54 \<comment> \<open>Says is the only important case. |
54 \<comment> \<open>Says is the only important case. |
55 1st case: CR3, where KC1 encrypts NC2 (distinct from CR5 due to EXH); |
55 1st case: CR3, where KC1 encrypts NC2 (distinct from CR5 due to EXH); |
56 2nd case: CR5, where KC3 encrypts NC3; |
56 2nd case: CR5, where KC3 encrypts NC3; |
57 3rd case: CR6, where KC2 encrypts NC3; |
57 3rd case: CR6, where KC2 encrypts NC3; |
58 4th case: CR6, where KC2 encrypts NonceCCA; |
58 4th case: CR6, where KC2 encrypts NonceCCA; |
59 5th case: any use of @{term "priEK C"} (including CardSecret). |
59 5th case: any use of \<^term>\<open>priEK C\<close> (including CardSecret). |
60 NB the only Nonces we need to keep secret are CardSecret and NonceCCA. |
60 NB the only Nonces we need to keep secret are CardSecret and NonceCCA. |
61 But we can't prove \<open>Nonce_compromise\<close> unless the relation covers ALL |
61 But we can't prove \<open>Nonce_compromise\<close> unless the relation covers ALL |
62 nonces that the protocol keeps secret.\<close> |
62 nonces that the protocol keeps secret.\<close> |
63 "KeyCryptNonce DK N (ev # evs) = |
63 "KeyCryptNonce DK N (ev # evs) = |
64 (KeyCryptNonce DK N evs | |
64 (KeyCryptNonce DK N evs | |
122 - certificates are an encryption certificate (flag is onlyEnc) and a |
122 - certificates are an encryption certificate (flag is onlyEnc) and a |
123 signature certificate (flag is onlySig); |
123 signature certificate (flag is onlySig); |
124 - certificates pertain to the CA that C contacted (this is done by |
124 - certificates pertain to the CA that C contacted (this is done by |
125 checking the signature). |
125 checking the signature). |
126 C generates a fresh symmetric key KC1. |
126 C generates a fresh symmetric key KC1. |
127 The point of encrypting @{term "\<lbrace>Agent C, Nonce NC2, Hash (Pan(pan C))\<rbrace>"} |
127 The point of encrypting \<^term>\<open>\<lbrace>Agent C, Nonce NC2, Hash (Pan(pan C))\<rbrace>\<close> |
128 is not clear.\<close> |
128 is not clear.\<close> |
129 "[| evs3 \<in> set_cr; C = Cardholder k; |
129 "[| evs3 \<in> set_cr; C = Cardholder k; |
130 Nonce NC2 \<notin> used evs3; |
130 Nonce NC2 \<notin> used evs3; |
131 Key KC1 \<notin> used evs3; KC1 \<in> symKeys; |
131 Key KC1 \<notin> used evs3; KC1 \<in> symKeys; |
132 Gets C \<lbrace>sign (invKey SKi) \<lbrace>Agent X, Nonce NC1\<rbrace>, |
132 Gets C \<lbrace>sign (invKey SKi) \<lbrace>Agent X, Nonce NC1\<rbrace>, |
139 # evs3 \<in> set_cr" |
139 # evs3 \<in> set_cr" |
140 |
140 |
141 | SET_CR4: |
141 | SET_CR4: |
142 \<comment> \<open>RegFormRes: |
142 \<comment> \<open>RegFormRes: |
143 CA responds sending NC2 back with a new nonce NCA, after checking that |
143 CA responds sending NC2 back with a new nonce NCA, after checking that |
144 - the digital envelope is correctly encrypted by @{term "pubEK (CA i)"} |
144 - the digital envelope is correctly encrypted by \<^term>\<open>pubEK (CA i)\<close> |
145 - the entire message is encrypted with the same key found inside the |
145 - the entire message is encrypted with the same key found inside the |
146 envelope (here, KC1)\<close> |
146 envelope (here, KC1)\<close> |
147 "[| evs4 \<in> set_cr; |
147 "[| evs4 \<in> set_cr; |
148 Nonce NCA \<notin> used evs4; KC1 \<in> symKeys; |
148 Nonce NCA \<notin> used evs4; KC1 \<in> symKeys; |
149 Gets (CA i) (EXHcrypt KC1 EKi \<lbrace>Agent C, Nonce NC2\<rbrace> (Pan(pan X))) |
149 Gets (CA i) (EXHcrypt KC1 EKi \<lbrace>Agent C, Nonce NC2\<rbrace> (Pan(pan X))) |
184 |
184 |
185 \<comment> \<open>CertRes: CA responds sending NC3 back with its half of the secret value, |
185 \<comment> \<open>CertRes: CA responds sending NC3 back with its half of the secret value, |
186 its signature certificate and the new cardholder signature |
186 its signature certificate and the new cardholder signature |
187 certificate. CA checks to have never certified the key proposed by C. |
187 certificate. CA checks to have never certified the key proposed by C. |
