src/HOL/Auth/TLS.ML
author paulson
Fri Jul 04 17:34:55 1997 +0200 (1997-07-04)
changeset 3500 0d8ad2f192d8
parent 3480 d59bbf053258
child 3506 a36e0a49d2cd
permissions -rw-r--r--
New constant "certificate"--just an abbreviation
paulson@3474
     1
(*  Title:      HOL/Auth/TLS
paulson@3474
     2
    ID:         $Id$
paulson@3474
     3
    Author:     Lawrence C Paulson, Cambridge University Computer Laboratory
paulson@3474
     4
    Copyright   1997  University of Cambridge
paulson@3474
     5
paulson@3474
     6
The public-key model has a weakness, especially concerning anonymous sessions.
paulson@3480
     7
The Spy's state is recorded as the trace of message.  But if he himself is the
paulson@3500
     8
Client and invents M, then he encrypts M with B's public key before sending
paulson@3500
     9
it.  This message gives no evidence that the spy knows M, and yet the spy
paulson@3500
    10
actually chose M!  So, in any property concerning the secrecy of some item,
paulson@3500
    11
one must establish that the spy didn't choose the item.  Guarantees normally
paulson@3500
    12
assume that the other party is uncompromised (otherwise, one can prove
paulson@3500
    13
little).
paulson@3480
    14
paulson@3480
    15
Protocol goals: 
paulson@3480
    16
* M, serverK(NA,NB,M) and clientK(NA,NB,M) will be known only to the two
paulson@3480
    17
     parties (though A is not necessarily authenticated).
paulson@3480
    18
paulson@3480
    19
* B upon receiving CERTIFICATE VERIFY knows that A is present (But this
paulson@3480
    20
    message is optional!)
paulson@3474
    21
paulson@3480
    22
* A upon receiving SERVER FINISHED knows that B is present
paulson@3480
    23
paulson@3480
    24
* Each party who has received a FINISHED message can trust that the other
paulson@3480
    25
  party agrees on all message components, including XA and XB (thus foiling
paulson@3480
    26
  rollback attacks).
paulson@3474
    27
*)
paulson@3474
    28
paulson@3474
    29
open TLS;
paulson@3474
    30
paulson@3474
    31
proof_timing:=true;
paulson@3474
    32
HOL_quantifiers := false;
paulson@3474
    33
paulson@3474
    34
AddIffs [Spy_in_lost, Server_not_lost];
paulson@3500
    35
Addsimps [certificate_def];
paulson@3474
    36
paulson@3480
    37
goal thy "!!A. A ~: lost ==> A ~= Spy";
paulson@3480
    38
by (Blast_tac 1);
paulson@3480
    39
qed "not_lost_not_eq_Spy";
paulson@3480
    40
Addsimps [not_lost_not_eq_Spy];
paulson@3480
    41
paulson@3474
    42
(*Injectiveness of key-generating functions*)
paulson@3474
    43
AddIffs [inj_clientK RS inj_eq, inj_serverK RS inj_eq];
paulson@3474
    44
paulson@3474
    45
(* invKey(clientK x) = clientK x  and similarly for serverK*)
paulson@3474
    46
Addsimps [isSym_clientK, rewrite_rule [isSymKey_def] isSym_clientK,
paulson@3474
    47
	  isSym_serverK, rewrite_rule [isSymKey_def] isSym_serverK];
paulson@3480
    48
paulson@3474
    49
paulson@3474
    50
(*Replacing the variable by a constant improves search speed by 50%!*)
paulson@3474
    51
val Says_imp_sees_Spy' = 
paulson@3474
    52
    read_instantiate_sg (sign_of thy) [("lost","lost")] Says_imp_sees_Spy;
paulson@3474
    53
paulson@3474
    54
paulson@3474
    55
