84 Guide, in absence of @{text LID_M}, states that the merchant uniquely |
84 Guide, in absence of @{text LID_M}, states that the merchant uniquely |
85 identifies the order out of some data contained in OrderDesc.*} |
85 identifies the order out of some data contained in OrderDesc.*} |
86 "[|evsStart \<in> set_pur; |
86 "[|evsStart \<in> set_pur; |
87 Number LID_M \<notin> used evsStart; |
87 Number LID_M \<notin> used evsStart; |
88 C = Cardholder k; M = Merchant i; P = PG j; |
88 C = Cardholder k; M = Merchant i; P = PG j; |
89 Transaction = {|Agent M, Agent C, Number OrderDesc, Number PurchAmt|}; |
89 Transaction = \<lbrace>Agent M, Agent C, Number OrderDesc, Number PurchAmt\<rbrace>; |
90 LID_M \<notin> range CardSecret; |
90 LID_M \<notin> range CardSecret; |
91 LID_M \<notin> range PANSecret |] |
91 LID_M \<notin> range PANSecret |] |
92 ==> Notes C {|Number LID_M, Transaction|} |
92 ==> Notes C \<lbrace>Number LID_M, Transaction\<rbrace> |
93 # Notes M {|Number LID_M, Agent P, Transaction|} |
93 # Notes M \<lbrace>Number LID_M, Agent P, Transaction\<rbrace> |
94 # evsStart \<in> set_pur" |
94 # evsStart \<in> set_pur" |
95 |
95 |
96 | PInitReq: |
96 | PInitReq: |
97 --{*Purchase initialization, page 72 of Formal Protocol Desc.*} |
97 --{*Purchase initialization, page 72 of Formal Protocol Desc.*} |
98 "[|evsPIReq \<in> set_pur; |
98 "[|evsPIReq \<in> set_pur; |
99 Transaction = {|Agent M, Agent C, Number OrderDesc, Number PurchAmt|}; |
99 Transaction = \<lbrace>Agent M, Agent C, Number OrderDesc, Number PurchAmt\<rbrace>; |
100 Nonce Chall_C \<notin> used evsPIReq; |
100 Nonce Chall_C \<notin> used evsPIReq; |
101 Chall_C \<notin> range CardSecret; Chall_C \<notin> range PANSecret; |
101 Chall_C \<notin> range CardSecret; Chall_C \<notin> range PANSecret; |
102 Notes C {|Number LID_M, Transaction |} \<in> set evsPIReq |] |
102 Notes C \<lbrace>Number LID_M, Transaction \<rbrace> \<in> set evsPIReq |] |
103 ==> Says C M {|Number LID_M, Nonce Chall_C|} # evsPIReq \<in> set_pur" |
103 ==> Says C M \<lbrace>Number LID_M, Nonce Chall_C\<rbrace> # evsPIReq \<in> set_pur" |
104 |
104 |
105 | PInitRes: |
105 | PInitRes: |
106 --{*Merchant replies with his own label XID and the encryption |
106 --{*Merchant replies with his own label XID and the encryption |
107 key certificate of his chosen Payment Gateway. Page 74 of Formal |
107 key certificate of his chosen Payment Gateway. Page 74 of Formal |
108 Protocol Desc. We use @{text LID_M} to identify Cardholder*} |
108 Protocol Desc. We use @{text LID_M} to identify Cardholder*} |
109 "[|evsPIRes \<in> set_pur; |
109 "[|evsPIRes \<in> set_pur; |
110 Gets M {|Number LID_M, Nonce Chall_C|} \<in> set evsPIRes; |
110 Gets M \<lbrace>Number LID_M, Nonce Chall_C\<rbrace> \<in> set evsPIRes; |
111 Transaction = {|Agent M, Agent C, Number OrderDesc, Number PurchAmt|}; |
111 Transaction = \<lbrace>Agent M, Agent C, Number OrderDesc, Number PurchAmt\<rbrace>; |
112 Notes M {|Number LID_M, Agent P, Transaction|} \<in> set evsPIRes; |
112 Notes M \<lbrace>Number LID_M, Agent P, Transaction\<rbrace> \<in> set evsPIRes; |
113 Nonce Chall_M \<notin> used evsPIRes; |
113 Nonce Chall_M \<notin> used evsPIRes; |
114 Chall_M \<notin> range CardSecret; Chall_M \<notin> range PANSecret; |
114 Chall_M \<notin> range CardSecret; Chall_M \<notin> range PANSecret; |
115 Number XID \<notin> used evsPIRes; |
115 Number XID \<notin> used evsPIRes; |
116 XID \<notin> range CardSecret; XID \<notin> range PANSecret|] |
116 XID \<notin> range CardSecret; XID \<notin> range PANSecret|] |
117 ==> Says M C (sign (priSK M) |
117 ==> Says M C (sign (priSK M) |
118 {|Number LID_M, Number XID, |
118 \<lbrace>Number LID_M, Number XID, |
119 Nonce Chall_C, Nonce Chall_M, |
119 Nonce Chall_C, Nonce Chall_M, |
120 cert P (pubEK P) onlyEnc (priSK RCA)|}) |
120 cert P (pubEK P) onlyEnc (priSK RCA)\<rbrace>) |
121 # evsPIRes \<in> set_pur" |
121 # evsPIRes \<in> set_pur" |
122 |
122 |
123 | PReqUns: |
123 | PReqUns: |
124 --{*UNSIGNED Purchase request (CardSecret = 0). |
124 --{*UNSIGNED Purchase request (CardSecret = 0). |
125 Page 79 of Formal Protocol Desc. |
125 Page 79 of Formal Protocol Desc. |
126 Merchant never sees the amount in clear. This holds of the real |
