19 By induction on a list of agents (no repetitions) |
18 By induction on a list of agents (no repetitions) |
20 **) |
19 **) |
21 |
20 |
22 |
21 |
23 (*Simplest case: Alice goes directly to the server*) |
22 (*Simplest case: Alice goes directly to the server*) |
24 Goal "A ~= Server \ |
23 Goal "EX K NA. EX evs: recur. \ |
25 \ ==> EX K NA. EX evs: recur. \ |
24 \ Says Server A {|Crypt (shrK A) {|Key K, Agent Server, Nonce NA|}, \ |
26 \ Says Server A {|Crypt (shrK A) {|Key K, Agent Server, Nonce NA|}, \ |
25 \ END|} : set evs"; |
27 \ Agent Server|} : set evs"; |
|
28 by (REPEAT (resolve_tac [exI,bexI] 1)); |
26 by (REPEAT (resolve_tac [exI,bexI] 1)); |
29 by (rtac (recur.Nil RS recur.RA1 RS |
27 by (rtac (recur.Nil RS recur.RA1 RS (respond.One RSN (3,recur.RA3))) 2); |
30 (respond.One RSN (4,recur.RA3))) 2); |
|
31 by possibility_tac; |
28 by possibility_tac; |
32 result(); |
29 result(); |
33 |
30 |
34 |
31 |
35 (*Case two: Alice, Bob and the server*) |
32 (*Case two: Alice, Bob and the server*) |
36 Goal "[| A ~= B; A ~= Server; B ~= Server |] \ |
33 Goal "EX K. EX NA. EX evs: recur. \ |
37 \ ==> EX K. EX NA. EX evs: recur. \ |
34 \ Says B A {|Crypt (shrK A) {|Key K, Agent B, Nonce NA|}, \ |
38 \ Says B A {|Crypt (shrK A) {|Key K, Agent B, Nonce NA|}, \ |
35 \ END|} : set evs"; |
39 \ Agent Server|} : set evs"; |
|
40 by (cut_facts_tac [Nonce_supply2, Key_supply2] 1); |
36 by (cut_facts_tac [Nonce_supply2, Key_supply2] 1); |
41 by (REPEAT (eresolve_tac [exE, conjE] 1)); |
37 by (REPEAT (eresolve_tac [exE, conjE] 1)); |
42 by (REPEAT (resolve_tac [exI,bexI] 1)); |
38 by (REPEAT (resolve_tac [exI,bexI] 1)); |
43 by (rtac (recur.Nil RS recur.RA1 RS recur.RA2 RS |
39 by (rtac (recur.Nil RS recur.RA1 RS recur.RA2 RS |
44 (respond.One RS respond.Cons RSN (4,recur.RA3)) RS |
40 (respond.One RS respond.Cons RSN (3,recur.RA3)) RS |
45 recur.RA4) 2); |
41 recur.RA4) 2); |
46 by basic_possibility_tac; |
42 by basic_possibility_tac; |
47 by (DEPTH_SOLVE (eresolve_tac [asm_rl, less_not_refl2, less_not_refl3] 1)); |
43 by (DEPTH_SOLVE (eresolve_tac [asm_rl, less_not_refl2, less_not_refl3] 1)); |
48 result(); |
44 result(); |
49 |
45 |
50 |
46 |
51 (*Case three: Alice, Bob, Charlie and the server |
47 (*Case three: Alice, Bob, Charlie and the server |
52 TOO SLOW to run every time! |
48 TOO SLOW to run every time! |
53 Goal "[| A ~= B; B ~= C; A ~= Server; B ~= Server; C ~= Server |] \ |
49 Goal "EX K. EX NA. EX evs: recur. \ |
54 \ ==> EX K. EX NA. EX evs: recur. \ |
50 \ Says B A {|Crypt (shrK A) {|Key K, Agent B, Nonce NA|}, \ |
55 \ Says B A {|Crypt (shrK A) {|Key K, Agent B, Nonce NA|}, \ |
51 \ END|} : set evs"; |
56 \ Agent Server|} : set evs"; |
|
57 by (cut_facts_tac [Nonce_supply3, Key_supply3] 1); |
52 by (cut_facts_tac [Nonce_supply3, Key_supply3] 1); |
58 by (REPEAT (eresolve_tac [exE, conjE] 1)); |
