253 by (etac rev_mp 1); |
253 by (etac rev_mp 1); |
254 by (parts_induct_tac 1); |
254 by (parts_induct_tac 1); |
255 by (Fake_parts_insert_tac 1); |
255 by (Fake_parts_insert_tac 1); |
256 qed "A_trusts_YM3"; |
256 qed "A_trusts_YM3"; |
257 |
257 |
|
258 (*The obvious combination of A_trusts_YM3 with Spy_not_see_encrypted_key*) |
|
259 goal thy |
|
260 "!!evs. [| Crypt (shrK A) {|Agent B, Key K, na, nb|} : parts (spies evs); \ |
|
261 \ Notes Spy {|na, nb, Key K|} ~: set evs; \ |
|
262 \ A ~: bad; B ~: bad; evs : yahalom |] \ |
|
263 \ ==> Key K ~: analz (spies evs)"; |
|
264 by (blast_tac (claset() addSDs [A_trusts_YM3, Spy_not_see_encrypted_key]) 1); |
|
265 qed "A_gets_good_key"; |
258 |
266 |
259 (** Security Guarantees for B upon receiving YM4 **) |
267 (** Security Guarantees for B upon receiving YM4 **) |
260 |
268 |
261 (*B knows, by the first part of A's message, that the Server distributed |
269 (*B knows, by the first part of A's message, that the Server distributed |
262 the key for A and B. But this part says nothing about nonces.*) |
270 the key for A and B. But this part says nothing about nonces.*) |
539 single conclusion about the Server's message. Note that the "Notes Spy" |
547 single conclusion about the Server's message. Note that the "Notes Spy" |
540 assumption must quantify over ALL POSSIBLE keys instead of our particular K. |
548 assumption must quantify over ALL POSSIBLE keys instead of our particular K. |
541 If this run is broken and the spy substitutes a certificate containing an |
549 If this run is broken and the spy substitutes a certificate containing an |
542 old key, B has no means of telling.*) |
550 old key, B has no means of telling.*) |
543 goal thy |
551 goal thy |
544 "!!evs. [| Says B Server \ |
552 "!!evs. [| Says A' B {|Crypt (shrK B) {|Agent A, Key K|}, \ |
|
553 \ Crypt K (Nonce NB)|} : set evs; \ |
|
554 \ Says B Server \ |
545 \ {|Agent B, Crypt (shrK B) {|Agent A, Nonce NA, Nonce NB|}|} \ |
555 \ {|Agent B, Crypt (shrK B) {|Agent A, Nonce NA, Nonce NB|}|} \ |
546 \ : set evs; \ |
556 \ : set evs; \ |
547 \ Says A' B {|Crypt (shrK B) {|Agent A, Key K|}, \ |
|
548 \ Crypt K (Nonce NB)|} : set evs; \ |
|
549 \ ALL k. Notes Spy {|Nonce NA, Nonce NB, k|} ~: set evs; \ |
557 \ ALL k. Notes Spy {|Nonce NA, Nonce NB, k|} ~: set evs; \ |
550 \ A ~: bad; B ~: bad; evs : yahalom |] \ |
558 \ A ~: bad; B ~: bad; evs : yahalom |] \ |
551 \ ==> Says Server A \ |
559 \ ==> Says Server A \ |
552 \ {|Crypt (shrK A) {|Agent B, Key K, \ |
560 \ {|Crypt (shrK A) {|Agent B, Key K, \ |
553 \ Nonce NA, Nonce NB|}, \ |
561 \ Nonce NA, Nonce NB|}, \ |
562 by (dtac unique_session_keys 1 THEN REPEAT (assume_tac 1)); |
570 by (dtac unique_session_keys 1 THEN REPEAT (assume_tac 1)); |
563 by (blast_tac (claset() addDs [Says_unique_NB]) 1); |
