author  paulson 
Fri, 11 Jul 1997 13:26:15 +0200  
changeset 3512  9dcb4daa15e8 
parent 3471  cd37ec057028 
child 3519  ab0a9fbed4c0 
permissions  rwrr 
2274  1 
(* Title: HOL/Auth/WooLam 
2 
ID: $Id$ 

3 
Author: Lawrence C Paulson, Cambridge University Computer Laboratory 

4 
Copyright 1996 University of Cambridge 

5 

6 
Inductive relation "woolam" for the WooLam protocol. 

7 

8 
Simplified version from page 11 of 

9 
Abadi and Needham. Prudent Engineering Practice for Cryptographic Protocols. 

10 
IEEE Trans. S.E. 22(1), 1996, pages 615. 

11 
*) 

12 

13 
open WooLam; 

14 

15 
proof_timing:=true; 

16 
HOL_quantifiers := false; 

17 

18 

2321  19 
(*A "possibility property": there are traces that reach the end*) 
2274  20 
goal thy 
21 
"!!A B. [ A ~= B; A ~= Server; B ~= Server ] \ 

2283
68829cf138fc
Swapping arguments of Crypt; removing argument lost
paulson
parents:
2274
diff
changeset

22 
\ ==> EX NB. EX evs: woolam. \ 
3466
30791e5a69c4
Corrected indentations and margins after the renaming of "set_of_list"
paulson
parents:
3465
diff
changeset

23 
\ Says Server B (Crypt (shrK B) {Agent A, Nonce NB}) : set evs"; 
2274  24 
by (REPEAT (resolve_tac [exI,bexI] 1)); 
25 
by (rtac (woolam.Nil RS woolam.WL1 RS woolam.WL2 RS woolam.WL3 RS 

2516
4d68fbe6378b
Now with Andy Gordon's treatment of freshness to replace newN/K
paulson
parents:
2451
diff
changeset

26 
woolam.WL4 RS woolam.WL5) 2); 
3471
cd37ec057028
Now the possibility proof calls the appropriate tactic
paulson
parents:
3466
diff
changeset

27 
by possibility_tac; 
2274  28 
result(); 
29 

30 

31 
(**** Inductive proofs about woolam ****) 

32 

33 
(*Nobody sends themselves messages*) 

3465  34 
goal thy "!!evs. evs : woolam ==> ALL A X. Says A A X ~: set evs"; 
2274  35 
by (etac woolam.induct 1); 
36 
by (Auto_tac()); 

37 
qed_spec_mp "not_Says_to_self"; 

38 
Addsimps [not_Says_to_self]; 

39 
AddSEs [not_Says_to_self RSN (2, rev_notE)]; 

40 

41 

42 
(** For reasoning about the encrypted portion of messages **) 

43 

3465  44 
goal thy "!!evs. Says A' B X : set evs \ 
2274  45 
\ ==> X : analz (sees lost Spy evs)"; 
46 
by (etac (Says_imp_sees_Spy RS analz.Inj) 1); 

47 
qed "WL4_analz_sees_Spy"; 

48 

49 
bind_thm ("WL4_parts_sees_Spy", 

50 
WL4_analz_sees_Spy RS (impOfSubs analz_subset_parts)); 

51 

3121
cbb6c0c1c58a
Conversion to use blast_tac (with other improvements)
paulson
parents:
2637
diff
changeset

52 
(*For proving the easier theorems about X ~: parts (sees lost Spy evs) *) 
cbb6c0c1c58a
Conversion to use blast_tac (with other improvements)
paulson
parents:
2637
diff
changeset

53 
val parts_induct_tac = 
cbb6c0c1c58a
Conversion to use blast_tac (with other improvements)
paulson
parents:
2637
diff
changeset

54 
etac woolam.induct 1 THEN 
cbb6c0c1c58a
Conversion to use blast_tac (with other improvements)
paulson
parents:
2637
diff
changeset

55 
forward_tac [WL4_parts_sees_Spy] 6 THEN 
3471
cd37ec057028
Now the possibility proof calls the appropriate tactic
paulson
parents:
3466
diff
changeset

