LaTeX code is now generated directly from theory files.
changeset

2 
\begin{isabellebody}% 
3 
\def\isabellecontext{NS{\isacharunderscore}Public}% 
4 
% 
5 
\isadelimtheory 
6 
% 
7 
\endisadelimtheory 
8 
% 
9 
\isatagtheory 
10 
% 
11 
\endisatagtheory 
12 
{\isafoldtheory}% 
13 
% 
14 
\isadelimtheory 
15 
% 
16 
\endisadelimtheory 
17 
% 
18 
\isamarkupsection{Modelling the Protocol \label{sec:modelling}% 
19 
} 
20 
\isamarkuptrue% 
21 
% 
22 
\begin{figure} 
23 
\begin{isabelle} 
24 
\isacommand{inductive{\isacharunderscore}set}\isamarkupfalse% 
25 
\ ns{\isacharunderscore}public\ {\isacharcolon}{\isacharcolon}\ {\isachardoublequoteopen}event\ list\ set{\isachardoublequoteclose}\isanewline 
26 
\ \ \isakeyword{where}\isanewline 
27 
\isanewline 
28 
\ \ \ Nil{\isacharcolon}\ \ {\isachardoublequoteopen}{\isacharbrackleft}{\isacharbrackright}\ {\isasymin}\ ns{\isacharunderscore}public{\isachardoublequoteclose}\isanewline 
29 
\isanewline 
30 
\isanewline 
31 
\ {\isacharbar}\ Fake{\isacharcolon}\ {\isachardoublequoteopen}{\isasymlbrakk}evsf\ {\isasymin}\ ns{\isacharunderscore}public{\isacharsemicolon}\ \ X\ {\isasymin}\ synth\ {\isacharparenleft}analz\ {\isacharparenleft}knows\ Spy\ evsf{\isacharparenright}{\isacharparenright}{\isasymrbrakk}\isanewline 
32 
\ \ \ \ \ \ \ \ \ \ {\isasymLongrightarrow}\ Says\ Spy\ B\ X\ \ {\isacharhash}\ evsf\ {\isasymin}\ ns{\isacharunderscore}public{\isachardoublequoteclose}\isanewline 
33 
\isanewline 
34 
\isanewline 
35 
\ {\isacharbar}\ NS{\isadigit{1}}{\isacharcolon}\ \ {\isachardoublequoteopen}{\isasymlbrakk}evs{\isadigit{1}}\ {\isasymin}\ ns{\isacharunderscore}public{\isacharsemicolon}\ \ Nonce\ NA\ {\isasymnotin}\ used\ evs{\isadigit{1}}{\isasymrbrakk}\isanewline 
36 
\ \ \ \ \ \ \ \ \ \ {\isasymLongrightarrow}\ Says\ A\ B\ {\isacharparenleft}Crypt\ {\isacharparenleft}pubK\ B{\isacharparenright}\ {\isasymlbrace}Nonce\ NA{\isacharcomma}\ Agent\ A{\isasymrbrace}{\isacharparenright}\isanewline 
37 
\ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ {\isacharhash}\ evs{\isadigit{1}}\ \ {\isasymin}\ \ ns{\isacharunderscore}public{\isachardoublequoteclose}\isanewline 
38 
\isanewline 
39 
\isanewline 
40 
\ {\isacharbar}\ NS{\isadigit{2}}{\isacharcolon}\ \ {\isachardoublequoteopen}{\isasymlbrakk}evs{\isadigit{2}}\ {\isasymin}\ ns{\isacharunderscore}public{\isacharsemicolon}\ \ Nonce\ NB\ {\isasymnotin}\ used\ evs{\isadigit{2}}{\isacharsemicolon}\isanewline 
41 
\ \ \ \ \ \ \ \ \ \ \ Says\ A{\isacharprime}\ B\ {\isacharparenleft}Crypt\ {\isacharparenleft}pubK\ B{\isacharparenright}\ {\isasymlbrace}Nonce\ NA{\isacharcomma}\ Agent\ A{\isasymrbrace}{\isacharparenright}\ {\isasymin}\ set\ evs{\isadigit{2}}{\isasymrbrakk}\isanewline 
42 
\ \ \ \ \ \ \ \ \ \ {\isasymLongrightarrow}\ Says\ B\ A\ {\isacharparenleft}Crypt\ {\isacharparenleft}pubK\ A{\isacharparenright}\ {\isasymlbrace}Nonce\ NA{\isacharcomma}\ Nonce\ NB{\isacharcomma}\ Agent\ B{\isasymrbrace}{\isacharparenright}\isanewline 
43 
\ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ {\isacharhash}\ evs{\isadigit{2}}\ \ {\isasymin}\ \ ns{\isacharunderscore}public{\isachardoublequoteclose}\isanewline 
44 
\isanewline 
45 
\isanewline 
46 
\ {\isacharbar}\ NS{\isadigit{3}}{\isacharcolon}\ \ {\isachardoublequoteopen}{\isasymlbrakk}evs{\isadigit{3}}\ {\isasymin}\ ns{\isacharunderscore}public{\isacharsemicolon}\isanewline 
47 
\ \ \ \ \ \ \ \ \ \ \ Says\ A\ \ B\ {\isacharparenleft}Crypt\ {\isacharparenleft}pubK\ B{\isacharparenright}\ {\isasymlbrace}Nonce\ NA{\isacharcomma}\ Agent\ A{\isasymrbrace}{\isacharparenright}\ {\isasymin}\ set\ evs{\isadigit{3}}{\isacharsemicolon}\isanewline 
48 
\ \ \ \ \ \ \ \ \ \ \ Says\ B{\isacharprime}\ A\ {\isacharparenleft}Crypt\ {\isacharparenleft}pubK\ A{\isacharparenright}\ {\isasymlbrace}Nonce\ NA{\isacharcomma}\ Nonce\ NB{\isacharcomma}\ Agent\ B{\isasymrbrace}{\isacharparenright}\isanewline 
49 
\ \ \ \ \ \ \ \ \ \ \ \ \ \ {\isasymin}\ set\ evs{\isadigit{3}}{\isasymrbrakk}\isanewline 
50 
\ \ \ \ \ \ \ \ \ \ {\isasymLongrightarrow}\ Says\ A\ B\ {\isacharparenleft}Crypt\ {\isacharparenleft}pubK\ B{\isacharparenright}\ {\isacharparenleft}Nonce\ NB{\isacharparenright}{\isacharparenright}\ {\isacharhash}\ evs{\isadigit{3}}\ {\isasymin}\ ns{\isacharunderscore}public{\isachardoublequoteclose}% 
51 
\end{isabelle} 
52 
\caption{An Inductive Protocol Definition}\label{fig:ns_public} 
53 
\end{figure} 
54 
% 
55 
\begin{isamarkuptext}% 
56 
Let us formalize the NeedhamSchroeder publickey protocol, as corrected by 
57 
Lowe: 
58 
\begin{alignat*% 
59 
}{2} 
60 
&1.&\quad A\to B &: \comp{Na,A}\sb{Kb} \\ 
61 
&2.&\quad B\to A &: \comp{Na,Nb,B}\sb{Ka} \\ 
62 
&3.&\quad A\to B &: \comp{Nb}\sb{Kb} 
63 
\end{alignat*% 
64 
} 
65 

