src/HOL/Auth/Yahalom.ML
author paulson
Thu Jun 26 11:58:05 1997 +0200 (1997-06-26)
changeset 3464 315694e22856
parent 3450 cd73bc206d87
child 3465 e85c24717cad
permissions -rw-r--r--
Trivial changes in connection with the Yahalom paper.
Changed the order of the premises in no_nonce_YM1_YM2.

Installed B_trusts_YM4_newK using bind_thm.

Improved some comments.
paulson@1995
     1
(*  Title:      HOL/Auth/Yahalom
paulson@1985
     2
    ID:         $Id$
paulson@1985
     3
    Author:     Lawrence C Paulson, Cambridge University Computer Laboratory
paulson@1985
     4
    Copyright   1996  University of Cambridge
paulson@1985
     5
paulson@3432
     6
Inductive relation "yahalom" for the Yahalom protocol.
paulson@1985
     7
paulson@1985
     8
From page 257 of
paulson@1985
     9
  Burrows, Abadi and Needham.  A Logic of Authentication.
paulson@1985
    10
  Proc. Royal Soc. 426 (1989)
paulson@1985
    11
*)
paulson@1985
    12
paulson@1995
    13
open Yahalom;
paulson@1985
    14
paulson@1985
    15
proof_timing:=true;
paulson@1985
    16
HOL_quantifiers := false;
paulson@2516
    17
Pretty.setdepth 25;
paulson@1985
    18
paulson@3121
    19
(*Replacing the variable by a constant improves speed*)
paulson@3121
    20
val Says_imp_sees_Spy' = read_instantiate [("lost","lost")] Says_imp_sees_Spy;
oheimb@2637
    21
paulson@1995
    22
paulson@2322
    23
(*A "possibility property": there are traces that reach the end*)
paulson@1995
    24
goal thy 
paulson@1995
    25
 "!!A B. [| A ~= B; A ~= Server; B ~= Server |]   \
paulson@2032
    26
\        ==> EX X NB K. EX evs: yahalom lost.          \
paulson@2284
    27
\               Says A B {|X, Crypt K (Nonce NB)|} : set_of_list evs";
paulson@1995
    28
by (REPEAT (resolve_tac [exI,bexI] 1));
paulson@2516
    29
by (rtac (yahalom.Nil RS yahalom.YM1 RS yahalom.YM2 RS yahalom.YM3 RS 
paulson@2516
    30
          yahalom.YM4) 2);
paulson@2516
    31
by possibility_tac;
paulson@2013
    32
result();
paulson@1995
    33
paulson@1995
    34
paulson@1985
    35
(**** Inductive proofs about yahalom ****)
paulson@1985
    36
paulson@2110
    37
(*Monotonicity*)
paulson@2045
    38
goal thy "!!evs. lost' <= lost ==> yahalom lost' <= yahalom lost";
paulson@2045
    39
by (rtac subsetI 1);
paulson@2045
    40
by (etac yahalom.induct 1);
paulson@2045
    41
by (REPEAT_FIRST
paulson@3121
    42
    (blast_tac (!claset addIs (impOfSubs (sees_mono RS analz_mono RS synth_mono)
paulson@2045
    43
                              :: yahalom.intrs))));
paulson@2045
    44
qed "yahalom_mono";
paulson@2045
    45
paulson@1985
    46
paulson@1985
    47
(*Nobody sends themselves messages*)
paulson@2051
    48
goal thy "!!evs. evs: yahalom lost ==> ALL A X. Says A A X ~: set_of_list evs";
paulson@2032
    49
by (etac yahalom.induct 1);
paulson@1985
    50
by (Auto_tac());
paulson@1985
    51
qed_spec_mp "not_Says_to_self";
paulson@1985
    52
Addsimps [not_Says_to_self];
paulson@1985
    53
AddSEs   [not_Says_to_self RSN (2, rev_notE)];
paulson@1985
    54
paulson@1985
    55
paulson@1985
    56
(** For reasoning about the encrypted portion of messages **)
paulson@1985
    57
paulson@1995
    58
(*Lets us treat YM4 using a similar argument as for the Fake case.*)
paulson@2284
    59
goal thy "!!evs. Says S A {|Crypt (shrK A) Y, X|} : set_of_list evs ==> \
paulson@2032
    60
\                X : analz (sees lost Spy evs)";
paulson@3121
    61
by (blast_tac (!claset addSDs [Says_imp_sees_Spy' RS analz.Inj]) 1);
paulson@2032
    62
qed "YM4_analz_sees_Spy";
paulson@1985
    63
paulson@2110
    64
bind_thm ("YM4_parts_sees_Spy",
paulson@2110
    65
          YM4_analz_sees_Spy RS (impOfSubs analz_subset_parts));
paulson@2110
    66
paulson@2133
    67
(*Relates to both YM4 and Oops*)
paulson@2284
    68
goal thy "!!evs. Says S A {|Crypt (shrK A) {|B, K, NA, NB|}, X|} \
paulson@1995
    69
\                  : set_of_list evs ==> \
paulson@2032
    70
\                K : parts (sees lost Spy evs)";
paulson@3121
    71
by (blast_tac (!claset addSEs partsEs
paulson@3121
    72
                      addSDs [Says_imp_sees_Spy' RS parts.Inj]) 1);
paulson@2110
    73
qed "YM4_Key_parts_sees_Spy";
paulson@2110
    74
paulson@3121
    75
(*For proving the easier theorems about X ~: parts (sees lost Spy evs).