(*** clientK and serverK make symmetric keys; no clashes with pubK or priK ***)
paulson@3474
    56
paulson@3474
    57
goal thy "pubK A ~= clientK arg";
paulson@3474
    58
br notI 1;
paulson@3474
    59
by (dres_inst_tac [("f","isSymKey")] arg_cong 1);
paulson@3474
    60
by (Full_simp_tac 1);
paulson@3474
    61
qed "pubK_neq_clientK";
paulson@3474
    62
paulson@3474
    63
goal thy "pubK A ~= serverK arg";
paulson@3474
    64
br notI 1;
paulson@3474
    65
by (dres_inst_tac [("f","isSymKey")] arg_cong 1);
paulson@3474
    66
by (Full_simp_tac 1);
paulson@3474
    67
qed "pubK_neq_serverK";
paulson@3474
    68
paulson@3474
    69
goal thy "priK A ~= clientK arg";
paulson@3474
    70
br notI 1;
paulson@3474
    71
by (dres_inst_tac [("f","isSymKey")] arg_cong 1);
paulson@3474
    72
by (Full_simp_tac 1);
paulson@3474
    73
qed "priK_neq_clientK";
paulson@3474
    74
paulson@3474
    75
goal thy "priK A ~= serverK arg";
paulson@3474
    76
br notI 1;
paulson@3474
    77
by (dres_inst_tac [("f","isSymKey")] arg_cong 1);
paulson@3474
    78
by (Full_simp_tac 1);
paulson@3474
    79
qed "priK_neq_serverK";
paulson@3474
    80
paulson@3480
    81
(*clientK and serverK have disjoint ranges*)
paulson@3480
    82
goal thy "clientK arg ~= serverK arg'";
paulson@3480
    83
by (cut_facts_tac [rangeI RS impOfSubs clientK_range] 1);
paulson@3480
    84
by (Blast_tac 1);
paulson@3480
    85
qed "clientK_neq_serverK";
paulson@3480
    86
paulson@3474
    87
val ths = [pubK_neq_clientK, pubK_neq_serverK, 
paulson@3480
    88
	   priK_neq_clientK, priK_neq_serverK, clientK_neq_serverK];
paulson@3474
    89
AddIffs (ths @ (ths RL [not_sym]));
paulson@3474
    90
paulson@3474
    91
paulson@3474
    92
(**** Protocol Proofs ****)
paulson@3474
    93
paulson@3474
    94
(*A "possibility property": there are traces that reach the end.
paulson@3474
    95
  This protocol has three end points and six messages to consider.*)
paulson@3474
    96
paulson@3474
    97
(*Possibility property ending with ServerFinished.*)
paulson@3474
    98
goal thy 
paulson@3474
    99
 "!!A B. A ~= B ==> EX NA XA NB XB M. EX evs: tls.    \
paulson@3474
   100
\  Says B A (Crypt (serverK(NA,NB,M))                 \
paulson@3474
   101
\            (Hash{|Hash{|Nonce NA, Nonce NB, Nonce M|}, \
paulson@3474
   102
\                   Nonce NA, Agent XA, Agent A,      \
paulson@3474
   103
\                   Nonce NB, Agent XB,               \
paulson@3500
   104
\                   certificate B (pubK B)|})) \
paulson@3474
   105
\    : set evs";
paulson@3474
   106
by (REPEAT (resolve_tac [exI,bexI] 1));
paulson@3474
   107
by (rtac (tls.Nil RS tls.ClientHello RS tls.ServerHello RS tls.ClientCertKeyEx
paulson@3474
   108
	  RS tls.ServerFinished) 2);
paulson@3474
   109
by possibility_tac;
paulson@3474
   110
result();
paulson@3474
   111
paulson@3474
   112
(*And one for ClientFinished.  Either FINISHED message may come first.*)
paulson@3474
   113
goal thy 
paulson@3474
   114
 "!!A B. A ~= B ==> EX NA XA NB XB M. EX evs: tls.    \
paulson@3474
   115
\  Says A B (Crypt (clientK(NA,NB,M))                 \
paulson@3474
   116
\            (Hash{|Hash{|Nonce NA, Nonce NB, Nonce M|}, \
paulson@3474
   117
\                   Nonce NA, Agent XA,               \
