109 |
109 |
110 (*** Future keys can't be seen or used! ***) |
110 (*** Future keys can't be seen or used! ***) |
111 |
111 |
112 (*Nobody can have SEEN keys that will be generated in the future. *) |
112 (*Nobody can have SEEN keys that will be generated in the future. *) |
113 goal thy "!!evs. evs : ns_shared lost ==> \ |
113 goal thy "!!evs. evs : ns_shared lost ==> \ |
114 \ length evs <= length evs' --> \ |
114 \ length evs <= i --> Key (newK i) ~: parts (sees lost Spy evs)"; |
115 \ Key (newK evs') ~: parts (sees lost Spy evs)"; |
|
116 by (parts_induct_tac 1); |
115 by (parts_induct_tac 1); |
117 by (ALLGOALS (fast_tac (!claset addEs [leD RS notE] |
116 by (ALLGOALS (fast_tac (!claset addEs [leD RS notE] |
118 addDs [impOfSubs analz_subset_parts, |
117 addDs [impOfSubs analz_subset_parts, |
119 impOfSubs parts_insert_subset_Un, |
118 impOfSubs parts_insert_subset_Un, |
120 Suc_leD] |
119 Suc_leD] |
122 qed_spec_mp "new_keys_not_seen"; |
121 qed_spec_mp "new_keys_not_seen"; |
123 Addsimps [new_keys_not_seen]; |
122 Addsimps [new_keys_not_seen]; |
124 |
123 |
125 (*Variant: old messages must contain old keys!*) |
124 (*Variant: old messages must contain old keys!*) |
126 goal thy |
125 goal thy |
127 "!!evs. [| Says A B X : set_of_list evs; \ |
126 "!!evs. [| Says A B X : set_of_list evs; \ |
128 \ Key (newK evt) : parts {X}; \ |
127 \ Key (newK i) : parts {X}; \ |
129 \ evs : ns_shared lost \ |
128 \ evs : ns_shared lost \ |
130 \ |] ==> length evt < length evs"; |
129 \ |] ==> i < length evs"; |
131 by (rtac ccontr 1); |
130 by (rtac ccontr 1); |
132 by (dtac leI 1); |
131 by (dtac leI 1); |
133 by (fast_tac (!claset addSDs [new_keys_not_seen, Says_imp_sees_Spy] |
132 by (fast_tac (!claset addSDs [new_keys_not_seen, Says_imp_sees_Spy] |
134 addIs [impOfSubs parts_mono]) 1); |
133 addIs [impOfSubs parts_mono]) 1); |
135 qed "Says_imp_old_keys"; |
134 qed "Says_imp_old_keys"; |
137 |
136 |
138 |
137 |
139 (*** Future nonces can't be seen or used! ***) |
138 (*** Future nonces can't be seen or used! ***) |
140 |
139 |
141 goal thy "!!evs. evs : ns_shared lost ==> \ |
140 goal thy "!!evs. evs : ns_shared lost ==> \ |
142 \ length evs <= length evt --> \ |
141 \ length evs <= i --> Nonce (newN i) ~: parts (sees lost Spy evs)"; |
143 \ Nonce (newN evt) ~: parts (sees lost Spy evs)"; |
|
144 by (parts_induct_tac 1); |
142 by (parts_induct_tac 1); |
145 by (REPEAT_FIRST |
143 by (REPEAT_FIRST |
146 (fast_tac (!claset addSEs partsEs |
144 (fast_tac (!claset addSEs partsEs |
147 addSDs [Says_imp_sees_Spy RS parts.Inj] |
145 addSDs [Says_imp_sees_Spy RS parts.Inj] |
148 addEs [leD RS notE] |
146 addEs [leD RS notE] |
154 |
152 |
155 |
153 |
156 (*Nobody can have USED keys that will be generated in the future. |
154 (*Nobody can have USED keys that will be generated in the future. |
157 ...very like new_keys_not_seen*) |
155 ...very like new_keys_not_seen*) |
