18 section\<open>Agents and Messages\<close> |
18 section\<open>Agents and Messages\<close> |
19 |
19 |
20 text \<open> |
20 text \<open> |
21 All protocol specifications refer to a syntactic theory of messages. |
21 All protocol specifications refer to a syntactic theory of messages. |
22 Datatype |
22 Datatype |
23 @{text agent} introduces the constant @{text Server} (a trusted central |
23 \<open>agent\<close> introduces the constant \<open>Server\<close> (a trusted central |
24 machine, needed for some protocols), an infinite population of |
24 machine, needed for some protocols), an infinite population of |
25 friendly agents, and the~@{text Spy}: |
25 friendly agents, and the~\<open>Spy\<close>: |
26 \<close> |
26 \<close> |
27 |
27 |
28 datatype agent = Server | Friend nat | Spy |
28 datatype agent = Server | Friend nat | Spy |
29 |
29 |
30 text \<open> |
30 text \<open> |
31 Keys are just natural numbers. Function @{text invKey} maps a public key to |
31 Keys are just natural numbers. Function \<open>invKey\<close> maps a public key to |
32 the matching private key, and vice versa: |
32 the matching private key, and vice versa: |
33 \<close> |
33 \<close> |
34 |
34 |
35 type_synonym key = nat |
35 type_synonym key = nat |
36 consts invKey :: "key \<Rightarrow> key" |
36 consts invKey :: "key \<Rightarrow> key" |
50 "symKeys == {K. invKey K = K}" |
50 "symKeys == {K. invKey K = K}" |
51 (*>*) |
51 (*>*) |
52 |
52 |
53 text \<open> |
53 text \<open> |
54 Datatype |
54 Datatype |
55 @{text msg} introduces the message forms, which include agent names, nonces, |
55 \<open>msg\<close> introduces the message forms, which include agent names, nonces, |
56 keys, compound messages, and encryptions. |
56 keys, compound messages, and encryptions. |
57 \<close> |
57 \<close> |
58 |
58 |
59 datatype |
59 datatype |
60 msg = Agent agent |
60 msg = Agent agent |
177 by (blast dest: parts.Fst parts.Snd) |
177 by (blast dest: parts.Fst parts.Snd) |
178 |
178 |
179 declare MPair_parts [elim!] parts.Body [dest!] |
179 declare MPair_parts [elim!] parts.Body [dest!] |
180 text\<open>NB These two rules are UNSAFE in the formal sense, as they discard the |
180 text\<open>NB These two rules are UNSAFE in the formal sense, as they discard the |
181 compound message. They work well on THIS FILE. |
181 compound message. They work well on THIS FILE. |
182 @{text MPair_parts} is left as SAFE because it speeds up proofs. |
182 \<open>MPair_parts\<close> is left as SAFE because it speeds up proofs. |
183 The Crypt rule is normally kept UNSAFE to avoid breaking up certificates.\<close> |
183 The Crypt rule is normally kept UNSAFE to avoid breaking up certificates.\<close> |
184 |
184 |
185 lemma parts_increasing: "H \<subseteq> parts(H)" |
185 lemma parts_increasing: "H \<subseteq> parts(H)" |
186 by blast |
186 by blast |
187 |
187 |
239 |
239 |
240 text\<open>Added to simplify arguments to parts, analz and synth. |
240 text\<open>Added to simplify arguments to parts, analz and synth. |
241 NOTE: the UN versions are no longer used!\<close> |
241 NOTE: the UN versions are no longer used!\<close> |
242 |
242 |
243 |
243 |
244 text\<open>This allows @{text blast} to simplify occurrences of |
244 text\<open>This allows \<open>blast\<close> to simplify occurrences of |
245 @{term "parts(G\<union>H)"} in the assumption.\<close> |
245 @{term "parts(G\<union>H)"} in the assumption.\<close> |
246 lemmas in_parts_UnE = parts_Un [THEN equalityD1, THEN subsetD, THEN UnE] |
246 lemmas in_parts_UnE = parts_Un [THEN equalityD1, THEN subsetD, THEN UnE] |
247 declare in_parts_UnE [elim!] |
247 declare in_parts_UnE [elim!] |
248 |
248 |
249 |
249 |
342 a malicious user who does not have to follow the protocol. He |
