16 |
16 |
17 proof_timing:=true; |
17 proof_timing:=true; |
18 HOL_quantifiers := false; |
18 HOL_quantifiers := false; |
19 |
19 |
20 |
20 |
21 (*Weak liveness: there are traces that reach the end*) |
21 (*A "possibility property": there are traces that reach the end*) |
22 goal thy |
22 goal thy |
23 "!!A B. [| A ~= B; A ~= Server; B ~= Server |] \ |
23 "!!A B. [| A ~= B; A ~= Server; B ~= Server |] \ |
24 \ ==> EX K. EX NA. EX evs: otway lost. \ |
24 \ ==> EX K. EX NA. EX evs: otway lost. \ |
25 \ Says B A (Crypt (shrK A) {|Nonce NA, Agent A, Agent B, Key K|}) \ |
25 \ Says B A (Crypt (shrK A) {|Nonce NA, Agent A, Agent B, Key K|}) \ |
26 \ : set_of_list evs"; |
26 \ : set_of_list evs"; |
27 by (REPEAT (resolve_tac [exI,bexI] 1)); |
27 by (REPEAT (resolve_tac [exI,bexI] 1)); |
28 by (rtac (otway.Nil RS otway.OR1 RS otway.OR2 RS otway.OR3 RS otway.OR4) 2); |
28 by (rtac (otway.Nil RS otway.OR1 RS otway.OR2 RS otway.OR3 RS otway.OR4) 2); |
29 by (ALLGOALS (simp_tac (!simpset setsolver safe_solver))); |
29 by (ALLGOALS (simp_tac (!simpset setsolver safe_solver))); |
118 |
118 |
119 |
119 |
120 (*** Future keys can't be seen or used! ***) |
120 (*** Future keys can't be seen or used! ***) |
121 |
121 |
122 (*Nobody can have SEEN keys that will be generated in the future. *) |
122 (*Nobody can have SEEN keys that will be generated in the future. *) |
123 goal thy "!!evs. evs : otway lost ==> \ |
123 goal thy "!!evs. evs : otway lost ==> \ |
124 \ length evs <= length evs' --> \ |
124 \ length evs <= length evs' --> \ |
125 \ Key (newK evs') ~: parts (sees lost Spy evs)"; |
125 \ Key (newK evs') ~: parts (sees lost Spy evs)"; |
126 by (parts_induct_tac 1); |
126 by (parts_induct_tac 1); |
127 by (REPEAT_FIRST (best_tac (!claset addEs [leD RS notE] |
127 by (REPEAT_FIRST (best_tac (!claset addEs [leD RS notE] |
128 addDs [impOfSubs analz_subset_parts, |
128 addDs [impOfSubs analz_subset_parts, |
129 impOfSubs parts_insert_subset_Un, |
129 impOfSubs parts_insert_subset_Un, |
145 qed "Says_imp_old_keys"; |
145 qed "Says_imp_old_keys"; |
146 |
146 |
147 |
147 |
148 (*Nobody can have USED keys that will be generated in the future. |
148 (*Nobody can have USED keys that will be generated in the future. |
149 ...very like new_keys_not_seen*) |
149 ...very like new_keys_not_seen*) |
150 goal thy "!!evs. evs : otway lost ==> \ |
150 goal thy "!!evs. evs : otway lost ==> \ |
151 \ length evs <= length evs' --> \ |
151 \ length evs <= length evs' --> \ |
152 \ newK evs' ~: keysFor (parts (sees lost Spy evs))"; |
152 \ newK evs' ~: keysFor (parts (sees lost Spy evs))"; |
153 by (parts_induct_tac 1); |
153 by (parts_induct_tac 1); |
154 (*OR1 and OR3*) |
154 (*OR1 and OR3*) |
155 by (EVERY (map (fast_tac (!claset addDs [Suc_leD] addss (!simpset))) [4,2])); |
155 by (EVERY (map (fast_tac (!claset addDs [Suc_leD] addss (!simpset))) [4,2])); |
174 (*** Proofs involving analz ***) |
174 (*** Proofs involving analz ***) |
175 |
175 |
176 (*Describes the form of K and NA when the Server sends this message.*) |
176 (*Describes the form of K and NA when the Server sends this message.*) |
