author  paulson 
Fri, 11 Jul 1997 13:26:15 +0200  
changeset 3512  9dcb4daa15e8 
parent 3466  30791e5a69c4 
child 3519  ab0a9fbed4c0 
permissions  rwrr 
2002  1 
(* Title: HOL/Auth/OtwayRees_Bad 
2 
ID: $Id$ 

3 
Author: Lawrence C Paulson, Cambridge University Computer Laboratory 

4 
Copyright 1996 University of Cambridge 

5 

6 
Inductive relation "otway" for the OtwayRees protocol. 

7 

8 
The FAULTY version omitting encryption of Nonce NB, as suggested on page 247 of 

9 
Burrows, Abadi and Needham. A Logic of Authentication. 

10 
Proc. Royal Soc. 426 (1989) 

11 

12 
This file illustrates the consequences of such errors. We can still prove 

2032  13 
impressivelooking properties such as Spy_not_see_encrypted_key, yet the 
2002  14 
protocol is open to a middleperson attack. Attempting to prove some key lemmas 
15 
indicates the possibility of this attack. 

16 
*) 

17 

18 
open OtwayRees_Bad; 

19 

20 
proof_timing:=true; 

21 
HOL_quantifiers := false; 

22 

3121
cbb6c0c1c58a
Conversion to use blast_tac (with other improvements)
paulson
parents:
3102
diff
changeset

23 
(*Replacing the variable by a constant improves search speed by 50%!*) 
cbb6c0c1c58a
Conversion to use blast_tac (with other improvements)
paulson
parents:
3102
diff
changeset

24 
val Says_imp_sees_Spy' = 
cbb6c0c1c58a
Conversion to use blast_tac (with other improvements)
paulson
parents:
3102
diff
changeset

25 
read_instantiate_sg (sign_of thy) [("lost","lost")] Says_imp_sees_Spy; 
2002  26 

3121
cbb6c0c1c58a
Conversion to use blast_tac (with other improvements)
paulson
parents:
3102
diff
changeset

27 
(*A "possibility property": there are traces that reach the end*) 
2002  28 
goal thy 
29 
"!!A B. [ A ~= B; A ~= Server; B ~= Server ] \ 

30 
\ ==> EX K. EX NA. EX evs: otway. \ 

2284
80ebd1a213fd
Swapped arguments of Crypt (for clarity and because it is conventional)
paulson
parents:
2264
diff
changeset

31 
\ Says B A {Nonce NA, Crypt (shrK A) {Nonce NA, Key K}} \ 
3465  32 
\ : set evs"; 
2002  33 
by (REPEAT (resolve_tac [exI,bexI] 1)); 
2032  34 
by (rtac (otway.Nil RS otway.OR1 RS otway.OR2 RS otway.OR3 RS otway.OR4) 2); 
2516
4d68fbe6378b
Now with Andy Gordon's treatment of freshness to replace newN/K
paulson
parents:
2451
diff
changeset

35 
by possibility_tac; 
2002  36 
result(); 
37 

38 

39 
(**** Inductive proofs about otway ****) 

40 

41 
(*Nobody sends themselves messages*) 

3465  42 
goal thy "!!evs. evs : otway ==> ALL A X. Says A A X ~: set evs"; 
2032  43 
by (etac otway.induct 1); 
2002  44 
by (Auto_tac()); 
45 
qed_spec_mp "not_Says_to_self"; 

46 
Addsimps [not_Says_to_self]; 

47 
AddSEs [not_Says_to_self RSN (2, rev_notE)]; 

48 

49 

50 
(** For reasoning about the encrypted portion of messages **) 

51 

3465  52 
goal thy "!!evs. Says A' B {N, Agent A, Agent B, X} : set evs ==> \ 
2052  53 
\ X : analz (sees lost Spy evs)"; 
3121
cbb6c0c1c58a
Conversion to use blast_tac (with other improvements)
paulson
parents:
3102
diff
changeset

54 
by (blast_tac (!claset addSDs [Says_imp_sees_Spy' RS analz.Inj]) 1); 
2032  55 
qed "OR2_analz_sees_Spy"; 
2002  56 

