20 |
22 |
21 axioms |
23 axioms |
22 Tgs_not_bad [iff]: "Tgs \<notin> bad" |
24 Tgs_not_bad [iff]: "Tgs \<notin> bad" |
23 --{*Tgs is secure --- we already know that Kas is secure*} |
25 --{*Tgs is secure --- we already know that Kas is secure*} |
24 |
26 |
25 (*The current time is just the length of the trace!*) |
27 (*The current time is the length of the trace*) |
26 syntax |
28 syntax |
27 CT :: "event list=>nat" |
29 CT :: "event list=>nat" |
28 |
30 |
29 ExpirAuth :: "[nat, event list] => bool" |
31 expiredAK :: "[nat, event list] => bool" |
30 |
32 |
31 ExpirServ :: "[nat, event list] => bool" |
33 expiredSK :: "[nat, event list] => bool" |
32 |
34 |
33 ExpirAutc :: "[nat, event list] => bool" |
35 expiredA :: "[nat, event list] => bool" |
34 |
36 |
35 RecentResp :: "[nat, nat] => bool" |
37 valid :: "[nat, nat] => bool" ("valid _ wrt _") |
36 |
38 |
37 |
39 |
38 constdefs |
40 constdefs |
39 (* AuthKeys are those contained in an AuthTicket *) |
41 (* authKeys are those contained in an authTicket *) |
40 AuthKeys :: "event list => key set" |
42 authKeys :: "event list => key set" |
41 "AuthKeys evs == {AuthKey. \<exists>A Peer Tk. Says Kas A |
43 "authKeys evs == {authK. \<exists>A Peer Ta. Says Kas A |
42 (Crypt (shrK A) {|Key AuthKey, Agent Peer, Tk, |
44 (Crypt (shrK A) \<lbrace>Key authK, Agent Peer, Number Ta, |
43 (Crypt (shrK Peer) {|Agent A, Agent Peer, Key AuthKey, Tk|}) |
45 (Crypt (shrK Peer) \<lbrace>Agent A, Agent Peer, Key authK, Number Ta\<rbrace>) |
44 |}) \<in> set evs}" |
46 \<rbrace>) \<in> set evs}" |
45 |
47 |
46 (* A is the true creator of X if she has sent X and X never appeared on |
48 (* A is the true creator of X if she has sent X and X never appeared on |
47 the trace before this event. Recall that traces grow from head. *) |
49 the trace before this event. Recall that traces grow from head. *) |
48 Issues :: "[agent, agent, msg, event list] => bool" |
50 Issues :: "[agent, agent, msg, event list] => bool" |
49 ("_ Issues _ with _ on _") |
51 ("_ Issues _ with _ on _") |
50 "A Issues B with X on evs == |
52 "A Issues B with X on evs == |
51 \<exists>Y. Says A B Y \<in> set evs & X \<in> parts {Y} & |
53 \<exists>Y. Says A B Y \<in> set evs & X \<in> parts {Y} & |
52 X \<notin> parts (spies (takeWhile (% z. z \<noteq> Says A B Y) (rev evs)))" |
54 X \<notin> parts (spies (takeWhile (% z. z \<noteq> Says A B Y) (rev evs)))" |
53 |
55 |
|
56 (* Yields the subtrace of a given trace from its beginning to a given event *) |
|
57 before :: "[event, event list] => event list" ("before _ on _") |
|
58 "before ev on evs == takeWhile (% z. z ~= ev) (rev evs)" |
|
59 |
|
60 (* States than an event really appears only once on a trace *) |
|
61 Unique :: "[event, event list] => bool" ("Unique _ on _") |
|
62 "Unique ev on evs == |
|
63 ev \<notin> set (tl (dropWhile (% z. z \<noteq> ev) evs))" |
|
64 |
54 |
65 |
55 consts |
66 consts |
56 (*Duration of the authentication key*) |
67 (*Duration of the authentication key*) |
57 AuthLife :: nat |
68 authKlife :: nat |
58 |
69 |
59 (*Duration of the service key*) |
70 (*Duration of the service key*) |
60 ServLife :: nat |
71 servKlife :: nat |
61 |
72 |
62 (*Duration of an authenticator*) |
73 (*Duration of an authenticator*) |
63 AutcLife :: nat |
74 authlife :: nat |
64 |
75 |
65 (*Upper bound on the time of reaction of a server*) |
76 (*Upper bound on the time of reaction of a server*) |
66 RespLife :: nat |
77 replylife :: nat |
67 |
78 |
68 specification (AuthLife) |
79 specification (authKlife) |
69 AuthLife_LB [iff]: "2 \<le> AuthLife" |
80 authKlife_LB [iff]: "2 \<le> authKlife" |
70 by blast |
81 by blast |
71 |
82 |
72 specification (ServLife) |
83 specification (servKlife) |
73 ServLife_LB [iff]: "2 \<le> ServLife" |
84 servKlife_LB [iff]: "2 + authKlife \<le> servKlife" |
74 by blast |
85 by blast |
75 |
86 |
76 specification (AutcLife) |
87 specification (authlife) |
77 AutcLife_LB [iff]: "Suc 0 \<le> AutcLife" |
88 authlife_LB [iff]: "Suc 0 \<le> authlife" |
78 by blast |
89 by blast |
79 |
90 |
80 specification (RespLife) |
91 specification (replylife) |
81 RespLife_LB [iff]: "Suc 0 \<le> RespLife" |
92 replylife_LB [iff]: "Suc 0 \<le> replylife" |
82 by blast |
93 by blast |
83 |
94 |
84 translations |
95 translations |
85 "CT" == "length " |
96 "CT" == "length " |
86 |
97 |
87 "ExpirAuth T evs" == "AuthLife + T < CT evs" |
98 "expiredAK Ta evs" == "authKlife + Ta < CT evs" |
88 |
99 |
89 "ExpirServ T evs" == "ServLife + T < CT evs" |
100 "expiredSK Ts evs" == "servKlife + Ts < CT evs" |
90 |
101 |
91 "ExpirAutc T evs" == "AutcLife + T < CT evs" |
102 "expiredA T evs" == "authlife + T < CT evs" |
92 |
103 |
93 "RecentResp T1 T2" == "T1 <= RespLife + T2" |
104 "valid T1 wrt T2" == "T1 <= replylife + T2" |
94 |
105 |
95 (*---------------------------------------------------------------------*) |
106 (*---------------------------------------------------------------------*) |
96 |
107 |
97 |
108 |
98 (* Predicate formalising the association between AuthKeys and ServKeys *) |
109 (* Predicate formalising the association between authKeys and servKeys *) |
99 constdefs |
110 constdefs |
100 KeyCryptKey :: "[key, key, event list] => bool" |
111 AKcryptSK :: "[key, key, event list] => bool" |
101 "KeyCryptKey AuthKey ServKey evs == |
112 "AKcryptSK authK servK evs == |
102 \<exists>A B tt. |
113 \<exists>A B Ts. |
103 Says Tgs A (Crypt AuthKey |
114 Says Tgs A (Crypt authK |
104 {|Key ServKey, Agent B, tt, |
115 \<lbrace>Key servK, Agent B, Number Ts, |
105 Crypt (shrK B) {|Agent A, Agent B, Key ServKey, tt|} |}) |
116 Crypt (shrK B) \<lbrace>Agent A, Agent B, Key servK, Number Ts\<rbrace> \<rbrace>) |
106 \<in> set evs" |
117 \<in> set evs" |
107 |
118 |
108 consts |
119 consts |
109 |
120 |
110 kerberos :: "event list set" |
121 kerbIV :: "event list set" |
111 inductive "kerberos" |
122 inductive "kerbIV" |
112 intros |
123 intros |
113 |
124 |
114 Nil: "[] \<in> kerberos" |
125 Nil: "[] \<in> kerbIV" |
115 |
126 |
116 Fake: "[| evsf \<in> kerberos; X \<in> synth (analz (spies evsf)) |] |
127 Fake: "\<lbrakk> evsf \<in> kerbIV; X \<in> synth (analz (spies evsf)) \<rbrakk> |
117 ==> Says Spy B X # evsf \<in> kerberos" |
128 \<Longrightarrow> Says Spy B X # evsf \<in> kerbIV" |
118 |
129 |
119 (* FROM the initiator *) |
130 (* FROM the initiator *) |
120 K1: "[| evs1 \<in> kerberos |] |
131 K1: "\<lbrakk> evs1 \<in> kerbIV \<rbrakk> |
121 ==> Says A Kas {|Agent A, Agent Tgs, Number (CT evs1)|} # evs1 |
132 \<Longrightarrow> Says A Kas \<lbrace>Agent A, Agent Tgs, Number (CT evs1)\<rbrace> # evs1 |
122 \<in> kerberos" |
133 \<in> kerbIV" |
123 |
134 |
124 (* Adding the timestamp serves to A in K3 to check that |
135 (* Adding the timestamp serves to A in K3 to check that |
125 she doesn't get a reply too late. This kind of timeouts are ordinary. |
136 she doesn't get a reply too late. This kind of timeouts are ordinary. |
126 If a server's reply is late, then it is likely to be fake. *) |
137 If a server's reply is late, then it is likely to be fake. *) |
127 |
138 |
128 (*---------------------------------------------------------------------*) |
139 (*---------------------------------------------------------------------*) |
129 |
140 |
130 (*FROM Kas *) |
141 (*FROM Kas *) |
131 K2: "[| evs2 \<in> kerberos; Key AuthKey \<notin> used evs2; AuthKey \<in> symKeys; |
142 K2: "\<lbrakk> evs2 \<in> kerbIV; Key authK \<notin> used evs2; authK \<in> symKeys; |
132 Says A' Kas {|Agent A, Agent Tgs, Number Ta|} \<in> set evs2 |] |
143 Says A' Kas \<lbrace>Agent A, Agent Tgs, Number T1\<rbrace> \<in> set evs2 \<rbrakk> |
133 ==> Says Kas A |
144 \<Longrightarrow> Says Kas A |
134 (Crypt (shrK A) {|Key AuthKey, Agent Tgs, Number (CT evs2), |
145 (Crypt (shrK A) \<lbrace>Key authK, Agent Tgs, Number (CT evs2), |
135 (Crypt (shrK Tgs) {|Agent A, Agent Tgs, Key AuthKey, |
146 (Crypt (shrK Tgs) \<lbrace>Agent A, Agent Tgs, Key authK, |
136 Number (CT evs2)|})|}) # evs2 \<in> kerberos" |
147 Number (CT evs2)\<rbrace>)\<rbrace>) # evs2 \<in> kerbIV" |
137 (* |
148 (* |
138 The internal encryption builds the AuthTicket. |
149 The internal encryption builds the authTicket. |
139 The timestamp doesn't change inside the two encryptions: the external copy |
150 The timestamp doesn't change inside the two encryptions: the external copy |
140 will be used by the initiator in K3; the one inside the |
151 will be used by the initiator in K3; the one inside the |
141 AuthTicket by Tgs in K4. |
152 authTicket by Tgs in K4. |
142 *) |
153 *) |
143 |
154 |
144 (*---------------------------------------------------------------------*) |
155 (*---------------------------------------------------------------------*) |
145 |
156 |
146 (* FROM the initiator *) |
157 (* FROM the initiator *) |
147 K3: "[| evs3 \<in> kerberos; |
158 K3: "\<lbrakk> evs3 \<in> kerbIV; |
148 Says A Kas {|Agent A, Agent Tgs, Number Ta|} \<in> set evs3; |
159 Says A Kas \<lbrace>Agent A, Agent Tgs, Number T1\<rbrace> \<in> set evs3; |
149 Says Kas' A (Crypt (shrK A) {|Key AuthKey, Agent Tgs, Number Tk, |
160 Says Kas' A (Crypt (shrK A) \<lbrace>Key authK, Agent Tgs, Number Ta, |
150 AuthTicket|}) \<in> set evs3; |
161 authTicket\<rbrace>) \<in> set evs3; |
151 RecentResp Tk Ta |
162 valid Ta wrt T1 |
152 |] |
163 \<rbrakk> |
153 ==> Says A Tgs {|AuthTicket, |
164 \<Longrightarrow> Says A Tgs \<lbrace>authTicket, |
154 (Crypt AuthKey {|Agent A, Number (CT evs3)|}), |
165 (Crypt authK \<lbrace>Agent A, Number (CT evs3)\<rbrace>), |
155 Agent B|} # evs3 \<in> kerberos" |
166 Agent B\<rbrace> # evs3 \<in> kerbIV" |
156 (*The two events amongst the premises allow A to accept only those AuthKeys |
167 (*The two events amongst the premises allow A to accept only those authKeys |
157 that are not issued late. *) |
168 that are not issued late. *) |
158 |
169 |
159 (*---------------------------------------------------------------------*) |
170 (*---------------------------------------------------------------------*) |
160 |
171 |
161 (* FROM Tgs *) |
172 (* FROM Tgs *) |
162 (* Note that the last temporal check is not mentioned in the original MIT |
173 (* Note that the last temporal check is not mentioned in the original MIT |
163 specification. Adding it strengthens the guarantees assessed by the |
174 specification. Adding it makes many goals "available" to the peers. |
164 protocol. Theorems that exploit it have the suffix `_refined' |
175 Theorems that exploit it have the suffix `_u', which stands for updated |
|
176 protocol. |
165 *) |
177 *) |
166 K4: "[| evs4 \<in> kerberos; Key ServKey \<notin> used evs4; ServKey \<in> symKeys; |
178 K4: "\<lbrakk> evs4 \<in> kerbIV; Key servK \<notin> used evs4; servK \<in> symKeys; |
167 B \<noteq> Tgs; AuthKey \<in> symKeys; |
179 B \<noteq> Tgs; authK \<in> symKeys; |
168 Says A' Tgs {| |
180 Says A' Tgs \<lbrace> |
169 (Crypt (shrK Tgs) {|Agent A, Agent Tgs, Key AuthKey, |
181 (Crypt (shrK Tgs) \<lbrace>Agent A, Agent Tgs, Key authK, |
170 Number Tk|}), |
182 Number Ta\<rbrace>), |
171 (Crypt AuthKey {|Agent A, Number Ta1|}), Agent B|} |
183 (Crypt authK \<lbrace>Agent A, Number T2\<rbrace>), Agent B\<rbrace> |
172 \<in> set evs4; |
184 \<in> set evs4; |
173 ~ ExpirAuth Tk evs4; |
185 \<not> expiredAK Ta evs4; |
174 ~ ExpirAutc Ta1 evs4; |
186 \<not> expiredA T2 evs4; |
175 ServLife + (CT evs4) <= AuthLife + Tk |
187 servKlife + (CT evs4) <= authKlife + Ta |
176 |] |
188 \<rbrakk> |
177 ==> Says Tgs A |
189 \<Longrightarrow> Says Tgs A |
178 (Crypt AuthKey {|Key ServKey, Agent B, Number (CT evs4), |
190 (Crypt authK \<lbrace>Key servK, Agent B, Number (CT evs4), |
179 Crypt (shrK B) {|Agent A, Agent B, Key ServKey, |
191 Crypt (shrK B) \<lbrace>Agent A, Agent B, Key servK, |
180 Number (CT evs4)|} |}) |
192 Number (CT evs4)\<rbrace> \<rbrace>) |
181 # evs4 \<in> kerberos" |
193 # evs4 \<in> kerbIV" |
182 (* Tgs creates a new session key per each request for a service, without |
194 (* Tgs creates a new session key per each request for a service, without |
183 checking if there is still a fresh one for that service. |
195 checking if there is still a fresh one for that service. |
184 The cipher under Tgs' key is the AuthTicket, the cipher under B's key |
196 The cipher under Tgs' key is the authTicket, the cipher under B's key |
185 is the ServTicket, which is built now. |
197 is the servTicket, which is built now. |
186 NOTE that the last temporal check is not present in the MIT specification. |
198 NOTE that the last temporal check is not present in the MIT specification. |
187 |
199 |
188 *) |
200 *) |
189 |
201 |
190 (*---------------------------------------------------------------------*) |
202 (*---------------------------------------------------------------------*) |
191 |
203 |
192 (* FROM the initiator *) |
204 (* FROM the initiator *) |
193 K5: "[| evs5 \<in> kerberos; AuthKey \<in> symKeys; ServKey \<in> symKeys; |
205 K5: "\<lbrakk> evs5 \<in> kerbIV; authK \<in> symKeys; servK \<in> symKeys; |
194 Says A Tgs |
206 Says A Tgs |
195 {|AuthTicket, Crypt AuthKey {|Agent A, Number Ta1|}, |
207 \<lbrace>authTicket, Crypt authK \<lbrace>Agent A, Number T2\<rbrace>, |
196 Agent B|} |
208 Agent B\<rbrace> |
197 \<in> set evs5; |
209 \<in> set evs5; |
198 Says Tgs' A |
210 Says Tgs' A |
199 (Crypt AuthKey {|Key ServKey, Agent B, Number Tt, ServTicket|}) |
211 (Crypt authK \<lbrace>Key servK, Agent B, Number Ts, servTicket\<rbrace>) |
200 \<in> set evs5; |
212 \<in> set evs5; |
201 RecentResp Tt Ta1 |] |
213 valid Ts wrt T2 \<rbrakk> |
202 ==> Says A B {|ServTicket, |
214 \<Longrightarrow> Says A B \<lbrace>servTicket, |
203 Crypt ServKey {|Agent A, Number (CT evs5)|} |} |
215 Crypt servK \<lbrace>Agent A, Number (CT evs5)\<rbrace> \<rbrace> |
204 # evs5 \<in> kerberos" |
216 # evs5 \<in> kerbIV" |
205 (* Checks similar to those in K3. *) |
217 (* Checks similar to those in K3. *) |
206 |
218 |
207 (*---------------------------------------------------------------------*) |
219 (*---------------------------------------------------------------------*) |
208 |
220 |
209 (* FROM the responder*) |
221 (* FROM the responder*) |
210 K6: "[| evs6 \<in> kerberos; |
222 K6: "\<lbrakk> evs6 \<in> kerbIV; |
211 Says A' B {| |
223 Says A' B \<lbrace> |
212 (Crypt (shrK B) {|Agent A, Agent B, Key ServKey, Number Tt|}), |
224 (Crypt (shrK B) \<lbrace>Agent A, Agent B, Key servK, Number Ts\<rbrace>), |
213 (Crypt ServKey {|Agent A, Number Ta2|})|} |
225 (Crypt servK \<lbrace>Agent A, Number T3\<rbrace>)\<rbrace> |
214 \<in> set evs6; |
226 \<in> set evs6; |
215 ~ ExpirServ Tt evs6; |
227 \<not> expiredSK Ts evs6; |
216 ~ ExpirAutc Ta2 evs6 |
228 \<not> expiredA T3 evs6 |
217 |] |
229 \<rbrakk> |
218 ==> Says B A (Crypt ServKey (Number Ta2)) |
230 \<Longrightarrow> Says B A (Crypt servK (Number T3)) |
219 # evs6 \<in> kerberos" |
231 # evs6 \<in> kerbIV" |
220 (* Checks similar to those in K4. *) |
232 (* Checks similar to those in K4. *) |
221 |
233 |
222 (*---------------------------------------------------------------------*) |
234 (*---------------------------------------------------------------------*) |
223 |
235 |
224 (* Leaking an AuthKey... *) |
236 (* Leaking an authK... *) |
225 Oops1: "[| evsO1 \<in> kerberos; A \<noteq> Spy; |
237 Oops1: "\<lbrakk> evsO1 \<in> kerbIV; A \<noteq> Spy; |
226 Says Kas A |
238 Says Kas A |
227 (Crypt (shrK A) {|Key AuthKey, Agent Tgs, Number Tk, |
239 (Crypt (shrK A) \<lbrace>Key authK, Agent Tgs, Number Ta, |
228 AuthTicket|}) \<in> set evsO1; |
240 authTicket\<rbrace>) \<in> set evsO1; |
229 ExpirAuth Tk evsO1 |] |
241 expiredAK Ta evsO1 \<rbrakk> |
230 ==> Says A Spy {|Agent A, Agent Tgs, Number Tk, Key AuthKey|} |
242 \<Longrightarrow> Says A Spy \<lbrace>Agent A, Agent Tgs, Number Ta, Key authK\<rbrace> |
231 # evsO1 \<in> kerberos" |
243 # evsO1 \<in> kerbIV" |
232 |
244 |
233 (*---------------------------------------------------------------------*) |
245 (*---------------------------------------------------------------------*) |
234 |
246 |
235 (*Leaking a ServKey... *) |
247 (*Leaking a servK... *) |
236 Oops2: "[| evsO2 \<in> kerberos; A \<noteq> Spy; |
248 Oops2: "\<lbrakk> evsO2 \<in> kerbIV; A \<noteq> Spy; |
237 Says Tgs A |
249 Says Tgs A |
238 (Crypt AuthKey {|Key ServKey, Agent B, Number Tt, ServTicket|}) |
250 (Crypt authK \<lbrace>Key servK, Agent B, Number Ts, servTicket\<rbrace>) |
239 \<in> set evsO2; |
251 \<in> set evsO2; |
240 ExpirServ Tt evsO2 |] |
252 expiredSK Ts evsO2 \<rbrakk> |
241 ==> Says A Spy {|Agent A, Agent B, Number Tt, Key ServKey|} |
253 \<Longrightarrow> Says A Spy \<lbrace>Agent A, Agent B, Number Ts, Key servK\<rbrace> |
242 # evsO2 \<in> kerberos" |
254 # evsO2 \<in> kerbIV" |
243 |
255 |
244 (*---------------------------------------------------------------------*) |
256 (*---------------------------------------------------------------------*) |
245 |
257 |
246 declare Says_imp_knows_Spy [THEN parts.Inj, dest] |
258 declare Says_imp_knows_Spy [THEN parts.Inj, dest] |
247 declare parts.Body [dest] |
259 declare parts.Body [dest] |
248 declare analz_into_parts [dest] |
