198 new_keys_not_used] MRS contra_subsetD); |
197 new_keys_not_used] MRS contra_subsetD); |
199 |
198 |
200 Addsimps [new_keys_not_used, new_keys_not_analzd]; |
199 Addsimps [new_keys_not_used, new_keys_not_analzd]; |
201 |
200 |
202 |
201 |
203 (*Describes the form of Key K when the following message is sent. The use of |
202 (*Describes the form of K when the Server sends this message. Useful for |
204 "parts" strengthens the induction hyp for proving the Fake case. The |
203 Oops as well as main secrecy property.*) |
205 assumption A ~: lost prevents its being a Faked message. (Based |
204 goal thy |
206 on NS_Shared/Says_S_message_form) *) |
205 "!!evs. [| Says Server A {|NB', Crypt {|Agent B, K, NA|} (shrK A), X|} \ |
207 goal thy |
206 \ : set_of_list evs; \ |
208 "!!evs. evs: yahalom lost ==> \ |
207 \ evs : yahalom lost |] \ |
209 \ Crypt {|B, Key K, NA|} (shrK A) : parts (sees lost Spy evs) \ |
208 \ ==> (EX evt: yahalom lost. K = Key(newK evt)) & A ~= B"; |
210 \ --> A ~: lost --> (EX evt: yahalom lost. K = newK evt)"; |
209 by (etac rev_mp 1); |
211 by (parts_induct_tac 1); |
210 by (etac yahalom.induct 1); |
212 by (Auto_tac()); |
211 by (ALLGOALS (fast_tac (!claset addss (!simpset)))); |
213 qed_spec_mp "Reveal_message_lemma"; |
212 qed "Says_Server_message_form"; |
214 |
|
215 (*EITHER describes the form of Key K when the following message is sent, |
|
216 OR reduces it to the Fake case.*) |
|
217 |
|
218 goal thy |
|
219 "!!evs. [| Says S A {|NB, Crypt {|B, Key K, NA|} (shrK A), X|} \ |
|
220 \ : set_of_list evs; \ |
|
221 \ evs : yahalom lost |] \ |
|
222 \ ==> (EX evt: yahalom lost. K = newK evt) \ |
|
223 \ | Key K : analz (sees lost Spy evs)"; |
|
224 br (Reveal_message_lemma RS disjCI) 1; |
|
225 ba 1; |
|
226 by (fast_tac (!claset addSDs [Says_imp_sees_Spy RS analz.Inj] |
|
227 addDs [impOfSubs analz_subset_parts]) 1); |
|
228 by (fast_tac (!claset addSDs [Says_imp_sees_Spy RS analz.Inj] |
|
229 addss (!simpset)) 1); |
|
230 qed "Reveal_message_form"; |
|
231 |
213 |
232 |
214 |
233 (*For proofs involving analz. We again instantiate the variable to "lost".*) |
215 (*For proofs involving analz. We again instantiate the variable to "lost".*) |
234 val analz_Fake_tac = |
216 val analz_Fake_tac = |
235 dres_inst_tac [("lost","lost")] YM4_analz_sees_Spy 6 THEN |
217 dres_inst_tac [("lost","lost")] YM4_analz_sees_Spy 6 THEN |
236 forw_inst_tac [("lost","lost")] Reveal_message_form 7; |
218 forw_inst_tac [("lost","lost")] Says_Server_message_form 7 THEN |
|
219 assume_tac 7 THEN Full_simp_tac 7 THEN |
|
220 REPEAT ((eresolve_tac [bexE,conjE] ORELSE' hyp_subst_tac) 7); |
237 |
221 |
238 |
222 |
239 (**** |
223 (**** |
240 The following is to prove theorems of the form |
224 The following is to prove theorems of the form |
241 |
225 |
316 by (forw_inst_tac [("psi", "ALL C.?P(C)")] asm_rl 1); |
