37 |
37 |
38 |
38 |
39 (**** Inductive proofs about kerberos_ban ****) |
39 (**** Inductive proofs about kerberos_ban ****) |
40 |
40 |
41 (*Forwarding Lemma for reasoning about the encrypted portion of message Kb3*) |
41 (*Forwarding Lemma for reasoning about the encrypted portion of message Kb3*) |
42 Goal "Says S A (Crypt KA {|Timestamp, B, K, X|}) : set evs \ |
42 Goal "Says S A (Crypt KA {|Timestamp, B, K, X|}) \\<in> set evs \ |
43 \ ==> X : parts (spies evs)"; |
43 \ ==> X \\<in> parts (spies evs)"; |
44 by (Blast_tac 1); |
44 by (Blast_tac 1); |
45 qed "Kb3_msg_in_parts_spies"; |
45 qed "Kb3_msg_in_parts_spies"; |
46 |
46 |
47 Goal "Says Server A (Crypt (shrK A) {|Timestamp, B, K, X|}) : set evs \ |
47 Goal "Says Server A (Crypt (shrK A) {|Timestamp, B, K, X|}) \\<in> set evs \ |
48 \ ==> K : parts (spies evs)"; |
48 \ ==> K \\<in> parts (spies evs)"; |
49 by (Blast_tac 1); |
49 by (Blast_tac 1); |
50 qed "Oops_parts_spies"; |
50 qed "Oops_parts_spies"; |
51 |
51 |
52 (*For proving the easier theorems about X ~: parts (spies evs).*) |
52 (*For proving the easier theorems about X \\<notin> parts (spies evs).*) |
53 fun parts_induct_tac i = |
53 fun parts_induct_tac i = |
54 etac kerberos_ban.induct i THEN |
54 etac kerberos_ban.induct i THEN |
55 ftac Oops_parts_spies (i+6) THEN |
55 ftac Oops_parts_spies (i+6) THEN |
56 ftac Kb3_msg_in_parts_spies (i+4) THEN |
56 ftac Kb3_msg_in_parts_spies (i+4) THEN |
57 prove_simple_subgoals_tac i; |
57 prove_simple_subgoals_tac i; |
58 |
58 |
59 |
59 |
60 (*Spy never sees another agent's shared key! (unless it's bad at start)*) |
60 (*Spy never sees another agent's shared key! (unless it's bad at start)*) |
61 Goal "evs : kerberos_ban ==> (Key (shrK A) : parts (spies evs)) = (A : bad)"; |
61 Goal "evs \\<in> kerberos_ban ==> (Key (shrK A) \\<in> parts (spies evs)) = (A \\<in> bad)"; |
62 by (parts_induct_tac 1); |
62 by (parts_induct_tac 1); |
63 by (ALLGOALS Blast_tac); |
63 by (ALLGOALS Blast_tac); |
64 qed "Spy_see_shrK"; |
64 qed "Spy_see_shrK"; |
65 Addsimps [Spy_see_shrK]; |
65 Addsimps [Spy_see_shrK]; |
66 |
66 |
67 |
67 |
68 Goal "evs : kerberos_ban ==> (Key (shrK A) : analz (spies evs)) = (A : bad)"; |
68 Goal "evs \\<in> kerberos_ban ==> (Key (shrK A) \\<in> analz (spies evs)) = (A \\<in> bad)"; |
69 by Auto_tac; |
69 by Auto_tac; |
70 qed "Spy_analz_shrK"; |
70 qed "Spy_analz_shrK"; |
71 Addsimps [Spy_analz_shrK]; |
71 Addsimps [Spy_analz_shrK]; |
72 |
72 |
73 Goal "[| Key (shrK A) : parts (spies evs); \ |
73 Goal "[| Key (shrK A) \\<in> parts (spies evs); \ |
74 \ evs : kerberos_ban |] ==> A:bad"; |
74 \ evs \\<in> kerberos_ban |] ==> A:bad"; |
75 by (blast_tac (claset() addDs [Spy_see_shrK]) 1); |
75 by (blast_tac (claset() addDs [Spy_see_shrK]) 1); |
76 qed "Spy_see_shrK_D"; |