260 declare analz_into_parts [dest] |
249 declare Fake_parts_insert_in_Un [dest] |
261 declare Fake_parts_insert_in_Un [dest] |
250 |
262 |
251 |
263 |
252 subsection{*Lemmas about Lists*} |
264 subsection{*Lemmas about lists, for reasoning about Issues*} |
253 |
265 |
254 lemma spies_Says_rev: "spies (evs @ [Says A B X]) = insert X (spies evs)" |
266 lemma spies_Says_rev: "spies (evs @ [Says A B X]) = insert X (spies evs)" |
255 apply (induct_tac "evs") |
267 apply (induct_tac "evs") |
256 apply (induct_tac [2] "a", auto) |
268 apply (induct_tac [2] "a", auto) |
257 done |
269 done |
391 done |
405 done |
392 |
406 |
393 (*Earlier, all protocol proofs declared this theorem. |
407 (*Earlier, all protocol proofs declared this theorem. |
394 But few of them actually need it! (Another is Yahalom) *) |
408 But few of them actually need it! (Another is Yahalom) *) |
395 lemma new_keys_not_analzd: |
409 lemma new_keys_not_analzd: |
396 "[|evs \<in> kerberos; K \<in> symKeys; Key K \<notin> used evs|] |
410 "\<lbrakk>evs \<in> kerbIV; K \<in> symKeys; Key K \<notin> used evs\<rbrakk> |
397 ==> K \<notin> keysFor (analz (spies evs))" |
411 \<Longrightarrow> K \<notin> keysFor (analz (spies evs))" |
398 by (blast dest: new_keys_not_used intro: keysFor_mono [THEN subsetD]) |
412 by (blast dest: new_keys_not_used intro: keysFor_mono [THEN subsetD]) |
|
413 |
|
414 |
|
415 |
|
416 subsection{*Lemmas for reasoning about predicate "before"*} |
|
417 |
|
418 lemma used_Says_rev: "used (evs @ [Says A B X]) = parts {X} \<union> (used evs)"; |
|
419 apply (induct_tac "evs") |
|
420 apply simp |
|
421 apply (induct_tac "a") |
|
422 apply auto |
|
423 done |
|
424 |
|
425 lemma used_Notes_rev: "used (evs @ [Notes A X]) = parts {X} \<union> (used evs)"; |
|
426 apply (induct_tac "evs") |
|
427 apply simp |
|
428 apply (induct_tac "a") |
|
429 apply auto |
|
430 done |
|
431 |
|
432 lemma used_Gets_rev: "used (evs @ [Gets B X]) = used evs"; |
|
433 apply (induct_tac "evs") |
|
434 apply simp |
|
435 apply (induct_tac "a") |
|
436 apply auto |
|
437 done |
|
438 |
|
439 lemma used_evs_rev: "used evs = used (rev evs)" |
|
440 apply (induct_tac "evs") |
|
441 apply simp |
|
442 apply (induct_tac "a") |
|
443 apply (simp add: used_Says_rev) |
|
444 apply (simp add: used_Gets_rev) |
|
445 apply (simp add: used_Notes_rev) |
|
446 done |
|
447 |
|
448 lemma used_takeWhile_used [rule_format]: |
|
449 "x : used (takeWhile P X) --> x : used X" |
|
450 apply (induct_tac "X") |
|
451 apply simp |
|
452 apply (induct_tac "a") |
|
453 apply (simp_all add: used_Nil) |
|
454 apply (blast dest!: initState_into_used)+ |
|
455 done |
|
456 |
|
457 lemma set_evs_rev: "set evs = set (rev evs)" |
|
458 apply auto |
|
459 done |
|
460 |
|
461 lemma takeWhile_void [rule_format]: |
|
462 "x \<notin> set evs \<longrightarrow> takeWhile (\<lambda>z. z \<noteq> x) evs = evs" |
|
463 apply auto |
|
464 done |
399 |
465 |
400 |
466 |
401 subsection{*Regularity Lemmas*} |
467 subsection{*Regularity Lemmas*} |
402 text{*These concern the form of items passed in messages*} |
468 text{*These concern the form of items passed in messages*} |
403 |
469 |
404 text{*Describes the form of AuthKey, AuthTicket, and K sent by Kas*} |
470 text{*Describes the form of all components sent by Kas*} |
405 lemma Says_Kas_message_form: |
471 lemma Says_Kas_message_form: |
406 "[| Says Kas A (Crypt K {|Key AuthKey, Agent Peer, Tk, AuthTicket|}) |
472 "\<lbrakk> Says Kas A (Crypt K \<lbrace>Key authK, Agent Peer, Number Ta, authTicket\<rbrace>) |
407 \<in> set evs; |
473 \<in> set evs; |
408 evs \<in> kerberos |] |
474 evs \<in> kerbIV \<rbrakk> \<Longrightarrow> |
409 ==> AuthKey \<notin> range shrK & AuthKey \<in> AuthKeys evs & AuthKey \<in> symKeys & |
475 K = shrK A & Peer = Tgs & |
410 AuthTicket = (Crypt (shrK Tgs) {|Agent A, Agent Tgs, Key AuthKey, Tk|}) & |
476 authK \<notin> range shrK & authK \<in> authKeys evs & authK \<in> symKeys & |
411 K = shrK A & Peer = Tgs" |
477 authTicket = (Crypt (shrK Tgs) \<lbrace>Agent A, Agent Tgs, Key authK, Number Ta\<rbrace>) & |
412 apply (erule rev_mp) |
478 Key authK \<notin> used(before |
413 apply (erule kerberos.induct) |
479 Says Kas A (Crypt K \<lbrace>Key authK, Agent Peer, Number Ta, authTicket\<rbrace>) |
414 apply (simp_all (no_asm) add: AuthKeys_def AuthKeys_insert) |
480 on evs) & |
415 apply (blast+) |
481 Ta = CT (before |
416 done |
482 Says Kas A (Crypt K \<lbrace>Key authK, Agent Peer, Number Ta, authTicket\<rbrace>) |
|
483 on evs)" |
|
484 apply (unfold before_def) |
|
485 apply (erule rev_mp) |
|
486 apply (erule kerbIV.induct) |
|
487 apply (simp_all (no_asm) add: authKeys_def authKeys_insert, blast, blast) |
|
488 txt{*K2*} |
|
489 apply (simp (no_asm) add: takeWhile_tail) |
|
490 apply (rule conjI) |
|
491 apply clarify |
|
492 apply (rule conjI) |
|
493 apply clarify |
|
494 apply (rule conjI) |
|
495 apply blast |
|
496 apply (rule conjI) |
|
497 apply clarify |
|
498 apply (rule conjI) |
|
499 txt{*subcase: used before*} |
|
500 apply (blast dest: used_evs_rev [THEN equalityD2, THEN contra_subsetD] |
|
501 used_takeWhile_used) |
|
502 txt{*subcase: CT before*} |
|
503 apply (fastsimp dest!: set_evs_rev [THEN equalityD2, THEN contra_subsetD, THEN takeWhile_void]) |
|
504 apply blast |
|
505 txt{*rest*} |
|
506 apply blast+ |
|
507 done |
|
508 |
|
509 |
417 |
510 |
418 (*This lemma is essential for proving Says_Tgs_message_form: |
511 (*This lemma is essential for proving Says_Tgs_message_form: |
419 |
512 |
420 the session key AuthKey |
513 the session key authK |
421 supplied by Kas in the authentication ticket |
514 supplied by Kas in the authentication ticket |
422 cannot be a long-term key! |
515 cannot be a long-term key! |
423 |
516 |
424 Generalised to any session keys (both AuthKey and ServKey). |
517 Generalised to any session keys (both authK and servK). |
425 *) |
518 *) |
426 lemma SesKey_is_session_key: |
519 lemma SesKey_is_session_key: |
427 "[| Crypt (shrK Tgs_B) {|Agent A, Agent Tgs_B, Key SesKey, Number T|} |
520 "\<lbrakk> Crypt (shrK Tgs_B) \<lbrace>Agent A, Agent Tgs_B, Key SesKey, Number T\<rbrace> |
428 \<in> parts (spies evs); Tgs_B \<notin> bad; |
521 \<in> parts (spies evs); Tgs_B \<notin> bad; |
429 evs \<in> kerberos |] |
522 evs \<in> kerbIV \<rbrakk> |
430 ==> SesKey \<notin> range shrK" |
523 \<Longrightarrow> SesKey \<notin> range shrK" |
431 apply (erule rev_mp) |
524 apply (erule rev_mp) |
432 apply (erule kerberos.induct) |
525 apply (erule kerbIV.induct) |
433 apply (frule_tac [7] K5_msg_in_parts_spies) |
526 apply (frule_tac [7] K5_msg_in_parts_spies) |
434 apply (frule_tac [5] K3_msg_in_parts_spies, simp_all, blast) |
527 apply (frule_tac [5] K3_msg_in_parts_spies, simp_all, blast) |
435 done |
528 done |
436 |
529 |
437 lemma A_trusts_AuthTicket: |
530 lemma authTicket_authentic: |
438 "[| Crypt (shrK Tgs) {|Agent A, Agent Tgs, Key AuthKey, Tk|} |
531 "\<lbrakk> Crypt (shrK Tgs) \<lbrace>Agent A, Agent Tgs, Key authK, Number Ta\<rbrace> |
439 \<in> parts (spies evs); |
532 \<in> parts (spies evs); |
440 evs \<in> kerberos |] |
533 evs \<in> kerbIV \<rbrakk> |
441 ==> Says Kas A (Crypt (shrK A) {|Key AuthKey, Agent Tgs, Tk, |
534 \<Longrightarrow> Says Kas A (Crypt (shrK A) \<lbrace>Key authK, Agent Tgs, Number Ta, |
442 Crypt (shrK Tgs) {|Agent A, Agent Tgs, Key AuthKey, Tk|}|}) |
535 Crypt (shrK Tgs) \<lbrace>Agent A, Agent Tgs, Key authK, Number Ta\<rbrace>\<rbrace>) |
443 \<in> set evs" |
536 \<in> set evs" |
444 apply (erule rev_mp) |
537 apply (erule rev_mp) |
445 apply (erule kerberos.induct) |
538 apply (erule kerbIV.induct) |
446 apply (frule_tac [7] K5_msg_in_parts_spies) |
539 apply (frule_tac [7] K5_msg_in_parts_spies) |
447 apply (frule_tac [5] K3_msg_in_parts_spies, simp_all) |
540 apply (frule_tac [5] K3_msg_in_parts_spies, simp_all) |
448 txt{*Fake, K4*} |
541 txt{*Fake, K4*} |
449 apply (blast+) |
542 apply (blast+) |
450 done |
543 done |
451 |
544 |
452 lemma AuthTicket_crypt_AuthKey: |
545 lemma authTicket_crypt_authK: |
453 "[| Crypt (shrK Tgs) {|Agent A, Agent Tgs, Key AuthKey, Number Tk|} |
546 "\<lbrakk> Crypt (shrK Tgs) \<lbrace>Agent A, Agent Tgs, Key authK, Number Ta\<rbrace> |
454 \<in> parts (spies evs); |
547 \<in> parts (spies evs); |
455 evs \<in> kerberos |] |
548 evs \<in> kerbIV \<rbrakk> |
456 ==> AuthKey \<in> AuthKeys evs" |
549 \<Longrightarrow> authK \<in> authKeys evs" |
457 apply (frule A_trusts_AuthTicket, assumption) |
550 apply (frule authTicket_authentic, assumption) |
458 apply (simp (no_asm) add: AuthKeys_def) |
551 apply (simp (no_asm) add: authKeys_def) |
459 apply blast |
552 apply blast |
460 done |
553 done |
461 |
554 |
462 text{*Describes the form of ServKey, ServTicket and AuthKey sent by Tgs*} |
555 text{*Describes the form of servK, servTicket and authK sent by Tgs*} |
463 lemma Says_Tgs_message_form: |
556 lemma Says_Tgs_message_form: |
464 "[| Says Tgs A (Crypt AuthKey {|Key ServKey, Agent B, Tt, ServTicket|}) |
557 "\<lbrakk> Says Tgs A (Crypt authK \<lbrace>Key servK, Agent B, Number Ts, servTicket\<rbrace>) |
465 \<in> set evs; |
558 \<in> set evs; |
466 evs \<in> kerberos |] |
559 evs \<in> kerbIV \<rbrakk> |
467 ==> B \<noteq> Tgs & |
560 \<Longrightarrow> B \<noteq> Tgs & |
468 ServKey \<notin> range shrK & ServKey \<notin> AuthKeys evs & ServKey \<in> symKeys & |
561 authK \<notin> range shrK & authK \<in> authKeys evs & authK \<in> symKeys & |
469 ServTicket = (Crypt (shrK B) {|Agent A, Agent B, Key ServKey, Tt|}) & |
562 servK \<notin> range shrK & servK \<notin> authKeys evs & servK \<in> symKeys & |
470 AuthKey \<notin> range shrK & AuthKey \<in> AuthKeys evs & AuthKey \<in> symKeys" |
563 servTicket = (Crypt (shrK B) \<lbrace>Agent A, Agent B, Key servK, Number Ts\<rbrace>) & |
471 apply (erule rev_mp) |
564 Key servK \<notin> used (before |
472 apply (erule kerberos.induct) |
565 Says Tgs A (Crypt authK \<lbrace>Key servK, Agent B, Number Ts, servTicket\<rbrace>) |
473 apply (simp_all add: AuthKeys_insert AuthKeys_not_insert AuthKeys_empty AuthKeys_simp, blast, auto) |
566 on evs) & |
474 txt{*Three subcases of Message 4*} |
567 Ts = CT(before |
475 apply (blast dest!: AuthKeys_used Says_Kas_message_form) |
568 Says Tgs A (Crypt authK \<lbrace>Key servK, Agent B, Number Ts, servTicket\<rbrace>) |
|
569 on evs) " |
|
570 apply (unfold before_def) |
|
571 apply (erule rev_mp) |
|
572 apply (erule kerbIV.induct) |
|
573 apply (simp_all add: authKeys_insert authKeys_not_insert authKeys_empty authKeys_simp, blast) |
|
574 txt{*We need this simplification only for Message 4*} |
|
575 apply (simp (no_asm) add: takeWhile_tail) |
|
576 apply auto |
|
577 txt{*Five subcases of Message 4*} |
476 apply (blast dest!: SesKey_is_session_key) |
578 apply (blast dest!: SesKey_is_session_key) |
477 apply (blast dest: AuthTicket_crypt_AuthKey) |
579 apply (blast dest: authTicket_crypt_authK) |
478 done |
580 apply (blast dest!: authKeys_used Says_Kas_message_form) |
479 |
581 txt{*subcase: used before*} |
480 text{*Authenticity of AuthKey for A: |
582 apply (blast dest: used_evs_rev [THEN equalityD2, THEN contra_subsetD] |
481 If a certain encrypted message appears then it originated with Kas*} |
583 used_takeWhile_used) |
482 lemma A_trusts_AuthKey: |
584 txt{*subcase: CT before*} |
483 "[| Crypt (shrK A) {|Key AuthKey, Peer, Tk, AuthTicket|} |
585 apply (fastsimp dest!: set_evs_rev [THEN equalityD2, THEN contra_subsetD, THEN takeWhile_void]) |
484 \<in> parts (spies evs); |
586 done |
485 A \<notin> bad; evs \<in> kerberos |] |
587 |
486 ==> Says Kas A (Crypt (shrK A) {|Key AuthKey, Peer, Tk, AuthTicket|}) |
588 lemma authTicket_form: |
|
589 "\<lbrakk> Crypt (shrK A) \<lbrace>Key authK, Agent Tgs, Ta, authTicket\<rbrace> |
|
590 \<in> parts (spies evs); |
|
591 A \<notin> bad; |
|
592 evs \<in> kerbIV \<rbrakk> |
|
593 \<Longrightarrow> authK \<notin> range shrK & authK \<in> symKeys & |
|
594 authTicket = Crypt (shrK Tgs) \<lbrace>Agent A, Agent Tgs, Key authK, Ta\<rbrace>" |
|
595 apply (erule rev_mp) |
|
596 apply (erule kerbIV.induct) |
|
597 apply (frule_tac [7] K5_msg_in_parts_spies) |
|
598 apply (frule_tac [5] K3_msg_in_parts_spies, simp_all) |
|
599 apply (blast+) |
|
600 done |
|
601 |
|
602 text{* This form holds also over an authTicket, but is not needed below.*} |
|
603 lemma servTicket_form: |
|
604 "\<lbrakk> Crypt authK \<lbrace>Key servK, Agent B, Ts, servTicket\<rbrace> |
|
605 \<in> parts (spies evs); |
|
606 Key authK \<notin> analz (spies evs); |
|
607 evs \<in> kerbIV \<rbrakk> |
|
608 \<Longrightarrow> servK \<notin> range shrK & servK \<in> symKeys & |
|
609 (\<exists>A. servTicket = Crypt (shrK B) \<lbrace>Agent A, Agent B, Key servK, Ts\<rbrace>)" |
|
610 apply (erule rev_mp) |
|
611 apply (erule rev_mp) |
|
612 apply (erule kerbIV.induct, analz_mono_contra) |
|
613 apply (frule_tac [7] K5_msg_in_parts_spies) |
|
614 apply (frule_tac [5] K3_msg_in_parts_spies, simp_all, blast) |
|
615 done |
|
616 |
|
617 text{* Essentially the same as @{text authTicket_form} *} |
|
618 lemma Says_kas_message_form: |
|
619 "\<lbrakk> Says Kas' A (Crypt (shrK A) |
|
620 \<lbrace>Key authK, Agent Tgs, Ta, authTicket\<rbrace>) \<in> set evs; |
|
621 evs \<in> kerbIV \<rbrakk> |
|
622 \<Longrightarrow> authK \<notin> range shrK & authK \<in> symKeys & |
|
623 authTicket = |
|
624 Crypt (shrK Tgs) \<lbrace>Agent A, Agent Tgs, Key authK, Ta\<rbrace> |
|
625 | authTicket \<in> analz (spies evs)" |
|
626 by (blast dest: analz_shrK_Decrypt authTicket_form |
|
627 Says_imp_spies [THEN analz.Inj]) |
|
628 |
|
629 lemma Says_tgs_message_form: |
|
630 "\<lbrakk> Says Tgs' A (Crypt authK \<lbrace>Key servK, Agent B, Ts, servTicket\<rbrace>) |
|
631 \<in> set evs; authK \<in> symKeys; |
|
632 evs \<in> kerbIV \<rbrakk> |
|
633 \<Longrightarrow> servK \<notin> range shrK & |
|
634 (\<exists>A. servTicket = |
|
635 Crypt (shrK B) \<lbrace>Agent A, Agent B, Key servK, Ts\<rbrace>) |
|
636 | servTicket \<in> analz (spies evs)" |
|
637 apply (frule Says_imp_spies [THEN analz.Inj], auto) |
|
638 apply (force dest!: servTicket_form) |
|
639 apply (frule analz_into_parts) |
|
640 apply (frule servTicket_form, auto) |
|
641 done |
|
642 |
|
643 |
|
644 subsection{*Authenticity theorems: confirm origin of sensitive messages*} |
|
645 |
|
646 lemma authK_authentic: |
|
647 "\<lbrakk> Crypt (shrK A) \<lbrace>Key authK, Peer, Ta, authTicket\<rbrace> |
|
648 \<in> parts (spies evs); |
|
649 A \<notin> bad; evs \<in> kerbIV \<rbrakk> |
|
650 \<Longrightarrow> Says Kas A (Crypt (shrK A) \<lbrace>Key authK, Peer, Ta, authTicket\<rbrace>) |
487 \<in> set evs" |
651 \<in> set evs" |
488 apply (erule rev_mp) |
652 apply (erule rev_mp) |
489 apply (erule kerberos.induct) |
653 apply (erule kerbIV.induct) |
490 apply (frule_tac [7] K5_msg_in_parts_spies) |
654 apply (frule_tac [7] K5_msg_in_parts_spies) |
491 apply (frule_tac [5] K3_msg_in_parts_spies, simp_all) |
655 apply (frule_tac [5] K3_msg_in_parts_spies, simp_all) |
492 txt{*Fake*} |
656 txt{*Fake*} |
493 apply blast |
657 apply blast |
494 txt{*K4*} |
658 txt{*K4*} |
495 apply (blast dest!: A_trusts_AuthTicket [THEN Says_Kas_message_form]) |
659 apply (blast dest!: authTicket_authentic [THEN Says_Kas_message_form]) |
496 done |
660 done |
497 |
|
498 |
661 |
499 text{*If a certain encrypted message appears then it originated with Tgs*} |
662 text{*If a certain encrypted message appears then it originated with Tgs*} |
500 lemma A_trusts_K4: |
663 lemma servK_authentic: |
501 "[| Crypt AuthKey {|Key ServKey, Agent B, Tt, ServTicket|} |
664 "\<lbrakk> Crypt authK \<lbrace>Key servK, Agent B, Number Ts, servTicket\<rbrace> |
502 \<in> parts (spies evs); |
665 \<in> parts (spies evs); |
503 Key AuthKey \<notin> analz (spies evs); |
666 Key authK \<notin> analz (spies evs); |
504 AuthKey \<notin> range shrK; |
667 authK \<notin> range shrK; |
505 evs \<in> kerberos |] |
668 evs \<in> kerbIV \<rbrakk> |
506 ==> \<exists>A. Says Tgs A (Crypt AuthKey {|Key ServKey, Agent B, Tt, ServTicket|}) |
669 \<Longrightarrow> \<exists>A. Says Tgs A (Crypt authK \<lbrace>Key servK, Agent B, Number Ts, servTicket\<rbrace>) |
507 \<in> set evs" |
670 \<in> set evs" |
508 apply (erule rev_mp) |
671 apply (erule rev_mp) |
509 apply (erule rev_mp) |
672 apply (erule rev_mp) |
510 apply (erule kerberos.induct, analz_mono_contra) |
673 apply (erule kerbIV.induct, analz_mono_contra) |
511 apply (frule_tac [7] K5_msg_in_parts_spies) |
674 apply (frule_tac [7] K5_msg_in_parts_spies) |
512 apply (frule_tac [5] K3_msg_in_parts_spies, simp_all) |
675 apply (frule_tac [5] K3_msg_in_parts_spies, simp_all) |
513 txt{*Fake*} |
676 txt{*Fake*} |
514 apply blast |
677 apply blast |
515 txt{*K2*} |
678 txt{*K2*} |
516 apply blast |
679 apply blast |
517 txt{*K4*} |
680 txt{*K4*} |
518 apply auto |
681 apply auto |
519 done |
682 done |
520 |
683 |
521 lemma AuthTicket_form: |
684 lemma servK_authentic_bis: |
522 "[| Crypt (shrK A) {|Key AuthKey, Agent Tgs, Tk, AuthTicket|} |
685 "\<lbrakk> Crypt authK \<lbrace>Key servK, Agent B, Number Ts, servTicket\<rbrace> |
523 \<in> parts (spies evs); |
