150 # evsPReqU \<in> set_pur" |
150 # evsPReqU \<in> set_pur" |
151 |
151 |
152 | PReqS: |
152 | PReqS: |
153 \<comment> \<open>SIGNED Purchase request. Page 77 of Formal Protocol Desc. |
153 \<comment> \<open>SIGNED Purchase request. Page 77 of Formal Protocol Desc. |
154 We could specify the equation |
154 We could specify the equation |
155 @{term "PIReqSigned = \<lbrace> PIDualSigned, OIDualSigned \<rbrace>"}, since the |
155 \<^term>\<open>PIReqSigned = \<lbrace> PIDualSigned, OIDualSigned \<rbrace>\<close>, since the |
156 Formal Desc. gives PIHead the same format in the unsigned case. |
156 Formal Desc. gives PIHead the same format in the unsigned case. |
157 However, there's little point, as P treats the signed and |
157 However, there's little point, as P treats the signed and |
158 unsigned cases differently.\<close> |
158 unsigned cases differently.\<close> |
159 "!!C Chall_C Chall_M EKj HOD KC2 LID_M M OIData |
159 "!!C Chall_C Chall_M EKj HOD KC2 LID_M M OIData |
160 OIDualSigned OrderDesc P PANData PIData PIDualSigned |
160 OIDualSigned OrderDesc P PANData PIData PIDualSigned |
429 lemma parts_image_priEK: |
429 lemma parts_image_priEK: |
430 "[|Key (priEK C) \<in> parts (Key`KK \<union> (knows Spy evs)); |
430 "[|Key (priEK C) \<in> parts (Key`KK \<union> (knows Spy evs)); |
431 evs \<in> set_pur|] ==> priEK C \<in> KK | C \<in> bad" |
431 evs \<in> set_pur|] ==> priEK C \<in> KK | C \<in> bad" |
432 by auto |
432 by auto |
433 |
433 |
434 text\<open>trivial proof because @{term"priEK C"} never appears even in |
434 text\<open>trivial proof because \<^term>\<open>priEK C\<close> never appears even in |
435 @{term "parts evs"}.\<close> |
435 \<^term>\<open>parts evs\<close>.\<close> |
436 lemma analz_image_priEK: |
436 lemma analz_image_priEK: |
437 "evs \<in> set_pur ==> |
437 "evs \<in> set_pur ==> |
438 (Key (priEK C) \<in> analz (Key`KK \<union> (knows Spy evs))) = |
438 (Key (priEK C) \<in> analz (Key`KK \<union> (knows Spy evs))) = |
439 (priEK C \<in> KK | C \<in> bad)" |
439 (priEK C \<in> KK | C \<in> bad)" |
440 by (blast dest!: parts_image_priEK intro: analz_mono [THEN [2] rev_subsetD]) |
440 by (blast dest!: parts_image_priEK intro: analz_mono [THEN [2] rev_subsetD]) |
732 lemma M_Notes_PG: |
732 lemma M_Notes_PG: |
733 "[|Notes M \<lbrace>Number LID_M, Agent P, Agent M, Agent C, etc\<rbrace> \<in> set evs; |
733 "[|Notes M \<lbrace>Number LID_M, Agent P, Agent M, Agent C, etc\<rbrace> \<in> set evs; |
734 evs \<in> set_pur|] ==> \<exists>j. P = PG j" |
734 evs \<in> set_pur|] ==> \<exists>j. P = PG j" |
735 by (erule rev_mp, erule set_pur.induct, simp_all) |
735 by (erule rev_mp, erule set_pur.induct, simp_all) |
736 |
736 |
737 text\<open>If we trust M, then @{term LID_M} determines his choice of P |
737 text\<open>If we trust M, then \<^term>\<open>LID_M\<close> determines his choice of P |
738 (Payment Gateway)\<close> |
738 (Payment Gateway)\<close> |
739 lemma goodM_gives_correct_PG: |
739 lemma goodM_gives_correct_PG: |
740 "[| MsgPInitRes = |
740 "[| MsgPInitRes = |
741 \<lbrace>Number LID_M, xid, cc, cm, cert P EKj onlyEnc (priSK RCA)\<rbrace>; |
741 \<lbrace>Number LID_M, xid, cc, cm, cert P EKj onlyEnc (priSK RCA)\<rbrace>; |
742 Crypt (priSK M) (Hash MsgPInitRes) \<in> parts (knows Spy evs); |
742 Crypt (priSK M) (Hash MsgPInitRes) \<in> parts (knows Spy evs); |
818 text\<open>When M receives AuthRes, he knows that P signed it, including |
818 text\<open>When M receives AuthRes, he knows that P signed it, including |
