paulson@1941
|
1 |
(* Title: HOL/Auth/OtwayRees
|
paulson@1941
|
2 |
ID: $Id$
|
paulson@1941
|
3 |
Author: Lawrence C Paulson, Cambridge University Computer Laboratory
|
paulson@1941
|
4 |
Copyright 1996 University of Cambridge
|
paulson@1941
|
5 |
|
paulson@1941
|
6 |
Inductive relation "otway" for the Otway-Rees protocol.
|
paulson@1941
|
7 |
|
paulson@2014
|
8 |
Version that encrypts Nonce NB
|
paulson@2014
|
9 |
|
paulson@1941
|
10 |
From page 244 of
|
paulson@1941
|
11 |
Burrows, Abadi and Needham. A Logic of Authentication.
|
paulson@1941
|
12 |
Proc. Royal Soc. 426 (1989)
|
paulson@1941
|
13 |
*)
|
paulson@1941
|
14 |
|
paulson@1941
|
15 |
open OtwayRees;
|
paulson@1941
|
16 |
|
paulson@1941
|
17 |
proof_timing:=true;
|
paulson@1941
|
18 |
HOL_quantifiers := false;
|
paulson@1941
|
19 |
|
paulson@1996
|
20 |
|
paulson@2328
|
21 |
(*A "possibility property": there are traces that reach the end*)
|
paulson@1996
|
22 |
goal thy
|
paulson@1996
|
23 |
"!!A B. [| A ~= B; A ~= Server; B ~= Server |] \
|
paulson@2032
|
24 |
\ ==> EX K. EX NA. EX evs: otway lost. \
|
paulson@2284
|
25 |
\ Says B A {|Nonce NA, Crypt (shrK A) {|Nonce NA, Key K|}|} \
|
paulson@2014
|
26 |
\ : set_of_list evs";
|
paulson@1996
|
27 |
by (REPEAT (resolve_tac [exI,bexI] 1));
|
paulson@2032
|
28 |
by (rtac (otway.Nil RS otway.OR1 RS otway.OR2 RS otway.OR3 RS otway.OR4) 2);
|
paulson@2516
|
29 |
by possibility_tac;
|
paulson@2014
|
30 |
result();
|
paulson@1996
|
31 |
|
paulson@1996
|
32 |
|
paulson@1941
|
33 |
(**** Inductive proofs about otway ****)
|
paulson@1941
|
34 |
|
paulson@2104
|
35 |
(*Monotonicity*)
|
paulson@2032
|
36 |
goal thy "!!evs. lost' <= lost ==> otway lost' <= otway lost";
|
paulson@2032
|
37 |
by (rtac subsetI 1);
|
paulson@2032
|
38 |
by (etac otway.induct 1);
|
paulson@2032
|
39 |
by (REPEAT_FIRST
|
paulson@2032
|
40 |
(best_tac (!claset addIs (impOfSubs (sees_mono RS analz_mono RS synth_mono)
|
paulson@2032
|
41 |
:: otway.intrs))));
|
paulson@2032
|
42 |
qed "otway_mono";
|
paulson@2032
|
43 |
|
paulson@1941
|
44 |
(*Nobody sends themselves messages*)
|
paulson@2032
|
45 |
goal thy "!!evs. evs : otway lost ==> ALL A X. Says A A X ~: set_of_list evs";
|
paulson@2032
|
46 |
by (etac otway.induct 1);
|
paulson@1941
|
47 |
by (Auto_tac());
|
paulson@1941
|
48 |
qed_spec_mp "not_Says_to_self";
|
paulson@1941
|
49 |
Addsimps [not_Says_to_self];
|
paulson@1941
|
50 |
AddSEs [not_Says_to_self RSN (2, rev_notE)];
|
paulson@1941
|
51 |
|
paulson@1941
|
52 |
|
paulson@1941
|
53 |
(** For reasoning about the encrypted portion of messages **)
|
paulson@1941
|
54 |
|
paulson@2135
|
55 |
goal thy "!!evs. Says A' B {|N, Agent A, Agent B, X|} : set_of_list evs \
|
paulson@2135
|
56 |
\ ==> X : analz (sees lost Spy evs)";
|
paulson@2032
|
57 |
by (fast_tac (!claset addSDs [Says_imp_sees_Spy RS analz.Inj]) 1);
|
paulson@2032
|
58 |
qed "OR2_analz_sees_Spy";
|
paulson@1941
|
59 |
|
paulson@2516
|
60 |
goal thy "!!evs. Says S B {|N, X, Crypt (shrK B) X'|} : set_of_list evs \
|
paulson@2135
|
61 |
\ ==> X : analz (sees lost Spy evs)";
|
paulson@2032
|
62 |
by (fast_tac (!claset addSDs [Says_imp_sees_Spy RS analz.Inj]) 1);
|
paulson@2032
|
63 |
qed "OR4_analz_sees_Spy";
|
paulson@1941
|
64 |
|
paulson@2284
|
65 |
goal thy "!!evs. Says Server B {|NA, X, Crypt K' {|NB,K|}|} : set_of_list evs \
|
paulson@2135
|
66 |
\ ==> K : parts (sees lost Spy evs)";
|
paulson@2516
|
67 |
by (fast_tac (!claset addSEs sees_Spy_partsEs) 1);
|
paulson@2135
|
68 |
qed "Oops_parts_sees_Spy";
|
paulson@1941
|
69 |
|
paulson@1941
|
70 |
(*OR2_analz... and OR4_analz... let us treat those cases using the same
|
paulson@1964
|
71 |
argument as for the Fake case. This is possible for most, but not all,
|
paulson@1964
|
72 |
