| author | wenzelm |
| Thu, 18 Jul 2013 21:06:21 +0200 | |
| changeset 52698 | df1531af559f |
| parent 49322 | fbb320d02420 |
| child 56739 | 0d56854096ba |
| permissions | -rw-r--r-- |
| 49322 | 1 |
(* Author: Lawrence C Paulson, Cambridge University Computer Laboratory |
| 11250 | 2 |
Copyright 1996 University of Cambridge |
3 |
||
4 |
Inductive relation "ns_public" for the Needham-Schroeder Public-Key protocol. |
|
5 |
Version incorporating Lowe's fix (inclusion of B's identity in round 2). |
|
|
23925
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
6 |
*)(*<*) |
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
7 |
theory NS_Public imports Public begin(*>*) |
| 11250 | 8 |
|
|
23925
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
9 |
section{* Modelling the Protocol \label{sec:modelling} *}
|
| 11250 | 10 |
|
|
23925
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
11 |
text_raw {*
|
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
12 |
\begin{figure}
|
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
13 |
\begin{isabelle}
|
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
14 |
*} |
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
15 |
|
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
16 |
inductive_set ns_public :: "event list set" |
| 23733 | 17 |
where |
|
23925
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
18 |
|
| 11250 | 19 |
Nil: "[] \<in> ns_public" |
20 |
||
21 |
||
|
23925
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
22 |
| Fake: "\<lbrakk>evsf \<in> ns_public; X \<in> synth (analz (knows Spy evsf))\<rbrakk> |
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
23 |
\<Longrightarrow> Says Spy B X # evsf \<in> ns_public" |
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
24 |
|
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
25 |
|
| 23733 | 26 |
| NS1: "\<lbrakk>evs1 \<in> ns_public; Nonce NA \<notin> used evs1\<rbrakk> |
| 11250 | 27 |
\<Longrightarrow> Says A B (Crypt (pubK B) \<lbrace>Nonce NA, Agent A\<rbrace>) |
28 |
# evs1 \<in> ns_public" |
|
29 |
||
|
23925
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
30 |
|
| 23733 | 31 |
| NS2: "\<lbrakk>evs2 \<in> ns_public; Nonce NB \<notin> used evs2; |
| 11250 | 32 |
Says A' B (Crypt (pubK B) \<lbrace>Nonce NA, Agent A\<rbrace>) \<in> set evs2\<rbrakk> |
33 |
\<Longrightarrow> Says B A (Crypt (pubK A) \<lbrace>Nonce NA, Nonce NB, Agent B\<rbrace>) |
|
34 |
# evs2 \<in> ns_public" |
|
35 |
||
|
23925
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
36 |
|
| 23733 | 37 |
| NS3: "\<lbrakk>evs3 \<in> ns_public; |
| 11250 | 38 |
Says A B (Crypt (pubK B) \<lbrace>Nonce NA, Agent A\<rbrace>) \<in> set evs3; |
39 |
Says B' A (Crypt (pubK A) \<lbrace>Nonce NA, Nonce NB, Agent B\<rbrace>) |
|
40 |
\<in> set evs3\<rbrakk> |
|
41 |
\<Longrightarrow> Says A B (Crypt (pubK B) (Nonce NB)) # evs3 \<in> ns_public" |
|
42 |
||
|
23925
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
43 |
text_raw {*
|
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
44 |
\end{isabelle}
|
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
45 |
\caption{An Inductive Protocol Definition}\label{fig:ns_public}
|
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
46 |
\end{figure}
|
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
47 |
*} |
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
48 |
|
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
49 |
text {*
|
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
50 |
Let us formalize the Needham-Schroeder public-key protocol, as corrected by |
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
51 |
Lowe: |
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
52 |
\begin{alignat*%
|
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
53 |
}{2}
|
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
54 |
&1.&\quad A\to B &: \comp{Na,A}\sb{Kb} \\
|
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
55 |
&2.&\quad B\to A &: \comp{Na,Nb,B}\sb{Ka} \\
|
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
56 |
&3.&\quad A\to B &: \comp{Nb}\sb{Kb}
|
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
57 |
\end{alignat*%
|
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
58 |
} |
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
59 |
|
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
60 |
Each protocol step is specified by a rule of an inductive definition. An |
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
61 |
event trace has type @{text "event list"}, so we declare the constant
|
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
62 |
@{text ns_public} to be a set of such traces.
