|
1 (* Title: HOL/Auth/KerberosIV |
|
2 ID: $Id$ |
|
3 Author: Giampaolo Bella, Cambridge University Computer Laboratory |
|
4 Copyright 1998 University of Cambridge |
|
5 |
|
6 The Kerberos protocol, version IV. |
|
7 *) |
|
8 |
|
(* Session-wide settings for this proof script. Each statement changes global
   prover state that all later proofs in the file run under. *)
9 Pretty.setdepth 20; |
|
10 proof_timing:=true; |
|
11 HOL_quantifiers := false; |
|
12 |
|
(* Installs the listed facts as default iff-rules, so the automatic tactics
   below use them without being told to. The facts are defined outside this
   file; by their names they are lifetime lower bounds plus the assumption
   that Tgs is not compromised - confirm in the theory file. *)
13 AddIffs [AuthLife_LB, ServLife_LB, AutcLife_LB, RespLife_LB, Tgs_not_bad]; |
|
14 |
|
15 |
|
16 (** Reversed traces **) |
|
17 |
|
(* spies_Says_rev: a Says event appended at the end of a trace adds its
   message X to spies, whatever the sender A and recipient B are.
   Proof: induction on the trace evs, then on the event a in subgoal 2
   (presumably the head event of the step case), closed by Auto_tac. *)
18 Goal "spies (evs @ [Says A B X]) = insert X (spies evs)"; |
|
19 by (induct_tac "evs" 1); |
|
20 by (induct_tac "a" 2); |
|
21 by Auto_tac; |
|
22 qed "spies_Says_rev"; |
|
23 |
|
(* spies_Gets_rev: a Gets event appended at the end of a trace leaves spies
   unchanged. Same proof shape as spies_Says_rev. *)
24 Goal "spies (evs @ [Gets A X]) = spies evs"; |
|
25 by (induct_tac "evs" 1); |
|
26 by (induct_tac "a" 2); |
|
27 by Auto_tac; |
|
28 qed "spies_Gets_rev"; |
|
29 |
|
(* spies_Notes_rev: a Notes event appended at the end of a trace adds its
   content X to spies only when the noting agent A is in bad; for any other
   agent spies is unchanged. *)
30 Goal "spies (evs @ [Notes A X]) = \ |
|
31 \ (if A:bad then insert X (spies evs) else spies evs)"; |
|
32 by (induct_tac "evs" 1); |
|
33 by (induct_tac "a" 2); |
|
34 by Auto_tac; |
|
35 qed "spies_Notes_rev"; |
|
36 |
|
(* spies_evs_rev: spies of a trace equals spies of the reversed trace.
   The step cases are discharged by rewriting with the three append lemmas
   proved just above (Says, Gets, Notes). *)
37 Goal "spies evs = spies (rev evs)"; |
|
38 by (induct_tac "evs" 1); |
|
39 by (induct_tac "a" 2); |
|
40 by (ALLGOALS |
|
41 (asm_simp_tac (simpset() addsimps [spies_Says_rev, spies_Gets_rev, |
|
42 spies_Notes_rev]))); |
|
43 qed "spies_evs_rev"; |
|
(* Derived rule: one inclusion direction of the equality (equalityD2),
   lifted through parts by parts_mono. *)
44 bind_thm ("parts_spies_evs_revD2", spies_evs_rev RS equalityD2 RS parts_mono); |
|
45 |
|
46 Goal "spies (takeWhile P evs) <= spies evs"; |
|
47 by (induct_tac "evs" 1); |
|
48 by (induct_tac "a" 2); |
|
49 by Auto_tac; |
|
50 (* Resembles "used_subset_append" in Event.ML*) |
|
51 qed "spies_takeWhile"; |
|
52 bind_thm ("parts_spies_takeWhile_mono", spies_takeWhile RS parts_mono); |
|
53 |
|
54 Goal "~P(x) --> takeWhile P (xs @ [x]) = takeWhile P xs"; |
|
55 by (induct_tac "xs" 1); |
|
56 by Auto_tac; |
|
57 qed "takeWhile_tail"; |
|
58 |
|
59 |
|
60 (*****************LEMMAS ABOUT AuthKeys****************) |
|
61 |
|
62 Goalw [AuthKeys_def] "AuthKeys [] = {}"; |
|
63 by (Simp_tac 1); |
|
64 qed "AuthKeys_empty"; |
|
65 |
|
66 Goalw [AuthKeys_def] |
|
67 "(ALL A Tk akey Peer. \ |
|
68 \ ev ~= Says Kas A (Crypt (shrK A) {|akey, Agent Peer, Tk, \ |
|
69 \ (Crypt (shrK Peer) {|Agent A, Agent Peer, akey, Tk|})|}))\ |
|
70 \ ==> AuthKeys (ev # evs) = AuthKeys evs"; |
|
71 by Auto_tac; |
|
72 qed "AuthKeys_not_insert"; |
|
73 |
|
(* AuthKeys_insert: when the head of the trace is a Kas message of the shape
   shown (key K under shrK A, with an inner ticket under shrK Peer), AuthKeys
   of the extended trace is AuthKeys of the rest with K inserted.
   Goalw unfolds AuthKeys_def first, so Auto_tac works on the definition. *)
74 Goalw [AuthKeys_def] |
|
75 "AuthKeys \ |
|
76 \ (Says Kas A (Crypt (shrK A) {|Key K, Agent Peer, Number Tk, \ |
|
77 \ (Crypt (shrK Peer) {|Agent A, Agent Peer, Key K, Number Tk|})|}) # evs) \ |
|
78 \ = insert K (AuthKeys evs)"; |
|
79 by Auto_tac; |
|
80 qed "AuthKeys_insert"; |
|
81 |
|
82 Goalw [AuthKeys_def] |
|
83 "K : AuthKeys \ |
|
84 \ (Says Kas A (Crypt (shrK A) {|Key K', Agent Peer, Number Tk, \ |
|
85 \ (Crypt (shrK Peer) {|Agent A, Agent Peer, Key K', Number Tk|})|}) # evs) \ |
|
86 \ ==> K = K' | K : AuthKeys evs"; |
|
87 by Auto_tac; |
|
88 qed "AuthKeys_simp"; |
|
89 |
|
(* AuthKeysI: introduction rule for AuthKeys. If the trace contains the Kas
   message that hands key K to A for use with Tgs, then K : AuthKeys evs. *)
90 Goalw [AuthKeys_def] |
|
91 "Says Kas A (Crypt (shrK A) {|Key K, Agent Tgs, Number Tk, \ |
|
92 \ (Crypt (shrK Tgs) {|Agent A, Agent Tgs, Key K, Number Tk|})|}) : set evs \ |
|
93 \ ==> K : AuthKeys evs"; |
|
94 by Auto_tac; |
|
95 qed "AuthKeysI"; |
|
96 |
|
(* AuthKeys_used: every key in AuthKeys evs is already in used evs.
   Read contrapositively: a key with Key K ~: used evs cannot be an
   authentication key of that trace. *)
97 Goalw [AuthKeys_def] "K : AuthKeys evs ==> Key K : used evs"; |
|
98 by (Simp_tac 1); |
|
99 by (blast_tac (claset() addSEs spies_partsEs) 1); |
|
100 qed "AuthKeys_used"; |
|
101 |
|
102 |
|
103 (**** FORWARDING LEMMAS ****) |
|
104 |
|
105 (*--For reasoning about the encrypted portion of message K3--*) |
|
106 Goal "Says Kas' A (Crypt KeyA {|AuthKey, Peer, Tk, AuthTicket|}) \ |
|
107 \ : set evs ==> AuthTicket : parts (spies evs)"; |
|
108 by (blast_tac (claset() addSEs spies_partsEs) 1); |
|
109 qed "K3_msg_in_parts_spies"; |
|
110 |
|
111 Goal "Says Kas A (Crypt KeyA {|AuthKey, Peer, Tk, AuthTicket|}) \ |
|
112 \ : set evs ==> AuthKey : parts (spies evs)"; |
|
113 by (blast_tac (claset() addSEs spies_partsEs) 1); |
|
114 qed "Oops_parts_spies1"; |
|
115 |
|
(* Oops_range_spies1: a key that Kas sends in a message of this shape is never
   in range shrK, i.e. Kas does not hand out a long-term key as AuthKey.
   etac rev_mp moves the Says premise into the goal as an implication so that
   the induction over kerberos carries it along. *)
116 Goal "[| Says Kas A (Crypt KeyA {|Key AuthKey, Peer, Tk, AuthTicket|}) \ |
|
117 \ : set evs ;\ |
|
118 \ evs : kerberos |] ==> AuthKey ~: range shrK"; |
|
119 by (etac rev_mp 1); |
|
120 by (etac kerberos.induct 1); |
|
121 by Auto_tac; |
|
122 qed "Oops_range_spies1"; |
|
123 |
|
124 (*--For reasoning about the encrypted portion of message K5--*) |
|
125 Goal "Says Tgs' A (Crypt AuthKey {|ServKey, Agent B, Tt, ServTicket|})\ |
|
126 \ : set evs ==> ServTicket : parts (spies evs)"; |
|
127 by (blast_tac (claset() addSEs spies_partsEs) 1); |
|
128 qed "K5_msg_in_parts_spies"; |
|
129 |
|
130 Goal "Says Tgs A (Crypt AuthKey {|ServKey, Agent B, Tt, ServTicket|})\ |
|
131 \ : set evs ==> ServKey : parts (spies evs)"; |
|
132 by (blast_tac (claset() addSEs spies_partsEs) 1); |
|
133 qed "Oops_parts_spies2"; |
|
134 |
|
(* Oops_range_spies2: counterpart of Oops_range_spies1 for Tgs. A ServKey that
   Tgs sends in a message of this shape is never in range shrK. *)
135 Goal "[| Says Tgs A (Crypt AuthKey {|Key ServKey, Agent B, Tt, ServTicket|}) \ |
|
136 \ : set evs ;\ |
|
137 \ evs : kerberos |] ==> ServKey ~: range shrK"; |
|
138 by (etac rev_mp 1); |
|
139 by (etac kerberos.induct 1); |
|
140 by Auto_tac; |
|
141 qed "Oops_range_spies2"; |
|
142 |
|
143 Goal "Says S A (Crypt K {|SesKey, B, TimeStamp, Ticket|}) : set evs \ |
|
144 \ ==> Ticket : parts (spies evs)"; |
|
145 by (blast_tac (claset() addSEs spies_partsEs) 1); |
|
146 qed "Says_ticket_in_parts_spies"; |
|
147 (*Replaces both K3_msg_in_parts_spies and K5_msg_in_parts_spies*) |
|
148 |
|
(* parts_induct_tac i: shared opening move for the inductive proofs below.
   Applies kerberos.induct to subgoal i, runs analz_mono_contra_tac on the
   resulting subgoals, then pushes forward facts into four fixed subgoals.
   The offsets i+4, i+6, i+8 and i+9 presumably select the K3, K5, Oops1 and
   Oops2 cases - that matches the lemma names used, but the rule order is set
   in the theory file, so confirm there if a protocol rule is added or moved.