paulson@3121
    76
  We instantiate the variable to "lost" since leaving it as a Var would
paulson@3121
    77
  interfere with simplification.*)
paulson@3121
    78
val parts_sees_tac = 
paulson@3121
    79
    forw_inst_tac [("lost","lost")] YM4_parts_sees_Spy 6     THEN
paulson@3121
    80
    forw_inst_tac [("lost","lost")] YM4_Key_parts_sees_Spy 7 THEN
paulson@3121
    81
    prove_simple_subgoals_tac  1;
paulson@1985
    82
paulson@3121
    83
val parts_induct_tac = 
paulson@3121
    84
    etac yahalom.induct 1 THEN parts_sees_tac;
paulson@1985
    85
paulson@1985
    86
paulson@2032
    87
(** Theorems of the form X ~: parts (sees lost Spy evs) imply that NOBODY
paulson@2013
    88
    sends messages containing X! **)
paulson@1985
    89
paulson@2133
    90
(*Spy never sees another agent's shared key! (unless it's lost at start)*)
paulson@1985
    91
goal thy 
paulson@2133
    92
 "!!evs. evs : yahalom lost \
paulson@2133
    93
\        ==> (Key (shrK A) : parts (sees lost Spy evs)) = (A : lost)";
paulson@3121
    94
by parts_induct_tac;
paulson@3121
    95
by (Fake_parts_insert_tac 1);
paulson@3121
    96
by (Blast_tac 1);
paulson@2133
    97
qed "Spy_see_shrK";
paulson@2133
    98
Addsimps [Spy_see_shrK];
paulson@1985
    99
paulson@2133
   100
goal thy 
paulson@2133
   101
 "!!evs. evs : yahalom lost \
paulson@2133
   102
\        ==> (Key (shrK A) : analz (sees lost Spy evs)) = (A : lost)";
paulson@2133
   103
by (auto_tac(!claset addDs [impOfSubs analz_subset_parts], !simpset));
paulson@2133
   104
qed "Spy_analz_shrK";
paulson@2133
   105
Addsimps [Spy_analz_shrK];
paulson@1985
   106
paulson@2133
   107
goal thy  "!!A. [| Key (shrK A) : parts (sees lost Spy evs);       \
paulson@2133
   108
\                  evs : yahalom lost |] ==> A:lost";
paulson@3121
   109
by (blast_tac (!claset addDs [Spy_see_shrK]) 1);
paulson@2133
   110
qed "Spy_see_shrK_D";
paulson@1985
   111
paulson@2133
   112
bind_thm ("Spy_analz_shrK_D", analz_subset_parts RS subsetD RS Spy_see_shrK_D);
paulson@2133
   113
AddSDs [Spy_see_shrK_D, Spy_analz_shrK_D];
paulson@1985
   114
paulson@1985
   115
paulson@3432
   116
(*Nobody can have used non-existent keys!  Needed to apply analz_insert_Key*)
paulson@2516
   117
goal thy "!!evs. evs : yahalom lost ==>          \
paulson@2516
   118
\         Key K ~: used evs --> K ~: keysFor (parts (sees lost Spy evs))";
paulson@3121
   119
by parts_induct_tac;
paulson@2516
   120
(*YM4: Key K is not fresh!*)
paulson@3121
   121
by (blast_tac (!claset addSEs sees_Spy_partsEs) 3);
paulson@2516
   122
(*YM3*)
paulson@3121
   123
by (Blast_tac 2);
paulson@2516
   124
(*Fake*)
paulson@2516
   125
by (best_tac
paulson@2516
   126
      (!claset addIs [impOfSubs analz_subset_parts]
paulson@2516
   127
               addDs [impOfSubs (analz_subset_parts RS keysFor_mono),
paulson@2516
   128
                      impOfSubs (parts_insert_subset_Un RS keysFor_mono)]
paulson@2516
   129
               addss (!simpset)) 1);
paulson@2160
   130
qed_spec_mp "new_keys_not_used";
paulson@1985
   131
paulson@1985
   132
bind_thm ("new_keys_not_analzd",
paulson@2032
   133
          [analz_subset_parts RS keysFor_mono,
paulson@2032
   134
           new_keys_not_used] MRS contra_subsetD);
paulson@1985
   135
paulson@1985
   136
Addsimps [new_keys_not_used, new_keys_not_analzd];
paulson@1985
   137
paulson@1985
   138
paulson@2133
   139
(*Describes the form of K when the Server sends this message.  Useful for
paulson@2133
   140
  Oops as well as main secrecy property.*)
paulson@2110
   141
goal thy 
paulson@2516
   142
 "!!evs. [| Says Server A {|Crypt (shrK A) {|Agent B, Key K, NA, NB|}, X|} \
paulson@2516
   143
\             : set_of_list evs;                                           \
paulson@2516
   144
\           evs : yahalom lost |]                                          \
paulson@2516
   145
\        ==> K ~: range shrK";
paulson@2133
   146
by (etac rev_mp 1);
paulson@2133
   147
by (etac yahalom.induct 1);
paulson@3121
   148
by (ALLGOALS Asm_simp_tac);
paulson@3121
   149
by (Blast_tac 1);
paulson@2133
   150
qed "Says_Server_message_form";
paulson@2110
   151
paulson@2110
   152
paulson@2110
   153
(*For proofs involving analz.  We again instantiate the variable to "lost".*)
paulson@3121
   154
val analz_sees_tac = 
paulson@2133
   155
    forw_inst_tac [("lost","lost")] YM4_analz_sees_Spy 6 THEN
paulson@2133
   156
    forw_inst_tac [("lost","lost")] Says_Server_message_form 7 THEN
paulson@2516
   157
    assume_tac 7 THEN REPEAT ((etac exE ORELSE' hyp_subst_tac) 7);
paulson@1985
   158
paulson@1985
   159
paulson@1985
   160
(****
paulson@1985
   161
 The following is to prove theorems of the form
paulson@1985
   162
paulson@2516
   163
  Key K : analz (insert (Key KAB) (sees lost Spy evs)) ==>
paulson@2451
   164
  Key K : analz (sees lost Spy evs)
paulson@1985
   165
paulson@1985
   166
 A more general formula must be proved inductively.
paulson@1985
   167
****)
paulson@1985
   168
paulson@1985
   169
(** Session keys are not used to encrypt other session keys **)
paulson@1985
   170
paulson@1985
   171
goal thy  
paulson@2032
   172
 "!!evs. evs : yahalom lost ==> \
paulson@2516
   173
\  ALL K KK. KK <= Compl (range shrK) -->                      \
paulson@2516
   174
\            (Key K : analz (Key``KK Un (sees lost Spy evs))) = \
paulson@2516
   175
\            (K : KK | Key K : analz (sees lost Spy evs))";
paulson@2032
   176
by (etac yahalom.induct 1);
paulson@3121
   177
by analz_sees_tac;
paulson@2516
   178
by (REPEAT_FIRST (resolve_tac [allI, impI]));
paulson@2516
   179
by (REPEAT_FIRST (rtac analz_image_freshK_lemma ));
paulson@2516
   180
by (ALLGOALS (asm_simp_tac analz_image_freshK_ss));
paulson@3450
   181
(*Fake*) 
paulson@3450
   182
by (spy_analz_tac 2);
paulson@2516
   183
(*Base*)
paulson@3121
   184
by (Blast_tac 1);
paulson@2516
   185
qed_spec_mp "analz_image_freshK";
paulson@1985
   186
paulson@1985
   187
goal thy
paulson@2516
   188
 "!!evs. [| evs : yahalom lost;  KAB ~: range shrK |] ==>             \
paulson@2516
   189
\        Key K : analz (insert (Key KAB) (sees lost Spy evs)) = \
paulson@2516
   190
\        (K = KAB | Key K : analz (sees lost Spy evs))";
