(* Title: HOL/Auth/Recur 
ID: $Id$ 

Author: Lawrence C Paulson, Cambridge University Computer Laboratory 

Copyright 1996 University of Cambridge 

Inductive relation "recur" for the Recursive Authentication protocol. 

*) 

open Recur; 

proof_timing:=true; 

HOL_quantifiers := false; 

Pretty.setdepth 25; 

(** Possibility properties: traces that reach the end 

ONE theorem would be more elegant and faster! 

By induction on a list of agents (no repetitions) 

**) 

(*Simplest case: Alice goes directly to the server*) 

goal thy 

"!!A. A ~= Server \ 

\ ==> EX K NA. EX evs: recur lost. \ 

\ Says Server A {Agent A, \ 

\ Crypt (shrK A) {Key K, Agent Server, Nonce NA}, \ 

\ Agent Server} \ 

\ : set_of_list evs"; 

by (REPEAT (resolve_tac [exI,bexI] 1)); 

by (rtac (recur.Nil RS recur.RA1 RS 
(respond.One RSN (4,recur.RA3))) 2); 
by (ALLGOALS (simp_tac (!simpset setsolver safe_solver))); 
by (REPEAT_FIRST (eq_assume_tac ORELSE' resolve_tac [refl, conjI])); 

result(); 

(*Case two: Alice, Bob and the server*) 

goal thy 

"!!A B. [ A ~= B; A ~= Server; B ~= Server ] \ 

\ ==> EX K. EX NA. EX evs: recur lost. \ 

\ Says B A {Agent A, Crypt (shrK A) {Key K, Agent B, Nonce NA}, \ 

\ Agent Server} \ 

\ : set_of_list evs"; 

by (REPEAT (resolve_tac [exI,bexI] 1)); 

by (rtac (recur.Nil RS recur.RA1 RS recur.RA2 RS 
(respond.One RS respond.Cons RSN (4,recur.RA3)) RS 
recur.RA4) 2); 
by (REPEAT 
(REPEAT_FIRST (eq_assume_tac ORELSE' resolve_tac [refl, conjI]) 

THEN 

ALLGOALS (asm_simp_tac (!simpset setsolver safe_solver)))); 

result(); 

54 

(*Case three: Alice, Bob, Charlie and the server*) 

goal thy 

"!!A B. [ A ~= B; A ~= Server; B ~= Server ] \ 

\ ==> EX K. EX NA. EX evs: recur lost. \ 

\ Says B A {Agent A, Crypt (shrK A) {Key K, Agent B, Nonce NA}, \ 

\ Agent Server} \ 

\ : set_of_list evs"; 

by (REPEAT (resolve_tac [exI,bexI] 1)); 

by (rtac (recur.Nil RS recur.RA1 RS recur.RA2 RS recur.RA2 RS 
(respond.One RS respond.Cons RS respond.Cons RSN 
(4,recur.RA3)) RS recur.RA4 RS recur.RA4) 2); 
by (REPEAT (*SLOW: 37 seconds*) 
(REPEAT_FIRST (eq_assume_tac ORELSE' resolve_tac [refl, conjI]) 

THEN 

ALLGOALS (asm_simp_tac (!simpset setsolver safe_solver)))); 

by (ALLGOALS 

(SELECT_GOAL (DEPTH_SOLVE 

(swap_res_tac [refl, conjI, disjI1, disjI2] 1 APPEND 

etac not_sym 1)))); 

result(); 

(**** Inductive proofs about recur ****) 

(*Monotonicity*) 

goal thy "!!evs. lost' <= lost ==> recur lost' <= recur lost"; 

by (rtac subsetI 1); 

by (etac recur.induct 1); 

by (REPEAT_FIRST 

(best_tac (!claset addIs (impOfSubs (sees_mono RS analz_mono RS synth_mono) 

:: recur.intrs)))); 

qed "recur_mono"; 

(*Nobody sends themselves messages*) 

goal thy "!!evs. evs : recur lost ==> ALL A X. Says A A X ~: set_of_list evs"; 

by (etac recur.induct 1); 

by (Auto_tac()); 

qed_spec_mp "not_Says_to_self"; 

Addsimps [not_Says_to_self]; 

AddSEs [not_Says_to_self RSN (2, rev_notE)]; 

(*Simple inductive reasoning about responses*) 

goal thy "!!j. (j,PA,RB) : respond i ==> RB : responses i"; 

by (etac respond.induct 1); 

by (REPEAT (ares_tac responses.intrs 1)); 

qed "respond_imp_responses"; 

(** For reasoning about the encrypted portion of messages **) 

val RA2_analz_sees_Spy = Says_imp_sees_Spy RS analz.Inj > standard; 
goal thy "!!evs. Says C' B {Agent B, X, Agent B, X', RA} : set_of_list evs \ 