3465  57 
goal thy "!!evs. Says S' B {N, X, Crypt (shrK B) X'} : set evs ==> \ 
2052  58 
\ X : analz (sees lost Spy evs)"; 
3121
cbb6c0c1c58a
Conversion to use blast_tac (with other improvements)
paulson
parents:
3102
diff
changeset

59 
by (blast_tac (!claset addSDs [Says_imp_sees_Spy' RS analz.Inj]) 1); 
2032  60 
qed "OR4_analz_sees_Spy"; 
2002  61 

3465  62 
goal thy "!!evs. Says Server B {NA, X, Crypt K' {NB,K}} : set evs \ 
2131  63 
\ ==> K : parts (sees lost Spy evs)"; 
3102  64 
by (blast_tac (!claset addSEs sees_Spy_partsEs) 1); 
2131  65 
qed "Oops_parts_sees_Spy"; 
2002  66 

67 
(*OR2_analz... and OR4_analz... let us treat those cases using the same 

68 
argument as for the Fake case. This is possible for most, but not all, 

69 
proofs: Fake does not invent new nonces (as in OR2), and of course Fake 

2032  70 
messages originate from the Spy. *) 
2002  71 

2052  72 
bind_thm ("OR2_parts_sees_Spy", 
73 
OR2_analz_sees_Spy RS (impOfSubs analz_subset_parts)); 

74 
bind_thm ("OR4_parts_sees_Spy", 

75 
OR4_analz_sees_Spy RS (impOfSubs analz_subset_parts)); 

76 

3121
cbb6c0c1c58a
Conversion to use blast_tac (with other improvements)
paulson
parents:
3102
diff
changeset

77 
(*For proving the easier theorems about X ~: parts (sees lost Spy evs) *) 
cbb6c0c1c58a
Conversion to use blast_tac (with other improvements)
paulson
parents:
3102
diff
changeset

78 
val parts_induct_tac = 
cbb6c0c1c58a
Conversion to use blast_tac (with other improvements)
paulson
parents:
3102
diff
changeset

79 
etac otway.induct 1 THEN 
2052  80 
forward_tac [OR2_parts_sees_Spy] 4 THEN 
81 
forward_tac [OR4_parts_sees_Spy] 6 THEN 

3121
cbb6c0c1c58a
Conversion to use blast_tac (with other improvements)
paulson
parents:
3102
diff
changeset

82 
forward_tac [Oops_parts_sees_Spy] 7 THEN 
cbb6c0c1c58a
Conversion to use blast_tac (with other improvements)
paulson
parents:
3102
diff
changeset

83 
prove_simple_subgoals_tac 1; 
2002  84 

85 

2052  86 
(** Theorems of the form X ~: parts (sees lost Spy evs) imply that NOBODY 
2002  87 
sends messages containing X! **) 
88 

2131  89 
(*Spy never sees another agent's shared key! (unless it's lost at start)*) 
2002  90 
goal thy 
2131  91 
"!!evs. evs : otway \ 
92 
\ ==> (Key (shrK A) : parts (sees lost Spy evs)) = (A : lost)"; 

3121
cbb6c0c1c58a
Conversion to use blast_tac (with other improvements)
paulson
parents:
3102
diff
changeset

93 
by parts_induct_tac; 
cbb6c0c1c58a
Conversion to use blast_tac (with other improvements)
paulson
parents:
3102
diff
changeset

94 
by (Fake_parts_insert_tac 1); 
cbb6c0c1c58a
Conversion to use blast_tac (with other improvements)
paulson
parents:
3102
diff
changeset

95 
by (Blast_tac 1); 
2131  96 
qed "Spy_see_shrK"; 
97 
Addsimps [Spy_see_shrK]; 

2002  98 

2131  99 
goal thy 
100 
"!!evs. evs : otway \ 

101 
\ ==> (Key (shrK A) : analz (sees lost Spy evs)) = (A : lost)"; 

102 
by (auto_tac(!claset addDs [impOfSubs analz_subset_parts], !simpset)); 

103 
qed "Spy_analz_shrK"; 

