65 (KeyCryptNonce DK N evs | |
65 (KeyCryptNonce DK N evs | |
66 (case ev of |
66 (case ev of |
67 Says A B Z => |
67 Says A B Z => |
68 A \<noteq> Spy & |
68 A \<noteq> Spy & |
69 ((\<exists>X Y. DK \<in> symKeys & |
69 ((\<exists>X Y. DK \<in> symKeys & |
70 Z = (EXHcrypt DK X {|Agent A, Nonce N|} Y)) | |
70 Z = (EXHcrypt DK X \<lbrace>Agent A, Nonce N\<rbrace> Y)) | |
71 (\<exists>X Y. DK \<in> symKeys & |
71 (\<exists>X Y. DK \<in> symKeys & |
72 Z = {|Crypt DK {|Agent A, Nonce N, X|}, Y|}) | |
72 Z = \<lbrace>Crypt DK \<lbrace>Agent A, Nonce N, X\<rbrace>, Y\<rbrace>) | |
73 (\<exists>K i X Y. |
73 (\<exists>K i X Y. |
74 K \<in> symKeys & |
74 K \<in> symKeys & |
75 Z = Crypt K {|sign (priSK (CA i)) {|Agent B, Nonce N, X|}, Y|} & |
75 Z = Crypt K \<lbrace>sign (priSK (CA i)) \<lbrace>Agent B, Nonce N, X\<rbrace>, Y\<rbrace> & |
76 (DK=K | KeyCryptKey DK K evs)) | |
76 (DK=K | KeyCryptKey DK K evs)) | |
77 (\<exists>K C NC3 Y. |
77 (\<exists>K C NC3 Y. |
78 K \<in> symKeys & |
78 K \<in> symKeys & |
79 Z = Crypt K |
79 Z = Crypt K |
80 {|sign (priSK C) {|Agent B, Nonce NC3, Agent C, Nonce N|}, |
80 \<lbrace>sign (priSK C) \<lbrace>Agent B, Nonce NC3, Agent C, Nonce N\<rbrace>, |
81 Y|} & |
81 Y\<rbrace> & |
82 (DK=K | KeyCryptKey DK K evs)) | |
82 (DK=K | KeyCryptKey DK K evs)) | |
83 (\<exists>C. DK = priEK C)) |
83 (\<exists>C. DK = priEK C)) |
84 | Gets A' X => False |
84 | Gets A' X => False |
85 | Notes A' X => False))" |
85 | Notes A' X => False))" |
86 |
86 |
102 "[| evsr \<in> set_cr; Says A B X \<in> set evsr |] |
102 "[| evsr \<in> set_cr; Says A B X \<in> set evsr |] |
103 ==> Gets B X # evsr \<in> set_cr" |
103 ==> Gets B X # evsr \<in> set_cr" |
104 |
104 |
105 | SET_CR1: --{*CardCInitReq: C initiates a run, sending a nonce to CCA*} |
105 | SET_CR1: --{*CardCInitReq: C initiates a run, sending a nonce to CCA*} |
106 "[| evs1 \<in> set_cr; C = Cardholder k; Nonce NC1 \<notin> used evs1 |] |
106 "[| evs1 \<in> set_cr; C = Cardholder k; Nonce NC1 \<notin> used evs1 |] |
107 ==> Says C (CA i) {|Agent C, Nonce NC1|} # evs1 \<in> set_cr" |
107 ==> Says C (CA i) \<lbrace>Agent C, Nonce NC1\<rbrace> # evs1 \<in> set_cr" |
108 |
108 |
109 | SET_CR2: --{*CardCInitRes: CA responds sending NC1 and its certificates*} |
109 | SET_CR2: --{*CardCInitRes: CA responds sending NC1 and its certificates*} |
110 "[| evs2 \<in> set_cr; |
110 "[| evs2 \<in> set_cr; |
111 Gets (CA i) {|Agent C, Nonce NC1|} \<in> set evs2 |] |
111 Gets (CA i) \<lbrace>Agent C, Nonce NC1\<rbrace> \<in> set evs2 |] |
112 ==> Says (CA i) C |
112 ==> Says (CA i) C |
113 {|sign (priSK (CA i)) {|Agent C, Nonce NC1|}, |
113 \<lbrace>sign (priSK (CA i)) \<lbrace>Agent C, Nonce NC1\<rbrace>, |
114 cert (CA i) (pubEK (CA i)) onlyEnc (priSK RCA), |
114 cert (CA i) (pubEK (CA i)) onlyEnc (priSK RCA), |
115 cert (CA i) (pubSK (CA i)) onlySig (priSK RCA)|} |
115 cert (CA i) (pubSK (CA i)) onlySig (priSK RCA)\<rbrace> |
116 # evs2 \<in> set_cr" |
116 # evs2 \<in> set_cr" |
117 |
117 |
118 | SET_CR3: |
118 | SET_CR3: |
119 --{*RegFormReq: C sends his PAN and a new nonce to CA. |
119 --{*RegFormReq: C sends his PAN and a new nonce to CA. |
120 C verifies that |
120 C verifies that |
123 - certificates are an encryption certificate (flag is onlyEnc) and a |
123 - certificates are an encryption certificate (flag is onlyEnc) and a |
124 signature certificate (flag is onlySig); |
124 signature certificate (flag is onlySig); |
125 - certificates pertain to the CA that C contacted (this is done by |
125 - certificates pertain to the CA that C contacted (this is done by |
126 checking the signature). |
126 checking the signature). |
127 C generates a fresh symmetric key KC1. |
127 C generates a fresh symmetric key KC1. |
128 The point of encrypting @{term "{|Agent C, Nonce NC2, Hash (Pan(pan C))|}"} |
128 The point of encrypting @{term "\<lbrace>Agent C, Nonce NC2, Hash (Pan(pan C))\<rbrace>"} |
129 is not clear. *} |
129 is not clear. *} |
130 "[| evs3 \<in> set_cr; C = Cardholder k; |
130 "[| evs3 \<in> set_cr; C = Cardholder k; |
131 Nonce NC2 \<notin> used evs3; |
131 Nonce NC2 \<notin> used evs3; |
132 Key KC1 \<notin> used evs3; KC1 \<in> symKeys; |
132 Key KC1 \<notin> used evs3; KC1 \<in> symKeys; |
133 Gets C {|sign (invKey SKi) {|Agent X, Nonce NC1|}, |
133 Gets C \<lbrace>sign (invKey SKi) \<lbrace>Agent X, Nonce NC1\<rbrace>, |
134 cert (CA i) EKi onlyEnc (priSK RCA), |
134 cert (CA i) EKi onlyEnc (priSK RCA), |
135 cert (CA i) SKi onlySig (priSK RCA)|} |