   NOTE(review): the last step is called with the literal 1, not i; every
   call visible in this section passes i = 1. *)
149 fun parts_induct_tac i = |
|
150 etac kerberos.induct i THEN |
|
151 REPEAT (FIRSTGOAL analz_mono_contra_tac) THEN |
|
152 forward_tac [K3_msg_in_parts_spies] (i+4) THEN |
|
153 forward_tac [K5_msg_in_parts_spies] (i+6) THEN |
|
154 forward_tac [Oops_parts_spies1] (i+8) THEN |
|
155 forward_tac [Oops_parts_spies2] (i+9) THEN |
|
156 prove_simple_subgoals_tac 1; |
|
157 |
|
158 |
|
159 (*Spy never sees another agent's shared key! (unless it's lost at start)*) |
|
(* Stated as an equivalence: Key (shrK A) occurs in parts (spies evs) exactly
   when A : bad. So for an agent outside bad the long-term key never appears
   in traffic, even as a component of an encrypted message. *)
160 Goal "evs : kerberos ==> (Key (shrK A) : parts (spies evs)) = (A : bad)"; |
|
161 by (parts_induct_tac 1); |
|
162 by (Fake_parts_insert_tac 1); |
|
163 by (ALLGOALS Blast_tac); |
|
164 qed "Spy_see_shrK"; |
|
(* Registered as a default simp rule: later proofs rewrite with it
   implicitly. *)
165 Addsimps [Spy_see_shrK]; |
|
166 |
|
(* Spy_analz_shrK: the same equivalence as Spy_see_shrK with analz in place
   of parts - the spy can derive shrK A exactly when A : bad. Obtained from
   the parts version through analz_subset_parts; also made a default simp
   rule. *)
167 Goal "evs : kerberos ==> (Key (shrK A) : analz (spies evs)) = (A : bad)"; |
|
168 by (auto_tac (claset() addDs [impOfSubs analz_subset_parts], simpset())); |
|
169 qed "Spy_analz_shrK"; |
|
170 Addsimps [Spy_analz_shrK]; |
|
171 |
|
(* Spy_see_shrK_D: destruction-rule form of Spy_see_shrK - from the presence
   of Key (shrK A) in parts (spies evs) conclude A : bad. *)
172 Goal "[| Key (shrK A) : parts (spies evs); evs : kerberos |] ==> A:bad"; |
|
173 by (blast_tac (claset() addDs [Spy_see_shrK]) 1); |
|
174 qed "Spy_see_shrK_D"; |
|
(* The analz variant is derived by composing with analz_subset_parts; both
   are then installed as safe destruction rules for the classical reasoner,
   which changes the default rule set for everything that follows. *)
175 bind_thm ("Spy_analz_shrK_D", analz_subset_parts RS subsetD RS Spy_see_shrK_D); |
|
176 AddSDs [Spy_see_shrK_D, Spy_analz_shrK_D]; |
|
177 |
|
178 (*Nobody can have used non-existent keys!*) |
|
(* Precisely: a key K with Key K ~: used evs is not in
   keysFor (parts (spies evs)), i.e. no ciphertext in the traffic so far was
   made with a key that is still fresh. qed_spec_mp stores the statement as
   a rule with the implication turned into a premise. *)
179 Goal "evs : kerberos ==> \ |
|
180 \ Key K ~: used evs --> K ~: keysFor (parts (spies evs))"; |
|
181 by (parts_induct_tac 1); |
|
182 (*Fake*) |
|
183 by (best_tac |
|
184 (claset() addSDs [impOfSubs (parts_insert_subset_Un RS keysFor_mono)] |
|
185 addIs [impOfSubs analz_subset_parts] |
|
186 addDs [impOfSubs (analz_subset_parts RS keysFor_mono)] |
|
187 addss (simpset())) 1); |
|
188 (*Others*) |
|
189 by (ALLGOALS (blast_tac (claset() addSEs spies_partsEs))); |
|
190 qed_spec_mp "new_keys_not_used"; |
|
191 |
|
(* Variant derived from new_keys_not_used through analz_subset_parts and
   keysFor_mono - presumably the same statement with analz in place of
   parts; check the bound theorem if the exact form matters. *)
192 bind_thm ("new_keys_not_analzd", |
|
193 [analz_subset_parts RS keysFor_mono, |
|
194 new_keys_not_used] MRS contra_subsetD); |
|
195 |
|
(* Both become default simp rules from here on. *)
196 Addsimps [new_keys_not_used, new_keys_not_analzd]; |
|
197 |
|
198 |
|
199 (*********************** REGULARITY LEMMAS ***********************) |
|
200 (* concerning the form of items passed in messages *) |
|
201 (*****************************************************************) |
|
202 |
|
203 (*Describes the form of AuthKey, AuthTicket, and K sent by Kas*) |
|
(* Only the outer shape of the Kas message is assumed. Everything else is a
   conclusion: AuthKey is not a long-term key and is in AuthKeys evs, the
   ticket is the expected ciphertext under shrK Tgs, the outer key is shrK A
   and the peer is Tgs. *)
204 Goal "[| Says Kas A (Crypt K {|Key AuthKey, Agent Peer, Tk, AuthTicket|}) \ |
|
205 \ : set evs; \ |
|
206 \ evs : kerberos |] \ |
|
207 \ ==> AuthKey ~: range shrK & AuthKey : AuthKeys evs & \ |
|
208 \ AuthTicket = (Crypt (shrK Tgs) {|Agent A, Agent Tgs, Key AuthKey, Tk|} ) &\ |
|
209 \ K = shrK A & Peer = Tgs"; |
|
210 by (etac rev_mp 1); |
|
211 by (etac kerberos.induct 1); |
|
212 by (ALLGOALS (simp_tac (simpset() addsimps [AuthKeys_def, AuthKeys_insert]))); |
|
213 by (ALLGOALS Blast_tac); |
|
214 qed "Says_Kas_message_form"; |
|
215 |
|
216 (*This lemma is essential for proving Says_Tgs_message_form: |
|
217 |
|
218 the session key AuthKey |
|
219 supplied by Kas in the authentication ticket |
|
220 cannot be a long-term key! |
|
221 |
|
222 Generalised to any session keys (both AuthKey and ServKey). |
|
223 *) |
|
(* The conclusion depends on the premise Tgs_B ~: bad: the ticket must be
   sealed under the long-term key of an uncompromised agent. Nothing is
   claimed about tickets sealed under the key of an agent in bad. *)
224 Goal "[| Crypt (shrK Tgs_B) {|Agent A, Agent Tgs_B, Key SesKey, Number T|}\ |
|
225 \ : parts (spies evs); Tgs_B ~: bad;\ |
|
226 \ evs : kerberos |] \ |
|
227 \ ==> SesKey ~: range shrK"; |
|
228 by (etac rev_mp 1); |
|
229 by (parts_induct_tac 1); |
|
230 by (Fake_parts_insert_tac 1); |
|
231 qed "SesKey_is_session_key"; |
|
232 |
|
(* A_trusts_AuthTicket: origin guarantee for the authentication ticket. If a
   ticket sealed under shrK Tgs appears anywhere in the traffic, then Kas
   really sent the enclosing message containing that ticket to A.
   There is no explicit premise that Tgs is uncompromised; presumably the
   proof relies on Tgs_not_bad, installed by AddIffs at the top of the file -
   confirm before reusing the lemma in a model where Tgs may be in bad. *)
233 Goal "[| Crypt (shrK Tgs) {|Agent A, Agent Tgs, Key AuthKey, Tk|} \ |
|
234 \ : parts (spies evs); \ |
|
235 \ evs : kerberos |] \ |
|
236 \ ==> Says Kas A (Crypt (shrK A) {|Key AuthKey, Agent Tgs, Tk, \ |
|
237 \ Crypt (shrK Tgs) {|Agent A, Agent Tgs, Key AuthKey, Tk|}|}) \ |
|
238 \ : set evs"; |
|
239 by (etac rev_mp 1); |
|
240 by (parts_induct_tac 1); |
|
241 (*Fake*) |
|
242 by (Fake_parts_insert_tac 1); |
|
243 (*K4*) |
|
244 by (Blast_tac 1); |
|
245 qed "A_trusts_AuthTicket"; |
|
246 |
|
247 Goal "[| Crypt (shrK Tgs) {|Agent A, Agent Tgs, Key AuthKey, Number Tk|}\ |
|
248 \ : parts (spies evs);\ |
|
249 \ evs : kerberos |] \ |
|
250 \ ==> AuthKey : AuthKeys evs"; |
|
251 by (forward_tac [A_trusts_AuthTicket] 1); |
|
252 by (assume_tac 1); |
|
253 by (simp_tac (simpset() addsimps [AuthKeys_def]) 1); |
|
254 by (Blast_tac 1); |
|
255 qed "AuthTicket_crypt_AuthKey"; |
|
256 |
|
257 (*Describes the form of ServKey, ServTicket and AuthKey sent by Tgs*) |
|
258 Goal "[| Says Tgs A (Crypt AuthKey {|Key ServKey, Agent B, Tt, ServTicket|})\ |
|
259 \ : set evs; \ |
|
260 \ evs : kerberos |] \ |
|
261 \ ==> B ~= Tgs & ServKey ~: range shrK & ServKey ~: AuthKeys evs &\ |
|
262 \ ServTicket = (Crypt (shrK B) {|Agent A, Agent B, Key ServKey, Tt|} ) & \ |
|
263 \ AuthKey ~: range shrK & AuthKey : AuthKeys evs"; |
|
264 by (etac rev_mp 1); |
|
265 by (etac kerberos.induct 1); |
|
266 by (ALLGOALS |
|
267 (asm_full_simp_tac |
|
268 (simpset() addsimps [AuthKeys_insert, AuthKeys_not_insert, |
|
269 AuthKeys_empty, AuthKeys_simp]))); |
|
270 by (blast_tac (claset() addEs spies_partsEs) 1); |
|
271 by Auto_tac; |
|
272 by (blast_tac (claset() addSDs [AuthKeys_used, Says_Kas_message_form]) 1); |
|
273 by (blast_tac (claset() addSDs [SesKey_is_session_key] |
|
274 addEs spies_partsEs) 1); |
|
275 by (blast_tac (claset() addDs [AuthTicket_crypt_AuthKey] |
|
276 addEs spies_partsEs) 1); |
|
277 qed "Says_Tgs_message_form"; |
|
278 |
|
279 (*If a certain encrypted message appears then it originated with Kas*) |
|
(* The message in question is sealed under shrK A, and the guarantee is
   conditional on A ~: bad. No claim is made for an agent in bad. *)
280 Goal "[| Crypt (shrK A) {|Key AuthKey, Peer, Tk, AuthTicket|} \ |
|
281 \ : parts (spies evs); \ |
|
282 \ A ~: bad; evs : kerberos |] \ |
|
283 \ ==> Says Kas A (Crypt (shrK A) {|Key AuthKey, Peer, Tk, AuthTicket|}) \ |
|
284 \ : set evs"; |
|
285 by (etac rev_mp 1); |
|
286 by (parts_induct_tac 1); |
|
287 (*Fake*) |
|
288 by (Fake_parts_insert_tac 1); |
|
289 (*K4*) |
|
(* The K4 case chains A_trusts_AuthTicket into Says_Kas_message_form. *)
290 by (blast_tac (claset() addSDs [Says_imp_spies RS parts.Inj RS parts.Fst, |
|
291 A_trusts_AuthTicket RS Says_Kas_message_form]) |
|
292 1); |
|
293 qed "A_trusts_AuthKey"; |
|
294 |
|
295 |
|
296 (*If a certain encrypted message appears then it originated with Tgs*) |
|
(* Two side conditions carry the guarantee: the spy cannot derive AuthKey
   (Key AuthKey ~: analz (spies evs)) and AuthKey is not a long-term key.
   The conclusion only asserts that some recipient A exists; it does not
   identify which agent Tgs sent the message to. *)
297 Goal "[| Crypt AuthKey {|Key ServKey, Agent B, Tt, ServTicket|} \ |
|
298 \ : parts (spies evs); \ |
|
299 \ Key AuthKey ~: analz (spies evs); \ |
|
300 \ AuthKey ~: range shrK; \ |
|
301 \ evs : kerberos |] \ |
|
302 \==> EX A. Says Tgs A (Crypt AuthKey {|Key ServKey, Agent B, Tt, ServTicket|})\ |
|
303 \ : set evs"; |
|
(* Two rev_mp steps: both the ciphertext premise and the secrecy premise
   are moved into the goal before the induction. *)
304 by (etac rev_mp 1); |
|
305 by (etac rev_mp 1); |
|
306 by (parts_induct_tac 1); |
|
307 (*Fake*) |
|
308 by (Fake_parts_insert_tac 1); |
|
309 (*K2*) |
|
310 by (Blast_tac 1); |
|
311 (*K4*) |
|
312 by Auto_tac; |
|
313 qed "A_trusts_K4"; |
|
314 |
|
315 Goal "[| Crypt (shrK A) {|Key AuthKey, Agent Tgs, Tk, AuthTicket|} \ |
|
316 \ : parts (spies evs); \ |
|
317 \ A ~: bad; \ |
|
318 \ evs : kerberos |] \ |
|
319 \ ==> AuthKey ~: range shrK & \ |
|
320 \ AuthTicket = Crypt (shrK Tgs) {|Agent A, Agent Tgs, Key AuthKey, Tk|}"; |
|
321 by (etac rev_mp 1); |
|
322 by (parts_induct_tac 1); |
|
323 by (Fake_parts_insert_tac 1); |
|
324 by (Blast_tac 1); |
|
325 qed "AuthTicket_form"; |
|
326 |
|
327 (* This form holds also over an AuthTicket, but is not needed below. *) |
|
328 Goal "[| Crypt AuthKey {|Key ServKey, Agent B, Tt, ServTicket|} \ |
|
329 \ : parts (spies evs); \ |
|
330 \ Key AuthKey ~: analz (spies evs); \ |
|
331 \ evs : kerberos |] \ |
|
332 \ ==> ServKey ~: range shrK & \ |
|
333 \ (EX A. ServTicket = Crypt (shrK B) {|Agent A, Agent B, Key ServKey, Tt|})"; |
|
334 by (etac rev_mp 1); |
|
335 by (etac rev_mp 1); |
|
336 by (parts_induct_tac 1); |
|
337 by (Fake_parts_insert_tac 1); |
