22 |
22 |
23 (*A "possibility property": there are traces that reach the end*) |
23 (*A "possibility property": there are traces that reach the end*) |
24 goal thy |
24 goal thy |
25 "!!A B. [| A ~= B; A ~= Server; B ~= Server |] \ |
25 "!!A B. [| A ~= B; A ~= Server; B ~= Server |] \ |
26 \ ==> EX X NB K. EX evs: yahalom lost. \ |
26 \ ==> EX X NB K. EX evs: yahalom lost. \ |
27 \ Says A B {|X, Crypt K (Nonce NB)|} : set_of_list evs"; |
27 \ Says A B {|X, Crypt K (Nonce NB)|} : set evs"; |
28 by (REPEAT (resolve_tac [exI,bexI] 1)); |
28 by (REPEAT (resolve_tac [exI,bexI] 1)); |
29 by (rtac (yahalom.Nil RS yahalom.YM1 RS yahalom.YM2 RS yahalom.YM3 RS |
29 by (rtac (yahalom.Nil RS yahalom.YM1 RS yahalom.YM2 RS yahalom.YM3 RS |
30 yahalom.YM4) 2); |
30 yahalom.YM4) 2); |
31 by possibility_tac; |
31 by possibility_tac; |
32 result(); |
32 result(); |
43 :: yahalom.intrs)))); |
43 :: yahalom.intrs)))); |
44 qed "yahalom_mono"; |
44 qed "yahalom_mono"; |
45 |
45 |
46 |
46 |
47 (*Nobody sends themselves messages*) |
47 (*Nobody sends themselves messages*) |
48 goal thy "!!evs. evs: yahalom lost ==> ALL A X. Says A A X ~: set_of_list evs"; |
48 goal thy "!!evs. evs: yahalom lost ==> ALL A X. Says A A X ~: set evs"; |
49 by (etac yahalom.induct 1); |
49 by (etac yahalom.induct 1); |
50 by (Auto_tac()); |
50 by (Auto_tac()); |
51 qed_spec_mp "not_Says_to_self"; |
51 qed_spec_mp "not_Says_to_self"; |
52 Addsimps [not_Says_to_self]; |
52 Addsimps [not_Says_to_self]; |
53 AddSEs [not_Says_to_self RSN (2, rev_notE)]; |
53 AddSEs [not_Says_to_self RSN (2, rev_notE)]; |
54 |
54 |
55 |
55 |
56 (** For reasoning about the encrypted portion of messages **) |
56 (** For reasoning about the encrypted portion of messages **) |
57 |
57 |
58 (*Lets us treat YM4 using a similar argument as for the Fake case.*) |
58 (*Lets us treat YM4 using a similar argument as for the Fake case.*) |
59 goal thy "!!evs. Says S A {|Crypt (shrK A) Y, X|} : set_of_list evs ==> \ |
59 goal thy "!!evs. Says S A {|Crypt (shrK A) Y, X|} : set evs ==> \ |
60 \ X : analz (sees lost Spy evs)"; |
60 \ X : analz (sees lost Spy evs)"; |
61 by (blast_tac (!claset addSDs [Says_imp_sees_Spy' RS analz.Inj]) 1); |
61 by (blast_tac (!claset addSDs [Says_imp_sees_Spy' RS analz.Inj]) 1); |
62 qed "YM4_analz_sees_Spy"; |
62 qed "YM4_analz_sees_Spy"; |
63 |
63 |
64 bind_thm ("YM4_parts_sees_Spy", |
64 bind_thm ("YM4_parts_sees_Spy", |
65 YM4_analz_sees_Spy RS (impOfSubs analz_subset_parts)); |
65 YM4_analz_sees_Spy RS (impOfSubs analz_subset_parts)); |
66 |
66 |
67 (*Relates to both YM4 and Oops*) |
67 (*Relates to both YM4 and Oops*) |
68 goal thy "!!evs. Says S A {|Crypt (shrK A) {|B, K, NA, NB|}, X|} \ |
68 goal thy "!!evs. Says S A {|Crypt (shrK A) {|B, K, NA, NB|}, X|} \ |
69 \ : set_of_list evs ==> \ |
69 \ : set evs ==> \ |
70 \ K : parts (sees lost Spy evs)"; |
70 \ K : parts (sees lost Spy evs)"; |
71 by (blast_tac (!claset addSEs partsEs |
71 by (blast_tac (!claset addSEs partsEs |
72 addSDs [Says_imp_sees_Spy' RS parts.Inj]) 1); |
