653 Goal "[| KK <= -(range shrK); Key K : analz (spies evs); evs: kerberos |] \ |
653 Goal "[| KK <= -(range shrK); Key K : analz (spies evs); evs: kerberos |] \ |
654 \ ==> Key K : analz (Key `` KK Un spies evs)"; |
654 \ ==> Key K : analz (Key `` KK Un spies evs)"; |
655 by (blast_tac (claset() addDs [impOfSubs analz_mono]) 1); |
655 by (blast_tac (claset() addDs [impOfSubs analz_mono]) 1); |
656 qed "analz_mono_KK"; |
656 qed "analz_mono_KK"; |
657 |
657 |
|
658 (*For the Oops2 case of the next theorem*) |
|
659 Goal "[| evs : kerberos; \ |
|
660 \ Says Tgs A (Crypt AuthKey \ |
|
661 \ {|Key ServKey, Agent B, Number Tt, ServTicket|}) \ |
|
662 \ : set evs |] \ |
|
663 \ ==> ~ KeyCryptKey ServKey SK evs"; |
|
664 by (blast_tac (claset() addDs [KeyCryptKeyI, KeyCryptKey_not_KeyCryptKey]) 1); |
|
665 qed "Oops2_not_KeyCryptKey"; |
|
666 |
|
667 |
658 (* Big simplification law for keys SK that are not crypted by keys in KK *) |
668 (* Big simplification law for keys SK that are not crypted by keys in KK *) |
659 (* It helps prove three, otherwise hard, facts about keys. These facts are *) |
669 (* It helps prove three, otherwise hard, facts about keys. These facts are *) |
660 (* exploited as simplification laws for analz, and also "limit the damage" *) |
670 (* exploited as simplification laws for analz, and also "limit the damage" *) |
661 (* in case of loss of a key to the spy. See ESORICS98. *) |
671 (* in case of loss of a key to the spy. See ESORICS98. *) |
|
672 (* [simplified by LCP] *) |
662 Goal "evs : kerberos ==> \ |
673 Goal "evs : kerberos ==> \ |
663 \ (ALL SK KK. KK <= -(range shrK) --> \ |
674 \ (ALL SK KK. KK <= -(range shrK) --> \ |
664 \ (ALL K: KK. ~ KeyCryptKey K SK evs) --> \ |
675 \ (ALL K: KK. ~ KeyCryptKey K SK evs) --> \ |
665 \ (Key SK : analz (Key``KK Un (spies evs))) = \ |
676 \ (Key SK : analz (Key``KK Un (spies evs))) = \ |
666 \ (SK : KK | Key SK : analz (spies evs)))"; |
677 \ (SK : KK | Key SK : analz (spies evs)))"; |
667 by (etac kerberos.induct 1); |
678 by (etac kerberos.induct 1); |
668 by analz_sees_tac; |
679 by analz_sees_tac; |
669 by (REPEAT_FIRST (rtac allI)); |
680 by (REPEAT_FIRST (rtac allI)); |
670 by (REPEAT_FIRST (rtac (Key_analz_image_Key_lemma RS impI))); |
681 by (REPEAT_FIRST (rtac (Key_analz_image_Key_lemma RS impI))); |
|
682 (*Case-splits for Oops1 & 5: the negated case simplifies using the ind hyp*) |
|
683 by (case_tac "KeyCryptKey AuthKey SK evsO1" 11); |
|
684 by (case_tac "KeyCryptKey ServKey SK evs5" 8); |
671 by (ALLGOALS |
685 by (ALLGOALS |
672 (asm_simp_tac |
686 (asm_simp_tac |
673 (analz_image_freshK_ss addsimps |
687 (analz_image_freshK_ss addsimps |
674 [KeyCryptKey_Says, shrK_not_KeyCryptKey, |
688 [KeyCryptKey_Says, shrK_not_KeyCryptKey, Oops2_not_KeyCryptKey, |
675 Auth_fresh_not_KeyCryptKey, Serv_fresh_not_KeyCryptKey, |
689 Auth_fresh_not_KeyCryptKey, Serv_fresh_not_KeyCryptKey, |
676 Says_Tgs_KeyCryptKey, Spy_analz_shrK]))); |
690 Says_Tgs_KeyCryptKey, Spy_analz_shrK]))); |
677 (*Fake*) |
691 (*Fake*) |
678 by (spy_analz_tac 1); |
692 by (spy_analz_tac 1); |
679 (* Base + K2 done by the simplifier! *) |
693 (* Base + K2 done by the simplifier! *) |
681 by (Blast_tac 1); |