paulson@2516
   191
by (asm_simp_tac (analz_image_freshK_ss addsimps [analz_image_freshK]) 1);
paulson@2516
   192
qed "analz_insert_freshK";
paulson@1985
   193
paulson@1985
   194
paulson@2110
   195
(*** The Key K uniquely identifies the Server's  message. **)
paulson@2110
   196
paulson@2110
   197
goal thy 
paulson@2110
   198
 "!!evs. evs : yahalom lost ==>                                     \
paulson@3450
   199
\      EX A' B' na' nb' X'. ALL A B na nb X.                             \
paulson@2110
   200
\          Says Server A                                            \
paulson@3450
   201
\           {|Crypt (shrK A) {|Agent B, Key K, na, nb|}, X|}        \
paulson@3450
   202
\          : set_of_list evs --> A=A' & B=B' & na=na' & nb=nb' & X=X'";
paulson@2110
   203
by (etac yahalom.induct 1);
paulson@2110
   204
by (ALLGOALS (asm_simp_tac (!simpset addsimps [all_conj_distrib])));
paulson@2110
   205
by (Step_tac 1);
paulson@2133
   206
by (ex_strip_tac 2);
paulson@3121
   207
by (Blast_tac 2);
paulson@2110
   208
(*Remaining case: YM3*)
paulson@2110
   209
by (expand_case_tac "K = ?y" 1);
paulson@2110
   210
by (REPEAT (ares_tac [refl,exI,impI,conjI] 2));
paulson@2516
   211
(*...we assume X is a recent message and handle this case by contradiction*)
paulson@3121
   212
by (blast_tac (!claset addSEs sees_Spy_partsEs
paulson@3121
   213
                      delrules [conjI]    (*no split-up to 4 subgoals*)) 1);
paulson@2110
   214
val lemma = result();
paulson@2110
   215
paulson@2110
   216
goal thy 
paulson@2110
   217
"!!evs. [| Says Server A                                            \
paulson@3450
   218
\           {|Crypt (shrK A) {|Agent B, Key K, na, nb|}, X|}        \
paulson@2110
   219
\           : set_of_list evs;                                      \
paulson@2110
   220
\          Says Server A'                                           \
paulson@3450
   221
\           {|Crypt (shrK A') {|Agent B', Key K, na', nb'|}, X'|}   \
paulson@2110
   222
\           : set_of_list evs;                                      \
paulson@2110
   223
\          evs : yahalom lost |]                                    \
paulson@3450
   224
\       ==> A=A' & B=B' & na=na' & nb=nb'";
paulson@2451
   225
by (prove_unique_tac lemma 1);
paulson@2110
   226
qed "unique_session_keys";
paulson@2110
   227
paulson@2110
   228
paulson@2110
   229
(** Crucial secrecy property: Spy does not see the keys sent in msg YM3 **)
paulson@2013
   230
paulson@2013
   231
goal thy 
paulson@2133
   232
 "!!evs. [| A ~: lost;  B ~: lost;  evs : yahalom lost |]         \
paulson@2051
   233
\        ==> Says Server A                                        \
paulson@3450
   234
\              {|Crypt (shrK A) {|Agent B, Key K, na, nb|},       \
paulson@2284
   235
\                Crypt (shrK B) {|Agent A, Key K|}|}              \
paulson@2110
   236
\             : set_of_list evs -->                               \
paulson@3450
   237
\            Says A Spy {|na, nb, Key K|} ~: set_of_list evs -->  \
paulson@2051
   238
\            Key K ~: analz (sees lost Spy evs)";
paulson@2032
   239
by (etac yahalom.induct 1);
paulson@3121
   240
by analz_sees_tac;
paulson@2013
   241
by (ALLGOALS
paulson@2013
   242
    (asm_simp_tac 
paulson@3450
   243
     (!simpset addsimps [analz_insert_eq, not_parts_not_analz, 
paulson@3450
   244
			 analz_insert_freshK]
paulson@2013
   245
               setloop split_tac [expand_if])));
paulson@3450
   246
(*Oops*)
paulson@3450
   247
by (blast_tac (!claset addDs [unique_session_keys]) 3);
paulson@2013
   248
(*YM3*)
paulson@3121
   249
by (blast_tac (!claset delrules [impCE]
paulson@3121
   250
                       addSEs sees_Spy_partsEs
paulson@3121
   251
                       addIs [impOfSubs analz_subset_parts]) 2);
paulson@3450
   252
(*Fake*) 
paulson@3450
   253
by (spy_analz_tac 1);
paulson@2110
   254
val lemma = result() RS mp RS mp RSN(2,rev_notE);
paulson@2013
   255
paulson@2013
   256
paulson@3432
   257
(*Final version*)
paulson@1985
   258
goal thy 
paulson@2516
   259
 "!!evs. [| Says Server A                                         \
paulson@3450
   260
\              {|Crypt (shrK A) {|Agent B, Key K, na, nb|},       \
paulson@2516
   261
\                Crypt (shrK B) {|Agent A, Key K|}|}              \
paulson@2516
   262
\             : set_of_list evs;                                  \
paulson@3450
   263
\           Says A Spy {|na, nb, Key K|} ~: set_of_list evs;      \
paulson@2516
   264
\           A ~: lost;  B ~: lost;  evs : yahalom lost |]         \
paulson@2516
   265
\        ==> Key K ~: analz (sees lost Spy evs)";
paulson@2013
   266
by (forward_tac [Says_Server_message_form] 1 THEN assume_tac 1);
paulson@3121
   267
by (blast_tac (!claset addSEs [lemma]) 1);
paulson@2032
   268
qed "Spy_not_see_encrypted_key";
paulson@2001
   269
paulson@2001
   270
paulson@3432
   271
(*And other agents don't see the key either.*)
paulson@2045
   272
goal thy 
paulson@2516
   273
 "!!evs. [| C ~: {A,B,Server};                                    \
paulson@2516
   274
\           Says Server A                                         \
paulson@3450
   275
\              {|Crypt (shrK A) {|Agent B, Key K, na, nb|},       \
paulson@2516
   276
\                Crypt (shrK B) {|Agent A, Key K|}|}              \
paulson@2516
   277
\             : set_of_list evs;                                  \
paulson@3450
   278
\           Says A Spy {|na, nb, Key K|} ~: set_of_list evs;      \
paulson@2516
   279
\           A ~: lost;  B ~: lost;  evs : yahalom lost |]         \
paulson@2516
   280
\        ==> Key K ~: analz (sees lost C evs)";
paulson@2045
   281
by (rtac (subset_insertI RS sees_mono RS analz_mono RS contra_subsetD) 1);
paulson@2045
   282
by (rtac (sees_lost_agent_subset_sees_Spy RS analz_mono RS contra_subsetD) 1);
paulson@2045
   283
by (FIRSTGOAL (rtac Spy_not_see_encrypted_key));
paulson@3121
   284
by (REPEAT_FIRST (blast_tac (!claset addIs [yahalom_mono RS subsetD])));
paulson@2045
   285
qed "Agent_not_see_encrypted_key";
paulson@2045
   286
paulson@2045
   287
paulson@3444
   288
(*Induction for theorems of the form X ~: analz (sees lost Spy evs) --> ...
