src/HOL/Auth/OtwayRees_Bad.ML
author paulson
Fri Jan 17 12:49:31 1997 +0100 (1997-01-17)
changeset 2516 4d68fbe6378b
parent 2451 ce85a2aafc7a
child 2637 e9b203f854ae
permissions -rw-r--r--
Now with Andy Gordon's treatment of freshness to replace newN/K
paulson@2002
     1
(*  Title:      HOL/Auth/OtwayRees_Bad
paulson@2002
     2
    ID:         $Id$
paulson@2002
     3
    Author:     Lawrence C Paulson, Cambridge University Computer Laboratory
paulson@2002
     4
    Copyright   1996  University of Cambridge
paulson@2002
     5
paulson@2002
     6
Inductive relation "otway" for the Otway-Rees protocol.
paulson@2002
     7
paulson@2002
     8
The FAULTY version omitting encryption of Nonce NB, as suggested on page 247 of
paulson@2002
     9
  Burrows, Abadi and Needham.  A Logic of Authentication.
paulson@2002
    10
  Proc. Royal Soc. 426 (1989)
paulson@2002
    11
paulson@2002
    12
This file illustrates the consequences of such errors.  We can still prove
paulson@2032
    13
impressive-looking properties such as Spy_not_see_encrypted_key, yet the
paulson@2002
    14
protocol is open to a middleperson attack.  Attempting to prove some key lemmas
paulson@2002
    15
indicates the possibility of this attack.
paulson@2002
    16
*)
paulson@2002
    17
paulson@2002
    18
open OtwayRees_Bad;
paulson@2002
    19
paulson@2002
    20
proof_timing:=true;
paulson@2002
    21
HOL_quantifiers := false;
paulson@2002
    22
paulson@2002
    23
paulson@2002
    24
(*Weak liveness: there are traces that reach the end*)
paulson@2002
    25
goal thy 
paulson@2002
    26
 "!!A B. [| A ~= B; A ~= Server; B ~= Server |]   \
paulson@2002
    27
\        ==> EX K. EX NA. EX evs: otway.          \
paulson@2284
    28
\               Says B A {|Nonce NA, Crypt (shrK A) {|Nonce NA, Key K|}|} \
paulson@2002
    29
\                 : set_of_list evs";
paulson@2002
    30
by (REPEAT (resolve_tac [exI,bexI] 1));
paulson@2032
    31
by (rtac (otway.Nil RS otway.OR1 RS otway.OR2 RS otway.OR3 RS otway.OR4) 2);
paulson@2516
    32
by possibility_tac;
paulson@2002
    33
result();
paulson@2002
    34
paulson@2002
    35
paulson@2002
    36
(**** Inductive proofs about otway ****)
paulson@2002
    37
paulson@2002
    38
(*Nobody sends themselves messages*)
paulson@2002
    39
goal thy "!!evs. evs : otway ==> ALL A X. Says A A X ~: set_of_list evs";
paulson@2032
    40
by (etac otway.induct 1);
paulson@2002
    41
by (Auto_tac());
paulson@2002
    42
qed_spec_mp "not_Says_to_self";
paulson@2002
    43
Addsimps [not_Says_to_self];
paulson@2002
    44
AddSEs   [not_Says_to_self RSN (2, rev_notE)];
paulson@2002
    45
paulson@2002
    46
paulson@2002
    47
(** For reasoning about the encrypted portion of messages **)
paulson@2002
    48
paulson@2002
    49
goal thy "!!evs. Says A' B {|N, Agent A, Agent B, X|} : set_of_list evs ==> \
paulson@2052
    50
\                X : analz (sees lost Spy evs)";
paulson@2032
    51
by (fast_tac (!claset addSDs [Says_imp_sees_Spy RS analz.Inj]) 1);
paulson@2032
    52
qed "OR2_analz_sees_Spy";
paulson@2002
    53
paulson@2516
    54
goal thy "!!evs. Says S B {|N, X, Crypt (shrK B) X'|} : set_of_list evs ==> \
paulson@2052
    55
