40 Unique :: "[event, event list] => bool" ("Unique _ on _") |
40 Unique :: "[event, event list] => bool" ("Unique _ on _") |
41 "Unique ev on evs == |
41 "Unique ev on evs == |
42 ev \<notin> set (tl (dropWhile (% z. z \<noteq> ev) evs))" |
42 ev \<notin> set (tl (dropWhile (% z. z \<noteq> ev) evs))" |
43 |
43 |
44 |
44 |
45 consts srb :: "event list set" |
45 inductive_set srb :: "event list set" |
46 inductive "srb" |
46 where |
47 intros |
|
48 |
47 |
49 Nil: "[]\<in> srb" |
48 Nil: "[]\<in> srb" |
50 |
49 |
51 |
50 |
52 |
51 |
53 Fake: "\<lbrakk> evsF \<in> srb; X \<in> synth (analz (knows Spy evsF)); |
52 | Fake: "\<lbrakk> evsF \<in> srb; X \<in> synth (analz (knows Spy evsF)); |
54 illegalUse(Card B) \<rbrakk> |
53 illegalUse(Card B) \<rbrakk> |
55 \<Longrightarrow> Says Spy A X # |
54 \<Longrightarrow> Says Spy A X # |
56 Inputs Spy (Card B) X # evsF \<in> srb" |
55 Inputs Spy (Card B) X # evsF \<in> srb" |
57 |
56 |
58 (*In general this rule causes the assumption Card B \<notin> cloned |
57 (*In general this rule causes the assumption Card B \<notin> cloned |
59 in most guarantees for B - starting with confidentiality - |
58 in most guarantees for B - starting with confidentiality - |
60 otherwise pairK_confidential could not apply*) |
59 otherwise pairK_confidential could not apply*) |
61 Forge: |
60 | Forge: |
62 "\<lbrakk> evsFo \<in> srb; Nonce Nb \<in> analz (knows Spy evsFo); |
61 "\<lbrakk> evsFo \<in> srb; Nonce Nb \<in> analz (knows Spy evsFo); |
63 Key (pairK(A,B)) \<in> knows Spy evsFo \<rbrakk> |
62 Key (pairK(A,B)) \<in> knows Spy evsFo \<rbrakk> |
64 \<Longrightarrow> Notes Spy (Key (sesK(Nb,pairK(A,B)))) # evsFo \<in> srb" |
63 \<Longrightarrow> Notes Spy (Key (sesK(Nb,pairK(A,B)))) # evsFo \<in> srb" |
65 |
64 |
66 |
65 |
67 |
66 |
68 Reception: "\<lbrakk> evsrb\<in> srb; Says A B X \<in> set evsrb \<rbrakk> |
67 | Reception: "\<lbrakk> evsrb\<in> srb; Says A B X \<in> set evsrb \<rbrakk> |
69 \<Longrightarrow> Gets B X # evsrb \<in> srb" |
68 \<Longrightarrow> Gets B X # evsrb \<in> srb" |
70 |
69 |
71 |
70 |
72 |
71 |
73 (*A AND THE SERVER*) |
72 (*A AND THE SERVER*) |
74 SR_U1: "\<lbrakk> evs1 \<in> srb; A \<noteq> Server \<rbrakk> |
73 | SR_U1: "\<lbrakk> evs1 \<in> srb; A \<noteq> Server \<rbrakk> |
75 \<Longrightarrow> Says A Server \<lbrace>Agent A, Agent B\<rbrace> |
74 \<Longrightarrow> Says A Server \<lbrace>Agent A, Agent B\<rbrace> |
76 # evs1 \<in> srb" |
75 # evs1 \<in> srb" |
77 |
76 |
78 SR_U2: "\<lbrakk> evs2 \<in> srb; |
77 | SR_U2: "\<lbrakk> evs2 \<in> srb; |
79 Gets Server \<lbrace>Agent A, Agent B\<rbrace> \<in> set evs2 \<rbrakk> |
78 Gets Server \<lbrace>Agent A, Agent B\<rbrace> \<in> set evs2 \<rbrakk> |
80 \<Longrightarrow> Says Server A \<lbrace>Nonce (Pairkey(A,B)), |
79 \<Longrightarrow> Says Server A \<lbrace>Nonce (Pairkey(A,B)), |
81 Crypt (shrK A) \<lbrace>Nonce (Pairkey(A,B)), Agent B\<rbrace> |
80 Crypt (shrK A) \<lbrace>Nonce (Pairkey(A,B)), Agent B\<rbrace> |