proofs: Fake does not invent new nonces (as in OR2), and of course Fake
|
paulson@2032
|
73 |
messages originate from the Spy. *)
|
paulson@1964
|
74 |
|
paulson@2032
|
75 |
bind_thm ("OR2_parts_sees_Spy",
|
paulson@2032
|
76 |
OR2_analz_sees_Spy RS (impOfSubs analz_subset_parts));
|
paulson@2032
|
77 |
bind_thm ("OR4_parts_sees_Spy",
|
paulson@2032
|
78 |
OR4_analz_sees_Spy RS (impOfSubs analz_subset_parts));
|
paulson@2032
|
79 |
|
paulson@2032
|
80 |
(*We instantiate the variable to "lost". Leaving it as a Var makes proofs
|
paulson@2032
|
81 |
harder to complete, since simplification does less for us.*)
|
paulson@2014
|
82 |
val parts_Fake_tac =
|
paulson@2032
|
83 |
let val tac = forw_inst_tac [("lost","lost")]
|
paulson@2516
|
84 |
in tac OR2_parts_sees_Spy 4 THEN
|
paulson@2516
|
85 |
tac OR4_parts_sees_Spy 6 THEN
|
paulson@2516
|
86 |
tac Oops_parts_sees_Spy 7
|
paulson@2032
|
87 |
end;
|
paulson@1941
|
88 |
|
paulson@2064
|
89 |
(*For proving the easier theorems about X ~: parts (sees lost Spy evs) *)
|
paulson@2064
|
90 |
fun parts_induct_tac i = SELECT_GOAL
|
paulson@2064
|
91 |
(DETERM (etac otway.induct 1 THEN parts_Fake_tac THEN
|
paulson@2171
|
92 |
(*Fake message*)
|
paulson@2171
|
93 |
TRY (best_tac (!claset addDs [impOfSubs analz_subset_parts,
|
paulson@2171
|
94 |
impOfSubs Fake_parts_insert]
|
paulson@2064
|
95 |
addss (!simpset)) 2)) THEN
|
paulson@2064
|
96 |
(*Base case*)
|
paulson@2064
|
97 |
fast_tac (!claset addss (!simpset)) 1 THEN
|
paulson@2064
|
98 |
ALLGOALS Asm_simp_tac) i;
|
paulson@1941
|
99 |
|
paulson@2032
|
100 |
(** Theorems of the form X ~: parts (sees lost Spy evs) imply that NOBODY
|
paulson@2014
|
101 |
sends messages containing X! **)
|
paulson@1941
|
102 |
|
paulson@2064
|
103 |
(*Spy never sees another agent's shared key! (unless it's lost at start)*)
|
paulson@1941
|
104 |
goal thy
|
paulson@2135
|
105 |
"!!evs. evs : otway lost \
|
paulson@2135
|
106 |
\ ==> (Key (shrK A) : parts (sees lost Spy evs)) = (A : lost)";
|
paulson@2064
|
107 |
by (parts_induct_tac 1);
|
paulson@1941
|
108 |
by (Auto_tac());
|
paulson@2135
|
109 |
qed "Spy_see_shrK";
|
paulson@2135
|
110 |
Addsimps [Spy_see_shrK];
|
paulson@1941
|
111 |
|
paulson@2135
|
112 |
goal thy
|
paulson@2135
|
113 |
"!!evs. evs : otway lost \
|
paulson@2135
|
114 |
\ ==> (Key (shrK A) : analz (sees lost Spy evs)) = (A : lost)";
|
paulson@2135
|
115 |
by (auto_tac(!claset addDs [impOfSubs analz_subset_parts], !simpset));
|
paulson@2135
|
116 |
qed "Spy_analz_shrK";
|
paulson@2135
|
117 |
Addsimps [Spy_analz_shrK];
|
paulson@1941
|
118 |
|
paulson@2135
|
119 |
goal thy "!!A. [| Key (shrK A) : parts (sees lost Spy evs); \
|
paulson@2135
|
120 |
\ evs : otway lost |] ==> A:lost";
|
paulson@2135
|
121 |
by (fast_tac (!claset addDs [Spy_see_shrK]) 1);
|
paulson@2135
|
122 |
qed "Spy_see_shrK_D";
|
paulson@1941
|
123 |
|
paulson@2135
|
124 |
bind_thm ("Spy_analz_shrK_D", analz_subset_parts RS subsetD RS Spy_see_shrK_D);
|
paulson@2135
|
125 |
AddSDs [Spy_see_shrK_D, Spy_analz_shrK_D];
|
paulson@1941
|
126 |
|
paulson@1941
|
127 |
|
paulson@2516
|
128 |
(*Nobody can have used non-existent keys!*)
|
paulson@2516
|
129 |
goal thy "!!evs. evs : otway lost ==> \
|
paulson@2516
|
130 |
\ Key K ~: used evs --> K ~: keysFor (parts (sees lost Spy evs))";
|
paulson@2160
|
131 |
by (parts_induct_tac 1);
|
paulson@2516
|
132 |
(*Fake*)
|
paulson@2516
|
133 |
by (best_tac
|
paulson@2516
|
134 |
(!claset addIs [impOfSubs analz_subset_parts]
|
paulson@2516
|
135 |
addDs [impOfSubs (analz_subset_parts RS keysFor_mono),
|
paulson@2516
|
136 |
impOfSubs (parts_insert_subset_Un RS keysFor_mono)]
|
paulson@2516
|
137 |
addss (!simpset)) 1);
|
paulson@2516
|
138 |
(*OR1-3*)
|
paulson@2516
|
139 |
