(* Title: HOL/Auth/Yahalom2 
New version of Yahalom, as recommended on p 259 of BAN paper
parents:
2 
ID: $Id$ 
New version of Yahalom, as recommended on p 259 of BAN paper
3 
Author: Lawrence C Paulson, Cambridge University Computer Laboratory 
New version of Yahalom, as recommended on p 259 of BAN paper
4 
Copyright 1996 University of Cambridge 
New version of Yahalom, as recommended on p 259 of BAN paper
5 

New version of Yahalom, as recommended on p 259 of BAN paper
6 
Inductive relation "yahalom" for the Yahalom protocol, Variant 2. 
New version of Yahalom, as recommended on p 259 of BAN paper
7 

New version of Yahalom, as recommended on p 259 of BAN paper
8 
This version trades encryption of NB for additional explicitness in YM3. 
New version of Yahalom, as recommended on p 259 of BAN paper
9 

New version of Yahalom, as recommended on p 259 of BAN paper
10 
From page 259 of 
New version of Yahalom, as recommended on p 259 of BAN paper
11 
Burrows, Abadi and Needham. A Logic of Authentication. 
New version of Yahalom, as recommended on p 259 of BAN paper
12 
Proc. Royal Soc. 426 (1989) 
New version of Yahalom, as recommended on p 259 of BAN paper
13 
*) 
New version of Yahalom, as recommended on p 259 of BAN paper
14 

New version of Yahalom, as recommended on p 259 of BAN paper
15 
open Yahalom2; 
New version of Yahalom, as recommended on p 259 of BAN paper
16 

New version of Yahalom, as recommended on p 259 of BAN paper
17 
proof_timing:=true; 
New version of Yahalom, as recommended on p 259 of BAN paper
18 
HOL_quantifiers := false; 
New version of Yahalom, as recommended on p 259 of BAN paper
19 

3432  20 
(*Replacing the variable by a constant improves speed*) 
21 
val Says_imp_sees_Spy' = read_instantiate [("lost","lost")] Says_imp_sees_Spy; 

22 

23 

2323  24 
(*A "possibility property": there are traces that reach the end*) 
25 
goal thy 
26 
"!!A B. [ A ~= B; A ~= Server; B ~= Server ] \ 
27 
\ ==> EX X NB K. EX evs: yahalom lost. \ 
29 
by (REPEAT (resolve_tac [exI,bexI] 1)); 
30 
by (rtac (yahalom.Nil RS yahalom.YM1 RS yahalom.YM2 RS yahalom.YM3 RS 
31 
yahalom.YM4) 2); 
32 
by possibility_tac; 
33 
result(); 
New version of Yahalom, as recommended on p 259 of BAN paper
34 

New version of Yahalom, as recommended on p 259 of BAN paper
35 

New version of Yahalom, as recommended on p 259 of BAN paper
36 
(**** Inductive proofs about yahalom ****) 
New version of Yahalom, as recommended on p 259 of BAN paper
37 

New version of Yahalom, as recommended on p 259 of BAN paper
38 
(*Monotonicity*) 
New version of Yahalom, as recommended on p 259 of BAN paper
39 
goal thy "!!evs. lost' <= lost ==> yahalom lost' <= yahalom lost"; 
New version of Yahalom, as recommended on p 259 of BAN paper
40 
by (rtac subsetI 1); 
New version of Yahalom, as recommended on p 259 of BAN paper
41 
by (etac yahalom.induct 1); 
New version of Yahalom, as recommended on p 259 of BAN paper
42 
by (REPEAT_FIRST 
(blast_tac (!claset addIs (impOfSubs(sees_mono RS analz_mono RS synth_mono) 
2111
New version of Yahalom, as recommended on p 259 of BAN paper
45 
qed "yahalom_mono"; 
New version of Yahalom, as recommended on p 259 of BAN paper
46 