82 \<rbrace> |
81 \<rbrace> |
83 # evs2 \<in> srb" |
82 # evs2 \<in> srb" |
86 |
85 |
87 |
86 |
88 (*A AND HER CARD*) |
87 (*A AND HER CARD*) |
89 (*A cannot decrypt the verifier for she dosn't know shrK A, |
88 (*A cannot decrypt the verifier for she dosn't know shrK A, |
90 but the pairkey is recognisable*) |
89 but the pairkey is recognisable*) |
91 SR_U3: "\<lbrakk> evs3 \<in> srb; legalUse(Card A); |
90 | SR_U3: "\<lbrakk> evs3 \<in> srb; legalUse(Card A); |
92 Says A Server \<lbrace>Agent A, Agent B\<rbrace> \<in> set evs3; |
91 Says A Server \<lbrace>Agent A, Agent B\<rbrace> \<in> set evs3; |
93 Gets A \<lbrace>Nonce Pk, Certificate\<rbrace> \<in> set evs3 \<rbrakk> |
92 Gets A \<lbrace>Nonce Pk, Certificate\<rbrace> \<in> set evs3 \<rbrakk> |
94 \<Longrightarrow> Inputs A (Card A) (Agent A) |
93 \<Longrightarrow> Inputs A (Card A) (Agent A) |
95 # evs3 \<in> srb" (*however A only queries her card |
94 # evs3 \<in> srb" (*however A only queries her card |
96 if she has previously contacted the server to initiate with some B. |
95 if she has previously contacted the server to initiate with some B. |
97 Otherwise she would do so even if the Server had not been active. |
96 Otherwise she would do so even if the Server had not been active. |
98 Still, this doesn't and can't mean that the pairkey originated with |
97 Still, this doesn't and can't mean that the pairkey originated with |
99 the server*) |
98 the server*) |
100 |
99 |
101 (*The card outputs the nonce Na to A*) |
100 (*The card outputs the nonce Na to A*) |
102 SR_U4: "\<lbrakk> evs4 \<in> srb; |
101 | SR_U4: "\<lbrakk> evs4 \<in> srb; |
103 Nonce Na \<notin> used evs4; legalUse(Card A); A \<noteq> Server; |
102 Nonce Na \<notin> used evs4; legalUse(Card A); A \<noteq> Server; |
104 Inputs A (Card A) (Agent A) \<in> set evs4 \<rbrakk> |
103 Inputs A (Card A) (Agent A) \<in> set evs4 \<rbrakk> |
105 \<Longrightarrow> Outpts (Card A) A \<lbrace>Nonce Na, Crypt (crdK (Card A)) (Nonce Na)\<rbrace> |
104 \<Longrightarrow> Outpts (Card A) A \<lbrace>Nonce Na, Crypt (crdK (Card A)) (Nonce Na)\<rbrace> |
106 # evs4 \<in> srb" |
105 # evs4 \<in> srb" |
107 |
106 |
108 (*The card can be exploited by the spy*) |
107 (*The card can be exploited by the spy*) |
109 (*because of the assumptions on the card, A is certainly not server nor spy*) |
108 (*because of the assumptions on the card, A is certainly not server nor spy*) |
110 SR_U4Fake: "\<lbrakk> evs4F \<in> srb; Nonce Na \<notin> used evs4F; |
109 | SR_U4Fake: "\<lbrakk> evs4F \<in> srb; Nonce Na \<notin> used evs4F; |
111 illegalUse(Card A); |
110 illegalUse(Card A); |
112 Inputs Spy (Card A) (Agent A) \<in> set evs4F \<rbrakk> |
111 Inputs Spy (Card A) (Agent A) \<in> set evs4F \<rbrakk> |
113 \<Longrightarrow> Outpts (Card A) Spy \<lbrace>Nonce Na, Crypt (crdK (Card A)) (Nonce Na)\<rbrace> |
112 \<Longrightarrow> Outpts (Card A) Spy \<lbrace>Nonce Na, Crypt (crdK (Card A)) (Nonce Na)\<rbrace> |