by (REPEAT (fast_tac (!claset addss (!simpset)) 1));
|
paulson@2160
|
140 |
qed_spec_mp "new_keys_not_used";
|
paulson@1941
|
141 |
|
paulson@1941
|
142 |
bind_thm ("new_keys_not_analzd",
|
paulson@2032
|
143 |
[analz_subset_parts RS keysFor_mono,
|
paulson@2032
|
144 |
new_keys_not_used] MRS contra_subsetD);
|
paulson@1941
|
145 |
|
paulson@1941
|
146 |
Addsimps [new_keys_not_used, new_keys_not_analzd];
|
paulson@1941
|
147 |
|
paulson@1941
|
148 |
|
paulson@2064
|
149 |
|
paulson@2064
|
150 |
(*** Proofs involving analz ***)
|
paulson@2064
|
151 |
|
paulson@2135
|
152 |
(*Describes the form of K and NA when the Server sends this message. Also
|
paulson@2135
|
153 |
for Oops case.*)
|
paulson@2064
|
154 |
goal thy
|
paulson@2516
|
155 |
"!!evs. [| Says Server B \
|
paulson@2516
|
156 |
\ {|NA, X, Crypt (shrK B) {|NB, Key K|}|} : set_of_list evs; \
|
paulson@2451
|
157 |
\ evs : otway lost |] \
|
paulson@2516
|
158 |
\ ==> K ~: range shrK & (EX i. NA = Nonce i) & (EX j. NB = Nonce j)";
|
paulson@2135
|
159 |
by (etac rev_mp 1);
|
paulson@2135
|
160 |
by (etac otway.induct 1);
|
paulson@2135
|
161 |
by (ALLGOALS (fast_tac (!claset addss (!simpset))));
|
paulson@2135
|
162 |
qed "Says_Server_message_form";
|
paulson@2064
|
163 |
|
paulson@2064
|
164 |
|
paulson@2064
|
165 |
(*For proofs involving analz. We again instantiate the variable to "lost".*)
|
paulson@2064
|
166 |
val analz_Fake_tac =
|
paulson@2064
|
167 |
dres_inst_tac [("lost","lost")] OR2_analz_sees_Spy 4 THEN
|
paulson@2064
|
168 |
dres_inst_tac [("lost","lost")] OR4_analz_sees_Spy 6 THEN
|
paulson@2135
|
169 |
forw_inst_tac [("lost","lost")] Says_Server_message_form 7 THEN
|
paulson@2516
|
170 |
assume_tac 7 THEN
|
paulson@2451
|
171 |
REPEAT ((eresolve_tac [exE, conjE] ORELSE' hyp_subst_tac) 7);
|
paulson@1941
|
172 |
|
paulson@1941
|
173 |
|
paulson@1941
|
174 |
(****
|
paulson@1941
|
175 |
The following is to prove theorems of the form
|
paulson@1941
|
176 |
|
paulson@2516
|
177 |
Key K : analz (insert (Key KAB) (sees lost Spy evs)) ==>
|
paulson@2451
|
178 |
Key K : analz (sees lost Spy evs)
|
paulson@1941
|
179 |
|
paulson@1941
|
180 |
A more general formula must be proved inductively.
|
paulson@1941
|
181 |
****)
|
paulson@1941
|
182 |
|
paulson@1941
|
183 |
|
paulson@1941
|
184 |
(** Session keys are not used to encrypt other session keys **)
|
paulson@1941
|
185 |
|
paulson@2014
|
186 |
(*The equality makes the induction hypothesis easier to apply*)
|
paulson@1941
|
187 |
goal thy
|
paulson@2516
|
188 |
"!!evs. evs : otway lost ==> \
|
paulson@2516
|
189 |
\ ALL K KK. KK <= Compl (range shrK) --> \
|
paulson@2516
|
190 |
\ (Key K : analz (Key``KK Un (sees lost Spy evs))) = \
|
paulson@2516
|
191 |
\ (K : KK | Key K : analz (sees lost Spy evs))";
|
paulson@2032
|
192 |
by (etac otway.induct 1);
|
paulson@2064
|
193 |
by analz_Fake_tac;
|
paulson@2516
|
194 |
by (REPEAT_FIRST (resolve_tac [allI, impI]));
|
paulson@2516
|
195 |
by (REPEAT_FIRST (rtac analz_image_freshK_lemma ));
|
paulson@2516
|
196 |
by (ALLGOALS (asm_simp_tac analz_image_freshK_ss));
|
paulson@2516
|
197 |
(*Base*)
|
paulson@2516
|
198 |
by (fast_tac (!claset addIs [image_eqI] addss (!simpset)) 1);
|
paulson@2516
|
199 |
(*Fake, OR2, OR4*)
|
paulson@2516
|
200 |
by (REPEAT (spy_analz_tac 1));
|
paulson@2516
|
201 |
qed_spec_mp "analz_image_freshK";
|
paulson@1941
|
202 |
|
paulson@1941
|
203 |
|
paulson@1941
|
204 |
goal thy
|
paulson@2516
|
205 |
"!!evs. [| evs : otway lost; KAB ~: range shrK |] ==> \
|
paulson@2516
|
206 |
\ Key K : analz (insert (Key KAB) (sees lost Spy evs)) = \
|
paulson@2516
|
207 |
\ (K = KAB | Key K : analz (sees lost Spy evs))";
|
paulson@2516
|
208 |
by (asm_simp_tac (analz_image_freshK_ss addsimps [analz_image_freshK]) 1);
|
paulson@2516
|
209 |
