| author | wenzelm |
| Sat, 17 Oct 2009 14:43:18 +0200 | |
| changeset 32960 | 69916a850301 |
| parent 32891 | d403b99287ff |
| child 35503 | 7bba12c3b7b6 |
| permissions | -rw-r--r-- |
| 11250 | 1 |
(* Title: HOL/Auth/NS_Public |
2 |
ID: $Id$ |
|
3 |
Author: Lawrence C Paulson, Cambridge University Computer Laboratory |
|
4 |
Copyright 1996 University of Cambridge |
|
5 |
||
6 |
Inductive relation "ns_public" for the Needham-Schroeder Public-Key protocol. |
|
7 |
Version incorporating Lowe's fix (inclusion of B's identity in round 2). |
|
|
23925
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
8 |
*)(*<*) |
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
9 |
theory NS_Public imports Public begin(*>*) |
| 11250 | 10 |
|
|
23925
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
11 |
section{* Modelling the Protocol \label{sec:modelling} *}
|
| 11250 | 12 |
|
|
23925
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
13 |
text_raw {*
|
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
14 |
\begin{figure}
|
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
15 |
\begin{isabelle}
|
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
16 |
*} |
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
17 |
|
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
18 |
inductive_set ns_public :: "event list set" |
| 23733 | 19 |
where |
|
23925
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
20 |
|
| 11250 | 21 |
Nil: "[] \<in> ns_public" |
22 |
||
23 |
||
|
23925
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
24 |
| Fake: "\<lbrakk>evsf \<in> ns_public; X \<in> synth (analz (knows Spy evsf))\<rbrakk> |
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
25 |
\<Longrightarrow> Says Spy B X # evsf \<in> ns_public" |
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
26 |
|
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
27 |
|
| 23733 | 28 |
| NS1: "\<lbrakk>evs1 \<in> ns_public; Nonce NA \<notin> used evs1\<rbrakk> |
| 11250 | 29 |
\<Longrightarrow> Says A B (Crypt (pubK B) \<lbrace>Nonce NA, Agent A\<rbrace>) |
30 |
# evs1 \<in> ns_public" |
|
31 |
||
|
23925
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
32 |
|
| 23733 | 33 |
| NS2: "\<lbrakk>evs2 \<in> ns_public; Nonce NB \<notin> used evs2; |
| 11250 | 34 |
Says A' B (Crypt (pubK B) \<lbrace>Nonce NA, Agent A\<rbrace>) \<in> set evs2\<rbrakk> |
35 |
\<Longrightarrow> Says B A (Crypt (pubK A) \<lbrace>Nonce NA, Nonce NB, Agent B\<rbrace>) |
|
36 |
# evs2 \<in> ns_public" |
|
37 |
||
|
23925
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
38 |
|
| 23733 | 39 |
| NS3: "\<lbrakk>evs3 \<in> ns_public; |
| 11250 | 40 |
Says A B (Crypt (pubK B) \<lbrace>Nonce NA, Agent A\<rbrace>) \<in> set evs3; |
41 |
Says B' A (Crypt (pubK A) \<lbrace>Nonce NA, Nonce NB, Agent B\<rbrace>) |
|
42 |
\<in> set evs3\<rbrakk> |
|
43 |
\<Longrightarrow> Says A B (Crypt (pubK B) (Nonce NB)) # evs3 \<in> ns_public" |
|
44 |
||
|
23925
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
45 |
text_raw {*
|
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
46 |
\end{isabelle}
|
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
47 |
\caption{An Inductive Protocol Definition}\label{fig:ns_public}
|
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
48 |
\end{figure}
|
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
49 |
*} |
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
50 |
|
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
51 |
text {*
|
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
52 |
Let us formalize the Needham-Schroeder public-key protocol, as corrected by |
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
53 |
Lowe: |
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
54 |
\begin{alignat*%
|
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
55 |
}{2}
|
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
56 |
&1.&\quad A\to B &: \comp{Na,A}\sb{Kb} \\
|
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
57 |
&2.&\quad B\to A &: \comp{Na,Nb,B}\sb{Ka} \\
|
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
58 |
&3.&\quad A\to B &: \comp{Nb}\sb{Kb}
|
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
59 |
\end{alignat*%
|
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
60 |
} |
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
61 |
|
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
62 |
Each protocol step is specified by a rule of an inductive definition. An |
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
63 |
event trace has type @{text "event list"}, so we declare the constant
|
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
64 |
@{text ns_public} to be a set of such traces.