\                X : analz (sees lost Spy evs)";
paulson@2032
    56
by (fast_tac (!claset addSDs [Says_imp_sees_Spy RS analz.Inj]) 1);
paulson@2032
    57
qed "OR4_analz_sees_Spy";
paulson@2002
    58
paulson@2284
    59
goal thy "!!evs. Says Server B {|NA, X, Crypt K' {|NB,K|}|} : set_of_list evs \
paulson@2131
    60
\                 ==> K : parts (sees lost Spy evs)";
paulson@2516
    61
by (fast_tac (!claset addSEs sees_Spy_partsEs) 1);
paulson@2131
    62
qed "Oops_parts_sees_Spy";
paulson@2002
    63
paulson@2002
    64
(*OR2_analz... and OR4_analz... let us treat those cases using the same 
paulson@2002
    65
  argument as for the Fake case.  This is possible for most, but not all,
paulson@2002
    66
  proofs: Fake does not invent new nonces (as in OR2), and of course Fake
paulson@2032
    67
  messages originate from the Spy. *)
paulson@2002
    68
paulson@2052
    69
bind_thm ("OR2_parts_sees_Spy",
paulson@2052
    70
          OR2_analz_sees_Spy RS (impOfSubs analz_subset_parts));
paulson@2052
    71
bind_thm ("OR4_parts_sees_Spy",
paulson@2052
    72
          OR4_analz_sees_Spy RS (impOfSubs analz_subset_parts));
paulson@2052
    73
paulson@2002
    74
val parts_Fake_tac = 
paulson@2052
    75
    forward_tac [OR2_parts_sees_Spy] 4 THEN 
paulson@2052
    76
    forward_tac [OR4_parts_sees_Spy] 6 THEN
paulson@2131
    77
    forward_tac [Oops_parts_sees_Spy] 7;
paulson@2131
    78
paulson@2131
    79
(*For proving the easier theorems about X ~: parts (sees lost Spy evs) *)
paulson@2131
    80
fun parts_induct_tac i = SELECT_GOAL
paulson@2131
    81
    (DETERM (etac otway.induct 1 THEN parts_Fake_tac THEN
paulson@2516
    82
             (*Fake message*)
paulson@2516
    83
             TRY (best_tac (!claset addDs [impOfSubs analz_subset_parts,
paulson@2516
    84
                                           impOfSubs Fake_parts_insert]
paulson@2131
    85
                                    addss (!simpset)) 2)) THEN
paulson@2131
    86
     (*Base case*)
paulson@2131
    87
     fast_tac (!claset addss (!simpset)) 1 THEN
paulson@2131
    88
     ALLGOALS Asm_simp_tac) i;
paulson@2002
    89
paulson@2002
    90
paulson@2052
    91
(** Theorems of the form X ~: parts (sees lost Spy evs) imply that NOBODY
paulson@2002
    92
    sends messages containing X! **)
paulson@2002
    93
paulson@2131
    94
(*Spy never sees another agent's shared key! (unless it's lost at start)*)
paulson@2002
    95
goal thy 
paulson@2131
    96
 "!!evs. evs : otway \
paulson@2131
    97
\        ==> (Key (shrK A) : parts (sees lost Spy evs)) = (A : lost)";
paulson@2131
    98
by (parts_induct_tac 1);
paulson@2002
    99
by (Auto_tac());
paulson@2131
   100
qed "Spy_see_shrK";
paulson@2131
   101
Addsimps [Spy_see_shrK];
paulson@2002
   102
paulson@2131
   103
goal thy 
paulson@2131
   104
 "!!evs. evs : otway \
paulson@2131
   105
\        ==> (Key (shrK A) : analz (sees lost Spy evs)) = (A : lost)";
paulson@2131
   106
by (auto_tac(!claset addDs [impOfSubs analz_subset_parts], !simpset));
paulson@2131
   107
qed "Spy_analz_shrK";
paulson@2131
   108
Addsimps [Spy_analz_shrK];
paulson@2002
   109
paulson@2131
   110
goal thy  "!!A. [| Key (shrK A) : parts (sees lost Spy evs);       \
