96 \<in> set evs" |
96 \<in> set evs" |
97 apply (intro exI bexI) |
97 apply (intro exI bexI) |
98 apply (rule_tac [2] otway.Nil |
98 apply (rule_tac [2] otway.Nil |
99 [THEN otway.OR1, THEN otway.Reception, |
99 [THEN otway.OR1, THEN otway.Reception, |
100 THEN otway.OR2, THEN otway.Reception, |
100 THEN otway.OR2, THEN otway.Reception, |
101 THEN otway.OR3, THEN otway.Reception, THEN otway.OR4]) |
101 THEN otway.OR3, THEN otway.Reception, THEN otway.OR4], possibility) |
102 apply possibility |
|
103 done |
102 done |
104 |
103 |
105 lemma Gets_imp_Says [dest!]: |
104 lemma Gets_imp_Says [dest!]: |
106 "[| Gets B X \<in> set evs; evs \<in> otway |] ==> \<exists>A. Says A B X \<in> set evs" |
105 "[| Gets B X \<in> set evs; evs \<in> otway |] ==> \<exists>A. Says A B X \<in> set evs" |
107 apply (erule rev_mp) |
106 apply (erule rev_mp) |
108 apply (erule otway.induct) |
107 apply (erule otway.induct, auto) |
109 apply auto |
|
110 done |
108 done |
111 |
109 |
112 |
110 |
113 (**** Inductive proofs about otway ****) |
111 (**** Inductive proofs about otway ****) |
114 |
112 |
140 |
138 |
141 (*Spy never sees a good agent's shared key!*) |
139 (*Spy never sees a good agent's shared key!*) |
142 lemma Spy_see_shrK [simp]: |
140 lemma Spy_see_shrK [simp]: |
143 "evs \<in> otway ==> (Key (shrK A) \<in> parts (knows Spy evs)) = (A \<in> bad)" |
141 "evs \<in> otway ==> (Key (shrK A) \<in> parts (knows Spy evs)) = (A \<in> bad)" |
144 apply (erule otway.induct, force, |
142 apply (erule otway.induct, force, |
145 drule_tac [4] OR2_parts_knows_Spy, simp_all) |
143 drule_tac [4] OR2_parts_knows_Spy, simp_all, blast+) |
146 apply blast+ |
|
147 done |
144 done |
148 |
145 |
149 lemma Spy_analz_shrK [simp]: |
146 lemma Spy_analz_shrK [simp]: |
150 "evs \<in> otway ==> (Key (shrK A) \<in> analz (knows Spy evs)) = (A \<in> bad)" |
147 "evs \<in> otway ==> (Key (shrK A) \<in> analz (knows Spy evs)) = (A \<in> bad)" |
151 by auto |
148 by auto |
162 lemma Says_Server_message_form: |
159 lemma Says_Server_message_form: |
163 "[| Says Server B {|NA, X, Crypt (shrK B) {|NB, Key K|}|} \<in> set evs; |
160 "[| Says Server B {|NA, X, Crypt (shrK B) {|NB, Key K|}|} \<in> set evs; |
164 evs \<in> otway |] |
161 evs \<in> otway |] |
165 ==> K \<notin> range shrK & (\<exists>i. NA = Nonce i) & (\<exists>j. NB = Nonce j)" |
162 ==> K \<notin> range shrK & (\<exists>i. NA = Nonce i) & (\<exists>j. NB = Nonce j)" |
166 apply (erule rev_mp) |
163 apply (erule rev_mp) |
167 apply (erule otway.induct, simp_all) |
164 apply (erule otway.induct, simp_all, blast) |
168 apply blast |
|
169 done |
165 done |
170 |
166 |
171 |
167 |
172 (**** |
168 (**** |
173 The following is to prove theorems of the form |
169 The following is to prove theorems of the form |
188 (Key K \<in> analz (Key`KK Un (knows Spy evs))) = |
184 (Key K \<in> analz (Key`KK Un (knows Spy evs))) = |
189 (K \<in> KK | Key K \<in> analz (knows Spy evs))" |
185 (K \<in> KK | Key K \<in> analz (knows Spy evs))" |
190 apply (erule otway.induct, force) |
186 apply (erule otway.induct, force) |
191 apply (frule_tac [7] Says_Server_message_form) |
187 apply (frule_tac [7] Says_Server_message_form) |
