src/HOL/Auth/KerberosIV_Gets.thy
author haftmann
Mon Mar 01 13:40:23 2010 +0100 (2010-03-01 ago)
changeset 35416 d8d7d1b785af
parent 32960 69916a850301
child 36866 426d5781bb25
permissions -rw-r--r--
replaced a couple of constsdefs by definitions (also some old primrecs by modern ones)
paulson@18886
     1
(*  Title:      HOL/Auth/KerberosIV
paulson@18886
     2
    ID:         $Id$
paulson@18886
     3
    Author:     Giampaolo Bella, Cambridge University Computer Laboratory
paulson@18886
     4
    Copyright   1998  University of Cambridge
paulson@18886
     5
*)
paulson@18886
     6
paulson@18886
     7
header{*The Kerberos Protocol, Version IV*}
paulson@18886
     8
paulson@18886
     9
theory KerberosIV_Gets imports Public begin
paulson@18886
    10
paulson@18886
    11
text{*The "u" prefix indicates theorems referring to an updated version of the protocol. The "r" suffix indicates theorems where the confidentiality assumptions are relaxed by the corresponding arguments.*}
paulson@18886
    12
wenzelm@20768
    13
abbreviation
wenzelm@21404
    14
  Kas :: agent where "Kas == Server"
paulson@18886
    15
wenzelm@21404
    16
abbreviation
wenzelm@21404
    17
  Tgs :: agent where "Tgs == Friend 0"
paulson@18886
    18
paulson@18886
    19
paulson@18886
    20
axioms
paulson@18886
    21
  Tgs_not_bad [iff]: "Tgs \<notin> bad"
paulson@18886
    22
   --{*Tgs is secure --- we already know that Kas is secure*}
paulson@18886
    23
paulson@18886
    24
constdefs
paulson@18886
    25
 (* authKeys are those contained in an authTicket *)
paulson@18886
    26
    authKeys :: "event list => key set"
paulson@18886
    27
    "authKeys evs == {authK. \<exists>A Peer Ta. Says Kas A
paulson@18886
    28
                        (Crypt (shrK A) \<lbrace>Key authK, Agent Peer, Number Ta,
paulson@18886
    29
               (Crypt (shrK Peer) \<lbrace>Agent A, Agent Peer, Key authK, Number Ta\<rbrace>)
paulson@18886
    30
                  \<rbrace>) \<in> set evs}"
paulson@18886
    31
paulson@18886
    32
 (* States than an event really appears only once on a trace *)
paulson@18886
    33
  Unique :: "[event, event list] => bool" ("Unique _ on _")
paulson@18886
    34
   "Unique ev on evs == 
paulson@18886
    35
      ev \<notin> set (tl (dropWhile (% z. z \<noteq> ev) evs))"
paulson@18886
    36
paulson@18886
    37
paulson@18886
    38
consts
paulson@18886
    39
    (*Duration of the authentication key*)
paulson@18886
    40
    authKlife   :: nat
paulson@18886
    41
paulson@18886
    42
    (*Duration of the service key*)
paulson@18886
    43
    servKlife   :: nat
paulson@18886
    44
paulson@18886
    45
    (*Duration of an authenticator*)
paulson@18886
    46
    authlife   :: nat
paulson@18886
    47
paulson@18886
    48
    (*Upper bound on the time of reaction of a server*)
paulson@18886
    49
    replylife   :: nat
paulson@18886
    50
paulson@18886
    51
specification (authKlife)
paulson@18886
    52
  authKlife_LB [iff]: "2 \<le> authKlife"
paulson@18886
    53
    by blast
paulson@18886
    54
paulson@18886
    55
specification (servKlife)
paulson@18886
    56
  servKlife_LB [iff]: "2 + authKlife \<le> servKlife"
paulson@18886
    57
    by blast
paulson@18886
    58
paulson@18886
    59
specification (authlife)
paulson@18886
    60
  authlife_LB [iff]: "Suc 0 \<le> authlife"
paulson@18886
    61
    by blast
paulson@18886
    62
paulson@18886
    63
specification (replylife)
paulson@18886
    64
  replylife_LB [iff]: "Suc 0 \<le> replylife"
paulson@18886
    65
    by blast
paulson@18886
    66
wenzelm@20768
    67
abbreviation
wenzelm@20768
    68
  (*The current time is just the length of the trace!*)
wenzelm@21404
    69
  CT :: "event list=>nat" where
wenzelm@20768
    70
  "CT == length"
paulson@18886
    71
wenzelm@21404
    72
abbreviation
wenzelm@21404
    73
  expiredAK :: "[nat, event list] => bool" where
wenzelm@20768
    74
  "expiredAK Ta evs == authKlife + Ta < CT evs"
paulson@18886
    75
wenzelm@21404
    76
abbreviation
wenzelm@21404
    77
  expiredSK :: "[nat, event list] => bool" where
wenzelm@20768
    78
  "expiredSK Ts evs == servKlife + Ts < CT evs"
paulson@18886
    79
wenzelm@21404
    80
abbreviation
wenzelm@21404
    81
  expiredA :: "[nat, event list] => bool" where
wenzelm@20768
    82
  "expiredA T evs == authlife + T < CT evs"
paulson@18886
    83
wenzelm@21404
    84
abbreviation
wenzelm@21404
    85
  valid :: "[nat, nat] => bool" ("valid _ wrt _") where
wenzelm@20768
    86
  "valid T1 wrt T2 == T1 <= replylife + T2"
paulson@18886
    87
paulson@18886
    88
(*---------------------------------------------------------------------*)
paulson@18886
    89
paulson@18886
    90
paulson@18886
    91
(* Predicate formalising the association between authKeys and servKeys *)
haftmann@35416
    92
definition AKcryptSK :: "[key, key, event list] => bool" where
paulson@18886
    93
  "AKcryptSK authK servK evs ==
paulson@18886
    94
     \<exists>A B Ts.
paulson@18886
    95
       Says Tgs A (Crypt authK
paulson@18886
    96
                     \<lbrace>Key servK, Agent B, Number Ts,
paulson@18886
    97
                       Crypt (shrK B) \<lbrace>Agent A, Agent B, Key servK, Number Ts\<rbrace> \<rbrace>)
paulson@18886
    98
         \<in> set evs"
paulson@18886
    99
berghofe@23746
   100
inductive_set "kerbIV_gets" :: "event list set"
berghofe@23746
   101
  where
paulson@18886
   102
paulson@18886
   103
   Nil:  "[] \<in> kerbIV_gets"
paulson@18886
   104
berghofe@23746
   105
 | Fake: "\<lbrakk> evsf \<in> kerbIV_gets;  X \<in> synth (analz (spies evsf)) \<rbrakk>
paulson@18886
   106
          \<Longrightarrow> Says Spy B X  # evsf \<in> kerbIV_gets"
paulson@18886
   107
berghofe@23746
   108
 | Reception: "\<lbrakk> evsr \<in> kerbIV_gets;  Says A B X \<in> set evsr \<rbrakk>
paulson@18886
   109
                \<Longrightarrow> Gets B X # evsr \<in> kerbIV_gets"
paulson@18886
   110
paulson@18886
   111
(* FROM the initiator *)
berghofe@23746
   112
 | K1:   "\<lbrakk> evs1 \<in> kerbIV_gets \<rbrakk>
paulson@18886
   113
          \<Longrightarrow> Says A Kas \<lbrace>Agent A, Agent Tgs, Number (CT evs1)\<rbrace> # evs1
paulson@18886
   114
          \<in> kerbIV_gets"
paulson@18886
   115
paulson@18886
   116
(* Adding the timestamp serves to A in K3 to check that
paulson@18886
   117
   she doesn't get a reply too late. This kind of timeouts are ordinary.
paulson@18886
   118
   If a server's reply is late, then it is likely to be fake. *)
paulson@18886
   119
paulson@18886
   120
(*---------------------------------------------------------------------*)
paulson@18886
   121
paulson@18886
   122
(*FROM Kas *)
berghofe@23746
   123
 | K2:  "\<lbrakk> evs2 \<in> kerbIV_gets; Key authK \<notin> used evs2; authK \<in> symKeys;
paulson@18886
   124
            Gets Kas \<lbrace>Agent A, Agent Tgs, Number T1\<rbrace> \<in> set evs2 \<rbrakk>
paulson@18886
   125
          \<Longrightarrow> Says Kas A
paulson@18886
   126
                (Crypt (shrK A) \<lbrace>Key authK, Agent Tgs, Number (CT evs2),
paulson@18886
   127
                      (Crypt (shrK Tgs) \<lbrace>Agent A, Agent Tgs, Key authK,
paulson@18886
   128
                          Number (CT evs2)\<rbrace>)\<rbrace>) # evs2 \<in> kerbIV_gets"
paulson@18886
   129
(*
paulson@18886
   130
  The internal encryption builds the authTicket.
paulson@18886
   131
  The timestamp doesn't change inside the two encryptions: the external copy
paulson@18886
   132
  will be used by the initiator in K3; the one inside the
paulson@18886
   133
  authTicket by Tgs in K4.
paulson@18886
   134
*)
paulson@18886
   135
paulson@18886
   136
(*---------------------------------------------------------------------*)
paulson@18886
   137
paulson@18886
   138
(* FROM the initiator *)
berghofe@23746
   139
 | K3:  "\<lbrakk> evs3 \<in> kerbIV_gets;
paulson@18886
   140
            Says A Kas \<lbrace>Agent A, Agent Tgs, Number T1\<rbrace> \<in> set evs3;
paulson@18886
   141
            Gets A (Crypt (shrK A) \<lbrace>Key authK, Agent Tgs, Number Ta,
paulson@18886
   142
              authTicket\<rbrace>) \<in> set evs3;
paulson@18886
   143
            valid Ta wrt T1
paulson@18886
   144
         \<rbrakk>
paulson@18886
   145
          \<Longrightarrow> Says A Tgs \<lbrace>authTicket,
paulson@18886
   146
                           (Crypt authK \<lbrace>Agent A, Number (CT evs3)\<rbrace>),
paulson@18886
   147
                           Agent B\<rbrace> # evs3 \<in> kerbIV_gets"
paulson@18886
   148
(*The two events amongst the premises allow A to accept only those authKeys
paulson@18886
   149
  that are not issued late. *)
paulson@18886
   150
paulson@18886
   151
(*---------------------------------------------------------------------*)
paulson@18886
   152
paulson@18886
   153
(* FROM Tgs *)
paulson@18886
   154
(* Note that the last temporal check is not mentioned in the original MIT
paulson@18886
   155
   specification. Adding it makes many goals "available" to the peers. 
paulson@18886
   156
   Theorems that exploit it have the suffix `_u', which stands for updated 
paulson@18886
   157
   protocol.
paulson@18886
   158
*)
berghofe@23746
   159
 | K4:  "\<lbrakk> evs4 \<in> kerbIV_gets; Key servK \<notin> used evs4; servK \<in> symKeys;
paulson@18886
   160
            B \<noteq> Tgs;  authK \<in> symKeys;
paulson@18886
   161
            Gets Tgs \<lbrace>
paulson@18886
   162
             (Crypt (shrK Tgs) \<lbrace>Agent A, Agent Tgs, Key authK,
wenzelm@32960
   163
                                 Number Ta\<rbrace>),
paulson@18886
   164
             (Crypt authK \<lbrace>Agent A, Number T2\<rbrace>), Agent B\<rbrace>
wenzelm@32960
   165
                \<in> set evs4;
paulson@18886
   166
            \<not> expiredAK Ta evs4;
paulson@18886
   167
            \<not> expiredA T2 evs4;
paulson@18886
   168
            servKlife + (CT evs4) <= authKlife + Ta
paulson@18886
   169
         \<rbrakk>
paulson@18886
   170
          \<Longrightarrow> Says Tgs A
paulson@18886
   171
                (Crypt authK \<lbrace>Key servK, Agent B, Number (CT evs4),
wenzelm@32960
   172
                               Crypt (shrK B) \<lbrace>Agent A, Agent B, Key servK,
wenzelm@32960
   173
                                                Number (CT evs4)\<rbrace> \<rbrace>)
wenzelm@32960
   174
                # evs4 \<in> kerbIV_gets"
paulson@18886
   175
(* Tgs creates a new session key per each request for a service, without
paulson@18886
   176
   checking if there is still a fresh one for that service.
paulson@18886
   177
   The cipher under Tgs' key is the authTicket, the cipher under B's key
paulson@18886
   178
   is the servTicket, which is built now.
paulson@18886
   179
   NOTE that the last temporal check is not present in the MIT specification.
