VerifHub

VerifHub allows Verifpal® users to easily share and discuss Verifpal models of cryptographic protocols. The VerifHub service provides unique URIs for each shared model which includes a syntax-highlighted model, an automatically generated diagram and a summary of the analysis results.

Switch to Diagram View

otr_ake.vp

Submitted on 15 May 23 19:18 UTC.

attacker[passive]

principal Bob[
	knows private priv_b
	pub_b = G^priv_b
]

Bob -> Alice: [pub_b]

principal Alice[
	knows private priv_a
	pub_a = G^priv_a
]

Alice -> Bob: [pub_a]

principal Bob[
	generates r, x
	g_x = G^x
	enc_gx = ENC(r, g_x)
	hash_gx = HASH(g_x)
]

Bob -> Alice: enc_gx, hash_gx

principal Alice[
	generates y
	g_y = G^y
]

Alice -> Bob: g_y

principal Bob[
	s = g_y^x
	c, c_ = HKDF(s, nil, nil)
	m1, m2, m1_, m2_ = HKDF(nil, s, nil)
	generates keyid_b
	mb = MAC(m1, CONCAT(g_x, g_y, pub_b, keyid_b))
	xb = CONCAT(pub_b, keyid_b, SIGN(priv_b, mb))
	enc_c_x_b = ENC(c, xb)
	mac_mc2_enc_c_x_b = MAC(m2, ENC(c, xb))
]

Bob -> Alice: [r], enc_c_x_b, mac_mc2_enc_c_x_b

principal Alice[
	dec_gx = DEC(r, enc_gx)
	_ = ASSERT(HASH(dec_gx), hash_gx)?
	s_ = dec_gx^y
	c_alice, c__alice = HKDF(s_, nil, nil)
	m1_alice, m2_alice, m1__alice, m2__alice = HKDF(nil, s_, nil)
	_ = ASSERT(mac_mc2_enc_c_x_b, MAC(m2_alice, enc_c_x_b))?
	xb_alice = DEC(c_alice, enc_c_x_b)
	pub_b_alice, keyd_b_alice, sig_b_mb_alice = SPLIT(xb_alice)
	mb_alice = MAC(m1_alice, CONCAT(dec_gx, g_y, pub_b_alice, keyd_b_alice))
	_ = SIGNVERIF(pub_b_alice, mb_alice, sig_b_mb_alice)?
	generates keyid_a
	ma = MAC(m1__alice, CONCAT(g_y, dec_gx, pub_a, keyid_a))
	xa = CONCAT(pub_a, keyid_a, SIGN(priv_a, ma))
	enc_c__x_a = ENC(c__alice, xa)
	mac_m2_enc_c__xa = MAC(m2__alice, ENC(c__alice, xa))
]

Alice -> Bob: enc_c__x_a, mac_m2_enc_c__xa

principal Bob[
	_ = ASSERT(mac_m2_enc_c__xa, MAC(m2_, enc_c__x_a))?
	xa_bob = DEC(c_, enc_c__x_a)
	pub_a_bob, keyid_a_bob, sig_a_ma_bob = SPLIT(xa_bob)
	ma_bob = MAC(m1_, CONCAT(g_y, g_x, pub_a_bob, keyid_a_bob))
	_ = SIGNVERIF(pub_a_bob, ma_bob, sig_a_ma_bob)?
	_ = ASSERT(pub_a_bob, pub_a)?
]

queries[
	equivalence? s, s_
	confidentiality? s
	freshness? s
	equivalence? pub_b, pub_b_alice
	equivalence? pub_a, pub_a_bob
]

Switch to Model View

Title:otr_ake.vp Note over Bob: knows private priv_b\n pub_b = G^priv_b\n Bob -> Alice: [pub_b] Note over Alice: knows private priv_a\n pub_a = G^priv_a\n Alice -> Bob: [pub_a] Note over Bob: generates r, x\n g_x = G^x\n enc_gx = ENC(r, g_x)\n hash_gx = HASH(g_x)\n Bob -> Alice: enc_gx, hash_gx Note over Alice: generates y\n g_y = G^y\n Alice -> Bob: g_y Note over Bob: s = g_y^x\n c, c_ = HKDF(s, nil, nil)\n m1, m2, m1_, m2_ = HKDF(nil, s, nil)\n generates keyid_b\n mb = MAC(m1, CONCAT(g_x, g_y, pub_b, keyid_b))\n xb = CONCAT(pub_b, keyid_b, SIGN(priv_b, mb))\n enc_c_x_b = ENC(c, xb)\n mac_mc2_enc_c_x_b = MAC(m2, ENC(c, xb))\n Bob -> Alice: [r], enc_c_x_b, mac_mc2_enc_c_x_b Note over Alice: dec_gx = DEC(r, enc_gx)\n _ = ASSERT(HASH(dec_gx), hash_gx)?\n s_ = dec_gx^y\n c_alice, c__alice = HKDF(s_, nil, nil)\n m1_alice, m2_alice, m1__alice, m2__alice = HKDF(nil, s_, nil)\n _ = ASSERT(mac_mc2_enc_c_x_b, MAC(m2_alice, enc_c_x_b))?\n xb_alice = DEC(c_alice, enc_c_x_b)\n pub_b_alice, keyd_b_alice, sig_b_mb_alice = SPLIT(xb_alice)\n mb_alice = MAC(m1_alice, CONCAT(dec_gx, g_y, pub_b_alice, keyd_b_alice))\n _ = SIGNVERIF(pub_b_alice, mb_alice, sig_b_mb_alice)?\n generates keyid_a\n ma = MAC(m1__alice, CONCAT(g_y, dec_gx, pub_a, keyid_a))\n xa = CONCAT(pub_a, keyid_a, SIGN(priv_a, ma))\n enc_c__x_a = ENC(c__alice, xa)\n mac_m2_enc_c__xa = MAC(m2__alice, ENC(c__alice, xa))\n Alice -> Bob: enc_c__x_a, mac_m2_enc_c__xa Note over Bob: _ = ASSERT(mac_m2_enc_c__xa, MAC(m2_, enc_c__x_a))?\n xa_bob = DEC(c_, enc_c__x_a)\n pub_a_bob, keyid_a_bob, sig_a_ma_bob = SPLIT(xa_bob)\n ma_bob = MAC(m1_, CONCAT(g_y, g_x, pub_a_bob, keyid_a_bob))\n _ = SIGNVERIF(pub_a_bob, ma_bob, sig_a_ma_bob)?\n _ = ASSERT(pub_a_bob, pub_a)?\n

Analysis Results

The model submitter provided the following analysis results:

Query 1 (Equivalence): PASS
Query 2 (Confidentiality): PASS
Query 3 (Freshness): PASS
Query 4 (Equivalence): PASS
Query 5 (Equivalence): PASS

Please note that these results are not verified to be accurate. The model submitter may choose to provide false analysis results if they so desire. It is strongly recommended that you re-run the analysis of this model locally if you wish to verify the authenticity of the analysis results above.

Discuss This Model

© Copyright 2019- Nadim Kobeissi. All Rights Reserved. “Verifpal” and the “Verifpal” logo/mascot are registered trademarks of Nadim Kobeissi. Verifpal software is provided as free and open source software, licensed under the GPLv3. Verifpal User Manual, as well as this website, are provided under the CC BY-NC-ND 4.0 license. Published by Symbolic Software.