ee98c2528a8f
66 
Each protocol step is specified by a rule of an inductive definition. An 
67 
event trace has type \isa{event\ list}, so we declare the constant 
68 
\isa{ns{\isacharunderscore}public} to be a set of such traces. 
69 

70 
Figure~\ref{fig:ns_public} presents the inductive definition. The 
71 
\isa{Nil} rule introduces the empty trace. The \isa{Fake} rule models the 
72 
adversary's sending a message built from components taken from past 
73 
traffic, expressed using the functions \isa{synth} and 
74 
\isa{analz}. 
75 
The next three rules model how honest agents would perform the three 
76 
protocol steps. 
77 

78 
Here is a detailed explanation of rule \isa{NS{\isadigit{2}}}. 
79 
A trace containing an event of the form 
80 
\begin{isabelle}% 
81 
\ \ \ \ \ Says\ A{\isacharprime}\ B\ {\isacharparenleft}Crypt\ {\isacharparenleft}pubK\ B{\isacharparenright}\ {\isasymlbrace}Nonce\ NA{\isacharcomma}\ Agent\ A{\isasymrbrace}{\isacharparenright}% 
82 
\end{isabelle} 
83 
may be extended by an event of the form 
84 
\begin{isabelle}% 
85 
\ \ \ \ \ Says\ B\ A\ {\isacharparenleft}Crypt\ {\isacharparenleft}pubK\ A{\isacharparenright}\ {\isasymlbrace}Nonce\ NA{\isacharcomma}\ Nonce\ NB{\isacharcomma}\ Agent\ B{\isasymrbrace}{\isacharparenright}% 
86 
\end{isabelle} 
35503  87 
where \isa{NB} is a fresh nonce: \isa{Nonce\ NB\ {\isasymnotin}\ used\ evs{\isadigit{2}}}. 
88 
Writing the sender as \isa{A{\isacharprime}} indicates that \isa{B} does not 
89 
know who sent the message. Calling the trace variable \isa{evs{\isadigit{2}}} rather 
90 
than simply \isa{evs} helps us know where we are in a proof after many 
91 
casesplits: every subgoal mentioning \isa{evs{\isadigit{2}}} involves message~2 of the 
92 
protocol. 
93 

94 
Benefits of this approach are simplicity and clarity. The semantic model 
95 
is set theory, proofs are by induction and the translation from the informal 
96 
notation to the inductive rules is straightforward.% 
97 
\end{isamarkuptext}% 
98 
\isamarkuptrue% 
99 
% 
100 
\isamarkupsection{Proving Elementary Properties \label{sec:regularity}% 
101 
} 
102 
\isamarkuptrue% 
103 
% 
104 
\isadelimproof 
105 
% 
106 
\endisadelimproof 
107 
% 
108 
\isatagproof 
109 
% 
110 
\endisatagproof 
111 
{\isafoldproof}% 
112 
% 
113 
\isadelimproof 
114 
% 
115 
\endisadelimproof 
116 
% 
117 
\begin{isamarkuptext}% 
118 
Secrecy properties can be hard to prove. The conclusion of a typical 
119 
secrecy theorem is 
120 
\isa{X\ {\isasymnotin}\ analz\ {\isacharparenleft}knows\ Spy\ evs{\isacharparenright}}. The difficulty arises from 
121 
having to reason about \isa{analz}, or less formally, showing that the spy 
122 
can never learn~\isa{X}. Much easier is to prove that \isa{X} can never 
123 
occur at all. Such \emph{regularity} properties are typically expressed 
124 
using \isa{parts} rather than \isa{analz}. 
125 