135 cert (CA i) SKi onlySig (priSK RCA)\<rbrace> |
136 \<in> set evs3; |
136 \<in> set evs3; |
137 Says C (CA i) {|Agent C, Nonce NC1|} \<in> set evs3|] |
137 Says C (CA i) \<lbrace>Agent C, Nonce NC1\<rbrace> \<in> set evs3|] |
138 ==> Says C (CA i) (EXHcrypt KC1 EKi {|Agent C, Nonce NC2|} (Pan(pan C))) |
138 ==> Says C (CA i) (EXHcrypt KC1 EKi \<lbrace>Agent C, Nonce NC2\<rbrace> (Pan(pan C))) |
139 # Notes C {|Key KC1, Agent (CA i)|} |
139 # Notes C \<lbrace>Key KC1, Agent (CA i)\<rbrace> |
140 # evs3 \<in> set_cr" |
140 # evs3 \<in> set_cr" |
141 |
141 |
142 | SET_CR4: |
142 | SET_CR4: |
143 --{*RegFormRes: |
143 --{*RegFormRes: |
144 CA responds sending NC2 back with a new nonce NCA, after checking that |
144 CA responds sending NC2 back with a new nonce NCA, after checking that |
145 - the digital envelope is correctly encrypted by @{term "pubEK (CA i)"} |
145 - the digital envelope is correctly encrypted by @{term "pubEK (CA i)"} |
146 - the entire message is encrypted with the same key found inside the |
146 - the entire message is encrypted with the same key found inside the |
147 envelope (here, KC1) *} |
147 envelope (here, KC1) *} |
148 "[| evs4 \<in> set_cr; |
148 "[| evs4 \<in> set_cr; |
149 Nonce NCA \<notin> used evs4; KC1 \<in> symKeys; |
149 Nonce NCA \<notin> used evs4; KC1 \<in> symKeys; |
150 Gets (CA i) (EXHcrypt KC1 EKi {|Agent C, Nonce NC2|} (Pan(pan X))) |
150 Gets (CA i) (EXHcrypt KC1 EKi \<lbrace>Agent C, Nonce NC2\<rbrace> (Pan(pan X))) |
151 \<in> set evs4 |] |
151 \<in> set evs4 |] |
152 ==> Says (CA i) C |
152 ==> Says (CA i) C |
153 {|sign (priSK (CA i)) {|Agent C, Nonce NC2, Nonce NCA|}, |
153 \<lbrace>sign (priSK (CA i)) \<lbrace>Agent C, Nonce NC2, Nonce NCA\<rbrace>, |
154 cert (CA i) (pubEK (CA i)) onlyEnc (priSK RCA), |
154 cert (CA i) (pubEK (CA i)) onlyEnc (priSK RCA), |
155 cert (CA i) (pubSK (CA i)) onlySig (priSK RCA)|} |
155 cert (CA i) (pubSK (CA i)) onlySig (priSK RCA)\<rbrace> |
156 # evs4 \<in> set_cr" |
156 # evs4 \<in> set_cr" |
157 |
157 |
158 | SET_CR5: |
158 | SET_CR5: |
159 --{*CertReq: C sends his PAN, a new nonce, its proposed public signature key |
159 --{*CertReq: C sends his PAN, a new nonce, its proposed public signature key |
160 and its half of the secret value to CA. |
160 and its half of the secret value to CA. |
163 The encryption below is actually EncX.*} |
163 The encryption below is actually EncX.*} |
164 "[| evs5 \<in> set_cr; C = Cardholder k; |
164 "[| evs5 \<in> set_cr; C = Cardholder k; |
165 Nonce NC3 \<notin> used evs5; Nonce CardSecret \<notin> used evs5; NC3\<noteq>CardSecret; |
165 Nonce NC3 \<notin> used evs5; Nonce CardSecret \<notin> used evs5; NC3\<noteq>CardSecret; |
166 Key KC2 \<notin> used evs5; KC2 \<in> symKeys; |
166 Key KC2 \<notin> used evs5; KC2 \<in> symKeys; |
167 Key KC3 \<notin> used evs5; KC3 \<in> symKeys; KC2\<noteq>KC3; |
167 Key KC3 \<notin> used evs5; KC3 \<in> symKeys; KC2\<noteq>KC3; |
168 Gets C {|sign (invKey SKi) {|Agent C, Nonce NC2, Nonce NCA|}, |
168 Gets C \<lbrace>sign (invKey SKi) \<lbrace>Agent C, Nonce NC2, Nonce NCA\<rbrace>, |
169 cert (CA i) EKi onlyEnc (priSK RCA), |
169 cert (CA i) EKi onlyEnc (priSK RCA), |
170 cert (CA i) SKi onlySig (priSK RCA) |} |
170 cert (CA i) SKi onlySig (priSK RCA) \<rbrace> |
171 \<in> set evs5; |
171 \<in> set evs5; |
172 Says C (CA i) (EXHcrypt KC1 EKi {|Agent C, Nonce NC2|} (Pan(pan C))) |
172 Says C (CA i) (EXHcrypt KC1 EKi \<lbrace>Agent C, Nonce NC2\<rbrace> (Pan(pan C))) |
173 \<in> set evs5 |] |
173 \<in> set evs5 |] |
174 ==> Says C (CA i) |
174 ==> Says C (CA i) |
175 {|Crypt KC3 |
175 \<lbrace>Crypt KC3 |
176 {|Agent C, Nonce NC3, Key KC2, Key (pubSK C), |
176 \<lbrace>Agent C, Nonce NC3, Key KC2, Key (pubSK C), |
177 Crypt (priSK C) |
177 Crypt (priSK C) |
178 (Hash {|Agent C, Nonce NC3, Key KC2, |
178 (Hash \<lbrace>Agent C, Nonce NC3, Key KC2, |
179 Key (pubSK C), Pan (pan C), Nonce CardSecret|})|}, |
179 Key (pubSK C), Pan (pan C), Nonce CardSecret\<rbrace>)\<rbrace>, |
180 Crypt EKi {|Key KC3, Pan (pan C), Nonce CardSecret|} |} |
180 Crypt EKi \<lbrace>Key KC3, Pan (pan C), Nonce CardSecret\<rbrace> \<rbrace> |
181 # Notes C {|Key KC2, Agent (CA i)|} |
181 # Notes C \<lbrace>Key KC2, Agent (CA i)\<rbrace> |
182 # Notes C {|Key KC3, Agent (CA i)|} |
182 # Notes C \<lbrace>Key KC3, Agent (CA i)\<rbrace> |
183 # evs5 \<in> set_cr" |
183 # evs5 \<in> set_cr" |
184 |
184 |
185 |
185 |
