73 |
73 |
74 (*** Shared keys are not betrayed ***) |
74 (*** Shared keys are not betrayed ***) |
75 |
75 |
76 (*Enemy never sees another agent's shared key! (unless it is leaked at start)*) |
76 (*Enemy never sees another agent's shared key! (unless it is leaked at start)*) |
77 goal thy |
77 goal thy |
78 "!!evs. [| evs : otway; A ~= Enemy; A ~: Friend``leaked |] ==> \ |
78 "!!evs. [| evs : otway; A ~: bad |] ==> \ |
79 \ Key (shrK A) ~: parts (sees Enemy evs)"; |
79 \ Key (shrK A) ~: parts (sees Enemy evs)"; |
80 be otway.induct 1; |
80 be otway.induct 1; |
81 by OR2_OR4_tac; |
81 by OR2_OR4_tac; |
82 by (Auto_tac()); |
82 by (Auto_tac()); |
83 (*Deals with Fake message*) |
83 (*Deals with Fake message*) |
86 qed "Enemy_not_see_shrK"; |
86 qed "Enemy_not_see_shrK"; |
87 |
87 |
88 bind_thm ("Enemy_not_analz_shrK", |
88 bind_thm ("Enemy_not_analz_shrK", |
89 [analz_subset_parts, Enemy_not_see_shrK] MRS contra_subsetD); |
89 [analz_subset_parts, Enemy_not_see_shrK] MRS contra_subsetD); |
90 |
90 |
91 Addsimps [Enemy_not_see_shrK, |
91 Addsimps [Enemy_not_see_shrK, Enemy_not_analz_shrK]; |
92 not_sym RSN (2, Enemy_not_see_shrK), |
|
93 Enemy_not_analz_shrK, |
|
94 not_sym RSN (2, Enemy_not_analz_shrK)]; |
|
95 |
92 |
96 (*We go to some trouble to preserve R in the 3rd and 4th subgoals |
93 (*We go to some trouble to preserve R in the 3rd and 4th subgoals |
97 As usual fast_tac cannot be used because it uses the equalities too soon*) |
94 As usual fast_tac cannot be used because it uses the equalities too soon*) |
98 val major::prems = |
95 val major::prems = |
99 goal thy "[| Key (shrK A) : parts (sees Enemy evs); \ |
96 goal thy "[| Key (shrK A) : parts (sees Enemy evs); \ |
100 \ evs : otway; \ |
97 \ evs : otway; \ |
101 \ A=Enemy ==> R; \ |
98 \ A:bad ==> R \ |
102 \ !!i. [| A = Friend i; i: leaked |] ==> R \ |
|
103 \ |] ==> R"; |
99 \ |] ==> R"; |
104 br ccontr 1; |
100 br ccontr 1; |
105 br ([major, Enemy_not_see_shrK] MRS rev_notE) 1; |
101 br ([major, Enemy_not_see_shrK] MRS rev_notE) 1; |
106 br notI 3; |
|
107 be imageE 3; |
|
108 by (swap_res_tac prems 2); |
102 by (swap_res_tac prems 2); |
109 by (swap_res_tac prems 3 THEN ALLGOALS (fast_tac (!claset addIs prems))); |
103 by (ALLGOALS (fast_tac (!claset addIs prems))); |
110 qed "Enemy_see_shrK_E"; |
104 qed "Enemy_see_shrK_E"; |
111 |
105 |
112 bind_thm ("Enemy_analz_shrK_E", |
106 bind_thm ("Enemy_analz_shrK_E", |
113 analz_subset_parts RS subsetD RS Enemy_see_shrK_E); |
107 analz_subset_parts RS subsetD RS Enemy_see_shrK_E); |
114 |
108 |
115 (*Classical reasoner doesn't need the not_sym versions (with swapped ~=) *) |
|
116 AddSEs [Enemy_see_shrK_E, Enemy_analz_shrK_E]; |
109 AddSEs [Enemy_see_shrK_E, Enemy_analz_shrK_E]; |
117 |
110 |
118 |
111 |
119 (*** Future keys can't be seen or used! ***) |
112 (*** Future keys can't be seen or used! ***) |