126 
The following lemma states that \isa{A}'s private key is potentially 
127 
known to the spy if and only if \isa{A} belongs to the set \isa{bad} of 
128 
compromised agents. The statement uses \isa{parts}: the very presence of 
129 
\isa{A}'s private key in a message, whether protected by encryption or 
130 
not, is enough to confirm that \isa{A} is compromised. The proof, like 
131 
nearly all protocol proofs, is by induction over traces.% 
132 
\end{isamarkuptext}% 
133 
\isamarkuptrue% 
134 
\isacommand{lemma}\isamarkupfalse% 
135 
\ Spy{\isacharunderscore}see{\isacharunderscore}priK\ {\isacharbrackleft}simp{\isacharbrackright}{\isacharcolon}\isanewline 
136 
\ \ \ \ \ \ {\isachardoublequoteopen}evs\ {\isasymin}\ ns{\isacharunderscore}public\isanewline 
137 
\ \ \ \ \ \ \ {\isasymLongrightarrow}\ {\isacharparenleft}Key\ {\isacharparenleft}priK\ A{\isacharparenright}\ {\isasymin}\ parts\ {\isacharparenleft}knows\ Spy\ evs{\isacharparenright}{\isacharparenright}\ {\isacharequal}\ {\isacharparenleft}A\ {\isasymin}\ bad{\isacharparenright}{\isachardoublequoteclose}\isanewline 
138 
% 
139 
\isadelimproof 
140 
% 
141 
\endisadelimproof 
142 
% 
143 
\isatagproof 
144 
\isacommand{apply}\isamarkupfalse% 
145 
\ {\isacharparenleft}erule\ ns{\isacharunderscore}public{\isachardot}induct{\isacharcomma}\ simp{\isacharunderscore}all{\isacharparenright}% 
146 
\begin{isamarkuptxt}% 
147 
The induction yields five subgoals, one for each rule in the definition of 
148 
\isa{ns{\isacharunderscore}public}. The idea is to prove that the protocol property holds initially 
149 
(rule \isa{Nil}), is preserved by each of the legitimate protocol steps (rules 
150 
\isa{NS{\isadigit{1}}}\isa{{\isadigit{3}}}), and even is preserved in the face of anything the 
151 
spy can do (rule \isa{Fake}). 
152 

