src/HOL/Auth/KerberosIV_Gets.thy
author wenzelm
Mon Aug 31 21:28:08 2015 +0200 (2015-08-31)
changeset 61070 b72a990adfe2
parent 59807 22bc39064290
child 61830 4f5ab843cf5b
permissions -rw-r--r--
prefer symbols;
wenzelm@37936
     1
(*  Title:      HOL/Auth/KerberosIV_Gets.thy
paulson@18886
     2
    Author:     Giampaolo Bella, Cambridge University Computer Laboratory
paulson@18886
     3
    Copyright   1998  University of Cambridge
paulson@18886
     4
*)
paulson@18886
     5
wenzelm@58889
     6
section{*The Kerberos Protocol, Version IV*}
paulson@18886
     7
paulson@18886
     8
theory KerberosIV_Gets imports Public begin
paulson@18886
     9
paulson@18886
    10
text{*The "u" prefix indicates theorems referring to an updated version of the protocol. The "r" suffix indicates theorems where the confidentiality assumptions are relaxed by the corresponding arguments.*}
paulson@18886
    11
wenzelm@20768
    12
abbreviation
wenzelm@21404
    13
  Kas :: agent where "Kas == Server"
paulson@18886
    14
wenzelm@21404
    15
abbreviation
wenzelm@21404
    16
  Tgs :: agent where "Tgs == Friend 0"
paulson@18886
    17
paulson@18886
    18
wenzelm@41774
    19
axiomatization where
paulson@18886
    20
  Tgs_not_bad [iff]: "Tgs \<notin> bad"
paulson@18886
    21
   --{*Tgs is secure --- we already know that Kas is secure*}
paulson@18886
    22
wenzelm@36866
    23
definition
paulson@18886
    24
 (* authKeys are those contained in an authTicket *)
wenzelm@36866
    25
    authKeys :: "event list => key set" where
wenzelm@36866
    26
    "authKeys evs = {authK. \<exists>A Peer Ta. Says Kas A
paulson@18886
    27
                        (Crypt (shrK A) \<lbrace>Key authK, Agent Peer, Number Ta,
paulson@18886
    28
               (Crypt (shrK Peer) \<lbrace>Agent A, Agent Peer, Key authK, Number Ta\<rbrace>)
paulson@18886
    29
                  \<rbrace>) \<in> set evs}"
paulson@18886
    30
wenzelm@36866
    31
definition
paulson@18886
    32
 (* States than an event really appears only once on a trace *)
paulson@37809
    33
  Unique :: "[event, event list] => bool" ("Unique _ on _" [0, 50] 50)
paulson@37809
    34
  where "(Unique ev on evs) = (ev \<notin> set (tl (dropWhile (% z. z \<noteq> ev) evs)))"
paulson@18886
    35
paulson@18886
    36
paulson@18886
    37
consts
paulson@18886
    38
    (*Duration of the authentication key*)
paulson@18886
    39
    authKlife   :: nat
paulson@18886
    40
paulson@18886
    41
    (*Duration of the service key*)
paulson@18886
    42
    servKlife   :: nat
paulson@18886
    43
paulson@18886
    44
    (*Duration of an authenticator*)
paulson@18886
    45
    authlife   :: nat
paulson@18886
    46
paulson@18886
    47
    (*Upper bound on the time of reaction of a server*)
paulson@18886
    48
    replylife   :: nat
paulson@18886
    49
paulson@18886
    50
specification (authKlife)
paulson@18886
    51
  authKlife_LB [iff]: "2 \<le> authKlife"
paulson@18886
    52
    by blast
paulson@18886
    53
paulson@18886
    54
specification (servKlife)
paulson@18886
    55
  servKlife_LB [iff]: "2 + authKlife \<le> servKlife"
paulson@18886
    56
    by blast
paulson@18886
    57
paulson@18886
    58
specification (authlife)
paulson@18886
    59
  authlife_LB [iff]: "Suc 0 \<le> authlife"
paulson@18886
    60
    by blast
paulson@18886
    61
paulson@18886
    62
specification (replylife)
paulson@18886
    63
  replylife_LB [iff]: "Suc 0 \<le> replylife"
paulson@18886
    64
    by blast
paulson@18886
    65
wenzelm@20768
    66
abbreviation
wenzelm@20768
    67
  (*The current time is just the length of the trace!*)
wenzelm@21404
    68
  CT :: "event list=>nat" where
wenzelm@20768
    69
  "CT == length"
paulson@18886
    70
wenzelm@21404
    71
abbreviation
wenzelm@21404
    72
  expiredAK :: "[nat, event list] => bool" where
wenzelm@20768
    73
  "expiredAK Ta evs == authKlife + Ta < CT evs"
paulson@18886
    74
wenzelm@21404
    75
abbreviation
wenzelm@21404
    76
  expiredSK :: "[nat, event list] => bool" where
wenzelm@20768
    77
  "expiredSK Ts evs == servKlife + Ts < CT evs"
paulson@18886
    78
wenzelm@21404
    79
abbreviation
wenzelm@21404
    80
  expiredA :: "[nat, event list] => bool" where
wenzelm@20768
    81
  "expiredA T evs == authlife + T < CT evs"
paulson@18886
    82
wenzelm@21404
    83
abbreviation
paulson@37809
    84
  valid :: "[nat, nat] => bool" ("valid _ wrt _" [0, 50] 50) where
wenzelm@20768
    85
  "valid T1 wrt T2 == T1 <= replylife + T2"
paulson@18886
    86
paulson@18886
    87
(*---------------------------------------------------------------------*)
paulson@18886
    88
paulson@18886
    89
paulson@18886
    90
(* Predicate formalising the association between authKeys and servKeys *)
haftmann@35416
    91
definition AKcryptSK :: "[key, key, event list] => bool" where
paulson@18886
    92
  "AKcryptSK authK servK evs ==
paulson@18886
    93
     \<exists>A B Ts.
paulson@18886
    94
       Says Tgs A (Crypt authK
paulson@18886
    95
                     \<lbrace>Key servK, Agent B, Number Ts,
paulson@18886
    96
                       Crypt (shrK B) \<lbrace>Agent A, Agent B, Key servK, Number Ts\<rbrace> \<rbrace>)
paulson@18886
    97
         \<in> set evs"
paulson@18886
    98
berghofe@23746
    99
inductive_set "kerbIV_gets" :: "event list set"
berghofe@23746
   100
  where
paulson@18886
   101
paulson@18886
   102
   Nil:  "[] \<in> kerbIV_gets"
paulson@18886
   103
berghofe@23746
   104
 | Fake: "\<lbrakk> evsf \<in> kerbIV_gets;  X \<in> synth (analz (spies evsf)) \<rbrakk>
paulson@18886
   105
          \<Longrightarrow> Says Spy B X  # evsf \<in> kerbIV_gets"
paulson@18886
   106
berghofe@23746
   107
 | Reception: "\<lbrakk> evsr \<in> kerbIV_gets;  Says A B X \<in> set evsr \<rbrakk>
paulson@18886
   108
                \<Longrightarrow> Gets B X # evsr \<in> kerbIV_gets"
paulson@18886
   109
paulson@18886
   110
(* FROM the initiator *)
berghofe@23746
   111
 | K1:   "\<lbrakk> evs1 \<in> kerbIV_gets \<rbrakk>
paulson@18886
   112
          \<Longrightarrow> Says A Kas \<lbrace>Agent A, Agent Tgs, Number (CT evs1)\<rbrace> # evs1
paulson@18886
   113
          \<in> kerbIV_gets"
paulson@18886
   114
paulson@18886
   115
(* Adding the timestamp serves to A in K3 to check that
paulson@18886
   116
   she doesn't get a reply too late. This kind of timeouts are ordinary.
paulson@18886
   117
   If a server's reply is late, then it is likely to be fake. *)
paulson@18886
   118
paulson@18886
   119
(*---------------------------------------------------------------------*)
paulson@18886
   120
paulson@18886
   121
(*FROM Kas *)
berghofe@23746
   122
 | K2:  "\<lbrakk> evs2 \<in> kerbIV_gets; Key authK \<notin> used evs2; authK \<in> symKeys;
paulson@18886
   123
            Gets Kas \<lbrace>Agent A, Agent Tgs, Number T1\<rbrace> \<in> set evs2 \<rbrakk>
paulson@18886
   124
          \<Longrightarrow> Says Kas A
paulson@18886
   125
                (Crypt (shrK A) \<lbrace>Key authK, Agent Tgs, Number (CT evs2),
paulson@18886
   126
                      (Crypt (shrK Tgs) \<lbrace>Agent A, Agent Tgs, Key authK,
paulson@18886
   127
                          Number (CT evs2)\<rbrace>)\<rbrace>) # evs2 \<in> kerbIV_gets"
paulson@18886
   128
(*
paulson@18886
   129
  The internal encryption builds the authTicket.
paulson@18886
   130
  The timestamp doesn't change inside the two encryptions: the external copy
paulson@18886
   131
  will be used by the initiator in K3; the one inside the
paulson@18886
   132
  authTicket by Tgs in K4.
paulson@18886
   133
*)
paulson@18886
   134
paulson@18886
   135
(*---------------------------------------------------------------------*)
paulson@18886
   136
paulson@18886
   137
(* FROM the initiator *)
berghofe@23746
   138
 | K3:  "\<lbrakk> evs3 \<in> kerbIV_gets;
paulson@18886
   139
            Says A Kas \<lbrace>Agent A, Agent Tgs, Number T1\<rbrace> \<in> set evs3;
paulson@18886
   140
            Gets A (Crypt (shrK A) \<lbrace>Key authK, Agent Tgs, Number Ta,
paulson@18886
   141
              authTicket\<rbrace>) \<in> set evs3;
paulson@18886
   142
            valid Ta wrt T1
paulson@18886
   143
         \<rbrakk>
paulson@18886
   144
          \<Longrightarrow> Says A Tgs \<lbrace>authTicket,
paulson@18886
   145
                           (Crypt authK \<lbrace>Agent A, Number (CT evs3)\<rbrace>),
paulson@18886
   146
                           Agent B\<rbrace> # evs3 \<in> kerbIV_gets"
paulson@18886
   147
(*The two events amongst the premises allow A to accept only those authKeys
paulson@18886
   148
  that are not issued late. *)
paulson@18886
   149
paulson@18886
   150
(*---------------------------------------------------------------------*)
paulson@18886
   151
paulson@18886
   152
(* FROM Tgs *)
paulson@18886
   153
(* Note that the last temporal check is not mentioned in the original MIT
paulson@18886
   154
   specification. Adding it makes many goals "available" to the peers. 
paulson@18886
   155
   Theorems that exploit it have the suffix `_u', which stands for updated 
paulson@18886
   156
   protocol.
paulson@18886
   157
*)
berghofe@23746
   158
 | K4:  "\<lbrakk> evs4 \<in> kerbIV_gets; Key servK \<notin> used evs4; servK \<in> symKeys;
paulson@18886
   159
            B \<noteq> Tgs;  authK \<in> symKeys;
paulson@18886
   160
            Gets Tgs \<lbrace>
paulson@18886
   161
             (Crypt (shrK Tgs) \<lbrace>Agent A, Agent Tgs, Key authK,
wenzelm@32960
   162
                                 Number Ta\<rbrace>),
paulson@18886
   163
             (Crypt authK \<lbrace>Agent A, Number T2\<rbrace>), Agent B\<rbrace>
wenzelm@32960
   164
                \<in> set evs4;
paulson@18886
   165
            \<not> expiredAK Ta evs4;
paulson@18886
   166
            \<not> expiredA T2 evs4;
paulson@18886
   167
            servKlife + (CT evs4) <= authKlife + Ta
paulson@18886
   168
         \<rbrakk>
paulson@18886
   169
          \<Longrightarrow> Says Tgs A
paulson@18886
   170
                (Crypt authK \<lbrace>Key servK, Agent B, Number (CT evs4),
wenzelm@32960
   171
                               Crypt (shrK B) \<lbrace>Agent A, Agent B, Key servK,
wenzelm@32960
   172
                                                Number (CT evs4)\<rbrace> \<rbrace>)
wenzelm@32960
   173
                # evs4 \<in> kerbIV_gets"
paulson@18886
   174
(* Tgs creates a new session key per each request for a service, without
paulson@18886
   175
   checking if there is still a fresh one for that service.
paulson@18886
   176
   The cipher under Tgs' key is the authTicket, the cipher under B's key
paulson@18886
   177
   is the servTicket, which is built now.
paulson@18886
   178
   NOTE that the last temporal check is not present in the MIT specification.
