|
18886
|
1 |
(* ID: $Id$
|
|
|
2 |
Author: Giampaolo Bella, Catania University
|
|
|
3 |
*)
|
|
|
4 |
|
|
|
5 |
header{*Bella's modification of the Shoup-Rubin protocol*}
|
|
|
6 |
|
|
|
7 |
theory ShoupRubinBella imports Smartcard begin
|
|
|
8 |
|
|
|
9 |
text{*The modifications are that message 7 now mentions A, while message 10
|
|
|
10 |
now mentions Nb and B. The lack of explicitness of the original version was
|
|
|
11 |
discovered by investigating adherence to the principle of Goal
|
|
|
12 |
Availability. Only the updated version makes the goals of confidentiality,
|
|
|
13 |
authentication and key distribution available to both peers.*}
|
|
|
14 |
|
|
|
15 |
consts
|
|
|
16 |
|
|
|
17 |
sesK :: "nat*key => key"
|
|
|
18 |
|
|
|
19 |
axioms
|
|
|
20 |
|
|
|
21 |
(*sesK is injective on each component*)
|
|
|
22 |
inj_sesK [iff]: "(sesK(m,k) = sesK(m',k')) = (m = m' \<and> k = k')"
|
|
|
23 |
|
|
|
24 |
(*all long-term keys differ from sesK*)
|
|
|
25 |
shrK_disj_sesK [iff]: "shrK A \<noteq> sesK(m,pk)"
|
|
|
26 |
crdK_disj_sesK [iff]: "crdK C \<noteq> sesK(m,pk)"
|
|
|
27 |
pin_disj_sesK [iff]: "pin P \<noteq> sesK(m,pk)"
|
|
|
28 |
pairK_disj_sesK[iff]: "pairK(A,B) \<noteq> sesK(m,pk)"
|
|
|
29 |
|
|
|
30 |
(*needed for base case in analz_image_freshK*)
|
|
|
31 |
Atomic_distrib [iff]: "Atomic`(KEY`K \<union> NONCE`N) =
|
|
|
32 |
Atomic`(KEY`K) \<union> Atomic`(NONCE`N)"
|
|
|
33 |
|
|
|
34 |
(*this protocol makes the assumption of secure means
|
|
|
35 |
between each agent and his smartcard*)
|
|
|
36 |
shouprubin_assumes_securemeans [iff]: "evs \<in> srb \<Longrightarrow> secureM"
|
|
|
37 |
|
|
|
38 |
constdefs
|
|
|
39 |
|
|
|
40 |
Unique :: "[event, event list] => bool" ("Unique _ on _")
|
|
|
41 |
"Unique ev on evs ==
|
|
|
42 |
ev \<notin> set (tl (dropWhile (% z. z \<noteq> ev) evs))"
|
|
|
43 |
|
|
|
44 |
|
|
23746
|
45 |
inductive_set srb :: "event list set"
|
|
|
46 |
where
|
|
18886
|
47 |
|
|
|
48 |
Nil: "[]\<in> srb"
|
|
|
49 |
|
|
|
50 |
|
|
|
51 |
|
|
23746
|
52 |
| Fake: "\<lbrakk> evsF \<in> srb; X \<in> synth (analz (knows Spy evsF));
|
|
18886
|
53 |
illegalUse(Card B) \<rbrakk>
|
|
|
54 |
\<Longrightarrow> Says Spy A X #
|
|
|
55 |
Inputs Spy (Card B) X # evsF \<in> srb"
|
|
|
56 |
|
|
|
57 |
(*In general this rule causes the assumption Card B \<notin> cloned
|
|
|
58 |
in most guarantees for B - starting with confidentiality -
|
|
|
59 |
otherwise pairK_confidential could not apply*)
|
|
23746
|
60 |
| Forge:
|
|
18886
|
61 |
"\<lbrakk> evsFo \<in> srb; Nonce Nb \<in> analz (knows Spy evsFo);
|
|
|
62 |
Key (pairK(A,B)) \<in> knows Spy evsFo \<rbrakk>
|
|
|
63 |
\<Longrightarrow> Notes Spy (Key (sesK(Nb,pairK(A,B)))) # evsFo \<in> srb"
|
|
|
64 |
|
|
|
65 |
|
|
|
66 |
|
|
23746
|
67 |
| Reception: "\<lbrakk> evsrb\<in> srb; Says A B X \<in> set evsrb \<rbrakk>
|
|
18886
|
68 |
\<Longrightarrow> Gets B X # evsrb \<in> srb"
|
|
|
69 |
|
|
|
70 |
|
|
|
71 |
|
|
|
72 |
(*A AND THE SERVER*)
|
|
23746
|
73 |
| SR_U1: "\<lbrakk> evs1 \<in> srb; A \<noteq> Server \<rbrakk>
|
|
18886
|
74 |
\<Longrightarrow> Says A Server \<lbrace>Agent A, Agent B\<rbrace>
|
|
|
75 |
# evs1 \<in> srb"
|
|
|
76 |
|
|
23746
|
77 |
| SR_U2: "\<lbrakk> evs2 \<in> srb;
|
|
18886
|
78 |
Gets Server \<lbrace>Agent A, Agent B\<rbrace> \<in> set evs2 \<rbrakk>
|
|
|
79 |
\<Longrightarrow> Says Server A \<lbrace>Nonce (Pairkey(A,B)),
|
|
|
80 |
Crypt (shrK A) \<lbrace>Nonce (Pairkey(A,B)), Agent B\<rbrace>
|
|
|
81 |
\<rbrace>
|
|
|
82 |
# evs2 \<in> srb"
|
|
|
83 |
|
|
|
84 |
|
|
|
85 |
|
|
|
86 |
|
|
|
87 |
(*A AND HER CARD*)
|
|
|
88 |
(*A cannot decrypt the verifier for she dosn't know shrK A,
|
|
|
89 |
but the pairkey is recognisable*)
|
|
23746
|
90 |
| SR_U3: "\<lbrakk> evs3 \<in> srb; legalUse(Card A);
|
|
18886
|
91 |
Says A Server \<lbrace>Agent A, Agent B\<rbrace> \<in> set evs3;
|
|
|
92 |
Gets A \<lbrace>Nonce Pk, Certificate\<rbrace> \<in> set evs3 \<rbrakk>
|
|
|
93 |
\<Longrightarrow> Inputs A (Card A) (Agent A)
|
|
|
94 |
# evs3 \<in> srb" (*however A only queries her card
|
|
|
95 |
if she has previously contacted the server to initiate with some B.
|
|
|
96 |
Otherwise she would do so even if the Server had not been active.
|
|
|
97 |
Still, this doesn't and can't mean that the pairkey originated with
|
|
|
98 |
the server*)
|
|
|
99 |
|
|
|
100 |
(*The card outputs the nonce Na to A*)
|
|
23746
|
101 |
| SR_U4: "\<lbrakk> evs4 \<in> srb;
|
|
18886
|
102 |
Nonce Na \<notin> used evs4; legalUse(Card A); A \<noteq> Server;
|
|
|
103 |
Inputs A (Card A) (Agent A) \<in> set evs4 \<rbrakk>
|
|
|
104 |
\<Longrightarrow> Outpts (Card A) A \<lbrace>Nonce Na, Crypt (crdK (Card A)) (Nonce Na)\<rbrace>
|
|
|
105 |
# evs4 \<in> srb"
|
|
|
106 |
|
|
|
107 |
(*The card can be exploited by the spy*)
|
|
|
108 |
(*because of the assumptions on the card, A is certainly not server nor spy*)
|
|
23746
|
109 |
| SR_U4Fake: "\<lbrakk> evs4F \<in> srb; Nonce Na \<notin> used evs4F;
|
|
18886
|
110 |
illegalUse(Card A);
|
|
|
111 |
Inputs Spy (Card A) (Agent A) \<in> set evs4F \<rbrakk>
|
|
|
112 |
\<Longrightarrow> Outpts (Card A) Spy \<lbrace>Nonce Na, Crypt (crdK (Card A)) (Nonce Na)\<rbrace>
|
|
|
113 |
# evs4F \<in> srb"
|
|
|
114 |
|
|
|
115 |
|
|
|
116 |
|
|
|
117 |
|
|
|
118 |
(*A TOWARDS B*)
|
|
23746
|
119 |
| SR_U5: "\<lbrakk> evs5 \<in> srb;
|
|
18886
|
120 |
Outpts (Card A) A \<lbrace>Nonce Na, Certificate\<rbrace> \<in> set evs5;
|
|
|
121 |
\<forall> p q. Certificate \<noteq> \<lbrace>p, q\<rbrace> \<rbrakk>
|
|
|
122 |
\<Longrightarrow> Says A B \<lbrace>Agent A, Nonce Na\<rbrace> # evs5 \<in> srb"
|
|
|
123 |
(*A must check that the verifier is not a compound message,
|
|
|
124 |
otherwise this would also fire after SR_U7 *)
|
|
|
125 |
|
|
|
126 |
|
|
|
127 |
|
|
|
128 |
|
|
|
129 |
(*B AND HIS CARD*)
|
|
23746
|
130 |
| SR_U6: "\<lbrakk> evs6 \<in> srb; legalUse(Card B);
|
|
18886
|
131 |
Gets B \<lbrace>Agent A, Nonce Na\<rbrace> \<in> set evs6 \<rbrakk>
|
|
|
132 |
\<Longrightarrow> Inputs B (Card B) \<lbrace>Agent A, Nonce Na\<rbrace>
|
|
|
133 |
# evs6 \<in> srb"
|
|
|
134 |
(*B gets back from the card the session key and various verifiers*)
|
|
23746
|
135 |
| SR_U7: "\<lbrakk> evs7 \<in> srb;
|
|
18886
|
136 |
Nonce Nb \<notin> used evs7; legalUse(Card B); B \<noteq> Server;
|
|
|
137 |
K = sesK(Nb,pairK(A,B));
|
|
|
138 |
Key K \<notin> used evs7;
|
|
|
139 |
Inputs B (Card B) \<lbrace>Agent A, Nonce Na\<rbrace> \<in> set evs7\<rbrakk>
|
|
|
140 |
\<Longrightarrow> Outpts (Card B) B \<lbrace>Nonce Nb, Agent A, Key K,
|
|
|
141 |
Crypt (pairK(A,B)) \<lbrace>Nonce Na, Nonce Nb\<rbrace>,
|
|
|
142 |
Crypt (pairK(A,B)) (Nonce Nb)\<rbrace>
|
|
|
143 |
# evs7 \<in> srb"
|
|
|
144 |
(*The card can be exploited by the spy*)
|
|
|
145 |
(*because of the assumptions on the card, A is certainly not server nor spy*)
|
|
23746
|
146 |
| SR_U7Fake: "\<lbrakk> evs7F \<in> srb; Nonce Nb \<notin> used evs7F;
|
|
18886
|
147 |
illegalUse(Card B);
|
|
|
148 |
K = sesK(Nb,pairK(A,B));
|
|
|
149 |
Key K \<notin> used evs7F;
|
|
|
150 |
Inputs Spy (Card B) \<lbrace>Agent A, Nonce Na\<rbrace> \<in> set evs7F \<rbrakk>
|
|
|
151 |
\<Longrightarrow> Outpts (Card B) Spy \<lbrace>Nonce Nb, Agent A, Key K,
|
|
|
152 |
Crypt (pairK(A,B)) \<lbrace>Nonce Na, Nonce Nb\<rbrace>,
|
|
|
153 |
Crypt (pairK(A,B)) (Nonce Nb)\<rbrace>
|
|
|
154 |
# evs7F \<in> srb"
|
|
|
155 |
|
|
|
156 |
|
|
|
157 |
|
|
|
158 |
|
|
|
159 |
(*B TOWARDS A*)
|
|
|
160 |
(*having sent an input that mentions A is the only memory B relies on,
|
|
|
161 |
since the output doesn't mention A - lack of explicitness*)
|
|
23746
|
162 |
| SR_U8: "\<lbrakk> evs8 \<in> srb;
