57 Crypt (shrK B) \<lbrace>Nonce NB, Agent A, Agent B, Key KAB\<rbrace>\<rbrace> |
57 Crypt (shrK B) \<lbrace>Nonce NB, Agent A, Agent B, Key KAB\<rbrace>\<rbrace> |
58 # evs3 \<in> otway" |
58 # evs3 \<in> otway" |
59 |
59 |
60 | OR4: \<comment> \<open>Bob receives the Server's (?) message and compares the Nonces with |
60 | OR4: \<comment> \<open>Bob receives the Server's (?) message and compares the Nonces with |
61 those in the message he previously sent the Server. |
61 those in the message he previously sent the Server. |
62 Need @{term "B \<noteq> Server"} because we allow messages to self.\<close> |
62 Need \<^term>\<open>B \<noteq> Server\<close> because we allow messages to self.\<close> |
63 "[| evs4 \<in> otway; B \<noteq> Server; |
63 "[| evs4 \<in> otway; B \<noteq> Server; |
64 Says B Server \<lbrace>Agent A, Agent B, Nonce NA, Nonce NB\<rbrace> \<in>set evs4; |
64 Says B Server \<lbrace>Agent A, Agent B, Nonce NA, Nonce NB\<rbrace> \<in>set evs4; |
65 Gets B \<lbrace>X, Crypt(shrK B)\<lbrace>Nonce NB,Agent A,Agent B,Key K\<rbrace>\<rbrace> |
65 Gets B \<lbrace>X, Crypt(shrK B)\<lbrace>Nonce NB,Agent A,Agent B,Key K\<rbrace>\<rbrace> |
66 \<in>set evs4 |] |
66 \<in>set evs4 |] |
67 ==> Says B A X # evs4 \<in> otway" |
67 ==> Says B A X # evs4 \<in> otway" |
107 "[| Gets B \<lbrace>X, Crypt(shrK B) X'\<rbrace> \<in> set evs; evs \<in> otway |] |
107 "[| Gets B \<lbrace>X, Crypt(shrK B) X'\<rbrace> \<in> set evs; evs \<in> otway |] |
108 ==> X \<in> analz (knows Spy evs)" |
108 ==> X \<in> analz (knows Spy evs)" |
109 by blast |
109 by blast |
110 |
110 |
111 |
111 |
112 text\<open>Theorems of the form @{term "X \<notin> parts (spies evs)"} imply that |
112 text\<open>Theorems of the form \<^term>\<open>X \<notin> parts (spies evs)\<close> imply that |
113 NOBODY sends messages containing X!\<close> |
113 NOBODY sends messages containing X!\<close> |
114 |
114 |
115 text\<open>Spy never sees a good agent's shared key!\<close> |
115 text\<open>Spy never sees a good agent's shared key!\<close> |
116 lemma Spy_see_shrK [simp]: |
116 lemma Spy_see_shrK [simp]: |
117 "evs \<in> otway ==> (Key (shrK A) \<in> parts (knows Spy evs)) = (A \<in> bad)" |
117 "evs \<in> otway ==> (Key (shrK A) \<in> parts (knows Spy evs)) = (A \<in> bad)" |
217 by (blast intro!: NA_Crypt_imp_Server_msg) |
217 by (blast intro!: NA_Crypt_imp_Server_msg) |
218 |
218 |
219 |
219 |
220 text\<open>Crucial secrecy property: Spy does not see the keys sent in msg OR3 |
220 text\<open>Crucial secrecy property: Spy does not see the keys sent in msg OR3 |
221 Does not in itself guarantee security: an attack could violate |
221 Does not in itself guarantee security: an attack could violate |
222 the premises, e.g. by having @{term "A=Spy"}\<close> |
222 the premises, e.g. by having \<^term>\<open>A=Spy\<close>\<close> |
223 lemma secrecy_lemma: |
223 lemma secrecy_lemma: |
224 "[| A \<notin> bad; B \<notin> bad; evs \<in> otway |] |
224 "[| A \<notin> bad; B \<notin> bad; evs \<in> otway |] |
225 ==> Says Server B |
225 ==> Says Server B |
226 \<lbrace>Crypt (shrK A) \<lbrace>NA, Agent A, Agent B, Key K\<rbrace>, |
226 \<lbrace>Crypt (shrK A) \<lbrace>NA, Agent A, Agent B, Key K\<rbrace>, |
227 Crypt (shrK B) \<lbrace>NB, Agent A, Agent B, Key K\<rbrace>\<rbrace> |
227 Crypt (shrK B) \<lbrace>NB, Agent A, Agent B, Key K\<rbrace>\<rbrace> |