paulson@3500
   118
\                   certificate A (pubK A),      \
paulson@3474
   119
\                   Nonce NB, Agent XB, Agent B|})) : set evs";
paulson@3474
   120
by (REPEAT (resolve_tac [exI,bexI] 1));
paulson@3474
   121
by (rtac (tls.Nil RS tls.ClientHello RS tls.ServerHello RS tls.ClientCertKeyEx
paulson@3474
   122
	  RS tls.ClientFinished) 2);
paulson@3474
   123
by possibility_tac;
paulson@3474
   124
result();
paulson@3474
   125
paulson@3474
   126
(*Another one, for CertVerify (which is optional)*)
paulson@3474
   127
goal thy 
paulson@3474
   128
 "!!A B. A ~= B ==> EX NB. EX evs: tls.     \
paulson@3474
   129
\  Says A B (Crypt (priK A)                 \
paulson@3500
   130
\            (Hash{|Nonce NB, certificate B (pubK B)|})) : set evs";
paulson@3474
   131
by (REPEAT (resolve_tac [exI,bexI] 1));
paulson@3474
   132
by (rtac (tls.Nil RS tls.ClientHello RS tls.ServerHello RS tls.CertVerify) 2);
paulson@3474
   133
by possibility_tac;
paulson@3474
   134
result();
paulson@3474
   135
paulson@3474
   136
paulson@3474
   137
(**** Inductive proofs about tls ****)
paulson@3474
   138
paulson@3474
   139
(*Nobody sends themselves messages*)
paulson@3474
   140
goal thy "!!evs. evs : tls ==> ALL A X. Says A A X ~: set evs";
paulson@3474
   141
by (etac tls.induct 1);
paulson@3474
   142
by (Auto_tac());
paulson@3474
   143
qed_spec_mp "not_Says_to_self";
paulson@3474
   144
Addsimps [not_Says_to_self];
paulson@3474
   145
AddSEs   [not_Says_to_self RSN (2, rev_notE)];
paulson@3474
   146
paulson@3474
   147
paulson@3474
   148
(** Theorems of the form X ~: parts (sees lost Spy evs) imply that NOBODY
paulson@3474
   149
    sends messages containing X! **)
paulson@3474
   150
paulson@3474
   151
(*Spy never sees another agent's private key! (unless it's lost at start)*)
paulson@3474
   152
goal thy 
paulson@3474
   153
 "!!evs. evs : tls \
paulson@3474
   154
\        ==> (Key (priK A) : parts (sees lost Spy evs)) = (A : lost)";
paulson@3474
   155
by (etac tls.induct 1);
paulson@3474
   156
by (prove_simple_subgoals_tac 1);
paulson@3474
   157
by (Fake_parts_insert_tac 1);
paulson@3474
   158
qed "Spy_see_priK";
paulson@3474
   159
Addsimps [Spy_see_priK];
paulson@3474
   160
paulson@3474
   161
goal thy 
paulson@3474
   162
 "!!evs. evs : tls \
paulson@3474
   163
\        ==> (Key (priK A) : analz (sees lost Spy evs)) = (A : lost)";
paulson@3474
   164
by (auto_tac(!claset addDs [impOfSubs analz_subset_parts], !simpset));
paulson@3474
   165
qed "Spy_analz_priK";
paulson@3474
   166
Addsimps [Spy_analz_priK];
paulson@3474
   167
paulson@3474
   168
goal thy  "!!A. [| Key (priK A) : parts (sees lost Spy evs);       \
paulson@3474
   169
\                  evs : tls |] ==> A:lost";
paulson@3474
   170
by (blast_tac (!claset addDs [Spy_see_priK]) 1);
paulson@3474
   171
qed "Spy_see_priK_D";
paulson@3474
   172
paulson@3474
   173
bind_thm ("Spy_analz_priK_D", analz_subset_parts RS subsetD RS Spy_see_priK_D);
paulson@3474
   174
AddSDs [Spy_see_priK_D, Spy_analz_priK_D];
paulson@3474
   175
paulson@3474
   176
paulson@3474
   177
(*Every Nonce that's hashed is already in past traffic. *)
paulson@3474
   178
goal thy "!!evs. [| Hash {|Nonce N, X|} : parts (sees lost Spy evs);  \