686 \<in> parts (spies evs); |
524 A \<notin> bad; |
687 Key authK \<notin> analz (spies evs); |
525 evs \<in> kerberos |] |
688 B \<noteq> Tgs; |
526 ==> AuthKey \<notin> range shrK & AuthKey \<in> symKeys & |
689 evs \<in> kerbIV \<rbrakk> |
527 AuthTicket = Crypt (shrK Tgs) {|Agent A, Agent Tgs, Key AuthKey, Tk|}" |
690 \<Longrightarrow> \<exists>A. Says Tgs A (Crypt authK \<lbrace>Key servK, Agent B, Number Ts, servTicket\<rbrace>) |
528 apply (erule rev_mp) |
691 \<in> set evs" |
529 apply (erule kerberos.induct) |
692 apply (erule rev_mp) |
|
693 apply (erule rev_mp) |
|
694 apply (erule kerbIV.induct, analz_mono_contra) |
530 apply (frule_tac [7] K5_msg_in_parts_spies) |
695 apply (frule_tac [7] K5_msg_in_parts_spies) |
531 apply (frule_tac [5] K3_msg_in_parts_spies, simp_all) |
696 apply (frule_tac [5] K3_msg_in_parts_spies, simp_all) |
532 apply (blast+) |
697 txt{*Fake*} |
533 done |
698 apply blast |
534 |
699 txt{*K4*} |
535 text{* This form holds also over an AuthTicket, but is not needed below.*} |
700 apply blast |
536 lemma ServTicket_form: |
701 done |
537 "[| Crypt AuthKey {|Key ServKey, Agent B, Tt, ServTicket|} |
702 |
538 \<in> parts (spies evs); |
703 text{*Authenticity of servK for B*} |
539 Key AuthKey \<notin> analz (spies evs); |
704 lemma servTicket_authentic_Tgs: |
540 evs \<in> kerberos |] |
705 "\<lbrakk> Crypt (shrK B) \<lbrace>Agent A, Agent B, Key servK, Number Ts\<rbrace> |
541 ==> ServKey \<notin> range shrK & ServKey \<in> symKeys & |
706 \<in> parts (spies evs); B \<noteq> Tgs; B \<notin> bad; |
542 (\<exists>A. ServTicket = Crypt (shrK B) {|Agent A, Agent B, Key ServKey, Tt|})" |
707 evs \<in> kerbIV \<rbrakk> |
543 apply (erule rev_mp) |
708 \<Longrightarrow> \<exists>authK. |
544 apply (erule rev_mp) |
709 Says Tgs A (Crypt authK \<lbrace>Key servK, Agent B, Number Ts, |
545 apply (erule kerberos.induct, analz_mono_contra) |
710 Crypt (shrK B) \<lbrace>Agent A, Agent B, Key servK, Number Ts\<rbrace>\<rbrace>) |
546 apply (frule_tac [7] K5_msg_in_parts_spies) |
711 \<in> set evs" |
547 apply (frule_tac [5] K3_msg_in_parts_spies, simp_all, blast) |
712 apply (erule rev_mp) |
548 done |
713 apply (erule rev_mp) |
549 |
714 apply (erule kerbIV.induct) |
550 text{* Essentially the same as @{text AuthTicket_form} *} |
715 apply (frule_tac [7] K5_msg_in_parts_spies) |
551 lemma Says_kas_message_form: |
716 apply (frule_tac [5] K3_msg_in_parts_spies, simp_all) |
552 "[| Says Kas' A (Crypt (shrK A) |
717 apply blast+ |
553 {|Key AuthKey, Agent Tgs, Tk, AuthTicket|}) \<in> set evs; |
718 done |
554 evs \<in> kerberos |] |
719 |
555 ==> AuthKey \<notin> range shrK & AuthKey \<in> symKeys & |
720 text{*Anticipated here from next subsection*} |
556 AuthTicket = |
721 lemma K4_imp_K2: |
557 Crypt (shrK Tgs) {|Agent A, Agent Tgs, Key AuthKey, Tk|} |
722 "\<lbrakk> Says Tgs A (Crypt authK \<lbrace>Key servK, Agent B, Number Ts, servTicket\<rbrace>) |
558 | AuthTicket \<in> analz (spies evs)" |
723 \<in> set evs; evs \<in> kerbIV\<rbrakk> |
559 by (blast dest: analz_shrK_Decrypt AuthTicket_form |
724 \<Longrightarrow> \<exists>Ta. Says Kas A |
560 Says_imp_spies [THEN analz.Inj]) |
725 (Crypt (shrK A) |
561 |
726 \<lbrace>Key authK, Agent Tgs, Number Ta, |
562 |
727 Crypt (shrK Tgs) \<lbrace>Agent A, Agent Tgs, Key authK, Number Ta\<rbrace>\<rbrace>) |
563 lemma Says_tgs_message_form: |
728 \<in> set evs" |
564 "[| Says Tgs' A (Crypt AuthKey {|Key ServKey, Agent B, Tt, ServTicket|}) |
729 apply (erule rev_mp) |
565 \<in> set evs; AuthKey \<in> symKeys; |
730 apply (erule kerbIV.induct) |
566 evs \<in> kerberos |] |
731 apply (frule_tac [7] K5_msg_in_parts_spies) |
567 ==> ServKey \<notin> range shrK & |
732 apply (frule_tac [5] K3_msg_in_parts_spies, simp_all, auto) |
568 (\<exists>A. ServTicket = |
733 apply (blast dest!: Says_imp_spies [THEN parts.Inj, THEN parts.Fst, THEN authTicket_authentic]) |
569 Crypt (shrK B) {|Agent A, Agent B, Key ServKey, Tt|}) |
734 done |
570 | ServTicket \<in> analz (spies evs)" |
735 |
571 apply (frule Says_imp_spies [THEN analz.Inj], auto) |
736 text{*Anticipated here from next subsection*} |
572 apply (force dest!: ServTicket_form) |
737 lemma u_K4_imp_K2: |
573 apply (frule analz_into_parts) |
738 "\<lbrakk> Says Tgs A (Crypt authK \<lbrace>Key servK, Agent B, Number Ts, servTicket\<rbrace>) |
574 apply (frule ServTicket_form, auto) |
739 \<in> set evs; evs \<in> kerbIV\<rbrakk> |
575 done |
740 \<Longrightarrow> \<exists>Ta. (Says Kas A (Crypt (shrK A) \<lbrace>Key authK, Agent Tgs, Number Ta, |
576 |
741 Crypt (shrK Tgs) \<lbrace>Agent A, Agent Tgs, Key authK, Number Ta\<rbrace>\<rbrace>) |
577 subsection{*Unicity Theorems*} |
742 \<in> set evs |
578 |
743 & servKlife + Ts <= authKlife + Ta)" |
579 text{* The session key, if secure, uniquely identifies the Ticket |
744 apply (erule rev_mp) |
580 whether AuthTicket or ServTicket. As a matter of fact, one can read |
745 apply (erule kerbIV.induct) |
581 also Tgs in the place of B. *} |
746 apply (frule_tac [7] K5_msg_in_parts_spies) |
582 |
747 apply (frule_tac [5] K3_msg_in_parts_spies, simp_all, auto) |
583 lemma unique_CryptKey: |
748 apply (blast dest!: Says_imp_spies [THEN parts.Inj, THEN parts.Fst, THEN authTicket_authentic]) |
584 "[| Crypt (shrK B) {|Agent A, Agent B, Key SesKey, T|} |
749 done |
585 \<in> parts (spies evs); |
750 |
586 Crypt (shrK B') {|Agent A', Agent B', Key SesKey, T'|} |
751 lemma servTicket_authentic_Kas: |
|
752 "\<lbrakk> Crypt (shrK B) \<lbrace>Agent A, Agent B, Key servK, Number Ts\<rbrace> |
|
753 \<in> parts (spies evs); B \<noteq> Tgs; B \<notin> bad; |
|
754 evs \<in> kerbIV \<rbrakk> |
|
755 \<Longrightarrow> \<exists>authK Ta. |
|
756 Says Kas A |
|
757 (Crypt (shrK A) \<lbrace>Key authK, Agent Tgs, Number Ta, |
|
758 Crypt (shrK Tgs) \<lbrace>Agent A, Agent Tgs, Key authK, Number Ta\<rbrace>\<rbrace>) |
|
759 \<in> set evs" |
|
760 apply (blast dest!: servTicket_authentic_Tgs K4_imp_K2) |
|
761 done |
|
762 |
|
763 lemma u_servTicket_authentic_Kas: |
|
764 "\<lbrakk> Crypt (shrK B) \<lbrace>Agent A, Agent B, Key servK, Number Ts\<rbrace> |
|
765 \<in> parts (spies evs); B \<noteq> Tgs; B \<notin> bad; |
|
766 evs \<in> kerbIV \<rbrakk> |
|
767 \<Longrightarrow> \<exists>authK Ta. Says Kas A (Crypt(shrK A) \<lbrace>Key authK, Agent Tgs, Number Ta, |
|
768 Crypt (shrK Tgs) \<lbrace>Agent A, Agent Tgs, Key authK, Number Ta\<rbrace>\<rbrace>) |
|
769 \<in> set evs |
|
770 & servKlife + Ts <= authKlife + Ta" |
|
771 apply (blast dest!: servTicket_authentic_Tgs u_K4_imp_K2) |
|
772 done |
|
773 |
|
774 lemma servTicket_authentic: |
|
775 "\<lbrakk> Crypt (shrK B) \<lbrace>Agent A, Agent B, Key servK, Number Ts\<rbrace> |
|
776 \<in> parts (spies evs); B \<noteq> Tgs; B \<notin> bad; |
|
777 evs \<in> kerbIV \<rbrakk> |
|
778 \<Longrightarrow> \<exists>Ta authK. |
|
779 Says Kas A (Crypt (shrK A) \<lbrace>Key authK, Agent Tgs, Number Ta, |
|
780 Crypt (shrK Tgs) \<lbrace>Agent A, Agent Tgs, Key authK, Number Ta\<rbrace>\<rbrace>) |
|
781 \<in> set evs |
|
782 & Says Tgs A (Crypt authK \<lbrace>Key servK, Agent B, Number Ts, |
|
783 Crypt (shrK B) \<lbrace>Agent A, Agent B, Key servK, Number Ts\<rbrace>\<rbrace>) |
|
784 \<in> set evs" |
|
785 apply (blast dest: servTicket_authentic_Tgs K4_imp_K2) |
|
786 done |
|
787 |
|
788 lemma u_servTicket_authentic: |
|
789 "\<lbrakk> Crypt (shrK B) \<lbrace>Agent A, Agent B, Key servK, Number Ts\<rbrace> |
|
790 \<in> parts (spies evs); B \<noteq> Tgs; B \<notin> bad; |
|
791 evs \<in> kerbIV \<rbrakk> |
|
792 \<Longrightarrow> \<exists>Ta authK. |
|
793 (Says Kas A (Crypt (shrK A) \<lbrace>Key authK, Agent Tgs, Number Ta, |
|
794 Crypt (shrK Tgs) \<lbrace>Agent A, Agent Tgs, Key authK, Number Ta\<rbrace>\<rbrace>) |
|
795 \<in> set evs |
|
796 & Says Tgs A (Crypt authK \<lbrace>Key servK, Agent B, Number Ts, |
|
797 Crypt (shrK B) \<lbrace>Agent A, Agent B, Key servK, Number Ts\<rbrace>\<rbrace>) |
|
798 \<in> set evs |
|
799 & servKlife + Ts <= authKlife + Ta)" |
|
800 apply (blast dest: servTicket_authentic_Tgs u_K4_imp_K2) |
|
801 done |
|
802 |
|
803 lemma u_NotexpiredSK_NotexpiredAK: |
|
804 "\<lbrakk> \<not> expiredSK Ts evs; servKlife + Ts <= authKlife + Ta \<rbrakk> |
|
805 \<Longrightarrow> \<not> expiredAK Ta evs" |
|
806 apply (blast dest: leI le_trans dest: leD) |
|
807 done |
|
808 |
|
809 |
|
810 subsection{* Reliability: friendly agents send something if something else happened*} |
|
811 |
|
812 lemma K3_imp_K2: |
|
813 "\<lbrakk> Says A Tgs |
|
814 \<lbrace>authTicket, Crypt authK \<lbrace>Agent A, Number T2\<rbrace>, Agent B\<rbrace> |
|
815 \<in> set evs; |
|
816 A \<notin> bad; evs \<in> kerbIV \<rbrakk> |
|
817 \<Longrightarrow> \<exists>Ta. Says Kas A (Crypt (shrK A) |
|
818 \<lbrace>Key authK, Agent Tgs, Number Ta, authTicket\<rbrace>) |
|
819 \<in> set evs" |
|
820 apply (erule rev_mp) |
|
821 apply (erule kerbIV.induct) |
|
822 apply (frule_tac [7] K5_msg_in_parts_spies) |
|
823 apply (frule_tac [5] K3_msg_in_parts_spies, simp_all, blast, blast) |
|
824 apply (blast dest: Says_imp_spies [THEN parts.Inj, THEN authK_authentic]) |
|
825 done |
|
826 |
|
827 text{*Anticipated here from next subsection. An authK is encrypted by one and only one Shared key. A servK is encrypted by one and only one authK.*} |
|
828 lemma Key_unique_SesKey: |
|
829 "\<lbrakk> Crypt K \<lbrace>Key SesKey, Agent B, T, Ticket\<rbrace> |
|
830 \<in> parts (spies evs); |
|
831 Crypt K' \<lbrace>Key SesKey, Agent B', T', Ticket'\<rbrace> |
587 \<in> parts (spies evs); Key SesKey \<notin> analz (spies evs); |
832 \<in> parts (spies evs); Key SesKey \<notin> analz (spies evs); |
588 evs \<in> kerberos |] |
833 evs \<in> kerbIV \<rbrakk> |
589 ==> A=A' & B=B' & T=T'" |
834 \<Longrightarrow> K=K' & B=B' & T=T' & Ticket=Ticket'" |
590 apply (erule rev_mp) |
835 apply (erule rev_mp) |
591 apply (erule rev_mp) |
836 apply (erule rev_mp) |
592 apply (erule rev_mp) |
837 apply (erule rev_mp) |
593 apply (erule kerberos.induct, analz_mono_contra) |
838 apply (erule kerbIV.induct, analz_mono_contra) |
594 apply (frule_tac [7] K5_msg_in_parts_spies) |
839 apply (frule_tac [7] K5_msg_in_parts_spies) |
595 apply (frule_tac [5] K3_msg_in_parts_spies, simp_all) |
840 apply (frule_tac [5] K3_msg_in_parts_spies, simp_all) |
596 txt{*Fake, K2, K4*} |
841 txt{*Fake, K2, K4*} |
597 apply (blast+) |
842 apply (blast+) |
598 done |
843 done |
599 |
844 |
600 text{*An AuthKey is encrypted by one and only one Shared key. |
845 lemma Tgs_authenticates_A: |
601 A ServKey is encrypted by one and only one AuthKey. |
846 "\<lbrakk> Crypt authK \<lbrace>Agent A, Number T2\<rbrace> \<in> parts (spies evs); |
602 *} |
847 Crypt (shrK Tgs) \<lbrace>Agent A, Agent Tgs, Key authK, Number Ta\<rbrace> |
603 lemma Key_unique_SesKey: |
848 \<in> parts (spies evs); |
604 "[| Crypt K {|Key SesKey, Agent B, T, Ticket|} |
849 Key authK \<notin> analz (spies evs); A \<notin> bad; evs \<in> kerbIV \<rbrakk> |
605 \<in> parts (spies evs); |
850 \<Longrightarrow> \<exists> B. Says A Tgs \<lbrace> |
606 Crypt K' {|Key SesKey, Agent B', T', Ticket'|} |
851 Crypt (shrK Tgs) \<lbrace>Agent A, Agent Tgs, Key authK, Number Ta\<rbrace>, |
|
852 Crypt authK \<lbrace>Agent A, Number T2\<rbrace>, Agent B \<rbrace> \<in> set evs" |
|
853 apply (drule authTicket_authentic, assumption, rotate_tac 4) |
|
854 apply (erule rev_mp, erule rev_mp, erule rev_mp) |
|
855 apply (erule kerbIV.induct, analz_mono_contra) |
|
856 apply (frule_tac [5] Says_ticket_parts) |
|
857 apply (frule_tac [7] Says_ticket_parts) |
|
858 apply (simp_all (no_asm_simp) add: all_conj_distrib) |
|
859 txt{*Fake*} |
|
860 apply blast |
|
861 txt{*K2*} |
|
862 apply (force dest!: Crypt_imp_keysFor) |
|
863 txt{*K3*} |
|
864 apply (blast dest: Key_unique_SesKey) |
|
865 txt{*K5*} |
|
866 txt{*If authKa were compromised, so would be authK*} |
|
867 apply (case_tac "Key authKa \<in> analz (spies evs5)") |
|
868 apply (force dest!: Says_imp_spies [THEN analz.Inj, THEN analz.Decrypt, THEN analz.Fst]) |
|
869 txt{*Besides, since authKa originated with Kas anyway...*} |
|
870 apply (clarify, drule K3_imp_K2, assumption, assumption) |
|
871 apply (clarify, drule Says_Kas_message_form, assumption) |
|
872 txt{*...it cannot be a shared key*. Therefore @{text servK_authentic} applies. |
|
873 Contradition: Tgs used authK as a servkey, |
|
874 while Kas used it as an authkey*} |
|
875 apply (blast dest: servK_authentic Says_Tgs_message_form) |
|
876 done |
|
877 |
|
878 lemma Says_K5: |
|
879 "\<lbrakk> Crypt servK \<lbrace>Agent A, Number T3\<rbrace> \<in> parts (spies evs); |
|
880 Says Tgs A (Crypt authK \<lbrace>Key servK, Agent B, Number Ts, |
|
881 servTicket\<rbrace>) \<in> set evs; |
|
882 Key servK \<notin> analz (spies evs); |
|
883 A \<notin> bad; B \<notin> bad; evs \<in> kerbIV \<rbrakk> |
|
884 \<Longrightarrow> Says A B \<lbrace>servTicket, Crypt servK \<lbrace>Agent A, Number T3\<rbrace>\<rbrace> \<in> set evs" |
|
885 apply (erule rev_mp) |
|
886 apply (erule rev_mp) |
|
887 apply (erule rev_mp) |
|
888 apply (erule kerbIV.induct, analz_mono_contra) |
|
889 apply (frule_tac [5] Says_ticket_parts) |
|
890 apply (frule_tac [7] Says_ticket_parts) |
|
891 apply (simp_all (no_asm_simp) add: all_conj_distrib) |
|
892 apply blast |
|
893 txt{*K3*} |
|
894 apply (blast dest: authK_authentic Says_Kas_message_form Says_Tgs_message_form) |
|
895 txt{*K4*} |
|
896 apply (force dest!: Crypt_imp_keysFor) |
|
897 txt{*K5*} |
|
898 apply (blast dest: Key_unique_SesKey) |
|
899 done |
|
900 |
|
901 text{*Anticipated here from next subsection*} |
|
902 lemma unique_CryptKey: |
|
903 "\<lbrakk> Crypt (shrK B) \<lbrace>Agent A, Agent B, Key SesKey, T\<rbrace> |
|
904 \<in> parts (spies evs); |
|
905 Crypt (shrK B') \<lbrace>Agent A', Agent B', Key SesKey, T'\<rbrace> |
607 \<in> parts (spies evs); Key SesKey \<notin> analz (spies evs); |
906 \<in> parts (spies evs); Key SesKey \<notin> analz (spies evs); |
608 evs \<in> kerberos |] |
907 evs \<in> kerbIV \<rbrakk> |
609 ==> K=K' & B=B' & T=T' & Ticket=Ticket'" |
908 \<Longrightarrow> A=A' & B=B' & T=T'" |
610 apply (erule rev_mp) |
909 apply (erule rev_mp) |
611 apply (erule rev_mp) |
910 apply (erule rev_mp) |
612 apply (erule rev_mp) |
911 apply (erule rev_mp) |
613 apply (erule kerberos.induct, analz_mono_contra) |
912 apply (erule kerbIV.induct, analz_mono_contra) |
614 apply (frule_tac [7] K5_msg_in_parts_spies) |
913 apply (frule_tac [7] K5_msg_in_parts_spies) |
615 apply (frule_tac [5] K3_msg_in_parts_spies, simp_all) |
914 apply (frule_tac [5] K3_msg_in_parts_spies, simp_all) |
616 txt{*Fake, K2, K4*} |
915 txt{*Fake, K2, K4*} |
617 apply (blast+) |
916 apply (blast+) |
618 done |
917 done |
619 |
918 |
|
919 lemma Says_K6: |
|
920 "\<lbrakk> Crypt servK (Number T3) \<in> parts (spies evs); |
|
921 Says Tgs A (Crypt authK \<lbrace>Key servK, Agent B, Number Ts, |
|
922 servTicket\<rbrace>) \<in> set evs; |
|
923 Key servK \<notin> analz (spies evs); |
|
924 A \<notin> bad; B \<notin> bad; evs \<in> kerbIV \<rbrakk> |
|
925 \<Longrightarrow> Says B A (Crypt servK (Number T3)) \<in> set evs" |
|
926 apply (erule rev_mp) |
|
927 apply (erule rev_mp) |
|
928 apply (erule rev_mp) |
|
929 apply (erule kerbIV.induct, analz_mono_contra) |
|
930 apply (frule_tac [5] Says_ticket_parts) |
|
931 apply (frule_tac [7] Says_ticket_parts) |
|
932 apply (simp_all (no_asm_simp)) |
|
933 apply blast |
|
934 apply (force dest!: Crypt_imp_keysFor, clarify) |
|
935 apply (frule Says_Tgs_message_form, assumption, clarify) (*PROOF FAILED if omitted*) |
|
936 apply (blast dest: unique_CryptKey) |
|
937 done |
|
938 |
|
939 text{*Needs a unicity theorem, hence moved here*} |
|
940 lemma servK_authentic_ter: |
|
941 "\<lbrakk> Says Kas A |
|
942 (Crypt (shrK A) \<lbrace>Key authK, Agent Tgs, Number Ta, authTicket\<rbrace>) \<in> set evs; |
|
943 Crypt authK \<lbrace>Key servK, Agent B, Number Ts, servTicket\<rbrace> |
|
944 \<in> parts (spies evs); |
|
945 Key authK \<notin> analz (spies evs); |
|
946 evs \<in> kerbIV \<rbrakk> |
|
947 \<Longrightarrow> Says Tgs A (Crypt authK \<lbrace>Key servK, Agent B, Number Ts, servTicket\<rbrace>) |
|
948 \<in> set evs" |
|
949 apply (frule Says_Kas_message_form, assumption) |
|
950 apply (erule rev_mp) |
|
951 apply (erule rev_mp) |
|
952 apply (erule rev_mp) |
|
953 apply (erule kerbIV.induct, analz_mono_contra) |
|
954 apply (frule_tac [7] K5_msg_in_parts_spies) |
|
955 apply (frule_tac [5] K3_msg_in_parts_spies, simp_all, blast) |
|
956 txt{*K2 and K4 remain*} |
|
957 prefer 2 apply (blast dest!: unique_CryptKey) |
|
958 apply (blast dest!: servK_authentic Says_Tgs_message_form authKeys_used) |
|
959 done |
|
960 |
|
961 |
|
962 subsection{*Unicity Theorems*} |
|
963 |
|
964 text{* The session key, if secure, uniquely identifies the Ticket |
|
965 whether authTicket or servTicket. As a matter of fact, one can read |
|
966 also Tgs in the place of B. *} |
|
967 |
620 |
968 |
621 (* |
969 (* |
622 At reception of any message mentioning A, Kas associates shrK A with |
970 At reception of any message mentioning A, Kas associates shrK A with |