72 addSDs [Says_imp_sees_Spy' RS parts.Inj]) 1); |
73 qed "YM4_Key_parts_sees_Spy"; |
73 qed "YM4_Key_parts_sees_Spy"; |
74 |
74 |
138 |
138 |
139 (*Describes the form of K when the Server sends this message. Useful for |
139 (*Describes the form of K when the Server sends this message. Useful for |
140 Oops as well as main secrecy property.*) |
140 Oops as well as main secrecy property.*) |
141 goal thy |
141 goal thy |
142 "!!evs. [| Says Server A {|Crypt (shrK A) {|Agent B, Key K, NA, NB|}, X|} \ |
142 "!!evs. [| Says Server A {|Crypt (shrK A) {|Agent B, Key K, NA, NB|}, X|} \ |
143 \ : set_of_list evs; \ |
143 \ : set evs; \ |
144 \ evs : yahalom lost |] \ |
144 \ evs : yahalom lost |] \ |
145 \ ==> K ~: range shrK"; |
145 \ ==> K ~: range shrK"; |
146 by (etac rev_mp 1); |
146 by (etac rev_mp 1); |
147 by (etac yahalom.induct 1); |
147 by (etac yahalom.induct 1); |
148 by (ALLGOALS Asm_simp_tac); |
148 by (ALLGOALS Asm_simp_tac); |
197 goal thy |
197 goal thy |
198 "!!evs. evs : yahalom lost ==> \ |
198 "!!evs. evs : yahalom lost ==> \ |
199 \ EX A' B' na' nb' X'. ALL A B na nb X. \ |
199 \ EX A' B' na' nb' X'. ALL A B na nb X. \ |
200 \ Says Server A \ |
200 \ Says Server A \ |
201 \ {|Crypt (shrK A) {|Agent B, Key K, na, nb|}, X|} \ |
201 \ {|Crypt (shrK A) {|Agent B, Key K, na, nb|}, X|} \ |
202 \ : set_of_list evs --> A=A' & B=B' & na=na' & nb=nb' & X=X'"; |
202 \ : set evs --> A=A' & B=B' & na=na' & nb=nb' & X=X'"; |
203 by (etac yahalom.induct 1); |
203 by (etac yahalom.induct 1); |
204 by (ALLGOALS (asm_simp_tac (!simpset addsimps [all_conj_distrib]))); |
204 by (ALLGOALS (asm_simp_tac (!simpset addsimps [all_conj_distrib]))); |
205 by (Step_tac 1); |
205 by (Step_tac 1); |
206 by (ex_strip_tac 2); |
206 by (ex_strip_tac 2); |
207 by (Blast_tac 2); |
207 by (Blast_tac 2); |
214 val lemma = result(); |
214 val lemma = result(); |
215 |
215 |
216 goal thy |
216 goal thy |
217 "!!evs. [| Says Server A \ |
217 "!!evs. [| Says Server A \ |
218 \ {|Crypt (shrK A) {|Agent B, Key K, na, nb|}, X|} \ |
218 \ {|Crypt (shrK A) {|Agent B, Key K, na, nb|}, X|} \ |
219 \ : set_of_list evs; \ |
219 \ : set evs; \ |
220 \ Says Server A' \ |
220 \ Says Server A' \ |
221 \ {|Crypt (shrK A') {|Agent B', Key K, na', nb'|}, X'|} \ |
221 \ {|Crypt (shrK A') {|Agent B', Key K, na', nb'|}, X'|} \ |
222 \ : set_of_list evs; \ |
222 \ : set evs; \ |
223 \ evs : yahalom lost |] \ |
223 \ evs : yahalom lost |] \ |
224 \ ==> A=A' & B=B' & na=na' & nb=nb'"; |
224 \ ==> A=A' & B=B' & na=na' & nb=nb'"; |
225 by (prove_unique_tac lemma 1); |
225 by (prove_unique_tac lemma 1); |
226 qed "unique_session_keys"; |
226 qed "unique_session_keys"; |
227 |
227 |
231 goal thy |
231 goal thy |
232 "!!evs. [| A ~: lost; B ~: lost; evs : yahalom lost |] \ |
232 "!!evs. [| A ~: lost; B ~: lost; evs : yahalom lost |] \ |
233 \ ==> Says Server A \ |
233 \ ==> Says Server A \ |
234 \ {|Crypt (shrK A) {|Agent B, Key K, na, nb|}, \ |
234 \ {|Crypt (shrK A) {|Agent B, Key K, na, nb|}, \ |
235 \ Crypt (shrK B) {|Agent A, Key K|}|} \ |
235 \ Crypt (shrK B) {|Agent A, Key K|}|} \ |