|
338 qed "ServTicket_form"; |
|
339 |
|
340 Goal "[| Says Kas' A (Crypt (shrK A) \ |
|
341 \ {|Key AuthKey, Agent Tgs, Tk, AuthTicket|} ) : set evs; \ |
|
342 \ evs : kerberos |] \ |
|
343 \ ==> AuthKey ~: range shrK & \ |
|
344 \ AuthTicket = \ |
|
345 \ Crypt (shrK Tgs) {|Agent A, Agent Tgs, Key AuthKey, Tk|}\ |
|
346 \ | AuthTicket : analz (spies evs)"; |
|
347 by (case_tac "A : bad" 1); |
|
348 by (force_tac (claset() addSDs [Says_imp_spies RS analz.Inj], simpset()) 1); |
|
349 by (forward_tac [Says_imp_spies RS parts.Inj] 1); |
|
350 by (blast_tac (claset() addSDs [AuthTicket_form]) 1); |
|
351 qed "Says_kas_message_form"; |
|
352 (* Essentially the same as AuthTicket_form *) |
|
353 |
|
354 Goal "[| Says Tgs' A (Crypt AuthKey \ |
|
355 \ {|Key ServKey, Agent B, Tt, ServTicket|} ) : set evs; \ |
|
356 \ evs : kerberos |] \ |
|
357 \ ==> ServKey ~: range shrK & \ |
|
358 \ (EX A. ServTicket = \ |
|
359 \ Crypt (shrK B) {|Agent A, Agent B, Key ServKey, Tt|}) \ |
|
360 \ | ServTicket : analz (spies evs)"; |
|
361 by (case_tac "Key AuthKey : analz (spies evs)" 1); |
|
362 by (force_tac (claset() addSDs [Says_imp_spies RS analz.Inj], simpset()) 1); |
|
363 by (forward_tac [Says_imp_spies RS parts.Inj] 1); |
|
364 by (blast_tac (claset() addSDs [ServTicket_form]) 1); |
|
365 qed "Says_tgs_message_form"; |
|
366 (* This form MUST be used in analz_sees_tac below *) |
|
367 |
|
368 |
|
369 (*****************UNICITY THEOREMS****************) |
|
370 |
|
371 (* The session key, if secure, uniquely identifies the Ticket, |
|
372 whether AuthTicket or ServTicket. As a matter of fact, one can also |
|
373 read Tgs in place of B. *) |
|
374 Goal "evs : kerberos ==> \ |
|
375 \ Key SesKey ~: analz (spies evs) --> \ |
|
376 \ (EX A B T. ALL A' B' T'. \ |
|
377 \ Crypt (shrK B') {|Agent A', Agent B', Key SesKey, T'|} \ |
|
378 \ : parts (spies evs) --> A'=A & B'=B & T'=T)"; |
|
379 by (parts_induct_tac 1); |
|
380 by (REPEAT (etac (exI RSN (2,exE)) 1) (*stripping EXs makes proof faster*) |
|
381 THEN Fake_parts_insert_tac 1); |
|
382 by (asm_simp_tac (simpset() addsimps [all_conj_distrib]) 1); |
|
383 by (expand_case_tac "SesKey = ?y" 1); |
|
384 by (blast_tac (claset() addSEs spies_partsEs) 1); |
|
385 by (expand_case_tac "SesKey = ?y" 1); |
|
386 by (blast_tac (claset() addSEs spies_partsEs) 1); |
|
387 val lemma = result(); |
|
388 |
|
389 Goal "[| Crypt (shrK B) {|Agent A, Agent B, Key SesKey, T|} \ |
|
390 \ : parts (spies evs); \ |
|
391 \ Crypt (shrK B') {|Agent A', Agent B', Key SesKey, T'|} \ |
|
392 \ : parts (spies evs); \ |
|
393 \ evs : kerberos; Key SesKey ~: analz (spies evs) |] \ |
|
394 \ ==> A=A' & B=B' & T=T'"; |
|
395 by (prove_unique_tac lemma 1); |
|
396 qed "unique_CryptKey"; |
|
397 |
|
398 Goal "evs : kerberos \ |
|
399 \ ==> Key SesKey ~: analz (spies evs) --> \ |
|
400 \ (EX K' B' T' Ticket'. ALL K B T Ticket. \ |
|
401 \ Crypt K {|Key SesKey, Agent B, T, Ticket|} \ |
|
402 \ : parts (spies evs) --> K=K' & B=B' & T=T' & Ticket=Ticket')"; |
|
403 by (parts_induct_tac 1); |
|
404 by (REPEAT (etac (exI RSN (2,exE)) 1) THEN Fake_parts_insert_tac 1); |
|
405 by (asm_simp_tac (simpset() addsimps [all_conj_distrib]) 1); |
|
406 by (expand_case_tac "SesKey = ?y" 1); |
|
407 by (blast_tac (claset() addSEs spies_partsEs) 1); |
|
408 by (expand_case_tac "SesKey = ?y" 1); |
|
409 by (blast_tac (claset() addSEs spies_partsEs) 1); |
|
410 val lemma = result(); |
|
411 |
|
412 (*An AuthKey is encrypted by one and only one Shared key. |
|
413 A ServKey is encrypted by one and only one AuthKey. |
|
414 *) |
|
415 Goal "[| Crypt K {|Key SesKey, Agent B, T, Ticket|} \ |
|
416 \ : parts (spies evs); \ |
|
417 \ Crypt K' {|Key SesKey, Agent B', T', Ticket'|} \ |
|
418 \ : parts (spies evs); \ |
|
419 \ evs : kerberos; Key SesKey ~: analz (spies evs) |] \ |
|
420 \ ==> K=K' & B=B' & T=T' & Ticket=Ticket'"; |
|
421 by (prove_unique_tac lemma 1); |
|
422 qed "Key_unique_SesKey"; |
|
423 |
|
424 |
|
425 (* |
|
426 At reception of any message mentioning A, Kas associates shrK A with |
|
427 a new AuthKey. Realistic, as the user gets a new AuthKey at each login. |
|
428 Similarly, at reception of any message mentioning an AuthKey |
|
429 (a legitimate user could make several requests to Tgs - by K3), Tgs |
|
430 associates it with a new ServKey. |
|
431 |
|
432 Therefore, a goal like |
|
433 |
|
434 "evs : kerberos \ |
|
435 \ ==> Key Kc ~: analz (spies evs) --> \ |
|
436 \ (EX K' B' T' Ticket'. ALL K B T Ticket. \ |
|
437 \ Crypt Kc {|Key K, Agent B, T, Ticket|} \ |
|
438 \ : parts (spies evs) --> K=K' & B=B' & T=T' & Ticket=Ticket')"; |
|
439 |
|
440 would fail on the K2 and K4 cases. |
|
441 *) |
|
442 |
|
443 (* AuthKey uniquely identifies the message from Kas *) |
|
(* Two-step pattern used for each uniqueness result in this file: first an
   existential form proved by induction and saved as the ML value lemma,
   then the usable two-premise form obtained with prove_unique_tac.
   NOTE(review): the name lemma is rebound by each such pair, so the
   prove_unique_tac call below depends on the binding made just above it. *)
444 Goal "evs : kerberos ==> \ |
|
445 \ EX A' Ka' Tk' X'. ALL A Ka Tk X. \ |
|
446 \ Says Kas A (Crypt Ka {|Key AuthKey, Agent Tgs, Tk, X|}) \ |
|
447 \ : set evs --> A=A' & Ka=Ka' & Tk=Tk' & X=X'"; |
|
448 by (etac kerberos.induct 1); |
|
449 by (ALLGOALS (asm_simp_tac (simpset() addsimps [all_conj_distrib]))); |
|
450 by (Step_tac 1); |
|
451 (*K2: it can't be a new key*) |
|
452 by (expand_case_tac "AuthKey = ?y" 1); |
|
453 by (REPEAT (ares_tac [refl,exI,impI,conjI] 2)); |
|
454 by (blast_tac (claset() delrules [conjI] (*prevent split-up into 4 subgoals*) |
|
455 addSEs spies_partsEs) 1); |
|
456 val lemma = result(); |
|
457 |
|
(* Usable form: two Kas messages that carry the same AuthKey agree on the
   recipient, the encrypting key, the timestamp and the ticket. *)
458 Goal "[| Says Kas A \ |
|
459 \ (Crypt Ka {|Key AuthKey, Agent Tgs, Tk, X|}) : set evs; \ |
|
460 \ Says Kas A' \ |
|
461 \ (Crypt Ka' {|Key AuthKey, Agent Tgs, Tk', X'|}) : set evs; \ |
|
462 \ evs : kerberos |] ==> A=A' & Ka=Ka' & Tk=Tk' & X=X'"; |
|
463 by (prove_unique_tac lemma 1); |
|
464 qed "unique_AuthKeys"; |
|
465 |
|
466 (* ServKey uniquely identifies the message from Tgs *) |
|
467 Goal "evs : kerberos ==> \ |
|
468 \ EX A' B' AuthKey' Tk' X'. ALL A B AuthKey Tk X. \ |
|
469 \ Says Tgs A (Crypt AuthKey {|Key ServKey, Agent B, Tk, X|}) \ |
|
470 \ : set evs --> A=A' & B=B' & AuthKey=AuthKey' & Tk=Tk' & X=X'"; |
|
471 by (etac kerberos.induct 1); |
|
472 by (ALLGOALS (asm_simp_tac (simpset() addsimps [all_conj_distrib]))); |
|
473 by (Step_tac 1); |
|
474 (*K4: it can't be a new key*) |
|
475 by (expand_case_tac "ServKey = ?y" 1); |
|
476 by (REPEAT (ares_tac [refl,exI,impI,conjI] 2)); |
|
477 by (blast_tac (claset() delrules [conjI] (*prevent split-up into 4 subgoals*) |
|
478 addSEs spies_partsEs) 1); |
|
479 val lemma = result(); |
|
480 |
|
481 Goal "[| Says Tgs A \ |
|
482 \ (Crypt K {|Key ServKey, Agent B, Tt, X|}) : set evs; \ |
|
483 \ Says Tgs A' \ |
|
484 \ (Crypt K' {|Key ServKey, Agent B', Tt', X'|}) : set evs; \ |
|
485 \ evs : kerberos |] ==> A=A' & B=B' & K=K' & Tt=Tt' & X=X'"; |
|
486 by (prove_unique_tac lemma 1); |
|
487 qed "unique_ServKeys"; |
|
488 |
|
489 |
|
490 (*****************LEMMAS ABOUT the predicate KeyCryptKey****************) |
|
491 |
|
492 Goalw [KeyCryptKey_def] "~ KeyCryptKey AuthKey ServKey []"; |
|
493 by (Simp_tac 1); |
|
494 qed "not_KeyCryptKey_Nil"; |
|
495 AddIffs [not_KeyCryptKey_Nil]; |
|
496 |
|
497 Goalw [KeyCryptKey_def] |
|
498 "[| Says Tgs A (Crypt AuthKey {|Key ServKey, Agent B, tt, X |}) \ |
|
499 \ : set evs; \ |
|
500 \ evs : kerberos |] ==> KeyCryptKey AuthKey ServKey evs"; |
|
501 by (forward_tac [Says_Tgs_message_form] 1); |
|
502 by (assume_tac 1); |
|
503 by (Blast_tac 1); |
|
504 qed "KeyCryptKeyI"; |
|
505 |
|
506 Goalw [KeyCryptKey_def] |
|
507 "KeyCryptKey AuthKey ServKey (Says S A X # evs) = \ |
|
508 \ (Tgs = S & \ |
|
509 \ (EX B tt. X = Crypt AuthKey \ |
|
510 \ {|Key ServKey, Agent B, tt, \ |
|
511 \ Crypt (shrK B) {|Agent A, Agent B, Key ServKey, tt|} |}) \ |
|
512 \ | KeyCryptKey AuthKey ServKey evs)"; |
|
513 by (Simp_tac 1); |
|
514 by (Blast_tac 1); |
|
515 qed "KeyCryptKey_Says"; |
|
516 Addsimps [KeyCryptKey_Says]; |
|
517 |
|
518 (*A fresh AuthKey cannot be associated with any ServKey |
|
519 (with respect to a given trace). *) |
|
(* Fresh means Key AuthKey ~: used evs; the association is the predicate
   KeyCryptKey AuthKey ServKey evs, unfolded here by Goalw. *)
520 Goalw [KeyCryptKey_def] |
|
521 "[| Key AuthKey ~: used evs; evs : kerberos |] \ |
|
522 \ ==> ~ KeyCryptKey AuthKey ServKey evs"; |
|
523 by (etac rev_mp 1); |
|
524 by (parts_induct_tac 1); |
|
525 by (Asm_full_simp_tac 1); |
|
526 by (blast_tac (claset() addSEs spies_partsEs) 1); |
|
527 qed "Auth_fresh_not_KeyCryptKey"; |
|
528 |
|
529 (*A fresh ServKey cannot be associated with any AuthKey |
|
530 (with respect to a given trace). *) |
|
(* Unlike the AuthKey version above, this needs no evs : kerberos premise:
   it follows from the definition of KeyCryptKey for any trace. *)
531 Goalw [KeyCryptKey_def] |
|
532 "Key ServKey ~: used evs ==> ~ KeyCryptKey AuthKey ServKey evs"; |
|
533 by (blast_tac (claset() addSEs spies_partsEs) 1); |
|
534 qed "Serv_fresh_not_KeyCryptKey"; |
|
535 |
|
536 Goalw [KeyCryptKey_def] |
|
537 "[| Crypt (shrK Tgs) {|Agent A, Agent Tgs, Key AuthKey, tk|}\ |
|
538 \ : parts (spies evs); evs : kerberos |] \ |
|
539 \ ==> ~ KeyCryptKey K AuthKey evs"; |
|
540 by (etac rev_mp 1); |
|
541 by (parts_induct_tac 1); |
|
542 (*K4*) |
|
543 by (blast_tac (claset() addEs spies_partsEs) 3); |
|
544 (*K2: by freshness*) |
|
545 by (blast_tac (claset() addEs spies_partsEs) 2); |
|
546 by (Fake_parts_insert_tac 1); |
|
547 qed "AuthKey_not_KeyCryptKey"; |
|
548 |
|
549 (*A secure service key cannot have been used to encrypt other keys*) |
|
550 Goalw [KeyCryptKey_def] |
|
551 "[| Crypt (shrK B) {|Agent A, Agent B, Key ServKey, tt|} \ |
|
552 \ : parts (spies evs); \ |
|
553 \ Key ServKey ~: analz (spies evs); \ |
|
554 \ B ~= Tgs; evs : kerberos |] \ |
|
555 \ ==> ~ KeyCryptKey ServKey K evs"; |
|
556 by (etac rev_mp 1); |
|
557 by (etac rev_mp 1); |
|
558 by (parts_induct_tac 1); |
|
559 by (Fake_parts_insert_tac 1); |
|
560 (*K4 splits into distinct subcases*) |
|
561 by (Step_tac 1); |
|
562 by (ALLGOALS Asm_full_simp_tac); |
|
563 (*ServKey can't have been enclosed in two certificates*) |
|
564 by (blast_tac (claset() addSDs [Says_imp_spies RS parts.Inj] |
|
565 addSEs [MPair_parts] |
|
566 addDs [unique_CryptKey]) 4); |
|
567 (*ServKey is fresh and so could not have been used, by new_keys_not_used*) |
|
568 by (force_tac (claset() addSDs [Says_imp_spies RS parts.Inj, |
|
569 Crypt_imp_invKey_keysFor], |