paulson@3444
   289
  It simplifies the proof by discarding needless information about
paulson@3444
   290
	analz (insert X (sees lost Spy evs)) 
paulson@3444
   291
*)
paulson@3444
   292
val analz_mono_parts_induct_tac = 
paulson@3444
   293
    etac yahalom.induct 1 
paulson@3444
   294
    THEN 
paulson@3444
   295
    REPEAT_FIRST  
paulson@3444
   296
      (rtac impI THEN' 
paulson@3444
   297
       dtac (sees_subset_sees_Says RS analz_mono RS contra_subsetD) THEN'
paulson@3444
   298
       mp_tac)  
paulson@3444
   299
    THEN  parts_sees_tac;
paulson@3444
   300
paulson@3444
   301
paulson@3444
   302
(** Security Guarantee for A upon receiving YM3 **)
paulson@3444
   303
paulson@3444
   304
(*If the encrypted message appears then it originated with the Server*)
paulson@3444
   305
goal thy
paulson@3450
   306
 "!!evs. [| Crypt (shrK A) {|Agent B, Key K, na, nb|}                  \
paulson@3444
   307
\            : parts (sees lost Spy evs);                              \
paulson@3444
   308
\           A ~: lost;  evs : yahalom lost |]                          \
paulson@3444
   309
\         ==> Says Server A                                            \
paulson@3450
   310
\              {|Crypt (shrK A) {|Agent B, Key K, na, nb|},            \
paulson@3444
   311
\                Crypt (shrK B) {|Agent A, Key K|}|}                   \
paulson@3444
   312
\             : set_of_list evs";
paulson@3444
   313
by (etac rev_mp 1);
paulson@3444
   314
by parts_induct_tac;
paulson@3444
   315
by (Fake_parts_insert_tac 1);
paulson@3444
   316
qed "A_trusts_YM3";
paulson@3444
   317
paulson@3444
   318
paulson@3444
   319
(** Security Guarantees for B upon receiving YM4 **)
paulson@2013
   320
paulson@2110
   321
(*B knows, by the first part of A's message, that the Server distributed 
paulson@2110
   322
  the key for A and B.  But this part says nothing about nonces.*)
paulson@2001
   323
goal thy 
paulson@2284
   324
 "!!evs. [| Crypt (shrK B) {|Agent A, Key K|} : parts (sees lost Spy evs); \
paulson@2051
   325
\           B ~: lost;  evs : yahalom lost |]                           \
paulson@2001
   326
\        ==> EX NA NB. Says Server A                                    \
paulson@2451
   327
\                        {|Crypt (shrK A) {|Agent B, Key K,             \
paulson@2516
   328
\                                           Nonce NA, Nonce NB|},       \
paulson@2284
   329
\                          Crypt (shrK B) {|Agent A, Key K|}|}          \
paulson@2013
   330
\                       : set_of_list evs";
paulson@2032
   331
by (etac rev_mp 1);
paulson@3121
   332
by parts_induct_tac;
paulson@3121
   333
by (Fake_parts_insert_tac 1);
paulson@2110
   334
(*YM3*)
paulson@3121
   335
by (Blast_tac 1);
paulson@2110
   336
qed "B_trusts_YM4_shrK";
paulson@2110
   337
paulson@3444
   338
(*B knows, by the second part of A's message, that the Server distributed 
paulson@3444
   339
  the key quoting nonce NB.  This part says nothing about agent names. 
paulson@3444
   340
  Secrecy of NB is crucial.*)
paulson@3444
   341
goal thy 
paulson@3444
   342
 "!!evs. evs : yahalom lost                                             \
paulson@3444
   343
\        ==> Nonce NB ~: analz (sees lost Spy evs) -->                  \
paulson@3444
   344
\            Crypt K (Nonce NB) : parts (sees lost Spy evs) -->         \
paulson@3444
   345
\            (EX A B NA. Says Server A                                  \
paulson@3444
   346
\                        {|Crypt (shrK A) {|Agent B, Key K,             \
paulson@3444
   347
\                                  Nonce NA, Nonce NB|},                \
paulson@3444
   348
\                          Crypt (shrK B) {|Agent A, Key K|}|}          \
paulson@3444
   349
\                       : set_of_list evs)";
paulson@3444
   350
by analz_mono_parts_induct_tac;
paulson@3444
   351
(*YM3 & Fake*)
paulson@3444
   352
by (Blast_tac 2);
paulson@3444
   353
by (Fake_parts_insert_tac 1);
paulson@3444
   354
(*YM4*)
paulson@3444
   355
by (Step_tac 1);
paulson@3444
   356
(*A is uncompromised because NB is secure*)
paulson@3444
   357
by (not_lost_tac "A" 1);
paulson@3444
   358
(*A's certificate guarantees the existence of the Server message*)
paulson@3444
   359
by (blast_tac (!claset addDs [Says_imp_sees_Spy' RS parts.Inj RS parts.Fst RS
paulson@3444
   360
			      A_trusts_YM3]) 1);
paulson@3464
   361
bind_thm ("B_trusts_YM4_newK", result() RS mp RSN (2, rev_mp));
paulson@2133
   362
paulson@3444
   363
paulson@3444
   364
(**** Towards proving secrecy of Nonce NB ****)
paulson@3444
   365
paulson@3444
   366
(** Lemmas about the predicate KeyWithNonce **)
paulson@3444
   367
paulson@3444
   368
goalw thy [KeyWithNonce_def]
paulson@3444
   369
 "!!evs. Says Server A                                              \
paulson@3444
   370
\            {|Crypt (shrK A) {|Agent B, Key K, na, Nonce NB|}, X|} \
paulson@3444
   371
\          : set_of_list evs ==> KeyWithNonce K NB evs";
paulson@3444
   372
by (Blast_tac 1);
paulson@3444
   373
qed "KeyWithNonceI";
paulson@3444
   374
paulson@3444
   375
goalw thy [KeyWithNonce_def]
paulson@3444
   376
   "KeyWithNonce K NB (Says S A X # evs) =                                    \
paulson@3444
   377
\    (Server = S &                                                            \
paulson@3444
   378
\     (EX B n X'. X = {|Crypt (shrK A) {|Agent B, Key K, n, Nonce NB|}, X'|}) \
paulson@3444
   379
\    | KeyWithNonce K NB evs)";
paulson@3444
   380
by (Simp_tac 1);
paulson@3444
   381
by (Blast_tac 1);
paulson@3444
   382
qed "KeyWithNonce_Says";
paulson@3444
   383
Addsimps [KeyWithNonce_Says];
paulson@3444
   384
paulson@3464
   385
(*A fresh key cannot be associated with any nonce 
paulson@3464
   386
  (with respect to a given trace). *)
paulson@3444
   387
goalw thy [KeyWithNonce_def]
paulson@3444
   388
 "!!evs. Key K ~: used evs ==> ~ KeyWithNonce K NB evs";
paulson@3444
   389
by (blast_tac (!claset addSEs sees_Spy_partsEs) 1);
paulson@3444
   390
qed "fresh_not_KeyWithNonce";
paulson@3444
   391
paulson@3444
   392
(*The Server message associates K with NB' and therefore not with any 
paulson@3444
   393
