21 IEEE Trans. SE 22 (1) |
21 IEEE Trans. SE 22 (1) |
22 \<close> |
22 \<close> |
23 |
23 |
24 inductive_set otway :: "event list set" |
24 inductive_set otway :: "event list set" |
25 where |
25 where |
26 Nil: \<comment>\<open>The empty trace\<close> |
26 Nil: \<comment> \<open>The empty trace\<close> |
27 "[] \<in> otway" |
27 "[] \<in> otway" |
28 |
28 |
29 | Fake: \<comment>\<open>The Spy may say anything he can say. The sender field is correct, |
29 | Fake: \<comment> \<open>The Spy may say anything he can say. The sender field is correct, |
30 but agents don't use that information.\<close> |
30 but agents don't use that information.\<close> |
31 "[| evsf \<in> otway; X \<in> synth (analz (knows Spy evsf)) |] |
31 "[| evsf \<in> otway; X \<in> synth (analz (knows Spy evsf)) |] |
32 ==> Says Spy B X # evsf \<in> otway" |
32 ==> Says Spy B X # evsf \<in> otway" |
33 |
33 |
34 |
34 |
35 | Reception: \<comment>\<open>A message that has been sent can be received by the |
35 | Reception: \<comment> \<open>A message that has been sent can be received by the |
36 intended recipient.\<close> |
36 intended recipient.\<close> |
37 "[| evsr \<in> otway; Says A B X \<in>set evsr |] |
37 "[| evsr \<in> otway; Says A B X \<in>set evsr |] |
38 ==> Gets B X # evsr \<in> otway" |
38 ==> Gets B X # evsr \<in> otway" |
39 |
39 |
40 | OR1: \<comment>\<open>Alice initiates a protocol run\<close> |
40 | OR1: \<comment> \<open>Alice initiates a protocol run\<close> |
41 "evs1 \<in> otway |
41 "evs1 \<in> otway |
42 ==> Says A B \<lbrace>Agent A, Agent B, Nonce NA\<rbrace> # evs1 \<in> otway" |
42 ==> Says A B \<lbrace>Agent A, Agent B, Nonce NA\<rbrace> # evs1 \<in> otway" |
43 |
43 |
44 | OR2: \<comment>\<open>Bob's response to Alice's message.\<close> |
44 | OR2: \<comment> \<open>Bob's response to Alice's message.\<close> |
45 "[| evs2 \<in> otway; |
45 "[| evs2 \<in> otway; |
46 Gets B \<lbrace>Agent A, Agent B, Nonce NA\<rbrace> \<in>set evs2 |] |
46 Gets B \<lbrace>Agent A, Agent B, Nonce NA\<rbrace> \<in>set evs2 |] |
47 ==> Says B Server \<lbrace>Agent A, Agent B, Nonce NA, Nonce NB\<rbrace> |
47 ==> Says B Server \<lbrace>Agent A, Agent B, Nonce NA, Nonce NB\<rbrace> |
48 # evs2 \<in> otway" |
48 # evs2 \<in> otway" |
49 |
49 |
50 | OR3: \<comment>\<open>The Server receives Bob's message. Then he sends a new |
50 | OR3: \<comment> \<open>The Server receives Bob's message. Then he sends a new |
51 session key to Bob with a packet for forwarding to Alice.\<close> |
51 session key to Bob with a packet for forwarding to Alice.\<close> |
52 "[| evs3 \<in> otway; Key KAB \<notin> used evs3; |
52 "[| evs3 \<in> otway; Key KAB \<notin> used evs3; |
53 Gets Server \<lbrace>Agent A, Agent B, Nonce NA, Nonce NB\<rbrace> |
53 Gets Server \<lbrace>Agent A, Agent B, Nonce NA, Nonce NB\<rbrace> |
54 \<in>set evs3 |] |
54 \<in>set evs3 |] |
55 ==> Says Server B |
55 ==> Says Server B |
56 \<lbrace>Crypt (shrK A) \<lbrace>Nonce NA, Agent A, Agent B, Key KAB\<rbrace>, |
56 \<lbrace>Crypt (shrK A) \<lbrace>Nonce NA, Agent A, Agent B, Key KAB\<rbrace>, |
57 Crypt (shrK B) \<lbrace>Nonce NB, Agent A, Agent B, Key KAB\<rbrace>\<rbrace> |
57 Crypt (shrK B) \<lbrace>Nonce NB, Agent A, Agent B, Key KAB\<rbrace>\<rbrace> |
58 # evs3 \<in> otway" |
58 # evs3 \<in> otway" |
59 |
59 |
60 | OR4: \<comment>\<open>Bob receives the Server's (?) message and compares the Nonces with |
60 | OR4: \<comment> \<open>Bob receives the Server's (?) message and compares the Nonces with |
