is not attack */
    (not (Ex #i1 #i2 ttest I R k hkI hkR.
              SidR_1(ttest, I, R, hkI, hkR, k) @ i1 & K( k ) @ i2

              /* Not ephemeral-key-reveal of test thread. */
              & (All #i3. EphkRev( ttest ) @ i3 ==> F)

              /* Not session-key-reveal of test thread. */
              & (All #i3. SesskRev( ttest ) @ i3 ==> F)

              /* Not ephemeral-key-reveal of partner thread. */
              /* Note we distinguish explicitly between an incomplete
               * and complete partner thread case.
               */
              & (All #i3 #i4 tpartner lki.
                     SidI_1( tpartner,I,R,lki ) @i3
                     & EphkRev( tpartner ) @ i4 ==> F) 
              & (All #i3 #i4 tpartner kpartner.
                     SidI_2( tpartner,I,R,hkI,hkR,kpartner ) @i3
                     & EphkRev( tpartner ) @ i4 ==> F)

              /* Not session-key-reveal of partner thread. Note that we use SidI_2 here.
                 A session key reveal can only happen after SidI_2 is logged anyways.
              */
              & (All #i3 #i4 tpartner kpartner.
                     SidI_2( tpartner,I,R,hkI,hkR,kpartner ) @i3
                     & SesskRev( tpartner ) @ i4 ==> F)

              /* Not longterm-key-reveal of intended peer. */
              & (All #i3. LtkRev( I ) @ i3 ==> F)
    )   )"

end