author | paulson |
Fri, 25 Apr 2003 11:18:14 +0200 | |
changeset 13922 | 75ae4244a596 |
parent 11287 | 0103ee3082bf |
child 13926 | 6e62e5357a10 |
permissions | -rw-r--r-- |
2318 | 1 |
(* Title: HOL/Auth/Public |
2 |
ID: $Id$ |
|
3 |
Author: Lawrence C Paulson, Cambridge University Computer Laboratory |
|
4 |
Copyright 1996 University of Cambridge |
|
5 |
||
3512
9dcb4daa15e8
Moving common declarations and proofs from theories "Shared"
paulson
parents:
3478
diff
changeset
|
6 |
Theory of Public Keys (common to all public-key protocols) |
2318 | 7 |
|
3512
9dcb4daa15e8
Moving common declarations and proofs from theories "Shared"
paulson
parents:
3478
diff
changeset
|
8 |
Private and public keys; initial states of agents |
2318 | 9 |
*) |
10 |
||
13922 | 11 |
theory Public = Event: |
12 |
||
13 |
subsection{*Asymmetric Keys*} |
|
2318 | 14 |
|
15 |
consts |
|
13922 | 16 |
(*the bool is TRUE if a signing key*) |
17 |
publicKey :: "[bool,agent] => key" |
|
2318 | 18 |
|
19 |
syntax |
|
13922 | 20 |
pubEK :: "agent => key" |
21 |
pubSK :: "agent => key" |
|
22 |
||
23 |
privateKey :: "[bool,agent] => key" |
|
24 |
priEK :: "agent => key" |
|
25 |
priSK :: "agent => key" |
|
26 |
||
27 |
translations |
|
28 |
"pubEK" == "publicKey False" |
|
29 |
"pubSK" == "publicKey True" |
|
30 |
||
31 |
(*BEWARE!! priEK, priSK DON'T WORK with inj, range, image, etc.*) |
|
32 |
"privateKey b A" == "invKey (publicKey b A)" |
|
33 |
"priEK A" == "privateKey False A" |
|
34 |
"priSK A" == "privateKey True A" |
|
35 |
||
36 |
||
37 |
text{*These translations give backward compatibility. They represent the |
|
38 |
simple situation where the signature and encryption keys are the same.*} |
|
39 |
syntax |
|
40 |
pubK :: "agent => key" |
|
41 |
priK :: "agent => key" |
|
42 |
||
43 |
translations |
|
44 |
"pubK A" == "pubEK A" |
|
45 |
"priK A" == "invKey (pubEK A)" |
|
46 |
||
47 |
||
48 |
axioms |
|
49 |
(*By freeness of agents, no two agents have the same key. Since true\<noteq>false, |
|
50 |
no agent has identical signing and encryption keys*) |
|
51 |
injective_publicKey: |
|
52 |
"publicKey b A = publicKey c A' ==> b=c & A=A'" |
|
53 |
||
54 |
(*No private key equals any public key (essential to ensure that private |
|
55 |
keys are private!) *) |
|
56 |
privateKey_neq_publicKey [iff]: "privateKey b A \<noteq> publicKey c A'" |
|
57 |
||
58 |
||
59 |
||
60 |
||
61 |
(*** Basic properties of pubK & priK ***) |
|
62 |
||
63 |
lemma [iff]: "(publicKey b A = publicKey c A') = (b=c & A=A')" |
|
64 |
by (blast dest!: injective_publicKey) |
|
65 |
||
66 |
lemma [iff]: |
|
67 |
"(privateKey b A = privateKey c A') = (b=c & A=A')" |
|
68 |
apply (rule iffI) |
|
69 |
apply (drule_tac f = "invKey" in arg_cong) |
|
70 |
apply (auto ); |
|
71 |
done |
|
72 |
||
73 |
declare privateKey_neq_publicKey [THEN not_sym, iff] |
