65 Crypt (shrK B) \<lbrace>Nonce NB, Key KAB\<rbrace>\<rbrace> |
65 Crypt (shrK B) \<lbrace>Nonce NB, Key KAB\<rbrace>\<rbrace> |
66 # evs3 \<in> otway" |
66 # evs3 \<in> otway" |
67 |
67 |
68 | OR4: \<comment> \<open>Bob receives the Server's (?) message and compares the Nonces with |
68 | OR4: \<comment> \<open>Bob receives the Server's (?) message and compares the Nonces with |
69 those in the message he previously sent the Server. |
69 those in the message he previously sent the Server. |
70 Need @{term "B \<noteq> Server"} because we allow messages to self.\<close> |
70 Need \<^term>\<open>B \<noteq> Server\<close> because we allow messages to self.\<close> |
71 "[| evs4 \<in> otway; B \<noteq> Server; |
71 "[| evs4 \<in> otway; B \<noteq> Server; |
72 Says B Server \<lbrace>Nonce NA, Agent A, Agent B, X', Nonce NB, |
72 Says B Server \<lbrace>Nonce NA, Agent A, Agent B, X', Nonce NB, |
73 Crypt (shrK B) \<lbrace>Nonce NA, Agent A, Agent B\<rbrace>\<rbrace> |
73 Crypt (shrK B) \<lbrace>Nonce NA, Agent A, Agent B\<rbrace>\<rbrace> |
74 \<in> set evs4; |
74 \<in> set evs4; |
75 Gets B \<lbrace>Nonce NA, X, Crypt (shrK B) \<lbrace>Nonce NB, Key K\<rbrace>\<rbrace> |
75 Gets B \<lbrace>Nonce NA, X, Crypt (shrK B) \<lbrace>Nonce NB, Key K\<rbrace>\<rbrace> |
129 text\<open>Forwarding lemma: see comments in OtwayRees.thy\<close> |
129 text\<open>Forwarding lemma: see comments in OtwayRees.thy\<close> |
130 lemmas OR2_parts_knows_Spy = |
130 lemmas OR2_parts_knows_Spy = |
131 OR2_analz_knows_Spy [THEN analz_into_parts] |
131 OR2_analz_knows_Spy [THEN analz_into_parts] |
132 |
132 |
133 |
133 |
134 text\<open>Theorems of the form @{term "X \<notin> parts (spies evs)"} imply that |
134 text\<open>Theorems of the form \<^term>\<open>X \<notin> parts (spies evs)\<close> imply that |
135 NOBODY sends messages containing X!\<close> |
135 NOBODY sends messages containing X!\<close> |
136 |
136 |
137 text\<open>Spy never sees a good agent's shared key!\<close> |
137 text\<open>Spy never sees a good agent's shared key!\<close> |
138 lemma Spy_see_shrK [simp]: |
138 lemma Spy_see_shrK [simp]: |
139 "evs \<in> otway ==> (Key (shrK A) \<in> parts (knows Spy evs)) = (A \<in> bad)" |
139 "evs \<in> otway ==> (Key (shrK A) \<in> parts (knows Spy evs)) = (A \<in> bad)" |
206 done |
206 done |
207 |
207 |
208 |
208 |
209 text\<open>Crucial secrecy property: Spy does not see the keys sent in msg OR3 |
209 text\<open>Crucial secrecy property: Spy does not see the keys sent in msg OR3 |
210 Does not in itself guarantee security: an attack could violate |
210 Does not in itself guarantee security: an attack could violate |
211 the premises, e.g. by having @{term "A=Spy"}\<close> |
211 the premises, e.g. by having \<^term>\<open>A=Spy\<close>\<close> |
212 lemma secrecy_lemma: |
212 lemma secrecy_lemma: |
213 "[| A \<notin> bad; B \<notin> bad; evs \<in> otway |] |
213 "[| A \<notin> bad; B \<notin> bad; evs \<in> otway |] |
214 ==> Says Server B |
214 ==> Says Server B |
215 \<lbrace>NA, Crypt (shrK A) \<lbrace>NA, Key K\<rbrace>, |
215 \<lbrace>NA, Crypt (shrK A) \<lbrace>NA, Key K\<rbrace>, |
216 Crypt (shrK B) \<lbrace>NB, Key K\<rbrace>\<rbrace> \<in> set evs \<longrightarrow> |
216 Crypt (shrK B) \<lbrace>NB, Key K\<rbrace>\<rbrace> \<in> set evs \<longrightarrow> |
237 |
237 |
238 |
238 |
239 subsection\<open>Attempting to prove stronger properties\<close> |
239 subsection\<open>Attempting to prove stronger properties\<close> |
240 |
240 |
241 text\<open>Only OR1 can have caused such a part of a message to appear. The premise |
241 text\<open>Only OR1 can have caused such a part of a message to appear. The premise |
242 @{term "A \<noteq> B"} prevents OR2's similar-looking cryptogram from being picked |
242 \<^term>\<open>A \<noteq> B\<close> prevents OR2's similar-looking cryptogram from being picked |
243 up. Original Otway-Rees doesn't need it.\<close> |
243 up. Original Otway-Rees doesn't need it.\<close> |
244 lemma Crypt_imp_OR1 [rule_format]: |
244 lemma Crypt_imp_OR1 [rule_format]: |
245 "[| A \<notin> bad; A \<noteq> B; evs \<in> otway |] |
245 "[| A \<notin> bad; A \<noteq> B; evs \<in> otway |] |
246 ==> Crypt (shrK A) \<lbrace>NA, Agent A, Agent B\<rbrace> \<in> parts (knows Spy evs) \<longrightarrow> |
246 ==> Crypt (shrK A) \<lbrace>NA, Agent A, Agent B\<rbrace> \<in> parts (knows Spy evs) \<longrightarrow> |
247 Says A B \<lbrace>NA, Agent A, Agent B, |
247 Says A B \<lbrace>NA, Agent A, Agent B, |
250 drule_tac [4] OR2_parts_knows_Spy, simp_all, blast+) |
250 drule_tac [4] OR2_parts_knows_Spy, simp_all, blast+) |
251 |
251 |
252 |
252 |
253 text\<open>Crucial property: If the encrypted message appears, and A has used NA |
253 text\<open>Crucial property: If the encrypted message appears, and A has used NA |
254 to start a run, then it originated with the Server! |
254 to start a run, then it originated with the Server! |
255 The premise @{term "A \<noteq> B"} allows use of \<open>Crypt_imp_OR1\<close>\<close> |
255 The premise \<^term>\<open>A \<noteq> B\<close> allows use of \<open>Crypt_imp_OR1\<close>\<close> |
256 text\<open>Only it is FALSE. Somebody could make a fake message to Server |
256 text\<open>Only it is FALSE. Somebody could make a fake message to Server |
257 substituting some other nonce NA' for NB.\<close> |
257 substituting some other nonce NA' for NB.\<close> |
258 lemma "[| A \<notin> bad; A \<noteq> B; evs \<in> otway |] |
258 lemma "[| A \<notin> bad; A \<noteq> B; evs \<in> otway |] |
259 ==> Crypt (shrK A) \<lbrace>NA, Key K\<rbrace> \<in> parts (knows Spy evs) \<longrightarrow> |
259 ==> Crypt (shrK A) \<lbrace>NA, Key K\<rbrace> \<in> parts (knows Spy evs) \<longrightarrow> |
260 Says A B \<lbrace>NA, Agent A, Agent B, |
260 Says A B \<lbrace>NA, Agent A, Agent B, |