186 --{* CertRes: CA responds sending NC3 back with its half of the secret value, |
186 --{* CertRes: CA responds sending NC3 back with its half of the secret value, |
187 its signature certificate and the new cardholder signature |
187 its signature certificate and the new cardholder signature |
195 "[| evs6 \<in> set_cr; |
195 "[| evs6 \<in> set_cr; |
196 Nonce NonceCCA \<notin> used evs6; |
196 Nonce NonceCCA \<notin> used evs6; |
197 KC2 \<in> symKeys; KC3 \<in> symKeys; cardSK \<notin> symKeys; |
197 KC2 \<in> symKeys; KC3 \<in> symKeys; cardSK \<notin> symKeys; |
198 Notes (CA i) (Key cardSK) \<notin> set evs6; |
198 Notes (CA i) (Key cardSK) \<notin> set evs6; |
199 Gets (CA i) |
199 Gets (CA i) |
200 {|Crypt KC3 {|Agent C, Nonce NC3, Key KC2, Key cardSK, |
200 \<lbrace>Crypt KC3 \<lbrace>Agent C, Nonce NC3, Key KC2, Key cardSK, |
201 Crypt (invKey cardSK) |
201 Crypt (invKey cardSK) |
202 (Hash {|Agent C, Nonce NC3, Key KC2, |
202 (Hash \<lbrace>Agent C, Nonce NC3, Key KC2, |
203 Key cardSK, Pan (pan C), Nonce CardSecret|})|}, |
203 Key cardSK, Pan (pan C), Nonce CardSecret\<rbrace>)\<rbrace>, |
204 Crypt (pubEK (CA i)) {|Key KC3, Pan (pan C), Nonce CardSecret|} |} |
204 Crypt (pubEK (CA i)) \<lbrace>Key KC3, Pan (pan C), Nonce CardSecret\<rbrace> \<rbrace> |
205 \<in> set evs6 |] |
205 \<in> set evs6 |] |
206 ==> Says (CA i) C |
206 ==> Says (CA i) C |
207 (Crypt KC2 |
207 (Crypt KC2 |
208 {|sign (priSK (CA i)) |
208 \<lbrace>sign (priSK (CA i)) |
209 {|Agent C, Nonce NC3, Agent(CA i), Nonce NonceCCA|}, |
209 \<lbrace>Agent C, Nonce NC3, Agent(CA i), Nonce NonceCCA\<rbrace>, |
210 certC (pan C) cardSK (XOR(CardSecret,NonceCCA)) onlySig (priSK (CA i)), |
210 certC (pan C) cardSK (XOR(CardSecret,NonceCCA)) onlySig (priSK (CA i)), |
211 cert (CA i) (pubSK (CA i)) onlySig (priSK RCA)|}) |
211 cert (CA i) (pubSK (CA i)) onlySig (priSK RCA)\<rbrace>) |
212 # Notes (CA i) (Key cardSK) |
212 # Notes (CA i) (Key cardSK) |
213 # evs6 \<in> set_cr" |
213 # evs6 \<in> set_cr" |
214 |
214 |
215 |
215 |
216 declare Says_imp_knows_Spy [THEN parts.Inj, dest] |
216 declare Says_imp_knows_Spy [THEN parts.Inj, dest] |
385 subsection{*Messages signed by CA*} |
385 subsection{*Messages signed by CA*} |
386 |
386 |
387 text{*Message @{text SET_CR2}: C can check CA's signature if he has received |
387 text{*Message @{text SET_CR2}: C can check CA's signature if he has received |
388 CA's certificate.*} |
388 CA's certificate.*} |
389 lemma CA_Says_2_lemma: |
389 lemma CA_Says_2_lemma: |
390 "[| Crypt (priSK (CA i)) (Hash{|Agent C, Nonce NC1|}) |
390 "[| Crypt (priSK (CA i)) (Hash\<lbrace>Agent C, Nonce NC1\<rbrace>) |
391 \<in> parts (knows Spy evs); |
391 \<in> parts (knows Spy evs); |
392 evs \<in> set_cr; (CA i) \<notin> bad |] |
392 evs \<in> set_cr; (CA i) \<notin> bad |] |
393 ==> \<exists>Y. Says (CA i) C {|sign (priSK (CA i)) {|Agent C, Nonce NC1|}, Y|} |
393 ==> \<exists>Y. Says (CA i) C \<lbrace>sign (priSK (CA i)) \<lbrace>Agent C, Nonce NC1\<rbrace>, Y\<rbrace> |
394 \<in> set evs" |
394 \<in> set evs" |
395 apply (erule rev_mp) |
395 apply (erule rev_mp) |
396 apply (erule set_cr.induct, auto) |
396 apply (erule set_cr.induct, auto) |
397 done |
397 done |
398 |
398 |
399 text{*Ever used?*} |
399 text{*Ever used?*} |
400 lemma CA_Says_2: |
400 lemma CA_Says_2: |
401 "[| Crypt (invKey SK) (Hash{|Agent C, Nonce NC1|}) |
401 "[| Crypt (invKey SK) (Hash\<lbrace>Agent C, Nonce NC1\<rbrace>) |
402 \<in> parts (knows Spy evs); |
402 \<in> parts (knows Spy evs); |
403 cert (CA i) SK onlySig (priSK RCA) \<in> parts (knows Spy evs); |
403 cert (CA i) SK onlySig (priSK RCA) \<in> parts (knows Spy evs); |
404 evs \<in> set_cr; (CA i) \<notin> bad |] |
404 evs \<in> set_cr; (CA i) \<notin> bad |] |
405 ==> \<exists>Y. Says (CA i) C {|sign (priSK (CA i)) {|Agent C, Nonce NC1|}, Y|} |
405 ==> \<exists>Y. Says (CA i) C \<lbrace>sign (priSK (CA i)) \<lbrace>Agent C, Nonce NC1\<rbrace>, Y\<rbrace> |
406 \<in> set evs" |
406 \<in> set evs" |
407 by (blast dest!: certificate_valid_pubSK intro!: CA_Says_2_lemma) |
407 by (blast dest!: certificate_valid_pubSK intro!: CA_Says_2_lemma) |
408 |
408 |
409 |
409 |
410 text{*Message @{text SET_CR4}: C can check CA's signature if he has received |
410 text{*Message @{text SET_CR4}: C can check CA's signature if he has received |
411 CA's certificate.*} |
411 CA's certificate.*} |
412 lemma CA_Says_4_lemma: |
412 lemma CA_Says_4_lemma: |
413 "[| Crypt (priSK (CA i)) (Hash{|Agent C, Nonce NC2, Nonce NCA|}) |