\ ==> RA : analz (sees lost Spy evs)"; 

by (fast_tac (!claset addSDs [Says_imp_sees_Spy RS analz.Inj]) 1); 

qed "RA4_analz_sees_Spy"; 
(*RA2_analz... and RA4_analz... let us treat those cases using the same 
argument as for the Fake case. This is possible for most, but not all, 
proofs: Fake does not invent new nonces (as in RA2), and of course Fake 
messages originate from the Spy. *) 
bind_thm ("RA2_parts_sees_Spy", 
RA2_analz_sees_Spy RS (impOfSubs analz_subset_parts)); 
bind_thm ("RA4_parts_sees_Spy", 
RA4_analz_sees_Spy RS (impOfSubs analz_subset_parts)); 
124 
125 
126 
127 
in tac RA2_parts_sees_Spy 4 THEN 
forward_tac [respond_imp_responses] 5 THEN 
tac RA4_parts_sees_Spy 6 
end; 
133 
134 
135 
136 
137 
138 
139 
140 
141 
142 
144 
145 
146 

148 
149 

151 
152 
153 
154 
155 
156 
157 

goal thy 

"!!evs. evs : recur lost \ 

\ ==> (Key (shrK A) : parts (sees lost Spy evs)) = (A : lost)"; 

by (parts_induct_tac 1); 

(*RA2*) 
by (best_tac (!claset addSEs partsEs addSDs [parts_cut] 
addss (!simpset)) 1); 

(*RA3*) 
by (fast_tac (!claset addDs [Key_in_parts_respond] 
addss (!simpset addsimps [parts_insert_sees])) 1); 

qed "Spy_see_shrK"; 

Addsimps [Spy_see_shrK]; 

"!!evs. evs : recur lost \ 

\ ==> (Key (shrK A) : analz (sees lost Spy evs)) = (A : lost)"; 

175 
176 
177 

goal thy "!!A. [ Key (shrK A) : parts (sees lost Spy evs); \ 

by (fast_tac (!claset addDs [Spy_see_shrK]) 1); 

qed "Spy_see_shrK_D"; 

183 
184 
185 

188 

(*Nobody can have SEEN keys that will be generated in the future. *) 

goal thy "!!evs. evs : recur lost ==> \ 

\ length evs <= i > \ 

\ Key (newK2(i,j)) ~: parts (sees lost Spy evs)"; 

by (parts_induct_tac 1); 

(*RA2*) 
by (best_tac (!claset addSEs partsEs 
198 
199 
200 
201 
203 
2451
Extensive tidying and simplification, largely stemming from
parents:
diff
204 
2449  205 
2451
Extensive tidying and simplification, largely stemming from
parents:
diff
206 
2449  207 
addss (!simpset)) 1)); 

qed_spec_mp "new_keys_not_seen"; 

Addsimps [new_keys_not_seen]; 

213 
214 
215 
216 
217 
218 
by (dtac leI 1); 

by (fast_tac (!claset addSDs [new_keys_not_seen, Says_imp_sees_Spy] 

addIs [impOfSubs parts_mono]) 1); 

qed "Says_imp_old_keys"; 

224 

(*** Future nonces can't be seen or used! ***) 

227 
228 
229 
230 
231 
232 
goal thy "!!i. evs : recur lost ==> \ 

\ length evs <= i > Nonce(newN i) ~: parts (sees lost Spy evs)"; 

by (parts_induct_tac 1); 

(*For RA3*) 
by (asm_simp_tac (!simpset addsimps [parts_insert_sees]) 4); 
by (deepen_tac (!claset addSDs [Says_imp_sees_Spy RS parts.Inj] 

addDs [Nonce_in_parts_respond, parts_cut, Suc_leD] 

addss (!simpset)) 0 4); 

(*Fake*) 

by (fast_tac (!claset addDs [impOfSubs analz_subset_parts, 

impOfSubs parts_insert_subset_Un, 

Suc_leD] 

addss (!simpset)) 1); 

ce85a2aafc7a
paulson
changeset

(*RA1, RA2, RA4*) 
by (REPEAT_FIRST (fast_tac (!claset 
addSEs partsEs 

addEs [leD RS notE] 

qed_spec_mp "new_nonces_not_seen"; 

Addsimps [new_nonces_not_seen]; 

257 
258 
259 
260 
261 
262 
263 
264 
266 
267 

269 
goal thy 

"!!evs. (j,PB,RB) : respond i \ 

\ ==> K : keysFor (parts {RB}) > (EX A. K = shrK A)"; 

be (respond_imp_responses RS responses.induct) 1; 

by (Auto_tac()); 

qed_spec_mp "Key_in_keysFor_parts_respond"; 