|
|
18886
|
163 |
Inputs B (Card B) \<lbrace>Agent A, Nonce Na\<rbrace> \<in> set evs8;
|
|
|
164 |
Outpts (Card B) B \<lbrace>Nonce Nb, Agent A, Key K,
|
|
|
165 |
Cert1, Cert2\<rbrace> \<in> set evs8 \<rbrakk>
|
|
|
166 |
\<Longrightarrow> Says B A \<lbrace>Nonce Nb, Cert1\<rbrace> # evs8 \<in> srb"
|
|
|
167 |
|
|
|
168 |
|
|
|
169 |
|
|
|
170 |
|
|
|
171 |
(*A AND HER CARD*)
|
|
|
172 |
(*A cannot check the form of the verifiers - although I can prove the form of
|
|
|
173 |
Cert2 - and just feeds her card with what she's got*)
|
|
23746
|
174 |
| SR_U9: "\<lbrakk> evs9 \<in> srb; legalUse(Card A);
|
|
18886
|
175 |
Gets A \<lbrace>Nonce Pk, Cert1\<rbrace> \<in> set evs9;
|
|
|
176 |
Outpts (Card A) A \<lbrace>Nonce Na, Cert2\<rbrace> \<in> set evs9;
|
|
|
177 |
Gets A \<lbrace>Nonce Nb, Cert3\<rbrace> \<in> set evs9;
|
|
|
178 |
\<forall> p q. Cert2 \<noteq> \<lbrace>p, q\<rbrace> \<rbrakk>
|
|
|
179 |
\<Longrightarrow> Inputs A (Card A)
|
|
|
180 |
\<lbrace>Agent B, Nonce Na, Nonce Nb, Nonce Pk,
|
|
|
181 |
Cert1, Cert3, Cert2\<rbrace>
|
|
|
182 |
# evs9 \<in> srb"
|
|
|
183 |
(*But the card will only give outputs to the inputs of the correct form*)
|
|
23746
|
184 |
| SR_U10: "\<lbrakk> evs10 \<in> srb; legalUse(Card A); A \<noteq> Server;
|
|
18886
|
185 |
K = sesK(Nb,pairK(A,B));
|
|
|
186 |
Inputs A (Card A) \<lbrace>Agent B, Nonce Na, Nonce Nb,
|
|
|
187 |
Nonce (Pairkey(A,B)),
|
|
|
188 |
Crypt (shrK A) \<lbrace>Nonce (Pairkey(A,B)),
|
|
|
189 |
Agent B\<rbrace>,
|
|
|
190 |
Crypt (pairK(A,B)) \<lbrace>Nonce Na, Nonce Nb\<rbrace>,
|
|
|
191 |
Crypt (crdK (Card A)) (Nonce Na)\<rbrace>
|
|
|
192 |
\<in> set evs10 \<rbrakk>
|
|
|
193 |
\<Longrightarrow> Outpts (Card A) A \<lbrace>Agent B, Nonce Nb,
|
|
|
194 |
Key K, Crypt (pairK(A,B)) (Nonce Nb)\<rbrace>
|
|
|
195 |
# evs10 \<in> srb"
|
|
|
196 |
(*The card can be exploited by the spy*)
|
|
|
197 |
(*because of the assumptions on the card, A is certainly not server nor spy*)
|
|
23746
|
198 |
| SR_U10Fake: "\<lbrakk> evs10F \<in> srb;
|
|
18886
|
199 |
illegalUse(Card A);
|
|
|
200 |
K = sesK(Nb,pairK(A,B));
|
|
|
201 |
Inputs Spy (Card A) \<lbrace>Agent B, Nonce Na, Nonce Nb,
|
|
|
202 |
Nonce (Pairkey(A,B)),
|
|
|
203 |
Crypt (shrK A) \<lbrace>Nonce (Pairkey(A,B)),
|
|
|
204 |
Agent B\<rbrace>,
|
|
|
205 |
Crypt (pairK(A,B)) \<lbrace>Nonce Na, Nonce Nb\<rbrace>,
|
|
|
206 |
Crypt (crdK (Card A)) (Nonce Na)\<rbrace>
|
|
|
207 |
\<in> set evs10F \<rbrakk>
|
|
|
208 |
\<Longrightarrow> Outpts (Card A) Spy \<lbrace>Agent B, Nonce Nb,
|
|
|
209 |
Key K, Crypt (pairK(A,B)) (Nonce Nb)\<rbrace>
|
|
|
210 |
# evs10F \<in> srb"
|
|
|
211 |
|
|
|
212 |
|
|
|
213 |
|
|
|
214 |
|
|
|
215 |
(*A TOWARDS B*)
|
|
|
216 |
(*having initiated with B is the only memory A relies on,
|
|
|
217 |
since the output doesn't mention B - lack of explicitness*)
|
|
23746
|
218 |
| SR_U11: "\<lbrakk> evs11 \<in> srb;
|
|
18886
|
219 |
Says A Server \<lbrace>Agent A, Agent B\<rbrace> \<in> set evs11;
|
|
|
220 |
Outpts (Card A) A \<lbrace>Agent B, Nonce Nb, Key K, Certificate\<rbrace>
|
|
|
221 |
\<in> set evs11 \<rbrakk>
|
|
|
222 |
\<Longrightarrow> Says A B (Certificate)
|
|
|
223 |
# evs11 \<in> srb"
|
|
|
224 |
|
|
|
225 |
|
|
|
226 |
|
|
|
227 |
(*Both peers may leak by accident the session keys obtained from their
|
|
|
228 |
cards*)
|
|
23746
|
229 |
| Oops1:
|
|
18886
|
230 |
"\<lbrakk> evsO1 \<in> srb;
|
|
|
231 |
Outpts (Card B) B \<lbrace>Nonce Nb, Agent A, Key K, Cert1, Cert2\<rbrace>
|
|
|
232 |
\<in> set evsO1 \<rbrakk>
|
|
|
233 |
\<Longrightarrow> Notes Spy \<lbrace>Key K, Nonce Nb, Agent A, Agent B\<rbrace> # evsO1 \<in> srb"
|
|
|
234 |
|
|
23746
|
235 |
| Oops2:
|
|
18886
|
236 |
"\<lbrakk> evsO2 \<in> srb;
|
|
|
237 |
Outpts (Card A) A \<lbrace>Agent B, Nonce Nb, Key K, Certificate\<rbrace>
|
|
|
238 |
\<in> set evsO2 \<rbrakk>
|
|
|
239 |
\<Longrightarrow> Notes Spy \<lbrace>Key K, Nonce Nb, Agent A, Agent B\<rbrace> # evsO2 \<in> srb"
|
|
|
240 |
|
|
|
241 |
|
|
|
242 |
|
|
|
243 |
|
|
|
244 |
|
|
|
245 |
|
|
|
246 |
(*To solve Fake case when it doesn't involve analz - used to be condensed
|
|
|
247 |
into Fake_parts_insert_tac*)
|
|
|
248 |
declare Fake_parts_insert_in_Un [dest]
|
|
|
249 |
declare analz_into_parts [dest]
|
|
|
250 |
(*declare parts_insertI [intro]*)
|
|
|
251 |
|
|
|
252 |
|
|
|
253 |
|
|
|
254 |
(*General facts about message reception*)
|
|
|
255 |
lemma Gets_imp_Says:
|
|
|
256 |
"\<lbrakk> Gets B X \<in> set evs; evs \<in> srb \<rbrakk> \<Longrightarrow> \<exists> A. Says A B X \<in> set evs"
|
|
|
257 |
apply (erule rev_mp, erule srb.induct)
|
|
|
258 |
apply auto
|
|
|
259 |
done
|
|
|
260 |
|
|
|
261 |
lemma Gets_imp_knows_Spy:
|
|
|
262 |
"\<lbrakk> Gets B X \<in> set evs; evs \<in> srb \<rbrakk> \<Longrightarrow> X \<in> knows Spy evs"
|
|
|
263 |
apply (blast dest!: Gets_imp_Says Says_imp_knows_Spy)
|
|
|
264 |
done
|
|
|
265 |
|
|
|
266 |
lemma Gets_imp_knows_Spy_parts_Snd:
|
|
|
267 |
"\<lbrakk> Gets B \<lbrace>X, Y\<rbrace> \<in> set evs; evs \<in> srb \<rbrakk> \<Longrightarrow> Y \<in> parts (knows Spy evs)"
|
|
|
268 |
apply (blast dest!: Gets_imp_Says Says_imp_knows_Spy parts.Inj parts.Snd)
|
|
|
269 |
done
|
|
|
270 |
|
|
|
271 |
lemma Gets_imp_knows_Spy_analz_Snd:
|
|
|
272 |
"\<lbrakk> Gets B \<lbrace>X, Y\<rbrace> \<in> set evs; evs \<in> srb \<rbrakk> \<Longrightarrow> Y \<in> analz (knows Spy evs)"
|
|
|
273 |
apply (blast dest!: Gets_imp_Says Says_imp_knows_Spy analz.Inj analz.Snd)
|
|
|
274 |
done
|
|
|
275 |
|
|
|
276 |
(*end general facts*)
|
|
|
277 |
|
|
|
278 |
|
|
|
279 |
|
|
|
280 |
(*Begin lemmas on secure means, from Event.ML, proved for shouprubin. They help
|
|
|
281 |
the simplifier, especially in analz_image_freshK*)
|
|
|
282 |
|
|
|
283 |
|
|
|
284 |
lemma Inputs_imp_knows_Spy_secureM_srb:
|
|
|
285 |
"\<lbrakk> Inputs Spy C X \<in> set evs; evs \<in> srb \<rbrakk> \<Longrightarrow> X \<in> knows Spy evs"
|
|
|
286 |
apply (simp (no_asm_simp) add: Inputs_imp_knows_Spy_secureM)
|
|
|
287 |
done
|
|
|
288 |
|
|
|
289 |
lemma knows_Spy_Inputs_secureM_srb_Spy:
|
|
|
290 |
"evs \<in>srb \<Longrightarrow> knows Spy (Inputs Spy C X # evs) = insert X (knows Spy evs)"
|
|
|
291 |
apply (simp (no_asm_simp))
|
|
|
292 |
done
|
|
|
293 |
|
|
|
294 |
lemma knows_Spy_Inputs_secureM_srb:
|
|
|
295 |
"\<lbrakk> A \<noteq> Spy; evs \<in>srb \<rbrakk> \<Longrightarrow> knows Spy (Inputs A C X # evs) = knows Spy evs"
|
|
|
296 |
apply (simp (no_asm_simp))
|
|
|
297 |
done
|
|
|
298 |
|
|
|
299 |
lemma knows_Spy_Outpts_secureM_srb_Spy:
|
|
|
300 |
"evs \<in>srb \<Longrightarrow> knows Spy (Outpts C Spy X # evs) = insert X (knows Spy evs)"
|
|
|
301 |
apply (simp (no_asm_simp))
|
|
|
302 |
done
|
|
|
303 |
|
|
|
304 |
lemma knows_Spy_Outpts_secureM_srb:
|
|
|
305 |
"\<lbrakk> A \<noteq> Spy; evs \<in>srb \<rbrakk> \<Longrightarrow> knows Spy (Outpts C A X # evs) = knows Spy evs"
|
|
|
306 |
apply (simp (no_asm_simp))
|
|
|
307 |
done
|
|
|
308 |
|
|
|
309 |
(*End lemmas on secure means for shouprubin*)
|
|
|
310 |
|
|
|
311 |
|
|
|
312 |
|
|
|
313 |
|
|
|
314 |
(*BEGIN technical lemmas - evolution of forwarding lemmas*)
|
|
|
315 |
|
|
|
316 |
(*If an honest agent uses a smart card, then the card is his/her own, is
|
|
|
317 |
not stolen, and the agent has received suitable data to feed the card.
|
|
|
318 |
In other words, these are guarantees that an honest agent can only use
|
|
|
319 |
his/her own card, and must use it correctly.
|
|
|
320 |
On the contrary, the spy can "Inputs" any cloned cards also by the Fake rule.
|
|
|
321 |
|
|
|
322 |
Instead of Auto_tac, proofs here used to asm-simplify and then force-tac.
