10 From page 244 of |
10 From page 244 of |
11 Burrows, Abadi and Needham. A Logic of Authentication. |
11 Burrows, Abadi and Needham. A Logic of Authentication. |
12 Proc. Royal Soc. 426 (1989) |
12 Proc. Royal Soc. 426 (1989) |
13 *) |
13 *) |
14 |
14 |
15 AddEs knows_Spy_partsEs; |
15 AddDs [Says_imp_knows_Spy RS parts.Inj, parts.Body]; |
16 AddDs [impOfSubs analz_subset_parts]; |
16 AddDs [impOfSubs analz_subset_parts, impOfSubs Fake_parts_insert]; |
17 AddDs [impOfSubs Fake_parts_insert]; |
|
18 |
17 |
19 |
18 |
20 (*A "possibility property": there are traces that reach the end*) |
19 (*A "possibility property": there are traces that reach the end*) |
21 Goal "[| B ~= Server |] \ |
20 Goal "[| B ~= Server |] \ |
22 \ ==> EX NA K. EX evs: otway. \ |
21 \ ==> EX NA K. EX evs: otway. \ |
38 |
37 |
39 (*Must be proved separately for each protocol*) |
38 (*Must be proved separately for each protocol*) |
40 Goal "[| Gets B X : set evs; evs : otway |] ==> X : knows Spy evs"; |
39 Goal "[| Gets B X : set evs; evs : otway |] ==> X : knows Spy evs"; |
41 by (blast_tac (claset() addSDs [Gets_imp_Says, Says_imp_knows_Spy]) 1); |
40 by (blast_tac (claset() addSDs [Gets_imp_Says, Says_imp_knows_Spy]) 1); |
42 qed"Gets_imp_knows_Spy"; |
41 qed"Gets_imp_knows_Spy"; |
43 AddDs [Gets_imp_knows_Spy RS parts.Inj]; |
42 AddSDs [Gets_imp_knows_Spy RS parts.Inj]; |
44 |
43 |
45 |
44 |
46 (**** Inductive proofs about otway ****) |
45 (**** Inductive proofs about otway ****) |
47 |
46 |
48 (** For reasoning about the encrypted portion of messages **) |
47 (** For reasoning about the encrypted portion of messages **) |
101 (*Fake*) |
100 (*Fake*) |
102 by (blast_tac (claset() addSDs [keysFor_parts_insert]) 1); |
101 by (blast_tac (claset() addSDs [keysFor_parts_insert]) 1); |
103 (*OR2, OR3*) |
102 (*OR2, OR3*) |
104 by (ALLGOALS Blast_tac); |
103 by (ALLGOALS Blast_tac); |
105 qed_spec_mp "new_keys_not_used"; |
104 qed_spec_mp "new_keys_not_used"; |
106 |
105 Addsimps [new_keys_not_used]; |
107 bind_thm ("new_keys_not_analzd", |
|
108 [analz_subset_parts RS keysFor_mono, |
|
109 new_keys_not_used] MRS contra_subsetD); |
|
110 |
|
111 Addsimps [new_keys_not_used, new_keys_not_analzd]; |
|
112 |
106 |
113 |
107 |
114 |
108 |
115 (*** Proofs involving analz ***) |
109 (*** Proofs involving analz ***) |
116 |
110 |
231 val nonce_OR1_OR2_E = no_nonce_OR1_OR2 RSN (2, rev_notE); |
225 val nonce_OR1_OR2_E = no_nonce_OR1_OR2 RSN (2, rev_notE); |
232 |
226 |
233 (*Crucial property: If the encrypted message appears, and A has used NA |
227 (*Crucial property: If the encrypted message appears, and A has used NA |
234 to start a run, then it originated with the Server!*) |
228 to start a run, then it originated with the Server!*) |
235 Goal "[| A ~: bad; evs : otway |] \ |
229 Goal "[| A ~: bad; evs : otway |] \ |
236 \ ==> Crypt (shrK A) {|NA, Key K|} : parts (knows Spy evs) \ |
230 \ ==> Says A B {|NA, Agent A, Agent B, \ |