192 apply (drule_tac [6] OR4_analz_knows_Spy) |
188 apply (drule_tac [6] OR4_analz_knows_Spy) |
193 apply (drule_tac [4] OR2_analz_knows_Spy) |
189 apply (drule_tac [4] OR2_analz_knows_Spy, analz_freshK, spy_analz) |
194 apply analz_freshK |
|
195 apply spy_analz |
|
196 done |
190 done |
197 |
191 |
198 lemma analz_insert_freshK: |
192 lemma analz_insert_freshK: |
199 "[| evs \<in> otway; KAB \<notin> range shrK |] ==> |
193 "[| evs \<in> otway; KAB \<notin> range shrK |] ==> |
200 (Key K \<in> analz (insert (Key KAB) (knows Spy evs))) = |
194 (Key K \<in> analz (insert (Key KAB) (knows Spy evs))) = |
229 Key K \<notin> analz (knows Spy evs)" |
223 Key K \<notin> analz (knows Spy evs)" |
230 apply (erule otway.induct, force) |
224 apply (erule otway.induct, force) |
231 apply (frule_tac [7] Says_Server_message_form) |
225 apply (frule_tac [7] Says_Server_message_form) |
232 apply (drule_tac [6] OR4_analz_knows_Spy) |
226 apply (drule_tac [6] OR4_analz_knows_Spy) |
233 apply (drule_tac [4] OR2_analz_knows_Spy) |
227 apply (drule_tac [4] OR2_analz_knows_Spy) |
234 apply (simp_all add: analz_insert_eq analz_insert_freshK pushes) |
228 apply (simp_all add: analz_insert_eq analz_insert_freshK pushes, spy_analz) (*Fake*) |
235 apply spy_analz (*Fake*) |
|
236 (*OR3, OR4, Oops*) |
229 (*OR3, OR4, Oops*) |
237 apply (blast dest: unique_session_keys)+ |
230 apply (blast dest: unique_session_keys)+ |
238 done |
231 done |
239 |
232 |
240 |
233 |
257 "[| A \<notin> bad; A \<noteq> B; evs \<in> otway |] |
250 "[| A \<notin> bad; A \<noteq> B; evs \<in> otway |] |
258 ==> Crypt (shrK A) {|NA, Agent A, Agent B|} \<in> parts (knows Spy evs) --> |
251 ==> Crypt (shrK A) {|NA, Agent A, Agent B|} \<in> parts (knows Spy evs) --> |
259 Says A B {|NA, Agent A, Agent B, |
252 Says A B {|NA, Agent A, Agent B, |
260 Crypt (shrK A) {|NA, Agent A, Agent B|}|} \<in> set evs" |
253 Crypt (shrK A) {|NA, Agent A, Agent B|}|} \<in> set evs" |
261 apply (erule otway.induct, force, |
254 apply (erule otway.induct, force, |
262 drule_tac [4] OR2_parts_knows_Spy, simp_all) |
255 drule_tac [4] OR2_parts_knows_Spy, simp_all, blast+) |
263 apply blast+ |
|
264 done |
256 done |
265 |
257 |
266 |
258 |
267 (*Crucial property: If the encrypted message appears, and A has used NA |
259 (*Crucial property: If the encrypted message appears, and A has used NA |
268 to start a run, then it originated with the Server! |
260 to start a run, then it originated with the Server! |
277 (\<exists>B NB. Says Server B |
269 (\<exists>B NB. Says Server B |
278 {|NA, |
270 {|NA, |
279 Crypt (shrK A) {|NA, Key K|}, |
271 Crypt (shrK A) {|NA, Key K|}, |
280 Crypt (shrK B) {|NB, Key K|}|} \<in> set evs)" |
272 Crypt (shrK B) {|NB, Key K|}|} \<in> set evs)" |
281 apply (erule otway.induct, force, |
273 apply (erule otway.induct, force, |
282 drule_tac [4] OR2_parts_knows_Spy) |
274 drule_tac [4] OR2_parts_knows_Spy, simp_all) |
283 apply simp_all |
|
284 (*Fake*) |
275 (*Fake*) |
285 apply blast |
276 apply blast |
286 (*OR1: it cannot be a new Nonce, contradiction.*) |
277 (*OR1: it cannot be a new Nonce, contradiction.*) |
287 apply blast |
278 apply blast |
288 (*OR3 and OR4*) |
279 (*OR3 and OR4*) |