|
|
|
323 |
*)
|
|
|
324 |
lemma Inputs_A_Card_3:
|
|
|
325 |
"\<lbrakk> Inputs A C (Agent A) \<in> set evs; A \<noteq> Spy; evs \<in> srb \<rbrakk>
|
|
|
326 |
\<Longrightarrow> legalUse(C) \<and> C = (Card A) \<and>
|
|
|
327 |
(\<exists> Pk Certificate. Gets A \<lbrace>Pk, Certificate\<rbrace> \<in> set evs)"
|
|
|
328 |
apply (erule rev_mp, erule srb.induct)
|
|
|
329 |
apply auto
|
|
|
330 |
done
|
|
|
331 |
|
|
|
332 |
lemma Inputs_B_Card_6:
|
|
|
333 |
"\<lbrakk> Inputs B C \<lbrace>Agent A, Nonce Na\<rbrace> \<in> set evs; B \<noteq> Spy; evs \<in> srb \<rbrakk>
|
|
|
334 |
\<Longrightarrow> legalUse(C) \<and> C = (Card B) \<and> Gets B \<lbrace>Agent A, Nonce Na\<rbrace> \<in> set evs"
|
|
|
335 |
apply (erule rev_mp, erule srb.induct)
|
|
|
336 |
apply auto
|
|
|
337 |
done
|
|
|
338 |
|
|
|
339 |
lemma Inputs_A_Card_9:
|
|
|
340 |
"\<lbrakk> Inputs A C \<lbrace>Agent B, Nonce Na, Nonce Nb, Nonce Pk,
|
|
|
341 |
Cert1, Cert2, Cert3\<rbrace> \<in> set evs;
|
|
|
342 |
A \<noteq> Spy; evs \<in> srb \<rbrakk>
|
|
|
343 |
\<Longrightarrow> legalUse(C) \<and> C = (Card A) \<and>
|
|
|
344 |
Gets A \<lbrace>Nonce Pk, Cert1\<rbrace> \<in> set evs \<and>
|
|
|
345 |
Outpts (Card A) A \<lbrace>Nonce Na, Cert3\<rbrace> \<in> set evs \<and>
|
|
|
346 |
Gets A \<lbrace>Nonce Nb, Cert2\<rbrace> \<in> set evs"
|
|
|
347 |
apply (erule rev_mp, erule srb.induct)
|
|
|
348 |
apply auto
|
|
|
349 |
done
|
|
|
350 |
|
|
|
351 |
|
|
|
352 |
(*The two occurrences of A in the Outpts event don't match SR_U4Fake, where
|
|
|
353 |
A cannot be the Spy. Hence the card is legally usable by rule SR_U4*)
|
|
|
354 |
lemma Outpts_A_Card_4:
|
|
|
355 |
"\<lbrakk> Outpts C A \<lbrace>Nonce Na, (Crypt (crdK (Card A)) (Nonce Na))\<rbrace> \<in> set evs;
|
|
|
356 |
evs \<in> srb \<rbrakk>
|
|
|
357 |
\<Longrightarrow> legalUse(C) \<and> C = (Card A) \<and>
|
|
|
358 |
Inputs A (Card A) (Agent A) \<in> set evs"
|
|
|
359 |
apply (erule rev_mp, erule srb.induct)
|
|
|
360 |
apply auto
|
|
|
361 |
done
|
|
|
362 |
|
|
|
363 |
|
|
|
364 |
(*First certificate is made explicit so that a comment similar to the previous
|
|
|
365 |
applies. This also provides Na to the Inputs event in the conclusion*)
|
|
|
366 |
lemma Outpts_B_Card_7:
|
|
|
367 |
"\<lbrakk> Outpts C B \<lbrace>Nonce Nb, Agent A, Key K,
|
|
|
368 |
Crypt (pairK(A,B)) \<lbrace>Nonce Na, Nonce Nb\<rbrace>,
|
|
|
369 |
Cert2\<rbrace> \<in> set evs;
|
|
|
370 |
evs \<in> srb \<rbrakk>
|
|
|
371 |
\<Longrightarrow> legalUse(C) \<and> C = (Card B) \<and>
|
|
|
372 |
Inputs B (Card B) \<lbrace>Agent A, Nonce Na\<rbrace> \<in> set evs"
|
|
|
373 |
apply (erule rev_mp, erule srb.induct)
|
|
|
374 |
apply auto
|
|
|
375 |
done
|
|
|
376 |
|
|
|
377 |
lemma Outpts_A_Card_10:
|
|
|
378 |
"\<lbrakk> Outpts C A \<lbrace>Agent B, Nonce Nb,
|
|
|
379 |
Key K, (Crypt (pairK(A,B)) (Nonce Nb))\<rbrace> \<in> set evs;
|
|
|
380 |
evs \<in> srb \<rbrakk>
|
|
|
381 |
\<Longrightarrow> legalUse(C) \<and> C = (Card A) \<and>
|
|
|
382 |
(\<exists> Na Ver1 Ver2 Ver3.
|
|
|
383 |
Inputs A (Card A) \<lbrace>Agent B, Nonce Na, Nonce Nb, Nonce (Pairkey(A,B)),
|
|
|
384 |
Ver1, Ver2, Ver3\<rbrace> \<in> set evs)"
|
|
|
385 |
apply (erule rev_mp, erule srb.induct)
|
|
|
386 |
apply auto
|
|
|
387 |
done
|
|
|
388 |
|
|
|
389 |
|
|
|
390 |
|
|
|
391 |
(*
|
|
|
392 |
Contrarily to original version, A doesn't need to check the form of the
|
|
|
393 |
certificate to learn that her peer is B. The goal is available to A.
|
|
|
394 |
*)
|
|
|
395 |
lemma Outpts_A_Card_10_imp_Inputs:
|
|
|
396 |
"\<lbrakk> Outpts (Card A) A \<lbrace>Agent B, Nonce Nb, Key K, Certificate\<rbrace>
|
|
|
397 |
\<in> set evs; evs \<in> srb \<rbrakk>
|
|
|
398 |
\<Longrightarrow> (\<exists> Na Ver1 Ver2 Ver3.
|
|
|
399 |
Inputs A (Card A) \<lbrace>Agent B, Nonce Na, Nonce Nb, Nonce (Pairkey(A,B)),
|
|
|
400 |
Ver1, Ver2, Ver3\<rbrace> \<in> set evs)"
|
|
|
401 |
apply (erule rev_mp, erule srb.induct)
|
|
|
402 |
apply simp_all
|
|
|
403 |
apply blast+
|
|
|
404 |
done
|
|
|
405 |
|
|
|
406 |
|
|
|
407 |
|
|
|
408 |
|
|
|
409 |
(*Weaker version: if the agent can't check the forms of the verifiers, then
|
|
|
410 |
the agent must not be the spy so as to solve SR_U4Fake. The verifier must be
|
|
|
411 |
recognised as some cyphertex in order to distinguish from case SR_U7,
|
|
|
412 |
concerning B's output, which also begins with a nonce.
|
|
|
413 |
*)
|
|
|
414 |
lemma Outpts_honest_A_Card_4:
|
|
|
415 |
"\<lbrakk> Outpts C A \<lbrace>Nonce Na, Crypt K X\<rbrace> \<in>set evs;
|
|
|
416 |
A \<noteq> Spy; evs \<in> srb \<rbrakk>
|
|
|
417 |
\<Longrightarrow> legalUse(C) \<and> C = (Card A) \<and>
|
|
|
418 |
Inputs A (Card A) (Agent A) \<in> set evs"
|
|
|
419 |
apply (erule rev_mp, erule srb.induct)
|
|
|
420 |
apply auto
|
|
|
421 |
done
|
|
|
422 |
|
|
|
423 |
(*alternative formulation of same theorem
|
|
|
424 |
Goal "\<lbrakk> Outpts C A \<lbrace>Nonce Na, Certificate\<rbrace> \<in> set evs;
|
|
|
425 |
\<forall> p q. Certificate \<noteq> \<lbrace>p, q\<rbrace>;
|
|
|
426 |
A \<noteq> Spy; evs \<in> srb \<rbrakk>
|
|
|
427 |
\<Longrightarrow> legalUse(C) \<and> C = (Card A) \<and>
|
|
|
428 |
Inputs A (Card A) (Agent A) \<in> set evs"
|
|
|
429 |
same proof
|
|
|
430 |
*)
|
|
|
431 |
|
|
|
432 |
|
|
|
433 |
lemma Outpts_honest_B_Card_7:
|
|
|
434 |
"\<lbrakk> Outpts C B \<lbrace>Nonce Nb, Agent A, Key K, Cert1, Cert2\<rbrace> \<in> set evs;
|
|
|
435 |
B \<noteq> Spy; evs \<in> srb \<rbrakk>
|
|
|
436 |
\<Longrightarrow> legalUse(C) \<and> C = (Card B) \<and>
|
|
|
437 |
(\<exists> Na. Inputs B (Card B) \<lbrace>Agent A, Nonce Na\<rbrace> \<in> set evs)"
|
|
|
438 |
apply (erule rev_mp, erule srb.induct)
|
|
|
439 |
apply auto
|
|
|
440 |
done
|
|
|
441 |
|
|
|
442 |
lemma Outpts_honest_A_Card_10:
|
|
|
443 |
"\<lbrakk> Outpts C A \<lbrace>Agent B, Nonce Nb, Key K, Certificate\<rbrace> \<in> set evs;
|
|
|
444 |
A \<noteq> Spy; evs \<in> srb \<rbrakk>
|
|
|
445 |
\<Longrightarrow> legalUse (C) \<and> C = (Card A) \<and>
|
|
|
446 |
(\<exists> Na Pk Ver1 Ver2 Ver3.
|
|
|
447 |
Inputs A (Card A) \<lbrace>Agent B, Nonce Na, Nonce Nb, Pk,
|
|
|
448 |
Ver1, Ver2, Ver3\<rbrace> \<in> set evs)"
|
|
|
449 |
apply (erule rev_mp, erule srb.induct)
|
|
|
450 |
apply simp_all
|
|
|
451 |
apply blast+
|
|
|
452 |
done
|
|
|
453 |
(*-END-*)
|
|
|
454 |
|
|
|
455 |
|
|
|
456 |
(*Even weaker versions: if the agent can't check the forms of the verifiers
|
|
|
457 |
and the agent may be the spy, then we must know what card the agent
|
|
|
458 |
is getting the output from.
|
|
|
459 |
*)
|
|
|
460 |
lemma Outpts_which_Card_4:
|
|
|
461 |
"\<lbrakk> Outpts (Card A) A \<lbrace>Nonce Na, Crypt K X\<rbrace> \<in> set evs; evs \<in> srb \<rbrakk>
|
|
|
462 |
\<Longrightarrow> Inputs A (Card A) (Agent A) \<in> set evs"
|
|
|
463 |
apply (erule rev_mp, erule srb.induct)
|
|
|
464 |
apply (simp_all (no_asm_simp))
|
|
|
465 |
apply clarify
|
|
|
466 |
done
|
|
|
467 |
|
|
|
468 |
lemma Outpts_which_Card_7:
|
|
|
469 |
"\<lbrakk> Outpts (Card B) B \<lbrace>Nonce Nb, Agent A, Key K, Cert1, Cert2\<rbrace>
|
|
|
470 |
\<in> set evs; evs \<in> srb \<rbrakk>
|
|
|
471 |
\<Longrightarrow> \<exists> Na. Inputs B (Card B) \<lbrace>Agent A, Nonce Na\<rbrace> \<in> set evs"
|
|
|
472 |
apply (erule rev_mp, erule srb.induct)
|
|
|
473 |
apply auto
|
|
|
474 |
done
|
|
|
475 |
|
|
|
476 |
(*This goal is now available - in the sense of Goal Availability*)
|
|
|
477 |
lemma Outpts_which_Card_10:
|
|
|
478 |
"\<lbrakk> Outpts (Card A) A \<lbrace>Agent B, Nonce Nb, Key K, Certificate \<rbrace> \<in> set evs;
|
|
|
479 |
evs \<in> srb \<rbrakk>
|
|
|
480 |
\<Longrightarrow> \<exists> Na. Inputs A (Card A) \<lbrace>Agent B, Nonce Na, Nonce Nb, Nonce (Pairkey(A,B)),
|
|
|
481 |
Crypt (shrK A) \<lbrace>Nonce (Pairkey(A,B)), Agent B\<rbrace>,
|
|
|
482 |
Crypt (pairK(A,B)) \<lbrace>Nonce Na, Nonce Nb\<rbrace>,
|
|
|
483 |
Crypt (crdK (Card A)) (Nonce Na) \<rbrace> \<in> set evs"
|
|
|
484 |
apply (erule rev_mp, erule srb.induct)
|
|
|
485 |
apply auto
|
|
|
486 |
done
|
|
|
487 |
|
|
|
488 |
|
|
|
489 |
(*Lemmas on the form of outputs*)
|
|
|
490 |
|
|
|
491 |
|
|
|
492 |
(*A needs to check that the verifier is a cipher for it to come from SR_U4
|
|
|
493 |
otherwise it could come from SR_U7 *)
|
|
|
494 |
lemma Outpts_A_Card_form_4:
|
|
|
495 |
"\<lbrakk> Outpts (Card A) A \<lbrace>Nonce Na, Certificate\<rbrace> \<in> set evs;
|
|
|
496 |
\<forall> p q. Certificate \<noteq> \<lbrace>p, q\<rbrace>; evs \<in> srb \<rbrakk>
|
|
|
497 |
\<Longrightarrow> Certificate = (Crypt (crdK (Card A)) (Nonce Na))"
|
|
|
498 |
apply (erule rev_mp, erule srb.induct)
|
|
|
499 |
apply (simp_all (no_asm_simp))
|
|
|
500 |
done
|
|
|
501 |
|
|
|
502 |
lemma Outpts_B_Card_form_7:
|
|
|
503 |
"\<lbrakk> Outpts (Card B) B \<lbrace>Nonce Nb, Agent A, Key K, Cert1, Cert2\<rbrace>
|
|
|
504 |
\<in> set evs; evs \<in> srb \<rbrakk>
|
|
|
505 |
\<Longrightarrow> \<exists> Na.