114 # evs4F \<in> srb" |
113 # evs4F \<in> srb" |
115 |
114 |
116 |
115 |
117 |
116 |
118 |
117 |
119 (*A TOWARDS B*) |
118 (*A TOWARDS B*) |
120 SR_U5: "\<lbrakk> evs5 \<in> srb; |
119 | SR_U5: "\<lbrakk> evs5 \<in> srb; |
121 Outpts (Card A) A \<lbrace>Nonce Na, Certificate\<rbrace> \<in> set evs5; |
120 Outpts (Card A) A \<lbrace>Nonce Na, Certificate\<rbrace> \<in> set evs5; |
122 \<forall> p q. Certificate \<noteq> \<lbrace>p, q\<rbrace> \<rbrakk> |
121 \<forall> p q. Certificate \<noteq> \<lbrace>p, q\<rbrace> \<rbrakk> |
123 \<Longrightarrow> Says A B \<lbrace>Agent A, Nonce Na\<rbrace> # evs5 \<in> srb" |
122 \<Longrightarrow> Says A B \<lbrace>Agent A, Nonce Na\<rbrace> # evs5 \<in> srb" |
124 (*A must check that the verifier is not a compound message, |
123 (*A must check that the verifier is not a compound message, |
125 otherwise this would also fire after SR_U7 *) |
124 otherwise this would also fire after SR_U7 *) |
126 |
125 |
127 |
126 |
128 |
127 |
129 |
128 |
130 (*B AND HIS CARD*) |
129 (*B AND HIS CARD*) |
131 SR_U6: "\<lbrakk> evs6 \<in> srb; legalUse(Card B); |
130 | SR_U6: "\<lbrakk> evs6 \<in> srb; legalUse(Card B); |
132 Gets B \<lbrace>Agent A, Nonce Na\<rbrace> \<in> set evs6 \<rbrakk> |
131 Gets B \<lbrace>Agent A, Nonce Na\<rbrace> \<in> set evs6 \<rbrakk> |
133 \<Longrightarrow> Inputs B (Card B) \<lbrace>Agent A, Nonce Na\<rbrace> |
132 \<Longrightarrow> Inputs B (Card B) \<lbrace>Agent A, Nonce Na\<rbrace> |
134 # evs6 \<in> srb" |
133 # evs6 \<in> srb" |
135 (*B gets back from the card the session key and various verifiers*) |
134 (*B gets back from the card the session key and various verifiers*) |
136 SR_U7: "\<lbrakk> evs7 \<in> srb; |
135 | SR_U7: "\<lbrakk> evs7 \<in> srb; |
137 Nonce Nb \<notin> used evs7; legalUse(Card B); B \<noteq> Server; |
136 Nonce Nb \<notin> used evs7; legalUse(Card B); B \<noteq> Server; |
138 K = sesK(Nb,pairK(A,B)); |
137 K = sesK(Nb,pairK(A,B)); |
139 Key K \<notin> used evs7; |
138 Key K \<notin> used evs7; |
140 Inputs B (Card B) \<lbrace>Agent A, Nonce Na\<rbrace> \<in> set evs7\<rbrakk> |
139 Inputs B (Card B) \<lbrace>Agent A, Nonce Na\<rbrace> \<in> set evs7\<rbrakk> |
141 \<Longrightarrow> Outpts (Card B) B \<lbrace>Nonce Nb, Agent A, Key K, |
140 \<Longrightarrow> Outpts (Card B) B \<lbrace>Nonce Nb, Agent A, Key K, |
142 Crypt (pairK(A,B)) \<lbrace>Nonce Na, Nonce Nb\<rbrace>, |
141 Crypt (pairK(A,B)) \<lbrace>Nonce Na, Nonce Nb\<rbrace>, |
143 Crypt (pairK(A,B)) (Nonce Nb)\<rbrace> |
142 Crypt (pairK(A,B)) (Nonce Nb)\<rbrace> |
144 # evs7 \<in> srb" |
143 # evs7 \<in> srb" |
145 (*The card can be exploited by the spy*) |
144 (*The card can be exploited by the spy*) |
146 (*because of the assumptions on the card, A is certainly not server nor spy*) |
145 (*because of the assumptions on the card, A is certainly not server nor spy*) |
147 SR_U7Fake: "\<lbrakk> evs7F \<in> srb; Nonce Nb \<notin> used evs7F; |