paulson@18886
   180
paulson@18886
   181
*)
paulson@18886
   182
paulson@18886
   183
(*---------------------------------------------------------------------*)
paulson@18886
   184
paulson@18886
   185
(* FROM the initiator *)
berghofe@23746
   186
 | K5:  "\<lbrakk> evs5 \<in> kerbIV_gets; authK \<in> symKeys; servK \<in> symKeys;
paulson@18886
   187
            Says A Tgs
paulson@18886
   188
                \<lbrace>authTicket, Crypt authK \<lbrace>Agent A, Number T2\<rbrace>,
wenzelm@32960
   189
                  Agent B\<rbrace>
paulson@18886
   190
              \<in> set evs5;
paulson@18886
   191
            Gets A
paulson@18886
   192
             (Crypt authK \<lbrace>Key servK, Agent B, Number Ts, servTicket\<rbrace>)
paulson@18886
   193
                \<in> set evs5;
paulson@18886
   194
            valid Ts wrt T2 \<rbrakk>
paulson@18886
   195
          \<Longrightarrow> Says A B \<lbrace>servTicket,
wenzelm@32960
   196
                         Crypt servK \<lbrace>Agent A, Number (CT evs5)\<rbrace> \<rbrace>
paulson@18886
   197
               # evs5 \<in> kerbIV_gets"
paulson@18886
   198
(* Checks similar to those in K3. *)
paulson@18886
   199
paulson@18886
   200
(*---------------------------------------------------------------------*)
paulson@18886
   201
paulson@18886
   202
(* FROM the responder*)
berghofe@23746
   203
  | K6:  "\<lbrakk> evs6 \<in> kerbIV_gets;
paulson@18886
   204
            Gets B \<lbrace>
paulson@18886
   205
              (Crypt (shrK B) \<lbrace>Agent A, Agent B, Key servK, Number Ts\<rbrace>),
paulson@18886
   206
              (Crypt servK \<lbrace>Agent A, Number T3\<rbrace>)\<rbrace>
paulson@18886
   207
            \<in> set evs6;
paulson@18886
   208
            \<not> expiredSK Ts evs6;
paulson@18886
   209
            \<not> expiredA T3 evs6
paulson@18886
   210
         \<rbrakk>
paulson@18886
   211
          \<Longrightarrow> Says B A (Crypt servK (Number T3))
paulson@18886
   212
               # evs6 \<in> kerbIV_gets"
paulson@18886
   213
(* Checks similar to those in K4. *)
paulson@18886
   214
paulson@18886
   215
(*---------------------------------------------------------------------*)
paulson@18886
   216
paulson@18886
   217
(* Leaking an authK... *)
berghofe@23746
   218
 | Oops1: "\<lbrakk> evsO1 \<in> kerbIV_gets;  A \<noteq> Spy;
paulson@18886
   219
              Says Kas A
paulson@18886
   220
                (Crypt (shrK A) \<lbrace>Key authK, Agent Tgs, Number Ta,
paulson@18886
   221
                                  authTicket\<rbrace>)  \<in> set evsO1;
paulson@18886
   222
              expiredAK Ta evsO1 \<rbrakk>
paulson@18886
   223
          \<Longrightarrow> Says A Spy \<lbrace>Agent A, Agent Tgs, Number Ta, Key authK\<rbrace>
paulson@18886
   224
               # evsO1 \<in> kerbIV_gets"
paulson@18886
   225
paulson@18886
   226
(*---------------------------------------------------------------------*)
paulson@18886
   227
paulson@18886
   228
(*Leaking a servK... *)
berghofe@23746
   229
 | Oops2: "\<lbrakk> evsO2 \<in> kerbIV_gets;  A \<noteq> Spy;
paulson@18886
   230
              Says Tgs A
paulson@18886
   231
                (Crypt authK \<lbrace>Key servK, Agent B, Number Ts, servTicket\<rbrace>)
paulson@18886
   232
                   \<in> set evsO2;
paulson@18886
   233
              expiredSK Ts evsO2 \<rbrakk>
paulson@18886
   234
          \<Longrightarrow> Says A Spy \<lbrace>Agent A, Agent B, Number Ts, Key servK\<rbrace>
paulson@18886
   235
               # evsO2 \<in> kerbIV_gets"
paulson@18886
   236
paulson@18886
   237
(*---------------------------------------------------------------------*)
paulson@18886
   238
paulson@18886
   239
declare Says_imp_knows_Spy [THEN parts.Inj, dest]
paulson@18886
   240
declare parts.Body [dest]
paulson@18886
   241
declare analz_into_parts [dest]
paulson@18886
   242
declare Fake_parts_insert_in_Un [dest]
paulson@18886
   243
paulson@18886
   244
subsection{*Lemmas about reception event*}
paulson@18886
   245
paulson@18886
   246
lemma Gets_imp_Says :
paulson@18886
   247
     "\<lbrakk> Gets B X \<in> set evs; evs \<in> kerbIV_gets \<rbrakk> \<Longrightarrow> \<exists>A. Says A B X \<in> set evs"
paulson@18886
   248
apply (erule rev_mp)
paulson@18886
   249
apply (erule kerbIV_gets.induct)
paulson@18886
   250
apply auto
paulson@18886
   251
done
paulson@18886
   252
paulson@18886
   253
lemma Gets_imp_knows_Spy: 
paulson@18886
   254
     "\<lbrakk> Gets B X \<in> set evs; evs \<in> kerbIV_gets \<rbrakk>  \<Longrightarrow> X \<in> knows Spy evs"
paulson@18886
   255
apply (blast dest!: Gets_imp_Says Says_imp_knows_Spy)
paulson@18886
   256
done
paulson@18886
   257
paulson@18886
   258
(*Needed for force to work for example in new_keys_not_used*)
paulson@18886
   259
declare Gets_imp_knows_Spy [THEN parts.Inj, dest]
paulson@18886
   260
paulson@18886
   261
lemma Gets_imp_knows:
paulson@18886
   262
     "\<lbrakk> Gets B X \<in> set evs; evs \<in> kerbIV_gets \<rbrakk>  \<Longrightarrow> X \<in> knows B evs"
paulson@18886
   263
apply (case_tac "B = Spy")
paulson@18886
   264
apply (blast dest!: Gets_imp_knows_Spy)
paulson@18886
   265
apply (blast dest!: Gets_imp_knows_agents)
paulson@18886
   266
done
paulson@18886
   267
paulson@18886
   268
subsection{*Lemmas about @{term authKeys}*}
paulson@18886
   269
paulson@18886
   270
lemma authKeys_empty: "authKeys [] = {}"
paulson@18886
   271
apply (unfold authKeys_def)
paulson@18886
   272
apply (simp (no_asm))
paulson@18886
   273
done
paulson@18886
   274
paulson@18886
   275
lemma authKeys_not_insert:
paulson@18886
   276
 "(\<forall>A Ta akey Peer.
paulson@18886
   277
   ev \<noteq> Says Kas A (Crypt (shrK A) \<lbrace>akey, Agent Peer, Ta,
paulson@18886
   278
              (Crypt (shrK Peer) \<lbrace>Agent A, Agent Peer, akey, Ta\<rbrace>)\<rbrace>))
paulson@18886
   279
       \<Longrightarrow> authKeys (ev # evs) = authKeys evs"
paulson@18886
   280
by (unfold authKeys_def, auto)
paulson@18886
   281
paulson@18886
   282
lemma authKeys_insert:
paulson@18886
   283
  "authKeys
paulson@18886
   284
     (Says Kas A (Crypt (shrK A) \<lbrace>Key K, Agent Peer, Number Ta,
paulson@18886
   285
      (Crypt (shrK Peer) \<lbrace>Agent A, Agent Peer, Key K, Number Ta\<rbrace>)\<rbrace>) # evs)
paulson@18886
   286
       = insert K (authKeys evs)"
paulson@18886
   287
by (unfold authKeys_def, auto)
paulson@18886
   288
paulson@18886
   289
lemma authKeys_simp:
paulson@18886
   290
   "K \<in> authKeys
paulson@18886
   291
    (Says Kas A (Crypt (shrK A) \<lbrace>Key K', Agent Peer, Number Ta,
paulson@18886
   292
     (Crypt (shrK Peer) \<lbrace>Agent A, Agent Peer, Key K', Number Ta\<rbrace>)\<rbrace>) # evs)
paulson@18886
   293
        \<Longrightarrow> K = K' | K \<in> authKeys evs"
paulson@18886
   294
by (unfold authKeys_def, auto)
paulson@18886
   295
paulson@18886
   296
lemma authKeysI:
paulson@18886
   297
   "Says Kas A (Crypt (shrK A) \<lbrace>Key K, Agent Tgs, Number Ta,
paulson@18886
   298
     (Crypt (shrK Tgs) \<lbrace>Agent A, Agent Tgs, Key K, Number Ta\<rbrace>)\<rbrace>) \<in> set evs
paulson@18886
   299
        \<Longrightarrow> K \<in> authKeys evs"
paulson@18886
   300
by (unfold authKeys_def, auto)
paulson@18886
   301
paulson@18886
   302
lemma authKeys_used: "K \<in> authKeys evs \<Longrightarrow> Key K \<in> used evs"
paulson@18886
   303
by (simp add: authKeys_def, blast)
paulson@18886
   304
paulson@18886
   305
paulson@18886
   306
subsection{*Forwarding Lemmas*}
paulson@18886
   307
paulson@18886
   308
lemma Says_ticket_parts:
paulson@18886
   309
     "Says S A (Crypt K \<lbrace>SesKey, B, TimeStamp, Ticket\<rbrace>) \<in> set evs
paulson@18886
   310
      \<Longrightarrow> Ticket \<in> parts (spies evs)"
paulson@18886
   311
apply blast
paulson@18886
   312
done
paulson@18886
   313
paulson@18886
   314
lemma Gets_ticket_parts:
paulson@18886
   315
     "\<lbrakk>Gets A (Crypt K \<lbrace>SesKey, Peer, Ta, Ticket\<rbrace>) \<in> set evs; evs \<in> kerbIV_gets \<rbrakk>
paulson@18886
   316
      \<Longrightarrow> Ticket \<in> parts (spies evs)"
paulson@18886
   317
apply (blast dest: Gets_imp_knows_Spy [THEN parts.Inj])
paulson@18886
   318
done
paulson@18886
   319
paulson@18886
   320
lemma Oops_range_spies1:
paulson@18886
   321
     "\<lbrakk> Says Kas A (Crypt KeyA \<lbrace>Key authK, Peer, Ta, authTicket\<rbrace>)
paulson@18886
   322
           \<in> set evs ;
paulson@18886
   323
         evs \<in> kerbIV_gets \<rbrakk> \<Longrightarrow> authK \<notin> range shrK & authK \<in> symKeys"
paulson@18886
   324
apply (erule rev_mp)
paulson@18886
   325
apply (erule kerbIV_gets.induct, auto)
paulson@18886
   326
done
paulson@18886
   327
paulson@18886
   328
lemma Oops_range_spies2:
paulson@18886
   329
     "\<lbrakk> Says Tgs A (Crypt authK \<lbrace>Key servK, Agent B, Ts, servTicket\<rbrace>)
paulson@18886
   330
           \<in> set evs ;
paulson@18886
   331
         evs \<in> kerbIV_gets \<rbrakk> \<Longrightarrow> servK \<notin> range shrK & servK \<in> symKeys"
paulson@18886
   332
apply (erule rev_mp)
paulson@18886
   333
apply (erule kerbIV_gets.induct, auto)
paulson@18886
   334
done
paulson@18886
   335
paulson@18886
   336
paulson@18886
   337
(*Spy never sees another agent's shared key! (unless it's lost at start)*)
paulson@18886
   338
lemma Spy_see_shrK [simp]:
paulson@18886
   339
     "evs \<in> kerbIV_gets \<Longrightarrow> (Key (shrK A) \<in> parts (spies evs)) = (A \<in> bad)"
paulson@18886
   340
apply (erule kerbIV_gets.induct)
paulson@18886
   341
apply (frule_tac [8] Gets_ticket_parts)
paulson@18886
   342
apply (frule_tac [6] Gets_ticket_parts, simp_all)
paulson@18886
   343
apply (blast+)
paulson@18886
   344
done
paulson@18886
   345
paulson@18886
   346
lemma Spy_analz_shrK [simp]:
paulson@18886
   347
     "evs \<in> kerbIV_gets \<Longrightarrow> (Key (shrK A) \<in> analz (spies evs)) = (A \<in> bad)"
paulson@18886
   348
by auto
paulson@18886
   349
paulson@18886
   350
lemma Spy_see_shrK_D [dest!]:
paulson@18886
   351
     "\<lbrakk> Key (shrK A) \<in> parts (spies evs);  evs \<in> kerbIV_gets \<rbrakk> \<Longrightarrow> A:bad"
paulson@18886
   352
by (blast dest: Spy_see_shrK)
paulson@18886
   353
lemmas Spy_analz_shrK_D = analz_subset_parts [THEN subsetD, THEN Spy_see_shrK_D, dest!]
paulson@18886
   354
paulson@18886
   355
text{*Nobody can have used non-existent keys!*}
paulson@18886
   356
lemma new_keys_not_used [simp]:
paulson@18886
   357
    "\<lbrakk>Key K \<notin> used evs; K \<in> symKeys; evs \<in> kerbIV_gets\<rbrakk>
paulson@18886
   358
     \<Longrightarrow> K \<notin> keysFor (parts (spies evs))"
paulson@18886
   359
apply (erule rev_mp)
paulson@18886
   360
apply (erule kerbIV_gets.induct)
paulson@18886
   361
apply (frule_tac [8] Gets_ticket_parts)
paulson@18886
   362
apply (frule_tac [6] Gets_ticket_parts, simp_all)
paulson@18886
   363
txt{*Fake*}
paulson@18886
   364
apply (force dest!: keysFor_parts_insert)
paulson@18886
   365
txt{*Others*}
paulson@18886
   366
apply (force dest!: analz_shrK_Decrypt)+
paulson@18886
   367
done
paulson@18886
   368
paulson@18886
   369
(*Earlier, all protocol proofs declared this theorem.
