19 val Says_imp_sees_Spy' = read_instantiate [("lost","lost")] Says_imp_sees_Spy; |
19 val Says_imp_sees_Spy' = read_instantiate [("lost","lost")] Says_imp_sees_Spy; |
20 |
20 |
21 |
21 |
22 (*A "possibility property": there are traces that reach the end*) |
22 (*A "possibility property": there are traces that reach the end*) |
23 goal thy |
23 goal thy |
24 "!!A B. [| A ~= B; A ~= Server; B ~= Server |] \ |
24 "!!A B. [| A ~= B; A ~= Server; B ~= Server |] \ |
25 \ ==> EX N K. EX evs: ns_shared lost. \ |
25 \ ==> EX N K. EX evs: ns_shared lost. \ |
26 \ Says A B (Crypt K {|Nonce N, Nonce N|}) : set evs"; |
26 \ Says A B (Crypt K {|Nonce N, Nonce N|}) : set evs"; |
27 by (REPEAT (resolve_tac [exI,bexI] 1)); |
27 by (REPEAT (resolve_tac [exI,bexI] 1)); |
28 by (rtac (ns_shared.Nil RS ns_shared.NS1 RS ns_shared.NS2 RS |
28 by (rtac (ns_shared.Nil RS ns_shared.NS1 RS ns_shared.NS2 RS |
29 ns_shared.NS3 RS ns_shared.NS4 RS ns_shared.NS5) 2); |
29 ns_shared.NS3 RS ns_shared.NS4 RS ns_shared.NS5) 2); |
36 (*Monotonicity*) |
36 (*Monotonicity*) |
37 goal thy "!!evs. lost' <= lost ==> ns_shared lost' <= ns_shared lost"; |
37 goal thy "!!evs. lost' <= lost ==> ns_shared lost' <= ns_shared lost"; |
38 by (rtac subsetI 1); |
38 by (rtac subsetI 1); |
39 by (etac ns_shared.induct 1); |
39 by (etac ns_shared.induct 1); |
40 by (REPEAT_FIRST |
40 by (REPEAT_FIRST |
41 (blast_tac (!claset addIs (impOfSubs (sees_mono RS analz_mono RS synth_mono) |
41 (blast_tac (!claset addIs (impOfSubs(sees_mono RS analz_mono RS synth_mono) |
42 :: ns_shared.intrs)))); |
42 :: ns_shared.intrs)))); |
43 qed "ns_shared_mono"; |
43 qed "ns_shared_mono"; |
44 |
44 |
45 |
45 |
46 (*Nobody sends themselves messages*) |
46 (*Nobody sends themselves messages*) |
126 (** Lemmas concerning the form of items passed in messages **) |
126 (** Lemmas concerning the form of items passed in messages **) |
127 |
127 |
128 (*Describes the form of K, X and K' when the Server sends this message.*) |
128 (*Describes the form of K, X and K' when the Server sends this message.*) |
129 goal thy |
129 goal thy |
130 "!!evs. [| Says Server A (Crypt K' {|N, Agent B, Key K, X|}) \ |
130 "!!evs. [| Says Server A (Crypt K' {|N, Agent B, Key K, X|}) \ |
131 \ : set evs; \ |
131 \ : set evs; \ |
132 \ evs : ns_shared lost |] \ |
132 \ evs : ns_shared lost |] \ |
133 \ ==> K ~: range shrK & \ |
133 \ ==> K ~: range shrK & \ |
134 \ X = (Crypt (shrK B) {|Key K, Agent A|}) & \ |
134 \ X = (Crypt (shrK B) {|Key K, Agent A|}) & \ |
135 \ K' = shrK A"; |
135 \ K' = shrK A"; |
136 by (etac rev_mp 1); |
136 by (etac rev_mp 1); |
159 (*EITHER describes the form of X when the following message is sent, |
159 (*EITHER describes the form of X when the following message is sent, |
160 OR reduces it to the Fake case. |
160 OR reduces it to the Fake case. |
161 Use Says_Server_message_form if applicable.*) |
161 Use Says_Server_message_form if applicable.*) |
162 goal thy |
162 goal thy |
163 "!!evs. [| Says S A (Crypt (shrK A) {|Nonce NA, Agent B, Key K, X|}) \ |
163 "!!evs. [| Says S A (Crypt (shrK A) {|Nonce NA, Agent B, Key K, X|}) \ |
164 \ : set evs; evs : ns_shared lost |] \ |
164 \ : set evs; evs : ns_shared lost |] \ |
165 \ ==> (K ~: range shrK & X = (Crypt (shrK B) {|Key K, Agent A|})) \ |
