src/HOL/Auth/TLS.thy
author paulson
Tue Jul 01 11:11:42 1997 +0200 (1997-07-01)
changeset 3474 44249bba00ec
child 3480 d59bbf053258
permissions -rw-r--r--
Baby TLS. Proofs work, but model seems unrealistic
paulson@3474
     1
(*  Title:      HOL/Auth/TLS
paulson@3474
     2
    ID:         $Id$
paulson@3474
     3
    Author:     Lawrence C Paulson, Cambridge University Computer Laboratory
paulson@3474
     4
    Copyright   1997  University of Cambridge
paulson@3474
     5
paulson@3474
     6
Inductive relation "tls" for the baby TLS (Transport Layer Security) protocol.
paulson@3474
     7
paulson@3474
     8
An RSA cryptosystem is assumed, and X.509v3 certificates are abstracted down
paulson@3474
     9
to the trivial form {A, publicKey(A)}privateKey(Server), where Server is a
paulson@3474
    10
global signing authority.
paulson@3474
    11
paulson@3474
    12
A is the client and B is the server, not to be confused with the constant
paulson@3474
    13
Server, who is in charge of all public keys.
paulson@3474
    14
paulson@3474
    15
The model assumes that no fraudulent certificates are present.
paulson@3474
    16
paulson@3474
    17
Protocol goals: 
paulson@3474
    18
* M, serverK(NA,NB,M) and clientK(NA,NB,M) will be known only to the two
paulson@3474
    19
     parties (though A is not necessarily authenticated).
paulson@3474
    20
paulson@3474
    21
* B upon receiving CERTIFICATE VERIFY knows that A is present (But this
paulson@3474
    22
    message is optional!)
paulson@3474
    23
paulson@3474
    24
* A upon receiving SERVER FINISHED knows that B is present
paulson@3474
    25
paulson@3474
    26
* Each party who has received a FINISHED message can trust that the other
paulson@3474
    27
  party agrees on all message components, including XA and XB (thus foiling
paulson@3474
    28
  rollback attacks).
paulson@3474
    29
*)
paulson@3474
    30
paulson@3474
    31
TLS = Public + 
paulson@3474
    32
paulson@3474
    33
consts
paulson@3474
    34
  (*Client, server write keys.  They implicitly include the MAC secrets.*)
paulson@3474
    35
  clientK, serverK :: "nat*nat*nat => key"
paulson@3474
    36
paulson@3474
    37
rules
paulson@3474
    38
  (*clientK is collision-free and makes symmetric keys*)
paulson@3474
    39
  inj_clientK   "inj clientK"	
paulson@3474
    40
  isSym_clientK "isSymKey (clientK x)"	(*client write keys are symmetric*)
paulson@3474
    41
paulson@3474
    42
  inj_serverK   "inj serverK"	
paulson@3474
    43
  isSym_serverK "isSymKey (serverK x)"	(*server write keys are symmetric*)
paulson@3474
    44
paulson@3474
    45
  (*Spy has access to his own key for spoof messages, but Server is secure*)
paulson@3474
    46
  Spy_in_lost     "Spy: lost"
paulson@3474
    47
  Server_not_lost "Server ~: lost"
paulson@3474
    48
paulson@3474
    49
paulson@3474
    50
consts  lost :: agent set        (*No need for it to be a variable*)
paulson@3474
    51
	tls  :: event list set
paulson@3474
    52
paulson@3474
    53
inductive tls
paulson@3474
    54
  intrs 
paulson@3474
    55
    Nil  (*Initial trace is empty*)
paulson@3474
    56
         "[]: tls"
paulson@3474
    57
paulson@3474
    58
    Fake (*The spy, an active attacker, MAY say anything he CAN say.*)
paulson@3474
    59
         "[| evs: tls;  B ~= Spy;  
paulson@3474
    60
             X: synth (analz (sees lost Spy evs)) |]
paulson@3474
    61
          ==> Says Spy B X  # evs : tls"
paulson@3474
    62
paulson@3474
    63
    ClientHello
paulson@3474
    64
	 (*XA represents CLIENT_VERSION, CIPHER_SUITES and COMPRESSION_METHODS.
paulson@3474
    65
	   It is uninterpreted but will be confirmed in the FINISHED messages.
paulson@3474
    66
	   As an initial simplification, SESSION_ID is identified with NA
paulson@3474
    67
           and reuse of sessions is not supported.*)
paulson@3474
    68
         "[| evs: tls;  A ~= B;  Nonce NA ~: used evs |]
paulson@3474
    69
          ==> Says A B {|Agent A, Nonce NA, Agent XA|} # evs  :  tls"
paulson@3474
    70
paulson@3474
    71
    ServerHello
paulson@3474
    72
         (*XB represents CLIENT_VERSION, CIPHER_SUITE and COMPRESSION_METHOD.
