src/HOL/Auth/Message.thy
author wenzelm
Thu, 06 Dec 2001 00:37:59 +0100
changeset 12395 d6913de7655f
parent 11270 a315a3862bb4
child 13922 75ae4244a596
permissions -rw-r--r--
this material already part of HOL/Set.thy;
Ignore whitespace changes - Everywhere: Within whitespace: At end of lines:
1839
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
     1
(*  Title:      HOL/Auth/Message
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
     2
    ID:         $Id$
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
     3
    Author:     Lawrence C Paulson, Cambridge University Computer Laboratory
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
     4
    Copyright   1996  University of Cambridge
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
     5
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
     6
Datatypes of agents and messages;
1913
2809adb15eb0 Renaming of functions, and tidying
paulson
parents: 1839
diff changeset
     7
Inductive relations "parts", "analz" and "synth"
1839
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
     8
*)
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
     9
11189
1ea763a5d186 conversion of Message.thy to Isar format
paulson
parents: 10833
diff changeset
    10
theory Message = Main
1ea763a5d186 conversion of Message.thy to Isar format
paulson
parents: 10833
diff changeset
    11
files ("Message_lemmas.ML"):
1ea763a5d186 conversion of Message.thy to Isar format
paulson
parents: 10833
diff changeset
    12
1ea763a5d186 conversion of Message.thy to Isar format
paulson
parents: 10833
diff changeset
    13
(*Needed occasionally with spy_analz_tac, e.g. in analz_insert_Key_newK*)
1ea763a5d186 conversion of Message.thy to Isar format
paulson
parents: 10833
diff changeset
    14
lemma [simp] : "A Un (B Un A) = B Un A"
1ea763a5d186 conversion of Message.thy to Isar format
paulson
parents: 10833
diff changeset
    15
by blast
1839
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
    16
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
    17
types 
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
    18
  key = nat
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
    19
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
    20
consts
11189
1ea763a5d186 conversion of Message.thy to Isar format
paulson
parents: 10833
diff changeset
    21
  invKey :: "key=>key"
1839
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
    22
11189
1ea763a5d186 conversion of Message.thy to Isar format
paulson
parents: 10833
diff changeset
    23
axioms
1ea763a5d186 conversion of Message.thy to Isar format
paulson
parents: 10833
diff changeset
    24
  invKey [simp] : "invKey (invKey K) = K"
1839
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
    25
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
    26
  (*The inverse of a symmetric key is itself;
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
    27
    that of a public key is the private key and vice versa*)
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
    28
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
    29
constdefs
11230
756c5034f08b misc tidying; changing the predicate isSymKey to the set symKeys
paulson
parents: 11192
diff changeset
    30
  symKeys :: "key set"
756c5034f08b misc tidying; changing the predicate isSymKey to the set symKeys
paulson
parents: 11192
diff changeset
    31
  "symKeys == {K. invKey K = K}"
1839
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
    32
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
    33
datatype  (*We allow any number of friendly agents*)
2032
1bbf1bdcaf56 Introduction of "lost" argument
paulson
parents: 2010
diff changeset
    34
  agent = Server | Friend nat | Spy
1839
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
    35
3668
a39baf59ea47 Split base cases from "msg" to "atomic" in order
paulson
parents: 2516
diff changeset
    36
datatype
7057
b9ddbb925939 tweaked proofs to handle new freeness reasoning for data c onstructors
paulson
parents: 6807
diff changeset
    37
     msg = Agent  agent	    (*Agent names*)
b9ddbb925939 tweaked proofs to handle new freeness reasoning for data c onstructors
paulson
parents: 6807
diff changeset
    38
         | Number nat       (*Ordinary integers, timestamps, ...*)