104 
Addsimps [Spy_analz_shrK]; 

2002  105 

2131  106 
goal thy "!!A. [ Key (shrK A) : parts (sees lost Spy evs); \ 
107 
\ evs : otway ] ==> A:lost"; 

3102  108 
by (blast_tac (!claset addDs [Spy_see_shrK]) 1); 
2131  109 
qed "Spy_see_shrK_D"; 
2002  110 

2131  111 
bind_thm ("Spy_analz_shrK_D", analz_subset_parts RS subsetD RS Spy_see_shrK_D); 
112 
AddSDs [Spy_see_shrK_D, Spy_analz_shrK_D]; 

2002  113 

114 

2516
4d68fbe6378b
Now with Andy Gordon's treatment of freshness to replace newN/K
paulson
parents:
2451
diff
changeset

115 
(*Nobody can have used nonexistent keys!*) 
4d68fbe6378b
Now with Andy Gordon's treatment of freshness to replace newN/K
paulson
parents:
2451
diff
changeset

116 
goal thy "!!evs. evs : otway ==> \ 
4d68fbe6378b
Now with Andy Gordon's treatment of freshness to replace newN/K
paulson
parents:
2451
diff
changeset

117 
\ Key K ~: used evs > K ~: keysFor (parts (sees lost Spy evs))"; 
3121
cbb6c0c1c58a
Conversion to use blast_tac (with other improvements)
paulson
parents:
3102
diff
changeset

118 
by parts_induct_tac; 
2516
4d68fbe6378b
Now with Andy Gordon's treatment of freshness to replace newN/K
paulson
parents:
2451
diff
changeset

119 
(*Fake*) 
4d68fbe6378b
Now with Andy Gordon's treatment of freshness to replace newN/K
paulson
parents:
2451
diff
changeset

120 
by (best_tac 
4d68fbe6378b
Now with Andy Gordon's treatment of freshness to replace newN/K
paulson
parents:
2451
diff
changeset

121 
(!claset addIs [impOfSubs analz_subset_parts] 
4d68fbe6378b
Now with Andy Gordon's treatment of freshness to replace newN/K
paulson
parents:
2451
diff
changeset

122 
addDs [impOfSubs (analz_subset_parts RS keysFor_mono), 
4d68fbe6378b
Now with Andy Gordon's treatment of freshness to replace newN/K
paulson
parents:
2451
diff
changeset

123 
impOfSubs (parts_insert_subset_Un RS keysFor_mono)] 
3207  124 
addss (!simpset)) 1); 
2516
4d68fbe6378b
Now with Andy Gordon's treatment of freshness to replace newN/K
paulson
parents:
2451
diff
changeset

125 
(*OR13*) 
3121
cbb6c0c1c58a
Conversion to use blast_tac (with other improvements)
paulson
parents:
3102
diff
changeset

126 
by (ALLGOALS Blast_tac); 
2160  127 
qed_spec_mp "new_keys_not_used"; 
2002  128 

129 
bind_thm ("new_keys_not_analzd", 

2032  130 
[analz_subset_parts RS keysFor_mono, 
131 
new_keys_not_used] MRS contra_subsetD); 

2002  132 

133 
Addsimps [new_keys_not_used, new_keys_not_analzd]; 

134 

135 

2131  136 

137 
(*** Proofs involving analz ***) 

138 

139 
(*Describes the form of K and NA when the Server sends this message. Also 

140 
for Oops case.*) 

141 
goal thy 

2516
4d68fbe6378b
Now with Andy Gordon's treatment of freshness to replace newN/K
paulson
parents:
2451
diff
changeset

142 
"!!evs. [ Says Server B \ 
3466
30791e5a69c4
Corrected indentations and margins after the renaming of "set_of_list"
paulson
parents:
3465
diff
changeset

143 
\ {NA, X, Crypt (shrK B) {NB, Key K}} : set evs; \ 
2516
4d68fbe6378b
Now with Andy Gordon's treatment of freshness to replace newN/K
paulson
parents:
2451
diff
changeset