76 qed "Spy_see_shrK_D"; |
77 |
77 |
78 bind_thm ("Spy_analz_shrK_D", analz_subset_parts RS subsetD RS Spy_see_shrK_D); |
78 bind_thm ("Spy_analz_shrK_D", analz_subset_parts RS subsetD RS Spy_see_shrK_D); |
79 AddSDs [Spy_see_shrK_D, Spy_analz_shrK_D]; |
79 AddSDs [Spy_see_shrK_D, Spy_analz_shrK_D]; |
80 |
80 |
81 |
81 |
82 (*Nobody can have used non-existent keys!*) |
82 (*Nobody can have used non-existent keys!*) |
83 Goal "evs : kerberos_ban ==> \ |
83 Goal "evs \\<in> kerberos_ban ==> \ |
84 \ Key K ~: used evs --> K ~: keysFor (parts (spies evs))"; |
84 \ Key K \\<notin> used evs --> K \\<notin> keysFor (parts (spies evs))"; |
85 by (parts_induct_tac 1); |
85 by (parts_induct_tac 1); |
86 (*Fake*) |
86 (*Fake*) |
87 by (blast_tac (claset() addSDs [keysFor_parts_insert]) 1); |
87 by (blast_tac (claset() addSDs [keysFor_parts_insert]) 1); |
88 (*Kb2, Kb3, Kb4*) |
88 (*Kb2, Kb3, Kb4*) |
89 by (ALLGOALS Blast_tac); |
89 by (ALLGOALS Blast_tac); |
90 qed_spec_mp "new_keys_not_used"; |
90 qed_spec_mp "new_keys_not_used"; |
91 |
91 Addsimps [new_keys_not_used]; |
92 bind_thm ("new_keys_not_analzd", |
|
93 [analz_subset_parts RS keysFor_mono, |
|
94 new_keys_not_used] MRS contra_subsetD); |
|
95 |
|
96 Addsimps [new_keys_not_used, new_keys_not_analzd]; |
|
97 |
|
98 |
92 |
99 (** Lemmas concerning the form of items passed in messages **) |
93 (** Lemmas concerning the form of items passed in messages **) |
100 |
94 |
101 (*Describes the form of K, X and K' when the Server sends this message.*) |
95 (*Describes the form of K, X and K' when the Server sends this message.*) |
102 Goal "[| Says Server A (Crypt K' {|Number Ts, Agent B, Key K, X|}) \ |
96 Goal "[| Says Server A (Crypt K' {|Number Ts, Agent B, Key K, X|}) \ |
103 \ : set evs; evs : kerberos_ban |] \ |
97 \ \\<in> set evs; evs \\<in> kerberos_ban |] \ |
104 \ ==> K ~: range shrK & \ |
98 \ ==> K \\<notin> range shrK & \ |
105 \ X = (Crypt (shrK B) {|Number Ts, Agent A, Key K|}) & \ |
99 \ X = (Crypt (shrK B) {|Number Ts, Agent A, Key K|}) & \ |
106 \ K' = shrK A"; |
100 \ K' = shrK A"; |
107 by (etac rev_mp 1); |
101 by (etac rev_mp 1); |
108 by (etac kerberos_ban.induct 1); |
102 by (etac kerberos_ban.induct 1); |
109 by Auto_tac; |
103 by Auto_tac; |
114 PROVIDED that A is NOT compromised! |
108 PROVIDED that A is NOT compromised! |
115 |
109 |
116 This shows implicitly the FRESHNESS OF THE SESSION KEY to A |
110 This shows implicitly the FRESHNESS OF THE SESSION KEY to A |
117 *) |
111 *) |
118 Goal "[| Crypt (shrK A) {|Number Ts, Agent B, Key K, X|} \ |
112 Goal "[| Crypt (shrK A) {|Number Ts, Agent B, Key K, X|} \ |
119 \ : parts (spies evs); \ |
113 \ \\<in> parts (spies evs); \ |
120 \ A ~: bad; evs : kerberos_ban |] \ |
114 \ A \\<notin> bad; evs \\<in> kerberos_ban |] \ |