413 "[| Crypt (priSK (CA i)) (Hash\<lbrace>Agent C, Nonce NC2, Nonce NCA\<rbrace>) |
414 \<in> parts (knows Spy evs); |
414 \<in> parts (knows Spy evs); |
415 evs \<in> set_cr; (CA i) \<notin> bad |] |
415 evs \<in> set_cr; (CA i) \<notin> bad |] |
416 ==> \<exists>Y. Says (CA i) C {|sign (priSK (CA i)) |
416 ==> \<exists>Y. Says (CA i) C \<lbrace>sign (priSK (CA i)) |
417 {|Agent C, Nonce NC2, Nonce NCA|}, Y|} \<in> set evs" |
417 \<lbrace>Agent C, Nonce NC2, Nonce NCA\<rbrace>, Y\<rbrace> \<in> set evs" |
418 apply (erule rev_mp) |
418 apply (erule rev_mp) |
419 apply (erule set_cr.induct, auto) |
419 apply (erule set_cr.induct, auto) |
420 done |
420 done |
421 |
421 |
422 text{*NEVER USED*} |
422 text{*NEVER USED*} |
423 lemma CA_Says_4: |
423 lemma CA_Says_4: |
424 "[| Crypt (invKey SK) (Hash{|Agent C, Nonce NC2, Nonce NCA|}) |
424 "[| Crypt (invKey SK) (Hash\<lbrace>Agent C, Nonce NC2, Nonce NCA\<rbrace>) |
425 \<in> parts (knows Spy evs); |
425 \<in> parts (knows Spy evs); |
426 cert (CA i) SK onlySig (priSK RCA) \<in> parts (knows Spy evs); |
426 cert (CA i) SK onlySig (priSK RCA) \<in> parts (knows Spy evs); |
427 evs \<in> set_cr; (CA i) \<notin> bad |] |
427 evs \<in> set_cr; (CA i) \<notin> bad |] |
428 ==> \<exists>Y. Says (CA i) C {|sign (priSK (CA i)) |
428 ==> \<exists>Y. Says (CA i) C \<lbrace>sign (priSK (CA i)) |
429 {|Agent C, Nonce NC2, Nonce NCA|}, Y|} \<in> set evs" |
429 \<lbrace>Agent C, Nonce NC2, Nonce NCA\<rbrace>, Y\<rbrace> \<in> set evs" |
430 by (blast dest!: certificate_valid_pubSK intro!: CA_Says_4_lemma) |
430 by (blast dest!: certificate_valid_pubSK intro!: CA_Says_4_lemma) |
431 |
431 |
432 |
432 |
433 text{*Message @{text SET_CR6}: C can check CA's signature if he has |
433 text{*Message @{text SET_CR6}: C can check CA's signature if he has |
434 received CA's certificate.*} |
434 received CA's certificate.*} |
435 lemma CA_Says_6_lemma: |
435 lemma CA_Says_6_lemma: |
436 "[| Crypt (priSK (CA i)) |
436 "[| Crypt (priSK (CA i)) |
437 (Hash{|Agent C, Nonce NC3, Agent (CA i), Nonce NonceCCA|}) |
437 (Hash\<lbrace>Agent C, Nonce NC3, Agent (CA i), Nonce NonceCCA\<rbrace>) |
438 \<in> parts (knows Spy evs); |
438 \<in> parts (knows Spy evs); |
439 evs \<in> set_cr; (CA i) \<notin> bad |] |
439 evs \<in> set_cr; (CA i) \<notin> bad |] |
440 ==> \<exists>Y K. Says (CA i) C (Crypt K {|sign (priSK (CA i)) |
440 ==> \<exists>Y K. Says (CA i) C (Crypt K \<lbrace>sign (priSK (CA i)) |
441 {|Agent C, Nonce NC3, Agent (CA i), Nonce NonceCCA|}, Y|}) \<in> set evs" |
441 \<lbrace>Agent C, Nonce NC3, Agent (CA i), Nonce NonceCCA\<rbrace>, Y\<rbrace>) \<in> set evs" |
442 apply (erule rev_mp) |
442 apply (erule rev_mp) |
443 apply (erule set_cr.induct, auto) |
443 apply (erule set_cr.induct, auto) |
444 done |
444 done |
445 |
445 |
446 text{*NEVER USED*} |
446 text{*NEVER USED*} |
447 lemma CA_Says_6: |
447 lemma CA_Says_6: |
448 "[| Crypt (invKey SK) (Hash{|Agent C, Nonce NC3, Agent (CA i), Nonce NonceCCA|}) |
448 "[| Crypt (invKey SK) (Hash\<lbrace>Agent C, Nonce NC3, Agent (CA i), Nonce NonceCCA\<rbrace>) |
449 \<in> parts (knows Spy evs); |
449 \<in> parts (knows Spy evs); |
450 cert (CA i) SK onlySig (priSK RCA) \<in> parts (knows Spy evs); |
450 cert (CA i) SK onlySig (priSK RCA) \<in> parts (knows Spy evs); |
451 evs \<in> set_cr; (CA i) \<notin> bad |] |
451 evs \<in> set_cr; (CA i) \<notin> bad |] |
452 ==> \<exists>Y K. Says (CA i) C (Crypt K {|sign (priSK (CA i)) |
452 ==> \<exists>Y K. Says (CA i) C (Crypt K \<lbrace>sign (priSK (CA i)) |
453 {|Agent C, Nonce NC3, Agent (CA i), Nonce NonceCCA|}, Y|}) \<in> set evs" |
453 \<lbrace>Agent C, Nonce NC3, Agent (CA i), Nonce NonceCCA\<rbrace>, Y\<rbrace>) \<in> set evs" |
454 by (blast dest!: certificate_valid_pubSK intro!: CA_Says_6_lemma) |
454 by (blast dest!: certificate_valid_pubSK intro!: CA_Says_6_lemma) |
455 (*>*) |
455 (*>*) |
456 |
456 |
457 |
457 |
458 subsection{*Useful lemmas *} |
458 subsection{*Useful lemmas *} |
519 text{*Lemma for message 6: either cardSK is compromised (when we don't care) |
519 text{*Lemma for message 6: either cardSK is compromised (when we don't care) |
520 or else cardSK hasn't been used to encrypt K. Previously we treated |
520 or else cardSK hasn't been used to encrypt K. Previously we treated |
521 message 5 in the same way, but the current model assumes that rule |
521 message 5 in the same way, but the current model assumes that rule |
522 @{text SET_CR5} is executed only by honest agents.*} |