paulson@18886
   179
paulson@18886
   180
*)
paulson@18886
   181
paulson@18886
   182
(*---------------------------------------------------------------------*)
paulson@18886
   183
paulson@18886
   184
(* FROM the initiator *)
berghofe@23746
   185
 | K5:  "\<lbrakk> evs5 \<in> kerbIV_gets; authK \<in> symKeys; servK \<in> symKeys;
paulson@18886
   186
            Says A Tgs
paulson@18886
   187
                \<lbrace>authTicket, Crypt authK \<lbrace>Agent A, Number T2\<rbrace>,
wenzelm@32960
   188
                  Agent B\<rbrace>
paulson@18886
   189
              \<in> set evs5;
paulson@18886
   190
            Gets A
paulson@18886
   191
             (Crypt authK \<lbrace>Key servK, Agent B, Number Ts, servTicket\<rbrace>)
paulson@18886
   192
                \<in> set evs5;
paulson@18886
   193
            valid Ts wrt T2 \<rbrakk>
paulson@18886
   194
          \<Longrightarrow> Says A B \<lbrace>servTicket,
wenzelm@32960
   195
                         Crypt servK \<lbrace>Agent A, Number (CT evs5)\<rbrace> \<rbrace>
paulson@18886
   196
               # evs5 \<in> kerbIV_gets"
paulson@18886
   197
(* Checks similar to those in K3. *)
paulson@18886
   198
paulson@18886
   199
(*---------------------------------------------------------------------*)
paulson@18886
   200
paulson@18886
   201
(* FROM the responder*)
berghofe@23746
   202
  | K6:  "\<lbrakk> evs6 \<in> kerbIV_gets;
paulson@18886
   203
            Gets B \<lbrace>
paulson@18886
   204
              (Crypt (shrK B) \<lbrace>Agent A, Agent B, Key servK, Number Ts\<rbrace>),
paulson@18886
   205
              (Crypt servK \<lbrace>Agent A, Number T3\<rbrace>)\<rbrace>
paulson@18886
   206
            \<in> set evs6;
paulson@18886
   207
            \<not> expiredSK Ts evs6;
paulson@18886
   208
            \<not> expiredA T3 evs6
paulson@18886
   209
         \<rbrakk>
paulson@18886
   210
          \<Longrightarrow> Says B A (Crypt servK (Number T3))
paulson@18886
   211
               # evs6 \<in> kerbIV_gets"
paulson@18886
   212
(* Checks similar to those in K4. *)
paulson@18886
   213
paulson@18886
   214
(*---------------------------------------------------------------------*)
paulson@18886
   215
paulson@18886
   216
(* Leaking an authK... *)
berghofe@23746
   217
 | Oops1: "\<lbrakk> evsO1 \<in> kerbIV_gets;  A \<noteq> Spy;
paulson@18886
   218
              Says Kas A
paulson@18886
   219
                (Crypt (shrK A) \<lbrace>Key authK, Agent Tgs, Number Ta,
paulson@18886
   220
                                  authTicket\<rbrace>)  \<in> set evsO1;
paulson@18886
   221
              expiredAK Ta evsO1 \<rbrakk>
paulson@18886
   222
          \<Longrightarrow> Says A Spy \<lbrace>Agent A, Agent Tgs, Number Ta, Key authK\<rbrace>
paulson@18886
   223
               # evsO1 \<in> kerbIV_gets"
paulson@18886
   224
paulson@18886
   225
(*---------------------------------------------------------------------*)
paulson@18886
   226
paulson@18886
   227
(*Leaking a servK... *)
berghofe@23746
   228
 | Oops2: "\<lbrakk> evsO2 \<in> kerbIV_gets;  A \<noteq> Spy;
paulson@18886
   229
              Says Tgs A
paulson@18886
   230
                (Crypt authK \<lbrace>Key servK, Agent B, Number Ts, servTicket\<rbrace>)
paulson@18886
   231
                   \<in> set evsO2;
paulson@18886
   232
              expiredSK Ts evsO2 \<rbrakk>
paulson@18886
   233
          \<Longrightarrow> Says A Spy \<lbrace>Agent A, Agent B, Number Ts, Key servK\<rbrace>
paulson@18886
   234
               # evsO2 \<in> kerbIV_gets"
paulson@18886
   235
paulson@18886
   236
(*---------------------------------------------------------------------*)
paulson@18886
   237
paulson@18886
   238
declare Says_imp_knows_Spy [THEN parts.Inj, dest]
paulson@18886
   239
declare parts.Body [dest]
paulson@18886
   240
declare analz_into_parts [dest]
paulson@18886
   241
declare Fake_parts_insert_in_Un [dest]
paulson@18886
   242
paulson@18886
   243
subsection{*Lemmas about reception event*}
paulson@18886
   244
paulson@18886
   245
lemma Gets_imp_Says :
paulson@18886
   246
     "\<lbrakk> Gets B X \<in> set evs; evs \<in> kerbIV_gets \<rbrakk> \<Longrightarrow> \<exists>A. Says A B X \<in> set evs"
paulson@18886
   247
apply (erule rev_mp)
paulson@18886
   248
apply (erule kerbIV_gets.induct)
paulson@18886
   249
apply auto
paulson@18886
   250
done
paulson@18886
   251
paulson@18886
   252
lemma Gets_imp_knows_Spy: 
paulson@18886
   253
     "\<lbrakk> Gets B X \<in> set evs; evs \<in> kerbIV_gets \<rbrakk>  \<Longrightarrow> X \<in> knows Spy evs"
paulson@37809
   254
by (blast dest!: Gets_imp_Says Says_imp_knows_Spy)
paulson@18886
   255
paulson@18886
   256
(*Needed for force to work for example in new_keys_not_used*)
paulson@18886
   257
declare Gets_imp_knows_Spy [THEN parts.Inj, dest]
paulson@18886
   258
paulson@18886
   259
lemma Gets_imp_knows:
paulson@18886
   260
     "\<lbrakk> Gets B X \<in> set evs; evs \<in> kerbIV_gets \<rbrakk>  \<Longrightarrow> X \<in> knows B evs"
paulson@37809
   261
by (metis Gets_imp_knows_Spy Gets_imp_knows_agents)
paulson@18886
   262
paulson@18886
   263
subsection{*Lemmas about @{term authKeys}*}
paulson@18886
   264
paulson@18886
   265
lemma authKeys_empty: "authKeys [] = {}"
paulson@37809
   266
by (simp add: authKeys_def)
paulson@18886
   267
paulson@18886
   268
lemma authKeys_not_insert:
paulson@18886
   269
 "(\<forall>A Ta akey Peer.
paulson@18886
   270
   ev \<noteq> Says Kas A (Crypt (shrK A) \<lbrace>akey, Agent Peer, Ta,
paulson@18886
   271
              (Crypt (shrK Peer) \<lbrace>Agent A, Agent Peer, akey, Ta\<rbrace>)\<rbrace>))
paulson@18886
   272
       \<Longrightarrow> authKeys (ev # evs) = authKeys evs"
paulson@18886
   273
by (unfold authKeys_def, auto)
paulson@18886
   274
paulson@18886
   275
lemma authKeys_insert:
paulson@18886
   276
  "authKeys
paulson@18886
   277
     (Says Kas A (Crypt (shrK A) \<lbrace>Key K, Agent Peer, Number Ta,
paulson@18886
   278
      (Crypt (shrK Peer) \<lbrace>Agent A, Agent Peer, Key K, Number Ta\<rbrace>)\<rbrace>) # evs)
paulson@18886
   279
       = insert K (authKeys evs)"
paulson@18886
   280
by (unfold authKeys_def, auto)
paulson@18886
   281
paulson@18886
   282
lemma authKeys_simp:
paulson@18886
   283
   "K \<in> authKeys
paulson@18886
   284
    (Says Kas A (Crypt (shrK A) \<lbrace>Key K', Agent Peer, Number Ta,
paulson@18886
   285
     (Crypt (shrK Peer) \<lbrace>Agent A, Agent Peer, Key K', Number Ta\<rbrace>)\<rbrace>) # evs)
paulson@18886
   286
        \<Longrightarrow> K = K' | K \<in> authKeys evs"
paulson@18886
   287
by (unfold authKeys_def, auto)
paulson@18886
   288
paulson@18886
   289
lemma authKeysI:
paulson@18886
   290
   "Says Kas A (Crypt (shrK A) \<lbrace>Key K, Agent Tgs, Number Ta,
paulson@18886
   291
     (Crypt (shrK Tgs) \<lbrace>Agent A, Agent Tgs, Key K, Number Ta\<rbrace>)\<rbrace>) \<in> set evs
paulson@18886
   292
        \<Longrightarrow> K \<in> authKeys evs"
paulson@18886
   293
by (unfold authKeys_def, auto)
paulson@18886
   294
paulson@18886
   295
lemma authKeys_used: "K \<in> authKeys evs \<Longrightarrow> Key K \<in> used evs"
paulson@18886
   296
by (simp add: authKeys_def, blast)
paulson@18886
   297
paulson@18886
   298
paulson@18886
   299
subsection{*Forwarding Lemmas*}
paulson@18886
   300
paulson@18886
   301
lemma Says_ticket_parts:
paulson@18886
   302
     "Says S A (Crypt K \<lbrace>SesKey, B, TimeStamp, Ticket\<rbrace>) \<in> set evs
paulson@18886
   303
      \<Longrightarrow> Ticket \<in> parts (spies evs)"
paulson@37809
   304
by blast
paulson@18886
   305
paulson@18886
   306
lemma Gets_ticket_parts:
paulson@18886
   307
     "\<lbrakk>Gets A (Crypt K \<lbrace>SesKey, Peer, Ta, Ticket\<rbrace>) \<in> set evs; evs \<in> kerbIV_gets \<rbrakk>
paulson@18886
   308
      \<Longrightarrow> Ticket \<in> parts (spies evs)"
paulson@37809
   309
by (blast dest: Gets_imp_knows_Spy [THEN parts.Inj])
paulson@18886
   310
paulson@18886
   311
lemma Oops_range_spies1:
paulson@18886
   312
     "\<lbrakk> Says Kas A (Crypt KeyA \<lbrace>Key authK, Peer, Ta, authTicket\<rbrace>)
paulson@18886
   313
           \<in> set evs ;
paulson@18886
   314
         evs \<in> kerbIV_gets \<rbrakk> \<Longrightarrow> authK \<notin> range shrK & authK \<in> symKeys"
paulson@18886
   315
apply (erule rev_mp)
paulson@18886
   316
apply (erule kerbIV_gets.induct, auto)
paulson@18886
   317
done
paulson@18886
   318
paulson@18886
   319
lemma Oops_range_spies2:
paulson@18886
   320
     "\<lbrakk> Says Tgs A (Crypt authK \<lbrace>Key servK, Agent B, Ts, servTicket\<rbrace>)
paulson@18886
   321
           \<in> set evs ;
paulson@18886
   322
         evs \<in> kerbIV_gets \<rbrakk> \<Longrightarrow> servK \<notin> range shrK & servK \<in> symKeys"
paulson@18886
   323
apply (erule rev_mp)
paulson@18886
   324
apply (erule kerbIV_gets.induct, auto)
paulson@18886
   325
done
paulson@18886
   326
paulson@18886
   327
paulson@18886
   328
(*Spy never sees another agent's shared key! (unless it's lost at start)*)
paulson@18886
   329
lemma Spy_see_shrK [simp]:
paulson@18886
   330
     "evs \<in> kerbIV_gets \<Longrightarrow> (Key (shrK A) \<in> parts (spies evs)) = (A \<in> bad)"
paulson@18886
   331
apply (erule kerbIV_gets.induct)
paulson@18886
   332
apply (frule_tac [8] Gets_ticket_parts)
paulson@18886
   333
apply (frule_tac [6] Gets_ticket_parts, simp_all)
paulson@18886
   334
apply (blast+)
paulson@18886
   335
done
paulson@18886
   336
paulson@18886
   337
lemma Spy_analz_shrK [simp]:
paulson@18886
   338
     "evs \<in> kerbIV_gets \<Longrightarrow> (Key (shrK A) \<in> analz (spies evs)) = (A \<in> bad)"
paulson@18886
   339
by auto
paulson@18886
   340
paulson@18886
   341
lemma Spy_see_shrK_D [dest!]:
paulson@18886
   342
     "\<lbrakk> Key (shrK A) \<in> parts (spies evs);  evs \<in> kerbIV_gets \<rbrakk> \<Longrightarrow> A:bad"
paulson@18886
   343
by (blast dest: Spy_see_shrK)
paulson@18886
   344
lemmas Spy_analz_shrK_D = analz_subset_parts [THEN subsetD, THEN Spy_see_shrK_D, dest!]
paulson@18886
   345
paulson@18886
   346
text{*Nobody can have used non-existent keys!*}
paulson@18886
   347
lemma new_keys_not_used [simp]:
paulson@18886
   348
    "\<lbrakk>Key K \<notin> used evs; K \<in> symKeys; evs \<in> kerbIV_gets\<rbrakk>
paulson@18886
   349
     \<Longrightarrow> K \<notin> keysFor (parts (spies evs))"
paulson@18886
   350
apply (erule rev_mp)
paulson@18886
   351
apply (erule kerbIV_gets.induct)
paulson@18886
   352
apply (frule_tac [8] Gets_ticket_parts)
paulson@18886
   353
apply (frule_tac [6] Gets_ticket_parts, simp_all)
paulson@18886
   354
txt{*Fake*}
paulson@18886
   355
apply (force dest!: keysFor_parts_insert)
paulson@18886
   356
txt{*Others*}
paulson@18886
   357
apply (force dest!: analz_shrK_Decrypt)+
paulson@18886
   358
done
paulson@18886
   359
paulson@18886
   360
(*Earlier, all protocol proofs declared this theorem.