|
570 simpset()) 2); |
|
571 (*Others by freshness*) |
|
572 by (REPEAT (blast_tac (claset() addSEs spies_partsEs) 1)); |
|
573 qed "ServKey_not_KeyCryptKey"; |
|
574 |
|
575 (*Long term keys are not issued as ServKeys*) |
|
(* Formally: on any kerberos trace, KeyCryptKey K (shrK A) evs is false for
   every K and A. parts_induct_tac alone closes the proof. *)
576 Goalw [KeyCryptKey_def] |
|
577 "evs : kerberos ==> ~ KeyCryptKey K (shrK A) evs"; |
|
578 by (parts_induct_tac 1); |
|
579 qed "shrK_not_KeyCryptKey"; |
|
580 |
|
581 (*The Tgs message associates ServKey with AuthKey and therefore not with any |
|
582 other key AuthKey'.*) |
|
(* Follows from unique_ServKeys: a given ServKey is carried by only one Tgs
   message, hence under only one AuthKey. *)
583 Goalw [KeyCryptKey_def] |
|
584 "[| Says Tgs A (Crypt AuthKey {|Key ServKey, Agent B, tt, X |}) \ |
|
585 \ : set evs; \ |
|
586 \ AuthKey' ~= AuthKey; evs : kerberos |] \ |
|
587 \ ==> ~ KeyCryptKey AuthKey' ServKey evs"; |
|
588 by (blast_tac (claset() addDs [unique_ServKeys]) 1); |
|
589 qed "Says_Tgs_KeyCryptKey"; |
|
590 |
|
591 Goal "[| KeyCryptKey AuthKey ServKey evs; evs : kerberos |] \ |
|
592 \ ==> ~ KeyCryptKey ServKey K evs"; |
|
593 by (etac rev_mp 1); |
|
594 by (parts_induct_tac 1); |
|
595 by (Step_tac 1); |
|
596 by (ALLGOALS Asm_full_simp_tac); |
|
597 (*K4 splits into subcases*) |
|
598 by (blast_tac (claset() addEs spies_partsEs |
|
599 addSDs [AuthKey_not_KeyCryptKey]) 4); |
|
600 (*ServKey is fresh and so could not have been used, by new_keys_not_used*) |
|
601 by (force_tac (claset() addSDs [Says_imp_spies RS parts.Inj, |
|
602 Crypt_imp_invKey_keysFor], |
|
603 simpset() addsimps [KeyCryptKey_def]) 2); |
|
604 (*Others by freshness*) |
|
605 by (REPEAT (blast_tac (claset() addSEs spies_partsEs) 1)); |
|
606 qed "KeyCryptKey_not_KeyCryptKey"; |
|
607 |
|
608 (*The only session keys that can be found with the help of session keys are |
|
609 those sent by Tgs in step K4. *) |
|
610 |
|
611 (*We take some pains to express the property |
|
612 as a logical equivalence so that the simplifier can apply it.*) |
|
613 Goal "P --> (Key K : analz (Key``KK Un H)) --> (K:KK | Key K : analz H) \ |
|
614 \ ==> \ |
|
615 \ P --> (Key K : analz (Key``KK Un H)) = (K:KK | Key K : analz H)"; |
|
616 by (blast_tac (claset() addIs [impOfSubs analz_mono]) 1); |
|
617 qed "Key_analz_image_Key_lemma"; |
|
618 |
|
(* KeyCryptKey_analz_insert: if K is associated with K' by KeyCryptKey, then
   adding Key K to what the spy holds makes Key K' derivable. This is the
   key-dependency direction: disclosure of the encrypting key discloses the
   key it protects. *)
619 Goal "[| KeyCryptKey K K' evs; evs : kerberos |] \ |
|
620 \ ==> Key K' : analz (insert (Key K) (spies evs))"; |
|
621 by (full_simp_tac (simpset() addsimps [KeyCryptKey_def]) 1); |
|
622 by (Clarify_tac 1); |
|
623 by (dresolve_tac [Says_imp_spies RS analz.Inj RS analz_insertI] 1); |
|
624 by Auto_tac; |
|
625 qed "KeyCryptKey_analz_insert"; |
|
626 |
|
627 Goal "[| K : AuthKeys evs Un range shrK; evs : kerberos |] \ |
|
628 \ ==> ALL SK. ~ KeyCryptKey SK K evs"; |
|
629 by (asm_full_simp_tac (simpset() addsimps [KeyCryptKey_def]) 1); |
|
630 by (blast_tac (claset() addDs [Says_Tgs_message_form]) 1); |
|
631 qed "AuthKeys_are_not_KeyCryptKey"; |
|
632 |
|
633 Goal "[| K ~: AuthKeys evs; \ |
|
634 \ K ~: range shrK; evs : kerberos |] \ |
|
635 \ ==> ALL SK. ~ KeyCryptKey K SK evs"; |
|
636 by (asm_full_simp_tac (simpset() addsimps [KeyCryptKey_def]) 1); |
|
637 by (blast_tac (claset() addDs [Says_Tgs_message_form]) 1); |
|
638 qed "not_AuthKeys_not_KeyCryptKey"; |
|
639 |
|
640 |
|
641 (*****************SECRECY THEOREMS****************) |
|
642 |
|
643 (*For proofs involving analz.*) |
|
(* Preparation run right after kerberos.induct in the secrecy proofs.
   It pushes the message-form and range lemmas into subgoals 10, 9, 7 and 5,
   then strips conjunctions, disjunctions and existentials and substitutes
   equalities. The subgoal numbers are absolute, so the tactic presumably
   only fits a state produced by kerberos.induct on subgoal 1; by the lemma
   names they would be the Oops2, Oops1, K5 and K3 cases - confirm against
   the rule order in the theory file. *)
644 val analz_sees_tac = |
|
645 EVERY |
|
646 [REPEAT (FIRSTGOAL analz_mono_contra_tac), |
|
647 forward_tac [Oops_range_spies2] 10, |
|
648 forward_tac [Oops_range_spies1] 9, |
|
649 forward_tac [Says_tgs_message_form] 7, |
|
650 forward_tac [Says_kas_message_form] 5, |
|
651 REPEAT_FIRST (eresolve_tac [asm_rl, conjE, disjE, exE] |
|
652 ORELSE' hyp_subst_tac)]; |
|
653 |
|
654 Goal "[| KK <= -(range shrK); Key K : analz (spies evs); evs: kerberos |] \ |
|
655 \ ==> Key K : analz (Key `` KK Un spies evs)"; |
|
656 by (blast_tac (claset() addDs [impOfSubs analz_mono]) 1); |
|
657 qed "analz_mono_KK"; |
|
658 |
|
659 (* Big simplification law for keys SK that are not crypted by keys in KK *) |
|
660 (* It helps prove three, otherwise hard, facts about keys. These facts are *) |
|
661 (* exploited as simplification laws for analz, and also "limit the damage" *) |
|
662 (* in case of loss of a key to the spy. See ESORICS98. *) |
|
663 Goal "evs : kerberos ==> \ |
|
664 \ (ALL SK KK. KK <= -(range shrK) --> \ |
|
665 \ (ALL K: KK. ~ KeyCryptKey K SK evs) --> \ |
|
666 \ (Key SK : analz (Key``KK Un (spies evs))) = \ |
|
667 \ (SK : KK | Key SK : analz (spies evs)))"; |
|
668 by (etac kerberos.induct 1); |
|
669 by analz_sees_tac; |
|
670 by (REPEAT_FIRST (rtac allI)); |
|
671 by (REPEAT_FIRST (rtac (Key_analz_image_Key_lemma RS impI))); |
|
672 by (ALLGOALS |
|
673 (asm_simp_tac |
|
674 (analz_image_freshK_ss addsimps |
|
675 [KeyCryptKey_Says, shrK_not_KeyCryptKey, |
|
676 Auth_fresh_not_KeyCryptKey, Serv_fresh_not_KeyCryptKey, |
|
677 Says_Tgs_KeyCryptKey, Spy_analz_shrK]))); |
|
678 (*Fake*) |
|
679 by (spy_analz_tac 1); |
|
680 (* Base + K2 done by the simplifier! *) |
|
681 (*K3*) |
|
682 by (Blast_tac 1); |
|
683 (*K4*) |
|
684 by (blast_tac (claset() addEs spies_partsEs |
|
685 addSDs [AuthKey_not_KeyCryptKey]) 1); |
|
686 (*K5*) |
|
687 by (rtac impI 1); |
|
688 by (case_tac "Key ServKey : analz (spies evs5)" 1); |
|
689 (*If ServKey is compromised then the result follows directly...*) |
|
690 by (asm_simp_tac |
|
691 (simpset() addsimps [analz_insert_eq, |
|
692 impOfSubs (Un_upper2 RS analz_mono)]) 1); |
|
693 (*...therefore ServKey is uncompromised.*) |
|
694 by (case_tac "KeyCryptKey ServKey SK evs5" 1); |
|
695 by (asm_simp_tac analz_image_freshK_ss 2); |
|
696 (*The KeyCryptKey ServKey SK evs5 case leads to a contradiction.*) |
|
697 by (blast_tac (claset() addSEs [ServKey_not_KeyCryptKey RSN(2, rev_notE)] |
|
698 addEs spies_partsEs delrules [allE, ballE]) 1); |
|
699 (** Level 14: Oops1 and Oops2 **) |
|
700 by (ALLGOALS Clarify_tac); |
|
701 (*Oops 2*) |
|
702 by (case_tac "Key ServKey : analz (spies evsO2)" 2); |
|
703 by (ALLGOALS Asm_full_simp_tac); |
|
704 by (forward_tac [analz_mono_KK] 2 |
|
705 THEN assume_tac 2 |
|
706 THEN assume_tac 2); |
|
707 by (forward_tac [analz_cut] 2 THEN assume_tac 2); |
|
708 by (blast_tac (claset() addDs [analz_cut, impOfSubs analz_mono]) 2); |
|
709 by (dres_inst_tac [("x","SK")] spec 2); |
|
710 by (dres_inst_tac [("x","insert ServKey KK")] spec 2); |
|
711 by (forward_tac [Says_Tgs_message_form] 2 THEN assume_tac 2); |
|
712 by (Clarify_tac 2); |
|
713 by (forward_tac [Says_imp_spies RS parts.Inj RS parts.Body |
|
714 RS parts.Snd RS parts.Snd RS parts.Snd] 2); |
|
715 by (Asm_full_simp_tac 2); |
|
716 by (blast_tac (claset() addSDs [ServKey_not_KeyCryptKey] |
|
717 addDs [impOfSubs analz_mono]) 2); |
|
718 (*Level 28: Oops 1*) |
|
719 by (dres_inst_tac [("x","SK")] spec 1); |
|
720 by (dres_inst_tac [("x","insert AuthKey KK")] spec 1); |
|
721 by (case_tac "KeyCryptKey AuthKey SK evsO1" 1); |
|
722 by (ALLGOALS Asm_full_simp_tac); |
|
723 by (blast_tac (claset() addSDs [KeyCryptKey_analz_insert]) 1); |
|
724 by (blast_tac (claset() addDs [impOfSubs analz_mono]) 1); |
|
725 qed_spec_mp "Key_analz_image_Key"; |
|
726 |
|
727 |
|
728 (* First simplification law for analz: no session keys encrypt *) |
|
729 (* authentication keys or shared keys. *) |
|
(* Security reading: if the spy additionally learns a session key SesKey,
   the only authentication or long-term key it gains is SesKey itself;
   any other such key K is derivable afterwards only if it already was. *)
730 Goal "[| evs : kerberos; K : (AuthKeys evs) Un range shrK; \ |
|
731 \ SesKey ~: range shrK |] \ |
|
732 \ ==> Key K : analz (insert (Key SesKey) (spies evs)) = \ |
|
733 \ (K = SesKey | Key K : analz (spies evs))"; |
|
734 by (forward_tac [AuthKeys_are_not_KeyCryptKey] 1 THEN assume_tac 1); |
|
735 by (asm_full_simp_tac (analz_image_freshK_ss addsimps [Key_analz_image_Key]) 1); |
|
736 qed "analz_insert_freshK1"; |
|
737 |
|
738 |
|
739 (* Second simplification law for analz: no service keys encrypt *) |
|
740 (* any other keys. *) |
|
(* Security reading: disclosure of a service key (a key that is neither in
   AuthKeys evs nor long-term) gives the spy that key and nothing more. *)
741 Goal "[| evs : kerberos; ServKey ~: (AuthKeys evs); ServKey ~: range shrK|]\ |
|
742 \ ==> Key K : analz (insert (Key ServKey) (spies evs)) = \ |
|
743 \ (K = ServKey | Key K : analz (spies evs))"; |
|
744 by (forward_tac [not_AuthKeys_not_KeyCryptKey] 1 |
|
745 THEN assume_tac 1 |
|
746 THEN assume_tac 1); |
|
747 by (asm_full_simp_tac (analz_image_freshK_ss addsimps [Key_analz_image_Key]) 1); |
|
748 qed "analz_insert_freshK2"; |
|
749 |
|
750 |
|
751 (* Third simplification law for analz: only one authentication key *) |
|
752 (* encrypts a certain service key. *) |
|
(* Security reading: once Tgs has issued ServKey under AuthKey, disclosure
   of a different session key AuthKey' does not help the spy reach ServKey.
   The case AuthKey' = AuthKey is excluded by a premise; it is the subject
   of AuthKey_compromises_ServKey. *)
753 Goal |
|
754 "[| Says Tgs A \ |
|
755 \ (Crypt AuthKey {|Key ServKey, Agent B, Number Tt, ServTicket|}) \ |
|
756 \ : set evs; \ |
|
757 \ AuthKey ~= AuthKey'; AuthKey' ~: range shrK; evs : kerberos |] \ |
|
758 \ ==> Key ServKey : analz (insert (Key AuthKey') (spies evs)) = \ |
|
759 \ (ServKey = AuthKey' | Key ServKey : analz (spies evs))"; |
|
760 by (dres_inst_tac [("AuthKey'","AuthKey'")] Says_Tgs_KeyCryptKey 1); |
|
761 by (Blast_tac 1); |
|
762 by (assume_tac 1); |
|
763 by (asm_full_simp_tac (analz_image_freshK_ss addsimps [Key_analz_image_Key]) 1); |
|
764 qed "analz_insert_freshK3"; |
|
765 |
|
766 |
|
(* AuthKey_compromises_ServKey: if Tgs sent A the message
   Crypt AuthKey {|Key ServKey, Agent B, Number Tt, ServTicket|} on trace evs
   and Key AuthKey is in analz (spies evs), then Key ServKey is in
   analz (spies evs) as well.