  other nonce NB.*)
paulson@3444
   394
goalw thy [KeyWithNonce_def]
paulson@3444
   395
 "!!evs. [| Says Server A                                                \
paulson@3444
   396
\                {|Crypt (shrK A) {|Agent B, Key K, na, Nonce NB'|}, X|} \
paulson@3444
   397
\             : set_of_list evs;                                         \
paulson@3444
   398
\           NB ~= NB';  evs : yahalom lost |]                            \
paulson@3444
   399
\        ==> ~ KeyWithNonce K NB evs";
paulson@3444
   400
by (blast_tac (!claset addDs [unique_session_keys]) 1);
paulson@3444
   401
qed "Says_Server_KeyWithNonce";
paulson@3444
   402
paulson@3444
   403
paulson@3444
   404
(*The only nonces that can be found with the help of session keys are
paulson@3444
   405
  those distributed as nonce NB by the Server.  The form of the theorem
paulson@3444
   406
  recalls analz_image_freshK, but it is much more complicated.*)
paulson@3444
   407
paulson@3444
   408
paulson@3444
   409
(*As with analz_image_freshK, we take some pains to express the property
paulson@3444
   410
  as a logical equivalence so that the simplifier can apply it.*)
paulson@3444
   411
goal thy  
paulson@3444
   412
 "!!evs. P --> (X : analz (G Un H)) --> (X : analz H)  ==> \
paulson@3444
   413
\        P --> (X : analz (G Un H)) = (X : analz H)";
paulson@3444
   414
by (blast_tac (!claset addIs [impOfSubs analz_mono]) 1);
paulson@3444
   415
val lemma = result();
paulson@2133
   416
paulson@2133
   417
goal thy 
paulson@3444
   418
 "!!evs. evs : yahalom lost ==>                                         \
paulson@3444
   419
\        (ALL KK. KK <= Compl (range shrK) -->                          \
paulson@3444
   420
\             (ALL K: KK. ~ KeyWithNonce K NB evs)   -->                \
paulson@3444
   421
\             (Nonce NB : analz (Key``KK Un (sees lost Spy evs))) =     \
paulson@3444
   422
\             (Nonce NB : analz (sees lost Spy evs)))";
paulson@3444
   423
by (etac yahalom.induct 1);
paulson@3444
   424
by analz_sees_tac;
paulson@3444
   425
by (REPEAT_FIRST (resolve_tac [impI RS allI]));
paulson@3444
   426
by (REPEAT_FIRST (rtac lemma));
paulson@3444
   427
(*For Oops, simplification proves NBa~=NB.  By Says_Server_KeyWithNonce,
paulson@3444
   428
  we get (~ KeyWithNonce K NB evsa); then simplification can apply the
paulson@3444
   429
  induction hypothesis with KK = {K}.*)
paulson@3444
   430
by (ALLGOALS  (*22 seconds*)
paulson@3444
   431
    (asm_simp_tac 
paulson@3444
   432
     (analz_image_freshK_ss addsimps
paulson@3444
   433
        ([all_conj_distrib, not_parts_not_analz, analz_image_freshK,
paulson@3444
   434
	  KeyWithNonce_Says, fresh_not_KeyWithNonce, 
paulson@3444
   435
	  imp_disj_not1,  (*Moves NBa~=NB to the front*)
paulson@3444
   436
	  Says_Server_KeyWithNonce] 
paulson@3444
   437
	 @ pushes))));
paulson@3444
   438
(*Base*)
paulson@3444
   439
by (Blast_tac 1);
paulson@3444
   440
(*Fake*) 
paulson@3444
   441
by (spy_analz_tac 1);
paulson@3444
   442
(*YM4*)  (** LEVEL 7 **)
paulson@3444
   443
by (not_lost_tac "A" 1);
paulson@3444
   444
by (dtac (Says_imp_sees_Spy' RS parts.Inj RS parts.Fst RS A_trusts_YM3) 1
paulson@3444
   445
    THEN REPEAT (assume_tac 1));
paulson@3444
   446
by (blast_tac (!claset addIs [KeyWithNonceI]) 1);
paulson@3444
   447
qed_spec_mp "Nonce_secrecy";
paulson@3444
   448
paulson@3444
   449
paulson@3444
   450
(*Version required below: if NB can be decrypted using a session key then it
paulson@3444
   451
  was distributed with that key.  The more general form above is required
paulson@3444
   452
  for the induction to carry through.*)
paulson@3444
   453
goal thy 
paulson@3444
   454
 "!!evs. [| Says Server A                                                 \
paulson@3444
   455
\            {|Crypt (shrK A) {|Agent B, Key KAB, na, Nonce NB'|}, X|}    \
paulson@3444
   456
\           : set_of_list evs;                                            \
paulson@3444
   457
\           NB ~= NB';  KAB ~: range shrK;  evs : yahalom lost |]         \
paulson@3444
   458
\        ==> (Nonce NB : analz (insert (Key KAB) (sees lost Spy evs))) =  \
paulson@3444
   459
\            (Nonce NB : analz (sees lost Spy evs))";
paulson@3444
   460
by (asm_simp_tac (analz_image_freshK_ss addsimps 
paulson@3444
   461
		  [Nonce_secrecy, Says_Server_KeyWithNonce]) 1);
paulson@3444
   462
qed "single_Nonce_secrecy";
paulson@3444
   463
paulson@3444
   464
paulson@3444
   465
(*** The Nonce NB uniquely identifies B's message. ***)
paulson@3444
   466
paulson@3444
   467
goal thy 
paulson@3444
   468
 "!!evs. evs : yahalom lost ==>                                            \
paulson@3444
   469
\   EX NA' A' B'. ALL NA A B.                                              \
paulson@2284
   470
\      Crypt (shrK B) {|Agent A, Nonce NA, NB|} : parts(sees lost Spy evs) \
paulson@2133
   471
\      --> B ~: lost --> NA = NA' & A = A' & B = B'";
paulson@3121
   472
by parts_induct_tac;
paulson@3121
   473
(*Fake*)
paulson@3121
   474
by (REPEAT (etac (exI RSN (2,exE)) 1)   (*stripping EXs makes proof faster*)
paulson@3121
   475
    THEN Fake_parts_insert_tac 1);
paulson@3121
   476
by (asm_simp_tac (!simpset addsimps [all_conj_distrib]) 1); 
paulson@2133
   477
(*YM2: creation of new Nonce.  Move assertion into global context*)
paulson@2133
   478
by (expand_case_tac "NB = ?y" 1);
paulson@2516
   479
by (REPEAT (resolve_tac [exI, conjI, impI, refl] 1));
paulson@3121
   480
by (blast_tac (!claset addSEs sees_Spy_partsEs) 1);
paulson@2133
   481
val lemma = result();
paulson@2133
   482
paulson@2110
   483
goal thy 
paulson@3444
   484
 "!!evs.[| Crypt (shrK B) {|Agent A, Nonce NA, NB|}        \
paulson@3444
   485
\                  : parts (sees lost Spy evs);            \
paulson@3444
   486
\          Crypt (shrK B') {|Agent A', Nonce NA', NB|}     \
paulson@3444
   487
\                  : parts (sees lost Spy evs);            \
paulson@2133
   488
\          evs : yahalom lost;  B ~: lost;  B' ~: lost |]  \
paulson@2133
   489
\        ==> NA' = NA & A' = A & B' = B";
paulson@2451
   490
by (prove_unique_tac lemma 1);
paulson@2133
   491
qed "unique_NB";
paulson@2133