165 \ ==> (K ~: range shrK & X = (Crypt (shrK B) {|Key K, Agent A|})) \ |
166 \ | X : analz (sees lost Spy evs)"; |
166 \ | X : analz (sees lost Spy evs)"; |
167 by (case_tac "A : lost" 1); |
167 by (case_tac "A : lost" 1); |
168 by (fast_tac (!claset addSDs [Says_imp_sees_Spy' RS analz.Inj] |
168 by (fast_tac (!claset addSDs [Says_imp_sees_Spy' RS analz.Inj] |
169 addss (!simpset)) 1); |
169 addss (!simpset)) 1); |
193 |
193 |
194 (*NOT useful in this form, but it says that session keys are not used |
194 (*NOT useful in this form, but it says that session keys are not used |
195 to encrypt messages containing other keys, in the actual protocol. |
195 to encrypt messages containing other keys, in the actual protocol. |
196 We require that agents should behave like this subsequently also.*) |
196 We require that agents should behave like this subsequently also.*) |
197 goal thy |
197 goal thy |
198 "!!evs. [| evs : ns_shared lost; Kab ~: range shrK |] ==> \ |
198 "!!evs. [| evs : ns_shared lost; Kab ~: range shrK |] ==> \ |
199 \ (Crypt KAB X) : parts (sees lost Spy evs) & \ |
199 \ (Crypt KAB X) : parts (sees lost Spy evs) & \ |
200 \ Key K : parts {X} --> Key K : parts (sees lost Spy evs)"; |
200 \ Key K : parts {X} --> Key K : parts (sees lost Spy evs)"; |
201 by parts_induct_tac; |
201 by parts_induct_tac; |
202 (*Deals with Faked messages*) |
202 (*Deals with Faked messages*) |
203 by (blast_tac (!claset addSEs partsEs |
203 by (blast_tac (!claset addSEs partsEs |
204 addDs [impOfSubs parts_insert_subset_Un]) 1); |
204 addDs [impOfSubs parts_insert_subset_Un]) 1); |
205 (*Base, NS4 and NS5*) |
205 (*Base, NS4 and NS5*) |
209 |
209 |
210 (** Session keys are not used to encrypt other session keys **) |
210 (** Session keys are not used to encrypt other session keys **) |
211 |
211 |
212 (*The equality makes the induction hypothesis easier to apply*) |
212 (*The equality makes the induction hypothesis easier to apply*) |
213 goal thy |
213 goal thy |
214 "!!evs. evs : ns_shared lost ==> \ |
214 "!!evs. evs : ns_shared lost ==> \ |
215 \ ALL K KK. KK <= Compl (range shrK) --> \ |
215 \ ALL K KK. KK <= Compl (range shrK) --> \ |
216 \ (Key K : analz (Key``KK Un (sees lost Spy evs))) = \ |
216 \ (Key K : analz (Key``KK Un (sees lost Spy evs))) = \ |
217 \ (K : KK | Key K : analz (sees lost Spy evs))"; |
217 \ (K : KK | Key K : analz (sees lost Spy evs))"; |
218 by (etac ns_shared.induct 1); |
218 by (etac ns_shared.induct 1); |
219 by analz_sees_tac; |
219 by analz_sees_tac; |
220 by (REPEAT_FIRST (resolve_tac [allI, impI])); |
220 by (REPEAT_FIRST (resolve_tac [allI, impI])); |
221 by (REPEAT_FIRST (rtac analz_image_freshK_lemma )); |
221 by (REPEAT_FIRST (rtac analz_image_freshK_lemma )); |
240 |
240 |
241 goal thy |
241 goal thy |
242 "!!evs. evs : ns_shared lost ==> \ |
242 "!!evs. evs : ns_shared lost ==> \ |
243 \ EX A' NA' B' X'. ALL A NA B X. \ |
243 \ EX A' NA' B' X'. ALL A NA B X. \ |
244 \ Says Server A (Crypt (shrK A) {|NA, Agent B, Key K, X|}) \ |
244 \ Says Server A (Crypt (shrK A) {|NA, Agent B, Key K, X|}) \ |
245 \ : set evs --> A=A' & NA=NA' & B=B' & X=X'"; |
245 \ : set evs --> A=A' & NA=NA' & B=B' & X=X'"; |
246 by (etac ns_shared.induct 1); |
