src/HOL/Auth/OtwayRees.ML
author paulson
Fri Jan 17 12:49:31 1997 +0100 (1997-01-17)
changeset 2516 4d68fbe6378b
parent 2451 ce85a2aafc7a
child 2637 e9b203f854ae
permissions -rw-r--r--
Now with Andy Gordon's treatment of freshness to replace newN/K
paulson@1941
     1
(*  Title:      HOL/Auth/OtwayRees
paulson@1941
     2
    ID:         $Id$
paulson@1941
     3
    Author:     Lawrence C Paulson, Cambridge University Computer Laboratory
paulson@1941
     4
    Copyright   1996  University of Cambridge
paulson@1941
     5
paulson@1941
     6
Inductive relation "otway" for the Otway-Rees protocol.
paulson@1941
     7
paulson@2014
     8
Version that encrypts Nonce NB
paulson@2014
     9
paulson@1941
    10
From page 244 of
paulson@1941
    11
  Burrows, Abadi and Needham.  A Logic of Authentication.
paulson@1941
    12
  Proc. Royal Soc. 426 (1989)
paulson@1941
    13
*)
paulson@1941
    14
paulson@1941
    15
open OtwayRees;
paulson@1941
    16
paulson@1941
    17
proof_timing:=true;
paulson@1941
    18
HOL_quantifiers := false;
paulson@1941
    19
paulson@1996
    20
paulson@2328
    21
(*A "possibility property": there are traces that reach the end*)
paulson@1996
    22
goal thy 
paulson@1996
    23
 "!!A B. [| A ~= B; A ~= Server; B ~= Server |]   \
paulson@2032
    24
\        ==> EX K. EX NA. EX evs: otway lost.          \
paulson@2284
    25
\               Says B A {|Nonce NA, Crypt (shrK A) {|Nonce NA, Key K|}|} \
paulson@2014
    26
\                 : set_of_list evs";
paulson@1996
    27
by (REPEAT (resolve_tac [exI,bexI] 1));
paulson@2032
    28
by (rtac (otway.Nil RS otway.OR1 RS otway.OR2 RS otway.OR3 RS otway.OR4) 2);
paulson@2516
    29
by possibility_tac;
paulson@2014
    30
result();
paulson@1996
    31
paulson@1996
    32
paulson@1941
    33
(**** Inductive proofs about otway ****)
paulson@1941
    34
paulson@2104
    35
(*Monotonicity*)
paulson@2032
    36
goal thy "!!evs. lost' <= lost ==> otway lost' <= otway lost";
paulson@2032
    37
by (rtac subsetI 1);
paulson@2032
    38
by (etac otway.induct 1);
paulson@2032
    39
by (REPEAT_FIRST
paulson@2032
    40
    (best_tac (!claset addIs (impOfSubs (sees_mono RS analz_mono RS synth_mono)
paulson@2032
    41
                              :: otway.intrs))));
paulson@2032
    42
qed "otway_mono";
paulson@2032
    43
paulson@1941
    44
(*Nobody sends themselves messages*)
paulson@2032
    45
goal thy "!!evs. evs : otway lost ==> ALL A X. Says A A X ~: set_of_list evs";
paulson@2032
    46
by (etac otway.induct 1);
paulson@1941
    47
by (Auto_tac());
paulson@1941
    48
qed_spec_mp "not_Says_to_self";
paulson@1941
    49
Addsimps [not_Says_to_self];
paulson@1941
    50
AddSEs   [not_Says_to_self RSN (2, rev_notE)];
paulson@1941
    51
paulson@1941
    52
paulson@1941
    53
(** For reasoning about the encrypted portion of messages **)
paulson@1941
    54
paulson@2135
    55
goal thy "!!evs. Says A' B {|N, Agent A, Agent B, X|} : set_of_list evs \
paulson@2135
    56
\                ==> X : analz (sees lost Spy evs)";
paulson@2032
    57
by (fast_tac (!claset addSDs [Says_imp_sees_Spy RS analz.Inj]) 1);
paulson@2032
    58
qed "OR2_analz_sees_Spy";
paulson@1941
    59
paulson@2516
    60
goal thy "!!evs. Says S B {|N, X, Crypt (shrK B) X'|} : set_of_list evs \
paulson@2135
    61
\                ==> X : analz (sees lost Spy evs)";
paulson@2032
    62
by (fast_tac (!claset addSDs [Says_imp_sees_Spy RS analz.Inj]) 1);
paulson@2032
    63
qed "OR4_analz_sees_Spy";
paulson@1941
    64
paulson@2284
    65
goal thy "!!evs. Says Server B {|NA, X, Crypt K' {|NB,K|}|} : set_of_list evs \
paulson@2135
    66
\                 ==> K : parts (sees lost Spy evs)";
paulson@2516
    67
by (fast_tac (!claset addSEs sees_Spy_partsEs) 1);
paulson@2135
    68
qed "Oops_parts_sees_Spy";
paulson@1941
    69
paulson@1941
    70
(*OR2_analz... and OR4_analz... let us treat those cases using the same 
paulson@1964
    71
  argument as for the Fake case.  This is possible for most, but not all,
paulson@1964
    72
  proofs: Fake does not invent new nonces (as in OR2), and of course Fake
paulson@2032
    73
  messages originate from the Spy. *)
paulson@1964
    74