121 \ ==> Says Server A (Crypt (shrK A) {|Number Ts, Agent B, Key K, X|}) \ |
115 \ ==> Says Server A (Crypt (shrK A) {|Number Ts, Agent B, Key K, X|}) \ |
122 \ : set evs"; |
116 \ \\<in> set evs"; |
123 by (etac rev_mp 1); |
117 by (etac rev_mp 1); |
124 by (parts_induct_tac 1); |
118 by (parts_induct_tac 1); |
125 by (Blast_tac 1); |
119 by (Blast_tac 1); |
126 qed "A_trusts_K_by_Kb2"; |
120 qed "A_trusts_K_by_Kb2"; |
127 |
121 |
128 |
122 |
129 (*If the TICKET appears then it originated with the Server*) |
123 (*If the TICKET appears then it originated with the Server*) |
130 (*FRESHNESS OF THE SESSION KEY to B*) |
124 (*FRESHNESS OF THE SESSION KEY to B*) |
131 Goal "[| Crypt (shrK B) {|Number Ts, Agent A, Key K|} : parts (spies evs); \ |
125 Goal "[| Crypt (shrK B) {|Number Ts, Agent A, Key K|} \\<in> parts (spies evs); \ |
132 \ B ~: bad; evs : kerberos_ban |] \ |
126 \ B \\<notin> bad; evs \\<in> kerberos_ban |] \ |
133 \ ==> Says Server A \ |
127 \ ==> Says Server A \ |
134 \ (Crypt (shrK A) {|Number Ts, Agent B, Key K, \ |
128 \ (Crypt (shrK A) {|Number Ts, Agent B, Key K, \ |
135 \ Crypt (shrK B) {|Number Ts, Agent A, Key K|}|}) \ |
129 \ Crypt (shrK B) {|Number Ts, Agent A, Key K|}|}) \ |
136 \ : set evs"; |
130 \ \\<in> set evs"; |
137 by (etac rev_mp 1); |
131 by (etac rev_mp 1); |
138 by (parts_induct_tac 1); |
132 by (parts_induct_tac 1); |
139 by (Blast_tac 1); |
133 by (Blast_tac 1); |
140 qed "B_trusts_K_by_Kb3"; |
134 qed "B_trusts_K_by_Kb3"; |
141 |
135 |
142 |
136 |
143 (*EITHER describes the form of X when the following message is sent, |
137 (*EITHER describes the form of X when the following message is sent, |
144 OR reduces it to the Fake case. |
138 OR reduces it to the Fake case. |
145 Use Says_Server_message_form if applicable.*) |
139 Use Says_Server_message_form if applicable.*) |
146 Goal "[| Says S A (Crypt (shrK A) {|Number Ts, Agent B, Key K, X|}) \ |
140 Goal "[| Says S A (Crypt (shrK A) {|Number Ts, Agent B, Key K, X|}) \ |
147 \ : set evs; \ |
141 \ \\<in> set evs; \ |
148 \ evs : kerberos_ban |] \ |
142 \ evs \\<in> kerberos_ban |] \ |
149 \==> (K ~: range shrK & X = (Crypt (shrK B) {|Number Ts, Agent A, Key K|}))\ |
143 \==> (K \\<notin> range shrK & X = (Crypt (shrK B) {|Number Ts, Agent A, Key K|}))\ |
150 \ | X : analz (spies evs)"; |
144 \ | X \\<in> analz (spies evs)"; |
151 by (case_tac "A : bad" 1); |
145 by (case_tac "A \\<in> bad" 1); |
152 by (fast_tac (claset() addSDs [Says_imp_spies RS analz.Inj] |
146 by (fast_tac (claset() addSDs [Says_imp_spies RS analz.Inj] |
153 addss (simpset())) 1); |
147 addss (simpset())) 1); |
154 by (forward_tac [Says_imp_spies RS parts.Inj] 1); |
148 by (forward_tac [Says_imp_spies RS parts.Inj] 1); |
155 by (blast_tac (claset() addSDs [A_trusts_K_by_Kb2, |
149 by (blast_tac (claset() addSDs [A_trusts_K_by_Kb2, |
