32 by possibility_tac; |
32 by possibility_tac; |
33 result(); |
33 result(); |
34 |
34 |
35 |
35 |
36 (**** Inductive proofs about yahalom ****) |
36 (**** Inductive proofs about yahalom ****) |
37 |
|
38 (*Monotonicity*) |
|
39 goal thy "!!evs. lost' <= lost ==> yahalom lost' <= yahalom lost"; |
|
40 by (rtac subsetI 1); |
|
41 by (etac yahalom.induct 1); |
|
42 by (REPEAT_FIRST |
|
43 (blast_tac (!claset addIs (impOfSubs(sees_mono RS analz_mono RS synth_mono) |
|
44 :: yahalom.intrs)))); |
|
45 qed "yahalom_mono"; |
|
46 |
|
47 |
37 |
48 (*Nobody sends themselves messages*) |
38 (*Nobody sends themselves messages*) |
49 goal thy "!!evs. evs: yahalom lost ==> ALL A X. Says A A X ~: set evs"; |
39 goal thy "!!evs. evs: yahalom lost ==> ALL A X. Says A A X ~: set evs"; |
50 by (etac yahalom.induct 1); |
40 by (etac yahalom.induct 1); |
51 by (Auto_tac()); |
41 by (Auto_tac()); |
266 by (forward_tac [Says_Server_message_form] 1 THEN assume_tac 1); |
256 by (forward_tac [Says_Server_message_form] 1 THEN assume_tac 1); |
267 by (blast_tac (!claset addSEs [lemma]) 1); |
257 by (blast_tac (!claset addSEs [lemma]) 1); |
268 qed "Spy_not_see_encrypted_key"; |
258 qed "Spy_not_see_encrypted_key"; |
269 |
259 |
270 |
260 |
271 (*And other agents don't see the key either.*) |
|
272 goal thy |
|
273 "!!evs. [| C ~: {A,B,Server}; \ |
|
274 \ Says Server A \ |
|
275 \ {|nb, Crypt (shrK A) {|Agent B, Key K, na|}, \ |
|
276 \ Crypt (shrK B) {|nb, Key K, Agent A|}|} \ |
|
277 \ : set evs; \ |
|
278 \ Says A Spy {|na, nb, Key K|} ~: set evs; \ |
|
279 \ A ~: lost; B ~: lost; evs : yahalom lost |] \ |
|
280 \ ==> Key K ~: analz (sees lost C evs)"; |
|
281 by (rtac (subset_insertI RS sees_mono RS analz_mono RS contra_subsetD) 1); |
|
282 by (rtac (sees_lost_agent_subset_sees_Spy RS analz_mono RS contra_subsetD) 1); |
|
283 by (FIRSTGOAL (rtac Spy_not_see_encrypted_key)); |
|
284 by (REPEAT_FIRST (blast_tac (!claset addIs [yahalom_mono RS subsetD]))); |
|
285 qed "Agent_not_see_encrypted_key"; |
|
286 |
|
287 |
|
288 (** Security Guarantee for A upon receiving YM3 **) |
261 (** Security Guarantee for A upon receiving YM3 **) |
289 |
262 |
290 (*If the encrypted message appears then it originated with the Server. |
263 (*If the encrypted message appears then it originated with the Server. |
291 May now apply Spy_not_see_encrypted_key, subject to its conditions.*) |
264 May now apply Spy_not_see_encrypted_key, subject to its conditions.*) |
292 goal thy |
265 goal thy |
397 |
370 |
398 (*Induction for theorems of the form X ~: analz (sees lost Spy evs) --> ... |
371 (*Induction for theorems of the form X ~: analz (sees lost Spy evs) --> ... |
399 It simplifies the proof by discarding needless information about |
372 It simplifies the proof by discarding needless information about |
400 analz (insert X (sees lost Spy evs)) |
373 analz (insert X (sees lost Spy evs)) |
401 *) |
374 *) |
402 val analz_mono_parts_induct_tac = |
375 fun analz_mono_parts_induct_tac i = |
403 etac yahalom.induct 1 |
376 etac yahalom.induct i |
404 THEN |
377 THEN |
405 REPEAT_FIRST |
378 REPEAT_FIRST analz_mono_contra_tac |
406 (rtac impI THEN' |
|
407 dtac (sees_subset_sees_Says RS analz_mono RS contra_subsetD) THEN' |
|
408 mp_tac) |
|
409 THEN parts_sees_tac; |
379 THEN parts_sees_tac; |
|
380 |
410 |
381 |
411 (*Assuming the session key is secure, if both certificates are present then |
382 (*Assuming the session key is secure, if both certificates are present then |
412 A has said NB. We can't be sure about the rest of A's message, but only |
383 A has said NB. We can't be sure about the rest of A's message, but only |
413 NB matters for freshness.*) |
384 NB matters for freshness.*) |
414 goal thy |
385 goal thy |
417 \ Crypt K (Nonce NB) : parts (sees lost Spy evs) --> \ |
388 \ Crypt K (Nonce NB) : parts (sees lost Spy evs) --> \ |
418 \ Crypt (shrK B) {|Nonce NB, Key K, Agent A|} \ |
389 \ Crypt (shrK B) {|Nonce NB, Key K, Agent A|} \ |
419 \ : parts (sees lost Spy evs) --> \ |
390 \ : parts (sees lost Spy evs) --> \ |
420 \ B ~: lost --> \ |
391 \ B ~: lost --> \ |
421 \ (EX X. Says A B {|X, Crypt K (Nonce NB)|} : set evs)"; |
392 \ (EX X. Says A B {|X, Crypt K (Nonce NB)|} : set evs)"; |
422 by analz_mono_parts_induct_tac; |
393 by (analz_mono_parts_induct_tac 1); |
423 (*Fake*) |
394 (*Fake*) |
424 by (Fake_parts_insert_tac 1); |
395 by (Fake_parts_insert_tac 1); |
425 (*YM3: by new_keys_not_used we note that Crypt K (Nonce NB) could not exist*) |
396 (*YM3: by new_keys_not_used we note that Crypt K (Nonce NB) could not exist*) |
426 by (fast_tac (!claset addSDs [Crypt_imp_invKey_keysFor] addss (!simpset)) 1); |
397 by (fast_tac (!claset addSDs [Crypt_imp_invKey_keysFor] addss (!simpset)) 1); |
427 (*YM4: was Crypt K (Nonce NB) the very last message? If not, use ind. hyp.*) |
398 (*YM4: was Crypt K (Nonce NB) the very last message? If not, use ind. hyp.*) |