522 @{text SET_CR5} is executed only by honest agents.*} |
523 lemma msg6_KeyCryptKey_disj: |
523 lemma msg6_KeyCryptKey_disj: |
524 "[|Gets B {|Crypt KC3 {|Agent C, Nonce N, Key KC2, Key cardSK, X|}, Y|} |
524 "[|Gets B \<lbrace>Crypt KC3 \<lbrace>Agent C, Nonce N, Key KC2, Key cardSK, X\<rbrace>, Y\<rbrace> |
525 \<in> set evs; |
525 \<in> set evs; |
526 cardSK \<notin> symKeys; evs \<in> set_cr|] |
526 cardSK \<notin> symKeys; evs \<in> set_cr|] |
527 ==> Key cardSK \<in> analz (knows Spy evs) | |
527 ==> Key cardSK \<in> analz (knows Spy evs) | |
528 (\<forall>K. ~ KeyCryptKey cardSK K evs)" |
528 (\<forall>K. ~ KeyCryptKey cardSK K evs)" |
529 by (blast dest: not_KeyCryptKey_cardSK intro: cardSK_neq_priEK) |
529 by (blast dest: not_KeyCryptKey_cardSK intro: cardSK_neq_priEK) |
600 text{*The cardholder's certificate really was created by the CA, provided the |
600 text{*The cardholder's certificate really was created by the CA, provided the |
601 CA is uncompromised *} |
601 CA is uncompromised *} |
602 |
602 |
603 text{*Lemma concerning the actual signed message digest*} |
603 text{*Lemma concerning the actual signed message digest*} |
604 lemma cert_valid_lemma: |
604 lemma cert_valid_lemma: |
605 "[|Crypt (priSK (CA i)) {|Hash {|Nonce N, Pan(pan C)|}, Key cardSK, N1|} |
605 "[|Crypt (priSK (CA i)) \<lbrace>Hash \<lbrace>Nonce N, Pan(pan C)\<rbrace>, Key cardSK, N1\<rbrace> |
606 \<in> parts (knows Spy evs); |
606 \<in> parts (knows Spy evs); |
607 CA i \<notin> bad; evs \<in> set_cr|] |
607 CA i \<notin> bad; evs \<in> set_cr|] |
608 ==> \<exists>KC2 X Y. Says (CA i) C |
608 ==> \<exists>KC2 X Y. Says (CA i) C |
609 (Crypt KC2 |
609 (Crypt KC2 |
610 {|X, certC (pan C) cardSK N onlySig (priSK (CA i)), Y|}) |
610 \<lbrace>X, certC (pan C) cardSK N onlySig (priSK (CA i)), Y\<rbrace>) |
611 \<in> set evs" |
611 \<in> set evs" |
612 apply (erule rev_mp) |
612 apply (erule rev_mp) |
613 apply (erule set_cr.induct) |
613 apply (erule set_cr.induct) |
614 apply (simp_all (no_asm_simp)) |
614 apply (simp_all (no_asm_simp)) |
615 apply auto |
615 apply auto |
616 done |
616 done |
617 |
617 |
618 text{*Pre-packaged version for cardholder. We don't try to confirm the values |
618 text{*Pre-packaged version for cardholder. We don't try to confirm the values |
619 of KC2, X and Y, since they are not important.*} |
619 of KC2, X and Y, since they are not important.*} |
620 lemma certificate_valid_cardSK: |
620 lemma certificate_valid_cardSK: |
621 "[|Gets C (Crypt KC2 {|X, certC (pan C) cardSK N onlySig (invKey SKi), |
621 "[|Gets C (Crypt KC2 \<lbrace>X, certC (pan C) cardSK N onlySig (invKey SKi), |
622 cert (CA i) SKi onlySig (priSK RCA)|}) \<in> set evs; |
622 cert (CA i) SKi onlySig (priSK RCA)\<rbrace>) \<in> set evs; |
623 CA i \<notin> bad; evs \<in> set_cr|] |
623 CA i \<notin> bad; evs \<in> set_cr|] |
624 ==> \<exists>KC2 X Y. Says (CA i) C |
624 ==> \<exists>KC2 X Y. Says (CA i) C |
625 (Crypt KC2 |
625 (Crypt KC2 |
626 {|X, certC (pan C) cardSK N onlySig (priSK (CA i)), Y|}) |
626 \<lbrace>X, certC (pan C) cardSK N onlySig (priSK (CA i)), Y\<rbrace>) |
627 \<in> set evs" |
627 \<in> set evs" |
628 by (force dest!: Gets_imp_knows_Spy [THEN parts.Inj, THEN parts.Body] |
628 by (force dest!: Gets_imp_knows_Spy [THEN parts.Inj, THEN parts.Body] |
629 certificate_valid_pubSK cert_valid_lemma) |
629 certificate_valid_pubSK cert_valid_lemma) |
630 |
630 |
631 |
631 |
632 lemma Hash_imp_parts [rule_format]: |
632 lemma Hash_imp_parts [rule_format]: |
633 "evs \<in> set_cr |
633 "evs \<in> set_cr |
634 ==> Hash{|X, Nonce N|} \<in> parts (knows Spy evs) --> |
634 ==> Hash\<lbrace>X, Nonce N\<rbrace> \<in> parts (knows Spy evs) --> |
635 Nonce N \<in> parts (knows Spy evs)" |
635 Nonce N \<in> parts (knows Spy evs)" |
636 apply (erule set_cr.induct, force) |
636 apply (erule set_cr.induct, force) |
637 apply (simp_all (no_asm_simp)) |
637 apply (simp_all (no_asm_simp)) |
638 apply (blast intro: parts_mono [THEN [2] rev_subsetD]) |
638 apply (blast intro: parts_mono [THEN [2] rev_subsetD]) |
639 done |
639 done |
640 |
640 |
641 lemma Hash_imp_parts2 [rule_format]: |
641 lemma Hash_imp_parts2 [rule_format]: |
642 "evs \<in> set_cr |
642 "evs \<in> set_cr |
643 ==> Hash{|X, Nonce M, Y, Nonce N|} \<in> parts (knows Spy evs) --> |
643 ==> Hash\<lbrace>X, Nonce M, Y, Nonce N\<rbrace> \<in> parts (knows Spy evs) --> |
644 Nonce M \<in> parts (knows Spy evs) & Nonce N \<in> parts (knows Spy evs)" |