158 goal thy "!!evs. evs : ns_shared lost ==> \ |
156 goal thy "!!evs. evs : ns_shared lost ==> \ |
159 \ length evs <= length evs' --> \ |
157 \ length evs <= i --> \ |
160 \ newK evs' ~: keysFor (parts (sees lost Spy evs))"; |
158 \ newK i ~: keysFor (parts (sees lost Spy evs))"; |
161 by (parts_induct_tac 1); |
159 by (parts_induct_tac 1); |
162 (*NS1 and NS2*) |
160 (*NS1 and NS2*) |
163 by (EVERY (map (fast_tac (!claset addDs [Suc_leD] addss (!simpset))) [3,2])); |
161 by (EVERY (map (fast_tac (!claset addDs [Suc_leD] addss (!simpset))) [3,2])); |
164 (*Fake and NS3*) |
162 (*Fake and NS3*) |
165 by (EVERY |
163 by (EVERY |
187 (** Lemmas concerning the form of items passed in messages **) |
185 (** Lemmas concerning the form of items passed in messages **) |
188 |
186 |
189 (*Describes the form of K, X and K' when the Server sends this message.*) |
187 (*Describes the form of K, X and K' when the Server sends this message.*) |
190 goal thy |
188 goal thy |
191 "!!evs. [| Says Server A (Crypt K' {|N, Agent B, K, X|}) : set_of_list evs; \ |
189 "!!evs. [| Says Server A (Crypt K' {|N, Agent B, K, X|}) : set_of_list evs; \ |
192 \ evs : ns_shared lost |] \ |
190 \ evs : ns_shared lost |] \ |
193 \ ==> (EX evt: ns_shared lost. \ |
191 \ ==> (EX i. K = Key(newK i) & \ |
194 \ K = Key(newK evt) & \ |
192 \ X = (Crypt (shrK B) {|K, Agent A|}) & \ |
195 \ X = (Crypt (shrK B) {|K, Agent A|}) & \ |
193 \ K' = shrK A)"; |
196 \ K' = shrK A)"; |
|
197 by (etac rev_mp 1); |
194 by (etac rev_mp 1); |
198 by (etac ns_shared.induct 1); |
195 by (etac ns_shared.induct 1); |
199 by (ALLGOALS (fast_tac (!claset addss (!simpset)))); |
196 by (ALLGOALS (fast_tac (!claset addss (!simpset)))); |
200 qed "Says_Server_message_form"; |
197 qed "Says_Server_message_form"; |
201 |
198 |
220 OR reduces it to the Fake case. |
217 OR reduces it to the Fake case. |
221 Use Says_Server_message_form if applicable.*) |
218 Use Says_Server_message_form if applicable.*) |
222 goal thy |
219 goal thy |
223 "!!evs. [| Says S A (Crypt (shrK A) {|Nonce NA, Agent B, Key K, X|}) \ |
220 "!!evs. [| Says S A (Crypt (shrK A) {|Nonce NA, Agent B, Key K, X|}) \ |
224 \ : set_of_list evs; evs : ns_shared lost |] \ |
221 \ : set_of_list evs; evs : ns_shared lost |] \ |
225 \ ==> (EX evt: ns_shared lost. K = newK evt & \ |
222 \ ==> (EX i. K = newK i & i < length evs & \ |
226 \ length evt < length evs & \ |
223 \ X = (Crypt (shrK B) {|Key K, Agent A|})) \ |
227 \ X = (Crypt (shrK B) {|Key K, Agent A|})) \ |
|
228 \ | X : analz (sees lost Spy evs)"; |
224 \ | X : analz (sees lost Spy evs)"; |
229 by (case_tac "A : lost" 1); |
225 by (case_tac "A : lost" 1); |
230 by (fast_tac (!claset addSDs [Says_imp_sees_Spy RS analz.Inj] |
226 by (fast_tac (!claset addSDs [Says_imp_sees_Spy RS analz.Inj] |
231 addss (!simpset)) 1); |
227 addss (!simpset)) 1); |
232 by (forward_tac [Says_imp_sees_Spy RS parts.Inj] 1); |
228 by (forward_tac [Says_imp_sees_Spy RS parts.Inj] 1); |