paulson@18886
   370
  But few of them actually need it! (Another is Yahalom) *)
paulson@18886
   371
lemma new_keys_not_analzd:
paulson@18886
   372
 "\<lbrakk>evs \<in> kerbIV_gets; K \<in> symKeys; Key K \<notin> used evs\<rbrakk>
paulson@18886
   373
  \<Longrightarrow> K \<notin> keysFor (analz (spies evs))"
paulson@18886
   374
by (blast dest: new_keys_not_used intro: keysFor_mono [THEN subsetD])
paulson@18886
   375
paulson@18886
   376
paulson@18886
   377
subsection{*Regularity Lemmas*}
paulson@18886
   378
text{*These concern the form of items passed in messages*}
paulson@18886
   379
paulson@18886
   380
text{*Describes the form of all components sent by Kas*}
paulson@18886
   381
paulson@18886
   382
lemma Says_Kas_message_form:
paulson@18886
   383
     "\<lbrakk> Says Kas A (Crypt K \<lbrace>Key authK, Agent Peer, Number Ta, authTicket\<rbrace>)
paulson@18886
   384
           \<in> set evs;
paulson@18886
   385
         evs \<in> kerbIV_gets \<rbrakk> \<Longrightarrow>  
paulson@18886
   386
  K = shrK A  & Peer = Tgs &
paulson@18886
   387
  authK \<notin> range shrK & authK \<in> authKeys evs & authK \<in> symKeys & 
paulson@18886
   388
  authTicket = (Crypt (shrK Tgs) \<lbrace>Agent A, Agent Tgs, Key authK, Number Ta\<rbrace>)"
paulson@18886
   389
apply (erule rev_mp)
paulson@18886
   390
apply (erule kerbIV_gets.induct)
paulson@18886
   391
apply (simp_all (no_asm) add: authKeys_def authKeys_insert)
paulson@18886
   392
apply blast+
paulson@18886
   393
done
paulson@18886
   394
paulson@18886
   395
paulson@18886
   396
lemma SesKey_is_session_key:
paulson@18886
   397
     "\<lbrakk> Crypt (shrK Tgs_B) \<lbrace>Agent A, Agent Tgs_B, Key SesKey, Number T\<rbrace>
paulson@18886
   398
            \<in> parts (spies evs); Tgs_B \<notin> bad;
paulson@18886
   399
         evs \<in> kerbIV_gets \<rbrakk>
paulson@18886
   400
      \<Longrightarrow> SesKey \<notin> range shrK"
paulson@18886
   401
apply (erule rev_mp)
paulson@18886
   402
apply (erule kerbIV_gets.induct)
paulson@18886
   403
apply (frule_tac [8] Gets_ticket_parts)
paulson@18886
   404
apply (frule_tac [6] Gets_ticket_parts, simp_all, blast)
paulson@18886
   405
done
paulson@18886
   406
paulson@18886
   407
lemma authTicket_authentic:
paulson@18886
   408
     "\<lbrakk> Crypt (shrK Tgs) \<lbrace>Agent A, Agent Tgs, Key authK, Number Ta\<rbrace>
paulson@18886
   409
           \<in> parts (spies evs);
paulson@18886
   410
         evs \<in> kerbIV_gets \<rbrakk>
paulson@18886
   411
      \<Longrightarrow> Says Kas A (Crypt (shrK A) \<lbrace>Key authK, Agent Tgs, Number Ta,
paulson@18886
   412
                 Crypt (shrK Tgs) \<lbrace>Agent A, Agent Tgs, Key authK, Number Ta\<rbrace>\<rbrace>)
paulson@18886
   413
            \<in> set evs"
paulson@18886
   414
apply (erule rev_mp)
paulson@18886
   415
apply (erule kerbIV_gets.induct)
paulson@18886
   416
apply (frule_tac [8] Gets_ticket_parts)
paulson@18886
   417
apply (frule_tac [6] Gets_ticket_parts, simp_all)
paulson@18886
   418
txt{*Fake, K4*}
paulson@18886
   419
apply (blast+)
paulson@18886
   420
done
paulson@18886
   421
paulson@18886
   422
lemma authTicket_crypt_authK:
paulson@18886
   423
     "\<lbrakk> Crypt (shrK Tgs) \<lbrace>Agent A, Agent Tgs, Key authK, Number Ta\<rbrace>
paulson@18886
   424
           \<in> parts (spies evs);
paulson@18886
   425
         evs \<in> kerbIV_gets \<rbrakk>
paulson@18886
   426
      \<Longrightarrow> authK \<in> authKeys evs"
paulson@18886
   427
apply (frule authTicket_authentic, assumption)
paulson@18886
   428
apply (simp (no_asm) add: authKeys_def)
paulson@18886
   429
apply blast
paulson@18886
   430
done
paulson@18886
   431
paulson@18886
   432
lemma Says_Tgs_message_form:
paulson@18886
   433
     "\<lbrakk> Says Tgs A (Crypt authK \<lbrace>Key servK, Agent B, Number Ts, servTicket\<rbrace>)
paulson@18886
   434
           \<in> set evs;
paulson@18886
   435
         evs \<in> kerbIV_gets \<rbrakk>
paulson@18886
   436
  \<Longrightarrow> B \<noteq> Tgs & 
paulson@18886
   437
      authK \<notin> range shrK & authK \<in> authKeys evs & authK \<in> symKeys &
paulson@18886
   438
      servK \<notin> range shrK & servK \<notin> authKeys evs & servK \<in> symKeys &
paulson@18886
   439
      servTicket = (Crypt (shrK B) \<lbrace>Agent A, Agent B, Key servK, Number Ts\<rbrace>)"
paulson@18886
   440
apply (erule rev_mp)
paulson@18886
   441
apply (erule kerbIV_gets.induct)
paulson@18886
   442
apply (simp_all add: authKeys_insert authKeys_not_insert authKeys_empty authKeys_simp, blast, auto)
paulson@18886
   443
txt{*Three subcases of Message 4*}
paulson@18886
   444
apply (blast dest!: SesKey_is_session_key)
paulson@18886
   445
apply (blast dest: authTicket_crypt_authK)
paulson@18886
   446
apply (blast dest!: authKeys_used Says_Kas_message_form)
paulson@18886
   447
done
paulson@18886
   448
paulson@18886
   449
paulson@18886
   450
lemma authTicket_form:
paulson@18886
   451
     "\<lbrakk> Crypt (shrK A) \<lbrace>Key authK, Agent Tgs, Ta, authTicket\<rbrace>
paulson@18886
   452
           \<in> parts (spies evs);
paulson@18886
   453
         A \<notin> bad;
paulson@18886
   454
         evs \<in> kerbIV_gets \<rbrakk>
paulson@18886
   455
    \<Longrightarrow> authK \<notin> range shrK & authK \<in> symKeys & 
paulson@18886
   456
        authTicket = Crypt (shrK Tgs) \<lbrace>Agent A, Agent Tgs, Key authK, Ta\<rbrace>"
paulson@18886
   457
apply (erule rev_mp)
paulson@18886
   458
apply (erule kerbIV_gets.induct)
paulson@18886
   459
apply (frule_tac [8] Gets_ticket_parts)
paulson@18886
   460
apply (frule_tac [6] Gets_ticket_parts, simp_all)
paulson@18886
   461
apply blast+
paulson@18886
   462
done
paulson@18886
   463
paulson@18886
   464
text{* This form holds also over an authTicket, but is not needed below.*}
paulson@18886
   465
lemma servTicket_form:
paulson@18886
   466
     "\<lbrakk> Crypt authK \<lbrace>Key servK, Agent B, Ts, servTicket\<rbrace>
paulson@18886
   467
              \<in> parts (spies evs);
paulson@18886
   468
            Key authK \<notin> analz (spies evs);
paulson@18886
   469
            evs \<in> kerbIV_gets \<rbrakk>
paulson@18886
   470
         \<Longrightarrow> servK \<notin> range shrK & servK \<in> symKeys & 
paulson@18886
   471
    (\<exists>A. servTicket = Crypt (shrK B) \<lbrace>Agent A, Agent B, Key servK, Ts\<rbrace>)"
paulson@18886
   472
apply (erule rev_mp)
paulson@18886
   473
apply (erule rev_mp)
paulson@18886
   474
apply (erule kerbIV_gets.induct, analz_mono_contra)
paulson@18886
   475
apply (frule_tac [8] Gets_ticket_parts)
paulson@18886
   476
apply (frule_tac [6] Gets_ticket_parts, simp_all, blast)
paulson@18886
   477
done
paulson@18886
   478
paulson@18886
   479
text{* Essentially the same as @{text authTicket_form} *}
paulson@18886
   480
lemma Says_kas_message_form:
paulson@18886
   481
     "\<lbrakk> Gets A (Crypt (shrK A)
paulson@18886
   482
              \<lbrace>Key authK, Agent Tgs, Ta, authTicket\<rbrace>) \<in> set evs;
paulson@18886
   483
         evs \<in> kerbIV_gets \<rbrakk>
paulson@18886
   484
      \<Longrightarrow> authK \<notin> range shrK & authK \<in> symKeys & 
paulson@18886
   485
          authTicket =
paulson@18886
   486
                  Crypt (shrK Tgs) \<lbrace>Agent A, Agent Tgs, Key authK, Ta\<rbrace>
paulson@18886
   487
          | authTicket \<in> analz (spies evs)"
paulson@18886
   488
by (blast dest: analz_shrK_Decrypt authTicket_form
paulson@18886
   489
                Gets_imp_knows_Spy [THEN analz.Inj])
paulson@18886
   490
paulson@18886
   491
lemma Says_tgs_message_form:
paulson@18886
   492
 "\<lbrakk> Gets A (Crypt authK \<lbrace>Key servK, Agent B, Ts, servTicket\<rbrace>)
paulson@18886
   493
       \<in> set evs;  authK \<in> symKeys;
paulson@18886
   494
     evs \<in> kerbIV_gets \<rbrakk>
paulson@18886
   495
  \<Longrightarrow> servK \<notin> range shrK &
paulson@18886
   496
      (\<exists>A. servTicket =
wenzelm@32960
   497
              Crypt (shrK B) \<lbrace>Agent A, Agent B, Key servK, Ts\<rbrace>)
paulson@18886
   498
       | servTicket \<in> analz (spies evs)"
paulson@18886
   499
apply (frule Gets_imp_knows_Spy [THEN analz.Inj], auto)
paulson@18886
   500
 apply (force dest!: servTicket_form)
paulson@18886
   501
apply (frule analz_into_parts)
paulson@18886
   502
apply (frule servTicket_form, auto)
paulson@18886
   503
done
paulson@18886
   504
paulson@18886
   505
paulson@18886
   506
subsection{*Authenticity theorems: confirm origin of sensitive messages*}
paulson@18886
   507
paulson@18886
   508
lemma authK_authentic:
paulson@18886
   509
     "\<lbrakk> Crypt (shrK A) \<lbrace>Key authK, Peer, Ta, authTicket\<rbrace>
paulson@18886
   510
           \<in> parts (spies evs);
paulson@18886
   511
         A \<notin> bad;  evs \<in> kerbIV_gets \<rbrakk>
paulson@18886
   512
      \<Longrightarrow> Says Kas A (Crypt (shrK A) \<lbrace>Key authK, Peer, Ta, authTicket\<rbrace>)
paulson@18886
   513
            \<in> set evs"
paulson@18886
   514
apply (erule rev_mp)
paulson@18886
   515
apply (erule kerbIV_gets.induct)
paulson@18886
   516
apply (frule_tac [8] Gets_ticket_parts)
paulson@18886
   517
apply (frule_tac [6] Gets_ticket_parts, simp_all)
paulson@18886
   518
txt{*Fake*}
paulson@18886
   519
apply blast
paulson@18886
   520
txt{*K4*}
paulson@18886
   521
apply (blast dest!: authTicket_authentic [THEN Says_Kas_message_form])
paulson@18886
   522
done
paulson@18886
   523
paulson@18886
   524
text{*If a certain encrypted message appears then it originated with Tgs*}
paulson@18886
   525
lemma servK_authentic:
paulson@18886
   526
     "\<lbrakk> Crypt authK \<lbrace>Key servK, Agent B, Number Ts, servTicket\<rbrace>
paulson@18886
   527
           \<in> parts (spies evs);
paulson@18886
   528
         Key authK \<notin> analz (spies evs);
paulson@18886
   529
         authK \<notin> range shrK;
paulson@18886
   530
         evs \<in> kerbIV_gets \<rbrakk>
paulson@18886
   531
 \<Longrightarrow> \<exists>A. Says Tgs A (Crypt authK \<lbrace>Key servK, Agent B, Number Ts, servTicket\<rbrace>)
paulson@18886
   532
       \<in> set evs"
paulson@18886
   533
apply (erule rev_mp)
paulson@18886
   534
apply (erule rev_mp)
paulson@18886
   535
apply (erule kerbIV_gets.induct, analz_mono_contra)
paulson@18886
   536
apply (frule_tac [8] Gets_ticket_parts)
paulson@18886
   537
apply (frule_tac [6] Gets_ticket_parts, simp_all)
paulson@18886
   538
txt{*Fake*}
paulson@18886
   539
apply blast
paulson@18886
   540
txt{*K2*}
paulson@18886
   541
apply blast
paulson@18886
   542
txt{*K4*}
paulson@18886
   543
apply auto
paulson@18886
   544
done
paulson@18886
   545
paulson@18886
   546
lemma servK_authentic_bis:
paulson@18886
   547
     "\<lbrakk> Crypt authK \<lbrace>Key servK, Agent B, Number Ts, servTicket\<rbrace>
paulson@18886
   548
           \<in> parts (spies evs);
paulson@18886
   549
         Key authK \<notin> analz (spies evs);
paulson@18886
   550
         B \<noteq> Tgs;
paulson@18886
   551
         evs \<in> kerbIV_gets \<rbrakk>
paulson@18886
   552
 \<Longrightarrow> \<exists>A. Says Tgs A (Crypt authK \<lbrace>Key servK, Agent B, Number Ts, servTicket\<rbrace>)
paulson@18886
   553
       \<in> set evs"
paulson@18886
   554
apply (erule rev_mp)
paulson@18886
   555
apply (erule rev_mp)
paulson@18886
   556
apply (erule kerbIV_gets.induct, analz_mono_contra)
paulson@18886
   557
apply (frule_tac [8] Gets_ticket_parts)
paulson@18886
   558
apply (frule_tac [6] Gets_ticket_parts, simp_all)
paulson@18886
   559
txt{*Fake*}
paulson@18886
   560
apply blast
paulson@18886
   561
txt{*K4*}
paulson@18886
   562
apply blast
paulson@18886
   563
done
paulson@18886
   564
paulson@18886
   565
text{*Authenticity of servK for B*}
paulson@18886
   566
lemma servTicket_authentic_Tgs:
paulson@18886
   567
     "\<lbrakk> Crypt (shrK B) \<lbrace>Agent A, Agent B, Key servK, Number Ts\<rbrace>
paulson@18886
   568
           \<in> parts (spies evs); B \<noteq> Tgs;  B \<notin> bad;
paulson@18886
   569
         evs \<in> kerbIV_gets \<rbrakk>
paulson@18886
   570
 \<Longrightarrow> \<exists>authK.
paulson@18886
   571
       Says Tgs A (Crypt authK \<lbrace>Key servK, Agent B, Number Ts,
paulson@18886
   572
                   Crypt (shrK B) \<lbrace>Agent A, Agent B, Key servK, Number Ts\<rbrace>\<rbrace>)
paulson@18886
   573
       \<in> set evs"
paulson@18886
   574
apply (erule rev_mp)
paulson@18886
   575
apply (erule rev_mp)
paulson@18886
   576
apply (erule kerbIV_gets.induct)
paulson@18886
   577
apply (frule_tac [8] Gets_ticket_parts)
paulson@18886
   578
apply (frule_tac [6] Gets_ticket_parts, simp_all)
paulson@18886
   579
apply blast+
paulson@18886
   580
done
paulson@18886
   581
paulson@18886
   582
text{*Anticipated here from next subsection*}
paulson@18886
   583
lemma K4_imp_K2:
paulson@18886
   584
"\<lbrakk> Says Tgs A (Crypt authK \<lbrace>Key servK, Agent B, Number Ts, servTicket\<rbrace>)
paulson@18886
   585
      \<in> set evs;  evs \<in> kerbIV_gets\<rbrakk>
paulson@18886
   586
   \<Longrightarrow> \<exists>Ta. Says Kas A
paulson@18886
   587
        (Crypt (shrK A)
paulson@18886
   588
         \<lbrace>Key authK, Agent Tgs, Number Ta,
paulson@18886
   589
           Crypt (shrK Tgs) \<lbrace>Agent A, Agent Tgs, Key authK, Number Ta\<rbrace>\<rbrace>)
paulson@18886
   590
        \<in> set evs"
paulson@18886
   591
apply (erule rev_mp)
paulson@18886
   592
apply (erule kerbIV_gets.induct)
paulson@18886
   593
apply (frule_tac [8] Gets_ticket_parts)
paulson@18886
   594
apply (frule_tac [6] Gets_ticket_parts, simp_all, auto)
paulson@18886
   595
apply (blast dest!: Gets_imp_knows_Spy [THEN parts.Inj, THEN parts.Fst, THEN authTicket_authentic])
paulson@18886
   596
done
paulson@18886
   597
paulson@18886
   598
text{*Anticipated here from next subsection*}
paulson@18886
   599
lemma u_K4_imp_K2:
paulson@18886
   600
"\<lbrakk> Says Tgs A (Crypt authK \<lbrace>Key servK, Agent B, Number Ts, servTicket\<rbrace>)
paulson@18886
   601
      \<in> set evs; evs \<in> kerbIV_gets\<rbrakk>
paulson@18886
   602
   \<Longrightarrow> \<exists>Ta. (Says Kas A (Crypt (shrK A) \<lbrace>Key authK, Agent Tgs, Number Ta,
paulson@18886
   603
           Crypt (shrK Tgs) \<lbrace>Agent A, Agent Tgs, Key authK, Number Ta\<rbrace>\<rbrace>)
paulson@18886
   604
             \<in> set evs
paulson@18886
   605
          & servKlife + Ts <= authKlife + Ta)"
paulson@18886
   606
apply (erule rev_mp)
paulson@18886
   607
apply (erule kerbIV_gets.induct)
paulson@18886
   608
apply (frule_tac [8] Gets_ticket_parts)
paulson@18886
   609
apply (frule_tac [6] Gets_ticket_parts, simp_all, auto)
paulson@18886
   610
apply (blast dest!: Gets_imp_knows_Spy [THEN parts.Inj, THEN parts.Fst, THEN authTicket_authentic])
paulson@18886
   611
done
paulson@18886
   612
paulson@18886
   613
lemma servTicket_authentic_Kas:
paulson@18886
   614
     "\<lbrakk> Crypt (shrK B) \<lbrace>Agent A, Agent B, Key servK, Number Ts\<rbrace>
paulson@18886
   615
           \<in> parts (spies evs);  B \<noteq> Tgs;  B \<notin> bad;
paulson@18886
   616
         evs \<in> kerbIV_gets \<rbrakk>
paulson@18886
   617
  \<Longrightarrow> \<exists>authK Ta.