|
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
65 |
|
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
66 |
Figure~\ref{fig:ns_public} presents the inductive definition. The
|
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
67 |
@{text Nil} rule introduces the empty trace. The @{text Fake} rule models the
|
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
68 |
adversary's sending a message built from components taken from past |
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
69 |
traffic, expressed using the functions @{text synth} and
|
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
70 |
@{text analz}.
|
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
71 |
The next three rules model how honest agents would perform the three |
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
72 |
protocol steps. |
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
73 |
|
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
74 |
Here is a detailed explanation of rule @{text NS2}.
|
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
75 |
A trace containing an event of the form |
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
76 |
@{term [display,indent=5] "Says A' B (Crypt (pubK B) \<lbrace>Nonce NA, Agent A\<rbrace>)"}
|
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
77 |
may be extended by an event of the form |
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
78 |
@{term [display,indent=5] "Says B A (Crypt (pubK A) \<lbrace>Nonce NA, Nonce NB, Agent B\<rbrace>)"}
|
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
79 |
where @{text NB} is a fresh nonce: @{term "Nonce NB \<in> used evs2"}.
|
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
80 |
Writing the sender as @{text A'} indicates that @{text B} does not
|
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
81 |
know who sent the message. Calling the trace variable @{text evs2} rather
|
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
82 |
than simply @{text evs} helps us know where we are in a proof after many
|
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
83 |
case-splits: every subgoal mentioning @{text evs2} involves message~2 of the
|
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
84 |
protocol. |
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
85 |
|
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
86 |
Benefits of this approach are simplicity and clarity. The semantic model |
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
87 |
is set theory, proofs are by induction and the translation from the informal |
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
88 |
notation to the inductive rules is straightforward. |
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
89 |
*} |
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
90 |
|
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
91 |
section{* Proving Elementary Properties \label{sec:regularity} *}
|
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
92 |
|
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
93 |
(*<*) |
| 11250 | 94 |
declare knows_Spy_partsEs [elim] |
95 |
declare analz_subset_parts [THEN subsetD, dest] |
|
96 |
declare Fake_parts_insert [THEN subsetD, dest] |
|
97 |
declare image_eq_UN [simp] (*accelerates proofs involving nested images*) |
|
98 |
||
99 |
(*A "possibility property": there are traces that reach the end*) |
|
100 |
lemma "\<exists>NB. \<exists>evs \<in> ns_public. Says A B (Crypt (pubK B) (Nonce NB)) \<in> set evs" |
|
101 |
apply (intro exI bexI) |
|
| 11269 | 102 |
apply (rule_tac [2] ns_public.Nil [THEN ns_public.NS1, THEN ns_public.NS2, |
| 11250 | 103 |
THEN ns_public.NS3]) |
104 |
by possibility |
|
105 |
||
106 |
||
107 |
(**** Inductive proofs about ns_public ****) |
|
108 |
||
| 11269 | 109 |
(** Theorems of the form X \<notin> parts (knows Spy evs) imply that NOBODY |
| 11250 | 110 |
sends messages containing X! **) |
111 |
||
112 |
(*Spy never sees another agent's private key! (unless it's bad at start)*) |
|
|
23925
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
113 |
(*>*) |
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
114 |
|
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
115 |
text {*
|
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
116 |
Secrecy properties can be hard to prove. The conclusion of a typical |
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
117 |
secrecy theorem is |
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
118 |
@{term "X \<notin> analz (knows Spy evs)"}. The difficulty arises from
|
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
119 |
having to reason about @{text analz}, or less formally, showing that the spy
|
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
120 |
can never learn~@{text X}. Much easier is to prove that @{text X} can never
|
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
121 |
occur at all. Such \emph{regularity} properties are typically expressed
|
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
122 |
using @{text parts} rather than @{text analz}.
