Process: ( {1}! {2}new new_rbc_id_19; {3}! {4}out(id, new_rbc_id_19) ) | ( {5}! {6}new train_etcs_id_20; {7}! {8}new session_21; {9}in(id, rbc_etcs_id_22); {10}new trainNonce_23; {11}event trainStartSession(rbc_etcs_id_22,train_etcs_id_20,trainNonce_23,SAF()); {12}out(c, (TRAIN_ETCS_ID_TYPE(),AU1(),DF_SEND(),train_etcs_id_20,SAF(),trainNonce_23)); {13}in(c, (=RBC_ETCS_ID_TYPE(),=AU2(),=DF_RESP(),in_rbc_etcs_id_24,rbcSaF_25,rbcNonce_26,inMAC_27)); {14}let trainKS_28 = genSessionKey(trainNonce_23,rbcNonce_26,getKey(in_rbc_etcs_id_24,train_etcs_id_20)) in {15}out(c, encrypt(SECRET,trainKS_28)); {16}out(c, encrypt(SECRET,getKey(in_rbc_etcs_id_24,train_etcs_id_20))); {17}if (inMAC_27 = mac(trainKS_28,((PAYLOAD_LENGTH(),train_etcs_id_20,RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),in_rbc_etcs_id_24,rbcSaF_25),rbcNonce_26,trainNonce_23,train_etcs_id_20))) then {18}event trainFinishSession(in_rbc_etcs_id_24,train_etcs_id_20,trainNonce_23,rbcSaF_25,rbcNonce_26,trainKS_28); {19}out(c, (ZEROS(),AU3(),DF_SEND(),mac(trainKS_28,(PAYLOAD_LENGTH(),train_etcs_id_20,ZEROS(),AU3(),DF_SEND(),trainNonce_23,rbcNonce_26)))); {20}new time_29; {21}let msg1_30 = (DT(),time_29,MESSAGE_1()) in {22}event DataSent1(session_21,msg1_30); {23}out(c, msg1_30); {24}let msg2_31 = (DT(),inc(time_29),MESSAGE_2()) in {25}event DataSent2(session_21,msg2_31); {26}out(c, msg2_31); {27}let msg3_32 = (DT(),inc(inc(time_29)),MESSAGE_3()) in {28}event DataSent3(session_21,msg3_32); {29}out(c, msg3_32) ) | ( {30}! {31}in(id, rbc_etcs_id_36); {32}new rbcNonce_37; {33}in(c, (sent_ETCS_ID_TYPE_38,=AU1(),=DF_SEND(),in_train_etcs_id_39,trainSaF_40,trainNonce_41)); {34}event rbcStartSession(rbc_etcs_id_36,in_train_etcs_id_39,rbcNonce_37,trainSaF_40,trainNonce_41); {35}let rbcKS_42 = genSessionKey(trainNonce_41,rbcNonce_37,getKey(rbc_etcs_id_36,in_train_etcs_id_39)) in {36}out(c, encrypt(SECRET,rbcKS_42)); {37}out(c, encrypt(SECRET,getKey(rbc_etcs_id_36,in_train_etcs_id_39))); {38}out(c, (RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),rbc_etcs_id_36,trainSaF_40,rbcNonce_37,mac(rbcKS_42,((PAYLOAD_LENGTH(),in_train_etcs_id_39,RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),rbc_etcs_id_36,trainSaF_40),rbcNonce_37,trainNonce_41,in_train_etcs_id_39)))); {39}in(c, (=ZEROS(),=AU3(),=DF_SEND(),inMAC_43)); {40}if (inMAC_43 = mac(rbcKS_42,(PAYLOAD_LENGTH(),in_train_etcs_id_39,ZEROS(),AU3(),DF_SEND(),trainNonce_41,rbcNonce_37))) then {41}event rbcFinishSession(rbc_etcs_id_36,in_train_etcs_id_39,rbcNonce_37,trainSaF_40,trainNonce_41,rbcKS_42); {42}in(c, (=DT(),timeA_44,msgA_45)); {43}event DataReceived1((DT(),timeA_44,msgA_45)); {44}in(c, (=DT(),timeB_46,msgB_47)); {45}event DataReceived2((DT(),timeB_46,msgB_47)); {46}event MessagesReceived2((DT(),timeA_44,msgA_45),(DT(),timeB_46,msgB_47)); {47}in(c, (=DT(),timeC_48,msgC_49)); {48}event DataReceived3((DT(),timeC_48,msgC_49)); {49}event MessagesReceived3((DT(),timeA_44,msgA_45),(DT(),timeB_46,msgB_47),(DT(),timeC_48,msgC_49)) ) nounif greater:x_70,*y_71/-5000 -- Query evinj:MessagesReceived3(m1_58,m2_59,m3_60) ==> (evinj:DataSent1(s_61,m1_58) & evinj:DataSent2(s_61,m2_59) & evinj:DataSent3(s_61,m3_60)) Completing... Starting query evinj:MessagesReceived3(m1_58,m2_59,m3_60) ==> (evinj:DataSent1(s_61,m1_58) & evinj:DataSent2(s_61,m2_59) & evinj:DataSent3(s_61,m3_60)) goal reachable: attacker:timeC_2453 & attacker:msgC_2454 & attacker:timeB_2455 & attacker:msgB_2456 & attacker:timeA_2457 & attacker:msgA_2458 -> end:endsid_2459,MessagesReceived3((DT(),timeA_2457,msgA_2458),(DT(),timeB_2455,msgB_2456),(DT(),timeC_2453,msgC_2454)) Abbreviations: new_rbc_id_2628 = new_rbc_id_19[!1 = @sid_2491] trainNonce_2629 = trainNonce_23[rbc_etcs_id_22 = new_rbc_id_2628,!2 = @sid_2587,!1 = @sid_2588] new_rbc_id_2630 = new_rbc_id_19[!1 = @sid_2555] rbcNonce_2631 = rbcNonce_37[rbc_etcs_id_36 = new_rbc_id_2630,!1 = endsid_2624] train_etcs_id_2632 = train_etcs_id_20[!1 = @sid_2588] rbcNonce_2633 = rbcNonce_37[rbc_etcs_id_36 = new_rbc_id_2630,!1 = @sid_2526] new_rbc_id_2634 = new_rbc_id_19[!1 = @sid_2465] trainNonce_2635 = trainNonce_23[rbc_etcs_id_22 = new_rbc_id_2634,!2 = @sid_2469,!1 = @sid_2588] 1. The message new_rbc_id_2630 may be sent on channel id[] at output {4}. mess:id[],new_rbc_id_2630. 2. The message new_rbc_id_2628 may be sent on channel id[] at output {4}. mess:id[],new_rbc_id_2628. 3. The message new_rbc_id_2628 that may be sent on channel id[] by 2 may be received at input {9}. So the message (TRAIN_ETCS_ID_TYPE(),AU1(),DF_SEND(),train_etcs_id_2632,SAF(),trainNonce_2629) may be sent to the attacker at output {12}. attacker:(TRAIN_ETCS_ID_TYPE(),AU1(),DF_SEND(),train_etcs_id_2632,SAF(),trainNonce_2629). 4. By 3, the attacker may know (TRAIN_ETCS_ID_TYPE(),AU1(),DF_SEND(),train_etcs_id_2632,SAF(),trainNonce_2629). Using the function 6-proj-6-tuple the attacker may obtain trainNonce_2629. attacker:trainNonce_2629. 5. The attacker has some term trainSaF_2623. attacker:trainSaF_2623. 6. The message new_rbc_id_2634 may be sent on channel id[] at output {4}. mess:id[],new_rbc_id_2634. 7. The message new_rbc_id_2634 that may be sent on channel id[] by 6 may be received at input {9}. So the message (TRAIN_ETCS_ID_TYPE(),AU1(),DF_SEND(),train_etcs_id_2632,SAF(),trainNonce_2635) may be sent to the attacker at output {12}. attacker:(TRAIN_ETCS_ID_TYPE(),AU1(),DF_SEND(),train_etcs_id_2632,SAF(),trainNonce_2635). 8. By 7, the attacker may know (TRAIN_ETCS_ID_TYPE(),AU1(),DF_SEND(),train_etcs_id_2632,SAF(),trainNonce_2635). Using the function 4-proj-6-tuple the attacker may obtain train_etcs_id_2632. attacker:train_etcs_id_2632. 9. Using the function DF_SEND the attacker may obtain DF_SEND(). attacker:DF_SEND(). 10. Using the function AU1 the attacker may obtain AU1(). attacker:AU1(). 11. The attacker has some term sent_ETCS_ID_TYPE_2622. attacker:sent_ETCS_ID_TYPE_2622. 12. By 11, the attacker may know sent_ETCS_ID_TYPE_2622. By 10, the attacker may know AU1(). By 9, the attacker may know DF_SEND(). By 8, the attacker may know train_etcs_id_2632. By 5, the attacker may know trainSaF_2623. By 4, the attacker may know trainNonce_2629. Using the function 6-tuple the attacker may obtain (sent_ETCS_ID_TYPE_2622,AU1(),DF_SEND(),train_etcs_id_2632,trainSaF_2623,trainNonce_2629). attacker:(sent_ETCS_ID_TYPE_2622,AU1(),DF_SEND(),train_etcs_id_2632,trainSaF_2623,trainNonce_2629). 13. The message new_rbc_id_2628 may be sent on channel id[] at output {4}. mess:id[],new_rbc_id_2628. 14. The message new_rbc_id_2630 may be sent on channel id[] at output {4}. mess:id[],new_rbc_id_2630. 15. The attacker has some term rbcSaF_2584. attacker:rbcSaF_2584. 16. The attacker has some term sent_ETCS_ID_TYPE_2563. attacker:sent_ETCS_ID_TYPE_2563. 17. By 16, the attacker may know sent_ETCS_ID_TYPE_2563. By 10, the attacker may know AU1(). By 9, the attacker may know DF_SEND(). By 8, the attacker may know train_etcs_id_2632. By 15, the attacker may know rbcSaF_2584. By 4, the attacker may know trainNonce_2629. Using the function 6-tuple the attacker may obtain (sent_ETCS_ID_TYPE_2563,AU1(),DF_SEND(),train_etcs_id_2632,rbcSaF_2584,trainNonce_2629). attacker:(sent_ETCS_ID_TYPE_2563,AU1(),DF_SEND(),train_etcs_id_2632,rbcSaF_2584,trainNonce_2629). 18. The message new_rbc_id_2630 that may be sent on channel id[] by 14 may be received at input {31}. The message (sent_ETCS_ID_TYPE_2563,AU1(),DF_SEND(),train_etcs_id_2632,rbcSaF_2584,trainNonce_2629) that the attacker may have by 17 may be received at input {33}. So the message (RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_2630,rbcSaF_2584,rbcNonce_2631,mac(genSessionKey(trainNonce_2629,rbcNonce_2631,getKey(new_rbc_id_2630,train_etcs_id_2632)),((PAYLOAD_LENGTH(),train_etcs_id_2632,RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_2630,rbcSaF_2584),rbcNonce_2631,trainNonce_2629,train_etcs_id_2632))) may be sent to the attacker at output {38}. attacker:(RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_2630,rbcSaF_2584,rbcNonce_2631,mac(genSessionKey(trainNonce_2629,rbcNonce_2631,getKey(new_rbc_id_2630,train_etcs_id_2632)),((PAYLOAD_LENGTH(),train_etcs_id_2632,RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_2630,rbcSaF_2584),rbcNonce_2631,trainNonce_2629,train_etcs_id_2632))). 19. By 18, the attacker may know (RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_2630,rbcSaF_2584,rbcNonce_2631,mac(genSessionKey(trainNonce_2629,rbcNonce_2631,getKey(new_rbc_id_2630,train_etcs_id_2632)),((PAYLOAD_LENGTH(),train_etcs_id_2632,RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_2630,rbcSaF_2584),rbcNonce_2631,trainNonce_2629,train_etcs_id_2632))). Using the function 7-proj-7-tuple the attacker may obtain mac(genSessionKey(trainNonce_2629,rbcNonce_2631,getKey(new_rbc_id_2630,train_etcs_id_2632)),((PAYLOAD_LENGTH(),train_etcs_id_2632,RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_2630,rbcSaF_2584),rbcNonce_2631,trainNonce_2629,train_etcs_id_2632)). attacker:mac(genSessionKey(trainNonce_2629,rbcNonce_2631,getKey(new_rbc_id_2630,train_etcs_id_2632)),((PAYLOAD_LENGTH(),train_etcs_id_2632,RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_2630,rbcSaF_2584),rbcNonce_2631,trainNonce_2629,train_etcs_id_2632)). 20. The message new_rbc_id_2630 may be sent on channel id[] at output {4}. mess:id[],new_rbc_id_2630. 21. The attacker has some term trainNonce_2545. attacker:trainNonce_2545. 22. The attacker has some term trainSaF_2544. attacker:trainSaF_2544. 23. The attacker has some term in_train_etcs_id_2543. attacker:in_train_etcs_id_2543. 24. The attacker has some term sent_ETCS_ID_TYPE_2542. attacker:sent_ETCS_ID_TYPE_2542. 25. By 24, the attacker may know sent_ETCS_ID_TYPE_2542. By 10, the attacker may know AU1(). By 9, the attacker may know DF_SEND(). By 23, the attacker may know in_train_etcs_id_2543. By 22, the attacker may know trainSaF_2544. By 21, the attacker may know trainNonce_2545. Using the function 6-tuple the attacker may obtain (sent_ETCS_ID_TYPE_2542,AU1(),DF_SEND(),in_train_etcs_id_2543,trainSaF_2544,trainNonce_2545). attacker:(sent_ETCS_ID_TYPE_2542,AU1(),DF_SEND(),in_train_etcs_id_2543,trainSaF_2544,trainNonce_2545). 26. The message new_rbc_id_2630 that may be sent on channel id[] by 20 may be received at input {31}. The message (sent_ETCS_ID_TYPE_2542,AU1(),DF_SEND(),in_train_etcs_id_2543,trainSaF_2544,trainNonce_2545) that the attacker may have by 25 may be received at input {33}. So the message (RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_2630,trainSaF_2544,rbcNonce_2631,mac(genSessionKey(trainNonce_2545,rbcNonce_2631,getKey(new_rbc_id_2630,in_train_etcs_id_2543)),((PAYLOAD_LENGTH(),in_train_etcs_id_2543,RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_2630,trainSaF_2544),rbcNonce_2631,trainNonce_2545,in_train_etcs_id_2543))) may be sent to the attacker at output {38}. attacker:(RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_2630,trainSaF_2544,rbcNonce_2631,mac(genSessionKey(trainNonce_2545,rbcNonce_2631,getKey(new_rbc_id_2630,in_train_etcs_id_2543)),((PAYLOAD_LENGTH(),in_train_etcs_id_2543,RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_2630,trainSaF_2544),rbcNonce_2631,trainNonce_2545,in_train_etcs_id_2543))). 27. By 26, the attacker may know (RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_2630,trainSaF_2544,rbcNonce_2631,mac(genSessionKey(trainNonce_2545,rbcNonce_2631,getKey(new_rbc_id_2630,in_train_etcs_id_2543)),((PAYLOAD_LENGTH(),in_train_etcs_id_2543,RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_2630,trainSaF_2544),rbcNonce_2631,trainNonce_2545,in_train_etcs_id_2543))). Using the function 6-proj-7-tuple the attacker may obtain rbcNonce_2631. attacker:rbcNonce_2631. 28. The message new_rbc_id_2630 may be sent on channel id[] at output {4}. mess:id[],new_rbc_id_2630. 29. The attacker has some term trainNonce_2524. attacker:trainNonce_2524. 30. The attacker has some term trainSaF_2523. attacker:trainSaF_2523. 31. The attacker has some term in_train_etcs_id_2522. attacker:in_train_etcs_id_2522. 32. The attacker has some term sent_ETCS_ID_TYPE_2521. attacker:sent_ETCS_ID_TYPE_2521. 33. By 32, the attacker may know sent_ETCS_ID_TYPE_2521. By 10, the attacker may know AU1(). By 9, the attacker may know DF_SEND(). By 31, the attacker may know in_train_etcs_id_2522. By 30, the attacker may know trainSaF_2523. By 29, the attacker may know trainNonce_2524. Using the function 6-tuple the attacker may obtain (sent_ETCS_ID_TYPE_2521,AU1(),DF_SEND(),in_train_etcs_id_2522,trainSaF_2523,trainNonce_2524). attacker:(sent_ETCS_ID_TYPE_2521,AU1(),DF_SEND(),in_train_etcs_id_2522,trainSaF_2523,trainNonce_2524). 34. The message new_rbc_id_2630 that may be sent on channel id[] by 28 may be received at input {31}. The message (sent_ETCS_ID_TYPE_2521,AU1(),DF_SEND(),in_train_etcs_id_2522,trainSaF_2523,trainNonce_2524) that the attacker may have by 33 may be received at input {33}. So the message (RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_2630,trainSaF_2523,rbcNonce_2633,mac(genSessionKey(trainNonce_2524,rbcNonce_2633,getKey(new_rbc_id_2630,in_train_etcs_id_2522)),((PAYLOAD_LENGTH(),in_train_etcs_id_2522,RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_2630,trainSaF_2523),rbcNonce_2633,trainNonce_2524,in_train_etcs_id_2522))) may be sent to the attacker at output {38}. attacker:(RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_2630,trainSaF_2523,rbcNonce_2633,mac(genSessionKey(trainNonce_2524,rbcNonce_2633,getKey(new_rbc_id_2630,in_train_etcs_id_2522)),((PAYLOAD_LENGTH(),in_train_etcs_id_2522,RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_2630,trainSaF_2523),rbcNonce_2633,trainNonce_2524,in_train_etcs_id_2522))). 35. By 34, the attacker may know (RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_2630,trainSaF_2523,rbcNonce_2633,mac(genSessionKey(trainNonce_2524,rbcNonce_2633,getKey(new_rbc_id_2630,in_train_etcs_id_2522)),((PAYLOAD_LENGTH(),in_train_etcs_id_2522,RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_2630,trainSaF_2523),rbcNonce_2633,trainNonce_2524,in_train_etcs_id_2522))). Using the function 4-proj-7-tuple the attacker may obtain new_rbc_id_2630. attacker:new_rbc_id_2630. 36. Using the function DF_RESP the attacker may obtain DF_RESP(). attacker:DF_RESP(). 37. Using the function AU2 the attacker may obtain AU2(). attacker:AU2(). 38. Using the function RBC_ETCS_ID_TYPE the attacker may obtain RBC_ETCS_ID_TYPE(). attacker:RBC_ETCS_ID_TYPE(). 39. By 38, the attacker may know RBC_ETCS_ID_TYPE(). By 37, the attacker may know AU2(). By 36, the attacker may know DF_RESP(). By 35, the attacker may know new_rbc_id_2630. By 15, the attacker may know rbcSaF_2584. By 27, the attacker may know rbcNonce_2631. By 19, the attacker may know mac(genSessionKey(trainNonce_2629,rbcNonce_2631,getKey(new_rbc_id_2630,train_etcs_id_2632)),((PAYLOAD_LENGTH(),train_etcs_id_2632,RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_2630,rbcSaF_2584),rbcNonce_2631,trainNonce_2629,train_etcs_id_2632)). Using the function 7-tuple the attacker may obtain (RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_2630,rbcSaF_2584,rbcNonce_2631,mac(genSessionKey(trainNonce_2629,rbcNonce_2631,getKey(new_rbc_id_2630,train_etcs_id_2632)),((PAYLOAD_LENGTH(),train_etcs_id_2632,RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_2630,rbcSaF_2584),rbcNonce_2631,trainNonce_2629,train_etcs_id_2632))). attacker:(RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_2630,rbcSaF_2584,rbcNonce_2631,mac(genSessionKey(trainNonce_2629,rbcNonce_2631,getKey(new_rbc_id_2630,train_etcs_id_2632)),((PAYLOAD_LENGTH(),train_etcs_id_2632,RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_2630,rbcSaF_2584),rbcNonce_2631,trainNonce_2629,train_etcs_id_2632))). 40. The message new_rbc_id_2628 that may be sent on channel id[] by 13 may be received at input {9}. The message (RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_2630,rbcSaF_2584,rbcNonce_2631,mac(genSessionKey(trainNonce_2629,rbcNonce_2631,getKey(new_rbc_id_2630,train_etcs_id_2632)),((PAYLOAD_LENGTH(),train_etcs_id_2632,RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_2630,rbcSaF_2584),rbcNonce_2631,trainNonce_2629,train_etcs_id_2632))) that the attacker may have by 39 may be received at input {13}. So the message (ZEROS(),AU3(),DF_SEND(),mac(genSessionKey(trainNonce_2629,rbcNonce_2631,getKey(new_rbc_id_2630,train_etcs_id_2632)),(PAYLOAD_LENGTH(),train_etcs_id_2632,ZEROS(),AU3(),DF_SEND(),trainNonce_2629,rbcNonce_2631))) may be sent to the attacker at output {19}. attacker:(ZEROS(),AU3(),DF_SEND(),mac(genSessionKey(trainNonce_2629,rbcNonce_2631,getKey(new_rbc_id_2630,train_etcs_id_2632)),(PAYLOAD_LENGTH(),train_etcs_id_2632,ZEROS(),AU3(),DF_SEND(),trainNonce_2629,rbcNonce_2631))). 41. By 40, the attacker may know (ZEROS(),AU3(),DF_SEND(),mac(genSessionKey(trainNonce_2629,rbcNonce_2631,getKey(new_rbc_id_2630,train_etcs_id_2632)),(PAYLOAD_LENGTH(),train_etcs_id_2632,ZEROS(),AU3(),DF_SEND(),trainNonce_2629,rbcNonce_2631))). Using the function 4-proj-4-tuple the attacker may obtain mac(genSessionKey(trainNonce_2629,rbcNonce_2631,getKey(new_rbc_id_2630,train_etcs_id_2632)),(PAYLOAD_LENGTH(),train_etcs_id_2632,ZEROS(),AU3(),DF_SEND(),trainNonce_2629,rbcNonce_2631)). attacker:mac(genSessionKey(trainNonce_2629,rbcNonce_2631,getKey(new_rbc_id_2630,train_etcs_id_2632)),(PAYLOAD_LENGTH(),train_etcs_id_2632,ZEROS(),AU3(),DF_SEND(),trainNonce_2629,rbcNonce_2631)). 42. Using the function AU3 the attacker may obtain AU3(). attacker:AU3(). 43. Using the function ZEROS the attacker may obtain ZEROS(). attacker:ZEROS(). 44. By 43, the attacker may know ZEROS(). By 42, the attacker may know AU3(). By 9, the attacker may know DF_SEND(). By 41, the attacker may know mac(genSessionKey(trainNonce_2629,rbcNonce_2631,getKey(new_rbc_id_2630,train_etcs_id_2632)),(PAYLOAD_LENGTH(),train_etcs_id_2632,ZEROS(),AU3(),DF_SEND(),trainNonce_2629,rbcNonce_2631)). Using the function 4-tuple the attacker may obtain (ZEROS(),AU3(),DF_SEND(),mac(genSessionKey(trainNonce_2629,rbcNonce_2631,getKey(new_rbc_id_2630,train_etcs_id_2632)),(PAYLOAD_LENGTH(),train_etcs_id_2632,ZEROS(),AU3(),DF_SEND(),trainNonce_2629,rbcNonce_2631))). attacker:(ZEROS(),AU3(),DF_SEND(),mac(genSessionKey(trainNonce_2629,rbcNonce_2631,getKey(new_rbc_id_2630,train_etcs_id_2632)),(PAYLOAD_LENGTH(),train_etcs_id_2632,ZEROS(),AU3(),DF_SEND(),trainNonce_2629,rbcNonce_2631))). 45. We assume as hypothesis that attacker:msgA_2617. 46. We assume as hypothesis that attacker:timeA_2616. 47. Using the function DT the attacker may obtain DT(). attacker:DT(). 48. By 47, the attacker may know DT(). By 46, the attacker may know timeA_2616. By 45, the attacker may know msgA_2617. Using the function 3-tuple the attacker may obtain (DT(),timeA_2616,msgA_2617). attacker:(DT(),timeA_2616,msgA_2617). 49. We assume as hypothesis that attacker:msgB_2615. 50. We assume as hypothesis that attacker:timeB_2614. 51. By 47, the attacker may know DT(). By 50, the attacker may know timeB_2614. By 49, the attacker may know msgB_2615. Using the function 3-tuple the attacker may obtain (DT(),timeB_2614,msgB_2615). attacker:(DT(),timeB_2614,msgB_2615). 52. We assume as hypothesis that attacker:msgC_2613. 53. We assume as hypothesis that attacker:timeC_2612. 54. By 47, the attacker may know DT(). By 53, the attacker may know timeC_2612. By 52, the attacker may know msgC_2613. Using the function 3-tuple the attacker may obtain (DT(),timeC_2612,msgC_2613). attacker:(DT(),timeC_2612,msgC_2613). 55. The message new_rbc_id_2630 that may be sent on channel id[] by 1 may be received at input {31}. The message (sent_ETCS_ID_TYPE_2622,AU1(),DF_SEND(),train_etcs_id_2632,trainSaF_2623,trainNonce_2629) that the attacker may have by 12 may be received at input {33}. The message (ZEROS(),AU3(),DF_SEND(),mac(genSessionKey(trainNonce_2629,rbcNonce_2631,getKey(new_rbc_id_2630,train_etcs_id_2632)),(PAYLOAD_LENGTH(),train_etcs_id_2632,ZEROS(),AU3(),DF_SEND(),trainNonce_2629,rbcNonce_2631))) that the attacker may have by 44 may be received at input {39}. The message (DT(),timeA_2616,msgA_2617) that the attacker may have by 48 may be received at input {42}. The message (DT(),timeB_2614,msgB_2615) that the attacker may have by 51 may be received at input {44}. The message (DT(),timeC_2612,msgC_2613) that the attacker may have by 54 may be received at input {47}. So event MessagesReceived3((DT(),timeA_2616,msgA_2617),(DT(),timeB_2614,msgB_2615),(DT(),timeC_2612,msgC_2613)) may be executed at {49} in session endsid_2624. end:endsid_2624,MessagesReceived3((DT(),timeA_2616,msgA_2617),(DT(),timeB_2614,msgB_2615),(DT(),timeC_2612,msgC_2613)). Unified sent_ETCS_ID_TYPE_2542 with sent_ETCS_ID_TYPE_2622 Unified in_train_etcs_id_2543 with train_etcs_id_20[!1 = @sid_2588] Unified trainSaF_2544 with trainSaF_2623 Unified trainNonce_2545 with trainNonce_23[rbc_etcs_id_22 = new_rbc_id_19[!1 = @sid_2491],!2 = @sid_2587,!1 = @sid_2588] Unified sent_ETCS_ID_TYPE_2563 with sent_ETCS_ID_TYPE_2622 Unified rbcSaF_2584 with trainSaF_2623 Iterating unifyDerivation. Fixpoint reached: nothing more to unify. The clause after unifyDerivation is attacker:msgA_2638 & attacker:timeA_2637 & attacker:msgB_2640 & attacker:timeB_2639 & attacker:msgC_2642 & attacker:timeC_2641 -> end:endsid_2636,MessagesReceived3((DT(),timeA_2637,msgA_2638),(DT(),timeB_2639,msgB_2640),(DT(),timeC_2641,msgC_2642)) This clause still contradicts the query. A more detailed output of the traces is available with param traceDisplay = long. new train_etcs_id_20 creating train_etcs_id_20_2674 at {6} in copy a_2653 new session_21 creating session_21_2735 at {8} in copy a_2653, a_2652 new session_21 creating session_21_2736 at {8} in copy a_2653, a_2664 new new_rbc_id_19 creating new_rbc_id_19_2671 at {2} in copy a_2654 new new_rbc_id_19 creating new_rbc_id_19_2676 at {2} in copy a_2651 new new_rbc_id_19 creating new_rbc_id_19_2673 at {2} in copy a_2663 out(id, new_rbc_id_19_2673) at {4} in copy a_2663, a_2665 received at {9} in copy a_2653, a_2664 new trainNonce_23 creating trainNonce_23_2675 at {10} in copy a_2653, a_2664 event(trainStartSession(new_rbc_id_19_2673,train_etcs_id_20_2674,trainNonce_23_2675,SAF())) at {11} in copy a_2653, a_2664 out(c, (TRAIN_ETCS_ID_TYPE(),AU1(),DF_SEND(),train_etcs_id_20_2674,SAF(),trainNonce_23_2675)) at {12} in copy a_2653, a_2664 out(id, new_rbc_id_19_2676) at {4} in copy a_2651, a_2669 received at {9} in copy a_2653, a_2652 new trainNonce_23 creating trainNonce_23_2677 at {10} in copy a_2653, a_2652 event(trainStartSession(new_rbc_id_19_2676,train_etcs_id_20_2674,trainNonce_23_2677,SAF())) at {11} in copy a_2653, a_2652 out(c, (TRAIN_ETCS_ID_TYPE(),AU1(),DF_SEND(),train_etcs_id_20_2674,SAF(),trainNonce_23_2677)) at {12} in copy a_2653, a_2652 out(id, new_rbc_id_19_2671) at {4} in copy a_2654, a_2661 received at {31} in copy a_2657 new rbcNonce_37 creating rbcNonce_37_2672 at {32} in copy a_2657 in(c, (a_2660,AU1(),DF_SEND(),a_2659,a_2656,a_2658)) at {33} in copy a_2657 event(rbcStartSession(new_rbc_id_19_2671,a_2659,rbcNonce_37_2672,a_2656,a_2658)) at {34} in copy a_2657 out(c, encrypt(SECRET,genSessionKey(a_2658,rbcNonce_37_2672,getKey(new_rbc_id_19_2671,a_2659)))) at {36} in copy a_2657 out(c, encrypt(SECRET,getKey(new_rbc_id_19_2671,a_2659))) at {37} in copy a_2657 out(c, (RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_19_2671,a_2656,rbcNonce_37_2672,mac(genSessionKey(a_2658,rbcNonce_37_2672,getKey(new_rbc_id_19_2671,a_2659)),((PAYLOAD_LENGTH(),a_2659,RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_19_2671,a_2656),rbcNonce_37_2672,a_2658,a_2659)))) at {38} in copy a_2657 out(id, new_rbc_id_19_2671) at {4} in copy a_2654, a_2667 received at {31} in copy a_2644 new rbcNonce_37 creating rbcNonce_37_2678 at {32} in copy a_2644 in(c, (a_2662,AU1(),DF_SEND(),train_etcs_id_20_2674,a_2655,trainNonce_23_2677)) at {33} in copy a_2644 event(rbcStartSession(new_rbc_id_19_2671,train_etcs_id_20_2674,rbcNonce_37_2678,a_2655,trainNonce_23_2677)) at {34} in copy a_2644 out(c, encrypt(SECRET,genSessionKey(trainNonce_23_2677,rbcNonce_37_2678,getKey(new_rbc_id_19_2671,train_etcs_id_20_2674)))) at {36} in copy a_2644 out(c, encrypt(SECRET,getKey(new_rbc_id_19_2671,train_etcs_id_20_2674))) at {37} in copy a_2644 out(c, (RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_19_2671,a_2655,rbcNonce_37_2678,mac(genSessionKey(trainNonce_23_2677,rbcNonce_37_2678,getKey(new_rbc_id_19_2671,train_etcs_id_20_2674)),((PAYLOAD_LENGTH(),train_etcs_id_20_2674,RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_19_2671,a_2655),rbcNonce_37_2678,trainNonce_23_2677,train_etcs_id_20_2674)))) at {38} in copy a_2644 in(c, (RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_19_2671,a_2655,rbcNonce_37_2678,mac(genSessionKey(trainNonce_23_2677,rbcNonce_37_2678,getKey(new_rbc_id_19_2671,train_etcs_id_20_2674)),((PAYLOAD_LENGTH(),train_etcs_id_20_2674,RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_19_2671,a_2655),rbcNonce_37_2678,trainNonce_23_2677,train_etcs_id_20_2674)))) at {13} in copy a_2653, a_2652 out(c, encrypt(SECRET,genSessionKey(trainNonce_23_2677,rbcNonce_37_2678,getKey(new_rbc_id_19_2671,train_etcs_id_20_2674)))) at {15} in copy a_2653, a_2652 out(c, encrypt(SECRET,getKey(new_rbc_id_19_2671,train_etcs_id_20_2674))) at {16} in copy a_2653, a_2652 event(trainFinishSession(new_rbc_id_19_2671,train_etcs_id_20_2674,trainNonce_23_2677,a_2655,rbcNonce_37_2678,genSessionKey(trainNonce_23_2677,rbcNonce_37_2678,getKey(new_rbc_id_19_2671,train_etcs_id_20_2674)))) at {18} in copy a_2653, a_2652 out(c, (ZEROS(),AU3(),DF_SEND(),mac(genSessionKey(trainNonce_23_2677,rbcNonce_37_2678,getKey(new_rbc_id_19_2671,train_etcs_id_20_2674)),(PAYLOAD_LENGTH(),train_etcs_id_20_2674,ZEROS(),AU3(),DF_SEND(),trainNonce_23_2677,rbcNonce_37_2678)))) at {19} in copy a_2653, a_2652 new time_29 creating time_29_2847 at {20} in copy a_2653, a_2652 in(c, (ZEROS(),AU3(),DF_SEND(),mac(genSessionKey(trainNonce_23_2677,rbcNonce_37_2678,getKey(new_rbc_id_19_2671,train_etcs_id_20_2674)),(PAYLOAD_LENGTH(),train_etcs_id_20_2674,ZEROS(),AU3(),DF_SEND(),trainNonce_23_2677,rbcNonce_37_2678)))) at {39} in copy a_2644 event(rbcFinishSession(new_rbc_id_19_2671,train_etcs_id_20_2674,rbcNonce_37_2678,a_2655,trainNonce_23_2677,genSessionKey(trainNonce_23_2677,rbcNonce_37_2678,getKey(new_rbc_id_19_2671,train_etcs_id_20_2674)))) at {41} in copy a_2644 in(c, (DT(),a_2645,a_2646)) at {42} in copy a_2644 event(DataReceived1((DT(),a_2645,a_2646))) at {43} in copy a_2644 in(c, (DT(),a_2647,a_2648)) at {44} in copy a_2644 event(DataReceived2((DT(),a_2647,a_2648))) at {45} in copy a_2644 event(MessagesReceived2((DT(),a_2645,a_2646),(DT(),a_2647,a_2648))) at {46} in copy a_2644 in(c, (DT(),a_2649,a_2650)) at {47} in copy a_2644 event(DataReceived3((DT(),a_2649,a_2650))) at {48} in copy a_2644 event(MessagesReceived3((DT(),a_2645,a_2646),(DT(),a_2647,a_2648),(DT(),a_2649,a_2650))) at {49} in copy a_2644 The event MessagesReceived3((DT(),a_2645,a_2646),(DT(),a_2647,a_2648),(DT(),a_2649,a_2650)) is executed in session a_2644. A trace has been found. RESULT evinj:MessagesReceived3(m1_58,m2_59,m3_60) ==> (evinj:DataSent1(s_61,m1_58) & evinj:DataSent2(s_61,m2_59) & evinj:DataSent3(s_61,m3_60)) is false. RESULT (even ev:MessagesReceived3(m1_2461,m2_2462,m3_2463) ==> (ev:DataSent1(s_2460,m1_2461) & ev:DataSent2(s_2460,m2_2462) & ev:DataSent3(s_2460,m3_2463)) is false.) nounif greater:x_2891,*y_2892/-5000 -- Query evinj:MessagesReceived2(m1_2880,m2_2881) ==> (evinj:DataSent1(s_2882,m1_2880) & evinj:DataSent2(s_2882,m2_2881)) | (evinj:DataSent1(s_2882,m1_2880) & evinj:DataSent3(s_2882,m2_2881)) | (evinj:DataSent2(s_2882,m1_2880) & evinj:DataSent3(s_2882,m2_2881)) Completing... Starting query evinj:MessagesReceived2(m1_2880,m2_2881) ==> (evinj:DataSent1(s_2882,m1_2880) & evinj:DataSent2(s_2882,m2_2881)) | (evinj:DataSent1(s_2882,m1_2880) & evinj:DataSent3(s_2882,m2_2881)) | (evinj:DataSent2(s_2882,m1_2880) & evinj:DataSent3(s_2882,m2_2881)) goal reachable: attacker:timeB_4959 & attacker:msgB_4960 & attacker:timeA_4961 & attacker:msgA_4962 -> end:endsid_4963,MessagesReceived2((DT(),timeA_4961,msgA_4962),(DT(),timeB_4959,msgB_4960)) Abbreviations: new_rbc_id_5127 = new_rbc_id_19[!1 = @sid_4996] trainNonce_5128 = trainNonce_23[rbc_etcs_id_22 = new_rbc_id_5127,!2 = @sid_5092,!1 = @sid_5093] new_rbc_id_5129 = new_rbc_id_19[!1 = @sid_5060] rbcNonce_5130 = rbcNonce_37[rbc_etcs_id_36 = new_rbc_id_5129,!1 = endsid_5124] train_etcs_id_5131 = train_etcs_id_20[!1 = @sid_5093] rbcNonce_5132 = rbcNonce_37[rbc_etcs_id_36 = new_rbc_id_5129,!1 = @sid_5031] new_rbc_id_5133 = new_rbc_id_19[!1 = @sid_4970] trainNonce_5134 = trainNonce_23[rbc_etcs_id_22 = new_rbc_id_5133,!2 = @sid_4974,!1 = @sid_5093] 1. The message new_rbc_id_5129 may be sent on channel id[] at output {4}. mess:id[],new_rbc_id_5129. 2. The message new_rbc_id_5127 may be sent on channel id[] at output {4}. mess:id[],new_rbc_id_5127. 3. The message new_rbc_id_5127 that may be sent on channel id[] by 2 may be received at input {9}. So the message (TRAIN_ETCS_ID_TYPE(),AU1(),DF_SEND(),train_etcs_id_5131,SAF(),trainNonce_5128) may be sent to the attacker at output {12}. attacker:(TRAIN_ETCS_ID_TYPE(),AU1(),DF_SEND(),train_etcs_id_5131,SAF(),trainNonce_5128). 4. By 3, the attacker may know (TRAIN_ETCS_ID_TYPE(),AU1(),DF_SEND(),train_etcs_id_5131,SAF(),trainNonce_5128). Using the function 6-proj-6-tuple the attacker may obtain trainNonce_5128. attacker:trainNonce_5128. 5. The attacker has some term trainSaF_5123. attacker:trainSaF_5123. 6. The message new_rbc_id_5133 may be sent on channel id[] at output {4}. mess:id[],new_rbc_id_5133. 7. The message new_rbc_id_5133 that may be sent on channel id[] by 6 may be received at input {9}. So the message (TRAIN_ETCS_ID_TYPE(),AU1(),DF_SEND(),train_etcs_id_5131,SAF(),trainNonce_5134) may be sent to the attacker at output {12}. attacker:(TRAIN_ETCS_ID_TYPE(),AU1(),DF_SEND(),train_etcs_id_5131,SAF(),trainNonce_5134). 8. By 7, the attacker may know (TRAIN_ETCS_ID_TYPE(),AU1(),DF_SEND(),train_etcs_id_5131,SAF(),trainNonce_5134). Using the function 4-proj-6-tuple the attacker may obtain train_etcs_id_5131. attacker:train_etcs_id_5131. 9. Using the function DF_SEND the attacker may obtain DF_SEND(). attacker:DF_SEND(). 10. Using the function AU1 the attacker may obtain AU1(). attacker:AU1(). 11. The attacker has some term sent_ETCS_ID_TYPE_5122. attacker:sent_ETCS_ID_TYPE_5122. 12. By 11, the attacker may know sent_ETCS_ID_TYPE_5122. By 10, the attacker may know AU1(). By 9, the attacker may know DF_SEND(). By 8, the attacker may know train_etcs_id_5131. By 5, the attacker may know trainSaF_5123. By 4, the attacker may know trainNonce_5128. Using the function 6-tuple the attacker may obtain (sent_ETCS_ID_TYPE_5122,AU1(),DF_SEND(),train_etcs_id_5131,trainSaF_5123,trainNonce_5128). attacker:(sent_ETCS_ID_TYPE_5122,AU1(),DF_SEND(),train_etcs_id_5131,trainSaF_5123,trainNonce_5128). 13. The message new_rbc_id_5127 may be sent on channel id[] at output {4}. mess:id[],new_rbc_id_5127. 14. The message new_rbc_id_5129 may be sent on channel id[] at output {4}. mess:id[],new_rbc_id_5129. 15. The attacker has some term rbcSaF_5089. attacker:rbcSaF_5089. 16. The attacker has some term sent_ETCS_ID_TYPE_5068. attacker:sent_ETCS_ID_TYPE_5068. 17. By 16, the attacker may know sent_ETCS_ID_TYPE_5068. By 10, the attacker may know AU1(). By 9, the attacker may know DF_SEND(). By 8, the attacker may know train_etcs_id_5131. By 15, the attacker may know rbcSaF_5089. By 4, the attacker may know trainNonce_5128. Using the function 6-tuple the attacker may obtain (sent_ETCS_ID_TYPE_5068,AU1(),DF_SEND(),train_etcs_id_5131,rbcSaF_5089,trainNonce_5128). attacker:(sent_ETCS_ID_TYPE_5068,AU1(),DF_SEND(),train_etcs_id_5131,rbcSaF_5089,trainNonce_5128). 18. The message new_rbc_id_5129 that may be sent on channel id[] by 14 may be received at input {31}. The message (sent_ETCS_ID_TYPE_5068,AU1(),DF_SEND(),train_etcs_id_5131,rbcSaF_5089,trainNonce_5128) that the attacker may have by 17 may be received at input {33}. So the message (RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_5129,rbcSaF_5089,rbcNonce_5130,mac(genSessionKey(trainNonce_5128,rbcNonce_5130,getKey(new_rbc_id_5129,train_etcs_id_5131)),((PAYLOAD_LENGTH(),train_etcs_id_5131,RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_5129,rbcSaF_5089),rbcNonce_5130,trainNonce_5128,train_etcs_id_5131))) may be sent to the attacker at output {38}. attacker:(RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_5129,rbcSaF_5089,rbcNonce_5130,mac(genSessionKey(trainNonce_5128,rbcNonce_5130,getKey(new_rbc_id_5129,train_etcs_id_5131)),((PAYLOAD_LENGTH(),train_etcs_id_5131,RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_5129,rbcSaF_5089),rbcNonce_5130,trainNonce_5128,train_etcs_id_5131))). 19. By 18, the attacker may know (RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_5129,rbcSaF_5089,rbcNonce_5130,mac(genSessionKey(trainNonce_5128,rbcNonce_5130,getKey(new_rbc_id_5129,train_etcs_id_5131)),((PAYLOAD_LENGTH(),train_etcs_id_5131,RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_5129,rbcSaF_5089),rbcNonce_5130,trainNonce_5128,train_etcs_id_5131))). Using the function 7-proj-7-tuple the attacker may obtain mac(genSessionKey(trainNonce_5128,rbcNonce_5130,getKey(new_rbc_id_5129,train_etcs_id_5131)),((PAYLOAD_LENGTH(),train_etcs_id_5131,RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_5129,rbcSaF_5089),rbcNonce_5130,trainNonce_5128,train_etcs_id_5131)). attacker:mac(genSessionKey(trainNonce_5128,rbcNonce_5130,getKey(new_rbc_id_5129,train_etcs_id_5131)),((PAYLOAD_LENGTH(),train_etcs_id_5131,RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_5129,rbcSaF_5089),rbcNonce_5130,trainNonce_5128,train_etcs_id_5131)). 20. The message new_rbc_id_5129 may be sent on channel id[] at output {4}. mess:id[],new_rbc_id_5129. 21. The attacker has some term trainNonce_5050. attacker:trainNonce_5050. 22. The attacker has some term trainSaF_5049. attacker:trainSaF_5049. 23. The attacker has some term in_train_etcs_id_5048. attacker:in_train_etcs_id_5048. 24. The attacker has some term sent_ETCS_ID_TYPE_5047. attacker:sent_ETCS_ID_TYPE_5047. 25. By 24, the attacker may know sent_ETCS_ID_TYPE_5047. By 10, the attacker may know AU1(). By 9, the attacker may know DF_SEND(). By 23, the attacker may know in_train_etcs_id_5048. By 22, the attacker may know trainSaF_5049. By 21, the attacker may know trainNonce_5050. Using the function 6-tuple the attacker may obtain (sent_ETCS_ID_TYPE_5047,AU1(),DF_SEND(),in_train_etcs_id_5048,trainSaF_5049,trainNonce_5050). attacker:(sent_ETCS_ID_TYPE_5047,AU1(),DF_SEND(),in_train_etcs_id_5048,trainSaF_5049,trainNonce_5050). 26. The message new_rbc_id_5129 that may be sent on channel id[] by 20 may be received at input {31}. The message (sent_ETCS_ID_TYPE_5047,AU1(),DF_SEND(),in_train_etcs_id_5048,trainSaF_5049,trainNonce_5050) that the attacker may have by 25 may be received at input {33}. So the message (RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_5129,trainSaF_5049,rbcNonce_5130,mac(genSessionKey(trainNonce_5050,rbcNonce_5130,getKey(new_rbc_id_5129,in_train_etcs_id_5048)),((PAYLOAD_LENGTH(),in_train_etcs_id_5048,RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_5129,trainSaF_5049),rbcNonce_5130,trainNonce_5050,in_train_etcs_id_5048))) may be sent to the attacker at output {38}. attacker:(RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_5129,trainSaF_5049,rbcNonce_5130,mac(genSessionKey(trainNonce_5050,rbcNonce_5130,getKey(new_rbc_id_5129,in_train_etcs_id_5048)),((PAYLOAD_LENGTH(),in_train_etcs_id_5048,RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_5129,trainSaF_5049),rbcNonce_5130,trainNonce_5050,in_train_etcs_id_5048))). 27. By 26, the attacker may know (RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_5129,trainSaF_5049,rbcNonce_5130,mac(genSessionKey(trainNonce_5050,rbcNonce_5130,getKey(new_rbc_id_5129,in_train_etcs_id_5048)),((PAYLOAD_LENGTH(),in_train_etcs_id_5048,RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_5129,trainSaF_5049),rbcNonce_5130,trainNonce_5050,in_train_etcs_id_5048))). Using the function 6-proj-7-tuple the attacker may obtain rbcNonce_5130. attacker:rbcNonce_5130. 28. The message new_rbc_id_5129 may be sent on channel id[] at output {4}. mess:id[],new_rbc_id_5129. 29. The attacker has some term trainNonce_5029. attacker:trainNonce_5029. 30. The attacker has some term trainSaF_5028. attacker:trainSaF_5028. 31. The attacker has some term in_train_etcs_id_5027. attacker:in_train_etcs_id_5027. 32. The attacker has some term sent_ETCS_ID_TYPE_5026. attacker:sent_ETCS_ID_TYPE_5026. 33. By 32, the attacker may know sent_ETCS_ID_TYPE_5026. By 10, the attacker may know AU1(). By 9, the attacker may know DF_SEND(). By 31, the attacker may know in_train_etcs_id_5027. By 30, the attacker may know trainSaF_5028. By 29, the attacker may know trainNonce_5029. Using the function 6-tuple the attacker may obtain (sent_ETCS_ID_TYPE_5026,AU1(),DF_SEND(),in_train_etcs_id_5027,trainSaF_5028,trainNonce_5029). attacker:(sent_ETCS_ID_TYPE_5026,AU1(),DF_SEND(),in_train_etcs_id_5027,trainSaF_5028,trainNonce_5029). 34. The message new_rbc_id_5129 that may be sent on channel id[] by 28 may be received at input {31}. The message (sent_ETCS_ID_TYPE_5026,AU1(),DF_SEND(),in_train_etcs_id_5027,trainSaF_5028,trainNonce_5029) that the attacker may have by 33 may be received at input {33}. So the message (RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_5129,trainSaF_5028,rbcNonce_5132,mac(genSessionKey(trainNonce_5029,rbcNonce_5132,getKey(new_rbc_id_5129,in_train_etcs_id_5027)),((PAYLOAD_LENGTH(),in_train_etcs_id_5027,RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_5129,trainSaF_5028),rbcNonce_5132,trainNonce_5029,in_train_etcs_id_5027))) may be sent to the attacker at output {38}. attacker:(RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_5129,trainSaF_5028,rbcNonce_5132,mac(genSessionKey(trainNonce_5029,rbcNonce_5132,getKey(new_rbc_id_5129,in_train_etcs_id_5027)),((PAYLOAD_LENGTH(),in_train_etcs_id_5027,RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_5129,trainSaF_5028),rbcNonce_5132,trainNonce_5029,in_train_etcs_id_5027))). 35. By 34, the attacker may know (RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_5129,trainSaF_5028,rbcNonce_5132,mac(genSessionKey(trainNonce_5029,rbcNonce_5132,getKey(new_rbc_id_5129,in_train_etcs_id_5027)),((PAYLOAD_LENGTH(),in_train_etcs_id_5027,RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_5129,trainSaF_5028),rbcNonce_5132,trainNonce_5029,in_train_etcs_id_5027))). Using the function 4-proj-7-tuple the attacker may obtain new_rbc_id_5129. attacker:new_rbc_id_5129. 36. Using the function DF_RESP the attacker may obtain DF_RESP(). attacker:DF_RESP(). 37. Using the function AU2 the attacker may obtain AU2(). attacker:AU2(). 38. Using the function RBC_ETCS_ID_TYPE the attacker may obtain RBC_ETCS_ID_TYPE(). attacker:RBC_ETCS_ID_TYPE(). 39. By 38, the attacker may know RBC_ETCS_ID_TYPE(). By 37, the attacker may know AU2(). By 36, the attacker may know DF_RESP(). By 35, the attacker may know new_rbc_id_5129. By 15, the attacker may know rbcSaF_5089. By 27, the attacker may know rbcNonce_5130. By 19, the attacker may know mac(genSessionKey(trainNonce_5128,rbcNonce_5130,getKey(new_rbc_id_5129,train_etcs_id_5131)),((PAYLOAD_LENGTH(),train_etcs_id_5131,RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_5129,rbcSaF_5089),rbcNonce_5130,trainNonce_5128,train_etcs_id_5131)). Using the function 7-tuple the attacker may obtain (RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_5129,rbcSaF_5089,rbcNonce_5130,mac(genSessionKey(trainNonce_5128,rbcNonce_5130,getKey(new_rbc_id_5129,train_etcs_id_5131)),((PAYLOAD_LENGTH(),train_etcs_id_5131,RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_5129,rbcSaF_5089),rbcNonce_5130,trainNonce_5128,train_etcs_id_5131))). attacker:(RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_5129,rbcSaF_5089,rbcNonce_5130,mac(genSessionKey(trainNonce_5128,rbcNonce_5130,getKey(new_rbc_id_5129,train_etcs_id_5131)),((PAYLOAD_LENGTH(),train_etcs_id_5131,RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_5129,rbcSaF_5089),rbcNonce_5130,trainNonce_5128,train_etcs_id_5131))). 