278 

goal thy "!!i. evs : recur lost ==> \ 

\ length evs <= i > newK2(i,j) ~: keysFor (parts (sees lost Spy evs))"; 

by (parts_induct_tac 1); 

(*RA3*) 
by (fast_tac (!claset addDs [Key_in_keysFor_parts_respond, Suc_leD] 
2451
Extensive tidying and simplification, largely stemming from
parents:
diff
285 
2449  286 
addDs [Suc_leD] addss (!simpset)) 3); 

ce85a2aafc7a
paulson
2449
changeset

(*Fake, RA1, RA4*) 
by (REPEAT 
290 
(best_tac 

291 
(!claset addDs [impOfSubs (analz_subset_parts RS keysFor_mono), 

292 
impOfSubs (parts_insert_subset_Un RS keysFor_mono), 

293 
Suc_leD] 

294 
addEs [new_keys_not_seen RS not_parts_not_analz RSN(2,rev_notE)] 

295 
addss (!simpset)) 1)); 

296 
qed_spec_mp "new_keys_not_used"; 

297 

298 

299 
bind_thm ("new_keys_not_analzd", 

300 
[analz_subset_parts RS keysFor_mono, 

301 
new_keys_not_used] MRS contra_subsetD); 

302 

303 
Addsimps [new_keys_not_used, new_keys_not_analzd]; 

304 

305 

306 

307 
(*** Proofs involving analz ***) 

308 

309 
(*For proofs involving analz. We again instantiate the variable to "lost".*) 

dres_inst_tac [("lost","lost")] RA2_analz_sees_Spy 4 THEN 
forward_tac [respond_imp_responses] 5 THEN 
dres_inst_tac [("lost","lost")] RA4_analz_sees_Spy 6; 
(** Session keys are not used to encrypt other session keys **) 

2451
(*Version for "responses" relation. Handles case RA3 in the theorem below. 
Note that it holds for *any* set H (not just "sees lost Spy evs") 
satisfying the inductive hypothesis.*) 

goal thy 

"!!evs. [ RB : responses i; \ 

\ ALL K I. (Key K : analz (Key``(newK``I) Un H)) = \ 

\ (K : newK``I  Key K : analz H) ] \ 

\ ==> ALL K I. (Key K : analz (insert RB (Key``(newK``I) Un H))) = \ 

\ (K : newK``I  Key K : analz (insert RB H))"; 

be responses.induct 1; 

by (ALLGOALS 

(asm_simp_tac 

(!simpset addsimps [insert_Key_singleton, insert_Key_image, 

Un_assoc RS sym, pushKey_newK] 

setloop split_tac [expand_if]))); 

by (fast_tac (!claset addIs [image_eqI] addss (!simpset)) 1); 

qed "resp_analz_image_newK_lemma"; 

(*Version for the protocol. Proof is almost trivial, thanks to the lemma.*) 

goal thy 

"!!evs. evs : recur lost ==> \ 

\ ALL K I. (Key K : analz (Key``(newK``I) Un (sees lost Spy evs))) = \ 

\ (K : newK``I  Key K : analz (sees lost Spy evs))"; 

by (etac recur.induct 1); 

by analz_Fake_tac; 

be ssubst 4; (*RA2: DELETE needless definition of PA!*) 
by (REPEAT_FIRST (ares_tac [allI, analz_image_newK_lemma])); 
by (ALLGOALS (asm_simp_tac (!simpset addsimps [resp_analz_image_newK_lemma]))); 

(*Base*) 

by (fast_tac (!claset addIs [image_eqI] addss (!simpset)) 1); 

(*RA4, RA2, Fake*) 
by (REPEAT (spy_analz_tac 1)); 
val raw_analz_image_newK = result(); 

qed_spec_mp "analz_image_newK"; 

354 
355 
356 
357 
358 
359 
360 
361 
goal thy 

"!!evs. evs : recur lost ==> \ 

\ Key K : analz (insert (Key (newK x)) (sees lost Spy evs)) = \ 

\ (K = newK x  Key K : analz (sees lost Spy evs))"; 

by (asm_simp_tac (HOL_ss addsimps [pushKey_newK, analz_image_newK, 

insert_Key_singleton]) 1); 

by (Fast_tac 1); 

qed "analz_insert_Key_newK"; 

(** Nonces cannot appear before their time, even hashed! 

