136 |
136 |
137 |
137 |
138 (*Describes the form of K when the Server sends this message. Useful for |
138 (*Describes the form of K when the Server sends this message. Useful for |
139 Oops as well as main secrecy property.*) |
139 Oops as well as main secrecy property.*) |
140 goal thy |
140 goal thy |
141 "!!evs. [| Says Server A {|Crypt (shrK A) {|Agent B, Key K, NA, NB|}, X|} \ |
141 "!!evs. [| Says Server A {|Crypt (shrK A) {|Agent B, Key K, na, nb|}, X|} \ |
142 \ : set evs; \ |
142 \ : set evs; \ |
143 \ evs : yahalom lost |] \ |
143 \ evs : yahalom lost |] \ |
144 \ ==> K ~: range shrK"; |
144 \ ==> K ~: range shrK"; |
145 by (etac rev_mp 1); |
145 by (etac rev_mp 1); |
146 by (etac yahalom.induct 1); |
146 by (etac yahalom.induct 1); |
464 (*** The Nonce NB uniquely identifies B's message. ***) |
464 (*** The Nonce NB uniquely identifies B's message. ***) |
465 |
465 |
466 goal thy |
466 goal thy |
467 "!!evs. evs : yahalom lost ==> \ |
467 "!!evs. evs : yahalom lost ==> \ |
468 \ EX NA' A' B'. ALL NA A B. \ |
468 \ EX NA' A' B'. ALL NA A B. \ |
469 \ Crypt (shrK B) {|Agent A, Nonce NA, NB|} : parts(sees lost Spy evs) \ |
469 \ Crypt (shrK B) {|Agent A, Nonce NA, nb|} : parts(sees lost Spy evs) \ |
470 \ --> B ~: lost --> NA = NA' & A = A' & B = B'"; |
470 \ --> B ~: lost --> NA = NA' & A = A' & B = B'"; |
471 by parts_induct_tac; |
471 by parts_induct_tac; |
472 (*Fake*) |
472 (*Fake*) |
473 by (REPEAT (etac (exI RSN (2,exE)) 1) (*stripping EXs makes proof faster*) |
473 by (REPEAT (etac (exI RSN (2,exE)) 1) (*stripping EXs makes proof faster*) |
474 THEN Fake_parts_insert_tac 1); |
474 THEN Fake_parts_insert_tac 1); |
475 by (asm_simp_tac (!simpset addsimps [all_conj_distrib]) 1); |
475 by (asm_simp_tac (!simpset addsimps [all_conj_distrib]) 1); |
476 (*YM2: creation of new Nonce. Move assertion into global context*) |
476 (*YM2: creation of new Nonce. Move assertion into global context*) |
477 by (expand_case_tac "NB = ?y" 1); |
477 by (expand_case_tac "nb = ?y" 1); |
478 by (REPEAT (resolve_tac [exI, conjI, impI, refl] 1)); |
478 by (REPEAT (resolve_tac [exI, conjI, impI, refl] 1)); |
479 by (blast_tac (!claset addSEs sees_Spy_partsEs) 1); |
479 by (blast_tac (!claset addSEs sees_Spy_partsEs) 1); |
480 val lemma = result(); |
480 val lemma = result(); |
481 |
481 |
482 goal thy |
482 goal thy |
483 "!!evs.[| Crypt (shrK B) {|Agent A, Nonce NA, NB|} \ |
483 "!!evs.[| Crypt (shrK B) {|Agent A, Nonce NA, nb|} \ |
484 \ : parts (sees lost Spy evs); \ |
484 \ : parts (sees lost Spy evs); \ |
485 \ Crypt (shrK B') {|Agent A', Nonce NA', NB|} \ |
485 \ Crypt (shrK B') {|Agent A', Nonce NA', nb|} \ |
486 \ : parts (sees lost Spy evs); \ |
486 \ : parts (sees lost Spy evs); \ |
487 \ evs : yahalom lost; B ~: lost; B' ~: lost |] \ |
487 \ evs : yahalom lost; B ~: lost; B' ~: lost |] \ |
488 \ ==> NA' = NA & A' = A & B' = B"; |
488 \ ==> NA' = NA & A' = A & B' = B"; |
489 by (prove_unique_tac lemma 1); |
489 by (prove_unique_tac lemma 1); |
490 qed "unique_NB"; |
490 qed "unique_NB"; |
491 |
491 |
492 |
492 |
493 (*Variant useful for proving secrecy of NB: the Says... form allows |
493 (*Variant useful for proving secrecy of NB: the Says... form allows |
494 not_lost_tac to remove the assumption B' ~: lost.*) |
494 not_lost_tac to remove the assumption B' ~: lost.*) |
495 goal thy |
495 goal thy |
496 "!!evs.[| Says C D {|X, Crypt (shrK B) {|Agent A, Nonce NA, NB|}|} \ |
496 "!!evs.[| Says C D {|X, Crypt (shrK B) {|Agent A, Nonce NA, nb|}|} \ |
497 \ : set evs; B ~: lost; \ |
497 \ : set evs; B ~: lost; \ |
498 \ Says C' D' {|X', Crypt (shrK B') {|Agent A', Nonce NA', NB|}|} \ |
498 \ Says C' D' {|X', Crypt (shrK B') {|Agent A', Nonce NA', nb|}|} \ |
499 \ : set evs; \ |
499 \ : set evs; \ |
500 \ NB ~: analz (sees lost Spy evs); evs : yahalom lost |] \ |
500 \ nb ~: analz (sees lost Spy evs); evs : yahalom lost |] \ |
501 \ ==> NA' = NA & A' = A & B' = B"; |
501 \ ==> NA' = NA & A' = A & B' = B"; |
502 by (not_lost_tac "B'" 1); |
502 by (not_lost_tac "B'" 1); |
503 by (blast_tac (!claset addSDs [Says_imp_sees_Spy' RS parts.Inj] |
503 by (blast_tac (!claset addSDs [Says_imp_sees_Spy' RS parts.Inj] |
504 addSEs [MPair_parts] |
504 addSEs [MPair_parts] |
505 addDs [unique_NB]) 1); |
505 addDs [unique_NB]) 1); |
511 (** A nonce value is never used both as NA and as NB **) |
511 (** A nonce value is never used both as NA and as NB **) |
512 |
512 |
513 goal thy |
513 goal thy |
514 "!!evs. [| B ~: lost; evs : yahalom lost |] \ |
514 "!!evs. [| B ~: lost; evs : yahalom lost |] \ |
515 \ ==> Nonce NB ~: analz (sees lost Spy evs) --> \ |
515 \ ==> Nonce NB ~: analz (sees lost Spy evs) --> \ |
516 \ Crypt (shrK B') {|Agent A', Nonce NB, NB'|} \ |
516 \ Crypt (shrK B') {|Agent A', Nonce NB, nb'|} \ |
517 \ : parts(sees lost Spy evs) \ |
517 \ : parts(sees lost Spy evs) \ |
518 \ --> Crypt (shrK B) {|Agent A, Nonce NA, Nonce NB|} \ |
518 \ --> Crypt (shrK B) {|Agent A, Nonce NA, Nonce NB|} \ |
519 \ ~: parts(sees lost Spy evs)"; |
519 \ ~: parts(sees lost Spy evs)"; |
520 by analz_mono_parts_induct_tac; |
520 by analz_mono_parts_induct_tac; |
521 by (Fake_parts_insert_tac 1); |
521 by (Fake_parts_insert_tac 1); |