156 Says_Server_message_form]) 1); |
150 Says_Server_message_form]) 1); |
165 |
159 |
166 |
160 |
167 (**** |
161 (**** |
168 The following is to prove theorems of the form |
162 The following is to prove theorems of the form |
169 |
163 |
170 Key K : analz (insert (Key KAB) (spies evs)) ==> |
164 Key K \\<in> analz (insert (Key KAB) (spies evs)) ==> |
171 Key K : analz (spies evs) |
165 Key K \\<in> analz (spies evs) |
172 |
166 |
173 A more general formula must be proved inductively. |
167 A more general formula must be proved inductively. |
174 |
168 |
175 ****) |
169 ****) |
176 |
170 |
177 |
171 |
178 (** Session keys are not used to encrypt other session keys **) |
172 (** Session keys are not used to encrypt other session keys **) |
179 |
173 |
180 Goal "evs : kerberos_ban ==> \ |
174 Goal "evs \\<in> kerberos_ban ==> \ |
181 \ ALL K KK. KK <= - (range shrK) --> \ |
175 \ \\<forall>K KK. KK <= - (range shrK) --> \ |
182 \ (Key K : analz (Key`KK Un (spies evs))) = \ |
176 \ (Key K \\<in> analz (Key`KK Un (spies evs))) = \ |
183 \ (K : KK | Key K : analz (spies evs))"; |
177 \ (K \\<in> KK | Key K \\<in> analz (spies evs))"; |
184 by (etac kerberos_ban.induct 1); |
178 by (etac kerberos_ban.induct 1); |
185 by analz_spies_tac; |
179 by analz_spies_tac; |
186 by (REPEAT_FIRST (resolve_tac [allI, impI])); |
180 by (REPEAT_FIRST (resolve_tac [allI, impI])); |
187 by (REPEAT_FIRST (rtac analz_image_freshK_lemma)); |
181 by (REPEAT_FIRST (rtac analz_image_freshK_lemma)); |
188 (*Takes 5 secs*) |
182 (*Takes 5 secs*) |
190 (*Fake*) |
184 (*Fake*) |
191 by (spy_analz_tac 1); |
185 by (spy_analz_tac 1); |
192 qed_spec_mp "analz_image_freshK"; |
186 qed_spec_mp "analz_image_freshK"; |
193 |
187 |
194 |
188 |
195 Goal "[| evs : kerberos_ban; KAB ~: range shrK |] ==> \ |
189 Goal "[| evs \\<in> kerberos_ban; KAB \\<notin> range shrK |] ==> \ |
196 \ Key K : analz (insert (Key KAB) (spies evs)) = \ |
190 \ Key K \\<in> analz (insert (Key KAB) (spies evs)) = \ |
197 \ (K = KAB | Key K : analz (spies evs))"; |
191 \ (K = KAB | Key K \\<in> analz (spies evs))"; |
198 by (asm_simp_tac (analz_image_freshK_ss addsimps [analz_image_freshK]) 1); |
192 by (asm_simp_tac (analz_image_freshK_ss addsimps [analz_image_freshK]) 1); |
199 qed "analz_insert_freshK"; |
193 qed "analz_insert_freshK"; |
200 |
194 |
201 |
195 |
202 (** The session key K uniquely identifies the message **) |
196 (** The session key K uniquely identifies the message **) |
203 |
197 |
204 Goal "[| Says Server A \ |
198 Goal "[| Says Server A \ |
205 \ (Crypt (shrK A) {|Number Ts, Agent B, Key K, X|}) : set evs; \ |
199 \ (Crypt (shrK A) {|Number Ts, Agent B, Key K, X|}) \\<in> set evs; \ |
206 \ Says Server A' \ |
200 \ Says Server A' \ |