|
|
|
506 |
K = sesK(Nb,pairK(A,B)) \<and>
|
|
|
507 |
Cert1 = (Crypt (pairK(A,B)) \<lbrace>Nonce Na, Nonce Nb\<rbrace>) \<and>
|
|
|
508 |
Cert2 = (Crypt (pairK(A,B)) (Nonce Nb))"
|
|
|
509 |
apply (erule rev_mp, erule srb.induct)
|
|
|
510 |
apply auto
|
|
|
511 |
done
|
|
|
512 |
|
|
|
513 |
lemma Outpts_A_Card_form_10:
|
|
|
514 |
"\<lbrakk> Outpts (Card A) A \<lbrace>Agent B, Nonce Nb, Key K, Certificate\<rbrace>
|
|
|
515 |
\<in> set evs; evs \<in> srb \<rbrakk>
|
|
|
516 |
\<Longrightarrow> K = sesK(Nb,pairK(A,B)) \<and>
|
|
|
517 |
Certificate = (Crypt (pairK(A,B)) (Nonce Nb))"
|
|
|
518 |
apply (erule rev_mp, erule srb.induct)
|
|
|
519 |
apply (simp_all (no_asm_simp))
|
|
|
520 |
done
|
|
|
521 |
|
|
|
522 |
lemma Outpts_A_Card_form_bis:
|
|
|
523 |
"\<lbrakk> Outpts (Card A') A' \<lbrace>Agent B', Nonce Nb', Key (sesK(Nb,pairK(A,B))),
|
|
|
524 |
Certificate\<rbrace> \<in> set evs;
|
|
|
525 |
evs \<in> srb \<rbrakk>
|
|
|
526 |
\<Longrightarrow> A' = A \<and> B' = B \<and> Nb = Nb' \<and>
|
|
|
527 |
Certificate = (Crypt (pairK(A,B)) (Nonce Nb))"
|
|
|
528 |
apply (erule rev_mp, erule srb.induct)
|
|
|
529 |
apply (simp_all (no_asm_simp))
|
|
|
530 |
done
|
|
|
531 |
|
|
|
532 |
(*\<dots> and Inputs *)
|
|
|
533 |
|
|
|
534 |
lemma Inputs_A_Card_form_9:
|
|
|
535 |
|
|
|
536 |
"\<lbrakk> Inputs A (Card A) \<lbrace>Agent B, Nonce Na, Nonce Nb, Nonce Pk,
|
|
|
537 |
Cert1, Cert2, Cert3\<rbrace> \<in> set evs;
|
|
|
538 |
evs \<in> srb \<rbrakk>
|
|
|
539 |
\<Longrightarrow> Cert3 = Crypt (crdK (Card A)) (Nonce Na)"
|
|
|
540 |
apply (erule rev_mp)
|
|
|
541 |
apply (erule srb.induct)
|
|
|
542 |
apply (simp_all (no_asm_simp))
|
|
|
543 |
(*Fake*)
|
|
|
544 |
apply force
|
|
|
545 |
(*SR_U9*)
|
|
|
546 |
apply (blast dest!: Outpts_A_Card_form_4)
|
|
|
547 |
done
|
|
|
548 |
(* Pk, Cert1, Cert2 cannot be made explicit because they traversed the network in the clear *)
|
|
|
549 |
|
|
|
550 |
|
|
|
551 |
|
|
|
552 |
(*General guarantees on Inputs and Outpts*)
|
|
|
553 |
|
|
|
554 |
(*for any agents*)
|
|
|
555 |
|
|
|
556 |
|
|
|
557 |
lemma Inputs_Card_legalUse:
|
|
|
558 |
"\<lbrakk> Inputs A (Card A) X \<in> set evs; evs \<in> srb \<rbrakk> \<Longrightarrow> legalUse(Card A)"
|
|
|
559 |
apply (erule rev_mp, erule srb.induct)
|
|
|
560 |
apply auto
|
|
|
561 |
done
|
|
|
562 |
|
|
|
563 |
lemma Outpts_Card_legalUse:
|
|
|
564 |
"\<lbrakk> Outpts (Card A) A X \<in> set evs; evs \<in> srb \<rbrakk> \<Longrightarrow> legalUse(Card A)"
|
|
|
565 |
apply (erule rev_mp, erule srb.induct)
|
|
|
566 |
apply auto
|
|
|
567 |
done
|
|
|
568 |
|
|
|
569 |
(*for honest agents*)
|
|
|
570 |
|
|
|
571 |
lemma Inputs_Card: "\<lbrakk> Inputs A C X \<in> set evs; A \<noteq> Spy; evs \<in> srb \<rbrakk>
|
|
|
572 |
\<Longrightarrow> C = (Card A) \<and> legalUse(C)"
|
|
|
573 |
apply (erule rev_mp, erule srb.induct)
|
|
|
574 |
apply auto
|
|
|
575 |
done
|
|
|
576 |
|
|
|
577 |
lemma Outpts_Card: "\<lbrakk> Outpts C A X \<in> set evs; A \<noteq> Spy; evs \<in> srb \<rbrakk>
|
|
|
578 |
\<Longrightarrow> C = (Card A) \<and> legalUse(C)"
|
|
|
579 |
apply (erule rev_mp, erule srb.induct)
|
|
|
580 |
apply auto
|
|
|
581 |
done
|
|
|
582 |
|
|
|
583 |
lemma Inputs_Outpts_Card:
|
|
|
584 |
"\<lbrakk> Inputs A C X \<in> set evs \<or> Outpts C A Y \<in> set evs;
|
|
|
585 |
A \<noteq> Spy; evs \<in> srb \<rbrakk>
|
|
|
586 |
\<Longrightarrow> C = (Card A) \<and> legalUse(Card A)"
|
|
|
587 |
apply (blast dest: Inputs_Card Outpts_Card)
|
|
|
588 |
done
|
|
|
589 |
|
|
|
590 |
|
|
|
591 |
(*for the spy - they stress that the model behaves as it is meant to*)
|
|
|
592 |
|
|
|
593 |
(*The or version can be also proved directly.
|
|
|
594 |
It stresses that the spy may use either her own legally usable card or
|
|
|
595 |
all the illegally usable cards.
|
|
|
596 |
*)
|
|
|
597 |
lemma Inputs_Card_Spy:
|
|
|
598 |
"\<lbrakk> Inputs Spy C X \<in> set evs \<or> Outpts C Spy X \<in> set evs; evs \<in> srb \<rbrakk>
|
|
|
599 |
\<Longrightarrow> C = (Card Spy) \<and> legalUse(Card Spy) \<or>
|
|
|
600 |
(\<exists> A. C = (Card A) \<and> illegalUse(Card A))"
|
|
|
601 |
apply (erule rev_mp, erule srb.induct)
|
|
|
602 |
apply auto
|
|
|
603 |
done
|
|
|
604 |
|
|
|
605 |
|
|
|
606 |
(*END technical lemmas*)
|
|
|
607 |
|
|
|
608 |
|
|
|
609 |
|
|
|
610 |
|
|
|
611 |
|
|
|
612 |
|
|
|
613 |
(*BEGIN unicity theorems: certain items uniquely identify a smart card's
|
|
|
614 |
output*)
|
|
|
615 |
|
|
|
616 |
(*A's card's first output: the nonce uniquely identifies the rest*)
|
|
|
617 |
lemma Outpts_A_Card_unique_nonce:
|
|
|
618 |
"\<lbrakk> Outpts (Card A) A \<lbrace>Nonce Na, Crypt (crdK (Card A)) (Nonce Na)\<rbrace>
|
|
|
619 |
\<in> set evs;
|
|
|
620 |
Outpts (Card A') A' \<lbrace>Nonce Na, Crypt (crdK (Card A')) (Nonce Na)\<rbrace>
|
|
|
621 |
\<in> set evs;
|
|
|
622 |
evs \<in> srb \<rbrakk> \<Longrightarrow> A=A'"
|
|
|
623 |
apply (erule rev_mp, erule rev_mp, erule srb.induct, simp_all)
|
|
|
624 |
apply (fastsimp dest: Outpts_parts_used)
|
|
|
625 |
apply blast
|
|
|
626 |
done
|
|
|
627 |
|
|
|
628 |
(*B's card's output: the NONCE uniquely identifies the rest*)
|
|
|
629 |
lemma Outpts_B_Card_unique_nonce:
|
|
|
630 |
"\<lbrakk> Outpts (Card B) B \<lbrace>Nonce Nb, Agent A, Key SK, Cert1, Cert2\<rbrace> \<in> set evs;
|
|
|
631 |
Outpts (Card B') B' \<lbrace>Nonce Nb, Agent A', Key SK', Cert1', Cert2'\<rbrace> \<in> set evs;
|
|
|
632 |
evs \<in> srb \<rbrakk> \<Longrightarrow> B=B' \<and> A=A' \<and> SK=SK' \<and> Cert1=Cert1' \<and> Cert2=Cert2'"
|
|
|
633 |
apply (erule rev_mp, erule rev_mp, erule srb.induct, simp_all)
|
|
|
634 |
apply (fastsimp dest: Outpts_parts_used)
|
|
|
635 |
apply blast
|
|
|
636 |
done
|
|
|
637 |
|
|
|
638 |
|
|
|
639 |
(*B's card's output: the SESKEY uniquely identifies the rest*)
|
|
|
640 |
lemma Outpts_B_Card_unique_key:
|
|
|
641 |
"\<lbrakk> Outpts (Card B) B \<lbrace>Nonce Nb, Agent A, Key SK, Cert1, Cert2\<rbrace> \<in> set evs;
|
|
|
642 |
Outpts (Card B') B' \<lbrace>Nonce Nb', Agent A', Key SK, Cert1', Cert2'\<rbrace> \<in> set evs;
|
|
|
643 |
evs \<in> srb \<rbrakk> \<Longrightarrow> B=B' \<and> A=A' \<and> Nb=Nb' \<and> Cert1=Cert1' \<and> Cert2=Cert2'"
|
|
|
644 |
apply (erule rev_mp, erule rev_mp, erule srb.induct, simp_all)
|
|
|
645 |
apply (fastsimp dest: Outpts_parts_used)
|
|
|
646 |
apply blast
|
|
|
647 |
done
|
|
|
648 |
|
|
|
649 |
lemma Outpts_A_Card_unique_key:
|
|
|
650 |
"\<lbrakk> Outpts (Card A) A \<lbrace>Agent B, Nonce Nb, Key K, V\<rbrace> \<in> set evs;
|
|
|
651 |
Outpts (Card A') A' \<lbrace>Agent B', Nonce Nb', Key K, V'\<rbrace> \<in> set evs;
|
|
|
652 |
evs \<in> srb \<rbrakk> \<Longrightarrow> A=A' \<and> B=B' \<and> Nb=Nb' \<and> V=V'"
|
|
|
653 |
apply (erule rev_mp, erule rev_mp, erule srb.induct, simp_all)
|
|
|
654 |
apply (blast dest: Outpts_A_Card_form_bis)
|
|
|
655 |
apply blast
|
|
|
656 |
done
|
|
|
657 |
|
|
|
658 |
|
|
|
659 |
(*Revised unicity theorem - applies to both steps 4 and 7*)
|
|
|
660 |
lemma Outpts_A_Card_Unique:
|
|
|
661 |
"\<lbrakk> Outpts (Card A) A \<lbrace>Nonce Na, rest\<rbrace> \<in> set evs; evs \<in> srb \<rbrakk>
|
|
|
662 |
\<Longrightarrow> Unique (Outpts (Card A) A \<lbrace>Nonce Na, rest\<rbrace>) on evs"
|
|
|
663 |
apply (erule rev_mp, erule srb.induct, simp_all add: Unique_def)
|
|
|
664 |
apply (fastsimp dest: Outpts_parts_used)
|
|
|
665 |
apply blast
|
|
|
666 |
apply (fastsimp dest: Outpts_parts_used)
|
|
|
667 |
apply blast
|
|
|
668 |
done
|
|
|
669 |
|
|
|
670 |
(*can't prove the same on evs10 for it doesn't have a freshness assumption!*)
|
|
|
671 |
|
|
|
672 |
|
|
|
673 |
(*END unicity theorems*)
|
|
|
674 |
|
|
|
675 |
|
|
|
676 |
(*BEGIN counterguarantees about spy's knowledge*)
|
|
|
677 |
|
|
|
678 |
(*on nonces*)
|
|
|
679 |
|
|
|
680 |
lemma Spy_knows_Na:
|
|
|
681 |
"\<lbrakk> Says A B \<lbrace>Agent A, Nonce Na\<rbrace> \<in> set evs; evs \<in> srb \<rbrakk>
|
|
|
682 |
\<Longrightarrow> Nonce Na \<in> analz (knows Spy evs)"
|
|
|
683 |
apply (blast dest!: Says_imp_knows_Spy [THEN analz.Inj, THEN analz.Snd])
|
|
|
684 |
done
|
|
|
685 |
|
|
|
686 |
lemma Spy_knows_Nb:
|
|
|
687 |
"\<lbrakk> Says B A \<lbrace>Nonce Nb, Certificate\<rbrace> \<in> set evs; evs \<in> srb \<rbrakk>
|
|
|
688 |
\<Longrightarrow> Nonce Nb \<in> analz (knows Spy evs)"
|
|
|
689 |
apply (blast dest!: Says_imp_knows_Spy [THEN analz.Inj, THEN analz.Fst])
|
|
|
690 |
done
|
|
|
691 |
|
|
|
692 |
|
|
|
693 |
(*on Pairkey*)
|
|
|
694 |
|
|
|
695 |
lemma Pairkey_Gets_analz_knows_Spy:
|
|
|
696 |
"\<lbrakk> Gets A \<lbrace>Nonce (Pairkey(A,B)), Certificate\<rbrace> \<in> set evs; evs \<in> srb \<rbrakk>
|
|
|
697 |
\<Longrightarrow> Nonce (Pairkey(A,B)) \<in> analz (knows Spy evs)"
|
|
|
698 |
apply (blast dest!: Gets_imp_knows_Spy [THEN analz.Inj])
|
|
|
699 |
done
|
|
|
700 |
|
|
|
701 |
lemma Pairkey_Inputs_imp_Gets:
|
|
|
702 |
"\<lbrakk> Inputs A (Card A)
|
|
|
703 |
\<lbrace>Agent B, Nonce Na, Nonce Nb, Nonce (Pairkey(A,B)),
|
|
|
704 |
Cert1, Cert3, Cert2\<rbrace> \<in> set evs;
|
|
|
705 |
A \<noteq> Spy; evs \<in> srb \<rbrakk>
|
|
|
706 |
\<Longrightarrow> Gets A \<lbrace>Nonce (Pairkey(A,B)), Cert1\<rbrace> \<in> set evs"
|
|
|
707 |
apply (erule rev_mp, erule srb.induct)
|
|
|
708 |
apply (simp_all (no_asm_simp))
|
|
|
709 |
apply force
|
|
|
710 |
done
|
|
|
711 |
|
|
|
712 |
lemma Pairkey_Inputs_analz_knows_Spy:
|
|
|
713 |
"\<lbrakk> Inputs A (Card A)
|
|
|
714 |
\<lbrace>Agent B, Nonce Na, Nonce Nb, Nonce (Pairkey(A,B)),
|
|
|
715 |
Cert1, Cert3, Cert2\<rbrace> \<in> set evs;
|
|
|
716 |
evs \<in> srb \<rbrakk>
|
|
|
717 |
\<Longrightarrow> Nonce (Pairkey(A,B)) \<in> analz (knows Spy evs)"
|
|
|
718 |
apply (case_tac "A = Spy")
|
|
|
719 |
apply (fastsimp dest!: Inputs_imp_knows_Spy_secureM [THEN analz.Inj])
|
|
|
720 |
apply (blast dest!: Pairkey_Inputs_imp_Gets [THEN Pairkey_Gets_analz_knows_Spy])
|
|
|
721 |
done
|
|
|
722 |
|
|
|
723 |
(* This fails on base case because of XOR properties.