New version of Yahalom, as recommended on p 259 of BAN paper
47 

New version of Yahalom, as recommended on p 259 of BAN paper
48 
(*Nobody sends themselves messages*) 
3465  49 
goal thy "!!evs. evs: yahalom lost ==> ALL A X. Says A A X ~: set evs"; 
2111
81c8d46edfa3
New version of Yahalom, as recommended on p 259 of BAN paper
paulson
parents:
diff
changeset

50 
by (etac yahalom.induct 1); 
81c8d46edfa3
New version of Yahalom, as recommended on p 259 of BAN paper
paulson
parents:
diff
changeset

51 
by (Auto_tac()); 
New version of Yahalom, as recommended on p 259 of BAN paper
52 
qed_spec_mp "not_Says_to_self"; 
New version of Yahalom, as recommended on p 259 of BAN paper
53 
Addsimps [not_Says_to_self]; 
New version of Yahalom, as recommended on p 259 of BAN paper
54 
AddSEs [not_Says_to_self RSN (2, rev_notE)]; 
New version of Yahalom, as recommended on p 259 of BAN paper
55 

New version of Yahalom, as recommended on p 259 of BAN paper
56 

New version of Yahalom, as recommended on p 259 of BAN paper
57 
(** For reasoning about the encrypted portion of messages **) 
New version of Yahalom, as recommended on p 259 of BAN paper
58 

New version of Yahalom, as recommended on p 259 of BAN paper
59 
(*Lets us treat YM4 using a similar argument as for the Fake case.*) 
3465  60 
goal thy "!!evs. Says S A {NB, Crypt (shrK A) Y, X} : set evs ==> \ 
2111
81c8d46edfa3
New version of Yahalom, as recommended on p 259 of BAN paper
paulson
parents:
diff
changeset

61 
\ X : analz (sees lost Spy evs)"; 
3432  62 
by (blast_tac (!claset addSDs [Says_imp_sees_Spy' RS analz.Inj]) 1); 
2111
81c8d46edfa3
New version of Yahalom, as recommended on p 259 of BAN paper
paulson
parents:
diff
changeset

63 
qed "YM4_analz_sees_Spy"; 
New version of Yahalom, as recommended on p 259 of BAN paper
64 

New version of Yahalom, as recommended on p 259 of BAN paper
65 
bind_thm ("YM4_parts_sees_Spy", 
New version of Yahalom, as recommended on p 259 of BAN paper
66 
YM4_analz_sees_Spy RS (impOfSubs analz_subset_parts)); 
New version of Yahalom, as recommended on p 259 of BAN paper
67 

2155  68 
(*Relates to both YM4 and Oops*) 
69 
goal thy "!!evs. Says S A {NB, Crypt (shrK A) {B,K,NA}, X} : set evs ==> \ 
2111
70 
\ K : parts (sees lost Spy evs)"; 
71 
by (blast_tac (!claset addSEs partsEs 
72 
addSDs [Says_imp_sees_Spy' RS parts.Inj]) 1); 
73 
qed "YM4_Key_parts_sees_Spy"; 
74 

75 
(*For proving the easier theorems about X ~: parts (sees lost Spy evs). 
76 
We instantiate the variable to "lost" since leaving it as a Var would 
77 
interfere with simplification.*) 
79 
forw_inst_tac [("lost","lost")] YM4_parts_sees_Spy 6 THEN 
80 
forw_inst_tac [("lost","lost")] YM4_Key_parts_sees_Spy 7 THEN 
81 
prove_simple_subgoals_tac 1; 
2111
82 

3432  83 
val parts_induct_tac = 
84 
etac yahalom.induct 1 THEN parts_sees_tac; 

85 

2111
86 

87 
(** Theorems of the form X ~: parts (sees lost Spy evs) imply that NOBODY 
88 
sends messages containing X! **) 
89 

90 
(*Spy never sees another agent's shared key! (unless it's lost at start)*) 
91 
goal thy 
92 
"!!evs. evs : yahalom lost \ 
93 
\ ==> (Key (shrK A) : parts (sees lost Spy evs)) = (A : lost)"; 
94 
by parts_induct_tac; 
95 
by (Fake_parts_insert_tac 1); 
96 
by (Blast_tac 1); 
97 
qed "Spy_see_shrK"; 
98 
Addsimps [Spy_see_shrK]; 
99 