One is tempted to add the rule 

"Hash X : parts H ==> X : parts H" 

but we'd then lose theorems like Spy_see_shrK 

***) 

goal thy "!!i. evs : recur lost ==> \ 

\ length evs <= i > \ 

\ (Nonce (newN i) : parts {X} > \ 

\ Hash X ~: parts (sees lost Spy evs))"; 

be recur.induct 1; 

be ssubst 4; (*RA2: DELETE needless definition of PA!*) 
by parts_Fake_tac; 
(*RA3 requires a further induction*) 
be responses.induct 5; 
by (ALLGOALS Asm_simp_tac); 

(*RA2*) 
by (best_tac (!claset addDs [Suc_leD, parts_cut] 
addEs [leD RS notE, 

new_nonces_not_seen RSN(2,rev_notE)] 

addss (!simpset)) 4); 

(*Fake*) 

by (best_tac (!claset addSDs [impOfSubs analz_subset_parts, 

impOfSubs parts_insert_subset_Un, 

Suc_leD] 

addss (!simpset)) 2); 

(*Five others!*) 

by (REPEAT (fast_tac (!claset addEs [leD RS notE] 

addDs [Suc_leD] 

addss (!simpset)) 1)); 

bind_thm ("Hash_new_nonces_not_seen", 

result() RS mp RS mp RSN (2, rev_notE)); 

(** The Nonce NA uniquely identifies A's message. 

This theorem applies to rounds RA1 and RA2! 
9c4444bfd44e
Unicity is not used in other proofs but is desirable in its own right. 
**) 
goal thy 

"!!evs. [ evs : recur lost; A ~: lost ] \ 

\ ==> EX B' P'. ALL B P. \ 

\ Hash {Key(shrK A), Agent A, Agent B, Nonce NA, P} \ 

\ : parts (sees lost Spy evs) > B=B' & P=P'"; 

be recur.induct 1; 

be ssubst 4; (*RA2: DELETE needless definition of PA!*) 
(*For better simplification of RA2*) 
by (res_inst_tac [("x1","XA")] (insert_commute RS ssubst) 4); 
by parts_Fake_tac; 

(*RA3 requires a further induction*) 
be responses.induct 5; 
by (ALLGOALS Asm_simp_tac); 

by (step_tac (!claset addSEs partsEs) 1); 

(*RA3: inductive case*) 
by (best_tac (!claset addss (!simpset)) 5); 
(*Fake*) 

by (best_tac (!claset addSIs [exI] 

addDs [impOfSubs analz_subset_parts, 

impOfSubs Fake_parts_insert] 

addss (!simpset)) 2); 

(*Base*) 

by (fast_tac (!claset addss (!simpset)) 1); 

by (ALLGOALS (simp_tac (!simpset addsimps [all_conj_distrib]))); 

(*RA1: creation of new Nonce. Move assertion into global context*) 
by (expand_case_tac "NA = ?y" 1); 
by (best_tac (!claset addSIs [exI] 

addEs [Hash_new_nonces_not_seen] 

addss (!simpset)) 1); 

by (best_tac (!claset addss (!simpset)) 1); 

(*RA2: creation of new Nonce*) 
by (expand_case_tac "NA = ?y" 1); 
by (best_tac (!claset addSIs [exI] 

addDs [parts_cut] 

addEs [Hash_new_nonces_not_seen] 

addss (!simpset)) 1); 

by (best_tac (!claset addss (!simpset)) 1); 

val lemma = result(); 

goal thy 

"!!evs.[ Hash {Key(shrK A), Agent A, Agent B, Nonce NA, P} \ 

\ : parts (sees lost Spy evs); \ 

\ Hash {Key(shrK A), Agent A, Agent B', Nonce NA, P'} \ 

\ : parts (sees lost Spy evs); \ 

\ evs : recur lost; A ~: lost ] \ 

\ ==> B=B' & P=P'"; 

by (prove_unique_tac lemma 1); 

qed "unique_NA"; 

(*** Lemmas concerning the Server's response 

(relations "respond" and "responses") 

***) 

(*The response never contains Hashes*) 

(*NEEDED????????????????*) 
goal thy 
"!!evs. (j,PB,RB) : respond i \ 

\ ==> Hash {Key (shrK B), M} : parts (insert RB H) > \ 

\ Hash {Key (shrK B), M} : parts H"; 

be (respond_imp_responses RS responses.induct) 1; 

by (Auto_tac()); 

bind_thm ("Hash_in_parts_respond", result() RSN (2, rev_mp)); 

goal thy 

"!!evs. [ RB : responses i; evs : recur lost ] \ 

\ ==> (Key (shrK B) : analz (insert RB (sees lost Spy evs))) = (B:lost)"; 

be responses.induct 1; 

by (ALLGOALS 

(asm_simp_tac 

(!simpset addsimps [resp_analz_image_newK, insert_Key_singleton] 

setloop split_tac [expand_if]))); 

qed "shrK_in_analz_respond"; 