paulson@18886
   361
  But few of them actually need it! (Another is Yahalom) *)
paulson@18886
   362
lemma new_keys_not_analzd:
paulson@18886
   363
 "\<lbrakk>evs \<in> kerbIV_gets; K \<in> symKeys; Key K \<notin> used evs\<rbrakk>
paulson@18886
   364
  \<Longrightarrow> K \<notin> keysFor (analz (spies evs))"
paulson@18886
   365
by (blast dest: new_keys_not_used intro: keysFor_mono [THEN subsetD])
paulson@18886
   366
paulson@18886
   367
paulson@18886
   368
subsection{*Regularity Lemmas*}
paulson@18886
   369
text{*These concern the form of items passed in messages*}
paulson@18886
   370
paulson@18886
   371
text{*Describes the form of all components sent by Kas*}
paulson@18886
   372
paulson@18886
   373
lemma Says_Kas_message_form:
paulson@18886
   374
     "\<lbrakk> Says Kas A (Crypt K \<lbrace>Key authK, Agent Peer, Number Ta, authTicket\<rbrace>)
paulson@18886
   375
           \<in> set evs;
paulson@18886
   376
         evs \<in> kerbIV_gets \<rbrakk> \<Longrightarrow>  
paulson@18886
   377
  K = shrK A  & Peer = Tgs &
paulson@18886
   378
  authK \<notin> range shrK & authK \<in> authKeys evs & authK \<in> symKeys & 
paulson@18886
   379
  authTicket = (Crypt (shrK Tgs) \<lbrace>Agent A, Agent Tgs, Key authK, Number Ta\<rbrace>)"
paulson@18886
   380
apply (erule rev_mp)
paulson@18886
   381
apply (erule kerbIV_gets.induct)
paulson@18886
   382
apply (simp_all (no_asm) add: authKeys_def authKeys_insert)
paulson@18886
   383
apply blast+
paulson@18886
   384
done
paulson@18886
   385
paulson@18886
   386
paulson@18886
   387
lemma SesKey_is_session_key:
paulson@18886
   388
     "\<lbrakk> Crypt (shrK Tgs_B) \<lbrace>Agent A, Agent Tgs_B, Key SesKey, Number T\<rbrace>
paulson@18886
   389
            \<in> parts (spies evs); Tgs_B \<notin> bad;
paulson@18886
   390
         evs \<in> kerbIV_gets \<rbrakk>
paulson@18886
   391
      \<Longrightarrow> SesKey \<notin> range shrK"
paulson@18886
   392
apply (erule rev_mp)
paulson@18886
   393
apply (erule kerbIV_gets.induct)
paulson@18886
   394
apply (frule_tac [8] Gets_ticket_parts)
paulson@18886
   395
apply (frule_tac [6] Gets_ticket_parts, simp_all, blast)
paulson@18886
   396
done
paulson@18886
   397
paulson@18886
   398
lemma authTicket_authentic:
paulson@18886
   399
     "\<lbrakk> Crypt (shrK Tgs) \<lbrace>Agent A, Agent Tgs, Key authK, Number Ta\<rbrace>
paulson@18886
   400
           \<in> parts (spies evs);
paulson@18886
   401
         evs \<in> kerbIV_gets \<rbrakk>
paulson@18886
   402
      \<Longrightarrow> Says Kas A (Crypt (shrK A) \<lbrace>Key authK, Agent Tgs, Number Ta,
paulson@18886
   403
                 Crypt (shrK Tgs) \<lbrace>Agent A, Agent Tgs, Key authK, Number Ta\<rbrace>\<rbrace>)
paulson@18886
   404
            \<in> set evs"
paulson@18886
   405
apply (erule rev_mp)
paulson@18886
   406
apply (erule kerbIV_gets.induct)
paulson@18886
   407
apply (frule_tac [8] Gets_ticket_parts)
paulson@18886
   408
apply (frule_tac [6] Gets_ticket_parts, simp_all)
paulson@18886
   409
txt{*Fake, K4*}
paulson@18886
   410
apply (blast+)
paulson@18886
   411
done
paulson@18886
   412
paulson@18886
   413
lemma authTicket_crypt_authK:
paulson@18886
   414
     "\<lbrakk> Crypt (shrK Tgs) \<lbrace>Agent A, Agent Tgs, Key authK, Number Ta\<rbrace>
paulson@18886
   415
           \<in> parts (spies evs);
paulson@18886
   416
         evs \<in> kerbIV_gets \<rbrakk>
paulson@18886
   417
      \<Longrightarrow> authK \<in> authKeys evs"
paulson@18886
   418
apply (frule authTicket_authentic, assumption)
paulson@18886
   419
apply (simp (no_asm) add: authKeys_def)
paulson@18886
   420
apply blast
paulson@18886
   421
done
paulson@18886
   422
paulson@18886
   423
lemma Says_Tgs_message_form:
paulson@18886
   424
     "\<lbrakk> Says Tgs A (Crypt authK \<lbrace>Key servK, Agent B, Number Ts, servTicket\<rbrace>)
paulson@18886
   425
           \<in> set evs;
paulson@18886
   426
         evs \<in> kerbIV_gets \<rbrakk>
paulson@18886
   427
  \<Longrightarrow> B \<noteq> Tgs & 
paulson@18886
   428
      authK \<notin> range shrK & authK \<in> authKeys evs & authK \<in> symKeys &
paulson@18886
   429
      servK \<notin> range shrK & servK \<notin> authKeys evs & servK \<in> symKeys &
paulson@18886
   430
      servTicket = (Crypt (shrK B) \<lbrace>Agent A, Agent B, Key servK, Number Ts\<rbrace>)"
paulson@18886
   431
apply (erule rev_mp)
paulson@18886
   432
apply (erule kerbIV_gets.induct)
paulson@18886
   433
apply (simp_all add: authKeys_insert authKeys_not_insert authKeys_empty authKeys_simp, blast, auto)
paulson@18886
   434
txt{*Three subcases of Message 4*}
paulson@18886
   435
apply (blast dest!: SesKey_is_session_key)
paulson@18886
   436
apply (blast dest: authTicket_crypt_authK)
paulson@18886
   437
apply (blast dest!: authKeys_used Says_Kas_message_form)
paulson@18886
   438
done
paulson@18886
   439
paulson@18886
   440
paulson@18886
   441
lemma authTicket_form:
paulson@18886
   442
     "\<lbrakk> Crypt (shrK A) \<lbrace>Key authK, Agent Tgs, Ta, authTicket\<rbrace>
paulson@18886
   443
           \<in> parts (spies evs);
paulson@18886
   444
         A \<notin> bad;
paulson@18886
   445
         evs \<in> kerbIV_gets \<rbrakk>
paulson@18886
   446
    \<Longrightarrow> authK \<notin> range shrK & authK \<in> symKeys & 
paulson@18886
   447
        authTicket = Crypt (shrK Tgs) \<lbrace>Agent A, Agent Tgs, Key authK, Ta\<rbrace>"
paulson@18886
   448
apply (erule rev_mp)
paulson@18886
   449
apply (erule kerbIV_gets.induct)
paulson@18886
   450
apply (frule_tac [8] Gets_ticket_parts)
paulson@18886
   451
apply (frule_tac [6] Gets_ticket_parts, simp_all)
paulson@18886
   452
apply blast+
paulson@18886
   453
done
paulson@18886
   454
paulson@18886
   455
text{* This form holds also over an authTicket, but is not needed below.*}
paulson@18886
   456
lemma servTicket_form:
paulson@18886
   457
     "\<lbrakk> Crypt authK \<lbrace>Key servK, Agent B, Ts, servTicket\<rbrace>
paulson@18886
   458
              \<in> parts (spies evs);
paulson@18886
   459
            Key authK \<notin> analz (spies evs);
paulson@18886
   460
            evs \<in> kerbIV_gets \<rbrakk>
paulson@18886
   461
         \<Longrightarrow> servK \<notin> range shrK & servK \<in> symKeys & 
paulson@18886
   462
    (\<exists>A. servTicket = Crypt (shrK B) \<lbrace>Agent A, Agent B, Key servK, Ts\<rbrace>)"
paulson@18886
   463
apply (erule rev_mp)
paulson@18886
   464
apply (erule rev_mp)
paulson@18886
   465
apply (erule kerbIV_gets.induct, analz_mono_contra)
paulson@18886
   466
apply (frule_tac [8] Gets_ticket_parts)
paulson@18886
   467
apply (frule_tac [6] Gets_ticket_parts, simp_all, blast)
paulson@18886
   468
done
paulson@18886
   469
paulson@18886
   470
text{* Essentially the same as @{text authTicket_form} *}
paulson@18886
   471
lemma Says_kas_message_form:
paulson@18886
   472
     "\<lbrakk> Gets A (Crypt (shrK A)
paulson@18886
   473
              \<lbrace>Key authK, Agent Tgs, Ta, authTicket\<rbrace>) \<in> set evs;
paulson@18886
   474
         evs \<in> kerbIV_gets \<rbrakk>
paulson@18886
   475
      \<Longrightarrow> authK \<notin> range shrK & authK \<in> symKeys & 
paulson@18886
   476
          authTicket =
paulson@18886
   477
                  Crypt (shrK Tgs) \<lbrace>Agent A, Agent Tgs, Key authK, Ta\<rbrace>
paulson@18886
   478
          | authTicket \<in> analz (spies evs)"
paulson@18886
   479
by (blast dest: analz_shrK_Decrypt authTicket_form
paulson@18886
   480
                Gets_imp_knows_Spy [THEN analz.Inj])
paulson@18886
   481
paulson@18886
   482
lemma Says_tgs_message_form:
paulson@18886
   483
 "\<lbrakk> Gets A (Crypt authK \<lbrace>Key servK, Agent B, Ts, servTicket\<rbrace>)
paulson@18886
   484
       \<in> set evs;  authK \<in> symKeys;
paulson@18886
   485
     evs \<in> kerbIV_gets \<rbrakk>
paulson@18886
   486
  \<Longrightarrow> servK \<notin> range shrK &
paulson@18886
   487
      (\<exists>A. servTicket =
wenzelm@32960
   488
              Crypt (shrK B) \<lbrace>Agent A, Agent B, Key servK, Ts\<rbrace>)
paulson@18886
   489
       | servTicket \<in> analz (spies evs)"
paulson@18886
   490
apply (frule Gets_imp_knows_Spy [THEN analz.Inj], auto)
paulson@18886
   491
 apply (force dest!: servTicket_form)
paulson@18886
   492
apply (frule analz_into_parts)
paulson@18886
   493
apply (frule servTicket_form, auto)
paulson@18886
   494
done
paulson@18886
   495
paulson@18886
   496
paulson@18886
   497
subsection{*Authenticity theorems: confirm origin of sensitive messages*}
paulson@18886
   498
paulson@18886
   499
lemma authK_authentic:
paulson@18886
   500
     "\<lbrakk> Crypt (shrK A) \<lbrace>Key authK, Peer, Ta, authTicket\<rbrace>
paulson@18886
   501
           \<in> parts (spies evs);
paulson@18886
   502
         A \<notin> bad;  evs \<in> kerbIV_gets \<rbrakk>
paulson@18886
   503
      \<Longrightarrow> Says Kas A (Crypt (shrK A) \<lbrace>Key authK, Peer, Ta, authTicket\<rbrace>)
paulson@18886
   504
            \<in> set evs"
paulson@18886
   505
apply (erule rev_mp)
paulson@18886
   506
apply (erule kerbIV_gets.induct)
paulson@18886
   507
apply (frule_tac [8] Gets_ticket_parts)
paulson@18886
   508
apply (frule_tac [6] Gets_ticket_parts, simp_all)
paulson@18886
   509
txt{*Fake*}
paulson@18886
   510
apply blast
paulson@18886
   511
txt{*K4*}
paulson@18886
   512
apply (blast dest!: authTicket_authentic [THEN Says_Kas_message_form])
paulson@18886
   513
done
paulson@18886
   514
paulson@18886
   515
text{*If a certain encrypted message appears then it originated with Tgs*}
paulson@18886
   516
lemma servK_authentic:
paulson@18886
   517
     "\<lbrakk> Crypt authK \<lbrace>Key servK, Agent B, Number Ts, servTicket\<rbrace>
paulson@18886
   518
           \<in> parts (spies evs);
paulson@18886
   519
         Key authK \<notin> analz (spies evs);
paulson@18886
   520
         authK \<notin> range shrK;
paulson@18886
   521
         evs \<in> kerbIV_gets \<rbrakk>
paulson@18886
   522
 \<Longrightarrow> \<exists>A. Says Tgs A (Crypt authK \<lbrace>Key servK, Agent B, Number Ts, servTicket\<rbrace>)
paulson@18886
   523
       \<in> set evs"
paulson@18886
   524
apply (erule rev_mp)
paulson@18886
   525
apply (erule rev_mp)
paulson@18886
   526
apply (erule kerbIV_gets.induct, analz_mono_contra)
paulson@18886
   527
apply (frule_tac [8] Gets_ticket_parts)
paulson@18886
   528
apply (frule_tac [6] Gets_ticket_parts, simp_all)
paulson@18886
   529
txt{*Fake*}
paulson@18886
   530
apply blast
paulson@18886
   531
txt{*K2*}
paulson@18886
   532
apply blast
paulson@18886
   533
txt{*K4*}
paulson@18886
   534
apply auto
paulson@18886
   535
done
paulson@18886
   536
paulson@18886
   537
lemma servK_authentic_bis:
paulson@18886
   538
     "\<lbrakk> Crypt authK \<lbrace>Key servK, Agent B, Number Ts, servTicket\<rbrace>
paulson@18886
   539
           \<in> parts (spies evs);
paulson@18886
   540
         Key authK \<notin> analz (spies evs);
paulson@18886
   541
         B \<noteq> Tgs;
paulson@18886
   542
         evs \<in> kerbIV_gets \<rbrakk>
paulson@18886
   543
 \<Longrightarrow> \<exists>A. Says Tgs A (Crypt authK \<lbrace>Key servK, Agent B, Number Ts, servTicket\<rbrace>)
paulson@18886
   544
       \<in> set evs"
paulson@18886
   545
apply (erule rev_mp)
paulson@18886
   546
apply (erule rev_mp)
paulson@18886
   547
apply (erule kerbIV_gets.induct, analz_mono_contra)
paulson@18886
   548
apply (frule_tac [8] Gets_ticket_parts)
paulson@18886
   549
apply (frule_tac [6] Gets_ticket_parts, simp_all)
paulson@18886
   550
txt{*Fake*}
paulson@18886
   551
apply blast
paulson@18886
   552
txt{*K4*}
paulson@18886
   553
apply blast
paulson@18886
   554
done
paulson@18886
   555
paulson@18886
   556
text{*Authenticity of servK for B*}
paulson@18886
   557
lemma servTicket_authentic_Tgs:
paulson@18886
   558
     "\<lbrakk> Crypt (shrK B) \<lbrace>Agent A, Agent B, Key servK, Number Ts\<rbrace>
paulson@18886
   559
           \<in> parts (spies evs); B \<noteq> Tgs;  B \<notin> bad;
paulson@18886
   560
         evs \<in> kerbIV_gets \<rbrakk>
paulson@18886
   561
 \<Longrightarrow> \<exists>authK.
paulson@18886
   562
       Says Tgs A (Crypt authK \<lbrace>Key servK, Agent B, Number Ts,
paulson@18886
   563
                   Crypt (shrK B) \<lbrace>Agent A, Agent B, Key servK, Number Ts\<rbrace>\<rbrace>)
paulson@18886
   564
       \<in> set evs"
paulson@18886
   565
apply (erule rev_mp)
paulson@18886
   566
apply (erule rev_mp)
paulson@18886
   567
apply (erule kerbIV_gets.induct)
paulson@18886
   568
apply (frule_tac [8] Gets_ticket_parts)
paulson@18886
   569
apply (frule_tac [6] Gets_ticket_parts, simp_all)
paulson@18886
   570
apply blast+
paulson@18886
   571
done
paulson@18886
   572
paulson@18886
   573
text{*Anticipated here from next subsection*}
paulson@18886
   574
lemma K4_imp_K2:
paulson@18886
   575
"\<lbrakk> Says Tgs A (Crypt authK \<lbrace>Key servK, Agent B, Number Ts, servTicket\<rbrace>)
paulson@18886
   576
      \<in> set evs;  evs \<in> kerbIV_gets\<rbrakk>
paulson@18886
   577
   \<Longrightarrow> \<exists>Ta. Says Kas A
paulson@18886
   578
        (Crypt (shrK A)
paulson@18886
   579
         \<lbrace>Key authK, Agent Tgs, Number Ta,
paulson@18886
   580
           Crypt (shrK Tgs) \<lbrace>Agent A, Agent Tgs, Key authK, Number Ta\<rbrace>\<rbrace>)
paulson@18886
   581
        \<in> set evs"
paulson@18886
   582
apply (erule rev_mp)
paulson@18886
   583
apply (erule kerbIV_gets.induct)
paulson@18886
   584
apply (frule_tac [8] Gets_ticket_parts)
paulson@18886
   585
apply (frule_tac [6] Gets_ticket_parts, simp_all, auto)
paulson@18886
   586
apply (blast dest!: Gets_imp_knows_Spy [THEN parts.Inj, THEN parts.Fst, THEN authTicket_authentic])
paulson@18886
   587
done
paulson@18886
   588
paulson@18886
   589
text{*Anticipated here from next subsection*}
paulson@18886
   590
lemma u_K4_imp_K2:
paulson@18886
   591
"\<lbrakk> Says Tgs A (Crypt authK \<lbrace>Key servK, Agent B, Number Ts, servTicket\<rbrace>)
paulson@18886
   592
      \<in> set evs; evs \<in> kerbIV_gets\<rbrakk>
paulson@18886
   593
   \<Longrightarrow> \<exists>Ta. (Says Kas A (Crypt (shrK A) \<lbrace>Key authK, Agent Tgs, Number Ta,
paulson@18886
   594
           Crypt (shrK Tgs) \<lbrace>Agent A, Agent Tgs, Key authK, Number Ta\<rbrace>\<rbrace>)
paulson@18886
   595
             \<in> set evs
paulson@18886
   596
          & servKlife + Ts <= authKlife + Ta)"
paulson@18886
   597
apply (erule rev_mp)
paulson@18886
   598
apply (erule kerbIV_gets.induct)
paulson@18886
   599
apply (frule_tac [8] Gets_ticket_parts)
paulson@18886
   600
apply (frule_tac [6] Gets_ticket_parts, simp_all, auto)
paulson@18886
   601
apply (blast dest!: Gets_imp_knows_Spy [THEN parts.Inj, THEN parts.Fst, THEN authTicket_authentic])
paulson@18886
   602
done
paulson@18886
   603
paulson@18886
   604
lemma servTicket_authentic_Kas:
paulson@18886
   605
     "\<lbrakk> Crypt (shrK B) \<lbrace>Agent A, Agent B, Key servK, Number Ts\<rbrace>
paulson@18886
   606
           \<in> parts (spies evs);  B \<noteq> Tgs;  B \<notin> bad;
paulson@18886
   607
         evs \<in> kerbIV_gets \<rbrakk>
paulson@18886
   608
  \<Longrightarrow> \<exists>authK Ta.