342 a malicious user who does not have to follow the protocol. He |
343 watches the network and uses any keys he knows to decrypt messages. |
343 watches the network and uses any keys he knows to decrypt messages. |
344 Thus he accumulates additional keys and nonces. These he can use to |
344 Thus he accumulates additional keys and nonces. These he can use to |
345 compose new messages, which he may send to anybody. |
345 compose new messages, which he may send to anybody. |
346 |
346 |
347 Two functions enable us to formalize this behaviour: @{text analz} and |
347 Two functions enable us to formalize this behaviour: \<open>analz\<close> and |
348 @{text synth}. Each function maps a sets of messages to another set of |
348 \<open>synth\<close>. Each function maps a sets of messages to another set of |
349 messages. The set @{text "analz H"} formalizes what the adversary can learn |
349 messages. The set \<open>analz H\<close> formalizes what the adversary can learn |
350 from the set of messages~$H$. The closure properties of this set are |
350 from the set of messages~$H$. The closure properties of this set are |
351 defined inductively. |
351 defined inductively. |
352 \<close> |
352 \<close> |
353 |
353 |
354 inductive_set |
354 inductive_set |
481 analz (insert (Crypt K X) H) = |
481 analz (insert (Crypt K X) H) = |
482 insert (Crypt K X) (analz (insert X H))" |
482 insert (Crypt K X) (analz (insert X H))" |
483 by (intro equalityI lemma1 lemma2) |
483 by (intro equalityI lemma1 lemma2) |
484 |
484 |
485 text\<open>Case analysis: either the message is secure, or it is not! Effective, |
485 text\<open>Case analysis: either the message is secure, or it is not! Effective, |
486 but can cause subgoals to blow up! Use with @{text "if_split"}; apparently |
486 but can cause subgoals to blow up! Use with \<open>if_split\<close>; apparently |
487 @{text "split_tac"} does not cope with patterns such as @{term"analz (insert |
487 \<open>split_tac\<close> does not cope with patterns such as @{term"analz (insert |
488 (Crypt K X) H)"}\<close> |
488 (Crypt K X) H)"}\<close> |
489 lemma analz_Crypt_if [simp]: |
489 lemma analz_Crypt_if [simp]: |
490 "analz (insert (Crypt K X) H) = |
490 "analz (insert (Crypt K X) H) = |
491 (if (Key (invKey K) \<in> analz H) |
491 (if (Key (invKey K) \<in> analz H) |
492 then insert (Crypt K X) (analz (insert X H)) |
492 then insert (Crypt K X) (analz (insert X H)) |
575 |
575 |
576 lemma analz_UN_analz [simp]: "analz (\<Union>i\<in>A. analz (H i)) = analz (\<Union>i\<in>A. H i)" |
576 lemma analz_UN_analz [simp]: "analz (\<Union>i\<in>A. analz (H i)) = analz (\<Union>i\<in>A. H i)" |
577 by (blast intro: analz_UN_analz_lemma analz_mono [THEN [2] rev_subsetD]) |
577 by (blast intro: analz_UN_analz_lemma analz_mono [THEN [2] rev_subsetD]) |
578 (*>*) |
578 (*>*) |
579 text \<open> |
579 text \<open> |
580 Note the @{text Decrypt} rule: the spy can decrypt a |
580 Note the \<open>Decrypt\<close> rule: the spy can decrypt a |
581 message encrypted with key~$K$ if he has the matching key,~$K^{-1}$. |
581 message encrypted with key~$K$ if he has the matching key,~$K^{-1}$. |
582 Properties proved by rule induction include the following: |
582 Properties proved by rule induction include the following: |
583 @{named_thms [display,indent=0] analz_mono [no_vars] (analz_mono) analz_idem [no_vars] (analz_idem)} |
583 @{named_thms [display,indent=0] analz_mono [no_vars] (analz_mono) analz_idem [no_vars] (analz_idem)} |
584 |
584 |
585 The set of fake messages that an intruder could invent |
585 The set of fake messages that an intruder could invent |
586 starting from~@{text H} is @{text "synth(analz H)"}, where @{text "synth H"} |
586 starting from~\<open>H\<close> is \<open>synth(analz H)\<close>, where \<open>synth H\<close> |