b9ddbb925939 tweaked proofs to handle new freeness reasoning for data c onstructors
paulson
parents: 6807
diff changeset
    39
         | Nonce  nat       (*Unguessable nonces*)
b9ddbb925939 tweaked proofs to handle new freeness reasoning for data c onstructors
paulson
parents: 6807
diff changeset
    40
         | Key    key       (*Crypto keys*)
5234
701fa0ed77b7 Better comments
paulson
parents: 5183
diff changeset
    41
	 | Hash   msg       (*Hashing*)
701fa0ed77b7 Better comments
paulson
parents: 5183
diff changeset
    42
	 | MPair  msg msg   (*Compound messages*)
701fa0ed77b7 Better comments
paulson
parents: 5183
diff changeset
    43
	 | Crypt  key msg   (*Encryption, public- or shared-key*)
1839
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
    44
5234
701fa0ed77b7 Better comments
paulson
parents: 5183
diff changeset
    45
701fa0ed77b7 Better comments
paulson
parents: 5183
diff changeset
    46
(*Concrete syntax: messages appear as {|A,B,NA|}, etc...*)
701fa0ed77b7 Better comments
paulson
parents: 5183
diff changeset
    47
syntax
2516
4d68fbe6378b Now with Andy Gordon's treatment of freshness to replace newN/K
paulson
parents: 2484
diff changeset
    48
  "@MTuple"      :: "['a, args] => 'a * 'b"       ("(2{|_,/ _|})")
1839
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
    49
9686
87b460d72e80 xsymbols for {| and |}
paulson
parents: 7057
diff changeset
    50
syntax (xsymbols)
11189
1ea763a5d186 conversion of Message.thy to Isar format
paulson
parents: 10833
diff changeset
    51
  "@MTuple"      :: "['a, args] => 'a * 'b"       ("(2\<lbrace>_,/ _\<rbrace>)")
9686
87b460d72e80 xsymbols for {| and |}
paulson
parents: 7057
diff changeset
    52
1839
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
    53
translations
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
    54
  "{|x, y, z|}"   == "{|x, {|y, z|}|}"
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
    55
  "{|x, y|}"      == "MPair x y"
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
    56
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
    57
2484
596a5b5a68ff Incorporation of HPair into Message
paulson
parents: 2373
diff changeset
    58
constdefs
596a5b5a68ff Incorporation of HPair into Message
paulson
parents: 2373
diff changeset
    59
  (*Message Y, paired with a MAC computed with the help of X*)
11189
1ea763a5d186 conversion of Message.thy to Isar format
paulson
parents: 10833
diff changeset
    60
  HPair :: "[msg,msg] => msg"                       ("(4Hash[_] /_)" [0, 1000])
2516
4d68fbe6378b Now with Andy Gordon's treatment of freshness to replace newN/K
paulson
parents: 2484
diff changeset
    61
    "Hash[X] Y == {| Hash{|X,Y|}, Y|}"
2484
596a5b5a68ff Incorporation of HPair into Message
paulson
parents: 2373
diff changeset
    62
596a5b5a68ff Incorporation of HPair into Message
paulson
parents: 2373
diff changeset
    63
  (*Keys useful to decrypt elements of a message set*)
11189
1ea763a5d186 conversion of Message.thy to Isar format
paulson
parents: 10833
diff changeset
    64
  keysFor :: "msg set => key set"
11192
5fd02b905a9a a few basic X-symbols
paulson
parents: 11189
diff changeset
    65
  "keysFor H == invKey ` {K. \<exists>X. Crypt K X \<in> H}"
1839
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
    66
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
    67
(** Inductive definition of all "parts" of a message.  **)
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
    68
11189
1ea763a5d186 conversion of Message.thy to Isar format
paulson
parents: 10833
diff changeset
    69
consts  parts   :: "msg set => msg set"
1839
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
    70
inductive "parts H"
11189
1ea763a5d186 conversion of Message.thy to Isar format
paulson
parents: 10833
diff changeset
    71
  intros 
11192
5fd02b905a9a a few basic X-symbols
paulson
parents: 11189
diff changeset
    72
    Inj [intro]:               "X \<in> H ==> X \<in> parts H"
5fd02b905a9a a few basic X-symbols
paulson
parents: 11189
diff changeset
    73
    Fst:         "{|X,Y|}   \<in> parts H ==> X \<in> parts H"
5fd02b905a9a a few basic X-symbols
paulson
parents: 11189
diff changeset
    74
    Snd:         "{|X,Y|}   \<in> parts H ==> Y \<in> parts H"