qed "analz_insert_freshK";
|
paulson@1941
|
210 |
|
paulson@1941
|
211 |
|
paulson@2026
|
212 |
(*** The Key K uniquely identifies the Server's message. **)
|
paulson@2014
|
213 |
|
paulson@2014
|
214 |
goal thy
|
paulson@2135
|
215 |
"!!evs. evs : otway lost ==> \
|
paulson@2135
|
216 |
\ EX B' NA' NB' X'. ALL B NA NB X. \
|
paulson@2284
|
217 |
\ Says Server B {|NA, X, Crypt (shrK B) {|NB, K|}|} : set_of_list evs --> \
|
paulson@2135
|
218 |
\ B=B' & NA=NA' & NB=NB' & X=X'";
|
paulson@2032
|
219 |
by (etac otway.induct 1);
|
paulson@2014
|
220 |
by (ALLGOALS (asm_simp_tac (!simpset addsimps [all_conj_distrib])));
|
paulson@2014
|
221 |
by (Step_tac 1);
|
paulson@2014
|
222 |
(*Remaining cases: OR3 and OR4*)
|
paulson@2014
|
223 |
by (ex_strip_tac 2);
|
paulson@2014
|
224 |
by (Fast_tac 2);
|
paulson@2064
|
225 |
by (expand_case_tac "K = ?y" 1);
|
paulson@2064
|
226 |
by (REPEAT (ares_tac [refl,exI,impI,conjI] 2));
|
paulson@2516
|
227 |
(*...we assume X is a recent message, and handle this case by contradiction*)
|
paulson@2516
|
228 |
by (fast_tac (!claset addSEs sees_Spy_partsEs
|
paulson@2032
|
229 |
delrules [conjI] (*prevent split-up into 4 subgoals*)
|
paulson@2032
|
230 |
addss (!simpset addsimps [parts_insertI])) 1);
|
paulson@2014
|
231 |
val lemma = result();
|
paulson@2014
|
232 |
|
paulson@2014
|
233 |
goal thy
|
paulson@2284
|
234 |
"!!evs. [| Says Server B {|NA, X, Crypt (shrK B) {|NB, K|}|} \
|
paulson@2014
|
235 |
\ : set_of_list evs; \
|
paulson@2284
|
236 |
\ Says Server B' {|NA',X',Crypt (shrK B') {|NB',K|}|} \
|
paulson@2014
|
237 |
\ : set_of_list evs; \
|
paulson@2135
|
238 |
\ evs : otway lost |] ==> X=X' & B=B' & NA=NA' & NB=NB'";
|
paulson@2417
|
239 |
by (prove_unique_tac lemma 1);
|
paulson@2014
|
240 |
qed "unique_session_keys";
|
paulson@2014
|
241 |
|
paulson@2014
|
242 |
|
paulson@2014
|
243 |
|
paulson@2048
|
244 |
(**** Authenticity properties relating to NA ****)
|
paulson@2014
|
245 |
|
paulson@2014
|
246 |
(*Only OR1 can have caused such a part of a message to appear.*)
|
paulson@2014
|
247 |
goal thy
|
paulson@2064
|
248 |
"!!evs. [| A ~: lost; evs : otway lost |] \
|
paulson@2284
|
249 |
\ ==> Crypt (shrK A) {|NA, Agent A, Agent B|} \
|
paulson@2064
|
250 |
\ : parts (sees lost Spy evs) --> \
|
paulson@2064
|
251 |
\ Says A B {|NA, Agent A, Agent B, \
|
paulson@2284
|
252 |
\ Crypt (shrK A) {|NA, Agent A, Agent B|}|} \
|
paulson@2014
|
253 |
\ : set_of_list evs";
|
paulson@2064
|
254 |
by (parts_induct_tac 1);
|
paulson@2014
|
255 |
qed_spec_mp "Crypt_imp_OR1";
|
paulson@2014
|
256 |
|
paulson@2014
|
257 |
|
paulson@2064
|
258 |
(** The Nonce NA uniquely identifies A's message. **)
|
paulson@2014
|
259 |
|
paulson@2014
|
260 |
goal thy
|
paulson@2032
|
261 |
"!!evs. [| evs : otway lost; A ~: lost |] \
|
paulson@2014
|
262 |
\ ==> EX B'. ALL B. \
|
paulson@2284
|
263 |
\ Crypt (shrK A) {|NA, Agent A, Agent B|} : parts (sees lost Spy evs) \
|
paulson@2048
|
264 |
\ --> B = B'";
|
paulson@2064
|
265 |
by (parts_induct_tac 1);
|
paulson@2064
|
266 |
by (simp_tac (!simpset addsimps [all_conj_distrib]) 1);
|
paulson@2026
|
267 |
(*OR1: creation of new Nonce. Move assertion into global context*)
|
paulson@2064
|
268 |
by (expand_case_tac "NA = ?y" 1);
|
paulson@2516
|
269 |
by (best_tac (!claset addSEs sees_Spy_partsEs) 1);
|
paulson@2014
|
270 |
val lemma = result();
|
paulson@2014
|
271 |
|
paulson@2014
|
272 |
goal thy
|
paulson@2284
|
273 |
"!!evs.[| Crypt (shrK A) {|NA, Agent A, Agent B|}: parts(sees lost Spy evs); \
|
paulson@2284
|
274 |
\ Crypt (shrK A) {|NA, Agent A, Agent C|}: parts(sees lost Spy evs); \
|
paulson@2048
|
275 |
\ evs : otway lost; A ~: lost |] \
|
paulson@2014
|
276 |
\ ==> B = C";
|
paulson@2417
|
277 |
by (prove_unique_tac lemma 1);