|
|
|
724 |
lemma Pairkey_authentic:
|
|
|
725 |
"\<lbrakk> Nonce (Pairkey(A,B)) \<in> parts (knows Spy evs);
|
|
|
726 |
Card A \<notin> cloned; evs \<in> sr \<rbrakk>
|
|
|
727 |
\<Longrightarrow> \<exists> cert. Says Server A \<lbrace>Nonce (Pairkey(A,B)), Cert\<rbrace> \<in> set evs"
|
|
|
728 |
apply (erule rev_mp)
|
|
|
729 |
apply (erule sr.induct, simp_all)
|
|
|
730 |
apply clarify
|
|
|
731 |
oops
|
|
|
732 |
|
|
|
733 |
1. \<And>x a b.
|
|
|
734 |
\<lbrakk>Card A \<notin> cloned; Pairkey (A, B) = Pairkey (a, b); Card a \<in> cloned;
|
|
|
735 |
Card b \<in> cloned\<rbrakk>
|
|
|
736 |
\<Longrightarrow> False
|
|
|
737 |
*)
|
|
|
738 |
|
|
|
739 |
|
|
|
740 |
(*END counterguarantees on spy's knowledge*)
|
|
|
741 |
|
|
|
742 |
|
|
|
743 |
(*BEGIN rewrite rules for parts operator*)
|
|
|
744 |
|
|
|
745 |
declare shrK_disj_sesK [THEN not_sym, iff]
|
|
|
746 |
declare pin_disj_sesK [THEN not_sym, iff]
|
|
|
747 |
declare crdK_disj_sesK [THEN not_sym, iff]
|
|
|
748 |
declare pairK_disj_sesK [THEN not_sym, iff]
|
|
|
749 |
|
|
|
750 |
|
|
|
751 |
ML
|
|
|
752 |
{*
|
|
|
753 |
val Outpts_B_Card_form_7 = thm "Outpts_B_Card_form_7"
|
|
|
754 |
val Outpts_A_Card_form_4 = thm "Outpts_A_Card_form_4"
|
|
|
755 |
val Outpts_A_Card_form_10 = thm "Outpts_A_Card_form_10"
|
|
|
756 |
val Gets_imp_knows_Spy = thm "Gets_imp_knows_Spy"
|
|
|
757 |
val Outpts_B_Card_form_7 = thm "Outpts_B_Card_form_7"
|
|
|
758 |
val Gets_imp_knows_Spy_parts_Snd = thm "Gets_imp_knows_Spy_parts_Snd"
|
|
|
759 |
val Gets_imp_knows_Spy_analz_Snd = thm "Gets_imp_knows_Spy_analz_Snd"
|
|
|
760 |
|
|
|
761 |
val prepare_tac =
|
|
|
762 |
(*SR_U8*) forward_tac [Outpts_B_Card_form_7] 14 THEN
|
|
|
763 |
(*SR_U8*) Clarify_tac 15 THEN
|
|
|
764 |
(*SR_U9*) forward_tac [Outpts_A_Card_form_4] 16 THEN
|
|
|
765 |
(*SR_U11*) forward_tac [Outpts_A_Card_form_10] 21
|
|
|
766 |
|
|
|
767 |
val parts_prepare_tac =
|
|
|
768 |
prepare_tac THEN
|
|
|
769 |
(*SR_U9*) dresolve_tac [Gets_imp_knows_Spy_parts_Snd] 18 THEN
|
|
|
770 |
(*SR_U9*) dresolve_tac [Gets_imp_knows_Spy_parts_Snd] 19 THEN
|
|
|
771 |
(*Oops1*) dresolve_tac [Outpts_B_Card_form_7] 25 THEN
|
|
|
772 |
(*Oops2*) dresolve_tac [Outpts_A_Card_form_10] 27 THEN
|
|
|
773 |
(*Base*) Force_tac 1
|
|
|
774 |
|
|
|
775 |
val analz_prepare_tac =
|
|
|
776 |
prepare_tac THEN
|
|
|
777 |
dtac (Gets_imp_knows_Spy_analz_Snd) 18 THEN
|
|
|
778 |
(*SR_U9*) dtac (Gets_imp_knows_Spy_analz_Snd) 19 THEN
|
|
|
779 |
REPEAT_FIRST (eresolve_tac [asm_rl, conjE] ORELSE' hyp_subst_tac)
|
|
|
780 |
|
|
|
781 |
*}
|
|
|
782 |
|
|
|
783 |
method_setup prepare = {*
|
|
21588
|
784 |
Method.no_args (Method.SIMPLE_METHOD prepare_tac) *}
|
|
18886
|
785 |
"to launch a few simple facts that'll help the simplifier"
|
|
|
786 |
|
|
|
787 |
method_setup parts_prepare = {*
|
|
21588
|
788 |
Method.no_args (Method.SIMPLE_METHOD parts_prepare_tac) *}
|
|
18886
|
789 |
"additional facts to reason about parts"
|
|
|
790 |
|
|
|
791 |
method_setup analz_prepare = {*
|
|
21588
|
792 |
Method.no_args (Method.SIMPLE_METHOD analz_prepare_tac) *}
|
|
18886
|
793 |
"additional facts to reason about analz"
|
|
|
794 |
|
|
|
795 |
|
|
|
796 |
|
|
|
797 |
lemma Spy_parts_keys [simp]: "evs \<in> srb \<Longrightarrow>
|
|
|
798 |
(Key (shrK P) \<in> parts (knows Spy evs)) = (Card P \<in> cloned) \<and>
|
|
|
799 |
(Key (pin P) \<in> parts (knows Spy evs)) = (P \<in> bad \<or> Card P \<in> cloned) \<and>
|
|
|
800 |
(Key (crdK C) \<in> parts (knows Spy evs)) = (C \<in> cloned) \<and>
|
|
|
801 |
(Key (pairK(A,B)) \<in> parts (knows Spy evs)) = (Card B \<in> cloned)"
|
|
|
802 |
apply (erule srb.induct)
|
|
|
803 |
apply parts_prepare
|
|
|
804 |
apply simp_all
|
|
|
805 |
apply (blast intro: parts_insertI)
|
|
|
806 |
done
|
|
|
807 |
|
|
|
808 |
(*END rewrite rules for parts operator*)
|
|
|
809 |
|
|
|
810 |
(*BEGIN rewrite rules for analz operator*)
|
|
|
811 |
|
|
|
812 |
|
|
|
813 |
lemma Spy_analz_shrK[simp]: "evs \<in> srb \<Longrightarrow>
|
|
|
814 |
(Key (shrK P) \<in> analz (knows Spy evs)) = (Card P \<in> cloned)"
|
|
|
815 |
apply (auto dest!: Spy_knows_cloned)
|
|
|
816 |
done
|
|
|
817 |
|
|
|
818 |
lemma Spy_analz_crdK[simp]: "evs \<in> srb \<Longrightarrow>
|
|
|
819 |
(Key (crdK C) \<in> analz (knows Spy evs)) = (C \<in> cloned)"
|
|
|
820 |
apply (auto dest!: Spy_knows_cloned)
|
|
|
821 |
done
|
|
|
822 |
|
|
|
823 |
lemma Spy_analz_pairK[simp]: "evs \<in> srb \<Longrightarrow>
|
|
|
824 |
(Key (pairK(A,B)) \<in> analz (knows Spy evs)) = (Card B \<in> cloned)"
|
|
|
825 |
apply (auto dest!: Spy_knows_cloned)
|
|
|
826 |
done
|
|
|
827 |
|
|
|
828 |
|
|
|
829 |
|
|
|
830 |
|
|
|
831 |
(*Because initState contains a set of nonces, this is needed for base case of
|
|
|
832 |
analz_image_freshK*)
|
|
|
833 |
lemma analz_image_Key_Un_Nonce: "analz (Key`K \<union> Nonce`N) = Key`K \<union> Nonce`N"
|
|
|
834 |
apply auto
|
|
|
835 |
done
|
|
|
836 |
|
|
|
837 |
ML
|
|
|
838 |
{*
|
|
|
839 |
val knows_Spy_Inputs_secureM_srb_Spy = thm "knows_Spy_Inputs_secureM_srb_Spy"
|
|
|
840 |
val knows_Spy_Outpts_secureM_srb_Spy = thm "knows_Spy_Outpts_secureM_srb_Spy"
|
|
|
841 |
val shouprubin_assumes_securemeans = thm "shouprubin_assumes_securemeans"
|
|
|
842 |
val analz_image_Key_Un_Nonce= thm "analz_image_Key_Un_Nonce"
|
|
|
843 |
*}
|
|
|
844 |
|
|
|
845 |
method_setup sc_analz_freshK = {*
|
|
20048
|
846 |
Method.ctxt_args (fn ctxt =>
|
|
21588
|
847 |
(Method.SIMPLE_METHOD
|
|
|
848 |
(EVERY [REPEAT_FIRST (resolve_tac [allI, ballI, impI]),
|
|
18886
|
849 |
REPEAT_FIRST (rtac analz_image_freshK_lemma),
|
|
20048
|
850 |
ALLGOALS (asm_simp_tac (Simplifier.context ctxt analz_image_freshK_ss
|
|
18886
|
851 |
addsimps [knows_Spy_Inputs_secureM_srb_Spy,
|
|
|
852 |
knows_Spy_Outpts_secureM_srb_Spy,
|
|
|
853 |
shouprubin_assumes_securemeans,
|
|
20048
|
854 |
analz_image_Key_Un_Nonce]))]))) *}
|
|
18886
|
855 |
"for proving the Session Key Compromise theorem for smartcard protocols"
|
|
|
856 |
|
|
|
857 |
|
|
|
858 |
lemma analz_image_freshK [rule_format]:
|
|
|
859 |
"evs \<in> srb \<Longrightarrow> \<forall> K KK.