207 \ (Crypt (shrK A') {|Number Ts', Agent B', Key K, X'|}) : set evs;\ |
201 \ (Crypt (shrK A') {|Number Ts', Agent B', Key K, X'|}) \\<in> set evs;\ |
208 \ evs : kerberos_ban |] ==> A=A' & Ts=Ts' & B=B' & X = X'"; |
202 \ evs \\<in> kerberos_ban |] ==> A=A' & Ts=Ts' & B=B' & X = X'"; |
209 by (etac rev_mp 1); |
203 by (etac rev_mp 1); |
210 by (etac rev_mp 1); |
204 by (etac rev_mp 1); |
211 by (parts_induct_tac 1); |
205 by (parts_induct_tac 1); |
212 (*Kb2: it can't be a new key*) |
206 (*Kb2: it can't be a new key*) |
213 by (Blast_tac 1); |
207 by (Blast_tac 1); |
216 |
210 |
217 (** Lemma: the session key sent in msg Kb2 would be EXPIRED |
211 (** Lemma: the session key sent in msg Kb2 would be EXPIRED |
218 if the spy could see it! |
212 if the spy could see it! |
219 **) |
213 **) |
220 |
214 |
221 Goal "[| A ~: bad; B ~: bad; evs : kerberos_ban |] \ |
215 Goal "[| A \\<notin> bad; B \\<notin> bad; evs \\<in> kerberos_ban |] \ |
222 \ ==> Says Server A \ |
216 \ ==> Says Server A \ |
223 \ (Crypt (shrK A) {|Number Ts, Agent B, Key K, \ |
217 \ (Crypt (shrK A) {|Number Ts, Agent B, Key K, \ |
224 \ Crypt (shrK B) {|Number Ts, Agent A, Key K|}|})\ |
218 \ Crypt (shrK B) {|Number Ts, Agent A, Key K|}|})\ |
225 \ : set evs --> \ |
219 \ \\<in> set evs --> \ |
226 \ Key K : analz (spies evs) --> Expired Ts evs"; |
220 \ Key K \\<in> analz (spies evs) --> Expired Ts evs"; |
227 by (etac kerberos_ban.induct 1); |
221 by (etac kerberos_ban.induct 1); |
228 by analz_spies_tac; |
222 by analz_spies_tac; |
229 by (ALLGOALS |
223 by (ALLGOALS |
230 (asm_simp_tac (simpset() addsimps [less_SucI, analz_insert_eq, |
224 (asm_simp_tac (simpset() addsimps [less_SucI, analz_insert_eq, |
231 analz_insert_freshK] @ pushes))); |
225 analz_insert_freshK] @ pushes))); |
248 (** CONFIDENTIALITY for the SERVER: |
242 (** CONFIDENTIALITY for the SERVER: |
249 Spy does not see the keys sent in msg Kb2 |
243 Spy does not see the keys sent in msg Kb2 |
250 as long as they have NOT EXPIRED |
244 as long as they have NOT EXPIRED |
251 **) |
245 **) |
252 Goal "[| Says Server A \ |
246 Goal "[| Says Server A \ |
253 \ (Crypt K' {|Number T, Agent B, Key K, X|}) : set evs; \ |
247 \ (Crypt K' {|Number T, Agent B, Key K, X|}) \\<in> set evs; \ |
254 \ ~ Expired T evs; \ |
248 \ ~ Expired T evs; \ |
255 \ A ~: bad; B ~: bad; evs : kerberos_ban \ |
249 \ A \\<notin> bad; B \\<notin> bad; evs \\<in> kerberos_ban \ |
256 \ |] ==> Key K ~: analz (spies evs)"; |
250 \ |] ==> Key K \\<notin> analz (spies evs)"; |
257 by (ftac Says_Server_message_form 1 THEN assume_tac 1); |
251 by (ftac Says_Server_message_form 1 THEN assume_tac 1); |
258 by (blast_tac (claset() addIs [lemma2]) 1); |
252 by (blast_tac (claset() addIs [lemma2]) 1); |
259 qed "Confidentiality_S"; |
253 qed "Confidentiality_S"; |
260 |
254 |
