VerifHub

VerifHub allows Verifpal® users to easily share and discuss Verifpal models of cryptographic protocols. The VerifHub service provides unique URIs for each shared model which includes a syntax-highlighted model, an automatically generated diagram and a summary of the analysis results.

Switch to Diagram View

lc-dp-3t.vp

Submitted on 28 Jun 20 21:25 UTC.

attacker[active]

principal Smartphonea[
	knows public broadcastkey
	generates sk0a
	ephid00a, ephid01a, ephid02a = HKDF(nil, sk0a, broadcastkey)
]

principal Smartphoneb[
	knows public broadcastkey
	generates sk0b
	ephid00b, ephid01b, ephid02b = HKDF(nil, sk0b, broadcastkey)
]

principal Smartphonec[
	knows public broadcastkey
	generates sk0c
	ephid00c, ephid01c, ephid02c = HKDF(nil, sk0c, broadcastkey)
]

Smartphonea -> Smartphoneb: ephid00a

Smartphoneb -> Smartphonea: ephid00b

Smartphonec -> Smartphoneb: ephid01c

Smartphoneb -> Smartphonec: ephid01b

principal Backendserver[
	knows private infectedpatients0
]

Backendserver -> Smartphonea: infectedpatients0

Backendserver -> Smartphoneb: infectedpatients0

Backendserver -> Smartphonec: infectedpatients0

principal Smartphonea[
	sk1a = HASH(sk0a)
	ephid10a, ephid11a, ephid12a = HKDF(nil, sk1a, broadcastkey)
]

principal Smartphoneb[
	sk1b = HASH(sk0b)
	ephid10b, ephid11b, ephid12b = HKDF(nil, sk1b, broadcastkey)
]

principal Smartphonec[
	sk1c = HASH(sk0c)
	ephid10c, ephid11c, ephid12c = HKDF(nil, sk1c, broadcastkey)
]

principal Smartphonea[
	sk2a = HASH(sk1a)
	ephid20a, ephid21a, ephid22a = HKDF(nil, sk2a, broadcastkey)
]

principal Healthcareauthority[
	generates triggertoken
	knows private ephemeral_sk
	m1 = ENC(ephemeral_sk, triggertoken)
]

Healthcareauthority -> Backendserver: [m1]

Healthcareauthority -> Smartphonea: m1

principal Smartphonea[
	knows private ephemeral_sk
	m1_dec = DEC(ephemeral_sk, m1)
	m2 = ENC(ephemeral_sk, sk1a)
]

Smartphonea -> Backendserver: m2

principal Backendserver[
	knows private ephemeral_sk
	m2_dec = DEC(ephemeral_sk, m2)
	infectedpatients1 = CONCAT(infectedpatients0, m2_dec)
]

Backendserver -> Smartphonea: infectedpatients1

Backendserver -> Smartphoneb: infectedpatients1

Backendserver -> Smartphonec: infectedpatients1

queries[
	confidentiality? ephid02a
	authentication? Smartphonea -> Backendserver: m2
	unlinkability? ephid02a, ephid00a, ephid01a
]

Switch to Model View

Title:lc-dp-3t.vp Note over Smartphonea: knows public broadcastkey\n generates sk0a\n ephid00a, ephid01a, ephid02a = HKDF(nil, sk0a, broadcastkey)\n Note over Smartphoneb: knows public broadcastkey\n generates sk0b\n ephid00b, ephid01b, ephid02b = HKDF(nil, sk0b, broadcastkey)\n Note over Smartphonec: knows public broadcastkey\n generates sk0c\n ephid00c, ephid01c, ephid02c = HKDF(nil, sk0c, broadcastkey)\n Smartphonea -> Smartphoneb: ephid00a Smartphoneb -> Smartphonea: ephid00b Smartphonec -> Smartphoneb: ephid01c Smartphoneb -> Smartphonec: ephid01b Note over Backendserver: knows private infectedpatients0\n Backendserver -> Smartphonea: infectedpatients0 Backendserver -> Smartphoneb: infectedpatients0 Backendserver -> Smartphonec: infectedpatients0 Note over Smartphonea: sk1a = HASH(sk0a)\n ephid10a, ephid11a, ephid12a = HKDF(nil, sk1a, broadcastkey)\n Note over Smartphoneb: sk1b = HASH(sk0b)\n ephid10b, ephid11b, ephid12b = HKDF(nil, sk1b, broadcastkey)\n Note over Smartphonec: sk1c = HASH(sk0c)\n ephid10c, ephid11c, ephid12c = HKDF(nil, sk1c, broadcastkey)\n Note over Smartphonea: sk2a = HASH(sk1a)\n ephid20a, ephid21a, ephid22a = HKDF(nil, sk2a, broadcastkey)\n Note over Healthcareauthority: generates triggertoken\n knows private ephemeral_sk\n m1 = ENC(ephemeral_sk, triggertoken)\n Healthcareauthority -> Backendserver: [m1] Healthcareauthority -> Smartphonea: m1 Note over Smartphonea: knows private ephemeral_sk\n m1_dec = DEC(ephemeral_sk, m1)\n m2 = ENC(ephemeral_sk, sk1a)\n Smartphonea -> Backendserver: m2 Note over Backendserver: knows private ephemeral_sk\n m2_dec = DEC(ephemeral_sk, m2)\n infectedpatients1 = CONCAT(infectedpatients0, m2_dec)\n Backendserver -> Smartphonea: infectedpatients1 Backendserver -> Smartphoneb: infectedpatients1 Backendserver -> Smartphonec: infectedpatients1

Analysis Results

The model submitter provided the following analysis results:

Query 1 (Confidentiality): PASS
Query 2 (Authentication): FAIL
Query 3 (Unlinkability): PASS

Please note that these results are not verified to be accurate. The model submitter may choose to provide false analysis results if they so desire. It is strongly recommended that you re-run the analysis of this model locally if you wish to verify the authenticity of the analysis results above.

Discuss This Model

© Copyright 2019- Nadim Kobeissi. All Rights Reserved. “Verifpal” and the “Verifpal” logo/mascot are registered trademarks of Nadim Kobeissi. Verifpal software is provided as free and open source software, licensed under the GPLv3. Verifpal User Manual, as well as this website, are provided under the CC BY-NC-ND 4.0 license. Published by Symbolic Software.