644 Nonce M \<in> parts (knows Spy evs) & Nonce N \<in> parts (knows Spy evs)" |
645 apply (erule set_cr.induct, force) |
645 apply (erule set_cr.induct, force) |
646 apply (simp_all (no_asm_simp)) |
646 apply (simp_all (no_asm_simp)) |
647 apply (blast intro: parts_mono [THEN [2] rev_subsetD]) |
647 apply (blast intro: parts_mono [THEN [2] rev_subsetD]) |
648 done |
648 done |
749 |
749 |
750 |
750 |
751 subsection{*Secrecy of CardSecret: the Cardholder's secret*} |
751 subsection{*Secrecy of CardSecret: the Cardholder's secret*} |
752 |
752 |
753 lemma NC2_not_CardSecret: |
753 lemma NC2_not_CardSecret: |
754 "[|Crypt EKj {|Key K, Pan p, Hash {|Agent D, Nonce N|}|} |
754 "[|Crypt EKj \<lbrace>Key K, Pan p, Hash \<lbrace>Agent D, Nonce N\<rbrace>\<rbrace> |
755 \<in> parts (knows Spy evs); |
755 \<in> parts (knows Spy evs); |
756 Key K \<notin> analz (knows Spy evs); |
756 Key K \<notin> analz (knows Spy evs); |
757 Nonce N \<notin> analz (knows Spy evs); |
757 Nonce N \<notin> analz (knows Spy evs); |
758 evs \<in> set_cr|] |
758 evs \<in> set_cr|] |
759 ==> Crypt EKi {|Key K', Pan p', Nonce N|} \<notin> parts (knows Spy evs)" |
759 ==> Crypt EKi \<lbrace>Key K', Pan p', Nonce N\<rbrace> \<notin> parts (knows Spy evs)" |
760 apply (erule rev_mp) |
760 apply (erule rev_mp) |
761 apply (erule rev_mp) |
761 apply (erule rev_mp) |
762 apply (erule rev_mp) |
762 apply (erule rev_mp) |
763 apply (erule set_cr.induct, analz_mono_contra, simp_all) |
763 apply (erule set_cr.induct, analz_mono_contra, simp_all) |
764 apply (blast dest: Hash_imp_parts)+ |
764 apply (blast dest: Hash_imp_parts)+ |
765 done |
765 done |
766 |
766 |
767 lemma KC2_secure_lemma [rule_format]: |
767 lemma KC2_secure_lemma [rule_format]: |
768 "[|U = Crypt KC3 {|Agent C, Nonce N, Key KC2, X|}; |
768 "[|U = Crypt KC3 \<lbrace>Agent C, Nonce N, Key KC2, X\<rbrace>; |
769 U \<in> parts (knows Spy evs); |
769 U \<in> parts (knows Spy evs); |
770 evs \<in> set_cr|] |
770 evs \<in> set_cr|] |
771 ==> Nonce N \<notin> analz (knows Spy evs) --> |
771 ==> Nonce N \<notin> analz (knows Spy evs) --> |
772 (\<exists>k i W. Says (Cardholder k) (CA i) {|U,W|} \<in> set evs & |
772 (\<exists>k i W. Says (Cardholder k) (CA i) \<lbrace>U,W\<rbrace> \<in> set evs & |
773 Cardholder k \<notin> bad & CA i \<notin> bad)" |
773 Cardholder k \<notin> bad & CA i \<notin> bad)" |
774 apply (erule_tac P = "U \<in> H" for H in rev_mp) |
774 apply (erule_tac P = "U \<in> H" for H in rev_mp) |
775 apply (erule set_cr.induct) |
775 apply (erule set_cr.induct) |
776 apply (valid_certificate_tac [8]) --{*for message 5*} |
776 apply (valid_certificate_tac [8]) --{*for message 5*} |
777 apply (simp_all del: image_insert image_Un imp_disjL |
777 apply (simp_all del: image_insert image_Un imp_disjL |
781 apply (simp_all (no_asm_simp)) --{*leaves 4 subgoals*} |
781 apply (simp_all (no_asm_simp)) --{*leaves 4 subgoals*} |
782 apply (blast intro!: analz_insertI)+ |
782 apply (blast intro!: analz_insertI)+ |
783 done |
783 done |
784 |
784 |
785 lemma KC2_secrecy: |
785 lemma KC2_secrecy: |
786 "[|Gets B {|Crypt K {|Agent C, Nonce N, Key KC2, X|}, Y|} \<in> set evs; |
786 "[|Gets B \<lbrace>Crypt K \<lbrace>Agent C, Nonce N, Key KC2, X\<rbrace>, Y\<rbrace> \<in> set evs; |
787 Nonce N \<notin> analz (knows Spy evs); KC2 \<in> symKeys; |
787 Nonce N \<notin> analz (knows Spy evs); KC2 \<in> symKeys; |
788 evs \<in> set_cr|] |
788 evs \<in> set_cr|] |
789 ==> Key KC2 \<notin> analz (knows Spy evs)" |
789 ==> Key KC2 \<notin> analz (knows Spy evs)" |
790 by (force dest!: refl [THEN KC2_secure_lemma] symKey_secrecy) |
790 by (force dest!: refl [THEN KC2_secure_lemma] symKey_secrecy) |
791 |
791 |
792 |
792 |
793 text{*Inductive version*} |
793 text{*Inductive version*} |
794 lemma CardSecret_secrecy_lemma [rule_format]: |
794 lemma CardSecret_secrecy_lemma [rule_format]: |
795 "[|CA i \<notin> bad; evs \<in> set_cr|] |
795 "[|CA i \<notin> bad; evs \<in> set_cr|] |
796 ==> Key K \<notin> analz (knows Spy evs) --> |
796 ==> Key K \<notin> analz (knows Spy evs) --> |
797 Crypt (pubEK (CA i)) {|Key K, Pan p, Nonce CardSecret|} |
797 Crypt (pubEK (CA i)) \<lbrace>Key K, Pan p, Nonce CardSecret\<rbrace> |
798 \<in> parts (knows Spy evs) --> |
798 \<in> parts (knows Spy evs) --> |
799 Nonce CardSecret \<notin> analz (knows Spy evs)" |
799 Nonce CardSecret \<notin> analz (knows Spy evs)" |
800 apply (erule set_cr.induct, analz_mono_contra) |
800 apply (erule set_cr.induct, analz_mono_contra) |