126 Merchant never sees the amount in clear. This holds of the real |
127 protocol, where XID identifies the transaction. We omit |
127 protocol, where XID identifies the transaction. We omit |
128 Hash{|Number XID, Nonce (CardSecret k)|} from PIHead because |
128 \<open>Hash\<lbrace>Number XID, Nonce (CardSecret k)\<rbrace>\<close> from PIHead because |
129 the CardSecret is 0 and because AuthReq treated the unsigned case |
129 the CardSecret is 0 and because AuthReq treated the unsigned case |
130 very differently from the signed one anyway.*} |
130 very differently from the signed one anyway.*} |
131 "!!Chall_C Chall_M OrderDesc P PurchAmt XID evsPReqU. |
131 "!!Chall_C Chall_M OrderDesc P PurchAmt XID evsPReqU. |
132 [|evsPReqU \<in> set_pur; |
132 [|evsPReqU \<in> set_pur; |
133 C = Cardholder k; CardSecret k = 0; |
133 C = Cardholder k; CardSecret k = 0; |
134 Key KC1 \<notin> used evsPReqU; KC1 \<in> symKeys; |
134 Key KC1 \<notin> used evsPReqU; KC1 \<in> symKeys; |
135 Transaction = {|Agent M, Agent C, Number OrderDesc, Number PurchAmt|}; |
135 Transaction = \<lbrace>Agent M, Agent C, Number OrderDesc, Number PurchAmt\<rbrace>; |
136 HOD = Hash{|Number OrderDesc, Number PurchAmt|}; |
136 HOD = Hash\<lbrace>Number OrderDesc, Number PurchAmt\<rbrace>; |
137 OIData = {|Number LID_M, Number XID, Nonce Chall_C, HOD,Nonce Chall_M|}; |
137 OIData = \<lbrace>Number LID_M, Number XID, Nonce Chall_C, HOD,Nonce Chall_M\<rbrace>; |
138 PIHead = {|Number LID_M, Number XID, HOD, Number PurchAmt, Agent M|}; |
138 PIHead = \<lbrace>Number LID_M, Number XID, HOD, Number PurchAmt, Agent M\<rbrace>; |
139 Gets C (sign (priSK M) |
139 Gets C (sign (priSK M) |
140 {|Number LID_M, Number XID, |
140 \<lbrace>Number LID_M, Number XID, |
141 Nonce Chall_C, Nonce Chall_M, |
141 Nonce Chall_C, Nonce Chall_M, |
142 cert P EKj onlyEnc (priSK RCA)|}) |
142 cert P EKj onlyEnc (priSK RCA)\<rbrace>) |
143 \<in> set evsPReqU; |
143 \<in> set evsPReqU; |
144 Says C M {|Number LID_M, Nonce Chall_C|} \<in> set evsPReqU; |
144 Says C M \<lbrace>Number LID_M, Nonce Chall_C\<rbrace> \<in> set evsPReqU; |
145 Notes C {|Number LID_M, Transaction|} \<in> set evsPReqU |] |
145 Notes C \<lbrace>Number LID_M, Transaction\<rbrace> \<in> set evsPReqU |] |
146 ==> Says C M |
146 ==> Says C M |
147 {|EXHcrypt KC1 EKj {|PIHead, Hash OIData|} (Pan (pan C)), |
147 \<lbrace>EXHcrypt KC1 EKj \<lbrace>PIHead, Hash OIData\<rbrace> (Pan (pan C)), |
148 OIData, Hash{|PIHead, Pan (pan C)|} |} |
148 OIData, Hash\<lbrace>PIHead, Pan (pan C)\<rbrace> \<rbrace> |
149 # Notes C {|Key KC1, Agent M|} |
149 # Notes C \<lbrace>Key KC1, Agent M\<rbrace> |
150 # evsPReqU \<in> set_pur" |
150 # evsPReqU \<in> set_pur" |
151 |
151 |
152 | PReqS: |
152 | PReqS: |
153 --{*SIGNED Purchase request. Page 77 of Formal Protocol Desc. |
153 --{*SIGNED Purchase request. Page 77 of Formal Protocol Desc. |
154 We could specify the equation |
154 We could specify the equation |
155 @{term "PIReqSigned = {| PIDualSigned, OIDualSigned |}"}, since the |
155 @{term "PIReqSigned = \<lbrace> PIDualSigned, OIDualSigned \<rbrace>"}, since the |
156 Formal Desc. gives PIHead the same format in the unsigned case. |
156 Formal Desc. gives PIHead the same format in the unsigned case. |
157 However, there's little point, as P treats the signed and |
157 However, there's little point, as P treats the signed and |
158 unsigned cases differently.*} |
158 unsigned cases differently.*} |
159 "!!C Chall_C Chall_M EKj HOD KC2 LID_M M OIData |
159 "!!C Chall_C Chall_M EKj HOD KC2 LID_M M OIData |
160 OIDualSigned OrderDesc P PANData PIData PIDualSigned |
160 OIDualSigned OrderDesc P PANData PIData PIDualSigned |
161 PIHead PurchAmt Transaction XID evsPReqS k. |
161 PIHead PurchAmt Transaction XID evsPReqS k. |
162 [|evsPReqS \<in> set_pur; |
162 [|evsPReqS \<in> set_pur; |
163 C = Cardholder k; |
163 C = Cardholder k; |
164 CardSecret k \<noteq> 0; Key KC2 \<notin> used evsPReqS; KC2 \<in> symKeys; |
164 CardSecret k \<noteq> 0; Key KC2 \<notin> used evsPReqS; KC2 \<in> symKeys; |
165 Transaction = {|Agent M, Agent C, Number OrderDesc, Number PurchAmt|}; |
165 Transaction = \<lbrace>Agent M, Agent C, Number OrderDesc, Number PurchAmt\<rbrace>; |
166 HOD = Hash{|Number OrderDesc, Number PurchAmt|}; |