2516
100 
goal thy 
101 
"!!evs. evs : yahalom lost \ 
102 
\ ==> (Key (shrK A) : analz (sees lost Spy evs)) = (A : lost)"; 
103 
by (auto_tac(!claset addDs [impOfSubs analz_subset_parts], !simpset)); 
104 
qed "Spy_analz_shrK"; 
105 
Addsimps [Spy_analz_shrK]; 
106 

2516
107 
goal thy "!!A. [ Key (shrK A) : parts (sees lost Spy evs); \ 
108 
\ evs : yahalom lost ] ==> A:lost"; 
109 
by (blast_tac (!claset addDs [Spy_see_shrK]) 1); 
110 
qed "Spy_see_shrK_D"; 
111 

2516
112 
bind_thm ("Spy_analz_shrK_D", analz_subset_parts RS subsetD RS Spy_see_shrK_D); 
113 
AddSDs [Spy_see_shrK_D, Spy_analz_shrK_D]; 
114 

115 

3432  116 
(*Nobody can have used nonexistent keys! Needed to apply analz_insert_Key*) 
2516
117 
goal thy "!!evs. evs : yahalom lost ==> \ 
118 
\ Key K ~: used evs > K ~: keysFor (parts (sees lost Spy evs))"; 
119 
by parts_induct_tac; 
2516
120 
(*YM4: Key K is not fresh!*) 
121 
by (blast_tac (!claset addSEs sees_Spy_partsEs) 3); 
122 
(*YM3*) 
123 
by (blast_tac (!claset addss (!simpset)) 2); 
124 
(*Fake*) 
125 
by (best_tac 
126 
(!claset addIs [impOfSubs analz_subset_parts] 
127 
addDs [impOfSubs (analz_subset_parts RS keysFor_mono), 
128 
impOfSubs (parts_insert_subset_Un RS keysFor_mono)] 
129 
addss (!simpset)) 1); 
2160  130 
qed_spec_mp "new_keys_not_used"; 
131 

132 
bind_thm ("new_keys_not_analzd", 
133 
[analz_subset_parts RS keysFor_mono, 
134 
new_keys_not_used] MRS contra_subsetD); 
135 

136 
Addsimps [new_keys_not_used, new_keys_not_analzd]; 
137 

2155  138 
(*Describes the form of K when the Server sends this message. Useful for 
139 
Oops as well as main secrecy property.*) 

2111
140 
goal thy 
141 
"!!evs. [ Says Server A {nb', Crypt (shrK A) {Agent B, Key K, na}, X} \ 
142 
\ : set evs; \ 
2155  143 
\ evs : yahalom lost ] \ 
144 
\ ==> K ~: range shrK & A ~= B"; 
2155  145 
by (etac rev_mp 1); 
146 
by (etac yahalom.induct 1); 

147 
by (ALLGOALS Asm_simp_tac); 
2155  148 
qed "Says_Server_message_form"; 
2111
149 

150 

151 
(*For proofs involving analz. We again instantiate the variable to "lost".*) 
3121
152 
val analz_sees_tac = 
2111
153 
dres_inst_tac [("lost","lost")] YM4_analz_sees_Spy 6 THEN 
2155  154 
forw_inst_tac [("lost","lost")] Says_Server_message_form 7 THEN 
2516
4d68fbe6378b
Now with Andy Gordon's treatment of freshness to replace newN/K
paulson
parents:
2451
diff
changeset

155 
assume_tac 7 THEN 
4d68fbe6378b
Now with Andy Gordon's treatment of freshness to replace newN/K
paulson
parents:
2451
diff
changeset

156 
REPEAT ((etac conjE ORELSE' hyp_subst_tac) 7); 
2111
81c8d46edfa3
New version of Yahalom, as recommended on p 259 of BAN paper
paulson
parents:
diff
changeset