paulson@2131
   111
\                  evs : otway |] ==> A:lost";
paulson@2131
   112
by (fast_tac (!claset addDs [Spy_see_shrK]) 1);
paulson@2131
   113
qed "Spy_see_shrK_D";
paulson@2002
   114
paulson@2131
   115
bind_thm ("Spy_analz_shrK_D", analz_subset_parts RS subsetD RS Spy_see_shrK_D);
paulson@2131
   116
AddSDs [Spy_see_shrK_D, Spy_analz_shrK_D];
paulson@2002
   117
paulson@2002
   118
paulson@2516
   119
(*Nobody can have used non-existent keys!*)
paulson@2516
   120
goal thy "!!evs. evs : otway ==>          \
paulson@2516
   121
\         Key K ~: used evs --> K ~: keysFor (parts (sees lost Spy evs))";
paulson@2160
   122
by (parts_induct_tac 1);
paulson@2516
   123
(*Fake*)
paulson@2516
   124
by (best_tac
paulson@2516
   125
      (!claset addIs [impOfSubs analz_subset_parts]
paulson@2516
   126
               addDs [impOfSubs (analz_subset_parts RS keysFor_mono),
paulson@2516
   127
                      impOfSubs (parts_insert_subset_Un RS keysFor_mono)]
paulson@2516
   128
               addss (!simpset)) 1);
paulson@2516
   129
(*OR1-3*)
paulson@2516
   130
by (REPEAT (fast_tac (!claset addss (!simpset)) 1));
paulson@2160
   131
qed_spec_mp "new_keys_not_used";
paulson@2002
   132
paulson@2002
   133
bind_thm ("new_keys_not_analzd",
paulson@2032
   134
          [analz_subset_parts RS keysFor_mono,
paulson@2032
   135
           new_keys_not_used] MRS contra_subsetD);
paulson@2002
   136
paulson@2002
   137
Addsimps [new_keys_not_used, new_keys_not_analzd];
paulson@2002
   138
paulson@2002
   139
paulson@2131
   140
paulson@2131
   141
(*** Proofs involving analz ***)
paulson@2131
   142
paulson@2131
   143
(*Describes the form of K and NA when the Server sends this message.  Also
paulson@2131
   144
  for Oops case.*)
paulson@2131
   145
goal thy 
paulson@2516
   146
 "!!evs. [| Says Server B                                                 \
paulson@2516
   147
\            {|NA, X, Crypt (shrK B) {|NB, Key K|}|} : set_of_list evs;   \
paulson@2516
   148
\           evs : otway |]                                                \
paulson@2516
   149
\     ==> K ~: range shrK & (EX i. NA = Nonce i) & (EX j. NB = Nonce j)";
paulson@2131
   150
by (etac rev_mp 1);
paulson@2131
   151
by (etac otway.induct 1);
paulson@2131
   152
by (ALLGOALS (fast_tac (!claset addss (!simpset))));
paulson@2131
   153
qed "Says_Server_message_form";
paulson@2131
   154
paulson@2131
   155
paulson@2131
   156
(*For proofs involving analz.*)
paulson@2131
   157
val analz_Fake_tac = 
paulson@2131
   158
    dtac OR2_analz_sees_Spy 4 THEN 
paulson@2131
   159
    dtac OR4_analz_sees_Spy 6 THEN
paulson@2516
   160
    forward_tac [Says_Server_message_form] 7 THEN assume_tac 7 THEN 
paulson@2451
   161
    REPEAT ((eresolve_tac [exE, conjE] ORELSE' hyp_subst_tac) 7);
paulson@2002
   162
paulson@2002
   163
paulson@2002
   164
(****
paulson@2002
   165
 The following is to prove theorems of the form
paulson@2002
   166
paulson@2516
   167
  Key K : analz (insert (Key KAB) (sees lost Spy evs)) ==>
paulson@2451
   168
  Key K : analz (sees lost Spy evs)
paulson@2002
   169
paulson@2002
   170
 A more general formula must be proved inductively.