paulson@2032
    75
bind_thm ("OR2_parts_sees_Spy",
paulson@2032
    76
          OR2_analz_sees_Spy RS (impOfSubs analz_subset_parts));
paulson@2032
    77
bind_thm ("OR4_parts_sees_Spy",
paulson@2032
    78
          OR4_analz_sees_Spy RS (impOfSubs analz_subset_parts));
paulson@2032
    79
paulson@2032
    80
(*We instantiate the variable to "lost".  Leaving it as a Var makes proofs
paulson@2032
    81
  harder to complete, since simplification does less for us.*)
paulson@2014
    82
val parts_Fake_tac = 
paulson@2032
    83
    let val tac = forw_inst_tac [("lost","lost")] 
paulson@2516
    84
    in  tac OR2_parts_sees_Spy     4 THEN 
paulson@2516
    85
        tac OR4_parts_sees_Spy     6 THEN
paulson@2516
    86
        tac Oops_parts_sees_Spy    7
paulson@2032
    87
    end;
paulson@1941
    88
paulson@2064
    89
(*For proving the easier theorems about X ~: parts (sees lost Spy evs) *)
paulson@2064
    90
fun parts_induct_tac i = SELECT_GOAL
paulson@2064
    91
    (DETERM (etac otway.induct 1 THEN parts_Fake_tac THEN
paulson@2171
    92
             (*Fake message*)
paulson@2171
    93
             TRY (best_tac (!claset addDs [impOfSubs analz_subset_parts,
paulson@2171
    94
                                           impOfSubs Fake_parts_insert]
paulson@2064
    95
                                    addss (!simpset)) 2)) THEN
paulson@2064
    96
     (*Base case*)
paulson@2064
    97
     fast_tac (!claset addss (!simpset)) 1 THEN
paulson@2064
    98
     ALLGOALS Asm_simp_tac) i;
paulson@1941
    99
paulson@2032
   100
(** Theorems of the form X ~: parts (sees lost Spy evs) imply that NOBODY
paulson@2014
   101
    sends messages containing X! **)
paulson@1941
   102
paulson@2064
   103
(*Spy never sees another agent's shared key! (unless it's lost at start)*)
paulson@1941
   104
goal thy 
paulson@2135
   105
 "!!evs. evs : otway lost \
paulson@2135
   106
\        ==> (Key (shrK A) : parts (sees lost Spy evs)) = (A : lost)";
paulson@2064
   107
by (parts_induct_tac 1);
paulson@1941
   108
by (Auto_tac());
paulson@2135
   109
qed "Spy_see_shrK";
paulson@2135
   110
Addsimps [Spy_see_shrK];
paulson@1941
   111
paulson@2135
   112
goal thy 
paulson@2135
   113
 "!!evs. evs : otway lost \
paulson@2135
   114
\        ==> (Key (shrK A) : analz (sees lost Spy evs)) = (A : lost)";
paulson@2135
   115
by (auto_tac(!claset addDs [impOfSubs analz_subset_parts], !simpset));
paulson@2135
   116
qed "Spy_analz_shrK";
paulson@2135
   117
Addsimps [Spy_analz_shrK];
paulson@1941
   118
paulson@2135
   119
goal thy  "!!A. [| Key (shrK A) : parts (sees lost Spy evs);       \
paulson@2135
   120
\                  evs : otway lost |] ==> A:lost";
paulson@2135
   121
by (fast_tac (!claset addDs [Spy_see_shrK]) 1);
paulson@2135
   122
qed "Spy_see_shrK_D";
paulson@1941
   123
paulson@2135
   124
bind_thm ("Spy_analz_shrK_D", analz_subset_parts RS subsetD RS Spy_see_shrK_D);
paulson@2135
   125
AddSDs [Spy_see_shrK_D, Spy_analz_shrK_D];
paulson@1941
   126
paulson@1941
   127
paulson@2516
   128
(*Nobody can have used non-existent keys!*)
paulson@2516
   129
goal thy "!!evs. evs : otway lost ==>          \
paulson@2516
   130
\         Key K ~: used evs --> K ~: keysFor (parts (sees lost Spy evs))";
paulson@2160
   131
by (parts_induct_tac 1);
paulson@2516
   132
(*Fake*)
paulson@2516
   133
by (best_tac
paulson@2516
   134
      (!claset addIs [impOfSubs analz_subset_parts]
paulson@2516
   135
               addDs [impOfSubs (analz_subset_parts RS keysFor_mono),
paulson@2516
   136
                      impOfSubs (parts_insert_subset_Un RS keysFor_mono)]
paulson@2516
   137
               addss (!simpset)) 1);
paulson@2516
   138
(*OR1-3*)
paulson@2516
   139
by (REPEAT (fast_tac (!claset addss (!simpset)) 1));
paulson@2160
   140
qed_spec_mp "new_keys_not_used";
paulson@1941
   141
paulson@1941
   142
bind_thm ("new_keys_not_analzd",
paulson@2032
   143
          [analz_subset_parts RS keysFor_mono,
paulson@2032
   144
           new_keys_not_used] MRS contra_subsetD);
paulson@1941
   145
paulson@1941
   146
Addsimps [new_keys_not_used, new_keys_not_analzd];
paulson@1941
   147
paulson@1941
   148
paulson@2064