Addsimps [shrK_in_analz_respond]; 

goal thy 

"!!evs. [ RB : responses i; \ 

\ ALL K I. (Key K : analz (Key``(newK``I) Un H)) = \ 

\ (K : newK``I  Key K : analz H) ] \ 

\ ==> (Key K : analz (insert RB H)) > \ 

\ (Key K : parts{RB}  Key K : analz H)"; 

be responses.induct 1; 

by (ALLGOALS 

(asm_simp_tac 

(!simpset addsimps [read_instantiate [("H", "?ff``?xx")] parts_insert, 

resp_analz_image_newK_lemma, 

insert_Key_singleton, insert_Key_image, 

Un_assoc RS sym, pushKey_newK] 

setloop split_tac [expand_if]))); 

(*The "Message" simpset gives the standard treatment of "image"*) 

by (simp_tac (simpset_of "Message") 1); 

by (fast_tac (!claset delrules [allE]) 1); 

qed "resp_analz_insert_lemma"; 

bind_thm ("resp_analz_insert", 

raw_analz_image_newK RSN 

(2, resp_analz_insert_lemma) RSN(2, rev_mp)); 

(*The Server does not send such messages. This theorem lets us avoid 

assuming B~=Server in RA4.*) 
goal thy 
"!!evs. evs : recur lost \ 

\ ==> ALL C X Y P. Says Server C {X, Agent Server, Agent C, Y, P} \ 

\ ~: set_of_list evs"; 

by (etac recur.induct 1); 

be (respond.induct) 5; 

by (Auto_tac()); 

qed_spec_mp "Says_Server_not"; 

AddSEs [Says_Server_not RSN (2,rev_notE)]; 

goal thy 

"!!i. (j,PB,RB) : respond i \ 

\ ==> EX A' B'. ALL A B N. \ 

\ Crypt (shrK A) {Key K, Agent B, N} : parts {RB} \ 

\ > (A'=A & B'=B)  (A'=B & B'=A)"; 

be respond.induct 1; 

by (ALLGOALS (asm_full_simp_tac (!simpset addsimps [all_conj_distrib]))); 

(*Base case*) 

by (Fast_tac 1); 

by (Step_tac 1); 

by (expand_case_tac "K = ?y" 1); 

by (best_tac (!claset addSIs [exI] 

addSEs partsEs 

addDs [Key_in_parts_respond] 

addss (!simpset)) 1); 

by (expand_case_tac "K = ?y" 1); 

by (REPEAT (ares_tac [exI] 2)); 

by (ex_strip_tac 1); 

be respond.elim 1; 

by (REPEAT_FIRST (etac Pair_inject ORELSE' hyp_subst_tac)); 

by (ALLGOALS (asm_full_simp_tac 

(!simpset addsimps [all_conj_distrib, ex_disj_distrib]))); 

by (Fast_tac 1); 

551 
by (Fast_tac 1); 

552 
val lemma = result(); 

553 

554 
goal thy 

555 
"!!RB. [ Crypt (shrK A) {Key K, Agent B, N} : parts {RB}; \ 

556 
\ Crypt (shrK A') {Key K, Agent B', N'} : parts {RB}; \ 

557 
\ (j,PB,RB) : respond i ] \ 

558 
\ ==> (A'=A & B'=B)  (A'=B & B'=A)"; 

559 
by (prove_unique_tac lemma 1); (*33 seconds, due to the disjunctions*) 

560 
qed "unique_session_keys"; 

561 

562 

2451
ce85a2aafc7a
Extensive tidying and simplification, largely stemming from
paulson
parents:
2449
diff
changeset

563 
(** Crucial secrecy property: Spy does not see the keys sent in msg RA3 
2449  564 
Does not in itself guarantee security: an attack could violate 
565 
the premises, e.g. by having A=Spy **) 

566 

567 
goal thy 

568 
"!!j. (j, {Hash {Key(shrK A), Agent A, B, NA, P}, X}, RA) : respond i \ 

569 
\ ==> Crypt (shrK A) {Key (newK2 (i,j)), B, NA} : parts {RA}"; 

570 
be respond.elim 1; 

571 
by (ALLGOALS Asm_full_simp_tac); 

572 
qed "newK2_respond_lemma"; 

573 

574 

575 
goal thy 

576 
"!!evs. [ (j,PB,RB) : respond (length evs); evs : recur lost ] \ 

577 
\ ==> ALL A A' N. A ~: lost & A' ~: lost > \ 

578 
\ Crypt (shrK A) {Key K, Agent A', N} : parts{RB} > \ 

579 
\ Key K ~: analz (insert RB (sees lost Spy evs))"; 

580 
be respond.induct 1; 

581 
by (forward_tac [respond_imp_responses] 2); 