53 by (REPEAT (eresolve_tac [exE, conjE] 1)); |
59 by (REPEAT (resolve_tac [exI,bexI] 1)); |
54 by (REPEAT (resolve_tac [exI,bexI] 1)); |
60 by (rtac (recur.Nil RS recur.RA1 RS recur.RA2 RS recur.RA2 RS |
55 by (rtac (recur.Nil RS recur.RA1 RS recur.RA2 RS recur.RA2 RS |
61 (respond.One RS respond.Cons RS respond.Cons RSN |
56 (respond.One RS respond.Cons RS respond.Cons RSN |
62 (4,recur.RA3)) RS recur.RA4 RS recur.RA4) 2); |
57 (3,recur.RA3)) RS recur.RA4 RS recur.RA4) 2); |
63 (*SLOW: 70 seconds*) |
58 (*SLOW: 33 seconds*) |
64 by basic_possibility_tac; |
59 by basic_possibility_tac; |
65 by (DEPTH_SOLVE (swap_res_tac [refl, conjI, disjCI] 1 |
60 by (DEPTH_SOLVE (swap_res_tac [refl, conjI, disjCI] 1 |
66 ORELSE |
61 ORELSE |
67 eresolve_tac [asm_rl, less_not_refl2, less_not_refl3] 1)); |
62 eresolve_tac [asm_rl, less_not_refl2, less_not_refl3] 1)); |
68 result(); |
63 result(); |
69 ****************) |
64 ****************) |
70 |
65 |
71 (**** Inductive proofs about recur ****) |
66 (**** Inductive proofs about recur ****) |
72 |
|
73 (*Nobody sends themselves messages*) |
|
74 Goal "evs : recur ==> ALL X. Says A A X ~: set evs"; |
|
75 by (etac recur.induct 1); |
|
76 by Auto_tac; |
|
77 qed_spec_mp "not_Says_to_self"; |
|
78 Addsimps [not_Says_to_self]; |
|
79 AddSEs [not_Says_to_self RSN (2, rev_notE)]; |
|
80 |
|
81 |
67 |
82 |
68 |
83 Goal "(PA,RB,KAB) : respond evs ==> Key KAB : parts{RB}"; |
69 Goal "(PA,RB,KAB) : respond evs ==> Key KAB : parts{RB}"; |
84 by (etac respond.induct 1); |
70 by (etac respond.induct 1); |
85 by (ALLGOALS Simp_tac); |
71 by (ALLGOALS Simp_tac); |
321 bind_thm ("resp_analz_insert", |
307 bind_thm ("resp_analz_insert", |
322 raw_analz_image_freshK RSN |
308 raw_analz_image_freshK RSN |
323 (2, resp_analz_insert_lemma) RSN(2, rev_mp)); |
309 (2, resp_analz_insert_lemma) RSN(2, rev_mp)); |
324 |
310 |
325 |
311 |
326 (*The Server does not send such messages. This theorem lets us avoid |
|
327 assuming B~=Server in RA4.*) |
|
328 Goal "evs : recur \ |
|
329 \ ==> ALL C X Y. Says Server C {|X, Agent Server, Y|} ~: set evs"; |
|
330 by (etac recur.induct 1); |
|
331 by (etac (respond.induct) 5); |
|
332 by Auto_tac; |
|
333 qed_spec_mp "Says_Server_not"; |
|
334 AddSEs [Says_Server_not RSN (2,rev_notE)]; |
|
335 |
|
336 |
|
337 (*The last key returned by respond indeed appears in a certificate*) |
312 (*The last key returned by respond indeed appears in a certificate*) |
338 Goal "(Hash[Key(shrK A)] {|Agent A, B, NA, P|}, RA, K) : respond evs \ |
313 Goal "(Hash[Key(shrK A)] {|Agent A, B, NA, P|}, RA, K) : respond evs \ |
339 \ ==> Crypt (shrK A) {|Key K, B, NA|} : parts {RA}"; |
314 \ ==> Crypt (shrK A) {|Key K, B, NA|} : parts {RA}"; |
340 by (etac respond.elim 1); |
315 by (etac respond.elim 1); |
341 by (ALLGOALS Asm_full_simp_tac); |
316 by (ALLGOALS Asm_full_simp_tac); |