166 HOD = Hash\<lbrace>Number OrderDesc, Number PurchAmt\<rbrace>; |
167 OIData = {|Number LID_M, Number XID, Nonce Chall_C, HOD, Nonce Chall_M|}; |
167 OIData = \<lbrace>Number LID_M, Number XID, Nonce Chall_C, HOD, Nonce Chall_M\<rbrace>; |
168 PIHead = {|Number LID_M, Number XID, HOD, Number PurchAmt, Agent M, |
168 PIHead = \<lbrace>Number LID_M, Number XID, HOD, Number PurchAmt, Agent M, |
169 Hash{|Number XID, Nonce (CardSecret k)|}|}; |
169 Hash\<lbrace>Number XID, Nonce (CardSecret k)\<rbrace>\<rbrace>; |
170 PANData = {|Pan (pan C), Nonce (PANSecret k)|}; |
170 PANData = \<lbrace>Pan (pan C), Nonce (PANSecret k)\<rbrace>; |
171 PIData = {|PIHead, PANData|}; |
171 PIData = \<lbrace>PIHead, PANData\<rbrace>; |
172 PIDualSigned = {|sign (priSK C) {|Hash PIData, Hash OIData|}, |
172 PIDualSigned = \<lbrace>sign (priSK C) \<lbrace>Hash PIData, Hash OIData\<rbrace>, |
173 EXcrypt KC2 EKj {|PIHead, Hash OIData|} PANData|}; |
173 EXcrypt KC2 EKj \<lbrace>PIHead, Hash OIData\<rbrace> PANData\<rbrace>; |
174 OIDualSigned = {|OIData, Hash PIData|}; |
174 OIDualSigned = \<lbrace>OIData, Hash PIData\<rbrace>; |
175 Gets C (sign (priSK M) |
175 Gets C (sign (priSK M) |
176 {|Number LID_M, Number XID, |
176 \<lbrace>Number LID_M, Number XID, |
177 Nonce Chall_C, Nonce Chall_M, |
177 Nonce Chall_C, Nonce Chall_M, |
178 cert P EKj onlyEnc (priSK RCA)|}) |
178 cert P EKj onlyEnc (priSK RCA)\<rbrace>) |
179 \<in> set evsPReqS; |
179 \<in> set evsPReqS; |
180 Says C M {|Number LID_M, Nonce Chall_C|} \<in> set evsPReqS; |
180 Says C M \<lbrace>Number LID_M, Nonce Chall_C\<rbrace> \<in> set evsPReqS; |
181 Notes C {|Number LID_M, Transaction|} \<in> set evsPReqS |] |
181 Notes C \<lbrace>Number LID_M, Transaction\<rbrace> \<in> set evsPReqS |] |
182 ==> Says C M {|PIDualSigned, OIDualSigned|} |
182 ==> Says C M \<lbrace>PIDualSigned, OIDualSigned\<rbrace> |
183 # Notes C {|Key KC2, Agent M|} |
183 # Notes C \<lbrace>Key KC2, Agent M\<rbrace> |
184 # evsPReqS \<in> set_pur" |
184 # evsPReqS \<in> set_pur" |
185 |
185 |
186 --{*Authorization Request. Page 92 of Formal Protocol Desc. |
186 --{*Authorization Request. Page 92 of Formal Protocol Desc. |
187 Sent in response to Purchase Request.*} |
187 Sent in response to Purchase Request.*} |
188 | AuthReq: |
188 | AuthReq: |
189 "[| evsAReq \<in> set_pur; |
189 "[| evsAReq \<in> set_pur; |
190 Key KM \<notin> used evsAReq; KM \<in> symKeys; |
190 Key KM \<notin> used evsAReq; KM \<in> symKeys; |
191 Transaction = {|Agent M, Agent C, Number OrderDesc, Number PurchAmt|}; |
191 Transaction = \<lbrace>Agent M, Agent C, Number OrderDesc, Number PurchAmt\<rbrace>; |
192 HOD = Hash{|Number OrderDesc, Number PurchAmt|}; |
192 HOD = Hash\<lbrace>Number OrderDesc, Number PurchAmt\<rbrace>; |
193 OIData = {|Number LID_M, Number XID, Nonce Chall_C, HOD, |
193 OIData = \<lbrace>Number LID_M, Number XID, Nonce Chall_C, HOD, |
194 Nonce Chall_M|}; |
194 Nonce Chall_M\<rbrace>; |
195 CardSecret k \<noteq> 0 --> |
195 CardSecret k \<noteq> 0 --> |
196 P_I = {|sign (priSK C) {|HPIData, Hash OIData|}, encPANData|}; |
196 P_I = \<lbrace>sign (priSK C) \<lbrace>HPIData, Hash OIData\<rbrace>, encPANData\<rbrace>; |
197 Gets M {|P_I, OIData, HPIData|} \<in> set evsAReq; |
197 Gets M \<lbrace>P_I, OIData, HPIData\<rbrace> \<in> set evsAReq; |
198 Says M C (sign (priSK M) {|Number LID_M, Number XID, |
198 Says M C (sign (priSK M) \<lbrace>Number LID_M, Number XID, |
199 Nonce Chall_C, Nonce Chall_M, |
199 Nonce Chall_C, Nonce Chall_M, |
200 cert P EKj onlyEnc (priSK RCA)|}) |
200 cert P EKj onlyEnc (priSK RCA)\<rbrace>) |
201 \<in> set evsAReq; |
201 \<in> set evsAReq; |
202 Notes M {|Number LID_M, Agent P, Transaction|} |
202 Notes M \<lbrace>Number LID_M, Agent P, Transaction\<rbrace> |
203 \<in> set evsAReq |] |
203 \<in> set evsAReq |] |
204 ==> Says M P |
204 ==> Says M P |
205 (EncB (priSK M) KM (pubEK P) |
205 (EncB (priSK M) KM (pubEK P) |
206 {|Number LID_M, Number XID, Hash OIData, HOD|} P_I) |
206 \<lbrace>Number LID_M, Number XID, Hash OIData, HOD\<rbrace> P_I) |
207 # evsAReq \<in> set_pur" |
207 # evsAReq \<in> set_pur" |
208 |
208 |
209 --{*Authorization Response has two forms: for UNSIGNED and SIGNED PIs. |
209 --{*Authorization Response has two forms: for UNSIGNED and SIGNED PIs. |