240 (*For proofs involving analz. We again instantiate the variable to "lost".*) |
236 (*For proofs involving analz. We again instantiate the variable to "lost".*) |
241 val analz_Fake_tac = |
237 val analz_Fake_tac = |
242 forw_inst_tac [("lost","lost")] Says_Server_message_form 8 THEN |
238 forw_inst_tac [("lost","lost")] Says_Server_message_form 8 THEN |
243 forw_inst_tac [("lost","lost")] Says_S_message_form 5 THEN |
239 forw_inst_tac [("lost","lost")] Says_S_message_form 5 THEN |
244 Full_simp_tac 7 THEN |
240 Full_simp_tac 7 THEN |
245 REPEAT_FIRST (eresolve_tac [asm_rl, bexE, disjE] ORELSE' hyp_subst_tac); |
241 REPEAT_FIRST (eresolve_tac [asm_rl, exE, disjE] ORELSE' hyp_subst_tac); |
246 |
242 |
247 |
243 |
248 (**** |
244 (**** |
249 The following is to prove theorems of the form |
245 The following is to prove theorems of the form |
250 |
246 |
251 Key K : analz (insert (Key (newK evt)) (sees lost Spy evs)) ==> |
247 Key K : analz (insert (Key (newK i)) (sees lost Spy evs)) ==> |
252 Key K : analz (sees lost Spy evs) |
248 Key K : analz (sees lost Spy evs) |
253 |
249 |
254 A more general formula must be proved inductively. |
250 A more general formula must be proved inductively. |
255 |
251 |
256 ****) |
252 ****) |
257 |
253 |
259 (*NOT useful in this form, but it says that session keys are not used |
255 (*NOT useful in this form, but it says that session keys are not used |
260 to encrypt messages containing other keys, in the actual protocol. |
256 to encrypt messages containing other keys, in the actual protocol. |
261 We require that agents should behave like this subsequently also.*) |
257 We require that agents should behave like this subsequently also.*) |
262 goal thy |
258 goal thy |
263 "!!evs. evs : ns_shared lost ==> \ |
259 "!!evs. evs : ns_shared lost ==> \ |
264 \ (Crypt (newK evt) X) : parts (sees lost Spy evs) & \ |
260 \ (Crypt (newK i) X) : parts (sees lost Spy evs) & \ |
265 \ Key K : parts {X} --> Key K : parts (sees lost Spy evs)"; |
261 \ Key K : parts {X} --> Key K : parts (sees lost Spy evs)"; |
266 by (etac ns_shared.induct 1); |
262 by (etac ns_shared.induct 1); |
267 by parts_Fake_tac; |
263 by parts_Fake_tac; |
268 by (ALLGOALS Asm_simp_tac); |
264 by (ALLGOALS Asm_simp_tac); |
269 (*Deals with Faked messages*) |
265 (*Deals with Faked messages*) |
283 \ ALL K E. (Key K : analz (Key``(newK``E) Un (sees lost Spy evs))) = \ |
279 \ ALL K E. (Key K : analz (Key``(newK``E) Un (sees lost Spy evs))) = \ |
284 \ (K : newK``E | Key K : analz (sees lost Spy evs))"; |
280 \ (K : newK``E | Key K : analz (sees lost Spy evs))"; |
285 by (etac ns_shared.induct 1); |
281 by (etac ns_shared.induct 1); |
286 by analz_Fake_tac; |
282 by analz_Fake_tac; |
287 by (REPEAT_FIRST (resolve_tac [allI, analz_image_newK_lemma])); |
283 by (REPEAT_FIRST (resolve_tac [allI, analz_image_newK_lemma])); |
288 by (ALLGOALS |