   149
paulson@2064
   150
(*** Proofs involving analz ***)
paulson@2064
   151
paulson@2135
   152
(*Describes the form of K and NA when the Server sends this message.  Also
paulson@2135
   153
  for Oops case.*)
paulson@2064
   154
goal thy 
paulson@2516
   155
 "!!evs. [| Says Server B                                                 \
paulson@2516
   156
\            {|NA, X, Crypt (shrK B) {|NB, Key K|}|} : set_of_list evs;   \
paulson@2451
   157
\           evs : otway lost |]                                           \
paulson@2516
   158
\     ==> K ~: range shrK & (EX i. NA = Nonce i) & (EX j. NB = Nonce j)";
paulson@2135
   159
by (etac rev_mp 1);
paulson@2135
   160
by (etac otway.induct 1);
paulson@2135
   161
by (ALLGOALS (fast_tac (!claset addss (!simpset))));
paulson@2135
   162
qed "Says_Server_message_form";
paulson@2064
   163
paulson@2064
   164
paulson@2064
   165
(*For proofs involving analz.  We again instantiate the variable to "lost".*)
paulson@2064
   166
val analz_Fake_tac = 
paulson@2064
   167
    dres_inst_tac [("lost","lost")] OR2_analz_sees_Spy 4 THEN 
paulson@2064
   168
    dres_inst_tac [("lost","lost")] OR4_analz_sees_Spy 6 THEN
paulson@2135
   169
    forw_inst_tac [("lost","lost")] Says_Server_message_form 7 THEN
paulson@2516
   170
    assume_tac 7 THEN
paulson@2451
   171
    REPEAT ((eresolve_tac [exE, conjE] ORELSE' hyp_subst_tac) 7);
paulson@1941
   172
paulson@1941
   173
paulson@1941
   174
(****
paulson@1941
   175
 The following is to prove theorems of the form
paulson@1941
   176
paulson@2516
   177
  Key K : analz (insert (Key KAB) (sees lost Spy evs)) ==>
paulson@2451
   178
  Key K : analz (sees lost Spy evs)
paulson@1941
   179
paulson@1941
   180
 A more general formula must be proved inductively.
paulson@1941
   181
****)
paulson@1941
   182
paulson@1941
   183
paulson@1941
   184
(** Session keys are not used to encrypt other session keys **)
paulson@1941
   185
paulson@2014
   186
(*The equality makes the induction hypothesis easier to apply*)
paulson@1941
   187
goal thy  
paulson@2516
   188
 "!!evs. evs : otway lost ==>                                         \
paulson@2516
   189
\  ALL K KK. KK <= Compl (range shrK) -->                      \
paulson@2516
   190
\            (Key K : analz (Key``KK Un (sees lost Spy evs))) = \
paulson@2516
   191
\            (K : KK | Key K : analz (sees lost Spy evs))";
paulson@2032
   192
by (etac otway.induct 1);
paulson@2064
   193
by analz_Fake_tac;
paulson@2516
   194
by (REPEAT_FIRST (resolve_tac [allI, impI]));
paulson@2516
   195
by (REPEAT_FIRST (rtac analz_image_freshK_lemma ));
paulson@2516
   196
by (ALLGOALS (asm_simp_tac analz_image_freshK_ss));
paulson@2516
   197
(*Base*)
paulson@2516
   198
by (fast_tac (!claset addIs [image_eqI] addss (!simpset)) 1);
paulson@2516
   199
(*Fake, OR2, OR4*) 
paulson@2516
   200
by (REPEAT (spy_analz_tac 1));
paulson@2516
   201
qed_spec_mp "analz_image_freshK";
paulson@1941
   202
paulson@1941
   203
paulson@1941
   204
goal thy
paulson@2516
   205
 "!!evs. [| evs : otway lost;  KAB ~: range shrK |] ==>             \
paulson@2516
   206
\        Key K : analz (insert (Key KAB) (sees lost Spy evs)) = \
paulson@2516
   207
\        (K = KAB | Key K : analz (sees lost Spy evs))";
paulson@2516
   208
by (asm_simp_tac (analz_image_freshK_ss addsimps [analz_image_freshK]) 1);
paulson@2516
   209
qed "analz_insert_freshK";
paulson@1941
   210
paulson@1941
   211
paulson@2026
   212
(*** The Key K uniquely identifies the Server's  message. **)
paulson@2014
   213
paulson@2014
   214
goal thy 
paulson@2135
   215
 "!!evs. evs : otway lost ==>                                                 \
paulson@2135
   216
\   EX B' NA' NB' X'. ALL B NA NB X.                                          \
paulson@2284
   217
\     Says Server B {|NA, X, Crypt (shrK B) {|NB, K|}|} : set_of_list evs --> \
paulson@2135
   218
\     B=B' & NA=NA' & NB=NB' & X=X'";
paulson@2032
   219
by (etac otway.induct 1);
paulson@2014
   220
by (ALLGOALS (asm_simp_tac (!simpset addsimps [all_conj_distrib])));
paulson@2014
   221
by (Step_tac 1);
paulson@2014
   222
(*Remaining cases: OR3 and OR4*)
paulson@2014