210 Page 99 of Formal Protocol Desc. |
210 Page 99 of Formal Protocol Desc. |
211 PI is a keyword (product!), so we call it @{text P_I}. The hashes HOD and |
211 PI is a keyword (product!), so we call it @{text P_I}. The hashes HOD and |
218 --{*Authorization Response, UNSIGNED*} |
218 --{*Authorization Response, UNSIGNED*} |
219 "[| evsAResU \<in> set_pur; |
219 "[| evsAResU \<in> set_pur; |
220 C = Cardholder k; M = Merchant i; |
220 C = Cardholder k; M = Merchant i; |
221 Key KP \<notin> used evsAResU; KP \<in> symKeys; |
221 Key KP \<notin> used evsAResU; KP \<in> symKeys; |
222 CardSecret k = 0; KC1 \<in> symKeys; KM \<in> symKeys; |
222 CardSecret k = 0; KC1 \<in> symKeys; KM \<in> symKeys; |
223 PIHead = {|Number LID_M, Number XID, HOD, Number PurchAmt, Agent M|}; |
223 PIHead = \<lbrace>Number LID_M, Number XID, HOD, Number PurchAmt, Agent M\<rbrace>; |
224 P_I = EXHcrypt KC1 EKj {|PIHead, HOIData|} (Pan (pan C)); |
224 P_I = EXHcrypt KC1 EKj \<lbrace>PIHead, HOIData\<rbrace> (Pan (pan C)); |
225 Gets P (EncB (priSK M) KM (pubEK P) |
225 Gets P (EncB (priSK M) KM (pubEK P) |
226 {|Number LID_M, Number XID, HOIData, HOD|} P_I) |
226 \<lbrace>Number LID_M, Number XID, HOIData, HOD\<rbrace> P_I) |
227 \<in> set evsAResU |] |
227 \<in> set evsAResU |] |
228 ==> Says P M |
228 ==> Says P M |
229 (EncB (priSK P) KP (pubEK M) |
229 (EncB (priSK P) KP (pubEK M) |
230 {|Number LID_M, Number XID, Number PurchAmt|} |
230 \<lbrace>Number LID_M, Number XID, Number PurchAmt\<rbrace> |
231 authCode) |
231 authCode) |
232 # evsAResU \<in> set_pur" |
232 # evsAResU \<in> set_pur" |
233 |
233 |
234 | AuthResS: |
234 | AuthResS: |
235 --{*Authorization Response, SIGNED*} |
235 --{*Authorization Response, SIGNED*} |
236 "[| evsAResS \<in> set_pur; |
236 "[| evsAResS \<in> set_pur; |
237 C = Cardholder k; |
237 C = Cardholder k; |
238 Key KP \<notin> used evsAResS; KP \<in> symKeys; |
238 Key KP \<notin> used evsAResS; KP \<in> symKeys; |
239 CardSecret k \<noteq> 0; KC2 \<in> symKeys; KM \<in> symKeys; |
239 CardSecret k \<noteq> 0; KC2 \<in> symKeys; KM \<in> symKeys; |
240 P_I = {|sign (priSK C) {|Hash PIData, HOIData|}, |
240 P_I = \<lbrace>sign (priSK C) \<lbrace>Hash PIData, HOIData\<rbrace>, |
241 EXcrypt KC2 (pubEK P) {|PIHead, HOIData|} PANData|}; |
241 EXcrypt KC2 (pubEK P) \<lbrace>PIHead, HOIData\<rbrace> PANData\<rbrace>; |
242 PANData = {|Pan (pan C), Nonce (PANSecret k)|}; |
242 PANData = \<lbrace>Pan (pan C), Nonce (PANSecret k)\<rbrace>; |
243 PIData = {|PIHead, PANData|}; |
243 PIData = \<lbrace>PIHead, PANData\<rbrace>; |
244 PIHead = {|Number LID_M, Number XID, HOD, Number PurchAmt, Agent M, |
244 PIHead = \<lbrace>Number LID_M, Number XID, HOD, Number PurchAmt, Agent M, |
245 Hash{|Number XID, Nonce (CardSecret k)|}|}; |
245 Hash\<lbrace>Number XID, Nonce (CardSecret k)\<rbrace>\<rbrace>; |
246 Gets P (EncB (priSK M) KM (pubEK P) |
246 Gets P (EncB (priSK M) KM (pubEK P) |
247 {|Number LID_M, Number XID, HOIData, HOD|} |
247 \<lbrace>Number LID_M, Number XID, HOIData, HOD\<rbrace> |
248 P_I) |
248 P_I) |
249 \<in> set evsAResS |] |
249 \<in> set evsAResS |] |
250 ==> Says P M |
250 ==> Says P M |
251 (EncB (priSK P) KP (pubEK M) |
251 (EncB (priSK P) KP (pubEK M) |
252 {|Number LID_M, Number XID, Number PurchAmt|} |
252 \<lbrace>Number LID_M, Number XID, Number PurchAmt\<rbrace> |
253 authCode) |
253 authCode) |
254 # evsAResS \<in> set_pur" |
254 # evsAResS \<in> set_pur" |
255 |
255 |
256 | PRes: |
256 | PRes: |
257 --{*Purchase response.*} |
257 --{*Purchase response.*} |
258 "[| evsPRes \<in> set_pur; KP \<in> symKeys; M = Merchant i; |
258 "[| evsPRes \<in> set_pur; KP \<in> symKeys; M = Merchant i; |
259 Transaction = {|Agent M, Agent C, Number OrderDesc, Number PurchAmt|}; |
259 Transaction = \<lbrace>Agent M, Agent C, Number OrderDesc, Number PurchAmt\<rbrace>; |
260 Gets M (EncB (priSK P) KP (pubEK M) |
260 Gets M (EncB (priSK P) KP (pubEK M) |
261 {|Number LID_M, Number XID, Number PurchAmt|} |
261 \<lbrace>Number LID_M, Number XID, Number PurchAmt\<rbrace> |
262 authCode) |
262 authCode) |
263 \<in> set evsPRes; |
263 \<in> set evsPRes; |
264 Gets M {|Number LID_M, Nonce Chall_C|} \<in> set evsPRes; |
264 Gets M \<lbrace>Number LID_M, Nonce Chall_C\<rbrace> \<in> set evsPRes; |