237 \ --> Says A B {|NA, Agent A, Agent B, \ |
231 \ Crypt (shrK A) {|NA, Agent A, Agent B|}|} : set evs --> \ |
238 \ Crypt (shrK A) {|NA, Agent A, Agent B|}|} \ |
232 \ Crypt (shrK A) {|NA, Key K|} : parts (knows Spy evs) \ |
239 \ : set evs --> \ |
233 \ --> (EX NB. Says Server B \ |
240 \ (EX NB. Says Server B \ |
234 \ {|NA, \ |
241 \ {|NA, \ |
235 \ Crypt (shrK A) {|NA, Key K|}, \ |
242 \ Crypt (shrK A) {|NA, Key K|}, \ |
236 \ Crypt (shrK B) {|NB, Key K|}|} : set evs)"; |
243 \ Crypt (shrK B) {|NB, Key K|}|} \ |
|
244 \ : set evs)"; |
|
245 by (parts_induct_tac 1); |
237 by (parts_induct_tac 1); |
246 by (Blast_tac 1); |
238 by (Blast_tac 1); |
247 (*OR1: it cannot be a new Nonce, contradiction.*) |
239 (*OR1: it cannot be a new Nonce, contradiction.*) |
248 by (Blast_tac 1); |
240 by (Blast_tac 1); |
249 (*OR3 and OR4*) |
241 (*OR4*) |
|
242 by (blast_tac (claset() addSIs [Crypt_imp_OR1]) 2); |
250 by (asm_simp_tac (simpset() addsimps [ex_disj_distrib]) 1); |
243 by (asm_simp_tac (simpset() addsimps [ex_disj_distrib]) 1); |
251 by (rtac conjI 1); |
244 by (blast_tac (claset() addSEs [nonce_OR1_OR2_E] addIs [unique_NA]) 1); |
252 by (ALLGOALS Clarify_tac); |
|
253 (*OR4*) |
|
254 by (blast_tac (claset() addSIs [Crypt_imp_OR1]) 3); |
|
255 (*OR3, two cases*) (** LEVEL 7 **) |
|
256 by (blast_tac (claset() addSEs [nonce_OR1_OR2_E] |
|
257 delrules [conjI] (*stop split-up into 4 subgoals*)) 2); |
|
258 by (blast_tac (claset() addIs [unique_NA]) 1); |
|
259 qed_spec_mp "NA_Crypt_imp_Server_msg"; |
245 qed_spec_mp "NA_Crypt_imp_Server_msg"; |
260 |
246 |
261 |
247 |
262 (*Corollary: if A receives B's OR4 message and the nonce NA agrees |
248 (*Corollary: if A receives B's OR4 message and the nonce NA agrees |
263 then the key really did come from the Server! CANNOT prove this of the |
249 then the key really did come from the Server! CANNOT prove this of the |
306 \ {|NA, Crypt (shrK A) {|NA, Key K|}, \ |
292 \ {|NA, Crypt (shrK A) {|NA, Key K|}, \ |
307 \ Crypt (shrK B) {|NB, Key K|}|} : set evs; \ |
293 \ Crypt (shrK B) {|NB, Key K|}|} : set evs; \ |
308 \ Notes Spy {|NA, NB, Key K|} ~: set evs; \ |
294 \ Notes Spy {|NA, NB, Key K|} ~: set evs; \ |
309 \ A ~: bad; B ~: bad; evs : otway |] \ |
295 \ A ~: bad; B ~: bad; evs : otway |] \ |
310 \ ==> Key K ~: analz (knows Spy evs)"; |
296 \ ==> Key K ~: analz (knows Spy evs)"; |
311 by (ftac Says_Server_message_form 1 THEN assume_tac 1); |
297 by (blast_tac (claset() addDs [Says_Server_message_form] addSEs [lemma]) 1); |
312 by (blast_tac (claset() addSEs [lemma]) 1); |
|
313 qed "Spy_not_see_encrypted_key"; |
298 qed "Spy_not_see_encrypted_key"; |
314 |
299 |
315 |
300 |
316 (*A's guarantee. The Oops premise quantifies over NB because A cannot know |
301 (*A's guarantee. The Oops premise quantifies over NB because A cannot know |
317 what it is.*) |
302 what it is.*) |
354 (*Fake, OR2*) |
339 (*Fake, OR2*) |