801 apply (valid_certificate_tac [8]) --{*for message 5*} |
801 apply (valid_certificate_tac [8]) --{*for message 5*} |
802 apply (valid_certificate_tac [6]) --{*for message 5*} |
802 apply (valid_certificate_tac [6]) --{*for message 5*} |
823 |
823 |
824 text{*Packaged version for cardholder*} |
824 text{*Packaged version for cardholder*} |
825 lemma CardSecret_secrecy: |
825 lemma CardSecret_secrecy: |
826 "[|Cardholder k \<notin> bad; CA i \<notin> bad; |
826 "[|Cardholder k \<notin> bad; CA i \<notin> bad; |
827 Says (Cardholder k) (CA i) |
827 Says (Cardholder k) (CA i) |
828 {|X, Crypt EKi {|Key KC3, Pan p, Nonce CardSecret|}|} \<in> set evs; |
828 \<lbrace>X, Crypt EKi \<lbrace>Key KC3, Pan p, Nonce CardSecret\<rbrace>\<rbrace> \<in> set evs; |
829 Gets A {|Z, cert (CA i) EKi onlyEnc (priSK RCA), |
829 Gets A \<lbrace>Z, cert (CA i) EKi onlyEnc (priSK RCA), |
830 cert (CA i) SKi onlySig (priSK RCA)|} \<in> set evs; |
830 cert (CA i) SKi onlySig (priSK RCA)\<rbrace> \<in> set evs; |
831 KC3 \<in> symKeys; evs \<in> set_cr|] |
831 KC3 \<in> symKeys; evs \<in> set_cr|] |
832 ==> Nonce CardSecret \<notin> analz (knows Spy evs)" |
832 ==> Nonce CardSecret \<notin> analz (knows Spy evs)" |
833 apply (frule Gets_certificate_valid, assumption) |
833 apply (frule Gets_certificate_valid, assumption) |
834 apply (subgoal_tac "Key KC3 \<notin> analz (knows Spy evs) ") |
834 apply (subgoal_tac "Key KC3 \<notin> analz (knows Spy evs) ") |
835 apply (blast dest: CardSecret_secrecy_lemma) |
835 apply (blast dest: CardSecret_secrecy_lemma) |
856 text{*Inductive version*} |
856 text{*Inductive version*} |
857 lemma NonceCCA_secrecy_lemma [rule_format]: |
857 lemma NonceCCA_secrecy_lemma [rule_format]: |
858 "[|CA i \<notin> bad; evs \<in> set_cr|] |
858 "[|CA i \<notin> bad; evs \<in> set_cr|] |
859 ==> Key K \<notin> analz (knows Spy evs) --> |
859 ==> Key K \<notin> analz (knows Spy evs) --> |
860 Crypt K |
860 Crypt K |
861 {|sign (priSK (CA i)) |
861 \<lbrace>sign (priSK (CA i)) |
862 {|Agent C, Nonce N, Agent(CA i), Nonce NonceCCA|}, |
862 \<lbrace>Agent C, Nonce N, Agent(CA i), Nonce NonceCCA\<rbrace>, |
863 X, Y|} |
863 X, Y\<rbrace> |
864 \<in> parts (knows Spy evs) --> |
864 \<in> parts (knows Spy evs) --> |
865 Nonce NonceCCA \<notin> analz (knows Spy evs)" |
865 Nonce NonceCCA \<notin> analz (knows Spy evs)" |
866 apply (erule set_cr.induct, analz_mono_contra) |
866 apply (erule set_cr.induct, analz_mono_contra) |
867 apply (valid_certificate_tac [8]) --{*for message 5*} |
867 apply (valid_certificate_tac [8]) --{*for message 5*} |
868 apply (valid_certificate_tac [6]) --{*for message 5*} |
868 apply (valid_certificate_tac [6]) --{*for message 5*} |
889 text{*Packaged version for cardholder*} |
889 text{*Packaged version for cardholder*} |
890 lemma NonceCCA_secrecy: |
890 lemma NonceCCA_secrecy: |
891 "[|Cardholder k \<notin> bad; CA i \<notin> bad; |
891 "[|Cardholder k \<notin> bad; CA i \<notin> bad; |
892 Gets (Cardholder k) |
892 Gets (Cardholder k) |
893 (Crypt KC2 |
893 (Crypt KC2 |
894 {|sign (priSK (CA i)) {|Agent C, Nonce N, Agent(CA i), Nonce NonceCCA|}, |
894 \<lbrace>sign (priSK (CA i)) \<lbrace>Agent C, Nonce N, Agent(CA i), Nonce NonceCCA\<rbrace>, |
895 X, Y|}) \<in> set evs; |
895 X, Y\<rbrace>) \<in> set evs; |
896 Says (Cardholder k) (CA i) |
896 Says (Cardholder k) (CA i) |
897 {|Crypt KC3 {|Agent C, Nonce NC3, Key KC2, X'|}, Y'|} \<in> set evs; |
897 \<lbrace>Crypt KC3 \<lbrace>Agent C, Nonce NC3, Key KC2, X'\<rbrace>, Y'\<rbrace> \<in> set evs; |
898 Gets A {|Z, cert (CA i) EKi onlyEnc (priSK RCA), |
898 Gets A \<lbrace>Z, cert (CA i) EKi onlyEnc (priSK RCA), |
899 cert (CA i) SKi onlySig (priSK RCA)|} \<in> set evs; |
899 cert (CA i) SKi onlySig (priSK RCA)\<rbrace> \<in> set evs; |
900 KC2 \<in> symKeys; evs \<in> set_cr|] |
900 KC2 \<in> symKeys; evs \<in> set_cr|] |
901 ==> Nonce NonceCCA \<notin> analz (knows Spy evs)" |
901 ==> Nonce NonceCCA \<notin> analz (knows Spy evs)" |
902 apply (frule Gets_certificate_valid, assumption) |
902 apply (frule Gets_certificate_valid, assumption) |
903 apply (subgoal_tac "Key KC2 \<notin> analz (knows Spy evs) ") |
903 apply (subgoal_tac "Key KC2 \<notin> analz (knows Spy evs) ") |
904 apply (blast dest: NonceCCA_secrecy_lemma) |
904 apply (blast dest: NonceCCA_secrecy_lemma) |
915 text{*Lemma for message 6: either cardSK isn't a CA's private encryption key, |
915 text{*Lemma for message 6: either cardSK isn't a CA's private encryption key, |