56 
prove_simple_subgoals_tac 1; 
2274  57 

58 

59 
(** Theorems of the form X ~: parts (sees lost Spy evs) imply that NOBODY 

60 
sends messages containing X! **) 

61 

62 
(*Spy never sees another agent's shared key! (unless it's lost at start)*) 

63 
goal thy 

2283
68829cf138fc
Swapping arguments of Crypt; removing argument lost
paulson
parents:
2274
diff
changeset

64 
"!!evs. evs : woolam \ 
2274  65 
\ ==> (Key (shrK A) : parts (sees lost Spy evs)) = (A : lost)"; 
3121
cbb6c0c1c58a
Conversion to use blast_tac (with other improvements)
paulson
parents:
2637
diff
changeset

66 
by parts_induct_tac; 
cbb6c0c1c58a
Conversion to use blast_tac (with other improvements)
paulson
parents:
2637
diff
changeset

67 
by (Fake_parts_insert_tac 1); 
2274  68 
qed "Spy_see_shrK"; 
69 
Addsimps [Spy_see_shrK]; 

70 

71 
goal thy 

2283
68829cf138fc
Swapping arguments of Crypt; removing argument lost
paulson
parents:
2274
diff
changeset

72 
"!!evs. evs : woolam \ 
2274  73 
\ ==> (Key (shrK A) : analz (sees lost Spy evs)) = (A : lost)"; 
74 
by (auto_tac(!claset addDs [impOfSubs analz_subset_parts], !simpset)); 

75 
qed "Spy_analz_shrK"; 

76 
Addsimps [Spy_analz_shrK]; 

77 

78 
goal thy "!!A. [ Key (shrK A) : parts (sees lost Spy evs); \ 

2283
68829cf138fc
Swapping arguments of Crypt; removing argument lost
paulson
parents:
2274
diff
changeset

79 
\ evs : woolam ] ==> A:lost"; 
3121
cbb6c0c1c58a
Conversion to use blast_tac (with other improvements)
paulson
parents:
2637
diff
changeset

80 
by (blast_tac (!claset addDs [Spy_see_shrK]) 1); 
2274  81 
qed "Spy_see_shrK_D"; 
82 

83 
bind_thm ("Spy_analz_shrK_D", analz_subset_parts RS subsetD RS Spy_see_shrK_D); 

84 
AddSDs [Spy_see_shrK_D, Spy_analz_shrK_D]; 

85 

86 

87 
(**** Autheticity properties for WooLam ****) 

88 

89 

90 
(*** WL4 ***) 

91 

92 
(*If the encrypted message appears then it originated with Alice*) 

93 
goal thy 

2283
68829cf138fc
Swapping arguments of Crypt; removing argument lost
paulson
parents:
2274
diff
changeset

94 
"!!evs. [ A ~: lost; evs : woolam ] \ 
68829cf138fc
Swapping arguments of Crypt; removing argument lost
paulson
parents:
2274
diff
changeset

95 
\ ==> Crypt (shrK A) (Nonce NB) : parts (sees lost Spy evs) \ 
3465  96 
\ > (EX B. Says A B (Crypt (shrK A) (Nonce NB)) : set evs)"; 
3121
cbb6c0c1c58a
Conversion to use blast_tac (with other improvements)
paulson
parents:
2637
diff
changeset

97 
by parts_induct_tac; 
cbb6c0c1c58a
Conversion to use blast_tac (with other improvements)
paulson
parents:
2637
diff
changeset

98 
by (Fake_parts_insert_tac 1); 
cbb6c0c1c58a
Conversion to use blast_tac (with other improvements)
paulson
parents:
2637
diff
changeset

99 
by (Blast_tac 1); 
2274  100 
qed_spec_mp "NB_Crypt_imp_Alice_msg"; 
101 

102 
(*Guarantee for Server: if it gets a message containing a certificate from 

103 
Alice, then she originated that certificate. But we DO NOT know that B 

104 
ever saw it: the Spy may have rerouted the message to the Server.*) 

105 
goal thy 

3466
30791e5a69c4
Corrected indentations and margins after the renaming of "set_of_list"
paulson
parents:
3465
diff
changeset