188 NOTE: In Merchant Registration, the corresponding rule (4) |
188 NOTE: In Merchant Registration, the corresponding rule (4) |
189 uses the "sign" primitive. The encryption below is actually @{term EncK}, |
189 uses the "sign" primitive. The encryption below is actually \<^term>\<open>EncK\<close>, |
190 which is just @{term "Crypt K (sign SK X)"}.\<close> |
190 which is just \<^term>\<open>Crypt K (sign SK X)\<close>.\<close> |
191 |
191 |
192 | SET_CR6: |
192 | SET_CR6: |
193 "[| evs6 \<in> set_cr; |
193 "[| evs6 \<in> set_cr; |
194 Nonce NonceCCA \<notin> used evs6; |
194 Nonce NonceCCA \<notin> used evs6; |
195 KC2 \<in> symKeys; KC3 \<in> symKeys; cardSK \<notin> symKeys; |
195 KC2 \<in> symKeys; KC3 \<in> symKeys; cardSK \<notin> symKeys; |
494 apply (auto simp add: parts_insert2 split: event.split) |
494 apply (auto simp add: parts_insert2 split: event.split) |
495 done |
495 done |
496 |
496 |
497 |
497 |
498 text\<open>This holds because if (priEK (CA i)) appears in any traffic then it must |
498 text\<open>This holds because if (priEK (CA i)) appears in any traffic then it must |
499 be known to the Spy, by @{term Spy_see_private_Key}\<close> |
499 be known to the Spy, by \<^term>\<open>Spy_see_private_Key\<close>\<close> |
500 lemma cardSK_neq_priEK: |
500 lemma cardSK_neq_priEK: |
501 "[|Key cardSK \<notin> analz (knows Spy evs); |
501 "[|Key cardSK \<notin> analz (knows Spy evs); |
502 Key cardSK \<in> parts (knows Spy evs); |
502 Key cardSK \<in> parts (knows Spy evs); |
503 evs \<in> set_cr|] ==> cardSK \<noteq> priEK C" |
503 evs \<in> set_cr|] ==> cardSK \<noteq> priEK C" |
504 by blast |
504 by blast |
911 subsection\<open>Rewriting Rule for PANs\<close> |
911 subsection\<open>Rewriting Rule for PANs\<close> |
912 |
912 |
913 text\<open>Lemma for message 6: either cardSK isn't a CA's private encryption key, |
913 text\<open>Lemma for message 6: either cardSK isn't a CA's private encryption key, |
914 or if it is then (because it appears in traffic) that CA is bad, |
914 or if it is then (because it appears in traffic) that CA is bad, |
915 and so the Spy knows that key already. Either way, we can simplify |
915 and so the Spy knows that key already. Either way, we can simplify |
916 the expression @{term "analz (insert (Key cardSK) X)"}.\<close> |
916 the expression \<^term>\<open>analz (insert (Key cardSK) X)\<close>.\<close> |
917 lemma msg6_cardSK_disj: |
917 lemma msg6_cardSK_disj: |
918 "[|Gets A \<lbrace>Crypt K \<lbrace>c, n, k', Key cardSK, X\<rbrace>, Y\<rbrace> |
918 "[|Gets A \<lbrace>Crypt K \<lbrace>c, n, k', Key cardSK, X\<rbrace>, Y\<rbrace> |
919 \<in> set evs; evs \<in> set_cr |] |
919 \<in> set evs; evs \<in> set_cr |] |
920 ==> cardSK \<notin> range(invKey o pubEK o CA) | Key cardSK \<in> knows Spy evs" |
920 ==> cardSK \<notin> range(invKey o pubEK o CA) | Key cardSK \<in> knows Spy evs" |
921 by auto |
921 by auto |
952 by (simp del: image_insert image_Un |
952 by (simp del: image_insert image_Un |
953 add: analz_image_keys_simps analz_image_pan) |
953 add: analz_image_keys_simps analz_image_pan) |
954 |
954 |
955 |
955 |
956 text\<open>Confidentiality of the PAN\@. Maybe we could combine the statements of |
956 text\<open>Confidentiality of the PAN\@. Maybe we could combine the statements of |
957 this theorem with @{term analz_image_pan}, requiring a single induction but |
957 this theorem with \<^term>\<open>analz_image_pan\<close>, requiring a single induction but |
958 a much more difficult proof.\<close> |
958 a much more difficult proof.\<close> |
959 lemma pan_confidentiality: |
959 lemma pan_confidentiality: |
960 "[| Pan (pan C) \<in> analz(knows Spy evs); C \<noteq>Spy; evs \<in> set_cr|] |
960 "[| Pan (pan C) \<in> analz(knows Spy evs); C \<noteq>Spy; evs \<in> set_cr|] |
961 ==> \<exists>i X K HN. |
961 ==> \<exists>i X K HN. |
962 Says C (CA i) \<lbrace>X, Crypt (pubEK (CA i)) \<lbrace>Key K, Pan (pan C), HN\<rbrace> \<rbrace> |
962 Says C (CA i) \<lbrace>X, Crypt (pubEK (CA i)) \<lbrace>Key K, Pan (pan C), HN\<rbrace> \<rbrace> |