|
|
|
860 |
(Key K \<in> analz (Key`KK \<union> (knows Spy evs))) =
|
|
|
861 |
(K \<in> KK \<or> Key K \<in> analz (knows Spy evs))"
|
|
|
862 |
apply (erule srb.induct)
|
|
|
863 |
apply analz_prepare
|
|
|
864 |
apply sc_analz_freshK
|
|
|
865 |
apply spy_analz
|
|
|
866 |
done
|
|
|
867 |
|
|
|
868 |
|
|
|
869 |
lemma analz_insert_freshK: "evs \<in> srb \<Longrightarrow>
|
|
|
870 |
Key K \<in> analz (insert (Key K') (knows Spy evs)) =
|
|
|
871 |
(K = K' \<or> Key K \<in> analz (knows Spy evs))"
|
|
|
872 |
apply (simp only: analz_image_freshK_simps analz_image_freshK)
|
|
|
873 |
done
|
|
|
874 |
|
|
|
875 |
(*END rewrite rules for analz operator*)
|
|
|
876 |
|
|
|
877 |
(*BEGIN authenticity theorems*)
|
|
|
878 |
|
|
|
879 |
|
|
|
880 |
|
|
|
881 |
|
|
|
882 |
lemma Na_Nb_certificate_authentic:
|
|
|
883 |
"\<lbrakk> Crypt (pairK(A,B)) \<lbrace>Nonce Na, Nonce Nb\<rbrace> \<in> parts (knows Spy evs);
|
|
|
884 |
\<not>illegalUse(Card B);
|
|
|
885 |
evs \<in> srb \<rbrakk>
|
|
|
886 |
\<Longrightarrow> Outpts (Card B) B \<lbrace>Nonce Nb, Agent A, Key (sesK(Nb,pairK(A,B))),
|
|
|
887 |
Crypt (pairK(A,B)) \<lbrace>Nonce Na, Nonce Nb\<rbrace>,
|
|
|
888 |
Crypt (pairK(A,B)) (Nonce Nb)\<rbrace> \<in> set evs"
|
|
|
889 |
apply (erule rev_mp, erule srb.induct)
|
|
|
890 |
apply parts_prepare
|
|
|
891 |
apply simp_all
|
|
|
892 |
(*Fake*)
|
|
|
893 |
apply spy_analz
|
|
|
894 |
(*SR_U7F*)
|
|
|
895 |
apply clarify
|
|
|
896 |
(*SR_U8*)
|
|
|
897 |
apply clarify
|
|
|
898 |
done
|
|
|
899 |
|
|
|
900 |
lemma Nb_certificate_authentic:
|
|
|
901 |
"\<lbrakk> Crypt (pairK(A,B)) (Nonce Nb) \<in> parts (knows Spy evs);
|
|
|
902 |
B \<noteq> Spy; \<not>illegalUse(Card A); \<not>illegalUse(Card B);
|
|
|
903 |
evs \<in> srb \<rbrakk>
|
|
|
904 |
\<Longrightarrow> Outpts (Card A) A \<lbrace>Agent B, Nonce Nb, Key (sesK(Nb,pairK(A,B))),
|
|
|
905 |
Crypt (pairK(A,B)) (Nonce Nb)\<rbrace> \<in> set evs"
|
|
|
906 |
apply (erule rev_mp, erule srb.induct)
|
|
|
907 |
apply parts_prepare
|
|
|
908 |
apply (case_tac [17] "Aa = Spy")
|
|
|
909 |
apply simp_all
|
|
|
910 |
(*Fake*)
|
|
|
911 |
apply spy_analz
|
|
|
912 |
(*SR_U7F, SR_U10F*)
|
|
|
913 |
apply clarify+
|
|
|
914 |
done
|
|
|
915 |
|
|
|
916 |
|
|
|
917 |
|
|
|
918 |
(*Discovering the very origin of the Nb certificate...*)
|
|
|
919 |
lemma Outpts_A_Card_imp_pairK_parts:
|
|
|
920 |
"\<lbrakk> Outpts (Card A) A \<lbrace>Agent B, Nonce Nb,
|
|
|
921 |
Key K, Certificate\<rbrace> \<in> set evs;
|
|
|
922 |
evs \<in> srb \<rbrakk>
|
|
|
923 |
\<Longrightarrow> \<exists> Na. Crypt (pairK(A,B)) \<lbrace>Nonce Na, Nonce Nb\<rbrace> \<in> parts (knows Spy evs)"
|
|
|
924 |
apply (erule rev_mp, erule srb.induct)
|
|
|
925 |
apply parts_prepare
|
|
|
926 |
apply simp_all
|
|
|
927 |
(*Fake*)
|
|
|
928 |
apply (blast dest: parts_insertI)
|
|
|
929 |
(*SR_U7*)
|
|
|
930 |
apply force
|
|
|
931 |
(*SR_U7F*)
|
|
|
932 |
apply force
|
|
|
933 |
(*SR_U8*)
|
|
|
934 |
apply blast
|
|
|
935 |
(*SR_U10*)
|
|
|
936 |
apply (blast dest: Inputs_imp_knows_Spy_secureM_srb parts.Inj Inputs_A_Card_9 Gets_imp_knows_Spy elim: knows_Spy_partsEs)
|
|
|
937 |
(*SR_U10F*)
|
|
|
938 |
apply (blast dest: Inputs_imp_knows_Spy_secureM_srb [THEN parts.Inj]
|
|
|
939 |
Inputs_A_Card_9 Gets_imp_knows_Spy
|
|
|
940 |
elim: knows_Spy_partsEs)
|
|
|
941 |
done
|
|
|
942 |
|
|
|
943 |
|
|
|
944 |
lemma Nb_certificate_authentic_bis:
|
|
|
945 |
"\<lbrakk> Crypt (pairK(A,B)) (Nonce Nb) \<in> parts (knows Spy evs);
|
|
|
946 |
B \<noteq> Spy; \<not>illegalUse(Card B);
|
|
|
947 |
evs \<in> srb \<rbrakk>
|
|
|
948 |
\<Longrightarrow> \<exists> Na. Outpts (Card B) B \<lbrace>Nonce Nb, Agent A, Key (sesK(Nb,pairK(A,B))),
|
|
|
949 |
Crypt (pairK(A,B)) \<lbrace>Nonce Na, Nonce Nb\<rbrace>,
|
|
|
950 |
Crypt (pairK(A,B)) (Nonce Nb)\<rbrace> \<in> set evs"
|
|
|
951 |
apply (erule rev_mp, erule srb.induct)
|
|
|
952 |
apply parts_prepare
|
|
|
953 |
apply (simp_all (no_asm_simp))
|
|
|
954 |
(*Fake*)
|
|
|
955 |
apply spy_analz
|
|
|
956 |
(*SR_U7*)
|
|
|
957 |
apply blast
|
|
|
958 |
(*SR_U7F*)
|
|
|
959 |
apply blast
|
|
|
960 |
(*SR_U8*)
|
|
|
961 |
apply force
|
|
|
962 |
(*SR_U10*)
|
|
|
963 |
apply (blast dest: Na_Nb_certificate_authentic Inputs_imp_knows_Spy_secureM_srb [THEN parts.Inj] elim: knows_Spy_partsEs)
|
|
|
964 |
(*SR_U10F*)
|
|
|
965 |
apply (blast dest: Na_Nb_certificate_authentic Inputs_imp_knows_Spy_secureM_srb [THEN parts.Inj] elim: knows_Spy_partsEs)
|
|
|
966 |
(*SR_U11*)
|
|
|
967 |
apply (blast dest: Na_Nb_certificate_authentic Outpts_A_Card_imp_pairK_parts)
|
|
|
968 |
done
|
|
|
969 |
|
|
|
970 |
|
|
|
971 |
lemma Pairkey_certificate_authentic:
|
|
|
972 |
"\<lbrakk> Crypt (shrK A) \<lbrace>Nonce Pk, Agent B\<rbrace> \<in> parts (knows Spy evs);
|
|
|
973 |
Card A \<notin> cloned; evs \<in> srb \<rbrakk>
|
|
|
974 |
\<Longrightarrow> Pk = Pairkey(A,B) \<and>
|
|
|
975 |
Says Server A \<lbrace>Nonce Pk,
|
|
|
976 |
Crypt (shrK A) \<lbrace>Nonce Pk, Agent B\<rbrace>\<rbrace>
|
|
|
977 |
\<in> set evs"
|
|
|
978 |
apply (erule rev_mp, erule srb.induct)
|
|
|
979 |
apply parts_prepare
|
|
|
980 |
apply (simp_all (no_asm_simp))
|
|
|
981 |
(*Fake*)
|
|
|
982 |
apply spy_analz
|
|
|
983 |
(*SR_U8*)
|
|
|
984 |
apply force
|
|
|
985 |
done
|
|
|
986 |
|
|
|
987 |
|
|
|
988 |
lemma sesK_authentic:
|
|
|
989 |
"\<lbrakk> Key (sesK(Nb,pairK(A,B))) \<in> parts (knows Spy evs);
|
|
|
990 |
A \<noteq> Spy; B \<noteq> Spy; \<not>illegalUse(Card A); \<not>illegalUse(Card B);
|
|
|
991 |
evs \<in> srb \<rbrakk>
|
|
|
992 |
\<Longrightarrow> Notes Spy \<lbrace>Key (sesK(Nb,pairK(A,B))), Nonce Nb, Agent A, Agent B\<rbrace>
|
|
|
993 |
\<in> set evs"
|
|
|
994 |
apply (erule rev_mp, erule srb.induct)
|
|
|
995 |
apply parts_prepare
|
|
|
996 |
apply (simp_all)
|
|
|
997 |
(*fake*)
|
|
|
998 |
apply spy_analz
|
|
|
999 |
(*forge*)
|
|
|
1000 |
apply (fastsimp dest: analz.Inj)
|
|
|
1001 |
(*SR_U7: used B\<noteq>Spy*)
|
|
|
1002 |
(*SR_U7F*)
|
|
|
1003 |
apply clarify
|
|
|
1004 |
(*SR_U10: used A\<noteq>Spy*)
|
|
|
1005 |
(*SR_U10F*)
|
|
|
1006 |
apply clarify
|
|
|
1007 |
done
|
|
|
1008 |
|
|
|
1009 |
|
|
|
1010 |
(*END authenticity theorems*)
|
|
|
1011 |
|
|
|
1012 |
|
|
|
1013 |
(*BEGIN confidentiality theorems*)
|
|
|
1014 |
|
|
|
1015 |
|
|
|
1016 |
lemma Confidentiality:
|
|
|
1017 |
"\<lbrakk> Notes Spy \<lbrace>Key (sesK(Nb,pairK(A,B))), Nonce Nb, Agent A, Agent B\<rbrace>
|
|
|
1018 |
\<notin> set evs;
|
|
|
1019 |
A \<noteq> Spy; B \<noteq> Spy; \<not>illegalUse(Card A); \<not>illegalUse(Card B);
|
|
|
1020 |
evs \<in> srb \<rbrakk>
|
|
|
1021 |
\<Longrightarrow> Key (sesK(Nb,pairK(A,B))) \<notin> analz (knows Spy evs)"
|
|
|
1022 |
apply (blast intro: sesK_authentic)
|
|
|
1023 |
done
|
|
|
1024 |
|
|
|
1025 |
lemma Confidentiality_B:
|
|
|
1026 |
"\<lbrakk> Outpts (Card B) B \<lbrace>Nonce Nb, Agent A, Key K, Cert1, Cert2\<rbrace>
|
|
|
1027 |
\<in> set evs;
|
|
|
1028 |
Notes Spy \<lbrace>Key K, Nonce Nb, Agent A, Agent B\<rbrace> \<notin> set evs;
|
|
|
1029 |
A \<noteq> Spy; B \<noteq> Spy; \<not>illegalUse(Card A); Card B \<notin> cloned;
|
|
|
1030 |
evs \<in> srb \<rbrakk>
|
|
|
1031 |
\<Longrightarrow> Key K \<notin> analz (knows Spy evs)"
|
|
|
1032 |
apply (erule rev_mp, erule rev_mp, erule srb.induct)
|
|
|
1033 |
apply analz_prepare
|
|
|
1034 |
apply (simp_all add: analz_insert_eq analz_insert_freshK pushes split_ifs)
|
|
|
1035 |
(*Fake*)
|
|
|
1036 |
apply spy_analz
|
|
|
1037 |
(*Forge*)
|
|
|
1038 |
apply (rotate_tac 7)
|
|
|
1039 |
apply (drule parts.Inj)
|
|
|
1040 |
apply (fastsimp dest: Outpts_B_Card_form_7)
|
|
|
1041 |
(*SR_U7*)
|
|
|
1042 |
apply (blast dest!: Outpts_B_Card_form_7)
|
|
|
1043 |
(*SR_U7F*)
|
|
|
1044 |
apply clarify
|
|
|
1045 |
apply (drule Outpts_parts_used)
|
|
|
1046 |
apply simp
|
|
|
1047 |
(*faster than
|
|
|
1048 |
by (fast_tac (claset() addDs [Outpts_parts_used] addss (simpset())) 1)
|
|
|
1049 |
*)
|
|
|
1050 |
(*SR_U10*)
|
|
|
1051 |
apply (fastsimp dest: Outpts_B_Card_form_7)
|
|
|
1052 |
(*SR_U10F - uses assumption Card A not cloned*)
|
|
|
1053 |
apply clarify
|
|
|
1054 |