265 Says M P |
265 Says M P |
266 (EncB (priSK M) KM (pubEK P) |
266 (EncB (priSK M) KM (pubEK P) |
267 {|Number LID_M, Number XID, Hash OIData, HOD|} P_I) |
267 \<lbrace>Number LID_M, Number XID, Hash OIData, HOD\<rbrace> P_I) |
268 \<in> set evsPRes; |
268 \<in> set evsPRes; |
269 Notes M {|Number LID_M, Agent P, Transaction|} |
269 Notes M \<lbrace>Number LID_M, Agent P, Transaction\<rbrace> |
270 \<in> set evsPRes |
270 \<in> set evsPRes |
271 |] |
271 |] |
272 ==> Says M C |
272 ==> Says M C |
273 (sign (priSK M) {|Number LID_M, Number XID, Nonce Chall_C, |
273 (sign (priSK M) \<lbrace>Number LID_M, Number XID, Nonce Chall_C, |
274 Hash (Number PurchAmt)|}) |
274 Hash (Number PurchAmt)\<rbrace>) |
275 # evsPRes \<in> set_pur" |
275 # evsPRes \<in> set_pur" |
276 |
276 |
277 |
277 |
278 specification (CardSecret PANSecret) |
278 specification (CardSecret PANSecret) |
279 inj_CardSecret: "inj CardSecret" |
279 inj_CardSecret: "inj CardSecret" |
728 |
728 |
729 |
729 |
730 subsection{*Proofs Common to Signed and Unsigned Versions*} |
730 subsection{*Proofs Common to Signed and Unsigned Versions*} |
731 |
731 |
732 lemma M_Notes_PG: |
732 lemma M_Notes_PG: |
733 "[|Notes M {|Number LID_M, Agent P, Agent M, Agent C, etc|} \<in> set evs; |
733 "[|Notes M \<lbrace>Number LID_M, Agent P, Agent M, Agent C, etc\<rbrace> \<in> set evs; |
734 evs \<in> set_pur|] ==> \<exists>j. P = PG j" |
734 evs \<in> set_pur|] ==> \<exists>j. P = PG j" |
735 by (erule rev_mp, erule set_pur.induct, simp_all) |
735 by (erule rev_mp, erule set_pur.induct, simp_all) |
736 |
736 |
737 text{*If we trust M, then @{term LID_M} determines his choice of P |
737 text{*If we trust M, then @{term LID_M} determines his choice of P |
738 (Payment Gateway)*} |
738 (Payment Gateway)*} |
739 lemma goodM_gives_correct_PG: |
739 lemma goodM_gives_correct_PG: |
740 "[| MsgPInitRes = |
740 "[| MsgPInitRes = |
741 {|Number LID_M, xid, cc, cm, cert P EKj onlyEnc (priSK RCA)|}; |
741 \<lbrace>Number LID_M, xid, cc, cm, cert P EKj onlyEnc (priSK RCA)\<rbrace>; |
742 Crypt (priSK M) (Hash MsgPInitRes) \<in> parts (knows Spy evs); |
742 Crypt (priSK M) (Hash MsgPInitRes) \<in> parts (knows Spy evs); |
743 evs \<in> set_pur; M \<notin> bad |] |
743 evs \<in> set_pur; M \<notin> bad |] |
744 ==> \<exists>j trans. |
744 ==> \<exists>j trans. |
745 P = PG j & |
745 P = PG j & |
746 Notes M {|Number LID_M, Agent P, trans|} \<in> set evs" |
746 Notes M \<lbrace>Number LID_M, Agent P, trans\<rbrace> \<in> set evs" |
747 apply clarify |
747 apply clarify |
748 apply (erule rev_mp) |
748 apply (erule rev_mp) |
749 apply (erule set_pur.induct) |
749 apply (erule set_pur.induct) |
750 apply (frule_tac [9] AuthReq_msg_in_parts_spies) --{*AuthReq*} |
750 apply (frule_tac [9] AuthReq_msg_in_parts_spies) --{*AuthReq*} |
751 apply simp_all |
751 apply simp_all |
752 apply (blast intro: M_Notes_PG)+ |
752 apply (blast intro: M_Notes_PG)+ |
753 done |
753 done |
754 |
754 |
755 lemma C_gets_correct_PG: |
755 lemma C_gets_correct_PG: |
756 "[| Gets A (sign (priSK M) {|Number LID_M, xid, cc, cm, |
756 "[| Gets A (sign (priSK M) \<lbrace>Number LID_M, xid, cc, cm, |
757 cert P EKj onlyEnc (priSK RCA)|}) \<in> set evs; |
757 cert P EKj onlyEnc (priSK RCA)\<rbrace>) \<in> set evs; |
758 evs \<in> set_pur; M \<notin> bad|] |
758 evs \<in> set_pur; M \<notin> bad|] |
759 ==> \<exists>j trans. |
759 ==> \<exists>j trans. |
760 P = PG j & |
760 P = PG j & |
761 Notes M {|Number LID_M, Agent P, trans|} \<in> set evs & |
761 Notes M \<lbrace>Number LID_M, Agent P, trans\<rbrace> \<in> set evs & |
762 EKj = pubEK P" |
762 EKj = pubEK P" |
763 by (rule refl [THEN goodM_gives_correct_PG, THEN exE], auto) |
763 by (rule refl [THEN goodM_gives_correct_PG, THEN exE], auto) |
764 |
764 |
765 text{*When C receives PInitRes, he learns M's choice of P*} |
765 text{*When C receives PInitRes, he learns M's choice of P*} |
766 lemma C_verifies_PInitRes: |
766 lemma C_verifies_PInitRes: |
767 "[| MsgPInitRes = {|Number LID_M, Number XID, Nonce Chall_C, Nonce Chall_M, |
767 "[| MsgPInitRes = \<lbrace>Number LID_M, Number XID, Nonce Chall_C, Nonce Chall_M, |
768 cert P EKj onlyEnc (priSK RCA)|}; |
768 cert P EKj onlyEnc (priSK RCA)\<rbrace>; |