144 
\ evs : otway ] \ 
4d68fbe6378b
Now with Andy Gordon's treatment of freshness to replace newN/K
paulson
parents:
2451
diff
changeset

145 
\ ==> K ~: range shrK & (EX i. NA = Nonce i) & (EX j. NB = Nonce j)"; 
2131  146 
by (etac rev_mp 1); 
147 
by (etac otway.induct 1); 

3121
cbb6c0c1c58a
Conversion to use blast_tac (with other improvements)
paulson
parents:
3102
diff
changeset

148 
by (prove_simple_subgoals_tac 1); 
cbb6c0c1c58a
Conversion to use blast_tac (with other improvements)
paulson
parents:
3102
diff
changeset

149 
by (Blast_tac 1); 
2131  150 
qed "Says_Server_message_form"; 
151 

152 

153 
(*For proofs involving analz.*) 

3121
cbb6c0c1c58a
Conversion to use blast_tac (with other improvements)
paulson
parents:
3102
diff
changeset

154 
val analz_sees_tac = 
2131  155 
dtac OR2_analz_sees_Spy 4 THEN 
156 
dtac OR4_analz_sees_Spy 6 THEN 

2516
4d68fbe6378b
Now with Andy Gordon's treatment of freshness to replace newN/K
paulson
parents:
2451
diff
changeset

157 
forward_tac [Says_Server_message_form] 7 THEN assume_tac 7 THEN 
2451
ce85a2aafc7a
Extensive tidying and simplification, largely stemming from
paulson
parents:
2417
diff
changeset

158 
REPEAT ((eresolve_tac [exE, conjE] ORELSE' hyp_subst_tac) 7); 
2002  159 

160 

161 
(**** 

162 
The following is to prove theorems of the form 

163 

2516
4d68fbe6378b
Now with Andy Gordon's treatment of freshness to replace newN/K
paulson
parents:
2451
diff
changeset

164 
Key K : analz (insert (Key KAB) (sees lost Spy evs)) ==> 
2451
ce85a2aafc7a
Extensive tidying and simplification, largely stemming from
paulson
parents:
2417
diff
changeset

165 
Key K : analz (sees lost Spy evs) 
2002  166 

167 
A more general formula must be proved inductively. 

168 
****) 

169 

170 

171 
(** Session keys are not used to encrypt other session keys **) 

172 

173 
(*The equality makes the induction hypothesis easier to apply*) 

174 
goal thy 

3466
30791e5a69c4
Corrected indentations and margins after the renaming of "set_of_list"
paulson
parents:
3465
diff
changeset

175 
"!!evs. evs : otway ==> \ 
30791e5a69c4
Corrected indentations and margins after the renaming of "set_of_list"
paulson
parents:
3465
diff
changeset

176 
\ ALL K KK. KK <= Compl (range shrK) > \ 
30791e5a69c4
Corrected indentations and margins after the renaming of "set_of_list"
paulson
parents:
3465
diff
changeset

177 
\ (Key K : analz (Key``KK Un (sees lost Spy evs))) = \ 
2516
4d68fbe6378b
Now with Andy Gordon's treatment of freshness to replace newN/K
paulson
parents:
2451
diff
changeset

178 
\ (K : KK  Key K : analz (sees lost Spy evs))"; 
2032  179 
by (etac otway.induct 1); 
3121
cbb6c0c1c58a
Conversion to use blast_tac (with other improvements)
paulson
parents:
3102
diff
changeset

180 
by analz_sees_tac; 
2516
4d68fbe6378b
Now with Andy Gordon's treatment of freshness to replace newN/K
paulson
parents:
2451
diff
changeset

181 
by (REPEAT_FIRST (resolve_tac [allI, impI])); 
4d68fbe6378b
Now with Andy Gordon's treatment of freshness to replace newN/K
paulson
parents:
2451
diff
changeset

182 
by (REPEAT_FIRST (rtac analz_image_freshK_lemma )); 
4d68fbe6378b
Now with Andy Gordon's treatment of freshness to replace newN/K
paulson
parents:
2451
diff
changeset