295 by (forw_inst_tac [("psi", "ALL C.?P(C)")] asm_rl 1); |
317 by (fast_tac (!claset addSDs [spec]) 1); |
296 by (fast_tac (!claset addSDs [spec]) 1); |
318 qed "unique_session_keys"; |
297 qed "unique_session_keys"; |
319 |
298 |
320 |
299 |
321 (*If the encrypted message appears then it originated with the Server*) |
|
322 goal thy |
|
323 "!!evs. [| Crypt {|Agent B, Key K, Nonce NA|} (shrK A) \ |
|
324 \ : parts (sees lost Spy evs); \ |
|
325 \ A ~: lost; evs : yahalom lost |] \ |
|
326 \ ==> EX NB. Says Server A \ |
|
327 \ {|NB, Crypt {|Agent B, Key K, Nonce NA|} (shrK A), \ |
|
328 \ Crypt {|Agent A, Key K, NB, NB|} (shrK B)|} \ |
|
329 \ : set_of_list evs"; |
|
330 by (etac rev_mp 1); |
|
331 by (parts_induct_tac 1); |
|
332 by (Fast_tac 1); |
|
333 qed "A_trust_YM3"; |
|
334 |
|
335 |
|
336 (*Describes the form of K when the Server sends this message.*) |
|
337 goal thy |
|
338 "!!evs. [| Says Server A \ |
|
339 \ {|NB, Crypt {|Agent B, K, NA|} (shrK A), \ |
|
340 \ Crypt {|Agent A, K, NB, NB|} (shrK B)|} \ |
|
341 \ : set_of_list evs; \ |
|
342 \ evs : yahalom lost |] \ |
|
343 \ ==> (EX evt: yahalom lost. K = Key(newK evt))"; |
|
344 by (etac rev_mp 1); |
|
345 by (etac yahalom.induct 1); |
|
346 by (ALLGOALS (fast_tac (!claset addss (!simpset)))); |
|
347 qed "Says_Server_message_form"; |
|
348 |
|
349 |
|
350 (** Crucial secrecy property: Spy does not see the keys sent in msg YM3 **) |
300 (** Crucial secrecy property: Spy does not see the keys sent in msg YM3 **) |
351 |
301 |
352 goal thy |
302 goal thy |
353 "!!evs. [| A ~: lost; B ~: lost; \ |
303 "!!evs. [| A ~: lost; B ~: lost; A ~= B; \ |
354 \ evs : yahalom lost; evt : yahalom lost |] \ |
304 \ evs : yahalom lost |] \ |
355 \ ==> Says Server A \ |
305 \ ==> Says Server A \ |
356 \ {|NB, Crypt {|Agent B, Key K, NA|} (shrK A), \ |
306 \ {|NB, Crypt {|Agent B, Key K, NA|} (shrK A), \ |
357 \ Crypt {|Agent A, Key K, NB, NB|} (shrK B)|} \ |
307 \ Crypt {|NB, Key K, Agent A|} (shrK B)|} \ |
358 \ : set_of_list evs --> \ |
308 \ : set_of_list evs --> \ |
359 \ Says A Spy {|NA, Key K|} ~: set_of_list evs --> \ |
309 \ Says A Spy {|NA, NB, Key K|} ~: set_of_list evs --> \ |
360 \ Key K ~: analz (sees lost Spy evs)"; |
310 \ Key K ~: analz (sees lost Spy evs)"; |
361 by (etac yahalom.induct 1); |
311 by (etac yahalom.induct 1); |
362 by analz_Fake_tac; |
312 by analz_Fake_tac; |
363 by (REPEAT_FIRST (eresolve_tac [asm_rl, bexE, disjE] ORELSE' hyp_subst_tac)); |
|
364 by (ALLGOALS |
313 by (ALLGOALS |
365 (asm_simp_tac |
314 (asm_simp_tac |
366 (!simpset addsimps ([analz_subset_parts RS contra_subsetD, |
315 (!simpset addsimps ([analz_subset_parts RS contra_subsetD, |
367 analz_insert_Key_newK] @ pushes) |
316 analz_insert_Key_newK] @ pushes) |
368 setloop split_tac [expand_if]))); |
317 setloop split_tac [expand_if]))); |
369 (*YM3*) |
318 (*YM3*) |