623 a new AuthKey. Realistic, as the user gets a new AuthKey at each login. |
971 a new authK. Realistic, as the user gets a new authK at each login. |
624 Similarly, at reception of any message mentioning an AuthKey |
972 Similarly, at reception of any message mentioning an authK |
625 (a legitimate user could make several requests to Tgs - by K3), Tgs |
973 (a legitimate user could make several requests to Tgs - by K3), Tgs |
626 associates it with a new ServKey. |
974 associates it with a new servK. |
627 |
975 |
628 Therefore, a goal like |
976 Therefore, a goal like |
629 |
977 |
630 "evs \<in> kerberos |
978 "evs \<in> kerbIV |
631 ==> Key Kc \<notin> analz (spies evs) --> |
979 \<Longrightarrow> Key Kc \<notin> analz (spies evs) \<longrightarrow> |
632 (\<exists>K' B' T' Ticket'. \<forall>K B T Ticket. |
980 (\<exists>K' B' T' Ticket'. \<forall>K B T Ticket. |
633 Crypt Kc {|Key K, Agent B, T, Ticket|} |
981 Crypt Kc \<lbrace>Key K, Agent B, T, Ticket\<rbrace> |
634 \<in> parts (spies evs) --> K=K' & B=B' & T=T' & Ticket=Ticket')" |
982 \<in> parts (spies evs) \<longrightarrow> K=K' & B=B' & T=T' & Ticket=Ticket')" |
635 |
983 |
636 would fail on the K2 and K4 cases. |
984 would fail on the K2 and K4 cases. |
637 *) |
985 *) |
638 |
986 |
639 lemma unique_AuthKeys: |
987 lemma unique_authKeys: |
640 "[| Says Kas A |
988 "\<lbrakk> Says Kas A |
641 (Crypt Ka {|Key AuthKey, Agent Tgs, Tk, X|}) \<in> set evs; |
989 (Crypt Ka \<lbrace>Key authK, Agent Tgs, Ta, X\<rbrace>) \<in> set evs; |
642 Says Kas A' |
990 Says Kas A' |
643 (Crypt Ka' {|Key AuthKey, Agent Tgs, Tk', X'|}) \<in> set evs; |
991 (Crypt Ka' \<lbrace>Key authK, Agent Tgs, Ta', X'\<rbrace>) \<in> set evs; |
644 evs \<in> kerberos |] ==> A=A' & Ka=Ka' & Tk=Tk' & X=X'" |
992 evs \<in> kerbIV \<rbrakk> \<Longrightarrow> A=A' & Ka=Ka' & Ta=Ta' & X=X'" |
645 apply (erule rev_mp) |
993 apply (erule rev_mp) |
646 apply (erule rev_mp) |
994 apply (erule rev_mp) |
647 apply (erule kerberos.induct) |
995 apply (erule kerbIV.induct) |
648 apply (frule_tac [7] K5_msg_in_parts_spies) |
996 apply (frule_tac [7] K5_msg_in_parts_spies) |
649 apply (frule_tac [5] K3_msg_in_parts_spies, simp_all) |
997 apply (frule_tac [5] K3_msg_in_parts_spies, simp_all) |
650 txt{*K2*} |
998 txt{*K2*} |
651 apply blast |
999 apply blast |
652 done |
1000 done |
653 |
1001 |
654 text{* ServKey uniquely identifies the message from Tgs *} |
1002 text{* servK uniquely identifies the message from Tgs *} |
655 lemma unique_ServKeys: |
1003 lemma unique_servKeys: |
656 "[| Says Tgs A |
1004 "\<lbrakk> Says Tgs A |
657 (Crypt K {|Key ServKey, Agent B, Tt, X|}) \<in> set evs; |
1005 (Crypt K \<lbrace>Key servK, Agent B, Ts, X\<rbrace>) \<in> set evs; |
658 Says Tgs A' |
1006 Says Tgs A' |
659 (Crypt K' {|Key ServKey, Agent B', Tt', X'|}) \<in> set evs; |
1007 (Crypt K' \<lbrace>Key servK, Agent B', Ts', X'\<rbrace>) \<in> set evs; |
660 evs \<in> kerberos |] ==> A=A' & B=B' & K=K' & Tt=Tt' & X=X'" |
1008 evs \<in> kerbIV \<rbrakk> \<Longrightarrow> A=A' & B=B' & K=K' & Ts=Ts' & X=X'" |
661 apply (erule rev_mp) |
1009 apply (erule rev_mp) |
662 apply (erule rev_mp) |
1010 apply (erule rev_mp) |
663 apply (erule kerberos.induct) |
1011 apply (erule kerbIV.induct) |
664 apply (frule_tac [7] K5_msg_in_parts_spies) |
1012 apply (frule_tac [7] K5_msg_in_parts_spies) |
665 apply (frule_tac [5] K3_msg_in_parts_spies, simp_all) |
1013 apply (frule_tac [5] K3_msg_in_parts_spies, simp_all) |
666 txt{*K4*} |
1014 txt{*K4*} |
667 apply blast |
1015 apply blast |
668 done |
1016 done |
669 |
1017 |
670 |
1018 text{* Revised unicity theorems *} |
671 subsection{*Lemmas About the Predicate @{term KeyCryptKey}*} |
1019 |
672 |
1020 lemma Kas_Unique: |
673 lemma not_KeyCryptKey_Nil [iff]: "~ KeyCryptKey AuthKey ServKey []" |
1021 "\<lbrakk> Says Kas A |
674 by (simp add: KeyCryptKey_def) |
1022 (Crypt Ka \<lbrace>Key authK, Agent Tgs, Ta, authTicket\<rbrace>) \<in> set evs; |
675 |
1023 evs \<in> kerbIV \<rbrakk> \<Longrightarrow> |
676 lemma KeyCryptKeyI: |
1024 Unique (Says Kas A (Crypt Ka \<lbrace>Key authK, Agent Tgs, Ta, authTicket\<rbrace>)) |
677 "[| Says Tgs A (Crypt AuthKey {|Key ServKey, Agent B, tt, X |}) \<in> set evs; |
1025 on evs" |
678 evs \<in> kerberos |] ==> KeyCryptKey AuthKey ServKey evs" |
1026 apply (erule rev_mp, erule kerbIV.induct, simp_all add: Unique_def) |
679 apply (unfold KeyCryptKey_def) |
1027 apply blast |
|
1028 done |
|
1029 |
|
1030 lemma Tgs_Unique: |
|
1031 "\<lbrakk> Says Tgs A |
|
1032 (Crypt authK \<lbrace>Key servK, Agent B, Ts, servTicket\<rbrace>) \<in> set evs; |
|
1033 evs \<in> kerbIV \<rbrakk> \<Longrightarrow> |
|
1034 Unique (Says Tgs A (Crypt authK \<lbrace>Key servK, Agent B, Ts, servTicket\<rbrace>)) |
|
1035 on evs" |
|
1036 apply (erule rev_mp, erule kerbIV.induct, simp_all add: Unique_def) |
|
1037 apply blast |
|
1038 done |
|
1039 |
|
1040 |
|
1041 subsection{*Lemmas About the Predicate @{term AKcryptSK}*} |
|
1042 |
|
1043 lemma not_AKcryptSK_Nil [iff]: "\<not> AKcryptSK authK servK []" |
|
1044 by (simp add: AKcryptSK_def) |
|
1045 |
|
1046 lemma AKcryptSKI: |
|
1047 "\<lbrakk> Says Tgs A (Crypt authK \<lbrace>Key servK, Agent B, Number Ts, X \<rbrace>) \<in> set evs; |
|
1048 evs \<in> kerbIV \<rbrakk> \<Longrightarrow> AKcryptSK authK servK evs" |
|
1049 apply (unfold AKcryptSK_def) |
680 apply (blast dest: Says_Tgs_message_form) |
1050 apply (blast dest: Says_Tgs_message_form) |
681 done |
1051 done |
682 |
1052 |
683 lemma KeyCryptKey_Says [simp]: |
1053 lemma AKcryptSK_Says [simp]: |
684 "KeyCryptKey AuthKey ServKey (Says S A X # evs) = |
1054 "AKcryptSK authK servK (Says S A X # evs) = |
685 (Tgs = S & |
1055 (Tgs = S & |
686 (\<exists>B tt. X = Crypt AuthKey |
1056 (\<exists>B Ts. X = Crypt authK |
687 {|Key ServKey, Agent B, tt, |
1057 \<lbrace>Key servK, Agent B, Number Ts, |
688 Crypt (shrK B) {|Agent A, Agent B, Key ServKey, tt|} |}) |
1058 Crypt (shrK B) \<lbrace>Agent A, Agent B, Key servK, Number Ts\<rbrace> \<rbrace>) |
689 | KeyCryptKey AuthKey ServKey evs)" |
1059 | AKcryptSK authK servK evs)" |
690 apply (unfold KeyCryptKey_def) |
1060 apply (unfold AKcryptSK_def) |
691 apply (simp (no_asm)) |
1061 apply (simp (no_asm)) |
692 apply blast |
1062 apply blast |
693 done |
1063 done |
694 |
1064 |
695 (*A fresh AuthKey cannot be associated with any other |
1065 (*A fresh authK cannot be associated with any other |
696 (with respect to a given trace). *) |
1066 (with respect to a given trace). *) |
697 lemma Auth_fresh_not_KeyCryptKey: |
1067 lemma Auth_fresh_not_AKcryptSK: |
698 "[| Key AuthKey \<notin> used evs; evs \<in> kerberos |] |
1068 "\<lbrakk> Key authK \<notin> used evs; evs \<in> kerbIV \<rbrakk> |
699 ==> ~ KeyCryptKey AuthKey ServKey evs" |
1069 \<Longrightarrow> \<not> AKcryptSK authK servK evs" |
700 apply (unfold KeyCryptKey_def) |
1070 apply (unfold AKcryptSK_def) |
701 apply (erule rev_mp) |
1071 apply (erule rev_mp) |
702 apply (erule kerberos.induct) |
1072 apply (erule kerbIV.induct) |
703 apply (frule_tac [7] K5_msg_in_parts_spies) |
1073 apply (frule_tac [7] K5_msg_in_parts_spies) |
704 apply (frule_tac [5] K3_msg_in_parts_spies, simp_all, blast) |
1074 apply (frule_tac [5] K3_msg_in_parts_spies, simp_all, blast) |
705 done |
1075 done |
706 |
1076 |
707 (*A fresh ServKey cannot be associated with any other |
1077 (*A fresh servK cannot be associated with any other |
708 (with respect to a given trace). *) |
1078 (with respect to a given trace). *) |
709 lemma Serv_fresh_not_KeyCryptKey: |
1079 lemma Serv_fresh_not_AKcryptSK: |
710 "Key ServKey \<notin> used evs ==> ~ KeyCryptKey AuthKey ServKey evs" |
1080 "Key servK \<notin> used evs \<Longrightarrow> \<not> AKcryptSK authK servK evs" |
711 apply (unfold KeyCryptKey_def, blast) |
1081 apply (unfold AKcryptSK_def, blast) |
712 done |
1082 done |
713 |
1083 |
714 lemma AuthKey_not_KeyCryptKey: |
1084 lemma authK_not_AKcryptSK: |
715 "[| Crypt (shrK Tgs) {|Agent A, Agent Tgs, Key AuthKey, tk|} |
1085 "\<lbrakk> Crypt (shrK Tgs) \<lbrace>Agent A, Agent Tgs, Key authK, tk\<rbrace> |
716 \<in> parts (spies evs); evs \<in> kerberos |] |
1086 \<in> parts (spies evs); evs \<in> kerbIV \<rbrakk> |
717 ==> ~ KeyCryptKey K AuthKey evs" |
1087 \<Longrightarrow> \<not> AKcryptSK K authK evs" |
718 apply (erule rev_mp) |
1088 apply (erule rev_mp) |
719 apply (erule kerberos.induct) |
1089 apply (erule kerbIV.induct) |
720 apply (frule_tac [7] K5_msg_in_parts_spies) |
1090 apply (frule_tac [7] K5_msg_in_parts_spies) |
721 apply (frule_tac [5] K3_msg_in_parts_spies, simp_all) |
1091 apply (frule_tac [5] K3_msg_in_parts_spies, simp_all) |
722 txt{*Fake*} |
1092 txt{*Fake*} |
723 apply blast |
1093 apply blast |
724 txt{*K2: by freshness*} |
1094 txt{*K2: by freshness*} |
725 apply (simp add: KeyCryptKey_def) |
1095 apply (simp add: AKcryptSK_def) |
726 txt{*K4*} |
1096 txt{*K4*} |
727 apply (blast+) |
1097 apply (blast+) |
728 done |
1098 done |
729 |
1099 |
730 text{*A secure serverkey cannot have been used to encrypt others*} |
1100 text{*A secure serverkey cannot have been used to encrypt others*} |
731 lemma ServKey_not_KeyCryptKey: |
1101 lemma servK_not_AKcryptSK: |
732 "[| Crypt (shrK B) {|Agent A, Agent B, Key SK, tt|} \<in> parts (spies evs); |
1102 "\<lbrakk> Crypt (shrK B) \<lbrace>Agent A, Agent B, Key SK, Number Ts\<rbrace> \<in> parts (spies evs); |
733 Key SK \<notin> analz (spies evs); SK \<in> symKeys; |
1103 Key SK \<notin> analz (spies evs); SK \<in> symKeys; |
734 B \<noteq> Tgs; evs \<in> kerberos |] |
1104 B \<noteq> Tgs; evs \<in> kerbIV \<rbrakk> |
735 ==> ~ KeyCryptKey SK K evs" |
1105 \<Longrightarrow> \<not> AKcryptSK SK K evs" |
736 apply (erule rev_mp) |
1106 apply (erule rev_mp) |
737 apply (erule rev_mp) |
1107 apply (erule rev_mp) |
738 apply (erule kerberos.induct, analz_mono_contra) |
1108 apply (erule kerbIV.induct, analz_mono_contra) |
739 apply (frule_tac [7] K5_msg_in_parts_spies) |
1109 apply (frule_tac [7] K5_msg_in_parts_spies) |
740 apply (frule_tac [5] K3_msg_in_parts_spies, simp_all, blast) |
1110 apply (frule_tac [5] K3_msg_in_parts_spies, simp_all, blast) |
741 txt{*K4 splits into distinct subcases*} |
1111 txt{*K4 splits into distinct subcases*} |
742 apply auto |
1112 apply auto |
743 txt{*ServKey can't have been enclosed in two certificates*} |
1113 txt{*servK can't have been enclosed in two certificates*} |
744 prefer 2 apply (blast dest: unique_CryptKey) |
1114 prefer 2 apply (blast dest: unique_CryptKey) |
745 txt{*ServKey is fresh and so could not have been used, by |
1115 txt{*servK is fresh and so could not have been used, by |
746 @{text new_keys_not_used}*} |
1116 @{text new_keys_not_used}*} |
747 apply (force dest!: Crypt_imp_invKey_keysFor simp add: KeyCryptKey_def) |
1117 apply (force dest!: Crypt_imp_invKey_keysFor simp add: AKcryptSK_def) |
748 done |
1118 done |
749 |
1119 |
750 text{*Long term keys are not issued as ServKeys*} |
1120 text{*Long term keys are not issued as servKeys*} |
751 lemma shrK_not_KeyCryptKey: |
1121 lemma shrK_not_AKcryptSK: |
752 "evs \<in> kerberos ==> ~ KeyCryptKey K (shrK A) evs" |
1122 "evs \<in> kerbIV \<Longrightarrow> \<not> AKcryptSK K (shrK A) evs" |
753 apply (unfold KeyCryptKey_def) |
1123 apply (unfold AKcryptSK_def) |
754 apply (erule kerberos.induct) |
1124 apply (erule kerbIV.induct) |
755 apply (frule_tac [7] K5_msg_in_parts_spies) |
1125 apply (frule_tac [7] K5_msg_in_parts_spies) |
756 apply (frule_tac [5] K3_msg_in_parts_spies, auto) |
1126 apply (frule_tac [5] K3_msg_in_parts_spies, auto) |
757 done |
1127 done |
758 |
1128 |
759 text{*The Tgs message associates ServKey with AuthKey and therefore not with any |
1129 text{*The Tgs message associates servK with authK and therefore not with any |
760 other key AuthKey.*} |
1130 other key authK.*} |
761 lemma Says_Tgs_KeyCryptKey: |
1131 lemma Says_Tgs_AKcryptSK: |
762 "[| Says Tgs A (Crypt AuthKey {|Key ServKey, Agent B, tt, X |}) |
1132 "\<lbrakk> Says Tgs A (Crypt authK \<lbrace>Key servK, Agent B, Number Ts, X \<rbrace>) |
763 \<in> set evs; |
1133 \<in> set evs; |
764 AuthKey' \<noteq> AuthKey; evs \<in> kerberos |] |
1134 authK' \<noteq> authK; evs \<in> kerbIV \<rbrakk> |
765 ==> ~ KeyCryptKey AuthKey' ServKey evs" |
1135 \<Longrightarrow> \<not> AKcryptSK authK' servK evs" |
766 apply (unfold KeyCryptKey_def) |
1136 apply (unfold AKcryptSK_def) |
767 apply (blast dest: unique_ServKeys) |
1137 apply (blast dest: unique_servKeys) |
768 done |
1138 done |
769 |
1139 |
770 lemma KeyCryptKey_not_KeyCryptKey: |
1140 text{*Equivalently*} |
771 "[| KeyCryptKey AuthKey ServKey evs; evs \<in> kerberos |] |
1141 lemma not_different_AKcryptSK: |
772 ==> ~ KeyCryptKey ServKey K evs" |
1142 "\<lbrakk> AKcryptSK authK servK evs; |
773 apply (erule rev_mp) |
1143 authK' \<noteq> authK; evs \<in> kerbIV \<rbrakk> |
774 apply (erule kerberos.induct) |
1144 \<Longrightarrow> \<not> AKcryptSK authK' servK evs \<and> servK \<in> symKeys" |
|
1145 apply (simp add: AKcryptSK_def) |
|
1146 apply (blast dest: unique_servKeys Says_Tgs_message_form) |
|
1147 done |
|
1148 |
|
1149 lemma AKcryptSK_not_AKcryptSK: |
|
1150 "\<lbrakk> AKcryptSK authK servK evs; evs \<in> kerbIV \<rbrakk> |
|
1151 \<Longrightarrow> \<not> AKcryptSK servK K evs" |
|
1152 apply (erule rev_mp) |
|
1153 apply (erule kerbIV.induct) |
775 apply (frule_tac [7] K5_msg_in_parts_spies) |
1154 apply (frule_tac [7] K5_msg_in_parts_spies) |
776 apply (frule_tac [5] K3_msg_in_parts_spies, simp_all, safe) |
1155 apply (frule_tac [5] K3_msg_in_parts_spies, simp_all, safe) |
777 txt{*K4 splits into subcases*} |
1156 txt{*K4 splits into subcases*} |
778 apply simp_all |
1157 apply simp_all |
779 prefer 4 apply (blast dest!: AuthKey_not_KeyCryptKey) |
1158 prefer 4 apply (blast dest!: authK_not_AKcryptSK) |
780 txt{*ServKey is fresh and so could not have been used, by |
1159 txt{*servK is fresh and so could not have been used, by |
781 @{text new_keys_not_used}*} |
1160 @{text new_keys_not_used}*} |
782 prefer 2 |
1161 prefer 2 |
783 apply (force dest!: Crypt_imp_invKey_keysFor simp add: KeyCryptKey_def) |
1162 apply (force dest!: Crypt_imp_invKey_keysFor simp add: AKcryptSK_def) |
784 txt{*Others by freshness*} |
1163 txt{*Others by freshness*} |
785 apply (blast+) |
1164 apply (blast+) |
786 done |
1165 done |
787 |
1166 |
788 text{*The only session keys that can be found with the help of session keys are |
1167 text{*The only session keys that can be found with the help of session keys are |
789 those sent by Tgs in step K4. *} |
1168 those sent by Tgs in step K4. *} |
790 |
1169 |
791 text{*We take some pains to express the property |
1170 text{*We take some pains to express the property |
792 as a logical equivalence so that the simplifier can apply it.*} |
1171 as a logical equivalence so that the simplifier can apply it.*} |
793 lemma Key_analz_image_Key_lemma: |
1172 lemma Key_analz_image_Key_lemma: |
794 "P --> (Key K \<in> analz (Key`KK Un H)) --> (K:KK | Key K \<in> analz H) |
1173 "P \<longrightarrow> (Key K \<in> analz (Key`KK Un H)) \<longrightarrow> (K:KK | Key K \<in> analz H) |
795 ==> |
1174 \<Longrightarrow> |
796 P --> (Key K \<in> analz (Key`KK Un H)) = (K:KK | Key K \<in> analz H)" |
1175 P \<longrightarrow> (Key K \<in> analz (Key`KK Un H)) = (K:KK | Key K \<in> analz H)" |
797 by (blast intro: analz_mono [THEN subsetD]) |
1176 by (blast intro: analz_mono [THEN subsetD]) |
798 |
1177 |
799 |
1178 |
800 lemma KeyCryptKey_analz_insert: |
1179 lemma AKcryptSK_analz_insert: |
801 "[| KeyCryptKey K K' evs; K \<in> symKeys; evs \<in> kerberos |] |
1180 "\<lbrakk> AKcryptSK K K' evs; K \<in> symKeys; evs \<in> kerbIV \<rbrakk> |
802 ==> Key K' \<in> analz (insert (Key K) (spies evs))" |
1181 \<Longrightarrow> Key K' \<in> analz (insert (Key K) (spies evs))" |
803 apply (simp add: KeyCryptKey_def, clarify) |
1182 apply (simp add: AKcryptSK_def, clarify) |
804 apply (drule Says_imp_spies [THEN analz.Inj, THEN analz_insertI], auto) |
1183 apply (drule Says_imp_spies [THEN analz.Inj, THEN analz_insertI], auto) |
805 done |
1184 done |
806 |
1185 |
807 lemma AuthKeys_are_not_KeyCryptKey: |
1186 lemma authKeys_are_not_AKcryptSK: |
808 "[| K \<in> AuthKeys evs Un range shrK; evs \<in> kerberos |] |
1187 "\<lbrakk> K \<in> authKeys evs Un range shrK; evs \<in> kerbIV \<rbrakk> |
809 ==> \<forall>SK. ~ KeyCryptKey SK K evs" |
1188 \<Longrightarrow> \<forall>SK. \<not> AKcryptSK SK K evs \<and> K \<in> symKeys" |
810 apply (simp add: KeyCryptKey_def) |
1189 apply (simp add: authKeys_def AKcryptSK_def) |
|
1190 apply (blast dest: Says_Kas_message_form Says_Tgs_message_form) |
|
1191 done |
|
1192 |
|
1193 lemma not_authKeys_not_AKcryptSK: |
|
1194 "\<lbrakk> K \<notin> authKeys evs; |
|
1195 K \<notin> range shrK; evs \<in> kerbIV \<rbrakk> |
|
1196 \<Longrightarrow> \<forall>SK. \<not> AKcryptSK K SK evs" |
|
1197 apply (simp add: AKcryptSK_def) |
811 apply (blast dest: Says_Tgs_message_form) |
1198 apply (blast dest: Says_Tgs_message_form) |
812 done |
1199 done |
813 |
1200 |
814 lemma not_AuthKeys_not_KeyCryptKey: |
|