587 formalizes what the adversary can build from the set of messages~$H$. |
587 formalizes what the adversary can build from the set of messages~$H$. |
588 \<close> |
588 \<close> |
589 |
589 |
590 inductive_set |
590 inductive_set |
591 synth :: "msg set \<Rightarrow> msg set" |
591 synth :: "msg set \<Rightarrow> msg set" |
622 The set includes all agent names. Nonces and keys are assumed to be |
622 The set includes all agent names. Nonces and keys are assumed to be |
623 unguessable, so none are included beyond those already in~$H$. Two |
623 unguessable, so none are included beyond those already in~$H$. Two |
624 elements of @{term "synth H"} can be combined, and an element can be encrypted |
624 elements of @{term "synth H"} can be combined, and an element can be encrypted |
625 using a key present in~$H$. |
625 using a key present in~$H$. |
626 |
626 |
627 Like @{text analz}, this set operator is monotone and idempotent. It also |
627 Like \<open>analz\<close>, this set operator is monotone and idempotent. It also |
628 satisfies an interesting equation involving @{text analz}: |
628 satisfies an interesting equation involving \<open>analz\<close>: |
629 @{named_thms [display,indent=0] analz_synth [no_vars] (analz_synth)} |
629 @{named_thms [display,indent=0] analz_synth [no_vars] (analz_synth)} |
630 Rule inversion plays a major role in reasoning about @{text synth}, through |
630 Rule inversion plays a major role in reasoning about \<open>synth\<close>, through |
631 declarations such as this one: |
631 declarations such as this one: |
632 \<close> |
632 \<close> |
633 |
633 |
634 inductive_cases Nonce_synth [elim!]: "Nonce n \<in> synth H" |
634 inductive_cases Nonce_synth [elim!]: "Nonce n \<in> synth H" |
635 |
635 |
637 \noindent |
637 \noindent |
638 The resulting elimination rule replaces every assumption of the form |
638 The resulting elimination rule replaces every assumption of the form |
639 @{term "Nonce n \<in> synth H"} by @{term "Nonce n \<in> H"}, |
639 @{term "Nonce n \<in> synth H"} by @{term "Nonce n \<in> H"}, |
640 expressing that a nonce cannot be guessed. |
640 expressing that a nonce cannot be guessed. |
641 |
641 |
642 A third operator, @{text parts}, is useful for stating correctness |
642 A third operator, \<open>parts\<close>, is useful for stating correctness |
643 properties. The set |
643 properties. The set |
644 @{term "parts H"} consists of the components of elements of~$H$. This set |
644 @{term "parts H"} consists of the components of elements of~$H$. This set |
645 includes~@{text H} and is closed under the projections from a compound |
645 includes~\<open>H\<close> and is closed under the projections from a compound |
646 message to its immediate parts. |
646 message to its immediate parts. |
647 Its definition resembles that of @{text analz} except in the rule |
647 Its definition resembles that of \<open>analz\<close> except in the rule |
648 corresponding to the constructor @{text Crypt}: |
648 corresponding to the constructor \<open>Crypt\<close>: |
649 @{thm [display,indent=5] parts.Body [no_vars]} |
649 @{thm [display,indent=5] parts.Body [no_vars]} |
650 The body of an encrypted message is always regarded as part of it. We can |
650 The body of an encrypted message is always regarded as part of it. We can |
651 use @{text parts} to express general well-formedness properties of a protocol, |
651 use \<open>parts\<close> to express general well-formedness properties of a protocol, |
652 for example, that an uncompromised agent's private key will never be |
652 for example, that an uncompromised agent's private key will never be |
653 included as a component of any message. |
653 included as a component of any message. |