40. The message new_rbc_id_5127 that may be sent on channel id[] by 13 may be received at input {9}. The message (RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_5129,rbcSaF_5089,rbcNonce_5130,mac(genSessionKey(trainNonce_5128,rbcNonce_5130,getKey(new_rbc_id_5129,train_etcs_id_5131)),((PAYLOAD_LENGTH(),train_etcs_id_5131,RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_5129,rbcSaF_5089),rbcNonce_5130,trainNonce_5128,train_etcs_id_5131))) that the attacker may have by 39 may be received at input {13}. So the message (ZEROS(),AU3(),DF_SEND(),mac(genSessionKey(trainNonce_5128,rbcNonce_5130,getKey(new_rbc_id_5129,train_etcs_id_5131)),(PAYLOAD_LENGTH(),train_etcs_id_5131,ZEROS(),AU3(),DF_SEND(),trainNonce_5128,rbcNonce_5130))) may be sent to the attacker at output {19}. attacker:(ZEROS(),AU3(),DF_SEND(),mac(genSessionKey(trainNonce_5128,rbcNonce_5130,getKey(new_rbc_id_5129,train_etcs_id_5131)),(PAYLOAD_LENGTH(),train_etcs_id_5131,ZEROS(),AU3(),DF_SEND(),trainNonce_5128,rbcNonce_5130))). 41. By 40, the attacker may know (ZEROS(),AU3(),DF_SEND(),mac(genSessionKey(trainNonce_5128,rbcNonce_5130,getKey(new_rbc_id_5129,train_etcs_id_5131)),(PAYLOAD_LENGTH(),train_etcs_id_5131,ZEROS(),AU3(),DF_SEND(),trainNonce_5128,rbcNonce_5130))). Using the function 4-proj-4-tuple the attacker may obtain mac(genSessionKey(trainNonce_5128,rbcNonce_5130,getKey(new_rbc_id_5129,train_etcs_id_5131)),(PAYLOAD_LENGTH(),train_etcs_id_5131,ZEROS(),AU3(),DF_SEND(),trainNonce_5128,rbcNonce_5130)). attacker:mac(genSessionKey(trainNonce_5128,rbcNonce_5130,getKey(new_rbc_id_5129,train_etcs_id_5131)),(PAYLOAD_LENGTH(),train_etcs_id_5131,ZEROS(),AU3(),DF_SEND(),trainNonce_5128,rbcNonce_5130)). 42. Using the function AU3 the attacker may obtain AU3(). attacker:AU3(). 43. Using the function ZEROS the attacker may obtain ZEROS(). attacker:ZEROS(). 44. By 43, the attacker may know ZEROS(). By 42, the attacker may know AU3(). By 9, the attacker may know DF_SEND(). By 41, the attacker may know mac(genSessionKey(trainNonce_5128,rbcNonce_5130,getKey(new_rbc_id_5129,train_etcs_id_5131)),(PAYLOAD_LENGTH(),train_etcs_id_5131,ZEROS(),AU3(),DF_SEND(),trainNonce_5128,rbcNonce_5130)). Using the function 4-tuple the attacker may obtain (ZEROS(),AU3(),DF_SEND(),mac(genSessionKey(trainNonce_5128,rbcNonce_5130,getKey(new_rbc_id_5129,train_etcs_id_5131)),(PAYLOAD_LENGTH(),train_etcs_id_5131,ZEROS(),AU3(),DF_SEND(),trainNonce_5128,rbcNonce_5130))). attacker:(ZEROS(),AU3(),DF_SEND(),mac(genSessionKey(trainNonce_5128,rbcNonce_5130,getKey(new_rbc_id_5129,train_etcs_id_5131)),(PAYLOAD_LENGTH(),train_etcs_id_5131,ZEROS(),AU3(),DF_SEND(),trainNonce_5128,rbcNonce_5130))). 45. We assume as hypothesis that attacker:msgA_5117. 46. We assume as hypothesis that attacker:timeA_5116. 47. Using the function DT the attacker may obtain DT(). attacker:DT(). 48. By 47, the attacker may know DT(). By 46, the attacker may know timeA_5116. By 45, the attacker may know msgA_5117. Using the function 3-tuple the attacker may obtain (DT(),timeA_5116,msgA_5117). attacker:(DT(),timeA_5116,msgA_5117). 49. We assume as hypothesis that attacker:msgB_5115. 50. We assume as hypothesis that attacker:timeB_5114. 51. By 47, the attacker may know DT(). By 50, the attacker may know timeB_5114. By 49, the attacker may know msgB_5115. Using the function 3-tuple the attacker may obtain (DT(),timeB_5114,msgB_5115). attacker:(DT(),timeB_5114,msgB_5115). 52. The message new_rbc_id_5129 that may be sent on channel id[] by 1 may be received at input {31}. The message (sent_ETCS_ID_TYPE_5122,AU1(),DF_SEND(),train_etcs_id_5131,trainSaF_5123,trainNonce_5128) that the attacker may have by 12 may be received at input {33}. The message (ZEROS(),AU3(),DF_SEND(),mac(genSessionKey(trainNonce_5128,rbcNonce_5130,getKey(new_rbc_id_5129,train_etcs_id_5131)),(PAYLOAD_LENGTH(),train_etcs_id_5131,ZEROS(),AU3(),DF_SEND(),trainNonce_5128,rbcNonce_5130))) that the attacker may have by 44 may be received at input {39}. The message (DT(),timeA_5116,msgA_5117) that the attacker may have by 48 may be received at input {42}. The message (DT(),timeB_5114,msgB_5115) that the attacker may have by 51 may be received at input {44}. So event MessagesReceived2((DT(),timeA_5116,msgA_5117),(DT(),timeB_5114,msgB_5115)) may be executed at {46} in session endsid_5124. end:endsid_5124,MessagesReceived2((DT(),timeA_5116,msgA_5117),(DT(),timeB_5114,msgB_5115)). Unified sent_ETCS_ID_TYPE_5047 with sent_ETCS_ID_TYPE_5122 Unified in_train_etcs_id_5048 with train_etcs_id_20[!1 = @sid_5093] Unified trainSaF_5049 with trainSaF_5123 Unified trainNonce_5050 with trainNonce_23[rbc_etcs_id_22 = new_rbc_id_19[!1 = @sid_4996],!2 = @sid_5092,!1 = @sid_5093] Unified sent_ETCS_ID_TYPE_5068 with sent_ETCS_ID_TYPE_5122 Unified rbcSaF_5089 with trainSaF_5123 Iterating unifyDerivation. Fixpoint reached: nothing more to unify. The clause after unifyDerivation is attacker:msgA_5137 & attacker:timeA_5136 & attacker:msgB_5139 & attacker:timeB_5138 -> end:endsid_5135,MessagesReceived2((DT(),timeA_5136,msgA_5137),(DT(),timeB_5138,msgB_5139)) This clause still contradicts the query. A more detailed output of the traces is available with param traceDisplay = long. new train_etcs_id_20 creating train_etcs_id_20_5171 at {6} in copy a_5150 new session_21 creating session_21_5232 at {8} in copy a_5150, a_5149 new session_21 creating session_21_5233 at {8} in copy a_5150, a_5161 new new_rbc_id_19 creating new_rbc_id_19_5168 at {2} in copy a_5151 new new_rbc_id_19 creating new_rbc_id_19_5173 at {2} in copy a_5148 new new_rbc_id_19 creating new_rbc_id_19_5170 at {2} in copy a_5160 out(id, new_rbc_id_19_5170) at {4} in copy a_5160, a_5162 received at {9} in copy a_5150, a_5161 new trainNonce_23 creating trainNonce_23_5172 at {10} in copy a_5150, a_5161 event(trainStartSession(new_rbc_id_19_5170,train_etcs_id_20_5171,trainNonce_23_5172,SAF())) at {11} in copy a_5150, a_5161 out(c, (TRAIN_ETCS_ID_TYPE(),AU1(),DF_SEND(),train_etcs_id_20_5171,SAF(),trainNonce_23_5172)) at {12} in copy a_5150, a_5161 out(id, new_rbc_id_19_5173) at {4} in copy a_5148, a_5166 received at {9} in copy a_5150, a_5149 new trainNonce_23 creating trainNonce_23_5174 at {10} in copy a_5150, a_5149 event(trainStartSession(new_rbc_id_19_5173,train_etcs_id_20_5171,trainNonce_23_5174,SAF())) at {11} in copy a_5150, a_5149 out(c, (TRAIN_ETCS_ID_TYPE(),AU1(),DF_SEND(),train_etcs_id_20_5171,SAF(),trainNonce_23_5174)) at {12} in copy a_5150, a_5149 out(id, new_rbc_id_19_5168) at {4} in copy a_5151, a_5158 received at {31} in copy a_5154 new rbcNonce_37 creating rbcNonce_37_5169 at {32} in copy a_5154 in(c, (a_5157,AU1(),DF_SEND(),a_5156,a_5153,a_5155)) at {33} in copy a_5154 event(rbcStartSession(new_rbc_id_19_5168,a_5156,rbcNonce_37_5169,a_5153,a_5155)) at {34} in copy a_5154 out(c, encrypt(SECRET,genSessionKey(a_5155,rbcNonce_37_5169,getKey(new_rbc_id_19_5168,a_5156)))) at {36} in copy a_5154 out(c, encrypt(SECRET,getKey(new_rbc_id_19_5168,a_5156))) at {37} in copy a_5154 out(c, (RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_19_5168,a_5153,rbcNonce_37_5169,mac(genSessionKey(a_5155,rbcNonce_37_5169,getKey(new_rbc_id_19_5168,a_5156)),((PAYLOAD_LENGTH(),a_5156,RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_19_5168,a_5153),rbcNonce_37_5169,a_5155,a_5156)))) at {38} in copy a_5154 out(id, new_rbc_id_19_5168) at {4} in copy a_5151, a_5164 received at {31} in copy a_5143 new rbcNonce_37 creating rbcNonce_37_5175 at {32} in copy a_5143 in(c, (a_5159,AU1(),DF_SEND(),train_etcs_id_20_5171,a_5152,trainNonce_23_5174)) at {33} in copy a_5143 event(rbcStartSession(new_rbc_id_19_5168,train_etcs_id_20_5171,rbcNonce_37_5175,a_5152,trainNonce_23_5174)) at {34} in copy a_5143 out(c, encrypt(SECRET,genSessionKey(trainNonce_23_5174,rbcNonce_37_5175,getKey(new_rbc_id_19_5168,train_etcs_id_20_5171)))) at {36} in copy a_5143 out(c, encrypt(SECRET,getKey(new_rbc_id_19_5168,train_etcs_id_20_5171))) at {37} in copy a_5143 out(c, (RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_19_5168,a_5152,rbcNonce_37_5175,mac(genSessionKey(trainNonce_23_5174,rbcNonce_37_5175,getKey(new_rbc_id_19_5168,train_etcs_id_20_5171)),((PAYLOAD_LENGTH(),train_etcs_id_20_5171,RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_19_5168,a_5152),rbcNonce_37_5175,trainNonce_23_5174,train_etcs_id_20_5171)))) at {38} in copy a_5143 in(c, (RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_19_5168,a_5152,rbcNonce_37_5175,mac(genSessionKey(trainNonce_23_5174,rbcNonce_37_5175,getKey(new_rbc_id_19_5168,train_etcs_id_20_5171)),((PAYLOAD_LENGTH(),train_etcs_id_20_5171,RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_19_5168,a_5152),rbcNonce_37_5175,trainNonce_23_5174,train_etcs_id_20_5171)))) at {13} in copy a_5150, a_5149 out(c, encrypt(SECRET,genSessionKey(trainNonce_23_5174,rbcNonce_37_5175,getKey(new_rbc_id_19_5168,train_etcs_id_20_5171)))) at {15} in copy a_5150, a_5149 out(c, encrypt(SECRET,getKey(new_rbc_id_19_5168,train_etcs_id_20_5171))) at {16} in copy a_5150, a_5149 event(trainFinishSession(new_rbc_id_19_5168,train_etcs_id_20_5171,trainNonce_23_5174,a_5152,rbcNonce_37_5175,genSessionKey(trainNonce_23_5174,rbcNonce_37_5175,getKey(new_rbc_id_19_5168,train_etcs_id_20_5171)))) at {18} in copy a_5150, a_5149 out(c, (ZEROS(),AU3(),DF_SEND(),mac(genSessionKey(trainNonce_23_5174,rbcNonce_37_5175,getKey(new_rbc_id_19_5168,train_etcs_id_20_5171)),(PAYLOAD_LENGTH(),train_etcs_id_20_5171,ZEROS(),AU3(),DF_SEND(),trainNonce_23_5174,rbcNonce_37_5175)))) at {19} in copy a_5150, a_5149 new time_29 creating time_29_5344 at {20} in copy a_5150, a_5149 in(c, (ZEROS(),AU3(),DF_SEND(),mac(genSessionKey(trainNonce_23_5174,rbcNonce_37_5175,getKey(new_rbc_id_19_5168,train_etcs_id_20_5171)),(PAYLOAD_LENGTH(),train_etcs_id_20_5171,ZEROS(),AU3(),DF_SEND(),trainNonce_23_5174,rbcNonce_37_5175)))) at {39} in copy a_5143 event(rbcFinishSession(new_rbc_id_19_5168,train_etcs_id_20_5171,rbcNonce_37_5175,a_5152,trainNonce_23_5174,genSessionKey(trainNonce_23_5174,rbcNonce_37_5175,getKey(new_rbc_id_19_5168,train_etcs_id_20_5171)))) at {41} in copy a_5143 in(c, (DT(),a_5144,a_5145)) at {42} in copy a_5143 event(DataReceived1((DT(),a_5144,a_5145))) at {43} in copy a_5143 in(c, (DT(),a_5146,a_5147)) at {44} in copy a_5143 event(DataReceived2((DT(),a_5146,a_5147))) at {45} in copy a_5143 event(MessagesReceived2((DT(),a_5144,a_5145),(DT(),a_5146,a_5147))) at {46} in copy a_5143 The event MessagesReceived2((DT(),a_5144,a_5145),(DT(),a_5146,a_5147)) is executed in session a_5143. A trace has been found. RESULT evinj:MessagesReceived2(m1_2880,m2_2881) ==> (evinj:DataSent1(s_2882,m1_2880) & evinj:DataSent2(s_2882,m2_2881)) | (evinj:DataSent1(s_2882,m1_2880) & evinj:DataSent3(s_2882,m2_2881)) | (evinj:DataSent2(s_2882,m1_2880) & evinj:DataSent3(s_2882,m2_2881)) is false. RESULT (even ev:MessagesReceived2(m1_4965,m2_4966) ==> (ev:DataSent1(s_4964,m1_4965) & ev:DataSent2(s_4964,m2_4966)) | (ev:DataSent1(s_4964,m1_4965) & ev:DataSent3(s_4964,m2_4966)) | (ev:DataSent2(s_4964,m1_4965) & ev:DataSent3(s_4964,m2_4966)) is false.) nounif greater:x_5383,*y_5384/-5000 -- Query evinj:DataReceived3(m_5373) ==> evinj:DataSent3(s_5374,m_5373) Completing... Starting query evinj:DataReceived3(m_5373) ==> evinj:DataSent3(s_5374,m_5373) goal reachable: attacker:timeC_7348 & attacker:msgC_7349 -> end:endsid_7350,DataReceived3((DT(),timeC_7348,msgC_7349)) Abbreviations: new_rbc_id_7515 = new_rbc_id_19[!1 = @sid_7380] trainNonce_7516 = trainNonce_23[rbc_etcs_id_22 = new_rbc_id_7515,!2 = @sid_7476,!1 = @sid_7477] new_rbc_id_7517 = new_rbc_id_19[!1 = @sid_7444] rbcNonce_7518 = rbcNonce_37[rbc_etcs_id_36 = new_rbc_id_7517,!1 = endsid_7513] train_etcs_id_7519 = train_etcs_id_20[!1 = @sid_7477] rbcNonce_7520 = rbcNonce_37[rbc_etcs_id_36 = new_rbc_id_7517,!1 = @sid_7415] new_rbc_id_7521 = new_rbc_id_19[!1 = @sid_7354] trainNonce_7522 = trainNonce_23[rbc_etcs_id_22 = new_rbc_id_7521,!2 = @sid_7358,!1 = @sid_7477] 1. The message new_rbc_id_7517 may be sent on channel id[] at output {4}. mess:id[],new_rbc_id_7517. 2. The message new_rbc_id_7515 may be sent on channel id[] at output {4}. mess:id[],new_rbc_id_7515. 3. The message new_rbc_id_7515 that may be sent on channel id[] by 2 may be received at input {9}. So the message (TRAIN_ETCS_ID_TYPE(),AU1(),DF_SEND(),train_etcs_id_7519,SAF(),trainNonce_7516) may be sent to the attacker at output {12}. attacker:(TRAIN_ETCS_ID_TYPE(),AU1(),DF_SEND(),train_etcs_id_7519,SAF(),trainNonce_7516). 4. By 3, the attacker may know (TRAIN_ETCS_ID_TYPE(),AU1(),DF_SEND(),train_etcs_id_7519,SAF(),trainNonce_7516). Using the function 6-proj-6-tuple the attacker may obtain trainNonce_7516. attacker:trainNonce_7516. 5. The attacker has some term trainSaF_7512. attacker:trainSaF_7512. 6. The message new_rbc_id_7521 may be sent on channel id[] at output {4}. mess:id[],new_rbc_id_7521. 7. The message new_rbc_id_7521 that may be sent on channel id[] by 6 may be received at input {9}. So the message (TRAIN_ETCS_ID_TYPE(),AU1(),DF_SEND(),train_etcs_id_7519,SAF(),trainNonce_7522) may be sent to the attacker at output {12}. attacker:(TRAIN_ETCS_ID_TYPE(),AU1(),DF_SEND(),train_etcs_id_7519,SAF(),trainNonce_7522). 8. By 7, the attacker may know (TRAIN_ETCS_ID_TYPE(),AU1(),DF_SEND(),train_etcs_id_7519,SAF(),trainNonce_7522). Using the function 4-proj-6-tuple the attacker may obtain train_etcs_id_7519. attacker:train_etcs_id_7519. 9. Using the function DF_SEND the attacker may obtain DF_SEND(). attacker:DF_SEND(). 10. Using the function AU1 the attacker may obtain AU1(). attacker:AU1(). 11. The attacker has some term sent_ETCS_ID_TYPE_7511. attacker:sent_ETCS_ID_TYPE_7511. 12. By 11, the attacker may know sent_ETCS_ID_TYPE_7511. By 10, the attacker may know AU1(). By 9, the attacker may know DF_SEND(). By 8, the attacker may know train_etcs_id_7519. By 5, the attacker may know trainSaF_7512. By 4, the attacker may know trainNonce_7516. Using the function 6-tuple the attacker may obtain (sent_ETCS_ID_TYPE_7511,AU1(),DF_SEND(),train_etcs_id_7519,trainSaF_7512,trainNonce_7516). attacker:(sent_ETCS_ID_TYPE_7511,AU1(),DF_SEND(),train_etcs_id_7519,trainSaF_7512,trainNonce_7516). 13. The message new_rbc_id_7515 may be sent on channel id[] at output {4}. mess:id[],new_rbc_id_7515. 14. The message new_rbc_id_7517 may be sent on channel id[] at output {4}. mess:id[],new_rbc_id_7517. 15. The attacker has some term rbcSaF_7473. attacker:rbcSaF_7473. 16. The attacker has some term sent_ETCS_ID_TYPE_7452. attacker:sent_ETCS_ID_TYPE_7452. 17. By 16, the attacker may know sent_ETCS_ID_TYPE_7452. By 10, the attacker may know AU1(). By 9, the attacker may know DF_SEND(). By 8, the attacker may know train_etcs_id_7519. By 15, the attacker may know rbcSaF_7473. By 4, the attacker may know trainNonce_7516. Using the function 6-tuple the attacker may obtain (sent_ETCS_ID_TYPE_7452,AU1(),DF_SEND(),train_etcs_id_7519,rbcSaF_7473,trainNonce_7516). attacker:(sent_ETCS_ID_TYPE_7452,AU1(),DF_SEND(),train_etcs_id_7519,rbcSaF_7473,trainNonce_7516). 18. The message new_rbc_id_7517 that may be sent on channel id[] by 14 may be received at input {31}. The message (sent_ETCS_ID_TYPE_7452,AU1(),DF_SEND(),train_etcs_id_7519,rbcSaF_7473,trainNonce_7516) that the attacker may have by 17 may be received at input {33}. So the message (RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_7517,rbcSaF_7473,rbcNonce_7518,mac(genSessionKey(trainNonce_7516,rbcNonce_7518,getKey(new_rbc_id_7517,train_etcs_id_7519)),((PAYLOAD_LENGTH(),train_etcs_id_7519,RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_7517,rbcSaF_7473),rbcNonce_7518,trainNonce_7516,train_etcs_id_7519))) may be sent to the attacker at output {38}. attacker:(RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_7517,rbcSaF_7473,rbcNonce_7518,mac(genSessionKey(trainNonce_7516,rbcNonce_7518,getKey(new_rbc_id_7517,train_etcs_id_7519)),((PAYLOAD_LENGTH(),train_etcs_id_7519,RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_7517,rbcSaF_7473),rbcNonce_7518,trainNonce_7516,train_etcs_id_7519))). 19. By 18, the attacker may know (RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_7517,rbcSaF_7473,rbcNonce_7518,mac(genSessionKey(trainNonce_7516,rbcNonce_7518,getKey(new_rbc_id_7517,train_etcs_id_7519)),((PAYLOAD_LENGTH(),train_etcs_id_7519,RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_7517,rbcSaF_7473),rbcNonce_7518,trainNonce_7516,train_etcs_id_7519))). Using the function 7-proj-7-tuple the attacker may obtain mac(genSessionKey(trainNonce_7516,rbcNonce_7518,getKey(new_rbc_id_7517,train_etcs_id_7519)),((PAYLOAD_LENGTH(),train_etcs_id_7519,RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_7517,rbcSaF_7473),rbcNonce_7518,trainNonce_7516,train_etcs_id_7519)). attacker:mac(genSessionKey(trainNonce_7516,rbcNonce_7518,getKey(new_rbc_id_7517,train_etcs_id_7519)),((PAYLOAD_LENGTH(),train_etcs_id_7519,RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_7517,rbcSaF_7473),rbcNonce_7518,trainNonce_7516,train_etcs_id_7519)). 20. The message new_rbc_id_7517 may be sent on channel id[] at output {4}. mess:id[],new_rbc_id_7517. 21. The attacker has some term trainNonce_7434. attacker:trainNonce_7434. 22. The attacker has some term trainSaF_7433. attacker:trainSaF_7433. 23. The attacker has some term in_train_etcs_id_7432. attacker:in_train_etcs_id_7432. 24. The attacker has some term sent_ETCS_ID_TYPE_7431. attacker:sent_ETCS_ID_TYPE_7431. 25. By 24, the attacker may know sent_ETCS_ID_TYPE_7431. By 10, the attacker may know AU1(). By 9, the attacker may know DF_SEND(). By 23, the attacker may know in_train_etcs_id_7432. By 22, the attacker may know trainSaF_7433. By 21, the attacker may know trainNonce_7434. Using the function 6-tuple the attacker may obtain (sent_ETCS_ID_TYPE_7431,AU1(),DF_SEND(),in_train_etcs_id_7432,trainSaF_7433,trainNonce_7434). attacker:(sent_ETCS_ID_TYPE_7431,AU1(),DF_SEND(),in_train_etcs_id_7432,trainSaF_7433,trainNonce_7434). 26. The message new_rbc_id_7517 that may be sent on channel id[] by 20 may be received at input {31}. The message (sent_ETCS_ID_TYPE_7431,AU1(),DF_SEND(),in_train_etcs_id_7432,trainSaF_7433,trainNonce_7434) that the attacker may have by 25 may be received at input {33}. So the message (RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_7517,trainSaF_7433,rbcNonce_7518,mac(genSessionKey(trainNonce_7434,rbcNonce_7518,getKey(new_rbc_id_7517,in_train_etcs_id_7432)),((PAYLOAD_LENGTH(),in_train_etcs_id_7432,RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_7517,trainSaF_7433),rbcNonce_7518,trainNonce_7434,in_train_etcs_id_7432))) may be sent to the attacker at output {38}. attacker:(RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_7517,trainSaF_7433,rbcNonce_7518,mac(genSessionKey(trainNonce_7434,rbcNonce_7518,getKey(new_rbc_id_7517,in_train_etcs_id_7432)),((PAYLOAD_LENGTH(),in_train_etcs_id_7432,RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_7517,trainSaF_7433),rbcNonce_7518,trainNonce_7434,in_train_etcs_id_7432))). 27. By 26, the attacker may know (RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_7517,trainSaF_7433,rbcNonce_7518,mac(genSessionKey(trainNonce_7434,rbcNonce_7518,getKey(new_rbc_id_7517,in_train_etcs_id_7432)),((PAYLOAD_LENGTH(),in_train_etcs_id_7432,RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_7517,trainSaF_7433),rbcNonce_7518,trainNonce_7434,in_train_etcs_id_7432))). Using the function 6-proj-7-tuple the attacker may obtain rbcNonce_7518. attacker:rbcNonce_7518. 28. The message new_rbc_id_7517 may be sent on channel id[] at output {4}. mess:id[],new_rbc_id_7517. 29. The attacker has some term trainNonce_7413. attacker:trainNonce_7413. 30. The attacker has some term trainSaF_7412. attacker:trainSaF_7412. 31. The attacker has some term in_train_etcs_id_7411. attacker:in_train_etcs_id_7411. 32. The attacker has some term sent_ETCS_ID_TYPE_7410. attacker:sent_ETCS_ID_TYPE_7410. 33. By 32, the attacker may know sent_ETCS_ID_TYPE_7410. By 10, the attacker may know AU1(). By 9, the attacker may know DF_SEND(). By 31, the attacker may know in_train_etcs_id_7411. By 30, the attacker may know trainSaF_7412. By 29, the attacker may know trainNonce_7413. Using the function 6-tuple the attacker may obtain (sent_ETCS_ID_TYPE_7410,AU1(),DF_SEND(),in_train_etcs_id_7411,trainSaF_7412,trainNonce_7413). attacker:(sent_ETCS_ID_TYPE_7410,AU1(),DF_SEND(),in_train_etcs_id_7411,trainSaF_7412,trainNonce_7413). 34. The message new_rbc_id_7517 that may be sent on channel id[] by 28 may be received at input {31}. The message (sent_ETCS_ID_TYPE_7410,AU1(),DF_SEND(),in_train_etcs_id_7411,trainSaF_7412,trainNonce_7413) that the attacker may have by 33 may be received at input {33}. So the message (RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_7517,trainSaF_7412,rbcNonce_7520,mac(genSessionKey(trainNonce_7413,rbcNonce_7520,getKey(new_rbc_id_7517,in_train_etcs_id_7411)),((PAYLOAD_LENGTH(),in_train_etcs_id_7411,RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_7517,trainSaF_7412),rbcNonce_7520,trainNonce_7413,in_train_etcs_id_7411))) may be sent to the attacker at output {38}. attacker:(RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_7517,trainSaF_7412,rbcNonce_7520,mac(genSessionKey(trainNonce_7413,rbcNonce_7520,getKey(new_rbc_id_7517,in_train_etcs_id_7411)),((PAYLOAD_LENGTH(),in_train_etcs_id_7411,RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_7517,trainSaF_7412),rbcNonce_7520,trainNonce_7413,in_train_etcs_id_7411))). 35. By 34, the attacker may know (RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_7517,trainSaF_7412,rbcNonce_7520,mac(genSessionKey(trainNonce_7413,rbcNonce_7520,getKey(new_rbc_id_7517,in_train_etcs_id_7411)),((PAYLOAD_LENGTH(),in_train_etcs_id_7411,RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_7517,trainSaF_7412),rbcNonce_7520,trainNonce_7413,in_train_etcs_id_7411))). Using the function 4-proj-7-tuple the attacker may obtain new_rbc_id_7517. attacker:new_rbc_id_7517. 36. Using the function DF_RESP the attacker may obtain DF_RESP(). attacker:DF_RESP(). 37. Using the function AU2 the attacker may obtain AU2(). attacker:AU2(). 38. Using the function RBC_ETCS_ID_TYPE the attacker may obtain RBC_ETCS_ID_TYPE(). attacker:RBC_ETCS_ID_TYPE(). 39. By 38, the attacker may know RBC_ETCS_ID_TYPE(). By 37, the attacker may know AU2(). By 36, the attacker may know DF_RESP(). By 35, the attacker may know new_rbc_id_7517. By 15, the attacker may know rbcSaF_7473. By 27, the attacker may know rbcNonce_7518. By 19, the attacker may know mac(genSessionKey(trainNonce_7516,rbcNonce_7518,getKey(new_rbc_id_7517,train_etcs_id_7519)),((PAYLOAD_LENGTH(),train_etcs_id_7519,RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_7517,rbcSaF_7473),rbcNonce_7518,trainNonce_7516,train_etcs_id_7519)). Using the function 7-tuple the attacker may obtain (RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_7517,rbcSaF_7473,rbcNonce_7518,mac(genSessionKey(trainNonce_7516,rbcNonce_7518,getKey(new_rbc_id_7517,train_etcs_id_7519)),((PAYLOAD_LENGTH(),train_etcs_id_7519,RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_7517,rbcSaF_7473),rbcNonce_7518,trainNonce_7516,train_etcs_id_7519))). attacker:(RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_7517,rbcSaF_7473,rbcNonce_7518,mac(genSessionKey(trainNonce_7516,rbcNonce_7518,getKey(new_rbc_id_7517,train_etcs_id_7519)),((PAYLOAD_LENGTH(),train_etcs_id_7519,RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_7517,rbcSaF_7473),rbcNonce_7518,trainNonce_7516,train_etcs_id_7519))). 40. The message new_rbc_id_7515 that may be sent on channel id[] by 13 may be received at input {9}. The message (RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_7517,rbcSaF_7473,rbcNonce_7518,mac(genSessionKey(trainNonce_7516,rbcNonce_7518,getKey(new_rbc_id_7517,train_etcs_id_7519)),((PAYLOAD_LENGTH(),train_etcs_id_7519,RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_7517,rbcSaF_7473),rbcNonce_7518,trainNonce_7516,train_etcs_id_7519))) that the attacker may have by 39 may be received at input {13}. So the message (ZEROS(),AU3(),DF_SEND(),mac(genSessionKey(trainNonce_7516,rbcNonce_7518,getKey(new_rbc_id_7517,train_etcs_id_7519)),(PAYLOAD_LENGTH(),train_etcs_id_7519,ZEROS(),AU3(),DF_SEND(),trainNonce_7516,rbcNonce_7518))) may be sent to the attacker at output {19}. attacker:(ZEROS(),AU3(),DF_SEND(),mac(genSessionKey(trainNonce_7516,rbcNonce_7518,getKey(new_rbc_id_7517,train_etcs_id_7519)),(PAYLOAD_LENGTH(),train_etcs_id_7519,ZEROS(),AU3(),DF_SEND(),trainNonce_7516,rbcNonce_7518))). 41. By 40, the attacker may know (ZEROS(),AU3(),DF_SEND(),mac(genSessionKey(trainNonce_7516,rbcNonce_7518,getKey(new_rbc_id_7517,train_etcs_id_7519)),(PAYLOAD_LENGTH(),train_etcs_id_7519,ZEROS(),AU3(),DF_SEND(),trainNonce_7516,rbcNonce_7518))). Using the function 4-proj-4-tuple the attacker may obtain mac(genSessionKey(trainNonce_7516,rbcNonce_7518,getKey(new_rbc_id_7517,train_etcs_id_7519)),(PAYLOAD_LENGTH(),train_etcs_id_7519,ZEROS(),AU3(),DF_SEND(),trainNonce_7516,rbcNonce_7518)). attacker:mac(genSessionKey(trainNonce_7516,rbcNonce_7518,getKey(new_rbc_id_7517,train_etcs_id_7519)),(PAYLOAD_LENGTH(),train_etcs_id_7519,ZEROS(),AU3(),DF_SEND(),trainNonce_7516,rbcNonce_7518)). 42. Using the function AU3 the attacker may obtain AU3(). attacker:AU3(). 43. Using the function ZEROS the attacker may obtain ZEROS(). attacker:ZEROS(). 44. By 43, the attacker may know ZEROS(). By 42, the attacker may know AU3(). By 9, the attacker may know DF_SEND(). By 41, the attacker may know mac(genSessionKey(trainNonce_7516,rbcNonce_7518,getKey(new_rbc_id_7517,train_etcs_id_7519)),(PAYLOAD_LENGTH(),train_etcs_id_7519,ZEROS(),AU3(),DF_SEND(),trainNonce_7516,rbcNonce_7518)). Using the function 4-tuple the attacker may obtain (ZEROS(),AU3(),DF_SEND(),mac(genSessionKey(trainNonce_7516,rbcNonce_7518,getKey(new_rbc_id_7517,train_etcs_id_7519)),(PAYLOAD_LENGTH(),train_etcs_id_7519,ZEROS(),AU3(),DF_SEND(),trainNonce_7516,rbcNonce_7518))). attacker:(ZEROS(),AU3(),DF_SEND(),mac(genSessionKey(trainNonce_7516,rbcNonce_7518,getKey(new_rbc_id_7517,train_etcs_id_7519)),(PAYLOAD_LENGTH(),train_etcs_id_7519,ZEROS(),AU3(),DF_SEND(),trainNonce_7516,rbcNonce_7518))). 45. The attacker has some term msgA_7506. attacker:msgA_7506. 46. The attacker has some term timeA_7505. attacker:timeA_7505. 47. Using the function DT the attacker may obtain DT(). attacker:DT(). 48. By 47, the attacker may know DT(). By 46, the attacker may know timeA_7505. By 45, the attacker may know msgA_7506. Using the function 3-tuple the attacker may obtain (DT(),timeA_7505,msgA_7506). attacker:(DT(),timeA_7505,msgA_7506). 49. The attacker has some term msgB_7504. attacker:msgB_7504. 50. The attacker has some term timeB_7503. attacker:timeB_7503. 51. By 47, the attacker may know DT(). By 50, the attacker may know timeB_7503. By 49, the attacker may know msgB_7504. Using the function 3-tuple the attacker may obtain (DT(),timeB_7503,msgB_7504). attacker:(DT(),timeB_7503,msgB_7504). 52. We assume as hypothesis that attacker:msgC_7502. 53. We assume as hypothesis that attacker:timeC_7501. 54. By 47, the attacker may know DT(). By 53, the attacker may know timeC_7501. By 52, the attacker may know msgC_7502. Using the function 3-tuple the attacker may obtain (DT(),timeC_7501,msgC_7502). attacker:(DT(),timeC_7501,msgC_7502). 55. The message new_rbc_id_7517 that may be sent on channel id[] by 1 may be received at input {31}. The message (sent_ETCS_ID_TYPE_7511,AU1(),DF_SEND(),train_etcs_id_7519,trainSaF_7512,trainNonce_7516) that the attacker may have by 12 may be received at input {33}. The message (ZEROS(),AU3(),DF_SEND(),mac(genSessionKey(trainNonce_7516,rbcNonce_7518,getKey(new_rbc_id_7517,train_etcs_id_7519)),(PAYLOAD_LENGTH(),train_etcs_id_7519,ZEROS(),AU3(),DF_SEND(),trainNonce_7516,rbcNonce_7518))) that the attacker may have by 44 may be received at input {39}. The message (DT(),timeA_7505,msgA_7506) that the attacker may have by 48 may be received at input {42}. The message (DT(),timeB_7503,msgB_7504) that the attacker may have by 51 may be received at input {44}. The message (DT(),timeC_7501,msgC_7502) that the attacker may have by 54 may be received at input {47}. So event DataReceived3((DT(),timeC_7501,msgC_7502)) may be executed at {48} in session endsid_7513. end:endsid_7513,DataReceived3((DT(),timeC_7501,msgC_7502)). Unified sent_ETCS_ID_TYPE_7431 with sent_ETCS_ID_TYPE_7511 Unified in_train_etcs_id_7432 with train_etcs_id_20[!1 = @sid_7477] Unified trainSaF_7433 with trainSaF_7512 Unified trainNonce_7434 with trainNonce_23[rbc_etcs_id_22 = new_rbc_id_19[!1 = @sid_7380],!2 = @sid_7476,!1 = @sid_7477] Unified sent_ETCS_ID_TYPE_7452 with sent_ETCS_ID_TYPE_7511 Unified rbcSaF_7473 with trainSaF_7512 Iterating unifyDerivation. Fixpoint reached: nothing more to unify. The clause after unifyDerivation is attacker:msgC_7525 & attacker:timeC_7524 -> end:endsid_7523,DataReceived3((DT(),timeC_7524,msgC_7525)) This clause still contradicts the query. A more detailed output of the traces is available with param traceDisplay = long. new train_etcs_id_20 creating train_etcs_id_20_7557 at {6} in copy a_7536 new session_21 creating session_21_7618 at {8} in copy a_7536, a_7535 new session_21 creating session_21_7619 at {8} in copy a_7536, a_7547 new new_rbc_id_19 creating new_rbc_id_19_7554 at {2} in copy a_7537 new new_rbc_id_19 creating new_rbc_id_19_7559 at {2} in copy a_7534 new new_rbc_id_19 creating new_rbc_id_19_7556 at {2} in copy a_7546 out(id, new_rbc_id_19_7556) at {4} in copy a_7546, a_7548 received at {9} in copy a_7536, a_7547 new trainNonce_23 creating trainNonce_23_7558 at {10} in copy a_7536, a_7547 event(trainStartSession(new_rbc_id_19_7556,train_etcs_id_20_7557,trainNonce_23_7558,SAF())) at {11} in copy a_7536, a_7547 out(c, (TRAIN_ETCS_ID_TYPE(),AU1(),DF_SEND(),train_etcs_id_20_7557,SAF(),trainNonce_23_7558)) at {12} in copy a_7536, a_7547 out(id, new_rbc_id_19_7559) at {4} in copy a_7534, a_7552 received at {9} in copy a_7536, a_7535 new trainNonce_23 creating trainNonce_23_7560 at {10} in copy a_7536, a_7535 event(trainStartSession(new_rbc_id_19_7559,train_etcs_id_20_7557,trainNonce_23_7560,SAF())) at {11} in copy a_7536, a_7535 out(c, (TRAIN_ETCS_ID_TYPE(),AU1(),DF_SEND(),train_etcs_id_20_7557,SAF(),trainNonce_23_7560)) at {12} in copy a_7536, a_7535 out(id, new_rbc_id_19_7554) at {4} in copy a_7537, a_7544 received at {31} in copy a_7540 new rbcNonce_37 creating rbcNonce_37_7555 at {32} in copy a_7540 in(c, (a_7543,AU1(),DF_SEND(),a_7542,a_7539,a_7541)) at {33} in copy a_7540 event(rbcStartSession(new_rbc_id_19_7554,a_7542,rbcNonce_37_7555,a_7539,a_7541)) at {34} in copy a_7540 out(c, encrypt(SECRET,genSessionKey(a_7541,rbcNonce_37_7555,getKey(new_rbc_id_19_7554,a_7542)))) at {36} in copy a_7540 out(c, encrypt(SECRET,getKey(new_rbc_id_19_7554,a_7542))) at {37} in copy a_7540 out(c, (RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_19_7554,a_7539,rbcNonce_37_7555,mac(genSessionKey(a_7541,rbcNonce_37_7555,getKey(new_rbc_id_19_7554,a_7542)),((PAYLOAD_LENGTH(),a_7542,RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_19_7554,a_7539),rbcNonce_37_7555,a_7541,a_7542)))) at {38} in copy a_7540 out(id, new_rbc_id_19_7554) at {4} in copy a_7537, a_7550 received at {31} in copy a_7527 new rbcNonce_37 creating rbcNonce_37_7561 at {32} in copy a_7527 in(c, (a_7545,AU1(),DF_SEND(),train_etcs_id_20_7557,a_7538,trainNonce_23_7560)) at {33} in copy a_7527 event(rbcStartSession(new_rbc_id_19_7554,train_etcs_id_20_7557,rbcNonce_37_7561,a_7538,trainNonce_23_7560)) at {34} in copy a_7527 out(c, encrypt(SECRET,genSessionKey(trainNonce_23_7560,rbcNonce_37_7561,getKey(new_rbc_id_19_7554,train_etcs_id_20_7557)))) at {36} in copy a_7527 out(c, encrypt(SECRET,getKey(new_rbc_id_19_7554,train_etcs_id_20_7557))) at {37} in copy a_7527 out(c, (RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_19_7554,a_7538,rbcNonce_37_7561,mac(genSessionKey(trainNonce_23_7560,rbcNonce_37_7561,getKey(new_rbc_id_19_7554,train_etcs_id_20_7557)),((PAYLOAD_LENGTH(),train_etcs_id_20_7557,RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_19_7554,a_7538),rbcNonce_37_7561,trainNonce_23_7560,train_etcs_id_20_7557)))) at {38} in copy a_7527 in(c, (RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_19_7554,a_7538,rbcNonce_37_7561,mac(genSessionKey(trainNonce_23_7560,rbcNonce_37_7561,getKey(new_rbc_id_19_7554,train_etcs_id_20_7557)),((PAYLOAD_LENGTH(),train_etcs_id_20_7557,RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_19_7554,a_7538),rbcNonce_37_7561,trainNonce_23_7560,train_etcs_id_20_7557)))) at {13} in copy a_7536, a_7535 out(c, encrypt(SECRET,genSessionKey(trainNonce_23_7560,rbcNonce_37_7561,getKey(new_rbc_id_19_7554,train_etcs_id_20_7557)))) at {15} in copy a_7536, a_7535 out(c, encrypt(SECRET,getKey(new_rbc_id_19_7554,train_etcs_id_20_7557))) at {16} in copy a_7536, a_7535 event(trainFinishSession(new_rbc_id_19_7554,train_etcs_id_20_7557,trainNonce_23_7560,a_7538,rbcNonce_37_7561,genSessionKey(trainNonce_23_7560,rbcNonce_37_7561,getKey(new_rbc_id_19_7554,train_etcs_id_20_7557)))) at {18} in copy a_7536, a_7535 out(c, (ZEROS(),AU3(),DF_SEND(),mac(genSessionKey(trainNonce_23_7560,rbcNonce_37_7561,getKey(new_rbc_id_19_7554,train_etcs_id_20_7557)),(PAYLOAD_LENGTH(),train_etcs_id_20_7557,ZEROS(),AU3(),DF_SEND(),trainNonce_23_7560,rbcNonce_37_7561)))) at {19} in copy a_7536, a_7535 new time_29 creating time_29_7730 at {20} in copy a_7536, a_7535 event(DataSent1(session_21_7618,(DT(),time_29_7730,MESSAGE_1()))) at {22} in copy a_7536, a_7535 out(c, (DT(),time_29_7730,MESSAGE_1())) at {23} in copy a_7536, a_7535 event(DataSent2(session_21_7618,(DT(),inc(time_29_7730),MESSAGE_2()))) at {25} in copy a_7536, a_7535 out(c, (DT(),inc(time_29_7730),MESSAGE_2())) at {26} in copy a_7536, a_7535 in(c, (ZEROS(),AU3(),DF_SEND(),mac(genSessionKey(trainNonce_23_7560,rbcNonce_37_7561,getKey(new_rbc_id_19_7554,train_etcs_id_20_7557)),(PAYLOAD_LENGTH(),train_etcs_id_20_7557,ZEROS(),AU3(),DF_SEND(),trainNonce_23_7560,rbcNonce_37_7561)))) at {39} in copy a_7527 event(rbcFinishSession(new_rbc_id_19_7554,train_etcs_id_20_7557,rbcNonce_37_7561,a_7538,trainNonce_23_7560,genSessionKey(trainNonce_23_7560,rbcNonce_37_7561,getKey(new_rbc_id_19_7554,train_etcs_id_20_7557)))) at {41} in copy a_7527 in(c, (DT(),a_7532,a_7533)) at {42} in copy a_7527 event(DataReceived1((DT(),a_7532,a_7533))) at {43} in copy a_7527 in(c, (DT(),a_7530,a_7531)) at {44} in copy a_7527 event(DataReceived2((DT(),a_7530,a_7531))) at {45} in copy a_7527 event(MessagesReceived2((DT(),a_7532,a_7533),(DT(),a_7530,a_7531))) at {46} in copy a_7527 in(c, (DT(),a_7528,a_7529)) at {47} in copy a_7527 event(DataReceived3((DT(),a_7528,a_7529))) at {48} in copy a_7527 The event DataReceived3((DT(),a_7528,a_7529)) is executed in session a_7527. A trace has been found. RESULT evinj:DataReceived3(m_5373) ==> evinj:DataSent3(s_5374,m_5373) is false. RESULT (even ev:DataReceived3(m_7352) ==> ev:DataSent3(s_7351,m_7352) is false.) nounif greater:x_7774,*y_7775/-5000 -- Query evinj:DataReceived2(m_7764) ==> evinj:DataSent2(s_7765,m_7764) Completing... Starting query evinj:DataReceived2(m_7764) ==> evinj:DataSent2(s_7765,m_7764) goal reachable: attacker:timeB_9743 & attacker:msgB_9744 -> end:endsid_9745,DataReceived2((DT(),timeB_9743,msgB_9744)) Abbreviations: new_rbc_id_9905 = new_rbc_id_19[!1 = @sid_9775] trainNonce_9906 = trainNonce_23[rbc_etcs_id_22 = new_rbc_id_9905,!2 = @sid_9871,!1 = @sid_9872] new_rbc_id_9907 = new_rbc_id_19[!1 = @sid_9839] rbcNonce_9908 = rbcNonce_37[rbc_etcs_id_36 = new_rbc_id_9907,!1 = endsid_9903] train_etcs_id_9909 = train_etcs_id_20[!1 = @sid_9872] rbcNonce_9910 = rbcNonce_37[rbc_etcs_id_36 = new_rbc_id_9907,!1 = @sid_9810] new_rbc_id_9911 = new_rbc_id_19[!1 = @sid_9749] trainNonce_9912 = trainNonce_23[rbc_etcs_id_22 = new_rbc_id_9911,!2 = @sid_9753,!1 = @sid_9872] 1. The message new_rbc_id_9907 may be sent on channel id[] at output {4}. mess:id[],new_rbc_id_9907. 2. The message new_rbc_id_9905 may be sent on channel id[] at output {4}. mess:id[],new_rbc_id_9905. 3. The message new_rbc_id_9905 that may be sent on channel id[] by 2 may be received at input {9}. So the message (TRAIN_ETCS_ID_TYPE(),AU1(),DF_SEND(),train_etcs_id_9909,SAF(),trainNonce_9906) may be sent to the attacker at output {12}. attacker:(TRAIN_ETCS_ID_TYPE(),AU1(),DF_SEND(),train_etcs_id_9909,SAF(),trainNonce_9906). 4. By 3, the attacker may know (TRAIN_ETCS_ID_TYPE(),AU1(),DF_SEND(),train_etcs_id_9909,SAF(),trainNonce_9906). Using the function 6-proj-6-tuple the attacker may obtain trainNonce_9906. attacker:trainNonce_9906. 5. The attacker has some term trainSaF_9902. attacker:trainSaF_9902. 6. The message new_rbc_id_9911 may be sent on channel id[] at output {4}. mess:id[],new_rbc_id_9911. 7. The message new_rbc_id_9911 that may be sent on channel id[] by 6 may be received at input {9}. So the message (TRAIN_ETCS_ID_TYPE(),AU1(),DF_SEND(),train_etcs_id_9909,SAF(),trainNonce_9912) may be sent to the attacker at output {12}. attacker:(TRAIN_ETCS_ID_TYPE(),AU1(),DF_SEND(),train_etcs_id_9909,SAF(),trainNonce_9912). 8. By 7, the attacker may know (TRAIN_ETCS_ID_TYPE(),AU1(),DF_SEND(),train_etcs_id_9909,SAF(),trainNonce_9912). Using the function 4-proj-6-tuple the attacker may obtain train_etcs_id_9909. attacker:train_etcs_id_9909. 9. Using the function DF_SEND the attacker may obtain DF_SEND(). attacker:DF_SEND(). 10. Using the function AU1 the attacker may obtain AU1(). attacker:AU1(). 11. The attacker has some term sent_ETCS_ID_TYPE_9901. attacker:sent_ETCS_ID_TYPE_9901. 12. By 11, the attacker may know sent_ETCS_ID_TYPE_9901. By 10, the attacker may know AU1(). By 9, the attacker may know DF_SEND(). By 8, the attacker may know train_etcs_id_9909. By 5, the attacker may know trainSaF_9902. By 4, the attacker may know trainNonce_9906. Using the function 6-tuple the attacker may obtain (sent_ETCS_ID_TYPE_9901,AU1(),DF_SEND(),train_etcs_id_9909,trainSaF_9902,trainNonce_9906). attacker:(sent_ETCS_ID_TYPE_9901,AU1(),DF_SEND(),train_etcs_id_9909,trainSaF_9902,trainNonce_9906). 13. The message new_rbc_id_9905 may be sent on channel id[] at output {4}. mess:id[],new_rbc_id_9905. 14. The message new_rbc_id_9907 may be sent on channel id[] at output {4}. mess:id[],new_rbc_id_9907. 15. The attacker has some term rbcSaF_9868. attacker:rbcSaF_9868. 16. The attacker has some term sent_ETCS_ID_TYPE_9847. attacker:sent_ETCS_ID_TYPE_9847. 17. By 16, the attacker may know sent_ETCS_ID_TYPE_9847. By 10, the attacker may know AU1(). By 9, the attacker may know DF_SEND(). By 8, the attacker may know train_etcs_id_9909. By 15, the attacker may know rbcSaF_9868. By 4, the attacker may know trainNonce_9906. Using the function 6-tuple the attacker may obtain (sent_ETCS_ID_TYPE_9847,AU1(),DF_SEND(),train_etcs_id_9909,rbcSaF_9868,trainNonce_9906). attacker:(sent_ETCS_ID_TYPE_9847,AU1(),DF_SEND(),train_etcs_id_9909,rbcSaF_9868,trainNonce_9906). 