246 by (etac ns_shared.induct 1); |
247 by (ALLGOALS (asm_simp_tac (!simpset addsimps [all_conj_distrib]))); |
247 by (ALLGOALS (asm_simp_tac (!simpset addsimps [all_conj_distrib]))); |
248 by (Step_tac 1); |
248 by (Step_tac 1); |
249 (*NS3*) |
249 (*NS3*) |
250 by (ex_strip_tac 2); |
250 by (ex_strip_tac 2); |
258 |
258 |
259 (*In messages of this form, the session key uniquely identifies the rest*) |
259 (*In messages of this form, the session key uniquely identifies the rest*) |
260 goal thy |
260 goal thy |
261 "!!evs. [| Says Server A \ |
261 "!!evs. [| Says Server A \ |
262 \ (Crypt (shrK A) {|NA, Agent B, Key K, X|}) \ |
262 \ (Crypt (shrK A) {|NA, Agent B, Key K, X|}) \ |
263 \ : set evs; \ |
263 \ : set evs; \ |
264 \ Says Server A' \ |
264 \ Says Server A' \ |
265 \ (Crypt (shrK A') {|NA', Agent B', Key K, X'|}) \ |
265 \ (Crypt (shrK A') {|NA', Agent B', Key K, X'|}) \ |
266 \ : set evs; \ |
266 \ : set evs; \ |
267 \ evs : ns_shared lost |] ==> A=A' & NA=NA' & B=B' & X = X'"; |
267 \ evs : ns_shared lost |] ==> A=A' & NA=NA' & B=B' & X = X'"; |
268 by (prove_unique_tac lemma 1); |
268 by (prove_unique_tac lemma 1); |
269 qed "unique_session_keys"; |
269 qed "unique_session_keys"; |
270 |
270 |
271 |
271 |
274 goal thy |
274 goal thy |
275 "!!evs. [| A ~: lost; B ~: lost; evs : ns_shared lost |] \ |
275 "!!evs. [| A ~: lost; B ~: lost; evs : ns_shared lost |] \ |
276 \ ==> Says Server A \ |
276 \ ==> Says Server A \ |
277 \ (Crypt (shrK A) {|NA, Agent B, Key K, \ |
277 \ (Crypt (shrK A) {|NA, Agent B, Key K, \ |
278 \ Crypt (shrK B) {|Key K, Agent A|}|}) \ |
278 \ Crypt (shrK B) {|Key K, Agent A|}|}) \ |
279 \ : set evs --> \ |
279 \ : set evs --> \ |
280 \ (ALL NB. Says A Spy {|NA, NB, Key K|} ~: set evs) --> \ |
280 \ (ALL NB. Says A Spy {|NA, NB, Key K|} ~: set evs) --> \ |
281 \ Key K ~: analz (sees lost Spy evs)"; |
281 \ Key K ~: analz (sees lost Spy evs)"; |
282 by (etac ns_shared.induct 1); |
282 by (etac ns_shared.induct 1); |
283 by analz_sees_tac; |
283 by analz_sees_tac; |
284 by (ALLGOALS |
284 by (ALLGOALS |
285 (asm_simp_tac |
285 (asm_simp_tac |
306 |
306 |
307 |
307 |
308 (*Final version: Server's message in the most abstract form*) |
308 (*Final version: Server's message in the most abstract form*) |
309 goal thy |
309 goal thy |
310 "!!evs. [| Says Server A \ |
310 "!!evs. [| Says Server A \ |
311 \ (Crypt K' {|NA, Agent B, Key K, X|}) : set evs; \ |
311 \ (Crypt K' {|NA, Agent B, Key K, X|}) : set evs; \ |
312 \ (ALL NB. Says A Spy {|NA, NB, Key K|} ~: set evs); \ |
312 \ (ALL NB. Says A Spy {|NA, NB, Key K|} ~: set evs); \ |
313 \ A ~: lost; B ~: lost; evs : ns_shared lost \ |
313 \ A ~: lost; B ~: lost; evs : ns_shared lost \ |
314 \ |] ==> Key K ~: analz (sees lost Spy evs)"; |
314 \ |] ==> Key K ~: analz (sees lost Spy evs)"; |
315 by (forward_tac [Says_Server_message_form] 1 THEN assume_tac 1); |
315 by (forward_tac [Says_Server_message_form] 1 THEN assume_tac 1); |
316 by (blast_tac (!claset addSDs [lemma]) 1); |
316 by (blast_tac (!claset addSDs [lemma]) 1); |
317 qed "Spy_not_see_encrypted_key"; |
317 qed "Spy_not_see_encrypted_key"; |
318 |
318 |
319 |
319 |
320 goal thy |
320 goal thy |
321 "!!evs. [| C ~: {A,B,Server}; \ |
321 "!!evs. [| C ~: {A,B,Server}; \ |