|
paulson@2048
|
278 |
qed "unique_NA";
|
paulson@2014
|
279 |
|
paulson@2014
|
280 |
|
paulson@2014
|
281 |
(*It is impossible to re-use a nonce in both OR1 and OR2. This holds because
|
paulson@2014
|
282 |
OR2 encrypts Nonce NB. It prevents the attack that can occur in the
|
paulson@2014
|
283 |
over-simplified version of this protocol: see OtwayRees_Bad.*)
|
paulson@2014
|
284 |
goal thy
|
paulson@2328
|
285 |
"!!evs. [| A ~: lost; evs : otway lost |] \
|
paulson@2284
|
286 |
\ ==> Crypt (shrK A) {|NA, Agent A, Agent B|} \
|
paulson@2328
|
287 |
\ : parts (sees lost Spy evs) --> \
|
paulson@2284
|
288 |
\ Crypt (shrK A) {|NA', NA, Agent A', Agent A|} \
|
paulson@2032
|
289 |
\ ~: parts (sees lost Spy evs)";
|
paulson@2071
|
290 |
by (parts_induct_tac 1);
|
paulson@2516
|
291 |
by (REPEAT (fast_tac (!claset addSEs sees_Spy_partsEs
|
paulson@2026
|
292 |
addSDs [impOfSubs parts_insert_subset_Un]
|
paulson@2071
|
293 |
addss (!simpset)) 1));
|
paulson@2014
|
294 |
qed_spec_mp"no_nonce_OR1_OR2";
|
paulson@2014
|
295 |
|
paulson@2014
|
296 |
|
paulson@2053
|
297 |
(*Crucial property: If the encrypted message appears, and A has used NA
|
paulson@2053
|
298 |
to start a run, then it originated with the Server!*)
|
paulson@2014
|
299 |
goal thy
|
paulson@2048
|
300 |
"!!evs. [| A ~: lost; A ~= Spy; evs : otway lost |] \
|
paulson@2284
|
301 |
\ ==> Crypt (shrK A) {|NA, Key K|} : parts (sees lost Spy evs) \
|
paulson@2048
|
302 |
\ --> Says A B {|NA, Agent A, Agent B, \
|
paulson@2284
|
303 |
\ Crypt (shrK A) {|NA, Agent A, Agent B|}|} \
|
paulson@2048
|
304 |
\ : set_of_list evs --> \
|
paulson@2048
|
305 |
\ (EX NB. Says Server B \
|
paulson@2048
|
306 |
\ {|NA, \
|
paulson@2284
|
307 |
\ Crypt (shrK A) {|NA, Key K|}, \
|
paulson@2284
|
308 |
\ Crypt (shrK B) {|NB, Key K|}|} \
|
paulson@2014
|
309 |
\ : set_of_list evs)";
|
paulson@2064
|
310 |
by (parts_induct_tac 1);
|
paulson@2014
|
311 |
(*OR1: it cannot be a new Nonce, contradiction.*)
|
paulson@2014
|
312 |
by (fast_tac (!claset addSIs [parts_insertI]
|
paulson@2516
|
313 |
addSEs sees_Spy_partsEs
|
paulson@2032
|
314 |
addss (!simpset)) 1);
|
paulson@2064
|
315 |
(*OR3 and OR4*)
|
paulson@2014
|
316 |
(*OR4*)
|
paulson@2014
|
317 |
by (REPEAT (Safe_step_tac 2));
|
paulson@2014
|
318 |
by (REPEAT (best_tac (!claset addSDs [parts_cut]) 3));
|
paulson@2014
|
319 |
by (fast_tac (!claset addSIs [Crypt_imp_OR1]
|
paulson@2516
|
320 |
addEs sees_Spy_partsEs) 2);
|
paulson@2064
|
321 |
(*OR3*) (** LEVEL 5 **)
|
paulson@2064
|
322 |
by (asm_simp_tac (!simpset addsimps [ex_disj_distrib]) 1);
|
paulson@2014
|
323 |
by (step_tac (!claset delrules [disjCI, impCE]) 1);
|
paulson@2014
|
324 |
by (fast_tac (!claset addSEs [MPair_parts]
|
paulson@2032
|
325 |
addSDs [Says_imp_sees_Spy RS parts.Inj]
|
paulson@2014
|
326 |
addEs [no_nonce_OR1_OR2 RSN (2, rev_notE)]
|
paulson@2048
|
327 |
delrules [conjI] (*stop split-up into 4 subgoals*)) 2);
|
paulson@2048
|
328 |
by (fast_tac (!claset addSDs [Says_imp_sees_Spy RS parts.Inj]
|
paulson@2048
|
329 |
addSEs [MPair_parts]
|
paulson@2048
|
330 |
addEs [unique_NA]) 1);
|
paulson@2048
|
331 |
qed_spec_mp "NA_Crypt_imp_Server_msg";
|
paulson@2014
|
332 |
|
paulson@2014
|
333 |
|
paulson@2053
|
334 |
(*Corollary: if A receives B's OR4 message and the nonce NA agrees
|
paulson@2014
|
335 |
then the key really did come from the Server! CANNOT prove this of the
|
paulson@2048
|
336 |
bad form of this protocol, even though we can prove
|
paulson@2032
|
337 |
Spy_not_see_encrypted_key*)
|
paulson@2014
|
338 |
goal thy
|
paulson@2284
|
339 |
"!!evs. [| Says B' A {|NA, Crypt (shrK A) {|NA, Key K|}|} \
|
paulson@2053
|
340 |
\ : set_of_list evs; \
|
paulson@2053
|
341 |
\ Says A B {|NA, Agent A, Agent B, \