paulson@3474
   179
\                   evs : tls |]  \
paulson@3474
   180
\                ==> Nonce N : parts (sees lost Spy evs)";
paulson@3474
   181
by (etac rev_mp 1);
paulson@3474
   182
by (etac tls.induct 1);
paulson@3474
   183
by (ALLGOALS (asm_simp_tac (!simpset addsimps [parts_insert_sees])));
paulson@3474
   184
by (step_tac (!claset addSDs [Says_imp_sees_Spy' RS parts.Inj]
paulson@3474
   185
		      addSEs partsEs) 1);
paulson@3474
   186
by (Fake_parts_insert_tac 1);
paulson@3474
   187
qed "Hash_imp_Nonce1";
paulson@3474
   188
paulson@3474
   189
(*Lemma needed to prove Hash_Hash_imp_Nonce*)
paulson@3474
   190
goal thy "!!evs. [| Hash{|Nonce NA, Nonce NB, Nonce M|}  \
paulson@3474
   191
\                       : parts (sees lost Spy evs);     \
paulson@3474
   192
\                   evs : tls |]  \
paulson@3474
   193
\                ==> Nonce M : parts (sees lost Spy evs)";
paulson@3474
   194
by (etac rev_mp 1);
paulson@3474
   195
by (etac tls.induct 1);
paulson@3474
   196
by (ALLGOALS (asm_simp_tac (!simpset addsimps [parts_insert_sees])));
paulson@3474
   197
by (step_tac (!claset addSDs [Says_imp_sees_Spy' RS parts.Inj]
paulson@3474
   198
		      addSEs partsEs) 1);
paulson@3474
   199
by (Fake_parts_insert_tac 1);
paulson@3474
   200
qed "Hash_imp_Nonce2";
paulson@3474
   201
AddSDs [Hash_imp_Nonce2];
paulson@3474
   202
paulson@3474
   203
goal thy "!!evs. [| Hash {| Hash{|Nonce NA, Nonce NB, Nonce M|}, X |}  \
paulson@3474
   204
\                      : parts (sees lost Spy evs);      \
paulson@3474
   205
\                   evs : tls |]                         \
paulson@3474
   206
\                ==> Nonce M : parts (sees lost Spy evs)";
paulson@3474
   207
by (etac rev_mp 1);
paulson@3474
   208
by (etac tls.induct 1);
paulson@3474
   209
by (ALLGOALS (asm_simp_tac (!simpset addsimps [parts_insert_sees])));
paulson@3474
   210
by (step_tac (!claset addSDs [Says_imp_sees_Spy' RS parts.Inj]
paulson@3474
   211
		      addSEs partsEs) 1);
paulson@3474
   212
by (Fake_parts_insert_tac 1);
paulson@3474
   213
qed "Hash_Hash_imp_Nonce";
paulson@3474
   214
paulson@3474
   215
paulson@3474
   216
(*NEEDED??
paulson@3474
   217
  Every Nonce that's hashed is already in past traffic. 
paulson@3474
   218
  This general formulation is tricky to prove and hard to use, since the
paulson@3474
   219
  2nd premise is typically proved by simplification.*)
paulson@3474
   220
goal thy "!!evs. [| Hash X : parts (sees lost Spy evs);  \
paulson@3474
   221
\                   Nonce N : parts {X};  evs : tls |]  \
paulson@3474
   222
\                ==> Nonce N : parts (sees lost Spy evs)";
paulson@3474
   223
by (etac rev_mp 1);
paulson@3474
   224
by (etac tls.induct 1);
paulson@3474
   225
by (ALLGOALS Asm_simp_tac);
paulson@3474
   226
by (step_tac (!claset addSDs [Says_imp_sees_Spy' RS parts.Inj]
paulson@3474
   227
		      addSEs partsEs) 1);
paulson@3474
   228
by (ALLGOALS (asm_full_simp_tac (!simpset addsimps [parts_insert_sees])));
paulson@3474
   229
(*ServerFinished*)
paulson@3474
   230
by (Blast_tac 3);
paulson@3474
   231
(*ClientFinished*)
paulson@3474
   232
by (Blast_tac 2);
paulson@3474
   233
by (Fake_parts_insert_tac 1);