5fd02b905a9a a few basic X-symbols
paulson
parents: 11189
diff changeset
    75
    Body:        "Crypt K X \<in> parts H ==> X \<in> parts H"
11189
1ea763a5d186 conversion of Message.thy to Isar format
paulson
parents: 10833
diff changeset
    76
1ea763a5d186 conversion of Message.thy to Isar format
paulson
parents: 10833
diff changeset
    77
1ea763a5d186 conversion of Message.thy to Isar format
paulson
parents: 10833
diff changeset
    78
(*Monotonicity*)
1ea763a5d186 conversion of Message.thy to Isar format
paulson
parents: 10833
diff changeset
    79
lemma parts_mono: "G<=H ==> parts(G) <= parts(H)"
1ea763a5d186 conversion of Message.thy to Isar format
paulson
parents: 10833
diff changeset
    80
apply auto
1ea763a5d186 conversion of Message.thy to Isar format
paulson
parents: 10833
diff changeset
    81
apply (erule parts.induct) 
1ea763a5d186 conversion of Message.thy to Isar format
paulson
parents: 10833
diff changeset
    82
apply (auto dest: Fst Snd Body) 
1ea763a5d186 conversion of Message.thy to Isar format
paulson
parents: 10833
diff changeset
    83
done
1839
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
    84
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
    85
1913
2809adb15eb0 Renaming of functions, and tidying
paulson
parents: 1839
diff changeset
    86
(** Inductive definition of "analz" -- what can be broken down from a set of
1839
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
    87
    messages, including keys.  A form of downward closure.  Pairs can
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
    88
    be taken apart; messages decrypted with known keys.  **)
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
    89
11189
1ea763a5d186 conversion of Message.thy to Isar format
paulson
parents: 10833
diff changeset
    90
consts  analz   :: "msg set => msg set"
1913
2809adb15eb0 Renaming of functions, and tidying
paulson
parents: 1839
diff changeset
    91
inductive "analz H"
11189
1ea763a5d186 conversion of Message.thy to Isar format
paulson
parents: 10833
diff changeset
    92
  intros 
11192
5fd02b905a9a a few basic X-symbols
paulson
parents: 11189
diff changeset
    93
    Inj [intro,simp] :    "X \<in> H ==> X \<in> analz H"
5fd02b905a9a a few basic X-symbols
paulson
parents: 11189
diff changeset
    94
    Fst:     "{|X,Y|} \<in> analz H ==> X \<in> analz H"
5fd02b905a9a a few basic X-symbols
paulson
parents: 11189
diff changeset
    95
    Snd:     "{|X,Y|} \<in> analz H ==> Y \<in> analz H"
11189
1ea763a5d186 conversion of Message.thy to Isar format
paulson
parents: 10833
diff changeset
    96
    Decrypt [dest]: 
11192
5fd02b905a9a a few basic X-symbols
paulson
parents: 11189
diff changeset
    97
             "[|Crypt K X \<in> analz H; Key(invKey K): analz H|] ==> X \<in> analz H"
1839
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
    98
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
    99
11189
1ea763a5d186 conversion of Message.thy to Isar format
paulson
parents: 10833
diff changeset
   100
(*Monotonicity; Lemma 1 of Lowe's paper*)
1ea763a5d186 conversion of Message.thy to Isar format
paulson
parents: 10833
diff changeset
   101
lemma analz_mono: "G<=H ==> analz(G) <= analz(H)"
1ea763a5d186 conversion of Message.thy to Isar format
paulson
parents: 10833
diff changeset
   102
apply auto
1ea763a5d186 conversion of Message.thy to Isar format
paulson
parents: 10833
diff changeset
   103
apply (erule analz.induct) 
1ea763a5d186 conversion of Message.thy to Isar format
paulson
parents: 10833
diff changeset
   104
apply (auto dest: Fst Snd) 
1ea763a5d186 conversion of Message.thy to Isar format
paulson
parents: 10833
diff changeset
   105
done
1ea763a5d186 conversion of Message.thy to Isar format
paulson
parents: 10833
diff changeset
   106
1913
2809adb15eb0 Renaming of functions, and tidying
paulson
parents: 1839
diff changeset
   107
(** Inductive definition of "synth" -- what can be built up from a set of
1839
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   108
    messages.  A form of upward closure.  Pairs can be built, messages
3668
a39baf59ea47 Split base cases from "msg" to "atomic" in order
paulson
parents: 2516
diff changeset
   109
    encrypted with known keys.  Agent names are public domain.