582 
by (ALLGOALS 

583 
(asm_simp_tac 

584 
(!simpset addsimps 

585 
([analz_image_newK, not_parts_not_analz, 

586 
read_instantiate [("H", "?ff``?xx")] parts_insert, 

587 
Un_assoc RS sym, resp_analz_image_newK, 

588 
insert_Key_singleton, analz_insert_Key_newK]) 

589 
setloop split_tac [expand_if]))); 

590 
by (ALLGOALS (simp_tac (simpset_of "Message"))); 

591 
by (Fast_tac 1); 

592 
by (step_tac (!claset addSEs [MPair_parts]) 1); 

593 
(** LEVEL 6 **) 

594 
by (fast_tac (!claset addDs [resp_analz_insert, Key_in_parts_respond] 

595 
addSEs [new_keys_not_seen RS not_parts_not_analz 

596 
RSN(2,rev_notE)] 

597 
addss (!simpset)) 4); 

598 
by (fast_tac (!claset addSDs [newK2_respond_lemma]) 3); 

599 
by (best_tac (!claset addSEs partsEs 

600 
addDs [Key_in_parts_respond] 

601 
addss (!simpset)) 2); 

602 
by (thin_tac "ALL x.?P(x)" 1); 

603 
be respond.elim 1; 

604 
by (fast_tac (!claset addss (!simpset)) 1); 

605 
by (step_tac (!claset addss (!simpset)) 1); 

606 
by (best_tac (!claset addSEs partsEs 

607 
addDs [Key_in_parts_respond] 

608 
addss (!simpset)) 1); 

609 
qed_spec_mp "respond_Spy_not_see_encrypted_key"; 

610 

611 

612 
goal thy 

2455
9c4444bfd44e
Simplification and generalization of the guarantees.
paulson
parents:
2451
diff
changeset

613 
"!!evs. [ A ~: lost; A' ~: lost; evs : recur lost ] \ 
9c4444bfd44e
Simplification and generalization of the guarantees.
paulson
parents:
2451
diff
changeset

614 
\ ==> Says Server B RB : set_of_list evs > \ 
2449  615 
\ Crypt (shrK A) {Key K, Agent A', N} : parts{RB} > \ 
616 
\ Key K ~: analz (sees lost Spy evs)"; 

617 
by (etac recur.induct 1); 

618 
by analz_Fake_tac; 

2451
ce85a2aafc7a
Extensive tidying and simplification, largely stemming from
paulson
parents:
2449
diff
changeset

619 
be ssubst 4; (*RA2: DELETE needless definition of PA!*) 
2449  620 
by (ALLGOALS 
621 
(asm_simp_tac 

622 
(!simpset addsimps [not_parts_not_analz, analz_insert_Key_newK] 

623 
setloop split_tac [expand_if]))); 

2451
ce85a2aafc7a
Extensive tidying and simplification, largely stemming from
paulson
parents:
2449
diff
changeset

624 
(*RA4*) 
2449  625 
by (spy_analz_tac 4); 
626 
(*Fake*) 

627 
by (spy_analz_tac 1); 

628 
by (step_tac (!claset delrules [impCE]) 1); 

2451
ce85a2aafc7a
Extensive tidying and simplification, largely stemming from
paulson
parents:
2449
diff
changeset

629 
(*RA2*) 
2449  630 
by (spy_analz_tac 1); 
2451
ce85a2aafc7a
Extensive tidying and simplification, largely stemming from
paulson
parents:
2449
diff
changeset

631 
(*RA3, case 2: K is an old key*) 
2449  632 
by (fast_tac (!claset addSDs [resp_analz_insert] 
633 
addSEs partsEs 

634 
addDs [Key_in_parts_respond] 

635 
addEs [Says_imp_old_keys RS less_irrefl]) 2); 

2451
ce85a2aafc7a
Extensive tidying and simplification, largely stemming from
paulson
parents:
2449
diff
changeset

636 
(*RA3, case 1: use lemma previously proved by induction*) 
2449  637 
by (fast_tac (!claset addSEs [respond_Spy_not_see_encrypted_key RSN 
638 
(2,rev_notE)]) 1); 

639 
bind_thm ("Spy_not_see_encrypted_key", result() RS mp RSN (2, rev_mp)); 

640 

641 

642 
goal thy 

2455
9c4444bfd44e
Simplification and generalization of the guarantees.
paulson
parents:
2451
diff
changeset

643 
"!!evs. [ Says Server B RB : set_of_list evs; \ 
2449  644 
\ Crypt (shrK A) {Key K, Agent A', N} : parts{RB}; \ 
2455
9c4444bfd44e
Simplification and generalization of the guarantees.
paulson
parents:
2451
diff
changeset