183 
by (ALLGOALS (asm_simp_tac analz_image_freshK_ss)); 
3451
d10f100676d8
Made proofs more concise by replacing calls to spy_analz_tac by uses of
paulson
parents:
3207
diff
changeset

184 
(*Fake*) 
d10f100676d8
Made proofs more concise by replacing calls to spy_analz_tac by uses of
paulson
parents:
3207
diff
changeset

185 
by (spy_analz_tac 2); 
2516
4d68fbe6378b
Now with Andy Gordon's treatment of freshness to replace newN/K
paulson
parents:
2451
diff
changeset

186 
(*Base*) 
3121
cbb6c0c1c58a
Conversion to use blast_tac (with other improvements)
paulson
parents:
3102
diff
changeset

187 
by (Blast_tac 1); 
2516
4d68fbe6378b
Now with Andy Gordon's treatment of freshness to replace newN/K
paulson
parents:
2451
diff
changeset

188 
qed_spec_mp "analz_image_freshK"; 
2002  189 

190 

191 
goal thy 

2516
4d68fbe6378b
Now with Andy Gordon's treatment of freshness to replace newN/K
paulson
parents:
2451
diff
changeset

192 
"!!evs. [ evs : otway; KAB ~: range shrK ] ==> \ 
4d68fbe6378b
Now with Andy Gordon's treatment of freshness to replace newN/K
paulson
parents:
2451
diff
changeset

193 
\ Key K : analz (insert (Key KAB) (sees lost Spy evs)) = \ 
4d68fbe6378b
Now with Andy Gordon's treatment of freshness to replace newN/K
paulson
parents:
2451
diff
changeset

194 
\ (K = KAB  Key K : analz (sees lost Spy evs))"; 
4d68fbe6378b
Now with Andy Gordon's treatment of freshness to replace newN/K
paulson
parents:
2451
diff
changeset

195 
by (asm_simp_tac (analz_image_freshK_ss addsimps [analz_image_freshK]) 1); 
4d68fbe6378b
Now with Andy Gordon's treatment of freshness to replace newN/K
paulson
parents:
2451
diff
changeset

196 
qed "analz_insert_freshK"; 
2002  197 

198 

2131  199 
(*** The Key K uniquely identifies the Server's message. **) 
2002  200 

201 
goal thy 

3466
30791e5a69c4
Corrected indentations and margins after the renaming of "set_of_list"
paulson
parents:
3465
diff
changeset

202 
"!!evs. evs : otway ==> \ 
30791e5a69c4
Corrected indentations and margins after the renaming of "set_of_list"
paulson
parents:
3465
diff
changeset

203 
\ EX B' NA' NB' X'. ALL B NA NB X. \ 
30791e5a69c4
Corrected indentations and margins after the renaming of "set_of_list"
paulson
parents:
3465
diff
changeset

204 
\ Says Server B {NA, X, Crypt (shrK B) {NB, K}} : set evs > \ 
2131  205 
\ B=B' & NA=NA' & NB=NB' & X=X'"; 
2032  206 
by (etac otway.induct 1); 
2002  207 
by (ALLGOALS (asm_simp_tac (!simpset addsimps [all_conj_distrib]))); 
208 
by (Step_tac 1); 

209 
(*Remaining cases: OR3 and OR4*) 

210 
by (ex_strip_tac 2); 

3102  211 
by (Blast_tac 2); 
2107
23e8f15ec95f
The new proof of the lemma for new_nonces_not_seen is faster
paulson
parents:
2052
diff
changeset

212 
by (expand_case_tac "K = ?y" 1); 
23e8f15ec95f
The new proof of the lemma for new_nonces_not_seen is faster
paulson
parents:
2052
diff
changeset

213 
by (REPEAT (ares_tac [refl,exI,impI,conjI] 2)); 
2516
4d68fbe6378b
Now with Andy Gordon's treatment of freshness to replace newN/K
paulson
parents:
2451
diff
changeset

214 
(*...we assume X is a recent message, and handle this case by contradiction*) 
3102  215 
by (blast_tac (!claset addSEs sees_Spy_partsEs 
3121
cbb6c0c1c58a
Conversion to use blast_tac (with other improvements)
paulson
parents:
3102
diff
changeset

