108 Says Tgs A (Crypt authK |
108 Says Tgs A (Crypt authK |
109 \<lbrace>Key servK, Agent B, Number Ts, |
109 \<lbrace>Key servK, Agent B, Number Ts, |
110 Crypt (shrK B) \<lbrace>Agent A, Agent B, Key servK, Number Ts\<rbrace> \<rbrace>) |
110 Crypt (shrK B) \<lbrace>Agent A, Agent B, Key servK, Number Ts\<rbrace> \<rbrace>) |
111 \<in> set evs" |
111 \<in> set evs" |
112 |
112 |
113 consts |
113 inductive_set kerbIV :: "event list set" |
114 |
114 where |
115 kerbIV :: "event list set" |
|
116 inductive "kerbIV" |
|
117 intros |
|
118 |
115 |
119 Nil: "[] \<in> kerbIV" |
116 Nil: "[] \<in> kerbIV" |
120 |
117 |
121 Fake: "\<lbrakk> evsf \<in> kerbIV; X \<in> synth (analz (spies evsf)) \<rbrakk> |
118 | Fake: "\<lbrakk> evsf \<in> kerbIV; X \<in> synth (analz (spies evsf)) \<rbrakk> |
122 \<Longrightarrow> Says Spy B X # evsf \<in> kerbIV" |
119 \<Longrightarrow> Says Spy B X # evsf \<in> kerbIV" |
123 |
120 |
124 (* FROM the initiator *) |
121 (* FROM the initiator *) |
125 K1: "\<lbrakk> evs1 \<in> kerbIV \<rbrakk> |
122 | K1: "\<lbrakk> evs1 \<in> kerbIV \<rbrakk> |
126 \<Longrightarrow> Says A Kas \<lbrace>Agent A, Agent Tgs, Number (CT evs1)\<rbrace> # evs1 |
123 \<Longrightarrow> Says A Kas \<lbrace>Agent A, Agent Tgs, Number (CT evs1)\<rbrace> # evs1 |
127 \<in> kerbIV" |
124 \<in> kerbIV" |
128 |
125 |
129 (* Adding the timestamp serves to A in K3 to check that |
126 (* Adding the timestamp serves to A in K3 to check that |
130 she doesn't get a reply too late. This kind of timeouts are ordinary. |
127 she doesn't get a reply too late. This kind of timeouts are ordinary. |
131 If a server's reply is late, then it is likely to be fake. *) |
128 If a server's reply is late, then it is likely to be fake. *) |
132 |
129 |
133 (*---------------------------------------------------------------------*) |
130 (*---------------------------------------------------------------------*) |
134 |
131 |
135 (*FROM Kas *) |
132 (*FROM Kas *) |
136 K2: "\<lbrakk> evs2 \<in> kerbIV; Key authK \<notin> used evs2; authK \<in> symKeys; |
133 | K2: "\<lbrakk> evs2 \<in> kerbIV; Key authK \<notin> used evs2; authK \<in> symKeys; |
137 Says A' Kas \<lbrace>Agent A, Agent Tgs, Number T1\<rbrace> \<in> set evs2 \<rbrakk> |
134 Says A' Kas \<lbrace>Agent A, Agent Tgs, Number T1\<rbrace> \<in> set evs2 \<rbrakk> |
138 \<Longrightarrow> Says Kas A |
135 \<Longrightarrow> Says Kas A |
139 (Crypt (shrK A) \<lbrace>Key authK, Agent Tgs, Number (CT evs2), |
136 (Crypt (shrK A) \<lbrace>Key authK, Agent Tgs, Number (CT evs2), |
140 (Crypt (shrK Tgs) \<lbrace>Agent A, Agent Tgs, Key authK, |
137 (Crypt (shrK Tgs) \<lbrace>Agent A, Agent Tgs, Key authK, |
141 Number (CT evs2)\<rbrace>)\<rbrace>) # evs2 \<in> kerbIV" |
138 Number (CT evs2)\<rbrace>)\<rbrace>) # evs2 \<in> kerbIV" |
147 *) |
144 *) |
148 |
145 |
149 (*---------------------------------------------------------------------*) |
146 (*---------------------------------------------------------------------*) |
150 |
147 |
151 (* FROM the initiator *) |
148 (* FROM the initiator *) |
152 K3: "\<lbrakk> evs3 \<in> kerbIV; |
149 | K3: "\<lbrakk> evs3 \<in> kerbIV; |
153 Says A Kas \<lbrace>Agent A, Agent Tgs, Number T1\<rbrace> \<in> set evs3; |
150 Says A Kas \<lbrace>Agent A, Agent Tgs, Number T1\<rbrace> \<in> set evs3; |
154 Says Kas' A (Crypt (shrK A) \<lbrace>Key authK, Agent Tgs, Number Ta, |
151 Says Kas' A (Crypt (shrK A) \<lbrace>Key authK, Agent Tgs, Number Ta, |
155 authTicket\<rbrace>) \<in> set evs3; |
152 authTicket\<rbrace>) \<in> set evs3; |
156 valid Ta wrt T1 |
153 valid Ta wrt T1 |
157 \<rbrakk> |
154 \<rbrakk> |
167 (* Note that the last temporal check is not mentioned in the original MIT |
164 (* Note that the last temporal check is not mentioned in the original MIT |