ee98c2528a8f
The proof is trivial. No legitimate protocol rule sends any keys 
ee98c2528a8f
at all, so only \isa{Fake} is relevant. Indeed, simplification leaves 
ee98c2528a8f
only the \isa{Fake} case, as indicated by the variable name \isa{evsf}: 
ee98c2528a8f
\begin{isabelle}% 
ee98c2528a8f
\ {\isadigit{1}}{\isachardot}\ {\isasymAnd}evsf\ X{\isachardot}\isanewline 
ee98c2528a8f
\isaindent{\ {\isadigit{1}}{\isachardot}\ \ \ \ }{\isasymlbrakk}evsf\ {\isasymin}\ ns{\isacharunderscore}public{\isacharsemicolon}\isanewline 
ee98c2528a8f
\isaindent{\ {\isadigit{1}}{\isachardot}\ \ \ \ \ }{\isacharparenleft}Key\ {\isacharparenleft}priK\ A{\isacharparenright}\ {\isasymin}\ parts\ {\isacharparenleft}knows\ Spy\ evsf{\isacharparenright}{\isacharparenright}\ {\isacharequal}\ {\isacharparenleft}A\ {\isasymin}\ bad{\isacharparenright}{\isacharsemicolon}\isanewline 
ee98c2528a8f
\isaindent{\ {\isadigit{1}}{\isachardot}\ \ \ \ \ }X\ {\isasymin}\ synth\ {\isacharparenleft}analz\ {\isacharparenleft}knows\ Spy\ evsf{\isacharparenright}{\isacharparenright}{\isasymrbrakk}\isanewline 
ee98c2528a8f
\isaindent{\ {\isadigit{1}}{\isachardot}\ \ \ \ }{\isasymLongrightarrow}\ {\isacharparenleft}Key\ {\isacharparenleft}priK\ A{\isacharparenright}\ {\isasymin}\ parts\ {\isacharparenleft}insert\ X\ {\isacharparenleft}knows\ Spy\ evsf{\isacharparenright}{\isacharparenright}{\isacharparenright}\ {\isacharequal}\isanewline 
ee98c2528a8f
\isaindent{\ {\isadigit{1}}{\isachardot}\ \ \ \ {\isasymLongrightarrow}\ }{\isacharparenleft}A\ {\isasymin}\ bad{\isacharparenright}% 
ee98c2528a8f
\end{isabelle}% 
ee98c2528a8f
\end{isamarkuptxt}% 
ee98c2528a8f
\isamarkuptrue% 
ee98c2528a8f
\isacommand{by}\isamarkupfalse% 
ee98c2528a8f
\ blast% 
ee98c2528a8f
\endisatagproof 
ee98c2528a8f
{\isafoldproof}% 
ee98c2528a8f
% 
ee98c2528a8f
\isadelimproof 
ee98c2528a8f
% 
ee98c2528a8f
\endisadelimproof 
ee98c2528a8f
% 
ee98c2528a8f
\isadelimproof 
ee98c2528a8f
% 
ee98c2528a8f
\endisadelimproof 
ee98c2528a8f
% 
ee98c2528a8f
\isatagproof 
ee98c2528a8f
% 
ee98c2528a8f
\endisatagproof 
ee98c2528a8f
{\isafoldproof}% 
ee98c2528a8f
% 
ee98c2528a8f
\isadelimproof 
ee98c2528a8f
% 
ee98c2528a8f
\endisadelimproof 
ee98c2528a8f
% 
ee98c2528a8f
\begin{isamarkuptext}% 
ee98c2528a8f
The \isa{Fake} case is proved automatically. If 
ee98c2528a8f
\isa{priK\ A} is in the extended trace then either (1) it was already in the 
ee98c2528a8f
original trace or (2) it was 
ee98c2528a8f
generated by the spy, who must have known this key already. 
ee98c2528a8f
Either way, the induction hypothesis applies. 
ee98c2528a8f
ee98c2528a8f
LaTeX code is now generated directly from theory files.
ee98c2528a8f
LaTeX code is now generated directly from theory files.
ee98c2528a8f
LaTeX code is now generated directly from theory files.
ee98c2528a8f
LaTeX code is now generated directly from theory files.
ee98c2528a8f
LaTeX code is now generated directly from theory files.
ee98c2528a8f
LaTeX code is now generated directly from theory files.
ee98c2528a8f
LaTeX code is now generated directly from theory files.
ee98c2528a8f
LaTeX code is now generated directly from theory files.
ee98c2528a8f
LaTeX code is now generated directly from theory files.
ee98c2528a8f
LaTeX code is now generated directly from theory files.
ee98c2528a8f
LaTeX code is now generated directly from theory files.
ee98c2528a8f
LaTeX code is now generated directly from theory files.
ee98c2528a8f
LaTeX code is now generated directly from theory files.
ee98c2528a8f
LaTeX code is now generated directly from theory files.
ee98c2528a8f
LaTeX code is now generated directly from theory files.
ee98c2528a8f
LaTeX code is now generated directly from theory files.
ee98c2528a8f
LaTeX code is now generated directly from theory files.
ee98c2528a8f
LaTeX code is now generated directly from theory files.
ee98c2528a8f
LaTeX code is now generated directly from theory files.
ee98c2528a8f
LaTeX code is now generated directly from theory files.
ee98c2528a8f
LaTeX code is now generated directly from theory files.
ee98c2528a8f
LaTeX code is now generated directly from theory files.
ee98c2528a8f
LaTeX code is now generated directly from theory files.
ee98c2528a8f
LaTeX code is now generated directly from theory files.
ee98c2528a8f
LaTeX code is now generated directly from theory files.
ee98c2528a8f
LaTeX code is now generated directly from theory files.
ee98c2528a8f
LaTeX code is now generated directly from theory files.
ee98c2528a8f
LaTeX code is now generated directly from theory files.
ee98c2528a8f
LaTeX code is now generated directly from theory files.
ee98c2528a8f
LaTeX code is now generated directly from theory files.
ee98c2528a8f
LaTeX code is now generated directly from theory files.
ee98c2528a8f
LaTeX code is now generated directly from theory files.
ee98c2528a8f
LaTeX code is now generated directly from theory files.
ee98c2528a8f
LaTeX code is now generated directly from theory files.
ee98c2528a8f
LaTeX code is now generated directly from theory files.
ee98c2528a8f
LaTeX code is now generated directly from theory files.
ee98c2528a8f
LaTeX code is now generated directly from theory files.
ee98c2528a8f
LaTeX code is now generated directly from theory files.
ee98c2528a8f
LaTeX code is now generated directly from theory files.
ee98c2528a8f
LaTeX code is now generated directly from theory files.
ee98c2528a8f
LaTeX code is now generated directly from theory files.
ee98c2528a8f
LaTeX code is now generated directly from theory files.
ee98c2528a8f
LaTeX code is now generated directly from theory files.
ee98c2528a8f
LaTeX code is now generated directly from theory files.
ee98c2528a8f
LaTeX code is now generated directly from theory files.
ee98c2528a8f
LaTeX code is now generated directly from theory files.
ee98c2528a8f
LaTeX code is now generated directly from theory files.
ee98c2528a8f
LaTeX code is now generated directly from theory files.
ee98c2528a8f
LaTeX code is now generated directly from theory files.
ee98c2528a8f
LaTeX code is now generated directly from theory files.
ee98c2528a8f
LaTeX code is now generated directly from theory files.
ee98c2528a8f
LaTeX code is now generated directly from theory files.
ee98c2528a8f
LaTeX code is now generated directly from theory files.
ee98c2528a8f
LaTeX code is now generated directly from theory files.
ee98c2528a8f
LaTeX code is now generated directly from theory files.
ee98c2528a8f
LaTeX code is now generated directly from theory files.
ee98c2528a8f
LaTeX code is now generated directly from theory files.
ee98c2528a8f
LaTeX code is now generated directly from theory files.
ee98c2528a8f
LaTeX code is now generated directly from theory files.
ee98c2528a8f
LaTeX code is now generated directly from theory files.
ee98c2528a8f
LaTeX code is now generated directly from theory files.
ee98c2528a8f
LaTeX code is now generated directly from theory files.
ee98c2528a8f
LaTeX code is now generated directly from theory files.
ee98c2528a8f
LaTeX code is now generated directly from theory files.
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
diff
changeset

259 
} 
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
diff
changeset

260 
\isamarkuptrue% 
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
diff
changeset

261 
% 
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
diff
changeset

262 
\isadelimproof 
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
diff
changeset

263 
% 
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
diff
changeset

264 
\endisadelimproof 
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
diff
changeset