146 | SR_U7Fake: "\<lbrakk> evs7F \<in> srb; Nonce Nb \<notin> used evs7F; |
148 illegalUse(Card B); |
147 illegalUse(Card B); |
149 K = sesK(Nb,pairK(A,B)); |
148 K = sesK(Nb,pairK(A,B)); |
150 Key K \<notin> used evs7F; |
149 Key K \<notin> used evs7F; |
151 Inputs Spy (Card B) \<lbrace>Agent A, Nonce Na\<rbrace> \<in> set evs7F \<rbrakk> |
150 Inputs Spy (Card B) \<lbrace>Agent A, Nonce Na\<rbrace> \<in> set evs7F \<rbrakk> |
152 \<Longrightarrow> Outpts (Card B) Spy \<lbrace>Nonce Nb, Agent A, Key K, |
151 \<Longrightarrow> Outpts (Card B) Spy \<lbrace>Nonce Nb, Agent A, Key K, |
170 |
169 |
171 |
170 |
172 (*A AND HER CARD*) |
171 (*A AND HER CARD*) |
173 (*A cannot check the form of the verifiers - although I can prove the form of |
172 (*A cannot check the form of the verifiers - although I can prove the form of |
174 Cert2 - and just feeds her card with what she's got*) |
173 Cert2 - and just feeds her card with what she's got*) |
175 SR_U9: "\<lbrakk> evs9 \<in> srb; legalUse(Card A); |
174 | SR_U9: "\<lbrakk> evs9 \<in> srb; legalUse(Card A); |
176 Gets A \<lbrace>Nonce Pk, Cert1\<rbrace> \<in> set evs9; |
175 Gets A \<lbrace>Nonce Pk, Cert1\<rbrace> \<in> set evs9; |
177 Outpts (Card A) A \<lbrace>Nonce Na, Cert2\<rbrace> \<in> set evs9; |
176 Outpts (Card A) A \<lbrace>Nonce Na, Cert2\<rbrace> \<in> set evs9; |
178 Gets A \<lbrace>Nonce Nb, Cert3\<rbrace> \<in> set evs9; |
177 Gets A \<lbrace>Nonce Nb, Cert3\<rbrace> \<in> set evs9; |
179 \<forall> p q. Cert2 \<noteq> \<lbrace>p, q\<rbrace> \<rbrakk> |
178 \<forall> p q. Cert2 \<noteq> \<lbrace>p, q\<rbrace> \<rbrakk> |
180 \<Longrightarrow> Inputs A (Card A) |
179 \<Longrightarrow> Inputs A (Card A) |
181 \<lbrace>Agent B, Nonce Na, Nonce Nb, Nonce Pk, |
180 \<lbrace>Agent B, Nonce Na, Nonce Nb, Nonce Pk, |
182 Cert1, Cert3, Cert2\<rbrace> |
181 Cert1, Cert3, Cert2\<rbrace> |
183 # evs9 \<in> srb" |
182 # evs9 \<in> srb" |
184 (*But the card will only give outputs to the inputs of the correct form*) |
183 (*But the card will only give outputs to the inputs of the correct form*) |
185 SR_U10: "\<lbrakk> evs10 \<in> srb; legalUse(Card A); A \<noteq> Server; |
184 | SR_U10: "\<lbrakk> evs10 \<in> srb; legalUse(Card A); A \<noteq> Server; |
186 K = sesK(Nb,pairK(A,B)); |
185 K = sesK(Nb,pairK(A,B)); |
187 Inputs A (Card A) \<lbrace>Agent B, Nonce Na, Nonce Nb, |
186 Inputs A (Card A) \<lbrace>Agent B, Nonce Na, Nonce Nb, |
188 Nonce (Pairkey(A,B)), |
187 Nonce (Pairkey(A,B)), |
189 Crypt (shrK A) \<lbrace>Nonce (Pairkey(A,B)), |
188 Crypt (shrK A) \<lbrace>Nonce (Pairkey(A,B)), |
190 Agent B\<rbrace>, |
189 Agent B\<rbrace>, |
194 \<Longrightarrow> Outpts (Card A) A \<lbrace>Agent B, Nonce Nb, |
193 \<Longrightarrow> Outpts (Card A) A \<lbrace>Agent B, Nonce Nb, |
195 Key K, Crypt (pairK(A,B)) (Nonce Nb)\<rbrace> |
194 Key K, Crypt (pairK(A,B)) (Nonce Nb)\<rbrace> |
196 # evs10 \<in> srb" |
195 # evs10 \<in> srb" |
197 (*The card can be exploited by the spy*) |