168 specification. Adding it makes many goals "available" to the peers. |
165 specification. Adding it makes many goals "available" to the peers. |
169 Theorems that exploit it have the suffix `_u', which stands for updated |
166 Theorems that exploit it have the suffix `_u', which stands for updated |
170 protocol. |
167 protocol. |
171 *) |
168 *) |
172 K4: "\<lbrakk> evs4 \<in> kerbIV; Key servK \<notin> used evs4; servK \<in> symKeys; |
169 | K4: "\<lbrakk> evs4 \<in> kerbIV; Key servK \<notin> used evs4; servK \<in> symKeys; |
173 B \<noteq> Tgs; authK \<in> symKeys; |
170 B \<noteq> Tgs; authK \<in> symKeys; |
174 Says A' Tgs \<lbrace> |
171 Says A' Tgs \<lbrace> |
175 (Crypt (shrK Tgs) \<lbrace>Agent A, Agent Tgs, Key authK, |
172 (Crypt (shrK Tgs) \<lbrace>Agent A, Agent Tgs, Key authK, |
176 Number Ta\<rbrace>), |
173 Number Ta\<rbrace>), |
177 (Crypt authK \<lbrace>Agent A, Number T2\<rbrace>), Agent B\<rbrace> |
174 (Crypt authK \<lbrace>Agent A, Number T2\<rbrace>), Agent B\<rbrace> |
211 (* Checks similar to those in K3. *) |
208 (* Checks similar to those in K3. *) |
212 |
209 |
213 (*---------------------------------------------------------------------*) |
210 (*---------------------------------------------------------------------*) |
214 |
211 |
215 (* FROM the responder*) |
212 (* FROM the responder*) |
216 K6: "\<lbrakk> evs6 \<in> kerbIV; |
213 | K6: "\<lbrakk> evs6 \<in> kerbIV; |
217 Says A' B \<lbrace> |
214 Says A' B \<lbrace> |
218 (Crypt (shrK B) \<lbrace>Agent A, Agent B, Key servK, Number Ts\<rbrace>), |
215 (Crypt (shrK B) \<lbrace>Agent A, Agent B, Key servK, Number Ts\<rbrace>), |
219 (Crypt servK \<lbrace>Agent A, Number T3\<rbrace>)\<rbrace> |
216 (Crypt servK \<lbrace>Agent A, Number T3\<rbrace>)\<rbrace> |
220 \<in> set evs6; |
217 \<in> set evs6; |
221 \<not> expiredSK Ts evs6; |
218 \<not> expiredSK Ts evs6; |
226 (* Checks similar to those in K4. *) |
223 (* Checks similar to those in K4. *) |
227 |
224 |
228 (*---------------------------------------------------------------------*) |
225 (*---------------------------------------------------------------------*) |
229 |
226 |
230 (* Leaking an authK... *) |
227 (* Leaking an authK... *) |
231 Oops1: "\<lbrakk> evsO1 \<in> kerbIV; A \<noteq> Spy; |
228 | Oops1: "\<lbrakk> evsO1 \<in> kerbIV; A \<noteq> Spy; |
232 Says Kas A |
229 Says Kas A |
233 (Crypt (shrK A) \<lbrace>Key authK, Agent Tgs, Number Ta, |
230 (Crypt (shrK A) \<lbrace>Key authK, Agent Tgs, Number Ta, |
234 authTicket\<rbrace>) \<in> set evsO1; |
231 authTicket\<rbrace>) \<in> set evsO1; |
235 expiredAK Ta evsO1 \<rbrakk> |
232 expiredAK Ta evsO1 \<rbrakk> |
236 \<Longrightarrow> Says A Spy \<lbrace>Agent A, Agent Tgs, Number Ta, Key authK\<rbrace> |
233 \<Longrightarrow> Says A Spy \<lbrace>Agent A, Agent Tgs, Number Ta, Key authK\<rbrace> |
237 # evsO1 \<in> kerbIV" |
234 # evsO1 \<in> kerbIV" |
238 |
235 |
239 (*---------------------------------------------------------------------*) |
236 (*---------------------------------------------------------------------*) |
240 |
237 |
241 (*Leaking a servK... *) |
238 (*Leaking a servK... *) |
242 Oops2: "\<lbrakk> evsO2 \<in> kerbIV; A \<noteq> Spy; |
239 | Oops2: "\<lbrakk> evsO2 \<in> kerbIV; A \<noteq> Spy; |
243 Says Tgs A |
240 Says Tgs A |
244 (Crypt authK \<lbrace>Key servK, Agent B, Number Ts, servTicket\<rbrace>) |
241 (Crypt authK \<lbrace>Key servK, Agent B, Number Ts, servTicket\<rbrace>) |
245 \<in> set evsO2; |
242 \<in> set evsO2; |
246 expiredSK Ts evsO2 \<rbrakk> |
243 expiredSK Ts evsO2 \<rbrakk> |
247 \<Longrightarrow> Says A Spy \<lbrace>Agent A, Agent B, Number Ts, Key servK\<rbrace> |
244 \<Longrightarrow> Says A Spy \<lbrace>Agent A, Agent B, Number Ts, Key servK\<rbrace> |