571 by (blast_tac (claset() addDs [Says_unique_NB]) 1); |
564 qed "B_trusts_YM4"; |
572 qed "B_trusts_YM4"; |
565 |
573 |
566 |
574 |
|
575 (*The obvious combination of B_trusts_YM4 with Spy_not_see_encrypted_key*) |
|
576 goal thy |
|
577 "!!evs. [| Says A' B {|Crypt (shrK B) {|Agent A, Key K|}, \ |
|
578 \ Crypt K (Nonce NB)|} : set evs; \ |
|
579 \ Says B Server \ |
|
580 \ {|Agent B, Crypt (shrK B) {|Agent A, Nonce NA, Nonce NB|}|} \ |
|
581 \ : set evs; \ |
|
582 \ ALL k. Notes Spy {|Nonce NA, Nonce NB, k|} ~: set evs; \ |
|
583 \ A ~: bad; B ~: bad; evs : yahalom |] \ |
|
584 \ ==> Key K ~: analz (spies evs)"; |
|
585 by (blast_tac (claset() addSDs [B_trusts_YM4, Spy_not_see_encrypted_key]) 1); |
|
586 qed "B_gets_good_key"; |
|
587 |
567 |
588 |
568 (*** Authenticating B to A ***) |
589 (*** Authenticating B to A ***) |
569 |
590 |
570 (*The encryption in message YM2 tells us it cannot be faked.*) |
591 (*The encryption in message YM2 tells us it cannot be faked.*) |
571 goal thy |
592 goal thy |
636 |
657 |
637 (*If B receives YM4 then A has used nonce NB (and therefore is alive). |
658 (*If B receives YM4 then A has used nonce NB (and therefore is alive). |
638 Moreover, A associates K with NB (thus is talking about the same run). |
659 Moreover, A associates K with NB (thus is talking about the same run). |
639 Other premises guarantee secrecy of K.*) |
660 Other premises guarantee secrecy of K.*) |
640 goal thy |
661 goal thy |
641 "!!evs. [| Says B Server \ |
662 "!!evs. [| Says A' B {|Crypt (shrK B) {|Agent A, Key K|}, \ |
|
663 \ Crypt K (Nonce NB)|} : set evs; \ |
|
664 \ Says B Server \ |
642 \ {|Agent B, Crypt (shrK B) {|Agent A, Nonce NA, Nonce NB|}|} \ |
665 \ {|Agent B, Crypt (shrK B) {|Agent A, Nonce NA, Nonce NB|}|} \ |
643 \ : set evs; \ |
666 \ : set evs; \ |
644 \ Says A' B {|Crypt (shrK B) {|Agent A, Key K|}, \ |
|
645 \ Crypt K (Nonce NB)|} : set evs; \ |
|
646 \ (ALL NA k. Notes Spy {|Nonce NA, Nonce NB, k|} ~: set evs); \ |
667 \ (ALL NA k. Notes Spy {|Nonce NA, Nonce NB, k|} ~: set evs); \ |
647 \ A ~: bad; B ~: bad; evs : yahalom |] \ |
668 \ A ~: bad; B ~: bad; evs : yahalom |] \ |
648 \ ==> EX X. Says A B {|X, Crypt K (Nonce NB)|} : set evs"; |
669 \ ==> EX X. Says A B {|X, Crypt K (Nonce NB)|} : set evs"; |
649 by (dtac B_trusts_YM4 1); |
670 by (forward_tac [B_trusts_YM4] 1); |
650 by (REPEAT_FIRST (eresolve_tac [asm_rl, spec])); |
671 by (REPEAT_FIRST (eresolve_tac [asm_rl, spec])); |
651 by (etac (Says_imp_spies RS parts.Inj RS MPair_parts) 1); |
672 by (etac (Says_imp_spies RS parts.Inj RS MPair_parts) 1); |
652 by (rtac lemma 1); |
673 by (rtac lemma 1); |
653 by (rtac Spy_not_see_encrypted_key 2); |
674 by (rtac Spy_not_see_encrypted_key 2); |
654 by (REPEAT_FIRST assume_tac); |
675 by (REPEAT_FIRST assume_tac); |