   492
paulson@2133
   493
paulson@3444
   494
(*Variant useful for proving secrecy of NB: the Says... form allows 
paulson@3444
   495
  not_lost_tac to remove the assumption B' ~: lost.*)
paulson@2133
   496
goal thy 
paulson@3444
   497
 "!!evs.[| Says C D   {|X,  Crypt (shrK B) {|Agent A, Nonce NA, NB|}|}    \
paulson@3444
   498
\            : set_of_list evs;  B ~: lost;                               \
paulson@2284
   499
\          Says C' D' {|X', Crypt (shrK B') {|Agent A', Nonce NA', NB|}|} \
paulson@3444
   500
\            : set_of_list evs;                                           \
paulson@3444
   501
\          NB ~: analz (sees lost Spy evs);  evs : yahalom lost |]        \
paulson@2133
   502
\        ==> NA' = NA & A' = A & B' = B";
paulson@3444
   503
by (not_lost_tac "B'" 1);
paulson@3121
   504
by (blast_tac (!claset addSDs [Says_imp_sees_Spy' RS parts.Inj]
paulson@3121
   505
                       addSEs [MPair_parts]
paulson@3121
   506
                       addDs  [unique_NB]) 1);
paulson@2133
   507
qed "Says_unique_NB";
paulson@2133
   508
paulson@3444
   509
val Says_unique_NB' = read_instantiate [("lost","lost")] Says_unique_NB;
paulson@3444
   510
paulson@3444
   511
paulson@3444
   512
(** A nonce value is never used both as NA and as NB **)
paulson@3121
   513
paulson@2133
   514
goal thy 
paulson@3464
   515
 "!!evs. [| B ~: lost;  evs : yahalom lost  |]       \
paulson@3464
   516
\ ==> Nonce NB ~: analz (sees lost Spy evs) -->      \
paulson@3464
   517
\     Crypt (shrK B') {|Agent A', Nonce NB, NB'|}    \
paulson@3464
   518
\       : parts(sees lost Spy evs)                   \
paulson@3464
   519
\ --> Crypt (shrK B) {|Agent A, Nonce NA, Nonce NB|} \
paulson@3464
   520
\       ~: parts(sees lost Spy evs)";
paulson@3121
   521
by analz_mono_parts_induct_tac;
paulson@3121
   522
by (Fake_parts_insert_tac 1);
paulson@3121
   523
by (blast_tac (!claset addDs [Says_imp_sees_Spy' RS analz.Inj]
paulson@3121
   524
                       addSIs [parts_insertI]
paulson@3121
   525
                       addSEs partsEs) 1);
paulson@3464
   526
bind_thm ("no_nonce_YM1_YM2", result() RS mp RSN (2,rev_mp) RSN (2,rev_notE));
paulson@2133
   527
paulson@3464
   528
(*The Server sends YM3 only in response to YM2.*)
paulson@2133
   529
goal thy 
paulson@2133
   530
 "!!evs. [| Says Server A                                           \
paulson@2284
   531
\            {|Crypt (shrK A) {|Agent B, k, na, nb|}, X|} : set_of_list evs; \
paulson@2133
   532
\           evs : yahalom lost |]                                        \
paulson@2133
   533
\        ==> EX B'. Says B' Server                                       \
paulson@2284
   534
\                      {| Agent B, Crypt (shrK B) {|Agent A, na, nb|} |} \
paulson@2133
   535
\                   : set_of_list evs";
paulson@2133
   536
by (etac rev_mp 1);
paulson@2133
   537
by (etac yahalom.induct 1);
paulson@2133
   538
by (ALLGOALS Asm_simp_tac);
paulson@3121
   539
by (ALLGOALS Blast_tac);
paulson@2133
   540
qed "Says_Server_imp_YM2";
paulson@2133
   541
paulson@2133
   542
paulson@3464
   543
(*A vital theorem for B, that nonce NB remains secure from the Spy.
paulson@3444
   544
  Unusually, the Fake case requires Spy:lost.*)
paulson@2133
   545
goal thy 
paulson@2133
   546
 "!!evs. [| A ~: lost;  B ~: lost;  Spy: lost;  evs : yahalom lost |]  \
paulson@2133
   547
\ ==> Says B Server                                                    \
paulson@2284
   548
\          {|Agent B, Crypt (shrK B) {|Agent A, Nonce NA, Nonce NB|}|} \
paulson@2133
   549
\     : set_of_list evs -->                               \
paulson@2133
   550
\     (ALL k. Says A Spy {|Nonce NA, Nonce NB, k|} ~: set_of_list evs) -->  \
paulson@2133
   551
\     Nonce NB ~: analz (sees lost Spy evs)";
paulson@2133
   552
by (etac yahalom.induct 1);
paulson@3121
   553
by analz_sees_tac;
paulson@2133
   554
by (ALLGOALS
paulson@2133
   555
    (asm_simp_tac 
paulson@3444
   556
     (!simpset addsimps ([analz_insert_eq, not_parts_not_analz,
paulson@2516
   557
                          analz_insert_freshK] @ pushes)
paulson@2133
   558
               setloop split_tac [expand_if])));
paulson@3450
   559
(*Prove YM3 by showing that no NB can also be an NA*)
paulson@3450
   560
by (blast_tac (!claset addDs [Says_imp_sees_Spy' RS parts.Inj]
paulson@3450
   561
	               addSEs [MPair_parts]
paulson@3450
   562
		       addDs  [no_nonce_YM1_YM2, Says_unique_NB']) 4
paulson@3450
   563
    THEN flexflex_tac);
paulson@3444
   564
(*YM2: similar freshness reasoning*) 
paulson@3121
   565
by (blast_tac (!claset addSEs partsEs
paulson@3121
   566
		       addDs  [Says_imp_sees_Spy' RS analz.Inj,
paulson@3450
   567
			       impOfSubs analz_subset_parts]) 3);
paulson@3450
   568
(*YM1: NB=NA is impossible anyway, but NA is secret because it is fresh!*)
paulson@3450
   569
by (blast_tac (!claset addSIs [parts_insertI]
paulson@3450
   570
                       addSEs sees_Spy_partsEs) 2);
paulson@2377
   571
(*Fake*)
paulson@2377
   572
by (spy_analz_tac 1);
paulson@3444
   573
(** LEVEL 7: YM4 and Oops remain **)
paulson@3444
   574
(*YM4: key K is visible to Spy, contradicting session key secrecy theorem*) 
paulson@3444
   575
by (REPEAT (Safe_step_tac 1));
paulson@3444
   576
by (not_lost_tac "Aa" 1);
paulson@3121
   577
by (dtac (Says_imp_sees_Spy' RS parts.Inj RS parts.Fst RS A_trusts_YM3) 1);
paulson@2133
   578
by (forward_tac [Says_Server_message_form] 3);
paulson@2133
   579
by (forward_tac [Says_Server_imp_YM2] 4);
paulson@3121
   580
by (REPEAT_FIRST (eresolve_tac [asm_rl, bexE, exE, disjE]));
paulson@3444
   581
(*  use Says_unique_NB' to identify message components: Aa=A, Ba=B, NAa=NA *)
paulson@3444
   582
by (blast_tac (!claset addDs [Says_unique_NB', Spy_not_see_encrypted_key,
paulson@3444
   583
			      impOfSubs Fake_analz_insert]) 1);
paulson@3444
   584
(** LEVEL 14 **)
paulson@3444
   585
(*Oops case: if the nonce is betrayed now, show that the Oops event is 
paulson@3444
   586
  covered by the quantified Oops assumption.*)
paulson@2133
   587
by (full_simp_tac (!simpset addsimps [all_conj_distrib]) 1);
paulson@2133
   588