819 the identifying tags and the purchase amount, which he can verify. |
819 the identifying tags and the purchase amount, which he can verify. |
820 (Although the spec has SIGNED and UNSIGNED forms of AuthRes, they |
820 (Although the spec has SIGNED and UNSIGNED forms of AuthRes, they |
821 send the same message to M.) The conclusion is weak: M is existentially |
821 send the same message to M.) The conclusion is weak: M is existentially |
822 quantified! That is because Authorization Response does not refer to M, while |
822 quantified! That is because Authorization Response does not refer to M, while |
823 the digital envelope weakens the link between @{term MsgAuthRes} and |
823 the digital envelope weakens the link between \<^term>\<open>MsgAuthRes\<close> and |
824 @{term"priSK M"}. Changing the precondition to refer to |
824 \<^term>\<open>priSK M\<close>. Changing the precondition to refer to |
825 @{term "Crypt K (sign SK M)"} requires assuming @{term K} to be secure, since |
825 \<^term>\<open>Crypt K (sign SK M)\<close> requires assuming \<^term>\<open>K\<close> to be secure, since |
826 otherwise the Spy could create that message.\<close> |
826 otherwise the Spy could create that message.\<close> |
827 theorem M_verifies_AuthRes: |
827 theorem M_verifies_AuthRes: |
828 "[| MsgAuthRes = \<lbrace>\<lbrace>Number LID_M, Number XID, Number PurchAmt\<rbrace>, |
828 "[| MsgAuthRes = \<lbrace>\<lbrace>Number LID_M, Number XID, Number PurchAmt\<rbrace>, |
829 Hash authCode\<rbrace>; |
829 Hash authCode\<rbrace>; |
830 Crypt (priSK (PG j)) (Hash MsgAuthRes) \<in> parts (knows Spy evs); |
830 Crypt (priSK (PG j)) (Hash MsgAuthRes) \<in> parts (knows Spy evs); |
866 apply auto |
866 apply auto |
867 apply (blast dest: Gets_imp_Says Says_C_PInitRes) |
867 apply (blast dest: Gets_imp_Says Says_C_PInitRes) |
868 done |
868 done |
869 |
869 |
870 |
870 |
871 text\<open>Unicity of @{term LID_M} between Merchant and Cardholder notes\<close> |
871 text\<open>Unicity of \<^term>\<open>LID_M\<close> between Merchant and Cardholder notes\<close> |
872 lemma unique_LID_M: |
872 lemma unique_LID_M: |
873 "[|Notes (Merchant i) \<lbrace>Number LID_M, Agent P, Trans\<rbrace> \<in> set evs; |
873 "[|Notes (Merchant i) \<lbrace>Number LID_M, Agent P, Trans\<rbrace> \<in> set evs; |
874 Notes C \<lbrace>Number LID_M, Agent M, Agent C, Number OD, |
874 Notes C \<lbrace>Number LID_M, Agent M, Agent C, Number OD, |
875 Number PA\<rbrace> \<in> set evs; |
875 Number PA\<rbrace> \<in> set evs; |
876 evs \<in> set_pur|] |
876 evs \<in> set_pur|] |
879 apply (erule rev_mp) |
879 apply (erule rev_mp) |
880 apply (erule set_pur.induct, simp_all) |
880 apply (erule set_pur.induct, simp_all) |
881 apply (force dest!: Notes_imp_parts_subset_used) |
881 apply (force dest!: Notes_imp_parts_subset_used) |
882 done |
882 done |
883 |
883 |
884 text\<open>Unicity of @{term LID_M}, for two Merchant Notes events\<close> |
884 text\<open>Unicity of \<^term>\<open>LID_M\<close>, for two Merchant Notes events\<close> |
885 lemma unique_LID_M2: |
885 lemma unique_LID_M2: |
886 "[|Notes M \<lbrace>Number LID_M, Trans\<rbrace> \<in> set evs; |
886 "[|Notes M \<lbrace>Number LID_M, Trans\<rbrace> \<in> set evs; |
887 Notes M \<lbrace>Number LID_M, Trans'\<rbrace> \<in> set evs; |
887 Notes M \<lbrace>Number LID_M, Trans'\<rbrace> \<in> set evs; |
888 evs \<in> set_pur|] ==> Trans' = Trans" |
888 evs \<in> set_pur|] ==> Trans' = Trans" |
889 apply (erule rev_mp) |