paulson@3474
   234
qed "Hash_imp_Nonce_seen";
paulson@3474
   235
paulson@3474
   236
paulson@3474
   237
(*** Protocol goal: if B receives CERTIFICATE VERIFY, then A sent it ***)
paulson@3474
   238
paulson@3474
   239
(*Perhaps B~=Spy is unnecessary, but there's no obvious proof if the first
paulson@3480
   240
  message is Fake.  We don't need guarantees for the Spy anyway.  We must
paulson@3480
   241
  assume A~:lost; otherwise, the Spy can forge A's signature.*)
paulson@3500
   242
goalw thy [certificate_def]
paulson@3474
   243
 "!!evs. [| X = Crypt (priK A)                          \
paulson@3474
   244
\                 (Hash{|Nonce NB,                                      \
paulson@3500
   245
\                        certificate B KB|});    \
paulson@3474
   246
\           evs : tls;  A ~: lost;  B ~= Spy |]         \
paulson@3474
   247
\    ==> Says B A {|Nonce NA, Nonce NB, Agent XB,       \
paulson@3500
   248
\                   certificate B KB|} : set evs --> \
paulson@3474
   249
\        X : parts (sees lost Spy evs) --> Says A B X : set evs";
paulson@3480
   250
by (hyp_subst_tac 1);
paulson@3474
   251
by (etac tls.induct 1);
paulson@3474
   252
by (ALLGOALS Asm_simp_tac);
paulson@3474
   253
by (Fake_parts_insert_tac 1);
paulson@3480
   254
(*ServerHello: nonce NB cannot be in X because it's fresh!*)
paulson@3474
   255
by (blast_tac (!claset addSDs [Hash_imp_Nonce1]
paulson@3474
   256
	               addSEs sees_Spy_partsEs) 1);
paulson@3474
   257
qed_spec_mp "TrustCertVerify";
paulson@3474
   258
paulson@3474
   259
paulson@3474
   260
(*This lemma says that no false certificates exist.  One might extend the
paulson@3474
   261
  model to include bogus certificates for the lost agents, but there seems
paulson@3474
   262
  little point in doing so: the loss of their private keys is a worse
paulson@3474
   263
  breach of security.*)
paulson@3500
   264
goalw thy [certificate_def]
paulson@3474
   265
 "!!evs. evs : tls     \
paulson@3500
   266
\    ==> certificate B KB : parts (sees lost Spy evs) \
paulson@3474
   267
\        --> KB = pubK B";
paulson@3474
   268
by (etac tls.induct 1);
paulson@3474
   269
by (ALLGOALS Asm_simp_tac);
paulson@3474
   270
by (Fake_parts_insert_tac 2);
paulson@3474
   271
by (Blast_tac 1);
paulson@3474
   272
bind_thm ("Server_cert_pubB", result() RSN (2, rev_mp));
paulson@3474
   273
paulson@3474
   274
paulson@3474
   275
(*Replace key KB in ClientCertKeyEx by (pubK B) *)
paulson@3474
   276
val ClientCertKeyEx_tac = 
paulson@3474
   277
    forward_tac [Says_imp_sees_Spy' RS parts.Inj RS 
paulson@3474
   278
		 parts.Snd RS parts.Snd RS parts.Snd RS Server_cert_pubB]
paulson@3474
   279
    THEN' assume_tac
paulson@3474
   280
    THEN' hyp_subst_tac;
paulson@3474
   281
paulson@3474
   282
fun analz_induct_tac i = 
paulson@3474
   283
    etac tls.induct i   THEN
paulson@3480
   284
    ClientCertKeyEx_tac  (i+5)  THEN
paulson@3474
   285
    ALLGOALS (asm_simp_tac 
paulson@3474
   286
              (!simpset addsimps [not_parts_not_analz]
paulson@3474
   287
                        setloop split_tac [expand_if]))  THEN
paulson@3474
   288
    (*Remove instances of pubK B:  the Spy already knows all public keys.
