125 |
125 |
126 (*There could be OR4_parts_knows_Spy and Oops_parts_knows_Spy, but for |
126 (*There could be OR4_parts_knows_Spy and Oops_parts_knows_Spy, but for |
127 some reason proofs work without them!*) |
127 some reason proofs work without them!*) |
128 |
128 |
129 |
129 |
130 text\<open>Theorems of the form @{term "X \<notin> parts (spies evs)"} imply that |
130 text\<open>Theorems of the form \<^term>\<open>X \<notin> parts (spies evs)\<close> imply that |
131 NOBODY sends messages containing X!\<close> |
131 NOBODY sends messages containing X!\<close> |
132 |
132 |
133 text\<open>Spy never sees a good agent's shared key!\<close> |
133 text\<open>Spy never sees a good agent's shared key!\<close> |
134 lemma Spy_see_shrK [simp]: |
134 lemma Spy_see_shrK [simp]: |
135 "evs \<in> otway \<Longrightarrow> (Key (shrK A) \<in> parts (knows Spy evs)) = (A \<in> bad)" |
135 "evs \<in> otway \<Longrightarrow> (Key (shrK A) \<in> parts (knows Spy evs)) = (A \<in> bad)" |
144 lemma Spy_see_shrK_D [dest!]: |
144 lemma Spy_see_shrK_D [dest!]: |
145 "\<lbrakk>Key (shrK A) \<in> parts (knows Spy evs); evs \<in> otway\<rbrakk> \<Longrightarrow> A \<in> bad" |
145 "\<lbrakk>Key (shrK A) \<in> parts (knows Spy evs); evs \<in> otway\<rbrakk> \<Longrightarrow> A \<in> bad" |
146 by (blast dest: Spy_see_shrK) |
146 by (blast dest: Spy_see_shrK) |
147 |
147 |
148 |
148 |
149 subsection\<open>Towards Secrecy: Proofs Involving @{term analz}\<close> |
149 subsection\<open>Towards Secrecy: Proofs Involving \<^term>\<open>analz\<close>\<close> |
150 |
150 |
151 (*Describes the form of K and NA when the Server sends this message. Also |
151 (*Describes the form of K and NA when the Server sends this message. Also |
152 for Oops case.*) |
152 for Oops case.*) |
153 lemma Says_Server_message_form: |
153 lemma Says_Server_message_form: |
154 "\<lbrakk>Says Server B \<lbrace>NA, X, Crypt (shrK B) \<lbrace>NB, Key K\<rbrace>\<rbrace> \<in> set evs; |
154 "\<lbrakk>Says Server B \<lbrace>NA, X, Crypt (shrK B) \<lbrace>NB, Key K\<rbrace>\<rbrace> \<in> set evs; |
285 by (blast intro!: NA_Crypt_imp_Server_msg) |
285 by (blast intro!: NA_Crypt_imp_Server_msg) |
286 |
286 |
287 |
287 |
288 text\<open>Crucial secrecy property: Spy does not see the keys sent in msg OR3 |
288 text\<open>Crucial secrecy property: Spy does not see the keys sent in msg OR3 |
289 Does not in itself guarantee security: an attack could violate |
289 Does not in itself guarantee security: an attack could violate |
290 the premises, e.g. by having @{term "A=Spy"}\<close> |
290 the premises, e.g. by having \<^term>\<open>A=Spy\<close>\<close> |
291 lemma secrecy_lemma: |
291 lemma secrecy_lemma: |
292 "\<lbrakk>A \<notin> bad; B \<notin> bad; evs \<in> otway\<rbrakk> |
292 "\<lbrakk>A \<notin> bad; B \<notin> bad; evs \<in> otway\<rbrakk> |
293 \<Longrightarrow> Says Server B |
293 \<Longrightarrow> Says Server B |
294 \<lbrace>NA, Crypt (shrK A) \<lbrace>NA, Key K\<rbrace>, |
294 \<lbrace>NA, Crypt (shrK A) \<lbrace>NA, Key K\<rbrace>, |
295 Crypt (shrK B) \<lbrace>NB, Key K\<rbrace>\<rbrace> \<in> set evs \<longrightarrow> |
295 Crypt (shrK B) \<lbrace>NB, Key K\<rbrace>\<rbrace> \<in> set evs \<longrightarrow> |
317 \<Longrightarrow> Key K \<notin> analz (knows Spy evs)" |
317 \<Longrightarrow> Key K \<notin> analz (knows Spy evs)" |
318 by (blast dest: Says_Server_message_form secrecy_lemma) |
318 by (blast dest: Says_Server_message_form secrecy_lemma) |
319 |
319 |
320 text\<open>This form is an immediate consequence of the previous result. It is |
320 text\<open>This form is an immediate consequence of the previous result. It is |
321 similar to the assertions established by other methods. It is equivalent |
321 similar to the assertions established by other methods. It is equivalent |
322 to the previous result in that the Spy already has @{term analz} and |
322 to the previous result in that the Spy already has \<^term>\<open>analz\<close> and |
323 @{term synth} at his disposal. However, the conclusion |
323 \<^term>\<open>synth\<close> at his disposal. However, the conclusion |
324 @{term "Key K \<notin> knows Spy evs"} appears not to be inductive: all the cases |
324 \<^term>\<open>Key K \<notin> knows Spy evs\<close> appears not to be inductive: all the cases |
325 other than Fake are trivial, while Fake requires |
325 other than Fake are trivial, while Fake requires |
326 @{term "Key K \<notin> analz (knows Spy evs)"}.\<close> |
326 \<^term>\<open>Key K \<notin> analz (knows Spy evs)\<close>.\<close> |
327 lemma Spy_not_know_encrypted_key: |
327 lemma Spy_not_know_encrypted_key: |
328 "\<lbrakk>Says Server B |
328 "\<lbrakk>Says Server B |
329 \<lbrace>NA, Crypt (shrK A) \<lbrace>NA, Key K\<rbrace>, |
329 \<lbrace>NA, Crypt (shrK A) \<lbrace>NA, Key K\<rbrace>, |
330 Crypt (shrK B) \<lbrace>NB, Key K\<rbrace>\<rbrace> \<in> set evs; |
330 Crypt (shrK B) \<lbrace>NB, Key K\<rbrace>\<rbrace> \<in> set evs; |
331 Notes Spy \<lbrace>NA, NB, Key K\<rbrace> \<notin> set evs; |
331 Notes Spy \<lbrace>NA, NB, Key K\<rbrace> \<notin> set evs; |