18. The message new_rbc_id_9907 that may be sent on channel id[] by 14 may be received at input {31}. The message (sent_ETCS_ID_TYPE_9847,AU1(),DF_SEND(),train_etcs_id_9909,rbcSaF_9868,trainNonce_9906) that the attacker may have by 17 may be received at input {33}. So the message (RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_9907,rbcSaF_9868,rbcNonce_9908,mac(genSessionKey(trainNonce_9906,rbcNonce_9908,getKey(new_rbc_id_9907,train_etcs_id_9909)),((PAYLOAD_LENGTH(),train_etcs_id_9909,RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_9907,rbcSaF_9868),rbcNonce_9908,trainNonce_9906,train_etcs_id_9909))) may be sent to the attacker at output {38}. attacker:(RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_9907,rbcSaF_9868,rbcNonce_9908,mac(genSessionKey(trainNonce_9906,rbcNonce_9908,getKey(new_rbc_id_9907,train_etcs_id_9909)),((PAYLOAD_LENGTH(),train_etcs_id_9909,RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_9907,rbcSaF_9868),rbcNonce_9908,trainNonce_9906,train_etcs_id_9909))). 19. By 18, the attacker may know (RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_9907,rbcSaF_9868,rbcNonce_9908,mac(genSessionKey(trainNonce_9906,rbcNonce_9908,getKey(new_rbc_id_9907,train_etcs_id_9909)),((PAYLOAD_LENGTH(),train_etcs_id_9909,RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_9907,rbcSaF_9868),rbcNonce_9908,trainNonce_9906,train_etcs_id_9909))). Using the function 7-proj-7-tuple the attacker may obtain mac(genSessionKey(trainNonce_9906,rbcNonce_9908,getKey(new_rbc_id_9907,train_etcs_id_9909)),((PAYLOAD_LENGTH(),train_etcs_id_9909,RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_9907,rbcSaF_9868),rbcNonce_9908,trainNonce_9906,train_etcs_id_9909)). attacker:mac(genSessionKey(trainNonce_9906,rbcNonce_9908,getKey(new_rbc_id_9907,train_etcs_id_9909)),((PAYLOAD_LENGTH(),train_etcs_id_9909,RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_9907,rbcSaF_9868),rbcNonce_9908,trainNonce_9906,train_etcs_id_9909)). 20. The message new_rbc_id_9907 may be sent on channel id[] at output {4}. mess:id[],new_rbc_id_9907. 21. The attacker has some term trainNonce_9829. attacker:trainNonce_9829. 22. The attacker has some term trainSaF_9828. attacker:trainSaF_9828. 23. The attacker has some term in_train_etcs_id_9827. attacker:in_train_etcs_id_9827. 24. The attacker has some term sent_ETCS_ID_TYPE_9826. attacker:sent_ETCS_ID_TYPE_9826. 25. By 24, the attacker may know sent_ETCS_ID_TYPE_9826. By 10, the attacker may know AU1(). By 9, the attacker may know DF_SEND(). By 23, the attacker may know in_train_etcs_id_9827. By 22, the attacker may know trainSaF_9828. By 21, the attacker may know trainNonce_9829. Using the function 6-tuple the attacker may obtain (sent_ETCS_ID_TYPE_9826,AU1(),DF_SEND(),in_train_etcs_id_9827,trainSaF_9828,trainNonce_9829). attacker:(sent_ETCS_ID_TYPE_9826,AU1(),DF_SEND(),in_train_etcs_id_9827,trainSaF_9828,trainNonce_9829). 26. The message new_rbc_id_9907 that may be sent on channel id[] by 20 may be received at input {31}. The message (sent_ETCS_ID_TYPE_9826,AU1(),DF_SEND(),in_train_etcs_id_9827,trainSaF_9828,trainNonce_9829) that the attacker may have by 25 may be received at input {33}. So the message (RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_9907,trainSaF_9828,rbcNonce_9908,mac(genSessionKey(trainNonce_9829,rbcNonce_9908,getKey(new_rbc_id_9907,in_train_etcs_id_9827)),((PAYLOAD_LENGTH(),in_train_etcs_id_9827,RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_9907,trainSaF_9828),rbcNonce_9908,trainNonce_9829,in_train_etcs_id_9827))) may be sent to the attacker at output {38}. attacker:(RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_9907,trainSaF_9828,rbcNonce_9908,mac(genSessionKey(trainNonce_9829,rbcNonce_9908,getKey(new_rbc_id_9907,in_train_etcs_id_9827)),((PAYLOAD_LENGTH(),in_train_etcs_id_9827,RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_9907,trainSaF_9828),rbcNonce_9908,trainNonce_9829,in_train_etcs_id_9827))). 27. By 26, the attacker may know (RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_9907,trainSaF_9828,rbcNonce_9908,mac(genSessionKey(trainNonce_9829,rbcNonce_9908,getKey(new_rbc_id_9907,in_train_etcs_id_9827)),((PAYLOAD_LENGTH(),in_train_etcs_id_9827,RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_9907,trainSaF_9828),rbcNonce_9908,trainNonce_9829,in_train_etcs_id_9827))). Using the function 6-proj-7-tuple the attacker may obtain rbcNonce_9908. attacker:rbcNonce_9908. 28. The message new_rbc_id_9907 may be sent on channel id[] at output {4}. mess:id[],new_rbc_id_9907. 29. The attacker has some term trainNonce_9808. attacker:trainNonce_9808. 30. The attacker has some term trainSaF_9807. attacker:trainSaF_9807. 31. The attacker has some term in_train_etcs_id_9806. attacker:in_train_etcs_id_9806. 32. The attacker has some term sent_ETCS_ID_TYPE_9805. attacker:sent_ETCS_ID_TYPE_9805. 33. By 32, the attacker may know sent_ETCS_ID_TYPE_9805. By 10, the attacker may know AU1(). By 9, the attacker may know DF_SEND(). By 31, the attacker may know in_train_etcs_id_9806. By 30, the attacker may know trainSaF_9807. By 29, the attacker may know trainNonce_9808. Using the function 6-tuple the attacker may obtain (sent_ETCS_ID_TYPE_9805,AU1(),DF_SEND(),in_train_etcs_id_9806,trainSaF_9807,trainNonce_9808). attacker:(sent_ETCS_ID_TYPE_9805,AU1(),DF_SEND(),in_train_etcs_id_9806,trainSaF_9807,trainNonce_9808). 34. The message new_rbc_id_9907 that may be sent on channel id[] by 28 may be received at input {31}. The message (sent_ETCS_ID_TYPE_9805,AU1(),DF_SEND(),in_train_etcs_id_9806,trainSaF_9807,trainNonce_9808) that the attacker may have by 33 may be received at input {33}. So the message (RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_9907,trainSaF_9807,rbcNonce_9910,mac(genSessionKey(trainNonce_9808,rbcNonce_9910,getKey(new_rbc_id_9907,in_train_etcs_id_9806)),((PAYLOAD_LENGTH(),in_train_etcs_id_9806,RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_9907,trainSaF_9807),rbcNonce_9910,trainNonce_9808,in_train_etcs_id_9806))) may be sent to the attacker at output {38}. attacker:(RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_9907,trainSaF_9807,rbcNonce_9910,mac(genSessionKey(trainNonce_9808,rbcNonce_9910,getKey(new_rbc_id_9907,in_train_etcs_id_9806)),((PAYLOAD_LENGTH(),in_train_etcs_id_9806,RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_9907,trainSaF_9807),rbcNonce_9910,trainNonce_9808,in_train_etcs_id_9806))). 35. By 34, the attacker may know (RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_9907,trainSaF_9807,rbcNonce_9910,mac(genSessionKey(trainNonce_9808,rbcNonce_9910,getKey(new_rbc_id_9907,in_train_etcs_id_9806)),((PAYLOAD_LENGTH(),in_train_etcs_id_9806,RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_9907,trainSaF_9807),rbcNonce_9910,trainNonce_9808,in_train_etcs_id_9806))). Using the function 4-proj-7-tuple the attacker may obtain new_rbc_id_9907. attacker:new_rbc_id_9907. 36. Using the function DF_RESP the attacker may obtain DF_RESP(). attacker:DF_RESP(). 37. Using the function AU2 the attacker may obtain AU2(). attacker:AU2(). 38. Using the function RBC_ETCS_ID_TYPE the attacker may obtain RBC_ETCS_ID_TYPE(). attacker:RBC_ETCS_ID_TYPE(). 39. By 38, the attacker may know RBC_ETCS_ID_TYPE(). By 37, the attacker may know AU2(). By 36, the attacker may know DF_RESP(). By 35, the attacker may know new_rbc_id_9907. By 15, the attacker may know rbcSaF_9868. By 27, the attacker may know rbcNonce_9908. By 19, the attacker may know mac(genSessionKey(trainNonce_9906,rbcNonce_9908,getKey(new_rbc_id_9907,train_etcs_id_9909)),((PAYLOAD_LENGTH(),train_etcs_id_9909,RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_9907,rbcSaF_9868),rbcNonce_9908,trainNonce_9906,train_etcs_id_9909)). Using the function 7-tuple the attacker may obtain (RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_9907,rbcSaF_9868,rbcNonce_9908,mac(genSessionKey(trainNonce_9906,rbcNonce_9908,getKey(new_rbc_id_9907,train_etcs_id_9909)),((PAYLOAD_LENGTH(),train_etcs_id_9909,RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_9907,rbcSaF_9868),rbcNonce_9908,trainNonce_9906,train_etcs_id_9909))). attacker:(RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_9907,rbcSaF_9868,rbcNonce_9908,mac(genSessionKey(trainNonce_9906,rbcNonce_9908,getKey(new_rbc_id_9907,train_etcs_id_9909)),((PAYLOAD_LENGTH(),train_etcs_id_9909,RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_9907,rbcSaF_9868),rbcNonce_9908,trainNonce_9906,train_etcs_id_9909))). 40. The message new_rbc_id_9905 that may be sent on channel id[] by 13 may be received at input {9}. The message (RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_9907,rbcSaF_9868,rbcNonce_9908,mac(genSessionKey(trainNonce_9906,rbcNonce_9908,getKey(new_rbc_id_9907,train_etcs_id_9909)),((PAYLOAD_LENGTH(),train_etcs_id_9909,RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_9907,rbcSaF_9868),rbcNonce_9908,trainNonce_9906,train_etcs_id_9909))) that the attacker may have by 39 may be received at input {13}. So the message (ZEROS(),AU3(),DF_SEND(),mac(genSessionKey(trainNonce_9906,rbcNonce_9908,getKey(new_rbc_id_9907,train_etcs_id_9909)),(PAYLOAD_LENGTH(),train_etcs_id_9909,ZEROS(),AU3(),DF_SEND(),trainNonce_9906,rbcNonce_9908))) may be sent to the attacker at output {19}. attacker:(ZEROS(),AU3(),DF_SEND(),mac(genSessionKey(trainNonce_9906,rbcNonce_9908,getKey(new_rbc_id_9907,train_etcs_id_9909)),(PAYLOAD_LENGTH(),train_etcs_id_9909,ZEROS(),AU3(),DF_SEND(),trainNonce_9906,rbcNonce_9908))). 41. By 40, the attacker may know (ZEROS(),AU3(),DF_SEND(),mac(genSessionKey(trainNonce_9906,rbcNonce_9908,getKey(new_rbc_id_9907,train_etcs_id_9909)),(PAYLOAD_LENGTH(),train_etcs_id_9909,ZEROS(),AU3(),DF_SEND(),trainNonce_9906,rbcNonce_9908))). Using the function 4-proj-4-tuple the attacker may obtain mac(genSessionKey(trainNonce_9906,rbcNonce_9908,getKey(new_rbc_id_9907,train_etcs_id_9909)),(PAYLOAD_LENGTH(),train_etcs_id_9909,ZEROS(),AU3(),DF_SEND(),trainNonce_9906,rbcNonce_9908)). attacker:mac(genSessionKey(trainNonce_9906,rbcNonce_9908,getKey(new_rbc_id_9907,train_etcs_id_9909)),(PAYLOAD_LENGTH(),train_etcs_id_9909,ZEROS(),AU3(),DF_SEND(),trainNonce_9906,rbcNonce_9908)). 42. Using the function AU3 the attacker may obtain AU3(). attacker:AU3(). 43. Using the function ZEROS the attacker may obtain ZEROS(). attacker:ZEROS(). 44. By 43, the attacker may know ZEROS(). By 42, the attacker may know AU3(). By 9, the attacker may know DF_SEND(). By 41, the attacker may know mac(genSessionKey(trainNonce_9906,rbcNonce_9908,getKey(new_rbc_id_9907,train_etcs_id_9909)),(PAYLOAD_LENGTH(),train_etcs_id_9909,ZEROS(),AU3(),DF_SEND(),trainNonce_9906,rbcNonce_9908)). Using the function 4-tuple the attacker may obtain (ZEROS(),AU3(),DF_SEND(),mac(genSessionKey(trainNonce_9906,rbcNonce_9908,getKey(new_rbc_id_9907,train_etcs_id_9909)),(PAYLOAD_LENGTH(),train_etcs_id_9909,ZEROS(),AU3(),DF_SEND(),trainNonce_9906,rbcNonce_9908))). attacker:(ZEROS(),AU3(),DF_SEND(),mac(genSessionKey(trainNonce_9906,rbcNonce_9908,getKey(new_rbc_id_9907,train_etcs_id_9909)),(PAYLOAD_LENGTH(),train_etcs_id_9909,ZEROS(),AU3(),DF_SEND(),trainNonce_9906,rbcNonce_9908))). 45. The attacker has some term msgA_9896. attacker:msgA_9896. 46. The attacker has some term timeA_9895. attacker:timeA_9895. 47. Using the function DT the attacker may obtain DT(). attacker:DT(). 48. By 47, the attacker may know DT(). By 46, the attacker may know timeA_9895. By 45, the attacker may know msgA_9896. Using the function 3-tuple the attacker may obtain (DT(),timeA_9895,msgA_9896). attacker:(DT(),timeA_9895,msgA_9896). 49. We assume as hypothesis that attacker:msgB_9894. 50. We assume as hypothesis that attacker:timeB_9893. 51. By 47, the attacker may know DT(). By 50, the attacker may know timeB_9893. By 49, the attacker may know msgB_9894. Using the function 3-tuple the attacker may obtain (DT(),timeB_9893,msgB_9894). attacker:(DT(),timeB_9893,msgB_9894). 52. The message new_rbc_id_9907 that may be sent on channel id[] by 1 may be received at input {31}. The message (sent_ETCS_ID_TYPE_9901,AU1(),DF_SEND(),train_etcs_id_9909,trainSaF_9902,trainNonce_9906) that the attacker may have by 12 may be received at input {33}. The message (ZEROS(),AU3(),DF_SEND(),mac(genSessionKey(trainNonce_9906,rbcNonce_9908,getKey(new_rbc_id_9907,train_etcs_id_9909)),(PAYLOAD_LENGTH(),train_etcs_id_9909,ZEROS(),AU3(),DF_SEND(),trainNonce_9906,rbcNonce_9908))) that the attacker may have by 44 may be received at input {39}. The message (DT(),timeA_9895,msgA_9896) that the attacker may have by 48 may be received at input {42}. The message (DT(),timeB_9893,msgB_9894) that the attacker may have by 51 may be received at input {44}. So event DataReceived2((DT(),timeB_9893,msgB_9894)) may be executed at {45} in session endsid_9903. end:endsid_9903,DataReceived2((DT(),timeB_9893,msgB_9894)). Unified sent_ETCS_ID_TYPE_9826 with sent_ETCS_ID_TYPE_9901 Unified in_train_etcs_id_9827 with train_etcs_id_20[!1 = @sid_9872] Unified trainSaF_9828 with trainSaF_9902 Unified trainNonce_9829 with trainNonce_23[rbc_etcs_id_22 = new_rbc_id_19[!1 = @sid_9775],!2 = @sid_9871,!1 = @sid_9872] Unified sent_ETCS_ID_TYPE_9847 with sent_ETCS_ID_TYPE_9901 Unified rbcSaF_9868 with trainSaF_9902 Iterating unifyDerivation. Fixpoint reached: nothing more to unify. The clause after unifyDerivation is attacker:msgB_9915 & attacker:timeB_9914 -> end:endsid_9913,DataReceived2((DT(),timeB_9914,msgB_9915)) This clause still contradicts the query. A more detailed output of the traces is available with param traceDisplay = long. new train_etcs_id_20 creating train_etcs_id_20_9945 at {6} in copy a_9924 new session_21 creating session_21_10006 at {8} in copy a_9924, a_9923 new session_21 creating session_21_10007 at {8} in copy a_9924, a_9935 new new_rbc_id_19 creating new_rbc_id_19_9942 at {2} in copy a_9925 new new_rbc_id_19 creating new_rbc_id_19_9947 at {2} in copy a_9922 new new_rbc_id_19 creating new_rbc_id_19_9944 at {2} in copy a_9934 out(id, new_rbc_id_19_9944) at {4} in copy a_9934, a_9936 received at {9} in copy a_9924, a_9935 new trainNonce_23 creating trainNonce_23_9946 at {10} in copy a_9924, a_9935 event(trainStartSession(new_rbc_id_19_9944,train_etcs_id_20_9945,trainNonce_23_9946,SAF())) at {11} in copy a_9924, a_9935 out(c, (TRAIN_ETCS_ID_TYPE(),AU1(),DF_SEND(),train_etcs_id_20_9945,SAF(),trainNonce_23_9946)) at {12} in copy a_9924, a_9935 out(id, new_rbc_id_19_9947) at {4} in copy a_9922, a_9940 received at {9} in copy a_9924, a_9923 new trainNonce_23 creating trainNonce_23_9948 at {10} in copy a_9924, a_9923 event(trainStartSession(new_rbc_id_19_9947,train_etcs_id_20_9945,trainNonce_23_9948,SAF())) at {11} in copy a_9924, a_9923 out(c, (TRAIN_ETCS_ID_TYPE(),AU1(),DF_SEND(),train_etcs_id_20_9945,SAF(),trainNonce_23_9948)) at {12} in copy a_9924, a_9923 out(id, new_rbc_id_19_9942) at {4} in copy a_9925, a_9932 received at {31} in copy a_9928 new rbcNonce_37 creating rbcNonce_37_9943 at {32} in copy a_9928 in(c, (a_9931,AU1(),DF_SEND(),a_9930,a_9927,a_9929)) at {33} in copy a_9928 event(rbcStartSession(new_rbc_id_19_9942,a_9930,rbcNonce_37_9943,a_9927,a_9929)) at {34} in copy a_9928 out(c, encrypt(SECRET,genSessionKey(a_9929,rbcNonce_37_9943,getKey(new_rbc_id_19_9942,a_9930)))) at {36} in copy a_9928 out(c, encrypt(SECRET,getKey(new_rbc_id_19_9942,a_9930))) at {37} in copy a_9928 out(c, (RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_19_9942,a_9927,rbcNonce_37_9943,mac(genSessionKey(a_9929,rbcNonce_37_9943,getKey(new_rbc_id_19_9942,a_9930)),((PAYLOAD_LENGTH(),a_9930,RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_19_9942,a_9927),rbcNonce_37_9943,a_9929,a_9930)))) at {38} in copy a_9928 out(id, new_rbc_id_19_9942) at {4} in copy a_9925, a_9938 received at {31} in copy a_9917 new rbcNonce_37 creating rbcNonce_37_9949 at {32} in copy a_9917 in(c, (a_9933,AU1(),DF_SEND(),train_etcs_id_20_9945,a_9926,trainNonce_23_9948)) at {33} in copy a_9917 event(rbcStartSession(new_rbc_id_19_9942,train_etcs_id_20_9945,rbcNonce_37_9949,a_9926,trainNonce_23_9948)) at {34} in copy a_9917 out(c, encrypt(SECRET,genSessionKey(trainNonce_23_9948,rbcNonce_37_9949,getKey(new_rbc_id_19_9942,train_etcs_id_20_9945)))) at {36} in copy a_9917 out(c, encrypt(SECRET,getKey(new_rbc_id_19_9942,train_etcs_id_20_9945))) at {37} in copy a_9917 out(c, (RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_19_9942,a_9926,rbcNonce_37_9949,mac(genSessionKey(trainNonce_23_9948,rbcNonce_37_9949,getKey(new_rbc_id_19_9942,train_etcs_id_20_9945)),((PAYLOAD_LENGTH(),train_etcs_id_20_9945,RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_19_9942,a_9926),rbcNonce_37_9949,trainNonce_23_9948,train_etcs_id_20_9945)))) at {38} in copy a_9917 in(c, (RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_19_9942,a_9926,rbcNonce_37_9949,mac(genSessionKey(trainNonce_23_9948,rbcNonce_37_9949,getKey(new_rbc_id_19_9942,train_etcs_id_20_9945)),((PAYLOAD_LENGTH(),train_etcs_id_20_9945,RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_19_9942,a_9926),rbcNonce_37_9949,trainNonce_23_9948,train_etcs_id_20_9945)))) at {13} in copy a_9924, a_9923 out(c, encrypt(SECRET,genSessionKey(trainNonce_23_9948,rbcNonce_37_9949,getKey(new_rbc_id_19_9942,train_etcs_id_20_9945)))) at {15} in copy a_9924, a_9923 out(c, encrypt(SECRET,getKey(new_rbc_id_19_9942,train_etcs_id_20_9945))) at {16} in copy a_9924, a_9923 event(trainFinishSession(new_rbc_id_19_9942,train_etcs_id_20_9945,trainNonce_23_9948,a_9926,rbcNonce_37_9949,genSessionKey(trainNonce_23_9948,rbcNonce_37_9949,getKey(new_rbc_id_19_9942,train_etcs_id_20_9945)))) at {18} in copy a_9924, a_9923 out(c, (ZEROS(),AU3(),DF_SEND(),mac(genSessionKey(trainNonce_23_9948,rbcNonce_37_9949,getKey(new_rbc_id_19_9942,train_etcs_id_20_9945)),(PAYLOAD_LENGTH(),train_etcs_id_20_9945,ZEROS(),AU3(),DF_SEND(),trainNonce_23_9948,rbcNonce_37_9949)))) at {19} in copy a_9924, a_9923 new time_29 creating time_29_10118 at {20} in copy a_9924, a_9923 event(DataSent1(session_21_10006,(DT(),time_29_10118,MESSAGE_1()))) at {22} in copy a_9924, a_9923 out(c, (DT(),time_29_10118,MESSAGE_1())) at {23} in copy a_9924, a_9923 in(c, (ZEROS(),AU3(),DF_SEND(),mac(genSessionKey(trainNonce_23_9948,rbcNonce_37_9949,getKey(new_rbc_id_19_9942,train_etcs_id_20_9945)),(PAYLOAD_LENGTH(),train_etcs_id_20_9945,ZEROS(),AU3(),DF_SEND(),trainNonce_23_9948,rbcNonce_37_9949)))) at {39} in copy a_9917 event(rbcFinishSession(new_rbc_id_19_9942,train_etcs_id_20_9945,rbcNonce_37_9949,a_9926,trainNonce_23_9948,genSessionKey(trainNonce_23_9948,rbcNonce_37_9949,getKey(new_rbc_id_19_9942,train_etcs_id_20_9945)))) at {41} in copy a_9917 in(c, (DT(),a_9920,a_9921)) at {42} in copy a_9917 event(DataReceived1((DT(),a_9920,a_9921))) at {43} in copy a_9917 in(c, (DT(),a_9918,a_9919)) at {44} in copy a_9917 event(DataReceived2((DT(),a_9918,a_9919))) at {45} in copy a_9917 The event DataReceived2((DT(),a_9918,a_9919)) is executed in session a_9917. A trace has been found. RESULT evinj:DataReceived2(m_7764) ==> evinj:DataSent2(s_7765,m_7764) is false. RESULT (even ev:DataReceived2(m_9747) ==> ev:DataSent2(s_9746,m_9747) is false.) nounif greater:x_10158,*y_10159/-5000 -- Query evinj:DataReceived1(m_10148) ==> evinj:DataSent1(s_10149,m_10148) Completing... Starting query evinj:DataReceived1(m_10148) ==> evinj:DataSent1(s_10149,m_10148) goal reachable: attacker:timeA_12185 & attacker:msgA_12186 -> end:endsid_12187,DataReceived1((DT(),timeA_12185,msgA_12186)) Abbreviations: new_rbc_id_12342 = new_rbc_id_19[!1 = @sid_12217] trainNonce_12343 = trainNonce_23[rbc_etcs_id_22 = new_rbc_id_12342,!2 = @sid_12313,!1 = @sid_12314] new_rbc_id_12344 = new_rbc_id_19[!1 = @sid_12281] rbcNonce_12345 = rbcNonce_37[rbc_etcs_id_36 = new_rbc_id_12344,!1 = endsid_12340] train_etcs_id_12346 = train_etcs_id_20[!1 = @sid_12314] rbcNonce_12347 = rbcNonce_37[rbc_etcs_id_36 = new_rbc_id_12344,!1 = @sid_12252] new_rbc_id_12348 = new_rbc_id_19[!1 = @sid_12191] trainNonce_12349 = trainNonce_23[rbc_etcs_id_22 = new_rbc_id_12348,!2 = @sid_12195,!1 = @sid_12314] 1. The message new_rbc_id_12344 may be sent on channel id[] at output {4}. mess:id[],new_rbc_id_12344. 2. The message new_rbc_id_12342 may be sent on channel id[] at output {4}. mess:id[],new_rbc_id_12342. 3. The message new_rbc_id_12342 that may be sent on channel id[] by 2 may be received at input {9}. So the message (TRAIN_ETCS_ID_TYPE(),AU1(),DF_SEND(),train_etcs_id_12346,SAF(),trainNonce_12343) may be sent to the attacker at output {12}. attacker:(TRAIN_ETCS_ID_TYPE(),AU1(),DF_SEND(),train_etcs_id_12346,SAF(),trainNonce_12343). 4. By 3, the attacker may know (TRAIN_ETCS_ID_TYPE(),AU1(),DF_SEND(),train_etcs_id_12346,SAF(),trainNonce_12343). Using the function 6-proj-6-tuple the attacker may obtain trainNonce_12343. attacker:trainNonce_12343. 5. The attacker has some term trainSaF_12339. attacker:trainSaF_12339. 6. The message new_rbc_id_12348 may be sent on channel id[] at output {4}. mess:id[],new_rbc_id_12348. 7. The message new_rbc_id_12348 that may be sent on channel id[] by 6 may be received at input {9}. So the message (TRAIN_ETCS_ID_TYPE(),AU1(),DF_SEND(),train_etcs_id_12346,SAF(),trainNonce_12349) may be sent to the attacker at output {12}. attacker:(TRAIN_ETCS_ID_TYPE(),AU1(),DF_SEND(),train_etcs_id_12346,SAF(),trainNonce_12349). 8. By 7, the attacker may know (TRAIN_ETCS_ID_TYPE(),AU1(),DF_SEND(),train_etcs_id_12346,SAF(),trainNonce_12349). Using the function 4-proj-6-tuple the attacker may obtain train_etcs_id_12346. attacker:train_etcs_id_12346. 9. Using the function DF_SEND the attacker may obtain DF_SEND(). attacker:DF_SEND(). 10. Using the function AU1 the attacker may obtain AU1(). attacker:AU1(). 11. The attacker has some term sent_ETCS_ID_TYPE_12338. attacker:sent_ETCS_ID_TYPE_12338. 12. By 11, the attacker may know sent_ETCS_ID_TYPE_12338. By 10, the attacker may know AU1(). By 9, the attacker may know DF_SEND(). By 8, the attacker may know train_etcs_id_12346. By 5, the attacker may know trainSaF_12339. By 4, the attacker may know trainNonce_12343. Using the function 6-tuple the attacker may obtain (sent_ETCS_ID_TYPE_12338,AU1(),DF_SEND(),train_etcs_id_12346,trainSaF_12339,trainNonce_12343). attacker:(sent_ETCS_ID_TYPE_12338,AU1(),DF_SEND(),train_etcs_id_12346,trainSaF_12339,trainNonce_12343). 13. The message new_rbc_id_12342 may be sent on channel id[] at output {4}. mess:id[],new_rbc_id_12342. 14. The message new_rbc_id_12344 may be sent on channel id[] at output {4}. mess:id[],new_rbc_id_12344. 15. The attacker has some term rbcSaF_12310. attacker:rbcSaF_12310. 16. The attacker has some term sent_ETCS_ID_TYPE_12289. attacker:sent_ETCS_ID_TYPE_12289. 17. By 16, the attacker may know sent_ETCS_ID_TYPE_12289. By 10, the attacker may know AU1(). By 9, the attacker may know DF_SEND(). By 8, the attacker may know train_etcs_id_12346. By 15, the attacker may know rbcSaF_12310. By 4, the attacker may know trainNonce_12343. Using the function 6-tuple the attacker may obtain (sent_ETCS_ID_TYPE_12289,AU1(),DF_SEND(),train_etcs_id_12346,rbcSaF_12310,trainNonce_12343). attacker:(sent_ETCS_ID_TYPE_12289,AU1(),DF_SEND(),train_etcs_id_12346,rbcSaF_12310,trainNonce_12343). 18. The message new_rbc_id_12344 that may be sent on channel id[] by 14 may be received at input {31}. The message (sent_ETCS_ID_TYPE_12289,AU1(),DF_SEND(),train_etcs_id_12346,rbcSaF_12310,trainNonce_12343) that the attacker may have by 17 may be received at input {33}. So the message (RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_12344,rbcSaF_12310,rbcNonce_12345,mac(genSessionKey(trainNonce_12343,rbcNonce_12345,getKey(new_rbc_id_12344,train_etcs_id_12346)),((PAYLOAD_LENGTH(),train_etcs_id_12346,RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_12344,rbcSaF_12310),rbcNonce_12345,trainNonce_12343,train_etcs_id_12346))) may be sent to the attacker at output {38}. attacker:(RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_12344,rbcSaF_12310,rbcNonce_12345,mac(genSessionKey(trainNonce_12343,rbcNonce_12345,getKey(new_rbc_id_12344,train_etcs_id_12346)),((PAYLOAD_LENGTH(),train_etcs_id_12346,RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_12344,rbcSaF_12310),rbcNonce_12345,trainNonce_12343,train_etcs_id_12346))). 19. By 18, the attacker may know (RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_12344,rbcSaF_12310,rbcNonce_12345,mac(genSessionKey(trainNonce_12343,rbcNonce_12345,getKey(new_rbc_id_12344,train_etcs_id_12346)),((PAYLOAD_LENGTH(),train_etcs_id_12346,RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_12344,rbcSaF_12310),rbcNonce_12345,trainNonce_12343,train_etcs_id_12346))). Using the function 7-proj-7-tuple the attacker may obtain mac(genSessionKey(trainNonce_12343,rbcNonce_12345,getKey(new_rbc_id_12344,train_etcs_id_12346)),((PAYLOAD_LENGTH(),train_etcs_id_12346,RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_12344,rbcSaF_12310),rbcNonce_12345,trainNonce_12343,train_etcs_id_12346)). attacker:mac(genSessionKey(trainNonce_12343,rbcNonce_12345,getKey(new_rbc_id_12344,train_etcs_id_12346)),((PAYLOAD_LENGTH(),train_etcs_id_12346,RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_12344,rbcSaF_12310),rbcNonce_12345,trainNonce_12343,train_etcs_id_12346)). 20. The message new_rbc_id_12344 may be sent on channel id[] at output {4}. mess:id[],new_rbc_id_12344. 21. The attacker has some term trainNonce_12271. attacker:trainNonce_12271. 22. The attacker has some term trainSaF_12270. attacker:trainSaF_12270. 23. The attacker has some term in_train_etcs_id_12269. attacker:in_train_etcs_id_12269. 24. The attacker has some term sent_ETCS_ID_TYPE_12268. attacker:sent_ETCS_ID_TYPE_12268. 25. By 24, the attacker may know sent_ETCS_ID_TYPE_12268. By 10, the attacker may know AU1(). By 9, the attacker may know DF_SEND(). By 23, the attacker may know in_train_etcs_id_12269. By 22, the attacker may know trainSaF_12270. By 21, the attacker may know trainNonce_12271. Using the function 6-tuple the attacker may obtain (sent_ETCS_ID_TYPE_12268,AU1(),DF_SEND(),in_train_etcs_id_12269,trainSaF_12270,trainNonce_12271). attacker:(sent_ETCS_ID_TYPE_12268,AU1(),DF_SEND(),in_train_etcs_id_12269,trainSaF_12270,trainNonce_12271). 26. The message new_rbc_id_12344 that may be sent on channel id[] by 20 may be received at input {31}. The message (sent_ETCS_ID_TYPE_12268,AU1(),DF_SEND(),in_train_etcs_id_12269,trainSaF_12270,trainNonce_12271) that the attacker may have by 25 may be received at input {33}. So the message (RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_12344,trainSaF_12270,rbcNonce_12345,mac(genSessionKey(trainNonce_12271,rbcNonce_12345,getKey(new_rbc_id_12344,in_train_etcs_id_12269)),((PAYLOAD_LENGTH(),in_train_etcs_id_12269,RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_12344,trainSaF_12270),rbcNonce_12345,trainNonce_12271,in_train_etcs_id_12269))) may be sent to the attacker at output {38}. attacker:(RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_12344,trainSaF_12270,rbcNonce_12345,mac(genSessionKey(trainNonce_12271,rbcNonce_12345,getKey(new_rbc_id_12344,in_train_etcs_id_12269)),((PAYLOAD_LENGTH(),in_train_etcs_id_12269,RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_12344,trainSaF_12270),rbcNonce_12345,trainNonce_12271,in_train_etcs_id_12269))). 27. By 26, the attacker may know (RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_12344,trainSaF_12270,rbcNonce_12345,mac(genSessionKey(trainNonce_12271,rbcNonce_12345,getKey(new_rbc_id_12344,in_train_etcs_id_12269)),((PAYLOAD_LENGTH(),in_train_etcs_id_12269,RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_12344,trainSaF_12270),rbcNonce_12345,trainNonce_12271,in_train_etcs_id_12269))). Using the function 6-proj-7-tuple the attacker may obtain rbcNonce_12345. attacker:rbcNonce_12345. 28. The message new_rbc_id_12344 may be sent on channel id[] at output {4}. mess:id[],new_rbc_id_12344. 29. The attacker has some term trainNonce_12250. attacker:trainNonce_12250. 30. The attacker has some term trainSaF_12249. attacker:trainSaF_12249. 31. The attacker has some term in_train_etcs_id_12248. attacker:in_train_etcs_id_12248. 32. The attacker has some term sent_ETCS_ID_TYPE_12247. attacker:sent_ETCS_ID_TYPE_12247. 33. By 32, the attacker may know sent_ETCS_ID_TYPE_12247. By 10, the attacker may know AU1(). By 9, the attacker may know DF_SEND(). By 31, the attacker may know in_train_etcs_id_12248. By 30, the attacker may know trainSaF_12249. By 29, the attacker may know trainNonce_12250. Using the function 6-tuple the attacker may obtain (sent_ETCS_ID_TYPE_12247,AU1(),DF_SEND(),in_train_etcs_id_12248,trainSaF_12249,trainNonce_12250). attacker:(sent_ETCS_ID_TYPE_12247,AU1(),DF_SEND(),in_train_etcs_id_12248,trainSaF_12249,trainNonce_12250). 34. The message new_rbc_id_12344 that may be sent on channel id[] by 28 may be received at input {31}. The message (sent_ETCS_ID_TYPE_12247,AU1(),DF_SEND(),in_train_etcs_id_12248,trainSaF_12249,trainNonce_12250) that the attacker may have by 33 may be received at input {33}. So the message (RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_12344,trainSaF_12249,rbcNonce_12347,mac(genSessionKey(trainNonce_12250,rbcNonce_12347,getKey(new_rbc_id_12344,in_train_etcs_id_12248)),((PAYLOAD_LENGTH(),in_train_etcs_id_12248,RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_12344,trainSaF_12249),rbcNonce_12347,trainNonce_12250,in_train_etcs_id_12248))) may be sent to the attacker at output {38}. attacker:(RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_12344,trainSaF_12249,rbcNonce_12347,mac(genSessionKey(trainNonce_12250,rbcNonce_12347,getKey(new_rbc_id_12344,in_train_etcs_id_12248)),((PAYLOAD_LENGTH(),in_train_etcs_id_12248,RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_12344,trainSaF_12249),rbcNonce_12347,trainNonce_12250,in_train_etcs_id_12248))). 35. By 34, the attacker may know (RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_12344,trainSaF_12249,rbcNonce_12347,mac(genSessionKey(trainNonce_12250,rbcNonce_12347,getKey(new_rbc_id_12344,in_train_etcs_id_12248)),((PAYLOAD_LENGTH(),in_train_etcs_id_12248,RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_12344,trainSaF_12249),rbcNonce_12347,trainNonce_12250,in_train_etcs_id_12248))). Using the function 4-proj-7-tuple the attacker may obtain new_rbc_id_12344. attacker:new_rbc_id_12344. 36. Using the function DF_RESP the attacker may obtain DF_RESP(). attacker:DF_RESP(). 37. Using the function AU2 the attacker may obtain AU2(). attacker:AU2(). 38. Using the function RBC_ETCS_ID_TYPE the attacker may obtain RBC_ETCS_ID_TYPE(). attacker:RBC_ETCS_ID_TYPE(). 39. By 38, the attacker may know RBC_ETCS_ID_TYPE(). By 37, the attacker may know AU2(). By 36, the attacker may know DF_RESP(). By 35, the attacker may know new_rbc_id_12344. By 15, the attacker may know rbcSaF_12310. By 27, the attacker may know rbcNonce_12345. By 19, the attacker may know mac(genSessionKey(trainNonce_12343,rbcNonce_12345,getKey(new_rbc_id_12344,train_etcs_id_12346)),((PAYLOAD_LENGTH(),train_etcs_id_12346,RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_12344,rbcSaF_12310),rbcNonce_12345,trainNonce_12343,train_etcs_id_12346)). Using the function 7-tuple the attacker may obtain (RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_12344,rbcSaF_12310,rbcNonce_12345,mac(genSessionKey(trainNonce_12343,rbcNonce_12345,getKey(new_rbc_id_12344,train_etcs_id_12346)),((PAYLOAD_LENGTH(),train_etcs_id_12346,RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_12344,rbcSaF_12310),rbcNonce_12345,trainNonce_12343,train_etcs_id_12346))). attacker:(RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_12344,rbcSaF_12310,rbcNonce_12345,mac(genSessionKey(trainNonce_12343,rbcNonce_12345,getKey(new_rbc_id_12344,train_etcs_id_12346)),((PAYLOAD_LENGTH(),train_etcs_id_12346,RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_12344,rbcSaF_12310),rbcNonce_12345,trainNonce_12343,train_etcs_id_12346))). 40. The message new_rbc_id_12342 that may be sent on channel id[] by 13 may be received at input {9}. The message (RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_12344,rbcSaF_12310,rbcNonce_12345,mac(genSessionKey(trainNonce_12343,rbcNonce_12345,getKey(new_rbc_id_12344,train_etcs_id_12346)),((PAYLOAD_LENGTH(),train_etcs_id_12346,RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_12344,rbcSaF_12310),rbcNonce_12345,trainNonce_12343,train_etcs_id_12346))) that the attacker may have by 39 may be received at input {13}. So the message (ZEROS(),AU3(),DF_SEND(),mac(genSessionKey(trainNonce_12343,rbcNonce_12345,getKey(new_rbc_id_12344,train_etcs_id_12346)),(PAYLOAD_LENGTH(),train_etcs_id_12346,ZEROS(),AU3(),DF_SEND(),trainNonce_12343,rbcNonce_12345))) may be sent to the attacker at output {19}. attacker:(ZEROS(),AU3(),DF_SEND(),mac(genSessionKey(trainNonce_12343,rbcNonce_12345,getKey(new_rbc_id_12344,train_etcs_id_12346)),(PAYLOAD_LENGTH(),train_etcs_id_12346,ZEROS(),AU3(),DF_SEND(),trainNonce_12343,rbcNonce_12345))). 41. By 40, the attacker may know (ZEROS(),AU3(),DF_SEND(),mac(genSessionKey(trainNonce_12343,rbcNonce_12345,getKey(new_rbc_id_12344,train_etcs_id_12346)),(PAYLOAD_LENGTH(),train_etcs_id_12346,ZEROS(),AU3(),DF_SEND(),trainNonce_12343,rbcNonce_12345))). Using the function 4-proj-4-tuple the attacker may obtain mac(genSessionKey(trainNonce_12343,rbcNonce_12345,getKey(new_rbc_id_12344,train_etcs_id_12346)),(PAYLOAD_LENGTH(),train_etcs_id_12346,ZEROS(),AU3(),DF_SEND(),trainNonce_12343,rbcNonce_12345)). attacker:mac(genSessionKey(trainNonce_12343,rbcNonce_12345,getKey(new_rbc_id_12344,train_etcs_id_12346)),(PAYLOAD_LENGTH(),train_etcs_id_12346,ZEROS(),AU3(),DF_SEND(),trainNonce_12343,rbcNonce_12345)). 42. Using the function AU3 the attacker may obtain AU3(). attacker:AU3(). 43. Using the function ZEROS the attacker may obtain ZEROS(). attacker:ZEROS(). 44. By 43, the attacker may know ZEROS(). By 42, the attacker may know AU3(). By 9, the attacker may know DF_SEND(). By 41, the attacker may know mac(genSessionKey(trainNonce_12343,rbcNonce_12345,getKey(new_rbc_id_12344,train_etcs_id_12346)),(PAYLOAD_LENGTH(),train_etcs_id_12346,ZEROS(),AU3(),DF_SEND(),trainNonce_12343,rbcNonce_12345)). Using the function 4-tuple the attacker may obtain (ZEROS(),AU3(),DF_SEND(),mac(genSessionKey(trainNonce_12343,rbcNonce_12345,getKey(new_rbc_id_12344,train_etcs_id_12346)),(PAYLOAD_LENGTH(),train_etcs_id_12346,ZEROS(),AU3(),DF_SEND(),trainNonce_12343,rbcNonce_12345))). attacker:(ZEROS(),AU3(),DF_SEND(),mac(genSessionKey(trainNonce_12343,rbcNonce_12345,getKey(new_rbc_id_12344,train_etcs_id_12346)),(PAYLOAD_LENGTH(),train_etcs_id_12346,ZEROS(),AU3(),DF_SEND(),trainNonce_12343,rbcNonce_12345))). 45. We assume as hypothesis that attacker:msgA_12333. 46. We assume as hypothesis that attacker:timeA_12332. 47. Using the function DT the attacker may obtain DT(). attacker:DT(). 48. By 47, the attacker may know DT(). By 46, the attacker may know timeA_12332. By 45, the attacker may know msgA_12333. Using the function 3-tuple the attacker may obtain (DT(),timeA_12332,msgA_12333). attacker:(DT(),timeA_12332,msgA_12333). 49. The message new_rbc_id_12344 that may be sent on channel id[] by 1 may be received at input {31}. The message (sent_ETCS_ID_TYPE_12338,AU1(),DF_SEND(),train_etcs_id_12346,trainSaF_12339,trainNonce_12343) that the attacker may have by 12 may be received at input {33}. The message (ZEROS(),AU3(),DF_SEND(),mac(genSessionKey(trainNonce_12343,rbcNonce_12345,getKey(new_rbc_id_12344,train_etcs_id_12346)),(PAYLOAD_LENGTH(),train_etcs_id_12346,ZEROS(),AU3(),DF_SEND(),trainNonce_12343,rbcNonce_12345))) that the attacker may have by 44 may be received at input {39}. The message (DT(),timeA_12332,msgA_12333) that the attacker may have by 48 may be received at input {42}. So event DataReceived1((DT(),timeA_12332,msgA_12333)) may be executed at {43} in session endsid_12340. end:endsid_12340,DataReceived1((DT(),timeA_12332,msgA_12333)). Unified sent_ETCS_ID_TYPE_12268 with sent_ETCS_ID_TYPE_12338 Unified in_train_etcs_id_12269 with train_etcs_id_20[!1 = @sid_12314] Unified trainSaF_12270 with trainSaF_12339 Unified trainNonce_12271 with trainNonce_23[rbc_etcs_id_22 = new_rbc_id_19[!1 = @sid_12217],!2 = @sid_12313,!1 = @sid_12314] Unified sent_ETCS_ID_TYPE_12289 with sent_ETCS_ID_TYPE_12338 Unified rbcSaF_12310 with trainSaF_12339 Iterating unifyDerivation. Fixpoint reached: nothing more to unify. The clause after unifyDerivation is attacker:msgA_12352 & attacker:timeA_12351 -> end:endsid_12350,DataReceived1((DT(),timeA_12351,msgA_12352)) This clause still contradicts the query. A more detailed output of the traces is available with param traceDisplay = long. new train_etcs_id_20 creating train_etcs_id_20_12380 at {6} in copy a_12359 new session_21 creating session_21_12441 at {8} in copy a_12359, a_12358 new session_21 creating session_21_12442 at {8} in copy a_12359, a_12370 new new_rbc_id_19 creating new_rbc_id_19_12377 at {2} in copy a_12360 new new_rbc_id_19 creating new_rbc_id_19_12382 at {2} in copy a_12357 new new_rbc_id_19 creating new_rbc_id_19_12379 at {2} in copy a_12369 out(id, new_rbc_id_19_12379) at {4} in copy a_12369, a_12371 received at {9} in copy a_12359, a_12370 new trainNonce_23 creating trainNonce_23_12381 at {10} in copy a_12359, a_12370 event(trainStartSession(new_rbc_id_19_12379,train_etcs_id_20_12380,trainNonce_23_12381,SAF())) at {11} in copy a_12359, a_12370 out(c, (TRAIN_ETCS_ID_TYPE(),AU1(),DF_SEND(),train_etcs_id_20_12380,SAF(),trainNonce_23_12381)) at {12} in copy a_12359, a_12370 out(id, new_rbc_id_19_12382) at {4} in copy a_12357, a_12375 received at {9} in copy a_12359, a_12358 new trainNonce_23 creating trainNonce_23_12383 at {10} in copy a_12359, a_12358 event(trainStartSession(new_rbc_id_19_12382,train_etcs_id_20_12380,trainNonce_23_12383,SAF())) at {11} in copy a_12359, a_12358 out(c, (TRAIN_ETCS_ID_TYPE(),AU1(),DF_SEND(),train_etcs_id_20_12380,SAF(),trainNonce_23_12383)) at {12} in copy a_12359, a_12358 out(id, new_rbc_id_19_12377) at {4} in copy a_12360, a_12367 received at {31} in copy a_12363 new rbcNonce_37 creating rbcNonce_37_12378 at {32} in copy a_12363 in(c, (a_12366,AU1(),DF_SEND(),a_12365,a_12362,a_12364)) at {33} in copy a_12363 event(rbcStartSession(new_rbc_id_19_12377,a_12365,rbcNonce_37_12378,a_12362,a_12364)) at {34} in copy a_12363 out(c, encrypt(SECRET,genSessionKey(a_12364,rbcNonce_37_12378,getKey(new_rbc_id_19_12377,a_12365)))) at {36} in copy a_12363 out(c, encrypt(SECRET,getKey(new_rbc_id_19_12377,a_12365))) at {37} in copy a_12363 out(c, (RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_19_12377,a_12362,rbcNonce_37_12378,mac(genSessionKey(a_12364,rbcNonce_37_12378,getKey(new_rbc_id_19_12377,a_12365)),((PAYLOAD_LENGTH(),a_12365,RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_19_12377,a_12362),rbcNonce_37_12378,a_12364,a_12365)))) at {38} in copy a_12363 out(id, new_rbc_id_19_12377) at {4} in copy a_12360, a_12373 received at {31} in copy a_12354 new rbcNonce_37 creating rbcNonce_37_12384 at {32} in copy a_12354 in(c, (a_12368,AU1(),DF_SEND(),train_etcs_id_20_12380,a_12361,trainNonce_23_12383)) at {33} in copy a_12354 event(rbcStartSession(new_rbc_id_19_12377,train_etcs_id_20_12380,rbcNonce_37_12384,a_12361,trainNonce_23_12383)) at {34} in copy a_12354 out(c, encrypt(SECRET,genSessionKey(trainNonce_23_12383,rbcNonce_37_12384,getKey(new_rbc_id_19_12377,train_etcs_id_20_12380)))) at {36} in copy a_12354 out(c, encrypt(SECRET,getKey(new_rbc_id_19_12377,train_etcs_id_20_12380))) at {37} in copy a_12354 out(c, (RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_19_12377,a_12361,rbcNonce_37_12384,mac(genSessionKey(trainNonce_23_12383,rbcNonce_37_12384,getKey(new_rbc_id_19_12377,train_etcs_id_20_12380)),((PAYLOAD_LENGTH(),train_etcs_id_20_12380,RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_19_12377,a_12361),rbcNonce_37_12384,trainNonce_23_12383,train_etcs_id_20_12380)))) at {38} in copy a_12354 in(c, (RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_19_12377,a_12361,rbcNonce_37_12384,mac(genSessionKey(trainNonce_23_12383,rbcNonce_37_12384,getKey(new_rbc_id_19_12377,train_etcs_id_20_12380)),((PAYLOAD_LENGTH(),train_etcs_id_20_12380,RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_19_12377,a_12361),rbcNonce_37_12384,trainNonce_23_12383,train_etcs_id_20_12380)))) at {13} in copy a_12359, a_12358 out(c, encrypt(SECRET,genSessionKey(trainNonce_23_12383,rbcNonce_37_12384,getKey(new_rbc_id_19_12377,train_etcs_id_20_12380)))) at {15} in copy a_12359, a_12358 out(c, encrypt(SECRET,getKey(new_rbc_id_19_12377,train_etcs_id_20_12380))) at {16} in copy a_12359, a_12358 event(trainFinishSession(new_rbc_id_19_12377,train_etcs_id_20_12380,trainNonce_23_12383,a_12361,rbcNonce_37_12384,genSessionKey(trainNonce_23_12383,rbcNonce_37_12384,getKey(new_rbc_id_19_12377,train_etcs_id_20_12380)))) at {18} in copy a_12359, a_12358 out(c, (ZEROS(),AU3(),DF_SEND(),mac(genSessionKey(trainNonce_23_12383,rbcNonce_37_12384,getKey(new_rbc_id_19_12377,train_etcs_id_20_12380)),(PAYLOAD_LENGTH(),train_etcs_id_20_12380,ZEROS(),AU3(),DF_SEND(),trainNonce_23_12383,rbcNonce_37_12384)))) at {19} in copy a_12359, a_12358 new time_29 creating time_29_12553 at {20} in copy a_12359, a_12358 in(c, (ZEROS(),AU3(),DF_SEND(),mac(genSessionKey(trainNonce_23_12383,rbcNonce_37_12384,getKey(new_rbc_id_19_12377,train_etcs_id_20_12380)),(PAYLOAD_LENGTH(),train_etcs_id_20_12380,ZEROS(),AU3(),DF_SEND(),trainNonce_23_12383,rbcNonce_37_12384)))) at {39} in copy a_12354 event(rbcFinishSession(new_rbc_id_19_12377,train_etcs_id_20_12380,rbcNonce_37_12384,a_12361,trainNonce_23_12383,genSessionKey(trainNonce_23_12383,rbcNonce_37_12384,getKey(new_rbc_id_19_12377,train_etcs_id_20_12380)))) at {41} in copy a_12354 in(c, (DT(),a_12355,a_12356)) at {42} in copy a_12354 event(DataReceived1((DT(),a_12355,a_12356))) at {43} in copy a_12354 The event DataReceived1((DT(),a_12355,a_12356)) is executed in session a_12354. A trace has been found. RESULT evinj:DataReceived1(m_10148) ==> evinj:DataSent1(s_10149,m_10148) is false. RESULT (even ev:DataReceived1(m_12189) ==> ev:DataSent1(s_12188,m_12189) is false.) nounif greater:x_12586,*y_12587/-5000 -- Query evinj:DataReceived3(m_12576) ==> evinj:DataSent1(s_12577,m_12576) | evinj:DataSent2(s_12577,m_12576) | evinj:DataSent3(s_12577,m_12576) Completing... Starting query evinj:DataReceived3(m_12576) ==> evinj:DataSent1(s_12577,m_12576) | evinj:DataSent2(s_12577,m_12576) | evinj:DataSent3(s_12577,m_12576) goal reachable: attacker:timeC_14617 & attacker:msgC_14618 -> end:endsid_14619,DataReceived3((DT(),timeC_14617,msgC_14618)) Abbreviations: new_rbc_id_14786 = new_rbc_id_19[!1 = @sid_14651] trainNonce_14787 = trainNonce_23[rbc_etcs_id_22 = new_rbc_id_14786,!2 = @sid_14747,!1 = @sid_14748] new_rbc_id_14788 = new_rbc_id_19[!1 = @sid_14715] rbcNonce_14789 = rbcNonce_37[rbc_etcs_id_36 = new_rbc_id_14788,!1 = endsid_14784] train_etcs_id_14790 = train_etcs_id_20[!1 = @sid_14748] rbcNonce_14791 = rbcNonce_37[rbc_etcs_id_36 = new_rbc_id_14788,!1 = @sid_14686] new_rbc_id_14792 = new_rbc_id_19[!1 = @sid_14625] trainNonce_14793 = trainNonce_23[rbc_etcs_id_22 = new_rbc_id_14792,!2 = @sid_14629,!1 = @sid_14748] 1. The message new_rbc_id_14788 may be sent on channel id[] at output {4}. mess:id[],new_rbc_id_14788. 