paulson@3474
   289
      Combining the two simplifier calls makes them run extremely slowly.*)
paulson@3474
   290
    ALLGOALS (asm_simp_tac 
paulson@3474
   291
              (!simpset addsimps [insert_absorb]
paulson@3474
   292
                        setloop split_tac [expand_if]));
paulson@3474
   293
paulson@3480
   294
(*** Specialized rewriting for the analz_image_... theorems ***)
paulson@3480
   295
paulson@3480
   296
goal thy "insert (Key K) H = Key `` {K} Un H";
paulson@3480
   297
by (Blast_tac 1);
paulson@3480
   298
qed "insert_Key_singleton";
paulson@3480
   299
paulson@3480
   300
goal thy "insert (Key K) (Key``KK Un C) = Key `` (insert K KK) Un C";
paulson@3480
   301
by (Blast_tac 1);
paulson@3480
   302
qed "insert_Key_image";
paulson@3480
   303
paulson@3480
   304
(*Reverse the normal simplification of "image" to build up (not break down)
paulson@3480
   305
  the set of keys.  Based on analz_image_freshK_ss, but simpler.*)
paulson@3480
   306
val analz_image_keys_ss = 
paulson@3480
   307
     !simpset delsimps [image_insert, image_Un]
paulson@3480
   308
              addsimps [image_insert RS sym, image_Un RS sym,
paulson@3480
   309
			rangeI, 
paulson@3480
   310
			insert_Key_singleton, 
paulson@3480
   311
			insert_Key_image, Un_assoc RS sym]
paulson@3480
   312
              setloop split_tac [expand_if];
paulson@3480
   313
paulson@3480
   314
(*No collection of keys can help the spy get new private keys*)
paulson@3480
   315
goal thy  
paulson@3480
   316
 "!!evs. evs : tls ==>                                    \
paulson@3480
   317
\  ALL KK. (Key(priK B) : analz (Key``KK Un (sees lost Spy evs))) =  \
paulson@3480
   318
\            (priK B : KK | B : lost)";
paulson@3480
   319
by (etac tls.induct 1);
paulson@3480
   320
by (ALLGOALS (asm_simp_tac analz_image_keys_ss));
paulson@3480
   321
(*Fake*) 
paulson@3480
   322
by (spy_analz_tac 2);
paulson@3480
   323
(*Base*)
paulson@3480
   324
by (Blast_tac 1);
paulson@3480
   325
qed_spec_mp "analz_image_priK";
paulson@3480
   326
paulson@3480
   327
paulson@3480
   328
(*Lemma for the trivial direction of the if-and-only-if*)
paulson@3480
   329
goal thy  
paulson@3480
   330
 "!!evs. (X : analz (G Un H)) --> (X : analz H)  ==> \
paulson@3480
   331
\        (X : analz (G Un H))  =  (X : analz H)";
paulson@3480
   332
by (blast_tac (!claset addIs [impOfSubs analz_mono]) 1);
paulson@3480
   333
val lemma = result();
paulson@3480
   334
paulson@3480
   335
(*Knowing some clientKs and serverKs is no help in getting new nonces*)
paulson@3480
   336
goal thy  
paulson@3480
   337
 "!!evs. evs : tls ==>                                 \
paulson@3480
   338
\    ALL KK. KK <= (range clientK Un range serverK) -->           \
paulson@3480
   339
\            (Nonce N : analz (Key``KK Un (sees lost Spy evs))) = \
paulson@3480
   340
\            (Nonce N : analz (sees lost Spy evs))";
paulson@3480
   341
by (etac tls.induct 1);
paulson@3480
   342
by (ClientCertKeyEx_tac 6);
paulson@3480
   343
by (REPEAT_FIRST (resolve_tac [allI, impI]));
paulson@3480
   344
by (REPEAT_FIRST (rtac lemma ));
paulson@3480
   345
	(*SLOW: 30s!*)
paulson@3480
   346
by (ALLGOALS (asm_simp_tac analz_image_keys_ss));
paulson@3480
   347
by (ALLGOALS (asm_simp_tac
paulson@3480
   348
	      (!simpset addsimps [analz_image_priK, insert_absorb])));
paulson@3480
   349
(*ClientCertKeyEx: a nonce is sent, but one needs a priK to read it.*)
paulson@3480
   350
by (Blast_tac 3);
paulson@3480
   351
(*Fake*) 
paulson@3480
   352
by (spy_analz_tac 2);
paulson@3480
   353
(*Base*)
paulson@3480
   354
by (Blast_tac 1);
paulson@3480
   355
qed_spec_mp "analz_image_keys";
paulson@3480
   356
paulson@3480
   357
paulson@3480
   358
(*If A sends ClientCertKeyEx to an uncompromised B, then M will stay secret.