769 Crypt (priSK M) (Hash MsgPInitRes) \<in> parts (knows Spy evs); |
769 Crypt (priSK M) (Hash MsgPInitRes) \<in> parts (knows Spy evs); |
770 evs \<in> set_pur; M \<notin> bad|] |
770 evs \<in> set_pur; M \<notin> bad|] |
771 ==> \<exists>j trans. |
771 ==> \<exists>j trans. |
772 Notes M {|Number LID_M, Agent P, trans|} \<in> set evs & |
772 Notes M \<lbrace>Number LID_M, Agent P, trans\<rbrace> \<in> set evs & |
773 P = PG j & |
773 P = PG j & |
774 EKj = pubEK P" |
774 EKj = pubEK P" |
775 apply clarify |
775 apply clarify |
776 apply (erule rev_mp) |
776 apply (erule rev_mp) |
777 apply (erule set_pur.induct) |
777 apply (erule set_pur.induct) |
977 subsection{*Proofs for Signed Purchases*} |
977 subsection{*Proofs for Signed Purchases*} |
978 |
978 |
979 text{*Some Useful Lemmas: the cardholder knows what he is doing*} |
979 text{*Some Useful Lemmas: the cardholder knows what he is doing*} |
980 |
980 |
981 lemma Crypt_imp_Says_Cardholder: |
981 lemma Crypt_imp_Says_Cardholder: |
982 "[| Crypt K {|{|{|Number LID_M, others|}, Hash OIData|}, Hash PANData|} |
982 "[| Crypt K \<lbrace>\<lbrace>\<lbrace>Number LID_M, others\<rbrace>, Hash OIData\<rbrace>, Hash PANData\<rbrace> |
983 \<in> parts (knows Spy evs); |
983 \<in> parts (knows Spy evs); |
984 PANData = {|Pan (pan (Cardholder k)), Nonce (PANSecret k)|}; |
984 PANData = \<lbrace>Pan (pan (Cardholder k)), Nonce (PANSecret k)\<rbrace>; |
985 Key K \<notin> analz (knows Spy evs); |
985 Key K \<notin> analz (knows Spy evs); |
986 evs \<in> set_pur|] |
986 evs \<in> set_pur|] |
987 ==> \<exists>M shash EK HPIData. |
987 ==> \<exists>M shash EK HPIData. |
988 Says (Cardholder k) M {|{|shash, |
988 Says (Cardholder k) M \<lbrace>\<lbrace>shash, |
989 Crypt K |
989 Crypt K |
990 {|{|{|Number LID_M, others|}, Hash OIData|}, Hash PANData|}, |
990 \<lbrace>\<lbrace>\<lbrace>Number LID_M, others\<rbrace>, Hash OIData\<rbrace>, Hash PANData\<rbrace>, |
991 Crypt EK {|Key K, PANData|}|}, |
991 Crypt EK \<lbrace>Key K, PANData\<rbrace>\<rbrace>, |
992 OIData, HPIData|} \<in> set evs" |
992 OIData, HPIData\<rbrace> \<in> set evs" |
993 apply (erule rev_mp) |
993 apply (erule rev_mp) |
994 apply (erule rev_mp) |
994 apply (erule rev_mp) |
995 apply (erule rev_mp) |
995 apply (erule rev_mp) |
996 apply (erule set_pur.induct, analz_mono_contra) |
996 apply (erule set_pur.induct, analz_mono_contra) |
997 apply (frule_tac [9] AuthReq_msg_in_parts_spies) --{*AuthReq*} |
997 apply (frule_tac [9] AuthReq_msg_in_parts_spies) --{*AuthReq*} |
998 apply simp_all |
998 apply simp_all |
999 apply auto |
999 apply auto |
1000 done |
1000 done |
1001 |
1001 |
1002 lemma Says_PReqS_imp_trans_details_C: |
1002 lemma Says_PReqS_imp_trans_details_C: |
1003 "[| MsgPReqS = {|{|shash, |
1003 "[| MsgPReqS = \<lbrace>\<lbrace>shash, |
1004 Crypt K |
1004 Crypt K |
1005 {|{|{|Number LID_M, PIrest|}, Hash OIData|}, hashpd|}, |
1005 \<lbrace>\<lbrace>\<lbrace>Number LID_M, PIrest\<rbrace>, Hash OIData\<rbrace>, hashpd\<rbrace>, |
1006 cryptek|}, data|}; |
1006 cryptek\<rbrace>, data\<rbrace>; |
1007 Says (Cardholder k) M MsgPReqS \<in> set evs; |
1007 Says (Cardholder k) M MsgPReqS \<in> set evs; |
1008 evs \<in> set_pur |] |
1008 evs \<in> set_pur |] |
1009 ==> \<exists>trans. |
1009 ==> \<exists>trans. |
1010 Notes (Cardholder k) |
1010 Notes (Cardholder k) |
1011 {|Number LID_M, Agent M, Agent (Cardholder k), trans|} |
1011 \<lbrace>Number LID_M, Agent M, Agent (Cardholder k), trans\<rbrace> |
1012 \<in> set evs" |
1012 \<in> set evs" |
1013 apply (erule rev_mp) |
1013 apply (erule rev_mp) |
1014 apply (erule rev_mp) |
1014 apply (erule rev_mp) |
1015 apply (erule set_pur.induct) |
1015 apply (erule set_pur.induct) |
1016 apply (simp_all (no_asm_simp)) |
1016 apply (simp_all (no_asm_simp)) |
1052 text{*When P sees a dual signature, he knows that it originated with C. |
1052 text{*When P sees a dual signature, he knows that it originated with C. |
1053 and was intended for M. This guarantee isn't useful to M, who never gets |
1053 and was intended for M. This guarantee isn't useful to M, who never gets |
1054 PIData. I don't see how to link @{term "PG j"} and @{text LID_M} without |
1054 PIData. I don't see how to link @{term "PG j"} and @{text LID_M} without |
1055 assuming @{term "M \<notin> bad"}.*} |