|
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
63 |
|
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
64 |
Figure~\ref{fig:ns_public} presents the inductive definition. The
|
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
65 |
@{text Nil} rule introduces the empty trace. The @{text Fake} rule models the
|
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
66 |
adversary's sending a message built from components taken from past |
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
67 |
traffic, expressed using the functions @{text synth} and
|
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
68 |
@{text analz}.
|
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
69 |
The next three rules model how honest agents would perform the three |
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
70 |
protocol steps. |
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
71 |
|
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
72 |
Here is a detailed explanation of rule @{text NS2}.
|
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
73 |
A trace containing an event of the form |
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
74 |
@{term [display,indent=5] "Says A' B (Crypt (pubK B) \<lbrace>Nonce NA, Agent A\<rbrace>)"}
|
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
75 |
may be extended by an event of the form |
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
76 |
@{term [display,indent=5] "Says B A (Crypt (pubK A) \<lbrace>Nonce NA, Nonce NB, Agent B\<rbrace>)"}
|
| 35503 | 77 |
where @{text NB} is a fresh nonce: @{term "Nonce NB \<notin> used evs2"}.
|
|
23925
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
78 |
Writing the sender as @{text A'} indicates that @{text B} does not
|
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
79 |
know who sent the message. Calling the trace variable @{text evs2} rather
|
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
80 |
than simply @{text evs} helps us know where we are in a proof after many
|
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
81 |
case-splits: every subgoal mentioning @{text evs2} involves message~2 of the
|
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
82 |
protocol. |
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
83 |
|
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
84 |
Benefits of this approach are simplicity and clarity. The semantic model |
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
85 |
is set theory, proofs are by induction and the translation from the informal |
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
86 |
notation to the inductive rules is straightforward. |
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
87 |
*} |
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
88 |
|
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
89 |
section{* Proving Elementary Properties \label{sec:regularity} *}
|
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
90 |
|
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
91 |
(*<*) |
| 11250 | 92 |
declare knows_Spy_partsEs [elim] |
93 |
declare analz_subset_parts [THEN subsetD, dest] |
|
94 |
declare Fake_parts_insert [THEN subsetD, dest] |
|
95 |
declare image_eq_UN [simp] (*accelerates proofs involving nested images*) |
|
96 |
||
97 |
(*A "possibility property": there are traces that reach the end*) |
|
98 |
lemma "\<exists>NB. \<exists>evs \<in> ns_public. Says A B (Crypt (pubK B) (Nonce NB)) \<in> set evs" |
|
99 |
apply (intro exI bexI) |
|
| 11269 | 100 |
apply (rule_tac [2] ns_public.Nil [THEN ns_public.NS1, THEN ns_public.NS2, |
| 11250 | 101 |
THEN ns_public.NS3]) |
102 |
by possibility |
|
103 |
||
104 |
||
105 |
(**** Inductive proofs about ns_public ****) |
|
106 |
||
| 11269 | 107 |
(** Theorems of the form X \<notin> parts (knows Spy evs) imply that NOBODY |
| 11250 | 108 |
sends messages containing X! **) |
109 |
||
110 |
(*Spy never sees another agent's private key! (unless it's bad at start)*) |
|
|
23925
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
111 |
(*>*) |
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
112 |
|
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
113 |
text {*
|
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
114 |
Secrecy properties can be hard to prove. The conclusion of a typical |
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
115 |
secrecy theorem is |
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
116 |
@{term "X \<notin> analz (knows Spy evs)"}. The difficulty arises from
|
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
117 |
having to reason about @{text analz}, or less formally, showing that the spy
|
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
118 |
can never learn~@{text X}. Much easier is to prove that @{text X} can never
|
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
119 |
occur at all. Such \emph{regularity} properties are typically expressed
|
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
120 |
using @{text parts} rather than @{text analz}.