106 
"!!evs. [ A ~: lost; evs : woolam; \ 
2283
68829cf138fc
Swapping arguments of Crypt; removing argument lost
paulson
parents:
2274
diff
changeset

107 
\ Says B' Server {Agent A, Agent B, Crypt (shrK A) (Nonce NB)} \ 
3465  108 
\ : set evs ] \ 
109 
\ ==> EX B. Says A B (Crypt (shrK A) (Nonce NB)) : set evs"; 

3121
cbb6c0c1c58a
Conversion to use blast_tac (with other improvements)
paulson
parents:
2637
diff
changeset

110 
by (blast_tac (!claset addSIs [NB_Crypt_imp_Alice_msg] 
2274  111 
addSEs [MPair_parts] 
112 
addDs [Says_imp_sees_Spy RS parts.Inj]) 1); 

2321  113 
qed "Server_trusts_WL4"; 
2274  114 

115 

116 
(*** WL5 ***) 

117 

118 
(*Server sent WL5 only if it received the right sort of message*) 

119 
goal thy 

3466
30791e5a69c4
Corrected indentations and margins after the renaming of "set_of_list"
paulson
parents:
3465
diff
changeset

120 
"!!evs. evs : woolam ==> \ 
30791e5a69c4
Corrected indentations and margins after the renaming of "set_of_list"
paulson
parents:
3465
diff
changeset

121 
\ Says Server B (Crypt (shrK B) {Agent A, NB}) : set evs \ 
2283
68829cf138fc
Swapping arguments of Crypt; removing argument lost
paulson
parents:
2274
diff
changeset

122 
\ > (EX B'. Says B' Server {Agent A, Agent B, Crypt (shrK A) NB} \ 
3465  123 
\ : set evs)"; 
3121
cbb6c0c1c58a
Conversion to use blast_tac (with other improvements)
paulson
parents:
2637
diff
changeset

124 
by parts_induct_tac; 
cbb6c0c1c58a
Conversion to use blast_tac (with other improvements)
paulson
parents:
2637
diff
changeset

125 
by (Fake_parts_insert_tac 1); 
cbb6c0c1c58a
Conversion to use blast_tac (with other improvements)
paulson
parents:
2637
diff
changeset

126 
by (ALLGOALS Blast_tac); 
2274  127 
bind_thm ("Server_sent_WL5", result() RSN (2, rev_mp)); 
128 

129 

130 
(*If the encrypted message appears then it originated with the Server!*) 

131 
goal thy 

3466
30791e5a69c4
Corrected indentations and margins after the renaming of "set_of_list"
paulson
parents:
3465
diff
changeset

132 
"!!evs. [ B ~: lost; evs : woolam ] \ 
30791e5a69c4
Corrected indentations and margins after the renaming of "set_of_list"
paulson
parents:
3465
diff
changeset

133 
\ ==> Crypt (shrK B) {Agent A, NB} : parts (sees lost Spy evs) \ 
3465  134 
\ > Says Server B (Crypt (shrK B) {Agent A, NB}) : set evs"; 
3121
cbb6c0c1c58a
Conversion to use blast_tac (with other improvements)
paulson
parents:
2637
diff
changeset

135 
by parts_induct_tac; 
cbb6c0c1c58a
Conversion to use blast_tac (with other improvements)
paulson
parents:
2637
diff
changeset

136 
by (Fake_parts_insert_tac 1); 
2274  137 
qed_spec_mp "NB_Crypt_imp_Server_msg"; 
138 

139 
(*Partial guarantee for B: if it gets a message of correct form then the Server 

140 
sent the same message.*) 

141 
goal thy 

3466
30791e5a69c4
Corrected indentations and margins after the renaming of "set_of_list"
paulson
parents:
3465
diff
changeset

142 
"!!evs. [ Says S B (Crypt (shrK B) {Agent A, NB}) : set evs; \ 
2283
68829cf138fc
Swapping arguments of Crypt; removing argument lost
paulson
parents:
2274
diff
changeset

143 
\ B ~: lost; evs : woolam ] \ 
3465  144 
\ ==> Says Server B (Crypt (shrK B) {Agent A, NB}) : set evs"; 
3121
cbb6c0c1c58a
Conversion to use blast_tac (with other improvements)
paulson
parents:
2637
diff
changeset

145 
by (blast_tac (!claset addSIs [NB_Crypt_imp_Server_msg] 
2274  146 
addDs [Says_imp_sees_Spy RS parts.Inj]) 1); 
147 
qed "B_got_WL5"; 

148 

149 
(*Guarantee for B. If B gets the Server's certificate then A has encrypted 

150 
the nonce using her key. This event can be no older than the nonce itself. 

