27 use the protocol*} |
27 use the protocol*} |
28 "broken == bad - {Spy}" |
28 "broken == bad - {Spy}" |
29 |
29 |
30 declare broken_def [simp] |
30 declare broken_def [simp] |
31 |
31 |
32 consts zg :: "event list set" |
32 inductive_set zg :: "event list set" |
33 |
33 where |
34 inductive zg |
|
35 intros |
|
36 |
34 |
37 Nil: "[] \<in> zg" |
35 Nil: "[] \<in> zg" |
38 |
36 |
39 Fake: "[| evsf \<in> zg; X \<in> synth (analz (spies evsf)) |] |
37 | Fake: "[| evsf \<in> zg; X \<in> synth (analz (spies evsf)) |] |
40 ==> Says Spy B X # evsf \<in> zg" |
38 ==> Says Spy B X # evsf \<in> zg" |
41 |
39 |
42 Reception: "[| evsr \<in> zg; Says A B X \<in> set evsr |] ==> Gets B X # evsr \<in> zg" |
40 | Reception: "[| evsr \<in> zg; Says A B X \<in> set evsr |] ==> Gets B X # evsr \<in> zg" |
43 |
41 |
44 (*L is fresh for honest agents. |
42 (*L is fresh for honest agents. |
45 We don't require K to be fresh because we don't bother to prove secrecy! |
43 We don't require K to be fresh because we don't bother to prove secrecy! |
46 We just assume that the protocol's objective is to deliver K fairly, |
44 We just assume that the protocol's objective is to deliver K fairly, |
47 rather than to keep M secret.*) |
45 rather than to keep M secret.*) |
48 ZG1: "[| evs1 \<in> zg; Nonce L \<notin> used evs1; C = Crypt K (Number m); |
46 | ZG1: "[| evs1 \<in> zg; Nonce L \<notin> used evs1; C = Crypt K (Number m); |
49 K \<in> symKeys; |
47 K \<in> symKeys; |
50 NRO = Crypt (priK A) {|Number f_nro, Agent B, Nonce L, C|}|] |
48 NRO = Crypt (priK A) {|Number f_nro, Agent B, Nonce L, C|}|] |
51 ==> Says A B {|Number f_nro, Agent B, Nonce L, C, NRO|} # evs1 \<in> zg" |
49 ==> Says A B {|Number f_nro, Agent B, Nonce L, C, NRO|} # evs1 \<in> zg" |
52 |
50 |
53 (*B must check that NRO is A's signature to learn the sender's name*) |
51 (*B must check that NRO is A's signature to learn the sender's name*) |
54 ZG2: "[| evs2 \<in> zg; |
52 | ZG2: "[| evs2 \<in> zg; |
55 Gets B {|Number f_nro, Agent B, Nonce L, C, NRO|} \<in> set evs2; |
53 Gets B {|Number f_nro, Agent B, Nonce L, C, NRO|} \<in> set evs2; |
56 NRO = Crypt (priK A) {|Number f_nro, Agent B, Nonce L, C|}; |
54 NRO = Crypt (priK A) {|Number f_nro, Agent B, Nonce L, C|}; |
57 NRR = Crypt (priK B) {|Number f_nrr, Agent A, Nonce L, C|}|] |
55 NRR = Crypt (priK B) {|Number f_nrr, Agent A, Nonce L, C|}|] |
58 ==> Says B A {|Number f_nrr, Agent A, Nonce L, NRR|} # evs2 \<in> zg" |
56 ==> Says B A {|Number f_nrr, Agent A, Nonce L, NRR|} # evs2 \<in> zg" |
59 |
57 |
60 (*A must check that NRR is B's signature to learn the sender's name; |
58 (*A must check that NRR is B's signature to learn the sender's name; |
61 without spy, the matching label would be enough*) |
59 without spy, the matching label would be enough*) |
62 ZG3: "[| evs3 \<in> zg; C = Crypt K M; K \<in> symKeys; |
60 | ZG3: "[| evs3 \<in> zg; C = Crypt K M; K \<in> symKeys; |
63 Says A B {|Number f_nro, Agent B, Nonce L, C, NRO|} \<in> set evs3; |
61 Says A B {|Number f_nro, Agent B, Nonce L, C, NRO|} \<in> set evs3; |
64 Gets A {|Number f_nrr, Agent A, Nonce L, NRR|} \<in> set evs3; |
62 Gets A {|Number f_nrr, Agent A, Nonce L, NRR|} \<in> set evs3; |
65 NRR = Crypt (priK B) {|Number f_nrr, Agent A, Nonce L, C|}; |
63 NRR = Crypt (priK B) {|Number f_nrr, Agent A, Nonce L, C|}; |
66 sub_K = Crypt (priK A) {|Number f_sub, Agent B, Nonce L, Key K|}|] |
64 sub_K = Crypt (priK A) {|Number f_sub, Agent B, Nonce L, Key K|}|] |
67 ==> Says A TTP {|Number f_sub, Agent B, Nonce L, Key K, sub_K|} |
65 ==> Says A TTP {|Number f_sub, Agent B, Nonce L, Key K, sub_K|} |
71 gives credentials to A and B. The Notes event models the availability of |
69 gives credentials to A and B. The Notes event models the availability of |
72 the credentials, but the act of fetching them is not modelled. We also |
70 the credentials, but the act of fetching them is not modelled. We also |
73 give con_K to the Spy. This makes the threat model more dangerous, while |
71 give con_K to the Spy. This makes the threat model more dangerous, while |
74 also allowing lemma @{text Crypt_used_imp_spies} to omit the condition |
72 also allowing lemma @{text Crypt_used_imp_spies} to omit the condition |
75 @{term "K \<noteq> priK TTP"}. *) |
73 @{term "K \<noteq> priK TTP"}. *) |
76 ZG4: "[| evs4 \<in> zg; K \<in> symKeys; |
74 | ZG4: "[| evs4 \<in> zg; K \<in> symKeys; |
77 Gets TTP {|Number f_sub, Agent B, Nonce L, Key K, sub_K|} |
75 Gets TTP {|Number f_sub, Agent B, Nonce L, Key K, sub_K|} |
78 \<in> set evs4; |
76 \<in> set evs4; |
79 sub_K = Crypt (priK A) {|Number f_sub, Agent B, Nonce L, Key K|}; |
77 sub_K = Crypt (priK A) {|Number f_sub, Agent B, Nonce L, Key K|}; |
80 con_K = Crypt (priK TTP) {|Number f_con, Agent A, Agent B, |
78 con_K = Crypt (priK TTP) {|Number f_con, Agent A, Agent B, |
81 Nonce L, Key K|}|] |
79 Nonce L, Key K|}|] |