815 "[| K \<notin> AuthKeys evs; |
|
816 K \<notin> range shrK; evs \<in> kerberos |] |
|
817 ==> \<forall>SK. ~ KeyCryptKey K SK evs" |
|
818 apply (simp add: KeyCryptKey_def) |
|
819 apply (blast dest: Says_Tgs_message_form) |
|
820 done |
|
821 |
|
822 |
1201 |
823 subsection{*Secrecy Theorems*} |
1202 subsection{*Secrecy Theorems*} |
824 |
1203 |
825 text{*For the Oops2 case of the next theorem*} |
1204 text{*For the Oops2 case of the next theorem*} |
826 lemma Oops2_not_KeyCryptKey: |
1205 lemma Oops2_not_AKcryptSK: |
827 "[| evs \<in> kerberos; |
1206 "\<lbrakk> evs \<in> kerbIV; |
828 Says Tgs A (Crypt AuthKey |
1207 Says Tgs A (Crypt authK |
829 {|Key ServKey, Agent B, Number Tt, ServTicket|}) |
1208 \<lbrace>Key servK, Agent B, Number Ts, servTicket\<rbrace>) |
830 \<in> set evs |] |
1209 \<in> set evs \<rbrakk> |
831 ==> ~ KeyCryptKey ServKey SK evs" |
1210 \<Longrightarrow> \<not> AKcryptSK servK SK evs" |
832 apply (blast dest: KeyCryptKeyI KeyCryptKey_not_KeyCryptKey) |
1211 apply (blast dest: AKcryptSKI AKcryptSK_not_AKcryptSK) |
833 done |
1212 done |
834 |
1213 |
835 |
|
836 text{* Big simplification law for keys SK that are not crypted by keys in KK |
1214 text{* Big simplification law for keys SK that are not crypted by keys in KK |
837 It helps prove three, otherwise hard, facts about keys. These facts are |
1215 It helps prove three, otherwise hard, facts about keys. These facts are |
838 exploited as simplification laws for analz, and also "limit the damage" |
1216 exploited as simplification laws for analz, and also "limit the damage" |
839 in case of loss of a key to the spy. See ESORICS98. |
1217 in case of loss of a key to the spy. See ESORICS98. |
840 [simplified by LCP] *} |
1218 [simplified by LCP] *} |
841 lemma Key_analz_image_Key [rule_format (no_asm)]: |
1219 lemma Key_analz_image_Key [rule_format (no_asm)]: |
842 "evs \<in> kerberos ==> |
1220 "evs \<in> kerbIV \<Longrightarrow> |
843 (\<forall>SK KK. SK \<in> symKeys & KK <= -(range shrK) --> |
1221 (\<forall>SK KK. SK \<in> symKeys & KK <= -(range shrK) \<longrightarrow> |
844 (\<forall>K \<in> KK. ~ KeyCryptKey K SK evs) --> |
1222 (\<forall>K \<in> KK. \<not> AKcryptSK K SK evs) \<longrightarrow> |
845 (Key SK \<in> analz (Key`KK Un (spies evs))) = |
1223 (Key SK \<in> analz (Key`KK Un (spies evs))) = |
846 (SK \<in> KK | Key SK \<in> analz (spies evs)))" |
1224 (SK \<in> KK | Key SK \<in> analz (spies evs)))" |
847 apply (erule kerberos.induct) |
1225 apply (erule kerbIV.induct) |
848 apply (frule_tac [10] Oops_range_spies2) |
1226 apply (frule_tac [10] Oops_range_spies2) |
849 apply (frule_tac [9] Oops_range_spies1) |
1227 apply (frule_tac [9] Oops_range_spies1) |
850 apply (frule_tac [7] Says_tgs_message_form) |
1228 apply (frule_tac [7] Says_tgs_message_form) |
851 apply (frule_tac [5] Says_kas_message_form) |
1229 apply (frule_tac [5] Says_kas_message_form) |
852 apply (safe del: impI intro!: Key_analz_image_Key_lemma [THEN impI]) |
1230 apply (safe del: impI intro!: Key_analz_image_Key_lemma [THEN impI]) |
853 txt{*Case-splits for Oops1 and message 5: the negated case simplifies using |
1231 txt{*Case-splits for Oops1 and message 5: the negated case simplifies using |
854 the induction hypothesis*} |
1232 the induction hypothesis*} |
855 apply (case_tac [11] "KeyCryptKey AuthKey SK evsO1") |
1233 apply (case_tac [11] "AKcryptSK authK SK evsO1") |
856 apply (case_tac [8] "KeyCryptKey ServKey SK evs5") |
1234 apply (case_tac [8] "AKcryptSK servK SK evs5") |
857 apply (simp_all del: image_insert |
1235 apply (simp_all del: image_insert |
858 add: analz_image_freshK_simps KeyCryptKey_Says) |
1236 add: analz_image_freshK_simps AKcryptSK_Says shrK_not_AKcryptSK |
|
1237 Oops2_not_AKcryptSK Auth_fresh_not_AKcryptSK |
|
1238 Serv_fresh_not_AKcryptSK Says_Tgs_AKcryptSK Spy_analz_shrK) |
859 txt{*Fake*} |
1239 txt{*Fake*} |
860 apply spy_analz |
1240 apply spy_analz |
861 apply (simp_all del: image_insert |
|
862 add: shrK_not_KeyCryptKey |
|
863 Oops2_not_KeyCryptKey Auth_fresh_not_KeyCryptKey |
|
864 Serv_fresh_not_KeyCryptKey Says_Tgs_KeyCryptKey Spy_analz_shrK) |
|
865 --{*Splitting the @{text simp_all} into two parts makes it faster.*} |
|
866 txt{*K2*} |
1241 txt{*K2*} |
867 apply blast |
1242 apply blast |
868 txt{*K3*} |
1243 txt{*K3*} |
869 apply blast |
1244 apply blast |
870 txt{*K4*} |
1245 txt{*K4*} |
871 apply (blast dest!: AuthKey_not_KeyCryptKey) |
1246 apply (blast dest!: authK_not_AKcryptSK) |
872 txt{*K5*} |
1247 txt{*K5*} |
873 apply (case_tac "Key ServKey \<in> analz (spies evs5) ") |
1248 apply (case_tac "Key servK \<in> analz (spies evs5) ") |
874 txt{*If ServKey is compromised then the result follows directly...*} |
1249 txt{*If servK is compromised then the result follows directly...*} |
875 apply (simp (no_asm_simp) add: analz_insert_eq Un_upper2 [THEN analz_mono, THEN subsetD]) |
1250 apply (simp (no_asm_simp) add: analz_insert_eq Un_upper2 [THEN analz_mono, THEN subsetD]) |
876 txt{*...therefore ServKey is uncompromised.*} |
1251 txt{*...therefore servK is uncompromised.*} |
877 txt{*The KeyCryptKey ServKey SK evs5 case leads to a contradiction.*} |
1252 txt{*The AKcryptSK servK SK evs5 case leads to a contradiction.*} |
878 apply (blast elim!: ServKey_not_KeyCryptKey [THEN [2] rev_notE] del: allE ballE) |
1253 apply (blast elim!: servK_not_AKcryptSK [THEN [2] rev_notE] del: allE ballE) |
879 txt{*Another K5 case*} |
1254 txt{*Another K5 case*} |
880 apply blast |
1255 apply blast |
881 txt{*Oops1*} |
1256 txt{*Oops1*} |
882 apply simp |
1257 apply simp |
883 apply (blast dest!: KeyCryptKey_analz_insert) |
1258 apply (blast dest!: AKcryptSK_analz_insert) |
884 done |
1259 done |
885 |
1260 |
886 text{* First simplification law for analz: no session keys encrypt |
1261 text{* First simplification law for analz: no session keys encrypt |
887 authentication keys or shared keys. *} |
1262 authentication keys or shared keys. *} |
888 lemma analz_insert_freshK1: |
1263 lemma analz_insert_freshK1: |
889 "[| evs \<in> kerberos; K \<in> (AuthKeys evs) Un range shrK; |
1264 "\<lbrakk> evs \<in> kerbIV; K \<in> authKeys evs Un range shrK; |
890 K \<in> symKeys; |
1265 SesKey \<notin> range shrK \<rbrakk> |
891 SesKey \<notin> range shrK |] |
1266 \<Longrightarrow> (Key K \<in> analz (insert (Key SesKey) (spies evs))) = |
892 ==> (Key K \<in> analz (insert (Key SesKey) (spies evs))) = |
|
893 (K = SesKey | Key K \<in> analz (spies evs))" |
1267 (K = SesKey | Key K \<in> analz (spies evs))" |
894 apply (frule AuthKeys_are_not_KeyCryptKey, assumption) |
1268 apply (frule authKeys_are_not_AKcryptSK, assumption) |
895 apply (simp del: image_insert |
1269 apply (simp del: image_insert |
896 add: analz_image_freshK_simps add: Key_analz_image_Key) |
1270 add: analz_image_freshK_simps add: Key_analz_image_Key) |
897 done |
1271 done |
898 |
1272 |
899 |
1273 |
900 text{* Second simplification law for analz: no service keys encrypt any other keys.*} |
1274 text{* Second simplification law for analz: no service keys encrypt any other keys.*} |
901 lemma analz_insert_freshK2: |
1275 lemma analz_insert_freshK2: |
902 "[| evs \<in> kerberos; ServKey \<notin> (AuthKeys evs); ServKey \<notin> range shrK; |
1276 "\<lbrakk> evs \<in> kerbIV; servK \<notin> (authKeys evs); servK \<notin> range shrK; |
903 K \<in> symKeys|] |
1277 K \<in> symKeys \<rbrakk> |
904 ==> (Key K \<in> analz (insert (Key ServKey) (spies evs))) = |
1278 \<Longrightarrow> (Key K \<in> analz (insert (Key servK) (spies evs))) = |
905 (K = ServKey | Key K \<in> analz (spies evs))" |
1279 (K = servK | Key K \<in> analz (spies evs))" |
906 apply (frule not_AuthKeys_not_KeyCryptKey, assumption, assumption) |
1280 apply (frule not_authKeys_not_AKcryptSK, assumption, assumption) |
907 apply (simp del: image_insert |
1281 apply (simp del: image_insert |
908 add: analz_image_freshK_simps add: Key_analz_image_Key) |
1282 add: analz_image_freshK_simps add: Key_analz_image_Key) |
909 done |
1283 done |
910 |
1284 |
911 |
1285 |
912 text{* Third simplification law for analz: only one authentication key encrypts a |
1286 text{* Third simplification law for analz: only one authentication key encrypts a certain service key.*} |
913 certain service key.*} |
1287 |
914 lemma analz_insert_freshK3: |
1288 lemma analz_insert_freshK3: |
915 "[| Says Tgs A |
1289 "\<lbrakk> AKcryptSK authK servK evs; |
916 (Crypt AuthKey {|Key ServKey, Agent B, Number Tt, ServTicket|}) |
1290 authK' \<noteq> authK; authK' \<notin> range shrK; evs \<in> kerbIV \<rbrakk> |
917 \<in> set evs; ServKey \<in> symKeys; |
1291 \<Longrightarrow> (Key servK \<in> analz (insert (Key authK') (spies evs))) = |
918 AuthKey \<noteq> AuthKey'; AuthKey' \<notin> range shrK; evs \<in> kerberos |] |
1292 (servK = authK' | Key servK \<in> analz (spies evs))" |
919 ==> (Key ServKey \<in> analz (insert (Key AuthKey') (spies evs))) = |
1293 apply (drule_tac authK' = authK' in not_different_AKcryptSK, blast, assumption) |
920 (ServKey = AuthKey' | Key ServKey \<in> analz (spies evs))" |
|
921 apply (drule_tac AuthKey' = AuthKey' in Says_Tgs_KeyCryptKey, blast, assumption) |
|
922 apply (simp del: image_insert |
1294 apply (simp del: image_insert |
923 add: analz_image_freshK_simps add: Key_analz_image_Key) |
1295 add: analz_image_freshK_simps add: Key_analz_image_Key) |
924 done |
1296 done |
925 |
1297 |
|
1298 lemma analz_insert_freshK3_bis: |
|
1299 "\<lbrakk> Says Tgs A |
|
1300 (Crypt authK \<lbrace>Key servK, Agent B, Number Ts, servTicket\<rbrace>) |
|
1301 \<in> set evs; |
|
1302 authK \<noteq> authK'; authK' \<notin> range shrK; evs \<in> kerbIV \<rbrakk> |
|
1303 \<Longrightarrow> (Key servK \<in> analz (insert (Key authK') (spies evs))) = |
|
1304 (servK = authK' | Key servK \<in> analz (spies evs))" |
|
1305 apply (frule AKcryptSKI, assumption) |
|
1306 apply (simp add: analz_insert_freshK3) |
|
1307 done |
926 |
1308 |
927 text{*a weakness of the protocol*} |
1309 text{*a weakness of the protocol*} |
928 lemma AuthKey_compromises_ServKey: |
1310 lemma authK_compromises_servK: |
929 "[| Says Tgs A |
1311 "\<lbrakk> Says Tgs A |
930 (Crypt AuthKey {|Key ServKey, Agent B, Number Tt, ServTicket|}) |
1312 (Crypt authK \<lbrace>Key servK, Agent B, Number Ts, servTicket\<rbrace>) |
931 \<in> set evs; AuthKey \<in> symKeys; |
1313 \<in> set evs; authK \<in> symKeys; |
932 Key AuthKey \<in> analz (spies evs); evs \<in> kerberos |] |
1314 Key authK \<in> analz (spies evs); evs \<in> kerbIV \<rbrakk> |
933 ==> Key ServKey \<in> analz (spies evs)" |
1315 \<Longrightarrow> Key servK \<in> analz (spies evs)" |
934 by (force dest: Says_imp_spies [THEN analz.Inj, THEN analz.Decrypt, THEN analz.Fst]) |
1316 by (force dest: Says_imp_spies [THEN analz.Inj, THEN analz.Decrypt, THEN analz.Fst]) |
935 |
1317 |
936 |
1318 lemma servK_notin_authKeysD: |
937 subsection{* Guarantees for Kas *} |
1319 "\<lbrakk> Crypt authK \<lbrace>Key servK, Agent B, Ts, |
938 lemma ServKey_notin_AuthKeysD: |
1320 Crypt (shrK B) \<lbrace>Agent A, Agent B, Key servK, Ts\<rbrace>\<rbrace> |
939 "[| Crypt AuthKey {|Key ServKey, Agent B, Tt, |
1321 \<in> parts (spies evs); |
940 Crypt (shrK B) {|Agent A, Agent B, Key ServKey, Tt|}|} |
1322 Key servK \<notin> analz (spies evs); |
941 \<in> parts (spies evs); |
1323 B \<noteq> Tgs; evs \<in> kerbIV \<rbrakk> |
942 Key ServKey \<notin> analz (spies evs); |
1324 \<Longrightarrow> servK \<notin> authKeys evs" |
943 B \<noteq> Tgs; evs \<in> kerberos |] |
1325 apply (erule rev_mp) |
944 ==> ServKey \<notin> AuthKeys evs" |
1326 apply (erule rev_mp) |
945 apply (erule rev_mp) |
1327 apply (simp add: authKeys_def) |
946 apply (erule rev_mp) |
1328 apply (erule kerbIV.induct, analz_mono_contra) |
947 apply (simp add: AuthKeys_def) |
|
948 apply (erule kerberos.induct, analz_mono_contra) |
|
949 apply (frule_tac [7] K5_msg_in_parts_spies) |
1329 apply (frule_tac [7] K5_msg_in_parts_spies) |
950 apply (frule_tac [5] K3_msg_in_parts_spies, simp_all) |
1330 apply (frule_tac [5] K3_msg_in_parts_spies, simp_all) |
951 apply (blast+) |
1331 apply (blast+) |
952 done |
1332 done |
953 |
1333 |
954 |
1334 |
955 text{*If Spy sees the Authentication Key sent in msg K2, then |
1335 text{*If Spy sees the Authentication Key sent in msg K2, then |
956 the Key has expired.*} |
1336 the Key has expired.*} |
957 lemma Confidentiality_Kas_lemma [rule_format]: |
1337 lemma Confidentiality_Kas_lemma [rule_format]: |
958 "[| AuthKey \<in> symKeys; A \<notin> bad; evs \<in> kerberos |] |
1338 "\<lbrakk> authK \<in> symKeys; A \<notin> bad; evs \<in> kerbIV \<rbrakk> |
959 ==> Says Kas A |
1339 \<Longrightarrow> Says Kas A |
960 (Crypt (shrK A) |
1340 (Crypt (shrK A) |
961 {|Key AuthKey, Agent Tgs, Number Tk, |
1341 \<lbrace>Key authK, Agent Tgs, Number Ta, |
962 Crypt (shrK Tgs) {|Agent A, Agent Tgs, Key AuthKey, Number Tk|}|}) |
1342 Crypt (shrK Tgs) \<lbrace>Agent A, Agent Tgs, Key authK, Number Ta\<rbrace>\<rbrace>) |
963 \<in> set evs --> |
1343 \<in> set evs \<longrightarrow> |
964 Key AuthKey \<in> analz (spies evs) --> |
1344 Key authK \<in> analz (spies evs) \<longrightarrow> |
965 ExpirAuth Tk evs" |
1345 expiredAK Ta evs" |
966 apply (erule kerberos.induct) |
1346 apply (erule kerbIV.induct) |
967 apply (frule_tac [10] Oops_range_spies2) |
1347 apply (frule_tac [10] Oops_range_spies2) |
968 apply (frule_tac [9] Oops_range_spies1) |
1348 apply (frule_tac [9] Oops_range_spies1) |
969 apply (frule_tac [7] Says_tgs_message_form) |
1349 apply (frule_tac [7] Says_tgs_message_form) |
970 apply (frule_tac [5] Says_kas_message_form) |
1350 apply (frule_tac [5] Says_kas_message_form) |
971 apply (safe del: impI conjI impCE) |
1351 apply (safe del: impI conjI impCE) |
975 txt{*K2*} |
1355 txt{*K2*} |
976 apply blast |
1356 apply blast |
977 txt{*K4*} |
1357 txt{*K4*} |
978 apply blast |
1358 apply blast |
979 txt{*Level 8: K5*} |
1359 txt{*Level 8: K5*} |
980 apply (blast dest: ServKey_notin_AuthKeysD Says_Kas_message_form intro: less_SucI) |
1360 apply (blast dest: servK_notin_authKeysD Says_Kas_message_form intro: less_SucI) |
981 txt{*Oops1*} |
1361 txt{*Oops1*} |
982 apply (blast dest!: unique_AuthKeys intro: less_SucI) |
1362 apply (blast dest!: unique_authKeys intro: less_SucI) |
983 txt{*Oops2*} |
1363 txt{*Oops2*} |
984 apply (blast dest: Says_Tgs_message_form Says_Kas_message_form) |
1364 apply (blast dest: Says_Tgs_message_form Says_Kas_message_form) |
985 done |
1365 done |
986 |
1366 |
987 lemma Confidentiality_Kas: |
1367 lemma Confidentiality_Kas: |
988 "[| Says Kas A |
1368 "\<lbrakk> Says Kas A |
989 (Crypt Ka {|Key AuthKey, Agent Tgs, Number Tk, AuthTicket|}) |
1369 (Crypt Ka \<lbrace>Key authK, Agent Tgs, Number Ta, authTicket\<rbrace>) |
990 \<in> set evs; |
1370 \<in> set evs; |
991 ~ ExpirAuth Tk evs; |
1371 \<not> expiredAK Ta evs; |
992 A \<notin> bad; evs \<in> kerberos |] |
1372 A \<notin> bad; evs \<in> kerbIV \<rbrakk> |
993 ==> Key AuthKey \<notin> analz (spies evs)" |
1373 \<Longrightarrow> Key authK \<notin> analz (spies evs)" |
994 by (blast dest: Says_Kas_message_form Confidentiality_Kas_lemma) |
1374 by (blast dest: Says_Kas_message_form Confidentiality_Kas_lemma) |
995 |
|
996 |
|
997 subsection{* Guarantees for Tgs *} |
|
998 |
1375 |
999 text{*If Spy sees the Service Key sent in msg K4, then |
1376 text{*If Spy sees the Service Key sent in msg K4, then |
1000 the Key has expired.*} |
1377 the Key has expired.*} |
1001 |
1378 |
1002 lemma Confidentiality_lemma [rule_format]: |
1379 lemma Confidentiality_lemma [rule_format]: |
1003 "[| Says Tgs A |
1380 "\<lbrakk> Says Tgs A |
1004 (Crypt AuthKey |
1381 (Crypt authK |
1005 {|Key ServKey, Agent B, Number Tt, |
1382 \<lbrace>Key servK, Agent B, Number Ts, |
1006 Crypt (shrK B) {|Agent A, Agent B, Key ServKey, Number Tt|}|}) |
1383 Crypt (shrK B) \<lbrace>Agent A, Agent B, Key servK, Number Ts\<rbrace>\<rbrace>) |
1007 \<in> set evs; |
1384 \<in> set evs; |
1008 Key AuthKey \<notin> analz (spies evs); |
1385 Key authK \<notin> analz (spies evs); |
1009 ServKey \<in> symKeys; |
1386 servK \<in> symKeys; |
1010 A \<notin> bad; B \<notin> bad; B \<noteq> Tgs; evs \<in> kerberos |] |
1387 A \<notin> bad; B \<notin> bad; evs \<in> kerbIV \<rbrakk> |
1011 ==> Key ServKey \<in> analz (spies evs) --> |
1388 \<Longrightarrow> Key servK \<in> analz (spies evs) \<longrightarrow> |
1012 ExpirServ Tt evs" |
1389 expiredSK Ts evs" |
1013 apply (erule rev_mp) |
1390 apply (erule rev_mp) |
1014 apply (erule rev_mp) |
1391 apply (erule rev_mp) |
1015 apply (erule kerberos.induct) |
1392 apply (erule kerbIV.induct) |
1016 apply (rule_tac [9] impI)+; |
1393 apply (rule_tac [9] impI)+; |
1017 --{*The Oops1 case is unusual: must simplify |
1394 --{*The Oops1 case is unusual: must simplify |
1018 @{term "Authkey \<notin> analz (spies (ev#evs))"}, not letting |
1395 @{term "Authkey \<notin> analz (spies (ev#evs))"}, not letting |
1019 @{text analz_mono_contra} weaken it to |
1396 @{text analz_mono_contra} weaken it to |
1020 @{term "Authkey \<notin> analz (spies evs)"}, |
1397 @{term "Authkey \<notin> analz (spies evs)"}, |