216 
delrules [conjI] (*no splitup to 4 subgoals*)) 1); 
2002  217 
val lemma = result(); 
218 

219 
goal thy 

3466
30791e5a69c4
Corrected indentations and margins after the renaming of "set_of_list"
paulson
parents:
3465
diff
changeset

220 
"!!evs. [ Says Server B {NA, X, Crypt (shrK B) {NB, K}} : set evs; \ 
30791e5a69c4
Corrected indentations and margins after the renaming of "set_of_list"
paulson
parents:
3465
diff
changeset

221 
\ Says Server B' {NA',X',Crypt (shrK B') {NB',K}} : set evs; \ 
2131  222 
\ evs : otway ] ==> X=X' & B=B' & NA=NA' & NB=NB'"; 
2417  223 
by (prove_unique_tac lemma 1); 
2002  224 
qed "unique_session_keys"; 
225 

226 

2131  227 
(*Crucial security property, but not itself enough to guarantee correctness!*) 
228 
goal thy 

2166  229 
"!!evs. [ A ~: lost; B ~: lost; evs : otway ] \ 
230 
\ ==> Says Server B \ 

2284
80ebd1a213fd
Swapped arguments of Crypt (for clarity and because it is conventional)
paulson
parents:
2264
diff
changeset

231 
\ {NA, Crypt (shrK A) {NA, Key K}, \ 
3466
30791e5a69c4
Corrected indentations and margins after the renaming of "set_of_list"
paulson
parents:
3465
diff
changeset

232 
\ Crypt (shrK B) {NB, Key K}} : set evs > \ 
30791e5a69c4
Corrected indentations and margins after the renaming of "set_of_list"
paulson
parents:
3465
diff
changeset

233 
\ Says B Spy {NA, NB, Key K} ~: set evs > \ 
2166  234 
\ Key K ~: analz (sees lost Spy evs)"; 
2131  235 
by (etac otway.induct 1); 
3121
cbb6c0c1c58a
Conversion to use blast_tac (with other improvements)
paulson
parents:
3102
diff
changeset

236 
by analz_sees_tac; 
2131  237 
by (ALLGOALS 
2516
4d68fbe6378b
Now with Andy Gordon's treatment of freshness to replace newN/K
paulson
parents:
2451
diff
changeset

238 
(asm_simp_tac (!simpset addcongs [conj_cong] 
3451
d10f100676d8
Made proofs more concise by replacing calls to spy_analz_tac by uses of
paulson
parents:
3207
diff
changeset

239 
addsimps [analz_insert_eq, not_parts_not_analz, 
d10f100676d8
Made proofs more concise by replacing calls to spy_analz_tac by uses of
paulson
parents:
3207
diff
changeset

240 
analz_insert_freshK] 
2516
4d68fbe6378b
Now with Andy Gordon's treatment of freshness to replace newN/K
paulson
parents:
2451
diff
changeset

241 
setloop split_tac [expand_if]))); 
3451
d10f100676d8
Made proofs more concise by replacing calls to spy_analz_tac by uses of
paulson
parents:
3207
diff
changeset

242 
(*Oops*) 
d10f100676d8
Made proofs more concise by replacing calls to spy_analz_tac by uses of
paulson
parents:
3207
diff
changeset

243 
by (blast_tac (!claset addSDs [unique_session_keys]) 4); 
d10f100676d8
Made proofs more concise by replacing calls to spy_analz_tac by uses of
paulson
parents:
3207
diff
changeset

244 
(*OR4*) 
d10f100676d8
Made proofs more concise by replacing calls to spy_analz_tac by uses of
paulson
parents:
3207
diff
changeset

245 
by (Blast_tac 3); 
2131  246 
(*OR3*) 
3451
d10f100676d8
Made proofs more concise by replacing calls to spy_analz_tac by uses of
paulson
parents:
3207
diff
changeset

247 
by (blast_tac (!claset addSEs sees_Spy_partsEs 
d10f100676d8
Made proofs more concise by replacing calls to spy_analz_tac by uses of
paulson
parents:
3207
diff
changeset

