1 (* Title: HOL/Auth/OtwayRees |
1 (* Title: HOL/Auth/OtwayRees |
2 ID: $Id$ |
2 ID: $Id$ |
3 Author: Lawrence C Paulson, Cambridge University Computer Laboratory |
3 Author: Lawrence C Paulson, Cambridge University Computer Laboratory |
4 Copyright 1996 University of Cambridge |
4 Copyright 1996 University of Cambridge |
5 |
5 *) |
6 Inductive relation "otway" for the Otway-Rees protocol. |
6 |
7 |
7 header{*The Otway-Rees Protocol as Modified by Abadi and Needham*} |
8 Abadi-Needham simplified version: minimal encryption, explicit messages |
8 |
|
9 theory OtwayRees_AN = Public: |
|
10 |
|
11 text{* |
|
12 This simplified version has minimal encryption and explicit messages. |
9 |
13 |
10 Note that the formalization does not even assume that nonces are fresh. |
14 Note that the formalization does not even assume that nonces are fresh. |
11 This is because the protocol does not rely on uniqueness of nonces for |
15 This is because the protocol does not rely on uniqueness of nonces for |
12 security, only for freshness, and the proof script does not prove freshness |
16 security, only for freshness, and the proof script does not prove freshness |
13 properties. |
17 properties. |
14 |
18 |
15 From page 11 of |
19 From page 11 of |
16 Abadi and Needham. Prudent Engineering Practice for Cryptographic Protocols. |
20 Abadi and Needham (1996). |
17 IEEE Trans. SE 22 (1), 1996 |
21 Prudent Engineering Practice for Cryptographic Protocols. |
18 *) |
22 IEEE Trans. SE 22 (1) |
19 |
23 *} |
20 theory OtwayRees_AN = Shared: |
|
21 |
24 |
22 consts otway :: "event list set" |
25 consts otway :: "event list set" |
23 inductive "otway" |
26 inductive "otway" |
24 intros |
27 intros |
25 (*Initial trace is empty*) |
28 (*Initial trace is empty*) |
136 Crypt (shrK B) {|NB, Agent A, Agent B, Key K|}|} |
139 Crypt (shrK B) {|NB, Agent A, Agent B, Key K|}|} |
137 \<in> set evs; |
140 \<in> set evs; |
138 evs \<in> otway |] |
141 evs \<in> otway |] |
139 ==> K \<notin> range shrK & (\<exists>i. NA = Nonce i) & (\<exists>j. NB = Nonce j)" |
142 ==> K \<notin> range shrK & (\<exists>i. NA = Nonce i) & (\<exists>j. NB = Nonce j)" |
140 apply (erule rev_mp) |
143 apply (erule rev_mp) |
141 apply (erule otway.induct, simp_all, blast) |
144 apply (erule otway.induct, auto) |
142 done |
145 done |
143 |
146 |
144 |
147 |
145 |
148 |
146 (**** |
149 (**** |
159 lemma analz_image_freshK [rule_format]: |
162 lemma analz_image_freshK [rule_format]: |
160 "evs \<in> otway ==> |
163 "evs \<in> otway ==> |
161 \<forall>K KK. KK <= -(range shrK) --> |
164 \<forall>K KK. KK <= -(range shrK) --> |
162 (Key K \<in> analz (Key`KK Un (knows Spy evs))) = |
165 (Key K \<in> analz (Key`KK Un (knows Spy evs))) = |
163 (K \<in> KK | Key K \<in> analz (knows Spy evs))" |
166 (K \<in> KK | Key K \<in> analz (knows Spy evs))" |
164 apply (erule otway.induct, force) |
167 apply (erule otway.induct) |
165 apply (frule_tac [7] Says_Server_message_form) |
168 apply (frule_tac [8] Says_Server_message_form) |
166 apply (drule_tac [6] OR4_analz_knows_Spy, analz_freshK, spy_analz) |
169 apply (drule_tac [7] OR4_analz_knows_Spy, analz_freshK, spy_analz, auto) |
167 done |
170 done |
168 |
171 |
169 lemma analz_insert_freshK: |
172 lemma analz_insert_freshK: |
170 "[| evs \<in> otway; KAB \<notin> range shrK |] ==> |
173 "[| evs \<in> otway; KAB \<notin> range shrK |] ==> |
171 (Key K \<in> analz (insert (Key KAB) (knows Spy evs))) = |
174 (Key K \<in> analz (insert (Key KAB) (knows Spy evs))) = |