paulson@2002
   171
****)
paulson@2002
   172
paulson@2002
   173
paulson@2002
   174
(** Session keys are not used to encrypt other session keys **)
paulson@2002
   175
paulson@2002
   176
(*The equality makes the induction hypothesis easier to apply*)
paulson@2002
   177
goal thy  
paulson@2002
   178
 "!!evs. evs : otway ==> \
paulson@2516
   179
\  ALL K KK. KK <= Compl (range shrK) -->                      \
paulson@2516
   180
\            (Key K : analz (Key``KK Un (sees lost Spy evs))) = \
paulson@2516
   181
\            (K : KK | Key K : analz (sees lost Spy evs))";
paulson@2032
   182
by (etac otway.induct 1);
paulson@2131
   183
by analz_Fake_tac;
paulson@2516
   184
by (REPEAT_FIRST (resolve_tac [allI, impI]));
paulson@2516
   185
by (REPEAT_FIRST (rtac analz_image_freshK_lemma ));
paulson@2516
   186
by (ALLGOALS (asm_simp_tac analz_image_freshK_ss));
paulson@2516
   187
(*Base*)
paulson@2516
   188
by (fast_tac (!claset addIs [image_eqI] addss (!simpset)) 1);
paulson@2516
   189
(*Fake, OR2, OR4*) 
paulson@2516
   190
by (REPEAT (spy_analz_tac 1));
paulson@2516
   191
qed_spec_mp "analz_image_freshK";
paulson@2002
   192
paulson@2002
   193
paulson@2002
   194
goal thy
paulson@2516
   195
 "!!evs. [| evs : otway;  KAB ~: range shrK |] ==>              \
paulson@2516
   196
\        Key K : analz (insert (Key KAB) (sees lost Spy evs)) = \
paulson@2516
   197
\        (K = KAB | Key K : analz (sees lost Spy evs))";
paulson@2516
   198
by (asm_simp_tac (analz_image_freshK_ss addsimps [analz_image_freshK]) 1);
paulson@2516
   199
qed "analz_insert_freshK";
paulson@2002
   200
paulson@2002
   201
paulson@2131
   202
(*** The Key K uniquely identifies the Server's  message. **)
paulson@2002
   203
paulson@2002
   204
goal thy 
paulson@2451
   205
 "!!evs. evs : otway ==>                                                      \
paulson@2131
   206
\   EX B' NA' NB' X'. ALL B NA NB X.                                          \
paulson@2284
   207
\     Says Server B {|NA, X, Crypt (shrK B) {|NB, K|}|} : set_of_list evs --> \
paulson@2131
   208
\     B=B' & NA=NA' & NB=NB' & X=X'";
paulson@2032
   209
by (etac otway.induct 1);
paulson@2002
   210
by (ALLGOALS (asm_simp_tac (!simpset addsimps [all_conj_distrib])));
paulson@2002
   211
by (Step_tac 1);
paulson@2002
   212
(*Remaining cases: OR3 and OR4*)
paulson@2002
   213
by (ex_strip_tac 2);
paulson@2002
   214
by (Fast_tac 2);
paulson@2107
   215
by (expand_case_tac "K = ?y" 1);
paulson@2107
   216
by (REPEAT (ares_tac [refl,exI,impI,conjI] 2));
paulson@2516
   217
(*...we assume X is a recent message, and handle this case by contradiction*)
paulson@2516
   218
by (fast_tac (!claset addSEs sees_Spy_partsEs
paulson@2032
   219
                      delrules [conjI]    (*prevent split-up into 4 subgoals*)
paulson@2032
   220
                      addss (!simpset addsimps [parts_insertI])) 1);
paulson@2002
   221
val lemma = result();
paulson@2002
   222
paulson@2002
   223
goal thy 
paulson@2284
   224
 "!!evs. [| Says Server B {|NA, X, Crypt (shrK B) {|NB, K|}|}      \
paulson@2002
   225
\            : set_of_list evs;                                    \ 
paulson@2284