284 by (ALLGOALS (*Takes 18 secs*) |
289 (asm_simp_tac |
285 (asm_simp_tac |
290 (!simpset addsimps ([insert_Key_singleton, insert_Key_image, pushKey_newK] |
286 (!simpset addsimps [Un_assoc RS sym, |
291 @ pushes) |
287 insert_Key_singleton, insert_Key_image, pushKey_newK] |
292 setloop split_tac [expand_if]))); |
288 setloop split_tac [expand_if]))); |
293 (*NS3, Fake*) |
289 (*NS4, Fake*) |
294 by (EVERY (map spy_analz_tac [5,2])); |
290 by (EVERY (map spy_analz_tac [5,2])); |
|
291 (*NS3, NS2, Base*) |
295 by (REPEAT (fast_tac (!claset addIs [image_eqI] addss (!simpset)) 1)); |
292 by (REPEAT (fast_tac (!claset addIs [image_eqI] addss (!simpset)) 1)); |
296 (*NS3, NS2, Base*) |
|
297 by (REPEAT (Fast_tac 3)); |
|
298 qed_spec_mp "analz_image_newK"; |
293 qed_spec_mp "analz_image_newK"; |
299 |
294 |
300 |
295 |
301 goal thy |
296 goal thy |
302 "!!evs. evs : ns_shared lost ==> \ |
297 "!!evs. evs : ns_shared lost ==> \ |
303 \ Key K : analz (insert (Key (newK evt)) (sees lost Spy evs)) = \ |
298 \ Key K : analz (insert (Key(newK i)) (sees lost Spy evs)) = \ |
304 \ (K = newK evt | Key K : analz (sees lost Spy evs))"; |
299 \ (K = newK i | Key K : analz (sees lost Spy evs))"; |
305 by (asm_simp_tac (HOL_ss addsimps [pushKey_newK, analz_image_newK, |
300 by (asm_simp_tac (HOL_ss addsimps [pushKey_newK, analz_image_newK, |
306 insert_Key_singleton]) 1); |
301 insert_Key_singleton]) 1); |
307 by (Fast_tac 1); |
302 by (Fast_tac 1); |
308 qed "analz_insert_Key_newK"; |
303 qed "analz_insert_Key_newK"; |
309 |
304 |
310 |
305 |
311 (** The session key K uniquely identifies the message, if encrypted |
306 (** The session key K uniquely identifies the message, if encrypted |
312 with a secure key **) |
307 with a secure key **) |
313 |
308 |
314 goal thy |
309 goal thy |
315 "!!evs. evs : ns_shared lost ==> \ |
310 "!!evs. evs : ns_shared lost ==> \ |
316 \ EX A' NA' B' X'. ALL A NA B X. \ |
311 \ EX A' NA' B' X'. ALL A NA B X. \ |
317 \ Says Server A (Crypt (shrK A) {|NA, Agent B, Key K, X|}) \ |
312 \ Says Server A (Crypt (shrK A) {|NA, Agent B, Key K, X|}) \ |
318 \ : set_of_list evs --> A=A' & NA=NA' & B=B' & X=X'"; |
313 \ : set_of_list evs --> A=A' & NA=NA' & B=B' & X=X'"; |
319 by (etac ns_shared.induct 1); |
314 by (etac ns_shared.induct 1); |
320 by (ALLGOALS (asm_simp_tac (!simpset addsimps [all_conj_distrib]))); |
315 by (ALLGOALS (asm_simp_tac (!simpset addsimps [all_conj_distrib]))); |
321 by (Step_tac 1); |
316 by (Step_tac 1); |
337 \ : set_of_list evs; \ |
332 \ : set_of_list evs; \ |
338 \ Says Server A' \ |
333 \ Says Server A' \ |
339 \ (Crypt (shrK A') {|NA', Agent B', Key K, X'|}) \ |
334 \ (Crypt (shrK A') {|NA', Agent B', Key K, X'|}) \ |
340 \ : set_of_list evs; \ |
335 \ : set_of_list evs; \ |
341 \ evs : ns_shared lost |] ==> A=A' & NA=NA' & B=B' & X = X'"; |
336 \ evs : ns_shared lost |] ==> A=A' & NA=NA' & B=B' & X = X'"; |
342 by (dtac lemma 1); |
337 by (prove_unique_tac lemma 1); |