261 (**** THE COUNTERPART OF CONFIDENTIALITY |
255 (**** THE COUNTERPART OF CONFIDENTIALITY |
262 [|...; Expired Ts evs; ...|] ==> Key K : analz (spies evs) |
256 [|...; Expired Ts evs; ...|] ==> Key K \\<in> analz (spies evs) |
263 WOULD HOLD ONLY IF AN OOPS OCCURRED! ---> Nothing to prove! ****) |
257 WOULD HOLD ONLY IF AN OOPS OCCURRED! ---> Nothing to prove! ****) |
264 |
258 |
265 |
259 |
266 (** CONFIDENTIALITY for ALICE: **) |
260 (** CONFIDENTIALITY for ALICE: **) |
267 (** Also A_trusts_K_by_Kb2 RS Confidentiality_S **) |
261 (** Also A_trusts_K_by_Kb2 RS Confidentiality_S **) |
268 Goal "[| Crypt (shrK A) {|Number T, Agent B, Key K, X|} : parts (spies evs);\ |
262 Goal "[| Crypt (shrK A) {|Number T, Agent B, Key K, X|} \\<in> parts (spies evs);\ |
269 \ ~ Expired T evs; \ |
263 \ ~ Expired T evs; \ |
270 \ A ~: bad; B ~: bad; evs : kerberos_ban \ |
264 \ A \\<notin> bad; B \\<notin> bad; evs \\<in> kerberos_ban \ |
271 \ |] ==> Key K ~: analz (spies evs)"; |
265 \ |] ==> Key K \\<notin> analz (spies evs)"; |
272 by (blast_tac (claset() addSDs [A_trusts_K_by_Kb2, Confidentiality_S]) 1); |
266 by (blast_tac (claset() addSDs [A_trusts_K_by_Kb2, Confidentiality_S]) 1); |
273 qed "Confidentiality_A"; |
267 qed "Confidentiality_A"; |
274 |
268 |
275 |
269 |
276 (** CONFIDENTIALITY for BOB: **) |
270 (** CONFIDENTIALITY for BOB: **) |
277 (** Also B_trusts_K_by_Kb3 RS Confidentiality_S **) |
271 (** Also B_trusts_K_by_Kb3 RS Confidentiality_S **) |
278 Goal "[| Crypt (shrK B) {|Number Tk, Agent A, Key K|} \ |
272 Goal "[| Crypt (shrK B) {|Number Tk, Agent A, Key K|} \ |
279 \ : parts (spies evs); \ |
273 \ \\<in> parts (spies evs); \ |
280 \ ~ Expired Tk evs; \ |
274 \ ~ Expired Tk evs; \ |
281 \ A ~: bad; B ~: bad; evs : kerberos_ban \ |
275 \ A \\<notin> bad; B \\<notin> bad; evs \\<in> kerberos_ban \ |
282 \ |] ==> Key K ~: analz (spies evs)"; |
276 \ |] ==> Key K \\<notin> analz (spies evs)"; |
283 by (blast_tac (claset() addSDs [B_trusts_K_by_Kb3, |
277 by (blast_tac (claset() addSDs [B_trusts_K_by_Kb3, |
284 Confidentiality_S]) 1); |
278 Confidentiality_S]) 1); |
285 qed "Confidentiality_B"; |
279 qed "Confidentiality_B"; |
286 |
280 |
287 |
281 |
288 Goal "[| B ~: bad; evs : kerberos_ban |] \ |
282 Goal "[| B \\<notin> bad; evs \\<in> kerberos_ban |] \ |
289 \ ==> Key K ~: analz (spies evs) --> \ |
283 \ ==> Key K \\<notin> analz (spies evs) --> \ |
290 \ Says Server A (Crypt (shrK A) {|Number Ts, Agent B, Key K, X|}) \ |
284 \ Says Server A (Crypt (shrK A) {|Number Ts, Agent B, Key K, X|}) \ |
291 \ : set evs --> \ |
285 \ \\<in> set evs --> \ |
292 \ Crypt K (Number Ta) : parts (spies evs) --> \ |
286 \ Crypt K (Number Ta) \\<in> parts (spies evs) --> \ |
293 \ Says B A (Crypt K (Number Ta)) : set evs"; |
287 \ Says B A (Crypt K (Number Ta)) \\<in> set evs"; |