|
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
121 |
|
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
122 |
The following lemma states that @{text A}'s private key is potentially
|
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
123 |
known to the spy if and only if @{text A} belongs to the set @{text bad} of
|
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
124 |
compromised agents. The statement uses @{text parts}: the very presence of
|
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
125 |
@{text A}'s private key in a message, whether protected by encryption or
|
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
126 |
not, is enough to confirm that @{text A} is compromised. The proof, like
|
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
127 |
nearly all protocol proofs, is by induction over traces. |
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
128 |
*} |
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
129 |
|
| 11269 | 130 |
lemma Spy_see_priK [simp]: |
|
23925
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
131 |
"evs \<in> ns_public |
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
132 |
\<Longrightarrow> (Key (priK A) \<in> parts (knows Spy evs)) = (A \<in> bad)" |
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
133 |
apply (erule ns_public.induct, simp_all) |
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
134 |
txt {*
|
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
135 |
The induction yields five subgoals, one for each rule in the definition of |
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
136 |
@{text ns_public}. The idea is to prove that the protocol property holds initially
|
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
137 |
(rule @{text Nil}), is preserved by each of the legitimate protocol steps (rules
|
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
138 |
@{text NS1}--@{text 3}), and even is preserved in the face of anything the
|
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
139 |
spy can do (rule @{text Fake}).
|
| 11250 | 140 |
|
|
23925
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
141 |
The proof is trivial. No legitimate protocol rule sends any keys |
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
142 |
at all, so only @{text Fake} is relevant. Indeed, simplification leaves
|
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
143 |
only the @{text Fake} case, as indicated by the variable name @{text evsf}:
|
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
144 |
@{subgoals[display,indent=0,margin=65]}
|
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
145 |
*} |
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
146 |
by blast |
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
147 |
(*<*) |
| 11269 | 148 |
lemma Spy_analz_priK [simp]: |
149 |
"evs \<in> ns_public \<Longrightarrow> (Key (priK A) \<in> analz (knows Spy evs)) = (A \<in> bad)" |
|
| 11250 | 150 |
by auto |
|
23925
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
151 |
(*>*) |
| 11250 | 152 |
|
|
23925
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
153 |
text {*
|
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
154 |
The @{text Fake} case is proved automatically. If
|
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
155 |
@{term "priK A"} is in the extended trace then either (1) it was already in the
|
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
156 |
original trace or (2) it was |
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
157 |
generated by the spy, who must have known this key already. |
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
158 |
Either way, the induction hypothesis applies. |
| 11250 | 159 |
|
|
23925
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
160 |
\emph{Unicity} lemmas are regularity lemmas stating that specified items
|
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
161 |
can occur only once in a trace. The following lemma states that a nonce |
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
162 |
cannot be used both as $Na$ and as $Nb$ unless |
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
163 |
it is known to the spy. Intuitively, it holds because honest agents |
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
164 |
always choose fresh values as nonces; only the spy might reuse a value, |
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
165 |
and he doesn't know this particular value. The proof script is short: |
