194 Says Server B' \<lbrace>NA',X',Crypt (shrK B') \<lbrace>NB',K\<rbrace>\<rbrace> \<in> set evs; |
194 Says Server B' \<lbrace>NA',X',Crypt (shrK B') \<lbrace>NB',K\<rbrace>\<rbrace> \<in> set evs; |
195 evs \<in> otway\<rbrakk> \<Longrightarrow> X=X' & B=B' & NA=NA' & NB=NB'" |
195 evs \<in> otway\<rbrakk> \<Longrightarrow> X=X' & B=B' & NA=NA' & NB=NB'" |
196 apply (erule rev_mp) |
196 apply (erule rev_mp) |
197 apply (erule rev_mp) |
197 apply (erule rev_mp) |
198 apply (erule otway.induct, simp_all) |
198 apply (erule otway.induct, simp_all) |
199 apply blast+ \<comment>\<open>OR3 and OR4\<close> |
199 apply blast+ \<comment> \<open>OR3 and OR4\<close> |
200 done |
200 done |
201 |
201 |
202 |
202 |
203 subsection\<open>Authenticity properties relating to NA\<close> |
203 subsection\<open>Authenticity properties relating to NA\<close> |
204 |
204 |
257 \<lbrace>NA, |
257 \<lbrace>NA, |
258 Crypt (shrK A) \<lbrace>NA, Key K\<rbrace>, |
258 Crypt (shrK A) \<lbrace>NA, Key K\<rbrace>, |
259 Crypt (shrK B) \<lbrace>NB, Key K\<rbrace>\<rbrace> \<in> set evs)" |
259 Crypt (shrK B) \<lbrace>NB, Key K\<rbrace>\<rbrace> \<in> set evs)" |
260 apply (erule otway.induct, force, |
260 apply (erule otway.induct, force, |
261 drule_tac [4] OR2_parts_knows_Spy, simp_all, blast) |
261 drule_tac [4] OR2_parts_knows_Spy, simp_all, blast) |
262 subgoal \<comment>\<open>OR1: by freshness\<close> |
262 subgoal \<comment> \<open>OR1: by freshness\<close> |
263 by blast |
263 by blast |
264 subgoal \<comment>\<open>OR3\<close> |
264 subgoal \<comment> \<open>OR3\<close> |
265 by (blast dest!: no_nonce_OR1_OR2 intro: unique_NA) |
265 by (blast dest!: no_nonce_OR1_OR2 intro: unique_NA) |
266 subgoal \<comment>\<open>OR4\<close> |
266 subgoal \<comment> \<open>OR4\<close> |
267 by (blast intro!: Crypt_imp_OR1) |
267 by (blast intro!: Crypt_imp_OR1) |
268 done |
268 done |
269 |
269 |
270 |
270 |
271 text\<open>Corollary: if A receives B's OR4 message and the nonce NA agrees |
271 text\<open>Corollary: if A receives B's OR4 message and the nonce NA agrees |
294 \<lbrace>NA, Crypt (shrK A) \<lbrace>NA, Key K\<rbrace>, |
294 \<lbrace>NA, Crypt (shrK A) \<lbrace>NA, Key K\<rbrace>, |
295 Crypt (shrK B) \<lbrace>NB, Key K\<rbrace>\<rbrace> \<in> set evs --> |
295 Crypt (shrK B) \<lbrace>NB, Key K\<rbrace>\<rbrace> \<in> set evs --> |
296 Notes Spy \<lbrace>NA, NB, Key K\<rbrace> \<notin> set evs --> |
296 Notes Spy \<lbrace>NA, NB, Key K\<rbrace> \<notin> set evs --> |
297 Key K \<notin> analz (knows Spy evs)" |
297 Key K \<notin> analz (knows Spy evs)" |
298 apply (erule otway.induct, force, simp_all) |
298 apply (erule otway.induct, force, simp_all) |
299 subgoal \<comment>\<open>Fake\<close> |
299 subgoal \<comment> \<open>Fake\<close> |
300 by spy_analz |
300 by spy_analz |
301 subgoal \<comment>\<open>OR2\<close> |
301 subgoal \<comment> \<open>OR2\<close> |
302 by (drule OR2_analz_knows_Spy) (auto simp: analz_insert_eq) |
302 by (drule OR2_analz_knows_Spy) (auto simp: analz_insert_eq) |
303 subgoal \<comment>\<open>OR3\<close> |
303 subgoal \<comment> \<open>OR3\<close> |