1021 for we then conclude @{term "AuthKey \<noteq> AuthKeya"}.*} |
1398 for we then conclude @{term "authK \<noteq> authKa"}.*} |
1022 apply analz_mono_contra |
1399 apply analz_mono_contra |
1023 apply (frule_tac [10] Oops_range_spies2) |
1400 apply (frule_tac [10] Oops_range_spies2) |
1024 apply (frule_tac [9] Oops_range_spies1) |
1401 apply (frule_tac [9] Oops_range_spies1) |
1025 apply (frule_tac [7] Says_tgs_message_form) |
1402 apply (frule_tac [7] Says_tgs_message_form) |
1026 apply (frule_tac [5] Says_kas_message_form) |
1403 apply (frule_tac [5] Says_kas_message_form) |
1027 apply (safe del: impI conjI impCE) |
1404 apply (safe del: impI conjI impCE) |
1028 apply (simp_all add: less_SucI new_keys_not_analzd Says_Kas_message_form Says_Tgs_message_form analz_insert_eq not_parts_not_analz analz_insert_freshK1 analz_insert_freshK2 analz_insert_freshK3 pushes) |
1405 apply (simp_all add: less_SucI new_keys_not_analzd Says_Kas_message_form Says_Tgs_message_form analz_insert_eq not_parts_not_analz analz_insert_freshK1 analz_insert_freshK2 analz_insert_freshK3_bis pushes) |
1029 txt{*Fake*} |
1406 txt{*Fake*} |
1030 apply spy_analz |
1407 apply spy_analz |
1031 txt{*K2*} |
1408 txt{*K2*} |
1032 apply (blast intro: parts_insertI less_SucI) |
1409 apply (blast intro: parts_insertI less_SucI) |
1033 txt{*K4*} |
1410 txt{*K4*} |
1034 apply (blast dest: A_trusts_AuthTicket Confidentiality_Kas) |
1411 apply (blast dest: authTicket_authentic Confidentiality_Kas) |
1035 txt{*Oops2*} |
1412 txt{*Oops2*} |
1036 prefer 3 |
1413 prefer 3 |
1037 apply (blast dest: Says_imp_spies [THEN parts.Inj] Key_unique_SesKey intro: less_SucI) |
1414 apply (blast dest: Says_imp_spies [THEN parts.Inj] Key_unique_SesKey intro: less_SucI) |
1038 txt{*Oops1*} |
1415 txt{*Oops1*} |
1039 prefer 2 |
1416 prefer 2 |
1040 apply (blast dest: Says_Kas_message_form Says_Tgs_message_form intro: less_SucI) |
1417 apply (blast dest: Says_Kas_message_form Says_Tgs_message_form intro: less_SucI) |
1041 txt{*K5. Not clear how this step could be integrated with the main |
1418 txt{*K5. Not obvious how this step could be integrated with the main |
1042 simplification step.*} |
1419 simplification step. Done in KerberosV.thy *} |
1043 apply clarify |
1420 apply clarify |
1044 apply (erule_tac V = "Says Aa Tgs ?X \<in> set ?evs" in thin_rl) |
1421 apply (erule_tac V = "Says Aa Tgs ?X \<in> set ?evs" in thin_rl) |
1045 apply (frule Says_imp_spies [THEN parts.Inj, THEN ServKey_notin_AuthKeysD]) |
1422 apply (frule Says_imp_spies [THEN parts.Inj, THEN servK_notin_authKeysD]) |
1046 apply (assumption, blast, assumption) |
1423 apply (assumption, blast, assumption) |
1047 apply (simp add: analz_insert_freshK2) |
1424 apply (simp add: analz_insert_freshK2) |
1048 apply (blast dest: Says_imp_spies [THEN parts.Inj] Key_unique_SesKey intro: less_SucI) |
1425 apply (blast dest: Says_imp_spies [THEN parts.Inj] Key_unique_SesKey intro: less_SucI) |
1049 done |
1426 done |
1050 |
1427 |
1051 |
1428 |
1052 text{* In the real world Tgs can't check wheter AuthKey is secure! *} |
1429 text{* In the real world Tgs can't check wheter authK is secure! *} |
1053 lemma Confidentiality_Tgs1: |
1430 lemma Confidentiality_Tgs: |
1054 "[| Says Tgs A |
1431 "\<lbrakk> Says Tgs A |
1055 (Crypt AuthKey {|Key ServKey, Agent B, Number Tt, ServTicket|}) |
1432 (Crypt authK \<lbrace>Key servK, Agent B, Number Ts, servTicket\<rbrace>) |
1056 \<in> set evs; |
1433 \<in> set evs; |
1057 Key AuthKey \<notin> analz (spies evs); |
1434 Key authK \<notin> analz (spies evs); |
1058 ~ ExpirServ Tt evs; |
1435 \<not> expiredSK Ts evs; |
1059 A \<notin> bad; B \<notin> bad; B \<noteq> Tgs; evs \<in> kerberos |] |
1436 A \<notin> bad; B \<notin> bad; evs \<in> kerbIV \<rbrakk> |
1060 ==> Key ServKey \<notin> analz (spies evs)" |
1437 \<Longrightarrow> Key servK \<notin> analz (spies evs)" |
1061 apply (blast dest: Says_Tgs_message_form Confidentiality_lemma) |
1438 apply (blast dest: Says_Tgs_message_form Confidentiality_lemma) |
1062 done |
1439 done |
1063 |
1440 |
1064 text{* In the real world Tgs CAN check what Kas sends! *} |
1441 text{* In the real world Tgs CAN check what Kas sends! *} |
1065 lemma Confidentiality_Tgs2: |
1442 lemma Confidentiality_Tgs_bis: |
1066 "[| Says Kas A |
1443 "\<lbrakk> Says Kas A |
1067 (Crypt Ka {|Key AuthKey, Agent Tgs, Number Tk, AuthTicket|}) |
1444 (Crypt Ka \<lbrace>Key authK, Agent Tgs, Number Ta, authTicket\<rbrace>) |
1068 \<in> set evs; |
1445 \<in> set evs; |
1069 Says Tgs A |
1446 Says Tgs A |
1070 (Crypt AuthKey {|Key ServKey, Agent B, Number Tt, ServTicket|}) |
1447 (Crypt authK \<lbrace>Key servK, Agent B, Number Ts, servTicket\<rbrace>) |
1071 \<in> set evs; |
1448 \<in> set evs; |
1072 ~ ExpirAuth Tk evs; ~ ExpirServ Tt evs; |
1449 \<not> expiredAK Ta evs; \<not> expiredSK Ts evs; |
1073 A \<notin> bad; B \<notin> bad; B \<noteq> Tgs; evs \<in> kerberos |] |
1450 A \<notin> bad; B \<notin> bad; evs \<in> kerbIV \<rbrakk> |
1074 ==> Key ServKey \<notin> analz (spies evs)" |
1451 \<Longrightarrow> Key servK \<notin> analz (spies evs)" |
1075 apply (blast dest!: Confidentiality_Kas Confidentiality_Tgs1) |
1452 apply (blast dest!: Confidentiality_Kas Confidentiality_Tgs) |
1076 done |
1453 done |
1077 |
1454 |
1078 text{*Most general form*} |
1455 text{*Most general form*} |
1079 lemmas Confidentiality_Tgs3 = A_trusts_AuthTicket [THEN Confidentiality_Tgs2] |
1456 lemmas Confidentiality_Tgs_ter = authTicket_authentic [THEN Confidentiality_Tgs_bis] |
1080 |
1457 |
1081 |
1458 lemmas Confidentiality_Auth_A = authK_authentic [THEN Confidentiality_Kas] |
1082 subsection{* Guarantees for Alice *} |
1459 |
1083 |
1460 text{*Needs a confidentiality guarantee, hence moved here. |
1084 lemmas Confidentiality_Auth_A = A_trusts_AuthKey [THEN Confidentiality_Kas] |
1461 Authenticity of servK for A*} |
1085 |
1462 lemma servK_authentic_bis_r: |
1086 lemma A_trusts_K4_bis: |
1463 "\<lbrakk> Crypt (shrK A) \<lbrace>Key authK, Agent Tgs, Number Ta, authTicket\<rbrace> |
1087 "[| Says Kas A |
1464 \<in> parts (spies evs); |
1088 (Crypt (shrK A) {|Key AuthKey, Agent Tgs, Tk, AuthTicket|}) \<in> set evs; |
1465 Crypt authK \<lbrace>Key servK, Agent B, Number Ts, servTicket\<rbrace> |
1089 Crypt AuthKey {|Key ServKey, Agent B, Tt, ServTicket|} |
1466 \<in> parts (spies evs); |
|
1467 \<not> expiredAK Ta evs; A \<notin> bad; evs \<in> kerbIV \<rbrakk> |
|
1468 \<Longrightarrow>Says Tgs A (Crypt authK \<lbrace>Key servK, Agent B, Number Ts, servTicket\<rbrace>) |
|
1469 \<in> set evs" |
|
1470 apply (blast dest: authK_authentic Confidentiality_Auth_A servK_authentic_ter) |
|
1471 done |
|
1472 |
|
1473 lemma Confidentiality_Serv_A: |
|
1474 "\<lbrakk> Crypt (shrK A) \<lbrace>Key authK, Agent Tgs, Number Ta, authTicket\<rbrace> |
|
1475 \<in> parts (spies evs); |
|
1476 Crypt authK \<lbrace>Key servK, Agent B, Number Ts, servTicket\<rbrace> |
|
1477 \<in> parts (spies evs); |
|
1478 \<not> expiredAK Ta evs; \<not> expiredSK Ts evs; |
|
1479 A \<notin> bad; B \<notin> bad; evs \<in> kerbIV \<rbrakk> |
|
1480 \<Longrightarrow> Key servK \<notin> analz (spies evs)" |
|
1481 apply (drule authK_authentic, assumption, assumption) |
|
1482 apply (blast dest: Confidentiality_Kas Says_Kas_message_form servK_authentic_ter Confidentiality_Tgs_bis) |
|
1483 done |
|
1484 |
|
1485 lemma Confidentiality_B: |
|
1486 "\<lbrakk> Crypt (shrK B) \<lbrace>Agent A, Agent B, Key servK, Number Ts\<rbrace> |
|
1487 \<in> parts (spies evs); |
|
1488 Crypt authK \<lbrace>Key servK, Agent B, Number Ts, servTicket\<rbrace> |
|
1489 \<in> parts (spies evs); |
|
1490 Crypt (shrK A) \<lbrace>Key authK, Agent Tgs, Number Ta, authTicket\<rbrace> |
|
1491 \<in> parts (spies evs); |
|
1492 \<not> expiredSK Ts evs; \<not> expiredAK Ta evs; |
|
1493 A \<notin> bad; B \<notin> bad; B \<noteq> Tgs; evs \<in> kerbIV \<rbrakk> |
|
1494 \<Longrightarrow> Key servK \<notin> analz (spies evs)" |
|
1495 apply (frule authK_authentic) |
|
1496 apply (frule_tac [3] Confidentiality_Kas) |
|
1497 apply (frule_tac [6] servTicket_authentic, auto) |
|
1498 apply (blast dest!: Confidentiality_Tgs_bis dest: Says_Kas_message_form servK_authentic unique_servKeys unique_authKeys) |
|
1499 done |
|
1500 (* |
|
1501 The proof above is fast. It can be done in one command in 17 secs: |
|
1502 apply (blast dest: authK_authentic servK_authentic |
|
1503 Says_Kas_message_form servTicket_authentic |
|
1504 unique_servKeys unique_authKeys |
|
1505 Confidentiality_Kas |
|
1506 Confidentiality_Tgs_bis) |
|
1507 It is very brittle: we can't use this command partway |
|
1508 through the script above. |
|
1509 *) |
|
1510 |
|
1511 lemma u_Confidentiality_B: |
|
1512 "\<lbrakk> Crypt (shrK B) \<lbrace>Agent A, Agent B, Key servK, Number Ts\<rbrace> |
|
1513 \<in> parts (spies evs); |
|
1514 \<not> expiredSK Ts evs; |
|
1515 A \<notin> bad; B \<notin> bad; B \<noteq> Tgs; evs \<in> kerbIV \<rbrakk> |
|
1516 \<Longrightarrow> Key servK \<notin> analz (spies evs)" |
|
1517 apply (blast dest: u_servTicket_authentic u_NotexpiredSK_NotexpiredAK Confidentiality_Tgs_bis) |
|
1518 done |
|
1519 |
|
1520 |
|
1521 |
|
1522 subsection{*Parties authentication: each party verifies "the identity of |
|
1523 another party who generated some data" (quoted from Neuman and Ts'o).*} |
|
1524 |
|
1525 text{*These guarantees don't assess whether two parties agree on |
|
1526 the same session key: sending a message containing a key |
|
1527 doesn't a priori state knowledge of the key.*} |
|
1528 |
|
1529 |
|
1530 text{*@{text Tgs_authenticates_A} can be found above*} |
|
1531 |
|
1532 lemma A_authenticates_Tgs: |
|
1533 "\<lbrakk> Says Kas A |
|
1534 (Crypt (shrK A) \<lbrace>Key authK, Agent Tgs, Number Ta, authTicket\<rbrace>) \<in> set evs; |
|
1535 Crypt authK \<lbrace>Key servK, Agent B, Number Ts, servTicket\<rbrace> |
1090 \<in> parts (spies evs); |
1536 \<in> parts (spies evs); |
1091 Key AuthKey \<notin> analz (spies evs); |
1537 Key authK \<notin> analz (spies evs); |
1092 evs \<in> kerberos |] |
1538 evs \<in> kerbIV \<rbrakk> |
1093 ==> Says Tgs A (Crypt AuthKey {|Key ServKey, Agent B, Tt, ServTicket|}) |
1539 \<Longrightarrow> Says Tgs A (Crypt authK \<lbrace>Key servK, Agent B, Number Ts, servTicket\<rbrace>) |
1094 \<in> set evs" |
1540 \<in> set evs" |
1095 apply (frule Says_Kas_message_form, assumption) |
1541 apply (frule Says_Kas_message_form, assumption) |
1096 apply (erule rev_mp) |
1542 apply (erule rev_mp) |
1097 apply (erule rev_mp) |
1543 apply (erule rev_mp) |
1098 apply (erule rev_mp) |
1544 apply (erule rev_mp) |
1099 apply (erule kerberos.induct, analz_mono_contra) |
1545 apply (erule kerbIV.induct, analz_mono_contra) |
1100 apply (frule_tac [7] K5_msg_in_parts_spies) |
1546 apply (frule_tac [7] K5_msg_in_parts_spies) |
1101 apply (frule_tac [5] K3_msg_in_parts_spies, simp_all, blast) |
1547 apply (frule_tac [5] K3_msg_in_parts_spies, simp_all, blast) |
1102 txt{*K2 and K4 remain*} |
1548 txt{*K2 and K4 remain*} |
1103 prefer 2 apply (blast dest!: unique_CryptKey) |
1549 prefer 2 apply (blast dest!: unique_CryptKey) |
1104 apply (blast dest!: A_trusts_K4 Says_Tgs_message_form AuthKeys_used) |
1550 apply (blast dest!: servK_authentic Says_Tgs_message_form authKeys_used) |
1105 done |
1551 done |
1106 |
1552 |
1107 |
1553 |
1108 lemma Confidentiality_Serv_A: |
1554 lemma B_authenticates_A: |
1109 "[| Crypt (shrK A) {|Key AuthKey, Agent Tgs, Number Tk, AuthTicket|} |
1555 "\<lbrakk> Crypt servK \<lbrace>Agent A, Number T3\<rbrace> \<in> parts (spies evs); |
1110 \<in> parts (spies evs); |
1556 Crypt (shrK B) \<lbrace>Agent A, Agent B, Key servK, Number Ts\<rbrace> |
1111 Crypt AuthKey {|Key ServKey, Agent B, Number Tt, ServTicket|} |
1557 \<in> parts (spies evs); |
1112 \<in> parts (spies evs); |
1558 Key servK \<notin> analz (spies evs); |
1113 ~ ExpirAuth Tk evs; ~ ExpirServ Tt evs; |
1559 A \<notin> bad; B \<notin> bad; B \<noteq> Tgs; evs \<in> kerbIV \<rbrakk> |
1114 A \<notin> bad; B \<notin> bad; B \<noteq> Tgs; evs \<in> kerberos |] |
1560 \<Longrightarrow> Says A B \<lbrace>Crypt (shrK B) \<lbrace>Agent A, Agent B, Key servK, Number Ts\<rbrace>, |
1115 ==> Key ServKey \<notin> analz (spies evs)" |
1561 Crypt servK \<lbrace>Agent A, Number T3\<rbrace>\<rbrace> \<in> set evs" |
1116 apply (drule A_trusts_AuthKey, assumption, assumption) |
1562 apply (blast dest: servTicket_authentic_Tgs intro: Says_K5) |
1117 apply (blast dest: Confidentiality_Kas Says_Kas_message_form A_trusts_K4_bis Confidentiality_Tgs2) |
1563 done |
1118 done |
1564 |
1119 |
1565 text{*The second assumption tells B what kind of key servK is.*} |
1120 |
1566 lemma B_authenticates_A_r: |
1121 subsection{* Guarantees for Bob *} |
1567 "\<lbrakk> Crypt servK \<lbrace>Agent A, Number T3\<rbrace> \<in> parts (spies evs); |
1122 text{* Theorems for the refined model have suffix "refined" *} |
1568 Crypt (shrK B) \<lbrace>Agent A, Agent B, Key servK, Number Ts\<rbrace> |
1123 |
1569 \<in> parts (spies evs); |
1124 lemma K4_imp_K2: |
1570 Crypt authK \<lbrace>Key servK, Agent B, Number Ts, servTicket\<rbrace> |
1125 "[| Says Tgs A (Crypt AuthKey {|Key ServKey, Agent B, Number Tt, ServTicket|}) |
1571 \<in> parts (spies evs); |
1126 \<in> set evs; evs \<in> kerberos|] |
1572 Crypt (shrK A) \<lbrace>Key authK, Agent Tgs, Number Ta, authTicket\<rbrace> |
1127 ==> \<exists>Tk. Says Kas A |
1573 \<in> parts (spies evs); |
1128 (Crypt (shrK A) |
1574 \<not> expiredSK Ts evs; \<not> expiredAK Ta evs; |
1129 {|Key AuthKey, Agent Tgs, Number Tk, |
1575 B \<noteq> Tgs; A \<notin> bad; B \<notin> bad; evs \<in> kerbIV \<rbrakk> |
1130 Crypt (shrK Tgs) {|Agent A, Agent Tgs, Key AuthKey, Number Tk|}|}) |
1576 \<Longrightarrow> Says A B \<lbrace>Crypt (shrK B) \<lbrace>Agent A, Agent B, Key servK, Number Ts\<rbrace>, |
1131 \<in> set evs" |
1577 Crypt servK \<lbrace>Agent A, Number T3\<rbrace> \<rbrace> \<in> set evs" |
1132 apply (erule rev_mp) |
1578 apply (blast intro: Says_K5 dest: Confidentiality_B servTicket_authentic_Tgs) |
1133 apply (erule kerberos.induct) |
1579 done |
1134 apply (frule_tac [7] K5_msg_in_parts_spies) |
1580 |
1135 apply (frule_tac [5] K3_msg_in_parts_spies, simp_all, auto) |
1581 text{* @{text u_B_authenticates_A} would be the same as @{text B_authenticates_A} because the servK confidentiality assumption is yet unrelaxed*} |
1136 apply (blast dest!: Says_imp_spies [THEN parts.Inj, THEN parts.Fst, THEN A_trusts_AuthTicket]) |
1582 |
1137 done |
1583 lemma u_B_authenticates_A_r: |
1138 |
1584 "\<lbrakk> Crypt servK \<lbrace>Agent A, Number T3\<rbrace> \<in> parts (spies evs); |
1139 lemma K4_imp_K2_refined: |
1585 Crypt (shrK B) \<lbrace>Agent A, Agent B, Key servK, Number Ts\<rbrace> |
1140 "[| Says Tgs A (Crypt AuthKey {|Key ServKey, Agent B, Number Tt, ServTicket|}) |
1586 \<in> parts (spies evs); |
1141 \<in> set evs; evs \<in> kerberos|] |
1587 \<not> expiredSK Ts evs; |
1142 ==> \<exists>Tk. (Says Kas A (Crypt (shrK A) {|Key AuthKey, Agent Tgs, Number Tk, |
1588 B \<noteq> Tgs; A \<notin> bad; B \<notin> bad; evs \<in> kerbIV \<rbrakk> |
1143 Crypt (shrK Tgs) {|Agent A, Agent Tgs, Key AuthKey, Number Tk|}|}) |
1589 \<Longrightarrow> Says A B \<lbrace>Crypt (shrK B) \<lbrace>Agent A, Agent B, Key servK, Number Ts\<rbrace>, |
1144 \<in> set evs |
1590 Crypt servK \<lbrace>Agent A, Number T3\<rbrace> \<rbrace> \<in> set evs" |
1145 & ServLife + Tt <= AuthLife + Tk)" |
1591 apply (blast intro: Says_K5 dest: u_Confidentiality_B servTicket_authentic_Tgs) |
1146 apply (erule rev_mp) |
1592 done |
1147 apply (erule kerberos.induct) |
1593 |
1148 apply (frule_tac [7] K5_msg_in_parts_spies) |
1594 lemma A_authenticates_B: |
1149 apply (frule_tac [5] K3_msg_in_parts_spies, simp_all, auto) |
1595 "\<lbrakk> Crypt servK (Number T3) \<in> parts (spies evs); |
1150 apply (blast dest!: Says_imp_spies [THEN parts.Inj, THEN parts.Fst, THEN A_trusts_AuthTicket]) |
1596 Crypt authK \<lbrace>Key servK, Agent B, Number Ts, servTicket\<rbrace> |
1151 done |
1597 \<in> parts (spies evs); |
1152 |
1598 Crypt (shrK A) \<lbrace>Key authK, Agent Tgs, Number Ta, authTicket\<rbrace> |
1153 text{*Authenticity of ServKey for B*} |
1599 \<in> parts (spies evs); |
1154 lemma B_trusts_ServKey: |
1600 Key authK \<notin> analz (spies evs); Key servK \<notin> analz (spies evs); |
1155 "[| Crypt (shrK B) {|Agent A, Agent B, Key ServKey, Tt|} |
1601 A \<notin> bad; B \<notin> bad; evs \<in> kerbIV \<rbrakk> |
1156 \<in> parts (spies evs); B \<noteq> Tgs; B \<notin> bad; |
1602 \<Longrightarrow> Says B A (Crypt servK (Number T3)) \<in> set evs" |
1157 evs \<in> kerberos |] |
1603 apply (frule authK_authentic) |
1158 ==> \<exists>AuthKey. |
1604 apply assumption+ |
1159 Says Tgs A (Crypt AuthKey {|Key ServKey, Agent B, Tt, |
1605 apply (frule servK_authentic) |
1160 Crypt (shrK B) {|Agent A, Agent B, Key ServKey, Tt|}|}) |
1606 prefer 2 apply (blast dest: authK_authentic Says_Kas_message_form) |
1161 \<in> set evs" |
1607 apply assumption+ |
1162 apply (erule rev_mp) |
1608 apply (blast dest: K4_imp_K2 Key_unique_SesKey intro!: Says_K6) |
1163 apply (erule kerberos.induct) |
1609 (*Single command proof: slower! |