|
paulson@2284
|
342 |
\ Crypt (shrK A) {|NA, Agent A, Agent B|}|} \
|
paulson@2053
|
343 |
\ : set_of_list evs; \
|
paulson@2053
|
344 |
\ A ~: lost; A ~= Spy; evs : otway lost |] \
|
paulson@2053
|
345 |
\ ==> EX NB. Says Server B \
|
paulson@2048
|
346 |
\ {|NA, \
|
paulson@2284
|
347 |
\ Crypt (shrK A) {|NA, Key K|}, \
|
paulson@2284
|
348 |
\ Crypt (shrK B) {|NB, Key K|}|} \
|
paulson@2053
|
349 |
\ : set_of_list evs";
|
paulson@2048
|
350 |
by (fast_tac (!claset addSIs [NA_Crypt_imp_Server_msg]
|
paulson@2516
|
351 |
addEs sees_Spy_partsEs) 1);
|
paulson@2328
|
352 |
qed "A_trusts_OR4";
|
paulson@2014
|
353 |
|
paulson@2014
|
354 |
|
paulson@2048
|
355 |
(** Crucial secrecy property: Spy does not see the keys sent in msg OR3
|
paulson@2048
|
356 |
Does not in itself guarantee security: an attack could violate
|
paulson@2048
|
357 |
the premises, e.g. by having A=Spy **)
|
paulson@2014
|
358 |
|
paulson@1941
|
359 |
goal thy
|
paulson@2166
|
360 |
"!!evs. [| A ~: lost; B ~: lost; evs : otway lost |] \
|
paulson@2048
|
361 |
\ ==> Says Server B \
|
paulson@2284
|
362 |
\ {|NA, Crypt (shrK A) {|NA, Key K|}, \
|
paulson@2284
|
363 |
\ Crypt (shrK B) {|NB, Key K|}|} : set_of_list evs --> \
|
paulson@2135
|
364 |
\ Says B Spy {|NA, NB, Key K|} ~: set_of_list evs --> \
|
paulson@2048
|
365 |
\ Key K ~: analz (sees lost Spy evs)";
|
paulson@2032
|
366 |
by (etac otway.induct 1);
|
paulson@2064
|
367 |
by analz_Fake_tac;
|
paulson@1964
|
368 |
by (ALLGOALS
|
paulson@2516
|
369 |
(asm_simp_tac (!simpset addcongs [conj_cong]
|
paulson@2516
|
370 |
addsimps [not_parts_not_analz, analz_insert_freshK]
|
paulson@2516
|
371 |
setloop split_tac [expand_if])));
|
paulson@1941
|
372 |
(*OR3*)
|
paulson@2516
|
373 |
by (fast_tac (!claset delrules [impCE]
|
paulson@2516
|
374 |
addSEs sees_Spy_partsEs
|
paulson@2516
|
375 |
addIs [impOfSubs analz_subset_parts]
|
paulson@2048
|
376 |
addss (!simpset addsimps [parts_insert2])) 3);
|
paulson@2135
|
377 |
(*OR4, OR2, Fake*)
|
paulson@2375
|
378 |
by (REPEAT_FIRST spy_analz_tac);
|
paulson@2135
|
379 |
(*Oops*) (** LEVEL 5 **)
|
paulson@2135
|
380 |
by (fast_tac (!claset delrules [disjE]
|
paulson@2171
|
381 |
addDs [unique_session_keys] addss (!simpset)) 1);
|
paulson@2014
|
382 |
val lemma = result() RS mp RS mp RSN(2,rev_notE);
|
paulson@2014
|
383 |
|
paulson@2014
|
384 |
goal thy
|
paulson@2516
|
385 |
"!!evs. [| Says Server B \
|
paulson@2516
|
386 |
\ {|NA, Crypt (shrK A) {|NA, Key K|}, \
|
paulson@2516
|
387 |
\ Crypt (shrK B) {|NB, Key K|}|} : set_of_list evs; \
|
paulson@2516
|
388 |
\ Says B Spy {|NA, NB, Key K|} ~: set_of_list evs; \
|
paulson@2032
|
389 |
\ A ~: lost; B ~: lost; evs : otway lost |] \
|
paulson@2516
|
390 |
\ ==> Key K ~: analz (sees lost Spy evs)";
|
paulson@2014
|
391 |
by (forward_tac [Says_Server_message_form] 1 THEN assume_tac 1);
|
paulson@2014
|
392 |
by (fast_tac (!claset addSEs [lemma]) 1);
|
paulson@2032
|
393 |
qed "Spy_not_see_encrypted_key";
|
paulson@2032
|
394 |
|
paulson@1945
|
395 |
|
paulson@2032
|
396 |
goal thy
|
paulson@2048
|
397 |
"!!evs. [| C ~: {A,B,Server}; \
|
paulson@2048
|
398 |
\ Says Server B \
|
paulson@2516
|
399 |
\ {|NA, Crypt (shrK A) {|NA, Key K|}, \
|
paulson@2516
|
400 |
\ Crypt (shrK B) {|NB, Key K|}|} : set_of_list evs; \
|
paulson@2516
|
401 |
\ Says B Spy {|NA, NB, Key K|} ~: set_of_list evs; \
|
paulson@2032
|
402 |
\ A ~: lost; B ~: lost; evs : otway lost |] \
|
paulson@2516
|
403 |
\ ==> Key K ~: analz (sees lost C evs)";
|
paulson@2032
|
404 |
by (rtac (subset_insertI RS sees_mono RS analz_mono RS contra_subsetD) 1);
|
paulson@2032
|
405 |
by (rtac (sees_lost_agent_subset_sees_Spy RS analz_mono RS contra_subsetD) 1);
|
paulson@2032
|
406 |
by (FIRSTGOAL (rtac Spy_not_see_encrypted_key));