paulson@18886
   618
       Says Kas A
paulson@18886
   619
         (Crypt (shrK A) \<lbrace>Key authK, Agent Tgs, Number Ta,
paulson@18886
   620
            Crypt (shrK Tgs) \<lbrace>Agent A, Agent Tgs, Key authK, Number Ta\<rbrace>\<rbrace>)
paulson@18886
   621
        \<in> set evs"
paulson@18886
   622
apply (blast dest!: servTicket_authentic_Tgs K4_imp_K2)
paulson@18886
   623
done
paulson@18886
   624
paulson@18886
   625
lemma u_servTicket_authentic_Kas:
paulson@18886
   626
     "\<lbrakk> Crypt (shrK B) \<lbrace>Agent A, Agent B, Key servK, Number Ts\<rbrace>
paulson@18886
   627
           \<in> parts (spies evs);  B \<noteq> Tgs;  B \<notin> bad;
paulson@18886
   628
         evs \<in> kerbIV_gets \<rbrakk>
paulson@18886
   629
  \<Longrightarrow> \<exists>authK Ta. Says Kas A (Crypt(shrK A) \<lbrace>Key authK, Agent Tgs, Number Ta,
paulson@18886
   630
           Crypt (shrK Tgs) \<lbrace>Agent A, Agent Tgs, Key authK, Number Ta\<rbrace>\<rbrace>)
paulson@18886
   631
             \<in> set evs
paulson@18886
   632
           & servKlife + Ts <= authKlife + Ta"
paulson@18886
   633
apply (blast dest!: servTicket_authentic_Tgs u_K4_imp_K2)
paulson@18886
   634
done
paulson@18886
   635
paulson@18886
   636
lemma servTicket_authentic:
paulson@18886
   637
     "\<lbrakk> Crypt (shrK B) \<lbrace>Agent A, Agent B, Key servK, Number Ts\<rbrace>
paulson@18886
   638
           \<in> parts (spies evs);  B \<noteq> Tgs;  B \<notin> bad;
paulson@18886
   639
         evs \<in> kerbIV_gets \<rbrakk>
paulson@18886
   640
 \<Longrightarrow> \<exists>Ta authK.
paulson@18886
   641
     Says Kas A (Crypt (shrK A) \<lbrace>Key authK, Agent Tgs, Number Ta,
paulson@18886
   642
                   Crypt (shrK Tgs) \<lbrace>Agent A, Agent Tgs, Key authK, Number Ta\<rbrace>\<rbrace>)
paulson@18886
   643
       \<in> set evs
paulson@18886
   644
     & Says Tgs A (Crypt authK \<lbrace>Key servK, Agent B, Number Ts,
paulson@18886
   645
                   Crypt (shrK B) \<lbrace>Agent A, Agent B, Key servK, Number Ts\<rbrace>\<rbrace>)
paulson@18886
   646
       \<in> set evs"
paulson@18886
   647
apply (blast dest: servTicket_authentic_Tgs K4_imp_K2)
paulson@18886
   648
done
paulson@18886
   649
paulson@18886
   650
lemma u_servTicket_authentic:
paulson@18886
   651
     "\<lbrakk> Crypt (shrK B) \<lbrace>Agent A, Agent B, Key servK, Number Ts\<rbrace>
paulson@18886
   652
           \<in> parts (spies evs);  B \<noteq> Tgs;  B \<notin> bad;
paulson@18886
   653
         evs \<in> kerbIV_gets \<rbrakk>
paulson@18886
   654
 \<Longrightarrow> \<exists>Ta authK.
paulson@18886
   655
     (Says Kas A (Crypt (shrK A) \<lbrace>Key authK, Agent Tgs, Number Ta,
paulson@18886
   656
                   Crypt (shrK Tgs) \<lbrace>Agent A, Agent Tgs, Key authK, Number Ta\<rbrace>\<rbrace>)
paulson@18886
   657
       \<in> set evs
paulson@18886
   658
     & Says Tgs A (Crypt authK \<lbrace>Key servK, Agent B, Number Ts,
paulson@18886
   659
                   Crypt (shrK B) \<lbrace>Agent A, Agent B, Key servK, Number Ts\<rbrace>\<rbrace>)
paulson@18886
   660
       \<in> set evs
paulson@18886
   661
     & servKlife + Ts <= authKlife + Ta)"
paulson@18886
   662
apply (blast dest: servTicket_authentic_Tgs u_K4_imp_K2)
paulson@18886
   663
done
paulson@18886
   664
paulson@18886
   665
lemma u_NotexpiredSK_NotexpiredAK:
paulson@18886
   666
     "\<lbrakk> \<not> expiredSK Ts evs; servKlife + Ts <= authKlife + Ta \<rbrakk>
paulson@18886
   667
      \<Longrightarrow> \<not> expiredAK Ta evs"
paulson@18886
   668
apply (blast dest: leI le_trans dest: leD)
paulson@18886
   669
done
paulson@18886
   670
paulson@18886
   671
paulson@18886
   672
subsection{* Reliability: friendly agents send something if something else happened*}
paulson@18886
   673
paulson@18886
   674
lemma K3_imp_K2:
paulson@18886
   675
     "\<lbrakk> Says A Tgs
paulson@18886
   676
             \<lbrace>authTicket, Crypt authK \<lbrace>Agent A, Number T2\<rbrace>, Agent B\<rbrace>
paulson@18886
   677
           \<in> set evs;
paulson@18886
   678
         A \<notin> bad;  evs \<in> kerbIV_gets \<rbrakk>
paulson@18886
   679
      \<Longrightarrow> \<exists>Ta. Says Kas A (Crypt (shrK A)
paulson@18886
   680
                      \<lbrace>Key authK, Agent Tgs, Number Ta, authTicket\<rbrace>)
paulson@18886
   681
                   \<in> set evs"
paulson@18886
   682
apply (erule rev_mp)
paulson@18886
   683
apply (erule kerbIV_gets.induct)
paulson@18886
   684
apply (frule_tac [8] Gets_ticket_parts)
paulson@18886
   685
apply (frule_tac [6] Gets_ticket_parts, simp_all, blast, blast)
paulson@18886
   686
apply (blast dest: Gets_imp_knows_Spy [THEN parts.Inj, THEN authK_authentic])
paulson@18886
   687
done
paulson@18886
   688
paulson@18886
   689
text{*Anticipated here from next subsection. An authK is encrypted by one and only one Shared key. A servK is encrypted by one and only one authK.*}
paulson@18886
   690
lemma Key_unique_SesKey:
paulson@18886
   691
     "\<lbrakk> Crypt K  \<lbrace>Key SesKey,  Agent B, T, Ticket\<rbrace>
paulson@18886
   692
           \<in> parts (spies evs);
paulson@18886
   693
         Crypt K' \<lbrace>Key SesKey,  Agent B', T', Ticket'\<rbrace>
paulson@18886
   694
           \<in> parts (spies evs);  Key SesKey \<notin> analz (spies evs);
paulson@18886
   695
         evs \<in> kerbIV_gets \<rbrakk>
paulson@18886
   696
      \<Longrightarrow> K=K' & B=B' & T=T' & Ticket=Ticket'"
paulson@18886
   697
apply (erule rev_mp)
paulson@18886
   698
apply (erule rev_mp)
paulson@18886
   699
apply (erule rev_mp)
paulson@18886
   700
apply (erule kerbIV_gets.induct, analz_mono_contra)
paulson@18886
   701
apply (frule_tac [8] Gets_ticket_parts)
paulson@18886
   702
apply (frule_tac [6] Gets_ticket_parts, simp_all)
paulson@18886
   703
txt{*Fake, K2, K4*}
paulson@18886
   704
apply (blast+)
paulson@18886
   705
done
paulson@18886
   706
paulson@18886
   707
lemma Tgs_authenticates_A:
paulson@18886
   708
  "\<lbrakk>  Crypt authK \<lbrace>Agent A, Number T2\<rbrace> \<in> parts (spies evs); 
paulson@18886
   709
      Crypt (shrK Tgs) \<lbrace>Agent A, Agent Tgs, Key authK, Number Ta\<rbrace>
paulson@18886
   710
           \<in> parts (spies evs);
paulson@18886
   711
      Key authK \<notin> analz (spies evs); A \<notin> bad; evs \<in> kerbIV_gets \<rbrakk>
paulson@18886
   712
 \<Longrightarrow> \<exists> B. Says A Tgs \<lbrace>
paulson@18886
   713
          Crypt (shrK Tgs) \<lbrace>Agent A, Agent Tgs, Key authK, Number Ta\<rbrace>,
paulson@18886
   714
          Crypt authK \<lbrace>Agent A, Number T2\<rbrace>, Agent B \<rbrace> \<in> set evs"  
paulson@18886
   715
apply (drule authTicket_authentic, assumption, rotate_tac 4)
paulson@18886
   716
apply (erule rev_mp, erule rev_mp, erule rev_mp)
paulson@18886
   717
apply (erule kerbIV_gets.induct, analz_mono_contra)
paulson@18886
   718
apply (frule_tac [6] Gets_ticket_parts)
paulson@18886
   719
apply (frule_tac [9] Gets_ticket_parts)
paulson@18886
   720
apply (simp_all (no_asm_simp) add: all_conj_distrib)
paulson@18886
   721
txt{*Fake*}
paulson@18886
   722
apply blast
paulson@18886
   723
txt{*K2*}
paulson@18886
   724
apply (force dest!: Crypt_imp_keysFor)
paulson@18886
   725
txt{*K3*}
paulson@18886
   726
apply (blast dest: Key_unique_SesKey)
paulson@18886
   727
txt{*K5*}
paulson@18886
   728
txt{*If authKa were compromised, so would be authK*}
paulson@18886
   729
apply (case_tac "Key authKa \<in> analz (spies evs5)")
paulson@18886
   730
apply (force dest!: Gets_imp_knows_Spy [THEN analz.Inj, THEN analz.Decrypt, THEN analz.Fst])
paulson@18886
   731
txt{*Besides, since authKa originated with Kas anyway...*}
paulson@18886
   732
apply (clarify, drule K3_imp_K2, assumption, assumption)
paulson@18886
   733
apply (clarify, drule Says_Kas_message_form, assumption)
paulson@18886
   734
txt{*...it cannot be a shared key*. Therefore @{term servK_authentic} applies. 