paulson@18886
   609
       Says Kas A
paulson@18886
   610
         (Crypt (shrK A) \<lbrace>Key authK, Agent Tgs, Number Ta,
paulson@18886
   611
            Crypt (shrK Tgs) \<lbrace>Agent A, Agent Tgs, Key authK, Number Ta\<rbrace>\<rbrace>)
paulson@18886
   612
        \<in> set evs"
paulson@37809
   613
by (blast dest!: servTicket_authentic_Tgs K4_imp_K2)
paulson@18886
   614
paulson@18886
   615
lemma u_servTicket_authentic_Kas:
paulson@18886
   616
     "\<lbrakk> Crypt (shrK B) \<lbrace>Agent A, Agent B, Key servK, Number Ts\<rbrace>
paulson@18886
   617
           \<in> parts (spies evs);  B \<noteq> Tgs;  B \<notin> bad;
paulson@18886
   618
         evs \<in> kerbIV_gets \<rbrakk>
paulson@18886
   619
  \<Longrightarrow> \<exists>authK Ta. Says Kas A (Crypt(shrK A) \<lbrace>Key authK, Agent Tgs, Number Ta,
paulson@18886
   620
           Crypt (shrK Tgs) \<lbrace>Agent A, Agent Tgs, Key authK, Number Ta\<rbrace>\<rbrace>)
paulson@18886
   621
             \<in> set evs
paulson@18886
   622
           & servKlife + Ts <= authKlife + Ta"
paulson@37809
   623
by (blast dest!: servTicket_authentic_Tgs u_K4_imp_K2)
paulson@18886
   624
paulson@18886
   625
lemma servTicket_authentic:
paulson@18886
   626
     "\<lbrakk> Crypt (shrK B) \<lbrace>Agent A, Agent B, Key servK, Number Ts\<rbrace>
paulson@18886
   627
           \<in> parts (spies evs);  B \<noteq> Tgs;  B \<notin> bad;
paulson@18886
   628
         evs \<in> kerbIV_gets \<rbrakk>
paulson@18886
   629
 \<Longrightarrow> \<exists>Ta authK.
paulson@18886
   630
     Says Kas A (Crypt (shrK A) \<lbrace>Key authK, Agent Tgs, Number Ta,
paulson@18886
   631
                   Crypt (shrK Tgs) \<lbrace>Agent A, Agent Tgs, Key authK, Number Ta\<rbrace>\<rbrace>)
paulson@18886
   632
       \<in> set evs
paulson@18886
   633
     & Says Tgs A (Crypt authK \<lbrace>Key servK, Agent B, Number Ts,
paulson@18886
   634
                   Crypt (shrK B) \<lbrace>Agent A, Agent B, Key servK, Number Ts\<rbrace>\<rbrace>)
paulson@18886
   635
       \<in> set evs"
paulson@37809
   636
by (blast dest: servTicket_authentic_Tgs K4_imp_K2)
paulson@18886
   637
paulson@18886
   638
lemma u_servTicket_authentic:
paulson@18886
   639
     "\<lbrakk> Crypt (shrK B) \<lbrace>Agent A, Agent B, Key servK, Number Ts\<rbrace>
paulson@18886
   640
           \<in> parts (spies evs);  B \<noteq> Tgs;  B \<notin> bad;
paulson@18886
   641
         evs \<in> kerbIV_gets \<rbrakk>
paulson@18886
   642
 \<Longrightarrow> \<exists>Ta authK.
paulson@18886
   643
     (Says Kas A (Crypt (shrK A) \<lbrace>Key authK, Agent Tgs, Number Ta,
paulson@18886
   644
                   Crypt (shrK Tgs) \<lbrace>Agent A, Agent Tgs, Key authK, Number Ta\<rbrace>\<rbrace>)
paulson@18886
   645
       \<in> set evs
paulson@18886
   646
     & Says Tgs A (Crypt authK \<lbrace>Key servK, Agent B, Number Ts,
paulson@18886
   647
                   Crypt (shrK B) \<lbrace>Agent A, Agent B, Key servK, Number Ts\<rbrace>\<rbrace>)
paulson@18886
   648
       \<in> set evs
paulson@18886
   649
     & servKlife + Ts <= authKlife + Ta)"
paulson@37809
   650
by (blast dest: servTicket_authentic_Tgs u_K4_imp_K2)
paulson@18886
   651
paulson@18886
   652
lemma u_NotexpiredSK_NotexpiredAK:
paulson@18886
   653
     "\<lbrakk> \<not> expiredSK Ts evs; servKlife + Ts <= authKlife + Ta \<rbrakk>
paulson@18886
   654
      \<Longrightarrow> \<not> expiredAK Ta evs"
paulson@37809
   655
by (blast dest: leI le_trans dest: leD)
paulson@18886
   656
paulson@18886
   657
paulson@18886
   658
subsection{* Reliability: friendly agents send something if something else happened*}
paulson@18886
   659
paulson@18886
   660
lemma K3_imp_K2:
paulson@18886
   661
     "\<lbrakk> Says A Tgs
paulson@18886
   662
             \<lbrace>authTicket, Crypt authK \<lbrace>Agent A, Number T2\<rbrace>, Agent B\<rbrace>
paulson@18886
   663
           \<in> set evs;
paulson@18886
   664
         A \<notin> bad;  evs \<in> kerbIV_gets \<rbrakk>
paulson@18886
   665
      \<Longrightarrow> \<exists>Ta. Says Kas A (Crypt (shrK A)
paulson@18886
   666
                      \<lbrace>Key authK, Agent Tgs, Number Ta, authTicket\<rbrace>)
paulson@18886
   667
                   \<in> set evs"
paulson@18886
   668
apply (erule rev_mp)
paulson@18886
   669
apply (erule kerbIV_gets.induct)
paulson@18886
   670
apply (frule_tac [8] Gets_ticket_parts)
paulson@18886
   671
apply (frule_tac [6] Gets_ticket_parts, simp_all, blast, blast)
paulson@18886
   672
apply (blast dest: Gets_imp_knows_Spy [THEN parts.Inj, THEN authK_authentic])
paulson@18886
   673
done
paulson@18886
   674
paulson@18886
   675
text{*Anticipated here from next subsection. An authK is encrypted by one and only one Shared key. A servK is encrypted by one and only one authK.*}
paulson@18886
   676
lemma Key_unique_SesKey:
paulson@18886
   677
     "\<lbrakk> Crypt K  \<lbrace>Key SesKey,  Agent B, T, Ticket\<rbrace>
paulson@18886
   678
           \<in> parts (spies evs);
paulson@18886
   679
         Crypt K' \<lbrace>Key SesKey,  Agent B', T', Ticket'\<rbrace>
paulson@18886
   680
           \<in> parts (spies evs);  Key SesKey \<notin> analz (spies evs);
paulson@18886
   681
         evs \<in> kerbIV_gets \<rbrakk>
paulson@18886
   682
      \<Longrightarrow> K=K' & B=B' & T=T' & Ticket=Ticket'"
paulson@18886
   683
apply (erule rev_mp)
paulson@18886
   684
apply (erule rev_mp)
paulson@18886
   685
apply (erule rev_mp)
paulson@18886
   686
apply (erule kerbIV_gets.induct, analz_mono_contra)
paulson@18886
   687
apply (frule_tac [8] Gets_ticket_parts)
paulson@18886
   688
apply (frule_tac [6] Gets_ticket_parts, simp_all)
paulson@18886
   689
txt{*Fake, K2, K4*}
paulson@18886
   690
apply (blast+)
paulson@18886
   691
done
paulson@18886
   692
paulson@18886
   693
lemma Tgs_authenticates_A:
paulson@18886
   694
  "\<lbrakk>  Crypt authK \<lbrace>Agent A, Number T2\<rbrace> \<in> parts (spies evs); 
paulson@18886
   695
      Crypt (shrK Tgs) \<lbrace>Agent A, Agent Tgs, Key authK, Number Ta\<rbrace>
paulson@18886
   696
           \<in> parts (spies evs);
paulson@18886
   697
      Key authK \<notin> analz (spies evs); A \<notin> bad; evs \<in> kerbIV_gets \<rbrakk>
paulson@18886
   698
 \<Longrightarrow> \<exists> B. Says A Tgs \<lbrace>
paulson@18886
   699
          Crypt (shrK Tgs) \<lbrace>Agent A, Agent Tgs, Key authK, Number Ta\<rbrace>,
paulson@18886
   700
          Crypt authK \<lbrace>Agent A, Number T2\<rbrace>, Agent B \<rbrace> \<in> set evs"  
paulson@18886
   701
apply (drule authTicket_authentic, assumption, rotate_tac 4)
paulson@18886
   702
apply (erule rev_mp, erule rev_mp, erule rev_mp)
paulson@18886
   703
apply (erule kerbIV_gets.induct, analz_mono_contra)
paulson@18886
   704
apply (frule_tac [6] Gets_ticket_parts)
paulson@18886
   705
apply (frule_tac [9] Gets_ticket_parts)
paulson@18886
   706
apply (simp_all (no_asm_simp) add: all_conj_distrib)
paulson@18886
   707
txt{*Fake*}
paulson@18886
   708
apply blast
paulson@18886
   709
txt{*K2*}
paulson@18886
   710
apply (force dest!: Crypt_imp_keysFor)
paulson@18886
   711
txt{*K3*}
paulson@18886
   712
apply (blast dest: Key_unique_SesKey)
paulson@18886
   713
txt{*K5*}
paulson@18886
   714
txt{*If authKa were compromised, so would be authK*}
paulson@18886
   715
apply (case_tac "Key authKa \<in> analz (spies evs5)")
paulson@18886
   716
apply (force dest!: Gets_imp_knows_Spy [THEN analz.Inj, THEN analz.Decrypt, THEN analz.Fst])
paulson@18886
   717
txt{*Besides, since authKa originated with Kas anyway...*}
paulson@18886
   718
apply (clarify, drule K3_imp_K2, assumption, assumption)
paulson@18886
   719
apply (clarify, drule Says_Kas_message_form, assumption)
paulson@18886
   720
txt{*...it cannot be a shared key*. Therefore @{term servK_authentic} applies. 