236 \ : set_of_list evs --> \ |
236 \ : set evs --> \ |
237 \ Says A Spy {|na, nb, Key K|} ~: set_of_list evs --> \ |
237 \ Says A Spy {|na, nb, Key K|} ~: set evs --> \ |
238 \ Key K ~: analz (sees lost Spy evs)"; |
238 \ Key K ~: analz (sees lost Spy evs)"; |
239 by (etac yahalom.induct 1); |
239 by (etac yahalom.induct 1); |
240 by analz_sees_tac; |
240 by analz_sees_tac; |
241 by (ALLGOALS |
241 by (ALLGOALS |
242 (asm_simp_tac |
242 (asm_simp_tac |
257 (*Final version*) |
257 (*Final version*) |
258 goal thy |
258 goal thy |
259 "!!evs. [| Says Server A \ |
259 "!!evs. [| Says Server A \ |
260 \ {|Crypt (shrK A) {|Agent B, Key K, na, nb|}, \ |
260 \ {|Crypt (shrK A) {|Agent B, Key K, na, nb|}, \ |
261 \ Crypt (shrK B) {|Agent A, Key K|}|} \ |
261 \ Crypt (shrK B) {|Agent A, Key K|}|} \ |
262 \ : set_of_list evs; \ |
262 \ : set evs; \ |
263 \ Says A Spy {|na, nb, Key K|} ~: set_of_list evs; \ |
263 \ Says A Spy {|na, nb, Key K|} ~: set evs; \ |
264 \ A ~: lost; B ~: lost; evs : yahalom lost |] \ |
264 \ A ~: lost; B ~: lost; evs : yahalom lost |] \ |
265 \ ==> Key K ~: analz (sees lost Spy evs)"; |
265 \ ==> Key K ~: analz (sees lost Spy evs)"; |
266 by (forward_tac [Says_Server_message_form] 1 THEN assume_tac 1); |
266 by (forward_tac [Says_Server_message_form] 1 THEN assume_tac 1); |
267 by (blast_tac (!claset addSEs [lemma]) 1); |
267 by (blast_tac (!claset addSEs [lemma]) 1); |
268 qed "Spy_not_see_encrypted_key"; |
268 qed "Spy_not_see_encrypted_key"; |
272 goal thy |
272 goal thy |
273 "!!evs. [| C ~: {A,B,Server}; \ |
273 "!!evs. [| C ~: {A,B,Server}; \ |
274 \ Says Server A \ |
274 \ Says Server A \ |
275 \ {|Crypt (shrK A) {|Agent B, Key K, na, nb|}, \ |
275 \ {|Crypt (shrK A) {|Agent B, Key K, na, nb|}, \ |
276 \ Crypt (shrK B) {|Agent A, Key K|}|} \ |
276 \ Crypt (shrK B) {|Agent A, Key K|}|} \ |
277 \ : set_of_list evs; \ |
277 \ : set evs; \ |
278 \ Says A Spy {|na, nb, Key K|} ~: set_of_list evs; \ |
278 \ Says A Spy {|na, nb, Key K|} ~: set evs; \ |
279 \ A ~: lost; B ~: lost; evs : yahalom lost |] \ |
279 \ A ~: lost; B ~: lost; evs : yahalom lost |] \ |
280 \ ==> Key K ~: analz (sees lost C evs)"; |
280 \ ==> Key K ~: analz (sees lost C evs)"; |
281 by (rtac (subset_insertI RS sees_mono RS analz_mono RS contra_subsetD) 1); |
281 by (rtac (subset_insertI RS sees_mono RS analz_mono RS contra_subsetD) 1); |
282 by (rtac (sees_lost_agent_subset_sees_Spy RS analz_mono RS contra_subsetD) 1); |
282 by (rtac (sees_lost_agent_subset_sees_Spy RS analz_mono RS contra_subsetD) 1); |
283 by (FIRSTGOAL (rtac Spy_not_see_encrypted_key)); |
283 by (FIRSTGOAL (rtac Spy_not_see_encrypted_key)); |
307 \ : parts (sees lost Spy evs); \ |
307 \ : parts (sees lost Spy evs); \ |
308 \ A ~: lost; evs : yahalom lost |] \ |
308 \ A ~: lost; evs : yahalom lost |] \ |
309 \ ==> Says Server A \ |
309 \ ==> Says Server A \ |
310 \ {|Crypt (shrK A) {|Agent B, Key K, na, nb|}, \ |
310 \ {|Crypt (shrK A) {|Agent B, Key K, na, nb|}, \ |
311 \ Crypt (shrK B) {|Agent A, Key K|}|} \ |