265 
% 
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
diff
changeset

266 
\isatagproof 
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
diff
changeset

267 
% 
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
diff
changeset

268 
\endisatagproof 
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
diff
changeset

269 
{\isafoldproof}% 
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
diff
changeset

270 
% 
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
diff
changeset

271 
\isadelimproof 
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
diff
changeset

272 
% 
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
diff
changeset

273 
\endisadelimproof 
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
diff
changeset

274 
% 
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
diff
changeset

275 
\isadelimproof 
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
diff
changeset

276 
% 
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
diff
changeset

277 
\endisadelimproof 
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
diff
changeset

278 
% 
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
diff
changeset

279 
\isatagproof 
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
diff
changeset

280 
% 
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
diff
changeset

281 
\endisatagproof 
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
diff
changeset

282 
{\isafoldproof}% 
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
diff
changeset

283 
% 
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
diff
changeset

284 
\isadelimproof 
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
diff
changeset

285 
% 
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
diff
changeset

286 
\endisadelimproof 
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
diff
changeset

287 
% 
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
diff
changeset

288 
\isadelimproof 
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
diff
changeset

289 
% 
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
diff
changeset

290 
\endisadelimproof 
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
diff
changeset

291 
% 
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
diff
changeset

292 
\isatagproof 
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
diff
changeset

293 
% 
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
diff
changeset

294 
\endisatagproof 
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
diff
changeset

295 
{\isafoldproof}% 
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
diff
changeset

296 
% 
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
diff
changeset

297 
\isadelimproof 
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
diff
changeset

298 
% 
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
diff
changeset

299 
\endisadelimproof 
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
diff
changeset

300 
% 
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
diff
changeset

301 
\isadelimproof 
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
diff
changeset

302 
% 
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
diff
changeset

303 
\endisadelimproof 
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
diff
changeset

304 
% 
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
diff
changeset

305 
\isatagproof 
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
diff
changeset

306 
% 
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
diff
changeset

307 
\endisatagproof 
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
diff
changeset

308 
{\isafoldproof}% 
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
diff
changeset

309 
% 
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
diff
changeset

310 
\isadelimproof 
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
diff
changeset

311 
% 
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
diff
changeset

312 
\endisadelimproof 
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
diff
changeset

313 
% 
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
diff
changeset

314 
\isadelimproof 
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
diff
changeset

315 
% 
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
diff
changeset

316 
\endisadelimproof 
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
diff
changeset

317 
% 
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
diff
changeset

318 
\isatagproof 
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
diff
changeset

319 
% 
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
diff
changeset

320 
\endisatagproof 
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
diff
changeset

321 
{\isafoldproof}% 
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
diff
changeset

322 
% 
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
diff
changeset

323 
\isadelimproof 
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
diff
changeset

324 
% 
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
diff
changeset

325 
\endisadelimproof 
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
diff
changeset

326 
% 
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
diff
changeset

327 
\begin{isamarkuptext}% 
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
diff
changeset

328 
The secrecy theorems for Bob (the second participant) are especially 
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
diff
changeset

329 
important because they fail for the original protocol. The following 
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
diff
changeset

330 
theorem states that if Bob sends message~2 to Alice, and both agents are 
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
diff
changeset

331 
uncompromised, then Bob's nonce will never reach the spy.% 
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
diff
changeset

332 
\end{isamarkuptext}% 
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
diff
changeset

333 
\isamarkuptrue% 
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
diff
changeset

334 
\isacommand{theorem}\isamarkupfalse% 
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
diff
changeset

335 
\ Spy{\isacharunderscore}not{\isacharunderscore}see{\isacharunderscore}NB\ {\isacharbrackleft}dest{\isacharbrackright}{\isacharcolon}\isanewline 
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
diff
changeset

336 
\ {\isachardoublequoteopen}{\isasymlbrakk}Says\ B\ A\ {\isacharparenleft}Crypt\ {\isacharparenleft}pubK\ A{\isacharparenright}\ {\isasymlbrace}Nonce\ NA{\isacharcomma}\ Nonce\ NB{\isacharcomma}\ Agent\ B{\isasymrbrace}{\isacharparenright}\ {\isasymin}\ set\ evs{\isacharsemicolon}\isanewline 
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
diff
changeset

337 
\ \ \ A\ {\isasymnotin}\ bad{\isacharsemicolon}\ \ B\ {\isasymnotin}\ bad{\isacharsemicolon}\ \ evs\ {\isasymin}\ ns{\isacharunderscore}public{\isasymrbrakk}\isanewline 
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
diff
changeset

338 
\ \ {\isasymLongrightarrow}\ Nonce\ NB\ {\isasymnotin}\ analz\ {\isacharparenleft}knows\ Spy\ evs{\isacharparenright}{\isachardoublequoteclose}% 
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
diff
changeset

339 
\isadelimproof 
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
diff
changeset

340 
% 
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
diff
changeset

341 
\endisadelimproof 
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
diff
changeset

342 
% 
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
diff
changeset

343 
\isatagproof 
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
diff
changeset

344 
% 
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
diff
changeset

345 
\begin{isamarkuptxt}% 
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
diff
changeset

346 
To prove it, we must formulate the induction properly (one of the 
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
diff
changeset

347 
assumptions mentions~\isa{evs}), apply induction, and simplify:% 
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
diff
changeset

348 
\end{isamarkuptxt}% 
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
diff
changeset

349 
\isamarkuptrue% 
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
diff
changeset