2. The message new_rbc_id_14786 may be sent on channel id[] at output {4}. mess:id[],new_rbc_id_14786. 3. The message new_rbc_id_14786 that may be sent on channel id[] by 2 may be received at input {9}. So the message (TRAIN_ETCS_ID_TYPE(),AU1(),DF_SEND(),train_etcs_id_14790,SAF(),trainNonce_14787) may be sent to the attacker at output {12}. attacker:(TRAIN_ETCS_ID_TYPE(),AU1(),DF_SEND(),train_etcs_id_14790,SAF(),trainNonce_14787). 4. By 3, the attacker may know (TRAIN_ETCS_ID_TYPE(),AU1(),DF_SEND(),train_etcs_id_14790,SAF(),trainNonce_14787). Using the function 6-proj-6-tuple the attacker may obtain trainNonce_14787. attacker:trainNonce_14787. 5. The attacker has some term trainSaF_14783. attacker:trainSaF_14783. 6. The message new_rbc_id_14792 may be sent on channel id[] at output {4}. mess:id[],new_rbc_id_14792. 7. The message new_rbc_id_14792 that may be sent on channel id[] by 6 may be received at input {9}. So the message (TRAIN_ETCS_ID_TYPE(),AU1(),DF_SEND(),train_etcs_id_14790,SAF(),trainNonce_14793) may be sent to the attacker at output {12}. attacker:(TRAIN_ETCS_ID_TYPE(),AU1(),DF_SEND(),train_etcs_id_14790,SAF(),trainNonce_14793). 8. By 7, the attacker may know (TRAIN_ETCS_ID_TYPE(),AU1(),DF_SEND(),train_etcs_id_14790,SAF(),trainNonce_14793). Using the function 4-proj-6-tuple the attacker may obtain train_etcs_id_14790. attacker:train_etcs_id_14790. 9. Using the function DF_SEND the attacker may obtain DF_SEND(). attacker:DF_SEND(). 10. Using the function AU1 the attacker may obtain AU1(). attacker:AU1(). 11. The attacker has some term sent_ETCS_ID_TYPE_14782. attacker:sent_ETCS_ID_TYPE_14782. 12. By 11, the attacker may know sent_ETCS_ID_TYPE_14782. By 10, the attacker may know AU1(). By 9, the attacker may know DF_SEND(). By 8, the attacker may know train_etcs_id_14790. By 5, the attacker may know trainSaF_14783. By 4, the attacker may know trainNonce_14787. Using the function 6-tuple the attacker may obtain (sent_ETCS_ID_TYPE_14782,AU1(),DF_SEND(),train_etcs_id_14790,trainSaF_14783,trainNonce_14787). attacker:(sent_ETCS_ID_TYPE_14782,AU1(),DF_SEND(),train_etcs_id_14790,trainSaF_14783,trainNonce_14787). 13. The message new_rbc_id_14786 may be sent on channel id[] at output {4}. mess:id[],new_rbc_id_14786. 14. The message new_rbc_id_14788 may be sent on channel id[] at output {4}. mess:id[],new_rbc_id_14788. 15. The attacker has some term rbcSaF_14744. attacker:rbcSaF_14744. 16. The attacker has some term sent_ETCS_ID_TYPE_14723. attacker:sent_ETCS_ID_TYPE_14723. 17. By 16, the attacker may know sent_ETCS_ID_TYPE_14723. By 10, the attacker may know AU1(). By 9, the attacker may know DF_SEND(). By 8, the attacker may know train_etcs_id_14790. By 15, the attacker may know rbcSaF_14744. By 4, the attacker may know trainNonce_14787. Using the function 6-tuple the attacker may obtain (sent_ETCS_ID_TYPE_14723,AU1(),DF_SEND(),train_etcs_id_14790,rbcSaF_14744,trainNonce_14787). attacker:(sent_ETCS_ID_TYPE_14723,AU1(),DF_SEND(),train_etcs_id_14790,rbcSaF_14744,trainNonce_14787). 18. The message new_rbc_id_14788 that may be sent on channel id[] by 14 may be received at input {31}. The message (sent_ETCS_ID_TYPE_14723,AU1(),DF_SEND(),train_etcs_id_14790,rbcSaF_14744,trainNonce_14787) that the attacker may have by 17 may be received at input {33}. So the message (RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_14788,rbcSaF_14744,rbcNonce_14789,mac(genSessionKey(trainNonce_14787,rbcNonce_14789,getKey(new_rbc_id_14788,train_etcs_id_14790)),((PAYLOAD_LENGTH(),train_etcs_id_14790,RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_14788,rbcSaF_14744),rbcNonce_14789,trainNonce_14787,train_etcs_id_14790))) may be sent to the attacker at output {38}. attacker:(RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_14788,rbcSaF_14744,rbcNonce_14789,mac(genSessionKey(trainNonce_14787,rbcNonce_14789,getKey(new_rbc_id_14788,train_etcs_id_14790)),((PAYLOAD_LENGTH(),train_etcs_id_14790,RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_14788,rbcSaF_14744),rbcNonce_14789,trainNonce_14787,train_etcs_id_14790))). 19. By 18, the attacker may know (RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_14788,rbcSaF_14744,rbcNonce_14789,mac(genSessionKey(trainNonce_14787,rbcNonce_14789,getKey(new_rbc_id_14788,train_etcs_id_14790)),((PAYLOAD_LENGTH(),train_etcs_id_14790,RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_14788,rbcSaF_14744),rbcNonce_14789,trainNonce_14787,train_etcs_id_14790))). Using the function 7-proj-7-tuple the attacker may obtain mac(genSessionKey(trainNonce_14787,rbcNonce_14789,getKey(new_rbc_id_14788,train_etcs_id_14790)),((PAYLOAD_LENGTH(),train_etcs_id_14790,RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_14788,rbcSaF_14744),rbcNonce_14789,trainNonce_14787,train_etcs_id_14790)). attacker:mac(genSessionKey(trainNonce_14787,rbcNonce_14789,getKey(new_rbc_id_14788,train_etcs_id_14790)),((PAYLOAD_LENGTH(),train_etcs_id_14790,RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_14788,rbcSaF_14744),rbcNonce_14789,trainNonce_14787,train_etcs_id_14790)). 20. The message new_rbc_id_14788 may be sent on channel id[] at output {4}. mess:id[],new_rbc_id_14788. 21. The attacker has some term trainNonce_14705. attacker:trainNonce_14705. 22. The attacker has some term trainSaF_14704. attacker:trainSaF_14704. 23. The attacker has some term in_train_etcs_id_14703. attacker:in_train_etcs_id_14703. 24. The attacker has some term sent_ETCS_ID_TYPE_14702. attacker:sent_ETCS_ID_TYPE_14702. 25. By 24, the attacker may know sent_ETCS_ID_TYPE_14702. By 10, the attacker may know AU1(). By 9, the attacker may know DF_SEND(). By 23, the attacker may know in_train_etcs_id_14703. By 22, the attacker may know trainSaF_14704. By 21, the attacker may know trainNonce_14705. Using the function 6-tuple the attacker may obtain (sent_ETCS_ID_TYPE_14702,AU1(),DF_SEND(),in_train_etcs_id_14703,trainSaF_14704,trainNonce_14705). attacker:(sent_ETCS_ID_TYPE_14702,AU1(),DF_SEND(),in_train_etcs_id_14703,trainSaF_14704,trainNonce_14705). 26. The message new_rbc_id_14788 that may be sent on channel id[] by 20 may be received at input {31}. The message (sent_ETCS_ID_TYPE_14702,AU1(),DF_SEND(),in_train_etcs_id_14703,trainSaF_14704,trainNonce_14705) that the attacker may have by 25 may be received at input {33}. So the message (RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_14788,trainSaF_14704,rbcNonce_14789,mac(genSessionKey(trainNonce_14705,rbcNonce_14789,getKey(new_rbc_id_14788,in_train_etcs_id_14703)),((PAYLOAD_LENGTH(),in_train_etcs_id_14703,RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_14788,trainSaF_14704),rbcNonce_14789,trainNonce_14705,in_train_etcs_id_14703))) may be sent to the attacker at output {38}. attacker:(RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_14788,trainSaF_14704,rbcNonce_14789,mac(genSessionKey(trainNonce_14705,rbcNonce_14789,getKey(new_rbc_id_14788,in_train_etcs_id_14703)),((PAYLOAD_LENGTH(),in_train_etcs_id_14703,RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_14788,trainSaF_14704),rbcNonce_14789,trainNonce_14705,in_train_etcs_id_14703))). 27. By 26, the attacker may know (RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_14788,trainSaF_14704,rbcNonce_14789,mac(genSessionKey(trainNonce_14705,rbcNonce_14789,getKey(new_rbc_id_14788,in_train_etcs_id_14703)),((PAYLOAD_LENGTH(),in_train_etcs_id_14703,RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_14788,trainSaF_14704),rbcNonce_14789,trainNonce_14705,in_train_etcs_id_14703))). Using the function 6-proj-7-tuple the attacker may obtain rbcNonce_14789. attacker:rbcNonce_14789. 28. The message new_rbc_id_14788 may be sent on channel id[] at output {4}. mess:id[],new_rbc_id_14788. 29. The attacker has some term trainNonce_14684. attacker:trainNonce_14684. 30. The attacker has some term trainSaF_14683. attacker:trainSaF_14683. 31. The attacker has some term in_train_etcs_id_14682. attacker:in_train_etcs_id_14682. 32. The attacker has some term sent_ETCS_ID_TYPE_14681. attacker:sent_ETCS_ID_TYPE_14681. 33. By 32, the attacker may know sent_ETCS_ID_TYPE_14681. By 10, the attacker may know AU1(). By 9, the attacker may know DF_SEND(). By 31, the attacker may know in_train_etcs_id_14682. By 30, the attacker may know trainSaF_14683. By 29, the attacker may know trainNonce_14684. Using the function 6-tuple the attacker may obtain (sent_ETCS_ID_TYPE_14681,AU1(),DF_SEND(),in_train_etcs_id_14682,trainSaF_14683,trainNonce_14684). attacker:(sent_ETCS_ID_TYPE_14681,AU1(),DF_SEND(),in_train_etcs_id_14682,trainSaF_14683,trainNonce_14684). 34. The message new_rbc_id_14788 that may be sent on channel id[] by 28 may be received at input {31}. The message (sent_ETCS_ID_TYPE_14681,AU1(),DF_SEND(),in_train_etcs_id_14682,trainSaF_14683,trainNonce_14684) that the attacker may have by 33 may be received at input {33}. So the message (RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_14788,trainSaF_14683,rbcNonce_14791,mac(genSessionKey(trainNonce_14684,rbcNonce_14791,getKey(new_rbc_id_14788,in_train_etcs_id_14682)),((PAYLOAD_LENGTH(),in_train_etcs_id_14682,RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_14788,trainSaF_14683),rbcNonce_14791,trainNonce_14684,in_train_etcs_id_14682))) may be sent to the attacker at output {38}. attacker:(RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_14788,trainSaF_14683,rbcNonce_14791,mac(genSessionKey(trainNonce_14684,rbcNonce_14791,getKey(new_rbc_id_14788,in_train_etcs_id_14682)),((PAYLOAD_LENGTH(),in_train_etcs_id_14682,RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_14788,trainSaF_14683),rbcNonce_14791,trainNonce_14684,in_train_etcs_id_14682))). 35. By 34, the attacker may know (RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_14788,trainSaF_14683,rbcNonce_14791,mac(genSessionKey(trainNonce_14684,rbcNonce_14791,getKey(new_rbc_id_14788,in_train_etcs_id_14682)),((PAYLOAD_LENGTH(),in_train_etcs_id_14682,RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_14788,trainSaF_14683),rbcNonce_14791,trainNonce_14684,in_train_etcs_id_14682))). Using the function 4-proj-7-tuple the attacker may obtain new_rbc_id_14788. attacker:new_rbc_id_14788. 36. Using the function DF_RESP the attacker may obtain DF_RESP(). attacker:DF_RESP(). 37. Using the function AU2 the attacker may obtain AU2(). attacker:AU2(). 38. Using the function RBC_ETCS_ID_TYPE the attacker may obtain RBC_ETCS_ID_TYPE(). attacker:RBC_ETCS_ID_TYPE(). 39. By 38, the attacker may know RBC_ETCS_ID_TYPE(). By 37, the attacker may know AU2(). By 36, the attacker may know DF_RESP(). By 35, the attacker may know new_rbc_id_14788. By 15, the attacker may know rbcSaF_14744. By 27, the attacker may know rbcNonce_14789. By 19, the attacker may know mac(genSessionKey(trainNonce_14787,rbcNonce_14789,getKey(new_rbc_id_14788,train_etcs_id_14790)),((PAYLOAD_LENGTH(),train_etcs_id_14790,RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_14788,rbcSaF_14744),rbcNonce_14789,trainNonce_14787,train_etcs_id_14790)). Using the function 7-tuple the attacker may obtain (RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_14788,rbcSaF_14744,rbcNonce_14789,mac(genSessionKey(trainNonce_14787,rbcNonce_14789,getKey(new_rbc_id_14788,train_etcs_id_14790)),((PAYLOAD_LENGTH(),train_etcs_id_14790,RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_14788,rbcSaF_14744),rbcNonce_14789,trainNonce_14787,train_etcs_id_14790))). attacker:(RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_14788,rbcSaF_14744,rbcNonce_14789,mac(genSessionKey(trainNonce_14787,rbcNonce_14789,getKey(new_rbc_id_14788,train_etcs_id_14790)),((PAYLOAD_LENGTH(),train_etcs_id_14790,RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_14788,rbcSaF_14744),rbcNonce_14789,trainNonce_14787,train_etcs_id_14790))). 40. The message new_rbc_id_14786 that may be sent on channel id[] by 13 may be received at input {9}. The message (RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_14788,rbcSaF_14744,rbcNonce_14789,mac(genSessionKey(trainNonce_14787,rbcNonce_14789,getKey(new_rbc_id_14788,train_etcs_id_14790)),((PAYLOAD_LENGTH(),train_etcs_id_14790,RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_14788,rbcSaF_14744),rbcNonce_14789,trainNonce_14787,train_etcs_id_14790))) that the attacker may have by 39 may be received at input {13}. So the message (ZEROS(),AU3(),DF_SEND(),mac(genSessionKey(trainNonce_14787,rbcNonce_14789,getKey(new_rbc_id_14788,train_etcs_id_14790)),(PAYLOAD_LENGTH(),train_etcs_id_14790,ZEROS(),AU3(),DF_SEND(),trainNonce_14787,rbcNonce_14789))) may be sent to the attacker at output {19}. attacker:(ZEROS(),AU3(),DF_SEND(),mac(genSessionKey(trainNonce_14787,rbcNonce_14789,getKey(new_rbc_id_14788,train_etcs_id_14790)),(PAYLOAD_LENGTH(),train_etcs_id_14790,ZEROS(),AU3(),DF_SEND(),trainNonce_14787,rbcNonce_14789))). 41. By 40, the attacker may know (ZEROS(),AU3(),DF_SEND(),mac(genSessionKey(trainNonce_14787,rbcNonce_14789,getKey(new_rbc_id_14788,train_etcs_id_14790)),(PAYLOAD_LENGTH(),train_etcs_id_14790,ZEROS(),AU3(),DF_SEND(),trainNonce_14787,rbcNonce_14789))). Using the function 4-proj-4-tuple the attacker may obtain mac(genSessionKey(trainNonce_14787,rbcNonce_14789,getKey(new_rbc_id_14788,train_etcs_id_14790)),(PAYLOAD_LENGTH(),train_etcs_id_14790,ZEROS(),AU3(),DF_SEND(),trainNonce_14787,rbcNonce_14789)). attacker:mac(genSessionKey(trainNonce_14787,rbcNonce_14789,getKey(new_rbc_id_14788,train_etcs_id_14790)),(PAYLOAD_LENGTH(),train_etcs_id_14790,ZEROS(),AU3(),DF_SEND(),trainNonce_14787,rbcNonce_14789)). 42. Using the function AU3 the attacker may obtain AU3(). attacker:AU3(). 43. Using the function ZEROS the attacker may obtain ZEROS(). attacker:ZEROS(). 44. By 43, the attacker may know ZEROS(). By 42, the attacker may know AU3(). By 9, the attacker may know DF_SEND(). By 41, the attacker may know mac(genSessionKey(trainNonce_14787,rbcNonce_14789,getKey(new_rbc_id_14788,train_etcs_id_14790)),(PAYLOAD_LENGTH(),train_etcs_id_14790,ZEROS(),AU3(),DF_SEND(),trainNonce_14787,rbcNonce_14789)). Using the function 4-tuple the attacker may obtain (ZEROS(),AU3(),DF_SEND(),mac(genSessionKey(trainNonce_14787,rbcNonce_14789,getKey(new_rbc_id_14788,train_etcs_id_14790)),(PAYLOAD_LENGTH(),train_etcs_id_14790,ZEROS(),AU3(),DF_SEND(),trainNonce_14787,rbcNonce_14789))). attacker:(ZEROS(),AU3(),DF_SEND(),mac(genSessionKey(trainNonce_14787,rbcNonce_14789,getKey(new_rbc_id_14788,train_etcs_id_14790)),(PAYLOAD_LENGTH(),train_etcs_id_14790,ZEROS(),AU3(),DF_SEND(),trainNonce_14787,rbcNonce_14789))). 45. The attacker has some term msgA_14777. attacker:msgA_14777. 46. The attacker has some term timeA_14776. attacker:timeA_14776. 47. Using the function DT the attacker may obtain DT(). attacker:DT(). 48. By 47, the attacker may know DT(). By 46, the attacker may know timeA_14776. By 45, the attacker may know msgA_14777. Using the function 3-tuple the attacker may obtain (DT(),timeA_14776,msgA_14777). attacker:(DT(),timeA_14776,msgA_14777). 49. The attacker has some term msgB_14775. attacker:msgB_14775. 50. The attacker has some term timeB_14774. attacker:timeB_14774. 51. By 47, the attacker may know DT(). By 50, the attacker may know timeB_14774. By 49, the attacker may know msgB_14775. Using the function 3-tuple the attacker may obtain (DT(),timeB_14774,msgB_14775). attacker:(DT(),timeB_14774,msgB_14775). 52. We assume as hypothesis that attacker:msgC_14773. 53. We assume as hypothesis that attacker:timeC_14772. 54. By 47, the attacker may know DT(). By 53, the attacker may know timeC_14772. By 52, the attacker may know msgC_14773. Using the function 3-tuple the attacker may obtain (DT(),timeC_14772,msgC_14773). attacker:(DT(),timeC_14772,msgC_14773). 55. The message new_rbc_id_14788 that may be sent on channel id[] by 1 may be received at input {31}. The message (sent_ETCS_ID_TYPE_14782,AU1(),DF_SEND(),train_etcs_id_14790,trainSaF_14783,trainNonce_14787) that the attacker may have by 12 may be received at input {33}. The message (ZEROS(),AU3(),DF_SEND(),mac(genSessionKey(trainNonce_14787,rbcNonce_14789,getKey(new_rbc_id_14788,train_etcs_id_14790)),(PAYLOAD_LENGTH(),train_etcs_id_14790,ZEROS(),AU3(),DF_SEND(),trainNonce_14787,rbcNonce_14789))) that the attacker may have by 44 may be received at input {39}. The message (DT(),timeA_14776,msgA_14777) that the attacker may have by 48 may be received at input {42}. The message (DT(),timeB_14774,msgB_14775) that the attacker may have by 51 may be received at input {44}. The message (DT(),timeC_14772,msgC_14773) that the attacker may have by 54 may be received at input {47}. So event DataReceived3((DT(),timeC_14772,msgC_14773)) may be executed at {48} in session endsid_14784. end:endsid_14784,DataReceived3((DT(),timeC_14772,msgC_14773)). Unified sent_ETCS_ID_TYPE_14702 with sent_ETCS_ID_TYPE_14782 Unified in_train_etcs_id_14703 with train_etcs_id_20[!1 = @sid_14748] Unified trainSaF_14704 with trainSaF_14783 Unified trainNonce_14705 with trainNonce_23[rbc_etcs_id_22 = new_rbc_id_19[!1 = @sid_14651],!2 = @sid_14747,!1 = @sid_14748] Unified sent_ETCS_ID_TYPE_14723 with sent_ETCS_ID_TYPE_14782 Unified rbcSaF_14744 with trainSaF_14783 Iterating unifyDerivation. Fixpoint reached: nothing more to unify. The clause after unifyDerivation is attacker:msgC_14796 & attacker:timeC_14795 -> end:endsid_14794,DataReceived3((DT(),timeC_14795,msgC_14796)) This clause still contradicts the query. A more detailed output of the traces is available with param traceDisplay = long. new train_etcs_id_20 creating train_etcs_id_20_14830 at {6} in copy a_14809 new session_21 creating session_21_14891 at {8} in copy a_14809, a_14808 new session_21 creating session_21_14892 at {8} in copy a_14809, a_14820 new new_rbc_id_19 creating new_rbc_id_19_14827 at {2} in copy a_14810 new new_rbc_id_19 creating new_rbc_id_19_14832 at {2} in copy a_14807 new new_rbc_id_19 creating new_rbc_id_19_14829 at {2} in copy a_14819 out(id, new_rbc_id_19_14829) at {4} in copy a_14819, a_14821 received at {9} in copy a_14809, a_14820 new trainNonce_23 creating trainNonce_23_14831 at {10} in copy a_14809, a_14820 event(trainStartSession(new_rbc_id_19_14829,train_etcs_id_20_14830,trainNonce_23_14831,SAF())) at {11} in copy a_14809, a_14820 out(c, (TRAIN_ETCS_ID_TYPE(),AU1(),DF_SEND(),train_etcs_id_20_14830,SAF(),trainNonce_23_14831)) at {12} in copy a_14809, a_14820 out(id, new_rbc_id_19_14832) at {4} in copy a_14807, a_14825 received at {9} in copy a_14809, a_14808 new trainNonce_23 creating trainNonce_23_14833 at {10} in copy a_14809, a_14808 event(trainStartSession(new_rbc_id_19_14832,train_etcs_id_20_14830,trainNonce_23_14833,SAF())) at {11} in copy a_14809, a_14808 out(c, (TRAIN_ETCS_ID_TYPE(),AU1(),DF_SEND(),train_etcs_id_20_14830,SAF(),trainNonce_23_14833)) at {12} in copy a_14809, a_14808 out(id, new_rbc_id_19_14827) at {4} in copy a_14810, a_14817 received at {31} in copy a_14813 new rbcNonce_37 creating rbcNonce_37_14828 at {32} in copy a_14813 in(c, (a_14816,AU1(),DF_SEND(),a_14815,a_14812,a_14814)) at {33} in copy a_14813 event(rbcStartSession(new_rbc_id_19_14827,a_14815,rbcNonce_37_14828,a_14812,a_14814)) at {34} in copy a_14813 out(c, encrypt(SECRET,genSessionKey(a_14814,rbcNonce_37_14828,getKey(new_rbc_id_19_14827,a_14815)))) at {36} in copy a_14813 out(c, encrypt(SECRET,getKey(new_rbc_id_19_14827,a_14815))) at {37} in copy a_14813 out(c, (RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_19_14827,a_14812,rbcNonce_37_14828,mac(genSessionKey(a_14814,rbcNonce_37_14828,getKey(new_rbc_id_19_14827,a_14815)),((PAYLOAD_LENGTH(),a_14815,RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_19_14827,a_14812),rbcNonce_37_14828,a_14814,a_14815)))) at {38} in copy a_14813 out(id, new_rbc_id_19_14827) at {4} in copy a_14810, a_14823 received at {31} in copy a_14800 new rbcNonce_37 creating rbcNonce_37_14834 at {32} in copy a_14800 in(c, (a_14818,AU1(),DF_SEND(),train_etcs_id_20_14830,a_14811,trainNonce_23_14833)) at {33} in copy a_14800 event(rbcStartSession(new_rbc_id_19_14827,train_etcs_id_20_14830,rbcNonce_37_14834,a_14811,trainNonce_23_14833)) at {34} in copy a_14800 out(c, encrypt(SECRET,genSessionKey(trainNonce_23_14833,rbcNonce_37_14834,getKey(new_rbc_id_19_14827,train_etcs_id_20_14830)))) at {36} in copy a_14800 out(c, encrypt(SECRET,getKey(new_rbc_id_19_14827,train_etcs_id_20_14830))) at {37} in copy a_14800 out(c, (RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_19_14827,a_14811,rbcNonce_37_14834,mac(genSessionKey(trainNonce_23_14833,rbcNonce_37_14834,getKey(new_rbc_id_19_14827,train_etcs_id_20_14830)),((PAYLOAD_LENGTH(),train_etcs_id_20_14830,RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_19_14827,a_14811),rbcNonce_37_14834,trainNonce_23_14833,train_etcs_id_20_14830)))) at {38} in copy a_14800 in(c, (RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_19_14827,a_14811,rbcNonce_37_14834,mac(genSessionKey(trainNonce_23_14833,rbcNonce_37_14834,getKey(new_rbc_id_19_14827,train_etcs_id_20_14830)),((PAYLOAD_LENGTH(),train_etcs_id_20_14830,RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_19_14827,a_14811),rbcNonce_37_14834,trainNonce_23_14833,train_etcs_id_20_14830)))) at {13} in copy a_14809, a_14808 out(c, encrypt(SECRET,genSessionKey(trainNonce_23_14833,rbcNonce_37_14834,getKey(new_rbc_id_19_14827,train_etcs_id_20_14830)))) at {15} in copy a_14809, a_14808 out(c, encrypt(SECRET,getKey(new_rbc_id_19_14827,train_etcs_id_20_14830))) at {16} in copy a_14809, a_14808 event(trainFinishSession(new_rbc_id_19_14827,train_etcs_id_20_14830,trainNonce_23_14833,a_14811,rbcNonce_37_14834,genSessionKey(trainNonce_23_14833,rbcNonce_37_14834,getKey(new_rbc_id_19_14827,train_etcs_id_20_14830)))) at {18} in copy a_14809, a_14808 out(c, (ZEROS(),AU3(),DF_SEND(),mac(genSessionKey(trainNonce_23_14833,rbcNonce_37_14834,getKey(new_rbc_id_19_14827,train_etcs_id_20_14830)),(PAYLOAD_LENGTH(),train_etcs_id_20_14830,ZEROS(),AU3(),DF_SEND(),trainNonce_23_14833,rbcNonce_37_14834)))) at {19} in copy a_14809, a_14808 new time_29 creating time_29_15003 at {20} in copy a_14809, a_14808 in(c, (ZEROS(),AU3(),DF_SEND(),mac(genSessionKey(trainNonce_23_14833,rbcNonce_37_14834,getKey(new_rbc_id_19_14827,train_etcs_id_20_14830)),(PAYLOAD_LENGTH(),train_etcs_id_20_14830,ZEROS(),AU3(),DF_SEND(),trainNonce_23_14833,rbcNonce_37_14834)))) at {39} in copy a_14800 event(rbcFinishSession(new_rbc_id_19_14827,train_etcs_id_20_14830,rbcNonce_37_14834,a_14811,trainNonce_23_14833,genSessionKey(trainNonce_23_14833,rbcNonce_37_14834,getKey(new_rbc_id_19_14827,train_etcs_id_20_14830)))) at {41} in copy a_14800 in(c, (DT(),a_14805,a_14806)) at {42} in copy a_14800 event(DataReceived1((DT(),a_14805,a_14806))) at {43} in copy a_14800 in(c, (DT(),a_14803,a_14804)) at {44} in copy a_14800 event(DataReceived2((DT(),a_14803,a_14804))) at {45} in copy a_14800 event(MessagesReceived2((DT(),a_14805,a_14806),(DT(),a_14803,a_14804))) at {46} in copy a_14800 in(c, (DT(),a_14801,a_14802)) at {47} in copy a_14800 event(DataReceived3((DT(),a_14801,a_14802))) at {48} in copy a_14800 The event DataReceived3((DT(),a_14801,a_14802)) is executed in session a_14800. A trace has been found. RESULT evinj:DataReceived3(m_12576) ==> evinj:DataSent1(s_12577,m_12576) | evinj:DataSent2(s_12577,m_12576) | evinj:DataSent3(s_12577,m_12576) is false. RESULT (even ev:DataReceived3(m_14621) ==> ev:DataSent1(s_14620,m_14621) | ev:DataSent2(s_14620,m_14621) | ev:DataSent3(s_14620,m_14621) is false.) nounif greater:x_15046,*y_15047/-5000 -- Query evinj:DataReceived2(m_15036) ==> evinj:DataSent1(s_15037,m_15036) | evinj:DataSent2(s_15037,m_15036) | evinj:DataSent3(s_15037,m_15036) Completing... Starting query evinj:DataReceived2(m_15036) ==> evinj:DataSent1(s_15037,m_15036) | evinj:DataSent2(s_15037,m_15036) | evinj:DataSent3(s_15037,m_15036) goal reachable: attacker:timeB_17075 & attacker:msgB_17076 -> end:endsid_17077,DataReceived2((DT(),timeB_17075,msgB_17076)) Abbreviations: new_rbc_id_17239 = new_rbc_id_19[!1 = @sid_17109] trainNonce_17240 = trainNonce_23[rbc_etcs_id_22 = new_rbc_id_17239,!2 = @sid_17205,!1 = @sid_17206] new_rbc_id_17241 = new_rbc_id_19[!1 = @sid_17173] rbcNonce_17242 = rbcNonce_37[rbc_etcs_id_36 = new_rbc_id_17241,!1 = endsid_17237] train_etcs_id_17243 = train_etcs_id_20[!1 = @sid_17206] rbcNonce_17244 = rbcNonce_37[rbc_etcs_id_36 = new_rbc_id_17241,!1 = @sid_17144] new_rbc_id_17245 = new_rbc_id_19[!1 = @sid_17083] trainNonce_17246 = trainNonce_23[rbc_etcs_id_22 = new_rbc_id_17245,!2 = @sid_17087,!1 = @sid_17206] 1. The message new_rbc_id_17241 may be sent on channel id[] at output {4}. mess:id[],new_rbc_id_17241. 2. The message new_rbc_id_17239 may be sent on channel id[] at output {4}. mess:id[],new_rbc_id_17239. 3. The message new_rbc_id_17239 that may be sent on channel id[] by 2 may be received at input {9}. So the message (TRAIN_ETCS_ID_TYPE(),AU1(),DF_SEND(),train_etcs_id_17243,SAF(),trainNonce_17240) may be sent to the attacker at output {12}. attacker:(TRAIN_ETCS_ID_TYPE(),AU1(),DF_SEND(),train_etcs_id_17243,SAF(),trainNonce_17240). 4. By 3, the attacker may know (TRAIN_ETCS_ID_TYPE(),AU1(),DF_SEND(),train_etcs_id_17243,SAF(),trainNonce_17240). Using the function 6-proj-6-tuple the attacker may obtain trainNonce_17240. attacker:trainNonce_17240. 5. The attacker has some term trainSaF_17236. attacker:trainSaF_17236. 6. The message new_rbc_id_17245 may be sent on channel id[] at output {4}. mess:id[],new_rbc_id_17245. 7. The message new_rbc_id_17245 that may be sent on channel id[] by 6 may be received at input {9}. So the message (TRAIN_ETCS_ID_TYPE(),AU1(),DF_SEND(),train_etcs_id_17243,SAF(),trainNonce_17246) may be sent to the attacker at output {12}. attacker:(TRAIN_ETCS_ID_TYPE(),AU1(),DF_SEND(),train_etcs_id_17243,SAF(),trainNonce_17246). 8. By 7, the attacker may know (TRAIN_ETCS_ID_TYPE(),AU1(),DF_SEND(),train_etcs_id_17243,SAF(),trainNonce_17246). Using the function 4-proj-6-tuple the attacker may obtain train_etcs_id_17243. attacker:train_etcs_id_17243. 9. Using the function DF_SEND the attacker may obtain DF_SEND(). attacker:DF_SEND(). 10. Using the function AU1 the attacker may obtain AU1(). attacker:AU1(). 11. The attacker has some term sent_ETCS_ID_TYPE_17235. attacker:sent_ETCS_ID_TYPE_17235. 12. By 11, the attacker may know sent_ETCS_ID_TYPE_17235. By 10, the attacker may know AU1(). By 9, the attacker may know DF_SEND(). By 8, the attacker may know train_etcs_id_17243. By 5, the attacker may know trainSaF_17236. By 4, the attacker may know trainNonce_17240. Using the function 6-tuple the attacker may obtain (sent_ETCS_ID_TYPE_17235,AU1(),DF_SEND(),train_etcs_id_17243,trainSaF_17236,trainNonce_17240). attacker:(sent_ETCS_ID_TYPE_17235,AU1(),DF_SEND(),train_etcs_id_17243,trainSaF_17236,trainNonce_17240). 13. The message new_rbc_id_17239 may be sent on channel id[] at output {4}. mess:id[],new_rbc_id_17239. 14. The message new_rbc_id_17241 may be sent on channel id[] at output {4}. mess:id[],new_rbc_id_17241. 15. The attacker has some term rbcSaF_17202. attacker:rbcSaF_17202. 16. The attacker has some term sent_ETCS_ID_TYPE_17181. attacker:sent_ETCS_ID_TYPE_17181. 17. By 16, the attacker may know sent_ETCS_ID_TYPE_17181. By 10, the attacker may know AU1(). By 9, the attacker may know DF_SEND(). By 8, the attacker may know train_etcs_id_17243. By 15, the attacker may know rbcSaF_17202. By 4, the attacker may know trainNonce_17240. Using the function 6-tuple the attacker may obtain (sent_ETCS_ID_TYPE_17181,AU1(),DF_SEND(),train_etcs_id_17243,rbcSaF_17202,trainNonce_17240). attacker:(sent_ETCS_ID_TYPE_17181,AU1(),DF_SEND(),train_etcs_id_17243,rbcSaF_17202,trainNonce_17240). 18. The message new_rbc_id_17241 that may be sent on channel id[] by 14 may be received at input {31}. The message (sent_ETCS_ID_TYPE_17181,AU1(),DF_SEND(),train_etcs_id_17243,rbcSaF_17202,trainNonce_17240) that the attacker may have by 17 may be received at input {33}. So the message (RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_17241,rbcSaF_17202,rbcNonce_17242,mac(genSessionKey(trainNonce_17240,rbcNonce_17242,getKey(new_rbc_id_17241,train_etcs_id_17243)),((PAYLOAD_LENGTH(),train_etcs_id_17243,RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_17241,rbcSaF_17202),rbcNonce_17242,trainNonce_17240,train_etcs_id_17243))) may be sent to the attacker at output {38}. attacker:(RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_17241,rbcSaF_17202,rbcNonce_17242,mac(genSessionKey(trainNonce_17240,rbcNonce_17242,getKey(new_rbc_id_17241,train_etcs_id_17243)),((PAYLOAD_LENGTH(),train_etcs_id_17243,RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_17241,rbcSaF_17202),rbcNonce_17242,trainNonce_17240,train_etcs_id_17243))). 19. By 18, the attacker may know (RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_17241,rbcSaF_17202,rbcNonce_17242,mac(genSessionKey(trainNonce_17240,rbcNonce_17242,getKey(new_rbc_id_17241,train_etcs_id_17243)),((PAYLOAD_LENGTH(),train_etcs_id_17243,RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_17241,rbcSaF_17202),rbcNonce_17242,trainNonce_17240,train_etcs_id_17243))). Using the function 7-proj-7-tuple the attacker may obtain mac(genSessionKey(trainNonce_17240,rbcNonce_17242,getKey(new_rbc_id_17241,train_etcs_id_17243)),((PAYLOAD_LENGTH(),train_etcs_id_17243,RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_17241,rbcSaF_17202),rbcNonce_17242,trainNonce_17240,train_etcs_id_17243)). attacker:mac(genSessionKey(trainNonce_17240,rbcNonce_17242,getKey(new_rbc_id_17241,train_etcs_id_17243)),((PAYLOAD_LENGTH(),train_etcs_id_17243,RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_17241,rbcSaF_17202),rbcNonce_17242,trainNonce_17240,train_etcs_id_17243)). 20. The message new_rbc_id_17241 may be sent on channel id[] at output {4}. mess:id[],new_rbc_id_17241. 21. The attacker has some term trainNonce_17163. attacker:trainNonce_17163. 22. The attacker has some term trainSaF_17162. attacker:trainSaF_17162. 23. The attacker has some term in_train_etcs_id_17161. attacker:in_train_etcs_id_17161. 24. The attacker has some term sent_ETCS_ID_TYPE_17160. attacker:sent_ETCS_ID_TYPE_17160. 25. By 24, the attacker may know sent_ETCS_ID_TYPE_17160. By 10, the attacker may know AU1(). By 9, the attacker may know DF_SEND(). By 23, the attacker may know in_train_etcs_id_17161. By 22, the attacker may know trainSaF_17162. By 21, the attacker may know trainNonce_17163. Using the function 6-tuple the attacker may obtain (sent_ETCS_ID_TYPE_17160,AU1(),DF_SEND(),in_train_etcs_id_17161,trainSaF_17162,trainNonce_17163). attacker:(sent_ETCS_ID_TYPE_17160,AU1(),DF_SEND(),in_train_etcs_id_17161,trainSaF_17162,trainNonce_17163). 26. The message new_rbc_id_17241 that may be sent on channel id[] by 20 may be received at input {31}. The message (sent_ETCS_ID_TYPE_17160,AU1(),DF_SEND(),in_train_etcs_id_17161,trainSaF_17162,trainNonce_17163) that the attacker may have by 25 may be received at input {33}. So the message (RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_17241,trainSaF_17162,rbcNonce_17242,mac(genSessionKey(trainNonce_17163,rbcNonce_17242,getKey(new_rbc_id_17241,in_train_etcs_id_17161)),((PAYLOAD_LENGTH(),in_train_etcs_id_17161,RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_17241,trainSaF_17162),rbcNonce_17242,trainNonce_17163,in_train_etcs_id_17161))) may be sent to the attacker at output {38}. attacker:(RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_17241,trainSaF_17162,rbcNonce_17242,mac(genSessionKey(trainNonce_17163,rbcNonce_17242,getKey(new_rbc_id_17241,in_train_etcs_id_17161)),((PAYLOAD_LENGTH(),in_train_etcs_id_17161,RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_17241,trainSaF_17162),rbcNonce_17242,trainNonce_17163,in_train_etcs_id_17161))). 27. By 26, the attacker may know (RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_17241,trainSaF_17162,rbcNonce_17242,mac(genSessionKey(trainNonce_17163,rbcNonce_17242,getKey(new_rbc_id_17241,in_train_etcs_id_17161)),((PAYLOAD_LENGTH(),in_train_etcs_id_17161,RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_17241,trainSaF_17162),rbcNonce_17242,trainNonce_17163,in_train_etcs_id_17161))). Using the function 6-proj-7-tuple the attacker may obtain rbcNonce_17242. attacker:rbcNonce_17242. 28. The message new_rbc_id_17241 may be sent on channel id[] at output {4}. mess:id[],new_rbc_id_17241. 29. The attacker has some term trainNonce_17142. attacker:trainNonce_17142. 30. The attacker has some term trainSaF_17141. attacker:trainSaF_17141. 31. The attacker has some term in_train_etcs_id_17140. attacker:in_train_etcs_id_17140. 32. The attacker has some term sent_ETCS_ID_TYPE_17139. attacker:sent_ETCS_ID_TYPE_17139. 33. By 32, the attacker may know sent_ETCS_ID_TYPE_17139. By 10, the attacker may know AU1(). By 9, the attacker may know DF_SEND(). By 31, the attacker may know in_train_etcs_id_17140. By 30, the attacker may know trainSaF_17141. By 29, the attacker may know trainNonce_17142. Using the function 6-tuple the attacker may obtain (sent_ETCS_ID_TYPE_17139,AU1(),DF_SEND(),in_train_etcs_id_17140,trainSaF_17141,trainNonce_17142). attacker:(sent_ETCS_ID_TYPE_17139,AU1(),DF_SEND(),in_train_etcs_id_17140,trainSaF_17141,trainNonce_17142). 34. The message new_rbc_id_17241 that may be sent on channel id[] by 28 may be received at input {31}. The message (sent_ETCS_ID_TYPE_17139,AU1(),DF_SEND(),in_train_etcs_id_17140,trainSaF_17141,trainNonce_17142) that the attacker may have by 33 may be received at input {33}. So the message (RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_17241,trainSaF_17141,rbcNonce_17244,mac(genSessionKey(trainNonce_17142,rbcNonce_17244,getKey(new_rbc_id_17241,in_train_etcs_id_17140)),((PAYLOAD_LENGTH(),in_train_etcs_id_17140,RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_17241,trainSaF_17141),rbcNonce_17244,trainNonce_17142,in_train_etcs_id_17140))) may be sent to the attacker at output {38}. attacker:(RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_17241,trainSaF_17141,rbcNonce_17244,mac(genSessionKey(trainNonce_17142,rbcNonce_17244,getKey(new_rbc_id_17241,in_train_etcs_id_17140)),((PAYLOAD_LENGTH(),in_train_etcs_id_17140,RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_17241,trainSaF_17141),rbcNonce_17244,trainNonce_17142,in_train_etcs_id_17140))). 35. By 34, the attacker may know (RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_17241,trainSaF_17141,rbcNonce_17244,mac(genSessionKey(trainNonce_17142,rbcNonce_17244,getKey(new_rbc_id_17241,in_train_etcs_id_17140)),((PAYLOAD_LENGTH(),in_train_etcs_id_17140,RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_17241,trainSaF_17141),rbcNonce_17244,trainNonce_17142,in_train_etcs_id_17140))). Using the function 4-proj-7-tuple the attacker may obtain new_rbc_id_17241. attacker:new_rbc_id_17241. 36. Using the function DF_RESP the attacker may obtain DF_RESP(). attacker:DF_RESP(). 37. Using the function AU2 the attacker may obtain AU2(). attacker:AU2(). 38. Using the function RBC_ETCS_ID_TYPE the attacker may obtain RBC_ETCS_ID_TYPE(). attacker:RBC_ETCS_ID_TYPE(). 39. By 38, the attacker may know RBC_ETCS_ID_TYPE(). By 37, the attacker may know AU2(). By 36, the attacker may know DF_RESP(). By 35, the attacker may know new_rbc_id_17241. By 15, the attacker may know rbcSaF_17202. By 27, the attacker may know rbcNonce_17242. By 19, the attacker may know mac(genSessionKey(trainNonce_17240,rbcNonce_17242,getKey(new_rbc_id_17241,train_etcs_id_17243)),((PAYLOAD_LENGTH(),train_etcs_id_17243,RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_17241,rbcSaF_17202),rbcNonce_17242,trainNonce_17240,train_etcs_id_17243)). Using the function 7-tuple the attacker may obtain (RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_17241,rbcSaF_17202,rbcNonce_17242,mac(genSessionKey(trainNonce_17240,rbcNonce_17242,getKey(new_rbc_id_17241,train_etcs_id_17243)),((PAYLOAD_LENGTH(),train_etcs_id_17243,RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_17241,rbcSaF_17202),rbcNonce_17242,trainNonce_17240,train_etcs_id_17243))). attacker:(RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_17241,rbcSaF_17202,rbcNonce_17242,mac(genSessionKey(trainNonce_17240,rbcNonce_17242,getKey(new_rbc_id_17241,train_etcs_id_17243)),((PAYLOAD_LENGTH(),train_etcs_id_17243,RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_17241,rbcSaF_17202),rbcNonce_17242,trainNonce_17240,train_etcs_id_17243))). 40. The message new_rbc_id_17239 that may be sent on channel id[] by 13 may be received at input {9}. The message (RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_17241,rbcSaF_17202,rbcNonce_17242,mac(genSessionKey(trainNonce_17240,rbcNonce_17242,getKey(new_rbc_id_17241,train_etcs_id_17243)),((PAYLOAD_LENGTH(),train_etcs_id_17243,RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_17241,rbcSaF_17202),rbcNonce_17242,trainNonce_17240,train_etcs_id_17243))) that the attacker may have by 39 may be received at input {13}. So the message (ZEROS(),AU3(),DF_SEND(),mac(genSessionKey(trainNonce_17240,rbcNonce_17242,getKey(new_rbc_id_17241,train_etcs_id_17243)),(PAYLOAD_LENGTH(),train_etcs_id_17243,ZEROS(),AU3(),DF_SEND(),trainNonce_17240,rbcNonce_17242))) may be sent to the attacker at output {19}. attacker:(ZEROS(),AU3(),DF_SEND(),mac(genSessionKey(trainNonce_17240,rbcNonce_17242,getKey(new_rbc_id_17241,train_etcs_id_17243)),(PAYLOAD_LENGTH(),train_etcs_id_17243,ZEROS(),AU3(),DF_SEND(),trainNonce_17240,rbcNonce_17242))). 