|
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
123 |
|
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
124 |
The following lemma states that @{text A}'s private key is potentially
|
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
125 |
known to the spy if and only if @{text A} belongs to the set @{text bad} of
|
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
126 |
compromised agents. The statement uses @{text parts}: the very presence of
|
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
127 |
@{text A}'s private key in a message, whether protected by encryption or
|
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
128 |
not, is enough to confirm that @{text A} is compromised. The proof, like
|
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
129 |
nearly all protocol proofs, is by induction over traces. |
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
130 |
*} |
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
131 |
|
| 11269 | 132 |
lemma Spy_see_priK [simp]: |
|
23925
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
133 |
"evs \<in> ns_public |
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
134 |
\<Longrightarrow> (Key (priK A) \<in> parts (knows Spy evs)) = (A \<in> bad)" |
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
135 |
apply (erule ns_public.induct, simp_all) |
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
136 |
txt {*
|
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
137 |
The induction yields five subgoals, one for each rule in the definition of |
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
138 |
@{text ns_public}. The idea is to prove that the protocol property holds initially
|
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
139 |
(rule @{text Nil}), is preserved by each of the legitimate protocol steps (rules
|
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
140 |
@{text NS1}--@{text 3}), and even is preserved in the face of anything the
|
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
141 |
spy can do (rule @{text Fake}).
|
| 11250 | 142 |
|
|
23925
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
143 |
The proof is trivial. No legitimate protocol rule sends any keys |
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
144 |
at all, so only @{text Fake} is relevant. Indeed, simplification leaves
|
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
145 |
only the @{text Fake} case, as indicated by the variable name @{text evsf}:
|
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
146 |
@{subgoals[display,indent=0,margin=65]}
|
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
147 |
*} |
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
148 |
by blast |
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
149 |
(*<*) |
| 11269 | 150 |
lemma Spy_analz_priK [simp]: |
151 |
"evs \<in> ns_public \<Longrightarrow> (Key (priK A) \<in> analz (knows Spy evs)) = (A \<in> bad)" |
|
| 11250 | 152 |
by auto |
|
23925
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
153 |
(*>*) |
| 11250 | 154 |
|
|
23925
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
155 |
text {*
|
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
156 |
The @{text Fake} case is proved automatically. If
|
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
157 |
@{term "priK A"} is in the extended trace then either (1) it was already in the
|
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
158 |
original trace or (2) it was |
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
159 |
generated by the spy, who must have known this key already. |
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
160 |
Either way, the induction hypothesis applies. |
| 11250 | 161 |
|
|
23925
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
162 |
\emph{Unicity} lemmas are regularity lemmas stating that specified items
|
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
163 |
can occur only once in a trace. The following lemma states that a nonce |
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
164 |
cannot be used both as $Na$ and as $Nb$ unless |
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
165 |
it is known to the spy. Intuitively, it holds because honest agents |
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
166 |
always choose fresh values as nonces; only the spy might reuse a value, |
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
167 |
and he doesn't know this particular value. The proof script is short: |