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
166 |
induction, simplification, @{text blast}. The first line uses the rule
|
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
167 |
@{text rev_mp} to prepare the induction by moving two assumptions into the
|
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
168 |
induction formula. |
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
169 |
*} |
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
170 |
|
| 11269 | 171 |
lemma no_nonce_NS1_NS2: |
|
23925
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
172 |
"\<lbrakk>Crypt (pubK C) \<lbrace>NA', Nonce NA, Agent D\<rbrace> \<in> parts (knows Spy evs); |
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
173 |
Crypt (pubK B) \<lbrace>Nonce NA, Agent A\<rbrace> \<in> parts (knows Spy evs); |
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
174 |
evs \<in> ns_public\<rbrakk> |
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
175 |
\<Longrightarrow> Nonce NA \<in> analz (knows Spy evs)" |
| 11269 | 176 |
apply (erule rev_mp, erule rev_mp) |
| 11250 | 177 |
apply (erule ns_public.induct, simp_all) |
178 |
apply (blast intro: analz_insertI)+ |
|
179 |
done |
|
180 |
||
|
23925
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
181 |
text {*
|
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
182 |
The following unicity lemma states that, if \isa{NA} is secret, then its
|
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
183 |
appearance in any instance of message~1 determines the other components. |
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
184 |
The proof is similar to the previous one. |
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
185 |
*} |
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
186 |
|
| 11269 | 187 |
lemma unique_NA: |
188 |
"\<lbrakk>Crypt(pubK B) \<lbrace>Nonce NA, Agent A \<rbrace> \<in> parts(knows Spy evs); |
|
189 |
Crypt(pubK B') \<lbrace>Nonce NA, Agent A'\<rbrace> \<in> parts(knows Spy evs); |
|
190 |
Nonce NA \<notin> analz (knows Spy evs); evs \<in> ns_public\<rbrakk> |
|
| 11250 | 191 |
\<Longrightarrow> A=A' \<and> B=B'" |
|
23925
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
192 |
(*<*) |
| 11269 | 193 |
apply (erule rev_mp, erule rev_mp, erule rev_mp) |
| 11250 | 194 |
apply (erule ns_public.induct, simp_all) |
195 |
(*Fake, NS1*) |
|
196 |
apply (blast intro: analz_insertI)+ |
|
197 |
done |
|
|
23925
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
198 |
(*>*) |
| 11250 | 199 |
|
|
23925
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
200 |
section{* Proving Secrecy Theorems \label{sec:secrecy} *}
|
| 11250 | 201 |
|
|
23925
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
202 |
(*<*) |
| 11250 | 203 |
(*Secrecy: Spy does not see the nonce sent in msg NS1 if A and B are secure |
204 |
The major premise "Says A B ..." makes it a dest-rule, so we use |
|
205 |
(erule rev_mp) rather than rule_format. *) |
|
| 11269 | 206 |
theorem Spy_not_see_NA: |
| 11250 | 207 |
"\<lbrakk>Says A B (Crypt(pubK B) \<lbrace>Nonce NA, Agent A\<rbrace>) \<in> set evs; |
| 11269 | 208 |
A \<notin> bad; B \<notin> bad; evs \<in> ns_public\<rbrakk> |
209 |
\<Longrightarrow> Nonce NA \<notin> analz (knows Spy evs)" |
|
210 |
apply (erule rev_mp) |
|
| 11250 | 211 |
apply (erule ns_public.induct, simp_all) |
212 |
apply spy_analz |
|
213 |
apply (blast dest: unique_NA intro: no_nonce_NS1_NS2)+ |
|
214 |
done |
|
215 |
||
216 |
||
217 |
(*Authentication for A: if she receives message 2 and has used NA |
|
218 |
to start a run, then B has sent message 2.*) |
|
| 11269 | 219 |
lemma A_trusts_NS2_lemma [rule_format]: |
220 |
"\<lbrakk>A \<notin> bad; B \<notin> bad; evs \<in> ns_public\<rbrakk> |
|
221 |
\<Longrightarrow> Crypt (pubK A) \<lbrace>Nonce NA, Nonce NB, Agent B\<rbrace> \<in> parts (knows Spy evs) \<longrightarrow> |
|
|
32960
69916a850301
eliminated hard tabulators, guessing at each author's individual tab-width;
wenzelm
parents:
32891
diff
changeset
|
222 |
Says A B (Crypt(pubK B) \<lbrace>Nonce NA, Agent A\<rbrace>) \<in> set evs \<longrightarrow> |
|
69916a850301
eliminated hard tabulators, guessing at each author's individual tab-width;
wenzelm
parents:
32891
diff
changeset
|
223 |
Says B A (Crypt(pubK A) \<lbrace>Nonce NA, Nonce NB, Agent B\<rbrace>) \<in> set evs" |
| 11250 | 224 |
apply (erule ns_public.induct, simp_all) |
225 |
(*Fake, NS1*) |
|
226 |
apply (blast dest: Spy_not_see_NA)+ |
|
227 |
done |
|
228 |
||
| 11269 | 229 |
theorem A_trusts_NS2: |