151 
But A may have sent the nonce to some other agent and it could have reached 

152 
the Server via the Spy.*) 

153 
goal thy 

3465  154 
"!!evs. [ Says S B (Crypt (shrK B) {Agent A, Nonce NB}): set evs; \ 
3466
30791e5a69c4
Corrected indentations and margins after the renaming of "set_of_list"
paulson
parents:
3465
diff
changeset

155 
\ A ~: lost; B ~: lost; evs : woolam ] \ 
3465  156 
\ ==> EX B. Says A B (Crypt (shrK A) (Nonce NB)) : set evs"; 
3121
cbb6c0c1c58a
Conversion to use blast_tac (with other improvements)
paulson
parents:
2637
diff
changeset

157 
by (blast_tac (!claset addIs [Server_trusts_WL4] 
2274  158 
addSDs [B_got_WL5 RS Server_sent_WL5]) 1); 
2321  159 
qed "B_trusts_WL5"; 
2274  160 

161 

162 
(*B only issues challenges in response to WL1. Useful??*) 

163 
goal thy 

2283
68829cf138fc
Swapping arguments of Crypt; removing argument lost
paulson
parents:
2274
diff
changeset

164 
"!!evs. [ B ~= Spy; evs : woolam ] \ 
3465  165 
\ ==> Says B A (Nonce NB) : set evs \ 
166 
\ > (EX A'. Says A' B (Agent A) : set evs)"; 

3121
cbb6c0c1c58a
Conversion to use blast_tac (with other improvements)
paulson
parents:
2637
diff
changeset

167 
by parts_induct_tac; 
cbb6c0c1c58a
Conversion to use blast_tac (with other improvements)
paulson
parents:
2637
diff
changeset

168 
by (Fake_parts_insert_tac 1); 
cbb6c0c1c58a
Conversion to use blast_tac (with other improvements)
paulson
parents:
2637
diff
changeset

169 
by (ALLGOALS Blast_tac); 
2274  170 
bind_thm ("B_said_WL2", result() RSN (2, rev_mp)); 
171 

172 

173 
(**CANNOT be proved because A doesn't know where challenges come from... 

174 
goal thy 

3466
30791e5a69c4
Corrected indentations and margins after the renaming of "set_of_list"
paulson
parents:
3465
diff
changeset

175 
"!!evs. [ A ~: lost; B ~= Spy; evs : woolam ] \ 
2283
68829cf138fc
Swapping arguments of Crypt; removing argument lost
paulson
parents:
2274
diff
changeset

176 
\ ==> Crypt (shrK A) (Nonce NB) : parts (sees lost Spy evs) & \ 
3466
30791e5a69c4
Corrected indentations and margins after the renaming of "set_of_list"
paulson
parents:
3465
diff
changeset

177 
\ Says B A (Nonce NB) : set evs \ 
3465  178 
\ > Says A B (Crypt (shrK A) (Nonce NB)) : set evs"; 
3121
cbb6c0c1c58a
Conversion to use blast_tac (with other improvements)
paulson
parents:
2637
diff
changeset

179 
by parts_induct_tac; 
cbb6c0c1c58a
Conversion to use blast_tac (with other improvements)
paulson
parents:
2637
diff
changeset

180 
by (Fake_parts_insert_tac 1); 
2274  181 
by (Step_tac 1); 
3121
cbb6c0c1c58a
Conversion to use blast_tac (with other improvements)
paulson
parents:
2637
diff
changeset

182 
by (blast_tac (!claset addSEs partsEs) 1); 
2274  183 
**) 