654 \<close> |
654 \<close> |
655 (*<*) |
655 (*<*) |
656 lemma synth_increasing: "H \<subseteq> synth(H)" |
656 lemma synth_increasing: "H \<subseteq> synth(H)" |
778 text\<open>We do NOT want Crypt... messages broken up in protocols!!\<close> |
778 text\<open>We do NOT want Crypt... messages broken up in protocols!!\<close> |
779 declare parts.Body [rule del] |
779 declare parts.Body [rule del] |
780 |
780 |
781 |
781 |
782 text\<open>Rewrites to push in Key and Crypt messages, so that other messages can |
782 text\<open>Rewrites to push in Key and Crypt messages, so that other messages can |
783 be pulled out using the @{text analz_insert} rules\<close> |
783 be pulled out using the \<open>analz_insert\<close> rules\<close> |
784 |
784 |
785 lemmas pushKeys = |
785 lemmas pushKeys = |
786 insert_commute [of "Key K" "Agent C"] |
786 insert_commute [of "Key K" "Agent C"] |
787 insert_commute [of "Key K" "Nonce N"] |
787 insert_commute [of "Key K" "Nonce N"] |
788 insert_commute [of "Key K" "MPair X Y"] |
788 insert_commute [of "Key K" "MPair X Y"] |
794 insert_commute [of "Crypt X K" "Agent C"] |
794 insert_commute [of "Crypt X K" "Agent C"] |
795 insert_commute [of "Crypt X K" "Nonce N"] |
795 insert_commute [of "Crypt X K" "Nonce N"] |
796 insert_commute [of "Crypt X K" "MPair X' Y"] |
796 insert_commute [of "Crypt X K" "MPair X' Y"] |
797 for X K C N X' Y |
797 for X K C N X' Y |
798 |
798 |
799 text\<open>Cannot be added with @{text "[simp]"} -- messages should not always be |
799 text\<open>Cannot be added with \<open>[simp]\<close> -- messages should not always be |
800 re-ordered.\<close> |
800 re-ordered.\<close> |
801 lemmas pushes = pushKeys pushCrypts |
801 lemmas pushes = pushKeys pushCrypts |
802 |
802 |
803 |
803 |
804 subsection\<open>Tactics useful for many protocol proofs\<close> |
804 subsection\<open>Tactics useful for many protocol proofs\<close> |
854 simp_tac ctxt 1, |
854 simp_tac ctxt 1, |
855 REPEAT (FIRSTGOAL (resolve_tac ctxt [allI,impI,notI,conjI,iffI])), |
855 REPEAT (FIRSTGOAL (resolve_tac ctxt [allI,impI,notI,conjI,iffI])), |
856 DEPTH_SOLVE (atomic_spy_analz_tac ctxt 1)]) i); |
856 DEPTH_SOLVE (atomic_spy_analz_tac ctxt 1)]) i); |
857 \<close> |
857 \<close> |
858 |
858 |
859 text\<open>By default only @{text o_apply} is built-in. But in the presence of |
859 text\<open>By default only \<open>o_apply\<close> is built-in. But in the presence of |
860 eta-expansion this means that some terms displayed as @{term "f o g"} will be |
860 eta-expansion this means that some terms displayed as @{term "f o g"} will be |
861 rewritten, and others will not!\<close> |
861 rewritten, and others will not!\<close> |
862 declare o_def [simp] |
862 declare o_def [simp] |
863 |
863 |
864 |
864 |
877 apply (rule equalityI) |
877 apply (rule equalityI) |
878 apply (simp add: ) |
878 apply (simp add: ) |
879 apply (rule synth_analz_mono, blast) |
879 apply (rule synth_analz_mono, blast) |
880 done |
880 done |
881 |
881 |
882 text\<open>Two generalizations of @{text analz_insert_eq}\<close> |
882 text\<open>Two generalizations of \<open>analz_insert_eq\<close>\<close> |
883 lemma gen_analz_insert_eq [rule_format]: |
883 lemma gen_analz_insert_eq [rule_format]: |
884 "X \<in> analz H \<Longrightarrow> \<forall>G. H \<subseteq> G \<longrightarrow> analz (insert X G) = analz G" |
884 "X \<in> analz H \<Longrightarrow> \<forall>G. H \<subseteq> G \<longrightarrow> analz (insert X G) = analz G" |
885 by (blast intro: analz_cut analz_insertI analz_mono [THEN [2] rev_subsetD]) |
885 by (blast intro: analz_cut analz_insertI analz_mono [THEN [2] rev_subsetD]) |
886 |
886 |
887 lemma synth_analz_insert_eq [rule_format]: |
887 lemma synth_analz_insert_eq [rule_format]: |