|
74 |
||
75 |
lemma not_symKeys_pubK [iff]: "publicKey b A \<notin> symKeys" |
|
76 |
apply (simp add: symKeys_def) |
|
77 |
done |
|
78 |
||
79 |
lemma not_symKeys_priK [iff]: "privateKey b A \<notin> symKeys" |
|
80 |
apply (simp add: symKeys_def) |
|
81 |
done |
|
82 |
||
83 |
lemma symKey_neq_priEK: "K \<in> symKeys ==> K \<noteq> priEK A" |
|
84 |
by auto |
|
85 |
||
86 |
lemma symKeys_neq_imp_neq: "(K \<in> symKeys) \<noteq> (K' \<in> symKeys) ==> K \<noteq> K'" |
|
87 |
apply blast |
|
88 |
done |
|
89 |
||
90 |
lemma symKeys_invKey_iff [iff]: "(invKey K \<in> symKeys) = (K \<in> symKeys)" |
|
91 |
apply (unfold symKeys_def) |
|
92 |
apply auto |
|
93 |
done |
|
2318 | 94 |
|
13922 | 95 |
lemma analz_symKeys_Decrypt: |
96 |
"[| Crypt K X \<in> analz H; K \<in> symKeys; Key K \<in> analz H |] |
|
97 |
==> X \<in> analz H" |
|
98 |
by (auto simp add: symKeys_def) |
|
99 |
||
100 |
||
101 |
||
102 |
subsection{*"Image" equations that hold for injective functions*} |
|
103 |
||
104 |
lemma invKey_image_eq [simp]: "(invKey x \<in> invKey`A) = (x \<in> A)" |
|
105 |
apply auto |
|
106 |
done |
|
107 |
||
108 |
(*holds because invKey is injective*) |
|
109 |
lemma publicKey_image_eq [simp]: |
|
110 |
"(publicKey b x \<in> publicKey c ` AA) = (b=c & x \<in> AA)" |
|
111 |
by auto |
|
112 |
||
113 |
lemma privateKey_notin_image_publicKey [simp]: "privateKey b x \<notin> publicKey c ` AA" |
|
114 |
apply auto |
|
115 |
done |
|
116 |
||
117 |
lemma privateKey_image_eq [simp]: |
|
118 |
"(privateKey b A \<in> invKey ` publicKey c ` AS) = (b=c & A\<in>AS)" |
|
119 |
by auto |
|
120 |
||
121 |
lemma publicKey_notin_image_privateKey [simp]: "publicKey b A \<notin> invKey ` publicKey c ` AS" |
|
122 |
apply auto |
|
123 |
done |
|
124 |
||
125 |
||
126 |
subsection{*Symmetric Keys*} |
|
127 |
||
128 |
text{*For some protocols, it is convenient to equip agents with symmetric as |
|
129 |
well as asymmetric keys. The theory @{text Shared} assumes that all keys |
|
130 |
are symmetric.*} |
|
131 |
||
132 |
consts |
|
133 |
shrK :: "agent => key" --{*long-term shared keys*} |
|
134 |
||
135 |
axioms |
|
136 |
inj_shrK: "inj shrK" --{*No two agents have the same key*} |
|
137 |
sym_shrK [iff]: "shrK X \<in> symKeys" --{*All shared keys are symmetric*} |
|
138 |
||
139 |
(*Injectiveness: Agents' long-term keys are distinct.*) |
|
140 |
declare inj_shrK [THEN inj_eq, iff] |
|
141 |
||
142 |
lemma priK_neq_shrK [iff]: "shrK A \<noteq> privateKey b C" |
|
143 |
apply (simp add: symKeys_neq_imp_neq) |
|
144 |
done |
|
145 |
||
146 |
declare priK_neq_shrK [THEN not_sym, simp] |
|
147 |
||
148 |
lemma pubK_neq_shrK [iff]: "shrK A \<noteq> publicKey b C" |
|
149 |
apply (simp add: symKeys_neq_imp_neq) |
|
150 |
done |
|
151 |
||
152 |
declare pubK_neq_shrK [THEN not_sym, simp] |