a39baf59ea47 Split base cases from "msg" to "atomic" in order
paulson
parents: 2516
diff changeset
   110
    Numbers can be guessed, but Nonces cannot be.  **)
1839
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   111
11189
1ea763a5d186 conversion of Message.thy to Isar format
paulson
parents: 10833
diff changeset
   112
consts  synth   :: "msg set => msg set"
1913
2809adb15eb0 Renaming of functions, and tidying
paulson
parents: 1839
diff changeset
   113
inductive "synth H"
11189
1ea763a5d186 conversion of Message.thy to Isar format
paulson
parents: 10833
diff changeset
   114
  intros 
11192
5fd02b905a9a a few basic X-symbols
paulson
parents: 11189
diff changeset
   115
    Inj    [intro]:   "X \<in> H ==> X \<in> synth H"
5fd02b905a9a a few basic X-symbols
paulson
parents: 11189
diff changeset
   116
    Agent  [intro]:   "Agent agt \<in> synth H"
5fd02b905a9a a few basic X-symbols
paulson
parents: 11189
diff changeset
   117
    Number [intro]:   "Number n  \<in> synth H"
5fd02b905a9a a few basic X-symbols
paulson
parents: 11189
diff changeset
   118
    Hash   [intro]:   "X \<in> synth H ==> Hash X \<in> synth H"
5fd02b905a9a a few basic X-symbols
paulson
parents: 11189
diff changeset
   119
    MPair  [intro]:   "[|X \<in> synth H;  Y \<in> synth H|] ==> {|X,Y|} \<in> synth H"
5fd02b905a9a a few basic X-symbols
paulson
parents: 11189
diff changeset
   120
    Crypt  [intro]:   "[|X \<in> synth H;  Key(K) \<in> H|] ==> Crypt K X \<in> synth H"
11189
1ea763a5d186 conversion of Message.thy to Isar format
paulson
parents: 10833
diff changeset
   121
1ea763a5d186 conversion of Message.thy to Isar format
paulson
parents: 10833
diff changeset
   122
(*Monotonicity*)
1ea763a5d186 conversion of Message.thy to Isar format
paulson
parents: 10833
diff changeset
   123
lemma synth_mono: "G<=H ==> synth(G) <= synth(H)"
1ea763a5d186 conversion of Message.thy to Isar format
paulson
parents: 10833
diff changeset
   124
apply auto
1ea763a5d186 conversion of Message.thy to Isar format
paulson
parents: 10833
diff changeset
   125
apply (erule synth.induct) 
1ea763a5d186 conversion of Message.thy to Isar format
paulson
parents: 10833
diff changeset
   126
apply (auto dest: Fst Snd Body) 
1ea763a5d186 conversion of Message.thy to Isar format
paulson
parents: 10833
diff changeset
   127
done
1ea763a5d186 conversion of Message.thy to Isar format
paulson
parents: 10833
diff changeset
   128
1ea763a5d186 conversion of Message.thy to Isar format
paulson
parents: 10833
diff changeset
   129
(*NO Agent_synth, as any Agent name can be synthesized.  Ditto for Number*)
11192
5fd02b905a9a a few basic X-symbols
paulson
parents: 11189
diff changeset
   130
inductive_cases Nonce_synth [elim!]: "Nonce n \<in> synth H"
5fd02b905a9a a few basic X-symbols
paulson
parents: 11189
diff changeset
   131
inductive_cases Key_synth   [elim!]: "Key K \<in> synth H"
5fd02b905a9a a few basic X-symbols
paulson
parents: 11189
diff changeset
   132
inductive_cases Hash_synth  [elim!]: "Hash X \<in> synth H"
5fd02b905a9a a few basic X-symbols
paulson
parents: 11189
diff changeset
   133
inductive_cases MPair_synth [elim!]: "{|X,Y|} \<in> synth H"
5fd02b905a9a a few basic X-symbols
paulson
parents: 11189
diff changeset
   134
inductive_cases Crypt_synth [elim!]: "Crypt K X \<in> synth H"
11189
1ea763a5d186 conversion of Message.thy to Isar format
paulson
parents: 10833
diff changeset
   135
1ea763a5d186 conversion of Message.thy to Isar format
paulson
parents: 10833
diff changeset
   136
use "Message_lemmas.ML"
1ea763a5d186 conversion of Message.thy to Isar format
paulson
parents: 10833
diff changeset
   137
11251
a6816d47f41d converted many HOL/Auth theories to Isar scripts
paulson
parents: 11245
diff changeset
   138
lemmas analz_into_parts = analz_subset_parts [THEN subsetD, standard]
a6816d47f41d converted many HOL/Auth theories to Isar scripts
paulson
parents: 11245