1164 apply (frule_tac [7] K5_msg_in_parts_spies) |
1610 apply (blast dest: authK_authentic servK_authentic Says_Kas_message_form Key_unique_SesKey K4_imp_K2 intro!: Says_K6) |
1165 apply (frule_tac [5] K3_msg_in_parts_spies, simp_all) |
|
1166 apply (blast+) |
|
1167 done |
|
1168 |
|
1169 lemma B_trusts_ServTicket_Kas: |
|
1170 "[| Crypt (shrK B) {|Agent A, Agent B, Key ServKey, Number Tt|} |
|
1171 \<in> parts (spies evs); B \<noteq> Tgs; B \<notin> bad; |
|
1172 evs \<in> kerberos |] |
|
1173 ==> \<exists>AuthKey Tk. |
|
1174 Says Kas A |
|
1175 (Crypt (shrK A) {|Key AuthKey, Agent Tgs, Number Tk, |
|
1176 Crypt (shrK Tgs) {|Agent A, Agent Tgs, Key AuthKey, Number Tk|}|}) |
|
1177 \<in> set evs" |
|
1178 by (blast dest!: B_trusts_ServKey K4_imp_K2) |
|
1179 |
|
1180 lemma B_trusts_ServTicket_Kas_refined: |
|
1181 "[| Crypt (shrK B) {|Agent A, Agent B, Key ServKey, Number Tt|} |
|
1182 \<in> parts (spies evs); B \<noteq> Tgs; B \<notin> bad; |
|
1183 evs \<in> kerberos |] |
|
1184 ==> \<exists>AuthKey Tk. Says Kas A (Crypt(shrK A) {|Key AuthKey, Agent Tgs, Number Tk, |
|
1185 Crypt (shrK Tgs) {|Agent A, Agent Tgs, Key AuthKey, Number Tk|}|}) |
|
1186 \<in> set evs |
|
1187 & ServLife + Tt <= AuthLife + Tk" |
|
1188 by (blast dest!: B_trusts_ServKey K4_imp_K2_refined) |
|
1189 |
|
1190 lemma B_trusts_ServTicket: |
|
1191 "[| Crypt (shrK B) {|Agent A, Agent B, Key ServKey, Number Tt|} |
|
1192 \<in> parts (spies evs); B \<noteq> Tgs; B \<notin> bad; |
|
1193 evs \<in> kerberos |] |
|
1194 ==> \<exists>Tk AuthKey. |
|
1195 Says Kas A (Crypt (shrK A) {|Key AuthKey, Agent Tgs, Number Tk, |
|
1196 Crypt (shrK Tgs) {|Agent A, Agent Tgs, Key AuthKey, Number Tk|}|}) |
|
1197 \<in> set evs |
|
1198 & Says Tgs A (Crypt AuthKey {|Key ServKey, Agent B, Number Tt, |
|
1199 Crypt (shrK B) {|Agent A, Agent B, Key ServKey, Number Tt|}|}) |
|
1200 \<in> set evs" |
|
1201 by (blast dest: B_trusts_ServKey K4_imp_K2) |
|
1202 |
|
1203 lemma B_trusts_ServTicket_refined: |
|
1204 "[| Crypt (shrK B) {|Agent A, Agent B, Key ServKey, Number Tt|} |
|
1205 \<in> parts (spies evs); B \<noteq> Tgs; B \<notin> bad; |
|
1206 evs \<in> kerberos |] |
|
1207 ==> \<exists>Tk AuthKey. |
|
1208 (Says Kas A (Crypt (shrK A) {|Key AuthKey, Agent Tgs, Number Tk, |
|
1209 Crypt (shrK Tgs) {|Agent A, Agent Tgs, Key AuthKey, Number Tk|}|}) |
|
1210 \<in> set evs |
|
1211 & Says Tgs A (Crypt AuthKey {|Key ServKey, Agent B, Number Tt, |
|
1212 Crypt (shrK B) {|Agent A, Agent B, Key ServKey, Number Tt|}|}) |
|
1213 \<in> set evs |
|
1214 & ServLife + Tt <= AuthLife + Tk)" |
|
1215 by (blast dest: B_trusts_ServKey K4_imp_K2_refined) |
|
1216 |
|
1217 |
|
1218 lemma NotExpirServ_NotExpirAuth_refined: |
|
1219 "[| ~ ExpirServ Tt evs; ServLife + Tt <= AuthLife + Tk |] |
|
1220 ==> ~ ExpirAuth Tk evs" |
|
1221 by (blast dest: leI le_trans dest: leD) |
|
1222 |
|
1223 |
|
1224 lemma Confidentiality_B: |
|
1225 "[| Crypt (shrK B) {|Agent A, Agent B, Key ServKey, Number Tt|} |
|
1226 \<in> parts (spies evs); |
|
1227 Crypt AuthKey {|Key ServKey, Agent B, Number Tt, ServTicket|} |
|
1228 \<in> parts (spies evs); |
|
1229 Crypt (shrK A) {|Key AuthKey, Agent Tgs, Number Tk, AuthTicket|} |
|
1230 \<in> parts (spies evs); |
|
1231 ~ ExpirServ Tt evs; ~ ExpirAuth Tk evs; |
|
1232 A \<notin> bad; B \<notin> bad; B \<noteq> Tgs; evs \<in> kerberos |] |
|
1233 ==> Key ServKey \<notin> analz (spies evs)" |
|
1234 apply (frule A_trusts_AuthKey) |
|
1235 apply (frule_tac [3] Confidentiality_Kas) |
|
1236 apply (frule_tac [6] B_trusts_ServTicket, auto) |
|
1237 apply (blast dest!: Confidentiality_Tgs2 dest: Says_Kas_message_form A_trusts_K4 unique_ServKeys unique_AuthKeys) |
|
1238 done |
|
1239 (* |
|
1240 The proof above is fast. It can be done in one command in 17 secs: |
|
1241 apply (blast dest: A_trusts_AuthKey A_trusts_K4 |
|
1242 Says_Kas_message_form B_trusts_ServTicket |
|
1243 unique_ServKeys unique_AuthKeys |
|
1244 Confidentiality_Kas |
|
1245 Confidentiality_Tgs2) |
|
1246 It is very brittle: we can't use this command partway |
|
1247 through the script above. |
|
1248 *) |
1611 *) |
1249 |
1612 done |
1250 |
1613 |
1251 |
1614 lemma A_authenticates_B_r: |
1252 text{*Most general form -- only for refined model! *} |
1615 "\<lbrakk> Crypt servK (Number T3) \<in> parts (spies evs); |
1253 lemma Confidentiality_B_refined: |
1616 Crypt authK \<lbrace>Key servK, Agent B, Number Ts, servTicket\<rbrace> |
1254 "[| Crypt (shrK B) {|Agent A, Agent B, Key ServKey, Number Tt|} |
1617 \<in> parts (spies evs); |
1255 \<in> parts (spies evs); |
1618 Crypt (shrK A) \<lbrace>Key authK, Agent Tgs, Number Ta, authTicket\<rbrace> |
1256 ~ ExpirServ Tt evs; |
1619 \<in> parts (spies evs); |
1257 A \<notin> bad; B \<notin> bad; B \<noteq> Tgs; evs \<in> kerberos |] |
1620 \<not> expiredAK Ta evs; \<not> expiredSK Ts evs; |
1258 ==> Key ServKey \<notin> analz (spies evs)" |
1621 A \<notin> bad; B \<notin> bad; evs \<in> kerbIV \<rbrakk> |
1259 apply (blast dest: B_trusts_ServTicket_refined NotExpirServ_NotExpirAuth_refined Confidentiality_Tgs2) |
1622 \<Longrightarrow> Says B A (Crypt servK (Number T3)) \<in> set evs" |
1260 done |
1623 apply (frule authK_authentic) |
1261 |
|
1262 |
|
1263 subsection{* Authenticity theorems *} |
|
1264 |
|
1265 text{*1. Session Keys authenticity: they originated with servers.*} |
|
1266 |
|
1267 text{*Authenticity of ServKey for A*} |
|
1268 lemma A_trusts_ServKey: |
|
1269 "[| Crypt (shrK A) {|Key AuthKey, Agent Tgs, Number Tk, AuthTicket|} |
|
1270 \<in> parts (spies evs); |
|
1271 Crypt AuthKey {|Key ServKey, Agent B, Number Tt, ServTicket|} |
|
1272 \<in> parts (spies evs); |
|
1273 ~ ExpirAuth Tk evs; A \<notin> bad; evs \<in> kerberos |] |
|
1274 ==>Says Tgs A (Crypt AuthKey {|Key ServKey, Agent B, Number Tt, ServTicket|}) |
|
1275 \<in> set evs" |
|
1276 by (blast dest: A_trusts_AuthKey Confidentiality_Auth_A A_trusts_K4_bis) |
|
1277 |
|
1278 text{*Note: requires a temporal check*} |
|
1279 |
|
1280 |
|
1281 (***2. Parties authenticity: each party verifies "the identity of |
|
1282 another party who generated some data" (quoted from Neuman & Ts'o).***) |
|
1283 |
|
1284 (*These guarantees don't assess whether two parties agree on |
|
1285 the same session key: sending a message containing a key |
|
1286 doesn't a priori state knowledge of the key.***) |
|
1287 |
|
1288 text{*B checks authenticity of A by theorems @{text A_Authenticity} and |
|
1289 @{text A_authenticity_refined} *} |
|
1290 lemma Says_Auth: |
|
1291 "[| Crypt ServKey {|Agent A, Number Ta|} \<in> parts (spies evs); |
|
1292 Says Tgs A (Crypt AuthKey {|Key ServKey, Agent B, Number Tt, |
|
1293 ServTicket|}) \<in> set evs; |
|
1294 Key ServKey \<notin> analz (spies evs); |
|
1295 A \<notin> bad; B \<notin> bad; evs \<in> kerberos |] |
|
1296 ==> Says A B {|ServTicket, Crypt ServKey {|Agent A, Number Ta|}|} \<in> set evs" |
|
1297 apply (erule rev_mp) |
|
1298 apply (erule rev_mp) |
|
1299 apply (erule rev_mp) |
|
1300 apply (erule kerberos.induct, analz_mono_contra) |
|
1301 apply (frule_tac [5] Says_ticket_in_parts_spies) |
|
1302 apply (frule_tac [7] Says_ticket_in_parts_spies) |
|
1303 apply (simp_all (no_asm_simp) add: all_conj_distrib) |
|
1304 apply blast |
|
1305 txt{*K3*} |
|
1306 apply (blast dest: A_trusts_AuthKey Says_Kas_message_form Says_Tgs_message_form) |
|
1307 txt{*K4*} |
|
1308 apply (force dest!: Crypt_imp_keysFor) |
|
1309 txt{*K5*} |
|
1310 apply (blast dest: Key_unique_SesKey) |
|
1311 done |
|
1312 |
|
1313 text{*The second assumption tells B what kind of key ServKey is.*} |
|
1314 lemma A_Authenticity: |
|
1315 "[| Crypt ServKey {|Agent A, Number Ta|} \<in> parts (spies evs); |
|
1316 Crypt (shrK B) {|Agent A, Agent B, Key ServKey, Number Tt|} |
|
1317 \<in> parts (spies evs); |
|
1318 Crypt AuthKey {|Key ServKey, Agent B, Number Tt, ServTicket|} |
|
1319 \<in> parts (spies evs); |
|
1320 Crypt (shrK A) {|Key AuthKey, Agent Tgs, Number Tk, AuthTicket|} |
|
1321 \<in> parts (spies evs); |
|
1322 ~ ExpirServ Tt evs; ~ ExpirAuth Tk evs; |
|
1323 B \<noteq> Tgs; A \<notin> bad; B \<notin> bad; evs \<in> kerberos |] |
|
1324 ==> Says A B {|Crypt (shrK B) {|Agent A, Agent B, Key ServKey, Number Tt|}, |
|
1325 Crypt ServKey {|Agent A, Number Ta|} |} \<in> set evs" |
|
1326 by (blast intro: Says_Auth dest: Confidentiality_B Key_unique_SesKey B_trusts_ServKey) |
|
1327 |
|
1328 text{*Stronger form in the refined model*} |
|
1329 lemma A_Authenticity_refined: |
|
1330 "[| Crypt ServKey {|Agent A, Number Ta2|} \<in> parts (spies evs); |
|
1331 Crypt (shrK B) {|Agent A, Agent B, Key ServKey, Number Tt|} |
|
1332 \<in> parts (spies evs); |
|
1333 ~ ExpirServ Tt evs; |
|
1334 B \<noteq> Tgs; A \<notin> bad; B \<notin> bad; evs \<in> kerberos |] |
|
1335 ==> Says A B {|Crypt (shrK B) {|Agent A, Agent B, Key ServKey, Number Tt|}, |
|
1336 Crypt ServKey {|Agent A, Number Ta2|} |} \<in> set evs" |
|
1337 by (blast dest: Confidentiality_B_refined B_trusts_ServKey Key_unique_SesKey intro: Says_Auth) |
|
1338 |
|
1339 |
|
1340 text{*A checks authenticity of B by theorem @{text B_authenticity}*} |
|
1341 |
|
1342 lemma Says_K6: |
|
1343 "[| Crypt ServKey (Number Ta) \<in> parts (spies evs); |
|
1344 Says Tgs A (Crypt AuthKey {|Key ServKey, Agent B, Number Tt, |
|
1345 ServTicket|}) \<in> set evs; |
|
1346 Key ServKey \<notin> analz (spies evs); |
|
1347 A \<notin> bad; B \<notin> bad; evs \<in> kerberos |] |
|
1348 ==> Says B A (Crypt ServKey (Number Ta)) \<in> set evs" |
|
1349 apply (erule rev_mp) |
|
1350 apply (erule rev_mp) |
|
1351 apply (erule rev_mp) |
|
1352 apply (erule kerberos.induct, analz_mono_contra) |
|
1353 apply (frule_tac [5] Says_ticket_in_parts_spies) |
|
1354 apply (frule_tac [7] Says_ticket_in_parts_spies) |
|
1355 apply (simp_all (no_asm_simp)) |
|
1356 apply blast |
|
1357 apply (force dest!: Crypt_imp_keysFor, clarify) |
|
1358 apply (frule Says_Tgs_message_form, assumption, clarify) (*PROOF FAILED if omitted*) |
|
1359 apply (blast dest: unique_CryptKey) |
|
1360 done |
|
1361 |
|
1362 lemma K4_trustworthy: |
|
1363 "[| Crypt AuthKey {|Key ServKey, Agent B, T, ServTicket|} |
|
1364 \<in> parts (spies evs); |
|
1365 Key AuthKey \<notin> analz (spies evs); AuthKey \<notin> range shrK; |
|
1366 evs \<in> kerberos |] |
|
1367 ==> \<exists>A. Says Tgs A (Crypt AuthKey {|Key ServKey, Agent B, T, ServTicket|}) |
|
1368 \<in> set evs" |
|
1369 apply (erule rev_mp) |
|
1370 apply (erule rev_mp) |
|
1371 apply (erule kerberos.induct, analz_mono_contra) |
|
1372 apply (frule_tac [7] K5_msg_in_parts_spies) |
|
1373 apply (frule_tac [5] K3_msg_in_parts_spies, simp_all) |
|
1374 apply (blast+) |
|
1375 done |
|
1376 |
|
1377 lemma B_Authenticity: |
|
1378 "[| Crypt ServKey (Number Ta) \<in> parts (spies evs); |
|
1379 Crypt AuthKey {|Key ServKey, Agent B, Number Tt, ServTicket|} |
|
1380 \<in> parts (spies evs); |
|
1381 Crypt (shrK A) {|Key AuthKey, Agent Tgs, Number Tk, AuthTicket|} |
|
1382 \<in> parts (spies evs); |
|
1383 ~ ExpirAuth Tk evs; ~ ExpirServ Tt evs; |
|
1384 A \<notin> bad; B \<notin> bad; B \<noteq> Tgs; evs \<in> kerberos |] |
|
1385 ==> Says B A (Crypt ServKey (Number Ta)) \<in> set evs" |
|
1386 apply (frule A_trusts_AuthKey) |
|
1387 apply (frule_tac [3] Says_Kas_message_form) |
1624 apply (frule_tac [3] Says_Kas_message_form) |
1388 apply (frule_tac [4] Confidentiality_Kas) |
1625 apply (frule_tac [4] Confidentiality_Kas) |
1389 apply (frule_tac [7] K4_trustworthy) |
1626 apply (frule_tac [7] servK_authentic) |
1390 prefer 8 apply blast |
1627 prefer 8 apply blast |
1391 apply (erule_tac [9] exE) |
1628 apply (erule_tac [9] exE) |
1392 apply (frule_tac [9] K4_imp_K2) |
1629 apply (frule_tac [9] K4_imp_K2) |
1393 txt{*Yes the proof's a mess, but I don't know how to improve it.*} |
|
1394 apply assumption+ |
1630 apply assumption+ |
1395 apply (blast dest: Key_unique_SesKey intro!: Says_K6 dest: Confidentiality_Tgs1 |
1631 apply (blast dest: Key_unique_SesKey intro!: Says_K6 dest: Confidentiality_Tgs |
1396 ) |
1632 ) |
1397 done |
1633 done |
1398 |
1634 |
1399 |
1635 |
1400 (***3. Parties' knowledge of session keys. A knows a session key if she |
1636 subsection{* Key distribution guarantees |
1401 used it to build a cipher.***) |
1637 An agent knows a session key if he used it to issue a cipher. |
1402 |
1638 These guarantees also convey a stronger form of |
1403 lemma B_Knows_B_Knows_ServKey_lemma: |
1639 authentication - non-injective agreement on the session key*} |
1404 "[| Says B A (Crypt ServKey (Number Ta)) \<in> set evs; |
1640 |
1405 Key ServKey \<notin> analz (spies evs); |
1641 |
1406 A \<notin> bad; B \<notin> bad; B \<noteq> Tgs; evs \<in> kerberos |] |
1642 lemma Kas_Issues_A: |
1407 ==> B Issues A with (Crypt ServKey (Number Ta)) on evs" |
1643 "\<lbrakk> Says Kas A (Crypt (shrK A) \<lbrace>Key authK, Peer, Ta, authTicket\<rbrace>) \<in> set evs; |
|
1644 evs \<in> kerbIV \<rbrakk> |
|
1645 \<Longrightarrow> Kas Issues A with (Crypt (shrK A) \<lbrace>Key authK, Peer, Ta, authTicket\<rbrace>) |
|
1646 on evs" |
1408 apply (simp (no_asm) add: Issues_def) |
1647 apply (simp (no_asm) add: Issues_def) |
1409 apply (rule exI) |
1648 apply (rule exI) |
1410 apply (rule conjI, assumption) |
1649 apply (rule conjI, assumption) |
1411 apply (simp (no_asm)) |
1650 apply (simp (no_asm)) |
1412 apply (erule rev_mp) |
1651 apply (erule rev_mp) |
1413 apply (erule rev_mp) |
1652 apply (erule kerbIV.induct) |
1414 apply (erule kerberos.induct, analz_mono_contra) |
1653 apply (frule_tac [5] Says_ticket_parts) |
1415 apply (frule_tac [5] Says_ticket_in_parts_spies) |
1654 apply (frule_tac [7] Says_ticket_parts) |
1416 apply (frule_tac [7] Says_ticket_in_parts_spies) |
|
1417 apply (simp_all (no_asm_simp) add: all_conj_distrib) |
1655 apply (simp_all (no_asm_simp) add: all_conj_distrib) |
1418 apply blast |
1656 txt{*K2*} |
1419 txt{*K6 requires numerous lemmas*} |
|
1420 apply (simp add: takeWhile_tail) |
1657 apply (simp add: takeWhile_tail) |
1421 apply (blast dest: B_trusts_ServTicket parts_spies_takeWhile_mono [THEN subsetD] parts_spies_evs_revD2 [THEN subsetD] intro: Says_K6) |
1658 apply (blast dest: authK_authentic parts_spies_takeWhile_mono [THEN subsetD] parts_spies_evs_revD2 [THEN subsetD]) |
1422 done |
1659 done |
1423 (*Key ServKey \<notin> analz (spies evs) could be relaxed by Confidentiality_B |
1660 |
1424 but this is irrelevant because B knows what he knows! *) |
1661 lemma A_authenticates_and_keydist_to_Kas: |
1425 |
1662 "\<lbrakk> Crypt (shrK A) \<lbrace>Key authK, Peer, Ta, authTicket\<rbrace> \<in> parts (spies evs); |
1426 lemma B_Knows_B_Knows_ServKey: |
1663 A \<notin> bad; evs \<in> kerbIV \<rbrakk> |
1427 "[| Says B A (Crypt ServKey (Number Ta)) \<in> set evs; |
1664 \<Longrightarrow> Kas Issues A with (Crypt (shrK A) \<lbrace>Key authK, Peer, Ta, authTicket\<rbrace>) |
1428 Crypt (shrK B) {|Agent A, Agent B, Key ServKey, Number Tt|} |
1665 on evs" |
1429 \<in> parts (spies evs); |
1666 apply (blast dest: authK_authentic Kas_Issues_A) |
1430 Crypt AuthKey {|Key ServKey, Agent B, Number Tt, ServTicket|} |
1667 done |
1431 \<in> parts (spies evs); |
1668 |
1432 Crypt (shrK A) {|Key AuthKey, Agent Tgs, Number Tk, AuthTicket|} |
1669 lemma honest_never_says_newer_timestamp_in_auth: |
1433 \<in> parts (spies evs); |
1670 "\<lbrakk> (CT evs) \<le> T; A \<notin> bad; Number T \<in> parts {X}; evs \<in> kerbIV \<rbrakk> |
1434 ~ ExpirServ Tt evs; ~ ExpirAuth Tk evs; |
1671 \<Longrightarrow> \<forall> B Y. Says A B \<lbrace>Y, X\<rbrace> \<notin> set evs" |
1435 A \<notin> bad; B \<notin> bad; B \<noteq> Tgs; evs \<in> kerberos |] |
1672 apply (erule rev_mp) |
1436 ==> B Issues A with (Crypt ServKey (Number Ta)) on evs" |
1673 apply (erule kerbIV.induct) |
1437 by (blast dest!: Confidentiality_B B_Knows_B_Knows_ServKey_lemma) |
1674 apply (simp_all) |
1438 |
1675 apply force+ |
1439 lemma B_Knows_B_Knows_ServKey_refined: |
1676 done |
1440 "[| Says B A (Crypt ServKey (Number Ta)) \<in> set evs; |
1677 |
1441 Crypt (shrK B) {|Agent A, Agent B, Key ServKey, Number Tt|} |
1678 lemma honest_never_says_current_timestamp_in_auth: |
1442 \<in> parts (spies evs); |
1679 "\<lbrakk> (CT evs) = T; Number T \<in> parts {X}; evs \<in> kerbIV \<rbrakk> |
1443 ~ ExpirServ Tt evs; |
1680 \<Longrightarrow> \<forall> A B Y. A \<notin> bad \<longrightarrow> Says A B \<lbrace>Y, X\<rbrace> \<notin> set evs" |
1444 A \<notin> bad; B \<notin> bad; B \<noteq> Tgs; evs \<in> kerberos |] |
1681 apply (frule eq_imp_le) |
1445 ==> B Issues A with (Crypt ServKey (Number Ta)) on evs" |
1682 apply (blast dest: honest_never_says_newer_timestamp_in_auth) |
1446 by (blast dest!: Confidentiality_B_refined B_Knows_B_Knows_ServKey_lemma) |
1683 done |
1447 |
1684 |
1448 lemma A_Knows_B_Knows_ServKey: |
1685 lemma A_trusts_secure_authenticator: |
1449 "[| Crypt ServKey (Number Ta) \<in> parts (spies evs); |
1686 "\<lbrakk> Crypt K \<lbrace>Agent A, Number T\<rbrace> \<in> parts (spies evs); |
1450 Crypt AuthKey {|Key ServKey, Agent B, Number Tt, ServTicket|} |
1687 Key K \<notin> analz (spies evs); evs \<in> kerbIV \<rbrakk> |