|
paulson@2032
|
407 |
by (REPEAT_FIRST (fast_tac (!claset addIs [otway_mono RS subsetD])));
|
paulson@2032
|
408 |
qed "Agent_not_see_encrypted_key";
|
paulson@1945
|
409 |
|
paulson@1945
|
410 |
|
paulson@2048
|
411 |
(**** Authenticity properties relating to NB ****)
|
paulson@2048
|
412 |
|
paulson@2048
|
413 |
(*Only OR2 can have caused such a part of a message to appear. We do not
|
paulson@2194
|
414 |
know anything about X: it does NOT have to have the right form.*)
|
paulson@2048
|
415 |
goal thy
|
paulson@2048
|
416 |
"!!evs. [| B ~: lost; evs : otway lost |] \
|
paulson@2284
|
417 |
\ ==> Crypt (shrK B) {|NA, NB, Agent A, Agent B|} \
|
paulson@2048
|
418 |
\ : parts (sees lost Spy evs) --> \
|
paulson@2194
|
419 |
\ (EX X. Says B Server \
|
paulson@2194
|
420 |
\ {|NA, Agent A, Agent B, X, \
|
paulson@2284
|
421 |
\ Crypt (shrK B) {|NA, NB, Agent A, Agent B|}|} \
|
paulson@2048
|
422 |
\ : set_of_list evs)";
|
paulson@2064
|
423 |
by (parts_induct_tac 1);
|
paulson@2064
|
424 |
by (auto_tac (!claset, !simpset addcongs [conj_cong]));
|
paulson@2194
|
425 |
bind_thm ("Crypt_imp_OR2", result() RSN (2,rev_mp) RS exE);
|
paulson@2048
|
426 |
|
paulson@2048
|
427 |
|
paulson@2048
|
428 |
(** The Nonce NB uniquely identifies B's message. **)
|
paulson@2048
|
429 |
|
paulson@2048
|
430 |
goal thy
|
paulson@2048
|
431 |
"!!evs. [| evs : otway lost; B ~: lost |] \
|
paulson@2064
|
432 |
\ ==> EX NA' A'. ALL NA A. \
|
paulson@2284
|
433 |
\ Crypt (shrK B) {|NA, NB, Agent A, Agent B|} : parts(sees lost Spy evs) \
|
paulson@2048
|
434 |
\ --> NA = NA' & A = A'";
|
paulson@2064
|
435 |
by (parts_induct_tac 1);
|
paulson@2064
|
436 |
by (simp_tac (!simpset addsimps [all_conj_distrib]) 1);
|
paulson@2048
|
437 |
(*OR2: creation of new Nonce. Move assertion into global context*)
|
paulson@2064
|
438 |
by (expand_case_tac "NB = ?y" 1);
|
paulson@2516
|
439 |
by (deepen_tac (!claset addSEs sees_Spy_partsEs) 3 1);
|
paulson@2048
|
440 |
val lemma = result();
|
paulson@2048
|
441 |
|
paulson@2048
|
442 |
goal thy
|
paulson@2284
|
443 |
"!!evs.[| Crypt (shrK B) {|NA, NB, Agent A, Agent B|} \
|
paulson@2048
|
444 |
\ : parts(sees lost Spy evs); \
|
paulson@2284
|
445 |
\ Crypt (shrK B) {|NC, NB, Agent C, Agent B|} \
|
paulson@2048
|
446 |
\ : parts(sees lost Spy evs); \
|
paulson@2048
|
447 |
\ evs : otway lost; B ~: lost |] \
|
paulson@2048
|
448 |
\ ==> NC = NA & C = A";
|
paulson@2417
|
449 |
by (prove_unique_tac lemma 1);
|
paulson@2048
|
450 |
qed "unique_NB";
|
paulson@2048
|
451 |
|
paulson@2048
|
452 |
|
paulson@2048
|
453 |
(*If the encrypted message appears, and B has used Nonce NB,
|
paulson@2048
|
454 |
then it originated with the Server!*)
|
paulson@2048
|
455 |
goal thy
|
paulson@2048
|
456 |
"!!evs. [| B ~: lost; B ~= Spy; evs : otway lost |] \
|
paulson@2284
|
457 |
\ ==> Crypt (shrK B) {|NB, Key K|} : parts (sees lost Spy evs) \
|
paulson@2048
|
458 |
\ --> (ALL X'. Says B Server \
|
paulson@2048
|
459 |
\ {|NA, Agent A, Agent B, X', \
|
paulson@2284
|
460 |
\ Crypt (shrK B) {|NA, NB, Agent A, Agent B|}|} \
|
paulson@2048
|
461 |
\ : set_of_list evs \
|
paulson@2048
|
462 |
\ --> Says Server B \
|
paulson@2284
|
463 |
\ {|NA, Crypt (shrK A) {|NA, Key K|}, \
|
paulson@2284
|
464 |
\ Crypt (shrK B) {|NB, Key K|}|} \
|
paulson@2048
|
465 |
\ : set_of_list evs)";
|
paulson@2064
|
466 |
by (parts_induct_tac 1);
|
paulson@2048
|
467 |
(*OR1: it cannot be a new Nonce, contradiction.*)
|
paulson@2048
|
468 |
by (fast_tac (!claset addSIs [parts_insertI]
|
paulson@2516
|
469 |
addSEs sees_Spy_partsEs
|
paulson@2048
|
470 |
addss (!simpset)) 1);
|
paulson@2048
|
471 |
(*OR4*)
|
paulson@2194
|
472 |
by (fast_tac (!claset addSEs [MPair_parts, Crypt_imp_OR2]) 2);
|