   Security reading: the service key is carried under the authentication key,
   so an authentication key that the spy can derive exposes every service key
   that Tgs issued under it.  This is why the ServKey confidentiality results
   further down carry either the premise Key AuthKey ~: analz (spies evs)
   (Confidentiality_Tgs1) or ~ ExpirAuth Tk evs (Confidentiality_Tgs2).
   Proof: one force_tac with the chain Says_imp_spies, analz.Inj,
   analz.Decrypt, analz.Fst supplied as a destruction rule. *)
767 (*a weakness of the protocol*) |
|
768 Goal "[| Says Tgs A \ |
|
769 \ (Crypt AuthKey {|Key ServKey, Agent B, Number Tt, ServTicket|}) \ |
|
770 \ : set evs; \ |
|
771 \ Key AuthKey : analz (spies evs); evs : kerberos |] \ |
|
772 \ ==> Key ServKey : analz (spies evs)"; |
|
773 by (force_tac (claset() addDs [Says_imp_spies RS analz.Inj RS |
|
774 analz.Decrypt RS analz.Fst], |
|
775 simpset()) 1); |
|
776 qed "AuthKey_compromises_ServKey"; |
|
777 |
|
778 |
|
779 (********************** Guarantees for Kas *****************************) |
|
780 Goal "[| Crypt AuthKey {|Key ServKey, Agent B, Tt, \ |
|
781 \ Crypt (shrK B) {|Agent A, Agent B, Key ServKey, Tt|}|}\ |
|
782 \ : parts (spies evs); \ |
|
783 \ Key ServKey ~: analz (spies evs); \ |
|
784 \ B ~= Tgs; evs : kerberos |] \ |
|
785 \ ==> ServKey ~: AuthKeys evs"; |
|
786 by (etac rev_mp 1); |
|
787 by (etac rev_mp 1); |
|
788 by (asm_full_simp_tac (simpset() addsimps [AuthKeys_def]) 1); |
|
789 by (parts_induct_tac 1); |
|
790 by (Fake_parts_insert_tac 1); |
|
791 by (ALLGOALS (blast_tac (claset() addSEs spies_partsEs))); |
|
792 bind_thm ("ServKey_notin_AuthKeys", result() RSN (2, rev_notE)); |
|
793 bind_thm ("ServKey_notin_AuthKeysD", result()); |
|
794 |
|
795 |
|
796 (** If Spy sees the Authentication Key sent in msg K2, then |
|
797 the Key has expired **) |
|
798 Goal "[| A ~: bad; evs : kerberos |] \ |
|
799 \ ==> Says Kas A \ |
|
800 \ (Crypt (shrK A) \ |
|
801 \ {|Key AuthKey, Agent Tgs, Number Tk, \ |
|
802 \ Crypt (shrK Tgs) {|Agent A, Agent Tgs, Key AuthKey, Number Tk|}|})\ |
|
803 \ : set evs --> \ |
|
804 \ Key AuthKey : analz (spies evs) --> \ |
|
805 \ ExpirAuth Tk evs"; |
|
806 by (etac kerberos.induct 1); |
|
807 by analz_sees_tac; |
|
808 by (ALLGOALS |
|
809 (asm_simp_tac |
|
810 (simpset() addsimps ([Says_Kas_message_form, |
|
811 analz_insert_eq, not_parts_not_analz, |
|
812 analz_insert_freshK1] @ pushes)))); |
|
813 (*Fake*) |
|
814 by (spy_analz_tac 1); |
|
815 (*K2*) |
|
816 by (blast_tac (claset() addSEs spies_partsEs |
|
817 addIs [parts_insertI, impOfSubs analz_subset_parts, less_SucI]) 1); |
|
818 (*K4*) |
|
819 by (blast_tac (claset() addSEs spies_partsEs) 1); |
|
820 (*Level 8: K5*) |
|
821 by (blast_tac (claset() addEs [ServKey_notin_AuthKeys] |
|
822 addDs [Says_Kas_message_form, |
|
823 Says_imp_spies RS parts.Inj] |
|
824 addIs [less_SucI]) 1); |
|
825 (*Oops1*) |
|
826 by (blast_tac (claset() addDs [unique_AuthKeys] addIs [less_SucI]) 1); |
|
827 (*Oops2*) |
|
828 by (blast_tac (claset() addDs [Says_Tgs_message_form, |
|
829 Says_Kas_message_form]) 1); |
|
830 val lemma = result() RS mp RS mp RSN(1,rev_notE); |
|
831 |
|
832 |
|
(* Confidentiality_Kas: for an agent A that is not in bad, if Kas sent A a
   message carrying Key AuthKey with timestamp Number Tk and
   ~ ExpirAuth Tk evs holds, then Key AuthKey ~: analz (spies evs).
   The guarantee is bounded in time: nothing is claimed about AuthKey once
   ExpirAuth Tk evs holds.  The lemma proved just above has Oops1 and Oops2
   cases, so presumably the model lets keys leak after expiry -- confirm
   against the definition of kerberos.
   Proof: Says_Kas_message_form is applied forward (presumably to expose
   Ka and AuthTicket in the shape the lemma expects -- confirm), then the
   preceding `lemma` is used as a safe destruction rule. *)
833 Goal "[| Says Kas A \ |
|
834 \ (Crypt Ka {|Key AuthKey, Agent Tgs, Number Tk, AuthTicket|}) \ |
|
835 \ : set evs; \ |
|
836 \ ~ ExpirAuth Tk evs; \ |
|
837 \ A ~: bad; evs : kerberos |] \ |
|
838 \ ==> Key AuthKey ~: analz (spies evs)"; |
|
839 by (forward_tac [Says_Kas_message_form] 1 THEN assume_tac 1); |
|
840 by (blast_tac (claset() addSDs [lemma]) 1); |
|
841 qed "Confidentiality_Kas"; |
|
842 |
|
843 |
|
844 |
|
845 |
|
846 |
|
847 |
|
848 (********************** Guarantees for Tgs *****************************) |
|
849 |
|
850 (** If Spy sees the Service Key sent in msg K4, then |
|
851 the Key has expired **) |
|
852 Goal "[| A ~: bad; B ~: bad; B ~= Tgs; evs : kerberos |] \ |
|
853 \ ==> Key AuthKey ~: analz (spies evs) --> \ |
|
854 \ Says Tgs A \ |
|
855 \ (Crypt AuthKey \ |
|
856 \ {|Key ServKey, Agent B, Number Tt, \ |
|
857 \ Crypt (shrK B) {|Agent A, Agent B, Key ServKey, Number Tt|}|})\ |
|
858 \ : set evs --> \ |
|
859 \ Key ServKey : analz (spies evs) --> \ |
|
860 \ ExpirServ Tt evs"; |
|
861 by (etac kerberos.induct 1); |
|
862 (*The Oops1 case is unusual: must simplify Authkey ~: analz (spies (ev#evs)) |
|
863 rather than weakening it to Authkey ~: analz (spies evs), for we then |
|
864 conclude AuthKey ~= AuthKeya.*) |
|
865 by (Clarify_tac 9); |
|
866 by analz_sees_tac; |
|
867 by (rotate_tac ~1 11); |
|
868 by (ALLGOALS |
|
869 (asm_full_simp_tac |
|
870 (simpset() addsimps ([Says_Kas_message_form, Says_Tgs_message_form, |
|
871 analz_insert_eq, not_parts_not_analz, |
|
872 analz_insert_freshK1, analz_insert_freshK2] @ pushes)))); |
|
873 (*Fake*) |
|
874 by (spy_analz_tac 1); |
|
875 (*K2*) |
|
876 by (blast_tac (claset() addSEs spies_partsEs |
|
877 addIs [parts_insertI, impOfSubs analz_subset_parts, less_SucI]) 1); |
|
878 (*K4*) |
|
879 by (case_tac "A ~= Aa" 1); |
|
880 by (blast_tac (claset() addSEs spies_partsEs |
|
881 addIs [less_SucI]) 1); |
|
882 by (blast_tac (claset() addDs [Says_imp_spies RS parts.Inj RS parts.Fst, |
|
883 A_trusts_AuthTicket, |
|
884 Confidentiality_Kas, |
|
885 impOfSubs analz_subset_parts]) 1); |
|
886 by (ALLGOALS Clarify_tac); |
|
887 (*Oops2*) |
|
888 by (blast_tac (claset() addDs [Says_imp_spies RS parts.Inj, |
|
889 Key_unique_SesKey] addIs [less_SucI]) 3); |
|
890 (** Level 12 **) |
|
891 (*Oops1*) |
|
892 by (forward_tac [Says_Kas_message_form] 2); |
|
893 by (assume_tac 2); |
|
894 by (blast_tac (claset() addDs [analz_insert_freshK3, |
|
895 Says_Kas_message_form, Says_Tgs_message_form] |
|
896 addIs [less_SucI]) 2); |
|
897 (** Level 16 **) |
|
898 by (thin_tac "Says Aa Tgs ?X : set ?evs" 1); |
|
899 by (forward_tac [Says_imp_spies RS parts.Inj RS ServKey_notin_AuthKeysD] 1); |
|
900 by (assume_tac 1 THEN Blast_tac 1 THEN assume_tac 1); |
|
901 by (rotate_tac ~1 1); |
|
902 by (asm_full_simp_tac (simpset() addsimps [analz_insert_freshK2]) 1); |
|
903 by (etac disjE 1); |
|
904 by (blast_tac (claset() addDs [Says_imp_spies RS parts.Inj, |
|
905 Key_unique_SesKey]) 1); |
|
906 by (blast_tac (claset() addIs [less_SucI]) 1); |
|
907 val lemma = result() RS mp RS mp RS mp RSN(1,rev_notE); |
|
908 |
|
909 |
|
(* Confidentiality_Tgs1: if Tgs sent A the service key ServKey under AuthKey
   with timestamp Number Tt, Key AuthKey ~: analz (spies evs),
   ~ ExpirServ Tt evs, A and B are not in bad and B ~= Tgs, then
   Key ServKey ~: analz (spies evs).
   The premise on AuthKey is a statement about what the spy can derive, not
   something an agent observes in a message, which is the point of the
   original remark below.  Confidentiality_Tgs2 replaces that premise with a
   Kas message and ~ ExpirAuth Tk evs.
   `lemma` here is the binding made by the val just above this goal, not the
   earlier one used for Confidentiality_Kas. *)
910 (* In the real world Tgs can't check whether AuthKey is secure! *) |
|
911 Goal |
|
912 "[| Says Tgs A \ |
|
913 \ (Crypt AuthKey {|Key ServKey, Agent B, Number Tt, ServTicket|}) \ |
|
914 \ : set evs; \ |
|
915 \ Key AuthKey ~: analz (spies evs); \ |
|
916 \ ~ ExpirServ Tt evs; \ |
|
917 \ A ~: bad; B ~: bad; B ~= Tgs; evs : kerberos |] \ |
|
918 \ ==> Key ServKey ~: analz (spies evs)"; |
|
919 by (forward_tac [Says_Tgs_message_form] 1 THEN assume_tac 1); |
|
920 by (blast_tac (claset() addDs [lemma]) 1); |
|
921 qed "Confidentiality_Tgs1"; |
|
922 |
|
(* Confidentiality_Tgs2: same conclusion as Confidentiality_Tgs1,
   Key ServKey ~: analz (spies evs), but the premise that AuthKey is secret
   is replaced by two premises: Kas sent A the key AuthKey with timestamp
   Number Tk, and ~ ExpirAuth Tk evs.  Both timestamps must be unexpired,
   A and B must not be in bad, and B ~= Tgs.