343 by (REPEAT (etac exE 1)); |
|
344 (*Duplicate the assumption*) |
|
345 by (forw_inst_tac [("psi", "ALL A.?P(A)")] asm_rl 1); |
|
346 by (fast_tac (!claset addSDs [ spec] |
|
347 delrules [conjI] addss (!simpset)) 1); |
|
348 qed "unique_session_keys"; |
338 qed "unique_session_keys"; |
349 |
339 |
350 |
340 |
351 (** Crucial secrecy property: Spy does not see the keys sent in msg NS2 **) |
341 (** Crucial secrecy property: Spy does not see the keys sent in msg NS2 **) |
352 |
342 |
367 setloop split_tac [expand_if]))); |
357 setloop split_tac [expand_if]))); |
368 (*NS2*) |
358 (*NS2*) |
369 by (fast_tac (!claset addIs [parts_insertI] |
359 by (fast_tac (!claset addIs [parts_insertI] |
370 addEs [Says_imp_old_keys RS less_irrefl] |
360 addEs [Says_imp_old_keys RS less_irrefl] |
371 addss (!simpset)) 2); |
361 addss (!simpset)) 2); |
372 (*OR4, OR2, Fake*) |
362 (*NS4, Fake*) |
373 by (REPEAT_FIRST spy_analz_tac); |
363 by (EVERY (map spy_analz_tac [3,1])); |
374 (*NS3 and Oops subcases*) (**LEVEL 7 **) |
364 (*NS3 and Oops subcases*) (**LEVEL 5 **) |
375 by (step_tac (!claset delrules [impCE]) 1); |
365 by (step_tac (!claset delrules [impCE]) 1); |
376 by (full_simp_tac (!simpset addsimps [all_conj_distrib]) 2); |
366 by (full_simp_tac (!simpset addsimps [all_conj_distrib]) 2); |
377 by (etac conjE 2); |
367 by (etac conjE 2); |
378 by (mp_tac 2); |
368 by (mp_tac 2); |
379 (**LEVEL 11 **) |
369 (**LEVEL 9 **) |
380 by (forward_tac [Says_imp_sees_Spy RS parts.Inj RS A_trusts_NS2] 2); |
370 by (forward_tac [Says_imp_sees_Spy RS parts.Inj RS A_trusts_NS2] 2); |
381 by (assume_tac 3); |
371 by (assume_tac 3); |
382 by (fast_tac (!claset addSEs [Says_Crypt_not_lost]) 2); |
372 by (fast_tac (!claset addSEs [Says_Crypt_not_lost]) 2); |
383 by (fast_tac (!claset addDs [unique_session_keys] addss (!simpset)) 2); |
373 by (fast_tac (!claset addDs [unique_session_keys] addss (!simpset)) 2); |
384 (*NS3*) |
374 (*NS3*) |
458 by (fast_tac (!claset addSDs [Crypt_Fake_parts_insert] |
448 by (fast_tac (!claset addSDs [Crypt_Fake_parts_insert] |
459 addDs [impOfSubs analz_subset_parts]) 1); |
449 addDs [impOfSubs analz_subset_parts]) 1); |
460 by (Fast_tac 2); |
450 by (Fast_tac 2); |
461 by (REPEAT_FIRST (rtac impI ORELSE' etac conjE ORELSE' hyp_subst_tac)); |
451 by (REPEAT_FIRST (rtac impI ORELSE' etac conjE ORELSE' hyp_subst_tac)); |
462 (*Contradiction from the assumption |
452 (*Contradiction from the assumption |
463 Crypt (newK evsa) (Nonce NB) : parts (sees lost Spy evsa) *) |
453 Crypt (newK(length evsa)) (Nonce NB) : parts (sees lost Spy evsa) *) |
464 by (dtac Crypt_imp_invKey_keysFor 1); |
454 by (dtac Crypt_imp_invKey_keysFor 1); |
465 (**LEVEL 10**) |
455 (**LEVEL 10**) |
466 by (Asm_full_simp_tac 1); |
456 by (Asm_full_simp_tac 1); |
467 by (rtac disjI1 1); |
457 by (rtac disjI1 1); |
468 by (thin_tac "?PP-->?QQ" 1); |
458 by (thin_tac "?PP-->?QQ" 1); |