889 apply (erule rev_mp) |
891 apply (erule set_pur.induct, simp_all) |
891 apply (erule set_pur.induct, simp_all) |
892 apply (force dest!: Notes_imp_parts_subset_used) |
892 apply (force dest!: Notes_imp_parts_subset_used) |
893 done |
893 done |
894 |
894 |
895 text\<open>Lemma needed below: for the case that |
895 text\<open>Lemma needed below: for the case that |
896 if PRes is present, then @{term LID_M} has been used.\<close> |
896 if PRes is present, then \<^term>\<open>LID_M\<close> has been used.\<close> |
897 lemma signed_imp_used: |
897 lemma signed_imp_used: |
898 "[| Crypt (priSK M) (Hash X) \<in> parts (knows Spy evs); |
898 "[| Crypt (priSK M) (Hash X) \<in> parts (knows Spy evs); |
899 M \<notin> bad; evs \<in> set_pur|] ==> parts {X} \<subseteq> used evs" |
899 M \<notin> bad; evs \<in> set_pur|] ==> parts {X} \<subseteq> used evs" |
900 apply (erule rev_mp) |
900 apply (erule rev_mp) |
901 apply (erule set_pur.induct) |
901 apply (erule set_pur.induct) |
1049 apply (blast dest!: Notes_Cardholder_self_False) |
1049 apply (blast dest!: Notes_Cardholder_self_False) |
1050 done |
1050 done |
1051 |
1051 |
1052 text\<open>When P sees a dual signature, he knows that it originated with C. |
1052 text\<open>When P sees a dual signature, he knows that it originated with C. |
1053 and was intended for M. This guarantee isn't useful to M, who never gets |
1053 and was intended for M. This guarantee isn't useful to M, who never gets |
1054 PIData. I don't see how to link @{term "PG j"} and \<open>LID_M\<close> without |
1054 PIData. I don't see how to link \<^term>\<open>PG j\<close> and \<open>LID_M\<close> without |
1055 assuming @{term "M \<notin> bad"}.\<close> |
1055 assuming \<^term>\<open>M \<notin> bad\<close>.\<close> |
1056 theorem P_verifies_Signed_PReq: |
1056 theorem P_verifies_Signed_PReq: |
1057 "[| MsgDualSign = \<lbrace>Hash PIData, HOIData\<rbrace>; |
1057 "[| MsgDualSign = \<lbrace>Hash PIData, HOIData\<rbrace>; |
1058 PIData = \<lbrace>PIHead, PANData\<rbrace>; |
1058 PIData = \<lbrace>PIHead, PANData\<rbrace>; |
1059 PIHead = \<lbrace>Number LID_M, Number XID, HOD, Number PurchAmt, Agent M, |
1059 PIHead = \<lbrace>Number LID_M, Number XID, HOD, Number PurchAmt, Agent M, |
1060 TransStain\<rbrace>; |
1060 TransStain\<rbrace>; |
1126 done |
1126 done |
1127 |
1127 |
1128 text\<open>When P receives an AuthReq and a dual signature, he knows that C and M |
1128 text\<open>When P receives an AuthReq and a dual signature, he knows that C and M |
1129 agree on the essential details. PurchAmt however is never sent by M to |
1129 agree on the essential details. PurchAmt however is never sent by M to |
1130 P; instead C and M both send |
1130 P; instead C and M both send |
1131 @{term "HOD = Hash\<lbrace>Number OrderDesc, Number PurchAmt\<rbrace>"} |
1131 \<^term>\<open>HOD = Hash\<lbrace>Number OrderDesc, Number PurchAmt\<rbrace>\<close> |
1132 and P compares the two copies of HOD. |
1132 and P compares the two copies of HOD. |
1133 |
1133 |
1134 Agreement can't be proved for some things, including the symmetric keys |
1134 Agreement can't be proved for some things, including the symmetric keys |
1135 used in the digital envelopes. On the other hand, M knows the true identity |
1135 used in the digital envelopes. On the other hand, M knows the true identity |
1136 of PG (namely j'), and sends AReq there; he can't, however, check that |
1136 of PG (namely j'), and sends AReq there; he can't, however, check that |