370 by (fast_tac (!claset addIs [parts_insertI] |
319 by (fast_tac (!claset addIs [parts_insertI] |
371 addEs [Says_imp_old_keys RS less_irrefl] |
320 addEs [Says_imp_old_keys RS less_irrefl] |
372 addss (!simpset)) 2); |
321 addss (!simpset)) 2); |
373 (*Reveal case 2, OR4, Fake*) |
322 (*OR4, Fake*) |
374 by (REPEAT_FIRST (resolve_tac [conjI, impI] ORELSE' spy_analz_tac)); |
323 by (REPEAT_FIRST (resolve_tac [conjI, impI] ORELSE' spy_analz_tac)); |
375 (*Reveal case 1*) (** LEVEL 6 **) |
324 (*Oops*) |
376 by (case_tac "Aa : lost" 1); |
|
377 (*But this contradicts Key K ~: analz (sees lost Spy evsa) *) |
|
378 by (dtac (Says_imp_sees_Spy RS analz.Inj) 1); |
|
379 by (fast_tac (!claset addSDs [analz.Decrypt] addss (!simpset)) 1); |
|
380 (*So now we have Aa ~: lost *) |
|
381 bd (Says_imp_sees_Spy RS parts.Inj) 1; |
|
382 by (fast_tac (!claset delrules [disjE] |
325 by (fast_tac (!claset delrules [disjE] |
383 addSEs [MPair_parts] |
326 addDs [unique_session_keys] |
384 addDs [A_trust_YM3, unique_session_keys] |
|
385 addss (!simpset)) 1); |
327 addss (!simpset)) 1); |
386 val lemma = result() RS mp RS mp RSN(2,rev_notE); |
328 val lemma = result() RS mp RS mp RSN(2,rev_notE); |
387 |
329 |
388 |
330 |
389 (*Final version: Server's message in the most abstract form*) |
331 (*Final version: Server's message in the most abstract form*) |
390 goal thy |
332 goal thy |
391 "!!evs. [| Says Server A \ |
333 "!!evs. [| Says Server A \ |
392 \ {|NB, Crypt {|Agent B, K, NA|} (shrK A), \ |
334 \ {|NB, Crypt {|Agent B, K, NA|} (shrK A), \ |
393 \ Crypt {|Agent A, K, NB, NB|} (shrK B)|} \ |
335 \ Crypt {|NB, K, Agent A|} (shrK B)|} \ |
394 \ : set_of_list evs; \ |
336 \ : set_of_list evs; \ |
395 \ Says A Spy {|NA, K|} ~: set_of_list evs; \ |
337 \ Says A Spy {|NA, NB, K|} ~: set_of_list evs; \ |
396 \ A ~: lost; B ~: lost; evs : yahalom lost |] ==> \ |
338 \ A ~: lost; B ~: lost; evs : yahalom lost |] \ |
397 \ K ~: analz (sees lost Spy evs)"; |
339 \ ==> K ~: analz (sees lost Spy evs)"; |
398 by (forward_tac [Says_Server_message_form] 1 THEN assume_tac 1); |
340 by (forward_tac [Says_Server_message_form] 1 THEN assume_tac 1); |
399 by (fast_tac (!claset addSEs [lemma]) 1); |
341 by (fast_tac (!claset addSEs [lemma]) 1); |
400 qed "Spy_not_see_encrypted_key"; |
342 qed "Spy_not_see_encrypted_key"; |
401 |
343 |
402 |
344 |
403 goal thy |
345 goal thy |
404 "!!evs. [| C ~: {A,B,Server}; \ |
346 "!!evs. [| C ~: {A,B,Server}; \ |
405 \ Says Server A \ |
347 \ Says Server A \ |
406 \ {|NB, Crypt {|Agent B, K, NA|} (shrK A), \ |
348 \ {|NB, Crypt {|Agent B, K, NA|} (shrK A), \ |
407 \ Crypt {|Agent A, K, NB, NB|} (shrK B)|} \ |
349 \ Crypt {|NB, K, Agent A|} (shrK B)|} \ |
408 \ : set_of_list evs; \ |
350 \ : set_of_list evs; \ |
409 \ Says A Spy {|NA, K|} ~: set_of_list evs; \ |
351 \ Says A Spy {|NA, NB, K|} ~: set_of_list evs; \ |