|
153 |
||
154 |
lemma priEK_noteq_shrK [simp]: "priEK A \<noteq> shrK B" |
|
155 |
by auto |
|
156 |
||
157 |
lemma publicKey_notin_image_shrK [simp]: "publicKey b x \<notin> shrK ` AA" |
|
158 |
by auto |
|
159 |
||
160 |
lemma privateKey_notin_image_shrK [simp]: "privateKey b x \<notin> shrK ` AA" |
|
161 |
by auto |
|
162 |
||
163 |
lemma shrK_notin_image_publicKey [simp]: "shrK x \<notin> publicKey b ` AA" |
|
164 |
by auto |
|
165 |
||
166 |
lemma shrK_notin_image_privateKey [simp]: "shrK x \<notin> invKey ` publicKey b ` AA" |
|
167 |
by auto |
|
168 |
||
169 |
lemma shrK_image_eq [simp]: "(shrK x \<in> shrK ` AA) = (x \<in> AA)" |
|
170 |
by auto |
|
171 |
||
172 |
||
173 |
subsection{*Initial States of Agents*} |
|
174 |
||
175 |
text{*Note: for all practical purposes, all that matters is the initial |
|
176 |
knowledge of the Spy. All other agents are automata, merely following the |
|
177 |
protocol.*} |
|
2318 | 178 |
|
5183 | 179 |
primrec |
2318 | 180 |
(*Agents know their private key and all public keys*) |
13922 | 181 |
initState_Server: |
182 |
"initState Server = |
|
183 |
{Key (priEK Server), Key (priSK Server)} \<union> |
|
184 |
(Key ` range pubEK) \<union> (Key ` range pubSK) \<union> (Key ` range shrK)" |
|
185 |
||
186 |
initState_Friend: |
|
187 |
"initState (Friend i) = |
|
188 |
{Key (priEK(Friend i)), Key (priSK(Friend i)), Key (shrK(Friend i))} \<union> |
|
189 |
(Key ` range pubEK) \<union> (Key ` range pubSK)" |
|
190 |
||
191 |
initState_Spy: |
|
192 |
"initState Spy = |
|
193 |
(Key ` invKey ` pubEK ` bad) \<union> (Key ` invKey ` pubSK ` bad) \<union> |
|
194 |
(Key ` shrK ` bad) \<union> |
|
195 |
(Key ` range pubEK) \<union> (Key ` range pubSK)" |
|
196 |
||
197 |
||
198 |
||
199 |
text{*These lemmas allow reasoning about @{term "used evs"} rather than |
|
200 |
@{term "knows Spy evs"}, which is useful when there are private Notes. *} |
|
201 |
||
202 |
lemma used_parts_subset_parts [rule_format]: |
|
203 |
"\<forall>X \<in> used evs. parts {X} \<subseteq> used evs" |
|
204 |
apply (induct evs) |
|
205 |
prefer 2 |
|
206 |
apply (simp add: used_Cons) |
|
207 |
apply (rule ballI) |
|
208 |
apply (case_tac a, auto) |
|
209 |
apply (drule parts_cut, assumption, simp) |
|
210 |
apply (drule parts_cut, assumption, simp) |
|
211 |
txt{*Base case*} |
|
212 |
apply (simp add: used_Nil, clarify) |
|
213 |
apply (rename_tac B) |
|
214 |
apply (rule_tac x=B in exI) |
|
215 |
apply (case_tac B, auto) |
|
216 |
done |
|
217 |
||
218 |
lemma MPair_used_D: "{|X,Y|} \<in> used H ==> X \<in> used H & Y \<in> used H" |
|
219 |
by (drule used_parts_subset_parts, simp, blast) |
|
220 |
||
221 |
lemma MPair_used [elim!]: |
|
222 |
"[| {|X,Y|} \<in> used H; |
|
223 |
[| X \<in> used H; Y \<in> used H |] ==> P |] |
|
224 |
==> P" |