apply (drule Outpts_B_Card_form_7, assumption)
|
|
|
1055 |
apply simp
|
|
|
1056 |
(*Oops1*)
|
|
|
1057 |
apply (blast dest!: Outpts_B_Card_form_7)
|
|
|
1058 |
(*Oops2*)
|
|
|
1059 |
apply (blast dest!: Outpts_B_Card_form_7 Outpts_A_Card_form_10)
|
|
|
1060 |
done
|
|
|
1061 |
|
|
|
1062 |
|
|
|
1063 |
(*END confidentiality theorems*)
|
|
|
1064 |
|
|
|
1065 |
|
|
|
1066 |
(*BEGIN authentication theorems*)
|
|
|
1067 |
|
|
|
1068 |
lemma A_authenticates_B:
|
|
|
1069 |
"\<lbrakk> Outpts (Card A) A \<lbrace>Agent B, Nonce Nb, Key K, Certificate\<rbrace> \<in> set evs;
|
|
|
1070 |
\<not>illegalUse(Card B);
|
|
|
1071 |
evs \<in> srb \<rbrakk>
|
|
|
1072 |
\<Longrightarrow> \<exists> Na. Outpts (Card B) B \<lbrace>Nonce Nb, Agent A, Key K,
|
|
|
1073 |
Crypt (pairK(A,B)) \<lbrace>Nonce Na, Nonce Nb\<rbrace>,
|
|
|
1074 |
Crypt (pairK(A,B)) (Nonce Nb)\<rbrace> \<in> set evs"
|
|
|
1075 |
apply (blast dest: Na_Nb_certificate_authentic Outpts_A_Card_form_10 Outpts_A_Card_imp_pairK_parts)
|
|
|
1076 |
done
|
|
|
1077 |
|
|
|
1078 |
lemma A_authenticates_B_Gets:
|
|
|
1079 |
"\<lbrakk> Gets A \<lbrace>Nonce Nb, Crypt (pairK(A,B)) \<lbrace>Nonce Na, Nonce Nb\<rbrace>\<rbrace>
|
|
|
1080 |
\<in> set evs;
|
|
|
1081 |
\<not>illegalUse(Card B);
|
|
|
1082 |
evs \<in> srb \<rbrakk>
|
|
|
1083 |
\<Longrightarrow> Outpts (Card B) B \<lbrace>Nonce Nb, Agent A, Key (sesK(Nb, pairK (A, B))),
|
|
|
1084 |
Crypt (pairK(A,B)) \<lbrace>Nonce Na, Nonce Nb\<rbrace>,
|
|
|
1085 |
Crypt (pairK(A,B)) (Nonce Nb)\<rbrace> \<in> set evs"
|
|
|
1086 |
apply (blast dest: Gets_imp_knows_Spy [THEN parts.Inj, THEN parts.Snd, THEN Na_Nb_certificate_authentic])
|
|
|
1087 |
done
|
|
|
1088 |
|
|
|
1089 |
|
|
|
1090 |
lemma A_authenticates_B_bis:
|
|
|
1091 |
"\<lbrakk> Outpts (Card A) A \<lbrace>Agent B, Nonce Nb, Key K, Cert2\<rbrace> \<in> set evs;
|
|
|
1092 |
\<not>illegalUse(Card B);
|
|
|
1093 |
evs \<in> srb \<rbrakk>
|
|
|
1094 |
\<Longrightarrow> \<exists> Cert1. Outpts (Card B) B \<lbrace>Nonce Nb, Agent A, Key K, Cert1, Cert2\<rbrace>
|
|
|
1095 |
\<in> set evs"
|
|
|
1096 |
apply (blast dest: Na_Nb_certificate_authentic Outpts_A_Card_form_10 Outpts_A_Card_imp_pairK_parts)
|
|
|
1097 |
done
|
|
|
1098 |
|
|
|
1099 |
|
|
|
1100 |
|
|
|
1101 |
|
|
|
1102 |
|
|
|
1103 |
|
|
|
1104 |
lemma B_authenticates_A:
|
|
|
1105 |
"\<lbrakk> Gets B (Crypt (pairK(A,B)) (Nonce Nb)) \<in> set evs;
|
|
|
1106 |
B \<noteq> Spy; \<not>illegalUse(Card A); \<not>illegalUse(Card B);
|
|
|
1107 |
evs \<in> srb \<rbrakk>
|
|
|
1108 |
\<Longrightarrow> Outpts (Card A) A \<lbrace>Agent B, Nonce Nb,
|
|
|
1109 |
Key (sesK(Nb,pairK(A,B))), Crypt (pairK(A,B)) (Nonce Nb)\<rbrace> \<in> set evs"
|
|
|
1110 |
apply (erule rev_mp)
|
|
|
1111 |
apply (erule srb.induct)
|
|
|
1112 |
apply (simp_all (no_asm_simp))
|
|
|
1113 |
apply (blast dest: Says_imp_knows_Spy [THEN parts.Inj] Nb_certificate_authentic)
|
|
|
1114 |
done
|
|
|
1115 |
|
|
|
1116 |
|
|
|
1117 |
lemma B_authenticates_A_bis:
|
|
|
1118 |
"\<lbrakk> Outpts (Card B) B \<lbrace>Nonce Nb, Agent A, Key K, Cert1, Cert2\<rbrace> \<in> set evs;
|
|
|
1119 |
Gets B (Cert2) \<in> set evs;
|
|
|
1120 |
B \<noteq> Spy; \<not>illegalUse(Card A); \<not>illegalUse(Card B);
|
|
|
1121 |
evs \<in> srb \<rbrakk>
|
|
|
1122 |
\<Longrightarrow> Outpts (Card A) A \<lbrace>Agent B, Nonce Nb, Key K, Cert2\<rbrace> \<in> set evs"
|
|
|
1123 |
apply (blast dest: Outpts_B_Card_form_7 B_authenticates_A)
|
|
|
1124 |
done
|
|
|
1125 |
|
|
|
1126 |
|
|
|
1127 |
(*END authentication theorems*)
|
|
|
1128 |
|
|
|
1129 |
|
|
|
1130 |
lemma Confidentiality_A:
|
|
|
1131 |
"\<lbrakk> Outpts (Card A) A \<lbrace>Agent B, Nonce Nb,
|
|
|
1132 |
Key K, Certificate\<rbrace> \<in> set evs;
|
|
|
1133 |
Notes Spy \<lbrace>Key K, Nonce Nb, Agent A, Agent B\<rbrace> \<notin> set evs;
|
|
|
1134 |
A \<noteq> Spy; B \<noteq> Spy; \<not>illegalUse(Card A); \<not>illegalUse(Card B);
|
|
|
1135 |
evs \<in> srb \<rbrakk>
|
|
|
1136 |
\<Longrightarrow> Key K \<notin> analz (knows Spy evs)"
|
|
|
1137 |
apply (drule A_authenticates_B)
|
|
|
1138 |
prefer 3
|
|
|
1139 |
apply (erule exE)
|
|
|
1140 |
apply (drule Confidentiality_B)
|
|
|
1141 |
apply auto
|
|
|
1142 |
done
|
|
|
1143 |
|
|
|
1144 |
|
|
|
1145 |
lemma Outpts_imp_knows_agents_secureM_srb:
|
|
|
1146 |
"\<lbrakk> Outpts (Card A) A X \<in> set evs; evs \<in> srb \<rbrakk> \<Longrightarrow> X \<in> knows A evs"
|
|
|
1147 |
apply (simp (no_asm_simp) add: Outpts_imp_knows_agents_secureM)
|
|
|
1148 |
done
|
|
|
1149 |
|
|
|
1150 |
|
|
|
1151 |
(*BEGIN key distribution theorems*)
|
|
|
1152 |
lemma A_keydist_to_B:
|
|
|
1153 |
"\<lbrakk> Outpts (Card A) A \<lbrace>Agent B, Nonce Nb, Key K, Certificate\<rbrace> \<in> set evs;
|
|
|
1154 |
\<not>illegalUse(Card B);
|
|
|
1155 |
evs \<in> srb \<rbrakk>
|
|
|
1156 |
\<Longrightarrow> Key K \<in> analz (knows B evs)"
|
|
|
1157 |
apply (drule A_authenticates_B)
|
|
|
1158 |
prefer 3
|
|
|
1159 |
apply (erule exE)
|
|
|
1160 |
apply (rule Outpts_imp_knows_agents_secureM_srb [THEN analz.Inj, THEN analz.Snd, THEN analz.Snd, THEN analz.Fst])
|
|
|
1161 |
apply assumption+
|
|
|
1162 |
done
|
|
|
1163 |
|
|
|
1164 |
|
|
|
1165 |
lemma B_keydist_to_A:
|
|
|
1166 |
"\<lbrakk> Outpts (Card B) B \<lbrace>Nonce Nb, Agent A, Key K, Cert1, Cert2\<rbrace> \<in> set evs;
|
|
|
1167 |
Gets B (Cert2) \<in> set evs;
|
|
|
1168 |
B \<noteq> Spy; \<not>illegalUse(Card A); \<not>illegalUse(Card B);
|
|
|
1169 |
evs \<in> srb \<rbrakk>
|
|
|
1170 |
\<Longrightarrow> Key K \<in> analz (knows A evs)"
|
|
|
1171 |
apply (frule Outpts_B_Card_form_7)
|
|
|
1172 |
apply assumption apply simp
|
|
|
1173 |
apply (frule B_authenticates_A)
|
|
|
1174 |
apply (rule_tac [5] Outpts_imp_knows_agents_secureM_srb [THEN analz.Inj, THEN analz.Snd, THEN analz.Snd, THEN analz.Fst])
|
|
|
1175 |
apply simp+
|
|
|
1176 |
done
|
|
|
1177 |
|
|
|
1178 |
(*END key distribution theorems*)
|
|
|
1179 |
|
|
|
1180 |
|
|
|
1181 |
|
|
|
1182 |
|
|
|
1183 |
(*BEGIN further theorems about authenticity of verifiers - useful to cards,
|
|
|
1184 |
and somewhat to agents *)
|
|
|
1185 |
|
|
|
1186 |
(*MSG11
|
|
|
1187 |
If B receives the verifier of msg11, then the verifier originated with msg7.
|
|
|
1188 |
This is clearly not available to B: B can't check the form of the verifier because he doesn't know pairK(A,B)
|
|
|
1189 |
*)
|
|
|
1190 |
lemma Nb_certificate_authentic_B:
|
|
|
1191 |
"\<lbrakk> Gets B (Crypt (pairK(A,B)) (Nonce Nb)) \<in> set evs;
|
|
|
1192 |
B \<noteq> Spy; \<not>illegalUse(Card B);
|
|
|
1193 |
evs \<in> srb \<rbrakk>
|
|
|
1194 |
\<Longrightarrow> \<exists> Na.
|
|
|
1195 |
Outpts (Card B) B \<lbrace>Nonce Nb, Agent A, Key (sesK(Nb,pairK(A,B))),
|
|
|
1196 |
Crypt (pairK(A,B)) \<lbrace>Nonce Na, Nonce Nb\<rbrace>,
|
|
|
1197 |
Crypt (pairK(A,B)) (Nonce Nb)\<rbrace> \<in> set evs"
|
|
|
1198 |
apply (blast dest: Gets_imp_knows_Spy [THEN parts.Inj, THEN Nb_certificate_authentic_bis])
|
|
|
1199 |
done
|
|
|
1200 |
|
|
|
1201 |
(*MSG10
|
|
|
1202 |
If A obtains the verifier of msg10, then the verifier originated with msg7:
|
|
|
1203 |
A_authenticates_B. It is useful to A, who can check the form of the
|
|
|
1204 |
verifier by application of Outpts_A_Card_form_10.
|
|
|
1205 |
*)
|
|
|
1206 |
|
|
|
1207 |
(*MSG9
|
|
|
1208 |
The first verifier verifies the Pairkey to the card: since it's encrypted
|
|
|
1209 |
under Ka, it must come from the server (if A's card is not cloned).
|
|
|
1210 |
The second verifier verifies both nonces, since it's encrypted under the
|
|
|
1211 |
pairK, it must originate with B's card (if A and B's cards not cloned).
|
|
|
1212 |
The third verifier verifies Na: since it's encrytped under the card's key,
|
|
|
1213 |
it originated with the card; so the card does not need to save Na
|
|
|
1214 |
in the first place and do a comparison now: it just verifies Na through the
|
|
|
1215 |
verifier. Three theorems related to these three statements.
|
|
|
1216 |
|
|
|
1217 |
Recall that a card can check the form of the verifiers (can decrypt them),
|
|
|
1218 |
while an agent in general cannot, if not provided with a suitable theorem.
