src/HOL/Auth/Yahalom2.thy
author paulson
Mon Jul 14 12:47:21 1997 +0200 (1997-07-14)
changeset 3519 ab0a9fbed4c0
parent 3481 256f38c01b98
child 3659 eddedfe2f3f8
permissions -rw-r--r--
Changing "lost" from a parameter of protocol definitions to a constant.

Advantages: no "lost" argument everywhere; fewer Vars in subgoals;
less need for specially instantiated rules
Disadvantage: can no longer prove "Agent_not_see_encrypted_key", but this
theorem was never used, and its original proof was also broken
the introduction of the "Notes" constructor.
     1 (*  Title:      HOL/Auth/Yahalom2
     2     ID:         $Id$
     3     Author:     Lawrence C Paulson, Cambridge University Computer Laboratory
     4     Copyright   1996  University of Cambridge
     5 
     6 Inductive relation "yahalom" for the Yahalom protocol, Variant 2.
     7 
     8 This version trades encryption of NB for additional explicitness in YM3.
     9 Also in YM3, care is taken to make the two certificates distinct.
    10 
    11 From page 259 of
    12   Burrows, Abadi and Needham.  A Logic of Authentication.
    13   Proc. Royal Soc. 426 (1989)
    14 *)
    15 
    16 Yahalom2 = Shared + 
    17 
    18 consts  yahalom   :: event list set
    19 inductive "yahalom"
    20   intrs 
    21          (*Initial trace is empty*)
    22     Nil  "[]: yahalom"
    23 
    24          (*The spy MAY say anything he CAN say.  We do not expect him to
    25            invent new nonces here, but he can also use NS1.  Common to
    26            all similar protocols.*)
    27     Fake "[| evs: yahalom;  B ~= Spy;  
    28              X: synth (analz (sees Spy evs)) |]
    29           ==> Says Spy B X  # evs : yahalom"
    30 
    31          (*Alice initiates a protocol run*)
    32     YM1  "[| evs: yahalom;  A ~= B;  Nonce NA ~: used evs |]
    33           ==> Says A B {|Agent A, Nonce NA|} # evs : yahalom"
    34 
    35          (*Bob's response to Alice's message.  Bob doesn't know who 
    36 	   the sender is, hence the A' in the sender field.*)
    37     YM2  "[| evs: yahalom;  B ~= Server;  Nonce NB ~: used evs;
    38              Says A' B {|Agent A, Nonce NA|} : set evs |]
    39           ==> Says B Server 
    40                   {|Agent B, Nonce NB, Crypt (shrK B) {|Agent A, Nonce NA|}|}
    41                 # evs : yahalom"
    42 
    43          (*The Server receives Bob's message.  He responds by sending a
    44            new session key to Alice, with a packet for forwarding to Bob.
    45            !! Fields are reversed in the 2nd packet to prevent attacks!! *)
    46     YM3  "[| evs: yahalom;  A ~= B;  A ~= Server;  Key KAB ~: used evs;
    47              Says B' Server {|Agent B, Nonce NB,
    48 			      Crypt (shrK B) {|Agent A, Nonce NA|}|}
    49                : set evs |]
    50           ==> Says Server A
    51                {|Nonce NB, 
    52                  Crypt (shrK A) {|Agent B, Key KAB, Nonce NA|},
    53                  Crypt (shrK B) {|Nonce NB, Key KAB, Agent A|}|}
    54                  # evs : yahalom"
    55 
    56          (*Alice receives the Server's (?) message, checks her Nonce, and
    57            uses the new session key to send Bob his Nonce.*)
    58     YM4  "[| evs: yahalom;  A ~= Server;  
    59              Says S A {|Nonce NB, Crypt (shrK A) {|Agent B, Key K, Nonce NA|},
    60                         X|}  : set evs;
    61              Says A B {|Agent A, Nonce NA|} : set evs |]
    62           ==> Says A B {|X, Crypt K (Nonce NB)|} # evs : yahalom"
    63 
    64          (*This message models possible leaks of session keys.  The nonces
    65            identify the protocol run.  Quoting Server here ensures they are
    66            correct. *)
    67     Oops "[| evs: yahalom;  A ~= Spy;
    68              Says Server A {|Nonce NB, 
    69                              Crypt (shrK A) {|Agent B, Key K, Nonce NA|},
    70                              X|}  : set evs |]
    71           ==> Says A Spy {|Nonce NA, Nonce NB, Key K|} # evs : yahalom"
    72 
    73 end