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
168 |
induction, simplification, @{text blast}. The first line uses the rule
|
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
169 |
@{text rev_mp} to prepare the induction by moving two assumptions into the
|
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
170 |
induction formula. |
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
171 |
*} |
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
172 |
|
| 11269 | 173 |
lemma no_nonce_NS1_NS2: |
|
23925
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
174 |
"\<lbrakk>Crypt (pubK C) \<lbrace>NA', Nonce NA, Agent D\<rbrace> \<in> parts (knows Spy evs); |
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
175 |
Crypt (pubK B) \<lbrace>Nonce NA, Agent A\<rbrace> \<in> parts (knows Spy evs); |
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
176 |
evs \<in> ns_public\<rbrakk> |
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
177 |
\<Longrightarrow> Nonce NA \<in> analz (knows Spy evs)" |
| 11269 | 178 |
apply (erule rev_mp, erule rev_mp) |
| 11250 | 179 |
apply (erule ns_public.induct, simp_all) |
180 |
apply (blast intro: analz_insertI)+ |
|
181 |
done |
|
182 |
||
|
23925
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
183 |
text {*
|
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
184 |
The following unicity lemma states that, if \isa{NA} is secret, then its
|
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
185 |
appearance in any instance of message~1 determines the other components. |
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
186 |
The proof is similar to the previous one. |
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
187 |
*} |
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
188 |
|
| 11269 | 189 |
lemma unique_NA: |
190 |
"\<lbrakk>Crypt(pubK B) \<lbrace>Nonce NA, Agent A \<rbrace> \<in> parts(knows Spy evs); |
|
191 |
Crypt(pubK B') \<lbrace>Nonce NA, Agent A'\<rbrace> \<in> parts(knows Spy evs); |
|
192 |
Nonce NA \<notin> analz (knows Spy evs); evs \<in> ns_public\<rbrakk> |
|
| 11250 | 193 |
\<Longrightarrow> A=A' \<and> B=B'" |
|
23925
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
194 |
(*<*) |
| 11269 | 195 |
apply (erule rev_mp, erule rev_mp, erule rev_mp) |
| 11250 | 196 |
apply (erule ns_public.induct, simp_all) |
197 |
(*Fake, NS1*) |
|
198 |
apply (blast intro: analz_insertI)+ |
|
199 |
done |
|
|
23925
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
200 |
(*>*) |
| 11250 | 201 |
|
|
23925
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
202 |
section{* Proving Secrecy Theorems \label{sec:secrecy} *}
|
| 11250 | 203 |
|
|
23925
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
204 |
(*<*) |
| 11250 | 205 |
(*Secrecy: Spy does not see the nonce sent in msg NS1 if A and B are secure |
206 |
The major premise "Says A B ..." makes it a dest-rule, so we use |
|
207 |
(erule rev_mp) rather than rule_format. *) |
|
| 11269 | 208 |
theorem Spy_not_see_NA: |
| 11250 | 209 |
"\<lbrakk>Says A B (Crypt(pubK B) \<lbrace>Nonce NA, Agent A\<rbrace>) \<in> set evs; |
| 11269 | 210 |
A \<notin> bad; B \<notin> bad; evs \<in> ns_public\<rbrakk> |
211 |
\<Longrightarrow> Nonce NA \<notin> analz (knows Spy evs)" |
|
212 |
apply (erule rev_mp) |
|
| 11250 | 213 |
apply (erule ns_public.induct, simp_all) |
214 |
apply spy_analz |
|
215 |
apply (blast dest: unique_NA intro: no_nonce_NS1_NS2)+ |
|
216 |
done |
|
217 |
||
218 |
||
219 |
(*Authentication for A: if she receives message 2 and has used NA |
|
220 |
to start a run, then B has sent message 2.*) |
|
| 11269 | 221 |
lemma A_trusts_NS2_lemma [rule_format]: |
222 |
"\<lbrakk>A \<notin> bad; B \<notin> bad; evs \<in> ns_public\<rbrakk> |
|
223 |
\<Longrightarrow> Crypt (pubK A) \<lbrace>Nonce NA, Nonce NB, Agent B\<rbrace> \<in> parts (knows Spy evs) \<longrightarrow> |
|
|
32960
69916a850301
eliminated hard tabulators, guessing at each author's individual tab-width;
wenzelm
parents:
32891
diff
changeset
|
224 |
Says A B (Crypt(pubK B) \<lbrace>Nonce NA, Agent A\<rbrace>) \<in> set evs \<longrightarrow> |
|
69916a850301
eliminated hard tabulators, guessing at each author's individual tab-width;
wenzelm
parents:
32891
diff
changeset
|
225 |
Says B A (Crypt(pubK A) \<lbrace>Nonce NA, Nonce NB, Agent B\<rbrace>) \<in> set evs" |
| 11250 | 226 |
apply (erule ns_public.induct, simp_all) |
227 |
(*Fake, NS1*) |
|
228 |
apply (blast dest: Spy_not_see_NA)+ |
|
229 |
done |
|
230 |
||
| 11269 | 231 |
theorem A_trusts_NS2: |