350 
\isacommand{apply}\isamarkupfalse% 
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
diff
changeset

351 
\ {\isacharparenleft}erule\ rev{\isacharunderscore}mp{\isacharcomma}\ erule\ ns{\isacharunderscore}public{\isachardot}induct{\isacharcomma}\ simp{\isacharunderscore}all{\isacharparenright}% 
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
diff
changeset

352 
\begin{isamarkuptxt}% 
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
diff
changeset

353 
The proof states are too complicated to present in full. 
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
diff
changeset

354 
Let's examine the simplest subgoal, that for message~1. The following 
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
diff
changeset

355 
event has just occurred: 
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
diff
changeset

356 
\[ 1.\quad A'\to B' : \comp{Na',A'}\sb{Kb'} \] 
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
diff
changeset

357 
The variables above have been primed because this step 
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
diff
changeset

358 
belongs to a different run from that referred to in the theorem 
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
diff
changeset

359 
statement  the theorem 
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
diff
changeset

360 
refers to a past instance of message~2, while this subgoal 
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
diff
changeset

361 
concerns message~1 being sent just now. 
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
diff
changeset

362 
In the Isabelle subgoal, instead of primed variables like $B'$ and $Na'$ 
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
diff
changeset

363 
we have \isa{Ba} and~\isa{NAa}: 
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
diff
changeset

364 
\begin{isabelle}% 
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
diff
changeset

365 
\ {\isadigit{1}}{\isachardot}\ {\isasymAnd}evs{\isadigit{1}}\ NAa\ Ba{\isachardot}\isanewline 
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
diff
changeset

366 
\isaindent{\ {\isadigit{1}}{\isachardot}\ \ \ \ }{\isasymlbrakk}A\ {\isasymnotin}\ bad{\isacharsemicolon}\ B\ {\isasymnotin}\ bad{\isacharsemicolon}\ evs{\isadigit{1}}\ {\isasymin}\ ns{\isacharunderscore}public{\isacharsemicolon}\isanewline 
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
diff
changeset

367 
\isaindent{\ {\isadigit{1}}{\isachardot}\ \ \ \ \ }Says\ B\ A\ {\isacharparenleft}Crypt\ {\isacharparenleft}pubK\ A{\isacharparenright}\ {\isasymlbrace}Nonce\ NA{\isacharcomma}\ Nonce\ NB{\isacharcomma}\ Agent\ B{\isasymrbrace}{\isacharparenright}\isanewline 
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
diff
changeset

368 
\isaindent{\ {\isadigit{1}}{\isachardot}\ \ \ \ \ }{\isasymin}\ set\ evs{\isadigit{1}}\ {\isasymlongrightarrow}\isanewline 
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
diff
changeset

369 
\isaindent{\ {\isadigit{1}}{\isachardot}\ \ \ \ \ }Nonce\ NB\ {\isasymnotin}\ analz\ {\isacharparenleft}knows\ Spy\ evs{\isadigit{1}}{\isacharparenright}{\isacharsemicolon}\isanewline 
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
diff
changeset

370 
\isaindent{\ {\isadigit{1}}{\isachardot}\ \ \ \ \ }Nonce\ NAa\ {\isasymnotin}\ used\ evs{\isadigit{1}}{\isasymrbrakk}\isanewline 
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
diff
changeset

371 
\isaindent{\ {\isadigit{1}}{\isachardot}\ \ \ \ }{\isasymLongrightarrow}\ Ba\ {\isasymin}\ bad\ {\isasymlongrightarrow}\isanewline 
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
diff
changeset

372 
\isaindent{\ {\isadigit{1}}{\isachardot}\ \ \ \ {\isasymLongrightarrow}\ }Says\ B\ A\ {\isacharparenleft}Crypt\ {\isacharparenleft}pubK\ A{\isacharparenright}\ {\isasymlbrace}Nonce\ NA{\isacharcomma}\ Nonce\ NB{\isacharcomma}\ Agent\ B{\isasymrbrace}{\isacharparenright}\isanewline 
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
diff
changeset

373 
\isaindent{\ {\isadigit{1}}{\isachardot}\ \ \ \ {\isasymLongrightarrow}\ }{\isasymin}\ set\ evs{\isadigit{1}}\ {\isasymlongrightarrow}\isanewline 
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
diff
changeset

374 
\isaindent{\ {\isadigit{1}}{\isachardot}\ \ \ \ {\isasymLongrightarrow}\ }NB\ {\isasymnoteq}\ NAa% 
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
diff
changeset

375 
\end{isabelle} 
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
diff
changeset

376 
The simplifier has used a 
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
diff
changeset

377 
default simplification rule that does a case 
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
diff
changeset

378 
analysis for each encrypted message on whether or not the decryption key 
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
diff
changeset

379 
is compromised. 
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
diff
changeset

380 
\begin{isabelle}% 
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
diff
changeset

381 
analz\ {\isacharparenleft}insert\ {\isacharparenleft}Crypt\ K\ X{\isacharparenright}\ H{\isacharparenright}\ {\isacharequal}\isanewline 
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
diff
changeset

382 
{\isacharparenleft}if\ Key\ {\isacharparenleft}invKey\ K{\isacharparenright}\ {\isasymin}\ analz\ H\isanewline 
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
diff
changeset

383 
\isaindent{{\isacharparenleft}}then\ insert\ {\isacharparenleft}Crypt\ K\ X{\isacharparenright}\ {\isacharparenleft}analz\ {\isacharparenleft}insert\ X\ H{\isacharparenright}{\isacharparenright}\isanewline 
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
diff
changeset