916 or if it is then (because it appears in traffic) that CA is bad, |
916 or if it is then (because it appears in traffic) that CA is bad, |
917 and so the Spy knows that key already. Either way, we can simplify |
917 and so the Spy knows that key already. Either way, we can simplify |
918 the expression @{term "analz (insert (Key cardSK) X)"}.*} |
918 the expression @{term "analz (insert (Key cardSK) X)"}.*} |
919 lemma msg6_cardSK_disj: |
919 lemma msg6_cardSK_disj: |
920 "[|Gets A {|Crypt K {|c, n, k', Key cardSK, X|}, Y|} |
920 "[|Gets A \<lbrace>Crypt K \<lbrace>c, n, k', Key cardSK, X\<rbrace>, Y\<rbrace> |
921 \<in> set evs; evs \<in> set_cr |] |
921 \<in> set evs; evs \<in> set_cr |] |
922 ==> cardSK \<notin> range(invKey o pubEK o CA) | Key cardSK \<in> knows Spy evs" |
922 ==> cardSK \<notin> range(invKey o pubEK o CA) | Key cardSK \<in> knows Spy evs" |
923 by auto |
923 by auto |
924 |
924 |
925 lemma analz_image_pan_lemma: |
925 lemma analz_image_pan_lemma: |
997 |
997 |
998 text{*Unicity of cardSK: it uniquely identifies the other components. |
998 text{*Unicity of cardSK: it uniquely identifies the other components. |
999 This holds because a CA accepts a cardSK at most once.*} |
999 This holds because a CA accepts a cardSK at most once.*} |
1000 lemma cardholder_key_unicity: |
1000 lemma cardholder_key_unicity: |
1001 "[|Says (CA i) C (Crypt KC2 |
1001 "[|Says (CA i) C (Crypt KC2 |
1002 {|sign (priSK (CA i)) {|Agent C, Nonce NC3, Agent (CA i), Nonce Y|}, |
1002 \<lbrace>sign (priSK (CA i)) \<lbrace>Agent C, Nonce NC3, Agent (CA i), Nonce Y\<rbrace>, |
1003 certC (pan C) cardSK X onlySig (priSK (CA i)), |
1003 certC (pan C) cardSK X onlySig (priSK (CA i)), |
1004 cert (CA i) (pubSK (CA i)) onlySig (priSK RCA)|}) |
1004 cert (CA i) (pubSK (CA i)) onlySig (priSK RCA)\<rbrace>) |
1005 \<in> set evs; |
1005 \<in> set evs; |
1006 Says (CA i) C' (Crypt KC2' |
1006 Says (CA i) C' (Crypt KC2' |
1007 {|sign (priSK (CA i)) {|Agent C', Nonce NC3', Agent (CA i), Nonce Y'|}, |
1007 \<lbrace>sign (priSK (CA i)) \<lbrace>Agent C', Nonce NC3', Agent (CA i), Nonce Y'\<rbrace>, |
1008 certC (pan C') cardSK X' onlySig (priSK (CA i)), |
1008 certC (pan C') cardSK X' onlySig (priSK (CA i)), |
1009 cert (CA i) (pubSK (CA i)) onlySig (priSK RCA)|}) |
1009 cert (CA i) (pubSK (CA i)) onlySig (priSK RCA)\<rbrace>) |
1010 \<in> set evs; |
1010 \<in> set evs; |
1011 evs \<in> set_cr |] ==> C=C' & NC3=NC3' & X=X' & KC2=KC2' & Y=Y'" |
1011 evs \<in> set_cr |] ==> C=C' & NC3=NC3' & X=X' & KC2=KC2' & Y=Y'" |
1012 apply (erule rev_mp) |
1012 apply (erule rev_mp) |
1013 apply (erule rev_mp) |
1013 apply (erule rev_mp) |
1014 apply (erule set_cr.induct) |
1014 apply (erule set_cr.induct) |
1018 |
1018 |
1019 |
1019 |
1020 (*<*) |
1020 (*<*) |
1021 text{*UNUSED unicity result*} |
1021 text{*UNUSED unicity result*} |
1022 lemma unique_KC1: |
1022 lemma unique_KC1: |
1023 "[|Says C B {|Crypt KC1 X, Crypt EK {|Key KC1, Y|}|} |
1023 "[|Says C B \<lbrace>Crypt KC1 X, Crypt EK \<lbrace>Key KC1, Y\<rbrace>\<rbrace> |
1024 \<in> set evs; |
1024 \<in> set evs; |
1025 Says C B' {|Crypt KC1 X', Crypt EK' {|Key KC1, Y'|}|} |
1025 Says C B' \<lbrace>Crypt KC1 X', Crypt EK' \<lbrace>Key KC1, Y'\<rbrace>\<rbrace> |
1026 \<in> set evs; |
1026 \<in> set evs; |
1027 C \<notin> bad; evs \<in> set_cr|] ==> B'=B & Y'=Y" |
1027 C \<notin> bad; evs \<in> set_cr|] ==> B'=B & Y'=Y" |
1028 apply (erule rev_mp) |
1028 apply (erule rev_mp) |
1029 apply (erule rev_mp) |
1029 apply (erule rev_mp) |
1030 apply (erule set_cr.induct, auto) |
1030 apply (erule set_cr.induct, auto) |
1031 done |
1031 done |
1032 |
1032 |
1033 text{*UNUSED unicity result*} |
1033 text{*UNUSED unicity result*} |
1034 lemma unique_KC2: |
1034 lemma unique_KC2: |
1035 "[|Says C B {|Crypt K {|Agent C, nn, Key KC2, X|}, Y|} \<in> set evs; |
1035 "[|Says C B \<lbrace>Crypt K \<lbrace>Agent C, nn, Key KC2, X\<rbrace>, Y\<rbrace> \<in> set evs; |
1036 Says C B' {|Crypt K' {|Agent C, nn', Key KC2, X'|}, Y'|} \<in> set evs; |
1036 Says C B' \<lbrace>Crypt K' \<lbrace>Agent C, nn', Key KC2, X'\<rbrace>, Y'\<rbrace> \<in> set evs; |
1037 C \<notin> bad; evs \<in> set_cr|] ==> B'=B & X'=X" |
1037 C \<notin> bad; evs \<in> set_cr|] ==> B'=B & X'=X" |
1038 apply (erule rev_mp) |
1038 apply (erule rev_mp) |
1039 apply (erule rev_mp) |
1039 apply (erule rev_mp) |
1040 apply (erule set_cr.induct, auto) |
1040 apply (erule set_cr.induct, auto) |
1041 done |
1041 done |