   223
by (ex_strip_tac 2);
paulson@2014
   224
by (Fast_tac 2);
paulson@2064
   225
by (expand_case_tac "K = ?y" 1);
paulson@2064
   226
by (REPEAT (ares_tac [refl,exI,impI,conjI] 2));
paulson@2516
   227
(*...we assume X is a recent message, and handle this case by contradiction*)
paulson@2516
   228
by (fast_tac (!claset addSEs sees_Spy_partsEs
paulson@2032
   229
                      delrules [conjI]    (*prevent split-up into 4 subgoals*)
paulson@2032
   230
                      addss (!simpset addsimps [parts_insertI])) 1);
paulson@2014
   231
val lemma = result();
paulson@2014
   232
paulson@2014
   233
goal thy 
paulson@2284
   234
 "!!evs. [| Says Server B {|NA, X, Crypt (shrK B) {|NB, K|}|}      \
paulson@2014
   235
\            : set_of_list evs;                                    \ 
paulson@2284
   236
\           Says Server B' {|NA',X',Crypt (shrK B') {|NB',K|}|}    \
paulson@2014
   237
\            : set_of_list evs;                                    \
paulson@2135
   238
\           evs : otway lost |] ==> X=X' & B=B' & NA=NA' & NB=NB'";
paulson@2417
   239
by (prove_unique_tac lemma 1);
paulson@2014
   240
qed "unique_session_keys";
paulson@2014
   241
paulson@2014
   242
paulson@2014
   243
paulson@2048
   244
(**** Authenticity properties relating to NA ****)
paulson@2014
   245
paulson@2014
   246
(*Only OR1 can have caused such a part of a message to appear.*)
paulson@2014
   247
goal thy 
paulson@2064
   248
 "!!evs. [| A ~: lost;  evs : otway lost |]                        \
paulson@2284
   249
\        ==> Crypt (shrK A) {|NA, Agent A, Agent B|}               \
paulson@2064
   250
\             : parts (sees lost Spy evs) -->                      \
paulson@2064
   251
\            Says A B {|NA, Agent A, Agent B,                      \
paulson@2284
   252
\                       Crypt (shrK A) {|NA, Agent A, Agent B|}|}  \
paulson@2014
   253
\             : set_of_list evs";
paulson@2064
   254
by (parts_induct_tac 1);
paulson@2014
   255
qed_spec_mp "Crypt_imp_OR1";
paulson@2014
   256
paulson@2014
   257
paulson@2064
   258
(** The Nonce NA uniquely identifies A's message. **)
paulson@2014
   259
paulson@2014
   260
goal thy 
paulson@2032
   261
 "!!evs. [| evs : otway lost; A ~: lost |]               \
paulson@2014
   262
\ ==> EX B'. ALL B.    \
paulson@2284
   263
\        Crypt (shrK A) {|NA, Agent A, Agent B|} : parts (sees lost Spy evs) \
paulson@2048
   264
\        --> B = B'";
paulson@2064
   265
by (parts_induct_tac 1);
paulson@2064
   266
by (simp_tac (!simpset addsimps [all_conj_distrib]) 1); 
paulson@2026
   267
(*OR1: creation of new Nonce.  Move assertion into global context*)
paulson@2064
   268
by (expand_case_tac "NA = ?y" 1);
paulson@2516
   269
by (best_tac (!claset addSEs sees_Spy_partsEs) 1);
paulson@2014
   270
val lemma = result();
paulson@2014
   271
paulson@2014
   272
goal thy 
paulson@2284
   273
 "!!evs.[| Crypt (shrK A) {|NA, Agent A, Agent B|}: parts(sees lost Spy evs); \
paulson@2284
   274
\          Crypt (shrK A) {|NA, Agent A, Agent C|}: parts(sees lost Spy evs); \
paulson@2048
   275
\          evs : otway lost;  A ~: lost |]                                    \
paulson@2014
   276
\        ==> B = C";
paulson@2417
   277
by (prove_unique_tac lemma 1);
paulson@2048
   278
qed "unique_NA";
paulson@2014
   279
paulson@2014
   280
paulson@2014
   281
(*It is impossible to re-use a nonce in both OR1 and OR2.  This holds because
paulson@2014
   282
  OR2 encrypts Nonce NB.  It prevents the attack that can occur in the
paulson@2014
   283
  over-simplified version of this protocol: see OtwayRees_Bad.*)
paulson@2014
   284
goal thy 
paulson@2328
   285
 "!!evs. [| A ~: lost;  evs : otway lost |]                      \
paulson@2284
   286
\        ==> Crypt (shrK A) {|NA, Agent A, Agent B|}             \
paulson@2328
   287
\             : parts (sees lost Spy evs) -->                    \
paulson@2284
   288
\            Crypt (shrK A) {|NA', NA, Agent A', Agent A|}       \
paulson@2032
   289
\             ~: parts (sees lost Spy evs)";
paulson@2071
   290
by (parts_induct_tac 1);
paulson@2516
   291
by (REPEAT (fast_tac (!claset addSEs sees_Spy_partsEs