61 those in the message he previously sent the Server. |
61 those in the message he previously sent the Server. |
62 Need @{term "B \<noteq> Server"} because we allow messages to self.\<close> |
62 Need @{term "B \<noteq> Server"} because we allow messages to self.\<close> |
63 "[| evs4 \<in> otway; B \<noteq> Server; |
63 "[| evs4 \<in> otway; B \<noteq> Server; |
64 Says B Server \<lbrace>Agent A, Agent B, Nonce NA, Nonce NB\<rbrace> \<in>set evs4; |
64 Says B Server \<lbrace>Agent A, Agent B, Nonce NA, Nonce NB\<rbrace> \<in>set evs4; |
65 Gets B \<lbrace>X, Crypt(shrK B)\<lbrace>Nonce NB,Agent A,Agent B,Key K\<rbrace>\<rbrace> |
65 Gets B \<lbrace>X, Crypt(shrK B)\<lbrace>Nonce NB,Agent A,Agent B,Key K\<rbrace>\<rbrace> |
66 \<in>set evs4 |] |
66 \<in>set evs4 |] |
67 ==> Says B A X # evs4 \<in> otway" |
67 ==> Says B A X # evs4 \<in> otway" |
68 |
68 |
69 | Oops: \<comment>\<open>This message models possible leaks of session keys. The nonces |
69 | Oops: \<comment> \<open>This message models possible leaks of session keys. The nonces |
70 identify the protocol run.\<close> |
70 identify the protocol run.\<close> |
71 "[| evso \<in> otway; |
71 "[| evso \<in> otway; |
72 Says Server B |
72 Says Server B |
73 \<lbrace>Crypt (shrK A) \<lbrace>Nonce NA, Agent A, Agent B, Key K\<rbrace>, |
73 \<lbrace>Crypt (shrK A) \<lbrace>Nonce NA, Agent A, Agent B, Key K\<rbrace>, |
74 Crypt (shrK B) \<lbrace>Nonce NB, Agent A, Agent B, Key K\<rbrace>\<rbrace> |
74 Crypt (shrK B) \<lbrace>Nonce NB, Agent A, Agent B, Key K\<rbrace>\<rbrace> |
199 \<lbrace>Crypt (shrK A) \<lbrace>NA, Agent A, Agent B, Key K\<rbrace>, |
199 \<lbrace>Crypt (shrK A) \<lbrace>NA, Agent A, Agent B, Key K\<rbrace>, |
200 Crypt (shrK B) \<lbrace>NB, Agent A, Agent B, Key K\<rbrace>\<rbrace> |
200 Crypt (shrK B) \<lbrace>NB, Agent A, Agent B, Key K\<rbrace>\<rbrace> |
201 \<in> set evs)" |
201 \<in> set evs)" |
202 apply (erule otway.induct, force) |
202 apply (erule otway.induct, force) |
203 apply (simp_all add: ex_disj_distrib) |
203 apply (simp_all add: ex_disj_distrib) |
204 apply blast+ \<comment>\<open>Fake, OR3\<close> |
204 apply blast+ \<comment> \<open>Fake, OR3\<close> |
205 done |
205 done |
206 |
206 |
207 |
207 |
208 text\<open>Corollary: if A receives B's OR4 message then it originated with the |
208 text\<open>Corollary: if A receives B's OR4 message then it originated with the |
209 Server. Freshness may be inferred from nonce NA.\<close> |
209 Server. Freshness may be inferred from nonce NA.\<close> |
268 --> (\<exists>NA. Says Server B |
268 --> (\<exists>NA. Says Server B |
269 \<lbrace>Crypt (shrK A) \<lbrace>NA, Agent A, Agent B, Key K\<rbrace>, |
269 \<lbrace>Crypt (shrK A) \<lbrace>NA, Agent A, Agent B, Key K\<rbrace>, |
270 Crypt (shrK B) \<lbrace>NB, Agent A, Agent B, Key K\<rbrace>\<rbrace> |
270 Crypt (shrK B) \<lbrace>NB, Agent A, Agent B, Key K\<rbrace>\<rbrace> |
271 \<in> set evs)" |
271 \<in> set evs)" |
272 apply (erule otway.induct, force, simp_all add: ex_disj_distrib) |
272 apply (erule otway.induct, force, simp_all add: ex_disj_distrib) |
273 apply blast+ \<comment>\<open>Fake, OR3\<close> |
273 apply blast+ \<comment> \<open>Fake, OR3\<close> |
274 done |
274 done |
275 |
275 |
276 |
276 |
277 |
277 |
278 text\<open>Guarantee for B: if it gets a well-formed certificate then the Server |
278 text\<open>Guarantee for B: if it gets a well-formed certificate then the Server |