paulson@18886
   721
     Contradition: Tgs used authK as a servkey, 
paulson@18886
   722
     while Kas used it as an authkey*}
paulson@18886
   723
apply (blast dest: servK_authentic Says_Tgs_message_form)
paulson@18886
   724
done
paulson@18886
   725
paulson@18886
   726
lemma Says_K5:
paulson@18886
   727
     "\<lbrakk> Crypt servK \<lbrace>Agent A, Number T3\<rbrace> \<in> parts (spies evs);
paulson@18886
   728
         Says Tgs A (Crypt authK \<lbrace>Key servK, Agent B, Number Ts,
paulson@18886
   729
                                     servTicket\<rbrace>) \<in> set evs;
paulson@18886
   730
         Key servK \<notin> analz (spies evs);
paulson@18886
   731
         A \<notin> bad; B \<notin> bad; evs \<in> kerbIV_gets \<rbrakk>
paulson@18886
   732
 \<Longrightarrow> Says A B \<lbrace>servTicket, Crypt servK \<lbrace>Agent A, Number T3\<rbrace>\<rbrace> \<in> set evs"
paulson@18886
   733
apply (erule rev_mp)
paulson@18886
   734
apply (erule rev_mp)
paulson@18886
   735
apply (erule rev_mp)
paulson@18886
   736
apply (erule kerbIV_gets.induct, analz_mono_contra)
paulson@18886
   737
apply (frule_tac [6] Gets_ticket_parts)
paulson@18886
   738
apply (frule_tac [9] Gets_ticket_parts)
paulson@18886
   739
apply (simp_all (no_asm_simp) add: all_conj_distrib)
paulson@18886
   740
apply blast
paulson@18886
   741
txt{*K3*}
paulson@18886
   742
apply (blast dest: authK_authentic Says_Kas_message_form Says_Tgs_message_form)
paulson@18886
   743
txt{*K4*}
paulson@18886
   744
apply (force dest!: Crypt_imp_keysFor)
paulson@18886
   745
txt{*K5*}
paulson@18886
   746
apply (blast dest: Key_unique_SesKey)
paulson@18886
   747
done
paulson@18886
   748
paulson@18886
   749
text{*Anticipated here from next subsection*}
paulson@18886
   750
lemma unique_CryptKey:
paulson@18886
   751
     "\<lbrakk> Crypt (shrK B)  \<lbrace>Agent A,  Agent B,  Key SesKey, T\<rbrace>
paulson@18886
   752
           \<in> parts (spies evs);
paulson@18886
   753
         Crypt (shrK B') \<lbrace>Agent A', Agent B', Key SesKey, T'\<rbrace>
paulson@18886
   754
           \<in> parts (spies evs);  Key SesKey \<notin> analz (spies evs);
paulson@18886
   755
         evs \<in> kerbIV_gets \<rbrakk>
paulson@18886
   756
      \<Longrightarrow> A=A' & B=B' & T=T'"
paulson@18886
   757
apply (erule rev_mp)
paulson@18886
   758
apply (erule rev_mp)
paulson@18886
   759
apply (erule rev_mp)
paulson@18886
   760
apply (erule kerbIV_gets.induct, analz_mono_contra)
paulson@18886
   761
apply (frule_tac [8] Gets_ticket_parts)
paulson@18886
   762
apply (frule_tac [6] Gets_ticket_parts, simp_all)
paulson@18886
   763
txt{*Fake, K2, K4*}
paulson@18886
   764
apply (blast+)
paulson@18886
   765
done
paulson@18886
   766
paulson@18886
   767
lemma Says_K6:
paulson@18886
   768
     "\<lbrakk> Crypt servK (Number T3) \<in> parts (spies evs);
paulson@18886
   769
         Says Tgs A (Crypt authK \<lbrace>Key servK, Agent B, Number Ts,
paulson@18886
   770
                                     servTicket\<rbrace>) \<in> set evs;
paulson@18886
   771
         Key servK \<notin> analz (spies evs);
paulson@18886
   772
         A \<notin> bad; B \<notin> bad; evs \<in> kerbIV_gets \<rbrakk>
paulson@18886
   773
      \<Longrightarrow> Says B A (Crypt servK (Number T3)) \<in> set evs"
paulson@18886
   774
apply (erule rev_mp)
paulson@18886
   775
apply (erule rev_mp)
paulson@18886
   776
apply (erule rev_mp)
paulson@18886
   777
apply (erule kerbIV_gets.induct, analz_mono_contra)
paulson@18886
   778
apply (frule_tac [8] Gets_ticket_parts)
paulson@18886
   779
apply (frule_tac [6] Gets_ticket_parts)
paulson@18886
   780
apply (simp_all (no_asm_simp))
paulson@18886
   781
apply blast
paulson@18886
   782
apply (force dest!: Crypt_imp_keysFor, clarify)
paulson@18886
   783
apply (frule Says_Tgs_message_form, assumption, clarify) (*PROOF FAILED if omitted*)
paulson@18886
   784
apply (blast dest: unique_CryptKey)
paulson@18886
   785
done
paulson@18886
   786
paulson@18886
   787
text{*Needs a unicity theorem, hence moved here*}
paulson@18886
   788
lemma servK_authentic_ter:
paulson@18886
   789
 "\<lbrakk> Says Kas A
paulson@18886
   790
    (Crypt (shrK A) \<lbrace>Key authK, Agent Tgs, Number Ta, authTicket\<rbrace>) \<in> set evs;
paulson@18886
   791
     Crypt authK \<lbrace>Key servK, Agent B, Number Ts, servTicket\<rbrace>
paulson@18886
   792
       \<in> parts (spies evs);
paulson@18886
   793
     Key authK \<notin> analz (spies evs);
paulson@18886
   794
     evs \<in> kerbIV_gets \<rbrakk>
paulson@18886
   795
 \<Longrightarrow> Says Tgs A (Crypt authK \<lbrace>Key servK, Agent B, Number Ts, servTicket\<rbrace>)
paulson@18886
   796
       \<in> set evs"
paulson@18886
   797
apply (frule Says_Kas_message_form, assumption)
paulson@18886
   798
apply (erule rev_mp)
paulson@18886
   799
apply (erule rev_mp)
paulson@18886
   800
apply (erule rev_mp)
paulson@18886
   801
apply (erule kerbIV_gets.induct, analz_mono_contra)
paulson@18886
   802
apply (frule_tac [8] Gets_ticket_parts)
paulson@18886
   803
apply (frule_tac [6] Gets_ticket_parts, simp_all, blast)
paulson@18886
   804
txt{*K2 and K4 remain*}
paulson@18886
   805
prefer 2 apply (blast dest!: unique_CryptKey)
paulson@18886
   806
apply (blast dest!: servK_authentic Says_Tgs_message_form authKeys_used)
paulson@18886
   807
done
paulson@18886
   808
paulson@18886
   809
paulson@18886
   810
subsection{*Unicity Theorems*}
paulson@18886
   811
paulson@18886
   812
text{* The session key, if secure, uniquely identifies the Ticket
paulson@18886
   813
   whether authTicket or servTicket. As a matter of fact, one can read
paulson@18886
   814
   also Tgs in the place of B.                                     *}
paulson@18886
   815
paulson@18886
   816
paulson@18886
   817
lemma unique_authKeys:
paulson@18886
   818
     "\<lbrakk> Says Kas A
paulson@18886
   819
              (Crypt Ka \<lbrace>Key authK, Agent Tgs, Ta, X\<rbrace>) \<in> set evs;
paulson@18886
   820
         Says Kas A'
paulson@18886
   821
              (Crypt Ka' \<lbrace>Key authK, Agent Tgs, Ta', X'\<rbrace>) \<in> set evs;
paulson@18886
   822
         evs \<in> kerbIV_gets \<rbrakk> \<Longrightarrow> A=A' & Ka=Ka' & Ta=Ta' & X=X'"
paulson@18886
   823
apply (erule rev_mp)
paulson@18886
   824
apply (erule rev_mp)
paulson@18886
   825
apply (erule kerbIV_gets.induct)
paulson@18886
   826
apply (frule_tac [8] Gets_ticket_parts)
paulson@18886
   827
apply (frule_tac [6] Gets_ticket_parts, simp_all)
paulson@18886
   828
txt{*K2*}
paulson@18886
   829
apply blast
paulson@18886
   830
done
paulson@18886
   831
paulson@18886
   832
text{* servK uniquely identifies the message from Tgs *}
paulson@18886
   833
lemma unique_servKeys:
paulson@18886
   834
     "\<lbrakk> Says Tgs A
paulson@18886
   835
              (Crypt K \<lbrace>Key servK, Agent B, Ts, X\<rbrace>) \<in> set evs;
paulson@18886
   836
         Says Tgs A'
paulson@18886
   837
              (Crypt K' \<lbrace>Key servK, Agent B', Ts', X'\<rbrace>) \<in> set evs;
paulson@18886
   838
         evs \<in> kerbIV_gets \<rbrakk> \<Longrightarrow> A=A' & B=B' & K=K' & Ts=Ts' & X=X'"
paulson@18886
   839
apply (erule rev_mp)
paulson@18886
   840
apply (erule rev_mp)
paulson@18886
   841
apply (erule kerbIV_gets.induct)
paulson@18886
   842
apply (frule_tac [8] Gets_ticket_parts)
paulson@18886
   843
apply (frule_tac [6] Gets_ticket_parts, simp_all)
paulson@18886
   844
txt{*K4*}
paulson@18886
   845
apply blast
paulson@18886
   846
done
paulson@18886
   847
paulson@18886
   848
text{* Revised unicity theorems *}
paulson@18886
   849
paulson@18886
   850
lemma Kas_Unique:
paulson@18886
   851
     "\<lbrakk> Says Kas A
paulson@18886
   852
              (Crypt Ka \<lbrace>Key authK, Agent Tgs, Ta, authTicket\<rbrace>) \<in> set evs;
paulson@18886
   853
        evs \<in> kerbIV_gets \<rbrakk> \<Longrightarrow> 
paulson@18886
   854
   Unique (Says Kas A (Crypt Ka \<lbrace>Key authK, Agent Tgs, Ta, authTicket\<rbrace>)) 
paulson@18886
   855
   on evs"
paulson@18886
   856
apply (erule rev_mp, erule kerbIV_gets.induct, simp_all add: Unique_def)
paulson@18886
   857
apply blast
paulson@18886
   858
done
paulson@18886
   859
paulson@18886
   860
lemma Tgs_Unique:
paulson@18886
   861
     "\<lbrakk> Says Tgs A
paulson@18886
   862
              (Crypt authK \<lbrace>Key servK, Agent B, Ts, servTicket\<rbrace>) \<in> set evs;
paulson@18886
   863
        evs \<in> kerbIV_gets \<rbrakk> \<Longrightarrow> 
paulson@18886
   864
  Unique (Says Tgs A (Crypt authK \<lbrace>Key servK, Agent B, Ts, servTicket\<rbrace>)) 
paulson@18886
   865
  on evs"
paulson@18886
   866
apply (erule rev_mp, erule kerbIV_gets.induct, simp_all add: Unique_def)
paulson@18886
   867
apply blast
paulson@18886
   868
done
paulson@18886
   869
paulson@18886
   870
paulson@18886
   871
subsection{*Lemmas About the Predicate @{term AKcryptSK}*}
paulson@18886
   872
paulson@18886
   873
lemma not_AKcryptSK_Nil [iff]: "\<not> AKcryptSK authK servK []"
paulson@18886
   874
by (simp add: AKcryptSK_def)
paulson@18886
   875
paulson@18886
   876
lemma AKcryptSKI:
paulson@18886
   877
 "\<lbrakk> Says Tgs A (Crypt authK \<lbrace>Key servK, Agent B, Number Ts, X \<rbrace>) \<in> set evs;
paulson@18886
   878
     evs \<in> kerbIV_gets \<rbrakk> \<Longrightarrow> AKcryptSK authK servK evs"
paulson@18886
   879
apply (unfold AKcryptSK_def)
paulson@18886
   880
apply (blast dest: Says_Tgs_message_form)
paulson@18886
   881
done
paulson@18886
   882
paulson@18886
   883
lemma AKcryptSK_Says [simp]:
paulson@18886
   884
   "AKcryptSK authK servK (Says S A X # evs) =
paulson@18886
   885
     (Tgs = S &
paulson@18886
   886
      (\<exists>B Ts. X = Crypt authK
paulson@18886
   887
                \<lbrace>Key servK, Agent B, Number Ts,
paulson@18886
   888
                  Crypt (shrK B) \<lbrace>Agent A, Agent B, Key servK, Number Ts\<rbrace> \<rbrace>)
paulson@18886
   889
     | AKcryptSK authK servK evs)"
paulson@37809
   890
by (auto simp add: AKcryptSK_def)
paulson@18886
   891
paulson@18886
   892
(*A fresh authK cannot be associated with any other
paulson@18886
   893
  (with respect to a given trace). *)
paulson@18886
   894
lemma Auth_fresh_not_AKcryptSK:
paulson@18886
   895
     "\<lbrakk> Key authK \<notin> used evs; evs \<in> kerbIV_gets \<rbrakk>
paulson@18886
   896
      \<Longrightarrow> \<not> AKcryptSK authK servK evs"
paulson@18886
   897
apply (unfold AKcryptSK_def)
paulson@18886
   898
apply (erule rev_mp)
paulson@18886
   899
apply (erule kerbIV_gets.induct)
paulson@18886
   900
apply (frule_tac [8] Gets_ticket_parts)
paulson@18886
   901
apply (frule_tac [6] Gets_ticket_parts, simp_all, blast)
paulson@18886
   902
done
paulson@18886
   903
paulson@18886
   904
(*A fresh servK cannot be associated with any other
paulson@18886
   905
  (with respect to a given trace). *)
paulson@18886
   906
lemma Serv_fresh_not_AKcryptSK:
paulson@18886
   907
 "Key servK \<notin> used evs \<Longrightarrow> \<not> AKcryptSK authK servK evs"
paulson@37809
   908
by (unfold AKcryptSK_def, blast)
paulson@18886
   909
paulson@18886
   910
lemma authK_not_AKcryptSK:
paulson@18886
   911
     "\<lbrakk> Crypt (shrK Tgs) \<lbrace>Agent A, Agent Tgs, Key authK, tk\<rbrace>
paulson@18886
   912
           \<in> parts (spies evs);  evs \<in> kerbIV_gets \<rbrakk>
paulson@18886
   913
      \<Longrightarrow> \<not> AKcryptSK K authK evs"
paulson@18886
   914
