src/HOL/Auth/OtwayRees_AN.thy
author paulson
Mon Jul 14 12:47:21 1997 +0200 (1997-07-14)
changeset 3519 ab0a9fbed4c0
parent 3466 30791e5a69c4
child 3659 eddedfe2f3f8
permissions -rw-r--r--
Changing "lost" from a parameter of protocol definitions to a constant.

Advantages: no "lost" argument everywhere; fewer Vars in subgoals;
less need for specially instantiated rules
Disadvantage: can no longer prove "Agent_not_see_encrypted_key", but this
theorem was never used, and its original proof was also broken
the introduction of the "Notes" constructor.
     1 (*  Title:      HOL/Auth/OtwayRees
     2     ID:         $Id$
     3     Author:     Lawrence C Paulson, Cambridge University Computer Laboratory
     4     Copyright   1996  University of Cambridge
     5 
     6 Inductive relation "otway" for the Otway-Rees protocol.
     7 
     8 Simplified version with minimal encryption but explicit messages
     9 
    10 Note that the formalization does not even assume that nonces are fresh.
    11 This is because the protocol does not rely on uniqueness of nonces for
    12 security, only for freshness, and the proof script does not prove freshness
    13 properties.
    14 
    15 From page 11 of
    16   Abadi and Needham.  Prudent Engineering Practice for Cryptographic Protocols.
    17   IEEE Trans. SE 22 (1), 1996
    18 *)
    19 
    20 OtwayRees_AN = Shared + 
    21 
    22 consts  otway   :: event list set
    23 inductive "otway"
    24   intrs 
    25          (*Initial trace is empty*)
    26     Nil  "[]: otway"
    27 
    28          (*The spy MAY say anything he CAN say.  We do not expect him to
    29            invent new nonces here, but he can also use NS1.  Common to
    30            all similar protocols.*)
    31     Fake "[| evs: otway;  B ~= Spy;  
    32              X: synth (analz (sees Spy evs)) |]
    33           ==> Says Spy B X  # evs : otway"
    34 
    35          (*Alice initiates a protocol run*)
    36     OR1  "[| evs: otway;  A ~= B;  B ~= Server |]
    37           ==> Says A B {|Agent A, Agent B, Nonce NA|} # evs : otway"
    38 
    39          (*Bob's response to Alice's message.  Bob doesn't know who 
    40 	   the sender is, hence the A' in the sender field.*)
    41     OR2  "[| evs: otway;  B ~= Server;
    42              Says A' B {|Agent A, Agent B, Nonce NA|} : set evs |]
    43           ==> Says B Server {|Agent A, Agent B, Nonce NA, Nonce NB|}
    44                  # evs : otway"
    45 
    46          (*The Server receives Bob's message.  Then he sends a new
    47            session key to Bob with a packet for forwarding to Alice.*)
    48     OR3  "[| evs: otway;  B ~= Server;  A ~= B;  Key KAB ~: used evs;
    49              Says B' Server {|Agent A, Agent B, Nonce NA, Nonce NB|}
    50                : set evs |]
    51           ==> Says Server B 
    52                {|Crypt (shrK A) {|Nonce NA, Agent A, Agent B, Key KAB|},
    53                  Crypt (shrK B) {|Nonce NB, Agent A, Agent B, Key KAB|}|}
    54               # evs : otway"
    55 
    56          (*Bob receives the Server's (?) message and compares the Nonces with
    57 	   those in the message he previously sent the Server.*)
    58     OR4  "[| evs: otway;  A ~= B;
    59              Says B Server {|Agent A, Agent B, Nonce NA, Nonce NB|} : set evs;
    60              Says S' B {|X, Crypt(shrK B){|Nonce NB,Agent A,Agent B,Key K|}|}
    61                : set evs |]
    62           ==> Says B A X # evs : otway"
    63 
    64          (*This message models possible leaks of session keys.  The nonces
    65            identify the protocol run.  B is not assumed to know shrK A.*)
    66     Oops "[| evs: otway;  B ~= Spy;
    67              Says Server B 
    68                       {|Crypt (shrK A) {|Nonce NA, Agent A, Agent B, Key K|}, 
    69                         Crypt (shrK B) {|Nonce NB, Agent A, Agent B, Key K|}|}
    70                : set evs |]
    71           ==> Says B Spy {|Nonce NA, Nonce NB, Key K|} # evs : otway"
    72 
    73 end