311 \ Crypt (shrK B) {|Agent A, Key K|}|} \ |
312 \ : set_of_list evs"; |
312 \ : set evs"; |
313 by (etac rev_mp 1); |
313 by (etac rev_mp 1); |
314 by parts_induct_tac; |
314 by parts_induct_tac; |
315 by (Fake_parts_insert_tac 1); |
315 by (Fake_parts_insert_tac 1); |
316 qed "A_trusts_YM3"; |
316 qed "A_trusts_YM3"; |
317 |
317 |
325 \ B ~: lost; evs : yahalom lost |] \ |
325 \ B ~: lost; evs : yahalom lost |] \ |
326 \ ==> EX NA NB. Says Server A \ |
326 \ ==> EX NA NB. Says Server A \ |
327 \ {|Crypt (shrK A) {|Agent B, Key K, \ |
327 \ {|Crypt (shrK A) {|Agent B, Key K, \ |
328 \ Nonce NA, Nonce NB|}, \ |
328 \ Nonce NA, Nonce NB|}, \ |
329 \ Crypt (shrK B) {|Agent A, Key K|}|} \ |
329 \ Crypt (shrK B) {|Agent A, Key K|}|} \ |
330 \ : set_of_list evs"; |
330 \ : set evs"; |
331 by (etac rev_mp 1); |
331 by (etac rev_mp 1); |
332 by parts_induct_tac; |
332 by parts_induct_tac; |
333 by (Fake_parts_insert_tac 1); |
333 by (Fake_parts_insert_tac 1); |
334 (*YM3*) |
334 (*YM3*) |
335 by (Blast_tac 1); |
335 by (Blast_tac 1); |
344 \ Crypt K (Nonce NB) : parts (sees lost Spy evs) --> \ |
344 \ Crypt K (Nonce NB) : parts (sees lost Spy evs) --> \ |
345 \ (EX A B NA. Says Server A \ |
345 \ (EX A B NA. Says Server A \ |
346 \ {|Crypt (shrK A) {|Agent B, Key K, \ |
346 \ {|Crypt (shrK A) {|Agent B, Key K, \ |
347 \ Nonce NA, Nonce NB|}, \ |
347 \ Nonce NA, Nonce NB|}, \ |
348 \ Crypt (shrK B) {|Agent A, Key K|}|} \ |
348 \ Crypt (shrK B) {|Agent A, Key K|}|} \ |
349 \ : set_of_list evs)"; |
349 \ : set evs)"; |
350 by analz_mono_parts_induct_tac; |
350 by analz_mono_parts_induct_tac; |
351 (*YM3 & Fake*) |
351 (*YM3 & Fake*) |
352 by (Blast_tac 2); |
352 by (Blast_tac 2); |
353 by (Fake_parts_insert_tac 1); |
353 by (Fake_parts_insert_tac 1); |
354 (*YM4*) |
354 (*YM4*) |
366 (** Lemmas about the predicate KeyWithNonce **) |
366 (** Lemmas about the predicate KeyWithNonce **) |
367 |
367 |
368 goalw thy [KeyWithNonce_def] |
368 goalw thy [KeyWithNonce_def] |
369 "!!evs. Says Server A \ |
369 "!!evs. Says Server A \ |
370 \ {|Crypt (shrK A) {|Agent B, Key K, na, Nonce NB|}, X|} \ |
370 \ {|Crypt (shrK A) {|Agent B, Key K, na, Nonce NB|}, X|} \ |
371 \ : set_of_list evs ==> KeyWithNonce K NB evs"; |
371 \ : set evs ==> KeyWithNonce K NB evs"; |
372 by (Blast_tac 1); |
372 by (Blast_tac 1); |
373 qed "KeyWithNonceI"; |
373 qed "KeyWithNonceI"; |
374 |
374 |
375 goalw thy [KeyWithNonce_def] |
375 goalw thy [KeyWithNonce_def] |
376 "KeyWithNonce K NB (Says S A X # evs) = \ |
376 "KeyWithNonce K NB (Says S A X # evs) = \ |
392 (*The Server message associates K with NB' and therefore not with any |
392 (*The Server message associates K with NB' and therefore not with any |
393 other nonce NB.*) |
393 other nonce NB.*) |
394 goalw thy [KeyWithNonce_def] |
394 goalw thy [KeyWithNonce_def] |
395 "!!evs. [| Says Server A \ |
395 "!!evs. [| Says Server A \ |
396 \ {|Crypt (shrK A) {|Agent B, Key K, na, Nonce NB'|}, X|} \ |
396 \ {|Crypt (shrK A) {|Agent B, Key K, na, Nonce NB'|}, X|} \ |
397 \ : set_of_list evs; \ |