41. By 40, the attacker may know (ZEROS(),AU3(),DF_SEND(),mac(genSessionKey(trainNonce_17240,rbcNonce_17242,getKey(new_rbc_id_17241,train_etcs_id_17243)),(PAYLOAD_LENGTH(),train_etcs_id_17243,ZEROS(),AU3(),DF_SEND(),trainNonce_17240,rbcNonce_17242))). Using the function 4-proj-4-tuple the attacker may obtain mac(genSessionKey(trainNonce_17240,rbcNonce_17242,getKey(new_rbc_id_17241,train_etcs_id_17243)),(PAYLOAD_LENGTH(),train_etcs_id_17243,ZEROS(),AU3(),DF_SEND(),trainNonce_17240,rbcNonce_17242)). attacker:mac(genSessionKey(trainNonce_17240,rbcNonce_17242,getKey(new_rbc_id_17241,train_etcs_id_17243)),(PAYLOAD_LENGTH(),train_etcs_id_17243,ZEROS(),AU3(),DF_SEND(),trainNonce_17240,rbcNonce_17242)). 42. Using the function AU3 the attacker may obtain AU3(). attacker:AU3(). 43. Using the function ZEROS the attacker may obtain ZEROS(). attacker:ZEROS(). 44. By 43, the attacker may know ZEROS(). By 42, the attacker may know AU3(). By 9, the attacker may know DF_SEND(). By 41, the attacker may know mac(genSessionKey(trainNonce_17240,rbcNonce_17242,getKey(new_rbc_id_17241,train_etcs_id_17243)),(PAYLOAD_LENGTH(),train_etcs_id_17243,ZEROS(),AU3(),DF_SEND(),trainNonce_17240,rbcNonce_17242)). Using the function 4-tuple the attacker may obtain (ZEROS(),AU3(),DF_SEND(),mac(genSessionKey(trainNonce_17240,rbcNonce_17242,getKey(new_rbc_id_17241,train_etcs_id_17243)),(PAYLOAD_LENGTH(),train_etcs_id_17243,ZEROS(),AU3(),DF_SEND(),trainNonce_17240,rbcNonce_17242))). attacker:(ZEROS(),AU3(),DF_SEND(),mac(genSessionKey(trainNonce_17240,rbcNonce_17242,getKey(new_rbc_id_17241,train_etcs_id_17243)),(PAYLOAD_LENGTH(),train_etcs_id_17243,ZEROS(),AU3(),DF_SEND(),trainNonce_17240,rbcNonce_17242))). 45. The attacker has some term msgA_17230. attacker:msgA_17230. 46. The attacker has some term timeA_17229. attacker:timeA_17229. 47. Using the function DT the attacker may obtain DT(). attacker:DT(). 48. By 47, the attacker may know DT(). By 46, the attacker may know timeA_17229. By 45, the attacker may know msgA_17230. Using the function 3-tuple the attacker may obtain (DT(),timeA_17229,msgA_17230). attacker:(DT(),timeA_17229,msgA_17230). 49. We assume as hypothesis that attacker:msgB_17228. 50. We assume as hypothesis that attacker:timeB_17227. 51. By 47, the attacker may know DT(). By 50, the attacker may know timeB_17227. By 49, the attacker may know msgB_17228. Using the function 3-tuple the attacker may obtain (DT(),timeB_17227,msgB_17228). attacker:(DT(),timeB_17227,msgB_17228). 52. The message new_rbc_id_17241 that may be sent on channel id[] by 1 may be received at input {31}. The message (sent_ETCS_ID_TYPE_17235,AU1(),DF_SEND(),train_etcs_id_17243,trainSaF_17236,trainNonce_17240) that the attacker may have by 12 may be received at input {33}. The message (ZEROS(),AU3(),DF_SEND(),mac(genSessionKey(trainNonce_17240,rbcNonce_17242,getKey(new_rbc_id_17241,train_etcs_id_17243)),(PAYLOAD_LENGTH(),train_etcs_id_17243,ZEROS(),AU3(),DF_SEND(),trainNonce_17240,rbcNonce_17242))) that the attacker may have by 44 may be received at input {39}. The message (DT(),timeA_17229,msgA_17230) that the attacker may have by 48 may be received at input {42}. The message (DT(),timeB_17227,msgB_17228) that the attacker may have by 51 may be received at input {44}. So event DataReceived2((DT(),timeB_17227,msgB_17228)) may be executed at {45} in session endsid_17237. end:endsid_17237,DataReceived2((DT(),timeB_17227,msgB_17228)). Unified sent_ETCS_ID_TYPE_17160 with sent_ETCS_ID_TYPE_17235 Unified in_train_etcs_id_17161 with train_etcs_id_20[!1 = @sid_17206] Unified trainSaF_17162 with trainSaF_17236 Unified trainNonce_17163 with trainNonce_23[rbc_etcs_id_22 = new_rbc_id_19[!1 = @sid_17109],!2 = @sid_17205,!1 = @sid_17206] Unified sent_ETCS_ID_TYPE_17181 with sent_ETCS_ID_TYPE_17235 Unified rbcSaF_17202 with trainSaF_17236 Iterating unifyDerivation. Fixpoint reached: nothing more to unify. The clause after unifyDerivation is attacker:msgB_17249 & attacker:timeB_17248 -> end:endsid_17247,DataReceived2((DT(),timeB_17248,msgB_17249)) This clause still contradicts the query. A more detailed output of the traces is available with param traceDisplay = long. new train_etcs_id_20 creating train_etcs_id_20_17281 at {6} in copy a_17260 new session_21 creating session_21_17342 at {8} in copy a_17260, a_17259 new session_21 creating session_21_17343 at {8} in copy a_17260, a_17271 new new_rbc_id_19 creating new_rbc_id_19_17278 at {2} in copy a_17261 new new_rbc_id_19 creating new_rbc_id_19_17283 at {2} in copy a_17258 new new_rbc_id_19 creating new_rbc_id_19_17280 at {2} in copy a_17270 out(id, new_rbc_id_19_17280) at {4} in copy a_17270, a_17272 received at {9} in copy a_17260, a_17271 new trainNonce_23 creating trainNonce_23_17282 at {10} in copy a_17260, a_17271 event(trainStartSession(new_rbc_id_19_17280,train_etcs_id_20_17281,trainNonce_23_17282,SAF())) at {11} in copy a_17260, a_17271 out(c, (TRAIN_ETCS_ID_TYPE(),AU1(),DF_SEND(),train_etcs_id_20_17281,SAF(),trainNonce_23_17282)) at {12} in copy a_17260, a_17271 out(id, new_rbc_id_19_17283) at {4} in copy a_17258, a_17276 received at {9} in copy a_17260, a_17259 new trainNonce_23 creating trainNonce_23_17284 at {10} in copy a_17260, a_17259 event(trainStartSession(new_rbc_id_19_17283,train_etcs_id_20_17281,trainNonce_23_17284,SAF())) at {11} in copy a_17260, a_17259 out(c, (TRAIN_ETCS_ID_TYPE(),AU1(),DF_SEND(),train_etcs_id_20_17281,SAF(),trainNonce_23_17284)) at {12} in copy a_17260, a_17259 out(id, new_rbc_id_19_17278) at {4} in copy a_17261, a_17268 received at {31} in copy a_17264 new rbcNonce_37 creating rbcNonce_37_17279 at {32} in copy a_17264 in(c, (a_17267,AU1(),DF_SEND(),a_17266,a_17263,a_17265)) at {33} in copy a_17264 event(rbcStartSession(new_rbc_id_19_17278,a_17266,rbcNonce_37_17279,a_17263,a_17265)) at {34} in copy a_17264 out(c, encrypt(SECRET,genSessionKey(a_17265,rbcNonce_37_17279,getKey(new_rbc_id_19_17278,a_17266)))) at {36} in copy a_17264 out(c, encrypt(SECRET,getKey(new_rbc_id_19_17278,a_17266))) at {37} in copy a_17264 out(c, (RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_19_17278,a_17263,rbcNonce_37_17279,mac(genSessionKey(a_17265,rbcNonce_37_17279,getKey(new_rbc_id_19_17278,a_17266)),((PAYLOAD_LENGTH(),a_17266,RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_19_17278,a_17263),rbcNonce_37_17279,a_17265,a_17266)))) at {38} in copy a_17264 out(id, new_rbc_id_19_17278) at {4} in copy a_17261, a_17274 received at {31} in copy a_17253 new rbcNonce_37 creating rbcNonce_37_17285 at {32} in copy a_17253 in(c, (a_17269,AU1(),DF_SEND(),train_etcs_id_20_17281,a_17262,trainNonce_23_17284)) at {33} in copy a_17253 event(rbcStartSession(new_rbc_id_19_17278,train_etcs_id_20_17281,rbcNonce_37_17285,a_17262,trainNonce_23_17284)) at {34} in copy a_17253 out(c, encrypt(SECRET,genSessionKey(trainNonce_23_17284,rbcNonce_37_17285,getKey(new_rbc_id_19_17278,train_etcs_id_20_17281)))) at {36} in copy a_17253 out(c, encrypt(SECRET,getKey(new_rbc_id_19_17278,train_etcs_id_20_17281))) at {37} in copy a_17253 out(c, (RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_19_17278,a_17262,rbcNonce_37_17285,mac(genSessionKey(trainNonce_23_17284,rbcNonce_37_17285,getKey(new_rbc_id_19_17278,train_etcs_id_20_17281)),((PAYLOAD_LENGTH(),train_etcs_id_20_17281,RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_19_17278,a_17262),rbcNonce_37_17285,trainNonce_23_17284,train_etcs_id_20_17281)))) at {38} in copy a_17253 in(c, (RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_19_17278,a_17262,rbcNonce_37_17285,mac(genSessionKey(trainNonce_23_17284,rbcNonce_37_17285,getKey(new_rbc_id_19_17278,train_etcs_id_20_17281)),((PAYLOAD_LENGTH(),train_etcs_id_20_17281,RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_19_17278,a_17262),rbcNonce_37_17285,trainNonce_23_17284,train_etcs_id_20_17281)))) at {13} in copy a_17260, a_17259 out(c, encrypt(SECRET,genSessionKey(trainNonce_23_17284,rbcNonce_37_17285,getKey(new_rbc_id_19_17278,train_etcs_id_20_17281)))) at {15} in copy a_17260, a_17259 out(c, encrypt(SECRET,getKey(new_rbc_id_19_17278,train_etcs_id_20_17281))) at {16} in copy a_17260, a_17259 event(trainFinishSession(new_rbc_id_19_17278,train_etcs_id_20_17281,trainNonce_23_17284,a_17262,rbcNonce_37_17285,genSessionKey(trainNonce_23_17284,rbcNonce_37_17285,getKey(new_rbc_id_19_17278,train_etcs_id_20_17281)))) at {18} in copy a_17260, a_17259 out(c, (ZEROS(),AU3(),DF_SEND(),mac(genSessionKey(trainNonce_23_17284,rbcNonce_37_17285,getKey(new_rbc_id_19_17278,train_etcs_id_20_17281)),(PAYLOAD_LENGTH(),train_etcs_id_20_17281,ZEROS(),AU3(),DF_SEND(),trainNonce_23_17284,rbcNonce_37_17285)))) at {19} in copy a_17260, a_17259 new time_29 creating time_29_17454 at {20} in copy a_17260, a_17259 in(c, (ZEROS(),AU3(),DF_SEND(),mac(genSessionKey(trainNonce_23_17284,rbcNonce_37_17285,getKey(new_rbc_id_19_17278,train_etcs_id_20_17281)),(PAYLOAD_LENGTH(),train_etcs_id_20_17281,ZEROS(),AU3(),DF_SEND(),trainNonce_23_17284,rbcNonce_37_17285)))) at {39} in copy a_17253 event(rbcFinishSession(new_rbc_id_19_17278,train_etcs_id_20_17281,rbcNonce_37_17285,a_17262,trainNonce_23_17284,genSessionKey(trainNonce_23_17284,rbcNonce_37_17285,getKey(new_rbc_id_19_17278,train_etcs_id_20_17281)))) at {41} in copy a_17253 in(c, (DT(),a_17256,a_17257)) at {42} in copy a_17253 event(DataReceived1((DT(),a_17256,a_17257))) at {43} in copy a_17253 in(c, (DT(),a_17254,a_17255)) at {44} in copy a_17253 event(DataReceived2((DT(),a_17254,a_17255))) at {45} in copy a_17253 The event DataReceived2((DT(),a_17254,a_17255)) is executed in session a_17253. A trace has been found. RESULT evinj:DataReceived2(m_15036) ==> evinj:DataSent1(s_15037,m_15036) | evinj:DataSent2(s_15037,m_15036) | evinj:DataSent3(s_15037,m_15036) is false. RESULT (even ev:DataReceived2(m_17079) ==> ev:DataSent1(s_17078,m_17079) | ev:DataSent2(s_17078,m_17079) | ev:DataSent3(s_17078,m_17079) is false.) nounif greater:x_17493,*y_17494/-5000 -- Query evinj:DataReceived1(m_17483) ==> evinj:DataSent1(s_17484,m_17483) | evinj:DataSent2(s_17484,m_17483) | evinj:DataSent3(s_17484,m_17483) Completing... Starting query evinj:DataReceived1(m_17483) ==> evinj:DataSent1(s_17484,m_17483) | evinj:DataSent2(s_17484,m_17483) | evinj:DataSent3(s_17484,m_17483) goal reachable: attacker:timeA_19520 & attacker:msgA_19521 -> end:endsid_19522,DataReceived1((DT(),timeA_19520,msgA_19521)) Abbreviations: new_rbc_id_19679 = new_rbc_id_19[!1 = @sid_19554] trainNonce_19680 = trainNonce_23[rbc_etcs_id_22 = new_rbc_id_19679,!2 = @sid_19650,!1 = @sid_19651] new_rbc_id_19681 = new_rbc_id_19[!1 = @sid_19618] rbcNonce_19682 = rbcNonce_37[rbc_etcs_id_36 = new_rbc_id_19681,!1 = endsid_19677] train_etcs_id_19683 = train_etcs_id_20[!1 = @sid_19651] rbcNonce_19684 = rbcNonce_37[rbc_etcs_id_36 = new_rbc_id_19681,!1 = @sid_19589] new_rbc_id_19685 = new_rbc_id_19[!1 = @sid_19528] trainNonce_19686 = trainNonce_23[rbc_etcs_id_22 = new_rbc_id_19685,!2 = @sid_19532,!1 = @sid_19651] 1. The message new_rbc_id_19681 may be sent on channel id[] at output {4}. mess:id[],new_rbc_id_19681. 2. The message new_rbc_id_19679 may be sent on channel id[] at output {4}. mess:id[],new_rbc_id_19679. 3. The message new_rbc_id_19679 that may be sent on channel id[] by 2 may be received at input {9}. So the message (TRAIN_ETCS_ID_TYPE(),AU1(),DF_SEND(),train_etcs_id_19683,SAF(),trainNonce_19680) may be sent to the attacker at output {12}. attacker:(TRAIN_ETCS_ID_TYPE(),AU1(),DF_SEND(),train_etcs_id_19683,SAF(),trainNonce_19680). 4. By 3, the attacker may know (TRAIN_ETCS_ID_TYPE(),AU1(),DF_SEND(),train_etcs_id_19683,SAF(),trainNonce_19680). Using the function 6-proj-6-tuple the attacker may obtain trainNonce_19680. attacker:trainNonce_19680. 5. The attacker has some term trainSaF_19676. attacker:trainSaF_19676. 6. The message new_rbc_id_19685 may be sent on channel id[] at output {4}. mess:id[],new_rbc_id_19685. 7. The message new_rbc_id_19685 that may be sent on channel id[] by 6 may be received at input {9}. So the message (TRAIN_ETCS_ID_TYPE(),AU1(),DF_SEND(),train_etcs_id_19683,SAF(),trainNonce_19686) may be sent to the attacker at output {12}. attacker:(TRAIN_ETCS_ID_TYPE(),AU1(),DF_SEND(),train_etcs_id_19683,SAF(),trainNonce_19686). 8. By 7, the attacker may know (TRAIN_ETCS_ID_TYPE(),AU1(),DF_SEND(),train_etcs_id_19683,SAF(),trainNonce_19686). Using the function 4-proj-6-tuple the attacker may obtain train_etcs_id_19683. attacker:train_etcs_id_19683. 9. Using the function DF_SEND the attacker may obtain DF_SEND(). attacker:DF_SEND(). 10. Using the function AU1 the attacker may obtain AU1(). attacker:AU1(). 11. The attacker has some term sent_ETCS_ID_TYPE_19675. attacker:sent_ETCS_ID_TYPE_19675. 12. By 11, the attacker may know sent_ETCS_ID_TYPE_19675. By 10, the attacker may know AU1(). By 9, the attacker may know DF_SEND(). By 8, the attacker may know train_etcs_id_19683. By 5, the attacker may know trainSaF_19676. By 4, the attacker may know trainNonce_19680. Using the function 6-tuple the attacker may obtain (sent_ETCS_ID_TYPE_19675,AU1(),DF_SEND(),train_etcs_id_19683,trainSaF_19676,trainNonce_19680). attacker:(sent_ETCS_ID_TYPE_19675,AU1(),DF_SEND(),train_etcs_id_19683,trainSaF_19676,trainNonce_19680). 13. The message new_rbc_id_19679 may be sent on channel id[] at output {4}. mess:id[],new_rbc_id_19679. 14. The message new_rbc_id_19681 may be sent on channel id[] at output {4}. mess:id[],new_rbc_id_19681. 15. The attacker has some term rbcSaF_19647. attacker:rbcSaF_19647. 16. The attacker has some term sent_ETCS_ID_TYPE_19626. attacker:sent_ETCS_ID_TYPE_19626. 17. By 16, the attacker may know sent_ETCS_ID_TYPE_19626. By 10, the attacker may know AU1(). By 9, the attacker may know DF_SEND(). By 8, the attacker may know train_etcs_id_19683. By 15, the attacker may know rbcSaF_19647. By 4, the attacker may know trainNonce_19680. Using the function 6-tuple the attacker may obtain (sent_ETCS_ID_TYPE_19626,AU1(),DF_SEND(),train_etcs_id_19683,rbcSaF_19647,trainNonce_19680). attacker:(sent_ETCS_ID_TYPE_19626,AU1(),DF_SEND(),train_etcs_id_19683,rbcSaF_19647,trainNonce_19680). 18. The message new_rbc_id_19681 that may be sent on channel id[] by 14 may be received at input {31}. The message (sent_ETCS_ID_TYPE_19626,AU1(),DF_SEND(),train_etcs_id_19683,rbcSaF_19647,trainNonce_19680) that the attacker may have by 17 may be received at input {33}. So the message (RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_19681,rbcSaF_19647,rbcNonce_19682,mac(genSessionKey(trainNonce_19680,rbcNonce_19682,getKey(new_rbc_id_19681,train_etcs_id_19683)),((PAYLOAD_LENGTH(),train_etcs_id_19683,RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_19681,rbcSaF_19647),rbcNonce_19682,trainNonce_19680,train_etcs_id_19683))) may be sent to the attacker at output {38}. attacker:(RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_19681,rbcSaF_19647,rbcNonce_19682,mac(genSessionKey(trainNonce_19680,rbcNonce_19682,getKey(new_rbc_id_19681,train_etcs_id_19683)),((PAYLOAD_LENGTH(),train_etcs_id_19683,RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_19681,rbcSaF_19647),rbcNonce_19682,trainNonce_19680,train_etcs_id_19683))). 19. By 18, the attacker may know (RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_19681,rbcSaF_19647,rbcNonce_19682,mac(genSessionKey(trainNonce_19680,rbcNonce_19682,getKey(new_rbc_id_19681,train_etcs_id_19683)),((PAYLOAD_LENGTH(),train_etcs_id_19683,RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_19681,rbcSaF_19647),rbcNonce_19682,trainNonce_19680,train_etcs_id_19683))). Using the function 7-proj-7-tuple the attacker may obtain mac(genSessionKey(trainNonce_19680,rbcNonce_19682,getKey(new_rbc_id_19681,train_etcs_id_19683)),((PAYLOAD_LENGTH(),train_etcs_id_19683,RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_19681,rbcSaF_19647),rbcNonce_19682,trainNonce_19680,train_etcs_id_19683)). attacker:mac(genSessionKey(trainNonce_19680,rbcNonce_19682,getKey(new_rbc_id_19681,train_etcs_id_19683)),((PAYLOAD_LENGTH(),train_etcs_id_19683,RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_19681,rbcSaF_19647),rbcNonce_19682,trainNonce_19680,train_etcs_id_19683)). 20. The message new_rbc_id_19681 may be sent on channel id[] at output {4}. mess:id[],new_rbc_id_19681. 21. The attacker has some term trainNonce_19608. attacker:trainNonce_19608. 22. The attacker has some term trainSaF_19607. attacker:trainSaF_19607. 23. The attacker has some term in_train_etcs_id_19606. attacker:in_train_etcs_id_19606. 24. The attacker has some term sent_ETCS_ID_TYPE_19605. attacker:sent_ETCS_ID_TYPE_19605. 25. By 24, the attacker may know sent_ETCS_ID_TYPE_19605. By 10, the attacker may know AU1(). By 9, the attacker may know DF_SEND(). By 23, the attacker may know in_train_etcs_id_19606. By 22, the attacker may know trainSaF_19607. By 21, the attacker may know trainNonce_19608. Using the function 6-tuple the attacker may obtain (sent_ETCS_ID_TYPE_19605,AU1(),DF_SEND(),in_train_etcs_id_19606,trainSaF_19607,trainNonce_19608). attacker:(sent_ETCS_ID_TYPE_19605,AU1(),DF_SEND(),in_train_etcs_id_19606,trainSaF_19607,trainNonce_19608). 26. The message new_rbc_id_19681 that may be sent on channel id[] by 20 may be received at input {31}. The message (sent_ETCS_ID_TYPE_19605,AU1(),DF_SEND(),in_train_etcs_id_19606,trainSaF_19607,trainNonce_19608) that the attacker may have by 25 may be received at input {33}. So the message (RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_19681,trainSaF_19607,rbcNonce_19682,mac(genSessionKey(trainNonce_19608,rbcNonce_19682,getKey(new_rbc_id_19681,in_train_etcs_id_19606)),((PAYLOAD_LENGTH(),in_train_etcs_id_19606,RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_19681,trainSaF_19607),rbcNonce_19682,trainNonce_19608,in_train_etcs_id_19606))) may be sent to the attacker at output {38}. attacker:(RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_19681,trainSaF_19607,rbcNonce_19682,mac(genSessionKey(trainNonce_19608,rbcNonce_19682,getKey(new_rbc_id_19681,in_train_etcs_id_19606)),((PAYLOAD_LENGTH(),in_train_etcs_id_19606,RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_19681,trainSaF_19607),rbcNonce_19682,trainNonce_19608,in_train_etcs_id_19606))). 27. By 26, the attacker may know (RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_19681,trainSaF_19607,rbcNonce_19682,mac(genSessionKey(trainNonce_19608,rbcNonce_19682,getKey(new_rbc_id_19681,in_train_etcs_id_19606)),((PAYLOAD_LENGTH(),in_train_etcs_id_19606,RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_19681,trainSaF_19607),rbcNonce_19682,trainNonce_19608,in_train_etcs_id_19606))). Using the function 6-proj-7-tuple the attacker may obtain rbcNonce_19682. attacker:rbcNonce_19682. 28. The message new_rbc_id_19681 may be sent on channel id[] at output {4}. mess:id[],new_rbc_id_19681. 29. The attacker has some term trainNonce_19587. attacker:trainNonce_19587. 30. The attacker has some term trainSaF_19586. attacker:trainSaF_19586. 31. The attacker has some term in_train_etcs_id_19585. attacker:in_train_etcs_id_19585. 32. The attacker has some term sent_ETCS_ID_TYPE_19584. attacker:sent_ETCS_ID_TYPE_19584. 33. By 32, the attacker may know sent_ETCS_ID_TYPE_19584. By 10, the attacker may know AU1(). By 9, the attacker may know DF_SEND(). By 31, the attacker may know in_train_etcs_id_19585. By 30, the attacker may know trainSaF_19586. By 29, the attacker may know trainNonce_19587. Using the function 6-tuple the attacker may obtain (sent_ETCS_ID_TYPE_19584,AU1(),DF_SEND(),in_train_etcs_id_19585,trainSaF_19586,trainNonce_19587). attacker:(sent_ETCS_ID_TYPE_19584,AU1(),DF_SEND(),in_train_etcs_id_19585,trainSaF_19586,trainNonce_19587). 34. The message new_rbc_id_19681 that may be sent on channel id[] by 28 may be received at input {31}. The message (sent_ETCS_ID_TYPE_19584,AU1(),DF_SEND(),in_train_etcs_id_19585,trainSaF_19586,trainNonce_19587) that the attacker may have by 33 may be received at input {33}. So the message (RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_19681,trainSaF_19586,rbcNonce_19684,mac(genSessionKey(trainNonce_19587,rbcNonce_19684,getKey(new_rbc_id_19681,in_train_etcs_id_19585)),((PAYLOAD_LENGTH(),in_train_etcs_id_19585,RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_19681,trainSaF_19586),rbcNonce_19684,trainNonce_19587,in_train_etcs_id_19585))) may be sent to the attacker at output {38}. attacker:(RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_19681,trainSaF_19586,rbcNonce_19684,mac(genSessionKey(trainNonce_19587,rbcNonce_19684,getKey(new_rbc_id_19681,in_train_etcs_id_19585)),((PAYLOAD_LENGTH(),in_train_etcs_id_19585,RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_19681,trainSaF_19586),rbcNonce_19684,trainNonce_19587,in_train_etcs_id_19585))). 35. By 34, the attacker may know (RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_19681,trainSaF_19586,rbcNonce_19684,mac(genSessionKey(trainNonce_19587,rbcNonce_19684,getKey(new_rbc_id_19681,in_train_etcs_id_19585)),((PAYLOAD_LENGTH(),in_train_etcs_id_19585,RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_19681,trainSaF_19586),rbcNonce_19684,trainNonce_19587,in_train_etcs_id_19585))). Using the function 4-proj-7-tuple the attacker may obtain new_rbc_id_19681. attacker:new_rbc_id_19681. 36. Using the function DF_RESP the attacker may obtain DF_RESP(). attacker:DF_RESP(). 37. Using the function AU2 the attacker may obtain AU2(). attacker:AU2(). 38. Using the function RBC_ETCS_ID_TYPE the attacker may obtain RBC_ETCS_ID_TYPE(). attacker:RBC_ETCS_ID_TYPE(). 39. By 38, the attacker may know RBC_ETCS_ID_TYPE(). By 37, the attacker may know AU2(). By 36, the attacker may know DF_RESP(). By 35, the attacker may know new_rbc_id_19681. By 15, the attacker may know rbcSaF_19647. By 27, the attacker may know rbcNonce_19682. By 19, the attacker may know mac(genSessionKey(trainNonce_19680,rbcNonce_19682,getKey(new_rbc_id_19681,train_etcs_id_19683)),((PAYLOAD_LENGTH(),train_etcs_id_19683,RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_19681,rbcSaF_19647),rbcNonce_19682,trainNonce_19680,train_etcs_id_19683)). Using the function 7-tuple the attacker may obtain (RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_19681,rbcSaF_19647,rbcNonce_19682,mac(genSessionKey(trainNonce_19680,rbcNonce_19682,getKey(new_rbc_id_19681,train_etcs_id_19683)),((PAYLOAD_LENGTH(),train_etcs_id_19683,RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_19681,rbcSaF_19647),rbcNonce_19682,trainNonce_19680,train_etcs_id_19683))). attacker:(RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_19681,rbcSaF_19647,rbcNonce_19682,mac(genSessionKey(trainNonce_19680,rbcNonce_19682,getKey(new_rbc_id_19681,train_etcs_id_19683)),((PAYLOAD_LENGTH(),train_etcs_id_19683,RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_19681,rbcSaF_19647),rbcNonce_19682,trainNonce_19680,train_etcs_id_19683))). 40. The message new_rbc_id_19679 that may be sent on channel id[] by 13 may be received at input {9}. The message (RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_19681,rbcSaF_19647,rbcNonce_19682,mac(genSessionKey(trainNonce_19680,rbcNonce_19682,getKey(new_rbc_id_19681,train_etcs_id_19683)),((PAYLOAD_LENGTH(),train_etcs_id_19683,RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_19681,rbcSaF_19647),rbcNonce_19682,trainNonce_19680,train_etcs_id_19683))) that the attacker may have by 39 may be received at input {13}. So the message (ZEROS(),AU3(),DF_SEND(),mac(genSessionKey(trainNonce_19680,rbcNonce_19682,getKey(new_rbc_id_19681,train_etcs_id_19683)),(PAYLOAD_LENGTH(),train_etcs_id_19683,ZEROS(),AU3(),DF_SEND(),trainNonce_19680,rbcNonce_19682))) may be sent to the attacker at output {19}. attacker:(ZEROS(),AU3(),DF_SEND(),mac(genSessionKey(trainNonce_19680,rbcNonce_19682,getKey(new_rbc_id_19681,train_etcs_id_19683)),(PAYLOAD_LENGTH(),train_etcs_id_19683,ZEROS(),AU3(),DF_SEND(),trainNonce_19680,rbcNonce_19682))). 41. By 40, the attacker may know (ZEROS(),AU3(),DF_SEND(),mac(genSessionKey(trainNonce_19680,rbcNonce_19682,getKey(new_rbc_id_19681,train_etcs_id_19683)),(PAYLOAD_LENGTH(),train_etcs_id_19683,ZEROS(),AU3(),DF_SEND(),trainNonce_19680,rbcNonce_19682))). Using the function 4-proj-4-tuple the attacker may obtain mac(genSessionKey(trainNonce_19680,rbcNonce_19682,getKey(new_rbc_id_19681,train_etcs_id_19683)),(PAYLOAD_LENGTH(),train_etcs_id_19683,ZEROS(),AU3(),DF_SEND(),trainNonce_19680,rbcNonce_19682)). attacker:mac(genSessionKey(trainNonce_19680,rbcNonce_19682,getKey(new_rbc_id_19681,train_etcs_id_19683)),(PAYLOAD_LENGTH(),train_etcs_id_19683,ZEROS(),AU3(),DF_SEND(),trainNonce_19680,rbcNonce_19682)). 42. Using the function AU3 the attacker may obtain AU3(). attacker:AU3(). 43. Using the function ZEROS the attacker may obtain ZEROS(). attacker:ZEROS(). 44. By 43, the attacker may know ZEROS(). By 42, the attacker may know AU3(). By 9, the attacker may know DF_SEND(). By 41, the attacker may know mac(genSessionKey(trainNonce_19680,rbcNonce_19682,getKey(new_rbc_id_19681,train_etcs_id_19683)),(PAYLOAD_LENGTH(),train_etcs_id_19683,ZEROS(),AU3(),DF_SEND(),trainNonce_19680,rbcNonce_19682)). Using the function 4-tuple the attacker may obtain (ZEROS(),AU3(),DF_SEND(),mac(genSessionKey(trainNonce_19680,rbcNonce_19682,getKey(new_rbc_id_19681,train_etcs_id_19683)),(PAYLOAD_LENGTH(),train_etcs_id_19683,ZEROS(),AU3(),DF_SEND(),trainNonce_19680,rbcNonce_19682))). attacker:(ZEROS(),AU3(),DF_SEND(),mac(genSessionKey(trainNonce_19680,rbcNonce_19682,getKey(new_rbc_id_19681,train_etcs_id_19683)),(PAYLOAD_LENGTH(),train_etcs_id_19683,ZEROS(),AU3(),DF_SEND(),trainNonce_19680,rbcNonce_19682))). 45. We assume as hypothesis that attacker:msgA_19670. 46. We assume as hypothesis that attacker:timeA_19669. 47. Using the function DT the attacker may obtain DT(). attacker:DT(). 48. By 47, the attacker may know DT(). By 46, the attacker may know timeA_19669. By 45, the attacker may know msgA_19670. Using the function 3-tuple the attacker may obtain (DT(),timeA_19669,msgA_19670). attacker:(DT(),timeA_19669,msgA_19670). 49. The message new_rbc_id_19681 that may be sent on channel id[] by 1 may be received at input {31}. The message (sent_ETCS_ID_TYPE_19675,AU1(),DF_SEND(),train_etcs_id_19683,trainSaF_19676,trainNonce_19680) that the attacker may have by 12 may be received at input {33}. The message (ZEROS(),AU3(),DF_SEND(),mac(genSessionKey(trainNonce_19680,rbcNonce_19682,getKey(new_rbc_id_19681,train_etcs_id_19683)),(PAYLOAD_LENGTH(),train_etcs_id_19683,ZEROS(),AU3(),DF_SEND(),trainNonce_19680,rbcNonce_19682))) that the attacker may have by 44 may be received at input {39}. The message (DT(),timeA_19669,msgA_19670) that the attacker may have by 48 may be received at input {42}. So event DataReceived1((DT(),timeA_19669,msgA_19670)) may be executed at {43} in session endsid_19677. end:endsid_19677,DataReceived1((DT(),timeA_19669,msgA_19670)). Unified sent_ETCS_ID_TYPE_19605 with sent_ETCS_ID_TYPE_19675 Unified in_train_etcs_id_19606 with train_etcs_id_20[!1 = @sid_19651] Unified trainSaF_19607 with trainSaF_19676 Unified trainNonce_19608 with trainNonce_23[rbc_etcs_id_22 = new_rbc_id_19[!1 = @sid_19554],!2 = @sid_19650,!1 = @sid_19651] Unified sent_ETCS_ID_TYPE_19626 with sent_ETCS_ID_TYPE_19675 Unified rbcSaF_19647 with trainSaF_19676 Iterating unifyDerivation. Fixpoint reached: nothing more to unify. The clause after unifyDerivation is attacker:msgA_19689 & attacker:timeA_19688 -> end:endsid_19687,DataReceived1((DT(),timeA_19688,msgA_19689)) This clause still contradicts the query. A more detailed output of the traces is available with param traceDisplay = long. new train_etcs_id_20 creating train_etcs_id_20_19719 at {6} in copy a_19698 new session_21 creating session_21_19780 at {8} in copy a_19698, a_19697 new session_21 creating session_21_19781 at {8} in copy a_19698, a_19709 new new_rbc_id_19 creating new_rbc_id_19_19716 at {2} in copy a_19699 new new_rbc_id_19 creating new_rbc_id_19_19721 at {2} in copy a_19696 new new_rbc_id_19 creating new_rbc_id_19_19718 at {2} in copy a_19708 out(id, new_rbc_id_19_19718) at {4} in copy a_19708, a_19710 received at {9} in copy a_19698, a_19709 new trainNonce_23 creating trainNonce_23_19720 at {10} in copy a_19698, a_19709 event(trainStartSession(new_rbc_id_19_19718,train_etcs_id_20_19719,trainNonce_23_19720,SAF())) at {11} in copy a_19698, a_19709 out(c, (TRAIN_ETCS_ID_TYPE(),AU1(),DF_SEND(),train_etcs_id_20_19719,SAF(),trainNonce_23_19720)) at {12} in copy a_19698, a_19709 out(id, new_rbc_id_19_19721) at {4} in copy a_19696, a_19714 received at {9} in copy a_19698, a_19697 new trainNonce_23 creating trainNonce_23_19722 at {10} in copy a_19698, a_19697 event(trainStartSession(new_rbc_id_19_19721,train_etcs_id_20_19719,trainNonce_23_19722,SAF())) at {11} in copy a_19698, a_19697 out(c, (TRAIN_ETCS_ID_TYPE(),AU1(),DF_SEND(),train_etcs_id_20_19719,SAF(),trainNonce_23_19722)) at {12} in copy a_19698, a_19697 out(id, new_rbc_id_19_19716) at {4} in copy a_19699, a_19706 received at {31} in copy a_19702 new rbcNonce_37 creating rbcNonce_37_19717 at {32} in copy a_19702 in(c, (a_19705,AU1(),DF_SEND(),a_19704,a_19701,a_19703)) at {33} in copy a_19702 event(rbcStartSession(new_rbc_id_19_19716,a_19704,rbcNonce_37_19717,a_19701,a_19703)) at {34} in copy a_19702 out(c, encrypt(SECRET,genSessionKey(a_19703,rbcNonce_37_19717,getKey(new_rbc_id_19_19716,a_19704)))) at {36} in copy a_19702 out(c, encrypt(SECRET,getKey(new_rbc_id_19_19716,a_19704))) at {37} in copy a_19702 out(c, (RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_19_19716,a_19701,rbcNonce_37_19717,mac(genSessionKey(a_19703,rbcNonce_37_19717,getKey(new_rbc_id_19_19716,a_19704)),((PAYLOAD_LENGTH(),a_19704,RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_19_19716,a_19701),rbcNonce_37_19717,a_19703,a_19704)))) at {38} in copy a_19702 out(id, new_rbc_id_19_19716) at {4} in copy a_19699, a_19712 received at {31} in copy a_19693 new rbcNonce_37 creating rbcNonce_37_19723 at {32} in copy a_19693 in(c, (a_19707,AU1(),DF_SEND(),train_etcs_id_20_19719,a_19700,trainNonce_23_19722)) at {33} in copy a_19693 event(rbcStartSession(new_rbc_id_19_19716,train_etcs_id_20_19719,rbcNonce_37_19723,a_19700,trainNonce_23_19722)) at {34} in copy a_19693 out(c, encrypt(SECRET,genSessionKey(trainNonce_23_19722,rbcNonce_37_19723,getKey(new_rbc_id_19_19716,train_etcs_id_20_19719)))) at {36} in copy a_19693 out(c, encrypt(SECRET,getKey(new_rbc_id_19_19716,train_etcs_id_20_19719))) at {37} in copy a_19693 out(c, (RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_19_19716,a_19700,rbcNonce_37_19723,mac(genSessionKey(trainNonce_23_19722,rbcNonce_37_19723,getKey(new_rbc_id_19_19716,train_etcs_id_20_19719)),((PAYLOAD_LENGTH(),train_etcs_id_20_19719,RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_19_19716,a_19700),rbcNonce_37_19723,trainNonce_23_19722,train_etcs_id_20_19719)))) at {38} in copy a_19693 in(c, (RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_19_19716,a_19700,rbcNonce_37_19723,mac(genSessionKey(trainNonce_23_19722,rbcNonce_37_19723,getKey(new_rbc_id_19_19716,train_etcs_id_20_19719)),((PAYLOAD_LENGTH(),train_etcs_id_20_19719,RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_19_19716,a_19700),rbcNonce_37_19723,trainNonce_23_19722,train_etcs_id_20_19719)))) at {13} in copy a_19698, a_19697 out(c, encrypt(SECRET,genSessionKey(trainNonce_23_19722,rbcNonce_37_19723,getKey(new_rbc_id_19_19716,train_etcs_id_20_19719)))) at {15} in copy a_19698, a_19697 out(c, encrypt(SECRET,getKey(new_rbc_id_19_19716,train_etcs_id_20_19719))) at {16} in copy a_19698, a_19697 event(trainFinishSession(new_rbc_id_19_19716,train_etcs_id_20_19719,trainNonce_23_19722,a_19700,rbcNonce_37_19723,genSessionKey(trainNonce_23_19722,rbcNonce_37_19723,getKey(new_rbc_id_19_19716,train_etcs_id_20_19719)))) at {18} in copy a_19698, a_19697 out(c, (ZEROS(),AU3(),DF_SEND(),mac(genSessionKey(trainNonce_23_19722,rbcNonce_37_19723,getKey(new_rbc_id_19_19716,train_etcs_id_20_19719)),(PAYLOAD_LENGTH(),train_etcs_id_20_19719,ZEROS(),AU3(),DF_SEND(),trainNonce_23_19722,rbcNonce_37_19723)))) at {19} in copy a_19698, a_19697 new time_29 creating time_29_19892 at {20} in copy a_19698, a_19697 in(c, (ZEROS(),AU3(),DF_SEND(),mac(genSessionKey(trainNonce_23_19722,rbcNonce_37_19723,getKey(new_rbc_id_19_19716,train_etcs_id_20_19719)),(PAYLOAD_LENGTH(),train_etcs_id_20_19719,ZEROS(),AU3(),DF_SEND(),trainNonce_23_19722,rbcNonce_37_19723)))) at {39} in copy a_19693 event(rbcFinishSession(new_rbc_id_19_19716,train_etcs_id_20_19719,rbcNonce_37_19723,a_19700,trainNonce_23_19722,genSessionKey(trainNonce_23_19722,rbcNonce_37_19723,getKey(new_rbc_id_19_19716,train_etcs_id_20_19719)))) at {41} in copy a_19693 in(c, (DT(),a_19694,a_19695)) at {42} in copy a_19693 event(DataReceived1((DT(),a_19694,a_19695))) at {43} in copy a_19693 The event DataReceived1((DT(),a_19694,a_19695)) is executed in session a_19693. A trace has been found. RESULT evinj:DataReceived1(m_17483) ==> evinj:DataSent1(s_17484,m_17483) | evinj:DataSent2(s_17484,m_17483) | evinj:DataSent3(s_17484,m_17483) is false. RESULT (even ev:DataReceived1(m_19524) ==> ev:DataSent1(s_19523,m_19524) | ev:DataSent2(s_19523,m_19524) | ev:DataSent3(s_19523,m_19524) is false.) nounif greater:x_19925,*y_19926/-5000 -- Query ev:DataReceived3(m_19915) ==> ev:DataSent1(s2_19916,m_19915) | ev:DataSent2(s2_19916,m_19915) | ev:DataSent3(s2_19916,m_19915) Completing... Starting query ev:DataReceived3(m_19915) ==> ev:DataSent1(s2_19916,m_19915) | ev:DataSent2(s2_19916,m_19915) | ev:DataSent3(s2_19916,m_19915) goal reachable: attacker:timeC_21949 & attacker:msgC_21950 -> end:DataReceived3((DT(),timeC_21949,msgC_21950)) Abbreviations: new_rbc_id_22113 = new_rbc_id_19[!1 = @sid_21979] trainNonce_22114 = trainNonce_23[rbc_etcs_id_22 = new_rbc_id_22113,!2 = @sid_22075,!1 = @sid_22076] new_rbc_id_22115 = new_rbc_id_19[!1 = @sid_22043] rbcNonce_22116 = rbcNonce_37[rbc_etcs_id_36 = new_rbc_id_22115,!1 = @sid_22108] train_etcs_id_22117 = train_etcs_id_20[!1 = @sid_22076] rbcNonce_22118 = rbcNonce_37[rbc_etcs_id_36 = new_rbc_id_22115,!1 = @sid_22014] new_rbc_id_22119 = new_rbc_id_19[!1 = @sid_21953] trainNonce_22120 = trainNonce_23[rbc_etcs_id_22 = new_rbc_id_22119,!2 = @sid_21957,!1 = @sid_22076] 1. The message new_rbc_id_22115 may be sent on channel id[] at output {4}. mess:id[],new_rbc_id_22115. 2. The message new_rbc_id_22113 may be sent on channel id[] at output {4}. mess:id[],new_rbc_id_22113. 3. The message new_rbc_id_22113 that may be sent on channel id[] by 2 may be received at input {9}. So the message (TRAIN_ETCS_ID_TYPE(),AU1(),DF_SEND(),train_etcs_id_22117,SAF(),trainNonce_22114) may be sent to the attacker at output {12}. attacker:(TRAIN_ETCS_ID_TYPE(),AU1(),DF_SEND(),train_etcs_id_22117,SAF(),trainNonce_22114). 4. By 3, the attacker may know (TRAIN_ETCS_ID_TYPE(),AU1(),DF_SEND(),train_etcs_id_22117,SAF(),trainNonce_22114). Using the function 6-proj-6-tuple the attacker may obtain trainNonce_22114. attacker:trainNonce_22114. 5. The attacker has some term trainSaF_22111. attacker:trainSaF_22111. 6. The message new_rbc_id_22119 may be sent on channel id[] at output {4}. mess:id[],new_rbc_id_22119. 7. The message new_rbc_id_22119 that may be sent on channel id[] by 6 may be received at input {9}. So the message (TRAIN_ETCS_ID_TYPE(),AU1(),DF_SEND(),train_etcs_id_22117,SAF(),trainNonce_22120) may be sent to the attacker at output {12}. attacker:(TRAIN_ETCS_ID_TYPE(),AU1(),DF_SEND(),train_etcs_id_22117,SAF(),trainNonce_22120). 8. By 7, the attacker may know (TRAIN_ETCS_ID_TYPE(),AU1(),DF_SEND(),train_etcs_id_22117,SAF(),trainNonce_22120). Using the function 4-proj-6-tuple the attacker may obtain train_etcs_id_22117. attacker:train_etcs_id_22117. 9. Using the function DF_SEND the attacker may obtain DF_SEND(). attacker:DF_SEND(). 10. Using the function AU1 the attacker may obtain AU1(). attacker:AU1(). 11. The attacker has some term sent_ETCS_ID_TYPE_22110. attacker:sent_ETCS_ID_TYPE_22110. 12. By 11, the attacker may know sent_ETCS_ID_TYPE_22110. By 10, the attacker may know AU1(). By 9, the attacker may know DF_SEND(). By 8, the attacker may know train_etcs_id_22117. By 5, the attacker may know trainSaF_22111. By 4, the attacker may know trainNonce_22114. Using the function 6-tuple the attacker may obtain (sent_ETCS_ID_TYPE_22110,AU1(),DF_SEND(),train_etcs_id_22117,trainSaF_22111,trainNonce_22114). attacker:(sent_ETCS_ID_TYPE_22110,AU1(),DF_SEND(),train_etcs_id_22117,trainSaF_22111,trainNonce_22114). 13. The message new_rbc_id_22113 may be sent on channel id[] at output {4}. mess:id[],new_rbc_id_22113. 14. The message new_rbc_id_22115 may be sent on channel id[] at output {4}. mess:id[],new_rbc_id_22115. 15. The attacker has some term rbcSaF_22072. attacker:rbcSaF_22072. 16. The attacker has some term sent_ETCS_ID_TYPE_22051. attacker:sent_ETCS_ID_TYPE_22051. 17. By 16, the attacker may know sent_ETCS_ID_TYPE_22051. By 10, the attacker may know AU1(). By 9, the attacker may know DF_SEND(). By 8, the attacker may know train_etcs_id_22117. By 15, the attacker may know rbcSaF_22072. By 4, the attacker may know trainNonce_22114. Using the function 6-tuple the attacker may obtain (sent_ETCS_ID_TYPE_22051,AU1(),DF_SEND(),train_etcs_id_22117,rbcSaF_22072,trainNonce_22114). attacker:(sent_ETCS_ID_TYPE_22051,AU1(),DF_SEND(),train_etcs_id_22117,rbcSaF_22072,trainNonce_22114). 18. The message new_rbc_id_22115 that may be sent on channel id[] by 14 may be received at input {31}. The message (sent_ETCS_ID_TYPE_22051,AU1(),DF_SEND(),train_etcs_id_22117,rbcSaF_22072,trainNonce_22114) that the attacker may have by 17 may be received at input {33}. So the message (RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_22115,rbcSaF_22072,rbcNonce_22116,mac(genSessionKey(trainNonce_22114,rbcNonce_22116,getKey(new_rbc_id_22115,train_etcs_id_22117)),((PAYLOAD_LENGTH(),train_etcs_id_22117,RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_22115,rbcSaF_22072),rbcNonce_22116,trainNonce_22114,train_etcs_id_22117))) may be sent to the attacker at output {38}. attacker:(RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_22115,rbcSaF_22072,rbcNonce_22116,mac(genSessionKey(trainNonce_22114,rbcNonce_22116,getKey(new_rbc_id_22115,train_etcs_id_22117)),((PAYLOAD_LENGTH(),train_etcs_id_22117,RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_22115,rbcSaF_22072),rbcNonce_22116,trainNonce_22114,train_etcs_id_22117))). 19. By 18, the attacker may know (RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_22115,rbcSaF_22072,rbcNonce_22116,mac(genSessionKey(trainNonce_22114,rbcNonce_22116,getKey(new_rbc_id_22115,train_etcs_id_22117)),((PAYLOAD_LENGTH(),train_etcs_id_22117,RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_22115,rbcSaF_22072),rbcNonce_22116,trainNonce_22114,train_etcs_id_22117))). Using the function 7-proj-7-tuple the attacker may obtain mac(genSessionKey(trainNonce_22114,rbcNonce_22116,getKey(new_rbc_id_22115,train_etcs_id_22117)),((PAYLOAD_LENGTH(),train_etcs_id_22117,RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_22115,rbcSaF_22072),rbcNonce_22116,trainNonce_22114,train_etcs_id_22117)). attacker:mac(genSessionKey(trainNonce_22114,rbcNonce_22116,getKey(new_rbc_id_22115,train_etcs_id_22117)),((PAYLOAD_LENGTH(),train_etcs_id_22117,RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_22115,rbcSaF_22072),rbcNonce_22116,trainNonce_22114,train_etcs_id_22117)). 20. The message new_rbc_id_22115 may be sent on channel id[] at output {4}. mess:id[],new_rbc_id_22115. 21. The attacker has some term trainNonce_22033. attacker:trainNonce_22033. 