384 
\isaindent{{\isacharparenleft}}else\ insert\ {\isacharparenleft}Crypt\ K\ X{\isacharparenright}\ {\isacharparenleft}analz\ H{\isacharparenright}{\isacharparenright}\rulename{analz{\isacharunderscore}Crypt{\isacharunderscore}if}% 
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
diff
changeset

385 
\end{isabelle} 
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
diff
changeset

386 
The simplifier has also used \isa{Spy{\isacharunderscore}see{\isacharunderscore}priK}, proved in 
27094  387 
{\S}\ref{sec:regularity} above, to yield \isa{Ba\ {\isasymin}\ bad}. 
23925
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
diff
changeset

388 

ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
diff
changeset

389 
Recall that this subgoal concerns the case 
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
diff
changeset

390 
where the last message to be sent was 
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
diff
changeset

391 
\[ 1.\quad A'\to B' : \comp{Na',A'}\sb{Kb'}. \] 
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
diff
changeset

392 
This message can compromise $Nb$ only if $Nb=Na'$ and $B'$ is compromised, 
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
diff
changeset

393 
allowing the spy to decrypt the message. The Isabelle subgoal says 
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
diff
changeset

394 
precisely this, if we allow for its choice of variable names. 
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
diff
changeset

395 
Proving \isa{NB\ {\isasymnoteq}\ NAa} is easy: \isa{NB} was 
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
diff
changeset

396 
sent earlier, while \isa{NAa} is fresh; formally, we have 
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
diff
changeset

397 
the assumption \isa{Nonce\ NAa\ {\isasymnotin}\ used\ evs{\isadigit{1}}}. 
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
diff
changeset

398 

ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
diff
changeset

399 
Note that our reasoning concerned \isa{B}'s participation in another 
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
diff
changeset

400 
run. Agents may engage in several runs concurrently, and some attacks work 
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
diff
changeset

401 
by interleaving the messages of two runs. With model checking, this 
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
diff
changeset

402 
possibility can cause a statespace explosion, and for us it 
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
diff
changeset

403 
certainly complicates proofs. The biggest subgoal concerns message~2. It 
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
diff
changeset

404 
splits into several cases, such as whether or not the message just sent is 
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
diff
changeset

405 
the very message mentioned in the theorem statement. 
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
diff
changeset

406 
Some of the cases are proved by unicity, others by 
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
diff
changeset

407 
the induction hypothesis. For all those complications, the proofs are 
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
diff
changeset

408 
automatic by \isa{blast} with the theorem \isa{no{\isacharunderscore}nonce{\isacharunderscore}NS{\isadigit{1}}{\isacharunderscore}NS{\isadigit{2}}}. 
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
diff
changeset

409 

ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
diff
changeset

410 
The remaining theorems about the protocol are not hard to prove. The 
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
diff
changeset

411 
following one asserts a form of \emph{authenticity}: if 
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
diff
changeset

412 
\isa{B} has sent an instance of message~2 to~\isa{A} and has received the 
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
diff
changeset

413 
expected reply, then that reply really originated with~\isa{A}. The 
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
diff
changeset

414 
proof is a simple induction.% 
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
diff
changeset

415 
\end{isamarkuptxt}% 
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
diff
changeset

416 
\isamarkuptrue% 
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
diff
changeset

417 
% 
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
diff
changeset

418 
\endisatagproof 
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
diff
changeset

419 
{\isafoldproof}% 
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
diff
changeset

420 
% 
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
diff
changeset

421 
\isadelimproof 
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
diff
changeset

422 
% 
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
diff
changeset

423 
\endisadelimproof 
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
diff
changeset

424 
% 
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
diff
changeset

425 
\isadelimproof 
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
diff
changeset

426 
% 
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
diff
changeset

427 
\endisadelimproof 
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
diff
changeset

428 
% 
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
diff
changeset

429 
\isatagproof 
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
diff
changeset

430 
% 
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
diff
changeset

431 
\endisatagproof 
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
diff
changeset

432 
{\isafoldproof}% 
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
diff
changeset

433 
% 
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
diff
changeset

434 
\isadelimproof 
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
diff
changeset

435 
% 
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
diff
changeset

436 
\endisadelimproof 
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
diff
changeset

437 
\isacommand{theorem}\isamarkupfalse% 
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
diff
changeset

438 
\ B{\isacharunderscore}trusts{\isacharunderscore}NS{\isadigit{3}}{\isacharcolon}\isanewline 
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
diff
changeset

439 
\ {\isachardoublequoteopen}{\isasymlbrakk}Says\ B\ A\ \ {\isacharparenleft}Crypt\ {\isacharparenleft}pubK\ A{\isacharparenright}\ {\isasymlbrace}Nonce\ NA{\isacharcomma}\ Nonce\ NB{\isacharcomma}\ Agent\ B{\isasymrbrace}{\isacharparenright}\ {\isasymin}\ set\ evs{\isacharsemicolon}\isanewline 
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
diff
changeset

440 
\ \ \ Says\ A{\isacharprime}\ B\ {\isacharparenleft}Crypt\ {\isacharparenleft}pubK\ B{\isacharparenright}\ {\isacharparenleft}Nonce\ NB{\isacharparenright}{\isacharparenright}\ {\isasymin}\ set\ evs{\isacharsemicolon}\isanewline 
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
diff
changeset

