author | bulwahn |
Mon, 12 Dec 2011 13:45:54 +0100 | |
changeset 45818 | 53a697f5454a |
parent 43584 | 027dc42505be |
child 58889 | 5b7a9633cfa8 |
permissions | -rw-r--r-- |
37936 | 1 |
(* Title: HOL/Auth/CertifiedEmail.thy |
13922 | 2 |
Author: Giampaolo Bella, Christiano Longo and Lawrence C Paulson |
13956 | 3 |
*) |
13922 | 4 |
|
13956 | 5 |
header{*The Certified Electronic Mail Protocol by Abadi et al.*} |
13922 | 6 |
|
16417 | 7 |
theory CertifiedEmail imports Public begin |
13922 | 8 |
|
20768 | 9 |
abbreviation |
21404
eb85850d3eb7
more robust syntax for definition/abbreviation/notation;
wenzelm
parents:
20768
diff
changeset
|
10 |
TTP :: agent where |
20768 | 11 |
"TTP == Server" |
13922 | 12 |
|
21404
eb85850d3eb7
more robust syntax for definition/abbreviation/notation;
wenzelm
parents:
20768
diff
changeset
|
13 |
abbreviation |
eb85850d3eb7
more robust syntax for definition/abbreviation/notation;
wenzelm
parents:
20768
diff
changeset
|
14 |
RPwd :: "agent => key" where |
20768 | 15 |
"RPwd == shrK" |
13922 | 16 |
|
17 |
||
18 |
(*FIXME: the four options should be represented by pairs of 0 or 1. |
|
19 |
Right now only BothAuth is modelled.*) |
|
20 |
consts |
|
21 |
NoAuth :: nat |
|
22 |
TTPAuth :: nat |
|
23 |
SAuth :: nat |
|
24 |
BothAuth :: nat |
|
25 |
||
26 |
text{*We formalize a fixed way of computing responses. Could be better.*} |
|
35416
d8d7d1b785af
replaced a couple of constsdefs by definitions (also some old primrecs by modern ones)
haftmann
parents:
32960
diff
changeset
|
27 |
definition "response" :: "agent => agent => nat => msg" where |
13922 | 28 |
"response S R q == Hash {|Agent S, Key (shrK R), Nonce q|}" |
29 |
||
30 |
||
23746 | 31 |
inductive_set certified_mail :: "event list set" |
32 |
where |
|
13922 | 33 |
|
23746 | 34 |
Nil: --{*The empty trace*} |
13922 | 35 |
"[] \<in> certified_mail" |
36 |
||
23746 | 37 |
| Fake: --{*The Spy may say anything he can say. The sender field is correct, |
13922 | 38 |
but agents don't use that information.*} |
14145
2e31b8cc8788
ZhouGollmann: new example (fair non-repudiation protocol)
paulson
parents:
13956
diff
changeset
|
39 |
"[| evsf \<in> certified_mail; X \<in> synth(analz(spies evsf))|] |
13956 | 40 |
==> Says Spy B X # evsf \<in> certified_mail" |
13922 | 41 |
|
23746 | 42 |
| FakeSSL: --{*The Spy may open SSL sessions with TTP, who is the only agent |
13922 | 43 |
equipped with the necessary credentials to serve as an SSL server.*} |
32960
69916a850301
eliminated hard tabulators, guessing at each author's individual tab-width;
wenzelm
parents:
23746
diff
changeset
|
44 |
"[| evsfssl \<in> certified_mail; X \<in> synth(analz(spies evsfssl))|] |
13922 | 45 |
==> Notes TTP {|Agent Spy, Agent TTP, X|} # evsfssl \<in> certified_mail" |
46 |
||
23746 | 47 |
| CM1: --{*The sender approaches the recipient. The message is a number.*} |
15068
58d216b32199
minor tweaks to go with the new version of the Accountability paper
paulson
parents:
14735
diff
changeset
|
48 |
"[|evs1 \<in> certified_mail; |
58d216b32199
minor tweaks to go with the new version of the Accountability paper
paulson
parents:
14735
diff
changeset
|
49 |
Key K \<notin> used evs1; |
58d216b32199
minor tweaks to go with the new version of the Accountability paper
paulson
parents:
14735
diff
changeset
|
50 |
K \<in> symKeys; |
58d216b32199
minor tweaks to go with the new version of the Accountability paper
paulson
parents:
14735
diff
changeset
|
51 |
Nonce q \<notin> used evs1; |
58d216b32199
minor tweaks to go with the new version of the Accountability paper
paulson
parents:
14735
diff
changeset
|
52 |
hs = Hash{|Number cleartext, Nonce q, response S R q, Crypt K (Number m)|}; |
58d216b32199
minor tweaks to go with the new version of the Accountability paper
paulson
parents:
14735
diff
changeset
|
53 |
S2TTP = Crypt(pubEK TTP) {|Agent S, Number BothAuth, Key K, Agent R, hs|}|] |
58d216b32199
minor tweaks to go with the new version of the Accountability paper
paulson
parents:
14735
diff
changeset
|
54 |
==> Says S R {|Agent S, Agent TTP, Crypt K (Number m), Number BothAuth, |
32960
69916a850301
eliminated hard tabulators, guessing at each author's individual tab-width;
wenzelm
parents:
23746
diff
changeset
|
55 |
Number cleartext, Nonce q, S2TTP|} # evs1 |
69916a850301
eliminated hard tabulators, guessing at each author's individual tab-width;
wenzelm
parents:
23746
diff
changeset
|
56 |
\<in> certified_mail" |
13922 | 57 |
|
23746 | 58 |
| CM2: --{*The recipient records @{term S2TTP} while transmitting it and her |
13922 | 59 |
password to @{term TTP} over an SSL channel.*} |
15068
58d216b32199
minor tweaks to go with the new version of the Accountability paper
paulson
parents:
14735
diff
changeset
|
60 |
"[|evs2 \<in> certified_mail; |
58d216b32199
minor tweaks to go with the new version of the Accountability paper
paulson
parents:
14735
diff
changeset
|
61 |
Gets R {|Agent S, Agent TTP, em, Number BothAuth, Number cleartext, |
32960
69916a850301
eliminated hard tabulators, guessing at each author's individual tab-width;
wenzelm
parents:
23746
diff
changeset
|
62 |
Nonce q, S2TTP|} \<in> set evs2; |
15068
58d216b32199
minor tweaks to go with the new version of the Accountability paper
paulson
parents:
14735
diff
changeset
|
63 |
TTP \<noteq> R; |
58d216b32199
minor tweaks to go with the new version of the Accountability paper
paulson
parents:
14735
diff
changeset
|
64 |
hr = Hash {|Number cleartext, Nonce q, response S R q, em|} |] |
58d216b32199
minor tweaks to go with the new version of the Accountability paper
paulson
parents:
14735
diff
changeset
|
65 |
==> |
58d216b32199
minor tweaks to go with the new version of the Accountability paper
paulson
parents:
14735
diff
changeset
|
66 |
Notes TTP {|Agent R, Agent TTP, S2TTP, Key(RPwd R), hr|} # evs2 |
58d216b32199
minor tweaks to go with the new version of the Accountability paper
paulson
parents:
14735
diff
changeset
|
67 |
\<in> certified_mail" |
13922 | 68 |
|
23746 | 69 |
| CM3: --{*@{term TTP} simultaneously reveals the key to the recipient and gives |
13922 | 70 |
a receipt to the sender. The SSL channel does not authenticate |
14735 | 71 |
the client (@{term R}), but @{term TTP} accepts the message only |
72 |
if the given password is that of the claimed sender, @{term R}. |
|
13922 | 73 |