   Proof: blast_tac with Confidentiality_Kas (secrecy of AuthKey while
   unexpired) and Confidentiality_Tgs1 as safe destruction rules. *)
923 (* In the real world Tgs CAN check what Kas sends! *) |
|
924 Goal |
|
925 "[| Says Kas A \ |
|
926 \ (Crypt Ka {|Key AuthKey, Agent Tgs, Number Tk, AuthTicket|}) \ |
|
927 \ : set evs; \ |
|
928 \ Says Tgs A \ |
|
929 \ (Crypt AuthKey {|Key ServKey, Agent B, Number Tt, ServTicket|}) \ |
|
930 \ : set evs; \ |
|
931 \ ~ ExpirAuth Tk evs; ~ ExpirServ Tt evs; \ |
|
932 \ A ~: bad; B ~: bad; B ~= Tgs; evs : kerberos |] \ |
|
933 \ ==> Key ServKey ~: analz (spies evs)"; |
|
934 by (blast_tac (claset() addSDs [Confidentiality_Kas, |
|
935 Confidentiality_Tgs1]) 1); |
|
936 qed "Confidentiality_Tgs2"; |
|
937 |
|
(* Confidentiality_Tgs3 resolves the conclusion of A_trusts_AuthTicket with
   the first premise (the Kas message) of Confidentiality_Tgs2.  The
   statement of A_trusts_AuthTicket is not shown in this part of the file. *)
938 (*Most general form*) |
|
939 val Confidentiality_Tgs3 = A_trusts_AuthTicket RS Confidentiality_Tgs2; |
|
940 |
|
941 |
|
942 (********************** Guarantees for Alice *****************************) |
|
943 |
|
944 val Confidentiality_Auth_A = A_trusts_AuthKey RS Confidentiality_Kas; |
|
945 |
|
946 Goal |
|
947 "[| Says Kas A \ |
|
948 \ (Crypt (shrK A) {|Key AuthKey, Agent Tgs, Tk, AuthTicket|}) : set evs;\ |
|
949 \ Crypt AuthKey {|Key ServKey, Agent B, Tt, ServTicket|} \ |
|
950 \ : parts (spies evs); \ |
|
951 \ Key AuthKey ~: analz (spies evs); \ |
|
952 \ evs : kerberos |] \ |
|
953 \==> Says Tgs A (Crypt AuthKey {|Key ServKey, Agent B, Tt, ServTicket|})\ |
|
954 \ : set evs"; |
|
955 by (forward_tac [Says_Kas_message_form] 1 THEN assume_tac 1); |
|
956 by (etac rev_mp 1); |
|
957 by (etac rev_mp 1); |
|
958 by (etac rev_mp 1); |
|
959 by (parts_induct_tac 1); |
|
960 by (Fake_parts_insert_tac 1); |
|
961 (*K2 and K4 remain*) |
|
962 by (blast_tac (claset() addEs spies_partsEs addSEs [MPair_parts] |
|
963 addSDs [unique_CryptKey]) 2); |
|
964 by (blast_tac (claset() addSDs [A_trusts_K4, Says_Tgs_message_form, |
|
965 AuthKeys_used]) 1); |
|
966 qed "A_trusts_K4_bis"; |
|
967 |
|
968 |
|
969 Goal "[| Crypt (shrK A) {|Key AuthKey, Agent Tgs, Number Tk, AuthTicket|} \ |
|
970 \ : parts (spies evs); \ |
|
971 \ Crypt AuthKey {|Key ServKey, Agent B, Number Tt, ServTicket|} \ |
|
972 \ : parts (spies evs); \ |
|
973 \ ~ ExpirAuth Tk evs; ~ ExpirServ Tt evs; \ |
|
974 \ A ~: bad; B ~: bad; B ~= Tgs; evs : kerberos |] \ |
|
975 \ ==> Key ServKey ~: analz (spies evs)"; |
|
976 by (dtac A_trusts_AuthKey 1); |
|
977 by (assume_tac 1); |
|
978 by (assume_tac 1); |
|
979 by (blast_tac (claset() addDs [Confidentiality_Kas, |
|
980 Says_Kas_message_form, |
|
981 A_trusts_K4_bis, Confidentiality_Tgs2]) 1); |
|
982 qed "Confidentiality_Serv_A"; |
|
983 |
|
984 |
|
985 (********************** Guarantees for Bob *****************************) |
|
986 (* Theorems for the refined model have suffix "refined" *) |
|
987 |
|
988 Goal |
|
989 "[| Says Tgs A (Crypt AuthKey {|Key ServKey, Agent B, Number Tt, ServTicket|})\ |
|
990 \ : set evs; evs : kerberos|] \ |
|
991 \ ==> EX Tk. Says Kas A (Crypt (shrK A) {|Key AuthKey, Agent Tgs, Number Tk,\ |
|
992 \ Crypt (shrK Tgs) {|Agent A, Agent Tgs, Key AuthKey, Number Tk|}|})\ |
|
993 \ : set evs"; |
|
994 by (etac rev_mp 1); |
|
995 by (parts_induct_tac 1); |
|
996 by Auto_tac; |
|
997 by (blast_tac (claset() addSDs [Says_imp_spies RS parts.Inj RS parts.Fst RS |
|
998 A_trusts_AuthTicket]) 1); |
|
999 qed "K4_imp_K2"; |
|
1000 |
|
(* K4_imp_K2_refined: whenever Tgs sent A a service key under AuthKey with
   timestamp Number Tt, there is a Tk such that Kas sent A that same AuthKey
   with timestamp Number Tk, and ServLife + Tt <= AuthLife + Tk.
   Compared with K4_imp_K2, the extra conjunct is the lifetime bound; it is
   what NotExpirServ_NotExpirAuth_refined later uses to obtain
   ~ ExpirAuth Tk evs from ~ ExpirServ Tt evs.
   NOTE(review): the bound presumably comes from a check in the K4 rule of
   the refined model; that rule is not visible here -- confirm. *)
1001 Goal |
|
1002 "[| Says Tgs A (Crypt AuthKey {|Key ServKey, Agent B, Number Tt, ServTicket|})\ |
|
1003 \ : set evs; evs : kerberos|] \ |
|
1004 \ ==> EX Tk. (Says Kas A (Crypt (shrK A) {|Key AuthKey, Agent Tgs, Number Tk,\ |
|
1005 \ Crypt (shrK Tgs) {|Agent A, Agent Tgs, Key AuthKey, Number Tk|}|})\ |
|
1006 \ : set evs \ |
|
1007 \ & ServLife + Tt <= AuthLife + Tk)"; |
|
1008 by (etac rev_mp 1); |
|
1009 by (parts_induct_tac 1); |
|
1010 by Auto_tac; |
|
1011 by (blast_tac (claset() addSDs [Says_imp_spies RS parts.Inj RS parts.Fst RS |
|
1012 A_trusts_AuthTicket]) 1); |
|
1013 qed "K4_imp_K2_refined"; |
|
1014 |
|
(* B_trusts_ServKey: if the service ticket
   Crypt (shrK B) {|Agent A, Agent B, Key ServKey, Tt|} occurs in
   parts (spies evs), B is not in bad and B ~= Tgs, then for some AuthKey
   Tgs sent A the message containing ServKey and that very ticket.
   This is a statement about origin only: it has no expiry premise and says
   nothing about whether the spy can derive ServKey.  Secrecy is the subject
   of Confidentiality_B and Confidentiality_B_refined.
   Proof: induction over the trace via parts_induct_tac; the Fake case is
   handled by Fake_parts_insert_tac and the remaining case by Blast_tac. *)
1015 Goal "[| Crypt (shrK B) {|Agent A, Agent B, Key ServKey, Tt|} \ |
|
1016 \ : parts (spies evs); B ~= Tgs; B ~: bad; \ |
|
1017 \ evs : kerberos |] \ |
|
1018 \==> EX AuthKey. \ |
|
1019 \ Says Tgs A (Crypt AuthKey {|Key ServKey, Agent B, Tt, \ |
|
1020 \ Crypt (shrK B) {|Agent A, Agent B, Key ServKey, Tt|}|}) \ |
|
1021 \ : set evs"; |
|
1022 by (etac rev_mp 1); |
|
1023 by (parts_induct_tac 1); |
|
1024 by (Fake_parts_insert_tac 1); |
|
1025 by (Blast_tac 1); |
|
1026 qed "B_trusts_ServKey"; |
|
1027 |
|
1028 Goal "[| Crypt (shrK B) {|Agent A, Agent B, Key ServKey, Number Tt|} \ |
|
1029 \ : parts (spies evs); B ~= Tgs; B ~: bad; \ |
|
1030 \ evs : kerberos |] \ |
|
1031 \ ==> EX AuthKey Tk. Says Kas A (Crypt (shrK A) {|Key AuthKey, Agent Tgs, Number Tk,\ |
|
1032 \ Crypt (shrK Tgs) {|Agent A, Agent Tgs, Key AuthKey, Number Tk|}|})\ |
|
1033 \ : set evs"; |
|
1034 by (blast_tac (claset() addSDs [B_trusts_ServKey, K4_imp_K2]) 1); |
|
1035 qed "B_trusts_ServTicket_Kas"; |
|
1036 |
|
1037 Goal "[| Crypt (shrK B) {|Agent A, Agent B, Key ServKey, Number Tt|} \ |
|
1038 \ : parts (spies evs); B ~= Tgs; B ~: bad; \ |
|
1039 \ evs : kerberos |] \ |
|
1040 \ ==> EX AuthKey Tk. (Says Kas A (Crypt (shrK A) {|Key AuthKey, Agent Tgs, Number Tk,\ |
|
1041 \ Crypt (shrK Tgs) {|Agent A, Agent Tgs, Key AuthKey, Number Tk|}|})\ |
|
1042 \ : set evs \ |
|
1043 \ & ServLife + Tt <= AuthLife + Tk)"; |
|
1044 by (blast_tac (claset() addSDs [B_trusts_ServKey,K4_imp_K2_refined]) 1); |
|
1045 qed "B_trusts_ServTicket_Kas_refined"; |
|
1046 |
|
1047 Goal "[| Crypt (shrK B) {|Agent A, Agent B, Key ServKey, Number Tt|} \ |
|
1048 \ : parts (spies evs); B ~= Tgs; B ~: bad; \ |
|
1049 \ evs : kerberos |] \ |
|
1050 \==> EX Tk AuthKey. \ |
|
1051 \ Says Kas A (Crypt (shrK A) {|Key AuthKey, Agent Tgs, Number Tk, \ |
|
1052 \ Crypt (shrK Tgs) {|Agent A, Agent Tgs, Key AuthKey, Number Tk|}|})\ |
|
1053 \ : set evs \ |
|
1054 \ & Says Tgs A (Crypt AuthKey {|Key ServKey, Agent B, Number Tt, \ |
|
1055 \ Crypt (shrK B) {|Agent A, Agent B, Key ServKey, Number Tt|}|}) \ |
|
1056 \ : set evs"; |
|
1057 by (forward_tac [B_trusts_ServKey] 1); |
|
1058 by (etac exE 4); |
|
1059 by (forward_tac [K4_imp_K2] 4); |
|
1060 by (Blast_tac 5); |
|
1061 by (ALLGOALS assume_tac); |
|
1062 qed "B_trusts_ServTicket"; |
|
1063 |
|
1064 Goal "[| Crypt (shrK B) {|Agent A, Agent B, Key ServKey, Number Tt|} \ |
|
1065 \ : parts (spies evs); B ~= Tgs; B ~: bad; \ |
|
1066 \ evs : kerberos |] \ |
|
1067 \==> EX Tk AuthKey. \ |
|
1068 \ (Says Kas A (Crypt (shrK A) {|Key AuthKey, Agent Tgs, Number Tk, \ |
|
1069 \ Crypt (shrK Tgs) {|Agent A, Agent Tgs, Key AuthKey, Number Tk|}|})\ |
|
1070 \ : set evs \ |
|
1071 \ & Says Tgs A (Crypt AuthKey {|Key ServKey, Agent B, Number Tt, \ |
|
1072 \ Crypt (shrK B) {|Agent A, Agent B, Key ServKey, Number Tt|}|}) \ |
|
1073 \ : set evs \ |
|
1074 \ & ServLife + Tt <= AuthLife + Tk)"; |
|
1075 by (forward_tac [B_trusts_ServKey] 1); |
|
1076 by (etac exE 4); |
|
1077 by (forward_tac [K4_imp_K2_refined] 4); |
|
1078 by (Blast_tac 5); |
|
1079 by (ALLGOALS assume_tac); |
|
1080 qed "B_trusts_ServTicket_refined"; |
|
1081 |
|
1082 |
|
(* NotExpirServ_NotExpirAuth_refined: if the service key's timestamp Tt has
   not expired on evs and ServLife + Tt <= AuthLife + Tk, then the
   authentication key's timestamp Tk has not expired either.
   This is the arithmetic step that lets the refined-model theorems state
   only ~ ExpirServ Tt evs; the bound itself is supplied by
   K4_imp_K2_refined and B_trusts_ServTicket_refined.
   Proof: blast_tac over the order lemmas leI, le_trans and leE. *)
1083 Goal "[| ~ ExpirServ Tt evs; ServLife + Tt <= AuthLife + Tk |] \ |
|
1084 \ ==> ~ ExpirAuth Tk evs"; |
|
1085 by (blast_tac (claset() addDs [leI,le_trans] addEs [leE]) 1); |
|
1086 qed "NotExpirServ_NotExpirAuth_refined"; |
|
1087 |
|
1088 |
|
(* Confidentiality_B: secrecy of ServKey stated from B's side.
   Premises: three ciphertexts occur in parts (spies evs) -- the service
   ticket under shrK B, the Tgs reply under AuthKey, and the Kas reply under
   shrK A; neither Tt nor Tk has expired on evs; A and B are not in bad;
   B ~= Tgs.  Conclusion: Key ServKey ~: analz (spies evs).
   Two of the three ciphertexts are under keys other than shrK B, and
   ~ ExpirAuth Tk evs concerns the timestamp inside the shrK A ciphertext.
   Confidentiality_B_refined reaches the same conclusion from the service
   ticket and ~ ExpirServ Tt evs alone.