230 |
"\<lbrakk>Says A B (Crypt(pubK B) \<lbrace>Nonce NA, Agent A\<rbrace>) \<in> set evs; |
|
| 11250 | 231 |
Says B' A (Crypt(pubK A) \<lbrace>Nonce NA, Nonce NB, Agent B\<rbrace>) \<in> set evs; |
| 11269 | 232 |
A \<notin> bad; B \<notin> bad; evs \<in> ns_public\<rbrakk> |
| 11250 | 233 |
\<Longrightarrow> Says B A (Crypt(pubK A) \<lbrace>Nonce NA, Nonce NB, Agent B\<rbrace>) \<in> set evs" |
234 |
by (blast intro: A_trusts_NS2_lemma) |
|
235 |
||
236 |
||
237 |
(*If the encrypted message appears then it originated with Alice in NS1*) |
|
238 |
lemma B_trusts_NS1 [rule_format]: |
|
| 11269 | 239 |
"evs \<in> ns_public |
240 |
\<Longrightarrow> Crypt (pubK B) \<lbrace>Nonce NA, Agent A\<rbrace> \<in> parts (knows Spy evs) \<longrightarrow> |
|
|
32960
69916a850301
eliminated hard tabulators, guessing at each author's individual tab-width;
wenzelm
parents:
32891
diff
changeset
|
241 |
Nonce NA \<notin> analz (knows Spy evs) \<longrightarrow> |
|
69916a850301
eliminated hard tabulators, guessing at each author's individual tab-width;
wenzelm
parents:
32891
diff
changeset
|
242 |
Says A B (Crypt (pubK B) \<lbrace>Nonce NA, Agent A\<rbrace>) \<in> set evs" |
| 11250 | 243 |
apply (erule ns_public.induct, simp_all) |
244 |
(*Fake*) |
|
245 |
apply (blast intro!: analz_insertI) |
|
246 |
done |
|
247 |
||
248 |
||
249 |
||
250 |
(*** Authenticity properties obtained from NS2 ***) |
|
251 |
||
| 11269 | 252 |
(*Unicity for NS2: nonce NB identifies nonce NA and agents A, B |
| 11250 | 253 |
[unicity of B makes Lowe's fix work] |
254 |
[proof closely follows that for unique_NA] *) |
|
255 |
||
| 11269 | 256 |
lemma unique_NB [dest]: |
257 |
"\<lbrakk>Crypt(pubK A) \<lbrace>Nonce NA, Nonce NB, Agent B\<rbrace> \<in> parts(knows Spy evs); |
|
258 |
Crypt(pubK A') \<lbrace>Nonce NA', Nonce NB, Agent B'\<rbrace> \<in> parts(knows Spy evs); |
|
259 |
Nonce NB \<notin> analz (knows Spy evs); evs \<in> ns_public\<rbrakk> |
|
| 11250 | 260 |
\<Longrightarrow> A=A' \<and> NA=NA' \<and> B=B'" |
| 11269 | 261 |
apply (erule rev_mp, erule rev_mp, erule rev_mp) |
| 11250 | 262 |
apply (erule ns_public.induct, simp_all) |
263 |
(*Fake, NS2*) |
|
264 |
apply (blast intro: analz_insertI)+ |
|
265 |
done |
|
|
23925
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
266 |
(*>*) |
| 11269 | 267 |
|
|
23925
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
268 |
text {*
|
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
269 |
The secrecy theorems for Bob (the second participant) are especially |
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
270 |
important because they fail for the original protocol. The following |
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
271 |
theorem states that if Bob sends message~2 to Alice, and both agents are |
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
272 |
uncompromised, then Bob's nonce will never reach the spy. |
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
273 |
*} |
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
274 |
|
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
275 |
theorem Spy_not_see_NB [dest]: |
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
276 |
"\<lbrakk>Says B A (Crypt (pubK A) \<lbrace>Nonce NA, Nonce NB, Agent B\<rbrace>) \<in> set evs; |
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
277 |
A \<notin> bad; B \<notin> bad; evs \<in> ns_public\<rbrakk> |
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
278 |
\<Longrightarrow> Nonce NB \<notin> analz (knows Spy evs)" |
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
279 |
txt {*
|
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
280 |
To prove it, we must formulate the induction properly (one of the |
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
281 |
assumptions mentions~@{text evs}), apply induction, and simplify:
|
| 11269 | 282 |
*} |
283 |
||
|
23925
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
284 |
apply (erule rev_mp, erule ns_public.induct, simp_all) |
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
285 |
(*<*) |
| 11250 | 286 |
apply spy_analz |
|
23925
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
287 |
defer |
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
288 |
apply (blast intro: no_nonce_NS1_NS2) |
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
289 |
apply (blast intro: no_nonce_NS1_NS2) |
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
290 |
(*>*) |
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
291 |
|