1451 \<in> parts (spies evs); |
1688 \<Longrightarrow> \<exists> B X. Says A Tgs \<lbrace>X, Crypt K \<lbrace>Agent A, Number T\<rbrace>, Agent B\<rbrace> \<in> set evs \<or> |
1452 Crypt (shrK A) {|Key AuthKey, Agent Tgs, Number Tk, AuthTicket|} |
1689 Says A B \<lbrace>X, Crypt K \<lbrace>Agent A, Number T\<rbrace>\<rbrace> \<in> set evs"; |
1453 \<in> parts (spies evs); |
1690 apply (erule rev_mp) |
1454 ~ ExpirAuth Tk evs; ~ ExpirServ Tt evs; |
1691 apply (erule rev_mp) |
1455 A \<notin> bad; B \<notin> bad; B \<noteq> Tgs; evs \<in> kerberos |] |
1692 apply (erule kerbIV.induct, analz_mono_contra) |
1456 ==> B Issues A with (Crypt ServKey (Number Ta)) on evs" |
1693 apply (frule_tac [5] Says_ticket_parts) |
1457 by (blast dest!: B_Authenticity Confidentiality_Serv_A B_Knows_B_Knows_ServKey_lemma) |
1694 apply (frule_tac [7] Says_ticket_parts) |
1458 |
1695 apply (simp_all add: all_conj_distrib) |
1459 lemma K3_imp_K2: |
1696 apply blast+ |
1460 "[| Says A Tgs |
1697 done |
1461 {|AuthTicket, Crypt AuthKey {|Agent A, Number Ta|}, Agent B|} |
1698 |
1462 \<in> set evs; |
1699 lemma A_Issues_Tgs: |
1463 A \<notin> bad; evs \<in> kerberos |] |
1700 "\<lbrakk> Says A Tgs \<lbrace>authTicket, Crypt authK \<lbrace>Agent A, Number T2\<rbrace>, Agent B\<rbrace> |
1464 ==> \<exists>Tk. Says Kas A (Crypt (shrK A) |
1701 \<in> set evs; |
1465 {|Key AuthKey, Agent Tgs, Tk, AuthTicket|}) |
1702 Key authK \<notin> analz (spies evs); |
1466 \<in> set evs" |
1703 A \<notin> bad; evs \<in> kerbIV \<rbrakk> |
1467 apply (erule rev_mp) |
1704 \<Longrightarrow> A Issues Tgs with (Crypt authK \<lbrace>Agent A, Number T2\<rbrace>) on evs" |
1468 apply (erule kerberos.induct) |
|
1469 apply (frule_tac [7] K5_msg_in_parts_spies) |
|
1470 apply (frule_tac [5] K3_msg_in_parts_spies, simp_all, blast, blast) |
|
1471 apply (blast dest: Says_imp_spies [THEN parts.Inj, THEN A_trusts_AuthKey]) |
|
1472 done |
|
1473 |
|
1474 lemma K4_trustworthy': |
|
1475 "[| Crypt AuthKey {|Key ServKey, Agent B, Number Tt, ServTicket|} |
|
1476 \<in> parts (spies evs); |
|
1477 Says Kas A (Crypt (shrK A) |
|
1478 {|Key AuthKey, Agent Tgs, Tk, AuthTicket|}) |
|
1479 \<in> set evs; |
|
1480 Key AuthKey \<notin> analz (spies evs); |
|
1481 B \<noteq> Tgs; A \<notin> bad; B \<notin> bad; evs \<in> kerberos |] |
|
1482 ==> Says Tgs A (Crypt AuthKey |
|
1483 {|Key ServKey, Agent B, Number Tt, ServTicket|}) |
|
1484 \<in> set evs" |
|
1485 apply (erule rev_mp) |
|
1486 apply (erule rev_mp) |
|
1487 apply (erule rev_mp) |
|
1488 apply (erule kerberos.induct, analz_mono_contra) |
|
1489 apply (frule_tac [7] K5_msg_in_parts_spies) |
|
1490 apply (frule_tac [5] K3_msg_in_parts_spies, simp_all, blast) |
|
1491 apply (force dest!: Crypt_imp_keysFor) |
|
1492 apply (blast dest: Says_imp_spies [THEN parts.Inj, THEN parts.Fst, THEN A_trusts_AuthTicket] unique_AuthKeys) |
|
1493 done |
|
1494 |
|
1495 lemma A_Knows_A_Knows_ServKey_lemma: |
|
1496 "[| Says A B {|ServTicket, Crypt ServKey {|Agent A, Number Ta|}|} |
|
1497 \<in> set evs; |
|
1498 Key ServKey \<notin> analz (spies evs); |
|
1499 B \<noteq> Tgs; A \<notin> bad; B \<notin> bad; evs \<in> kerberos |] |
|
1500 ==> A Issues B with (Crypt ServKey {|Agent A, Number Ta|}) on evs" |
|
1501 apply (simp (no_asm) add: Issues_def) |
1705 apply (simp (no_asm) add: Issues_def) |
1502 apply (rule exI) |
1706 apply (rule exI) |
1503 apply (rule conjI, assumption) |
1707 apply (rule conjI, assumption) |
1504 apply (simp (no_asm)) |
1708 apply (simp (no_asm)) |
1505 apply (erule rev_mp) |
1709 apply (erule rev_mp) |
1506 apply (erule rev_mp) |
1710 apply (erule rev_mp) |
1507 apply (erule kerberos.induct, analz_mono_contra) |
1711 apply (erule kerbIV.induct, analz_mono_contra) |
1508 apply (frule_tac [5] Says_ticket_in_parts_spies) |
1712 apply (frule_tac [5] Says_ticket_parts) |
1509 apply (frule_tac [7] Says_ticket_in_parts_spies) |
1713 apply (frule_tac [7] Says_ticket_parts) |
|
1714 apply (simp_all (no_asm_simp) add: all_conj_distrib) |
|
1715 txt{*fake*} |
|
1716 apply blast |
|
1717 txt{*K3*} |
|
1718 (* |
|
1719 apply clarify |
|
1720 apply (drule Says_imp_knows_Spy [THEN parts.Inj, THEN authK_authentic, THEN Says_Kas_message_form], assumption, assumption, assumption) |
|
1721 *) |
|
1722 apply (simp add: takeWhile_tail) |
|
1723 apply auto |
|
1724 apply (force dest!: authK_authentic Says_Kas_message_form) |
|
1725 apply (drule parts_spies_takeWhile_mono [THEN subsetD, THEN parts_spies_evs_revD2 [THEN subsetD]]) |
|
1726 apply (drule A_trusts_secure_authenticator, assumption, assumption) |
|
1727 apply (simp add: honest_never_says_current_timestamp_in_auth) |
|
1728 done |
|
1729 |
|
1730 lemma Tgs_authenticates_and_keydist_to_A: |
|
1731 "\<lbrakk> Crypt authK \<lbrace>Agent A, Number T2\<rbrace> \<in> parts (spies evs); |
|
1732 Crypt (shrK Tgs) \<lbrace>Agent A, Agent Tgs, Key authK, Number Ta\<rbrace> |
|
1733 \<in> parts (spies evs); |
|
1734 Key authK \<notin> analz (spies evs); |
|
1735 A \<notin> bad; evs \<in> kerbIV \<rbrakk> |
|
1736 \<Longrightarrow> A Issues Tgs with (Crypt authK \<lbrace>Agent A, Number T2\<rbrace>) on evs" |
|
1737 apply (blast dest: A_Issues_Tgs Tgs_authenticates_A) |
|
1738 done |
|
1739 |
|
1740 lemma Tgs_Issues_A: |
|
1741 "\<lbrakk> Says Tgs A (Crypt authK \<lbrace>Key servK, Agent B, Number Ts, servTicket \<rbrace>) |
|
1742 \<in> set evs; |
|
1743 Key authK \<notin> analz (spies evs); evs \<in> kerbIV \<rbrakk> |
|
1744 \<Longrightarrow> Tgs Issues A with |
|
1745 (Crypt authK \<lbrace>Key servK, Agent B, Number Ts, servTicket \<rbrace>) on evs" |
|
1746 apply (simp (no_asm) add: Issues_def) |
|
1747 apply (rule exI) |
|
1748 apply (rule conjI, assumption) |
|
1749 apply (simp (no_asm)) |
|
1750 apply (erule rev_mp) |
|
1751 apply (erule rev_mp) |
|
1752 apply (erule kerbIV.induct, analz_mono_contra) |
|
1753 apply (frule_tac [5] Says_ticket_parts) |
|
1754 apply (frule_tac [7] Says_ticket_parts) |
|
1755 apply (simp_all (no_asm_simp) add: all_conj_distrib) |
|
1756 txt{*K4*} |
|
1757 apply (simp add: takeWhile_tail) |
|
1758 (*Last two thms installed only to derive authK \<notin> range shrK*) |
|
1759 apply (blast dest: servK_authentic parts_spies_takeWhile_mono [THEN subsetD] parts_spies_evs_revD2 [THEN subsetD] authTicket_authentic Says_Kas_message_form) |
|
1760 done |
|
1761 |
|
1762 lemma A_authenticates_and_keydist_to_Tgs: |
|
1763 "\<lbrakk>Crypt authK \<lbrace>Key servK, Agent B, Number Ts, servTicket\<rbrace> \<in> parts (spies evs); |
|
1764 Key authK \<notin> analz (spies evs); B \<noteq> Tgs; evs \<in> kerbIV \<rbrakk> |
|
1765 \<Longrightarrow> \<exists>A. Tgs Issues A with |
|
1766 (Crypt authK \<lbrace>Key servK, Agent B, Number Ts, servTicket \<rbrace>) on evs" |
|
1767 apply (blast dest: Tgs_Issues_A servK_authentic_bis) |
|
1768 done |
|
1769 |
|
1770 |
|
1771 |
|
1772 lemma B_Issues_A: |
|
1773 "\<lbrakk> Says B A (Crypt servK (Number T3)) \<in> set evs; |
|
1774 Key servK \<notin> analz (spies evs); |
|
1775 A \<notin> bad; B \<notin> bad; B \<noteq> Tgs; evs \<in> kerbIV \<rbrakk> |
|
1776 \<Longrightarrow> B Issues A with (Crypt servK (Number T3)) on evs" |
|
1777 apply (simp (no_asm) add: Issues_def) |
|
1778 apply (rule exI) |
|
1779 apply (rule conjI, assumption) |
|
1780 apply (simp (no_asm)) |
|
1781 apply (erule rev_mp) |
|
1782 apply (erule rev_mp) |
|
1783 apply (erule kerbIV.induct, analz_mono_contra) |
|
1784 apply (frule_tac [5] Says_ticket_parts) |
|
1785 apply (frule_tac [7] Says_ticket_parts) |
|
1786 apply (simp_all (no_asm_simp) add: all_conj_distrib) |
|
1787 apply blast |
|
1788 txt{*K6 requires numerous lemmas*} |
|
1789 apply (simp add: takeWhile_tail) |
|
1790 apply (blast dest: servTicket_authentic parts_spies_takeWhile_mono [THEN subsetD] parts_spies_evs_revD2 [THEN subsetD] intro: Says_K6) |
|
1791 done |
|
1792 |
|
1793 lemma B_Issues_A_r: |
|
1794 "\<lbrakk> Says B A (Crypt servK (Number T3)) \<in> set evs; |
|
1795 Crypt (shrK B) \<lbrace>Agent A, Agent B, Key servK, Number Ts\<rbrace> |
|
1796 \<in> parts (spies evs); |
|
1797 Crypt authK \<lbrace>Key servK, Agent B, Number Ts, servTicket\<rbrace> |
|
1798 \<in> parts (spies evs); |
|
1799 Crypt (shrK A) \<lbrace>Key authK, Agent Tgs, Number Ta, authTicket\<rbrace> |
|
1800 \<in> parts (spies evs); |
|
1801 \<not> expiredSK Ts evs; \<not> expiredAK Ta evs; |
|
1802 A \<notin> bad; B \<notin> bad; B \<noteq> Tgs; evs \<in> kerbIV \<rbrakk> |
|
1803 \<Longrightarrow> B Issues A with (Crypt servK (Number T3)) on evs" |
|
1804 apply (blast dest!: Confidentiality_B B_Issues_A) |
|
1805 done |
|
1806 |
|
1807 lemma u_B_Issues_A_r: |
|
1808 "\<lbrakk> Says B A (Crypt servK (Number T3)) \<in> set evs; |
|
1809 Crypt (shrK B) \<lbrace>Agent A, Agent B, Key servK, Number Ts\<rbrace> |
|
1810 \<in> parts (spies evs); |
|
1811 \<not> expiredSK Ts evs; |
|
1812 A \<notin> bad; B \<notin> bad; B \<noteq> Tgs; evs \<in> kerbIV \<rbrakk> |
|
1813 \<Longrightarrow> B Issues A with (Crypt servK (Number T3)) on evs" |
|
1814 apply (blast dest!: u_Confidentiality_B B_Issues_A) |
|
1815 done |
|
1816 |
|
1817 lemma A_authenticates_and_keydist_to_B: |
|
1818 "\<lbrakk> Crypt servK (Number T3) \<in> parts (spies evs); |
|
1819 Crypt authK \<lbrace>Key servK, Agent B, Number Ts, servTicket\<rbrace> |
|
1820 \<in> parts (spies evs); |
|
1821 Crypt (shrK A) \<lbrace>Key authK, Agent Tgs, Number Ta, authTicket\<rbrace> |
|
1822 \<in> parts (spies evs); |
|
1823 Key authK \<notin> analz (spies evs); Key servK \<notin> analz (spies evs); |
|
1824 A \<notin> bad; B \<notin> bad; B \<noteq> Tgs; evs \<in> kerbIV \<rbrakk> |
|
1825 \<Longrightarrow> B Issues A with (Crypt servK (Number T3)) on evs" |
|
1826 apply (blast dest!: A_authenticates_B B_Issues_A) |
|
1827 done |
|
1828 |
|
1829 lemma A_authenticates_and_keydist_to_B_r: |
|
1830 "\<lbrakk> Crypt servK (Number T3) \<in> parts (spies evs); |
|
1831 Crypt authK \<lbrace>Key servK, Agent B, Number Ts, servTicket\<rbrace> |
|
1832 \<in> parts (spies evs); |
|
1833 Crypt (shrK A) \<lbrace>Key authK, Agent Tgs, Number Ta, authTicket\<rbrace> |
|
1834 \<in> parts (spies evs); |
|
1835 \<not> expiredAK Ta evs; \<not> expiredSK Ts evs; |
|
1836 A \<notin> bad; B \<notin> bad; B \<noteq> Tgs; evs \<in> kerbIV \<rbrakk> |
|
1837 \<Longrightarrow> B Issues A with (Crypt servK (Number T3)) on evs" |
|
1838 apply (blast dest!: A_authenticates_B_r Confidentiality_Serv_A B_Issues_A) |
|
1839 done |
|
1840 |
|
1841 |
|
1842 lemma A_Issues_B: |
|
1843 "\<lbrakk> Says A B \<lbrace>servTicket, Crypt servK \<lbrace>Agent A, Number T3\<rbrace>\<rbrace> |
|
1844 \<in> set evs; |
|
1845 Key servK \<notin> analz (spies evs); |
|
1846 B \<noteq> Tgs; A \<notin> bad; B \<notin> bad; evs \<in> kerbIV \<rbrakk> |
|
1847 \<Longrightarrow> A Issues B with (Crypt servK \<lbrace>Agent A, Number T3\<rbrace>) on evs" |
|
1848 apply (simp (no_asm) add: Issues_def) |
|
1849 apply (rule exI) |
|
1850 apply (rule conjI, assumption) |
|
1851 apply (simp (no_asm)) |
|
1852 apply (erule rev_mp) |
|
1853 apply (erule rev_mp) |
|
1854 apply (erule kerbIV.induct, analz_mono_contra) |
|
1855 apply (frule_tac [5] Says_ticket_parts) |
|
1856 apply (frule_tac [7] Says_ticket_parts) |
1510 apply (simp_all (no_asm_simp)) |
1857 apply (simp_all (no_asm_simp)) |
1511 apply clarify |
1858 apply clarify |
1512 txt{*K5*} |
1859 txt{*K5*} |
1513 apply auto |
1860 apply auto |
1514 apply (simp add: takeWhile_tail) |
1861 apply (simp add: takeWhile_tail) |
1515 txt{*Level 15: case study necessary because the assumption doesn't state |
1862 txt{*Level 15: case study necessary because the assumption doesn't state |
1516 the form of ServTicket. The guarantee becomes stronger.*} |
1863 the form of servTicket. The guarantee becomes stronger.*} |
1517 apply (blast dest: Says_imp_spies [THEN analz.Inj, THEN analz_Decrypt'] |
1864 apply (blast dest: Says_imp_spies [THEN analz.Inj, THEN analz_Decrypt'] |
1518 K3_imp_K2 K4_trustworthy' |
1865 K3_imp_K2 servK_authentic_ter |
1519 parts_spies_takeWhile_mono [THEN subsetD] |
1866 parts_spies_takeWhile_mono [THEN subsetD] |
1520 parts_spies_evs_revD2 [THEN subsetD] |
1867 parts_spies_evs_revD2 [THEN subsetD] |
1521 intro: Says_Auth) |
1868 intro: Says_K5) |
1522 apply (simp add: takeWhile_tail) |
1869 apply (simp add: takeWhile_tail) |
1523 done |
1870 done |
1524 |
1871 |
1525 lemma A_Knows_A_Knows_ServKey: |
1872 lemma A_Issues_B_r: |
1526 "[| Says A B {|ServTicket, Crypt ServKey {|Agent A, Number Ta|}|} |
1873 "\<lbrakk> Says A B \<lbrace>servTicket, Crypt servK \<lbrace>Agent A, Number T3\<rbrace>\<rbrace> |
1527 \<in> set evs; |
1874 \<in> set evs; |
1528 Crypt (shrK A) {|Key AuthKey, Agent Tgs, Number Tk, AuthTicket|} |
1875 Crypt (shrK A) \<lbrace>Key authK, Agent Tgs, Number Ta, authTicket\<rbrace> |
1529 \<in> parts (spies evs); |
1876 \<in> parts (spies evs); |
1530 Crypt AuthKey {|Key ServKey, Agent B, Number Tt, ServTicket|} |
1877 Crypt authK \<lbrace>Key servK, Agent B, Number Ts, servTicket\<rbrace> |
1531 \<in> parts (spies evs); |
1878 \<in> parts (spies evs); |
1532 ~ ExpirAuth Tk evs; ~ ExpirServ Tt evs; |
1879 \<not> expiredAK Ta evs; \<not> expiredSK Ts evs; |
1533 B \<noteq> Tgs; A \<notin> bad; B \<notin> bad; evs \<in> kerberos |] |
1880 B \<noteq> Tgs; A \<notin> bad; B \<notin> bad; evs \<in> kerbIV \<rbrakk> |
1534 ==> A Issues B with (Crypt ServKey {|Agent A, Number Ta|}) on evs" |
1881 \<Longrightarrow> A Issues B with (Crypt servK \<lbrace>Agent A, Number T3\<rbrace>) on evs" |
1535 by (blast dest!: Confidentiality_Serv_A A_Knows_A_Knows_ServKey_lemma) |
1882 apply (blast dest!: Confidentiality_Serv_A A_Issues_B) |
1536 |
1883 done |
1537 lemma B_Knows_A_Knows_ServKey: |
1884 |
1538 "[| Crypt ServKey {|Agent A, Number Ta|} \<in> parts (spies evs); |
1885 lemma B_authenticates_and_keydist_to_A: |
1539 Crypt (shrK B) {|Agent A, Agent B, Key ServKey, Number Tt|} |
1886 "\<lbrakk> Crypt servK \<lbrace>Agent A, Number T3\<rbrace> \<in> parts (spies evs); |
1540 \<in> parts (spies evs); |
1887 Crypt (shrK B) \<lbrace>Agent A, Agent B, Key servK, Number Ts\<rbrace> |
1541 Crypt AuthKey {|Key ServKey, Agent B, Number Tt, ServTicket|} |
1888 \<in> parts (spies evs); |
1542 \<in> parts (spies evs); |
1889 Key servK \<notin> analz (spies evs); |
1543 Crypt (shrK A) {|Key AuthKey, Agent Tgs, Number Tk, AuthTicket|} |
1890 B \<noteq> Tgs; A \<notin> bad; B \<notin> bad; evs \<in> kerbIV \<rbrakk> |
1544 \<in> parts (spies evs); |
1891 \<Longrightarrow> A Issues B with (Crypt servK \<lbrace>Agent A, Number T3\<rbrace>) on evs" |
1545 ~ ExpirServ Tt evs; ~ ExpirAuth Tk evs; |
1892 apply (blast dest: B_authenticates_A A_Issues_B) |
1546 B \<noteq> Tgs; A \<notin> bad; B \<notin> bad; evs \<in> kerberos |] |
1893 done |
1547 ==> A Issues B with (Crypt ServKey {|Agent A, Number Ta|}) on evs" |
1894 |
1548 by (blast dest: A_Authenticity Confidentiality_B A_Knows_A_Knows_ServKey_lemma) |
1895 lemma B_authenticates_and_keydist_to_A_r: |
1549 |
1896 "\<lbrakk> Crypt servK \<lbrace>Agent A, Number T3\<rbrace> \<in> parts (spies evs); |
1550 |
1897 Crypt (shrK B) \<lbrace>Agent A, Agent B, Key servK, Number Ts\<rbrace> |
1551 lemma B_Knows_A_Knows_ServKey_refined: |
1898 \<in> parts (spies evs); |
1552 "[| Crypt ServKey {|Agent A, Number Ta|} \<in> parts (spies evs); |
1899 Crypt authK \<lbrace>Key servK, Agent B, Number Ts, servTicket\<rbrace> |
1553 Crypt (shrK B) {|Agent A, Agent B, Key ServKey, Number Tt|} |
1900 \<in> parts (spies evs); |
1554 \<in> parts (spies evs); |
1901 Crypt (shrK A) \<lbrace>Key authK, Agent Tgs, Number Ta, authTicket\<rbrace> |
1555 ~ ExpirServ Tt evs; |
1902 \<in> parts (spies evs); |
1556 B \<noteq> Tgs; A \<notin> bad; B \<notin> bad; evs \<in> kerberos |] |
1903 \<not> expiredSK Ts evs; \<not> expiredAK Ta evs; |
1557 ==> A Issues B with (Crypt ServKey {|Agent A, Number Ta|}) on evs" |
1904 B \<noteq> Tgs; A \<notin> bad; B \<notin> bad; evs \<in> kerbIV \<rbrakk> |
1558 by (blast dest: A_Authenticity_refined Confidentiality_B_refined A_Knows_A_Knows_ServKey_lemma) |
1905 \<Longrightarrow> A Issues B with (Crypt servK \<lbrace>Agent A, Number T3\<rbrace>) on evs" |
|
1906 apply (blast dest: B_authenticates_A Confidentiality_B A_Issues_B) |
|
1907 done |
|
1908 |
|
1909 text{* @{text u_B_authenticates_and_keydist_to_A} would be the same as @{text B_authenticates_and_keydist_to_A} because the |
|
1910 servK confidentiality assumption is yet unrelaxed*} |
|
1911 |
|
1912 lemma u_B_authenticates_and_keydist_to_A_r: |
|
1913 "\<lbrakk> Crypt servK \<lbrace>Agent A, Number T3\<rbrace> \<in> parts (spies evs); |
|
1914 Crypt (shrK B) \<lbrace>Agent A, Agent B, Key servK, Number Ts\<rbrace> |
|
1915 \<in> parts (spies evs); |
|
1916 \<not> expiredSK Ts evs; |
|
1917 B \<noteq> Tgs; A \<notin> bad; B \<notin> bad; evs \<in> kerbIV \<rbrakk> |
|
1918 \<Longrightarrow> A Issues B with (Crypt servK \<lbrace>Agent A, Number T3\<rbrace>) on evs" |
|
1919 apply (blast dest: u_B_authenticates_A_r u_Confidentiality_B A_Issues_B) |
|
1920 done |
|
1921 |
|
1922 |
|
1923 |
1559 |
1924 |
1560 end |
1925 end |