|
225 |
by (blast dest: MPair_used_D) |
|
226 |
||
227 |
||
228 |
text{*Rewrites should not refer to @{term "initState(Friend i)"} because |
|
229 |
that expression is not in normal form.*} |
|
230 |
||
231 |
lemma keysFor_parts_initState [simp]: "keysFor (parts (initState C)) = {}" |
|
232 |
apply (unfold keysFor_def) |
|
233 |
apply (induct_tac "C") |
|
234 |
apply (auto intro: range_eqI) |
|
235 |
done |
|
236 |
||
237 |
lemma Crypt_notin_initState: "Crypt K X \<notin> parts (initState B)" |
|
238 |
by (induct B, auto) |
|
239 |
||
240 |
||
241 |
(*** Basic properties of shrK ***) |
|
242 |
||
243 |
(*Agents see their own shared keys!*) |
|
244 |
lemma shrK_in_initState [iff]: "Key (shrK A) \<in> initState A" |
|
245 |
apply (induct_tac "A") |
|
246 |
apply auto |
|
247 |
done |
|
248 |
||
249 |
lemma shrK_in_knows [iff]: "Key (shrK A) \<in> knows A evs" |
|
250 |
by (simp add: initState_subset_knows [THEN subsetD]) |
|
251 |
||
252 |
lemma shrK_in_used [iff]: "Key (shrK A) \<in> used evs" |
|
253 |
apply (rule initState_into_used) |
|
254 |
apply blast |
|
255 |
done |
|
256 |
||
257 |
(** Fresh keys never clash with long-term shared keys **) |
|
258 |
||
259 |
(*Used in parts_induct_tac and analz_Fake_tac to distinguish session keys |
|
260 |
from long-term shared keys*) |
|
261 |
lemma Key_not_used: "Key K \<notin> used evs ==> K \<notin> range shrK" |
|
262 |
apply blast |
|
263 |
done |
|
264 |
||
265 |
lemma shrK_neq: "Key K \<notin> used evs ==> shrK B \<noteq> K" |
|
266 |
apply blast |
|
267 |
done |
|
268 |
||
2318 | 269 |
|
270 |
||
13922 | 271 |
subsection{*Function @{term spies} *} |
272 |
||
273 |
text{*Agents see their own private keys!*} |
|
274 |
lemma priK_in_initState [iff]: "Key (privateKey b A) \<in> initState A" |
|
275 |
apply (induct_tac "A") |
|
276 |
apply auto |
|
277 |
done |
|
278 |
||
279 |
text{*Agents see all public keys!*} |
|
280 |
lemma publicKey_in_initState [iff]: "Key (publicKey b A) \<in> initState B" |
|
281 |
apply (case_tac "B") |
|
282 |
apply auto |
|
283 |
done |
|
284 |
||
285 |
text{*All public keys are visible*} |
|
286 |
lemma spies_pubK [iff]: "Key (publicKey b A) \<in> spies evs" |
|
287 |
apply (induct_tac "evs") |
|
288 |
apply (simp_all add: imageI knows_Cons split add: event.split) |
|
289 |
done |
|
290 |
||
291 |
declare spies_pubK [THEN analz.Inj, iff] |
|
292 |
||
293 |
text{*Spy sees private keys of bad agents!*} |
|
294 |
lemma Spy_spies_bad_privateKey [intro!]: |
|
295 |
"A \<in> bad ==> Key (privateKey b A) \<in> spies evs" |
|
296 |
apply (induct_tac "evs") |
|
297 |
apply (simp_all add: imageI knows_Cons split add: event.split) |
|
298 |
done |
|
299 |
||
300 |
text{*Spy sees long-term shared keys of bad agents!*} |
|
301 |
lemma Spy_spies_bad_shrK [intro!]: |
|
302 |
"A \<in> bad ==> Key (shrK A) \<in> spies evs" |