paulson@18886
   735
     Contradition: Tgs used authK as a servkey, 
paulson@18886
   736
     while Kas used it as an authkey*}
paulson@18886
   737
apply (blast dest: servK_authentic Says_Tgs_message_form)
paulson@18886
   738
done
paulson@18886
   739
paulson@18886
   740
lemma Says_K5:
paulson@18886
   741
     "\<lbrakk> Crypt servK \<lbrace>Agent A, Number T3\<rbrace> \<in> parts (spies evs);
paulson@18886
   742
         Says Tgs A (Crypt authK \<lbrace>Key servK, Agent B, Number Ts,
paulson@18886
   743
                                     servTicket\<rbrace>) \<in> set evs;
paulson@18886
   744
         Key servK \<notin> analz (spies evs);
paulson@18886
   745
         A \<notin> bad; B \<notin> bad; evs \<in> kerbIV_gets \<rbrakk>
paulson@18886
   746
 \<Longrightarrow> Says A B \<lbrace>servTicket, Crypt servK \<lbrace>Agent A, Number T3\<rbrace>\<rbrace> \<in> set evs"
paulson@18886
   747
apply (erule rev_mp)
paulson@18886
   748
apply (erule rev_mp)
paulson@18886
   749
apply (erule rev_mp)
paulson@18886
   750
apply (erule kerbIV_gets.induct, analz_mono_contra)
paulson@18886
   751
apply (frule_tac [6] Gets_ticket_parts)
paulson@18886
   752
apply (frule_tac [9] Gets_ticket_parts)
paulson@18886
   753
apply (simp_all (no_asm_simp) add: all_conj_distrib)
paulson@18886
   754
apply blast
paulson@18886
   755
txt{*K3*}
paulson@18886
   756
apply (blast dest: authK_authentic Says_Kas_message_form Says_Tgs_message_form)
paulson@18886
   757
txt{*K4*}
paulson@18886
   758
apply (force dest!: Crypt_imp_keysFor)
paulson@18886
   759
txt{*K5*}
paulson@18886
   760
apply (blast dest: Key_unique_SesKey)
paulson@18886
   761
done
paulson@18886
   762
paulson@18886
   763
text{*Anticipated here from next subsection*}
paulson@18886
   764
lemma unique_CryptKey:
paulson@18886
   765
     "\<lbrakk> Crypt (shrK B)  \<lbrace>Agent A,  Agent B,  Key SesKey, T\<rbrace>
paulson@18886
   766
           \<in> parts (spies evs);
paulson@18886
   767
         Crypt (shrK B') \<lbrace>Agent A', Agent B', Key SesKey, T'\<rbrace>
paulson@18886
   768
           \<in> parts (spies evs);  Key SesKey \<notin> analz (spies evs);
paulson@18886
   769
         evs \<in> kerbIV_gets \<rbrakk>
paulson@18886
   770
      \<Longrightarrow> A=A' & B=B' & T=T'"
paulson@18886
   771
apply (erule rev_mp)
paulson@18886
   772
apply (erule rev_mp)
paulson@18886
   773
apply (erule rev_mp)
paulson@18886
   774
apply (erule kerbIV_gets.induct, analz_mono_contra)
paulson@18886
   775
apply (frule_tac [8] Gets_ticket_parts)
paulson@18886
   776
apply (frule_tac [6] Gets_ticket_parts, simp_all)
paulson@18886
   777
txt{*Fake, K2, K4*}
paulson@18886
   778
apply (blast+)
paulson@18886
   779
done
paulson@18886
   780
paulson@18886
   781
lemma Says_K6:
paulson@18886
   782
     "\<lbrakk> Crypt servK (Number T3) \<in> parts (spies evs);
paulson@18886
   783
         Says Tgs A (Crypt authK \<lbrace>Key servK, Agent B, Number Ts,
paulson@18886
   784
                                     servTicket\<rbrace>) \<in> set evs;
paulson@18886
   785
         Key servK \<notin> analz (spies evs);
paulson@18886
   786
         A \<notin> bad; B \<notin> bad; evs \<in> kerbIV_gets \<rbrakk>
paulson@18886
   787
      \<Longrightarrow> Says B A (Crypt servK (Number T3)) \<in> set evs"
paulson@18886
   788
apply (erule rev_mp)
paulson@18886
   789
apply (erule rev_mp)
paulson@18886
   790
apply (erule rev_mp)
paulson@18886
   791
apply (erule kerbIV_gets.induct, analz_mono_contra)
paulson@18886
   792
apply (frule_tac [8] Gets_ticket_parts)
paulson@18886
   793
apply (frule_tac [6] Gets_ticket_parts)
paulson@18886
   794
apply (simp_all (no_asm_simp))
paulson@18886
   795
apply blast
paulson@18886
   796
apply (force dest!: Crypt_imp_keysFor, clarify)
paulson@18886
   797
apply (frule Says_Tgs_message_form, assumption, clarify) (*PROOF FAILED if omitted*)
paulson@18886
   798
apply (blast dest: unique_CryptKey)
paulson@18886
   799
done
paulson@18886
   800
paulson@18886
   801
text{*Needs a unicity theorem, hence moved here*}
paulson@18886
   802
lemma servK_authentic_ter:
paulson@18886
   803
 "\<lbrakk> Says Kas A
paulson@18886
   804
    (Crypt (shrK A) \<lbrace>Key authK, Agent Tgs, Number Ta, authTicket\<rbrace>) \<in> set evs;
paulson@18886
   805
     Crypt authK \<lbrace>Key servK, Agent B, Number Ts, servTicket\<rbrace>
paulson@18886
   806
       \<in> parts (spies evs);
paulson@18886
   807
     Key authK \<notin> analz (spies evs);
paulson@18886
   808
     evs \<in> kerbIV_gets \<rbrakk>
paulson@18886
   809
 \<Longrightarrow> Says Tgs A (Crypt authK \<lbrace>Key servK, Agent B, Number Ts, servTicket\<rbrace>)
paulson@18886
   810
       \<in> set evs"
paulson@18886
   811
apply (frule Says_Kas_message_form, assumption)
paulson@18886
   812
apply (erule rev_mp)
paulson@18886
   813
apply (erule rev_mp)
paulson@18886
   814
apply (erule rev_mp)
paulson@18886
   815
apply (erule kerbIV_gets.induct, analz_mono_contra)
paulson@18886
   816
apply (frule_tac [8] Gets_ticket_parts)
paulson@18886
   817
apply (frule_tac [6] Gets_ticket_parts, simp_all, blast)
paulson@18886
   818
txt{*K2 and K4 remain*}
paulson@18886
   819
prefer 2 apply (blast dest!: unique_CryptKey)
paulson@18886
   820
apply (blast dest!: servK_authentic Says_Tgs_message_form authKeys_used)
paulson@18886
   821
done
paulson@18886
   822
paulson@18886
   823
paulson@18886
   824
subsection{*Unicity Theorems*}
paulson@18886
   825
paulson@18886
   826
text{* The session key, if secure, uniquely identifies the Ticket
paulson@18886
   827
   whether authTicket or servTicket. As a matter of fact, one can read
paulson@18886
   828
   also Tgs in the place of B.                                     *}
paulson@18886
   829
paulson@18886
   830
paulson@18886
   831
lemma unique_authKeys:
paulson@18886
   832
     "\<lbrakk> Says Kas A
paulson@18886
   833
              (Crypt Ka \<lbrace>Key authK, Agent Tgs, Ta, X\<rbrace>) \<in> set evs;
paulson@18886
   834
         Says Kas A'
paulson@18886
   835
              (Crypt Ka' \<lbrace>Key authK, Agent Tgs, Ta', X'\<rbrace>) \<in> set evs;
paulson@18886
   836
         evs \<in> kerbIV_gets \<rbrakk> \<Longrightarrow> A=A' & Ka=Ka' & Ta=Ta' & X=X'"
paulson@18886
   837
apply (erule rev_mp)
paulson@18886
   838
apply (erule rev_mp)
paulson@18886
   839
apply (erule kerbIV_gets.induct)
paulson@18886
   840
apply (frule_tac [8] Gets_ticket_parts)
paulson@18886
   841
apply (frule_tac [6] Gets_ticket_parts, simp_all)
paulson@18886
   842
txt{*K2*}
paulson@18886
   843
apply blast
paulson@18886
   844
done
paulson@18886
   845
paulson@18886
   846
text{* servK uniquely identifies the message from Tgs *}
paulson@18886
   847
lemma unique_servKeys:
paulson@18886
   848
     "\<lbrakk> Says Tgs A
paulson@18886
   849
              (Crypt K \<lbrace>Key servK, Agent B, Ts, X\<rbrace>) \<in> set evs;
paulson@18886
   850
         Says Tgs A'
paulson@18886
   851
              (Crypt K' \<lbrace>Key servK, Agent B', Ts', X'\<rbrace>) \<in> set evs;
paulson@18886
   852
         evs \<in> kerbIV_gets \<rbrakk> \<Longrightarrow> A=A' & B=B' & K=K' & Ts=Ts' & X=X'"
paulson@18886
   853
apply (erule rev_mp)
paulson@18886
   854
apply (erule rev_mp)
paulson@18886
   855
apply (erule kerbIV_gets.induct)
paulson@18886
   856
apply (frule_tac [8] Gets_ticket_parts)
paulson@18886
   857
apply (frule_tac [6] Gets_ticket_parts, simp_all)
paulson@18886
   858
txt{*K4*}
paulson@18886
   859
apply blast
paulson@18886
   860
done
paulson@18886
   861
paulson@18886
   862
text{* Revised unicity theorems *}
paulson@18886
   863
paulson@18886
   864
lemma Kas_Unique:
paulson@18886
   865
     "\<lbrakk> Says Kas A
paulson@18886
   866
              (Crypt Ka \<lbrace>Key authK, Agent Tgs, Ta, authTicket\<rbrace>) \<in> set evs;
paulson@18886
   867
        evs \<in> kerbIV_gets \<rbrakk> \<Longrightarrow> 
paulson@18886
   868
   Unique (Says Kas A (Crypt Ka \<lbrace>Key authK, Agent Tgs, Ta, authTicket\<rbrace>)) 
paulson@18886
   869
   on evs"
paulson@18886
   870
apply (erule rev_mp, erule kerbIV_gets.induct, simp_all add: Unique_def)
paulson@18886
   871
apply blast
paulson@18886
   872
done
paulson@18886
   873
paulson@18886
   874
lemma Tgs_Unique:
paulson@18886
   875
     "\<lbrakk> Says Tgs A
paulson@18886
   876
              (Crypt authK \<lbrace>Key servK, Agent B, Ts, servTicket\<rbrace>) \<in> set evs;
paulson@18886
   877
        evs \<in> kerbIV_gets \<rbrakk> \<Longrightarrow> 
paulson@18886
   878
  Unique (Says Tgs A (Crypt authK \<lbrace>Key servK, Agent B, Ts, servTicket\<rbrace>)) 
paulson@18886
   879
  on evs"
paulson@18886
   880
apply (erule rev_mp, erule kerbIV_gets.induct, simp_all add: Unique_def)
paulson@18886
   881
apply blast
paulson@18886
   882
done
paulson@18886
   883
paulson@18886
   884
paulson@18886
   885
subsection{*Lemmas About the Predicate @{term AKcryptSK}*}
paulson@18886
   886
paulson@18886
   887
lemma not_AKcryptSK_Nil [iff]: "\<not> AKcryptSK authK servK []"
paulson@18886
   888
by (simp add: AKcryptSK_def)
paulson@18886
   889
paulson@18886
   890
lemma AKcryptSKI:
paulson@18886
   891
 "\<lbrakk> Says Tgs A (Crypt authK \<lbrace>Key servK, Agent B, Number Ts, X \<rbrace>) \<in> set evs;
paulson@18886
   892
     evs \<in> kerbIV_gets \<rbrakk> \<Longrightarrow> AKcryptSK authK servK evs"
paulson@18886
   893
apply (unfold AKcryptSK_def)
paulson@18886
   894
apply (blast dest: Says_Tgs_message_form)
paulson@18886
   895
done
paulson@18886
   896
paulson@18886
   897
lemma AKcryptSK_Says [simp]:
paulson@18886
   898
   "AKcryptSK authK servK (Says S A X # evs) =
paulson@18886
   899
     (Tgs = S &
paulson@18886
   900
      (\<exists>B Ts. X = Crypt authK
paulson@18886
   901
                \<lbrace>Key servK, Agent B, Number Ts,
paulson@18886
   902
                  Crypt (shrK B) \<lbrace>Agent A, Agent B, Key servK, Number Ts\<rbrace> \<rbrace>)
paulson@18886
   903
     | AKcryptSK authK servK evs)"
paulson@18886
   904
apply (unfold AKcryptSK_def)
paulson@18886
   905
apply (simp (no_asm))
paulson@18886
   906
apply blast
paulson@18886
   907
done
paulson@18886
   908
paulson@18886
   909
(*A fresh authK cannot be associated with any other
paulson@18886
   910
  (with respect to a given trace). *)
paulson@18886
   911
lemma Auth_fresh_not_AKcryptSK:
paulson@18886
   912
     "\<lbrakk> Key authK \<notin> used evs; evs \<in> kerbIV_gets \<rbrakk>
paulson@18886
   913
      \<Longrightarrow> \<not> AKcryptSK authK servK evs"
paulson@18886
   914
apply (unfold AKcryptSK_def)
paulson@18886
   915
apply (erule rev_mp)
paulson@18886
   916
apply (erule kerbIV_gets.induct)
paulson@18886
   917
apply (frule_tac [8] Gets_ticket_parts)
paulson@18886
   918
apply (frule_tac [6] Gets_ticket_parts, simp_all, blast)
paulson@18886
   919
done
paulson@18886
   920
paulson@18886
   921
(*A fresh servK cannot be associated with any other
paulson@18886
   922
  (with respect to a given trace). *)
paulson@18886
   923
lemma Serv_fresh_not_AKcryptSK:
paulson@18886
   924
 "Key servK \<notin> used evs \<Longrightarrow> \<not> AKcryptSK authK servK evs"
paulson@18886
   925
apply (unfold AKcryptSK_def, blast)
paulson@18886
   926
done
paulson@18886
   927
paulson@18886
   928
lemma authK_not_AKcryptSK:
paulson@18886
   929
     "\<lbrakk> Crypt (shrK Tgs) \<lbrace>Agent A, Agent Tgs, Key authK, tk\<rbrace>
paulson@18886
   930
           \<in> parts (spies evs);  evs \<in> kerbIV_gets \<rbrakk>
paulson@18886
   931
      \<Longrightarrow> \<not> AKcryptSK K authK evs"
paulson@18886
   932
apply (erule rev_mp)
paulson@18886
   933
apply (erule kerbIV_gets.induct)
paulson@18886
   934
apply (frule_tac [8] Gets_ticket_parts)
paulson@18886
   935
apply (frule_tac [6] Gets_ticket_parts, simp_all)
paulson@18886
   936
txt{*Fake*}
paulson@18886
   937
apply blast
paulson@18886
   938
txt{*Reception*}
paulson@18886
   939
apply (simp add: AKcryptSK_def)
paulson@18886
   940
txt{*K2: by freshness*}
paulson@18886
   941
apply (simp add: AKcryptSK_def)
paulson@18886
   942
txt{*K4*}
paulson@18886
   943
apply (blast+)
paulson@18886
   944
done
paulson@18886
   945
paulson@18886
   946
text{*A secure serverkey cannot have been used to encrypt others*}
paulson@18886
   947
lemma servK_not_AKcryptSK:
paulson@18886
   948
 "\<lbrakk> Crypt (shrK B) \<lbrace>Agent A, Agent B, Key SK, Number Ts\<rbrace> \<in> parts (spies evs);
paulson@18886
   949
     Key SK \<notin> analz (spies evs);  SK \<in> symKeys;
paulson@18886
   950
     B \<noteq> Tgs;  evs \<in> kerbIV_gets \<rbrakk>
paulson@18886
   951
  \<Longrightarrow> \<not> AKcryptSK SK K evs"
paulson@18886
   952
apply (erule rev_mp)
paulson@18886
   953
apply (erule rev_mp)
paulson@18886
   954
apply (erule kerbIV_gets.induct, analz_mono_contra)
paulson@18886
   955
apply (frule_tac [8] Gets_ticket_parts)
paulson@18886
   956
apply (frule_tac [6] Gets_ticket_parts, simp_all, blast)
paulson@18886
   957
txt{*Reception*}
paulson@18886
   958
apply (simp add: AKcryptSK_def)
paulson@18886
   959
txt{*K4 splits into distinct subcases*}
paulson@18886
   960
apply auto
paulson@18886
   961
txt{*servK can't have been enclosed in two certificates*}
paulson@18886
   962
 prefer 2 apply (blast dest: unique_CryptKey)
paulson@18886
   963
txt{*servK is fresh and so could not have been used, by
paulson@18886