645 
\ C ~: {A,A',Server}; \ 
9c4444bfd44e
Simplification and generalization of the guarantees.
paulson
parents:
2451
diff
changeset

646 
\ A ~: lost; A' ~: lost; evs : recur lost ] \ 
2449  647 
\ ==> Key K ~: analz (sees lost C evs)"; 
648 
by (rtac (subset_insertI RS sees_mono RS analz_mono RS contra_subsetD) 1); 

649 
by (rtac (sees_lost_agent_subset_sees_Spy RS analz_mono RS contra_subsetD) 1); 

650 
by (FIRSTGOAL (rtac Spy_not_see_encrypted_key)); 

651 
by (REPEAT_FIRST (fast_tac (!claset addIs [recur_mono RS subsetD]))); 

652 
qed "Agent_not_see_encrypted_key"; 

653 

654 

655 
(**** Authenticity properties for Agents ****) 

656 

2455
9c4444bfd44e
Simplification and generalization of the guarantees.
paulson
parents:
2451
diff
changeset

657 
(*NEEDED????????????????*) 
2451
ce85a2aafc7a
Extensive tidying and simplification, largely stemming from
paulson
parents:
2449
diff
changeset

658 
(*Only RA1 or RA2 can have caused such a part of a message to appear.*) 
2449  659 
goal thy 
660 
"!!evs. [ Hash {Key(shrK A), Agent A, Agent B, NA, P} \ 

661 
\ : parts (sees lost Spy evs); \ 

662 
\ A ~: lost; evs : recur lost ] \ 

663 
\ ==> Says A B {Hash{Key(shrK A), Agent A, Agent B, NA, P}, \ 

664 
\ Agent A, Agent B, NA, P} \ 

665 
\ : set_of_list evs"; 

666 
be rev_mp 1; 

667 
by (parts_induct_tac 1); 

2451
ce85a2aafc7a
Extensive tidying and simplification, largely stemming from
paulson
parents:
2449
diff
changeset

668 
(*RA3*) 
2449  669 
by (fast_tac (!claset addSDs [Hash_in_parts_respond]) 2); 
2451
ce85a2aafc7a
Extensive tidying and simplification, largely stemming from
paulson
parents:
2449
diff
changeset

670 
(*RA2*) 
2455
9c4444bfd44e
Simplification and generalization of the guarantees.
paulson
parents:
2451
diff
changeset

671 
by ((REPEAT o CHANGED) (*Push in XAfor more simplification*) 
2449  672 
(res_inst_tac [("x1","XA")] (insert_commute RS ssubst) 1)); 
673 
by (best_tac (!claset addSEs partsEs 

674 
addDs [parts_cut] 

675 
addss (!simpset)) 1); 

676 
qed_spec_mp "Hash_auth_sender"; 

677 

678 

2455
9c4444bfd44e
Simplification and generalization of the guarantees.
paulson
parents:
2451
diff
changeset

679 
(*NEEDED????????????????*) 
2449  680 
goal thy "!!i. {Hash {Key (shrK Server), M}, M} : responses i ==> R"; 
681 
be setup_induction 1; 

682 
be responses.induct 1; 

683 
by (ALLGOALS Asm_simp_tac); 

684 
qed "responses_no_Hash_Server"; 

685 

686 

687 
val nonce_not_seen_now = le_refl RSN (2, new_nonces_not_seen) RSN (2,rev_notE); 

688 

689 

690 
(** These two results should subsume (for all agents) the guarantees proved 

691 
separately for A and B in the OtwayRees protocol. 

692 
**) 

693 

694 

2455
9c4444bfd44e
Simplification and generalization of the guarantees.
paulson
parents:
2451
diff
changeset

695 
(*Encrypted messages can only originate with the Server.*) 
2449  696 
goal thy 
2455
9c4444bfd44e
Simplification and generalization of the guarantees.
paulson
parents:
2451
diff
changeset

697 
"!!evs. [ A ~: lost; A ~= Spy; evs : recur lost ] \ 
9c4444bfd44e
Simplification and generalization of the guarantees.
paulson
parents:
2451
diff
changeset

698 
\ ==> Crypt (shrK A) Y : parts (sees lost Spy evs) \ 
9c4444bfd44e
Simplification and generalization of the guarantees.
paulson
parents:
2451
diff
changeset

699 
\ > (EX C RC. Says Server C RC : set_of_list evs & \ 
9c4444bfd44e
Simplification and generalization of the guarantees.
paulson
parents:
2451
diff
changeset

700 
\ Crypt (shrK A) Y : parts {RC})"; 
2449  701 
by (parts_induct_tac 1); 
2451
ce85a2aafc7a
Extensive tidying and simplification, largely stemming from
paulson
parents:
2449
diff
changeset