397 \ : set evs; \ |
398 \ NB ~= NB'; evs : yahalom lost |] \ |
398 \ NB ~= NB'; evs : yahalom lost |] \ |
399 \ ==> ~ KeyWithNonce K NB evs"; |
399 \ ==> ~ KeyWithNonce K NB evs"; |
400 by (blast_tac (!claset addDs [unique_session_keys]) 1); |
400 by (blast_tac (!claset addDs [unique_session_keys]) 1); |
401 qed "Says_Server_KeyWithNonce"; |
401 qed "Says_Server_KeyWithNonce"; |
402 |
402 |
451 was distributed with that key. The more general form above is required |
451 was distributed with that key. The more general form above is required |
452 for the induction to carry through.*) |
452 for the induction to carry through.*) |
453 goal thy |
453 goal thy |
454 "!!evs. [| Says Server A \ |
454 "!!evs. [| Says Server A \ |
455 \ {|Crypt (shrK A) {|Agent B, Key KAB, na, Nonce NB'|}, X|} \ |
455 \ {|Crypt (shrK A) {|Agent B, Key KAB, na, Nonce NB'|}, X|} \ |
456 \ : set_of_list evs; \ |
456 \ : set evs; \ |
457 \ NB ~= NB'; KAB ~: range shrK; evs : yahalom lost |] \ |
457 \ NB ~= NB'; KAB ~: range shrK; evs : yahalom lost |] \ |
458 \ ==> (Nonce NB : analz (insert (Key KAB) (sees lost Spy evs))) = \ |
458 \ ==> (Nonce NB : analz (insert (Key KAB) (sees lost Spy evs))) = \ |
459 \ (Nonce NB : analz (sees lost Spy evs))"; |
459 \ (Nonce NB : analz (sees lost Spy evs))"; |
460 by (asm_simp_tac (analz_image_freshK_ss addsimps |
460 by (asm_simp_tac (analz_image_freshK_ss addsimps |
461 [Nonce_secrecy, Says_Server_KeyWithNonce]) 1); |
461 [Nonce_secrecy, Says_Server_KeyWithNonce]) 1); |
493 |
493 |
494 (*Variant useful for proving secrecy of NB: the Says... form allows |
494 (*Variant useful for proving secrecy of NB: the Says... form allows |
495 not_lost_tac to remove the assumption B' ~: lost.*) |
495 not_lost_tac to remove the assumption B' ~: lost.*) |
496 goal thy |
496 goal thy |
497 "!!evs.[| Says C D {|X, Crypt (shrK B) {|Agent A, Nonce NA, NB|}|} \ |
497 "!!evs.[| Says C D {|X, Crypt (shrK B) {|Agent A, Nonce NA, NB|}|} \ |
498 \ : set_of_list evs; B ~: lost; \ |
498 \ : set evs; B ~: lost; \ |
499 \ Says C' D' {|X', Crypt (shrK B') {|Agent A', Nonce NA', NB|}|} \ |
499 \ Says C' D' {|X', Crypt (shrK B') {|Agent A', Nonce NA', NB|}|} \ |
500 \ : set_of_list evs; \ |
500 \ : set evs; \ |
501 \ NB ~: analz (sees lost Spy evs); evs : yahalom lost |] \ |
501 \ NB ~: analz (sees lost Spy evs); evs : yahalom lost |] \ |
502 \ ==> NA' = NA & A' = A & B' = B"; |
502 \ ==> NA' = NA & A' = A & B' = B"; |
503 by (not_lost_tac "B'" 1); |
503 by (not_lost_tac "B'" 1); |
504 by (blast_tac (!claset addSDs [Says_imp_sees_Spy' RS parts.Inj] |
504 by (blast_tac (!claset addSDs [Says_imp_sees_Spy' RS parts.Inj] |
505 addSEs [MPair_parts] |
505 addSEs [MPair_parts] |
526 bind_thm ("no_nonce_YM1_YM2", result() RS mp RSN (2,rev_mp) RSN (2,rev_notE)); |
526 bind_thm ("no_nonce_YM1_YM2", result() RS mp RSN (2,rev_mp) RSN (2,rev_notE)); |
527 |
527 |
528 (*The Server sends YM3 only in response to YM2.*) |
528 (*The Server sends YM3 only in response to YM2.*) |
529 goal thy |
529 goal thy |
530 "!!evs. [| Says Server A \ |