   964
   @{text new_keys_not_used}*}
paulson@18886
   965
apply (force dest!: Crypt_imp_invKey_keysFor simp add: AKcryptSK_def)
paulson@18886
   966
done
paulson@18886
   967
paulson@18886
   968
text{*Long term keys are not issued as servKeys*}
paulson@18886
   969
lemma shrK_not_AKcryptSK:
paulson@18886
   970
     "evs \<in> kerbIV_gets \<Longrightarrow> \<not> AKcryptSK K (shrK A) evs"
paulson@18886
   971
apply (unfold AKcryptSK_def)
paulson@18886
   972
apply (erule kerbIV_gets.induct)
paulson@18886
   973
apply (frule_tac [8] Gets_ticket_parts)
paulson@18886
   974
apply (frule_tac [6] Gets_ticket_parts, auto)
paulson@18886
   975
done
paulson@18886
   976
paulson@18886
   977
text{*The Tgs message associates servK with authK and therefore not with any
paulson@18886
   978
  other key authK.*}
paulson@18886
   979
lemma Says_Tgs_AKcryptSK:
paulson@18886
   980
     "\<lbrakk> Says Tgs A (Crypt authK \<lbrace>Key servK, Agent B, Number Ts, X \<rbrace>)
paulson@18886
   981
           \<in> set evs;
paulson@18886
   982
         authK' \<noteq> authK;  evs \<in> kerbIV_gets \<rbrakk>
paulson@18886
   983
      \<Longrightarrow> \<not> AKcryptSK authK' servK evs"
paulson@18886
   984
apply (unfold AKcryptSK_def)
paulson@18886
   985
apply (blast dest: unique_servKeys)
paulson@18886
   986
done
paulson@18886
   987
paulson@18886
   988
text{*Equivalently*}
paulson@18886
   989
lemma not_different_AKcryptSK:
paulson@18886
   990
     "\<lbrakk> AKcryptSK authK servK evs;
paulson@18886
   991
        authK' \<noteq> authK;  evs \<in> kerbIV_gets \<rbrakk>
paulson@18886
   992
      \<Longrightarrow> \<not> AKcryptSK authK' servK evs  \<and> servK \<in> symKeys"
paulson@18886
   993
apply (simp add: AKcryptSK_def)
paulson@18886
   994
apply (blast dest: unique_servKeys Says_Tgs_message_form)
paulson@18886
   995
done
paulson@18886
   996
paulson@18886
   997
lemma AKcryptSK_not_AKcryptSK:
paulson@18886
   998
     "\<lbrakk> AKcryptSK authK servK evs;  evs \<in> kerbIV_gets \<rbrakk>
paulson@18886
   999
      \<Longrightarrow> \<not> AKcryptSK servK K evs"
paulson@18886
  1000
apply (erule rev_mp)
paulson@18886
  1001
apply (erule kerbIV_gets.induct)
paulson@18886
  1002
apply (frule_tac [8] Gets_ticket_parts)
paulson@18886
  1003
apply (frule_tac [6] Gets_ticket_parts)
paulson@18886
  1004
txt{*Reception*}
paulson@18886
  1005
prefer 3 apply (simp add: AKcryptSK_def)
paulson@18886
  1006
apply (simp_all, safe)
paulson@18886
  1007
txt{*K4 splits into subcases*}
paulson@18886
  1008
prefer 4 apply (blast dest!: authK_not_AKcryptSK)
paulson@18886
  1009
txt{*servK is fresh and so could not have been used, by
paulson@18886
  1010
   @{text new_keys_not_used}*}
paulson@18886
  1011
 prefer 2 
paulson@18886
  1012
 apply (force dest!: Crypt_imp_invKey_keysFor simp add: AKcryptSK_def)
paulson@18886
  1013
txt{*Others by freshness*}
paulson@18886
  1014
apply (blast+)
paulson@18886
  1015
done
paulson@18886
  1016
paulson@18886
  1017
text{*The only session keys that can be found with the help of session keys are
paulson@18886
  1018
  those sent by Tgs in step K4.  *}
paulson@18886
  1019
paulson@18886
  1020
text{*We take some pains to express the property
paulson@18886
  1021
  as a logical equivalence so that the simplifier can apply it.*}
paulson@18886
  1022
lemma Key_analz_image_Key_lemma:
paulson@18886
  1023
     "P \<longrightarrow> (Key K \<in> analz (Key`KK Un H)) \<longrightarrow> (K:KK | Key K \<in> analz H)
paulson@18886
  1024
      \<Longrightarrow>
paulson@18886
  1025
      P \<longrightarrow> (Key K \<in> analz (Key`KK Un H)) = (K:KK | Key K \<in> analz H)"
paulson@18886
  1026
by (blast intro: analz_mono [THEN subsetD])
paulson@18886
  1027
paulson@18886
  1028
paulson@18886
  1029
lemma AKcryptSK_analz_insert:
paulson@18886
  1030
     "\<lbrakk> AKcryptSK K K' evs; K \<in> symKeys; evs \<in> kerbIV_gets \<rbrakk>
paulson@18886
  1031
      \<Longrightarrow> Key K' \<in> analz (insert (Key K) (spies evs))"
paulson@18886
  1032
apply (simp add: AKcryptSK_def, clarify)
paulson@18886
  1033
apply (drule Says_imp_spies [THEN analz.Inj, THEN analz_insertI], auto)
paulson@18886
  1034
done
paulson@18886
  1035
paulson@18886
  1036
lemma authKeys_are_not_AKcryptSK:
paulson@18886
  1037
     "\<lbrakk> K \<in> authKeys evs Un range shrK;  evs \<in> kerbIV_gets \<rbrakk>
paulson@18886
  1038
      \<Longrightarrow> \<forall>SK. \<not> AKcryptSK SK K evs \<and> K \<in> symKeys"
paulson@18886
  1039
apply (simp add: authKeys_def AKcryptSK_def)
paulson@18886
  1040
apply (blast dest: Says_Kas_message_form Says_Tgs_message_form)
paulson@18886
  1041
done
paulson@18886
  1042
paulson@18886
  1043
lemma not_authKeys_not_AKcryptSK:
paulson@18886
  1044
     "\<lbrakk> K \<notin> authKeys evs;
paulson@18886
  1045
         K \<notin> range shrK; evs \<in> kerbIV_gets \<rbrakk>
paulson@18886
  1046
      \<Longrightarrow> \<forall>SK. \<not> AKcryptSK K SK evs"
paulson@18886
  1047
apply (simp add: AKcryptSK_def)
paulson@18886
  1048
apply (blast dest: Says_Tgs_message_form)
paulson@18886
  1049
done
paulson@18886
  1050
paulson@18886
  1051
paulson@18886
  1052
subsection{*Secrecy Theorems*}
paulson@18886
  1053
paulson@18886
  1054
text{*For the Oops2 case of the next theorem*}
paulson@18886
  1055
lemma Oops2_not_AKcryptSK:
paulson@18886
  1056
     "\<lbrakk> evs \<in> kerbIV_gets;
paulson@18886
  1057
         Says Tgs A (Crypt authK
paulson@18886
  1058
                     \<lbrace>Key servK, Agent B, Number Ts, servTicket\<rbrace>)
paulson@18886
  1059
           \<in> set evs \<rbrakk>
paulson@18886
  1060
      \<Longrightarrow> \<not> AKcryptSK servK SK evs"
paulson@18886
  1061
apply (blast dest: AKcryptSKI AKcryptSK_not_AKcryptSK)
paulson@18886
  1062
done
paulson@18886
  1063
   
paulson@18886
  1064
text{* Big simplification law for keys SK that are not crypted by keys in KK
paulson@18886
  1065
 It helps prove three, otherwise hard, facts about keys. These facts are
paulson@18886
  1066
 exploited as simplification laws for analz, and also "limit the damage"
paulson@18886
  1067
 in case of loss of a key to the spy. See ESORICS98. *}
paulson@18886
  1068
lemma Key_analz_image_Key [rule_format (no_asm)]:
paulson@18886
  1069
     "evs \<in> kerbIV_gets \<Longrightarrow>
paulson@18886
  1070
      (\<forall>SK KK. SK \<in> symKeys & KK <= -(range shrK) \<longrightarrow>
paulson@18886
  1071
       (\<forall>K \<in> KK. \<not> AKcryptSK K SK evs)   \<longrightarrow>
paulson@18886
  1072
       (Key SK \<in> analz (Key`KK Un (spies evs))) =
paulson@18886
  1073
       (SK \<in> KK | Key SK \<in> analz (spies evs)))"
paulson@18886
  1074
apply (erule kerbIV_gets.induct)
paulson@18886
  1075
apply (frule_tac [11] Oops_range_spies2)
paulson@18886
  1076
apply (frule_tac [10] Oops_range_spies1)
paulson@18886
  1077
apply (frule_tac [8] Says_tgs_message_form)
paulson@18886
  1078
apply (frule_tac [6] Says_kas_message_form)
paulson@18886
  1079
apply (safe del: impI intro!: Key_analz_image_Key_lemma [THEN impI])
paulson@18886
  1080
txt{*Case-splits for Oops1 and message 5: the negated case simplifies using
paulson@18886
  1081
 the induction hypothesis*}
paulson@18886
  1082
apply (case_tac [12] "AKcryptSK authK SK evsO1")
paulson@18886
  1083
apply (case_tac [9] "AKcryptSK servK SK evs5")
paulson@18886
  1084
apply (simp_all del: image_insert
paulson@18886
  1085
        add: analz_image_freshK_simps AKcryptSK_Says shrK_not_AKcryptSK
paulson@18886
  1086
             Oops2_not_AKcryptSK Auth_fresh_not_AKcryptSK
paulson@18886
  1087
       Serv_fresh_not_AKcryptSK Says_Tgs_AKcryptSK Spy_analz_shrK)
paulson@18886
  1088
  --{*18 seconds on a 1.8GHz machine??*}
paulson@18886
  1089
txt{*Fake*} 
paulson@18886
  1090
apply spy_analz
paulson@18886
  1091
txt{*Reception*}
paulson@18886
  1092
apply (simp add: AKcryptSK_def)
paulson@18886
  1093
txt{*K2*}
paulson@18886
  1094
apply blast 
paulson@18886
  1095
txt{*K3*}
paulson@18886
  1096
apply blast 
paulson@18886
  1097
txt{*K4*}
paulson@18886
  1098
apply (blast dest!: authK_not_AKcryptSK)
paulson@18886
  1099
txt{*K5*}
paulson@18886
  1100
apply (case_tac "Key servK \<in> analz (spies evs5) ")
paulson@18886
  1101
txt{*If servK is compromised then the result follows directly...*}
paulson@18886
  1102
apply (simp (no_asm_simp) add: analz_insert_eq Un_upper2 [THEN analz_mono, THEN subsetD])
paulson@18886
  1103
txt{*...therefore servK is uncompromised.*}
paulson@18886
  1104
txt{*The AKcryptSK servK SK evs5 case leads to a contradiction.*}
paulson@18886
  1105
apply (blast elim!: servK_not_AKcryptSK [THEN [2] rev_notE] del: allE ballE)
paulson@18886
  1106
txt{*Another K5 case*}
paulson@18886
  1107
apply blast 
paulson@18886
  1108
txt{*Oops1*}
paulson@18886
  1109
apply simp 
paulson@18886
  1110
apply (blast dest!: AKcryptSK_analz_insert)
paulson@18886
  1111
done
paulson@18886
  1112
paulson@18886
  1113
text{* First simplification law for analz: no session keys encrypt
paulson@18886
  1114
authentication keys or shared keys. *}
paulson@18886
  1115
lemma analz_insert_freshK1:
paulson@18886
  1116
     "\<lbrakk> evs \<in> kerbIV_gets;  K \<in> authKeys evs Un range shrK;
paulson@18886
  1117
        SesKey \<notin> range shrK \<rbrakk>
paulson@18886
  1118
      \<Longrightarrow> (Key K \<in> analz (insert (Key SesKey) (spies evs))) =
paulson@18886
  1119
          (K = SesKey | Key K \<in> analz (spies evs))"
paulson@18886
  1120
apply (frule authKeys_are_not_AKcryptSK, assumption)
paulson@18886
  1121
apply (simp del: image_insert
paulson@18886
  1122
            add: analz_image_freshK_simps add: Key_analz_image_Key)
paulson@18886
  1123
done
paulson@18886
  1124
paulson@18886
  1125
paulson@18886
  1126
text{* Second simplification law for analz: no service keys encrypt any other keys.*}
paulson@18886
  1127
lemma analz_insert_freshK2:
paulson@18886
  1128
     "\<lbrakk> evs \<in> kerbIV_gets;  servK \<notin> (authKeys evs); servK \<notin> range shrK;
paulson@18886
  1129
        K \<in> symKeys \<rbrakk>
paulson@18886
  1130
      \<Longrightarrow> (Key K \<in> analz (insert (Key servK) (spies evs))) =
paulson@18886
  1131
          (K = servK | Key K \<in> analz (spies evs))"
paulson@18886
  1132
apply (frule not_authKeys_not_AKcryptSK, assumption, assumption)
paulson@18886
  1133
apply (simp del: image_insert
paulson@18886
  1134
            add: analz_image_freshK_simps add: Key_analz_image_Key)
paulson@18886
  1135
done
paulson@18886
  1136
paulson@18886
  1137
paulson@18886
  1138
text{* Third simplification law for analz: only one authentication key encrypts a certain service key.*}
paulson@18886
  1139
paulson@18886
  1140
lemma analz_insert_freshK3:
paulson@18886
  1141
 "\<lbrakk> AKcryptSK authK servK evs;
paulson@18886
  1142
    authK' \<noteq> authK; authK' \<notin> range shrK; evs \<in> kerbIV_gets \<rbrakk>
paulson@18886
  1143
        \<Longrightarrow> (Key servK \<in> analz (insert (Key authK') (spies evs))) =
paulson@18886
  1144
                (servK = authK' | Key servK \<in> analz (spies evs))"
paulson@18886
  1145
apply (drule_tac authK' = authK' in not_different_AKcryptSK, blast, assumption)
paulson@18886
  1146
apply (simp del: image_insert
paulson@18886
  1147
            add: analz_image_freshK_simps add: Key_analz_image_Key)
paulson@18886
  1148
done
paulson@18886
  1149
paulson@18886
  1150
lemma analz_insert_freshK3_bis:
paulson@18886
  1151
 "\<lbrakk> Says Tgs A
paulson@18886
  1152
            (Crypt authK \<lbrace>Key servK, Agent B, Number Ts, servTicket\<rbrace>)
paulson@18886
  1153
        \<in> set evs; 
paulson@18886
  1154
     authK \<noteq> authK'; authK' \<notin> range shrK; evs \<in> kerbIV_gets \<rbrakk>
paulson@18886
  1155
        \<Longrightarrow> (Key servK \<in> analz (insert (Key authK') (spies evs))) =
paulson@18886
  1156
                (servK = authK' | Key servK \<in> analz (spies evs))"
paulson@18886
  1157
apply (frule AKcryptSKI, assumption)
paulson@18886
  1158
apply (simp add: analz_insert_freshK3)
paulson@18886
  1159
done
paulson@18886
  1160
paulson@18886
  1161
text{*a weakness of the protocol*}
paulson@18886
  1162
lemma authK_compromises_servK:
paulson@18886
  1163
     "\<lbrakk> Says Tgs A
paulson@18886
  1164
              (Crypt authK \<lbrace>Key servK, Agent B, Number Ts, servTicket\<rbrace>)
paulson@18886
  1165
           \<in> set evs;  authK \<in> symKeys;
paulson@18886
  1166
         Key authK \<in> analz (spies evs); evs \<in> kerbIV_gets \<rbrakk>
paulson@18886
  1167
      \<Longrightarrow> Key servK \<in> analz (spies evs)"
paulson@18886
  1168
by (force dest: Says_imp_spies [THEN analz.Inj, THEN analz.Decrypt, THEN analz.Fst])
paulson@18886
  1169
paulson@18886
  1170
lemma servK_notin_authKeysD:
paulson@18886
  1171
     "\<lbrakk> Crypt authK \<lbrace>Key servK, Agent B, Ts,
paulson@18886
  1172
                      Crypt (shrK B) \<lbrace>Agent A, Agent B, Key servK, Ts\<rbrace>\<rbrace>
paulson@18886
  1173
           \<in> parts (spies evs);
paulson@18886
  1174
         Key servK \<notin> analz (spies evs);
paulson@18886
  1175
         B \<noteq> Tgs; evs \<in> kerbIV_gets \<rbrakk>
paulson@18886
  1176
      \<Longrightarrow> servK \<notin> authKeys evs"
paulson@18886
  1177
apply (erule rev_mp)
paulson@18886
  1178
apply (erule rev_mp)
paulson@18886
  1179