diff changeset
   139
11245
3d9d25a3375b new theorem Fake_parts_insert_in_Un
paulson
parents: 11230
diff changeset
   140
lemma Fake_parts_insert_in_Un:
3d9d25a3375b new theorem Fake_parts_insert_in_Un
paulson
parents: 11230
diff changeset
   141
     "[|Z \<in> parts (insert X H);  X: synth (analz H)|] 
3d9d25a3375b new theorem Fake_parts_insert_in_Un
paulson
parents: 11230
diff changeset
   142
      ==> Z \<in>  synth (analz H) \<union> parts H";
3d9d25a3375b new theorem Fake_parts_insert_in_Un
paulson
parents: 11230
diff changeset
   143
by (blast dest: Fake_parts_insert  [THEN subsetD, dest])
3d9d25a3375b new theorem Fake_parts_insert_in_Un
paulson
parents: 11230
diff changeset
   144
11189
1ea763a5d186 conversion of Message.thy to Isar format
paulson
parents: 10833
diff changeset
   145
method_setup spy_analz = {*
11270
a315a3862bb4 better treatment of methods: uses Method.ctxt_args to refer to current
paulson
parents: 11264
diff changeset
   146
    Method.ctxt_args (fn ctxt =>
a315a3862bb4 better treatment of methods: uses Method.ctxt_args to refer to current
paulson
parents: 11264
diff changeset
   147
        Method.METHOD (fn facts => 
a315a3862bb4 better treatment of methods: uses Method.ctxt_args to refer to current
paulson
parents: 11264
diff changeset
   148
            gen_spy_analz_tac (Classical.get_local_claset ctxt,
a315a3862bb4 better treatment of methods: uses Method.ctxt_args to refer to current
paulson
parents: 11264
diff changeset
   149
                               Simplifier.get_local_simpset ctxt) 1)) *}
11189
1ea763a5d186 conversion of Message.thy to Isar format
paulson
parents: 10833
diff changeset
   150
    "for proving the Fake case when analz is involved"
1839
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   151
11264
a47a9288f3f6 (rough) conversion of Auth/Recur to Isar format
paulson
parents: 11251
diff changeset
   152
method_setup atomic_spy_analz = {*
11270
a315a3862bb4 better treatment of methods: uses Method.ctxt_args to refer to current
paulson
parents: 11264
diff changeset
   153
    Method.ctxt_args (fn ctxt =>
a315a3862bb4 better treatment of methods: uses Method.ctxt_args to refer to current
paulson
parents: 11264
diff changeset
   154
        Method.METHOD (fn facts => 
a315a3862bb4 better treatment of methods: uses Method.ctxt_args to refer to current
paulson
parents: 11264
diff changeset
   155
            atomic_spy_analz_tac (Classical.get_local_claset ctxt,
a315a3862bb4 better treatment of methods: uses Method.ctxt_args to refer to current
paulson
parents: 11264
diff changeset
   156
                                  Simplifier.get_local_simpset ctxt) 1)) *}
11264
a47a9288f3f6 (rough) conversion of Auth/Recur to Isar format
paulson
parents: 11251
diff changeset
   157
    "for debugging spy_analz"
a47a9288f3f6 (rough) conversion of Auth/Recur to Isar format
paulson
parents: 11251
diff changeset
   158
a47a9288f3f6 (rough) conversion of Auth/Recur to Isar format
paulson
parents: 11251
diff changeset
   159
method_setup Fake_insert_simp = {*
11270
a315a3862bb4 better treatment of methods: uses Method.ctxt_args to refer to current
paulson
parents: 11264
diff changeset
   160
    Method.ctxt_args (fn ctxt =>
a315a3862bb4 better treatment of methods: uses Method.ctxt_args to refer to current
paulson
parents: 11264
diff changeset
   161
        Method.METHOD (fn facts =>
a315a3862bb4 better treatment of methods: uses Method.ctxt_args to refer to current
paulson
parents: 11264
diff changeset
   162
            Fake_insert_simp_tac (Simplifier.get_local_simpset ctxt) 1)) *}
11264
a47a9288f3f6 (rough) conversion of Auth/Recur to Isar format
paulson
parents: 11251
diff changeset
   163
    "for debugging spy_analz"
a47a9288f3f6 (rough) conversion of Auth/Recur to Isar format
paulson
parents: 11251
diff changeset
   164
1839
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   165
end