177 goal thy |
177 goal thy |
178 "!!evs. [| Says Server B \ |
178 "!!evs. [| Says Server B \ |
179 \ {|Crypt (shrK A) {|NA, Agent A, Agent B, K|}, \ |
179 \ {|Crypt (shrK A) {|NA, Agent A, Agent B, K|}, \ |
180 \ Crypt (shrK B) {|NB, Agent A, Agent B, K|}|} : set_of_list evs; \ |
180 \ Crypt (shrK B) {|NB, Agent A, Agent B, K|}|} : set_of_list evs; \ |
181 \ evs : otway lost |] \ |
181 \ evs : otway lost |] \ |
182 \ ==> (EX evt: otway lost. K = Key(newK evt)) & \ |
182 \ ==> (EX evt: otway lost. K = Key(newK evt)) & \ |
183 \ (EX i. NA = Nonce i) & \ |
183 \ (EX i. NA = Nonce i) & \ |
184 \ (EX j. NB = Nonce j)"; |
184 \ (EX j. NB = Nonce j)"; |
185 by (etac rev_mp 1); |
185 by (etac rev_mp 1); |
186 by (etac otway.induct 1); |
186 by (etac otway.induct 1); |
187 by (ALLGOALS (fast_tac (!claset addss (!simpset)))); |
187 by (ALLGOALS (fast_tac (!claset addss (!simpset)))); |
188 qed "Says_Server_message_form"; |
188 qed "Says_Server_message_form"; |
209 |
209 |
210 (** Session keys are not used to encrypt other session keys **) |
210 (** Session keys are not used to encrypt other session keys **) |
211 |
211 |
212 (*The equality makes the induction hypothesis easier to apply*) |
212 (*The equality makes the induction hypothesis easier to apply*) |
213 goal thy |
213 goal thy |
214 "!!evs. evs : otway lost ==> \ |
214 "!!evs. evs : otway lost ==> \ |
215 \ ALL K E. (Key K : analz (Key``(newK``E) Un (sees lost Spy evs))) = \ |
215 \ ALL K E. (Key K : analz (Key``(newK``E) Un (sees lost Spy evs))) = \ |
216 \ (K : newK``E | Key K : analz (sees lost Spy evs))"; |
216 \ (K : newK``E | Key K : analz (sees lost Spy evs))"; |
217 by (etac otway.induct 1); |
217 by (etac otway.induct 1); |
218 by analz_Fake_tac; |
218 by analz_Fake_tac; |
219 by (REPEAT_FIRST (ares_tac [allI, analz_image_newK_lemma])); |
219 by (REPEAT_FIRST (ares_tac [allI, analz_image_newK_lemma])); |
229 by (REPEAT (fast_tac (!claset addIs [image_eqI] addss (!simpset)) 1)); |
229 by (REPEAT (fast_tac (!claset addIs [image_eqI] addss (!simpset)) 1)); |
230 qed_spec_mp "analz_image_newK"; |
230 qed_spec_mp "analz_image_newK"; |
231 |
231 |
232 |
232 |
233 goal thy |
233 goal thy |
234 "!!evs. evs : otway lost ==> \ |
234 "!!evs. evs : otway lost ==> \ |
235 \ Key K : analz (insert (Key (newK evt)) (sees lost Spy evs)) = \ |
235 \ Key K : analz (insert (Key (newK evt)) (sees lost Spy evs)) = \ |
236 \ (K = newK evt | Key K : analz (sees lost Spy evs))"; |
236 \ (K = newK evt | Key K : analz (sees lost Spy evs))"; |
237 by (asm_simp_tac (HOL_ss addsimps [pushKey_newK, analz_image_newK, |
237 by (asm_simp_tac (HOL_ss addsimps [pushKey_newK, analz_image_newK, |
238 insert_Key_singleton]) 1); |
238 insert_Key_singleton]) 1); |
239 by (Fast_tac 1); |
239 by (Fast_tac 1); |
241 |
241 |
242 |
242 |
243 (*** The Key K uniquely identifies the Server's message. **) |
243 (*** The Key K uniquely identifies the Server's message. **) |
244 |
244 |
245 goal thy |
245 goal thy |
246 "!!evs. evs : otway lost ==> \ |
246 "!!evs. evs : otway lost ==> \ |
247 \ EX A' B' NA' NB'. ALL A B NA NB. \ |
247 \ EX A' B' NA' NB'. ALL A B NA NB. \ |