paulson@2026
   292
                              addSDs  [impOfSubs parts_insert_subset_Un]
paulson@2071
   293
                              addss (!simpset)) 1));
paulson@2014
   294
qed_spec_mp"no_nonce_OR1_OR2";
paulson@2014
   295
paulson@2014
   296
paulson@2053
   297
(*Crucial property: If the encrypted message appears, and A has used NA
paulson@2053
   298
  to start a run, then it originated with the Server!*)
paulson@2014
   299
goal thy 
paulson@2048
   300
 "!!evs. [| A ~: lost;  A ~= Spy;  evs : otway lost |]                 \
paulson@2284
   301
\    ==> Crypt (shrK A) {|NA, Key K|} : parts (sees lost Spy evs)      \
paulson@2048
   302
\        --> Says A B {|NA, Agent A, Agent B,                          \
paulson@2284
   303
\                       Crypt (shrK A) {|NA, Agent A, Agent B|}|}      \
paulson@2048
   304
\             : set_of_list evs -->                                    \
paulson@2048
   305
\            (EX NB. Says Server B                                     \
paulson@2048
   306
\                 {|NA,                                                \
paulson@2284
   307
\                   Crypt (shrK A) {|NA, Key K|},                      \
paulson@2284
   308
\                   Crypt (shrK B) {|NB, Key K|}|}                     \
paulson@2014
   309
\                   : set_of_list evs)";
paulson@2064
   310
by (parts_induct_tac 1);
paulson@2014
   311
(*OR1: it cannot be a new Nonce, contradiction.*)
paulson@2014
   312
by (fast_tac (!claset addSIs [parts_insertI]
paulson@2516
   313
                      addSEs sees_Spy_partsEs
paulson@2032
   314
                      addss (!simpset)) 1);
paulson@2064
   315
(*OR3 and OR4*) 
paulson@2014
   316
(*OR4*)
paulson@2014
   317
by (REPEAT (Safe_step_tac 2));
paulson@2014
   318
by (REPEAT (best_tac (!claset addSDs [parts_cut]) 3));
paulson@2014
   319
by (fast_tac (!claset addSIs [Crypt_imp_OR1]
paulson@2516
   320
                      addEs  sees_Spy_partsEs) 2);
paulson@2064
   321
(*OR3*)  (** LEVEL 5 **)
paulson@2064
   322
by (asm_simp_tac (!simpset addsimps [ex_disj_distrib]) 1);
paulson@2014
   323
by (step_tac (!claset delrules [disjCI, impCE]) 1);
paulson@2014
   324
by (fast_tac (!claset addSEs [MPair_parts]
paulson@2032
   325
                      addSDs [Says_imp_sees_Spy RS parts.Inj]
paulson@2014
   326
                      addEs  [no_nonce_OR1_OR2 RSN (2, rev_notE)]
paulson@2048
   327
                      delrules [conjI] (*stop split-up into 4 subgoals*)) 2);
paulson@2048
   328
by (fast_tac (!claset addSDs [Says_imp_sees_Spy RS parts.Inj]
paulson@2048
   329
                      addSEs [MPair_parts]
paulson@2048
   330
                      addEs  [unique_NA]) 1);
paulson@2048
   331
qed_spec_mp "NA_Crypt_imp_Server_msg";
paulson@2014
   332
paulson@2014
   333
paulson@2053
   334
(*Corollary: if A receives B's OR4 message and the nonce NA agrees
paulson@2014
   335
  then the key really did come from the Server!  CANNOT prove this of the
paulson@2048
   336
  bad form of this protocol, even though we can prove
paulson@2032
   337
  Spy_not_see_encrypted_key*)
paulson@2014
   338
goal thy 
paulson@2284
   339
 "!!evs. [| Says B' A {|NA, Crypt (shrK A) {|NA, Key K|}|}         \
paulson@2053
   340
\            : set_of_list evs;                                    \
paulson@2053
   341
\           Says A B {|NA, Agent A, Agent B,                       \
paulson@2284
   342
\                      Crypt (shrK A) {|NA, Agent A, Agent B|}|}   \
paulson@2053
   343
\            : set_of_list evs;                                    \
paulson@2053
   344
\           A ~: lost;  A ~= Spy;  evs : otway lost |]             \
paulson@2053
   345
\        ==> EX NB. Says Server B                                  \
paulson@2048
   346
\                     {|NA,                                        \
paulson@2284
   347
\                       Crypt (shrK A) {|NA, Key K|},              \
paulson@2284
   348
\                       Crypt (shrK B) {|NB, Key K|}|}             \
paulson@2053
   349
\                       : set_of_list evs";
paulson@2048
   350
by (fast_tac (!claset addSIs [NA_Crypt_imp_Server_msg]