530 "!!evs. [| Says Server A \ |
531 \ {|Crypt (shrK A) {|Agent B, k, na, nb|}, X|} : set_of_list evs; \ |
531 \ {|Crypt (shrK A) {|Agent B, k, na, nb|}, X|} : set evs; \ |
532 \ evs : yahalom lost |] \ |
532 \ evs : yahalom lost |] \ |
533 \ ==> EX B'. Says B' Server \ |
533 \ ==> EX B'. Says B' Server \ |
534 \ {| Agent B, Crypt (shrK B) {|Agent A, na, nb|} |} \ |
534 \ {| Agent B, Crypt (shrK B) {|Agent A, na, nb|} |} \ |
535 \ : set_of_list evs"; |
535 \ : set evs"; |
536 by (etac rev_mp 1); |
536 by (etac rev_mp 1); |
537 by (etac yahalom.induct 1); |
537 by (etac yahalom.induct 1); |
538 by (ALLGOALS Asm_simp_tac); |
538 by (ALLGOALS Asm_simp_tac); |
539 by (ALLGOALS Blast_tac); |
539 by (ALLGOALS Blast_tac); |
540 qed "Says_Server_imp_YM2"; |
540 qed "Says_Server_imp_YM2"; |
544 Unusually, the Fake case requires Spy:lost.*) |
544 Unusually, the Fake case requires Spy:lost.*) |
545 goal thy |
545 goal thy |
546 "!!evs. [| A ~: lost; B ~: lost; Spy: lost; evs : yahalom lost |] \ |
546 "!!evs. [| A ~: lost; B ~: lost; Spy: lost; evs : yahalom lost |] \ |
547 \ ==> Says B Server \ |
547 \ ==> Says B Server \ |
548 \ {|Agent B, Crypt (shrK B) {|Agent A, Nonce NA, Nonce NB|}|} \ |
548 \ {|Agent B, Crypt (shrK B) {|Agent A, Nonce NA, Nonce NB|}|} \ |
549 \ : set_of_list evs --> \ |
549 \ : set evs --> \ |
550 \ (ALL k. Says A Spy {|Nonce NA, Nonce NB, k|} ~: set_of_list evs) --> \ |
550 \ (ALL k. Says A Spy {|Nonce NA, Nonce NB, k|} ~: set evs) --> \ |
551 \ Nonce NB ~: analz (sees lost Spy evs)"; |
551 \ Nonce NB ~: analz (sees lost Spy evs)"; |
552 by (etac yahalom.induct 1); |
552 by (etac yahalom.induct 1); |
553 by analz_sees_tac; |
553 by analz_sees_tac; |
554 by (ALLGOALS |
554 by (ALLGOALS |
555 (asm_simp_tac |
555 (asm_simp_tac |
604 If this run is broken and the spy substitutes a certificate containing an |
604 If this run is broken and the spy substitutes a certificate containing an |
605 old key, B has no means of telling.*) |
605 old key, B has no means of telling.*) |
606 goal thy |
606 goal thy |
607 "!!evs. [| Says B Server \ |
607 "!!evs. [| Says B Server \ |
608 \ {|Agent B, Crypt (shrK B) {|Agent A, Nonce NA, Nonce NB|}|} \ |
608 \ {|Agent B, Crypt (shrK B) {|Agent A, Nonce NA, Nonce NB|}|} \ |
609 \ : set_of_list evs; \ |
609 \ : set evs; \ |
610 \ Says A' B {|Crypt (shrK B) {|Agent A, Key K|}, \ |
610 \ Says A' B {|Crypt (shrK B) {|Agent A, Key K|}, \ |
611 \ Crypt K (Nonce NB)|} : set_of_list evs; \ |
611 \ Crypt K (Nonce NB)|} : set evs; \ |
612 \ ALL k. Says A Spy {|Nonce NA, Nonce NB, k|} ~: set_of_list evs; \ |
612 \ ALL k. Says A Spy {|Nonce NA, Nonce NB, k|} ~: set evs; \ |
613 \ A ~: lost; B ~: lost; Spy: lost; evs : yahalom lost |] \ |
613 \ A ~: lost; B ~: lost; Spy: lost; evs : yahalom lost |] \ |
614 \ ==> Says Server A \ |
614 \ ==> Says Server A \ |
615 \ {|Crypt (shrK A) {|Agent B, Key K, \ |
615 \ {|Crypt (shrK A) {|Agent B, Key K, \ |
616 \ Nonce NA, Nonce NB|}, \ |
616 \ Nonce NA, Nonce NB|}, \ |
617 \ Crypt (shrK B) {|Agent A, Key K|}|} \ |
617 \ Crypt (shrK B) {|Agent A, Key K|}|} \ |