157 

81c8d46edfa3
New version of Yahalom, as recommended on p 259 of BAN paper
paulson
parents:
diff
changeset

158 

159 
(**** 
160 
The following is to prove theorems of the form 
161 

2516
162 
Key K : analz (insert (Key KAB) (sees lost Spy evs)) ==> 
163 
Key K : analz (sees lost Spy evs) 
164 

81c8d46edfa3
165 
A more general formula must be proved inductively. 
166 

81c8d46edfa3
167 
****) 
168 

81c8d46edfa3
169 
(** Session keys are not used to encrypt other session keys **) 
170 

81c8d46edfa3
171 
goal thy 
3466
172 
"!!evs. evs : yahalom lost ==> \ 
173 
\ ALL K KK. KK <= Compl (range shrK) > \ 
174 
\ (Key K : analz (Key``KK Un (sees lost Spy evs))) = \ 
175 
\ (K : KK  Key K : analz (sees lost Spy evs))"; 
2111
176 
by (etac yahalom.induct 1); 
177 
by analz_sees_tac; 
2516
178 
by (REPEAT_FIRST (resolve_tac [allI, impI])); 
179 
by (REPEAT_FIRST (rtac analz_image_freshK_lemma )); 
180 
by (ALLGOALS (asm_simp_tac analz_image_freshK_ss)); 
181 
(*Fake*) 
182 
by (spy_analz_tac 2); 
183 
(*Base*) 
3450
184 
by (Blast_tac 1); 
2516
185 
qed_spec_mp "analz_image_freshK"; 
2111
186 

81c8d46edfa3
187 
goal thy 
2516
188 
"!!evs. [ evs : yahalom lost; KAB ~: range shrK ] ==> \ 
189 
\ Key K : analz (insert (Key KAB) (sees lost Spy evs)) = \ 
2516
190 
\ (K = KAB  Key K : analz (sees lost Spy evs))"; 
191 
by (asm_simp_tac (analz_image_freshK_ss addsimps [analz_image_freshK]) 1); 
192 
qed "analz_insert_freshK"; 
193 

81c8d46edfa3
194 

81c8d46edfa3
195 
(*** The Key K uniquely identifies the Server's message. **) 
196 

81c8d46edfa3
197 
goal thy 
198 
"!!evs. evs : yahalom lost ==> \ 
3450
199 
\ EX A' B' na' nb' X'. ALL A B na nb X. \ 
2111
200 
\ Says Server A \ 
changeset

201 
203 
by (etac yahalom.induct 1); 
204 
by (ALLGOALS (asm_simp_tac (!simpset addsimps [all_conj_distrib]))); 
205 
by (Step_tac 1); 
206 
(*Remaining case: YM3*) 
207 
by (expand_case_tac "K = ?y" 1); 
208 
by (REPEAT (ares_tac [refl,exI,impI,conjI] 2)); 
2516
209 
(*...we assume X is a recent message and handle this case by contradiction*) 
3121
210 
by (blast_tac (!claset addSEs sees_Spy_partsEs 
211 
delrules [conjI] (*prevent splitup into 4 subgoals*) 
212 
addss (!simpset addsimps [parts_insertI])) 1); 
213 
val lemma = result(); 
214 

81c8d46edfa3
215 
goal thy 
216 
"!!evs. [ Says Server A \ 
3450
217 
\ {nb, Crypt (shrK A) {Agent B, Key K, na}, X} \ 
218 
\ : set evs; \ 
2111
219 
\ Says Server A' \ 
3450
220 
\ {nb', Crypt (shrK A') {Agent B', Key K, na'}, X'} \ 
221 
\ : set evs; \ 
2111
222 
\ evs : yahalom lost ] \ 
3450
cd73bc206d87
Proof tidying and variable renaming (NA>na, NB>nb when of type msg)
paulson
parents:
3432
diff
changeset

223 
\ ==> A=A' & B=B' & na=na' & nb=nb'"; 
2451
224 
by (prove_unique_tac lemma 1); 
2111
225 
qed "unique_session_keys"; 
226 