paulson@2516
   351
                      addEs  sees_Spy_partsEs) 1);
paulson@2328
   352
qed "A_trusts_OR4";
paulson@2014
   353
paulson@2014
   354
paulson@2048
   355
(** Crucial secrecy property: Spy does not see the keys sent in msg OR3
paulson@2048
   356
    Does not in itself guarantee security: an attack could violate 
paulson@2048
   357
    the premises, e.g. by having A=Spy **)
paulson@2014
   358
paulson@1941
   359
goal thy 
paulson@2166
   360
 "!!evs. [| A ~: lost;  B ~: lost;  evs : otway lost |]                    \
paulson@2048
   361
\        ==> Says Server B                                                 \
paulson@2284
   362
\              {|NA, Crypt (shrK A) {|NA, Key K|},                         \
paulson@2284
   363
\                Crypt (shrK B) {|NB, Key K|}|} : set_of_list evs -->      \
paulson@2135
   364
\            Says B Spy {|NA, NB, Key K|} ~: set_of_list evs -->           \
paulson@2048
   365
\            Key K ~: analz (sees lost Spy evs)";
paulson@2032
   366
by (etac otway.induct 1);
paulson@2064
   367
by analz_Fake_tac;
paulson@1964
   368
by (ALLGOALS
paulson@2516
   369
    (asm_simp_tac (!simpset addcongs [conj_cong] 
paulson@2516
   370
                            addsimps [not_parts_not_analz, analz_insert_freshK]
paulson@2516
   371
                            setloop split_tac [expand_if])));
paulson@1941
   372
(*OR3*)
paulson@2516
   373
by (fast_tac (!claset delrules [impCE]
paulson@2516
   374
                      addSEs sees_Spy_partsEs
paulson@2516
   375
                      addIs [impOfSubs analz_subset_parts]
paulson@2048
   376
                      addss (!simpset addsimps [parts_insert2])) 3);
paulson@2135
   377
(*OR4, OR2, Fake*) 
paulson@2375
   378
by (REPEAT_FIRST spy_analz_tac);
paulson@2135
   379
(*Oops*) (** LEVEL 5 **)
paulson@2135
   380
by (fast_tac (!claset delrules [disjE]
paulson@2171
   381
                      addDs [unique_session_keys] addss (!simpset)) 1);
paulson@2014
   382
val lemma = result() RS mp RS mp RSN(2,rev_notE);
paulson@2014
   383
paulson@2014
   384
goal thy 
paulson@2516
   385
 "!!evs. [| Says Server B                                                \
paulson@2516
   386
\            {|NA, Crypt (shrK A) {|NA, Key K|},                         \
paulson@2516
   387
\                  Crypt (shrK B) {|NB, Key K|}|} : set_of_list evs;     \
paulson@2516
   388
\           Says B Spy {|NA, NB, Key K|} ~: set_of_list evs;             \
paulson@2032
   389
\           A ~: lost;  B ~: lost;  evs : otway lost |]                  \
paulson@2516
   390
\        ==> Key K ~: analz (sees lost Spy evs)";
paulson@2014
   391
by (forward_tac [Says_Server_message_form] 1 THEN assume_tac 1);
paulson@2014
   392
by (fast_tac (!claset addSEs [lemma]) 1);
paulson@2032
   393
qed "Spy_not_see_encrypted_key";
paulson@2032
   394
paulson@1945
   395
paulson@2032
   396
goal thy 
paulson@2048
   397
 "!!evs. [| C ~: {A,B,Server};                                           \
paulson@2048
   398
\           Says Server B                                                \
paulson@2516
   399
\            {|NA, Crypt (shrK A) {|NA, Key K|},                         \
paulson@2516
   400
\                  Crypt (shrK B) {|NB, Key K|}|} : set_of_list evs;     \
paulson@2516
   401
\           Says B Spy {|NA, NB, Key K|} ~: set_of_list evs;             \
paulson@2032
   402
\           A ~: lost;  B ~: lost;  evs : otway lost |]                  \
paulson@2516
   403
\        ==> Key K ~: analz (sees lost C evs)";
paulson@2032
   404
by (rtac (subset_insertI RS sees_mono RS analz_mono RS contra_subsetD) 1);
paulson@2032
   405
by (rtac (sees_lost_agent_subset_sees_Spy RS analz_mono RS contra_subsetD) 1);
paulson@2032
   406
by (FIRSTGOAL (rtac Spy_not_see_encrypted_key));
paulson@2032
   407
by (REPEAT_FIRST (fast_tac (!claset addIs [otway_mono RS subsetD])));
paulson@2032
   408
qed "Agent_not_see_encrypted_key";
paulson@1945
   409
paulson@1945
   410
paulson@2048
   411
(**** Authenticity properties relating to NB ****)
paulson@2048
   412
paulson@2048
   413
(*Only OR2 can have caused such a part of a message to appear.  We do not