232 |
"\<lbrakk>Says A B (Crypt(pubK B) \<lbrace>Nonce NA, Agent A\<rbrace>) \<in> set evs; |
|
| 11250 | 233 |
Says B' A (Crypt(pubK A) \<lbrace>Nonce NA, Nonce NB, Agent B\<rbrace>) \<in> set evs; |
| 11269 | 234 |
A \<notin> bad; B \<notin> bad; evs \<in> ns_public\<rbrakk> |
| 11250 | 235 |
\<Longrightarrow> Says B A (Crypt(pubK A) \<lbrace>Nonce NA, Nonce NB, Agent B\<rbrace>) \<in> set evs" |
236 |
by (blast intro: A_trusts_NS2_lemma) |
|
237 |
||
238 |
||
239 |
(*If the encrypted message appears then it originated with Alice in NS1*) |
|
240 |
lemma B_trusts_NS1 [rule_format]: |
|
| 11269 | 241 |
"evs \<in> ns_public |
242 |
\<Longrightarrow> Crypt (pubK B) \<lbrace>Nonce NA, Agent A\<rbrace> \<in> parts (knows Spy evs) \<longrightarrow> |
|
|
32960
69916a850301
eliminated hard tabulators, guessing at each author's individual tab-width;
wenzelm
parents:
32891
diff
changeset
|
243 |
Nonce NA \<notin> analz (knows Spy evs) \<longrightarrow> |
|
69916a850301
eliminated hard tabulators, guessing at each author's individual tab-width;
wenzelm
parents:
32891
diff
changeset
|
244 |
Says A B (Crypt (pubK B) \<lbrace>Nonce NA, Agent A\<rbrace>) \<in> set evs" |
| 11250 | 245 |
apply (erule ns_public.induct, simp_all) |
246 |
(*Fake*) |
|
247 |
apply (blast intro!: analz_insertI) |
|
248 |
done |
|
249 |
||
250 |
||
251 |
||
252 |
(*** Authenticity properties obtained from NS2 ***) |
|
253 |
||
| 11269 | 254 |
(*Unicity for NS2: nonce NB identifies nonce NA and agents A, B |
| 11250 | 255 |
[unicity of B makes Lowe's fix work] |
256 |
[proof closely follows that for unique_NA] *) |
|
257 |
||
| 11269 | 258 |
lemma unique_NB [dest]: |
259 |
"\<lbrakk>Crypt(pubK A) \<lbrace>Nonce NA, Nonce NB, Agent B\<rbrace> \<in> parts(knows Spy evs); |
|
260 |
Crypt(pubK A') \<lbrace>Nonce NA', Nonce NB, Agent B'\<rbrace> \<in> parts(knows Spy evs); |
|
261 |
Nonce NB \<notin> analz (knows Spy evs); evs \<in> ns_public\<rbrakk> |
|
| 11250 | 262 |
\<Longrightarrow> A=A' \<and> NA=NA' \<and> B=B'" |
| 11269 | 263 |
apply (erule rev_mp, erule rev_mp, erule rev_mp) |
| 11250 | 264 |
apply (erule ns_public.induct, simp_all) |
265 |
(*Fake, NS2*) |
|
266 |
apply (blast intro: analz_insertI)+ |
|
267 |
done |
|
|
23925
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
268 |
(*>*) |
| 11269 | 269 |
|
|
23925
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
270 |
text {*
|
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
271 |
The secrecy theorems for Bob (the second participant) are especially |
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
272 |
important because they fail for the original protocol. The following |
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
273 |
theorem states that if Bob sends message~2 to Alice, and both agents are |
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
274 |
uncompromised, then Bob's nonce will never reach the spy. |
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
275 |
*} |
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
276 |
|
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
277 |
theorem Spy_not_see_NB [dest]: |
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
278 |
"\<lbrakk>Says B A (Crypt (pubK A) \<lbrace>Nonce NA, Nonce NB, Agent B\<rbrace>) \<in> set evs; |
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
279 |
A \<notin> bad; B \<notin> bad; evs \<in> ns_public\<rbrakk> |
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
280 |
\<Longrightarrow> Nonce NB \<notin> analz (knows Spy evs)" |
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
281 |
txt {*
|
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
282 |
To prove it, we must formulate the induction properly (one of the |
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
283 |
assumptions mentions~@{text evs}), apply induction, and simplify:
|
| 11269 | 284 |
*} |
285 |
||
|
23925
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
286 |
apply (erule rev_mp, erule ns_public.induct, simp_all) |
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
287 |
(*<*) |
| 11250 | 288 |
apply spy_analz |
|
23925
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
289 |
defer |
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
290 |
apply (blast intro: no_nonce_NS1_NS2) |
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
291 |
apply (blast intro: no_nonce_NS1_NS2) |
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
292 |
(*>*) |
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
293 |
|