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
292 |
txt {*
|
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
293 |
The proof states are too complicated to present in full. |
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
294 |
Let's examine the simplest subgoal, that for message~1. The following |
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
295 |
event has just occurred: |
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
296 |
\[ 1.\quad A'\to B' : \comp{Na',A'}\sb{Kb'} \]
|
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
297 |
The variables above have been primed because this step |
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
298 |
belongs to a different run from that referred to in the theorem |
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
299 |
statement --- the theorem |
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
300 |
refers to a past instance of message~2, while this subgoal |
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
301 |
concerns message~1 being sent just now. |
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
302 |
In the Isabelle subgoal, instead of primed variables like $B'$ and $Na'$ |
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
303 |
we have @{text Ba} and~@{text NAa}:
|
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
304 |
@{subgoals[display,indent=0]}
|
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
305 |
The simplifier has used a |
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
306 |
default simplification rule that does a case |
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
307 |
analysis for each encrypted message on whether or not the decryption key |
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
308 |
is compromised. |
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
309 |
@{named_thms [display,indent=0,margin=50] analz_Crypt_if [no_vars] (analz_Crypt_if)}
|
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
310 |
The simplifier has also used @{text Spy_see_priK}, proved in
|
| 27093 | 311 |
{\S}\ref{sec:regularity} above, to yield @{term "Ba \<in> bad"}.
|
| 11250 | 312 |
|
|
23925
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
313 |
Recall that this subgoal concerns the case |
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
314 |
where the last message to be sent was |
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
315 |
\[ 1.\quad A'\to B' : \comp{Na',A'}\sb{Kb'}. \]
|
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
316 |
This message can compromise $Nb$ only if $Nb=Na'$ and $B'$ is compromised, |
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
317 |
allowing the spy to decrypt the message. The Isabelle subgoal says |
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
318 |
precisely this, if we allow for its choice of variable names. |
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
319 |
Proving @{term "NB \<noteq> NAa"} is easy: @{text NB} was
|
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
320 |
sent earlier, while @{text NAa} is fresh; formally, we have
|
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
321 |
the assumption @{term "Nonce NAa \<notin> used evs1"}.
|
| 11250 | 322 |
|
|
23925
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
323 |
Note that our reasoning concerned @{text B}'s participation in another
|
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
324 |
run. Agents may engage in several runs concurrently, and some attacks work |
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
325 |
by interleaving the messages of two runs. With model checking, this |
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
326 |
possibility can cause a state-space explosion, and for us it |
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
327 |
certainly complicates proofs. The biggest subgoal concerns message~2. It |
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
328 |
splits into several cases, such as whether or not the message just sent is |
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
329 |
the very message mentioned in the theorem statement. |
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
330 |
Some of the cases are proved by unicity, others by |
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
331 |
the induction hypothesis. For all those complications, the proofs are |
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
332 |
automatic by @{text blast} with the theorem @{text no_nonce_NS1_NS2}.