apply (erule rev_mp)
paulson@18886
   915
apply (erule kerbIV_gets.induct)
paulson@18886
   916
apply (frule_tac [8] Gets_ticket_parts)
paulson@18886
   917
apply (frule_tac [6] Gets_ticket_parts, simp_all)
paulson@18886
   918
txt{*Fake*}
paulson@18886
   919
apply blast
paulson@18886
   920
txt{*Reception*}
paulson@18886
   921
apply (simp add: AKcryptSK_def)
paulson@18886
   922
txt{*K2: by freshness*}
paulson@18886
   923
apply (simp add: AKcryptSK_def)
paulson@18886
   924
txt{*K4*}
paulson@37809
   925
by (blast+)
paulson@18886
   926
paulson@18886
   927
text{*A secure serverkey cannot have been used to encrypt others*}
paulson@18886
   928
lemma servK_not_AKcryptSK:
paulson@18886
   929
 "\<lbrakk> Crypt (shrK B) \<lbrace>Agent A, Agent B, Key SK, Number Ts\<rbrace> \<in> parts (spies evs);
paulson@18886
   930
     Key SK \<notin> analz (spies evs);  SK \<in> symKeys;
paulson@18886
   931
     B \<noteq> Tgs;  evs \<in> kerbIV_gets \<rbrakk>
paulson@18886
   932
  \<Longrightarrow> \<not> AKcryptSK SK K evs"
paulson@18886
   933
apply (erule rev_mp)
paulson@18886
   934
apply (erule rev_mp)
paulson@18886
   935
apply (erule kerbIV_gets.induct, analz_mono_contra)
paulson@18886
   936
apply (frule_tac [8] Gets_ticket_parts)
paulson@18886
   937
apply (frule_tac [6] Gets_ticket_parts, simp_all, blast)
paulson@18886
   938
txt{*Reception*}
paulson@18886
   939
apply (simp add: AKcryptSK_def)
paulson@18886
   940
txt{*K4 splits into distinct subcases*}
paulson@18886
   941
apply auto
paulson@18886
   942
txt{*servK can't have been enclosed in two certificates*}
paulson@18886
   943
 prefer 2 apply (blast dest: unique_CryptKey)
paulson@18886
   944
txt{*servK is fresh and so could not have been used, by
paulson@18886
   945
   @{text new_keys_not_used}*}
paulson@37809
   946
by (force dest!: Crypt_imp_invKey_keysFor simp add: AKcryptSK_def)
paulson@18886
   947
paulson@18886
   948
text{*Long term keys are not issued as servKeys*}
paulson@18886
   949
lemma shrK_not_AKcryptSK:
paulson@18886
   950
     "evs \<in> kerbIV_gets \<Longrightarrow> \<not> AKcryptSK K (shrK A) evs"
paulson@18886
   951
apply (unfold AKcryptSK_def)
paulson@18886
   952
apply (erule kerbIV_gets.induct)
paulson@18886
   953
apply (frule_tac [8] Gets_ticket_parts)
paulson@37809
   954
by (frule_tac [6] Gets_ticket_parts, auto)
paulson@18886
   955
paulson@18886
   956
text{*The Tgs message associates servK with authK and therefore not with any
paulson@18886
   957
  other key authK.*}
paulson@18886
   958
lemma Says_Tgs_AKcryptSK:
paulson@18886
   959
     "\<lbrakk> Says Tgs A (Crypt authK \<lbrace>Key servK, Agent B, Number Ts, X \<rbrace>)
paulson@18886
   960
           \<in> set evs;
paulson@18886
   961
         authK' \<noteq> authK;  evs \<in> kerbIV_gets \<rbrakk>
paulson@18886
   962
      \<Longrightarrow> \<not> AKcryptSK authK' servK evs"
paulson@18886
   963
apply (unfold AKcryptSK_def)
paulson@37809
   964
by (blast dest: unique_servKeys)
paulson@18886
   965
paulson@18886
   966
text{*Equivalently*}
paulson@18886
   967
lemma not_different_AKcryptSK:
paulson@18886
   968
     "\<lbrakk> AKcryptSK authK servK evs;
paulson@18886
   969
        authK' \<noteq> authK;  evs \<in> kerbIV_gets \<rbrakk>
paulson@18886
   970
      \<Longrightarrow> \<not> AKcryptSK authK' servK evs  \<and> servK \<in> symKeys"
paulson@18886
   971
apply (simp add: AKcryptSK_def)
paulson@37809
   972
by (blast dest: unique_servKeys Says_Tgs_message_form)
paulson@18886
   973
paulson@18886
   974
lemma AKcryptSK_not_AKcryptSK:
paulson@18886
   975
     "\<lbrakk> AKcryptSK authK servK evs;  evs \<in> kerbIV_gets \<rbrakk>
paulson@18886
   976
      \<Longrightarrow> \<not> AKcryptSK servK K evs"
paulson@18886
   977
apply (erule rev_mp)
paulson@18886
   978
apply (erule kerbIV_gets.induct)
paulson@18886
   979
apply (frule_tac [8] Gets_ticket_parts)
paulson@18886
   980
apply (frule_tac [6] Gets_ticket_parts)
paulson@18886
   981
txt{*Reception*}
paulson@18886
   982
prefer 3 apply (simp add: AKcryptSK_def)
paulson@18886
   983
apply (simp_all, safe)
paulson@18886
   984
txt{*K4 splits into subcases*}
paulson@18886
   985
prefer 4 apply (blast dest!: authK_not_AKcryptSK)
paulson@18886
   986
txt{*servK is fresh and so could not have been used, by
paulson@18886
   987
   @{text new_keys_not_used}*}
paulson@18886
   988
 prefer 2 
paulson@18886
   989
 apply (force dest!: Crypt_imp_invKey_keysFor simp add: AKcryptSK_def)
paulson@18886
   990
txt{*Others by freshness*}
paulson@37809
   991
by (blast+)
paulson@18886
   992
paulson@18886
   993
text{*The only session keys that can be found with the help of session keys are
paulson@18886
   994
  those sent by Tgs in step K4.  *}
paulson@18886
   995
paulson@18886
   996
text{*We take some pains to express the property
paulson@18886
   997
  as a logical equivalence so that the simplifier can apply it.*}
paulson@18886
   998
lemma Key_analz_image_Key_lemma:
paulson@18886
   999
     "P \<longrightarrow> (Key K \<in> analz (Key`KK Un H)) \<longrightarrow> (K:KK | Key K \<in> analz H)
paulson@18886
  1000
      \<Longrightarrow>
paulson@18886
  1001
      P \<longrightarrow> (Key K \<in> analz (Key`KK Un H)) = (K:KK | Key K \<in> analz H)"
paulson@18886
  1002
by (blast intro: analz_mono [THEN subsetD])
paulson@18886
  1003
paulson@18886
  1004
paulson@18886
  1005
lemma AKcryptSK_analz_insert:
paulson@18886
  1006
     "\<lbrakk> AKcryptSK K K' evs; K \<in> symKeys; evs \<in> kerbIV_gets \<rbrakk>
paulson@18886
  1007
      \<Longrightarrow> Key K' \<in> analz (insert (Key K) (spies evs))"
paulson@18886
  1008
apply (simp add: AKcryptSK_def, clarify)
paulson@37809
  1009
by (drule Says_imp_spies [THEN analz.Inj, THEN analz_insertI], auto)
paulson@18886
  1010
paulson@18886
  1011
lemma authKeys_are_not_AKcryptSK:
paulson@18886
  1012
     "\<lbrakk> K \<in> authKeys evs Un range shrK;  evs \<in> kerbIV_gets \<rbrakk>
paulson@18886
  1013
      \<Longrightarrow> \<forall>SK. \<not> AKcryptSK SK K evs \<and> K \<in> symKeys"
paulson@18886
  1014
apply (simp add: authKeys_def AKcryptSK_def)
paulson@37809
  1015
by (blast dest: Says_Kas_message_form Says_Tgs_message_form)
paulson@18886
  1016
paulson@18886
  1017
lemma not_authKeys_not_AKcryptSK:
paulson@18886
  1018
     "\<lbrakk> K \<notin> authKeys evs;
paulson@18886
  1019
         K \<notin> range shrK; evs \<in> kerbIV_gets \<rbrakk>
paulson@18886
  1020
      \<Longrightarrow> \<forall>SK. \<not> AKcryptSK K SK evs"
paulson@18886
  1021
apply (simp add: AKcryptSK_def)
paulson@37809
  1022
by (blast dest: Says_Tgs_message_form)
paulson@18886
  1023
paulson@18886
  1024
paulson@18886
  1025
subsection{*Secrecy Theorems*}
paulson@18886
  1026
paulson@18886
  1027
text{*For the Oops2 case of the next theorem*}
paulson@18886
  1028
lemma Oops2_not_AKcryptSK:
paulson@18886
  1029
     "\<lbrakk> evs \<in> kerbIV_gets;
paulson@18886
  1030
         Says Tgs A (Crypt authK
paulson@18886
  1031
                     \<lbrace>Key servK, Agent B, Number Ts, servTicket\<rbrace>)
paulson@18886
  1032
           \<in> set evs \<rbrakk>
paulson@18886
  1033
      \<Longrightarrow> \<not> AKcryptSK servK SK evs"
paulson@37809
  1034
by (blast dest: AKcryptSKI AKcryptSK_not_AKcryptSK)
paulson@18886
  1035
   
paulson@18886
  1036
text{* Big simplification law for keys SK that are not crypted by keys in KK
paulson@18886
  1037
 It helps prove three, otherwise hard, facts about keys. These facts are
paulson@18886
  1038
 exploited as simplification laws for analz, and also "limit the damage"
paulson@18886
  1039
 in case of loss of a key to the spy. See ESORICS98. *}
paulson@18886
  1040
lemma Key_analz_image_Key [rule_format (no_asm)]:
paulson@18886
  1041
     "evs \<in> kerbIV_gets \<Longrightarrow>
paulson@18886
  1042
      (\<forall>SK KK. SK \<in> symKeys & KK <= -(range shrK) \<longrightarrow>
paulson@18886
  1043
       (\<forall>K \<in> KK. \<not> AKcryptSK K SK evs)   \<longrightarrow>
paulson@18886
  1044
       (Key SK \<in> analz (Key`KK Un (spies evs))) =
paulson@18886
  1045
       (SK \<in> KK | Key SK \<in> analz (spies evs)))"
paulson@18886
  1046
apply (erule kerbIV_gets.induct)
paulson@18886
  1047
apply (frule_tac [11] Oops_range_spies2)
paulson@18886
  1048
apply (frule_tac [10] Oops_range_spies1)
paulson@18886
  1049
apply (frule_tac [8] Says_tgs_message_form)
paulson@18886
  1050
apply (frule_tac [6] Says_kas_message_form)
paulson@18886
  1051
apply (safe del: impI intro!: Key_analz_image_Key_lemma [THEN impI])
paulson@18886
  1052
txt{*Case-splits for Oops1 and message 5: the negated case simplifies using
paulson@18886
  1053
 the induction hypothesis*}
paulson@18886
  1054
apply (case_tac [12] "AKcryptSK authK SK evsO1")
paulson@18886
  1055
apply (case_tac [9] "AKcryptSK servK SK evs5")
paulson@18886
  1056
apply (simp_all del: image_insert
paulson@18886
  1057
        add: analz_image_freshK_simps AKcryptSK_Says shrK_not_AKcryptSK
paulson@18886
  1058
             Oops2_not_AKcryptSK Auth_fresh_not_AKcryptSK
paulson@18886
  1059
       Serv_fresh_not_AKcryptSK Says_Tgs_AKcryptSK Spy_analz_shrK)
paulson@18886
  1060
  --{*18 seconds on a 1.8GHz machine??*}
paulson@18886
  1061
txt{*Fake*} 
paulson@18886
  1062
apply spy_analz
paulson@18886
  1063
txt{*Reception*}
paulson@18886
  1064
apply (simp add: AKcryptSK_def)
paulson@18886
  1065
txt{*K2*}
paulson@18886
  1066
apply blast 
paulson@18886
  1067
txt{*K3*}
paulson@18886
  1068
apply blast 
paulson@18886
  1069
txt{*K4*}
paulson@18886
  1070
apply (blast dest!: authK_not_AKcryptSK)
paulson@18886
  1071
txt{*K5*}
paulson@18886
  1072
apply (case_tac "Key servK \<in> analz (spies evs5) ")
paulson@18886
  1073
txt{*If servK is compromised then the result follows directly...*}
paulson@18886
  1074
apply (simp (no_asm_simp) add: analz_insert_eq Un_upper2 [THEN analz_mono, THEN subsetD])
paulson@18886
  1075
txt{*...therefore servK is uncompromised.*}
paulson@18886
  1076
txt{*The AKcryptSK servK SK evs5 case leads to a contradiction.*}
paulson@18886
  1077
apply (blast elim!: servK_not_AKcryptSK [THEN [2] rev_notE] del: allE ballE)
paulson@18886
  1078
txt{*Another K5 case*}
paulson@18886
  1079
apply blast 
paulson@18886
  1080
txt{*Oops1*}
paulson@18886
  1081
apply simp 
paulson@37809
  1082
by (blast dest!: AKcryptSK_analz_insert)
paulson@18886
  1083
paulson@18886
  1084
text{* First simplification law for analz: no session keys encrypt
paulson@18886
  1085
authentication keys or shared keys. *}
paulson@18886
  1086
lemma analz_insert_freshK1:
paulson@18886
  1087
     "\<lbrakk> evs \<in> kerbIV_gets;  K \<in> authKeys evs Un range shrK;
paulson@18886
  1088
        SesKey \<notin> range shrK \<rbrakk>
paulson@18886
  1089
      \<Longrightarrow> (Key K \<in> analz (insert (Key SesKey) (spies evs))) =
paulson@18886
  1090
          (K = SesKey | Key K \<in> analz (spies evs))"
paulson@18886
  1091
apply (frule authKeys_are_not_AKcryptSK, assumption)
paulson@18886
  1092
apply (simp del: image_insert
paulson@18886
  1093
            add: analz_image_freshK_simps add: Key_analz_image_Key)
paulson@18886
  1094
done
paulson@18886
  1095
paulson@18886
  1096
paulson@18886
  1097
text{* Second simplification law for analz: no service keys encrypt any other keys.*}
paulson@18886
  1098
lemma analz_insert_freshK2:
paulson@18886
  1099
     "\<lbrakk> evs \<in> kerbIV_gets;  servK \<notin> (authKeys evs); servK \<notin> range shrK;