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
294 |
txt {*
|
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
295 |
The proof states are too complicated to present in full. |
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
296 |
Let's examine the simplest subgoal, that for message~1. The following |
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
297 |
event has just occurred: |
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
298 |
\[ 1.\quad A'\to B' : \comp{Na',A'}\sb{Kb'} \]
|
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
299 |
The variables above have been primed because this step |
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
300 |
belongs to a different run from that referred to in the theorem |
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
301 |
statement --- the theorem |
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
302 |
refers to a past instance of message~2, while this subgoal |
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
303 |
concerns message~1 being sent just now. |
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
304 |
In the Isabelle subgoal, instead of primed variables like $B'$ and $Na'$ |
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
305 |
we have @{text Ba} and~@{text NAa}:
|
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
306 |
@{subgoals[display,indent=0]}
|
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
307 |
The simplifier has used a |
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
308 |
default simplification rule that does a case |
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
309 |
analysis for each encrypted message on whether or not the decryption key |
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
310 |
is compromised. |
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
311 |
@{named_thms [display,indent=0,margin=50] analz_Crypt_if [no_vars] (analz_Crypt_if)}
|
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
312 |
The simplifier has also used @{text Spy_see_priK}, proved in
|
| 27093 | 313 |
{\S}\ref{sec:regularity} above, to yield @{term "Ba \<in> bad"}.
|
| 11250 | 314 |
|
|
23925
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
315 |
Recall that this subgoal concerns the case |
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
316 |
where the last message to be sent was |
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
317 |
\[ 1.\quad A'\to B' : \comp{Na',A'}\sb{Kb'}. \]
|
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
318 |
This message can compromise $Nb$ only if $Nb=Na'$ and $B'$ is compromised, |
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
319 |
allowing the spy to decrypt the message. The Isabelle subgoal says |
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
320 |
precisely this, if we allow for its choice of variable names. |
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
321 |
Proving @{term "NB \<noteq> NAa"} is easy: @{text NB} was
|
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
322 |
sent earlier, while @{text NAa} is fresh; formally, we have
|
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
323 |
the assumption @{term "Nonce NAa \<notin> used evs1"}.
|
| 11250 | 324 |
|
|
23925
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
325 |
Note that our reasoning concerned @{text B}'s participation in another
|
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
326 |
run. Agents may engage in several runs concurrently, and some attacks work |
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
327 |
by interleaving the messages of two runs. With model checking, this |
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
328 |
possibility can cause a state-space explosion, and for us it |
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
329 |
certainly complicates proofs. The biggest subgoal concerns message~2. It |
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
330 |
splits into several cases, such as whether or not the message just sent is |
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
331 |
the very message mentioned in the theorem statement. |
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
332 |
Some of the cases are proved by unicity, others by |
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
333 |
the induction hypothesis. For all those complications, the proofs are |
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
334 |
automatic by @{text blast} with the theorem @{text no_nonce_NS1_NS2}.