paulson@3480
   359
  The assumption is A~=Spy, not A~:lost, since A doesn't use her private key
paulson@3480
   360
  here.*)
paulson@3500
   361
goalw thy [certificate_def]
paulson@3480
   362
 "!!evs. [| evs : tls;  A~=Spy;  B ~: lost |]                       \
paulson@3500
   363
\        ==> Says A B {|certificate A (pubK A), \
paulson@3480
   364
\                       Crypt KB (Nonce M)|} : set evs -->             \
paulson@3480
   365
\            Nonce M ~: analz (sees lost Spy evs)";
paulson@3474
   366
by (analz_induct_tac 1);
paulson@3474
   367
(*ClientHello*)
paulson@3480
   368
by (blast_tac (!claset addSEs sees_Spy_partsEs) 3);
paulson@3480
   369
(*SpyKeys*)
paulson@3480
   370
by (asm_simp_tac (analz_image_keys_ss addsimps [analz_image_keys]) 2);
paulson@3474
   371
(*Fake*)
paulson@3474
   372
by (spy_analz_tac 1);
paulson@3474
   373
(*ServerHello and ClientCertKeyEx: mostly freshness reasoning*)
paulson@3474
   374
by (REPEAT (blast_tac (!claset addSEs partsEs
paulson@3474
   375
			       addDs  [impOfSubs analz_subset_parts,
paulson@3474
   376
				       Says_imp_sees_Spy' RS analz.Inj]) 1));
paulson@3474
   377
bind_thm ("Spy_not_see_premaster_secret", result() RSN (2, rev_mp));
paulson@3474
   378
paulson@3474
   379
paulson@3474
   380
(*** Protocol goal: serverK(NA,NB,M) and clientK(NA,NB,M) remain secure ***)
paulson@3474
   381
paulson@3480
   382
(*The two proofs are identical*)
paulson@3474
   383
goal thy 
paulson@3480
   384
 "!!evs. [| Nonce M ~: analz (sees lost Spy evs);  \
paulson@3480
   385
\           evs : tls |]                           \
paulson@3480
   386
\        ==> Key (clientK(NA,NB,M)) ~: parts (sees lost Spy evs)";
paulson@3480
   387
by (etac rev_mp 1);
paulson@3480
   388
by (analz_induct_tac 1);
paulson@3480
   389
(*SpyKeys*)
paulson@3480
   390
by (asm_simp_tac (analz_image_keys_ss addsimps [analz_image_keys]) 3);
paulson@3480
   391
by (blast_tac (!claset addDs [Says_imp_sees_Spy' RS analz.Inj]) 3);
paulson@3480
   392
(*Fake*) 
paulson@3480
   393
by (spy_analz_tac 2);
paulson@3480
   394
(*Base*)
paulson@3480
   395
by (Blast_tac 1);
paulson@3474
   396
qed "clientK_notin_parts";
paulson@3474
   397
paulson@3474
   398
goal thy 
paulson@3480
   399
 "!!evs. [| Nonce M ~: analz (sees lost Spy evs);  \
paulson@3480
   400
\           evs : tls |]                           \
paulson@3480
   401
\        ==> Key (serverK(NA,NB,M)) ~: parts (sees lost Spy evs)";
paulson@3480
   402
by (etac rev_mp 1);
paulson@3480
   403
by (analz_induct_tac 1);
paulson@3480
   404
(*SpyKeys*)
paulson@3480
   405
by (asm_simp_tac (analz_image_keys_ss addsimps [analz_image_keys]) 3);
paulson@3480
   406
by (blast_tac (!claset addDs [Says_imp_sees_Spy' RS analz.Inj]) 3);
paulson@3480
   407
(*Fake*) 
paulson@3480
   408
by (spy_analz_tac 2);
paulson@3480
   409
(*Base*)
paulson@3480
   410
by (Blast_tac 1);
paulson@3474
   411
qed "serverK_notin_parts";
paulson@3474
   412
paulson@3474
   413
paulson@3474
   414
(*** Protocol goals: if A receives SERVER FINISHED, then B is present 
paulson@3474
   415
     and has used the quoted values XA, XB, etc.  Note that it is up to A
paulson@3474
   416
     to compare XA with what she originally sent.