196 (*The card can be exploited by the spy*) |
198 (*because of the assumptions on the card, A is certainly not server nor spy*) |
197 (*because of the assumptions on the card, A is certainly not server nor spy*) |
199 SR_U10Fake: "\<lbrakk> evs10F \<in> srb; |
198 | SR_U10Fake: "\<lbrakk> evs10F \<in> srb; |
200 illegalUse(Card A); |
199 illegalUse(Card A); |
201 K = sesK(Nb,pairK(A,B)); |
200 K = sesK(Nb,pairK(A,B)); |
202 Inputs Spy (Card A) \<lbrace>Agent B, Nonce Na, Nonce Nb, |
201 Inputs Spy (Card A) \<lbrace>Agent B, Nonce Na, Nonce Nb, |
203 Nonce (Pairkey(A,B)), |
202 Nonce (Pairkey(A,B)), |
204 Crypt (shrK A) \<lbrace>Nonce (Pairkey(A,B)), |
203 Crypt (shrK A) \<lbrace>Nonce (Pairkey(A,B)), |
214 |
213 |
215 |
214 |
216 (*A TOWARDS B*) |
215 (*A TOWARDS B*) |
217 (*having initiated with B is the only memory A relies on, |
216 (*having initiated with B is the only memory A relies on, |
218 since the output doesn't mention B - lack of explicitness*) |
217 since the output doesn't mention B - lack of explicitness*) |
219 SR_U11: "\<lbrakk> evs11 \<in> srb; |
218 | SR_U11: "\<lbrakk> evs11 \<in> srb; |
220 Says A Server \<lbrace>Agent A, Agent B\<rbrace> \<in> set evs11; |
219 Says A Server \<lbrace>Agent A, Agent B\<rbrace> \<in> set evs11; |
221 Outpts (Card A) A \<lbrace>Agent B, Nonce Nb, Key K, Certificate\<rbrace> |
220 Outpts (Card A) A \<lbrace>Agent B, Nonce Nb, Key K, Certificate\<rbrace> |
222 \<in> set evs11 \<rbrakk> |
221 \<in> set evs11 \<rbrakk> |
223 \<Longrightarrow> Says A B (Certificate) |
222 \<Longrightarrow> Says A B (Certificate) |
224 # evs11 \<in> srb" |
223 # evs11 \<in> srb" |
225 |
224 |
226 |
225 |
227 |
226 |
228 (*Both peers may leak by accident the session keys obtained from their |
227 (*Both peers may leak by accident the session keys obtained from their |
229 cards*) |
228 cards*) |
230 Oops1: |
229 | Oops1: |
231 "\<lbrakk> evsO1 \<in> srb; |
230 "\<lbrakk> evsO1 \<in> srb; |
232 Outpts (Card B) B \<lbrace>Nonce Nb, Agent A, Key K, Cert1, Cert2\<rbrace> |
231 Outpts (Card B) B \<lbrace>Nonce Nb, Agent A, Key K, Cert1, Cert2\<rbrace> |
233 \<in> set evsO1 \<rbrakk> |
232 \<in> set evsO1 \<rbrakk> |
234 \<Longrightarrow> Notes Spy \<lbrace>Key K, Nonce Nb, Agent A, Agent B\<rbrace> # evsO1 \<in> srb" |
233 \<Longrightarrow> Notes Spy \<lbrace>Key K, Nonce Nb, Agent A, Agent B\<rbrace> # evsO1 \<in> srb" |
235 |
234 |
236 Oops2: |
235 | Oops2: |
237 "\<lbrakk> evsO2 \<in> srb; |
236 "\<lbrakk> evsO2 \<in> srb; |
238 Outpts (Card A) A \<lbrace>Agent B, Nonce Nb, Key K, Certificate\<rbrace> |
237 Outpts (Card A) A \<lbrace>Agent B, Nonce Nb, Key K, Certificate\<rbrace> |
239 \<in> set evsO2 \<rbrakk> |
238 \<in> set evsO2 \<rbrakk> |
240 \<Longrightarrow> Notes Spy \<lbrace>Key K, Nonce Nb, Agent A, Agent B\<rbrace> # evsO2 \<in> srb" |
239 \<Longrightarrow> Notes Spy \<lbrace>Key K, Nonce Nb, Agent A, Agent B\<rbrace> # evsO2 \<in> srb" |
241 |
240 |