VerifHub

VerifHub

VerifHub allows Verifpal® users to easily share and discuss Verifpal models of cryptographic protocols. The VerifHub service provides unique URIs for each shared model which includes a syntax-highlighted model, an automatically generated diagram and a summary of the analysis results.

Switch to Diagram View

signal_unguarded.vp

Submitted on 10 Feb 26 17:44 UTC. attacker[active] principal Alice[ knows private alongterm galongterm = G^alongterm ] principal Bob[ knows private blongterm, bs generates bo gblongterm = G^blongterm gbs = G^bs gbo = G^bo gbssig = SIGN(blongterm, gbs) ] Bob -> Alice: gblongterm, gbssig, gbs, gbo principal Alice[ generates ae1 gae1 = G^ae1 amaster = HASH(gbs^alongterm, gblongterm^ae1, gbs^ae1, gbo^ae1) arkba1, ackba1 = HKDF(amaster, nil, nil) ] principal Alice[ generates m1, ae2 gae2 = G^ae2 _ = SIGNVERIF(gblongterm, gbs, gbssig)? akshared1 = gbs^ae2 arkab1, ackab1 = HKDF(akshared1, arkba1, nil) akenc1, akenc2 = HKDF(MAC(ackab1, nil), nil, nil) e1 = AEAD_ENC(akenc1, m1, HASH(galongterm, gblongterm, gae2)) ] Alice -> Bob: galongterm, gae1, gae2, e1 principal Bob[ bmaster = HASH(galongterm^bs, gae1^blongterm, gae1^bs, gae1^bo) brkba1, bckba1 = HKDF(bmaster, nil, nil) ] principal Bob[ bkshared1 = gae2^bs brkab1, bckab1 = HKDF(bkshared1, brkba1, nil) bkenc1, bkenc2 = HKDF(MAC(bckab1, nil), nil, nil) m1_d = AEAD_DEC(bkenc1, e1, HASH(galongterm, gblongterm, gae2)) ] principal Bob[ generates m2, be gbe = G^be bkshared2 = gae2^be brkba2, bckba2 = HKDF(bkshared2, brkab1, nil) bkenc3, bkenc4 = HKDF(MAC(bckba2, nil), nil, nil) e2 = AEAD_ENC(bkenc3, m2, HASH(gblongterm, galongterm, gbe)) ] Bob -> Alice: gbe, e2 principal Alice[ akshared2 = gbe^ae2 arkba2, ackba2 = HKDF(akshared2, arkab1, nil) akenc3, akenc4 = HKDF(MAC(ackba2, nil), nil, nil) m2_d = AEAD_DEC(akenc3, e2, HASH(gblongterm, galongterm, gbe)) ] principal Alice[ generates m3, ae3 gae3 = G^ae3 akshared3 = gbe^ae3 arkab3, ackab3 = HKDF(akshared3, arkba2, nil) akenc5, akenc6 = HKDF(MAC(ackab3, nil), nil, nil) e3 = AEAD_ENC(akenc5, m3, HASH(gblongterm, galongterm, gae3)) ] Alice -> Bob: gae3, e3 principal Bob[ bkshared3 = gae3^be brkab3, bckab3 = HKDF(bkshared3, brkba2, nil) bkenc5, bkenc6 = HKDF(MAC(bckab3, nil), nil, nil) m3_d = AEAD_DEC(bkenc5, e3, HASH(gblongterm, galongterm, gae3)) ] phase[1] principal Alice[ leaks alongterm ] principal Bob[ leaks blongterm ] queries[ confidentiality? m1 authentication? Alice -> Bob: e1 confidentiality? m2 authentication? Bob -> Alice: e2 confidentiality? m3 authentication? Alice -> Bob: e3 ]
Switch to Model View
Title:signal_unguarded.vp Note over Alice: knows private alongterm\n galongterm = G^alongterm\n Note over Bob: knows private blongterm, bs\n generates bo\n gblongterm = G^blongterm\n gbs = G^bs\n gbo = G^bo\n gbssig = SIGN(blongterm, gbs)\n Bob -> Alice: gblongterm, gbssig, gbs, gbo Note over Alice: generates ae1\n gae1 = G^ae1\n amaster = HASH(gbs^alongterm, gblongterm^ae1, gbs^ae1, gbo^ae1)\n arkba1, ackba1 = HKDF(amaster, nil, nil)\n Note over Alice: generates m1, ae2\n gae2 = G^ae2\n _ = SIGNVERIF(gblongterm, gbs, gbssig)?\n akshared1 = gbs^ae2\n arkab1, ackab1 = HKDF(akshared1, arkba1, nil)\n akenc1, akenc2 = HKDF(MAC(ackab1, nil), nil, nil)\n e1 = AEAD_ENC(akenc1, m1, HASH(galongterm, gblongterm, gae2))\n Alice -> Bob: galongterm, gae1, gae2, e1 Note over Bob: bmaster = HASH(galongterm^bs, gae1^blongterm, gae1^bs, gae1^bo)\n brkba1, bckba1 = HKDF(bmaster, nil, nil)\n Note over Bob: bkshared1 = gae2^bs\n brkab1, bckab1 = HKDF(bkshared1, brkba1, nil)\n bkenc1, bkenc2 = HKDF(MAC(bckab1, nil), nil, nil)\n m1_d = AEAD_DEC(bkenc1, e1, HASH(galongterm, gblongterm, gae2))\n Note over Bob: generates m2, be\n gbe = G^be\n bkshared2 = gae2^be\n brkba2, bckba2 = HKDF(bkshared2, brkab1, nil)\n bkenc3, bkenc4 = HKDF(MAC(bckba2, nil), nil, nil)\n e2 = AEAD_ENC(bkenc3, m2, HASH(gblongterm, galongterm, gbe))\n Bob -> Alice: gbe, e2 Note over Alice: akshared2 = gbe^ae2\n arkba2, ackba2 = HKDF(akshared2, arkab1, nil)\n akenc3, akenc4 = HKDF(MAC(ackba2, nil), nil, nil)\n m2_d = AEAD_DEC(akenc3, e2, HASH(gblongterm, galongterm, gbe))\n Note over Alice: generates m3, ae3\n gae3 = G^ae3\n akshared3 = gbe^ae3\n arkab3, ackab3 = HKDF(akshared3, arkba2, nil)\n akenc5, akenc6 = HKDF(MAC(ackab3, nil), nil, nil)\n e3 = AEAD_ENC(akenc5, m3, HASH(gblongterm, galongterm, gae3))\n Alice -> Bob: gae3, e3 Note over Bob: bkshared3 = gae3^be\n brkab3, bckab3 = HKDF(bkshared3, brkba2, nil)\n bkenc5, bkenc6 = HKDF(MAC(bckab3, nil), nil, nil)\n m3_d = AEAD_DEC(bkenc5, e3, HASH(gblongterm, galongterm, gae3))\n Note left of Alice:phase 1 Note over Alice: leaks alongterm\n Note over Bob: leaks blongterm\n

Analysis Results

The model submitter provided the following analysis results:

Please note that these results are not verified to be accurate. The model submitter may choose to provide false analysis results if they so desire. It is strongly recommended that you re-run the analysis of this model locally if you wish to verify the authenticity of the analysis results above.

© Copyright 2019- Nadim Kobeissi. All Rights Reserved. “Verifpal” and the “Verifpal” logo/mascot are registered trademarks of Nadim Kobeissi. Verifpal software is provided as free and open source software, licensed under the GPLv3. Verifpal User Manual, as well as this website, are provided under the CC BY-NC-ND 4.0 license. Published by Symbolic Software.