   226
\           Says Server B' {|NA',X',Crypt (shrK B') {|NB',K|}|}    \
paulson@2002
   227
\            : set_of_list evs;                                    \
paulson@2131
   228
\           evs : otway |] ==> X=X' & B=B' & NA=NA' & NB=NB'";
paulson@2417
   229
by (prove_unique_tac lemma 1);
paulson@2002
   230
qed "unique_session_keys";
paulson@2002
   231
paulson@2002
   232
paulson@2131
   233
(*Crucial security property, but not itself enough to guarantee correctness!*)
paulson@2131
   234
goal thy 
paulson@2166
   235
 "!!evs. [| A ~: lost;  B ~: lost;  evs : otway |]                    \
paulson@2166
   236
\        ==> Says Server B                                            \
paulson@2284
   237
\              {|NA, Crypt (shrK A) {|NA, Key K|},                    \
paulson@2284
   238
\                Crypt (shrK B) {|NB, Key K|}|} : set_of_list evs --> \
paulson@2166
   239
\            Says B Spy {|NA, NB, Key K|} ~: set_of_list evs -->      \
paulson@2166
   240
\            Key K ~: analz (sees lost Spy evs)";
paulson@2131
   241
by (etac otway.induct 1);
paulson@2131
   242
by analz_Fake_tac;
paulson@2131
   243
by (ALLGOALS
paulson@2516
   244
    (asm_simp_tac (!simpset addcongs [conj_cong] 
paulson@2516
   245
                            addsimps [not_parts_not_analz, analz_insert_freshK]
paulson@2516
   246
                            setloop split_tac [expand_if])));
paulson@2131
   247
(*OR3*)
paulson@2516
   248
by (fast_tac (!claset delrules [impCE]
paulson@2516
   249
                      addSEs sees_Spy_partsEs
paulson@2516
   250
                      addIs [impOfSubs analz_subset_parts]
paulson@2131
   251
                      addss (!simpset addsimps [parts_insert2])) 3);
paulson@2131
   252
(*OR4, OR2, Fake*) 
paulson@2375
   253
by (REPEAT_FIRST spy_analz_tac);
paulson@2131
   254
(*Oops*) (** LEVEL 5 **)
paulson@2131
   255
by (fast_tac (!claset delrules [disjE]
paulson@2516
   256
                      addDs [unique_session_keys] addss (!simpset)) 1);
paulson@2131
   257
val lemma = result() RS mp RS mp RSN(2,rev_notE);
paulson@2131
   258
paulson@2131
   259
goal thy 
paulson@2516
   260
 "!!evs. [| Says Server B                                                \
paulson@2516
   261
\            {|NA, Crypt (shrK A) {|NA, Key K|},                         \
paulson@2516
   262
\                  Crypt (shrK B) {|NB, Key K|}|} : set_of_list evs;     \
paulson@2516
   263
\           Says B Spy {|NA, NB, Key K|} ~: set_of_list evs;             \
paulson@2131
   264
\           A ~: lost;  B ~: lost;  evs : otway |]                \
paulson@2516
   265
\        ==> Key K ~: analz (sees lost Spy evs)";
paulson@2131
   266
by (forward_tac [Says_Server_message_form] 1 THEN assume_tac 1);
paulson@2131
   267
by (fast_tac (!claset addSEs [lemma]) 1);
paulson@2131
   268
qed "Spy_not_see_encrypted_key";
paulson@2131
   269
paulson@2131
   270
paulson@2131
   271
(*** Attempting to prove stronger properties ***)
paulson@2131
   272
paulson@2052
   273
(*Only OR1 can have caused such a part of a message to appear.
paulson@2052
   274
  I'm not sure why A ~= B premise is needed: OtwayRees.ML doesn't need it.