1055 assuming @{term "M \<notin> bad"}.*} |
1056 theorem P_verifies_Signed_PReq: |
1056 theorem P_verifies_Signed_PReq: |
1057 "[| MsgDualSign = {|Hash PIData, HOIData|}; |
1057 "[| MsgDualSign = \<lbrace>Hash PIData, HOIData\<rbrace>; |
1058 PIData = {|PIHead, PANData|}; |
1058 PIData = \<lbrace>PIHead, PANData\<rbrace>; |
1059 PIHead = {|Number LID_M, Number XID, HOD, Number PurchAmt, Agent M, |
1059 PIHead = \<lbrace>Number LID_M, Number XID, HOD, Number PurchAmt, Agent M, |
1060 TransStain|}; |
1060 TransStain\<rbrace>; |
1061 Crypt (priSK C) (Hash MsgDualSign) \<in> parts (knows Spy evs); |
1061 Crypt (priSK C) (Hash MsgDualSign) \<in> parts (knows Spy evs); |
1062 evs \<in> set_pur; C \<notin> bad; M \<notin> bad|] |
1062 evs \<in> set_pur; C \<notin> bad; M \<notin> bad|] |
1063 ==> \<exists>OIData OrderDesc K j trans. |
1063 ==> \<exists>OIData OrderDesc K j trans. |
1064 HOD = Hash{|Number OrderDesc, Number PurchAmt|} & |
1064 HOD = Hash\<lbrace>Number OrderDesc, Number PurchAmt\<rbrace> & |
1065 HOIData = Hash OIData & |
1065 HOIData = Hash OIData & |
1066 Notes M {|Number LID_M, Agent (PG j), trans|} \<in> set evs & |
1066 Notes M \<lbrace>Number LID_M, Agent (PG j), trans\<rbrace> \<in> set evs & |
1067 Says C M {|{|sign (priSK C) MsgDualSign, |
1067 Says C M \<lbrace>\<lbrace>sign (priSK C) MsgDualSign, |
1068 EXcrypt K (pubEK (PG j)) |
1068 EXcrypt K (pubEK (PG j)) |
1069 {|PIHead, Hash OIData|} PANData|}, |
1069 \<lbrace>PIHead, Hash OIData\<rbrace> PANData\<rbrace>, |
1070 OIData, Hash PIData|} |
1070 OIData, Hash PIData\<rbrace> |
1071 \<in> set evs" |
1071 \<in> set evs" |
1072 apply clarify |
1072 apply clarify |
1073 apply (erule rev_mp) |
1073 apply (erule rev_mp) |
1074 apply (erule set_pur.induct, simp_all) |
1074 apply (erule set_pur.induct, simp_all) |
1075 apply (auto dest!: C_gets_correct_PG) |
1075 apply (auto dest!: C_gets_correct_PG) |
1076 done |
1076 done |
1077 |
1077 |
1078 lemma C_determines_EKj_signed: |
1078 lemma C_determines_EKj_signed: |
1079 "[| Says C M {|{|sign (priSK C) text, |
1079 "[| Says C M \<lbrace>\<lbrace>sign (priSK C) text, |
1080 EXcrypt K EKj {|PIHead, X|} Y|}, Z|} \<in> set evs; |
1080 EXcrypt K EKj \<lbrace>PIHead, X\<rbrace> Y\<rbrace>, Z\<rbrace> \<in> set evs; |
1081 PIHead = {|Number LID_M, Number XID, W|}; |
1081 PIHead = \<lbrace>Number LID_M, Number XID, W\<rbrace>; |
1082 C = Cardholder k; evs \<in> set_pur; M \<notin> bad|] |
1082 C = Cardholder k; evs \<in> set_pur; M \<notin> bad|] |
1083 ==> \<exists> trans j. |
1083 ==> \<exists> trans j. |
1084 Notes M {|Number LID_M, Agent (PG j), trans|} \<in> set evs & |
1084 Notes M \<lbrace>Number LID_M, Agent (PG j), trans\<rbrace> \<in> set evs & |
1085 EKj = pubEK (PG j)" |
1085 EKj = pubEK (PG j)" |
1086 apply clarify |
1086 apply clarify |
1087 apply (erule rev_mp) |
1087 apply (erule rev_mp) |
1088 apply (erule set_pur.induct, simp_all, auto) |
1088 apply (erule set_pur.induct, simp_all, auto) |
1089 apply (blast dest: C_gets_correct_PG) |
1089 apply (blast dest: C_gets_correct_PG) |
1090 done |
1090 done |
1091 |
1091 |
1092 lemma M_Says_AuthReq: |
1092 lemma M_Says_AuthReq: |
1093 "[| AuthReqData = {|Number LID_M, Number XID, HOIData, HOD|}; |
1093 "[| AuthReqData = \<lbrace>Number LID_M, Number XID, HOIData, HOD\<rbrace>; |
1094 sign (priSK M) {|AuthReqData, Hash P_I|} \<in> parts (knows Spy evs); |
1094 sign (priSK M) \<lbrace>AuthReqData, Hash P_I\<rbrace> \<in> parts (knows Spy evs); |
1095 evs \<in> set_pur; M \<notin> bad|] |
1095 evs \<in> set_pur; M \<notin> bad|] |
1096 ==> \<exists>j trans KM. |
1096 ==> \<exists>j trans KM. |
1097 Notes M {|Number LID_M, Agent (PG j), trans |} \<in> set evs & |
1097 Notes M \<lbrace>Number LID_M, Agent (PG j), trans \<rbrace> \<in> set evs & |
1098 Says M (PG j) |
1098 Says M (PG j) |
1099 (EncB (priSK M) KM (pubEK (PG j)) AuthReqData P_I) |
1099 (EncB (priSK M) KM (pubEK (PG j)) AuthReqData P_I) |
1100 \<in> set evs" |
1100 \<in> set evs" |
1101 apply (rule refl [THEN P_verifies_AuthReq, THEN exE]) |
1101 apply (rule refl [THEN P_verifies_AuthReq, THEN exE]) |
1102 apply (auto simp add: sign_def) |
1102 apply (auto simp add: sign_def) |
1126 done |
1126 done |
1127 |
1127 |