paulson@3474
    73
	   Na is returned in its role as SESSION_ID.  A CERTIFICATE_REQUEST is
paulson@3474
    74
	   implied and a SERVER CERTIFICATE is always present.*)
paulson@3474
    75
         "[| evs: tls;  A ~= B;  Nonce NB ~: used evs;
paulson@3474
    76
             Says A' B {|Agent A, Nonce NA, Agent XA|} : set evs |]
paulson@3474
    77
          ==> Says B A {|Nonce NA, Nonce NB, Agent XB,
paulson@3474
    78
			 Crypt (priK Server) {|Agent B, Key (pubK B)|}|}
paulson@3474
    79
                # evs  :  tls"
paulson@3474
    80
paulson@3474
    81
    ClientCertKeyEx
paulson@3474
    82
         (*CLIENT CERTIFICATE and KEY EXCHANGE.  M is the pre-master-secret.
paulson@3474
    83
           Note that A encrypts using the supplied KB, not pubK B.*)
paulson@3474
    84
         "[| evs: tls;  A ~= B;  Nonce M ~: used evs;
paulson@3474
    85
             Says B' A {|Nonce NA, Nonce NB, Agent XB,
paulson@3474
    86
			 Crypt (priK Server) {|Agent B, Key KB|}|} : set evs |]
paulson@3474
    87
          ==> Says A B {|Crypt (priK Server) {|Agent A, Key (pubK A)|},
paulson@3474
    88
			 Crypt KB (Nonce M)|}
paulson@3474
    89
                # evs  :  tls"
paulson@3474
    90
paulson@3474
    91
    CertVerify
paulson@3474
    92
	(*The optional CERTIFICATE VERIFY message contains the specific
paulson@3474
    93
          components listed in the security analysis, Appendix F.1.1.2.
paulson@3474
    94
          By checking the signature, B is assured of A's existence:
paulson@3474
    95
          the only use of A's certificate.*)
paulson@3474
    96
         "[| evs: tls;  A ~= B;  
paulson@3474
    97
             Says B' A {|Nonce NA, Nonce NB, Agent XB,
paulson@3474
    98
			 Crypt (priK Server) {|Agent B, Key KB|}|} : set evs |]
paulson@3474
    99
          ==> Says A B (Crypt (priK A)
paulson@3474
   100
			(Hash{|Nonce NB,
paulson@3474
   101
	 		       Crypt (priK Server) {|Agent B, Key KB|}|}))
paulson@3474
   102
                # evs  :  tls"
paulson@3474
   103
paulson@3474
   104
	(*Finally come the FINISHED messages, confirming XA and XB among
paulson@3474
   105
          other things.  The master-secret is the hash of NA, NB and M.
paulson@3474
   106
          Either party may sent its message first.*)
paulson@3474
   107
paulson@3474
   108
    ClientFinished
paulson@3474
   109
         "[| evs: tls;  A ~= B;
paulson@3474
   110
	     Says A  B {|Agent A, Nonce NA, Agent XA|} : set evs;
paulson@3474
   111
             Says B' A {|Nonce NA, Nonce NB, Agent XB, 
paulson@3474
   112
			 Crypt (priK Server) {|Agent B, Key KB|}|} : set evs;
paulson@3474
   113
             Says A  B {|Crypt (priK Server) {|Agent A, Key (pubK A)|},
paulson@3474
   114
		         Crypt KB (Nonce M)|} : set evs |]
paulson@3474
   115
          ==> Says A B (Crypt (clientK(NA,NB,M))
paulson@3474
   116
			(Hash{|Hash{|Nonce NA, Nonce NB, Nonce M|},
paulson@3474
   117
			       Nonce NA, Agent XA,
paulson@3474
   118
			       Crypt (priK Server) {|Agent A, Key(pubK A)|}, 
paulson@3474
   119
			       Nonce NB, Agent XB, Agent B|}))
paulson@3474
   120
                # evs  :  tls"
paulson@3474
   121
paulson@3474
   122
	(*Keeping A' and A'' distinct means B cannot even check that the
paulson@3474
   123
          two messages originate from the same source.*)
paulson@3474
   124
paulson@3474
   125
    ServerFinished
paulson@3474
   126
         "[| evs: tls;  A ~= B;
paulson@3474
   127
	     Says A' B  {|Agent A, Nonce NA, Agent XA|} : set evs;
paulson@3474
   128
	     Says B  A  {|Nonce NA, Nonce NB, Agent XB,
paulson@3474
   129
		 	  Crypt (priK Server) {|Agent B, Key (pubK B)|}|}
paulson@3474
   130
	       : set evs;
paulson@3474
   131
	     Says A'' B {|CERTA, Crypt (pubK B) (Nonce M)|} : set evs |]
paulson@3474
   132
          ==> Says B A (Crypt (serverK(NA,NB,M))
paulson@3474
   133
			(Hash{|Hash{|Nonce NA, Nonce NB, Nonce M|},
paulson@3474
   134
			       Nonce NA, Agent XA, Agent A, 
paulson@3474
   135
			       Nonce NB, Agent XB,
paulson@3474
   136
			       Crypt (priK Server) {|Agent B, Key(pubK B)|}|}))
paulson@3474
   137
                # evs  :  tls"
paulson@3474
   138
paulson@3474
   139
  (**Oops message??**)
paulson@3474
   140
paulson@3474
   141
end