by (step_tac (!claset delrules [disjE, conjI]) 1);
paulson@2133
   589
by (forward_tac [Says_Server_imp_YM2] 1 THEN assume_tac 1 THEN etac exE 1);
paulson@2133
   590
by (expand_case_tac "NB = NBa" 1);
paulson@3444
   591
(*If NB=NBa then all other components of the Oops message agree*)
paulson@3444
   592
by (blast_tac (!claset addDs [Says_unique_NB']) 1 THEN flexflex_tac);
paulson@3444
   593
(*case NB ~= NBa*)
paulson@3444
   594
by (asm_simp_tac (!simpset addsimps [single_Nonce_secrecy]) 1);
paulson@3444
   595
by (blast_tac (!claset addSEs [MPair_parts]
paulson@3444
   596
		       addDs  [Says_imp_sees_Spy' RS parts.Inj, 
paulson@3444
   597
			       no_nonce_YM1_YM2 (*to prove NB~=NAa*) ]) 1);
paulson@3444
   598
bind_thm ("Spy_not_see_NB", result() RSN(2,rev_mp) RSN(2,rev_mp));
paulson@2133
   599
paulson@2001
   600
paulson@3464
   601
(*B's session key guarantee from YM4.  The two certificates contribute to a
paulson@3464
   602
  single conclusion about the Server's message.  Note that the "Says A Spy"
paulson@3464
   603
  assumption must quantify over ALL POSSIBLE keys instead of our particular K.
paulson@3464
   604
  If this run is broken and the spy substitutes a certificate containing an
paulson@3464
   605
  old key, B has no means of telling.*)
paulson@2001
   606
goal thy 
paulson@3444
   607
 "!!evs. [| Says B Server                                                   \
paulson@3444
   608
\             {|Agent B, Crypt (shrK B) {|Agent A, Nonce NA, Nonce NB|}|}   \
paulson@3444
   609
\             : set_of_list evs;                                            \
paulson@3444
   610
\           Says A' B {|Crypt (shrK B) {|Agent A, Key K|},                  \
paulson@3444
   611
\                       Crypt K (Nonce NB)|} : set_of_list evs;             \
paulson@2133
   612
\           ALL k. Says A Spy {|Nonce NA, Nonce NB, k|} ~: set_of_list evs; \
paulson@3444
   613
\           A ~: lost;  B ~: lost;  Spy: lost;  evs : yahalom lost |]       \
paulson@3444
   614
\         ==> Says Server A                                                 \
paulson@3444
   615
\                     {|Crypt (shrK A) {|Agent B, Key K,                    \
paulson@3444
   616
\                               Nonce NA, Nonce NB|},                       \
paulson@3444
   617
\                       Crypt (shrK B) {|Agent A, Key K|}|}                 \
paulson@3444
   618
\               : set_of_list evs";
paulson@2133
   619
by (forward_tac [Spy_not_see_NB] 1 THEN REPEAT (assume_tac 1));
paulson@3121
   620
by (etac (Says_imp_sees_Spy' RS parts.Inj RS MPair_parts) 1 THEN
paulson@2133
   621
    dtac B_trusts_YM4_shrK 1);
paulson@2170
   622
by (dtac B_trusts_YM4_newK 3);
paulson@2110
   623
by (REPEAT_FIRST (eresolve_tac [asm_rl, exE]));
paulson@2133
   624
by (forward_tac [Says_Server_imp_YM2] 1 THEN assume_tac 1);
paulson@2170
   625
by (dtac unique_session_keys 1 THEN REPEAT (assume_tac 1));
paulson@3121
   626
by (blast_tac (!claset addDs [Says_unique_NB']) 1);
paulson@2322
   627
qed "B_trusts_YM4";
paulson@3444
   628
paulson@3444
   629
paulson@3444
   630
paulson@3444
   631
(*** Authenticating B to A ***)
paulson@3444
   632
paulson@3444
   633
(*The encryption in message YM2 tells us it cannot be faked.*)
paulson@3444
   634
goal thy 
paulson@3444
   635
 "!!evs. evs : yahalom lost                                            \
paulson@3444
   636
\  ==> Crypt (shrK B) {|Agent A, Nonce NA, nb|}                        \
paulson@3444
   637
\        : parts (sees lost Spy evs) -->                               \
paulson@3444
   638
\      B ~: lost -->                                                   \
paulson@3444
   639
\      Says B Server {|Agent B,                                \
paulson@3444
   640
\                          Crypt (shrK B) {|Agent A, Nonce NA, nb|}|}  \
paulson@3444
   641
\         : set_of_list evs";
paulson@3444
   642
by parts_induct_tac;
paulson@3444
   643
by (Fake_parts_insert_tac 1);
paulson@3444
   644
bind_thm ("B_Said_YM2", result() RSN (2, rev_mp) RS mp);
paulson@3444
   645
paulson@3444
   646
(*If the server sends YM3 then B sent YM2*)
paulson@3444
   647
goal thy 
paulson@3444
   648
 "!!evs. evs : yahalom lost                                       \
paulson@3444
   649
\  ==> Says Server A {|Crypt (shrK A) {|Agent B, Key K, Nonce NA, nb|}, X|} \
paulson@3444
   650
\         : set_of_list evs -->                                          \
paulson@3444
   651
\      B ~: lost -->                                                     \
paulson@3444
   652
\      Says B Server {|Agent B,                            \
paulson@3444
   653
\                               Crypt (shrK B) {|Agent A, Nonce NA, nb|}|}   \
paulson@3444
   654
\                 : set_of_list evs";
paulson@3444
   655
by (etac yahalom.induct 1);
paulson@3444
   656
by (ALLGOALS Asm_simp_tac);
paulson@3444
   657
(*YM4*)
paulson@3444
   658
by (Blast_tac 2);
paulson@3444
   659
(*YM3*)
paulson@3444
   660
by (best_tac (!claset addSDs [B_Said_YM2, Says_imp_sees_Spy' RS parts.Inj]
paulson@3444
   661
		      addSEs [MPair_parts]) 1);
paulson@3444
   662
val lemma = result() RSN (2, rev_mp) RS mp |> standard;
paulson@3444
   663
paulson@3444
   664
(*If A receives YM3 then B has used nonce NA (and therefore is alive)*)
paulson@3444
   665
goal thy
paulson@3444
   666
 "!!evs. [| Says S A {|Crypt (shrK A) {|Agent B, Key K, Nonce NA, nb|}, X|} \
paulson@3444
   667
\             : set_of_list evs;                                            \
paulson@3444
   668
\           A ~: lost;  B ~: lost;  evs : yahalom lost |]                   \
paulson@3444
   669
\   ==> Says B Server {|Agent B, Crypt (shrK B) {|Agent A, Nonce NA, nb|}|} \
paulson@3444
   670
\         : set_of_list evs";
paulson@3444
   671
by (blast_tac (!claset addSDs [A_trusts_YM3, lemma]
paulson@3444
   672
		       addEs sees_Spy_partsEs) 1);
paulson@3444
   673
qed "YM3_auth_B_to_A";
paulson@3444
   674
paulson@3444
   675
paulson@3444
   676
(*** Authenticating A to B using the certificate Crypt K (Nonce NB) ***)
paulson@3444
   677
paulson@3444
   678
(*Induction for theorems of the form X ~: analz (sees lost Spy evs) --> ...