paulson@2194
|
473 |
(*OR3*)
|
paulson@2048
|
474 |
by (step_tac (!claset delrules [disjCI, impCE]) 1);
|
paulson@2048
|
475 |
by (fast_tac (!claset delrules [conjI] (*stop split-up*)) 3);
|
paulson@2048
|
476 |
by (fast_tac (!claset addSDs [Says_imp_sees_Spy RS parts.Inj]
|
paulson@2048
|
477 |
addSEs [MPair_parts]
|
paulson@2048
|
478 |
addDs [unique_NB]) 2);
|
paulson@2048
|
479 |
by (fast_tac (!claset addSEs [MPair_parts]
|
paulson@2048
|
480 |
addSDs [Says_imp_sees_Spy RS parts.Inj]
|
paulson@2048
|
481 |
addSEs [no_nonce_OR1_OR2 RSN (2, rev_notE)]
|
paulson@2048
|
482 |
delrules [conjI, impCE] (*stop split-up*)) 1);
|
paulson@2048
|
483 |
qed_spec_mp "NB_Crypt_imp_Server_msg";
|
paulson@2048
|
484 |
|
paulson@2048
|
485 |
|
paulson@2048
|
486 |
(*Guarantee for B: if it gets a message with matching NB then the Server
|
paulson@2048
|
487 |
has sent the correct message.*)
|
paulson@2048
|
488 |
goal thy
|
paulson@2048
|
489 |
"!!evs. [| B ~: lost; B ~= Spy; evs : otway lost; \
|
paulson@2284
|
490 |
\ Says S B {|NA, X, Crypt (shrK B) {|NB, Key K|}|} \
|
paulson@2048
|
491 |
\ : set_of_list evs; \
|
paulson@2048
|
492 |
\ Says B Server {|NA, Agent A, Agent B, X', \
|
paulson@2284
|
493 |
\ Crypt (shrK B) {|NA, NB, Agent A, Agent B|} |} \
|
paulson@2048
|
494 |
\ : set_of_list evs |] \
|
paulson@2048
|
495 |
\ ==> Says Server B \
|
paulson@2048
|
496 |
\ {|NA, \
|
paulson@2284
|
497 |
\ Crypt (shrK A) {|NA, Key K|}, \
|
paulson@2284
|
498 |
\ Crypt (shrK B) {|NB, Key K|}|} \
|
paulson@2048
|
499 |
\ : set_of_list evs";
|
paulson@2048
|
500 |
by (fast_tac (!claset addSIs [NB_Crypt_imp_Server_msg]
|
paulson@2516
|
501 |
addEs sees_Spy_partsEs) 1);
|
paulson@2328
|
502 |
qed "B_trusts_OR3";
|
paulson@2048
|
503 |
|
paulson@2048
|
504 |
|
paulson@2328
|
505 |
B_trusts_OR3 RS Spy_not_see_encrypted_key;
|
paulson@2048
|
506 |
|
paulson@2048
|
507 |
|
paulson@1945
|
508 |
goal thy
|
paulson@2214
|
509 |
"!!evs. [| B ~: lost; evs : otway lost |] \
|
paulson@2214
|
510 |
\ ==> Says Server B \
|
paulson@2284
|
511 |
\ {|NA, Crypt (shrK A) {|NA, Key K|}, \
|
paulson@2284
|
512 |
\ Crypt (shrK B) {|NB, Key K|}|} : set_of_list evs --> \
|
paulson@2214
|
513 |
\ (EX X. Says B Server {|NA, Agent A, Agent B, X, \
|
paulson@2284
|
514 |
\ Crypt (shrK B) {|NA, NB, Agent A, Agent B|} |} \
|
paulson@2194
|
515 |
\ : set_of_list evs)";
|
paulson@2032
|
516 |
by (etac otway.induct 1);
|
paulson@2194
|
517 |
by (Auto_tac());
|
paulson@2284
|
518 |
by (dtac (Says_imp_sees_Spy RS parts.Inj) 1);
|
paulson@2194
|
519 |
by (fast_tac (!claset addSEs [MPair_parts, Crypt_imp_OR2]) 1);
|
paulson@2194
|
520 |
bind_thm ("OR3_imp_OR2", result() RSN (2,rev_mp) RS exE);
|
paulson@2194
|
521 |
|
paulson@2194
|
522 |
|
paulson@2194
|
523 |
(*After getting and checking OR4, agent A can trust that B has been active.
|
paulson@2194
|
524 |
We could probably prove that X has the expected form, but that is not
|
paulson@2194
|
525 |
strictly necessary for authentication.*)
|
paulson@2194
|
526 |
goal thy
|
paulson@2284
|
527 |
"!!evs. [| Says B' A {|NA, Crypt (shrK A) {|NA, Key K|}|} \
|
paulson@2194
|
528 |
\ : set_of_list evs; \
|
paulson@2194
|
529 |
\ Says A B {|NA, Agent A, Agent B, \
|
paulson@2284
|
530 |
\ Crypt (shrK A) {|NA, Agent A, Agent B|}|} \
|
paulson@2194
|
531 |
\ : set_of_list evs; \
|
paulson@2194
|
532 |
\ A ~: lost; A ~= Spy; B ~: lost; evs : otway lost |] \
|
paulson@2194
|
533 |
\ ==> EX NB X. Says B Server {|NA, Agent A, Agent B, X, \
|
paulson@2284
|
534 |
\ Crypt (shrK B) {|NA, NB, Agent A, Agent B|} |}\
|
paulson@2194
|
535 |
\ : set_of_list evs";
|
paulson@2328
|
536 |
by (fast_tac (!claset addSDs [A_trusts_OR4]
|
paulson@2284
|
537 |
addSEs [OR3_imp_OR2]) 1);
|
paulson@2194
|
538 |
qed "A_auths_B";
|