618 \ : set_of_list evs"; |
618 \ : set evs"; |
619 by (forward_tac [Spy_not_see_NB] 1 THEN REPEAT (assume_tac 1)); |
619 by (forward_tac [Spy_not_see_NB] 1 THEN REPEAT (assume_tac 1)); |
620 by (etac (Says_imp_sees_Spy' RS parts.Inj RS MPair_parts) 1 THEN |
620 by (etac (Says_imp_sees_Spy' RS parts.Inj RS MPair_parts) 1 THEN |
621 dtac B_trusts_YM4_shrK 1); |
621 dtac B_trusts_YM4_shrK 1); |
622 by (dtac B_trusts_YM4_newK 3); |
622 by (dtac B_trusts_YM4_newK 3); |
623 by (REPEAT_FIRST (eresolve_tac [asm_rl, exE])); |
623 by (REPEAT_FIRST (eresolve_tac [asm_rl, exE])); |
636 \ ==> Crypt (shrK B) {|Agent A, Nonce NA, nb|} \ |
636 \ ==> Crypt (shrK B) {|Agent A, Nonce NA, nb|} \ |
637 \ : parts (sees lost Spy evs) --> \ |
637 \ : parts (sees lost Spy evs) --> \ |
638 \ B ~: lost --> \ |
638 \ B ~: lost --> \ |
639 \ Says B Server {|Agent B, \ |
639 \ Says B Server {|Agent B, \ |
640 \ Crypt (shrK B) {|Agent A, Nonce NA, nb|}|} \ |
640 \ Crypt (shrK B) {|Agent A, Nonce NA, nb|}|} \ |
641 \ : set_of_list evs"; |
641 \ : set evs"; |
642 by parts_induct_tac; |
642 by parts_induct_tac; |
643 by (Fake_parts_insert_tac 1); |
643 by (Fake_parts_insert_tac 1); |
644 bind_thm ("B_Said_YM2", result() RSN (2, rev_mp) RS mp); |
644 bind_thm ("B_Said_YM2", result() RSN (2, rev_mp) RS mp); |
645 |
645 |
646 (*If the server sends YM3 then B sent YM2*) |
646 (*If the server sends YM3 then B sent YM2*) |
647 goal thy |
647 goal thy |
648 "!!evs. evs : yahalom lost \ |
648 "!!evs. evs : yahalom lost \ |
649 \ ==> Says Server A {|Crypt (shrK A) {|Agent B, Key K, Nonce NA, nb|}, X|} \ |
649 \ ==> Says Server A {|Crypt (shrK A) {|Agent B, Key K, Nonce NA, nb|}, X|} \ |
650 \ : set_of_list evs --> \ |
650 \ : set evs --> \ |
651 \ B ~: lost --> \ |
651 \ B ~: lost --> \ |
652 \ Says B Server {|Agent B, \ |
652 \ Says B Server {|Agent B, \ |
653 \ Crypt (shrK B) {|Agent A, Nonce NA, nb|}|} \ |
653 \ Crypt (shrK B) {|Agent A, Nonce NA, nb|}|} \ |
654 \ : set_of_list evs"; |
654 \ : set evs"; |
655 by (etac yahalom.induct 1); |
655 by (etac yahalom.induct 1); |
656 by (ALLGOALS Asm_simp_tac); |
656 by (ALLGOALS Asm_simp_tac); |
657 (*YM4*) |
657 (*YM4*) |
658 by (Blast_tac 2); |
658 by (Blast_tac 2); |
659 (*YM3*) |
659 (*YM3*) |
662 val lemma = result() RSN (2, rev_mp) RS mp |> standard; |
662 val lemma = result() RSN (2, rev_mp) RS mp |> standard; |
663 |
663 |
664 (*If A receives YM3 then B has used nonce NA (and therefore is alive)*) |
664 (*If A receives YM3 then B has used nonce NA (and therefore is alive)*) |
665 goal thy |
665 goal thy |
666 "!!evs. [| Says S A {|Crypt (shrK A) {|Agent B, Key K, Nonce NA, nb|}, X|} \ |
666 "!!evs. [| Says S A {|Crypt (shrK A) {|Agent B, Key K, Nonce NA, nb|}, X|} \ |
667 \ : set_of_list evs; \ |
667 \ : set evs; \ |
668 \ A ~: lost; B ~: lost; evs : yahalom lost |] \ |
668 \ A ~: lost; B ~: lost; evs : yahalom lost |] \ |
669 \ ==> Says B Server {|Agent B, Crypt (shrK B) {|Agent A, Nonce NA, nb|}|} \ |
669 \ ==> Says B Server {|Agent B, Crypt (shrK B) {|Agent A, Nonce NA, nb|}|} \ |