paulson@18886
  1100
        K \<in> symKeys \<rbrakk>
paulson@18886
  1101
      \<Longrightarrow> (Key K \<in> analz (insert (Key servK) (spies evs))) =
paulson@18886
  1102
          (K = servK | Key K \<in> analz (spies evs))"
paulson@18886
  1103
apply (frule not_authKeys_not_AKcryptSK, assumption, assumption)
paulson@18886
  1104
apply (simp del: image_insert
paulson@18886
  1105
            add: analz_image_freshK_simps add: Key_analz_image_Key)
paulson@18886
  1106
done
paulson@18886
  1107
paulson@18886
  1108
paulson@18886
  1109
text{* Third simplification law for analz: only one authentication key encrypts a certain service key.*}
paulson@18886
  1110
paulson@18886
  1111
lemma analz_insert_freshK3:
paulson@18886
  1112
 "\<lbrakk> AKcryptSK authK servK evs;
paulson@18886
  1113
    authK' \<noteq> authK; authK' \<notin> range shrK; evs \<in> kerbIV_gets \<rbrakk>
paulson@18886
  1114
        \<Longrightarrow> (Key servK \<in> analz (insert (Key authK') (spies evs))) =
paulson@18886
  1115
                (servK = authK' | Key servK \<in> analz (spies evs))"
paulson@18886
  1116
apply (drule_tac authK' = authK' in not_different_AKcryptSK, blast, assumption)
paulson@18886
  1117
apply (simp del: image_insert
paulson@18886
  1118
            add: analz_image_freshK_simps add: Key_analz_image_Key)
paulson@18886
  1119
done
paulson@18886
  1120
paulson@18886
  1121
lemma analz_insert_freshK3_bis:
paulson@18886
  1122
 "\<lbrakk> Says Tgs A
paulson@18886
  1123
            (Crypt authK \<lbrace>Key servK, Agent B, Number Ts, servTicket\<rbrace>)
paulson@18886
  1124
        \<in> set evs; 
paulson@18886
  1125
     authK \<noteq> authK'; authK' \<notin> range shrK; evs \<in> kerbIV_gets \<rbrakk>
paulson@18886
  1126
        \<Longrightarrow> (Key servK \<in> analz (insert (Key authK') (spies evs))) =
paulson@18886
  1127
                (servK = authK' | Key servK \<in> analz (spies evs))"
paulson@18886
  1128
apply (frule AKcryptSKI, assumption)
paulson@37809
  1129
by (simp add: analz_insert_freshK3)
paulson@18886
  1130
paulson@18886
  1131
text{*a weakness of the protocol*}
paulson@18886
  1132
lemma authK_compromises_servK:
paulson@18886
  1133
     "\<lbrakk> Says Tgs A
paulson@18886
  1134
              (Crypt authK \<lbrace>Key servK, Agent B, Number Ts, servTicket\<rbrace>)
paulson@18886
  1135
           \<in> set evs;  authK \<in> symKeys;
paulson@18886
  1136
         Key authK \<in> analz (spies evs); evs \<in> kerbIV_gets \<rbrakk>
paulson@18886
  1137
      \<Longrightarrow> Key servK \<in> analz (spies evs)"
paulson@18886
  1138
by (force dest: Says_imp_spies [THEN analz.Inj, THEN analz.Decrypt, THEN analz.Fst])
paulson@18886
  1139
paulson@18886
  1140
lemma servK_notin_authKeysD:
paulson@18886
  1141
     "\<lbrakk> Crypt authK \<lbrace>Key servK, Agent B, Ts,
paulson@18886
  1142
                      Crypt (shrK B) \<lbrace>Agent A, Agent B, Key servK, Ts\<rbrace>\<rbrace>
paulson@18886
  1143
           \<in> parts (spies evs);
paulson@18886
  1144
         Key servK \<notin> analz (spies evs);
paulson@18886
  1145
         B \<noteq> Tgs; evs \<in> kerbIV_gets \<rbrakk>
paulson@18886
  1146
      \<Longrightarrow> servK \<notin> authKeys evs"
paulson@18886
  1147
apply (erule rev_mp)
paulson@18886
  1148
apply (erule rev_mp)
paulson@18886
  1149
apply (simp add: authKeys_def)
paulson@18886
  1150
apply (erule kerbIV_gets.induct, analz_mono_contra)
paulson@18886
  1151
apply (frule_tac [8] Gets_ticket_parts)
paulson@18886
  1152
apply (frule_tac [6] Gets_ticket_parts, simp_all)
paulson@37809
  1153
by (blast+)
paulson@18886
  1154
paulson@18886
  1155
paulson@18886
  1156
text{*If Spy sees the Authentication Key sent in msg K2, then
paulson@18886
  1157
    the Key has expired.*}
paulson@18886
  1158
lemma Confidentiality_Kas_lemma [rule_format]:
paulson@18886
  1159
     "\<lbrakk> authK \<in> symKeys; A \<notin> bad;  evs \<in> kerbIV_gets \<rbrakk>
paulson@18886
  1160
      \<Longrightarrow> Says Kas A
paulson@18886
  1161
               (Crypt (shrK A)
paulson@18886
  1162
                  \<lbrace>Key authK, Agent Tgs, Number Ta,
paulson@18886
  1163
          Crypt (shrK Tgs) \<lbrace>Agent A, Agent Tgs, Key authK, Number Ta\<rbrace>\<rbrace>)
paulson@18886
  1164
            \<in> set evs \<longrightarrow>
paulson@18886
  1165
          Key authK \<in> analz (spies evs) \<longrightarrow>
paulson@18886
  1166
          expiredAK Ta evs"
paulson@18886
  1167
apply (erule kerbIV_gets.induct)
paulson@18886
  1168
apply (frule_tac [11] Oops_range_spies2)
paulson@18886
  1169
apply (frule_tac [10] Oops_range_spies1)
paulson@18886
  1170
apply (frule_tac [8] Says_tgs_message_form)
paulson@18886
  1171
apply (frule_tac [6] Says_kas_message_form)
paulson@18886
  1172
apply (safe del: impI conjI impCE)
paulson@18886
  1173
apply (simp_all (no_asm_simp) add: Says_Kas_message_form less_SucI analz_insert_eq not_parts_not_analz analz_insert_freshK1 pushes)
paulson@18886
  1174
txt{*Fake*}
paulson@18886
  1175
apply spy_analz
paulson@18886
  1176
txt{*K2*}
paulson@18886
  1177
apply blast
paulson@18886
  1178
txt{*K4*}
paulson@18886
  1179
apply blast
paulson@18886
  1180
txt{*Level 8: K5*}
paulson@18886
  1181
apply (blast dest: servK_notin_authKeysD Says_Kas_message_form intro: less_SucI)
paulson@18886
  1182
txt{*Oops1*}
paulson@18886
  1183
apply (blast dest!: unique_authKeys intro: less_SucI)
paulson@18886
  1184
txt{*Oops2*}
paulson@37809
  1185
by (blast dest: Says_Tgs_message_form Says_Kas_message_form)
paulson@18886
  1186
paulson@18886
  1187
lemma Confidentiality_Kas:
paulson@18886
  1188
     "\<lbrakk> Says Kas A
paulson@18886
  1189
              (Crypt Ka \<lbrace>Key authK, Agent Tgs, Number Ta, authTicket\<rbrace>)
paulson@18886
  1190
           \<in> set evs;
paulson@18886
  1191
         \<not> expiredAK Ta evs;
paulson@18886
  1192
         A \<notin> bad;  evs \<in> kerbIV_gets \<rbrakk>
paulson@18886
  1193
      \<Longrightarrow> Key authK \<notin> analz (spies evs)"
paulson@18886
  1194
by (blast dest: Says_Kas_message_form Confidentiality_Kas_lemma)
paulson@18886
  1195
paulson@18886
  1196
text{*If Spy sees the Service Key sent in msg K4, then
paulson@18886
  1197
    the Key has expired.*}
paulson@18886
  1198
paulson@18886
  1199
lemma Confidentiality_lemma [rule_format]:
paulson@18886
  1200
     "\<lbrakk> Says Tgs A
wenzelm@32960
  1201
            (Crypt authK
wenzelm@32960
  1202
               \<lbrace>Key servK, Agent B, Number Ts,
wenzelm@32960
  1203
                 Crypt (shrK B) \<lbrace>Agent A, Agent B, Key servK, Number Ts\<rbrace>\<rbrace>)
wenzelm@32960
  1204
           \<in> set evs;
wenzelm@32960
  1205
        Key authK \<notin> analz (spies evs);
paulson@18886
  1206
        servK \<in> symKeys;
wenzelm@32960
  1207
        A \<notin> bad;  B \<notin> bad; evs \<in> kerbIV_gets \<rbrakk>
paulson@18886
  1208
      \<Longrightarrow> Key servK \<in> analz (spies evs) \<longrightarrow>
wenzelm@32960
  1209
          expiredSK Ts evs"
paulson@18886
  1210
apply (erule rev_mp)
paulson@18886
  1211
apply (erule rev_mp)
paulson@18886
  1212
apply (erule kerbIV_gets.induct)
paulson@37809
  1213
apply (rule_tac [10] impI)+
paulson@18886
  1214
  --{*The Oops1 case is unusual: must simplify
paulson@18886
  1215
    @{term "Authkey \<notin> analz (spies (ev#evs))"}, not letting
paulson@18886
  1216
   @{text analz_mono_contra} weaken it to
paulson@18886
  1217
   @{term "Authkey \<notin> analz (spies evs)"},
paulson@18886
  1218
  for we then conclude @{term "authK \<noteq> authKa"}.*}
paulson@18886
  1219
apply analz_mono_contra
paulson@18886
  1220
apply (frule_tac [11] Oops_range_spies2)
paulson@18886
  1221
apply (frule_tac [10] Oops_range_spies1)
paulson@18886
  1222
apply (frule_tac [8] Says_tgs_message_form)
paulson@18886
  1223
apply (frule_tac [6] Says_kas_message_form)
paulson@18886
  1224
apply (safe del: impI conjI impCE)
paulson@18886
  1225
apply (simp_all add: less_SucI new_keys_not_analzd Says_Kas_message_form Says_Tgs_message_form analz_insert_eq not_parts_not_analz analz_insert_freshK1 analz_insert_freshK2 analz_insert_freshK3_bis pushes)
paulson@18886
  1226
txt{*Fake*}
paulson@18886
  1227
apply spy_analz
paulson@18886
  1228
txt{*K2*}
paulson@18886
  1229
apply (blast intro: parts_insertI less_SucI)
paulson@18886
  1230
txt{*K4*}
paulson@18886
  1231
apply (blast dest: authTicket_authentic Confidentiality_Kas)
paulson@18886
  1232
txt{*Oops2*}
paulson@18886
  1233
  prefer 3
paulson@18886
  1234
  apply (blast dest: Says_imp_spies [THEN parts.Inj] Key_unique_SesKey intro: less_SucI)
paulson@18886
  1235
txt{*Oops1*}
paulson@18886
  1236
 prefer 2
paulson@18886
  1237
apply (blast dest: Says_Kas_message_form Says_Tgs_message_form intro: less_SucI)
paulson@18886
  1238
txt{*K5. Not clear how this step could be integrated with the main
paulson@18886
  1239
       simplification step. Done in KerberosV.thy*}
paulson@18886
  1240
apply clarify
wenzelm@59807
  1241
apply (erule_tac V = "Says Aa Tgs X \<in> set evs" for X evs in thin_rl)
paulson@18886
  1242
apply (frule Gets_imp_knows_Spy [THEN parts.Inj, THEN servK_notin_authKeysD])
paulson@18886
  1243
apply (assumption, assumption, blast, assumption)
paulson@18886
  1244
apply (simp add: analz_insert_freshK2)
wenzelm@59807
  1245
apply (blast dest: Key_unique_SesKey intro: less_SucI)
wenzelm@59807
  1246
done
paulson@18886
  1247
paulson@18886
  1248
paulson@18886
  1249
text{* In the real world Tgs can't check wheter authK is secure! *}
paulson@18886
  1250
lemma Confidentiality_Tgs:
paulson@18886
  1251
     "\<lbrakk> Says Tgs A
paulson@18886
  1252
              (Crypt authK \<lbrace>Key servK, Agent B, Number Ts, servTicket\<rbrace>)
paulson@18886
  1253
           \<in> set evs;
paulson@18886
  1254
         Key authK \<notin> analz (spies evs);
paulson@18886
  1255
         \<not> expiredSK Ts evs;
paulson@18886
  1256
         A \<notin> bad;  B \<notin> bad; evs \<in> kerbIV_gets \<rbrakk>
paulson@18886
  1257
      \<Longrightarrow> Key servK \<notin> analz (spies evs)"
paulson@37809
  1258
by (blast dest: Says_Tgs_message_form Confidentiality_lemma)
paulson@18886
  1259
paulson@18886
  1260
text{* In the real world Tgs CAN check what Kas sends! *}
paulson@18886
  1261
lemma Confidentiality_Tgs_bis:
paulson@18886
  1262
     "\<lbrakk> Says Kas A
paulson@18886
  1263
               (Crypt Ka \<lbrace>Key authK, Agent Tgs, Number Ta, authTicket\<rbrace>)
paulson@18886
  1264
           \<in> set evs;
paulson@18886
  1265
         Says Tgs A
paulson@18886
  1266
              (Crypt authK \<lbrace>Key servK, Agent B, Number Ts, servTicket\<rbrace>)
paulson@18886
  1267
           \<in> set evs;
paulson@18886
  1268
         \<not> expiredAK Ta evs; \<not> expiredSK Ts evs;
paulson@18886
  1269
         A \<notin> bad;  B \<notin> bad; evs \<in> kerbIV_gets \<rbrakk>
paulson@18886
  1270
      \<Longrightarrow> Key servK \<notin> analz (spies evs)"
paulson@37809
  1271
by (blast dest!: Confidentiality_Kas Confidentiality_Tgs)
paulson@18886
  1272
paulson@18886
  1273
text{*Most general form*}
paulson@18886
  1274
lemmas Confidentiality_Tgs_ter = authTicket_authentic [THEN Confidentiality_Tgs_bis]
paulson@18886
  1275
paulson@18886
  1276
lemmas Confidentiality_Auth_A = authK_authentic [THEN Confidentiality_Kas]
paulson@18886
  1277
paulson@18886
  1278
text{*Needs a confidentiality guarantee, hence moved here.