248 
addIs [impOfSubs analz_subset_parts]) 2); 
d10f100676d8
Made proofs more concise by replacing calls to spy_analz_tac by uses of
paulson
parents:
3207
diff
changeset

249 
(*Fake*) 
d10f100676d8
Made proofs more concise by replacing calls to spy_analz_tac by uses of
paulson
parents:
3207
diff
changeset

250 
by (spy_analz_tac 1); 
2131  251 
val lemma = result() RS mp RS mp RSN(2,rev_notE); 
252 

253 
goal thy 

3466
30791e5a69c4
Corrected indentations and margins after the renaming of "set_of_list"
paulson
parents:
3465
diff
changeset

254 
"!!evs. [ Says Server B \ 
30791e5a69c4
Corrected indentations and margins after the renaming of "set_of_list"
paulson
parents:
3465
diff
changeset

255 
\ {NA, Crypt (shrK A) {NA, Key K}, \ 
30791e5a69c4
Corrected indentations and margins after the renaming of "set_of_list"
paulson
parents:
3465
diff
changeset

256 
\ Crypt (shrK B) {NB, Key K}} : set evs; \ 
30791e5a69c4
Corrected indentations and margins after the renaming of "set_of_list"
paulson
parents:
3465
diff
changeset

257 
\ Says B Spy {NA, NB, Key K} ~: set evs; \ 
2131  258 
\ A ~: lost; B ~: lost; evs : otway ] \ 
2516
4d68fbe6378b
Now with Andy Gordon's treatment of freshness to replace newN/K
paulson
parents:
2451
diff
changeset

259 
\ ==> Key K ~: analz (sees lost Spy evs)"; 
2131  260 
by (forward_tac [Says_Server_message_form] 1 THEN assume_tac 1); 
3102  261 
by (blast_tac (!claset addSEs [lemma]) 1); 
2131  262 
qed "Spy_not_see_encrypted_key"; 
263 

264 

265 
(*** Attempting to prove stronger properties ***) 

266 

2052  267 
(*Only OR1 can have caused such a part of a message to appear. 
268 
I'm not sure why A ~= B premise is needed: OtwayRees.ML doesn't need it. 

269 
Perhaps it's because OR2 has two similarlooking encrypted messages in 

2516
4d68fbe6378b
Now with Andy Gordon's treatment of freshness to replace newN/K
paulson
parents:
2451
diff
changeset

270 
this version.*) 
2002  271 
goal thy 
2516
4d68fbe6378b
Now with Andy Gordon's treatment of freshness to replace newN/K
paulson
parents:
2451
diff
changeset

272 
"!!evs. [ A ~: lost; A ~= B; evs : otway ] \ 
2284
80ebd1a213fd
Swapped arguments of Crypt (for clarity and because it is conventional)
paulson
parents:
2264
diff
changeset

273 
\ ==> Crypt (shrK A) {NA, Agent A, Agent B} \ 
2052  274 
\ : parts (sees lost Spy evs) > \ 
2131  275 
\ Says A B {NA, Agent A, Agent B, \ 
3466
30791e5a69c4
Corrected indentations and margins after the renaming of "set_of_list"
paulson
parents:
3465
diff
changeset

276 
\ Crypt (shrK A) {NA, Agent A, Agent B}} : set evs"; 
3121
cbb6c0c1c58a
Conversion to use blast_tac (with other improvements)
paulson
parents:
3102
diff
changeset

277 
by parts_induct_tac; 
cbb6c0c1c58a
Conversion to use blast_tac (with other improvements)
paulson
parents:
3102
diff
changeset

278 
by (Fake_parts_insert_tac 1); 
3102  279 
by (Blast_tac 1); 
2002  280 
qed_spec_mp "Crypt_imp_OR1"; 
281 

282 

2131  283 
(*Crucial property: If the encrypted message appears, and A has used NA 
284 
to start a run, then it originated with the Server!*) 

285 
(*Only it is FALSE. Somebody could make a fake message to Server 

2002  286 
substituting some other nonce NA' for NB.*) 
287 
goal thy 

3466
30791e5a69c4
Corrected indentations and margins after the renaming of "set_of_list"
paulson
parents:
3465
diff
changeset