|
303 |
apply (induct_tac "evs") |
|
304 |
apply (simp_all add: imageI knows_Cons split add: event.split) |
|
305 |
done |
|
306 |
||
307 |
lemma publicKey_into_used [iff] :"Key (publicKey b A) \<in> used evs" |
|
308 |
apply (rule initState_into_used) |
|
309 |
apply (rule publicKey_in_initState [THEN parts.Inj]) |
|
310 |
done |
|
311 |
||
312 |
lemma privateKey_into_used [iff]: "Key (privateKey b A) \<in> used evs" |
|
313 |
apply(rule initState_into_used) |
|
314 |
apply(rule priK_in_initState [THEN parts.Inj]) |
|
315 |
done |
|
316 |
||
317 |
||
318 |
subsection{*Fresh Nonces*} |
|
319 |
||
320 |
lemma Nonce_notin_initState [iff]: "Nonce N \<notin> parts (initState B)" |
|
321 |
apply (induct_tac "B") |
|
322 |
apply auto |
|
323 |
done |
|
324 |
||
325 |
lemma Nonce_notin_used_empty [simp]: "Nonce N \<notin> used []" |
|
326 |
apply (simp add: used_Nil) |
|
327 |
done |
|
328 |
||
11104 | 329 |
|
13922 | 330 |
subsection{*Supply fresh nonces for possibility theorems*} |
331 |
||
332 |
text{*In any trace, there is an upper bound N on the greatest nonce in use*} |
|
333 |
lemma Nonce_supply_lemma: "EX N. ALL n. N<=n --> Nonce n \<notin> used evs" |
|
334 |
apply (induct_tac "evs") |
|
335 |
apply (rule_tac x = "0" in exI) |
|
336 |
apply (simp_all (no_asm_simp) add: used_Cons split add: event.split) |
|
337 |
apply safe |
|
338 |
apply (rule msg_Nonce_supply [THEN exE], blast elim!: add_leE)+ |
|
339 |
done |
|
340 |
||
341 |
lemma Nonce_supply1: "EX N. Nonce N \<notin> used evs" |
|
342 |
apply (rule Nonce_supply_lemma [THEN exE]) |
|
343 |
apply blast |
|
344 |
done |
|
345 |
||
346 |
lemma Nonce_supply: "Nonce (@ N. Nonce N \<notin> used evs) \<notin> used evs" |
|
347 |
apply (rule Nonce_supply_lemma [THEN exE]) |
|
348 |
apply (rule someI) |
|
349 |
apply fast |
|
350 |
done |
|
351 |
||
352 |
subsection{*Specialized rewriting for the analz_image_... theorems*} |
|
353 |
||
354 |
lemma insert_Key_singleton: "insert (Key K) H = Key ` {K} Un H" |
|
355 |
apply blast |
|
356 |
done |
|
11104 | 357 |
|
13922 | 358 |
lemma insert_Key_image: "insert (Key K) (Key`KK \<union> C) = Key ` (insert K KK) \<union> C" |
359 |
apply blast |
|
360 |
done |
|
361 |
||
362 |
ML |
|
363 |
{* |
|
364 |
val Key_not_used = thm "Key_not_used"; |
|
365 |
val insert_Key_singleton = thm "insert_Key_singleton"; |
|
366 |
val insert_Key_image = thm "insert_Key_image"; |
|
367 |
*} |
|
368 |
||
369 |
(* |
|
370 |
val not_symKeys_pubK = thm "not_symKeys_pubK"; |
|
371 |
val not_symKeys_priK = thm "not_symKeys_priK"; |
|
372 |
val symKeys_neq_imp_neq = thm "symKeys_neq_imp_neq"; |
|
373 |
val analz_symKeys_Decrypt = thm "analz_symKeys_Decrypt"; |
|
374 |
val invKey_image_eq = thm "invKey_image_eq"; |
|
375 |
val pubK_image_eq = thm "pubK_image_eq"; |
|
376 |