|
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
335 |
|
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
336 |
The remaining theorems about the protocol are not hard to prove. The |
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
337 |
following one asserts a form of \emph{authenticity}: if
|
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
338 |
@{text B} has sent an instance of message~2 to~@{text A} and has received the
|
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
339 |
expected reply, then that reply really originated with~@{text A}. The
|
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
340 |
proof is a simple induction. |
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
341 |
*} |
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
342 |
|
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
343 |
(*<*) |
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
344 |
by (blast intro: no_nonce_NS1_NS2) |
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
345 |
|
| 11250 | 346 |
lemma B_trusts_NS3_lemma [rule_format]: |
347 |
"\<lbrakk>A \<notin> bad; B \<notin> bad; evs \<in> ns_public\<rbrakk> \<Longrightarrow> |
|
| 11269 | 348 |
Crypt (pubK B) (Nonce NB) \<in> parts (knows Spy evs) \<longrightarrow> |
| 11250 | 349 |
Says B A (Crypt (pubK A) \<lbrace>Nonce NA, Nonce NB, Agent B\<rbrace>) \<in> set evs \<longrightarrow> |
350 |
Says A B (Crypt (pubK B) (Nonce NB)) \<in> set evs" |
|
351 |
by (erule ns_public.induct, auto) |
|
|
23925
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
352 |
(*>*) |
| 11250 | 353 |
theorem B_trusts_NS3: |
|
23925
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
354 |
"\<lbrakk>Says B A (Crypt (pubK A) \<lbrace>Nonce NA, Nonce NB, Agent B\<rbrace>) \<in> set evs; |
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
355 |
Says A' B (Crypt (pubK B) (Nonce NB)) \<in> set evs; |
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
356 |
A \<notin> bad; B \<notin> bad; evs \<in> ns_public\<rbrakk> |
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
357 |
\<Longrightarrow> Says A B (Crypt (pubK B) (Nonce NB)) \<in> set evs" |
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
358 |
(*<*) |
| 11250 | 359 |
by (blast intro: B_trusts_NS3_lemma) |
360 |
||
361 |
(*** Overall guarantee for B ***) |
|
362 |
||
363 |
||
364 |
(*If NS3 has been sent and the nonce NB agrees with the nonce B joined with |
|
365 |
NA, then A initiated the run using NA.*) |
|
|
23925
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
366 |
theorem B_trusts_protocol [rule_format]: |
| 11250 | 367 |
"\<lbrakk>A \<notin> bad; B \<notin> bad; evs \<in> ns_public\<rbrakk> \<Longrightarrow> |
| 11269 | 368 |
Crypt (pubK B) (Nonce NB) \<in> parts (knows Spy evs) \<longrightarrow> |
| 11250 | 369 |
Says B A (Crypt (pubK A) \<lbrace>Nonce NA, Nonce NB, Agent B\<rbrace>) \<in> set evs \<longrightarrow> |
370 |
Says A B (Crypt (pubK B) \<lbrace>Nonce NA, Agent A\<rbrace>) \<in> set evs" |
|
371 |
by (erule ns_public.induct, auto) |
|
|
23925
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
372 |
(*>*) |
| 11250 | 373 |
|
|
23925
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
374 |
text {*
|
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
375 |
From similar assumptions, we can prove that @{text A} started the protocol
|
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
376 |
run by sending an instance of message~1 involving the nonce~@{text NA}\@.
|
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
377 |
For this theorem, the conclusion is |
| 32891 | 378 |
@{thm [display] (concl) B_trusts_protocol [no_vars]}
|
|
23925
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
379 |
Analogous theorems can be proved for~@{text A}, stating that nonce~@{text NA}
|
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
380 |
remains secret and that message~2 really originates with~@{text B}. Even the
|
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
381 |
flawed protocol establishes these properties for~@{text A};
|
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
382 |
the flaw only harms the second participant. |
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
383 |
|
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
384 |
\medskip |
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
385 |
|
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
386 |
Detailed information on this protocol verification technique can be found |
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
387 |
elsewhere~\cite{paulson-jcs}, including proofs of an Internet
|
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
388 |
protocol~\cite{paulson-tls}. We must stress that the protocol discussed
|
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
389 |
in this chapter is trivial. There are only three messages; no keys are |
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
390 |
exchanged; we merely have to prove that encrypted data remains secret. |
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
391 |
Real world protocols are much longer and distribute many secrets to their |
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
392 |
participants. To be realistic, the model has to include the possibility |
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
393 |
of keys being lost dynamically due to carelessness. If those keys have |
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
394 |
been used to encrypt other sensitive information, there may be cascading |
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
395 |
losses. We may still be able to establish a bound on the losses and to |
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
396 |
prove that other protocol runs function |
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
397 |
correctly~\cite{paulson-yahalom}. Proofs of real-world protocols follow
|
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
398 |
the strategy illustrated above, but the subgoals can |
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
399 |
be much bigger and there are more of them. |
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
400 |
\index{protocols!security|)}
|
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
401 |
*} |
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
402 |
|
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
403 |
(*<*)end(*>*) |