paulson@2052
   275
  Perhaps it's because OR2 has two similar-looking encrypted messages in
paulson@2516
   276
        this version.*)
paulson@2002
   277
goal thy 
paulson@2516
   278
 "!!evs. [| A ~: lost;  A ~= B;  evs : otway |]                \
paulson@2284
   279
\        ==> Crypt (shrK A) {|NA, Agent A, Agent B|}           \
paulson@2052
   280
\             : parts (sees lost Spy evs) -->                  \
paulson@2131
   281
\            Says A B {|NA, Agent A, Agent B,                  \
paulson@2284
   282
\                       Crypt (shrK A) {|NA, Agent A, Agent B|}|}  \
paulson@2002
   283
\             : set_of_list evs";
paulson@2131
   284
by (parts_induct_tac 1);
paulson@2131
   285
by (Fast_tac 1);
paulson@2002
   286
qed_spec_mp "Crypt_imp_OR1";
paulson@2002
   287
paulson@2002
   288
paulson@2131
   289
(*Crucial property: If the encrypted message appears, and A has used NA
paulson@2131
   290
  to start a run, then it originated with the Server!*)
paulson@2131
   291
(*Only it is FALSE.  Somebody could make a fake message to Server
paulson@2002
   292
          substituting some other nonce NA' for NB.*)
paulson@2002
   293
goal thy 
paulson@2052
   294
 "!!evs. [| A ~: lost;  A ~= Spy;  evs : otway |]                        \
paulson@2284
   295
\        ==> Crypt (shrK A) {|NA, Key K|} : parts (sees lost Spy evs) --> \
paulson@2131
   296
\            Says A B {|NA, Agent A, Agent B,                  \
paulson@2284
   297
\                       Crypt (shrK A) {|NA, Agent A, Agent B|}|}  \
paulson@2131
   298
\             : set_of_list evs -->                            \
paulson@2131
   299
\            (EX B NB. Says Server B                           \
paulson@2131
   300
\                 {|NA,                                        \
paulson@2284
   301
\                   Crypt (shrK A) {|NA, Key K|},              \
paulson@2284
   302
\                   Crypt (shrK B) {|NB, Key K|}|}             \
paulson@2002
   303
\                   : set_of_list evs)";
paulson@2131
   304
by (parts_induct_tac 1);
paulson@2002
   305
(*OR1: it cannot be a new Nonce, contradiction.*)
paulson@2002
   306
by (fast_tac (!claset addSIs [parts_insertI]
paulson@2516
   307
                      addSEs sees_Spy_partsEs
paulson@2032
   308
                      addss (!simpset)) 1);
paulson@2002
   309
(*OR4*)
paulson@2002
   310
by (REPEAT (Safe_step_tac 2));
paulson@2052
   311
by (REPEAT (best_tac (!claset addSDs [parts_cut]) 3));
paulson@2052
   312
by (fast_tac (!claset addSIs [Crypt_imp_OR1]
paulson@2516
   313
                      addEs  sees_Spy_partsEs) 2);
paulson@2131
   314
(*OR3*)  (** LEVEL 5 **)
paulson@2002
   315
by (ALLGOALS (asm_simp_tac (!simpset addsimps [ex_disj_distrib])));
paulson@2052
   316
by (step_tac (!claset delrules [disjCI, impCE]) 1);
paulson@2002
   317
(*The hypotheses at this point suggest an attack in which nonce NA is used
paulson@2052
   318
  in two different roles:
paulson@2052
   319
          Says B' Server
paulson@2052
   320
           {|Nonce NAa, Agent Aa, Agent A,
paulson@2284
   321
             Crypt (shrK Aa) {|Nonce NAa, Agent Aa, Agent A|}, Nonce NA,
paulson@2284
   322
             Crypt (shrK A) {|Nonce NAa, Agent Aa, Agent A|}|}
paulson@2052
   323
          : set_of_list evsa;
paulson@2052
   324
          Says A B
paulson@2052
   325
           {|Nonce NA, Agent A, Agent B,
paulson@2284
   326
             Crypt (shrK A) {|Nonce NA, Agent A, Agent B|}|}
paulson@2052
   327
          : set_of_list evsa 
paulson@2052
   328
*)
paulson@2131
   329
writeln "GIVE UP! on NA_Crypt_imp_Server_msg";
paulson@2002
   330
paulson@2002
   331
paulson@2052
   332
(*Thus the key property A_can_trust probably fails too.*)