294 by (etac kerberos_ban.induct 1); |
288 by (etac kerberos_ban.induct 1); |
295 by (ftac Says_S_message_form 5 THEN assume_tac 5); |
289 by (ftac Says_S_message_form 5 THEN assume_tac 5); |
296 by (dtac Kb3_msg_in_parts_spies 5); |
290 by (dtac Kb3_msg_in_parts_spies 5); |
297 by (ftac Oops_parts_spies 7); |
291 by (ftac Oops_parts_spies 7); |
298 by (REPEAT (FIRSTGOAL analz_mono_contra_tac)); |
292 by (REPEAT (FIRSTGOAL analz_mono_contra_tac)); |
300 (**LEVEL 6**) |
294 (**LEVEL 6**) |
301 by (Blast_tac 1); |
295 by (Blast_tac 1); |
302 by (Clarify_tac 1); |
296 by (Clarify_tac 1); |
303 (* |
297 (* |
304 Subgoal 1: contradiction from the assumptions |
298 Subgoal 1: contradiction from the assumptions |
305 Key K ~: used evs2 and Crypt K (Number Ta) : parts (spies evs2) |
299 Key K \\<notin> used evs2 and Crypt K (Number Ta) \\<in> parts (spies evs2) |
306 *) |
300 *) |
307 by (dtac Crypt_imp_invKey_keysFor 1); |
301 by (dtac Crypt_imp_invKey_keysFor 1); |
308 by (Asm_full_simp_tac 1); |
302 by (Asm_full_simp_tac 1); |
309 (* the two tactics above detect the contradiction*) |
303 (* the two tactics above detect the contradiction*) |
310 by (case_tac "Ba : bad" 1); (*splits up the subgoal by the stated case*) |
304 by (case_tac "Ba \\<in> bad" 1); (*splits up the subgoal by the stated case*) |
311 by (blast_tac (claset() addDs [Says_imp_spies RS parts.Inj RS parts.Fst RS |
305 by (blast_tac (claset() addDs [Says_imp_spies RS parts.Inj RS parts.Fst RS |
312 B_trusts_K_by_Kb3, |
306 B_trusts_K_by_Kb3, |
313 unique_session_keys]) 2); |
307 unique_session_keys]) 2); |
314 by (blast_tac (claset() addDs [Says_imp_spies RS analz.Inj RS analz.Fst RS |
308 by (blast_tac (claset() addDs [Says_imp_spies RS analz.Inj RS analz.Fst RS |
315 Crypt_Spy_analz_bad]) 1); |
309 Crypt_Spy_analz_bad]) 1); |
316 val lemma_B = result(); |
310 val lemma_B = result(); |
317 |
311 |
318 |
312 |
319 (*AUTHENTICATION OF B TO A*) |
313 (*AUTHENTICATION OF B TO A*) |
320 Goal "[| Crypt K (Number Ta) : parts (spies evs); \ |
314 Goal "[| Crypt K (Number Ta) \\<in> parts (spies evs); \ |
321 \ Crypt (shrK A) {|Number Ts, Agent B, Key K, X|} \ |
315 \ Crypt (shrK A) {|Number Ts, Agent B, Key K, X|} \ |
322 \ : parts (spies evs); \ |
316 \ \\<in> parts (spies evs); \ |
323 \ ~ Expired Ts evs; \ |
317 \ ~ Expired Ts evs; \ |
324 \ A ~: bad; B ~: bad; evs : kerberos_ban |] \ |
318 \ A \\<notin> bad; B \\<notin> bad; evs \\<in> kerberos_ban |] \ |
325 \ ==> Says B A (Crypt K (Number Ta)) : set evs"; |
319 \ ==> Says B A (Crypt K (Number Ta)) \\<in> set evs"; |
326 by (blast_tac (claset() addSDs [A_trusts_K_by_Kb2] |
320 by (blast_tac (claset() addSDs [A_trusts_K_by_Kb2] |
327 addSIs [lemma_B RS mp RS mp RS mp] |
321 addSIs [lemma_B RS mp RS mp RS mp] |