702 
(*RA4*) 
2455
9c4444bfd44e
Simplification and generalization of the guarantees.
paulson
parents:
2451
diff
changeset

703 
by (Fast_tac 4); 
9c4444bfd44e
Simplification and generalization of the guarantees.
paulson
parents:
2451
diff
changeset

704 
(*RA3*) 
9c4444bfd44e
Simplification and generalization of the guarantees.
paulson
parents:
2451
diff
changeset

705 
by (full_simp_tac (!simpset addsimps [parts_insert_sees]) 3 
9c4444bfd44e
Simplification and generalization of the guarantees.
paulson
parents:
2451
diff
changeset

706 
THEN Fast_tac 3); 
9c4444bfd44e
Simplification and generalization of the guarantees.
paulson
parents:
2451
diff
changeset

707 
(*RA1*) 
9c4444bfd44e
Simplification and generalization of the guarantees.
paulson
parents:
2451
diff
changeset

708 
by (Fast_tac 1); 
2451
ce85a2aafc7a
Extensive tidying and simplification, largely stemming from
paulson
parents:
2449
diff
changeset

709 
(*RA2: it cannot be a new Nonce, contradiction.*) 
2455
9c4444bfd44e
Simplification and generalization of the guarantees.
paulson
parents:
2451
diff
changeset

710 
by ((REPEAT o CHANGED) (*Push in XAfor more simplification*) 
2449  711 
(res_inst_tac [("x1","XA")] (insert_commute RS ssubst) 1)); 
712 
by (deepen_tac (!claset delrules [impCE] 

713 
addSIs [disjI2] 

2455
9c4444bfd44e
Simplification and generalization of the guarantees.
paulson
parents:
2451
diff
changeset

714 
addSEs [MPair_parts] 
2449  715 
addDs [parts_cut, parts.Body] 
716 
addss (!simpset)) 0 1); 

717 
qed_spec_mp "Crypt_imp_Server_msg"; 

718 

719 

2455
9c4444bfd44e
Simplification and generalization of the guarantees.
paulson
parents:
2451
diff
changeset

720 
(*Corollary: if A receives B's message then the key came from the Server*) 
2449  721 
goal thy 
722 
"!!evs. [ Says B' A RA : set_of_list evs; \ 

2455
9c4444bfd44e
Simplification and generalization of the guarantees.
paulson
parents:
2451
diff
changeset

723 
\ Crypt (shrK A) {Key K, Agent A', NA} : parts {RA}; \ 
2449  724 
\ A ~: lost; A ~= Spy; evs : recur lost ] \ 
2455
9c4444bfd44e
Simplification and generalization of the guarantees.
paulson
parents:
2451
diff
changeset

725 
\ ==> EX C RC. Says Server C RC : set_of_list evs & \ 
2451
ce85a2aafc7a
Extensive tidying and simplification, largely stemming from
paulson
parents:
2449
diff
changeset

726 
\ Crypt (shrK A) {Key K, Agent A', NA} : parts {RC}"; 
2449  727 
by (best_tac (!claset addSIs [Crypt_imp_Server_msg] 
728 
addDs [Says_imp_sees_Spy RS parts.Inj RSN (2,parts_cut)] 

729 
addss (!simpset)) 1); 

730 
qed "Agent_trust"; 

731 

732 

2455
9c4444bfd44e
Simplification and generalization of the guarantees.
paulson
parents:
2451
diff
changeset

733 
(*Overall guarantee: if A receives a certificant mentioning A' 
9c4444bfd44e
Simplification and generalization of the guarantees.
paulson
parents:
2451
diff
changeset

734 
then the only other agent who knows the key is A'.*) 
2449  735 
goal thy 
736 
"!!evs. [ Says B' A RA : set_of_list evs; \ 

2451
ce85a2aafc7a
Extensive tidying and simplification, largely stemming from
paulson
parents:
2449
diff
changeset

737 
\ Crypt (shrK A) {Key K, Agent A', NA} : parts {RA}; \ 
ce85a2aafc7a
Extensive tidying and simplification, largely stemming from
paulson
parents:
2449
diff
changeset

738 
\ C ~: {A,A',Server}; \ 
ce85a2aafc7a
Extensive tidying and simplification, largely stemming from
paulson
parents:
2449
diff
changeset

739 
\ A ~: lost; A' ~: lost; A ~= Spy; evs : recur lost ] \ 
2449  740 
\ ==> Key K ~: analz (sees lost C evs)"; 
741 
by (dtac Agent_trust 1 THEN REPEAT_FIRST assume_tac); 

742 
by (fast_tac (!claset addSEs [Agent_not_see_encrypted_key RSN(2,rev_notE)]) 1); 

743 
qed "Agent_secrecy"; 

744 