paulson@3444
   679
  It simplifies the proof by discarding needless information about
paulson@3444
   680
	analz (insert X (sees lost Spy evs)) 
paulson@3444
   681
*)
paulson@3444
   682
val analz_mono_parts_induct_tac = 
paulson@3444
   683
    etac yahalom.induct 1 
paulson@3444
   684
    THEN 
paulson@3444
   685
    REPEAT_FIRST  
paulson@3444
   686
      (rtac impI THEN' 
paulson@3444
   687
       dtac (sees_subset_sees_Says RS analz_mono RS contra_subsetD) THEN'
paulson@3444
   688
       mp_tac)  
paulson@3444
   689
    THEN  parts_sees_tac;
paulson@3444
   690
paulson@3444
   691
(*Assuming the session key is secure, if both certificates are present then
paulson@3444
   692
  A has said NB.  We can't be sure about the rest of A's message, but only
paulson@3444
   693
  NB matters for freshness.*)  
paulson@3444
   694
goal thy 
paulson@3444
   695
 "!!evs. evs : yahalom lost                                             \
paulson@3444
   696
\        ==> Key K ~: analz (sees lost Spy evs) -->                     \
paulson@3444
   697
\            Crypt K (Nonce NB) : parts (sees lost Spy evs) -->         \
paulson@3444
   698
\            Crypt (shrK B) {|Agent A, Key K|}                          \
paulson@3444
   699
\              : parts (sees lost Spy evs) -->                          \
paulson@3444
   700
\            B ~: lost -->                                              \
paulson@3444
   701
\             (EX X. Says A B {|X, Crypt K (Nonce NB)|} : set_of_list evs)";
paulson@3444
   702
by analz_mono_parts_induct_tac;
paulson@3444
   703
(*Fake*)
paulson@3444
   704
by (Fake_parts_insert_tac 1);
paulson@3444
   705
(*YM3: by new_keys_not_used we note that Crypt K (Nonce NB) could not exist*)
paulson@3444
   706
by (fast_tac (!claset addSDs [Crypt_imp_invKey_keysFor] addss (!simpset)) 1); 
paulson@3444
   707
(*YM4: was Crypt K (Nonce NB) the very last message?  If not, use ind. hyp.*)
paulson@3444
   708
by (asm_simp_tac (!simpset addsimps [ex_disj_distrib]) 1);
paulson@3444
   709
(*yes: apply unicity of session keys*)
paulson@3444
   710
by (not_lost_tac "Aa" 1);
paulson@3444
   711
by (blast_tac (!claset addSEs [MPair_parts]
paulson@3444
   712
                       addSDs [A_trusts_YM3, B_trusts_YM4_shrK]
paulson@3444
   713
		       addDs  [Says_imp_sees_Spy' RS parts.Inj,
paulson@3444
   714
			       unique_session_keys]) 1);
paulson@3444
   715
val lemma = normalize_thm [RSspec, RSmp] (result()) |> standard;
paulson@3444
   716
paulson@3444
   717
(*If B receives YM4 then A has used nonce NB (and therefore is alive).
paulson@3444
   718
  Moreover, A associates K with NB (thus is talking about the same run).
paulson@3444
   719
  Other premises guarantee secrecy of K.*)
paulson@3444
   720
goal thy 
paulson@3444
   721
 "!!evs. [| Says B Server                                                   \
paulson@3444
   722
\             {|Agent B, Crypt (shrK B) {|Agent A, Nonce NA, Nonce NB|}|}   \
paulson@3444
   723
\             : set_of_list evs;                                            \
paulson@3444
   724
\           Says A' B {|Crypt (shrK B) {|Agent A, Key K|},       \
paulson@3444
   725
\                       Crypt K (Nonce NB)|} : set_of_list evs;  \
paulson@3444
   726
\           (ALL NA k. Says A Spy {|Nonce NA, Nonce NB, k|}    \
paulson@3444
   727
\               ~: set_of_list evs);                             \
paulson@3444
   728
\           A ~: lost;  B ~: lost;  Spy: lost;  evs : yahalom lost |]       \
paulson@3444
   729
\        ==> EX X. Says A B {|X, Crypt K (Nonce NB)|} : set_of_list evs";
paulson@3444
   730
by (dtac B_trusts_YM4 1);
paulson@3444
   731
by (REPEAT_FIRST (eresolve_tac [asm_rl, spec]));
paulson@3444
   732
by (etac (Says_imp_sees_Spy' RS parts.Inj RS MPair_parts) 1);
paulson@3444
   733
by (rtac lemma 1);
paulson@3444
   734
by (rtac Spy_not_see_encrypted_key 2);
paulson@3444
   735
by (REPEAT_FIRST assume_tac);
paulson@3444
   736
by (blast_tac (!claset addSEs [MPair_parts]
paulson@3444
   737
	       	       addDs [Says_imp_sees_Spy' RS parts.Inj]) 1);
paulson@3444
   738
qed_spec_mp "YM4_imp_A_Said_YM3";