322 \ Says Server A \ |
322 \ Says Server A \ |
323 \ (Crypt K' {|NA, Agent B, Key K, X|}) : set evs; \ |
323 \ (Crypt K' {|NA, Agent B, Key K, X|}) : set evs; \ |
324 \ (ALL NB. Says A Spy {|NA, NB, Key K|} ~: set evs); \ |
324 \ (ALL NB. Says A Spy {|NA, NB, Key K|} ~: set evs); \ |
325 \ A ~: lost; B ~: lost; evs : ns_shared lost |] \ |
325 \ A ~: lost; B ~: lost; evs : ns_shared lost |] \ |
326 \ ==> Key K ~: analz (sees lost C evs)"; |
326 \ ==> Key K ~: analz (sees lost C evs)"; |
327 by (rtac (subset_insertI RS sees_mono RS analz_mono RS contra_subsetD) 1); |
327 by (rtac (subset_insertI RS sees_mono RS analz_mono RS contra_subsetD) 1); |
328 by (rtac (sees_lost_agent_subset_sees_Spy RS analz_mono RS contra_subsetD) 1); |
328 by (rtac (sees_lost_agent_subset_sees_Spy RS analz_mono RS contra_subsetD) 1); |
329 by (FIRSTGOAL (rtac Spy_not_see_encrypted_key)); |
329 by (FIRSTGOAL (rtac Spy_not_see_encrypted_key)); |
352 by (ALLGOALS Blast_tac); |
352 by (ALLGOALS Blast_tac); |
353 qed "B_trusts_NS3"; |
353 qed "B_trusts_NS3"; |
354 |
354 |
355 |
355 |
356 goal thy |
356 goal thy |
357 "!!evs. [| B ~: lost; evs : ns_shared lost |] \ |
357 "!!evs. [| B ~: lost; evs : ns_shared lost |] \ |
358 \ ==> Key K ~: analz (sees lost Spy evs) --> \ |
358 \ ==> Key K ~: analz (sees lost Spy evs) --> \ |
359 \ Says Server A (Crypt (shrK A) {|NA, Agent B, Key K, X|}) \ |
359 \ Says Server A (Crypt (shrK A) {|NA, Agent B, Key K, X|}) \ |
360 \ : set evs --> \ |
360 \ : set evs --> \ |
361 \ Crypt K (Nonce NB) : parts (sees lost Spy evs) --> \ |
361 \ Crypt K (Nonce NB) : parts (sees lost Spy evs) --> \ |
362 \ Says B A (Crypt K (Nonce NB)) : set evs"; |
362 \ Says B A (Crypt K (Nonce NB)) : set evs"; |
363 by (etac ns_shared.induct 1); |
363 by (etac ns_shared.induct 1); |
364 by (forward_tac [Says_S_message_form] 5 THEN assume_tac 5); |
364 by (forward_tac [Says_S_message_form] 5 THEN assume_tac 5); |
365 by (dres_inst_tac [("lost","lost")] NS3_msg_in_parts_sees_Spy 5); |
365 by (dres_inst_tac [("lost","lost")] NS3_msg_in_parts_sees_Spy 5); |
366 by (forw_inst_tac [("lost","lost")] Oops_parts_sees_Spy 8); |
366 by (forw_inst_tac [("lost","lost")] Oops_parts_sees_Spy 8); |
388 val lemma = result(); |
388 val lemma = result(); |
389 |
389 |
390 goal thy |
390 goal thy |
391 "!!evs. [| Crypt K (Nonce NB) : parts (sees lost Spy evs); \ |
391 "!!evs. [| Crypt K (Nonce NB) : parts (sees lost Spy evs); \ |
392 \ Says Server A (Crypt (shrK A) {|NA, Agent B, Key K, X|}) \ |
392 \ Says Server A (Crypt (shrK A) {|NA, Agent B, Key K, X|}) \ |
393 \ : set evs; \ |
393 \ : set evs; \ |
394 \ ALL NB. Says A Spy {|NA, NB, Key K|} ~: set evs; \ |
394 \ ALL NB. Says A Spy {|NA, NB, Key K|} ~: set evs; \ |
395 \ A ~: lost; B ~: lost; evs : ns_shared lost |] \ |
395 \ A ~: lost; B ~: lost; evs : ns_shared lost |] \ |
396 \ ==> Says B A (Crypt K (Nonce NB)) : set evs"; |
396 \ ==> Says B A (Crypt K (Nonce NB)) : set evs"; |
397 by (blast_tac (!claset addSIs [lemma RS mp RS mp RS mp] |
397 by (blast_tac (!claset addSIs [lemma RS mp RS mp RS mp] |
398 addSEs [Spy_not_see_encrypted_key RSN (2,rev_notE)]) 1); |
398 addSEs [Spy_not_see_encrypted_key RSN (2,rev_notE)]) 1); |
399 qed "A_trusts_NS4"; |
399 qed "A_trusts_NS4"; |