paulson@2194
   414
  know anything about X: it does NOT have to have the right form.*)
paulson@2048
   415
goal thy 
paulson@2048
   416
 "!!evs. [| B ~: lost;  evs : otway lost |]                    \
paulson@2284
   417
\        ==> Crypt (shrK B) {|NA, NB, Agent A, Agent B|}       \
paulson@2048
   418
\             : parts (sees lost Spy evs) -->                  \
paulson@2194
   419
\            (EX X. Says B Server                              \
paulson@2194
   420
\             {|NA, Agent A, Agent B, X,                       \
paulson@2284
   421
\               Crypt (shrK B) {|NA, NB, Agent A, Agent B|}|}  \
paulson@2048
   422
\             : set_of_list evs)";
paulson@2064
   423
by (parts_induct_tac 1);
paulson@2064
   424
by (auto_tac (!claset, !simpset addcongs [conj_cong]));
paulson@2194
   425
bind_thm ("Crypt_imp_OR2", result() RSN (2,rev_mp) RS exE);
paulson@2048
   426
paulson@2048
   427
paulson@2048
   428
(** The Nonce NB uniquely identifies B's  message. **)
paulson@2048
   429
paulson@2048
   430
goal thy 
paulson@2048
   431
 "!!evs. [| evs : otway lost; B ~: lost |]               \
paulson@2064
   432
\ ==> EX NA' A'. ALL NA A.                               \
paulson@2284
   433
\      Crypt (shrK B) {|NA, NB, Agent A, Agent B|} : parts(sees lost Spy evs) \
paulson@2048
   434
\      --> NA = NA' & A = A'";
paulson@2064
   435
by (parts_induct_tac 1);
paulson@2064
   436
by (simp_tac (!simpset addsimps [all_conj_distrib]) 1); 
paulson@2048
   437
(*OR2: creation of new Nonce.  Move assertion into global context*)
paulson@2064
   438
by (expand_case_tac "NB = ?y" 1);
paulson@2516
   439
by (deepen_tac (!claset addSEs sees_Spy_partsEs) 3 1);
paulson@2048
   440
val lemma = result();
paulson@2048
   441
paulson@2048
   442
goal thy 
paulson@2284
   443
 "!!evs.[| Crypt (shrK B) {|NA, NB, Agent A, Agent B|} \
paulson@2048
   444
\                  : parts(sees lost Spy evs);         \
paulson@2284
   445
\          Crypt (shrK B) {|NC, NB, Agent C, Agent B|} \
paulson@2048
   446
\                  : parts(sees lost Spy evs);         \
paulson@2048
   447
\          evs : otway lost;  B ~: lost |]             \
paulson@2048
   448
\        ==> NC = NA & C = A";
paulson@2417
   449
by (prove_unique_tac lemma 1);
paulson@2048
   450
qed "unique_NB";
paulson@2048
   451
paulson@2048
   452
paulson@2048
   453
(*If the encrypted message appears, and B has used Nonce NB,
paulson@2048
   454
  then it originated with the Server!*)
paulson@2048
   455
goal thy 
paulson@2048
   456
 "!!evs. [| B ~: lost;  B ~= Spy;  evs : otway lost |]                   \
paulson@2284
   457
\    ==> Crypt (shrK B) {|NB, Key K|} : parts (sees lost Spy evs)        \
paulson@2048
   458
\        --> (ALL X'. Says B Server                                      \
paulson@2048
   459
\                       {|NA, Agent A, Agent B, X',                      \
paulson@2284
   460
\                         Crypt (shrK B) {|NA, NB, Agent A, Agent B|}|}  \
paulson@2048
   461
\             : set_of_list evs                                          \
paulson@2048
   462
\             --> Says Server B                                          \
paulson@2284
   463
\                  {|NA, Crypt (shrK A) {|NA, Key K|},                   \
paulson@2284
   464
\                        Crypt (shrK B) {|NB, Key K|}|}                  \
paulson@2048
   465
\                   : set_of_list evs)";
paulson@2064
   466
by (parts_induct_tac 1);
paulson@2048
   467
(*OR1: it cannot be a new Nonce, contradiction.*)
paulson@2048
   468
by (fast_tac (!claset addSIs [parts_insertI]
paulson@2516
   469
                      addSEs sees_Spy_partsEs
paulson@2048
   470
                      addss (!simpset)) 1);
paulson@2048
   471
(*OR4*)
paulson@2194
   472
by (fast_tac (!claset addSEs [MPair_parts, Crypt_imp_OR2]) 2);
paulson@2194
   473
(*OR3*)
paulson@2048
   474
by (step_tac (!claset delrules [disjCI, impCE]) 1);
paulson@2048
   475
by (fast_tac (!claset delrules [conjI] (*stop split-up*)) 3); 
paulson@2048
   476
by (fast_tac (!claset addSDs [Says_imp_sees_Spy RS parts.Inj]
paulson@2048
   477
                      addSEs [MPair_parts]