22. The attacker has some term trainSaF_22032. attacker:trainSaF_22032. 23. The attacker has some term in_train_etcs_id_22031. attacker:in_train_etcs_id_22031. 24. The attacker has some term sent_ETCS_ID_TYPE_22030. attacker:sent_ETCS_ID_TYPE_22030. 25. By 24, the attacker may know sent_ETCS_ID_TYPE_22030. By 10, the attacker may know AU1(). By 9, the attacker may know DF_SEND(). By 23, the attacker may know in_train_etcs_id_22031. By 22, the attacker may know trainSaF_22032. By 21, the attacker may know trainNonce_22033. Using the function 6-tuple the attacker may obtain (sent_ETCS_ID_TYPE_22030,AU1(),DF_SEND(),in_train_etcs_id_22031,trainSaF_22032,trainNonce_22033). attacker:(sent_ETCS_ID_TYPE_22030,AU1(),DF_SEND(),in_train_etcs_id_22031,trainSaF_22032,trainNonce_22033). 26. The message new_rbc_id_22115 that may be sent on channel id[] by 20 may be received at input {31}. The message (sent_ETCS_ID_TYPE_22030,AU1(),DF_SEND(),in_train_etcs_id_22031,trainSaF_22032,trainNonce_22033) that the attacker may have by 25 may be received at input {33}. So the message (RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_22115,trainSaF_22032,rbcNonce_22116,mac(genSessionKey(trainNonce_22033,rbcNonce_22116,getKey(new_rbc_id_22115,in_train_etcs_id_22031)),((PAYLOAD_LENGTH(),in_train_etcs_id_22031,RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_22115,trainSaF_22032),rbcNonce_22116,trainNonce_22033,in_train_etcs_id_22031))) may be sent to the attacker at output {38}. attacker:(RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_22115,trainSaF_22032,rbcNonce_22116,mac(genSessionKey(trainNonce_22033,rbcNonce_22116,getKey(new_rbc_id_22115,in_train_etcs_id_22031)),((PAYLOAD_LENGTH(),in_train_etcs_id_22031,RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_22115,trainSaF_22032),rbcNonce_22116,trainNonce_22033,in_train_etcs_id_22031))). 27. By 26, the attacker may know (RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_22115,trainSaF_22032,rbcNonce_22116,mac(genSessionKey(trainNonce_22033,rbcNonce_22116,getKey(new_rbc_id_22115,in_train_etcs_id_22031)),((PAYLOAD_LENGTH(),in_train_etcs_id_22031,RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_22115,trainSaF_22032),rbcNonce_22116,trainNonce_22033,in_train_etcs_id_22031))). Using the function 6-proj-7-tuple the attacker may obtain rbcNonce_22116. attacker:rbcNonce_22116. 28. The message new_rbc_id_22115 may be sent on channel id[] at output {4}. mess:id[],new_rbc_id_22115. 29. The attacker has some term trainNonce_22012. attacker:trainNonce_22012. 30. The attacker has some term trainSaF_22011. attacker:trainSaF_22011. 31. The attacker has some term in_train_etcs_id_22010. attacker:in_train_etcs_id_22010. 32. The attacker has some term sent_ETCS_ID_TYPE_22009. attacker:sent_ETCS_ID_TYPE_22009. 33. By 32, the attacker may know sent_ETCS_ID_TYPE_22009. By 10, the attacker may know AU1(). By 9, the attacker may know DF_SEND(). By 31, the attacker may know in_train_etcs_id_22010. By 30, the attacker may know trainSaF_22011. By 29, the attacker may know trainNonce_22012. Using the function 6-tuple the attacker may obtain (sent_ETCS_ID_TYPE_22009,AU1(),DF_SEND(),in_train_etcs_id_22010,trainSaF_22011,trainNonce_22012). attacker:(sent_ETCS_ID_TYPE_22009,AU1(),DF_SEND(),in_train_etcs_id_22010,trainSaF_22011,trainNonce_22012). 34. The message new_rbc_id_22115 that may be sent on channel id[] by 28 may be received at input {31}. The message (sent_ETCS_ID_TYPE_22009,AU1(),DF_SEND(),in_train_etcs_id_22010,trainSaF_22011,trainNonce_22012) that the attacker may have by 33 may be received at input {33}. So the message (RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_22115,trainSaF_22011,rbcNonce_22118,mac(genSessionKey(trainNonce_22012,rbcNonce_22118,getKey(new_rbc_id_22115,in_train_etcs_id_22010)),((PAYLOAD_LENGTH(),in_train_etcs_id_22010,RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_22115,trainSaF_22011),rbcNonce_22118,trainNonce_22012,in_train_etcs_id_22010))) may be sent to the attacker at output {38}. attacker:(RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_22115,trainSaF_22011,rbcNonce_22118,mac(genSessionKey(trainNonce_22012,rbcNonce_22118,getKey(new_rbc_id_22115,in_train_etcs_id_22010)),((PAYLOAD_LENGTH(),in_train_etcs_id_22010,RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_22115,trainSaF_22011),rbcNonce_22118,trainNonce_22012,in_train_etcs_id_22010))). 35. By 34, the attacker may know (RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_22115,trainSaF_22011,rbcNonce_22118,mac(genSessionKey(trainNonce_22012,rbcNonce_22118,getKey(new_rbc_id_22115,in_train_etcs_id_22010)),((PAYLOAD_LENGTH(),in_train_etcs_id_22010,RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_22115,trainSaF_22011),rbcNonce_22118,trainNonce_22012,in_train_etcs_id_22010))). Using the function 4-proj-7-tuple the attacker may obtain new_rbc_id_22115. attacker:new_rbc_id_22115. 36. Using the function DF_RESP the attacker may obtain DF_RESP(). attacker:DF_RESP(). 37. Using the function AU2 the attacker may obtain AU2(). attacker:AU2(). 38. Using the function RBC_ETCS_ID_TYPE the attacker may obtain RBC_ETCS_ID_TYPE(). attacker:RBC_ETCS_ID_TYPE(). 39. By 38, the attacker may know RBC_ETCS_ID_TYPE(). By 37, the attacker may know AU2(). By 36, the attacker may know DF_RESP(). By 35, the attacker may know new_rbc_id_22115. By 15, the attacker may know rbcSaF_22072. By 27, the attacker may know rbcNonce_22116. By 19, the attacker may know mac(genSessionKey(trainNonce_22114,rbcNonce_22116,getKey(new_rbc_id_22115,train_etcs_id_22117)),((PAYLOAD_LENGTH(),train_etcs_id_22117,RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_22115,rbcSaF_22072),rbcNonce_22116,trainNonce_22114,train_etcs_id_22117)). Using the function 7-tuple the attacker may obtain (RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_22115,rbcSaF_22072,rbcNonce_22116,mac(genSessionKey(trainNonce_22114,rbcNonce_22116,getKey(new_rbc_id_22115,train_etcs_id_22117)),((PAYLOAD_LENGTH(),train_etcs_id_22117,RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_22115,rbcSaF_22072),rbcNonce_22116,trainNonce_22114,train_etcs_id_22117))). attacker:(RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_22115,rbcSaF_22072,rbcNonce_22116,mac(genSessionKey(trainNonce_22114,rbcNonce_22116,getKey(new_rbc_id_22115,train_etcs_id_22117)),((PAYLOAD_LENGTH(),train_etcs_id_22117,RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_22115,rbcSaF_22072),rbcNonce_22116,trainNonce_22114,train_etcs_id_22117))). 40. The message new_rbc_id_22113 that may be sent on channel id[] by 13 may be received at input {9}. The message (RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_22115,rbcSaF_22072,rbcNonce_22116,mac(genSessionKey(trainNonce_22114,rbcNonce_22116,getKey(new_rbc_id_22115,train_etcs_id_22117)),((PAYLOAD_LENGTH(),train_etcs_id_22117,RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_22115,rbcSaF_22072),rbcNonce_22116,trainNonce_22114,train_etcs_id_22117))) that the attacker may have by 39 may be received at input {13}. So the message (ZEROS(),AU3(),DF_SEND(),mac(genSessionKey(trainNonce_22114,rbcNonce_22116,getKey(new_rbc_id_22115,train_etcs_id_22117)),(PAYLOAD_LENGTH(),train_etcs_id_22117,ZEROS(),AU3(),DF_SEND(),trainNonce_22114,rbcNonce_22116))) may be sent to the attacker at output {19}. attacker:(ZEROS(),AU3(),DF_SEND(),mac(genSessionKey(trainNonce_22114,rbcNonce_22116,getKey(new_rbc_id_22115,train_etcs_id_22117)),(PAYLOAD_LENGTH(),train_etcs_id_22117,ZEROS(),AU3(),DF_SEND(),trainNonce_22114,rbcNonce_22116))). 41. By 40, the attacker may know (ZEROS(),AU3(),DF_SEND(),mac(genSessionKey(trainNonce_22114,rbcNonce_22116,getKey(new_rbc_id_22115,train_etcs_id_22117)),(PAYLOAD_LENGTH(),train_etcs_id_22117,ZEROS(),AU3(),DF_SEND(),trainNonce_22114,rbcNonce_22116))). Using the function 4-proj-4-tuple the attacker may obtain mac(genSessionKey(trainNonce_22114,rbcNonce_22116,getKey(new_rbc_id_22115,train_etcs_id_22117)),(PAYLOAD_LENGTH(),train_etcs_id_22117,ZEROS(),AU3(),DF_SEND(),trainNonce_22114,rbcNonce_22116)). attacker:mac(genSessionKey(trainNonce_22114,rbcNonce_22116,getKey(new_rbc_id_22115,train_etcs_id_22117)),(PAYLOAD_LENGTH(),train_etcs_id_22117,ZEROS(),AU3(),DF_SEND(),trainNonce_22114,rbcNonce_22116)). 42. Using the function AU3 the attacker may obtain AU3(). attacker:AU3(). 43. Using the function ZEROS the attacker may obtain ZEROS(). attacker:ZEROS(). 44. By 43, the attacker may know ZEROS(). By 42, the attacker may know AU3(). By 9, the attacker may know DF_SEND(). By 41, the attacker may know mac(genSessionKey(trainNonce_22114,rbcNonce_22116,getKey(new_rbc_id_22115,train_etcs_id_22117)),(PAYLOAD_LENGTH(),train_etcs_id_22117,ZEROS(),AU3(),DF_SEND(),trainNonce_22114,rbcNonce_22116)). Using the function 4-tuple the attacker may obtain (ZEROS(),AU3(),DF_SEND(),mac(genSessionKey(trainNonce_22114,rbcNonce_22116,getKey(new_rbc_id_22115,train_etcs_id_22117)),(PAYLOAD_LENGTH(),train_etcs_id_22117,ZEROS(),AU3(),DF_SEND(),trainNonce_22114,rbcNonce_22116))). attacker:(ZEROS(),AU3(),DF_SEND(),mac(genSessionKey(trainNonce_22114,rbcNonce_22116,getKey(new_rbc_id_22115,train_etcs_id_22117)),(PAYLOAD_LENGTH(),train_etcs_id_22117,ZEROS(),AU3(),DF_SEND(),trainNonce_22114,rbcNonce_22116))). 45. The attacker has some term msgA_22105. attacker:msgA_22105. 46. The attacker has some term timeA_22104. attacker:timeA_22104. 47. Using the function DT the attacker may obtain DT(). attacker:DT(). 48. By 47, the attacker may know DT(). By 46, the attacker may know timeA_22104. By 45, the attacker may know msgA_22105. Using the function 3-tuple the attacker may obtain (DT(),timeA_22104,msgA_22105). attacker:(DT(),timeA_22104,msgA_22105). 49. The attacker has some term msgB_22103. attacker:msgB_22103. 50. The attacker has some term timeB_22102. attacker:timeB_22102. 51. By 47, the attacker may know DT(). By 50, the attacker may know timeB_22102. By 49, the attacker may know msgB_22103. Using the function 3-tuple the attacker may obtain (DT(),timeB_22102,msgB_22103). attacker:(DT(),timeB_22102,msgB_22103). 52. We assume as hypothesis that attacker:msgC_22101. 53. We assume as hypothesis that attacker:timeC_22100. 54. By 47, the attacker may know DT(). By 53, the attacker may know timeC_22100. By 52, the attacker may know msgC_22101. Using the function 3-tuple the attacker may obtain (DT(),timeC_22100,msgC_22101). attacker:(DT(),timeC_22100,msgC_22101). 55. The message new_rbc_id_22115 that may be sent on channel id[] by 1 may be received at input {31}. The message (sent_ETCS_ID_TYPE_22110,AU1(),DF_SEND(),train_etcs_id_22117,trainSaF_22111,trainNonce_22114) that the attacker may have by 12 may be received at input {33}. The message (ZEROS(),AU3(),DF_SEND(),mac(genSessionKey(trainNonce_22114,rbcNonce_22116,getKey(new_rbc_id_22115,train_etcs_id_22117)),(PAYLOAD_LENGTH(),train_etcs_id_22117,ZEROS(),AU3(),DF_SEND(),trainNonce_22114,rbcNonce_22116))) that the attacker may have by 44 may be received at input {39}. The message (DT(),timeA_22104,msgA_22105) that the attacker may have by 48 may be received at input {42}. The message (DT(),timeB_22102,msgB_22103) that the attacker may have by 51 may be received at input {44}. The message (DT(),timeC_22100,msgC_22101) that the attacker may have by 54 may be received at input {47}. So event DataReceived3((DT(),timeC_22100,msgC_22101)) may be executed at {48}. end:DataReceived3((DT(),timeC_22100,msgC_22101)). Unified sent_ETCS_ID_TYPE_22030 with sent_ETCS_ID_TYPE_22110 Unified in_train_etcs_id_22031 with train_etcs_id_20[!1 = @sid_22076] Unified trainSaF_22032 with trainSaF_22111 Unified trainNonce_22033 with trainNonce_23[rbc_etcs_id_22 = new_rbc_id_19[!1 = @sid_21979],!2 = @sid_22075,!1 = @sid_22076] Unified sent_ETCS_ID_TYPE_22051 with sent_ETCS_ID_TYPE_22110 Unified rbcSaF_22072 with trainSaF_22111 Iterating unifyDerivation. Fixpoint reached: nothing more to unify. The clause after unifyDerivation is attacker:msgC_22122 & attacker:timeC_22121 -> end:DataReceived3((DT(),timeC_22121,msgC_22122)) This clause still contradicts the query. A more detailed output of the traces is available with param traceDisplay = long. new train_etcs_id_20 creating train_etcs_id_20_22153 at {6} in copy a_22131 new session_21 creating session_21_22214 at {8} in copy a_22131, a_22130 new session_21 creating session_21_22215 at {8} in copy a_22131, a_22143 new new_rbc_id_19 creating new_rbc_id_19_22150 at {2} in copy a_22132 new new_rbc_id_19 creating new_rbc_id_19_22155 at {2} in copy a_22129 new new_rbc_id_19 creating new_rbc_id_19_22152 at {2} in copy a_22142 out(id, new_rbc_id_19_22152) at {4} in copy a_22142, a_22144 received at {9} in copy a_22131, a_22143 new trainNonce_23 creating trainNonce_23_22154 at {10} in copy a_22131, a_22143 event(trainStartSession(new_rbc_id_19_22152,train_etcs_id_20_22153,trainNonce_23_22154,SAF())) at {11} in copy a_22131, a_22143 out(c, (TRAIN_ETCS_ID_TYPE(),AU1(),DF_SEND(),train_etcs_id_20_22153,SAF(),trainNonce_23_22154)) at {12} in copy a_22131, a_22143 out(id, new_rbc_id_19_22155) at {4} in copy a_22129, a_22148 received at {9} in copy a_22131, a_22130 new trainNonce_23 creating trainNonce_23_22156 at {10} in copy a_22131, a_22130 event(trainStartSession(new_rbc_id_19_22155,train_etcs_id_20_22153,trainNonce_23_22156,SAF())) at {11} in copy a_22131, a_22130 out(c, (TRAIN_ETCS_ID_TYPE(),AU1(),DF_SEND(),train_etcs_id_20_22153,SAF(),trainNonce_23_22156)) at {12} in copy a_22131, a_22130 out(id, new_rbc_id_19_22150) at {4} in copy a_22132, a_22140 received at {31} in copy a_22136 new rbcNonce_37 creating rbcNonce_37_22151 at {32} in copy a_22136 in(c, (a_22139,AU1(),DF_SEND(),a_22138,a_22135,a_22137)) at {33} in copy a_22136 event(rbcStartSession(new_rbc_id_19_22150,a_22138,rbcNonce_37_22151,a_22135,a_22137)) at {34} in copy a_22136 out(c, encrypt(SECRET,genSessionKey(a_22137,rbcNonce_37_22151,getKey(new_rbc_id_19_22150,a_22138)))) at {36} in copy a_22136 out(c, encrypt(SECRET,getKey(new_rbc_id_19_22150,a_22138))) at {37} in copy a_22136 out(c, (RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_19_22150,a_22135,rbcNonce_37_22151,mac(genSessionKey(a_22137,rbcNonce_37_22151,getKey(new_rbc_id_19_22150,a_22138)),((PAYLOAD_LENGTH(),a_22138,RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_19_22150,a_22135),rbcNonce_37_22151,a_22137,a_22138)))) at {38} in copy a_22136 out(id, new_rbc_id_19_22150) at {4} in copy a_22132, a_22146 received at {31} in copy a_22133 new rbcNonce_37 creating rbcNonce_37_22157 at {32} in copy a_22133 in(c, (a_22141,AU1(),DF_SEND(),train_etcs_id_20_22153,a_22134,trainNonce_23_22156)) at {33} in copy a_22133 event(rbcStartSession(new_rbc_id_19_22150,train_etcs_id_20_22153,rbcNonce_37_22157,a_22134,trainNonce_23_22156)) at {34} in copy a_22133 out(c, encrypt(SECRET,genSessionKey(trainNonce_23_22156,rbcNonce_37_22157,getKey(new_rbc_id_19_22150,train_etcs_id_20_22153)))) at {36} in copy a_22133 out(c, encrypt(SECRET,getKey(new_rbc_id_19_22150,train_etcs_id_20_22153))) at {37} in copy a_22133 out(c, (RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_19_22150,a_22134,rbcNonce_37_22157,mac(genSessionKey(trainNonce_23_22156,rbcNonce_37_22157,getKey(new_rbc_id_19_22150,train_etcs_id_20_22153)),((PAYLOAD_LENGTH(),train_etcs_id_20_22153,RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_19_22150,a_22134),rbcNonce_37_22157,trainNonce_23_22156,train_etcs_id_20_22153)))) at {38} in copy a_22133 in(c, (RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_19_22150,a_22134,rbcNonce_37_22157,mac(genSessionKey(trainNonce_23_22156,rbcNonce_37_22157,getKey(new_rbc_id_19_22150,train_etcs_id_20_22153)),((PAYLOAD_LENGTH(),train_etcs_id_20_22153,RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_19_22150,a_22134),rbcNonce_37_22157,trainNonce_23_22156,train_etcs_id_20_22153)))) at {13} in copy a_22131, a_22130 out(c, encrypt(SECRET,genSessionKey(trainNonce_23_22156,rbcNonce_37_22157,getKey(new_rbc_id_19_22150,train_etcs_id_20_22153)))) at {15} in copy a_22131, a_22130 out(c, encrypt(SECRET,getKey(new_rbc_id_19_22150,train_etcs_id_20_22153))) at {16} in copy a_22131, a_22130 event(trainFinishSession(new_rbc_id_19_22150,train_etcs_id_20_22153,trainNonce_23_22156,a_22134,rbcNonce_37_22157,genSessionKey(trainNonce_23_22156,rbcNonce_37_22157,getKey(new_rbc_id_19_22150,train_etcs_id_20_22153)))) at {18} in copy a_22131, a_22130 out(c, (ZEROS(),AU3(),DF_SEND(),mac(genSessionKey(trainNonce_23_22156,rbcNonce_37_22157,getKey(new_rbc_id_19_22150,train_etcs_id_20_22153)),(PAYLOAD_LENGTH(),train_etcs_id_20_22153,ZEROS(),AU3(),DF_SEND(),trainNonce_23_22156,rbcNonce_37_22157)))) at {19} in copy a_22131, a_22130 new time_29 creating time_29_22326 at {20} in copy a_22131, a_22130 in(c, (ZEROS(),AU3(),DF_SEND(),mac(genSessionKey(trainNonce_23_22156,rbcNonce_37_22157,getKey(new_rbc_id_19_22150,train_etcs_id_20_22153)),(PAYLOAD_LENGTH(),train_etcs_id_20_22153,ZEROS(),AU3(),DF_SEND(),trainNonce_23_22156,rbcNonce_37_22157)))) at {39} in copy a_22133 event(rbcFinishSession(new_rbc_id_19_22150,train_etcs_id_20_22153,rbcNonce_37_22157,a_22134,trainNonce_23_22156,genSessionKey(trainNonce_23_22156,rbcNonce_37_22157,getKey(new_rbc_id_19_22150,train_etcs_id_20_22153)))) at {41} in copy a_22133 in(c, (DT(),a_22127,a_22128)) at {42} in copy a_22133 event(DataReceived1((DT(),a_22127,a_22128))) at {43} in copy a_22133 in(c, (DT(),a_22125,a_22126)) at {44} in copy a_22133 event(DataReceived2((DT(),a_22125,a_22126))) at {45} in copy a_22133 event(MessagesReceived2((DT(),a_22127,a_22128),(DT(),a_22125,a_22126))) at {46} in copy a_22133 in(c, (DT(),a_22123,a_22124)) at {47} in copy a_22133 event(DataReceived3((DT(),a_22123,a_22124))) at {48} in copy a_22133 The event DataReceived3((DT(),a_22123,a_22124)) is executed. A trace has been found. RESULT ev:DataReceived3(m_19915) ==> ev:DataSent1(s2_19916,m_19915) | ev:DataSent2(s2_19916,m_19915) | ev:DataSent3(s2_19916,m_19915) is false. nounif greater:x_22369,*y_22370/-5000 -- Query ev:DataReceived2(m_22359) ==> ev:DataSent1(s2_22360,m_22359) | ev:DataSent2(s2_22360,m_22359) | ev:DataSent3(s2_22360,m_22359) Completing... Starting query ev:DataReceived2(m_22359) ==> ev:DataSent1(s2_22360,m_22359) | ev:DataSent2(s2_22360,m_22359) | ev:DataSent3(s2_22360,m_22359) goal reachable: attacker:timeB_24391 & attacker:msgB_24392 -> end:DataReceived2((DT(),timeB_24391,msgB_24392)) Abbreviations: new_rbc_id_24550 = new_rbc_id_19[!1 = @sid_24421] trainNonce_24551 = trainNonce_23[rbc_etcs_id_22 = new_rbc_id_24550,!2 = @sid_24517,!1 = @sid_24518] new_rbc_id_24552 = new_rbc_id_19[!1 = @sid_24485] rbcNonce_24553 = rbcNonce_37[rbc_etcs_id_36 = new_rbc_id_24552,!1 = @sid_24545] train_etcs_id_24554 = train_etcs_id_20[!1 = @sid_24518] rbcNonce_24555 = rbcNonce_37[rbc_etcs_id_36 = new_rbc_id_24552,!1 = @sid_24456] new_rbc_id_24556 = new_rbc_id_19[!1 = @sid_24395] trainNonce_24557 = trainNonce_23[rbc_etcs_id_22 = new_rbc_id_24556,!2 = @sid_24399,!1 = @sid_24518] 1. The message new_rbc_id_24552 may be sent on channel id[] at output {4}. mess:id[],new_rbc_id_24552. 2. The message new_rbc_id_24550 may be sent on channel id[] at output {4}. mess:id[],new_rbc_id_24550. 3. The message new_rbc_id_24550 that may be sent on channel id[] by 2 may be received at input {9}. So the message (TRAIN_ETCS_ID_TYPE(),AU1(),DF_SEND(),train_etcs_id_24554,SAF(),trainNonce_24551) may be sent to the attacker at output {12}. attacker:(TRAIN_ETCS_ID_TYPE(),AU1(),DF_SEND(),train_etcs_id_24554,SAF(),trainNonce_24551). 4. By 3, the attacker may know (TRAIN_ETCS_ID_TYPE(),AU1(),DF_SEND(),train_etcs_id_24554,SAF(),trainNonce_24551). Using the function 6-proj-6-tuple the attacker may obtain trainNonce_24551. attacker:trainNonce_24551. 5. The attacker has some term trainSaF_24548. attacker:trainSaF_24548. 6. The message new_rbc_id_24556 may be sent on channel id[] at output {4}. mess:id[],new_rbc_id_24556. 7. The message new_rbc_id_24556 that may be sent on channel id[] by 6 may be received at input {9}. So the message (TRAIN_ETCS_ID_TYPE(),AU1(),DF_SEND(),train_etcs_id_24554,SAF(),trainNonce_24557) may be sent to the attacker at output {12}. attacker:(TRAIN_ETCS_ID_TYPE(),AU1(),DF_SEND(),train_etcs_id_24554,SAF(),trainNonce_24557). 8. By 7, the attacker may know (TRAIN_ETCS_ID_TYPE(),AU1(),DF_SEND(),train_etcs_id_24554,SAF(),trainNonce_24557). Using the function 4-proj-6-tuple the attacker may obtain train_etcs_id_24554. attacker:train_etcs_id_24554. 9. Using the function DF_SEND the attacker may obtain DF_SEND(). attacker:DF_SEND(). 10. Using the function AU1 the attacker may obtain AU1(). attacker:AU1(). 11. The attacker has some term sent_ETCS_ID_TYPE_24547. attacker:sent_ETCS_ID_TYPE_24547. 12. By 11, the attacker may know sent_ETCS_ID_TYPE_24547. By 10, the attacker may know AU1(). By 9, the attacker may know DF_SEND(). By 8, the attacker may know train_etcs_id_24554. By 5, the attacker may know trainSaF_24548. By 4, the attacker may know trainNonce_24551. Using the function 6-tuple the attacker may obtain (sent_ETCS_ID_TYPE_24547,AU1(),DF_SEND(),train_etcs_id_24554,trainSaF_24548,trainNonce_24551). attacker:(sent_ETCS_ID_TYPE_24547,AU1(),DF_SEND(),train_etcs_id_24554,trainSaF_24548,trainNonce_24551). 13. The message new_rbc_id_24550 may be sent on channel id[] at output {4}. mess:id[],new_rbc_id_24550. 14. The message new_rbc_id_24552 may be sent on channel id[] at output {4}. mess:id[],new_rbc_id_24552. 15. The attacker has some term rbcSaF_24514. attacker:rbcSaF_24514. 16. The attacker has some term sent_ETCS_ID_TYPE_24493. attacker:sent_ETCS_ID_TYPE_24493. 17. By 16, the attacker may know sent_ETCS_ID_TYPE_24493. By 10, the attacker may know AU1(). By 9, the attacker may know DF_SEND(). By 8, the attacker may know train_etcs_id_24554. By 15, the attacker may know rbcSaF_24514. By 4, the attacker may know trainNonce_24551. Using the function 6-tuple the attacker may obtain (sent_ETCS_ID_TYPE_24493,AU1(),DF_SEND(),train_etcs_id_24554,rbcSaF_24514,trainNonce_24551). attacker:(sent_ETCS_ID_TYPE_24493,AU1(),DF_SEND(),train_etcs_id_24554,rbcSaF_24514,trainNonce_24551). 18. The message new_rbc_id_24552 that may be sent on channel id[] by 14 may be received at input {31}. The message (sent_ETCS_ID_TYPE_24493,AU1(),DF_SEND(),train_etcs_id_24554,rbcSaF_24514,trainNonce_24551) that the attacker may have by 17 may be received at input {33}. So the message (RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_24552,rbcSaF_24514,rbcNonce_24553,mac(genSessionKey(trainNonce_24551,rbcNonce_24553,getKey(new_rbc_id_24552,train_etcs_id_24554)),((PAYLOAD_LENGTH(),train_etcs_id_24554,RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_24552,rbcSaF_24514),rbcNonce_24553,trainNonce_24551,train_etcs_id_24554))) may be sent to the attacker at output {38}. attacker:(RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_24552,rbcSaF_24514,rbcNonce_24553,mac(genSessionKey(trainNonce_24551,rbcNonce_24553,getKey(new_rbc_id_24552,train_etcs_id_24554)),((PAYLOAD_LENGTH(),train_etcs_id_24554,RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_24552,rbcSaF_24514),rbcNonce_24553,trainNonce_24551,train_etcs_id_24554))). 19. By 18, the attacker may know (RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_24552,rbcSaF_24514,rbcNonce_24553,mac(genSessionKey(trainNonce_24551,rbcNonce_24553,getKey(new_rbc_id_24552,train_etcs_id_24554)),((PAYLOAD_LENGTH(),train_etcs_id_24554,RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_24552,rbcSaF_24514),rbcNonce_24553,trainNonce_24551,train_etcs_id_24554))). Using the function 7-proj-7-tuple the attacker may obtain mac(genSessionKey(trainNonce_24551,rbcNonce_24553,getKey(new_rbc_id_24552,train_etcs_id_24554)),((PAYLOAD_LENGTH(),train_etcs_id_24554,RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_24552,rbcSaF_24514),rbcNonce_24553,trainNonce_24551,train_etcs_id_24554)). attacker:mac(genSessionKey(trainNonce_24551,rbcNonce_24553,getKey(new_rbc_id_24552,train_etcs_id_24554)),((PAYLOAD_LENGTH(),train_etcs_id_24554,RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_24552,rbcSaF_24514),rbcNonce_24553,trainNonce_24551,train_etcs_id_24554)). 20. The message new_rbc_id_24552 may be sent on channel id[] at output {4}. mess:id[],new_rbc_id_24552. 21. The attacker has some term trainNonce_24475. attacker:trainNonce_24475. 22. The attacker has some term trainSaF_24474. attacker:trainSaF_24474. 23. The attacker has some term in_train_etcs_id_24473. attacker:in_train_etcs_id_24473. 24. The attacker has some term sent_ETCS_ID_TYPE_24472. attacker:sent_ETCS_ID_TYPE_24472. 25. By 24, the attacker may know sent_ETCS_ID_TYPE_24472. By 10, the attacker may know AU1(). By 9, the attacker may know DF_SEND(). By 23, the attacker may know in_train_etcs_id_24473. By 22, the attacker may know trainSaF_24474. By 21, the attacker may know trainNonce_24475. Using the function 6-tuple the attacker may obtain (sent_ETCS_ID_TYPE_24472,AU1(),DF_SEND(),in_train_etcs_id_24473,trainSaF_24474,trainNonce_24475). attacker:(sent_ETCS_ID_TYPE_24472,AU1(),DF_SEND(),in_train_etcs_id_24473,trainSaF_24474,trainNonce_24475). 26. The message new_rbc_id_24552 that may be sent on channel id[] by 20 may be received at input {31}. The message (sent_ETCS_ID_TYPE_24472,AU1(),DF_SEND(),in_train_etcs_id_24473,trainSaF_24474,trainNonce_24475) that the attacker may have by 25 may be received at input {33}. So the message (RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_24552,trainSaF_24474,rbcNonce_24553,mac(genSessionKey(trainNonce_24475,rbcNonce_24553,getKey(new_rbc_id_24552,in_train_etcs_id_24473)),((PAYLOAD_LENGTH(),in_train_etcs_id_24473,RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_24552,trainSaF_24474),rbcNonce_24553,trainNonce_24475,in_train_etcs_id_24473))) may be sent to the attacker at output {38}. attacker:(RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_24552,trainSaF_24474,rbcNonce_24553,mac(genSessionKey(trainNonce_24475,rbcNonce_24553,getKey(new_rbc_id_24552,in_train_etcs_id_24473)),((PAYLOAD_LENGTH(),in_train_etcs_id_24473,RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_24552,trainSaF_24474),rbcNonce_24553,trainNonce_24475,in_train_etcs_id_24473))). 27. By 26, the attacker may know (RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_24552,trainSaF_24474,rbcNonce_24553,mac(genSessionKey(trainNonce_24475,rbcNonce_24553,getKey(new_rbc_id_24552,in_train_etcs_id_24473)),((PAYLOAD_LENGTH(),in_train_etcs_id_24473,RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_24552,trainSaF_24474),rbcNonce_24553,trainNonce_24475,in_train_etcs_id_24473))). Using the function 6-proj-7-tuple the attacker may obtain rbcNonce_24553. attacker:rbcNonce_24553. 28. The message new_rbc_id_24552 may be sent on channel id[] at output {4}. mess:id[],new_rbc_id_24552. 29. The attacker has some term trainNonce_24454. attacker:trainNonce_24454. 30. The attacker has some term trainSaF_24453. attacker:trainSaF_24453. 31. The attacker has some term in_train_etcs_id_24452. attacker:in_train_etcs_id_24452. 32. The attacker has some term sent_ETCS_ID_TYPE_24451. attacker:sent_ETCS_ID_TYPE_24451. 33. By 32, the attacker may know sent_ETCS_ID_TYPE_24451. By 10, the attacker may know AU1(). By 9, the attacker may know DF_SEND(). By 31, the attacker may know in_train_etcs_id_24452. By 30, the attacker may know trainSaF_24453. By 29, the attacker may know trainNonce_24454. Using the function 6-tuple the attacker may obtain (sent_ETCS_ID_TYPE_24451,AU1(),DF_SEND(),in_train_etcs_id_24452,trainSaF_24453,trainNonce_24454). attacker:(sent_ETCS_ID_TYPE_24451,AU1(),DF_SEND(),in_train_etcs_id_24452,trainSaF_24453,trainNonce_24454). 34. The message new_rbc_id_24552 that may be sent on channel id[] by 28 may be received at input {31}. The message (sent_ETCS_ID_TYPE_24451,AU1(),DF_SEND(),in_train_etcs_id_24452,trainSaF_24453,trainNonce_24454) that the attacker may have by 33 may be received at input {33}. So the message (RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_24552,trainSaF_24453,rbcNonce_24555,mac(genSessionKey(trainNonce_24454,rbcNonce_24555,getKey(new_rbc_id_24552,in_train_etcs_id_24452)),((PAYLOAD_LENGTH(),in_train_etcs_id_24452,RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_24552,trainSaF_24453),rbcNonce_24555,trainNonce_24454,in_train_etcs_id_24452))) may be sent to the attacker at output {38}. attacker:(RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_24552,trainSaF_24453,rbcNonce_24555,mac(genSessionKey(trainNonce_24454,rbcNonce_24555,getKey(new_rbc_id_24552,in_train_etcs_id_24452)),((PAYLOAD_LENGTH(),in_train_etcs_id_24452,RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_24552,trainSaF_24453),rbcNonce_24555,trainNonce_24454,in_train_etcs_id_24452))). 35. By 34, the attacker may know (RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_24552,trainSaF_24453,rbcNonce_24555,mac(genSessionKey(trainNonce_24454,rbcNonce_24555,getKey(new_rbc_id_24552,in_train_etcs_id_24452)),((PAYLOAD_LENGTH(),in_train_etcs_id_24452,RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_24552,trainSaF_24453),rbcNonce_24555,trainNonce_24454,in_train_etcs_id_24452))). Using the function 4-proj-7-tuple the attacker may obtain new_rbc_id_24552. attacker:new_rbc_id_24552. 36. Using the function DF_RESP the attacker may obtain DF_RESP(). attacker:DF_RESP(). 37. Using the function AU2 the attacker may obtain AU2(). attacker:AU2(). 38. Using the function RBC_ETCS_ID_TYPE the attacker may obtain RBC_ETCS_ID_TYPE(). attacker:RBC_ETCS_ID_TYPE(). 39. By 38, the attacker may know RBC_ETCS_ID_TYPE(). By 37, the attacker may know AU2(). By 36, the attacker may know DF_RESP(). By 35, the attacker may know new_rbc_id_24552. By 15, the attacker may know rbcSaF_24514. By 27, the attacker may know rbcNonce_24553. By 19, the attacker may know mac(genSessionKey(trainNonce_24551,rbcNonce_24553,getKey(new_rbc_id_24552,train_etcs_id_24554)),((PAYLOAD_LENGTH(),train_etcs_id_24554,RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_24552,rbcSaF_24514),rbcNonce_24553,trainNonce_24551,train_etcs_id_24554)). Using the function 7-tuple the attacker may obtain (RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_24552,rbcSaF_24514,rbcNonce_24553,mac(genSessionKey(trainNonce_24551,rbcNonce_24553,getKey(new_rbc_id_24552,train_etcs_id_24554)),((PAYLOAD_LENGTH(),train_etcs_id_24554,RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_24552,rbcSaF_24514),rbcNonce_24553,trainNonce_24551,train_etcs_id_24554))). attacker:(RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_24552,rbcSaF_24514,rbcNonce_24553,mac(genSessionKey(trainNonce_24551,rbcNonce_24553,getKey(new_rbc_id_24552,train_etcs_id_24554)),((PAYLOAD_LENGTH(),train_etcs_id_24554,RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_24552,rbcSaF_24514),rbcNonce_24553,trainNonce_24551,train_etcs_id_24554))). 40. The message new_rbc_id_24550 that may be sent on channel id[] by 13 may be received at input {9}. The message (RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_24552,rbcSaF_24514,rbcNonce_24553,mac(genSessionKey(trainNonce_24551,rbcNonce_24553,getKey(new_rbc_id_24552,train_etcs_id_24554)),((PAYLOAD_LENGTH(),train_etcs_id_24554,RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_24552,rbcSaF_24514),rbcNonce_24553,trainNonce_24551,train_etcs_id_24554))) that the attacker may have by 39 may be received at input {13}. So the message (ZEROS(),AU3(),DF_SEND(),mac(genSessionKey(trainNonce_24551,rbcNonce_24553,getKey(new_rbc_id_24552,train_etcs_id_24554)),(PAYLOAD_LENGTH(),train_etcs_id_24554,ZEROS(),AU3(),DF_SEND(),trainNonce_24551,rbcNonce_24553))) may be sent to the attacker at output {19}. attacker:(ZEROS(),AU3(),DF_SEND(),mac(genSessionKey(trainNonce_24551,rbcNonce_24553,getKey(new_rbc_id_24552,train_etcs_id_24554)),(PAYLOAD_LENGTH(),train_etcs_id_24554,ZEROS(),AU3(),DF_SEND(),trainNonce_24551,rbcNonce_24553))). 41. By 40, the attacker may know (ZEROS(),AU3(),DF_SEND(),mac(genSessionKey(trainNonce_24551,rbcNonce_24553,getKey(new_rbc_id_24552,train_etcs_id_24554)),(PAYLOAD_LENGTH(),train_etcs_id_24554,ZEROS(),AU3(),DF_SEND(),trainNonce_24551,rbcNonce_24553))). Using the function 4-proj-4-tuple the attacker may obtain mac(genSessionKey(trainNonce_24551,rbcNonce_24553,getKey(new_rbc_id_24552,train_etcs_id_24554)),(PAYLOAD_LENGTH(),train_etcs_id_24554,ZEROS(),AU3(),DF_SEND(),trainNonce_24551,rbcNonce_24553)). attacker:mac(genSessionKey(trainNonce_24551,rbcNonce_24553,getKey(new_rbc_id_24552,train_etcs_id_24554)),(PAYLOAD_LENGTH(),train_etcs_id_24554,ZEROS(),AU3(),DF_SEND(),trainNonce_24551,rbcNonce_24553)). 42. Using the function AU3 the attacker may obtain AU3(). attacker:AU3(). 43. Using the function ZEROS the attacker may obtain ZEROS(). attacker:ZEROS(). 44. By 43, the attacker may know ZEROS(). By 42, the attacker may know AU3(). By 9, the attacker may know DF_SEND(). By 41, the attacker may know mac(genSessionKey(trainNonce_24551,rbcNonce_24553,getKey(new_rbc_id_24552,train_etcs_id_24554)),(PAYLOAD_LENGTH(),train_etcs_id_24554,ZEROS(),AU3(),DF_SEND(),trainNonce_24551,rbcNonce_24553)). Using the function 4-tuple the attacker may obtain (ZEROS(),AU3(),DF_SEND(),mac(genSessionKey(trainNonce_24551,rbcNonce_24553,getKey(new_rbc_id_24552,train_etcs_id_24554)),(PAYLOAD_LENGTH(),train_etcs_id_24554,ZEROS(),AU3(),DF_SEND(),trainNonce_24551,rbcNonce_24553))). attacker:(ZEROS(),AU3(),DF_SEND(),mac(genSessionKey(trainNonce_24551,rbcNonce_24553,getKey(new_rbc_id_24552,train_etcs_id_24554)),(PAYLOAD_LENGTH(),train_etcs_id_24554,ZEROS(),AU3(),DF_SEND(),trainNonce_24551,rbcNonce_24553))). 45. The attacker has some term msgA_24542. attacker:msgA_24542. 46. The attacker has some term timeA_24541. attacker:timeA_24541. 47. Using the function DT the attacker may obtain DT(). attacker:DT(). 48. By 47, the attacker may know DT(). By 46, the attacker may know timeA_24541. By 45, the attacker may know msgA_24542. Using the function 3-tuple the attacker may obtain (DT(),timeA_24541,msgA_24542). attacker:(DT(),timeA_24541,msgA_24542). 49. We assume as hypothesis that attacker:msgB_24540. 50. We assume as hypothesis that attacker:timeB_24539. 51. By 47, the attacker may know DT(). By 50, the attacker may know timeB_24539. By 49, the attacker may know msgB_24540. Using the function 3-tuple the attacker may obtain (DT(),timeB_24539,msgB_24540). attacker:(DT(),timeB_24539,msgB_24540). 52. The message new_rbc_id_24552 that may be sent on channel id[] by 1 may be received at input {31}. The message (sent_ETCS_ID_TYPE_24547,AU1(),DF_SEND(),train_etcs_id_24554,trainSaF_24548,trainNonce_24551) that the attacker may have by 12 may be received at input {33}. The message (ZEROS(),AU3(),DF_SEND(),mac(genSessionKey(trainNonce_24551,rbcNonce_24553,getKey(new_rbc_id_24552,train_etcs_id_24554)),(PAYLOAD_LENGTH(),train_etcs_id_24554,ZEROS(),AU3(),DF_SEND(),trainNonce_24551,rbcNonce_24553))) that the attacker may have by 44 may be received at input {39}. The message (DT(),timeA_24541,msgA_24542) that the attacker may have by 48 may be received at input {42}. The message (DT(),timeB_24539,msgB_24540) that the attacker may have by 51 may be received at input {44}. So event DataReceived2((DT(),timeB_24539,msgB_24540)) may be executed at {45}. end:DataReceived2((DT(),timeB_24539,msgB_24540)). Unified sent_ETCS_ID_TYPE_24472 with sent_ETCS_ID_TYPE_24547 Unified in_train_etcs_id_24473 with train_etcs_id_20[!1 = @sid_24518] Unified trainSaF_24474 with trainSaF_24548 Unified trainNonce_24475 with trainNonce_23[rbc_etcs_id_22 = new_rbc_id_19[!1 = @sid_24421],!2 = @sid_24517,!1 = @sid_24518] Unified sent_ETCS_ID_TYPE_24493 with sent_ETCS_ID_TYPE_24547 Unified rbcSaF_24514 with trainSaF_24548 Iterating unifyDerivation. Fixpoint reached: nothing more to unify. The clause after unifyDerivation is attacker:msgB_24559 & attacker:timeB_24558 -> end:DataReceived2((DT(),timeB_24558,msgB_24559)) This clause still contradicts the query. A more detailed output of the traces is available with param traceDisplay = long. new train_etcs_id_20 creating train_etcs_id_20_24588 at {6} in copy a_24566 new session_21 creating session_21_24649 at {8} in copy a_24566, a_24565 new session_21 creating session_21_24650 at {8} in copy a_24566, a_24578 new new_rbc_id_19 creating new_rbc_id_19_24585 at {2} in copy a_24567 new new_rbc_id_19 creating new_rbc_id_19_24590 at {2} in copy a_24564 new new_rbc_id_19 creating new_rbc_id_19_24587 at {2} in copy a_24577 out(id, new_rbc_id_19_24587) at {4} in copy a_24577, a_24579 received at {9} in copy a_24566, a_24578 new trainNonce_23 creating trainNonce_23_24589 at {10} in copy a_24566, a_24578 event(trainStartSession(new_rbc_id_19_24587,train_etcs_id_20_24588,trainNonce_23_24589,SAF())) at {11} in copy a_24566, a_24578 out(c, (TRAIN_ETCS_ID_TYPE(),AU1(),DF_SEND(),train_etcs_id_20_24588,SAF(),trainNonce_23_24589)) at {12} in copy a_24566, a_24578 out(id, new_rbc_id_19_24590) at {4} in copy a_24564, a_24583 received at {9} in copy a_24566, a_24565 new trainNonce_23 creating trainNonce_23_24591 at {10} in copy a_24566, a_24565 event(trainStartSession(new_rbc_id_19_24590,train_etcs_id_20_24588,trainNonce_23_24591,SAF())) at {11} in copy a_24566, a_24565 out(c, (TRAIN_ETCS_ID_TYPE(),AU1(),DF_SEND(),train_etcs_id_20_24588,SAF(),trainNonce_23_24591)) at {12} in copy a_24566, a_24565 out(id, new_rbc_id_19_24585) at {4} in copy a_24567, a_24575 received at {31} in copy a_24571 new rbcNonce_37 creating rbcNonce_37_24586 at {32} in copy a_24571 in(c, (a_24574,AU1(),DF_SEND(),a_24573,a_24570,a_24572)) at {33} in copy a_24571 event(rbcStartSession(new_rbc_id_19_24585,a_24573,rbcNonce_37_24586,a_24570,a_24572)) at {34} in copy a_24571 out(c, encrypt(SECRET,genSessionKey(a_24572,rbcNonce_37_24586,getKey(new_rbc_id_19_24585,a_24573)))) at {36} in copy a_24571 out(c, encrypt(SECRET,getKey(new_rbc_id_19_24585,a_24573))) at {37} in copy a_24571 out(c, (RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_19_24585,a_24570,rbcNonce_37_24586,mac(genSessionKey(a_24572,rbcNonce_37_24586,getKey(new_rbc_id_19_24585,a_24573)),((PAYLOAD_LENGTH(),a_24573,RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_19_24585,a_24570),rbcNonce_37_24586,a_24572,a_24573)))) at {38} in copy a_24571 out(id, new_rbc_id_19_24585) at {4} in copy a_24567, a_24581 received at {31} in copy a_24568 new rbcNonce_37 creating rbcNonce_37_24592 at {32} in copy a_24568 in(c, (a_24576,AU1(),DF_SEND(),train_etcs_id_20_24588,a_24569,trainNonce_23_24591)) at {33} in copy a_24568 event(rbcStartSession(new_rbc_id_19_24585,train_etcs_id_20_24588,rbcNonce_37_24592,a_24569,trainNonce_23_24591)) at {34} in copy a_24568 out(c, encrypt(SECRET,genSessionKey(trainNonce_23_24591,rbcNonce_37_24592,getKey(new_rbc_id_19_24585,train_etcs_id_20_24588)))) at {36} in copy a_24568 out(c, encrypt(SECRET,getKey(new_rbc_id_19_24585,train_etcs_id_20_24588))) at {37} in copy a_24568 out(c, (RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_19_24585,a_24569,rbcNonce_37_24592,mac(genSessionKey(trainNonce_23_24591,rbcNonce_37_24592,getKey(new_rbc_id_19_24585,train_etcs_id_20_24588)),((PAYLOAD_LENGTH(),train_etcs_id_20_24588,RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_19_24585,a_24569),rbcNonce_37_24592,trainNonce_23_24591,train_etcs_id_20_24588)))) at {38} in copy a_24568 in(c, (RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_19_24585,a_24569,rbcNonce_37_24592,mac(genSessionKey(trainNonce_23_24591,rbcNonce_37_24592,getKey(new_rbc_id_19_24585,train_etcs_id_20_24588)),((PAYLOAD_LENGTH(),train_etcs_id_20_24588,RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_19_24585,a_24569),rbcNonce_37_24592,trainNonce_23_24591,train_etcs_id_20_24588)))) at {13} in copy a_24566, a_24565 out(c, encrypt(SECRET,genSessionKey(trainNonce_23_24591,rbcNonce_37_24592,getKey(new_rbc_id_19_24585,train_etcs_id_20_24588)))) at {15} in copy a_24566, a_24565 out(c, encrypt(SECRET,getKey(new_rbc_id_19_24585,train_etcs_id_20_24588))) at {16} in copy a_24566, a_24565 event(trainFinishSession(new_rbc_id_19_24585,train_etcs_id_20_24588,trainNonce_23_24591,a_24569,rbcNonce_37_24592,genSessionKey(trainNonce_23_24591,rbcNonce_37_24592,getKey(new_rbc_id_19_24585,train_etcs_id_20_24588)))) at {18} in copy a_24566, a_24565 out(c, (ZEROS(),AU3(),DF_SEND(),mac(genSessionKey(trainNonce_23_24591,rbcNonce_37_24592,getKey(new_rbc_id_19_24585,train_etcs_id_20_24588)),(PAYLOAD_LENGTH(),train_etcs_id_20_24588,ZEROS(),AU3(),DF_SEND(),trainNonce_23_24591,rbcNonce_37_24592)))) at {19} in copy a_24566, a_24565 new time_29 creating time_29_24761 at {20} in copy a_24566, a_24565 in(c, (ZEROS(),AU3(),DF_SEND(),mac(genSessionKey(trainNonce_23_24591,rbcNonce_37_24592,getKey(new_rbc_id_19_24585,train_etcs_id_20_24588)),(PAYLOAD_LENGTH(),train_etcs_id_20_24588,ZEROS(),AU3(),DF_SEND(),trainNonce_23_24591,rbcNonce_37_24592)))) at {39} in copy a_24568 event(rbcFinishSession(new_rbc_id_19_24585,train_etcs_id_20_24588,rbcNonce_37_24592,a_24569,trainNonce_23_24591,genSessionKey(trainNonce_23_24591,rbcNonce_37_24592,getKey(new_rbc_id_19_24585,train_etcs_id_20_24588)))) at {41} in copy a_24568 in(c, (DT(),a_24562,a_24563)) at {42} in copy a_24568 event(DataReceived1((DT(),a_24562,a_24563))) at {43} in copy a_24568 in(c, (DT(),a_24560,a_24561)) at {44} in copy a_24568 event(DataReceived2((DT(),a_24560,a_24561))) at {45} in copy a_24568 The event DataReceived2((DT(),a_24560,a_24561)) is executed. A trace has been found. RESULT ev:DataReceived2(m_22359) ==> ev:DataSent1(s2_22360,m_22359) | ev:DataSent2(s2_22360,m_22359) | ev:DataSent3(s2_22360,m_22359) is false. nounif greater:x_24800,*y_24801/-5000 -- Query ev:DataReceived1(m_24790) ==> ev:DataSent1(s2_24791,m_24790) | ev:DataSent2(s2_24791,m_24790) | ev:DataSent3(s2_24791,m_24790) Completing... Starting query ev:DataReceived1(m_24790) ==> ev:DataSent1(s2_24791,m_24790) | ev:DataSent2(s2_24791,m_24790) | ev:DataSent3(s2_24791,m_24790) goal reachable: attacker:timeA_26820 & attacker:msgA_26821 -> end:DataReceived1((DT(),timeA_26820,msgA_26821)) Abbreviations: new_rbc_id_26974 = new_rbc_id_19[!1 = @sid_26850] trainNonce_26975 = trainNonce_23[rbc_etcs_id_22 = new_rbc_id_26974,!2 = @sid_26946,!1 = @sid_26947] new_rbc_id_26976 = new_rbc_id_19[!1 = @sid_26914] rbcNonce_26977 = rbcNonce_37[rbc_etcs_id_36 = new_rbc_id_26976,!1 = @sid_26969] train_etcs_id_26978 = train_etcs_id_20[!1 = @sid_26947] rbcNonce_26979 = rbcNonce_37[rbc_etcs_id_36 = new_rbc_id_26976,!1 = @sid_26885] new_rbc_id_26980 = new_rbc_id_19[!1 = @sid_26824] trainNonce_26981 = trainNonce_23[rbc_etcs_id_22 = new_rbc_id_26980,!2 = @sid_26828,!1 = @sid_26947] 1. The message new_rbc_id_26976 may be sent on channel id[] at output {4}. mess:id[],new_rbc_id_26976. 