120 |
113 |
346 qed "Says_Server_message_form"; |
339 qed "Says_Server_message_form"; |
347 |
340 |
348 |
341 |
349 (*Crucial secrecy property: Enemy does not see the keys sent in msg OR3*) |
342 (*Crucial secrecy property: Enemy does not see the keys sent in msg OR3*) |
350 goal thy |
343 goal thy |
351 "!!evs. [| Says Server (Friend j) \ |
344 "!!evs. [| Says Server A \ |
352 \ {|Ni, Crypt {|Ni, K|} (shrK (Friend i)), \ |
345 \ {|NA, Crypt {|NA, K|} (shrK B), \ |
353 \ Crypt {|Nj, K|} (shrK (Friend j))|} : set_of_list evs; \ |
346 \ Crypt {|NB, K|} (shrK A)|} : set_of_list evs; \ |
354 \ i ~: leaked; j ~: leaked; evs : otway |] ==> \ |
347 \ A ~: bad; B ~: bad; evs : otway |] ==> \ |
355 \ K ~: analz (sees Enemy evs)"; |
348 \ K ~: analz (sees Enemy evs)"; |
356 be rev_mp 1; |
349 be rev_mp 1; |
357 be otway.induct 1; |
350 be otway.induct 1; |
358 bd OR2_analz_sees_Enemy 4; |
351 bd OR2_analz_sees_Enemy 4; |
359 bd OR4_analz_sees_Enemy 6; |
352 bd OR4_analz_sees_Enemy 6; |
390 (** First, two lemmas for the Fake, OR2 and OR4 cases **) |
383 (** First, two lemmas for the Fake, OR2 and OR4 cases **) |
391 |
384 |
392 goal thy |
385 goal thy |
393 "!!evs. [| X : synth (analz (sees Enemy evs)); \ |
386 "!!evs. [| X : synth (analz (sees Enemy evs)); \ |
394 \ Crypt X' (shrK C) : parts{X}; \ |
387 \ Crypt X' (shrK C) : parts{X}; \ |
395 \ C ~= Enemy; C ~: Friend``leaked; evs : otway |] \ |
388 \ C ~: bad; evs : otway |] \ |
396 \ ==> Crypt X' (shrK C) : parts (sees Enemy evs)"; |
389 \ ==> Crypt X' (shrK C) : parts (sees Enemy evs)"; |
397 by (best_tac (!claset addSEs [impOfSubs analz_subset_parts] |
390 by (best_tac (!claset addSEs [impOfSubs analz_subset_parts] |
398 addDs [impOfSubs parts_insert_subset_Un] |
391 addDs [impOfSubs parts_insert_subset_Un] |
399 addss (!simpset)) 1); |
392 addss (!simpset)) 1); |
400 qed "Crypt_Fake_parts"; |
393 qed "Crypt_Fake_parts"; |
412 (*The Key K uniquely identifies a pair of senders in the message encrypted by |
405 (*The Key K uniquely identifies a pair of senders in the message encrypted by |
413 C, but if C=Enemy then he could send all sorts of nonsense.*) |
406 C, but if C=Enemy then he could send all sorts of nonsense.*) |
414 goal thy |
407 goal thy |
415 "!!evs. evs : otway ==> \ |
408 "!!evs. evs : otway ==> \ |
416 \ EX A B. ALL C. \ |
409 \ EX A B. ALL C. \ |
417 \ C ~= Enemy & C ~: Friend``leaked --> \ |
410 \ C ~: bad --> \ |
418 \ (ALL S S' X. Says S S' X : set_of_list evs --> \ |
411 \ (ALL S S' X. Says S S' X : set_of_list evs --> \ |
419 \ (EX NA. Crypt {|NA, Key K|} (shrK C) : parts{X}) --> C=A | C=B)"; |
412 \ (EX NA. Crypt {|NA, Key K|} (shrK C) : parts{X}) --> C=A | C=B)"; |
420 by (Simp_tac 1); |
413 by (Simp_tac 1); |
421 be otway.induct 1; |
414 be otway.induct 1; |
422 bd OR2_analz_sees_Enemy 4; |
415 bd OR2_analz_sees_Enemy 4; |