apply (simp add: authKeys_def)
paulson@18886
  1180
apply (erule kerbIV_gets.induct, analz_mono_contra)
paulson@18886
  1181
apply (frule_tac [8] Gets_ticket_parts)
paulson@18886
  1182
apply (frule_tac [6] Gets_ticket_parts, simp_all)
paulson@18886
  1183
apply (blast+)
paulson@18886
  1184
done
paulson@18886
  1185
paulson@18886
  1186
paulson@18886
  1187
text{*If Spy sees the Authentication Key sent in msg K2, then
paulson@18886
  1188
    the Key has expired.*}
paulson@18886
  1189
lemma Confidentiality_Kas_lemma [rule_format]:
paulson@18886
  1190
     "\<lbrakk> authK \<in> symKeys; A \<notin> bad;  evs \<in> kerbIV_gets \<rbrakk>
paulson@18886
  1191
      \<Longrightarrow> Says Kas A
paulson@18886
  1192
               (Crypt (shrK A)
paulson@18886
  1193
                  \<lbrace>Key authK, Agent Tgs, Number Ta,
paulson@18886
  1194
          Crypt (shrK Tgs) \<lbrace>Agent A, Agent Tgs, Key authK, Number Ta\<rbrace>\<rbrace>)
paulson@18886
  1195
            \<in> set evs \<longrightarrow>
paulson@18886
  1196
          Key authK \<in> analz (spies evs) \<longrightarrow>
paulson@18886
  1197
          expiredAK Ta evs"
paulson@18886
  1198
apply (erule kerbIV_gets.induct)
paulson@18886
  1199
apply (frule_tac [11] Oops_range_spies2)
paulson@18886
  1200
apply (frule_tac [10] Oops_range_spies1)
paulson@18886
  1201
apply (frule_tac [8] Says_tgs_message_form)
paulson@18886
  1202
apply (frule_tac [6] Says_kas_message_form)
paulson@18886
  1203
apply (safe del: impI conjI impCE)
paulson@18886
  1204
apply (simp_all (no_asm_simp) add: Says_Kas_message_form less_SucI analz_insert_eq not_parts_not_analz analz_insert_freshK1 pushes)
paulson@18886
  1205
txt{*Fake*}
paulson@18886
  1206
apply spy_analz
paulson@18886
  1207
txt{*K2*}
paulson@18886
  1208
apply blast
paulson@18886
  1209
txt{*K4*}
paulson@18886
  1210
apply blast
paulson@18886
  1211
txt{*Level 8: K5*}
paulson@18886
  1212
apply (blast dest: servK_notin_authKeysD Says_Kas_message_form intro: less_SucI)
paulson@18886
  1213
txt{*Oops1*}
paulson@18886
  1214
apply (blast dest!: unique_authKeys intro: less_SucI)
paulson@18886
  1215
txt{*Oops2*}
paulson@18886
  1216
apply (blast dest: Says_Tgs_message_form Says_Kas_message_form)
paulson@18886
  1217
done
paulson@18886
  1218
paulson@18886
  1219
lemma Confidentiality_Kas:
paulson@18886
  1220
     "\<lbrakk> Says Kas A
paulson@18886
  1221
              (Crypt Ka \<lbrace>Key authK, Agent Tgs, Number Ta, authTicket\<rbrace>)
paulson@18886
  1222
           \<in> set evs;
paulson@18886
  1223
         \<not> expiredAK Ta evs;
paulson@18886
  1224
         A \<notin> bad;  evs \<in> kerbIV_gets \<rbrakk>
paulson@18886
  1225
      \<Longrightarrow> Key authK \<notin> analz (spies evs)"
paulson@18886
  1226
by (blast dest: Says_Kas_message_form Confidentiality_Kas_lemma)
paulson@18886
  1227
paulson@18886
  1228
text{*If Spy sees the Service Key sent in msg K4, then
paulson@18886
  1229
    the Key has expired.*}
paulson@18886
  1230
paulson@18886
  1231
lemma Confidentiality_lemma [rule_format]:
paulson@18886
  1232
     "\<lbrakk> Says Tgs A
wenzelm@32960
  1233
            (Crypt authK
wenzelm@32960
  1234
               \<lbrace>Key servK, Agent B, Number Ts,
wenzelm@32960
  1235
                 Crypt (shrK B) \<lbrace>Agent A, Agent B, Key servK, Number Ts\<rbrace>\<rbrace>)
wenzelm@32960
  1236
           \<in> set evs;
wenzelm@32960
  1237
        Key authK \<notin> analz (spies evs);
paulson@18886
  1238
        servK \<in> symKeys;
wenzelm@32960
  1239
        A \<notin> bad;  B \<notin> bad; evs \<in> kerbIV_gets \<rbrakk>
paulson@18886
  1240
      \<Longrightarrow> Key servK \<in> analz (spies evs) \<longrightarrow>
wenzelm@32960
  1241
          expiredSK Ts evs"
paulson@18886
  1242
apply (erule rev_mp)
paulson@18886
  1243
apply (erule rev_mp)
paulson@18886
  1244
apply (erule kerbIV_gets.induct)
paulson@18886
  1245
apply (rule_tac [10] impI)+;
paulson@18886
  1246
  --{*The Oops1 case is unusual: must simplify
paulson@18886
  1247
    @{term "Authkey \<notin> analz (spies (ev#evs))"}, not letting
paulson@18886
  1248
   @{text analz_mono_contra} weaken it to
paulson@18886
  1249
   @{term "Authkey \<notin> analz (spies evs)"},
paulson@18886
  1250
  for we then conclude @{term "authK \<noteq> authKa"}.*}
paulson@18886
  1251
apply analz_mono_contra
paulson@18886
  1252
apply (frule_tac [11] Oops_range_spies2)
paulson@18886
  1253
apply (frule_tac [10] Oops_range_spies1)
paulson@18886
  1254
apply (frule_tac [8] Says_tgs_message_form)
paulson@18886
  1255
apply (frule_tac [6] Says_kas_message_form)
paulson@18886
  1256
apply (safe del: impI conjI impCE)
paulson@18886
  1257
apply (simp_all add: less_SucI new_keys_not_analzd Says_Kas_message_form Says_Tgs_message_form analz_insert_eq not_parts_not_analz analz_insert_freshK1 analz_insert_freshK2 analz_insert_freshK3_bis pushes)
paulson@18886
  1258
txt{*Fake*}
paulson@18886
  1259
apply spy_analz
paulson@18886
  1260
txt{*K2*}
paulson@18886
  1261
apply (blast intro: parts_insertI less_SucI)
paulson@18886
  1262
txt{*K4*}
paulson@18886
  1263
apply (blast dest: authTicket_authentic Confidentiality_Kas)
paulson@18886
  1264
txt{*Oops2*}
paulson@18886
  1265
  prefer 3
paulson@18886
  1266
  apply (blast dest: Says_imp_spies [THEN parts.Inj] Key_unique_SesKey intro: less_SucI)
paulson@18886
  1267
txt{*Oops1*}
paulson@18886
  1268
 prefer 2
paulson@18886
  1269
apply (blast dest: Says_Kas_message_form Says_Tgs_message_form intro: less_SucI)
paulson@18886
  1270
txt{*K5. Not clear how this step could be integrated with the main
paulson@18886
  1271
       simplification step. Done in KerberosV.thy*}
paulson@18886
  1272
apply clarify
paulson@18886
  1273
apply (erule_tac V = "Says Aa Tgs ?X \<in> set ?evs" in thin_rl)
paulson@18886
  1274
apply (frule Gets_imp_knows_Spy [THEN parts.Inj, THEN servK_notin_authKeysD])
paulson@18886
  1275
apply (assumption, assumption, blast, assumption)
paulson@18886
  1276
apply (simp add: analz_insert_freshK2)
paulson@18886
  1277
apply (blast dest: Says_imp_spies [THEN parts.Inj] Key_unique_SesKey intro: less_SucI)
paulson@18886
  1278
done
paulson@18886
  1279
paulson@18886
  1280
paulson@18886
  1281
text{* In the real world Tgs can't check wheter authK is secure! *}
paulson@18886
  1282
lemma Confidentiality_Tgs:
paulson@18886
  1283
     "\<lbrakk> Says Tgs A
paulson@18886
  1284
              (Crypt authK \<lbrace>Key servK, Agent B, Number Ts, servTicket\<rbrace>)
paulson@18886
  1285
           \<in> set evs;
paulson@18886
  1286
         Key authK \<notin> analz (spies evs);
paulson@18886
  1287
         \<not> expiredSK Ts evs;
paulson@18886
  1288
         A \<notin> bad;  B \<notin> bad; evs \<in> kerbIV_gets \<rbrakk>
paulson@18886
  1289
      \<Longrightarrow> Key servK \<notin> analz (spies evs)"
paulson@18886
  1290
apply (blast dest: Says_Tgs_message_form Confidentiality_lemma)
paulson@18886
  1291
done
paulson@18886
  1292
paulson@18886
  1293
text{* In the real world Tgs CAN check what Kas sends! *}
paulson@18886
  1294
lemma Confidentiality_Tgs_bis:
paulson@18886
  1295
     "\<lbrakk> Says Kas A
paulson@18886
  1296
               (Crypt Ka \<lbrace>Key authK, Agent Tgs, Number Ta, authTicket\<rbrace>)
paulson@18886
  1297
           \<in> set evs;
paulson@18886
  1298
         Says Tgs A
paulson@18886
  1299
              (Crypt authK \<lbrace>Key servK, Agent B, Number Ts, servTicket\<rbrace>)
paulson@18886
  1300
           \<in> set evs;
paulson@18886
  1301
         \<not> expiredAK Ta evs; \<not> expiredSK Ts evs;
paulson@18886
  1302
         A \<notin> bad;  B \<notin> bad; evs \<in> kerbIV_gets \<rbrakk>
paulson@18886
  1303
      \<Longrightarrow> Key servK \<notin> analz (spies evs)"
paulson@18886
  1304
apply (blast dest!: Confidentiality_Kas Confidentiality_Tgs)
paulson@18886
  1305
done
paulson@18886
  1306
paulson@18886
  1307
text{*Most general form*}
paulson@18886
  1308
lemmas Confidentiality_Tgs_ter = authTicket_authentic [THEN Confidentiality_Tgs_bis]
paulson@18886
  1309
paulson@18886
  1310
lemmas Confidentiality_Auth_A = authK_authentic [THEN Confidentiality_Kas]
paulson@18886
  1311
paulson@18886
  1312
text{*Needs a confidentiality guarantee, hence moved here.
paulson@18886
  1313
      Authenticity of servK for A*}
paulson@18886
  1314
lemma servK_authentic_bis_r:
paulson@18886
  1315
     "\<lbrakk> Crypt (shrK A) \<lbrace>Key authK, Agent Tgs, Number Ta, authTicket\<rbrace>
paulson@18886
  1316
           \<in> parts (spies evs);
paulson@18886
  1317
         Crypt authK \<lbrace>Key servK, Agent B, Number Ts, servTicket\<rbrace>
paulson@18886
  1318
           \<in> parts (spies evs);
paulson@18886
  1319
         \<not> expiredAK Ta evs; A \<notin> bad; evs \<in> kerbIV_gets \<rbrakk>
paulson@18886
  1320
 \<Longrightarrow>Says Tgs A (Crypt authK \<lbrace>Key servK, Agent B, Number Ts, servTicket\<rbrace>)
paulson@18886
  1321
       \<in> set evs"
paulson@18886
  1322
apply (blast dest: authK_authentic Confidentiality_Auth_A servK_authentic_ter)
paulson@18886
  1323
done
paulson@18886
  1324
paulson@18886
  1325
lemma Confidentiality_Serv_A:
paulson@18886
  1326
     "\<lbrakk> Crypt (shrK A) \<lbrace>Key authK, Agent Tgs, Number Ta, authTicket\<rbrace>
paulson@18886
  1327
           \<in> parts (spies evs);
paulson@18886
  1328
         Crypt authK \<lbrace>Key servK, Agent B, Number Ts, servTicket\<rbrace>
paulson@18886
  1329
           \<in> parts (spies evs);
paulson@18886
  1330
         \<not> expiredAK Ta evs; \<not> expiredSK Ts evs;
paulson@18886
  1331
         A \<notin> bad;  B \<notin> bad; evs \<in> kerbIV_gets \<rbrakk>
paulson@18886
  1332
      \<Longrightarrow> Key servK \<notin> analz (spies evs)"
paulson@18886
  1333
apply (drule authK_authentic, assumption, assumption)
paulson@18886
  1334
apply (blast dest: Confidentiality_Kas Says_Kas_message_form servK_authentic_ter Confidentiality_Tgs_bis)
paulson@18886
  1335
done
paulson@18886
  1336
paulson@18886
  1337
lemma Confidentiality_B:
paulson@18886
  1338
     "\<lbrakk> Crypt (shrK B) \<lbrace>Agent A, Agent B, Key servK, Number Ts\<rbrace>
paulson@18886
  1339
           \<in> parts (spies evs);
paulson@18886
  1340
         Crypt authK \<lbrace>Key servK, Agent B, Number Ts, servTicket\<rbrace>
paulson@18886
  1341
           \<in> parts (spies evs);
paulson@18886
  1342
         Crypt (shrK A) \<lbrace>Key authK, Agent Tgs, Number Ta, authTicket\<rbrace>
paulson@18886
  1343
           \<in> parts (spies evs);
paulson@18886
  1344
         \<not> expiredSK Ts evs; \<not> expiredAK Ta evs;
paulson@18886
  1345
         A \<notin> bad;  B \<notin> bad; B \<noteq> Tgs; evs \<in> kerbIV_gets \<rbrakk>
paulson@18886
  1346
      \<Longrightarrow> Key servK \<notin> analz (spies evs)"
paulson@18886
  1347
apply (frule authK_authentic)
paulson@18886
  1348
apply (frule_tac [3] Confidentiality_Kas)
paulson@18886
  1349
apply (frule_tac [6] servTicket_authentic, auto)
paulson@18886
  1350
apply (blast dest!: Confidentiality_Tgs_bis dest: Says_Kas_message_form servK_authentic unique_servKeys unique_authKeys)
paulson@18886
  1351
done
paulson@18886
  1352
paulson@18886
  1353
lemma u_Confidentiality_B:
paulson@18886
  1354
     "\<lbrakk> Crypt (shrK B) \<lbrace>Agent A, Agent B, Key servK, Number Ts\<rbrace>
paulson@18886
  1355
           \<in> parts (spies evs);
paulson@18886
  1356
         \<not> expiredSK Ts evs;
paulson@18886
  1357
         A \<notin> bad;  B \<notin> bad;  B \<noteq> Tgs; evs \<in> kerbIV_gets \<rbrakk>
paulson@18886
  1358
      \<Longrightarrow> Key servK \<notin> analz (spies evs)"
paulson@18886
  1359
apply (blast dest: u_servTicket_authentic u_NotexpiredSK_NotexpiredAK Confidentiality_Tgs_bis)
paulson@18886
  1360
done
paulson@18886
  1361
paulson@18886
  1362
paulson@18886
  1363
paulson@18886
  1364
subsection{*2. Parties' strong authentication: 
paulson@18886
  1365
       non-injective agreement on the session key. The same guarantees also
paulson@18886
  1366
       express key distribution, hence their names*}
paulson@18886
  1367
paulson@18886
  1368
text{*Authentication here still is weak agreement - of B with A*}
paulson@18886
  1369
lemma A_authenticates_B:
paulson@18886
  1370
     "\<lbrakk> Crypt servK (Number T3) \<in> parts (spies evs);
paulson@18886
  1371
         Crypt authK \<lbrace>Key servK, Agent B, Number Ts, servTicket\<rbrace>
paulson@18886
  1372
           \<in> parts (spies evs);
paulson@18886
  1373
         Crypt (shrK A) \<lbrace>Key authK, Agent Tgs, Number Ta, authTicket\<rbrace>
paulson@18886
  1374
           \<in> parts (spies evs);
paulson@18886
  1375
         Key authK \<notin> analz (spies evs); Key servK \<notin> analz (spies evs);
paulson@18886
  1376
         A \<notin> bad;  B \<notin> bad; evs \<in> kerbIV_gets \<rbrakk>
paulson@18886
  1377
      \<Longrightarrow> Says B A (Crypt servK (Number T3)) \<in> set evs"
paulson@18886
  1378
apply (frule authK_authentic)
paulson@18886
  1379
apply assumption+
paulson@18886
  1380
apply (frule servK_authentic)
paulson@18886
  1381
prefer 2 apply (blast dest: authK_authentic Says_Kas_message_form)
paulson@18886
  1382
apply assumption+
paulson@18886
  1383
apply (blast dest: K4_imp_K2 Key_unique_SesKey intro!: Says_K6)
paulson@18886
  1384
(*Single command proof: slower!