2. The message new_rbc_id_26974 may be sent on channel id[] at output {4}. mess:id[],new_rbc_id_26974. 3. The message new_rbc_id_26974 that may be sent on channel id[] by 2 may be received at input {9}. So the message (TRAIN_ETCS_ID_TYPE(),AU1(),DF_SEND(),train_etcs_id_26978,SAF(),trainNonce_26975) may be sent to the attacker at output {12}. attacker:(TRAIN_ETCS_ID_TYPE(),AU1(),DF_SEND(),train_etcs_id_26978,SAF(),trainNonce_26975). 4. By 3, the attacker may know (TRAIN_ETCS_ID_TYPE(),AU1(),DF_SEND(),train_etcs_id_26978,SAF(),trainNonce_26975). Using the function 6-proj-6-tuple the attacker may obtain trainNonce_26975. attacker:trainNonce_26975. 5. The attacker has some term trainSaF_26972. attacker:trainSaF_26972. 6. The message new_rbc_id_26980 may be sent on channel id[] at output {4}. mess:id[],new_rbc_id_26980. 7. The message new_rbc_id_26980 that may be sent on channel id[] by 6 may be received at input {9}. So the message (TRAIN_ETCS_ID_TYPE(),AU1(),DF_SEND(),train_etcs_id_26978,SAF(),trainNonce_26981) may be sent to the attacker at output {12}. attacker:(TRAIN_ETCS_ID_TYPE(),AU1(),DF_SEND(),train_etcs_id_26978,SAF(),trainNonce_26981). 8. By 7, the attacker may know (TRAIN_ETCS_ID_TYPE(),AU1(),DF_SEND(),train_etcs_id_26978,SAF(),trainNonce_26981). Using the function 4-proj-6-tuple the attacker may obtain train_etcs_id_26978. attacker:train_etcs_id_26978. 9. Using the function DF_SEND the attacker may obtain DF_SEND(). attacker:DF_SEND(). 10. Using the function AU1 the attacker may obtain AU1(). attacker:AU1(). 11. The attacker has some term sent_ETCS_ID_TYPE_26971. attacker:sent_ETCS_ID_TYPE_26971. 12. By 11, the attacker may know sent_ETCS_ID_TYPE_26971. By 10, the attacker may know AU1(). By 9, the attacker may know DF_SEND(). By 8, the attacker may know train_etcs_id_26978. By 5, the attacker may know trainSaF_26972. By 4, the attacker may know trainNonce_26975. Using the function 6-tuple the attacker may obtain (sent_ETCS_ID_TYPE_26971,AU1(),DF_SEND(),train_etcs_id_26978,trainSaF_26972,trainNonce_26975). attacker:(sent_ETCS_ID_TYPE_26971,AU1(),DF_SEND(),train_etcs_id_26978,trainSaF_26972,trainNonce_26975). 13. The message new_rbc_id_26974 may be sent on channel id[] at output {4}. mess:id[],new_rbc_id_26974. 14. The message new_rbc_id_26976 may be sent on channel id[] at output {4}. mess:id[],new_rbc_id_26976. 15. The attacker has some term rbcSaF_26943. attacker:rbcSaF_26943. 16. The attacker has some term sent_ETCS_ID_TYPE_26922. attacker:sent_ETCS_ID_TYPE_26922. 17. By 16, the attacker may know sent_ETCS_ID_TYPE_26922. By 10, the attacker may know AU1(). By 9, the attacker may know DF_SEND(). By 8, the attacker may know train_etcs_id_26978. By 15, the attacker may know rbcSaF_26943. By 4, the attacker may know trainNonce_26975. Using the function 6-tuple the attacker may obtain (sent_ETCS_ID_TYPE_26922,AU1(),DF_SEND(),train_etcs_id_26978,rbcSaF_26943,trainNonce_26975). attacker:(sent_ETCS_ID_TYPE_26922,AU1(),DF_SEND(),train_etcs_id_26978,rbcSaF_26943,trainNonce_26975). 18. The message new_rbc_id_26976 that may be sent on channel id[] by 14 may be received at input {31}. The message (sent_ETCS_ID_TYPE_26922,AU1(),DF_SEND(),train_etcs_id_26978,rbcSaF_26943,trainNonce_26975) that the attacker may have by 17 may be received at input {33}. So the message (RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_26976,rbcSaF_26943,rbcNonce_26977,mac(genSessionKey(trainNonce_26975,rbcNonce_26977,getKey(new_rbc_id_26976,train_etcs_id_26978)),((PAYLOAD_LENGTH(),train_etcs_id_26978,RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_26976,rbcSaF_26943),rbcNonce_26977,trainNonce_26975,train_etcs_id_26978))) may be sent to the attacker at output {38}. attacker:(RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_26976,rbcSaF_26943,rbcNonce_26977,mac(genSessionKey(trainNonce_26975,rbcNonce_26977,getKey(new_rbc_id_26976,train_etcs_id_26978)),((PAYLOAD_LENGTH(),train_etcs_id_26978,RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_26976,rbcSaF_26943),rbcNonce_26977,trainNonce_26975,train_etcs_id_26978))). 19. By 18, the attacker may know (RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_26976,rbcSaF_26943,rbcNonce_26977,mac(genSessionKey(trainNonce_26975,rbcNonce_26977,getKey(new_rbc_id_26976,train_etcs_id_26978)),((PAYLOAD_LENGTH(),train_etcs_id_26978,RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_26976,rbcSaF_26943),rbcNonce_26977,trainNonce_26975,train_etcs_id_26978))). Using the function 7-proj-7-tuple the attacker may obtain mac(genSessionKey(trainNonce_26975,rbcNonce_26977,getKey(new_rbc_id_26976,train_etcs_id_26978)),((PAYLOAD_LENGTH(),train_etcs_id_26978,RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_26976,rbcSaF_26943),rbcNonce_26977,trainNonce_26975,train_etcs_id_26978)). attacker:mac(genSessionKey(trainNonce_26975,rbcNonce_26977,getKey(new_rbc_id_26976,train_etcs_id_26978)),((PAYLOAD_LENGTH(),train_etcs_id_26978,RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_26976,rbcSaF_26943),rbcNonce_26977,trainNonce_26975,train_etcs_id_26978)). 20. The message new_rbc_id_26976 may be sent on channel id[] at output {4}. mess:id[],new_rbc_id_26976. 21. The attacker has some term trainNonce_26904. attacker:trainNonce_26904. 22. The attacker has some term trainSaF_26903. attacker:trainSaF_26903. 23. The attacker has some term in_train_etcs_id_26902. attacker:in_train_etcs_id_26902. 24. The attacker has some term sent_ETCS_ID_TYPE_26901. attacker:sent_ETCS_ID_TYPE_26901. 25. By 24, the attacker may know sent_ETCS_ID_TYPE_26901. By 10, the attacker may know AU1(). By 9, the attacker may know DF_SEND(). By 23, the attacker may know in_train_etcs_id_26902. By 22, the attacker may know trainSaF_26903. By 21, the attacker may know trainNonce_26904. Using the function 6-tuple the attacker may obtain (sent_ETCS_ID_TYPE_26901,AU1(),DF_SEND(),in_train_etcs_id_26902,trainSaF_26903,trainNonce_26904). attacker:(sent_ETCS_ID_TYPE_26901,AU1(),DF_SEND(),in_train_etcs_id_26902,trainSaF_26903,trainNonce_26904). 26. The message new_rbc_id_26976 that may be sent on channel id[] by 20 may be received at input {31}. The message (sent_ETCS_ID_TYPE_26901,AU1(),DF_SEND(),in_train_etcs_id_26902,trainSaF_26903,trainNonce_26904) that the attacker may have by 25 may be received at input {33}. So the message (RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_26976,trainSaF_26903,rbcNonce_26977,mac(genSessionKey(trainNonce_26904,rbcNonce_26977,getKey(new_rbc_id_26976,in_train_etcs_id_26902)),((PAYLOAD_LENGTH(),in_train_etcs_id_26902,RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_26976,trainSaF_26903),rbcNonce_26977,trainNonce_26904,in_train_etcs_id_26902))) may be sent to the attacker at output {38}. attacker:(RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_26976,trainSaF_26903,rbcNonce_26977,mac(genSessionKey(trainNonce_26904,rbcNonce_26977,getKey(new_rbc_id_26976,in_train_etcs_id_26902)),((PAYLOAD_LENGTH(),in_train_etcs_id_26902,RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_26976,trainSaF_26903),rbcNonce_26977,trainNonce_26904,in_train_etcs_id_26902))). 27. By 26, the attacker may know (RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_26976,trainSaF_26903,rbcNonce_26977,mac(genSessionKey(trainNonce_26904,rbcNonce_26977,getKey(new_rbc_id_26976,in_train_etcs_id_26902)),((PAYLOAD_LENGTH(),in_train_etcs_id_26902,RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_26976,trainSaF_26903),rbcNonce_26977,trainNonce_26904,in_train_etcs_id_26902))). Using the function 6-proj-7-tuple the attacker may obtain rbcNonce_26977. attacker:rbcNonce_26977. 28. The message new_rbc_id_26976 may be sent on channel id[] at output {4}. mess:id[],new_rbc_id_26976. 29. The attacker has some term trainNonce_26883. attacker:trainNonce_26883. 30. The attacker has some term trainSaF_26882. attacker:trainSaF_26882. 31. The attacker has some term in_train_etcs_id_26881. attacker:in_train_etcs_id_26881. 32. The attacker has some term sent_ETCS_ID_TYPE_26880. attacker:sent_ETCS_ID_TYPE_26880. 33. By 32, the attacker may know sent_ETCS_ID_TYPE_26880. By 10, the attacker may know AU1(). By 9, the attacker may know DF_SEND(). By 31, the attacker may know in_train_etcs_id_26881. By 30, the attacker may know trainSaF_26882. By 29, the attacker may know trainNonce_26883. Using the function 6-tuple the attacker may obtain (sent_ETCS_ID_TYPE_26880,AU1(),DF_SEND(),in_train_etcs_id_26881,trainSaF_26882,trainNonce_26883). attacker:(sent_ETCS_ID_TYPE_26880,AU1(),DF_SEND(),in_train_etcs_id_26881,trainSaF_26882,trainNonce_26883). 34. The message new_rbc_id_26976 that may be sent on channel id[] by 28 may be received at input {31}. The message (sent_ETCS_ID_TYPE_26880,AU1(),DF_SEND(),in_train_etcs_id_26881,trainSaF_26882,trainNonce_26883) that the attacker may have by 33 may be received at input {33}. So the message (RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_26976,trainSaF_26882,rbcNonce_26979,mac(genSessionKey(trainNonce_26883,rbcNonce_26979,getKey(new_rbc_id_26976,in_train_etcs_id_26881)),((PAYLOAD_LENGTH(),in_train_etcs_id_26881,RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_26976,trainSaF_26882),rbcNonce_26979,trainNonce_26883,in_train_etcs_id_26881))) may be sent to the attacker at output {38}. attacker:(RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_26976,trainSaF_26882,rbcNonce_26979,mac(genSessionKey(trainNonce_26883,rbcNonce_26979,getKey(new_rbc_id_26976,in_train_etcs_id_26881)),((PAYLOAD_LENGTH(),in_train_etcs_id_26881,RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_26976,trainSaF_26882),rbcNonce_26979,trainNonce_26883,in_train_etcs_id_26881))). 35. By 34, the attacker may know (RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_26976,trainSaF_26882,rbcNonce_26979,mac(genSessionKey(trainNonce_26883,rbcNonce_26979,getKey(new_rbc_id_26976,in_train_etcs_id_26881)),((PAYLOAD_LENGTH(),in_train_etcs_id_26881,RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_26976,trainSaF_26882),rbcNonce_26979,trainNonce_26883,in_train_etcs_id_26881))). Using the function 4-proj-7-tuple the attacker may obtain new_rbc_id_26976. attacker:new_rbc_id_26976. 36. Using the function DF_RESP the attacker may obtain DF_RESP(). attacker:DF_RESP(). 37. Using the function AU2 the attacker may obtain AU2(). attacker:AU2(). 38. Using the function RBC_ETCS_ID_TYPE the attacker may obtain RBC_ETCS_ID_TYPE(). attacker:RBC_ETCS_ID_TYPE(). 39. By 38, the attacker may know RBC_ETCS_ID_TYPE(). By 37, the attacker may know AU2(). By 36, the attacker may know DF_RESP(). By 35, the attacker may know new_rbc_id_26976. By 15, the attacker may know rbcSaF_26943. By 27, the attacker may know rbcNonce_26977. By 19, the attacker may know mac(genSessionKey(trainNonce_26975,rbcNonce_26977,getKey(new_rbc_id_26976,train_etcs_id_26978)),((PAYLOAD_LENGTH(),train_etcs_id_26978,RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_26976,rbcSaF_26943),rbcNonce_26977,trainNonce_26975,train_etcs_id_26978)). Using the function 7-tuple the attacker may obtain (RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_26976,rbcSaF_26943,rbcNonce_26977,mac(genSessionKey(trainNonce_26975,rbcNonce_26977,getKey(new_rbc_id_26976,train_etcs_id_26978)),((PAYLOAD_LENGTH(),train_etcs_id_26978,RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_26976,rbcSaF_26943),rbcNonce_26977,trainNonce_26975,train_etcs_id_26978))). attacker:(RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_26976,rbcSaF_26943,rbcNonce_26977,mac(genSessionKey(trainNonce_26975,rbcNonce_26977,getKey(new_rbc_id_26976,train_etcs_id_26978)),((PAYLOAD_LENGTH(),train_etcs_id_26978,RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_26976,rbcSaF_26943),rbcNonce_26977,trainNonce_26975,train_etcs_id_26978))). 40. The message new_rbc_id_26974 that may be sent on channel id[] by 13 may be received at input {9}. The message (RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_26976,rbcSaF_26943,rbcNonce_26977,mac(genSessionKey(trainNonce_26975,rbcNonce_26977,getKey(new_rbc_id_26976,train_etcs_id_26978)),((PAYLOAD_LENGTH(),train_etcs_id_26978,RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_26976,rbcSaF_26943),rbcNonce_26977,trainNonce_26975,train_etcs_id_26978))) that the attacker may have by 39 may be received at input {13}. So the message (ZEROS(),AU3(),DF_SEND(),mac(genSessionKey(trainNonce_26975,rbcNonce_26977,getKey(new_rbc_id_26976,train_etcs_id_26978)),(PAYLOAD_LENGTH(),train_etcs_id_26978,ZEROS(),AU3(),DF_SEND(),trainNonce_26975,rbcNonce_26977))) may be sent to the attacker at output {19}. attacker:(ZEROS(),AU3(),DF_SEND(),mac(genSessionKey(trainNonce_26975,rbcNonce_26977,getKey(new_rbc_id_26976,train_etcs_id_26978)),(PAYLOAD_LENGTH(),train_etcs_id_26978,ZEROS(),AU3(),DF_SEND(),trainNonce_26975,rbcNonce_26977))). 41. By 40, the attacker may know (ZEROS(),AU3(),DF_SEND(),mac(genSessionKey(trainNonce_26975,rbcNonce_26977,getKey(new_rbc_id_26976,train_etcs_id_26978)),(PAYLOAD_LENGTH(),train_etcs_id_26978,ZEROS(),AU3(),DF_SEND(),trainNonce_26975,rbcNonce_26977))). Using the function 4-proj-4-tuple the attacker may obtain mac(genSessionKey(trainNonce_26975,rbcNonce_26977,getKey(new_rbc_id_26976,train_etcs_id_26978)),(PAYLOAD_LENGTH(),train_etcs_id_26978,ZEROS(),AU3(),DF_SEND(),trainNonce_26975,rbcNonce_26977)). attacker:mac(genSessionKey(trainNonce_26975,rbcNonce_26977,getKey(new_rbc_id_26976,train_etcs_id_26978)),(PAYLOAD_LENGTH(),train_etcs_id_26978,ZEROS(),AU3(),DF_SEND(),trainNonce_26975,rbcNonce_26977)). 42. Using the function AU3 the attacker may obtain AU3(). attacker:AU3(). 43. Using the function ZEROS the attacker may obtain ZEROS(). attacker:ZEROS(). 44. By 43, the attacker may know ZEROS(). By 42, the attacker may know AU3(). By 9, the attacker may know DF_SEND(). By 41, the attacker may know mac(genSessionKey(trainNonce_26975,rbcNonce_26977,getKey(new_rbc_id_26976,train_etcs_id_26978)),(PAYLOAD_LENGTH(),train_etcs_id_26978,ZEROS(),AU3(),DF_SEND(),trainNonce_26975,rbcNonce_26977)). Using the function 4-tuple the attacker may obtain (ZEROS(),AU3(),DF_SEND(),mac(genSessionKey(trainNonce_26975,rbcNonce_26977,getKey(new_rbc_id_26976,train_etcs_id_26978)),(PAYLOAD_LENGTH(),train_etcs_id_26978,ZEROS(),AU3(),DF_SEND(),trainNonce_26975,rbcNonce_26977))). attacker:(ZEROS(),AU3(),DF_SEND(),mac(genSessionKey(trainNonce_26975,rbcNonce_26977,getKey(new_rbc_id_26976,train_etcs_id_26978)),(PAYLOAD_LENGTH(),train_etcs_id_26978,ZEROS(),AU3(),DF_SEND(),trainNonce_26975,rbcNonce_26977))). 45. We assume as hypothesis that attacker:msgA_26966. 46. We assume as hypothesis that attacker:timeA_26965. 47. Using the function DT the attacker may obtain DT(). attacker:DT(). 48. By 47, the attacker may know DT(). By 46, the attacker may know timeA_26965. By 45, the attacker may know msgA_26966. Using the function 3-tuple the attacker may obtain (DT(),timeA_26965,msgA_26966). attacker:(DT(),timeA_26965,msgA_26966). 49. The message new_rbc_id_26976 that may be sent on channel id[] by 1 may be received at input {31}. The message (sent_ETCS_ID_TYPE_26971,AU1(),DF_SEND(),train_etcs_id_26978,trainSaF_26972,trainNonce_26975) that the attacker may have by 12 may be received at input {33}. The message (ZEROS(),AU3(),DF_SEND(),mac(genSessionKey(trainNonce_26975,rbcNonce_26977,getKey(new_rbc_id_26976,train_etcs_id_26978)),(PAYLOAD_LENGTH(),train_etcs_id_26978,ZEROS(),AU3(),DF_SEND(),trainNonce_26975,rbcNonce_26977))) that the attacker may have by 44 may be received at input {39}. The message (DT(),timeA_26965,msgA_26966) that the attacker may have by 48 may be received at input {42}. So event DataReceived1((DT(),timeA_26965,msgA_26966)) may be executed at {43}. end:DataReceived1((DT(),timeA_26965,msgA_26966)). Unified sent_ETCS_ID_TYPE_26901 with sent_ETCS_ID_TYPE_26971 Unified in_train_etcs_id_26902 with train_etcs_id_20[!1 = @sid_26947] Unified trainSaF_26903 with trainSaF_26972 Unified trainNonce_26904 with trainNonce_23[rbc_etcs_id_22 = new_rbc_id_19[!1 = @sid_26850],!2 = @sid_26946,!1 = @sid_26947] Unified sent_ETCS_ID_TYPE_26922 with sent_ETCS_ID_TYPE_26971 Unified rbcSaF_26943 with trainSaF_26972 Iterating unifyDerivation. Fixpoint reached: nothing more to unify. The clause after unifyDerivation is attacker:msgA_26983 & attacker:timeA_26982 -> end:DataReceived1((DT(),timeA_26982,msgA_26983)) This clause still contradicts the query. A more detailed output of the traces is available with param traceDisplay = long. new train_etcs_id_20 creating train_etcs_id_20_27010 at {6} in copy a_26988 new session_21 creating session_21_27071 at {8} in copy a_26988, a_26987 new session_21 creating session_21_27072 at {8} in copy a_26988, a_27000 new new_rbc_id_19 creating new_rbc_id_19_27007 at {2} in copy a_26989 new new_rbc_id_19 creating new_rbc_id_19_27012 at {2} in copy a_26986 new new_rbc_id_19 creating new_rbc_id_19_27009 at {2} in copy a_26999 out(id, new_rbc_id_19_27009) at {4} in copy a_26999, a_27001 received at {9} in copy a_26988, a_27000 new trainNonce_23 creating trainNonce_23_27011 at {10} in copy a_26988, a_27000 event(trainStartSession(new_rbc_id_19_27009,train_etcs_id_20_27010,trainNonce_23_27011,SAF())) at {11} in copy a_26988, a_27000 out(c, (TRAIN_ETCS_ID_TYPE(),AU1(),DF_SEND(),train_etcs_id_20_27010,SAF(),trainNonce_23_27011)) at {12} in copy a_26988, a_27000 out(id, new_rbc_id_19_27012) at {4} in copy a_26986, a_27005 received at {9} in copy a_26988, a_26987 new trainNonce_23 creating trainNonce_23_27013 at {10} in copy a_26988, a_26987 event(trainStartSession(new_rbc_id_19_27012,train_etcs_id_20_27010,trainNonce_23_27013,SAF())) at {11} in copy a_26988, a_26987 out(c, (TRAIN_ETCS_ID_TYPE(),AU1(),DF_SEND(),train_etcs_id_20_27010,SAF(),trainNonce_23_27013)) at {12} in copy a_26988, a_26987 out(id, new_rbc_id_19_27007) at {4} in copy a_26989, a_26997 received at {31} in copy a_26993 new rbcNonce_37 creating rbcNonce_37_27008 at {32} in copy a_26993 in(c, (a_26996,AU1(),DF_SEND(),a_26995,a_26992,a_26994)) at {33} in copy a_26993 event(rbcStartSession(new_rbc_id_19_27007,a_26995,rbcNonce_37_27008,a_26992,a_26994)) at {34} in copy a_26993 out(c, encrypt(SECRET,genSessionKey(a_26994,rbcNonce_37_27008,getKey(new_rbc_id_19_27007,a_26995)))) at {36} in copy a_26993 out(c, encrypt(SECRET,getKey(new_rbc_id_19_27007,a_26995))) at {37} in copy a_26993 out(c, (RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_19_27007,a_26992,rbcNonce_37_27008,mac(genSessionKey(a_26994,rbcNonce_37_27008,getKey(new_rbc_id_19_27007,a_26995)),((PAYLOAD_LENGTH(),a_26995,RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_19_27007,a_26992),rbcNonce_37_27008,a_26994,a_26995)))) at {38} in copy a_26993 out(id, new_rbc_id_19_27007) at {4} in copy a_26989, a_27003 received at {31} in copy a_26990 new rbcNonce_37 creating rbcNonce_37_27014 at {32} in copy a_26990 in(c, (a_26998,AU1(),DF_SEND(),train_etcs_id_20_27010,a_26991,trainNonce_23_27013)) at {33} in copy a_26990 event(rbcStartSession(new_rbc_id_19_27007,train_etcs_id_20_27010,rbcNonce_37_27014,a_26991,trainNonce_23_27013)) at {34} in copy a_26990 out(c, encrypt(SECRET,genSessionKey(trainNonce_23_27013,rbcNonce_37_27014,getKey(new_rbc_id_19_27007,train_etcs_id_20_27010)))) at {36} in copy a_26990 out(c, encrypt(SECRET,getKey(new_rbc_id_19_27007,train_etcs_id_20_27010))) at {37} in copy a_26990 out(c, (RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_19_27007,a_26991,rbcNonce_37_27014,mac(genSessionKey(trainNonce_23_27013,rbcNonce_37_27014,getKey(new_rbc_id_19_27007,train_etcs_id_20_27010)),((PAYLOAD_LENGTH(),train_etcs_id_20_27010,RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_19_27007,a_26991),rbcNonce_37_27014,trainNonce_23_27013,train_etcs_id_20_27010)))) at {38} in copy a_26990 in(c, (RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_19_27007,a_26991,rbcNonce_37_27014,mac(genSessionKey(trainNonce_23_27013,rbcNonce_37_27014,getKey(new_rbc_id_19_27007,train_etcs_id_20_27010)),((PAYLOAD_LENGTH(),train_etcs_id_20_27010,RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_19_27007,a_26991),rbcNonce_37_27014,trainNonce_23_27013,train_etcs_id_20_27010)))) at {13} in copy a_26988, a_26987 out(c, encrypt(SECRET,genSessionKey(trainNonce_23_27013,rbcNonce_37_27014,getKey(new_rbc_id_19_27007,train_etcs_id_20_27010)))) at {15} in copy a_26988, a_26987 out(c, encrypt(SECRET,getKey(new_rbc_id_19_27007,train_etcs_id_20_27010))) at {16} in copy a_26988, a_26987 event(trainFinishSession(new_rbc_id_19_27007,train_etcs_id_20_27010,trainNonce_23_27013,a_26991,rbcNonce_37_27014,genSessionKey(trainNonce_23_27013,rbcNonce_37_27014,getKey(new_rbc_id_19_27007,train_etcs_id_20_27010)))) at {18} in copy a_26988, a_26987 out(c, (ZEROS(),AU3(),DF_SEND(),mac(genSessionKey(trainNonce_23_27013,rbcNonce_37_27014,getKey(new_rbc_id_19_27007,train_etcs_id_20_27010)),(PAYLOAD_LENGTH(),train_etcs_id_20_27010,ZEROS(),AU3(),DF_SEND(),trainNonce_23_27013,rbcNonce_37_27014)))) at {19} in copy a_26988, a_26987 new time_29 creating time_29_27183 at {20} in copy a_26988, a_26987 in(c, (ZEROS(),AU3(),DF_SEND(),mac(genSessionKey(trainNonce_23_27013,rbcNonce_37_27014,getKey(new_rbc_id_19_27007,train_etcs_id_20_27010)),(PAYLOAD_LENGTH(),train_etcs_id_20_27010,ZEROS(),AU3(),DF_SEND(),trainNonce_23_27013,rbcNonce_37_27014)))) at {39} in copy a_26990 event(rbcFinishSession(new_rbc_id_19_27007,train_etcs_id_20_27010,rbcNonce_37_27014,a_26991,trainNonce_23_27013,genSessionKey(trainNonce_23_27013,rbcNonce_37_27014,getKey(new_rbc_id_19_27007,train_etcs_id_20_27010)))) at {41} in copy a_26990 in(c, (DT(),a_26984,a_26985)) at {42} in copy a_26990 event(DataReceived1((DT(),a_26984,a_26985))) at {43} in copy a_26990 The event DataReceived1((DT(),a_26984,a_26985)) is executed. A trace has been found. RESULT ev:DataReceived1(m_24790) ==> ev:DataSent1(s2_24791,m_24790) | ev:DataSent2(s2_24791,m_24790) | ev:DataSent3(s2_24791,m_24790) is false. nounif greater:x_27217,*y_27218/-5000 -- Query not ev:MessagesReceived3(m1_27206,m2_27207,m3_27208) Completing... Starting query not ev:MessagesReceived3(m1_27206,m2_27207,m3_27208) goal reachable: attacker:timeC_29249 & attacker:msgC_29250 & attacker:timeB_29251 & attacker:msgB_29252 & attacker:timeA_29253 & attacker:msgA_29254 -> end:MessagesReceived3((DT(),timeA_29253,msgA_29254),(DT(),timeB_29251,msgB_29252),(DT(),timeC_29249,msgC_29250)) Abbreviations: new_rbc_id_29420 = new_rbc_id_19[!1 = @sid_29284] trainNonce_29421 = trainNonce_23[rbc_etcs_id_22 = new_rbc_id_29420,!2 = @sid_29380,!1 = @sid_29381] new_rbc_id_29422 = new_rbc_id_19[!1 = @sid_29348] rbcNonce_29423 = rbcNonce_37[rbc_etcs_id_36 = new_rbc_id_29422,!1 = @sid_29413] train_etcs_id_29424 = train_etcs_id_20[!1 = @sid_29381] rbcNonce_29425 = rbcNonce_37[rbc_etcs_id_36 = new_rbc_id_29422,!1 = @sid_29319] new_rbc_id_29426 = new_rbc_id_19[!1 = @sid_29258] trainNonce_29427 = trainNonce_23[rbc_etcs_id_22 = new_rbc_id_29426,!2 = @sid_29262,!1 = @sid_29381] 1. The message new_rbc_id_29422 may be sent on channel id[] at output {4}. mess:id[],new_rbc_id_29422. 2. The message new_rbc_id_29420 may be sent on channel id[] at output {4}. mess:id[],new_rbc_id_29420. 3. The message new_rbc_id_29420 that may be sent on channel id[] by 2 may be received at input {9}. So the message (TRAIN_ETCS_ID_TYPE(),AU1(),DF_SEND(),train_etcs_id_29424,SAF(),trainNonce_29421) may be sent to the attacker at output {12}. attacker:(TRAIN_ETCS_ID_TYPE(),AU1(),DF_SEND(),train_etcs_id_29424,SAF(),trainNonce_29421). 4. By 3, the attacker may know (TRAIN_ETCS_ID_TYPE(),AU1(),DF_SEND(),train_etcs_id_29424,SAF(),trainNonce_29421). Using the function 6-proj-6-tuple the attacker may obtain trainNonce_29421. attacker:trainNonce_29421. 5. The attacker has some term trainSaF_29416. attacker:trainSaF_29416. 6. The message new_rbc_id_29426 may be sent on channel id[] at output {4}. mess:id[],new_rbc_id_29426. 7. The message new_rbc_id_29426 that may be sent on channel id[] by 6 may be received at input {9}. So the message (TRAIN_ETCS_ID_TYPE(),AU1(),DF_SEND(),train_etcs_id_29424,SAF(),trainNonce_29427) may be sent to the attacker at output {12}. attacker:(TRAIN_ETCS_ID_TYPE(),AU1(),DF_SEND(),train_etcs_id_29424,SAF(),trainNonce_29427). 8. By 7, the attacker may know (TRAIN_ETCS_ID_TYPE(),AU1(),DF_SEND(),train_etcs_id_29424,SAF(),trainNonce_29427). Using the function 4-proj-6-tuple the attacker may obtain train_etcs_id_29424. attacker:train_etcs_id_29424. 9. Using the function DF_SEND the attacker may obtain DF_SEND(). attacker:DF_SEND(). 10. Using the function AU1 the attacker may obtain AU1(). attacker:AU1(). 11. The attacker has some term sent_ETCS_ID_TYPE_29415. attacker:sent_ETCS_ID_TYPE_29415. 12. By 11, the attacker may know sent_ETCS_ID_TYPE_29415. By 10, the attacker may know AU1(). By 9, the attacker may know DF_SEND(). By 8, the attacker may know train_etcs_id_29424. By 5, the attacker may know trainSaF_29416. By 4, the attacker may know trainNonce_29421. Using the function 6-tuple the attacker may obtain (sent_ETCS_ID_TYPE_29415,AU1(),DF_SEND(),train_etcs_id_29424,trainSaF_29416,trainNonce_29421). attacker:(sent_ETCS_ID_TYPE_29415,AU1(),DF_SEND(),train_etcs_id_29424,trainSaF_29416,trainNonce_29421). 13. The message new_rbc_id_29420 may be sent on channel id[] at output {4}. mess:id[],new_rbc_id_29420. 14. The message new_rbc_id_29422 may be sent on channel id[] at output {4}. mess:id[],new_rbc_id_29422. 15. The attacker has some term rbcSaF_29377. attacker:rbcSaF_29377. 16. The attacker has some term sent_ETCS_ID_TYPE_29356. attacker:sent_ETCS_ID_TYPE_29356. 17. By 16, the attacker may know sent_ETCS_ID_TYPE_29356. By 10, the attacker may know AU1(). By 9, the attacker may know DF_SEND(). By 8, the attacker may know train_etcs_id_29424. By 15, the attacker may know rbcSaF_29377. By 4, the attacker may know trainNonce_29421. Using the function 6-tuple the attacker may obtain (sent_ETCS_ID_TYPE_29356,AU1(),DF_SEND(),train_etcs_id_29424,rbcSaF_29377,trainNonce_29421). attacker:(sent_ETCS_ID_TYPE_29356,AU1(),DF_SEND(),train_etcs_id_29424,rbcSaF_29377,trainNonce_29421). 18. The message new_rbc_id_29422 that may be sent on channel id[] by 14 may be received at input {31}. The message (sent_ETCS_ID_TYPE_29356,AU1(),DF_SEND(),train_etcs_id_29424,rbcSaF_29377,trainNonce_29421) that the attacker may have by 17 may be received at input {33}. So the message (RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_29422,rbcSaF_29377,rbcNonce_29423,mac(genSessionKey(trainNonce_29421,rbcNonce_29423,getKey(new_rbc_id_29422,train_etcs_id_29424)),((PAYLOAD_LENGTH(),train_etcs_id_29424,RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_29422,rbcSaF_29377),rbcNonce_29423,trainNonce_29421,train_etcs_id_29424))) may be sent to the attacker at output {38}. attacker:(RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_29422,rbcSaF_29377,rbcNonce_29423,mac(genSessionKey(trainNonce_29421,rbcNonce_29423,getKey(new_rbc_id_29422,train_etcs_id_29424)),((PAYLOAD_LENGTH(),train_etcs_id_29424,RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_29422,rbcSaF_29377),rbcNonce_29423,trainNonce_29421,train_etcs_id_29424))). 19. By 18, the attacker may know (RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_29422,rbcSaF_29377,rbcNonce_29423,mac(genSessionKey(trainNonce_29421,rbcNonce_29423,getKey(new_rbc_id_29422,train_etcs_id_29424)),((PAYLOAD_LENGTH(),train_etcs_id_29424,RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_29422,rbcSaF_29377),rbcNonce_29423,trainNonce_29421,train_etcs_id_29424))). Using the function 7-proj-7-tuple the attacker may obtain mac(genSessionKey(trainNonce_29421,rbcNonce_29423,getKey(new_rbc_id_29422,train_etcs_id_29424)),((PAYLOAD_LENGTH(),train_etcs_id_29424,RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_29422,rbcSaF_29377),rbcNonce_29423,trainNonce_29421,train_etcs_id_29424)). attacker:mac(genSessionKey(trainNonce_29421,rbcNonce_29423,getKey(new_rbc_id_29422,train_etcs_id_29424)),((PAYLOAD_LENGTH(),train_etcs_id_29424,RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_29422,rbcSaF_29377),rbcNonce_29423,trainNonce_29421,train_etcs_id_29424)). 20. The message new_rbc_id_29422 may be sent on channel id[] at output {4}. mess:id[],new_rbc_id_29422. 21. The attacker has some term trainNonce_29338. attacker:trainNonce_29338. 22. The attacker has some term trainSaF_29337. attacker:trainSaF_29337. 23. The attacker has some term in_train_etcs_id_29336. attacker:in_train_etcs_id_29336. 24. The attacker has some term sent_ETCS_ID_TYPE_29335. attacker:sent_ETCS_ID_TYPE_29335. 25. By 24, the attacker may know sent_ETCS_ID_TYPE_29335. By 10, the attacker may know AU1(). By 9, the attacker may know DF_SEND(). By 23, the attacker may know in_train_etcs_id_29336. By 22, the attacker may know trainSaF_29337. By 21, the attacker may know trainNonce_29338. Using the function 6-tuple the attacker may obtain (sent_ETCS_ID_TYPE_29335,AU1(),DF_SEND(),in_train_etcs_id_29336,trainSaF_29337,trainNonce_29338). attacker:(sent_ETCS_ID_TYPE_29335,AU1(),DF_SEND(),in_train_etcs_id_29336,trainSaF_29337,trainNonce_29338). 26. The message new_rbc_id_29422 that may be sent on channel id[] by 20 may be received at input {31}. The message (sent_ETCS_ID_TYPE_29335,AU1(),DF_SEND(),in_train_etcs_id_29336,trainSaF_29337,trainNonce_29338) that the attacker may have by 25 may be received at input {33}. So the message (RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_29422,trainSaF_29337,rbcNonce_29423,mac(genSessionKey(trainNonce_29338,rbcNonce_29423,getKey(new_rbc_id_29422,in_train_etcs_id_29336)),((PAYLOAD_LENGTH(),in_train_etcs_id_29336,RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_29422,trainSaF_29337),rbcNonce_29423,trainNonce_29338,in_train_etcs_id_29336))) may be sent to the attacker at output {38}. attacker:(RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_29422,trainSaF_29337,rbcNonce_29423,mac(genSessionKey(trainNonce_29338,rbcNonce_29423,getKey(new_rbc_id_29422,in_train_etcs_id_29336)),((PAYLOAD_LENGTH(),in_train_etcs_id_29336,RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_29422,trainSaF_29337),rbcNonce_29423,trainNonce_29338,in_train_etcs_id_29336))). 27. By 26, the attacker may know (RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_29422,trainSaF_29337,rbcNonce_29423,mac(genSessionKey(trainNonce_29338,rbcNonce_29423,getKey(new_rbc_id_29422,in_train_etcs_id_29336)),((PAYLOAD_LENGTH(),in_train_etcs_id_29336,RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_29422,trainSaF_29337),rbcNonce_29423,trainNonce_29338,in_train_etcs_id_29336))). Using the function 6-proj-7-tuple the attacker may obtain rbcNonce_29423. attacker:rbcNonce_29423. 28. The message new_rbc_id_29422 may be sent on channel id[] at output {4}. mess:id[],new_rbc_id_29422. 29. The attacker has some term trainNonce_29317. attacker:trainNonce_29317. 30. The attacker has some term trainSaF_29316. attacker:trainSaF_29316. 31. The attacker has some term in_train_etcs_id_29315. attacker:in_train_etcs_id_29315. 32. The attacker has some term sent_ETCS_ID_TYPE_29314. attacker:sent_ETCS_ID_TYPE_29314. 33. By 32, the attacker may know sent_ETCS_ID_TYPE_29314. By 10, the attacker may know AU1(). By 9, the attacker may know DF_SEND(). By 31, the attacker may know in_train_etcs_id_29315. By 30, the attacker may know trainSaF_29316. By 29, the attacker may know trainNonce_29317. Using the function 6-tuple the attacker may obtain (sent_ETCS_ID_TYPE_29314,AU1(),DF_SEND(),in_train_etcs_id_29315,trainSaF_29316,trainNonce_29317). attacker:(sent_ETCS_ID_TYPE_29314,AU1(),DF_SEND(),in_train_etcs_id_29315,trainSaF_29316,trainNonce_29317). 34. The message new_rbc_id_29422 that may be sent on channel id[] by 28 may be received at input {31}. The message (sent_ETCS_ID_TYPE_29314,AU1(),DF_SEND(),in_train_etcs_id_29315,trainSaF_29316,trainNonce_29317) that the attacker may have by 33 may be received at input {33}. So the message (RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_29422,trainSaF_29316,rbcNonce_29425,mac(genSessionKey(trainNonce_29317,rbcNonce_29425,getKey(new_rbc_id_29422,in_train_etcs_id_29315)),((PAYLOAD_LENGTH(),in_train_etcs_id_29315,RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_29422,trainSaF_29316),rbcNonce_29425,trainNonce_29317,in_train_etcs_id_29315))) may be sent to the attacker at output {38}. attacker:(RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_29422,trainSaF_29316,rbcNonce_29425,mac(genSessionKey(trainNonce_29317,rbcNonce_29425,getKey(new_rbc_id_29422,in_train_etcs_id_29315)),((PAYLOAD_LENGTH(),in_train_etcs_id_29315,RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_29422,trainSaF_29316),rbcNonce_29425,trainNonce_29317,in_train_etcs_id_29315))). 35. By 34, the attacker may know (RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_29422,trainSaF_29316,rbcNonce_29425,mac(genSessionKey(trainNonce_29317,rbcNonce_29425,getKey(new_rbc_id_29422,in_train_etcs_id_29315)),((PAYLOAD_LENGTH(),in_train_etcs_id_29315,RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_29422,trainSaF_29316),rbcNonce_29425,trainNonce_29317,in_train_etcs_id_29315))). Using the function 4-proj-7-tuple the attacker may obtain new_rbc_id_29422. attacker:new_rbc_id_29422. 36. Using the function DF_RESP the attacker may obtain DF_RESP(). attacker:DF_RESP(). 37. Using the function AU2 the attacker may obtain AU2(). attacker:AU2(). 38. Using the function RBC_ETCS_ID_TYPE the attacker may obtain RBC_ETCS_ID_TYPE(). attacker:RBC_ETCS_ID_TYPE(). 39. By 38, the attacker may know RBC_ETCS_ID_TYPE(). By 37, the attacker may know AU2(). By 36, the attacker may know DF_RESP(). By 35, the attacker may know new_rbc_id_29422. By 15, the attacker may know rbcSaF_29377. By 27, the attacker may know rbcNonce_29423. By 19, the attacker may know mac(genSessionKey(trainNonce_29421,rbcNonce_29423,getKey(new_rbc_id_29422,train_etcs_id_29424)),((PAYLOAD_LENGTH(),train_etcs_id_29424,RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_29422,rbcSaF_29377),rbcNonce_29423,trainNonce_29421,train_etcs_id_29424)). Using the function 7-tuple the attacker may obtain (RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_29422,rbcSaF_29377,rbcNonce_29423,mac(genSessionKey(trainNonce_29421,rbcNonce_29423,getKey(new_rbc_id_29422,train_etcs_id_29424)),((PAYLOAD_LENGTH(),train_etcs_id_29424,RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_29422,rbcSaF_29377),rbcNonce_29423,trainNonce_29421,train_etcs_id_29424))). attacker:(RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_29422,rbcSaF_29377,rbcNonce_29423,mac(genSessionKey(trainNonce_29421,rbcNonce_29423,getKey(new_rbc_id_29422,train_etcs_id_29424)),((PAYLOAD_LENGTH(),train_etcs_id_29424,RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_29422,rbcSaF_29377),rbcNonce_29423,trainNonce_29421,train_etcs_id_29424))). 40. The message new_rbc_id_29420 that may be sent on channel id[] by 13 may be received at input {9}. The message (RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_29422,rbcSaF_29377,rbcNonce_29423,mac(genSessionKey(trainNonce_29421,rbcNonce_29423,getKey(new_rbc_id_29422,train_etcs_id_29424)),((PAYLOAD_LENGTH(),train_etcs_id_29424,RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_29422,rbcSaF_29377),rbcNonce_29423,trainNonce_29421,train_etcs_id_29424))) that the attacker may have by 39 may be received at input {13}. So the message (ZEROS(),AU3(),DF_SEND(),mac(genSessionKey(trainNonce_29421,rbcNonce_29423,getKey(new_rbc_id_29422,train_etcs_id_29424)),(PAYLOAD_LENGTH(),train_etcs_id_29424,ZEROS(),AU3(),DF_SEND(),trainNonce_29421,rbcNonce_29423))) may be sent to the attacker at output {19}. attacker:(ZEROS(),AU3(),DF_SEND(),mac(genSessionKey(trainNonce_29421,rbcNonce_29423,getKey(new_rbc_id_29422,train_etcs_id_29424)),(PAYLOAD_LENGTH(),train_etcs_id_29424,ZEROS(),AU3(),DF_SEND(),trainNonce_29421,rbcNonce_29423))). 41. By 40, the attacker may know (ZEROS(),AU3(),DF_SEND(),mac(genSessionKey(trainNonce_29421,rbcNonce_29423,getKey(new_rbc_id_29422,train_etcs_id_29424)),(PAYLOAD_LENGTH(),train_etcs_id_29424,ZEROS(),AU3(),DF_SEND(),trainNonce_29421,rbcNonce_29423))). Using the function 4-proj-4-tuple the attacker may obtain mac(genSessionKey(trainNonce_29421,rbcNonce_29423,getKey(new_rbc_id_29422,train_etcs_id_29424)),(PAYLOAD_LENGTH(),train_etcs_id_29424,ZEROS(),AU3(),DF_SEND(),trainNonce_29421,rbcNonce_29423)). attacker:mac(genSessionKey(trainNonce_29421,rbcNonce_29423,getKey(new_rbc_id_29422,train_etcs_id_29424)),(PAYLOAD_LENGTH(),train_etcs_id_29424,ZEROS(),AU3(),DF_SEND(),trainNonce_29421,rbcNonce_29423)). 42. Using the function AU3 the attacker may obtain AU3(). attacker:AU3(). 43. Using the function ZEROS the attacker may obtain ZEROS(). attacker:ZEROS(). 44. By 43, the attacker may know ZEROS(). By 42, the attacker may know AU3(). By 9, the attacker may know DF_SEND(). By 41, the attacker may know mac(genSessionKey(trainNonce_29421,rbcNonce_29423,getKey(new_rbc_id_29422,train_etcs_id_29424)),(PAYLOAD_LENGTH(),train_etcs_id_29424,ZEROS(),AU3(),DF_SEND(),trainNonce_29421,rbcNonce_29423)). Using the function 4-tuple the attacker may obtain (ZEROS(),AU3(),DF_SEND(),mac(genSessionKey(trainNonce_29421,rbcNonce_29423,getKey(new_rbc_id_29422,train_etcs_id_29424)),(PAYLOAD_LENGTH(),train_etcs_id_29424,ZEROS(),AU3(),DF_SEND(),trainNonce_29421,rbcNonce_29423))). attacker:(ZEROS(),AU3(),DF_SEND(),mac(genSessionKey(trainNonce_29421,rbcNonce_29423,getKey(new_rbc_id_29422,train_etcs_id_29424)),(PAYLOAD_LENGTH(),train_etcs_id_29424,ZEROS(),AU3(),DF_SEND(),trainNonce_29421,rbcNonce_29423))). 