441 
\ \ \ A\ {\isasymnotin}\ bad{\isacharsemicolon}\ \ B\ {\isasymnotin}\ bad{\isacharsemicolon}\ \ evs\ {\isasymin}\ ns{\isacharunderscore}public{\isasymrbrakk}\isanewline 
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
diff
changeset

442 
\ \ {\isasymLongrightarrow}\ Says\ A\ B\ {\isacharparenleft}Crypt\ {\isacharparenleft}pubK\ B{\isacharparenright}\ {\isacharparenleft}Nonce\ NB{\isacharparenright}{\isacharparenright}\ {\isasymin}\ set\ evs{\isachardoublequoteclose}% 
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
diff
changeset

443 
\isadelimproof 
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
diff
changeset

444 
% 
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
diff
changeset

445 
\endisadelimproof 
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
diff
changeset

446 
% 
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
diff
changeset

447 
\isatagproof 
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
diff
changeset

448 
% 
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
diff
changeset

449 
\endisatagproof 
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
diff
changeset

450 
{\isafoldproof}% 
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
diff
changeset

451 
% 
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
diff
changeset

452 
\isadelimproof 
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
diff
changeset

453 
% 
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
diff
changeset

454 
\endisadelimproof 
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
diff
changeset

455 
% 
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
diff
changeset

456 
\isadelimproof 
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
diff
changeset

457 
% 
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
diff
changeset

458 
\endisadelimproof 
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
diff
changeset

459 
% 
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
diff
changeset

460 
\isatagproof 
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
diff
changeset

461 
% 
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
diff
changeset

462 
\endisatagproof 
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
diff
changeset

463 
{\isafoldproof}% 
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
diff
changeset

464 
% 
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
diff
changeset

465 
\isadelimproof 
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
diff
changeset

466 
% 
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
diff
changeset

467 
\endisadelimproof 
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
diff
changeset

468 
% 
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
diff
changeset

469 
\begin{isamarkuptext}% 
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
diff
changeset

470 
From similar assumptions, we can prove that \isa{A} started the protocol 
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
diff
changeset

471 
run by sending an instance of message~1 involving the nonce~\isa{NA}\@. 
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
diff
changeset

472 
For this theorem, the conclusion is 
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
diff
changeset

473 
\begin{isabelle}% 
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
diff
changeset

474 
Says\ A\ B\ {\isacharparenleft}Crypt\ {\isacharparenleft}pubK\ B{\isacharparenright}\ {\isasymlbrace}Nonce\ NA{\isacharcomma}\ Agent\ A{\isasymrbrace}{\isacharparenright}\ {\isasymin}\ set\ evs% 
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
diff
changeset

475 
\end{isabelle} 
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
diff
changeset

476 
Analogous theorems can be proved for~\isa{A}, stating that nonce~\isa{NA} 
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
diff
changeset

477 
remains secret and that message~2 really originates with~\isa{B}. Even the 
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
diff
changeset

478 
flawed protocol establishes these properties for~\isa{A}; 
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
diff
changeset

479 
the flaw only harms the second participant. 
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
diff
changeset

480 

ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
diff
changeset

481 
\medskip 
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
diff
changeset

482 

ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
diff
changeset

483 
Detailed information on this protocol verification technique can be found 
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
diff
changeset

484 
elsewhere~\cite{paulsonjcs}, including proofs of an Internet 
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
diff
changeset

485 
protocol~\cite{paulsontls}. We must stress that the protocol discussed 
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
diff
changeset

486 
in this chapter is trivial. There are only three messages; no keys are 
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
diff
changeset

487 
exchanged; we merely have to prove that encrypted data remains secret. 
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
diff
changeset

488 
Real world protocols are much longer and distribute many secrets to their 
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
diff
changeset

489 
participants. To be realistic, the model has to include the possibility 
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
diff
changeset

490 
of keys being lost dynamically due to carelessness. If those keys have 
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
diff
changeset

491 
been used to encrypt other sensitive information, there may be cascading 
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
diff
changeset

492 
losses. We may still be able to establish a bound on the losses and to 
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
diff
changeset

493 
prove that other protocol runs function 
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
diff
changeset

494 
correctly~\cite{paulsonyahalom}. Proofs of realworld protocols follow 
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
diff
changeset

495 
the strategy illustrated above, but the subgoals can 
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
diff
changeset

496 
be much bigger and there are more of them. 
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
diff
changeset

497 
\index{protocols!security)}% 
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
diff
changeset

498 
\end{isamarkuptext}% 
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
diff
changeset

499 
\isamarkuptrue% 
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
diff
changeset

500 
% 
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
diff
changeset

501 
\isadelimtheory 
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
diff
changeset

502 
% 
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
diff
changeset

503 
\endisadelimtheory 
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
diff
changeset

504 
% 
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
diff
changeset

505 
\isatagtheory 
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
diff
changeset

506 
% 
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
diff
changeset

507 
\endisatagtheory 
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
diff
changeset

508 
{\isafoldtheory}% 
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
diff
changeset

509 
% 
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
diff
changeset

510 
\isadelimtheory 
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
diff
changeset

511 
% 
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
diff
changeset

512 
\endisadelimtheory 
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
diff
changeset

513 
\end{isabellebody}% 
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
diff
changeset

514 
%%% Local Variables: 
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
diff
changeset

515 
%%% mode: latex 
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
diff
changeset

516 
%%% TeXmaster: "root" 
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
diff
changeset

517 
%%% End: 