328 addSEs [Confidentiality_S RSN (2,rev_notE)]) 1); |
322 addSEs [Confidentiality_S RSN (2,rev_notE)]) 1); |
329 qed "Authentication_B"; |
323 qed "Authentication_B"; |
330 |
324 |
331 |
325 |
332 Goal "[| A ~: bad; B ~: bad; evs : kerberos_ban |] ==> \ |
326 Goal "[| A \\<notin> bad; B \\<notin> bad; evs \\<in> kerberos_ban |] ==> \ |
333 \ Key K ~: analz (spies evs) --> \ |
327 \ Key K \\<notin> analz (spies evs) --> \ |
334 \ Says Server A (Crypt (shrK A) {|Number Ts, Agent B, Key K, X|}) \ |
328 \ Says Server A (Crypt (shrK A) {|Number Ts, Agent B, Key K, X|}) \ |
335 \ : set evs --> \ |
329 \ \\<in> set evs --> \ |
336 \ Crypt K {|Agent A, Number Ta|} : parts (spies evs) -->\ |
330 \ Crypt K {|Agent A, Number Ta|} \\<in> parts (spies evs) -->\ |
337 \ Says A B {|X, Crypt K {|Agent A, Number Ta|}|} \ |
331 \ Says A B {|X, Crypt K {|Agent A, Number Ta|}|} \ |
338 \ : set evs"; |
332 \ \\<in> set evs"; |
339 by (etac kerberos_ban.induct 1); |
333 by (etac kerberos_ban.induct 1); |
340 by (ftac Says_S_message_form 5 THEN assume_tac 5); |
334 by (ftac Says_S_message_form 5 THEN assume_tac 5); |
341 by (ftac Kb3_msg_in_parts_spies 5); |
335 by (ftac Kb3_msg_in_parts_spies 5); |
342 by (ftac Oops_parts_spies 7); |
336 by (ftac Oops_parts_spies 7); |
343 by (REPEAT (FIRSTGOAL analz_mono_contra_tac)); |
337 by (REPEAT (FIRSTGOAL analz_mono_contra_tac)); |
350 by (blast_tac (claset() addDs [A_trusts_K_by_Kb2, unique_session_keys]) 1); |
344 by (blast_tac (claset() addDs [A_trusts_K_by_Kb2, unique_session_keys]) 1); |
351 val lemma_A = result(); |
345 val lemma_A = result(); |
352 |
346 |
353 |
347 |
354 (*AUTHENTICATION OF A TO B*) |
348 (*AUTHENTICATION OF A TO B*) |
355 Goal "[| Crypt K {|Agent A, Number Ta|} : parts (spies evs); \ |
349 Goal "[| Crypt K {|Agent A, Number Ta|} \\<in> parts (spies evs); \ |
356 \ Crypt (shrK B) {|Number Ts, Agent A, Key K|} \ |
350 \ Crypt (shrK B) {|Number Ts, Agent A, Key K|} \ |
357 \ : parts (spies evs); \ |
351 \ \\<in> parts (spies evs); \ |
358 \ ~ Expired Ts evs; \ |
352 \ ~ Expired Ts evs; \ |
359 \ A ~: bad; B ~: bad; evs : kerberos_ban |] \ |
353 \ A \\<notin> bad; B \\<notin> bad; evs \\<in> kerberos_ban |] \ |
360 \ ==> Says A B {|Crypt (shrK B) {|Number Ts, Agent A, Key K|}, \ |
354 \ ==> Says A B {|Crypt (shrK B) {|Number Ts, Agent A, Key K|}, \ |
361 \ Crypt K {|Agent A, Number Ta|}|} : set evs"; |
355 \ Crypt K {|Agent A, Number Ta|}|} \\<in> set evs"; |
362 by (blast_tac (claset() addSDs [B_trusts_K_by_Kb3] |
356 by (blast_tac (claset() addSDs [B_trusts_K_by_Kb3] |
363 addSIs [lemma_A RS mp RS mp RS mp] |
357 addSIs [lemma_A RS mp RS mp RS mp] |
364 addSEs [Confidentiality_S RSN (2,rev_notE)]) 1); |
358 addSEs [Confidentiality_S RSN (2,rev_notE)]) 1); |
365 qed "Authentication_A"; |
359 qed "Authentication_A"; |