45. We assume as hypothesis that attacker:msgA_29410. 46. We assume as hypothesis that attacker:timeA_29409. 47. Using the function DT the attacker may obtain DT(). attacker:DT(). 48. By 47, the attacker may know DT(). By 46, the attacker may know timeA_29409. By 45, the attacker may know msgA_29410. Using the function 3-tuple the attacker may obtain (DT(),timeA_29409,msgA_29410). attacker:(DT(),timeA_29409,msgA_29410). 49. We assume as hypothesis that attacker:msgB_29408. 50. We assume as hypothesis that attacker:timeB_29407. 51. By 47, the attacker may know DT(). By 50, the attacker may know timeB_29407. By 49, the attacker may know msgB_29408. Using the function 3-tuple the attacker may obtain (DT(),timeB_29407,msgB_29408). attacker:(DT(),timeB_29407,msgB_29408). 52. We assume as hypothesis that attacker:msgC_29406. 53. We assume as hypothesis that attacker:timeC_29405. 54. By 47, the attacker may know DT(). By 53, the attacker may know timeC_29405. By 52, the attacker may know msgC_29406. Using the function 3-tuple the attacker may obtain (DT(),timeC_29405,msgC_29406). attacker:(DT(),timeC_29405,msgC_29406). 55. The message new_rbc_id_29422 that may be sent on channel id[] by 1 may be received at input {31}. The message (sent_ETCS_ID_TYPE_29415,AU1(),DF_SEND(),train_etcs_id_29424,trainSaF_29416,trainNonce_29421) that the attacker may have by 12 may be received at input {33}. The message (ZEROS(),AU3(),DF_SEND(),mac(genSessionKey(trainNonce_29421,rbcNonce_29423,getKey(new_rbc_id_29422,train_etcs_id_29424)),(PAYLOAD_LENGTH(),train_etcs_id_29424,ZEROS(),AU3(),DF_SEND(),trainNonce_29421,rbcNonce_29423))) that the attacker may have by 44 may be received at input {39}. The message (DT(),timeA_29409,msgA_29410) that the attacker may have by 48 may be received at input {42}. The message (DT(),timeB_29407,msgB_29408) that the attacker may have by 51 may be received at input {44}. The message (DT(),timeC_29405,msgC_29406) that the attacker may have by 54 may be received at input {47}. So event MessagesReceived3((DT(),timeA_29409,msgA_29410),(DT(),timeB_29407,msgB_29408),(DT(),timeC_29405,msgC_29406)) may be executed at {49}. end:MessagesReceived3((DT(),timeA_29409,msgA_29410),(DT(),timeB_29407,msgB_29408),(DT(),timeC_29405,msgC_29406)). Unified sent_ETCS_ID_TYPE_29335 with sent_ETCS_ID_TYPE_29415 Unified in_train_etcs_id_29336 with train_etcs_id_20[!1 = @sid_29381] Unified trainSaF_29337 with trainSaF_29416 Unified trainNonce_29338 with trainNonce_23[rbc_etcs_id_22 = new_rbc_id_19[!1 = @sid_29284],!2 = @sid_29380,!1 = @sid_29381] Unified sent_ETCS_ID_TYPE_29356 with sent_ETCS_ID_TYPE_29415 Unified rbcSaF_29377 with trainSaF_29416 Iterating unifyDerivation. Fixpoint reached: nothing more to unify. The clause after unifyDerivation is attacker:msgA_29429 & attacker:timeA_29428 & attacker:msgB_29431 & attacker:timeB_29430 & attacker:msgC_29433 & attacker:timeC_29432 -> end:MessagesReceived3((DT(),timeA_29428,msgA_29429),(DT(),timeB_29430,msgB_29431),(DT(),timeC_29432,msgC_29433)) This clause still contradicts the query. A more detailed output of the traces is available with param traceDisplay = long. new train_etcs_id_20 creating train_etcs_id_20_29464 at {6} in copy a_29442 new session_21 creating session_21_29525 at {8} in copy a_29442, a_29441 new session_21 creating session_21_29526 at {8} in copy a_29442, a_29454 new new_rbc_id_19 creating new_rbc_id_19_29461 at {2} in copy a_29443 new new_rbc_id_19 creating new_rbc_id_19_29466 at {2} in copy a_29440 new new_rbc_id_19 creating new_rbc_id_19_29463 at {2} in copy a_29453 out(id, new_rbc_id_19_29463) at {4} in copy a_29453, a_29455 received at {9} in copy a_29442, a_29454 new trainNonce_23 creating trainNonce_23_29465 at {10} in copy a_29442, a_29454 event(trainStartSession(new_rbc_id_19_29463,train_etcs_id_20_29464,trainNonce_23_29465,SAF())) at {11} in copy a_29442, a_29454 out(c, (TRAIN_ETCS_ID_TYPE(),AU1(),DF_SEND(),train_etcs_id_20_29464,SAF(),trainNonce_23_29465)) at {12} in copy a_29442, a_29454 out(id, new_rbc_id_19_29466) at {4} in copy a_29440, a_29459 received at {9} in copy a_29442, a_29441 new trainNonce_23 creating trainNonce_23_29467 at {10} in copy a_29442, a_29441 event(trainStartSession(new_rbc_id_19_29466,train_etcs_id_20_29464,trainNonce_23_29467,SAF())) at {11} in copy a_29442, a_29441 out(c, (TRAIN_ETCS_ID_TYPE(),AU1(),DF_SEND(),train_etcs_id_20_29464,SAF(),trainNonce_23_29467)) at {12} in copy a_29442, a_29441 out(id, new_rbc_id_19_29461) at {4} in copy a_29443, a_29451 received at {31} in copy a_29447 new rbcNonce_37 creating rbcNonce_37_29462 at {32} in copy a_29447 in(c, (a_29450,AU1(),DF_SEND(),a_29449,a_29446,a_29448)) at {33} in copy a_29447 event(rbcStartSession(new_rbc_id_19_29461,a_29449,rbcNonce_37_29462,a_29446,a_29448)) at {34} in copy a_29447 out(c, encrypt(SECRET,genSessionKey(a_29448,rbcNonce_37_29462,getKey(new_rbc_id_19_29461,a_29449)))) at {36} in copy a_29447 out(c, encrypt(SECRET,getKey(new_rbc_id_19_29461,a_29449))) at {37} in copy a_29447 out(c, (RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_19_29461,a_29446,rbcNonce_37_29462,mac(genSessionKey(a_29448,rbcNonce_37_29462,getKey(new_rbc_id_19_29461,a_29449)),((PAYLOAD_LENGTH(),a_29449,RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_19_29461,a_29446),rbcNonce_37_29462,a_29448,a_29449)))) at {38} in copy a_29447 out(id, new_rbc_id_19_29461) at {4} in copy a_29443, a_29457 received at {31} in copy a_29444 new rbcNonce_37 creating rbcNonce_37_29468 at {32} in copy a_29444 in(c, (a_29452,AU1(),DF_SEND(),train_etcs_id_20_29464,a_29445,trainNonce_23_29467)) at {33} in copy a_29444 event(rbcStartSession(new_rbc_id_19_29461,train_etcs_id_20_29464,rbcNonce_37_29468,a_29445,trainNonce_23_29467)) at {34} in copy a_29444 out(c, encrypt(SECRET,genSessionKey(trainNonce_23_29467,rbcNonce_37_29468,getKey(new_rbc_id_19_29461,train_etcs_id_20_29464)))) at {36} in copy a_29444 out(c, encrypt(SECRET,getKey(new_rbc_id_19_29461,train_etcs_id_20_29464))) at {37} in copy a_29444 out(c, (RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_19_29461,a_29445,rbcNonce_37_29468,mac(genSessionKey(trainNonce_23_29467,rbcNonce_37_29468,getKey(new_rbc_id_19_29461,train_etcs_id_20_29464)),((PAYLOAD_LENGTH(),train_etcs_id_20_29464,RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_19_29461,a_29445),rbcNonce_37_29468,trainNonce_23_29467,train_etcs_id_20_29464)))) at {38} in copy a_29444 in(c, (RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_19_29461,a_29445,rbcNonce_37_29468,mac(genSessionKey(trainNonce_23_29467,rbcNonce_37_29468,getKey(new_rbc_id_19_29461,train_etcs_id_20_29464)),((PAYLOAD_LENGTH(),train_etcs_id_20_29464,RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_19_29461,a_29445),rbcNonce_37_29468,trainNonce_23_29467,train_etcs_id_20_29464)))) at {13} in copy a_29442, a_29441 out(c, encrypt(SECRET,genSessionKey(trainNonce_23_29467,rbcNonce_37_29468,getKey(new_rbc_id_19_29461,train_etcs_id_20_29464)))) at {15} in copy a_29442, a_29441 out(c, encrypt(SECRET,getKey(new_rbc_id_19_29461,train_etcs_id_20_29464))) at {16} in copy a_29442, a_29441 event(trainFinishSession(new_rbc_id_19_29461,train_etcs_id_20_29464,trainNonce_23_29467,a_29445,rbcNonce_37_29468,genSessionKey(trainNonce_23_29467,rbcNonce_37_29468,getKey(new_rbc_id_19_29461,train_etcs_id_20_29464)))) at {18} in copy a_29442, a_29441 out(c, (ZEROS(),AU3(),DF_SEND(),mac(genSessionKey(trainNonce_23_29467,rbcNonce_37_29468,getKey(new_rbc_id_19_29461,train_etcs_id_20_29464)),(PAYLOAD_LENGTH(),train_etcs_id_20_29464,ZEROS(),AU3(),DF_SEND(),trainNonce_23_29467,rbcNonce_37_29468)))) at {19} in copy a_29442, a_29441 new time_29 creating time_29_29637 at {20} in copy a_29442, a_29441 event(DataSent1(session_21_29525,(DT(),time_29_29637,MESSAGE_1()))) at {22} in copy a_29442, a_29441 out(c, (DT(),time_29_29637,MESSAGE_1())) at {23} in copy a_29442, a_29441 event(DataSent2(session_21_29525,(DT(),inc(time_29_29637),MESSAGE_2()))) at {25} in copy a_29442, a_29441 out(c, (DT(),inc(time_29_29637),MESSAGE_2())) at {26} in copy a_29442, a_29441 event(DataSent3(session_21_29525,(DT(),inc(inc(time_29_29637)),MESSAGE_3()))) at {28} in copy a_29442, a_29441 out(c, (DT(),inc(inc(time_29_29637)),MESSAGE_3())) at {29} in copy a_29442, a_29441 in(c, (ZEROS(),AU3(),DF_SEND(),mac(genSessionKey(trainNonce_23_29467,rbcNonce_37_29468,getKey(new_rbc_id_19_29461,train_etcs_id_20_29464)),(PAYLOAD_LENGTH(),train_etcs_id_20_29464,ZEROS(),AU3(),DF_SEND(),trainNonce_23_29467,rbcNonce_37_29468)))) at {39} in copy a_29444 event(rbcFinishSession(new_rbc_id_19_29461,train_etcs_id_20_29464,rbcNonce_37_29468,a_29445,trainNonce_23_29467,genSessionKey(trainNonce_23_29467,rbcNonce_37_29468,getKey(new_rbc_id_19_29461,train_etcs_id_20_29464)))) at {41} in copy a_29444 in(c, (DT(),a_29434,a_29435)) at {42} in copy a_29444 event(DataReceived1((DT(),a_29434,a_29435))) at {43} in copy a_29444 in(c, (DT(),a_29436,a_29437)) at {44} in copy a_29444 event(DataReceived2((DT(),a_29436,a_29437))) at {45} in copy a_29444 event(MessagesReceived2((DT(),a_29434,a_29435),(DT(),a_29436,a_29437))) at {46} in copy a_29444 in(c, (DT(),a_29438,a_29439)) at {47} in copy a_29444 event(DataReceived3((DT(),a_29438,a_29439))) at {48} in copy a_29444 event(MessagesReceived3((DT(),a_29434,a_29435),(DT(),a_29436,a_29437),(DT(),a_29438,a_29439))) at {49} in copy a_29444 The event MessagesReceived3((DT(),a_29434,a_29435),(DT(),a_29436,a_29437),(DT(),a_29438,a_29439)) is executed. A trace has been found. RESULT not ev:MessagesReceived3(m1_27206,m2_27207,m3_27208) is false. nounif greater:x_29687,*y_29688/-5000 -- Query evinj:rbcFinishSession(rbc_id_29671,train_id_29672,rbc_nonce_29673,saf_29674,train_nonce_29675,ks_29676) ==> evinj:trainStartSession(rbc_id2_29677,train_id_29672,train_nonce_29675,saf2_29678) Completing... Starting query evinj:rbcFinishSession(rbc_id_29671,train_id_29672,rbc_nonce_29673,saf_29674,train_nonce_29675,ks_29676) ==> evinj:trainStartSession(rbc_id2_29677,train_id_29672,train_nonce_29675,saf2_29678) goal reachable: attacker:rbcSaF_32033 & attacker:saf_32034 & begin:trainStartSession(new_rbc_id_19[!1 = @sid_32035],train_etcs_id_20[!1 = @sid_32037],trainNonce_23[rbc_etcs_id_22 = new_rbc_id_19[!1 = @sid_32035],!2 = @sid_32036,!1 = @sid_32037],SAF()), inMAC_27 = mac(genSessionKey(trainNonce_23[rbc_etcs_id_22 = new_rbc_id_19[!1 = @sid_32035],!2 = @sid_32036,!1 = @sid_32037],rbcNonce_37[rbc_etcs_id_36 = new_rbc_id_19[!1 = @sid_32038],!1 = endsid_32039],getKey(new_rbc_id_19[!1 = @sid_32038],train_etcs_id_20[!1 = @sid_32037])),((PAYLOAD_LENGTH(),train_etcs_id_20[!1 = @sid_32037],RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_19[!1 = @sid_32038],rbcSaF_32033),rbcNonce_37[rbc_etcs_id_36 = new_rbc_id_19[!1 = @sid_32038],!1 = endsid_32039],trainNonce_23[rbc_etcs_id_22 = new_rbc_id_19[!1 = @sid_32035],!2 = @sid_32036,!1 = @sid_32037],train_etcs_id_20[!1 = @sid_32037])), rbcNonce_26 = rbcNonce_37[rbc_etcs_id_36 = new_rbc_id_19[!1 = @sid_32038],!1 = endsid_32039], rbcSaF_25 = rbcSaF_32033, in_rbc_etcs_id_24 = new_rbc_id_19[!1 = @sid_32038], rbc_etcs_id_22 = new_rbc_id_19[!1 = @sid_32035], @sid_435 = @sid_32036, @sid_434 = @sid_32037, @occ11_29960 = @occ_cst() -> end:endsid_32039,rbcFinishSession(new_rbc_id_19[!1 = @sid_32038],train_etcs_id_20[!1 = @sid_32037],rbcNonce_37[rbc_etcs_id_36 = new_rbc_id_19[!1 = @sid_32038],!1 = endsid_32039],saf_32034,trainNonce_23[rbc_etcs_id_22 = new_rbc_id_19[!1 = @sid_32035],!2 = @sid_32036,!1 = @sid_32037],genSessionKey(trainNonce_23[rbc_etcs_id_22 = new_rbc_id_19[!1 = @sid_32035],!2 = @sid_32036,!1 = @sid_32037],rbcNonce_37[rbc_etcs_id_36 = new_rbc_id_19[!1 = @sid_32038],!1 = endsid_32039],getKey(new_rbc_id_19[!1 = @sid_32038],train_etcs_id_20[!1 = @sid_32037]))) RESULT evinj:rbcFinishSession(rbc_id_29671,train_id_29672,rbc_nonce_29673,saf_29674,train_nonce_29675,ks_29676) ==> evinj:trainStartSession(rbc_id2_29677,train_id_29672,train_nonce_29675,saf2_29678) is true. nounif greater:x_32082,*y_32083/-5000 -- Query evinj:rbcFinishSession(rbc_id_32068,train_id_32069,rbc_nonce_32070,saf_32071,train_nonce_32072,ks_32073) ==> evinj:trainStartSession(rbc_id_32068,train_id_32069,train_nonce_32072,saf_32071) Completing... Starting query evinj:rbcFinishSession(rbc_id_32068,train_id_32069,rbc_nonce_32070,saf_32071,train_nonce_32072,ks_32073) ==> evinj:trainStartSession(rbc_id_32068,train_id_32069,train_nonce_32072,saf_32071) goal reachable: attacker:rbcSaF_34427 & attacker:saf_34428 & begin:trainStartSession(new_rbc_id_19[!1 = @sid_34429],train_etcs_id_20[!1 = @sid_34431],trainNonce_23[rbc_etcs_id_22 = new_rbc_id_19[!1 = @sid_34429],!2 = @sid_34430,!1 = @sid_34431],SAF()), inMAC_27 = mac(genSessionKey(trainNonce_23[rbc_etcs_id_22 = new_rbc_id_19[!1 = @sid_34429],!2 = @sid_34430,!1 = @sid_34431],rbcNonce_37[rbc_etcs_id_36 = new_rbc_id_19[!1 = @sid_34432],!1 = endsid_34433],getKey(new_rbc_id_19[!1 = @sid_34432],train_etcs_id_20[!1 = @sid_34431])),((PAYLOAD_LENGTH(),train_etcs_id_20[!1 = @sid_34431],RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_19[!1 = @sid_34432],rbcSaF_34427),rbcNonce_37[rbc_etcs_id_36 = new_rbc_id_19[!1 = @sid_34432],!1 = endsid_34433],trainNonce_23[rbc_etcs_id_22 = new_rbc_id_19[!1 = @sid_34429],!2 = @sid_34430,!1 = @sid_34431],train_etcs_id_20[!1 = @sid_34431])), rbcNonce_26 = rbcNonce_37[rbc_etcs_id_36 = new_rbc_id_19[!1 = @sid_34432],!1 = endsid_34433], rbcSaF_25 = rbcSaF_34427, in_rbc_etcs_id_24 = new_rbc_id_19[!1 = @sid_34432], rbc_etcs_id_22 = new_rbc_id_19[!1 = @sid_34429], @sid_435 = @sid_34430, @sid_434 = @sid_34431, @occ11_29960 = @occ_cst() -> end:endsid_34433,rbcFinishSession(new_rbc_id_19[!1 = @sid_34432],train_etcs_id_20[!1 = @sid_34431],rbcNonce_37[rbc_etcs_id_36 = new_rbc_id_19[!1 = @sid_34432],!1 = endsid_34433],saf_34428,trainNonce_23[rbc_etcs_id_22 = new_rbc_id_19[!1 = @sid_34429],!2 = @sid_34430,!1 = @sid_34431],genSessionKey(trainNonce_23[rbc_etcs_id_22 = new_rbc_id_19[!1 = @sid_34429],!2 = @sid_34430,!1 = @sid_34431],rbcNonce_37[rbc_etcs_id_36 = new_rbc_id_19[!1 = @sid_34432],!1 = endsid_34433],getKey(new_rbc_id_19[!1 = @sid_34432],train_etcs_id_20[!1 = @sid_34431]))) Abbreviations: new_rbc_id_34592 = new_rbc_id_19[!1 = @sid_34531] train_etcs_id_34593 = train_etcs_id_20[!1 = @sid_34564] rbcNonce_34594 = rbcNonce_37[rbc_etcs_id_36 = new_rbc_id_34592,!1 = endsid_34585] new_rbc_id_34595 = new_rbc_id_19[!1 = @sid_34467] trainNonce_34596 = trainNonce_23[rbc_etcs_id_22 = new_rbc_id_34595,!2 = @sid_34563,!1 = @sid_34564] rbcNonce_34597 = rbcNonce_37[rbc_etcs_id_36 = new_rbc_id_34592,!1 = @sid_34502] 1. The message new_rbc_id_34592 may be sent on channel id[] at output {4}. mess:id[],new_rbc_id_34592. 2. The message new_rbc_id_34595 may be sent on channel id[] at output {4}. mess:id[],new_rbc_id_34595. 3. The message new_rbc_id_34595 that may be sent on channel id[] by 2 may be received at input {9}. The event trainStartSession(new_rbc_id_34595,train_etcs_id_34593,trainNonce_34596,SAF()) (with environment rbc_etcs_id_22 = new_rbc_id_34595, @sid_435 = @sid_34563, @sid_434 = @sid_34564, @occ11_29960 = @occ_cst()) may be executed at {11}. So the message (TRAIN_ETCS_ID_TYPE(),AU1(),DF_SEND(),train_etcs_id_34593,SAF(),trainNonce_34596) may be sent to the attacker at output {12}. attacker:(TRAIN_ETCS_ID_TYPE(),AU1(),DF_SEND(),train_etcs_id_34593,SAF(),trainNonce_34596). 4. By 3, the attacker may know (TRAIN_ETCS_ID_TYPE(),AU1(),DF_SEND(),train_etcs_id_34593,SAF(),trainNonce_34596). Using the function 6-proj-6-tuple the attacker may obtain trainNonce_34596. attacker:trainNonce_34596. 5. We assume as hypothesis that attacker:saf_34589. 6. By 3, the attacker may know (TRAIN_ETCS_ID_TYPE(),AU1(),DF_SEND(),train_etcs_id_34593,SAF(),trainNonce_34596). Using the function 4-proj-6-tuple the attacker may obtain train_etcs_id_34593. attacker:train_etcs_id_34593. 7. Using the function DF_SEND the attacker may obtain DF_SEND(). attacker:DF_SEND(). 8. Using the function AU1 the attacker may obtain AU1(). attacker:AU1(). 9. The attacker has some term sent_ETCS_ID_TYPE_34583. attacker:sent_ETCS_ID_TYPE_34583. 10. By 9, the attacker may know sent_ETCS_ID_TYPE_34583. By 8, the attacker may know AU1(). By 7, the attacker may know DF_SEND(). By 6, the attacker may know train_etcs_id_34593. By 5, the attacker may know saf_34589. By 4, the attacker may know trainNonce_34596. Using the function 6-tuple the attacker may obtain (sent_ETCS_ID_TYPE_34583,AU1(),DF_SEND(),train_etcs_id_34593,saf_34589,trainNonce_34596). attacker:(sent_ETCS_ID_TYPE_34583,AU1(),DF_SEND(),train_etcs_id_34593,saf_34589,trainNonce_34596). 11. The message new_rbc_id_34595 may be sent on channel id[] at output {4}. mess:id[],new_rbc_id_34595. 12. The message new_rbc_id_34592 may be sent on channel id[] at output {4}. mess:id[],new_rbc_id_34592. 13. We assume as hypothesis that attacker:rbcSaF_34560. 14. The attacker has some term sent_ETCS_ID_TYPE_34539. attacker:sent_ETCS_ID_TYPE_34539. 15. By 14, the attacker may know sent_ETCS_ID_TYPE_34539. By 8, the attacker may know AU1(). By 7, the attacker may know DF_SEND(). By 6, the attacker may know train_etcs_id_34593. By 13, the attacker may know rbcSaF_34560. By 4, the attacker may know trainNonce_34596. Using the function 6-tuple the attacker may obtain (sent_ETCS_ID_TYPE_34539,AU1(),DF_SEND(),train_etcs_id_34593,rbcSaF_34560,trainNonce_34596). attacker:(sent_ETCS_ID_TYPE_34539,AU1(),DF_SEND(),train_etcs_id_34593,rbcSaF_34560,trainNonce_34596). 16. The message new_rbc_id_34592 that may be sent on channel id[] by 12 may be received at input {31}. The message (sent_ETCS_ID_TYPE_34539,AU1(),DF_SEND(),train_etcs_id_34593,rbcSaF_34560,trainNonce_34596) that the attacker may have by 15 may be received at input {33}. So the message (RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_34592,rbcSaF_34560,rbcNonce_34594,mac(genSessionKey(trainNonce_34596,rbcNonce_34594,getKey(new_rbc_id_34592,train_etcs_id_34593)),((PAYLOAD_LENGTH(),train_etcs_id_34593,RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_34592,rbcSaF_34560),rbcNonce_34594,trainNonce_34596,train_etcs_id_34593))) may be sent to the attacker at output {38}. attacker:(RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_34592,rbcSaF_34560,rbcNonce_34594,mac(genSessionKey(trainNonce_34596,rbcNonce_34594,getKey(new_rbc_id_34592,train_etcs_id_34593)),((PAYLOAD_LENGTH(),train_etcs_id_34593,RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_34592,rbcSaF_34560),rbcNonce_34594,trainNonce_34596,train_etcs_id_34593))). 17. By 16, the attacker may know (RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_34592,rbcSaF_34560,rbcNonce_34594,mac(genSessionKey(trainNonce_34596,rbcNonce_34594,getKey(new_rbc_id_34592,train_etcs_id_34593)),((PAYLOAD_LENGTH(),train_etcs_id_34593,RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_34592,rbcSaF_34560),rbcNonce_34594,trainNonce_34596,train_etcs_id_34593))). Using the function 7-proj-7-tuple the attacker may obtain mac(genSessionKey(trainNonce_34596,rbcNonce_34594,getKey(new_rbc_id_34592,train_etcs_id_34593)),((PAYLOAD_LENGTH(),train_etcs_id_34593,RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_34592,rbcSaF_34560),rbcNonce_34594,trainNonce_34596,train_etcs_id_34593)). attacker:mac(genSessionKey(trainNonce_34596,rbcNonce_34594,getKey(new_rbc_id_34592,train_etcs_id_34593)),((PAYLOAD_LENGTH(),train_etcs_id_34593,RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_34592,rbcSaF_34560),rbcNonce_34594,trainNonce_34596,train_etcs_id_34593)). 18. The message new_rbc_id_34592 may be sent on channel id[] at output {4}. mess:id[],new_rbc_id_34592. 19. The attacker has some term trainNonce_34521. attacker:trainNonce_34521. 20. The attacker has some term trainSaF_34520. attacker:trainSaF_34520. 21. The attacker has some term in_train_etcs_id_34519. attacker:in_train_etcs_id_34519. 22. The attacker has some term sent_ETCS_ID_TYPE_34518. attacker:sent_ETCS_ID_TYPE_34518. 23. By 22, the attacker may know sent_ETCS_ID_TYPE_34518. By 8, the attacker may know AU1(). By 7, the attacker may know DF_SEND(). By 21, the attacker may know in_train_etcs_id_34519. By 20, the attacker may know trainSaF_34520. By 19, the attacker may know trainNonce_34521. Using the function 6-tuple the attacker may obtain (sent_ETCS_ID_TYPE_34518,AU1(),DF_SEND(),in_train_etcs_id_34519,trainSaF_34520,trainNonce_34521). attacker:(sent_ETCS_ID_TYPE_34518,AU1(),DF_SEND(),in_train_etcs_id_34519,trainSaF_34520,trainNonce_34521). 24. The message new_rbc_id_34592 that may be sent on channel id[] by 18 may be received at input {31}. The message (sent_ETCS_ID_TYPE_34518,AU1(),DF_SEND(),in_train_etcs_id_34519,trainSaF_34520,trainNonce_34521) that the attacker may have by 23 may be received at input {33}. So the message (RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_34592,trainSaF_34520,rbcNonce_34594,mac(genSessionKey(trainNonce_34521,rbcNonce_34594,getKey(new_rbc_id_34592,in_train_etcs_id_34519)),((PAYLOAD_LENGTH(),in_train_etcs_id_34519,RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_34592,trainSaF_34520),rbcNonce_34594,trainNonce_34521,in_train_etcs_id_34519))) may be sent to the attacker at output {38}. attacker:(RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_34592,trainSaF_34520,rbcNonce_34594,mac(genSessionKey(trainNonce_34521,rbcNonce_34594,getKey(new_rbc_id_34592,in_train_etcs_id_34519)),((PAYLOAD_LENGTH(),in_train_etcs_id_34519,RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_34592,trainSaF_34520),rbcNonce_34594,trainNonce_34521,in_train_etcs_id_34519))). 25. By 24, the attacker may know (RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_34592,trainSaF_34520,rbcNonce_34594,mac(genSessionKey(trainNonce_34521,rbcNonce_34594,getKey(new_rbc_id_34592,in_train_etcs_id_34519)),((PAYLOAD_LENGTH(),in_train_etcs_id_34519,RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_34592,trainSaF_34520),rbcNonce_34594,trainNonce_34521,in_train_etcs_id_34519))). Using the function 6-proj-7-tuple the attacker may obtain rbcNonce_34594. attacker:rbcNonce_34594. 26. The message new_rbc_id_34592 may be sent on channel id[] at output {4}. mess:id[],new_rbc_id_34592. 27. The attacker has some term trainNonce_34500. attacker:trainNonce_34500. 28. The attacker has some term trainSaF_34499. attacker:trainSaF_34499. 29. The attacker has some term in_train_etcs_id_34498. attacker:in_train_etcs_id_34498. 30. The attacker has some term sent_ETCS_ID_TYPE_34497. attacker:sent_ETCS_ID_TYPE_34497. 31. By 30, the attacker may know sent_ETCS_ID_TYPE_34497. By 8, the attacker may know AU1(). By 7, the attacker may know DF_SEND(). By 29, the attacker may know in_train_etcs_id_34498. By 28, the attacker may know trainSaF_34499. By 27, the attacker may know trainNonce_34500. Using the function 6-tuple the attacker may obtain (sent_ETCS_ID_TYPE_34497,AU1(),DF_SEND(),in_train_etcs_id_34498,trainSaF_34499,trainNonce_34500). attacker:(sent_ETCS_ID_TYPE_34497,AU1(),DF_SEND(),in_train_etcs_id_34498,trainSaF_34499,trainNonce_34500). 32. The message new_rbc_id_34592 that may be sent on channel id[] by 26 may be received at input {31}. The message (sent_ETCS_ID_TYPE_34497,AU1(),DF_SEND(),in_train_etcs_id_34498,trainSaF_34499,trainNonce_34500) that the attacker may have by 31 may be received at input {33}. So the message (RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_34592,trainSaF_34499,rbcNonce_34597,mac(genSessionKey(trainNonce_34500,rbcNonce_34597,getKey(new_rbc_id_34592,in_train_etcs_id_34498)),((PAYLOAD_LENGTH(),in_train_etcs_id_34498,RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_34592,trainSaF_34499),rbcNonce_34597,trainNonce_34500,in_train_etcs_id_34498))) may be sent to the attacker at output {38}. attacker:(RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_34592,trainSaF_34499,rbcNonce_34597,mac(genSessionKey(trainNonce_34500,rbcNonce_34597,getKey(new_rbc_id_34592,in_train_etcs_id_34498)),((PAYLOAD_LENGTH(),in_train_etcs_id_34498,RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_34592,trainSaF_34499),rbcNonce_34597,trainNonce_34500,in_train_etcs_id_34498))). 33. By 32, the attacker may know (RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_34592,trainSaF_34499,rbcNonce_34597,mac(genSessionKey(trainNonce_34500,rbcNonce_34597,getKey(new_rbc_id_34592,in_train_etcs_id_34498)),((PAYLOAD_LENGTH(),in_train_etcs_id_34498,RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_34592,trainSaF_34499),rbcNonce_34597,trainNonce_34500,in_train_etcs_id_34498))). Using the function 4-proj-7-tuple the attacker may obtain new_rbc_id_34592. attacker:new_rbc_id_34592. 34. Using the function DF_RESP the attacker may obtain DF_RESP(). attacker:DF_RESP(). 35. Using the function AU2 the attacker may obtain AU2(). attacker:AU2(). 36. Using the function RBC_ETCS_ID_TYPE the attacker may obtain RBC_ETCS_ID_TYPE(). attacker:RBC_ETCS_ID_TYPE(). 37. By 36, the attacker may know RBC_ETCS_ID_TYPE(). By 35, the attacker may know AU2(). By 34, the attacker may know DF_RESP(). By 33, the attacker may know new_rbc_id_34592. By 13, the attacker may know rbcSaF_34560. By 25, the attacker may know rbcNonce_34594. By 17, the attacker may know mac(genSessionKey(trainNonce_34596,rbcNonce_34594,getKey(new_rbc_id_34592,train_etcs_id_34593)),((PAYLOAD_LENGTH(),train_etcs_id_34593,RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_34592,rbcSaF_34560),rbcNonce_34594,trainNonce_34596,train_etcs_id_34593)). Using the function 7-tuple the attacker may obtain (RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_34592,rbcSaF_34560,rbcNonce_34594,mac(genSessionKey(trainNonce_34596,rbcNonce_34594,getKey(new_rbc_id_34592,train_etcs_id_34593)),((PAYLOAD_LENGTH(),train_etcs_id_34593,RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_34592,rbcSaF_34560),rbcNonce_34594,trainNonce_34596,train_etcs_id_34593))). attacker:(RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_34592,rbcSaF_34560,rbcNonce_34594,mac(genSessionKey(trainNonce_34596,rbcNonce_34594,getKey(new_rbc_id_34592,train_etcs_id_34593)),((PAYLOAD_LENGTH(),train_etcs_id_34593,RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_34592,rbcSaF_34560),rbcNonce_34594,trainNonce_34596,train_etcs_id_34593))). 38. The message new_rbc_id_34595 that may be sent on channel id[] by 11 may be received at input {9}. The event trainStartSession(new_rbc_id_34595,train_etcs_id_34593,trainNonce_34596,SAF()) (with environment rbc_etcs_id_22 = new_rbc_id_34595, @sid_435 = @sid_34563, @sid_434 = @sid_34564, @occ11_29960 = @occ_cst()) may be executed at {11}. The message (RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_34592,rbcSaF_34560,rbcNonce_34594,mac(genSessionKey(trainNonce_34596,rbcNonce_34594,getKey(new_rbc_id_34592,train_etcs_id_34593)),((PAYLOAD_LENGTH(),train_etcs_id_34593,RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_34592,rbcSaF_34560),rbcNonce_34594,trainNonce_34596,train_etcs_id_34593))) that the attacker may have by 37 may be received at input {13}. So the message (ZEROS(),AU3(),DF_SEND(),mac(genSessionKey(trainNonce_34596,rbcNonce_34594,getKey(new_rbc_id_34592,train_etcs_id_34593)),(PAYLOAD_LENGTH(),train_etcs_id_34593,ZEROS(),AU3(),DF_SEND(),trainNonce_34596,rbcNonce_34594))) may be sent to the attacker at output {19}. attacker:(ZEROS(),AU3(),DF_SEND(),mac(genSessionKey(trainNonce_34596,rbcNonce_34594,getKey(new_rbc_id_34592,train_etcs_id_34593)),(PAYLOAD_LENGTH(),train_etcs_id_34593,ZEROS(),AU3(),DF_SEND(),trainNonce_34596,rbcNonce_34594))). 39. By 38, the attacker may know (ZEROS(),AU3(),DF_SEND(),mac(genSessionKey(trainNonce_34596,rbcNonce_34594,getKey(new_rbc_id_34592,train_etcs_id_34593)),(PAYLOAD_LENGTH(),train_etcs_id_34593,ZEROS(),AU3(),DF_SEND(),trainNonce_34596,rbcNonce_34594))). Using the function 4-proj-4-tuple the attacker may obtain mac(genSessionKey(trainNonce_34596,rbcNonce_34594,getKey(new_rbc_id_34592,train_etcs_id_34593)),(PAYLOAD_LENGTH(),train_etcs_id_34593,ZEROS(),AU3(),DF_SEND(),trainNonce_34596,rbcNonce_34594)). attacker:mac(genSessionKey(trainNonce_34596,rbcNonce_34594,getKey(new_rbc_id_34592,train_etcs_id_34593)),(PAYLOAD_LENGTH(),train_etcs_id_34593,ZEROS(),AU3(),DF_SEND(),trainNonce_34596,rbcNonce_34594)). 40. Using the function AU3 the attacker may obtain AU3(). attacker:AU3(). 41. Using the function ZEROS the attacker may obtain ZEROS(). attacker:ZEROS(). 42. By 41, the attacker may know ZEROS(). By 40, the attacker may know AU3(). By 7, the attacker may know DF_SEND(). By 39, the attacker may know mac(genSessionKey(trainNonce_34596,rbcNonce_34594,getKey(new_rbc_id_34592,train_etcs_id_34593)),(PAYLOAD_LENGTH(),train_etcs_id_34593,ZEROS(),AU3(),DF_SEND(),trainNonce_34596,rbcNonce_34594)). Using the function 4-tuple the attacker may obtain (ZEROS(),AU3(),DF_SEND(),mac(genSessionKey(trainNonce_34596,rbcNonce_34594,getKey(new_rbc_id_34592,train_etcs_id_34593)),(PAYLOAD_LENGTH(),train_etcs_id_34593,ZEROS(),AU3(),DF_SEND(),trainNonce_34596,rbcNonce_34594))). attacker:(ZEROS(),AU3(),DF_SEND(),mac(genSessionKey(trainNonce_34596,rbcNonce_34594,getKey(new_rbc_id_34592,train_etcs_id_34593)),(PAYLOAD_LENGTH(),train_etcs_id_34593,ZEROS(),AU3(),DF_SEND(),trainNonce_34596,rbcNonce_34594))). 43. The message new_rbc_id_34592 that may be sent on channel id[] by 1 may be received at input {31}. The message (sent_ETCS_ID_TYPE_34583,AU1(),DF_SEND(),train_etcs_id_34593,saf_34589,trainNonce_34596) that the attacker may have by 10 may be received at input {33}. The message (ZEROS(),AU3(),DF_SEND(),mac(genSessionKey(trainNonce_34596,rbcNonce_34594,getKey(new_rbc_id_34592,train_etcs_id_34593)),(PAYLOAD_LENGTH(),train_etcs_id_34593,ZEROS(),AU3(),DF_SEND(),trainNonce_34596,rbcNonce_34594))) that the attacker may have by 42 may be received at input {39}. So event rbcFinishSession(new_rbc_id_34592,train_etcs_id_34593,rbcNonce_34594,saf_34589,trainNonce_34596,genSessionKey(trainNonce_34596,rbcNonce_34594,getKey(new_rbc_id_34592,train_etcs_id_34593))) may be executed at {41} in session endsid_34585. end:endsid_34585,rbcFinishSession(new_rbc_id_34592,train_etcs_id_34593,rbcNonce_34594,saf_34589,trainNonce_34596,genSessionKey(trainNonce_34596,rbcNonce_34594,getKey(new_rbc_id_34592,train_etcs_id_34593))). Unified sent_ETCS_ID_TYPE_34518 with sent_ETCS_ID_TYPE_34583 Unified in_train_etcs_id_34519 with train_etcs_id_20[!1 = @sid_34564] Unified trainSaF_34520 with saf_34589 Unified trainNonce_34521 with trainNonce_23[rbc_etcs_id_22 = new_rbc_id_19[!1 = @sid_34467],!2 = @sid_34563,!1 = @sid_34564] Unified sent_ETCS_ID_TYPE_34539 with sent_ETCS_ID_TYPE_34583 Unified rbcSaF_34560 with saf_34589 Iterating unifyDerivation. Fixpoint reached: nothing more to unify. The clause after unifyDerivation is attacker:saf_34601 & begin:trainStartSession(new_rbc_id_19[!1 = @sid_34602],train_etcs_id_20[!1 = @sid_34600],trainNonce_23[rbc_etcs_id_22 = new_rbc_id_19[!1 = @sid_34602],!2 = @sid_34603,!1 = @sid_34600],SAF()), rbc_etcs_id_22 = new_rbc_id_19[!1 = @sid_34602], @sid_435 = @sid_34603, @sid_434 = @sid_34600, @occ11_29960 = @occ_cst() -> end:endsid_34598,rbcFinishSession(new_rbc_id_19[!1 = @sid_34599],train_etcs_id_20[!1 = @sid_34600],rbcNonce_37[rbc_etcs_id_36 = new_rbc_id_19[!1 = @sid_34599],!1 = endsid_34598],saf_34601,trainNonce_23[rbc_etcs_id_22 = new_rbc_id_19[!1 = @sid_34602],!2 = @sid_34603,!1 = @sid_34600],genSessionKey(trainNonce_23[rbc_etcs_id_22 = new_rbc_id_19[!1 = @sid_34602],!2 = @sid_34603,!1 = @sid_34600],rbcNonce_37[rbc_etcs_id_36 = new_rbc_id_19[!1 = @sid_34599],!1 = endsid_34598],getKey(new_rbc_id_19[!1 = @sid_34599],train_etcs_id_20[!1 = @sid_34600]))) This clause still contradicts the query. A more detailed output of the traces is available with param traceDisplay = long. new train_etcs_id_20 creating train_etcs_id_20_34624 at {6} in copy a_34607 new session_21 creating session_21_34676 at {8} in copy a_34607, a_34610 new new_rbc_id_19 creating new_rbc_id_19_34623 at {2} in copy a_34606 new new_rbc_id_19 creating new_rbc_id_19_34626 at {2} in copy a_34609 out(id, new_rbc_id_19_34626) at {4} in copy a_34609, a_34621 received at {9} in copy a_34607, a_34610 new trainNonce_23 creating trainNonce_23_34627 at {10} in copy a_34607, a_34610 event(trainStartSession(new_rbc_id_19_34626,train_etcs_id_20_34624,trainNonce_23_34627,SAF())) at {11} in copy a_34607, a_34610 out(c, (TRAIN_ETCS_ID_TYPE(),AU1(),DF_SEND(),train_etcs_id_20_34624,SAF(),trainNonce_23_34627)) at {12} in copy a_34607, a_34610 out(id, new_rbc_id_19_34623) at {4} in copy a_34606, a_34616 received at {31} in copy a_34612 new rbcNonce_37 creating rbcNonce_37_34628 at {32} in copy a_34612 in(c, (a_34615,AU1(),DF_SEND(),a_34614,a_34611,a_34613)) at {33} in copy a_34612 event(rbcStartSession(new_rbc_id_19_34623,a_34614,rbcNonce_37_34628,a_34611,a_34613)) at {34} in copy a_34612 out(c, encrypt(SECRET,genSessionKey(a_34613,rbcNonce_37_34628,getKey(new_rbc_id_19_34623,a_34614)))) at {36} in copy a_34612 out(c, encrypt(SECRET,getKey(new_rbc_id_19_34623,a_34614))) at {37} in copy a_34612 out(c, (RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_19_34623,a_34611,rbcNonce_37_34628,mac(genSessionKey(a_34613,rbcNonce_37_34628,getKey(new_rbc_id_19_34623,a_34614)),((PAYLOAD_LENGTH(),a_34614,RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_19_34623,a_34611),rbcNonce_37_34628,a_34613,a_34614)))) at {38} in copy a_34612 out(id, new_rbc_id_19_34623) at {4} in copy a_34606, a_34619 received at {31} in copy a_34605 new rbcNonce_37 creating rbcNonce_37_34625 at {32} in copy a_34605 in(c, (a_34617,AU1(),DF_SEND(),train_etcs_id_20_34624,a_34608,trainNonce_23_34627)) at {33} in copy a_34605 event(rbcStartSession(new_rbc_id_19_34623,train_etcs_id_20_34624,rbcNonce_37_34625,a_34608,trainNonce_23_34627)) at {34} in copy a_34605 out(c, encrypt(SECRET,genSessionKey(trainNonce_23_34627,rbcNonce_37_34625,getKey(new_rbc_id_19_34623,train_etcs_id_20_34624)))) at {36} in copy a_34605 out(c, encrypt(SECRET,getKey(new_rbc_id_19_34623,train_etcs_id_20_34624))) at {37} in copy a_34605 out(c, (RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_19_34623,a_34608,rbcNonce_37_34625,mac(genSessionKey(trainNonce_23_34627,rbcNonce_37_34625,getKey(new_rbc_id_19_34623,train_etcs_id_20_34624)),((PAYLOAD_LENGTH(),train_etcs_id_20_34624,RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_19_34623,a_34608),rbcNonce_37_34625,trainNonce_23_34627,train_etcs_id_20_34624)))) at {38} in copy a_34605 in(c, (RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_19_34623,a_34608,rbcNonce_37_34625,mac(genSessionKey(trainNonce_23_34627,rbcNonce_37_34625,getKey(new_rbc_id_19_34623,train_etcs_id_20_34624)),((PAYLOAD_LENGTH(),train_etcs_id_20_34624,RBC_ETCS_ID_TYPE(),AU2(),DF_RESP(),new_rbc_id_19_34623,a_34608),rbcNonce_37_34625,trainNonce_23_34627,train_etcs_id_20_34624)))) at {13} in copy a_34607, a_34610 out(c, encrypt(SECRET,genSessionKey(trainNonce_23_34627,rbcNonce_37_34625,getKey(new_rbc_id_19_34623,train_etcs_id_20_34624)))) at {15} in copy a_34607, a_34610 out(c, encrypt(SECRET,getKey(new_rbc_id_19_34623,train_etcs_id_20_34624))) at {16} in copy a_34607, a_34610 event(trainFinishSession(new_rbc_id_19_34623,train_etcs_id_20_34624,trainNonce_23_34627,a_34608,rbcNonce_37_34625,genSessionKey(trainNonce_23_34627,rbcNonce_37_34625,getKey(new_rbc_id_19_34623,train_etcs_id_20_34624)))) at {18} in copy a_34607, a_34610 out(c, (ZEROS(),AU3(),DF_SEND(),mac(genSessionKey(trainNonce_23_34627,rbcNonce_37_34625,getKey(new_rbc_id_19_34623,train_etcs_id_20_34624)),(PAYLOAD_LENGTH(),train_etcs_id_20_34624,ZEROS(),AU3(),DF_SEND(),trainNonce_23_34627,rbcNonce_37_34625)))) at {19} in copy a_34607, a_34610 new time_29 creating time_29_34776 at {20} in copy a_34607, a_34610 event(DataSent1(session_21_34676,(DT(),time_29_34776,MESSAGE_1()))) at {22} in copy a_34607, a_34610 out(c, (DT(),time_29_34776,MESSAGE_1())) at {23} in copy a_34607, a_34610 event(DataSent2(session_21_34676,(DT(),inc(time_29_34776),MESSAGE_2()))) at {25} in copy a_34607, a_34610 out(c, (DT(),inc(time_29_34776),MESSAGE_2())) at {26} in copy a_34607, a_34610 event(DataSent3(session_21_34676,(DT(),inc(inc(time_29_34776)),MESSAGE_3()))) at {28} in copy a_34607, a_34610 out(c, (DT(),inc(inc(time_29_34776)),MESSAGE_3())) at {29} in copy a_34607, a_34610 in(c, (ZEROS(),AU3(),DF_SEND(),mac(genSessionKey(trainNonce_23_34627,rbcNonce_37_34625,getKey(new_rbc_id_19_34623,train_etcs_id_20_34624)),(PAYLOAD_LENGTH(),train_etcs_id_20_34624,ZEROS(),AU3(),DF_SEND(),trainNonce_23_34627,rbcNonce_37_34625)))) at {39} in copy a_34605 event(rbcFinishSession(new_rbc_id_19_34623,train_etcs_id_20_34624,rbcNonce_37_34625,a_34608,trainNonce_23_34627,genSessionKey(trainNonce_23_34627,rbcNonce_37_34625,getKey(new_rbc_id_19_34623,train_etcs_id_20_34624)))) at {41} in copy a_34605 The event rbcFinishSession(new_rbc_id_19_34623,train_etcs_id_20_34624,rbcNonce_37_34625,a_34608,trainNonce_23_34627,genSessionKey(trainNonce_23_34627,rbcNonce_37_34625,getKey(new_rbc_id_19_34623,train_etcs_id_20_34624))) is executed in session a_34605. A trace has been found. RESULT evinj:rbcFinishSession(rbc_id_32068,train_id_32069,rbc_nonce_32070,saf_32071,train_nonce_32072,ks_32073) ==> evinj:trainStartSession(rbc_id_32068,train_id_32069,train_nonce_32072,saf_32071) is false. RESULT (even ev:rbcFinishSession(rbc_id_34434,train_id_34435,rbc_nonce_34438,saf_34437,train_nonce_34436,ks_34439) ==> ev:trainStartSession(rbc_id_34434,train_id_34435,train_nonce_34436,saf_34437) is false.) nounif greater:x_34806,*y_34807/-5000 -- Query evinj:trainFinishSession(rbc_id_34792,train_id_34793,train_nonce_34794,saf_34795,rbc_nonce_34796,ks_34797) ==> evinj:rbcStartSession(rbc_id_34792,train_id_34793,rbc_nonce_34796,saf_34795,train_nonce_34794) Completing... Starting query evinj:trainFinishSession(rbc_id_34792,train_id_34793,train_nonce_34794,saf_34795,rbc_nonce_34796,ks_34797) ==> evinj:rbcStartSession(rbc_id_34792,train_id_34793,rbc_nonce_34796,saf_34795,train_nonce_34794) goal reachable: begin:rbcStartSession(new_rbc_id_19[!1 = @sid_37234],train_etcs_id_20[!1 = @sid_37231],rbcNonce_37[rbc_etcs_id_36 = new_rbc_id_19[!1 = @sid_37234],!1 = @sid_37235],saf_37232,trainNonce_23[rbc_etcs_id_22 = new_rbc_id_19[!1 = @sid_37229],!2 = endsid_37230,!1 = @sid_37231]), trainNonce_41 = trainNonce_23[rbc_etcs_id_22 = new_rbc_id_19[!1 = @sid_37229],!2 = endsid_37230,!1 = @sid_37231], trainSaF_40 = saf_37232, in_train_etcs_id_39 = train_etcs_id_20[!1 = @sid_37231], sent_ETCS_ID_TYPE_38 = sent_ETCS_ID_TYPE_37233, rbc_etcs_id_36 = new_rbc_id_19[!1 = @sid_37234], @sid_1031 = @sid_37235, @occ34_35750 = @occ_cst() & attacker:sent_ETCS_ID_TYPE_37233 & attacker:saf_37232 -> end:endsid_37230,trainFinishSession(new_rbc_id_19[!1 = @sid_37234],train_etcs_id_20[!1 = @sid_37231],trainNonce_23[rbc_etcs_id_22 = new_rbc_id_19[!1 = @sid_37229],!2 = endsid_37230,!1 = @sid_37231],saf_37232,rbcNonce_37[rbc_etcs_id_36 = new_rbc_id_19[!1 = @sid_37234],!1 = @sid_37235],genSessionKey(trainNonce_23[rbc_etcs_id_22 = new_rbc_id_19[!1 = @sid_37229],!2 = endsid_37230,!1 = @sid_37231],rbcNonce_37[rbc_etcs_id_36 = new_rbc_id_19[!1 = @sid_37234],!1 = @sid_37235],getKey(new_rbc_id_19[!1 = @sid_37234],train_etcs_id_20[!1 = @sid_37231]))) RESULT evinj:trainFinishSession(rbc_id_34792,train_id_34793,train_nonce_34794,saf_34795,rbc_nonce_34796,ks_34797) ==> evinj:rbcStartSession(rbc_id_34792,train_id_34793,rbc_nonce_34796,saf_34795,train_nonce_34794) is true. nounif greater:x_37270,*y_37271/-5000 -- Query not attacker:SECRET[] Completing... Starting query not attacker:SECRET[] RESULT not attacker:SECRET[] is true.