320 by (ALLGOALS Blast_tac); |
327 by (ALLGOALS Blast_tac); |
321 qed "B_trusts_NS3"; |
328 qed "B_trusts_NS3"; |
322 |
329 |
323 |
330 |
324 goal thy |
331 goal thy |
325 "!!evs. [| B ~: bad; evs : ns_shared |] \ |
332 "!!evs. [| Crypt K (Nonce NB) : parts (spies evs); \ |
326 \ ==> Key K ~: analz (spies evs) --> \ |
333 \ Says Server A (Crypt (shrK A) {|NA, Agent B, Key K, X|}) \ |
327 \ Says Server A (Crypt (shrK A) {|NA, Agent B, Key K, X|}) \ |
334 \ : set evs; \ |
328 \ : set evs --> \ |
335 \ Key K ~: analz (spies evs); \ |
329 \ Crypt K (Nonce NB) : parts (spies evs) --> \ |
336 \ evs : ns_shared |] \ |
330 \ Says B A (Crypt K (Nonce NB)) : set evs"; |
337 \ ==> Says B A (Crypt K (Nonce NB)) : set evs"; |
331 by (etac ns_shared.induct 1); |
338 by (etac rev_mp 1); |
332 by (forward_tac [Says_S_message_form] 5 THEN assume_tac 5); |
339 by (etac rev_mp 1); |
333 by (dtac NS3_msg_in_parts_spies 5); |
340 by (etac rev_mp 1); |
334 by (forward_tac [Oops_parts_spies] 8); |
341 by (parts_induct_tac 1); |
335 by (REPEAT (FIRSTGOAL analz_mono_contra_tac)); |
|
336 by (ALLGOALS (asm_simp_tac (simpset() addsimps [all_conj_distrib]))); |
|
337 (**LEVEL 6**) |
|
338 (*NS3*) |
342 (*NS3*) |
339 by (Blast_tac 3); |
343 by (Blast_tac 3); |
340 by (Fake_parts_insert_tac 1); |
344 by (Fake_parts_insert_tac 1); |
341 by (ALLGOALS Clarify_tac); |
|
342 (*NS2: contradiction from the assumptions |
345 (*NS2: contradiction from the assumptions |
343 Key K ~: used evsa and Crypt K (Nonce NB) : parts (spies evsa) *) |
346 Key K ~: used evs2 and Crypt K (Nonce NB) : parts (spies evs2) *) |
344 by (dtac Crypt_imp_invKey_keysFor 1); |
347 by (blast_tac (claset() addSEs [new_keys_not_used RSN (2,rev_notE)] |
345 by (Asm_full_simp_tac 1); |
348 addSDs [Crypt_imp_keysFor]) 1); |
346 (*NS4*) (**LEVEL 11**) |
349 (**LEVEL 7**) |
347 by (case_tac "Ba : bad" 1); |
350 (*NS4*) |
|
351 by (Clarify_tac 1); |
|
352 by (not_bad_tac "Ba" 1); |
348 by (blast_tac (claset() addDs [Says_imp_spies RS parts.Inj RS B_trusts_NS3, |
353 by (blast_tac (claset() addDs [Says_imp_spies RS parts.Inj RS B_trusts_NS3, |
349 unique_session_keys]) 2); |
354 unique_session_keys]) 1); |
350 by (blast_tac (claset() addDs [Says_imp_spies RS analz.Inj RS |
355 qed "A_trusts_NS4_lemma"; |
351 Crypt_Spy_analz_bad]) 1); |
356 |
352 val lemma = result(); |
357 |
353 |
358 (*This version no longer assumes that K is secure*) |
354 goal thy |
359 goal thy |
355 "!!evs. [| Crypt K (Nonce NB) : parts (spies evs); \ |
360 "!!evs. [| Crypt K (Nonce NB) : parts (spies evs); \ |
356 \ Says Server A (Crypt (shrK A) {|NA, Agent B, Key K, X|}) \ |
361 \ Crypt (shrK A) {|NA, Agent B, Key K, X|} : parts (spies evs); \ |
357 \ : set evs; \ |
|
358 \ ALL NB. Says A Spy {|NA, NB, Key K|} ~: set evs; \ |
362 \ ALL NB. Says A Spy {|NA, NB, Key K|} ~: set evs; \ |
359 \ A ~: bad; B ~: bad; evs : ns_shared |] \ |
363 \ A ~: bad; B ~: bad; evs : ns_shared |] \ |
360 \ ==> Says B A (Crypt K (Nonce NB)) : set evs"; |
364 \ ==> Says B A (Crypt K (Nonce NB)) : set evs"; |
361 by (blast_tac (claset() addSIs [lemma RS mp RS mp RS mp] |
365 by (blast_tac (claset() addSIs [A_trusts_NS2, A_trusts_NS4_lemma] |