695 by (Blast_tac 1); |
682 (*K4*) |
696 (*K4*) |
683 by (blast_tac (claset() addEs spies_partsEs |
697 by (blast_tac (claset() addEs spies_partsEs |
684 addSDs [AuthKey_not_KeyCryptKey]) 1); |
698 addSDs [AuthKey_not_KeyCryptKey]) 1); |
685 (*K5*) |
699 (*K5*) |
686 by (rtac impI 1); |
|
687 by (case_tac "Key ServKey : analz (spies evs5)" 1); |
700 by (case_tac "Key ServKey : analz (spies evs5)" 1); |
688 (*If ServKey is compromised then the result follows directly...*) |
701 (*If ServKey is compromised then the result follows directly...*) |
689 by (asm_simp_tac |
702 by (asm_simp_tac |
690 (simpset() addsimps [analz_insert_eq, |
703 (simpset() addsimps [analz_insert_eq, |
691 impOfSubs (Un_upper2 RS analz_mono)]) 1); |
704 impOfSubs (Un_upper2 RS analz_mono)]) 1); |
692 (*...therefore ServKey is uncompromised.*) |
705 (*...therefore ServKey is uncompromised.*) |
693 by (case_tac "KeyCryptKey ServKey SK evs5" 1); |
|
694 by (asm_simp_tac analz_image_freshK_ss 2); |
|
695 (*The KeyCryptKey ServKey SK evs5 case leads to a contradiction.*) |
706 (*The KeyCryptKey ServKey SK evs5 case leads to a contradiction.*) |
696 by (blast_tac (claset() addSEs [ServKey_not_KeyCryptKey RSN(2, rev_notE)] |
707 by (blast_tac (claset() addSEs [ServKey_not_KeyCryptKey RSN(2, rev_notE)] |
697 addEs spies_partsEs delrules [allE, ballE]) 1); |
708 addEs spies_partsEs delrules [allE, ballE]) 1); |
698 (** Level 14: Oops1 and Oops2 **) |
709 (** Level 13: Oops1 **) |
699 by (ALLGOALS Clarify_tac); |
710 by (Asm_full_simp_tac 1); |
700 (*Oops 2*) |
|
701 by (case_tac "Key ServKey : analz (spies evsO2)" 2); |
|
702 by (ALLGOALS Asm_full_simp_tac); |
|
703 by (ftac analz_mono_KK 2 |
|
704 THEN assume_tac 2 |
|
705 THEN assume_tac 2); |
|
706 by (ftac analz_cut 2 THEN assume_tac 2); |
|
707 by (blast_tac (claset() addDs [analz_cut, impOfSubs analz_mono]) 2); |
|
708 by (dres_inst_tac [("x","SK")] spec 2); |
|
709 by (dres_inst_tac [("x","insert ServKey KK")] spec 2); |
|
710 by (ftac Says_Tgs_message_form 2 THEN assume_tac 2); |
|
711 by (Clarify_tac 2); |
|
712 by (forward_tac [Says_imp_spies RS parts.Inj RS parts.Body |
|
713 RS parts.Snd RS parts.Snd RS parts.Snd] 2); |
|
714 by (Asm_full_simp_tac 2); |
|
715 by (blast_tac (claset() addSDs [ServKey_not_KeyCryptKey] |
|
716 delrules [le_maxI1, le_maxI2] |
|
717 addDs [impOfSubs analz_mono]) 2); |
|
718 (*Level 27: Oops 1*) |
|
719 by (dres_inst_tac [("x","SK")] spec 1); |
|
720 by (dres_inst_tac [("x","insert AuthKey KK")] spec 1); |
|
721 by (case_tac "KeyCryptKey AuthKey SK evsO1" 1); |
|
722 by (ALLGOALS Asm_full_simp_tac); |
|
723 by (blast_tac (claset() addSDs [KeyCryptKey_analz_insert]) 1); |
711 by (blast_tac (claset() addSDs [KeyCryptKey_analz_insert]) 1); |
724 by (blast_tac (claset() delrules [le_maxI1, le_maxI2] |
|
725 addDs [impOfSubs analz_mono]) 1); |
|
726 qed_spec_mp "Key_analz_image_Key"; |
712 qed_spec_mp "Key_analz_image_Key"; |
727 |
713 |
728 |
714 |
729 (* First simplification law for analz: no session keys encrypt *) |
715 (* First simplification law for analz: no session keys encrypt *) |
730 (* authentication keys or shared keys. *) |
716 (* authentication keys or shared keys. *) |