|
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
333 |
|
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
334 |
The remaining theorems about the protocol are not hard to prove. The |
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
335 |
following one asserts a form of \emph{authenticity}: if
|
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
336 |
@{text B} has sent an instance of message~2 to~@{text A} and has received the
|
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
337 |
expected reply, then that reply really originated with~@{text A}. The
|
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
338 |
proof is a simple induction. |
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
339 |
*} |
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
340 |
|
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
341 |
(*<*) |
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
342 |
by (blast intro: no_nonce_NS1_NS2) |
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
343 |
|
| 11250 | 344 |
lemma B_trusts_NS3_lemma [rule_format]: |
345 |
"\<lbrakk>A \<notin> bad; B \<notin> bad; evs \<in> ns_public\<rbrakk> \<Longrightarrow> |
|
| 11269 | 346 |
Crypt (pubK B) (Nonce NB) \<in> parts (knows Spy evs) \<longrightarrow> |
| 11250 | 347 |
Says B A (Crypt (pubK A) \<lbrace>Nonce NA, Nonce NB, Agent B\<rbrace>) \<in> set evs \<longrightarrow> |
348 |
Says A B (Crypt (pubK B) (Nonce NB)) \<in> set evs" |
|
349 |
by (erule ns_public.induct, auto) |
|
|
23925
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
350 |
(*>*) |
| 11250 | 351 |
theorem B_trusts_NS3: |
|
23925
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
352 |
"\<lbrakk>Says B A (Crypt (pubK A) \<lbrace>Nonce NA, Nonce NB, Agent B\<rbrace>) \<in> set evs; |
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
353 |
Says A' B (Crypt (pubK B) (Nonce NB)) \<in> set evs; |
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
354 |
A \<notin> bad; B \<notin> bad; evs \<in> ns_public\<rbrakk> |
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
355 |
\<Longrightarrow> Says A B (Crypt (pubK B) (Nonce NB)) \<in> set evs" |
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
356 |
(*<*) |
| 11250 | 357 |
by (blast intro: B_trusts_NS3_lemma) |
358 |
||
359 |
(*** Overall guarantee for B ***) |
|
360 |
||
361 |
||
362 |
(*If NS3 has been sent and the nonce NB agrees with the nonce B joined with |
|
363 |
NA, then A initiated the run using NA.*) |
|
|
23925
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
364 |
theorem B_trusts_protocol [rule_format]: |
| 11250 | 365 |
"\<lbrakk>A \<notin> bad; B \<notin> bad; evs \<in> ns_public\<rbrakk> \<Longrightarrow> |
| 11269 | 366 |
Crypt (pubK B) (Nonce NB) \<in> parts (knows Spy evs) \<longrightarrow> |
| 11250 | 367 |
Says B A (Crypt (pubK A) \<lbrace>Nonce NA, Nonce NB, Agent B\<rbrace>) \<in> set evs \<longrightarrow> |
368 |
Says A B (Crypt (pubK B) \<lbrace>Nonce NA, Agent A\<rbrace>) \<in> set evs" |
|
369 |
by (erule ns_public.induct, auto) |
|
|
23925
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
370 |
(*>*) |
| 11250 | 371 |
|
|
23925
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
372 |
text {*
|
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
373 |
From similar assumptions, we can prove that @{text A} started the protocol
|
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
374 |
run by sending an instance of message~1 involving the nonce~@{text NA}\@.
|
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
375 |
For this theorem, the conclusion is |
| 32891 | 376 |
@{thm [display] (concl) B_trusts_protocol [no_vars]}
|
|
23925
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
377 |
Analogous theorems can be proved for~@{text A}, stating that nonce~@{text NA}
|
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
378 |
remains secret and that message~2 really originates with~@{text B}. Even the
|
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
379 |
flawed protocol establishes these properties for~@{text A};
|
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
380 |
the flaw only harms the second participant. |
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
381 |
|
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
382 |
\medskip |
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
383 |
|
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
384 |
Detailed information on this protocol verification technique can be found |
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
385 |
elsewhere~\cite{paulson-jcs}, including proofs of an Internet
|
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
386 |
protocol~\cite{paulson-tls}. We must stress that the protocol discussed
|
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
387 |
in this chapter is trivial. There are only three messages; no keys are |
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
388 |
exchanged; we merely have to prove that encrypted data remains secret. |
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
389 |
Real world protocols are much longer and distribute many secrets to their |
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
390 |
participants. To be realistic, the model has to include the possibility |
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
391 |
of keys being lost dynamically due to carelessness. If those keys have |
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
392 |
been used to encrypt other sensitive information, there may be cascading |
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
393 |
losses. We may still be able to establish a bound on the losses and to |
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
394 |
prove that other protocol runs function |
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
395 |
correctly~\cite{paulson-yahalom}. Proofs of real-world protocols follow
|
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
396 |
the strategy illustrated above, but the subgoals can |
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
397 |
be much bigger and there are more of them. |
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
398 |
\index{protocols!security|)}
|
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
399 |
*} |
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
400 |
|
|
ee98c2528a8f
LaTeX code is now generated directly from theory files.
berghofe
parents:
23733
diff
changeset
|
401 |
(*<*)end(*>*) |