paulson@18886
  1385
apply (blast dest: authK_authentic servK_authentic Says_Kas_message_form Key_unique_SesKey K4_imp_K2 intro!: Says_K6)
paulson@18886
  1386
*)
paulson@18886
  1387
done
paulson@18886
  1388
paulson@18886
  1389
(*These two have never been proved, because never were they needed before!*)
paulson@18886
  1390
lemma shrK_in_initState_Server[iff]:  "Key (shrK A) \<in> initState Kas"
paulson@18886
  1391
by (induct_tac "A", auto)
paulson@18886
  1392
lemma shrK_in_knows_Server [iff]: "Key (shrK A) \<in> knows Kas evs"
paulson@18886
  1393
by (simp add: initState_subset_knows [THEN subsetD])
paulson@18886
  1394
(*Because of our simple model of Tgs, the equivalent for it required an axiom*)
paulson@18886
  1395
paulson@18886
  1396
paulson@18886
  1397
lemma A_authenticates_and_keydist_to_Kas:
paulson@18886
  1398
   "\<lbrakk> Gets A (Crypt (shrK A) \<lbrace>Key authK, Peer, Ta, authTicket\<rbrace>) \<in> set evs;
paulson@18886
  1399
      A \<notin> bad;  evs \<in> kerbIV_gets \<rbrakk>
paulson@18886
  1400
  \<Longrightarrow> Says Kas A (Crypt (shrK A) \<lbrace>Key authK, Peer, Ta, authTicket\<rbrace>) \<in> set evs
paulson@18886
  1401
  \<and> Key authK \<in> analz(knows Kas evs)"
paulson@18886
  1402
apply (force dest!: authK_authentic Says_imp_knows [THEN analz.Inj, THEN analz.Decrypt, THEN analz.Fst])
paulson@18886
  1403
done
paulson@18886
  1404
paulson@18886
  1405
wenzelm@26301
  1406
lemma K3_imp_Gets_evs:
paulson@18886
  1407
  "\<lbrakk> Says A Tgs \<lbrace>Crypt (shrK Tgs) \<lbrace>Agent A, Agent Tgs, Key authK, Number Ta\<rbrace>,
paulson@18886
  1408
                 Crypt authK \<lbrace>Agent A, Number T2\<rbrace>, Agent B\<rbrace> 
paulson@18886
  1409
      \<in> set evs;  A \<notin> bad; evs \<in> kerbIV_gets \<rbrakk>
paulson@18886
  1410
 \<Longrightarrow>  Gets A (Crypt (shrK A) \<lbrace>Key authK, Agent Tgs, Number Ta, 
paulson@18886
  1411
                 Crypt (shrK Tgs) \<lbrace>Agent A, Agent Tgs, Key authK, Number Ta\<rbrace>\<rbrace>)
paulson@18886
  1412
       \<in> set evs"
paulson@18886
  1413
apply (erule rev_mp)
paulson@18886
  1414
apply (erule kerbIV_gets.induct)
paulson@18886
  1415
apply auto
paulson@18886
  1416
apply (blast dest: authTicket_form)
paulson@18886
  1417
done
paulson@18886
  1418
paulson@18886
  1419
lemma Tgs_authenticates_and_keydist_to_A:
paulson@18886
  1420
  "\<lbrakk>  Gets Tgs \<lbrace>
paulson@18886
  1421
          Crypt (shrK Tgs) \<lbrace>Agent A, Agent Tgs, Key authK, Number Ta\<rbrace>,
paulson@18886
  1422
          Crypt authK \<lbrace>Agent A, Number T2\<rbrace>, Agent B \<rbrace> \<in> set evs;
paulson@18886
  1423
      Key authK \<notin> analz (spies evs); A \<notin> bad; evs \<in> kerbIV_gets \<rbrakk>
paulson@18886
  1424
 \<Longrightarrow> \<exists> B. Says A Tgs \<lbrace>
paulson@18886
  1425
          Crypt (shrK Tgs) \<lbrace>Agent A, Agent Tgs, Key authK, Number Ta\<rbrace>,
paulson@18886
  1426
          Crypt authK \<lbrace>Agent A, Number T2\<rbrace>, Agent B \<rbrace> \<in> set evs
paulson@18886
  1427
 \<and>  Key authK \<in> analz (knows A evs)"  
paulson@18886
  1428
apply (frule Gets_imp_knows_Spy [THEN parts.Inj, THEN parts.Fst], assumption)
paulson@18886
  1429
apply (drule Gets_imp_knows_Spy [THEN parts.Inj, THEN parts.Snd, THEN parts.Fst], assumption)
paulson@18886
  1430
apply (drule Tgs_authenticates_A, assumption+, simp)
wenzelm@26301
  1431
apply (force dest!: K3_imp_Gets_evs Gets_imp_knows [THEN analz.Inj, THEN analz.Decrypt, THEN analz.Fst])
paulson@18886
  1432
done
paulson@18886
  1433
paulson@18886
  1434
lemma K4_imp_Gets:
paulson@18886
  1435
  "\<lbrakk> Says Tgs A (Crypt authK \<lbrace>Key servK, Agent B, Number Ts, servTicket\<rbrace>)
paulson@18886
  1436
       \<in> set evs; evs \<in> kerbIV_gets \<rbrakk>
paulson@18886
  1437
 \<Longrightarrow> \<exists> Ta X. 
paulson@18886
  1438
     Gets Tgs \<lbrace>Crypt (shrK Tgs) \<lbrace>Agent A, Agent Tgs, Key authK, Number Ta\<rbrace>, X\<rbrace>
paulson@18886
  1439
       \<in> set evs"
paulson@18886
  1440
apply (erule rev_mp)
paulson@18886
  1441
apply (erule kerbIV_gets.induct)
paulson@18886
  1442
apply auto
paulson@18886
  1443
done
paulson@18886
  1444
paulson@18886
  1445
lemma A_authenticates_and_keydist_to_Tgs:
paulson@18886
  1446
 "\<lbrakk>  Gets A (Crypt (shrK A) \<lbrace>Key authK, Agent Tgs, Number Ta, authTicket\<rbrace>)
paulson@18886
  1447
       \<in> set evs;
paulson@18886
  1448
     Gets A (Crypt authK \<lbrace>Key servK, Agent B, Number Ts, servTicket\<rbrace>)
paulson@18886
  1449
       \<in> set evs;
paulson@18886
  1450
     Key authK \<notin> analz (spies evs); A \<notin> bad;
paulson@18886
  1451
     evs \<in> kerbIV_gets \<rbrakk>
paulson@18886
  1452
 \<Longrightarrow> Says Tgs A (Crypt authK \<lbrace>Key servK, Agent B, Number Ts, servTicket\<rbrace>)
paulson@18886
  1453
       \<in> set evs
paulson@18886
  1454
  \<and> Key authK \<in> analz (knows Tgs evs)
paulson@18886
  1455
  \<and> Key servK \<in> analz (knows Tgs evs)"
paulson@18886
  1456
apply (drule Gets_imp_knows_Spy [THEN parts.Inj], assumption)
paulson@18886
  1457
apply (drule Gets_imp_knows_Spy [THEN parts.Inj], assumption)
paulson@18886
  1458
apply (frule authK_authentic, assumption+)
paulson@18886
  1459
apply (drule servK_authentic_ter, assumption+)
paulson@18886
  1460
apply (frule K4_imp_Gets, assumption, erule exE, erule exE)
paulson@18886
  1461
apply (drule Gets_imp_knows [THEN analz.Inj, THEN analz.Fst, THEN analz.Decrypt, THEN analz.Snd, THEN analz.Snd, THEN analz.Fst], assumption, force)
paulson@18886
  1462
apply (frule Says_imp_knows [THEN analz.Inj, THEN analz.Decrypt, THEN analz.Fst])
paulson@18886
  1463
apply (force dest!: authK_authentic Says_Kas_message_form)
paulson@18886
  1464
apply simp
paulson@18886
  1465
done
paulson@18886
  1466
paulson@18886
  1467
lemma K5_imp_Gets:
paulson@18886
  1468
  "\<lbrakk> Says A B \<lbrace>servTicket, Crypt servK \<lbrace>Agent A, Number T3\<rbrace>\<rbrace> \<in> set evs;
paulson@18886
  1469
    A \<notin> bad; evs \<in> kerbIV_gets \<rbrakk>
paulson@18886
  1470
 \<Longrightarrow> \<exists> authK Ts authTicket T2.
paulson@18886
  1471
    Gets A (Crypt authK \<lbrace>Key servK, Agent B, Number Ts, servTicket\<rbrace>) \<in> set evs
paulson@18886
  1472
 \<and> Says A Tgs \<lbrace>authTicket, Crypt authK \<lbrace>Agent A, Number T2\<rbrace>, Agent B\<rbrace>  \<in> set evs"
paulson@18886
  1473
apply (erule rev_mp)
paulson@18886
  1474
apply (erule kerbIV_gets.induct)
paulson@18886
  1475
apply auto
paulson@18886
  1476
done 
paulson@18886
  1477
paulson@18886
  1478
lemma K3_imp_Gets:
paulson@18886
  1479
  "\<lbrakk> Says A Tgs \<lbrace>authTicket, Crypt authK \<lbrace>Agent A, Number T2\<rbrace>, Agent B\<rbrace>
paulson@18886
  1480
       \<in> set evs;
paulson@18886
  1481
    A \<notin> bad; evs \<in> kerbIV_gets \<rbrakk>
paulson@18886
  1482
 \<Longrightarrow> \<exists> Ta. Gets A (Crypt (shrK A) \<lbrace>Key authK, Agent Tgs, Number Ta, authTicket\<rbrace>) \<in> set evs";
paulson@18886
  1483
apply (erule rev_mp)
paulson@18886
  1484
apply (erule kerbIV_gets.induct)
paulson@18886
  1485
apply auto
paulson@18886
  1486
done 
paulson@18886
  1487
paulson@18886
  1488
lemma B_authenticates_and_keydist_to_A:
paulson@18886
  1489
     "\<lbrakk> Gets B \<lbrace>Crypt (shrK B) \<lbrace>Agent A, Agent B, Key servK, Number Ts\<rbrace>,
paulson@18886
  1490
                Crypt servK \<lbrace>Agent A, Number T3\<rbrace>\<rbrace> \<in> set evs;
paulson@18886
  1491
        Key servK \<notin> analz (spies evs);
paulson@18886
  1492
        A \<notin> bad; B \<notin> bad; B \<noteq> Tgs; evs \<in> kerbIV_gets \<rbrakk>
paulson@18886
  1493
 \<Longrightarrow> Says A B \<lbrace>Crypt (shrK B) \<lbrace>Agent A, Agent B, Key servK, Number Ts\<rbrace>,
paulson@18886
  1494
               Crypt servK \<lbrace>Agent A, Number T3\<rbrace>\<rbrace> \<in> set evs
paulson@18886
  1495
  \<and> Key servK \<in> analz (knows A evs)"
paulson@18886
  1496
apply (frule Gets_imp_knows_Spy [THEN parts.Inj, THEN parts.Fst, THEN servTicket_authentic_Tgs], assumption+)  
paulson@18886
  1497
apply (drule Gets_imp_knows_Spy [THEN parts.Inj, THEN parts.Snd], assumption)
paulson@18886
  1498
apply (erule exE, drule Says_K5, assumption+)
paulson@18886
  1499
apply (frule K5_imp_Gets, assumption+)
paulson@18886
  1500
apply clarify
paulson@18886
  1501
apply (drule K3_imp_Gets, assumption+)
paulson@18886
  1502
apply (erule exE)
paulson@18886
  1503
apply (frule Gets_imp_knows_Spy [THEN parts.Inj, THEN authK_authentic, THEN Says_Kas_message_form], assumption+, clarify)
paulson@18886
  1504
apply (force dest!: Gets_imp_knows [THEN analz.Inj, THEN analz.Decrypt, THEN analz.Fst])
paulson@18886
  1505
done
paulson@18886
  1506
paulson@18886
  1507
paulson@18886
  1508
lemma K6_imp_Gets:
paulson@18886
  1509
  "\<lbrakk> Says B A (Crypt servK (Number T3)) \<in> set evs;
paulson@18886
  1510
     B \<notin> bad; evs \<in> kerbIV_gets \<rbrakk>
paulson@18886
  1511
\<Longrightarrow> \<exists> Ts X. Gets B \<lbrace>Crypt (shrK B) \<lbrace>Agent A, Agent B, Key servK, Number Ts\<rbrace>,X\<rbrace>
paulson@18886
  1512
       \<in> set evs"
paulson@18886
  1513
apply (erule rev_mp)
paulson@18886
  1514
apply (erule kerbIV_gets.induct)
paulson@18886
  1515
apply auto
paulson@18886
  1516
done
paulson@18886
  1517
paulson@18886
  1518
paulson@18886
  1519
lemma A_authenticates_and_keydist_to_B:
paulson@18886
  1520
  "\<lbrakk> Gets A \<lbrace>Crypt authK \<lbrace>Key servK, Agent B, Number Ts, servTicket\<rbrace>,
paulson@18886
  1521
             Crypt servK (Number T3)\<rbrace> \<in> set evs;
paulson@18886
  1522
     Gets A (Crypt (shrK A) \<lbrace>Key authK, Agent Tgs, Number Ta, authTicket\<rbrace>)
paulson@18886
  1523
           \<in> set evs;
paulson@18886
  1524
     Key authK \<notin> analz (spies evs); Key servK \<notin> analz (spies evs);
paulson@18886
  1525
     A \<notin> bad;  B \<notin> bad; evs \<in> kerbIV_gets \<rbrakk>
paulson@18886
  1526
 \<Longrightarrow> Says B A (Crypt servK (Number T3)) \<in> set evs 
paulson@18886
  1527
   \<and> Key servK \<in> analz (knows B evs)"
paulson@18886
  1528
apply (frule Gets_imp_knows_Spy [THEN parts.Inj, THEN parts.Fst], assumption)
paulson@18886
  1529
apply (drule Gets_imp_knows_Spy [THEN parts.Inj, THEN parts.Snd], assumption)
paulson@18886
  1530
apply (drule Gets_imp_knows_Spy [THEN parts.Inj], assumption)
paulson@18886
  1531
apply (drule A_authenticates_B, assumption+)
paulson@18886
  1532
apply (force dest!: K6_imp_Gets Gets_imp_knows [THEN analz.Inj, THEN analz.Fst, THEN analz.Decrypt, THEN analz.Snd, THEN analz.Snd, THEN analz.Fst])
paulson@18886
  1533
done
paulson@18886
  1534
paulson@18886
  1535
 
paulson@18886
  1536
paulson@18886
  1537
end
paulson@18886
  1538