paulson@3474
   417
***)
paulson@3474
   418
paulson@3500
   419
goalw thy [certificate_def]
paulson@3480
   420
 "!!evs. [| X = Crypt (serverK(NA,NB,M))                            \
paulson@3480
   421
\                 (Hash{|Hash{|Nonce NA, Nonce NB, Nonce M|},       \
paulson@3480
   422
\                        Nonce NA, Agent XA, Agent A,               \
paulson@3480
   423
\                        Nonce NB, Agent XB,                        \
paulson@3500
   424
\                        certificate B (pubK B)|}); \
paulson@3480
   425
\           evs : tls;  A~=Spy;  B ~: lost |]                       \
paulson@3500
   426
\    ==> Says A B {|certificate A (pubK A),  \
paulson@3480
   427
\                   Crypt KB (Nonce M)|} : set evs -->              \
paulson@3480
   428
\        X : parts (sees lost Spy evs) --> Says B A X : set evs";
paulson@3480
   429
by (hyp_subst_tac 1);
paulson@3474
   430
by (etac tls.induct 1);
paulson@3474
   431
by (ALLGOALS Asm_simp_tac);
paulson@3480
   432
(*ClientCertKeyEx: M isn't in the Hash because it's fresh!*)
paulson@3480
   433
by (blast_tac (!claset addSDs [Hash_Hash_imp_Nonce]
paulson@3480
   434
                       addSEs sees_Spy_partsEs) 2);
paulson@3480
   435
(*Fake: the Spy doesn't have the critical session key!*)
paulson@3480
   436
by (REPEAT (rtac impI 1));
paulson@3480
   437
by (subgoal_tac "Key (serverK(NA,NB,M)) ~: analz (sees lost Spy evsa)" 1);
paulson@3480
   438
by (asm_simp_tac (!simpset addsimps [Spy_not_see_premaster_secret, 
paulson@3480
   439
				     serverK_notin_parts, 
paulson@3480
   440
				     not_parts_not_analz]) 2);
paulson@3474
   441
by (Fake_parts_insert_tac 1);
paulson@3474
   442
qed_spec_mp "TrustServerFinished";
paulson@3474
   443
paulson@3474
   444
paulson@3500
   445
(*** Protocol goal: if B receives CLIENT FINISHED, then A has used the
paulson@3500
   446
     quoted values XA, XB, etc., which B can then check.  BUT NOTE:
paulson@3500
   447
     B has no way of knowing that A is the sender of CERTIFICATE VERIFY
paulson@3500
   448
 ***)
paulson@3500
   449
goalw thy [certificate_def]
paulson@3474
   450
 "!!evs. [| X = Crypt (clientK(NA,NB,M))                        \
paulson@3474
   451
\                 (Hash{|Hash{|Nonce NA, Nonce NB, Nonce M|},   \
paulson@3474
   452
\                        Nonce NA, Agent XA,                    \
paulson@3500
   453
\                        certificate A (pubK A),                \
paulson@3474
   454
\                        Nonce NB, Agent XB, Agent B|});        \
paulson@3480
   455
\           evs : tls;  A~=Spy;  B ~: lost |]                   \
paulson@3500
   456
\     ==> Says A B {|certificate A (pubK A),                    \
paulson@3480
   457
\                    Crypt KB (Nonce M)|} : set evs -->              \
paulson@3480
   458
\         X : parts (sees lost Spy evs) --> Says A B X : set evs";
paulson@3480
   459
by (hyp_subst_tac 1);
paulson@3474
   460
by (etac tls.induct 1);
paulson@3474
   461
by (ALLGOALS Asm_simp_tac);
paulson@3480
   462
(*ClientCertKeyEx: M isn't in the Hash because it's fresh!*)
paulson@3480
   463
by (blast_tac (!claset addSDs [Hash_Hash_imp_Nonce]
paulson@3480
   464
                       addSEs sees_Spy_partsEs) 2);
paulson@3480
   465
(*Fake: the Spy doesn't have the critical session key!*)
paulson@3480
   466
by (REPEAT (rtac impI 1));
paulson@3480
   467
by (subgoal_tac "Key (clientK(NA,NB,M)) ~: analz (sees lost Spy evsa)" 1);
paulson@3480
   468
by (asm_simp_tac (!simpset addsimps [Spy_not_see_premaster_secret, 
paulson@3480
   469
				     clientK_notin_parts, 
paulson@3480
   470
				     not_parts_not_analz]) 2);
paulson@3474
   471
by (Fake_parts_insert_tac 1);
paulson@3474
   472
qed_spec_mp "TrustClientFinished";