paulson@18886
  1279
      Authenticity of servK for A*}
paulson@18886
  1280
lemma servK_authentic_bis_r:
paulson@18886
  1281
     "\<lbrakk> Crypt (shrK A) \<lbrace>Key authK, Agent Tgs, Number Ta, authTicket\<rbrace>
paulson@18886
  1282
           \<in> parts (spies evs);
paulson@18886
  1283
         Crypt authK \<lbrace>Key servK, Agent B, Number Ts, servTicket\<rbrace>
paulson@18886
  1284
           \<in> parts (spies evs);
paulson@18886
  1285
         \<not> expiredAK Ta evs; A \<notin> bad; evs \<in> kerbIV_gets \<rbrakk>
paulson@18886
  1286
 \<Longrightarrow>Says Tgs A (Crypt authK \<lbrace>Key servK, Agent B, Number Ts, servTicket\<rbrace>)
paulson@18886
  1287
       \<in> set evs"
paulson@37809
  1288
by (blast dest: authK_authentic Confidentiality_Auth_A servK_authentic_ter)
paulson@18886
  1289
paulson@18886
  1290
lemma Confidentiality_Serv_A:
paulson@18886
  1291
     "\<lbrakk> Crypt (shrK A) \<lbrace>Key authK, Agent Tgs, Number Ta, authTicket\<rbrace>
paulson@18886
  1292
           \<in> parts (spies evs);
paulson@18886
  1293
         Crypt authK \<lbrace>Key servK, Agent B, Number Ts, servTicket\<rbrace>
paulson@18886
  1294
           \<in> parts (spies evs);
paulson@18886
  1295
         \<not> expiredAK Ta evs; \<not> expiredSK Ts evs;
paulson@18886
  1296
         A \<notin> bad;  B \<notin> bad; evs \<in> kerbIV_gets \<rbrakk>
paulson@18886
  1297
      \<Longrightarrow> Key servK \<notin> analz (spies evs)"
paulson@37809
  1298
by (metis Confidentiality_Auth_A Confidentiality_Tgs K4_imp_K2 authK_authentic authTicket_form servK_authentic unique_authKeys)
paulson@18886
  1299
paulson@37809
  1300
(*deleted Confidentiality_B, which was identical to Confidentiality_Serv_A*)
paulson@18886
  1301
paulson@18886
  1302
lemma u_Confidentiality_B:
paulson@18886
  1303
     "\<lbrakk> Crypt (shrK B) \<lbrace>Agent A, Agent B, Key servK, Number Ts\<rbrace>
paulson@18886
  1304
           \<in> parts (spies evs);
paulson@18886
  1305
         \<not> expiredSK Ts evs;
paulson@18886
  1306
         A \<notin> bad;  B \<notin> bad;  B \<noteq> Tgs; evs \<in> kerbIV_gets \<rbrakk>
paulson@18886
  1307
      \<Longrightarrow> Key servK \<notin> analz (spies evs)"
paulson@37809
  1308
by (blast dest: u_servTicket_authentic u_NotexpiredSK_NotexpiredAK Confidentiality_Tgs_bis)
paulson@18886
  1309
paulson@18886
  1310
paulson@18886
  1311
paulson@18886
  1312
subsection{*2. Parties' strong authentication: 
paulson@18886
  1313
       non-injective agreement on the session key. The same guarantees also
paulson@18886
  1314
       express key distribution, hence their names*}
paulson@18886
  1315
paulson@18886
  1316
text{*Authentication here still is weak agreement - of B with A*}
paulson@18886
  1317
lemma A_authenticates_B:
paulson@18886
  1318
     "\<lbrakk> Crypt servK (Number T3) \<in> parts (spies evs);
paulson@18886
  1319
         Crypt authK \<lbrace>Key servK, Agent B, Number Ts, servTicket\<rbrace>
paulson@18886
  1320
           \<in> parts (spies evs);
paulson@18886
  1321
         Crypt (shrK A) \<lbrace>Key authK, Agent Tgs, Number Ta, authTicket\<rbrace>
paulson@18886
  1322
           \<in> parts (spies evs);
paulson@18886
  1323
         Key authK \<notin> analz (spies evs); Key servK \<notin> analz (spies evs);
paulson@18886
  1324
         A \<notin> bad;  B \<notin> bad; evs \<in> kerbIV_gets \<rbrakk>
paulson@18886
  1325
      \<Longrightarrow> Says B A (Crypt servK (Number T3)) \<in> set evs"
paulson@37809
  1326
by (blast dest: authK_authentic servK_authentic Says_Kas_message_form Key_unique_SesKey K4_imp_K2 intro: Says_K6)
paulson@18886
  1327
paulson@18886
  1328
(*These two have never been proved, because never were they needed before!*)
paulson@18886
  1329
lemma shrK_in_initState_Server[iff]:  "Key (shrK A) \<in> initState Kas"
paulson@18886
  1330
by (induct_tac "A", auto)
paulson@37809
  1331
paulson@18886
  1332
lemma shrK_in_knows_Server [iff]: "Key (shrK A) \<in> knows Kas evs"
paulson@18886
  1333
by (simp add: initState_subset_knows [THEN subsetD])
paulson@18886
  1334
(*Because of our simple model of Tgs, the equivalent for it required an axiom*)
paulson@18886
  1335
paulson@18886
  1336
paulson@18886
  1337
lemma A_authenticates_and_keydist_to_Kas:
paulson@18886
  1338
   "\<lbrakk> Gets A (Crypt (shrK A) \<lbrace>Key authK, Peer, Ta, authTicket\<rbrace>) \<in> set evs;
paulson@18886
  1339
      A \<notin> bad;  evs \<in> kerbIV_gets \<rbrakk>
paulson@18886
  1340
  \<Longrightarrow> Says Kas A (Crypt (shrK A) \<lbrace>Key authK, Peer, Ta, authTicket\<rbrace>) \<in> set evs
paulson@18886
  1341
  \<and> Key authK \<in> analz(knows Kas evs)"
paulson@37809
  1342
by (force dest!: authK_authentic Says_imp_knows [THEN analz.Inj, THEN analz.Decrypt, THEN analz.Fst])
paulson@18886
  1343
paulson@18886
  1344
wenzelm@26301
  1345
lemma K3_imp_Gets_evs:
paulson@18886
  1346
  "\<lbrakk> Says A Tgs \<lbrace>Crypt (shrK Tgs) \<lbrace>Agent A, Agent Tgs, Key authK, Number Ta\<rbrace>,
paulson@18886
  1347
                 Crypt authK \<lbrace>Agent A, Number T2\<rbrace>, Agent B\<rbrace> 
paulson@18886
  1348
      \<in> set evs;  A \<notin> bad; evs \<in> kerbIV_gets \<rbrakk>
paulson@18886
  1349
 \<Longrightarrow>  Gets A (Crypt (shrK A) \<lbrace>Key authK, Agent Tgs, Number Ta, 
paulson@18886
  1350
                 Crypt (shrK Tgs) \<lbrace>Agent A, Agent Tgs, Key authK, Number Ta\<rbrace>\<rbrace>)
paulson@18886
  1351
       \<in> set evs"
paulson@18886
  1352
apply (erule rev_mp)
paulson@18886
  1353
apply (erule kerbIV_gets.induct)
paulson@18886
  1354
apply auto
paulson@18886
  1355
apply (blast dest: authTicket_form)
paulson@18886
  1356
done
paulson@18886
  1357
paulson@18886
  1358
lemma Tgs_authenticates_and_keydist_to_A:
paulson@18886
  1359
  "\<lbrakk>  Gets Tgs \<lbrace>
paulson@18886
  1360
          Crypt (shrK Tgs) \<lbrace>Agent A, Agent Tgs, Key authK, Number Ta\<rbrace>,
paulson@18886
  1361
          Crypt authK \<lbrace>Agent A, Number T2\<rbrace>, Agent B \<rbrace> \<in> set evs;
paulson@18886
  1362
      Key authK \<notin> analz (spies evs); A \<notin> bad; evs \<in> kerbIV_gets \<rbrakk>
paulson@18886
  1363
 \<Longrightarrow> \<exists> B. Says A Tgs \<lbrace>
paulson@18886
  1364
          Crypt (shrK Tgs) \<lbrace>Agent A, Agent Tgs, Key authK, Number Ta\<rbrace>,
paulson@18886
  1365
          Crypt authK \<lbrace>Agent A, Number T2\<rbrace>, Agent B \<rbrace> \<in> set evs
paulson@18886
  1366
 \<and>  Key authK \<in> analz (knows A evs)"  
paulson@18886
  1367
apply (frule Gets_imp_knows_Spy [THEN parts.Inj, THEN parts.Fst], assumption)
paulson@18886
  1368
apply (drule Gets_imp_knows_Spy [THEN parts.Inj, THEN parts.Snd, THEN parts.Fst], assumption)
paulson@18886
  1369
apply (drule Tgs_authenticates_A, assumption+, simp)
wenzelm@26301
  1370
apply (force dest!: K3_imp_Gets_evs Gets_imp_knows [THEN analz.Inj, THEN analz.Decrypt, THEN analz.Fst])
paulson@18886
  1371
done
paulson@18886
  1372
paulson@18886
  1373
lemma K4_imp_Gets:
paulson@18886
  1374
  "\<lbrakk> Says Tgs A (Crypt authK \<lbrace>Key servK, Agent B, Number Ts, servTicket\<rbrace>)
paulson@18886
  1375
       \<in> set evs; evs \<in> kerbIV_gets \<rbrakk>
paulson@18886
  1376
 \<Longrightarrow> \<exists> Ta X. 
paulson@18886
  1377
     Gets Tgs \<lbrace>Crypt (shrK Tgs) \<lbrace>Agent A, Agent Tgs, Key authK, Number Ta\<rbrace>, X\<rbrace>
paulson@18886
  1378
       \<in> set evs"
paulson@18886
  1379
apply (erule rev_mp)
paulson@18886
  1380
apply (erule kerbIV_gets.induct)
paulson@18886
  1381
apply auto
paulson@18886
  1382
done
paulson@18886
  1383
paulson@18886
  1384
lemma A_authenticates_and_keydist_to_Tgs:
paulson@18886
  1385
 "\<lbrakk>  Gets A (Crypt (shrK A) \<lbrace>Key authK, Agent Tgs, Number Ta, authTicket\<rbrace>)
paulson@18886
  1386
       \<in> set evs;
paulson@18886
  1387
     Gets A (Crypt authK \<lbrace>Key servK, Agent B, Number Ts, servTicket\<rbrace>)
paulson@18886
  1388
       \<in> set evs;
paulson@18886
  1389
     Key authK \<notin> analz (spies evs); A \<notin> bad;
paulson@18886
  1390
     evs \<in> kerbIV_gets \<rbrakk>
paulson@18886
  1391
 \<Longrightarrow> Says Tgs A (Crypt authK \<lbrace>Key servK, Agent B, Number Ts, servTicket\<rbrace>)
paulson@18886
  1392
       \<in> set evs
paulson@18886
  1393
  \<and> Key authK \<in> analz (knows Tgs evs)
paulson@18886
  1394
  \<and> Key servK \<in> analz (knows Tgs evs)"
paulson@18886
  1395
apply (drule Gets_imp_knows_Spy [THEN parts.Inj], assumption)
paulson@18886
  1396
apply (drule Gets_imp_knows_Spy [THEN parts.Inj], assumption)
paulson@18886
  1397
apply (frule authK_authentic, assumption+)
paulson@18886
  1398
apply (drule servK_authentic_ter, assumption+)
paulson@18886
  1399
apply (frule K4_imp_Gets, assumption, erule exE, erule exE)
paulson@18886
  1400
apply (drule Gets_imp_knows [THEN analz.Inj, THEN analz.Fst, THEN analz.Decrypt, THEN analz.Snd, THEN analz.Snd, THEN analz.Fst], assumption, force)
paulson@37809
  1401
apply (metis Says_imp_knows analz.Fst analz.Inj analz_symKeys_Decrypt authTicket_form)
paulson@18886
  1402
done
paulson@18886
  1403
paulson@18886
  1404
lemma K5_imp_Gets:
paulson@18886
  1405
  "\<lbrakk> Says A B \<lbrace>servTicket, Crypt servK \<lbrace>Agent A, Number T3\<rbrace>\<rbrace> \<in> set evs;
paulson@18886
  1406
    A \<notin> bad; evs \<in> kerbIV_gets \<rbrakk>
paulson@18886
  1407
 \<Longrightarrow> \<exists> authK Ts authTicket T2.
paulson@18886
  1408
    Gets A (Crypt authK \<lbrace>Key servK, Agent B, Number Ts, servTicket\<rbrace>) \<in> set evs
paulson@18886
  1409
 \<and> Says A Tgs \<lbrace>authTicket, Crypt authK \<lbrace>Agent A, Number T2\<rbrace>, Agent B\<rbrace>  \<in> set evs"
paulson@18886
  1410
apply (erule rev_mp)
paulson@18886
  1411
apply (erule kerbIV_gets.induct)
paulson@18886
  1412
apply auto
paulson@18886
  1413
done 
paulson@18886
  1414
paulson@18886
  1415
lemma K3_imp_Gets:
paulson@18886
  1416
  "\<lbrakk> Says A Tgs \<lbrace>authTicket, Crypt authK \<lbrace>Agent A, Number T2\<rbrace>, Agent B\<rbrace>
paulson@18886
  1417
       \<in> set evs;
paulson@18886
  1418
    A \<notin> bad; evs \<in> kerbIV_gets \<rbrakk>
paulson@37809
  1419
 \<Longrightarrow> \<exists> Ta. Gets A (Crypt (shrK A) \<lbrace>Key authK, Agent Tgs, Number Ta, authTicket\<rbrace>) \<in> set evs"
paulson@18886
  1420
apply (erule rev_mp)
paulson@18886
  1421
apply (erule kerbIV_gets.induct)
paulson@18886
  1422
apply auto
paulson@18886
  1423
done 
paulson@18886
  1424
paulson@18886
  1425
lemma B_authenticates_and_keydist_to_A:
paulson@18886
  1426
     "\<lbrakk> Gets B \<lbrace>Crypt (shrK B) \<lbrace>Agent A, Agent B, Key servK, Number Ts\<rbrace>,
paulson@18886
  1427
                Crypt servK \<lbrace>Agent A, Number T3\<rbrace>\<rbrace> \<in> set evs;
paulson@18886
  1428
        Key servK \<notin> analz (spies evs);
paulson@18886
  1429
        A \<notin> bad; B \<notin> bad; B \<noteq> Tgs; evs \<in> kerbIV_gets \<rbrakk>
paulson@18886
  1430
 \<Longrightarrow> Says A B \<lbrace>Crypt (shrK B) \<lbrace>Agent A, Agent B, Key servK, Number Ts\<rbrace>,
paulson@18886
  1431
               Crypt servK \<lbrace>Agent A, Number T3\<rbrace>\<rbrace> \<in> set evs
paulson@18886
  1432
  \<and> Key servK \<in> analz (knows A evs)"
paulson@18886
  1433
apply (frule Gets_imp_knows_Spy [THEN parts.Inj, THEN parts.Fst, THEN servTicket_authentic_Tgs], assumption+)  
paulson@18886
  1434
apply (drule Gets_imp_knows_Spy [THEN parts.Inj, THEN parts.Snd], assumption)
paulson@18886
  1435
apply (erule exE, drule Says_K5, assumption+)
paulson@18886
  1436
apply (frule K5_imp_Gets, assumption+)
paulson@18886
  1437
apply clarify
paulson@18886
  1438
apply (drule K3_imp_Gets, assumption+)
paulson@18886
  1439
apply (erule exE)
paulson@18886
  1440
apply (frule Gets_imp_knows_Spy [THEN parts.Inj, THEN authK_authentic, THEN Says_Kas_message_form], assumption+, clarify)
paulson@18886
  1441
apply (force dest!: Gets_imp_knows [THEN analz.Inj, THEN analz.Decrypt, THEN analz.Fst])
paulson@18886
  1442
done
paulson@18886
  1443
paulson@18886
  1444
paulson@18886
  1445
lemma K6_imp_Gets:
paulson@18886
  1446
  "\<lbrakk> Says B A (Crypt servK (Number T3)) \<in> set evs;
paulson@18886
  1447
     B \<notin> bad; evs \<in> kerbIV_gets \<rbrakk>
paulson@18886
  1448
\<Longrightarrow> \<exists> Ts X. Gets B \<lbrace>Crypt (shrK B) \<lbrace>Agent A, Agent B, Key servK, Number Ts\<rbrace>,X\<rbrace>
paulson@18886
  1449
       \<in> set evs"
paulson@18886
  1450
apply (erule rev_mp)
paulson@18886
  1451
apply (erule kerbIV_gets.induct)
paulson@18886
  1452
apply auto
paulson@18886
  1453
done
paulson@18886
  1454
paulson@18886
  1455
paulson@18886
  1456
lemma A_authenticates_and_keydist_to_B:
paulson@18886
  1457
  "\<lbrakk> Gets A \<lbrace>Crypt authK \<lbrace>Key servK, Agent B, Number Ts, servTicket\<rbrace>,
paulson@18886
  1458
             Crypt servK (Number T3)\<rbrace> \<in> set evs;
paulson@18886
  1459
     Gets A (Crypt (shrK A) \<lbrace>Key authK, Agent Tgs, Number Ta, authTicket\<rbrace>)
paulson@18886
  1460
           \<in> set evs;
paulson@18886
  1461
     Key authK \<notin> analz (spies evs); Key servK \<notin> analz (spies evs);
paulson@18886
  1462
     A \<notin> bad;  B \<notin> bad; evs \<in> kerbIV_gets \<rbrakk>
paulson@18886
  1463
 \<Longrightarrow> Says B A (Crypt servK (Number T3)) \<in> set evs 
paulson@18886
  1464
   \<and> Key servK \<in> analz (knows B evs)"
paulson@18886
  1465
apply (frule Gets_imp_knows_Spy [THEN parts.Inj, THEN parts.Fst], assumption)
paulson@18886
  1466
apply (drule Gets_imp_knows_Spy [THEN parts.Inj, THEN parts.Snd], assumption)
paulson@18886
  1467
apply (drule Gets_imp_knows_Spy [THEN parts.Inj], assumption)
paulson@18886
  1468
apply (drule A_authenticates_B, assumption+)
paulson@18886
  1469
apply (force dest!: K6_imp_Gets Gets_imp_knows [THEN analz.Inj, THEN analz.Fst, THEN analz.Decrypt, THEN analz.Snd, THEN analz.Snd, THEN analz.Fst])
paulson@18886
  1470
done
paulson@18886
  1471
paulson@18886
  1472
end
paulson@18886
  1473