81c8d46edfa3
227 

81c8d46edfa3
228 
(** Crucial secrecy property: Spy does not see the keys sent in msg YM3 **) 
229 

81c8d46edfa3
230 
goal thy 
2155  231 
"!!evs. [ A ~: lost; B ~: lost; A ~= B; \ 
3121
cbb6c0c1c58a
Conversion to use blast_tac (with other improvements)
paulson
parents:
2637
diff
changeset

232 
\ evs : yahalom lost ] \ 
2111
81c8d46edfa3
233 
\ ==> Says Server A \ 
changeset

234 
235 
\ Crypt (shrK B) {nb, Key K, Agent A}} \ 
236 
\ : set evs > \ 
237 
\ Says A Spy {na, nb, Key K} ~: set evs > \ 
238 
\ Key K ~: analz (sees lost Spy evs)"; 
239 
by (etac yahalom.induct 1); 
240 
by analz_sees_tac; 
2111
241 
by (ALLGOALS 
242 
(asm_simp_tac 
243 
(!simpset addsimps [analz_insert_eq, not_parts_not_analz, 
244 
analz_insert_freshK] 
245 
setloop split_tac [expand_if]))); 
3450
246 
(*Oops*) 
247 
by (blast_tac (!claset addDs [unique_session_keys]) 3); 
2111
248 
(*YM3*) 
3121
249 
by (blast_tac (!claset delrules [impCE] 
paulson
parents:
paulson
parents:
New version of Yahalom, as recommended on p 259 of BAN paper
paulson
254 
val lemma = result() RS mp RS mp RSN(2,rev_notE); 
255 

81c8d46edfa3
256 

3432  257 
(*Final version*) 
2111
258 
goal thy 
259 
"!!evs. [ Says Server A \ 
3450
260 
\ {nb, Crypt (shrK A) {Agent B, Key K, na}, \ 
261 
\ Crypt (shrK B) {nb, Key K, Agent A}} \ 
262 
\ : set evs; \ 
263 
\ Says A Spy {na, nb, Key K} ~: set evs; \ 
2451
diff
parents:
diff
paulson
parents:
267 
by (blast_tac (!claset addSEs [lemma]) 1); 
268 
qed "Spy_not_see_encrypted_key"; 
269 

81c8d46edfa3
270 

3432  271 
(*And other agents don't see the key either.*) 
2111
81c8d46edfa3
272 
goal thy 
274 
\ Says Server A \ 
changeset

275 
276 
\ Crypt (shrK B) {nb, Key K, Agent A}} \ 
277 
\ : set evs; \ 
278 
\ Says A Spy {na, nb, Key K} ~: set evs; \ 
280 
\ ==> Key K ~: analz (sees lost C evs)"; 
281 
by (rtac (subset_insertI RS sees_mono RS analz_mono RS contra_subsetD) 1); 
282 
by (rtac (sees_lost_agent_subset_sees_Spy RS analz_mono RS contra_subsetD) 1); 
283 
parents:
2637
81c8d46edfa3
New version of Yahalom, as recommended on p 259 of BAN paper
285 
qed "Agent_not_see_encrypted_key"; 
81c8d46edfa3
New version of Yahalom, as recommended on p 259 of BAN paper
paulson
parents:
diff
changeset

286 

81c8d46edfa3
New version of Yahalom, as recommended on p 259 of BAN paper
paulson
parents:
diff
changeset

287 

3450
288 
(** Security Guarantee for A upon receiving YM3 **) 
293 
"!!evs. [ Crypt (shrK A) {Agent B, Key K, na} \ 
Proof tidying and variable renaming (NA>na, NB>nb when of type msg)
paulson
298 
\ Crypt (shrK B) {nb, Key K, Agent A}} \ 
paulson
parents:
302 
by (Fake_parts_insert_tac 1); 
303 
by (Blast_tac 1); 
306 