355 by (REPEAT (Blast_tac 1)); |
340 by (REPEAT (Blast_tac 1)); |
356 qed "unique_NB"; |
341 qed "unique_NB"; |
357 |
342 |
358 (*If the encrypted message appears, and B has used Nonce NB, |
343 (*If the encrypted message appears, and B has used Nonce NB, |
359 then it originated with the Server!*) |
344 then it originated with the Server! Quite messy proof.*) |
360 Goal "[| B ~: bad; evs : otway |] \ |
345 Goal "[| B ~: bad; evs : otway |] \ |
361 \ ==> Crypt (shrK B) {|NB, Key K|} : parts (knows Spy evs) \ |
346 \ ==> Crypt (shrK B) {|NB, Key K|} : parts (knows Spy evs) \ |
362 \ --> (ALL X'. Says B Server \ |
347 \ --> (ALL X'. Says B Server \ |
363 \ {|NA, Agent A, Agent B, X', \ |
348 \ {|NA, Agent A, Agent B, X', \ |
364 \ Crypt (shrK B) {|NA, NB, Agent A, Agent B|}|} \ |
349 \ Crypt (shrK B) {|NA, NB, Agent A, Agent B|}|} \ |
365 \ : set evs \ |
350 \ : set evs \ |
366 \ --> Says Server B \ |
351 \ --> Says Server B \ |
367 \ {|NA, Crypt (shrK A) {|NA, Key K|}, \ |
352 \ {|NA, Crypt (shrK A) {|NA, Key K|}, \ |
368 \ Crypt (shrK B) {|NB, Key K|}|} \ |
353 \ Crypt (shrK B) {|NB, Key K|}|} \ |
369 \ : set evs)"; |
354 \ : set evs)"; |
|
355 by (asm_full_simp_tac (simpset() addsimps []) 1); |
370 by (parts_induct_tac 1); |
356 by (parts_induct_tac 1); |
371 by (Blast_tac 1); |
357 by (Blast_tac 1); |
372 (*OR1: it cannot be a new Nonce, contradiction.*) |
358 (*OR1: it cannot be a new Nonce, contradiction.*) |
373 by (Blast_tac 1); |
359 by (Blast_tac 1); |
374 (*OR4*) |
360 (*OR4*) |
375 by (blast_tac (claset() addSDs [Crypt_imp_OR2]) 2); |
361 by (blast_tac (claset() addSDs [Crypt_imp_OR2]) 2); |
376 (*OR3*) |
362 (*OR3: needs AddSEs [MPair_parts] or it takes forever!*) |
377 by (blast_tac (claset() addDs [unique_NB] addEs [nonce_OR1_OR2_E]) 1); |
363 by (blast_tac (claset() addDs [unique_NB] |
|
364 addEs [nonce_OR1_OR2_E]) 1); |
378 qed_spec_mp "NB_Crypt_imp_Server_msg"; |
365 qed_spec_mp "NB_Crypt_imp_Server_msg"; |
379 |
366 |
380 |
367 |
381 (*Guarantee for B: if it gets a message with matching NB then the Server |
368 (*Guarantee for B: if it gets a message with matching NB then the Server |
382 has sent the correct message.*) |
369 has sent the correct message.*) |
429 \ Crypt (shrK A) {|NA, Agent A, Agent B|}|} : set evs; \ |
416 \ Crypt (shrK A) {|NA, Agent A, Agent B|}|} : set evs; \ |
430 \ A ~: bad; B ~: bad; evs : otway |] \ |
417 \ A ~: bad; B ~: bad; evs : otway |] \ |
431 \ ==> EX NB X. Says B Server {|NA, Agent A, Agent B, X, \ |
418 \ ==> EX NB X. Says B Server {|NA, Agent A, Agent B, X, \ |
432 \ Crypt (shrK B) {|NA, NB, Agent A, Agent B|} |}\ |
419 \ Crypt (shrK B) {|NA, NB, Agent A, Agent B|} |}\ |
433 \ : set evs"; |
420 \ : set evs"; |
434 by (blast_tac (claset() addSDs [A_trusts_OR4, OR3_imp_OR2]) 1); |
421 by (blast_tac (claset() delrules [Gets_imp_knows_Spy RS parts.Inj] |
|
422 addSDs [A_trusts_OR4, OR3_imp_OR2]) 1); |
435 qed "A_auths_B"; |
423 qed "A_auths_B"; |