val priK_pubK_image_eq = thm "priK_pubK_image_eq"; |
|
377 |
val keysFor_parts_initState = thm "keysFor_parts_initState"; |
|
378 |
val priK_in_initState = thm "priK_in_initState"; |
|
379 |
val spies_pubK = thm "spies_pubK"; |
|
380 |
val Spy_spies_bad = thm "Spy_spies_bad"; |
|
381 |
val Nonce_notin_initState = thm "Nonce_notin_initState"; |
|
382 |
val Nonce_notin_used_empty = thm "Nonce_notin_used_empty"; |
|
383 |
||
384 |
*) |
|
385 |
||
386 |
||
387 |
lemma invKey_K [simp]: "K \<in> symKeys ==> invKey K = K" |
|
11287 | 388 |
by (simp add: symKeys_def) |
389 |
||
13922 | 390 |
lemma Crypt_imp_keysFor :"[|K \<in> symKeys; Crypt K X \<in> H|] ==> K \<in> keysFor H" |
391 |
apply (drule Crypt_imp_invKey_keysFor, simp) |
|
392 |
done |
|
393 |
||
394 |
||
395 |
subsection{*Specialized Methods for Possibility Theorems*} |
|
396 |
||
397 |
ML |
|
398 |
{* |
|
399 |
val Nonce_supply1 = thm "Nonce_supply1"; |
|
400 |
val Nonce_supply = thm "Nonce_supply"; |
|
401 |
||
402 |
(*Tactic for possibility theorems (Isar interface)*) |
|
403 |
fun gen_possibility_tac ss state = state |> |
|
404 |
REPEAT (*omit used_Says so that Nonces start from different traces!*) |
|
405 |
(ALLGOALS (simp_tac (ss delsimps [used_Says])) |
|
406 |
THEN |
|
407 |
REPEAT_FIRST (eq_assume_tac ORELSE' |
|
408 |
resolve_tac [refl, conjI, Nonce_supply])) |
|
409 |
||
410 |
(*Tactic for possibility theorems (ML script version)*) |
|
411 |
fun possibility_tac state = gen_possibility_tac (simpset()) state |
|
412 |
*} |
|
11104 | 413 |
|
414 |
method_setup possibility = {* |
|
11270
a315a3862bb4
better treatment of methods: uses Method.ctxt_args to refer to current
paulson
parents:
11104
diff
changeset
|
415 |
Method.ctxt_args (fn ctxt => |
a315a3862bb4
better treatment of methods: uses Method.ctxt_args to refer to current
paulson
parents:
11104
diff
changeset
|
416 |
Method.METHOD (fn facts => |
a315a3862bb4
better treatment of methods: uses Method.ctxt_args to refer to current
paulson
parents:
11104
diff
changeset
|
417 |
gen_possibility_tac (Simplifier.get_local_simpset ctxt))) *} |
11104 | 418 |
"for proving possibility theorems" |
2318 | 419 |
|
13922 | 420 |
|
421 |
||
422 |
ML |
|
423 |
{* |
|
424 |
bind_thms ("analz_image_freshK_simps", |
|
425 |
simp_thms @ mem_simps @ (*these two allow its use with only:*) |
|
426 |
disj_comms @ |
|
427 |
[image_insert RS sym, image_Un RS sym, empty_subsetI, insert_subset, |
|
428 |
analz_insert_eq, impOfSubs (Un_upper2 RS analz_mono), |
|
429 |
insert_Key_singleton, |
|
430 |
Key_not_used, insert_Key_image, Un_assoc RS sym]); |
|
431 |
||
432 |
val analz_image_freshK_ss = |
|
433 |
simpset() delsimps [image_insert, image_Un] |
|
434 |
delsimps [imp_disjL] (*reduces blow-up*) |
|
435 |
addsimps analz_image_freshK_simps; |
|
436 |
*} |
|
437 |
||
2318 | 438 |
end |