304 by (auto simp add: analz_insert_freshK pushes) |
304 by (auto simp add: analz_insert_freshK pushes) |
305 subgoal \<comment>\<open>OR4\<close> |
305 subgoal \<comment> \<open>OR4\<close> |
306 by (drule OR4_analz_knows_Spy) (auto simp: analz_insert_eq) |
306 by (drule OR4_analz_knows_Spy) (auto simp: analz_insert_eq) |
307 subgoal \<comment>\<open>Oops\<close> |
307 subgoal \<comment> \<open>Oops\<close> |
308 by (auto simp add: Says_Server_message_form analz_insert_freshK unique_session_keys) |
308 by (auto simp add: Says_Server_message_form analz_insert_freshK unique_session_keys) |
309 done |
309 done |
310 |
310 |
311 theorem Spy_not_see_encrypted_key: |
311 theorem Spy_not_see_encrypted_key: |
312 "\<lbrakk>Says Server B |
312 "\<lbrakk>Says Server B |
370 evs \<in> otway; B \<notin> bad\<rbrakk> |
370 evs \<in> otway; B \<notin> bad\<rbrakk> |
371 \<Longrightarrow> NC = NA & C = A" |
371 \<Longrightarrow> NC = NA & C = A" |
372 apply (erule rev_mp, erule rev_mp) |
372 apply (erule rev_mp, erule rev_mp) |
373 apply (erule otway.induct, force, |
373 apply (erule otway.induct, force, |
374 drule_tac [4] OR2_parts_knows_Spy, simp_all) |
374 drule_tac [4] OR2_parts_knows_Spy, simp_all) |
375 apply blast+ \<comment>\<open>Fake, OR2\<close> |
375 apply blast+ \<comment> \<open>Fake, OR2\<close> |
376 done |
376 done |
377 |
377 |
378 text\<open>If the encrypted message appears, and B has used Nonce NB, |
378 text\<open>If the encrypted message appears, and B has used Nonce NB, |
379 then it originated with the Server! Quite messy proof.\<close> |
379 then it originated with the Server! Quite messy proof.\<close> |
380 lemma NB_Crypt_imp_Server_msg [rule_format]: |
380 lemma NB_Crypt_imp_Server_msg [rule_format]: |
388 \<lbrace>NA, Crypt (shrK A) \<lbrace>NA, Key K\<rbrace>, |
388 \<lbrace>NA, Crypt (shrK A) \<lbrace>NA, Key K\<rbrace>, |
389 Crypt (shrK B) \<lbrace>NB, Key K\<rbrace>\<rbrace> |
389 Crypt (shrK B) \<lbrace>NB, Key K\<rbrace>\<rbrace> |
390 \<in> set evs)" |
390 \<in> set evs)" |
391 apply simp |
391 apply simp |
392 apply (erule otway.induct, force, simp_all) |
392 apply (erule otway.induct, force, simp_all) |
393 subgoal \<comment>\<open>Fake\<close> |
393 subgoal \<comment> \<open>Fake\<close> |
394 by blast |
394 by blast |
395 subgoal \<comment>\<open>OR2\<close> |
395 subgoal \<comment> \<open>OR2\<close> |
396 by (force dest!: OR2_parts_knows_Spy) |
396 by (force dest!: OR2_parts_knows_Spy) |
397 subgoal \<comment>\<open>OR3\<close> |
397 subgoal \<comment> \<open>OR3\<close> |
398 by (blast dest: unique_NB dest!: no_nonce_OR1_OR2) \<comment>\<open>OR3\<close> |
398 by (blast dest: unique_NB dest!: no_nonce_OR1_OR2) \<comment> \<open>OR3\<close> |
399 subgoal \<comment>\<open>OR4\<close> |
399 subgoal \<comment> \<open>OR4\<close> |
400 by (blast dest!: Crypt_imp_OR2) |
400 by (blast dest!: Crypt_imp_OR2) |
401 done |
401 done |
402 |
402 |
403 |
403 |
404 text\<open>Guarantee for B: if it gets a message with matching NB then the Server |
404 text\<open>Guarantee for B: if it gets a message with matching NB then the Server |