362 addSEs [Spy_not_see_encrypted_key RSN (2,rev_notE)]) 1); |
366 addSEs [Spy_not_see_encrypted_key RSN (2,rev_notE)]) 1); |
363 qed "A_trusts_NS4"; |
367 qed "A_trusts_NS4"; |
|
368 |
|
369 |
|
370 (*If the session key has been used in NS4 then somebody has forwarded |
|
371 component X in some instance of NS4. Perhaps an interesting property, |
|
372 but not needed (after all) for the proofs below.*) |
|
373 goal thy |
|
374 "!!evs. [| Crypt K (Nonce NB) : parts (spies evs); \ |
|
375 \ Says Server A (Crypt (shrK A) {|NA, Agent B, Key K, X|}) \ |
|
376 \ : set evs; \ |
|
377 \ Key K ~: analz (spies evs); \ |
|
378 \ evs : ns_shared |] \ |
|
379 \ ==> EX A'. Says A' B X : set evs"; |
|
380 by (etac rev_mp 1); |
|
381 by (etac rev_mp 1); |
|
382 by (etac rev_mp 1); |
|
383 by (parts_induct_tac 1); |
|
384 by (ALLGOALS (asm_simp_tac (simpset() addsimps [ex_disj_distrib]))); |
|
385 by (ALLGOALS Clarify_tac); |
|
386 by (Fake_parts_insert_tac 1); |
|
387 (**LEVEL 7**) |
|
388 (*NS2*) |
|
389 by (blast_tac (claset() addSEs [new_keys_not_used RSN (2,rev_notE)] |
|
390 addSDs [Crypt_imp_keysFor]) 1); |
|
391 (*NS4*) |
|
392 by (not_bad_tac "Ba" 1); |
|
393 by (Asm_full_simp_tac 1); |
|
394 by (forward_tac [Says_imp_spies RS parts.Inj RS B_trusts_NS3] 1); |
|
395 by (ALLGOALS Clarify_tac); |
|
396 by (blast_tac (claset() addDs [unique_session_keys]) 1); |
|
397 qed "NS4_implies_NS3"; |
|
398 |
|
399 |
|
400 goal thy |
|
401 "!!evs. [| B ~: bad; evs : ns_shared |] \ |
|
402 \ ==> Key K ~: analz (spies evs) --> \ |
|
403 \ Says Server A \ |
|
404 \ (Crypt (shrK A) {|NA, Agent B, Key K, \ |
|
405 \ Crypt (shrK B) {|Key K, Agent A|}|}) \ |
|
406 \ : set evs --> \ |
|
407 \ Says B A (Crypt K (Nonce NB)) : set evs --> \ |
|
408 \ Crypt K {|Nonce NB, Nonce NB|} : parts (spies evs) --> \ |
|
409 \ Says A B (Crypt K {|Nonce NB, Nonce NB|}) : set evs"; |
|
410 by (parts_induct_tac 1); |
|
411 (*NS4*) |
|
412 by (blast_tac (claset() addSEs spies_partsEs) 4); |
|
413 (*NS3*) |
|
414 by (blast_tac (claset() addSDs [Says_imp_spies RS parts.Inj, cert_A_form]) 3); |
|
415 (*NS2*) |
|
416 by (blast_tac (claset() addSEs [new_keys_not_used RSN (2,rev_notE)] |
|
417 addSDs [Crypt_imp_keysFor]) 2); |
|
418 by (Fake_parts_insert_tac 1); |
|
419 (**LEVEL 5**) |
|
420 (*NS5*) |
|
421 by (Clarify_tac 1); |
|
422 by (not_bad_tac "Aa" 1); |
|
423 by (blast_tac (claset() addDs [Says_imp_spies RS parts.Inj RS A_trusts_NS2, |
|
424 unique_session_keys]) 1); |
|
425 val lemma = result(); |
|
426 |
|
427 |
|
428 (*Very strong Oops condition reveals protocol's weakness*) |
|
429 goal thy |
|
430 "!!evs. [| Crypt K {|Nonce NB, Nonce NB|} : parts (spies evs); \ |
|
431 \ Says B A (Crypt K (Nonce NB)) : set evs; \ |
|
432 \ Crypt (shrK B) {|Key K, Agent A|} : parts (spies evs); \ |
|
433 \ ALL NA NB. Says A Spy {|NA, NB, Key K|} ~: set evs; \ |
|
434 \ A ~: bad; B ~: bad; evs : ns_shared |] \ |
|
435 \ ==> Says A B (Crypt K {|Nonce NB, Nonce NB|}) : set evs"; |
|
436 by (dtac B_trusts_NS3 1); |
|
437 by (ALLGOALS Clarify_tac); |
|
438 by (blast_tac (claset() addSIs [normalize_thm [RSspec, RSmp] lemma] |
|
439 addSEs [Spy_not_see_encrypted_key RSN (2,rev_notE)]) 1); |
|
440 qed "B_trusts_NS5"; |