paulson@2048
   478
                      addDs  [unique_NB]) 2);
paulson@2048
   479
by (fast_tac (!claset addSEs [MPair_parts]
paulson@2048
   480
                      addSDs [Says_imp_sees_Spy RS parts.Inj]
paulson@2048
   481
                      addSEs  [no_nonce_OR1_OR2 RSN (2, rev_notE)]
paulson@2048
   482
                      delrules [conjI, impCE] (*stop split-up*)) 1);
paulson@2048
   483
qed_spec_mp "NB_Crypt_imp_Server_msg";
paulson@2048
   484
paulson@2048
   485
paulson@2048
   486
(*Guarantee for B: if it gets a message with matching NB then the Server
paulson@2048
   487
  has sent the correct message.*)
paulson@2048
   488
goal thy 
paulson@2048
   489
 "!!evs. [| B ~: lost;  B ~= Spy;  evs : otway lost;               \
paulson@2284
   490
\           Says S B {|NA, X, Crypt (shrK B) {|NB, Key K|}|}       \
paulson@2048
   491
\            : set_of_list evs;                                    \
paulson@2048
   492
\           Says B Server {|NA, Agent A, Agent B, X',              \
paulson@2284
   493
\                           Crypt (shrK B) {|NA, NB, Agent A, Agent B|} |} \
paulson@2048
   494
\            : set_of_list evs |]                                  \
paulson@2048
   495
\        ==> Says Server B                                         \
paulson@2048
   496
\                 {|NA,                                            \
paulson@2284
   497
\                   Crypt (shrK A) {|NA, Key K|},                  \
paulson@2284
   498
\                   Crypt (shrK B) {|NB, Key K|}|}                 \
paulson@2048
   499
\                   : set_of_list evs";
paulson@2048
   500
by (fast_tac (!claset addSIs [NB_Crypt_imp_Server_msg]
paulson@2516
   501
                      addEs  sees_Spy_partsEs) 1);
paulson@2328
   502
qed "B_trusts_OR3";
paulson@2048
   503
paulson@2048
   504
paulson@2328
   505
B_trusts_OR3 RS Spy_not_see_encrypted_key;
paulson@2048
   506
paulson@2048
   507
paulson@1945
   508
goal thy 
paulson@2214
   509
 "!!evs. [| B ~: lost;  evs : otway lost |]                           \
paulson@2214
   510
\        ==> Says Server B                                            \
paulson@2284
   511
\              {|NA, Crypt (shrK A) {|NA, Key K|},                    \
paulson@2284
   512
\                Crypt (shrK B) {|NB, Key K|}|} : set_of_list evs --> \
paulson@2214
   513
\            (EX X. Says B Server {|NA, Agent A, Agent B, X,          \
paulson@2284
   514
\                            Crypt (shrK B) {|NA, NB, Agent A, Agent B|} |} \
paulson@2194
   515
\            : set_of_list evs)";
paulson@2032
   516
by (etac otway.induct 1);
paulson@2194
   517
by (Auto_tac());
paulson@2284
   518
by (dtac (Says_imp_sees_Spy RS parts.Inj) 1);
paulson@2194
   519
by (fast_tac (!claset addSEs [MPair_parts, Crypt_imp_OR2]) 1);
paulson@2194
   520
bind_thm ("OR3_imp_OR2", result() RSN (2,rev_mp) RS exE);
paulson@2194
   521
paulson@2194
   522
paulson@2194
   523
(*After getting and checking OR4, agent A can trust that B has been active.
paulson@2194
   524
  We could probably prove that X has the expected form, but that is not
paulson@2194
   525
  strictly necessary for authentication.*)
paulson@2194
   526
goal thy 
paulson@2284
   527
 "!!evs. [| Says B' A {|NA, Crypt (shrK A) {|NA, Key K|}|}         \
paulson@2194
   528
\            : set_of_list evs;                                    \
paulson@2194
   529
\           Says A B {|NA, Agent A, Agent B,                       \
paulson@2284
   530
\                      Crypt (shrK A) {|NA, Agent A, Agent B|}|}   \
paulson@2194
   531
\            : set_of_list evs;                                    \
paulson@2194
   532
\           A ~: lost;  A ~= Spy;  B ~: lost;  evs : otway lost |] \
paulson@2194
   533
\        ==> EX NB X. Says B Server {|NA, Agent A, Agent B, X,     \
paulson@2284
   534
\                              Crypt (shrK B)  {|NA, NB, Agent A, Agent B|} |}\
paulson@2194
   535
\            : set_of_list evs";
paulson@2328
   536
by (fast_tac (!claset addSDs  [A_trusts_OR4]
paulson@2284
   537
                      addSEs [OR3_imp_OR2]) 1);
paulson@2194
   538
qed "A_auths_B";