equal
deleted
inserted
replaced
4 |
4 |
5 Inductive relation "ns_public" for the Needham-Schroeder Public-Key protocol. |
5 Inductive relation "ns_public" for the Needham-Schroeder Public-Key protocol. |
6 Version incorporating Lowe's fix (inclusion of B's identity in round 2). |
6 Version incorporating Lowe's fix (inclusion of B's identity in round 2). |
7 *) |
7 *) |
8 |
8 |
9 section{*Verifying the Needham-Schroeder-Lowe Public-Key Protocol*} |
9 section\<open>Verifying the Needham-Schroeder-Lowe Public-Key Protocol\<close> |
10 |
10 |
11 theory NS_Public imports Public begin |
11 theory NS_Public imports Public begin |
12 |
12 |
13 inductive_set ns_public :: "event list set" |
13 inductive_set ns_public :: "event list set" |
14 where |
14 where |
61 |
61 |
62 lemma Spy_analz_priEK [simp]: |
62 lemma Spy_analz_priEK [simp]: |
63 "evs \<in> ns_public \<Longrightarrow> (Key (priEK A) \<in> analz (spies evs)) = (A \<in> bad)" |
63 "evs \<in> ns_public \<Longrightarrow> (Key (priEK A) \<in> analz (spies evs)) = (A \<in> bad)" |
64 by auto |
64 by auto |
65 |
65 |
66 subsection{*Authenticity properties obtained from NS2*} |
66 subsection\<open>Authenticity properties obtained from NS2\<close> |
67 |
67 |
68 |
68 |
69 (*It is impossible to re-use a nonce in both NS1 and NS2, provided the nonce |
69 (*It is impossible to re-use a nonce in both NS1 and NS2, provided the nonce |
70 is secret. (Honest users generate fresh nonces.)*) |
70 is secret. (Honest users generate fresh nonces.)*) |
71 lemma no_nonce_NS1_NS2 [rule_format]: |
71 lemma no_nonce_NS1_NS2 [rule_format]: |
133 (*Fake*) |
133 (*Fake*) |
134 apply (blast intro!: analz_insertI) |
134 apply (blast intro!: analz_insertI) |
135 done |
135 done |
136 |
136 |
137 |
137 |
138 subsection{*Authenticity properties obtained from NS2*} |
138 subsection\<open>Authenticity properties obtained from NS2\<close> |
139 |
139 |
140 (*Unicity for NS2: nonce NB identifies nonce NA and agents A, B |
140 (*Unicity for NS2: nonce NB identifies nonce NA and agents A, B |
141 [unicity of B makes Lowe's fix work] |
141 [unicity of B makes Lowe's fix work] |
142 [proof closely follows that for unique_NA] *) |
142 [proof closely follows that for unique_NA] *) |
143 |
143 |
178 Says A' B (Crypt (pubEK B) (Nonce NB)) \<in> set evs; |
178 Says A' B (Crypt (pubEK B) (Nonce NB)) \<in> set evs; |
179 A \<notin> bad; B \<notin> bad; evs \<in> ns_public\<rbrakk> |
179 A \<notin> bad; B \<notin> bad; evs \<in> ns_public\<rbrakk> |
180 \<Longrightarrow> Says A B (Crypt (pubEK B) (Nonce NB)) \<in> set evs" |
180 \<Longrightarrow> Says A B (Crypt (pubEK B) (Nonce NB)) \<in> set evs" |
181 by (blast intro: B_trusts_NS3_lemma) |
181 by (blast intro: B_trusts_NS3_lemma) |
182 |
182 |
183 subsection{*Overall guarantee for B*} |
183 subsection\<open>Overall guarantee for B\<close> |
184 |
184 |
185 (*If NS3 has been sent and the nonce NB agrees with the nonce B joined with |
185 (*If NS3 has been sent and the nonce NB agrees with the nonce B joined with |
186 NA, then A initiated the run using NA.*) |
186 NA, then A initiated the run using NA.*) |
187 theorem B_trusts_protocol: |
187 theorem B_trusts_protocol: |
188 "\<lbrakk>A \<notin> bad; B \<notin> bad; evs \<in> ns_public\<rbrakk> \<Longrightarrow> |
188 "\<lbrakk>A \<notin> bad; B \<notin> bad; evs \<in> ns_public\<rbrakk> \<Longrightarrow> |