equal
deleted
inserted
replaced
32 SesKeyLife :: nat |
32 SesKeyLife :: nat |
33 |
33 |
34 (*Duration of the authenticator*) |
34 (*Duration of the authenticator*) |
35 AutLife :: nat |
35 AutLife :: nat |
36 |
36 |
37 axioms |
37 text{*The ticket should remain fresh for two journeys on the network at least*} |
38 (*The ticket should remain fresh for two journeys on the network at least*) |
38 specification (SesKeyLife) |
39 SesKeyLife_LB: "2 <= SesKeyLife" |
39 SesKeyLife_LB [iff]: "2 \<le> SesKeyLife" |
40 |
40 by blast |
41 (*The authenticator only for one journey*) |
41 |
42 AutLife_LB: "Suc 0 <= AutLife" |
42 text{*The authenticator only for one journey*} |
|
43 specification (AutLife) |
|
44 AutLife_LB [iff]: "Suc 0 \<le> AutLife" |
|
45 by blast |
|
46 |
43 |
47 |
44 translations |
48 translations |
45 "CT" == "length" |
49 "CT" == "length" |
46 |
50 |
47 "Expired T evs" == "SesKeyLife + T < CT evs" |
51 "Expired T evs" == "SesKeyLife + T < CT evs" |
48 |
52 |
49 "RecentAuth T evs" == "CT evs <= AutLife + T" |
53 "RecentAuth T evs" == "CT evs \<le> AutLife + T" |
50 |
54 |
51 consts kerberos_ban :: "event list set" |
55 consts kerberos_ban :: "event list set" |
52 inductive "kerberos_ban" |
56 inductive "kerberos_ban" |
53 intros |
57 intros |
54 |
58 |
97 |
101 |
98 |
102 |
99 declare Says_imp_knows_Spy [THEN parts.Inj, dest] parts.Body [dest] |
103 declare Says_imp_knows_Spy [THEN parts.Inj, dest] parts.Body [dest] |
100 declare analz_subset_parts [THEN subsetD, dest] |
104 declare analz_subset_parts [THEN subsetD, dest] |
101 declare Fake_parts_insert [THEN subsetD, dest] |
105 declare Fake_parts_insert [THEN subsetD, dest] |
102 |
|
103 declare SesKeyLife_LB [iff] AutLife_LB [iff] |
|
104 |
|
105 |
106 |
106 (*A "possibility property": there are traces that reach the end.*) |
107 (*A "possibility property": there are traces that reach the end.*) |
107 lemma "\<exists>Timestamp K. \<exists>evs \<in> kerberos_ban. |
108 lemma "\<exists>Timestamp K. \<exists>evs \<in> kerberos_ban. |
108 Says B A (Crypt K (Number Timestamp)) |
109 Says B A (Crypt K (Number Timestamp)) |
109 \<in> set evs" |
110 \<in> set evs" |
248 |
249 |
249 (** Session keys are not used to encrypt other session keys **) |
250 (** Session keys are not used to encrypt other session keys **) |
250 |
251 |
251 lemma analz_image_freshK [rule_format (no_asm)]: |
252 lemma analz_image_freshK [rule_format (no_asm)]: |
252 "evs \<in> kerberos_ban ==> |
253 "evs \<in> kerberos_ban ==> |
253 \<forall>K KK. KK <= - (range shrK) --> |
254 \<forall>K KK. KK \<subseteq> - (range shrK) --> |
254 (Key K \<in> analz (Key`KK Un (spies evs))) = |
255 (Key K \<in> analz (Key`KK Un (spies evs))) = |
255 (K \<in> KK | Key K \<in> analz (spies evs))" |
256 (K \<in> KK | Key K \<in> analz (spies evs))" |
256 apply (erule kerberos_ban.induct) |
257 apply (erule kerberos_ban.induct) |
257 apply (drule_tac [7] Says_Server_message_form) |
258 apply (drule_tac [7] Says_Server_message_form) |
258 apply (erule_tac [5] Says_S_message_form [THEN disjE], analz_freshK, spy_analz) |
259 apply (erule_tac [5] Says_S_message_form [THEN disjE], analz_freshK, spy_analz) |