|
|
|
1219 |
*)
|
|
|
1220 |
|
|
|
1221 |
(*Card A can't reckon the pairkey - we need to guarantee its integrity!*)
|
|
|
1222 |
lemma Pairkey_certificate_authentic_A_Card:
|
|
|
1223 |
"\<lbrakk> Inputs A (Card A)
|
|
|
1224 |
\<lbrace>Agent B, Nonce Na, Nonce Nb, Nonce Pk,
|
|
|
1225 |
Crypt (shrK A) \<lbrace>Nonce Pk, Agent B\<rbrace>,
|
|
|
1226 |
Cert2, Cert3\<rbrace> \<in> set evs;
|
|
|
1227 |
A \<noteq> Spy; Card A \<notin> cloned; evs \<in> srb \<rbrakk>
|
|
|
1228 |
\<Longrightarrow> Pk = Pairkey(A,B) \<and>
|
|
|
1229 |
Says Server A \<lbrace>Nonce (Pairkey(A,B)),
|
|
|
1230 |
Crypt (shrK A) \<lbrace>Nonce (Pairkey(A,B)), Agent B\<rbrace>\<rbrace>
|
|
|
1231 |
\<in> set evs "
|
|
|
1232 |
apply (blast dest: Inputs_A_Card_9 Gets_imp_knows_Spy [THEN parts.Inj, THEN parts.Snd] Pairkey_certificate_authentic)
|
|
|
1233 |
done
|
|
|
1234 |
(*the second conjunct of the thesis might be regarded as a form of integrity
|
|
|
1235 |
in the sense of Neuman-Ts'o*)
|
|
|
1236 |
|
|
|
1237 |
lemma Na_Nb_certificate_authentic_A_Card:
|
|
|
1238 |
"\<lbrakk> Inputs A (Card A)
|
|
|
1239 |
\<lbrace>Agent B, Nonce Na, Nonce Nb, Nonce Pk,
|
|
|
1240 |
Cert1, Crypt (pairK(A,B)) \<lbrace>Nonce Na, Nonce Nb\<rbrace>, Cert3\<rbrace> \<in> set evs;
|
|
|
1241 |
A \<noteq> Spy; \<not>illegalUse(Card B); evs \<in> srb \<rbrakk>
|
|
|
1242 |
\<Longrightarrow> Outpts (Card B) B \<lbrace>Nonce Nb, Agent A, Key (sesK(Nb, pairK (A, B))),
|
|
|
1243 |
Crypt (pairK(A,B)) \<lbrace>Nonce Na, Nonce Nb\<rbrace>,
|
|
|
1244 |
Crypt (pairK(A,B)) (Nonce Nb)\<rbrace>
|
|
|
1245 |
\<in> set evs "
|
|
|
1246 |
apply (frule Inputs_A_Card_9)
|
|
|
1247 |
apply assumption+
|
|
|
1248 |
apply (blast dest: Inputs_A_Card_9 Gets_imp_knows_Spy [THEN parts.Inj, THEN parts.Snd, THEN Na_Nb_certificate_authentic])
|
|
|
1249 |
done
|
|
|
1250 |
|
|
|
1251 |
lemma Na_authentic_A_Card:
|
|
|
1252 |
"\<lbrakk> Inputs A (Card A)
|
|
|
1253 |
\<lbrace>Agent B, Nonce Na, Nonce Nb, Nonce Pk,
|
|
|
1254 |
Cert1, Cert2, Cert3\<rbrace> \<in> set evs;
|
|
|
1255 |
A \<noteq> Spy; evs \<in> srb \<rbrakk>
|
|
|
1256 |
\<Longrightarrow> Outpts (Card A) A \<lbrace>Nonce Na, Cert3\<rbrace>
|
|
|
1257 |
\<in> set evs"
|
|
|
1258 |
apply (blast dest: Inputs_A_Card_9)
|
|
|
1259 |
done
|
|
|
1260 |
|
|
|
1261 |
(* These three theorems for Card A can be put together trivially.
|
|
|
1262 |
They are separated to highlight the different requirements on agents
|
|
|
1263 |
and their cards.*)
|
|
|
1264 |
|
|
|
1265 |
|
|
|
1266 |
lemma Inputs_A_Card_9_authentic:
|
|
|
1267 |
"\<lbrakk> Inputs A (Card A)
|
|
|
1268 |
\<lbrace>Agent B, Nonce Na, Nonce Nb, Nonce Pk,
|
|
|
1269 |
Crypt (shrK A) \<lbrace>Nonce Pk, Agent B\<rbrace>,
|
|
|
1270 |
Crypt (pairK(A,B)) \<lbrace>Nonce Na, Nonce Nb\<rbrace>, Cert3\<rbrace> \<in> set evs;
|
|
|
1271 |
A \<noteq> Spy; Card A \<notin> cloned; \<not>illegalUse(Card B); evs \<in> srb \<rbrakk>
|
|
|
1272 |
\<Longrightarrow> Says Server A \<lbrace>Nonce Pk, Crypt (shrK A) \<lbrace>Nonce Pk, Agent B\<rbrace>\<rbrace>
|
|
|
1273 |
\<in> set evs \<and>
|
|
|
1274 |
Outpts (Card B) B \<lbrace>Nonce Nb, Agent A, Key (sesK(Nb, pairK (A, B))),
|
|
|
1275 |
Crypt (pairK(A,B)) \<lbrace>Nonce Na, Nonce Nb\<rbrace>,
|
|
|
1276 |
Crypt (pairK(A,B)) (Nonce Nb)\<rbrace>
|
|
|
1277 |
\<in> set evs \<and>
|
|
|
1278 |
Outpts (Card A) A \<lbrace>Nonce Na, Cert3\<rbrace>
|
|
|
1279 |
\<in> set evs"
|
|
|
1280 |
apply (blast dest: Inputs_A_Card_9 Na_Nb_certificate_authentic Gets_imp_knows_Spy [THEN parts.Inj, THEN parts.Snd] Pairkey_certificate_authentic)
|
|
|
1281 |
done
|
|
|
1282 |
|
|
|
1283 |
|
|
|
1284 |
(*MSG8
|
|
|
1285 |
Nothing to prove because the message is a cleartext that comes from the
|
|
|
1286 |
network*)
|
|
|
1287 |
|
|
|
1288 |
(*Other messages: nothing to prove because the verifiers involved are new*)
|
|
|
1289 |
|
|
|
1290 |
(*END further theorems about authenticity of verifiers*)
|
|
|
1291 |
|
|
|
1292 |
|
|
|
1293 |
|
|
|
1294 |
(* BEGIN trivial guarantees on outputs for agents *)
|
|
|
1295 |
|
|
|
1296 |
(*MSG4*)
|
|
|
1297 |
lemma SR_U4_imp:
|
|
|
1298 |
"\<lbrakk> Outpts (Card A) A \<lbrace>Nonce Na, Crypt (crdK (Card A)) (Nonce Na)\<rbrace>
|
|
|
1299 |
\<in> set evs;
|
|
|
1300 |
A \<noteq> Spy; evs \<in> srb \<rbrakk>
|
|
|
1301 |
\<Longrightarrow> \<exists> Pk V. Gets A \<lbrace>Pk, V\<rbrace> \<in> set evs"
|
|
|
1302 |
apply (blast dest: Outpts_A_Card_4 Inputs_A_Card_3)
|
|
|
1303 |
done
|
|
|
1304 |
(*weak: could strengthen the model adding verifier for the Pairkey to msg3*)
|
|
|
1305 |
|
|
|
1306 |
|
|
|
1307 |
(*MSG7*)
|
|
|
1308 |
lemma SR_U7_imp:
|
|
|
1309 |
"\<lbrakk> Outpts (Card B) B \<lbrace>Nonce Nb, Agent A, Key K,
|
|
|
1310 |
Crypt (pairK(A,B)) \<lbrace>Nonce Na, Nonce Nb\<rbrace>,
|
|
|
1311 |
Cert2\<rbrace> \<in> set evs;
|
|
|
1312 |
B \<noteq> Spy; evs \<in> srb \<rbrakk>
|
|
|
1313 |
\<Longrightarrow> Gets B \<lbrace>Agent A, Nonce Na\<rbrace> \<in> set evs"
|
|
|
1314 |
apply (blast dest: Outpts_B_Card_7 Inputs_B_Card_6)
|
|
|
1315 |
done
|
|
|
1316 |
|
|
|
1317 |
(*MSG10*)
|
|
|
1318 |
lemma SR_U10_imp:
|
|
|
1319 |
"\<lbrakk> Outpts (Card A) A \<lbrace>Agent B, Nonce Nb,
|
|
|
1320 |
Key K, Crypt (pairK(A,B)) (Nonce Nb)\<rbrace>
|
|
|
1321 |
\<in> set evs;
|
|
|
1322 |
A \<noteq> Spy; evs \<in> srb \<rbrakk>
|
|
|
1323 |
\<Longrightarrow> \<exists> Cert1 Cert2.
|
|
|
1324 |
Gets A \<lbrace>Nonce (Pairkey (A, B)), Cert1\<rbrace> \<in> set evs \<and>
|
|
|
1325 |
Gets A \<lbrace>Nonce Nb, Cert2\<rbrace> \<in> set evs"
|
|
|
1326 |
apply (blast dest: Outpts_A_Card_10 Inputs_A_Card_9)
|
|
|
1327 |
done
|
|
|
1328 |
|
|
|
1329 |
|
|
|
1330 |
(*END trivial guarantees on outputs for agents*)
|
|
|
1331 |
|
|
|
1332 |
|
|
|
1333 |
|
|
|
1334 |
(*INTEGRITY*)
|
|
|
1335 |
lemma Outpts_Server_not_evs:
|
|
|
1336 |
"evs \<in> srb \<Longrightarrow> Outpts (Card Server) P X \<notin> set evs"
|
|
|
1337 |
apply (erule srb.induct)
|
|
|
1338 |
apply auto
|
|
|
1339 |
done
|
|
|
1340 |
|
|
|
1341 |
text{*@{term step2_integrity} also is a reliability theorem*}
|
|
|
1342 |
lemma Says_Server_message_form:
|
|
|
1343 |
"\<lbrakk> Says Server A \<lbrace>Pk, Certificate\<rbrace> \<in> set evs;
|
|
|
1344 |
evs \<in> srb \<rbrakk>
|
|
|
1345 |
\<Longrightarrow> \<exists> B. Pk = Nonce (Pairkey(A,B)) \<and>
|
|
|
1346 |
Certificate = Crypt (shrK A) \<lbrace>Nonce (Pairkey(A,B)), Agent B\<rbrace>"
|
|
|
1347 |
apply (erule rev_mp)
|
|
|
1348 |
apply (erule srb.induct)
|
|
|
1349 |
apply auto
|
|
|
1350 |
apply (blast dest!: Outpts_Server_not_evs)+
|
|
|
1351 |
done
|
|
|
1352 |
(*cannot be made useful to A in form of a Gets event*)
|
|
|
1353 |
|
|
|
1354 |
text{*
|
|
|
1355 |
step4integrity is @{term Outpts_A_Card_form_4}
|
|
|
1356 |
|
|
|
1357 |
step7integrity is @{term Outpts_B_Card_form_7}
|
|
|
1358 |
*}
|
|
|
1359 |
|
|
|
1360 |
lemma step8_integrity:
|
|
|
1361 |
"\<lbrakk> Says B A \<lbrace>Nonce Nb, Certificate\<rbrace> \<in> set evs;
|
|
|
1362 |
B \<noteq> Server; B \<noteq> Spy; evs \<in> srb \<rbrakk>
|
|
|
1363 |
\<Longrightarrow> \<exists> Cert2 K.
|
|
|
1364 |
Outpts (Card B) B \<lbrace>Nonce Nb, Agent A, Key K, Certificate, Cert2\<rbrace> \<in> set evs"
|
|
|
1365 |
apply (erule rev_mp)
|
|
|
1366 |
apply (erule srb.induct)
|
|
|
1367 |
prefer 18 apply (fastsimp dest: Outpts_A_Card_form_10)
|
|
|
1368 |
apply auto
|
|
|
1369 |
done
|
|
|
1370 |
|
|
|
1371 |
|
|
|
1372 |
text{* step9integrity is @{term Inputs_A_Card_form_9}
|
|
|
1373 |
step10integrity is @{term Outpts_A_Card_form_10}.
|
|
|
1374 |
*}
|
|
|
1375 |
|
|
|
1376 |
|
|
|
1377 |
lemma step11_integrity:
|
|
|
1378 |
"\<lbrakk> Says A B (Certificate) \<in> set evs;
|
|
|
1379 |
\<forall> p q. Certificate \<noteq> \<lbrace>p, q\<rbrace>;
|
|
|
1380 |
A \<noteq> Spy; evs \<in> srb \<rbrakk>
|
|
|
1381 |
\<Longrightarrow> \<exists> K Nb.
|
|
|
1382 |
Outpts (Card A) A \<lbrace>Agent B, Nonce Nb, Key K, Certificate\<rbrace> \<in> set evs"
|
|
|
1383 |
apply (erule rev_mp)
|
|
|
1384 |
apply (erule srb.induct)
|
|
|
1385 |
apply auto
|
|
|
1386 |
done
|
|
|
1387 |
|
|
|
1388 |
end
|
|
|
1389 |
|