410 \ A ~: lost; B ~: lost; evs : yahalom lost |] ==> \ |
352 \ A ~: lost; B ~: lost; evs : yahalom lost |] \ |
411 \ K ~: analz (sees lost C evs)"; |
353 \ ==> K ~: analz (sees lost C evs)"; |
412 by (rtac (subset_insertI RS sees_mono RS analz_mono RS contra_subsetD) 1); |
354 by (rtac (subset_insertI RS sees_mono RS analz_mono RS contra_subsetD) 1); |
413 by (rtac (sees_lost_agent_subset_sees_Spy RS analz_mono RS contra_subsetD) 1); |
355 by (rtac (sees_lost_agent_subset_sees_Spy RS analz_mono RS contra_subsetD) 1); |
414 by (FIRSTGOAL (rtac Spy_not_see_encrypted_key)); |
356 by (FIRSTGOAL (rtac Spy_not_see_encrypted_key)); |
415 by (REPEAT_FIRST (fast_tac (!claset addIs [yahalom_mono RS subsetD]))); |
357 by (REPEAT_FIRST (fast_tac (!claset addIs [yahalom_mono RS subsetD]))); |
416 qed "Agent_not_see_encrypted_key"; |
358 qed "Agent_not_see_encrypted_key"; |
417 |
359 |
418 |
360 |
419 (*** Security Guarantee for B upon receiving YM4 ***) |
361 (*** Security Guarantees for A and B ***) |
|
362 |
|
363 (*If the encrypted message appears then it originated with the Server.*) |
|
364 goal thy |
|
365 "!!evs. [| Crypt {|Agent B, Key K, NA|} (shrK A) \ |
|
366 \ : parts (sees lost Spy evs); \ |
|
367 \ A ~: lost; evs : yahalom lost |] \ |
|
368 \ ==> EX NB. Says Server A \ |
|
369 \ {|NB, Crypt {|Agent B, Key K, NA|} (shrK A), \ |
|
370 \ Crypt {|NB, Key K, Agent A|} (shrK B)|} \ |
|
371 \ : set_of_list evs"; |
|
372 by (etac rev_mp 1); |
|
373 by (parts_induct_tac 1); |
|
374 (*The nested conjunctions are entirely useless*) |
|
375 by (REPEAT_FIRST (rtac conjI ORELSE' fast_tac (!claset delrules [conjI]))); |
|
376 qed "A_trust_YM3"; |
|
377 |
420 |
378 |
421 (*B knows, by the first part of A's message, that the Server distributed |
379 (*B knows, by the first part of A's message, that the Server distributed |
422 the key for A and B. But this part says nothing about nonces.*) |
380 the key for A and B. *) |
423 goal thy |
381 goal thy |
424 "!!evs. [| Crypt {|Agent A, Key K, Nonce NB, Nonce NB|} (shrK B) \ |
382 "!!evs. [| Crypt {|Nonce NB, Key K, Agent A|} (shrK B) \ |
425 \ : parts (sees lost Spy evs); \ |
383 \ : parts (sees lost Spy evs); \ |
426 \ B ~: lost; evs : yahalom lost |] \ |
384 \ B ~: lost; evs : yahalom lost |] \ |
427 \ ==> EX NA. Says Server A \ |
385 \ ==> EX NA. Says Server A \ |
428 \ {|Nonce NB, \ |
386 \ {|Nonce NB, \ |
429 \ Crypt {|Agent B, Key K, Nonce NA|} (shrK A), \ |
387 \ Crypt {|Agent B, Key K, Nonce NA|} (shrK A), \ |
430 \ Crypt {|Agent A, Key K, Nonce NB, Nonce NB|} (shrK B)|}\ |
388 \ Crypt {|Nonce NB, Key K, Agent A|} (shrK B)|} \ |
431 \ : set_of_list evs"; |
389 \ : set_of_list evs"; |
432 by (etac rev_mp 1); |
390 by (etac rev_mp 1); |
433 by (parts_induct_tac 1); |
391 by (parts_induct_tac 1); |
434 (*YM3*) |
392 (*YM3*) |
435 by (Fast_tac 1); |
393 by (Fast_tac 1); |