3450
307 
(** Security Guarantee for B upon receiving YM4 **) 
308 

2111
309 
(*B knows, by the first part of A's message, that the Server distributed 
3450
310 
the key for A and B, and has associated it with NB. *) 
311 
goal thy 
2284
312 
"!!evs. [ Crypt (shrK B) {Nonce NB, Key K, Agent A} \ 
315 
\ ==> EX NA. Says Server A \ 
changeset

317 
318 
\ Crypt (shrK B) {Nonce NB, Key K, Agent A}} \ 
320 
by (etac rev_mp 1); 
changeset

321 
by parts_induct_tac; 
322 
by (Fake_parts_insert_tac 1); 
323 
(*YM3*) 
changeset

324 
by (Blast_tac 1); 
325 
qed "B_trusts_YM4_shrK"; 
326 

3450
327 

cd73bc206d87
328 
(*With this protocol variant, we don't need the 2nd part of YM4 at all: 
329 
Nonce NB is available in the first part.*) 
2111
81c8d46edfa3
New version of Yahalom, as recommended on p 259 of BAN paper
paulson
parents:
diff
changeset

330 

2155  331 
(*What can B deduce from receipt of YM4? Stronger and simpler than Yahalom 
332 
because we do not have to show that NB is secret. *) 

2111
81c8d46edfa3
New version of Yahalom, as recommended on p 259 of BAN paper
paulson
parents:
diff
changeset

333 
goal thy 
3450
334 
"!!evs. [ Says A' B {Crypt (shrK B) {Nonce NB, Key K, Agent A}, X} \ 
335 
\ : set evs; \ 
3450
336 
\ A ~: lost; B ~: lost; evs : yahalom lost ] \ 
cd73bc206d87
337 
\ ==> EX NA. Says Server A \ 
cd73bc206d87
338 
\ {Nonce NB, \ 
cd73bc206d87
339 
\ Crypt (shrK A) {Agent B, Key K, Nonce NA}, \ 
cd73bc206d87
340 
\ Crypt (shrK B) {Nonce NB, Key K, Agent A}} \ 
3465  341 
343 
by (blast_tac (!claset addSDs [B_trusts_YM4_shrK]) 1); 
Proof tidying and variable renaming (NA>na, NB>nb when of type msg)
paulson
396 
(*** Authenticating A to B using the certificate Crypt K (Nonce NB) ***) 
397 

3432  398 
(*Induction for theorems of the form X ~: analz (sees lost Spy evs) > ... 
399 
It simplifies the proof by discarding needless information about 

400 
analz (insert X (sees lost Spy evs)) 

401 
*) 

402 
val analz_mono_parts_induct_tac = 

403 
etac yahalom.induct 1 

404 
THEN 

405 
REPEAT_FIRST 

406 
(rtac impI THEN' 

407 
dtac (sees_subset_sees_Says RS analz_mono RS contra_subsetD) THEN' 

408 
mp_tac) 

409 
THEN parts_sees_tac; 

410 

3450
411 
(*Assuming the session key is secure, if both certificates are present then 
427 
(*YM4: was Crypt K (Nonce NB) the very last message? If not, use ind. hyp.*) 
428 
by (asm_simp_tac (!simpset addsimps [ex_disj_distrib]) 1); 
429 
(*yes: apply unicity of session keys*) 
430 
by (not_lost_tac "Aa" 1); 
435 
val lemma = normalize_thm [RSspec, RSmp] (result()) > standard; 
3432  436 

changeset

438 
Moreover, A associates K with NB (thus is talking about the same run). 
30791e5a69c4
Corrected indentations and margins after the renaming of "set_of_list"
3465  443 
\ (ALL NA. Says A Spy {Nonce NA, Nonce NB, Key K} ~: set evs); \ 
3432  444 
446 
by (etac (Says_imp_sees_Spy' RS parts.Inj RS MPair_parts) 1); 
447 
by (dtac B_trusts_YM4_shrK 1); 
449 
by (rtac lemma 1); 
450 
by (rtac Spy_not_see_encrypted_key 2); 
453 
addDs [Says_imp_sees_Spy' RS parts.Inj]))); 
3432  454 
qed_spec_mp "YM4_imp_A_Said_YM3"; 