1128 text{*When P receives an AuthReq and a dual signature, he knows that C and M |
1128 text{*When P receives an AuthReq and a dual signature, he knows that C and M |
1129 agree on the essential details. PurchAmt however is never sent by M to |
1129 agree on the essential details. PurchAmt however is never sent by M to |
1130 P; instead C and M both send |
1130 P; instead C and M both send |
1131 @{term "HOD = Hash{|Number OrderDesc, Number PurchAmt|}"} |
1131 @{term "HOD = Hash\<lbrace>Number OrderDesc, Number PurchAmt\<rbrace>"} |
1132 and P compares the two copies of HOD. |
1132 and P compares the two copies of HOD. |
1133 |
1133 |
1134 Agreement can't be proved for some things, including the symmetric keys |
1134 Agreement can't be proved for some things, including the symmetric keys |
1135 used in the digital envelopes. On the other hand, M knows the true identity |
1135 used in the digital envelopes. On the other hand, M knows the true identity |
1136 of PG (namely j'), and sends AReq there; he can't, however, check that |
1136 of PG (namely j'), and sends AReq there; he can't, however, check that |
1137 the EXcrypt involves the correct PG's key. |
1137 the EXcrypt involves the correct PG's key. |
1138 *} |
1138 *} |
1139 theorem P_sees_CM_agreement: |
1139 theorem P_sees_CM_agreement: |
1140 "[| AuthReqData = {|Number LID_M, Number XID, HOIData, HOD|}; |
1140 "[| AuthReqData = \<lbrace>Number LID_M, Number XID, HOIData, HOD\<rbrace>; |
1141 KC \<in> symKeys; |
1141 KC \<in> symKeys; |
1142 Gets (PG j) (EncB (priSK M) KM (pubEK (PG j)) AuthReqData P_I) |
1142 Gets (PG j) (EncB (priSK M) KM (pubEK (PG j)) AuthReqData P_I) |
1143 \<in> set evs; |
1143 \<in> set evs; |
1144 C = Cardholder k; |
1144 C = Cardholder k; |
1145 PI_sign = sign (priSK C) {|Hash PIData, HOIData|}; |
1145 PI_sign = sign (priSK C) \<lbrace>Hash PIData, HOIData\<rbrace>; |
1146 P_I = {|PI_sign, |
1146 P_I = \<lbrace>PI_sign, |
1147 EXcrypt KC (pubEK (PG j)) {|PIHead, HOIData|} PANData|}; |
1147 EXcrypt KC (pubEK (PG j)) \<lbrace>PIHead, HOIData\<rbrace> PANData\<rbrace>; |
1148 PANData = {|Pan (pan C), Nonce (PANSecret k)|}; |
1148 PANData = \<lbrace>Pan (pan C), Nonce (PANSecret k)\<rbrace>; |
1149 PIData = {|PIHead, PANData|}; |
1149 PIData = \<lbrace>PIHead, PANData\<rbrace>; |
1150 PIHead = {|Number LID_M, Number XID, HOD, Number PurchAmt, Agent M, |
1150 PIHead = \<lbrace>Number LID_M, Number XID, HOD, Number PurchAmt, Agent M, |
1151 TransStain|}; |
1151 TransStain\<rbrace>; |
1152 evs \<in> set_pur; C \<notin> bad; M \<notin> bad|] |
1152 evs \<in> set_pur; C \<notin> bad; M \<notin> bad|] |
1153 ==> \<exists>OIData OrderDesc KM' trans j' KC' KC'' P_I' P_I''. |
1153 ==> \<exists>OIData OrderDesc KM' trans j' KC' KC'' P_I' P_I''. |
1154 HOD = Hash{|Number OrderDesc, Number PurchAmt|} & |
1154 HOD = Hash\<lbrace>Number OrderDesc, Number PurchAmt\<rbrace> & |
1155 HOIData = Hash OIData & |
1155 HOIData = Hash OIData & |
1156 Notes M {|Number LID_M, Agent (PG j'), trans|} \<in> set evs & |
1156 Notes M \<lbrace>Number LID_M, Agent (PG j'), trans\<rbrace> \<in> set evs & |
1157 Says C M {|P_I', OIData, Hash PIData|} \<in> set evs & |
1157 Says C M \<lbrace>P_I', OIData, Hash PIData\<rbrace> \<in> set evs & |
1158 Says M (PG j') (EncB (priSK M) KM' (pubEK (PG j')) |
1158 Says M (PG j') (EncB (priSK M) KM' (pubEK (PG j')) |
1159 AuthReqData P_I'') \<in> set evs & |
1159 AuthReqData P_I'') \<in> set evs & |
1160 P_I' = {|PI_sign, |
1160 P_I' = \<lbrace>PI_sign, |
1161 EXcrypt KC' (pubEK (PG j')) {|PIHead, Hash OIData|} PANData|} & |
1161 EXcrypt KC' (pubEK (PG j')) \<lbrace>PIHead, Hash OIData\<rbrace> PANData\<rbrace> & |
1162 P_I'' = {|PI_sign, |
1162 P_I'' = \<lbrace>PI_sign, |
1163 EXcrypt KC'' (pubEK (PG j)) {|PIHead, Hash OIData|} PANData|}" |
1163 EXcrypt KC'' (pubEK (PG j)) \<lbrace>PIHead, Hash OIData\<rbrace> PANData\<rbrace>" |
1164 apply clarify |
1164 apply clarify |
1165 apply (rule exE) |
1165 apply (rule exE) |
1166 apply (rule P_verifies_Signed_PReq [OF refl refl refl]) |
1166 apply (rule P_verifies_Signed_PReq [OF refl refl refl]) |
1167 apply (simp (no_asm_use) add: sign_def EncB_def, blast) |
1167 apply (simp (no_asm_use) add: sign_def EncB_def, blast) |
1168 apply (assumption+, clarify, simp) |
1168 apply (assumption+, clarify, simp) |