670 \ : set_of_list evs"; |
670 \ : set evs"; |
671 by (blast_tac (!claset addSDs [A_trusts_YM3, lemma] |
671 by (blast_tac (!claset addSDs [A_trusts_YM3, lemma] |
672 addEs sees_Spy_partsEs) 1); |
672 addEs sees_Spy_partsEs) 1); |
673 qed "YM3_auth_B_to_A"; |
673 qed "YM3_auth_B_to_A"; |
674 |
674 |
675 |
675 |
696 \ ==> Key K ~: analz (sees lost Spy evs) --> \ |
696 \ ==> Key K ~: analz (sees lost Spy evs) --> \ |
697 \ Crypt K (Nonce NB) : parts (sees lost Spy evs) --> \ |
697 \ Crypt K (Nonce NB) : parts (sees lost Spy evs) --> \ |
698 \ Crypt (shrK B) {|Agent A, Key K|} \ |
698 \ Crypt (shrK B) {|Agent A, Key K|} \ |
699 \ : parts (sees lost Spy evs) --> \ |
699 \ : parts (sees lost Spy evs) --> \ |
700 \ B ~: lost --> \ |
700 \ B ~: lost --> \ |
701 \ (EX X. Says A B {|X, Crypt K (Nonce NB)|} : set_of_list evs)"; |
701 \ (EX X. Says A B {|X, Crypt K (Nonce NB)|} : set evs)"; |
702 by analz_mono_parts_induct_tac; |
702 by analz_mono_parts_induct_tac; |
703 (*Fake*) |
703 (*Fake*) |
704 by (Fake_parts_insert_tac 1); |
704 by (Fake_parts_insert_tac 1); |
705 (*YM3: by new_keys_not_used we note that Crypt K (Nonce NB) could not exist*) |
705 (*YM3: by new_keys_not_used we note that Crypt K (Nonce NB) could not exist*) |
706 by (fast_tac (!claset addSDs [Crypt_imp_invKey_keysFor] addss (!simpset)) 1); |
706 by (fast_tac (!claset addSDs [Crypt_imp_invKey_keysFor] addss (!simpset)) 1); |
718 Moreover, A associates K with NB (thus is talking about the same run). |
718 Moreover, A associates K with NB (thus is talking about the same run). |
719 Other premises guarantee secrecy of K.*) |
719 Other premises guarantee secrecy of K.*) |
720 goal thy |
720 goal thy |
721 "!!evs. [| Says B Server \ |
721 "!!evs. [| Says B Server \ |
722 \ {|Agent B, Crypt (shrK B) {|Agent A, Nonce NA, Nonce NB|}|} \ |
722 \ {|Agent B, Crypt (shrK B) {|Agent A, Nonce NA, Nonce NB|}|} \ |
723 \ : set_of_list evs; \ |
723 \ : set evs; \ |
724 \ Says A' B {|Crypt (shrK B) {|Agent A, Key K|}, \ |
724 \ Says A' B {|Crypt (shrK B) {|Agent A, Key K|}, \ |
725 \ Crypt K (Nonce NB)|} : set_of_list evs; \ |
725 \ Crypt K (Nonce NB)|} : set evs; \ |
726 \ (ALL NA k. Says A Spy {|Nonce NA, Nonce NB, k|} \ |
726 \ (ALL NA k. Says A Spy {|Nonce NA, Nonce NB, k|} \ |
727 \ ~: set_of_list evs); \ |
727 \ ~: set evs); \ |
728 \ A ~: lost; B ~: lost; Spy: lost; evs : yahalom lost |] \ |
728 \ A ~: lost; B ~: lost; Spy: lost; evs : yahalom lost |] \ |
729 \ ==> EX X. Says A B {|X, Crypt K (Nonce NB)|} : set_of_list evs"; |
729 \ ==> EX X. Says A B {|X, Crypt K (Nonce NB)|} : set evs"; |
730 by (dtac B_trusts_YM4 1); |
730 by (dtac B_trusts_YM4 1); |
731 by (REPEAT_FIRST (eresolve_tac [asm_rl, spec])); |
731 by (REPEAT_FIRST (eresolve_tac [asm_rl, spec])); |
732 by (etac (Says_imp_sees_Spy' RS parts.Inj RS MPair_parts) 1); |
732 by (etac (Says_imp_sees_Spy' RS parts.Inj RS MPair_parts) 1); |
733 by (rtac lemma 1); |
733 by (rtac lemma 1); |
734 by (rtac Spy_not_see_encrypted_key 2); |
734 by (rtac Spy_not_see_encrypted_key 2); |