   The subgoal numbers given to the tactics (3, 6, 9, 10) presumably follow
   the side conditions left by each forward_tac, so the steps are
   order-sensitive -- do not reorder without replaying the proof. *)
1089 Goal "[| Crypt (shrK B) {|Agent A, Agent B, Key ServKey, Number Tt|} \ |
|
1090 \ : parts (spies evs); \ |
|
1091 \ Crypt AuthKey {|Key ServKey, Agent B, Number Tt, ServTicket|} \ |
|
1092 \ : parts (spies evs); \ |
|
1093 \ Crypt (shrK A) {|Key AuthKey, Agent Tgs, Number Tk, AuthTicket|}\ |
|
1094 \ : parts (spies evs); \ |
|
1095 \ ~ ExpirServ Tt evs; ~ ExpirAuth Tk evs; \ |
|
1096 \ A ~: bad; B ~: bad; B ~= Tgs; evs : kerberos |] \ |
|
1097 \ ==> Key ServKey ~: analz (spies evs)"; |
|
1098 by (forward_tac [A_trusts_AuthKey] 1); |
|
1099 by (forward_tac [Confidentiality_Kas] 3); |
|
1100 by (forward_tac [B_trusts_ServTicket] 6); |
|
1101 by (etac exE 9); |
|
1102 by (etac exE 9); |
|
1103 by (forward_tac [Says_Kas_message_form] 9); |
|
1104 by (blast_tac (claset() addDs [A_trusts_K4, |
|
1105 unique_ServKeys, unique_AuthKeys, |
|
1106 Confidentiality_Tgs2]) 10); |
|
1107 by (ALLGOALS assume_tac); |
|
1108 (* |
|
1109 The proof above executes in 8 secs. It can be done in one command in 50 secs: |
|
1110 by (blast_tac (claset() addDs [A_trusts_AuthKey, A_trusts_K4, |
|
1111 Says_Kas_message_form, B_trusts_ServTicket, |
|
1112 unique_ServKeys, unique_AuthKeys, |
|
1113 Confidentiality_Kas, |
|
1114 Confidentiality_Tgs2]) 1); |
|
1115 *) |
|
1116 qed "Confidentiality_B"; |
|
1117 |
|
1118 |
|
(* Confidentiality_B_refined: from the service ticket under shrK B occurring
   in parts (spies evs), ~ ExpirServ Tt evs, A and B not in bad and
   B ~= Tgs, conclude Key ServKey ~: analz (spies evs).
   Unlike Confidentiality_B there is no premise about ciphertexts under
   AuthKey or shrK A and no ~ ExpirAuth Tk evs.  The proof recovers them:
   B_trusts_ServTicket_refined yields the Kas and Tgs messages together with
   ServLife + Tt <= AuthLife + Tk, NotExpirServ_NotExpirAuth_refined turns
   that bound into ~ ExpirAuth Tk evs, and Confidentiality_Tgs2 concludes.
   As the original remark says, this holds only for the refined model. *)
1119 (*Most general form -- only for refined model! *) |
|
1120 Goal "[| Crypt (shrK B) {|Agent A, Agent B, Key ServKey, Number Tt|} \ |
|
1121 \ : parts (spies evs); \ |
|
1122 \ ~ ExpirServ Tt evs; \ |
|
1123 \ A ~: bad; B ~: bad; B ~= Tgs; evs : kerberos |] \ |
|
1124 \ ==> Key ServKey ~: analz (spies evs)"; |
|
1125 by (blast_tac (claset() addDs [B_trusts_ServTicket_refined, |
|
1126 NotExpirServ_NotExpirAuth_refined, |
|
1127 Confidentiality_Tgs2]) 1); |
|
1128 qed "Confidentiality_B_refined"; |
|
1129 |
|
1130 |
|
1131 (********************** Authenticity theorems *****************************) |
|
1132 |
|
1133 (***1. Session Keys authenticity: they originated with servers.***) |
|
1134 |
|
1135 (*Authenticity of AuthKey for A: "A_trusts_AuthKey"*) |
|
1136 |
|
(* A_trusts_ServKey: if the Kas reply under shrK A (carrying AuthKey and
   Number Tk) and the Tgs reply under AuthKey (carrying ServKey) both occur
   in parts (spies evs), ~ ExpirAuth Tk evs holds and A is not in bad, then
   Tgs did send A that reply on evs.
   The "temporal check" mentioned in the note after qed is the premise
   ~ ExpirAuth Tk evs.  It is needed because the proof goes through
   Confidentiality_Auth_A (A_trusts_AuthKey RS Confidentiality_Kas), i.e.
   through secrecy of AuthKey, and Confidentiality_Kas grants that only
   while Tk is unexpired.  A_trusts_K4_bis then gives the Tgs message. *)
1137 (*Authenticity of ServKey for A: "A_trusts_ServKey"*) |
|
1138 Goal "[| Crypt (shrK A) {|Key AuthKey, Agent Tgs, Number Tk, AuthTicket|} \ |
|
1139 \ : parts (spies evs); \ |
|
1140 \ Crypt AuthKey {|Key ServKey, Agent B, Number Tt, ServTicket|} \ |
|
1141 \ : parts (spies evs); \ |
|
1142 \ ~ ExpirAuth Tk evs; A ~: bad; evs : kerberos |] \ |
|
1143 \==>Says Tgs A (Crypt AuthKey {|Key ServKey, Agent B, Number Tt, ServTicket|})\ |
|
1144 \ : set evs"; |
|
1145 by (forward_tac [A_trusts_AuthKey] 1 THEN assume_tac 1 THEN assume_tac 1); |
|
1146 by (blast_tac (claset() addDs [Confidentiality_Auth_A, A_trusts_K4_bis]) 1); |
|
1147 qed "A_trusts_ServKey"; |
|
1148 (*Note: requires a temporal check*) |
|
1149 |
|
1150 |
|
1151 (*Authenticity of ServKey for B: "B_trusts_ServKey"*) |
|
1152 |
|
1153 (***2. Parties authenticity: each party verifies "the identity of |
|
1154 another party who generated some data" (quoted from Neuman & Ts'o).***) |
|
1155 |
|
1156 (*These guarantees don't assess whether two parties agree on |
|
1157 the same session key: sending a message containing a key |
|
1158 doesn't a priori state knowledge of the key.***) |
|
1159 |
|
1160 (*B checks authenticity of A: theorems "A_Authenticity", |
|
1161 "A_authenticity_refined" *) |
|
1162 Goal "[| Crypt ServKey {|Agent A, Number Ta|} : parts (spies evs); \ |
|
1163 \ Says Tgs A (Crypt AuthKey {|Key ServKey, Agent B, Number Tt, \ |
|
1164 \ ServTicket|}) : set evs; \ |
|
1165 \ Key ServKey ~: analz (spies evs); \ |
|
1166 \ A ~: bad; B ~: bad; evs : kerberos |] \ |
|
1167 \==> Says A B {|ServTicket, Crypt ServKey {|Agent A, Number Ta|}|} : set evs"; |
|
1168 by (etac rev_mp 1); |
|
1169 by (etac rev_mp 1); |
|
1170 by (etac rev_mp 1); |
|
1171 by (etac kerberos.induct 1); |
|
1172 by (forward_tac [Says_ticket_in_parts_spies] 5); |
|
1173 by (forward_tac [Says_ticket_in_parts_spies] 7); |
|
1174 by (REPEAT (FIRSTGOAL analz_mono_contra_tac)); |
|
1175 by (ALLGOALS (asm_simp_tac (simpset() addsimps [all_conj_distrib]))); |
|
1176 by (Fake_parts_insert_tac 1); |
|
1177 (*K3*) |
|
1178 by (blast_tac (claset() addEs spies_partsEs |
|
1179 addDs [A_trusts_AuthKey, |
|
1180 Says_Kas_message_form, |
|
1181 Says_Tgs_message_form]) 1); |
|
1182 (*K4*) |
|
1183 by (force_tac (claset() addSDs [Crypt_imp_keysFor], simpset()) 1); |
|
1184 (*K5*) |
|
1185 by (blast_tac (claset() addDs [Key_unique_SesKey] addEs spies_partsEs) 1); |
|
1186 qed "Says_Auth"; |
|
1187 |
|
1188 (*The second assumption tells B what kind of key ServKey is.*) |
|
1189 Goal "[| Crypt ServKey {|Agent A, Number Ta|} : parts (spies evs); \ |
|
1190 \ Crypt (shrK B) {|Agent A, Agent B, Key ServKey, Number Tt|} \ |
|
1191 \ : parts (spies evs); \ |
|
1192 \ Crypt AuthKey {|Key ServKey, Agent B, Number Tt, ServTicket|} \ |
|
1193 \ : parts (spies evs); \ |
|
1194 \ Crypt (shrK A) {|Key AuthKey, Agent Tgs, Number Tk, AuthTicket|} \ |
|
1195 \ : parts (spies evs); \ |
|
1196 \ ~ ExpirServ Tt evs; ~ ExpirAuth Tk evs; \ |
|
1197 \ B ~= Tgs; A ~: bad; B ~: bad; evs : kerberos |] \ |
|
1198 \ ==> Says A B {|Crypt (shrK B) {|Agent A, Agent B, Key ServKey, Number Tt|},\ |
|
1199 \ Crypt ServKey {|Agent A, Number Ta|} |} : set evs"; |
|
1200 by (forward_tac [Confidentiality_B] 1); |
|
1201 by (forward_tac [B_trusts_ServKey] 9); |
|
1202 by (etac exE 12); |
|
1203 by (blast_tac (claset() addSDs [Says_imp_spies RS parts.Inj, Key_unique_SesKey] |
|
1204 addSIs [Says_Auth]) 12); |
|
1205 by (ALLGOALS assume_tac); |
|
1206 qed "A_Authenticity"; |
|
1207 |
|
(* A_Authenticity_refined: if the authenticator
   Crypt ServKey {|Agent A, Number Ta2|} and the service ticket under shrK B
   both occur in parts (spies evs), ~ ExpirServ Tt evs holds, A and B are
   not in bad and B ~= Tgs, then A sent B the pair of that ticket and that
   authenticator on evs.
   Compared with A_Authenticity, the premises about ciphertexts under
   AuthKey and shrK A and the premise ~ ExpirAuth Tk evs are gone.
   Proof outline: Confidentiality_B_refined gives
   Key ServKey ~: analz (spies evs), B_trusts_ServKey gives the Tgs message,
   and Says_Auth (which needs both) is introduced by blast_tac; the
   remaining subgoals are closed by assumption. *)
1208 (*Stronger form in the refined model*) |
|
1209 Goal "[| Crypt ServKey {|Agent A, Number Ta2|} : parts (spies evs); \ |
|
1210 \ Crypt (shrK B) {|Agent A, Agent B, Key ServKey, Number Tt|} \ |
|
1211 \ : parts (spies evs); \ |
|
1212 \ ~ ExpirServ Tt evs; \ |
|
1213 \ B ~= Tgs; A ~: bad; B ~: bad; evs : kerberos |] \ |
|
1214 \ ==> Says A B {|Crypt (shrK B) {|Agent A, Agent B, Key ServKey, Number Tt|},\ |
|
1215 \ Crypt ServKey {|Agent A, Number Ta2|} |} : set evs"; |
|
1216 by (forward_tac [Confidentiality_B_refined] 1); |
|
1217 by (forward_tac [B_trusts_ServKey] 6); |
|
1218 by (etac exE 9); |
|
1219 by (blast_tac (claset() addSDs [Says_imp_spies RS parts.Inj, Key_unique_SesKey] |
|
1220 addSIs [Says_Auth]) 9); |
|
1221 by (ALLGOALS assume_tac); |
|
1222 qed "A_Authenticity_refined"; |
|
1223 |
|
1224 |
|
1225 (*A checks authenticity of B: theorem "B_authenticity"*) |
|
1226 |
|
1227 Goal "[| Crypt ServKey (Number Ta) : parts (spies evs); \ |
|
1228 \ Says Tgs A (Crypt AuthKey {|Key ServKey, Agent B, Number Tt, \ |
|
1229 \ ServTicket|}) : set evs; \ |
|
1230 \ Key ServKey ~: analz (spies evs); \ |
|
1231 \ A ~: bad; B ~: bad; evs : kerberos |] \ |
|
1232 \ ==> Says B A (Crypt ServKey (Number Ta)) : set evs"; |
|
1233 by (etac rev_mp 1); |
|
1234 by (etac rev_mp 1); |
|
1235 by (etac rev_mp 1); |
|
1236 by (etac kerberos.induct 1); |
|
1237 by (forward_tac [Says_ticket_in_parts_spies] 5); |
|
1238 by (forward_tac [Says_ticket_in_parts_spies] 7); |
|
1239 by (REPEAT (FIRSTGOAL analz_mono_contra_tac)); |
|
1240 by (ALLGOALS Asm_simp_tac); |
|
1241 by (Fake_parts_insert_tac 1); |
|
1242 by (force_tac (claset() addSDs [Crypt_imp_keysFor], simpset()) 1); |
|
1243 by (Clarify_tac 1); |
|
1244 by (forward_tac [Says_Tgs_message_form] 1 THEN assume_tac 1); |
|
1245 by (Clarify_tac 1); (*PROOF FAILED if omitted*) |
|
1246 by (blast_tac (claset() addDs [unique_CryptKey] addEs spies_partsEs) 1); |
|
1247 qed "Says_K6"; |
|
1248 |
|
1249 Goal "[| Crypt AuthKey {|Key ServKey, Agent B, T, ServTicket|} \ |
|
1250 \ : parts (spies evs); \ |
