Mercurial Mercurial > repos > isabelle / comparison
summary | shortlog | changelog | graph | tags | bookmarks | branches | files | changeset | file | latest | revisions | annotate | diff | comparison | raw | help
Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
src/HOL/Auth/TLS.thy
changeset 3687 fb7d096d7884
parent 3686 4b484805b4c4
child 3704 2f99d7a0dccc
equal deleted inserted replaced
3686:4b484805b4c4 3687:fb7d096d7884 
    64   "serverK (x)"	== "sessionK(x,False)"
 
    64   "serverK (x)"	== "sessionK(x,False)"
 
    65 
    65 
    66 rules
 
    66 rules
 
    67   inj_PRF       "inj PRF"	
    67   inj_PRF       "inj PRF"	
    68 
    68 
    69   (*sessionK is collision-free and makes symmetric keys*)
 
    69   (*sessionK is collision-free and makes symmetric keys.  Also, no clientK
 
       
    70     clashes with any serverK.*)
 
    70   inj_sessionK  "inj sessionK"	
    71   inj_sessionK  "inj sessionK"	
    71 
    72 
    72   isSym_sessionK "isSymKey (sessionK x)"
 
    73   isSym_sessionK "isSymKey (sessionK x)"
 
    73 
    74 
    74   (*serverK is similar*)
 
    75   (*serverK is similar*)
 
    75   inj_serverK   "inj serverK"	
    76   inj_serverK   "inj serverK"	
    76   isSym_serverK "isSymKey (serverK x)"
 
    77   isSym_serverK "isSymKey (serverK x)"
 
    77 
       
    78   (*Clashes with pubK and priK are impossible, but this axiom is needed.*)
 
       
    79   clientK_range "range clientK <= Compl (range serverK)"
 
       
    80 
    78 
    81 
    79 
    82 consts    tls :: event list set
 
    80 consts    tls :: event list set
 
    83 inductive tls
 
    81 inductive tls
 
    84   intrs 
    82   intrs 
    88     Fake (*The spy, an active attacker, MAY say anything he CAN say.*)
 
    86     Fake (*The spy, an active attacker, MAY say anything he CAN say.*)
 
    89          "[| evs: tls;  B ~= Spy;  
    87          "[| evs: tls;  B ~= Spy;  
    90              X: synth (analz (spies evs)) |]
 
    88              X: synth (analz (spies evs)) |]
 
    91           ==> Says Spy B X # evs : tls"
 
    89           ==> Says Spy B X # evs : tls"
 
    92 
    90 
    93     SpyKeys (*The spy may apply PRF, clientK & serverK to available nonces*)
 
    91     SpyKeys (*The spy may apply PRF & sessionK to available nonces*)
 
    94          "[| evsSK: tls;
 
    92          "[| evsSK: tls;
 
    95 	     Says Spy B {|Nonce NA, Nonce NB, Nonce M|} : set evsSK |]
 
    93 	     Says Spy B {|Nonce NA, Nonce NB, Nonce M|} : set evsSK |]
 
    96           ==> Says Spy B {| Nonce (PRF(M,NA,NB)),
 
    94           ==> Says Spy B {| Nonce (PRF(M,NA,NB)),
 
    97 			    Key (clientK(NA,NB,M)),
 
    95 			    Key (sessionK((NA,NB,M),b)) |} # evsSK : tls"
 
    98 			    Key (serverK(NA,NB,M)) |} # evsSK : tls"
 
       
    99 
    96 
   100     ClientHello
 
    97     ClientHello
 
   101 	 (*(7.4.1.2)
 
    98 	 (*(7.4.1.2)
 
   102 	   XA represents CLIENT_VERSION, CIPHER_SUITES and COMPRESSION_METHODS.
 
    99 	   XA represents CLIENT_VERSION, CIPHER_SUITES and COMPRESSION_METHODS.
 
   103 	   It is uninterpreted but will be confirmed in the FINISHED messages.
 
   100 	   It is uninterpreted but will be confirmed in the FINISHED messages.
 
   194               # evsSF  :  tls"
 
   191               # evsSF  :  tls"
 
   195 
   192 
   196     ClientAccepts
 
   193     ClientAccepts
 
   197 	(*Having transmitted ClientFinished and received an identical
 
   194 	(*Having transmitted ClientFinished and received an identical
 
   198           message encrypted with serverK, the client stores the parameters
 
   195           message encrypted with serverK, the client stores the parameters
 
   199           needed to resume this session.*)
 
   196           needed to resume this session.  The "Notes A ..." premise is
 
       
   197           used to prove Notes_master_imp_Crypt_PMS.*)
 
   200          "[| evsCA: tls;
 
   198          "[| evsCA: tls;
 
   201 	     Notes A {|Agent B, Nonce PMS|} : set evsCA;
 
   199 	     Notes A {|Agent B, Nonce PMS|} : set evsCA;
 
   202 	     M = PRF(PMS,NA,NB);  
   200 	     M = PRF(PMS,NA,NB);  
   203 	     X = Hash{|Nonce M, Number SID,
 
   201 	     X = Hash{|Nonce M, Number SID,
 
   204 	               Nonce NA, Number XA, Agent A, 
   202 	               Nonce NA, Number XA, Agent A, 
   209              Notes A {|Number SID, Agent A, Agent B, Nonce M|} # evsCA  :  tls"
 
   207              Notes A {|Number SID, Agent A, Agent B, Nonce M|} # evsCA  :  tls"
 
   210 
   208 
   211     ServerAccepts
 
   209     ServerAccepts
 
   212 	(*Having transmitted ServerFinished and received an identical
 
   210 	(*Having transmitted ServerFinished and received an identical
 
   213           message encrypted with clientK, the server stores the parameters
 
   211           message encrypted with clientK, the server stores the parameters
 
   214           needed to resume this session.*)
 
   212           needed to resume this session.  The "Says A'' B ..." premise is
 
       
   213           used to prove Notes_master_imp_Crypt_PMS.*)
 
   215          "[| evsSA: tls;
 
   214          "[| evsSA: tls;
 
   216              Says A'' B {|certificate A KA, Crypt (pubK B) (Nonce PMS)|}
 
   215              Says A'' B {|certificate A KA, Crypt (pubK B) (Nonce PMS)|}
 
   217 	       : set evsSA;
 
   216 	       : set evsSA;
 
   218 	     M = PRF(PMS,NA,NB);  
   217 	     M = PRF(PMS,NA,NB);  
   219 	     X = Hash{|Nonce M, Number SID,
 
   218 	     X = Hash{|Nonce M, Number SID,
isabelle