288 
"!!evs. [ A ~: lost; A ~= Spy; evs : otway ] \ 
2284
80ebd1a213fd
Swapped arguments of Crypt (for clarity and because it is conventional)
paulson
parents:
2264
diff
changeset

289 
\ ==> Crypt (shrK A) {NA, Key K} : parts (sees lost Spy evs) > \ 
3466
30791e5a69c4
Corrected indentations and margins after the renaming of "set_of_list"
paulson
parents:
3465
diff
changeset

290 
\ Says A B {NA, Agent A, Agent B, \ 
2284
80ebd1a213fd
Swapped arguments of Crypt (for clarity and because it is conventional)
paulson
parents:
2264
diff
changeset

291 
\ Crypt (shrK A) {NA, Agent A, Agent B}} \ 
3466
30791e5a69c4
Corrected indentations and margins after the renaming of "set_of_list"
paulson
parents:
3465
diff
changeset

292 
\ : set evs > \ 
2131  293 
\ (EX B NB. Says Server B \ 
294 
\ {NA, \ 

2284
80ebd1a213fd
Swapped arguments of Crypt (for clarity and because it is conventional)
paulson
parents:
2264
diff
changeset

295 
\ Crypt (shrK A) {NA, Key K}, \ 
3466
30791e5a69c4
Corrected indentations and margins after the renaming of "set_of_list"
paulson
parents:
3465
diff
changeset

296 
\ Crypt (shrK B) {NB, Key K}} : set evs)"; 
3121
cbb6c0c1c58a
Conversion to use blast_tac (with other improvements)
paulson
parents:
3102
diff
changeset

297 
by parts_induct_tac; 
cbb6c0c1c58a
Conversion to use blast_tac (with other improvements)
paulson
parents:
3102
diff
changeset

298 
by (Fake_parts_insert_tac 1); 
2002  299 
(*OR1: it cannot be a new Nonce, contradiction.*) 
3102  300 
by (blast_tac (!claset addSIs [parts_insertI] 
301 
addSEs sees_Spy_partsEs) 1); 

2002  302 
(*OR4*) 
303 
by (REPEAT (Safe_step_tac 2)); 

3102  304 
by (REPEAT (blast_tac (!claset addSDs [parts_cut]) 3)); 
305 
by (blast_tac (!claset addSIs [Crypt_imp_OR1] 

306 
addEs sees_Spy_partsEs) 2); 

2131  307 
(*OR3*) (** LEVEL 5 **) 
2002  308 
by (ALLGOALS (asm_simp_tac (!simpset addsimps [ex_disj_distrib]))); 
2052  309 
by (step_tac (!claset delrules [disjCI, impCE]) 1); 
2002  310 
(*The hypotheses at this point suggest an attack in which nonce NA is used 
2052  311 
in two different roles: 
312 
Says B' Server 

313 
{Nonce NAa, Agent Aa, Agent A, 

2284
80ebd1a213fd
Swapped arguments of Crypt (for clarity and because it is conventional)
paulson
parents:
2264
diff
changeset

314 
Crypt (shrK Aa) {Nonce NAa, Agent Aa, Agent A}, Nonce NA, 
80ebd1a213fd
Swapped arguments of Crypt (for clarity and because it is conventional)
paulson
parents:
2264
diff
changeset

315 
Crypt (shrK A) {Nonce NAa, Agent Aa, Agent A}} 
3465  316 
: set evsa; 
2052  317 
Says A B 
318 
{Nonce NA, Agent A, Agent B, 

2284
80ebd1a213fd
Swapped arguments of Crypt (for clarity and because it is conventional)
paulson
parents:
2264
diff
changeset

319 
Crypt (shrK A) {Nonce NA, Agent A, Agent B}} 
3465  320 
: set evsa 
2052  321 
*) 
2131  322 
writeln "GIVE UP! on NA_Crypt_imp_Server_msg"; 
2002  323 

324 

2052  325 
(*Thus the key property A_can_trust probably fails too.*) 