|
1251 \ Key AuthKey ~: analz (spies evs); AuthKey ~: range shrK; \ |
|
1252 \ evs : kerberos |] \ |
|
1253 \ ==> EX A. Says Tgs A (Crypt AuthKey {|Key ServKey, Agent B, T, ServTicket|})\ |
|
1254 \ : set evs"; |
|
1255 by (etac rev_mp 1); |
|
1256 by (etac rev_mp 1); |
|
1257 by (parts_induct_tac 1); |
|
1258 by (Fake_parts_insert_tac 1); |
|
1259 by (Blast_tac 1); |
|
1260 by (Blast_tac 1); |
|
1261 qed "K4_trustworthy"; |
|
1262 |
|
1263 Goal "[| Crypt ServKey (Number Ta) : parts (spies evs); \ |
|
1264 \ Crypt AuthKey {|Key ServKey, Agent B, Number Tt, ServTicket|} \ |
|
1265 \ : parts (spies evs); \ |
|
1266 \ Crypt (shrK A) {|Key AuthKey, Agent Tgs, Number Tk, AuthTicket|}\ |
|
1267 \ : parts (spies evs); \ |
|
1268 \ ~ ExpirAuth Tk evs; ~ ExpirServ Tt evs; \ |
|
1269 \ A ~: bad; B ~: bad; B ~= Tgs; evs : kerberos |] \ |
|
1270 \ ==> Says B A (Crypt ServKey (Number Ta)) : set evs"; |
|
1271 by (forward_tac [A_trusts_AuthKey] 1); |
|
1272 by (forward_tac [Says_Kas_message_form] 3); |
|
1273 by (forward_tac [Confidentiality_Kas] 4); |
|
1274 by (forward_tac [K4_trustworthy] 7); |
|
1275 by (Blast_tac 8); |
|
1276 by (etac exE 9); |
|
1277 by (forward_tac [K4_imp_K2] 9); |
|
1278 by (blast_tac (claset() addDs [Says_imp_spies RS parts.Inj, Key_unique_SesKey] |
|
1279 addSIs [Says_K6] |
|
1280 addSEs [Confidentiality_Tgs1 RSN (2,rev_notE)]) 10); |
|
1281 by (ALLGOALS assume_tac); |
|
1282 qed "B_Authenticity"; |
|
1283 |
|
1284 |
|
1285 (***3. Parties' knowledge of session keys. A knows a session key if she |
|
1286 used it to build a cipher.***) |
|
1287 |
|
1288 Goal "[| Says B A (Crypt ServKey (Number Ta)) : set evs; \ |
|
1289 \ Key ServKey ~: analz (spies evs); \ |
|
1290 \ A ~: bad; B ~: bad; B ~= Tgs; evs : kerberos |] \ |
|
1291 \ ==> B Issues A with (Crypt ServKey (Number Ta)) on evs"; |
|
1292 by (simp_tac (simpset() addsimps [Issues_def]) 1); |
|
1293 by (rtac exI 1); |
|
1294 by (rtac conjI 1); |
|
1295 by (assume_tac 1); |
|
1296 by (Simp_tac 1); |
|
1297 by (etac rev_mp 1); |
|
1298 by (etac rev_mp 1); |
|
1299 by (etac kerberos.induct 1); |
|
1300 by (forward_tac [Says_ticket_in_parts_spies] 5); |
|
1301 by (forward_tac [Says_ticket_in_parts_spies] 7); |
|
1302 by (REPEAT (FIRSTGOAL analz_mono_contra_tac)); |
|
1303 by (ALLGOALS (asm_simp_tac (simpset() addsimps [all_conj_distrib]))); |
|
1304 by (Fake_parts_insert_tac 1); |
|
1305 (*K6 requires numerous lemmas*) |
|
1306 by (asm_full_simp_tac (simpset() addsimps [takeWhile_tail]) 1); |
|
1307 by (blast_tac (claset() addDs [B_trusts_ServTicket, |
|
1308 impOfSubs parts_spies_takeWhile_mono, |
|
1309 impOfSubs parts_spies_evs_revD2] |
|
1310 addIs [Says_K6] |
|
1311 addEs spies_partsEs) 1); |
|
1312 qed "B_Knows_B_Knows_ServKey_lemma"; |
|
1313 (*Key ServKey ~: analz (spies evs) could be relaxed by Confidentiality_B |
|
1314 but this is irrelevant because B knows what he knows! *) |
|
1315 |
|
1316 Goal "[| Says B A (Crypt ServKey (Number Ta)) : set evs; \ |
|
1317 \ Crypt (shrK B) {|Agent A, Agent B, Key ServKey, Number Tt|}\ |
|
1318 \ : parts (spies evs);\ |
|
1319 \ Crypt AuthKey {|Key ServKey, Agent B, Number Tt, ServTicket|}\ |
|
1320 \ : parts (spies evs);\ |
|
1321 \ Crypt (shrK A) {|Key AuthKey, Agent Tgs, Number Tk, AuthTicket|}\ |
|
1322 \ : parts (spies evs); \ |
|
1323 \ ~ ExpirServ Tt evs; ~ ExpirAuth Tk evs; \ |
|
1324 \ A ~: bad; B ~: bad; B ~= Tgs; evs : kerberos |] \ |
|
1325 \ ==> B Issues A with (Crypt ServKey (Number Ta)) on evs"; |
|
1326 by (blast_tac (claset() addSDs [Confidentiality_B, |
|
1327 B_Knows_B_Knows_ServKey_lemma]) 1); |
|
1328 qed "B_Knows_B_Knows_ServKey"; |
|
1329 |
|
1330 Goal "[| Says B A (Crypt ServKey (Number Ta)) : set evs; \ |
|
1331 \ Crypt (shrK B) {|Agent A, Agent B, Key ServKey, Number Tt|}\ |
|
1332 \ : parts (spies evs);\ |
|
1333 \ ~ ExpirServ Tt evs; \ |
|
1334 \ A ~: bad; B ~: bad; B ~= Tgs; evs : kerberos |] \ |
|
1335 \ ==> B Issues A with (Crypt ServKey (Number Ta)) on evs"; |
|
1336 by (blast_tac (claset() addSDs [Confidentiality_B_refined, |
|
1337 B_Knows_B_Knows_ServKey_lemma]) 1); |
|
1338 qed "B_Knows_B_Knows_ServKey_refined"; |
|
1339 |
|
1340 |
|
1341 Goal "[| Crypt ServKey (Number Ta) : parts (spies evs); \ |
|
1342 \ Crypt AuthKey {|Key ServKey, Agent B, Number Tt, ServTicket|} \ |
|
1343 \ : parts (spies evs); \ |
|
1344 \ Crypt (shrK A) {|Key AuthKey, Agent Tgs, Number Tk, AuthTicket|}\ |
|
1345 \ : parts (spies evs); \ |
|
1346 \ ~ ExpirAuth Tk evs; ~ ExpirServ Tt evs; \ |
|
1347 \ A ~: bad; B ~: bad; B ~= Tgs; evs : kerberos |] \ |
|
1348 \ ==> B Issues A with (Crypt ServKey (Number Ta)) on evs"; |
|
1349 by (blast_tac (claset() addSDs [B_Authenticity, Confidentiality_Serv_A, |
|
1350 B_Knows_B_Knows_ServKey_lemma]) 1); |
|
1351 qed "A_Knows_B_Knows_ServKey"; |
|
1352 |
|
1353 Goal "[| Says A Tgs \ |
|
1354 \ {|AuthTicket, Crypt AuthKey {|Agent A, Number Ta|}, Agent B|}\ |
|
1355 \ : set evs; \ |
|
1356 \ A ~: bad; evs : kerberos |] \ |
|
1357 \ ==> EX Tk. Says Kas A (Crypt (shrK A) \ |
|
1358 \ {|Key AuthKey, Agent Tgs, Tk, AuthTicket|}) \ |
|
1359 \ : set evs"; |
|
1360 by (etac rev_mp 1); |
|
1361 by (parts_induct_tac 1); |
|
1362 by (Fake_parts_insert_tac 1); |
|
1363 by (Blast_tac 1); |
|
1364 by (blast_tac (claset() addDs [Says_imp_spies RS parts.Inj RS |
|
1365 A_trusts_AuthKey]) 1); |
|
1366 qed "K3_imp_K2"; |
|
1367 |
|
1368 Goal "[| Crypt AuthKey {|Key ServKey, Agent B, Number Tt, ServTicket|} \ |
|
1369 \ : parts (spies evs); \ |
|
1370 \ Says Kas A (Crypt (shrK A) \ |
|
1371 \ {|Key AuthKey, Agent Tgs, Tk, AuthTicket|}) \ |
|
1372 \ : set evs; \ |
|
1373 \ Key AuthKey ~: analz (spies evs); \ |
|
1374 \ B ~= Tgs; A ~: bad; B ~: bad; evs : kerberos |] \ |
|
1375 \ ==> Says Tgs A (Crypt AuthKey \ |
|
1376 \ {|Key ServKey, Agent B, Number Tt, ServTicket|}) \ |
|
1377 \ : set evs"; |
|
1378 by (etac rev_mp 1); |
|
1379 by (etac rev_mp 1); |
|
1380 by (etac rev_mp 1); |
|
1381 by (parts_induct_tac 1); |
|
1382 by (Fake_parts_insert_tac 1); |
|
1383 by (force_tac (claset() addSDs [Crypt_imp_keysFor], simpset()) 1); |
|
1384 by (blast_tac (claset() addDs [Says_imp_spies RS parts.Inj RS parts.Fst RS |
|
1385 A_trusts_AuthTicket, unique_AuthKeys]) 1); |
|
1386 qed "K4_trustworthy'"; |
|
1387 |
|
1388 Goal "[| Says A B {|ServTicket, Crypt ServKey {|Agent A, Number Ta|}|} \ |
|
1389 \ : set evs; \ |
|
1390 \ Key ServKey ~: analz (spies evs); \ |
|
1391 \ B ~= Tgs; A ~: bad; B ~: bad; evs : kerberos |] \ |
|
1392 \ ==> A Issues B with (Crypt ServKey {|Agent A, Number Ta|}) on evs"; |
|
1393 by (simp_tac (simpset() addsimps [Issues_def]) 1); |
|
1394 by (rtac exI 1); |
|
1395 by (rtac conjI 1); |
|
1396 by (assume_tac 1); |
|
1397 by (Simp_tac 1); |
|
1398 by (etac rev_mp 1); |
|
1399 by (etac rev_mp 1); |
|
1400 by (etac kerberos.induct 1); |
|
1401 by (forward_tac [Says_ticket_in_parts_spies] 5); |
|
1402 by (forward_tac [Says_ticket_in_parts_spies] 7); |
|
1403 by (REPEAT (FIRSTGOAL analz_mono_contra_tac)); |
|
1404 by (ALLGOALS Asm_simp_tac); |
|
1405 by (Clarify_tac 1); |
|
1406 (*K6*) |
|
1407 by Auto_tac; |
|
1408 by (asm_full_simp_tac (simpset() addsimps [takeWhile_tail]) 1); |
|
1409 (*Level 15: case study necessary because the assumption doesn't state |
|
1410 the form of ServTicket. The guarantee becomes stronger.*) |
|
1411 by (case_tac "Key AuthKey : analz (spies evs5)" 1); |
|
1412 by (force_tac (claset() addDs [Says_imp_spies RS analz.Inj RS |
|
1413 analz.Decrypt RS analz.Fst], |
|
1414 simpset()) 1); |
|
1415 by (blast_tac (claset() addDs [K3_imp_K2, K4_trustworthy', |
|
1416 impOfSubs parts_spies_takeWhile_mono, |
|
1417 impOfSubs parts_spies_evs_revD2] |
|
1418 addIs [Says_Auth] |
|
1419 addEs spies_partsEs) 1); |
|
1420 by (asm_full_simp_tac (simpset() addsimps [takeWhile_tail]) 1); |
|
1421 qed "A_Knows_A_Knows_ServKey_lemma"; |
|
1422 |
|
1423 Goal "[| Says A B {|ServTicket, Crypt ServKey {|Agent A, Number Ta|}|} \ |
|
1424 \ : set evs; \ |
|
1425 \ Crypt (shrK A) {|Key AuthKey, Agent Tgs, Number Tk, AuthTicket|}\ |
|
1426 \ : parts (spies evs);\ |
|
1427 \ Crypt AuthKey {|Key ServKey, Agent B, Number Tt, ServTicket|}\ |
|
1428 \ : parts (spies evs); \ |
|
1429 \ ~ ExpirAuth Tk evs; ~ ExpirServ Tt evs;\ |
|
1430 \ B ~= Tgs; A ~: bad; B ~: bad; evs : kerberos |] \ |
|
1431 \ ==> A Issues B with (Crypt ServKey {|Agent A, Number Ta|}) on evs"; |
|
1432 by (blast_tac (claset() addSDs [Confidentiality_Serv_A, |
|
1433 A_Knows_A_Knows_ServKey_lemma]) 1); |
|
1434 qed "A_Knows_A_Knows_ServKey"; |
|
1435 |
|
1436 Goal "[| Crypt ServKey {|Agent A, Number Ta|} : parts (spies evs); \ |
|
1437 \ Crypt (shrK B) {|Agent A, Agent B, Key ServKey, Number Tt|} \ |
|
1438 \ : parts (spies evs); \ |
|
1439 \ Crypt AuthKey {|Key ServKey, Agent B, Number Tt, ServTicket|} \ |
|
1440 \ : parts (spies evs); \ |
|
1441 \ Crypt (shrK A) {|Key AuthKey, Agent Tgs, Number Tk, AuthTicket|} \ |
|
1442 \ : parts (spies evs); \ |
|
1443 \ ~ ExpirServ Tt evs; ~ ExpirAuth Tk evs; \ |
|
1444 \ B ~= Tgs; A ~: bad; B ~: bad; evs : kerberos |] \ |
|
1445 \ ==> A Issues B with (Crypt ServKey {|Agent A, Number Ta|}) on evs"; |
|
1446 by (blast_tac (claset() addDs [A_Authenticity, Confidentiality_B, |
|
1447 A_Knows_A_Knows_ServKey_lemma]) 1); |
|
1448 qed "B_Knows_A_Knows_ServKey"; |
|
1449 |
|
1450 |
|
1451 Goal "[| Crypt ServKey {|Agent A, Number Ta|} : parts (spies evs); \ |
|
1452 \ Crypt (shrK B) {|Agent A, Agent B, Key ServKey, Number Tt|} \ |
|
1453 \ : parts (spies evs); \ |
|
1454 \ ~ ExpirServ Tt evs; \ |
|
1455 \ B ~= Tgs; A ~: bad; B ~: bad; evs : kerberos |] \ |
|
1456 \ ==> A Issues B with (Crypt ServKey {|Agent A, Number Ta|}) on evs"; |
|
1457 by (blast_tac (claset() addDs [A_Authenticity_refined, |
|
1458 Confidentiality_B_refined, |
|
1459 A_Knows_A_Knows_ServKey_lemma]) 1); |
|
1460 qed "B_Knows_A_Knows_ServKey_refined"; |