248 \ Says Server B \ |
248 \ Says Server B \ |
249 \ {|Crypt (shrK A) {|NA, Agent A, Agent B, K|}, \ |
249 \ {|Crypt (shrK A) {|NA, Agent A, Agent B, K|}, \ |
250 \ Crypt (shrK B) {|NB, Agent A, Agent B, K|}|} : set_of_list evs \ |
250 \ Crypt (shrK B) {|NB, Agent A, Agent B, K|}|} : set_of_list evs \ |
251 \ --> A=A' & B=B' & NA=NA' & NB=NB'"; |
251 \ --> A=A' & B=B' & NA=NA' & NB=NB'"; |
252 by (etac otway.induct 1); |
252 by (etac otway.induct 1); |
253 by (ALLGOALS (asm_simp_tac (!simpset addsimps [all_conj_distrib]))); |
253 by (ALLGOALS (asm_simp_tac (!simpset addsimps [all_conj_distrib]))); |
254 by (Step_tac 1); |
254 by (Step_tac 1); |
289 (*If the encrypted message appears then it originated with the Server!*) |
289 (*If the encrypted message appears then it originated with the Server!*) |
290 goal thy |
290 goal thy |
291 "!!evs. [| A ~: lost; evs : otway lost |] \ |
291 "!!evs. [| A ~: lost; evs : otway lost |] \ |
292 \ ==> Crypt (shrK A) {|NA, Agent A, Agent B, Key K|} \ |
292 \ ==> Crypt (shrK A) {|NA, Agent A, Agent B, Key K|} \ |
293 \ : parts (sees lost Spy evs) \ |
293 \ : parts (sees lost Spy evs) \ |
294 \ --> (EX NB. Says Server B \ |
294 \ --> (EX NB. Says Server B \ |
295 \ {|Crypt (shrK A) {|NA, Agent A, Agent B, Key K|}, \ |
295 \ {|Crypt (shrK A) {|NA, Agent A, Agent B, Key K|}, \ |
296 \ Crypt (shrK B) {|NB, Agent A, Agent B, Key K|}|} \ |
296 \ Crypt (shrK B) {|NB, Agent A, Agent B, Key K|}|} \ |
297 \ : set_of_list evs)"; |
297 \ : set_of_list evs)"; |
298 by (parts_induct_tac 1); |
298 by (parts_induct_tac 1); |
299 by (ALLGOALS (asm_simp_tac (!simpset addsimps [ex_disj_distrib]))); |
299 by (ALLGOALS (asm_simp_tac (!simpset addsimps [ex_disj_distrib]))); |
316 \ Crypt (shrK B) {|NB, Agent A, Agent B, Key K|}|} \ |
316 \ Crypt (shrK B) {|NB, Agent A, Agent B, Key K|}|} \ |
317 \ : set_of_list evs"; |
317 \ : set_of_list evs"; |
318 by (fast_tac (!claset addSIs [NA_Crypt_imp_Server_msg] |
318 by (fast_tac (!claset addSIs [NA_Crypt_imp_Server_msg] |
319 addEs partsEs |
319 addEs partsEs |
320 addDs [Says_imp_sees_Spy RS parts.Inj]) 1); |
320 addDs [Says_imp_sees_Spy RS parts.Inj]) 1); |
321 qed "A_trust_OR4"; |
321 qed "A_trusts_OR4"; |
322 |
322 |
323 |
323 |
324 (** Crucial secrecy property: Spy does not see the keys sent in msg OR3 |
324 (** Crucial secrecy property: Spy does not see the keys sent in msg OR3 |
325 Does not in itself guarantee security: an attack could violate |
325 Does not in itself guarantee security: an attack could violate |
326 the premises, e.g. by having A=Spy **) |
326 the premises, e.g. by having A=Spy **) |
405 \ Crypt (shrK B) {|NB, Agent A, Agent B, Key K|}|} \ |
405 \ Crypt (shrK B) {|NB, Agent A, Agent B, Key K|}|} \ |
406 \ : set_of_list evs"; |
406 \ : set_of_list evs"; |
407 by (fast_tac (!claset addSIs [NB_Crypt_imp_Server_msg] |
407 by (fast_tac (!claset addSIs [NB_Crypt_imp_Server_msg] |
408 addEs partsEs |
408 addEs partsEs |
409 addDs [Says_imp_sees_Spy RS parts.Inj]) 1); |
409 addDs [Says_imp_sees_Spy RS parts.Inj]) 1); |
410 qed "B_trust_OR3"; |
410 qed "B_trusts_OR3"; |