17 This file illustrates the consequences of such errors. We can still prove |
17 This file illustrates the consequences of such errors. We can still prove |
18 impressive-looking properties such as @{text Spy_not_see_encrypted_key}, yet |
18 impressive-looking properties such as @{text Spy_not_see_encrypted_key}, yet |
19 the protocol is open to a middleperson attack. Attempting to prove some key |
19 the protocol is open to a middleperson attack. Attempting to prove some key |
20 lemmas indicates the possibility of this attack.*} |
20 lemmas indicates the possibility of this attack.*} |
21 |
21 |
22 consts otway :: "event list set" |
22 inductive_set otway :: "event list set" |
23 inductive "otway" |
23 where |
24 intros |
|
25 Nil: --{*The empty trace*} |
24 Nil: --{*The empty trace*} |
26 "[] \<in> otway" |
25 "[] \<in> otway" |
27 |
26 |
28 Fake: --{*The Spy may say anything he can say. The sender field is correct, |
27 | Fake: --{*The Spy may say anything he can say. The sender field is correct, |
29 but agents don't use that information.*} |
28 but agents don't use that information.*} |
30 "[| evsf \<in> otway; X \<in> synth (analz (knows Spy evsf)) |] |
29 "[| evsf \<in> otway; X \<in> synth (analz (knows Spy evsf)) |] |
31 ==> Says Spy B X # evsf \<in> otway" |
30 ==> Says Spy B X # evsf \<in> otway" |
32 |
31 |
33 |
32 |
34 Reception: --{*A message that has been sent can be received by the |
33 | Reception: --{*A message that has been sent can be received by the |
35 intended recipient.*} |
34 intended recipient.*} |
36 "[| evsr \<in> otway; Says A B X \<in>set evsr |] |
35 "[| evsr \<in> otway; Says A B X \<in>set evsr |] |
37 ==> Gets B X # evsr \<in> otway" |
36 ==> Gets B X # evsr \<in> otway" |
38 |
37 |
39 OR1: --{*Alice initiates a protocol run*} |
38 | OR1: --{*Alice initiates a protocol run*} |
40 "[| evs1 \<in> otway; Nonce NA \<notin> used evs1 |] |
39 "[| evs1 \<in> otway; Nonce NA \<notin> used evs1 |] |
41 ==> Says A B {|Nonce NA, Agent A, Agent B, |
40 ==> Says A B {|Nonce NA, Agent A, Agent B, |
42 Crypt (shrK A) {|Nonce NA, Agent A, Agent B|} |} |
41 Crypt (shrK A) {|Nonce NA, Agent A, Agent B|} |} |
43 # evs1 \<in> otway" |
42 # evs1 \<in> otway" |
44 |
43 |
45 OR2: --{*Bob's response to Alice's message. |
44 | OR2: --{*Bob's response to Alice's message. |
46 This variant of the protocol does NOT encrypt NB.*} |
45 This variant of the protocol does NOT encrypt NB.*} |
47 "[| evs2 \<in> otway; Nonce NB \<notin> used evs2; |
46 "[| evs2 \<in> otway; Nonce NB \<notin> used evs2; |
48 Gets B {|Nonce NA, Agent A, Agent B, X|} \<in> set evs2 |] |
47 Gets B {|Nonce NA, Agent A, Agent B, X|} \<in> set evs2 |] |
49 ==> Says B Server |
48 ==> Says B Server |
50 {|Nonce NA, Agent A, Agent B, X, Nonce NB, |
49 {|Nonce NA, Agent A, Agent B, X, Nonce NB, |
51 Crypt (shrK B) {|Nonce NA, Agent A, Agent B|}|} |
50 Crypt (shrK B) {|Nonce NA, Agent A, Agent B|}|} |
52 # evs2 \<in> otway" |
51 # evs2 \<in> otway" |
53 |
52 |
54 OR3: --{*The Server receives Bob's message and checks that the three NAs |
53 | OR3: --{*The Server receives Bob's message and checks that the three NAs |
55 match. Then he sends a new session key to Bob with a packet for |
54 match. Then he sends a new session key to Bob with a packet for |
56 forwarding to Alice.*} |
55 forwarding to Alice.*} |
57 "[| evs3 \<in> otway; Key KAB \<notin> used evs3; |
56 "[| evs3 \<in> otway; Key KAB \<notin> used evs3; |
58 Gets Server |
57 Gets Server |
59 {|Nonce NA, Agent A, Agent B, |
58 {|Nonce NA, Agent A, Agent B, |
65 {|Nonce NA, |
64 {|Nonce NA, |
66 Crypt (shrK A) {|Nonce NA, Key KAB|}, |
65 Crypt (shrK A) {|Nonce NA, Key KAB|}, |
67 Crypt (shrK B) {|Nonce NB, Key KAB|}|} |
66 Crypt (shrK B) {|Nonce NB, Key KAB|}|} |
68 # evs3 \<in> otway" |
67 # evs3 \<in> otway" |
69 |
68 |
70 OR4: --{*Bob receives the Server's (?) message and compares the Nonces with |
69 | OR4: --{*Bob receives the Server's (?) message and compares the Nonces with |
71 those in the message he previously sent the Server. |
70 those in the message he previously sent the Server. |
72 Need @{term "B \<noteq> Server"} because we allow messages to self.*} |
71 Need @{term "B \<noteq> Server"} because we allow messages to self.*} |
73 "[| evs4 \<in> otway; B \<noteq> Server; |
72 "[| evs4 \<in> otway; B \<noteq> Server; |
74 Says B Server {|Nonce NA, Agent A, Agent B, X', Nonce NB, |
73 Says B Server {|Nonce NA, Agent A, Agent B, X', Nonce NB, |
75 Crypt (shrK B) {|Nonce NA, Agent A, Agent B|}|} |
74 Crypt (shrK B) {|Nonce NA, Agent A, Agent B|}|} |
76 \<in> set evs4; |
75 \<in> set evs4; |
77 Gets B {|Nonce NA, X, Crypt (shrK B) {|Nonce NB, Key K|}|} |
76 Gets B {|Nonce NA, X, Crypt (shrK B) {|Nonce NB, Key K|}|} |
78 \<in> set evs4 |] |
77 \<in> set evs4 |] |
79 ==> Says B A {|Nonce NA, X|} # evs4 \<in> otway" |
78 ==> Says B A {|Nonce NA, X|} # evs4 \<in> otway" |
80 |
79 |
81 Oops: --{*This message models possible leaks of session keys. The nonces |
80 | Oops: --{*This message models possible leaks of session keys. The nonces |
82 identify the protocol run.*} |
81 identify the protocol run.*} |
83 "[| evso \<in> otway; |
82 "[| evso \<in> otway; |
84 Says Server B {|Nonce NA, X, Crypt (shrK B) {|Nonce NB, Key K|}|} |
83 Says Server B {|Nonce NA, X, Crypt (shrK B) {|Nonce NB, Key K|}|} |
85 \<in> set evso |] |
84 \<in> set evso |] |
86 ==> Notes Spy {|Nonce NA, Nonce NB, Key K|} # evso \<in> otway" |
85 ==> Notes Spy {|Nonce NA, Nonce NB, Key K|} # evso \<in> otway" |