diff -r e381884c09d4 -r cdc14f94c754 src/HOL/Auth/TLS.thy --- a/src/HOL/Auth/TLS.thy Thu Oct 13 14:49:15 2022 +0200 +++ b/src/HOL/Auth/TLS.thy Thu Oct 13 15:38:32 2022 +0100 @@ -102,14 +102,14 @@ | Fake: \ \The Spy may say anything he can say. The sender field is correct, but agents don't use that information.\ - "[| evsf \ tls; X \ synth (analz (spies evsf)) |] - ==> Says Spy B X # evsf \ tls" + "\evsf \ tls; X \ synth (analz (spies evsf))\ + \ Says Spy B X # evsf \ tls" | SpyKeys: \ \The spy may apply \<^term>\PRF\ and \<^term>\sessionK\ to available nonces\ - "[| evsSK \ tls; - {Nonce NA, Nonce NB, Nonce M} \ analz (spies evsSK) |] - ==> Notes Spy \ Nonce (PRF(M,NA,NB)), + "\evsSK \ tls; + {Nonce NA, Nonce NB, Nonce M} \ analz (spies evsSK)\ + \ Notes Spy \ Nonce (PRF(M,NA,NB)), Key (sessionK((NA,NB,M),role))\ # evsSK \ tls" | ClientHello: @@ -120,8 +120,8 @@ UNIX TIME is omitted because the protocol doesn't use it. May assume \<^term>\NA \ range PRF\ because CLIENT RANDOM is 28 bytes while MASTER SECRET is 48 bytes\ - "[| evsCH \ tls; Nonce NA \ used evsCH; NA \ range PRF |] - ==> Says A B \Agent A, Nonce NA, Number SID, Number PA\ + "\evsCH \ tls; Nonce NA \ used evsCH; NA \ range PRF\ + \ Says A B \Agent A, Nonce NA, Number SID, Number PA\ # evsCH \ tls" | ServerHello: @@ -129,14 +129,14 @@ PB represents \CLIENT_VERSION\, \CIPHER_SUITE\ and \COMPRESSION_METHOD\. SERVER CERTIFICATE (7.4.2) is always present. \CERTIFICATE_REQUEST\ (7.4.4) is implied.\ - "[| evsSH \ tls; Nonce NB \ used evsSH; NB \ range PRF; + "\evsSH \ tls; Nonce NB \ used evsSH; NB \ range PRF; Says A' B \Agent A, Nonce NA, Number SID, Number PA\ - \ set evsSH |] - ==> Says B A \Nonce NB, Number SID, Number PB\ # evsSH \ tls" + \ set evsSH\ + \ Says B A \Nonce NB, Number SID, Number PB\ # evsSH \ tls" | Certificate: \ \SERVER (7.4.2) or CLIENT (7.4.6) CERTIFICATE.\ - "evsC \ tls ==> Says B A (certificate B (pubK B)) # evsC \ tls" + "evsC \ tls \ Says B A (certificate B (pubK B)) # evsC \ tls" | ClientKeyExch: \ \CLIENT KEY EXCHANGE (7.4.7). @@ -147,9 +147,9 @@ both items have the same length, 48 bytes). The Note event records in the trace that she knows PMS (see REMARK at top).\ - "[| evsCX \ tls; Nonce PMS \ used evsCX; PMS \ range PRF; - Says B' A (certificate B KB) \ set evsCX |] - ==> Says A B (Crypt KB (Nonce PMS)) + "\evsCX \ tls; Nonce PMS \ used evsCX; PMS \ range PRF; + Says B' A (certificate B KB) \ set evsCX\ + \ Says A B (Crypt KB (Nonce PMS)) # Notes A \Agent B, Nonce PMS\ # evsCX \ tls" @@ -159,10 +159,10 @@ It adds the pre-master-secret, which is also essential! Checking the signature, which is the only use of A's certificate, assures B of A's presence\ - "[| evsCV \ tls; + "\evsCV \ tls; Says B' A \Nonce NB, Number SID, Number PB\ \ set evsCV; - Notes A \Agent B, Nonce PMS\ \ set evsCV |] - ==> Says A B (Crypt (priK A) (Hash\Nonce NB, Agent B, Nonce PMS\)) + Notes A \Agent B, Nonce PMS\ \ set evsCV\ + \ Says A B (Crypt (priK A) (Hash\Nonce NB, Agent B, Nonce PMS\)) # evsCV \ tls" \ \Finally come the FINISHED messages (7.4.8), confirming PA and PB @@ -176,13 +176,13 @@ Spy does not know PMS and could not send ClientFinished. One could simply put \<^term>\A\Spy\ into the rule, but one should not expect the spy to be well-behaved.\ - "[| evsCF \ tls; + "\evsCF \ tls; Says A B \Agent A, Nonce NA, Number SID, Number PA\ \ set evsCF; Says B' A \Nonce NB, Number SID, Number PB\ \ set evsCF; Notes A \Agent B, Nonce PMS\ \ set evsCF; - M = PRF(PMS,NA,NB) |] - ==> Says A B (Crypt (clientK(NA,NB,M)) + M = PRF(PMS,NA,NB)\ + \ Says A B (Crypt (clientK(NA,NB,M)) (Hash\Number SID, Nonce M, Nonce NA, Number PA, Agent A, Nonce NB, Number PB, Agent B\)) @@ -191,13 +191,13 @@ | ServerFinished: \ \Keeping A' and A'' distinct means B cannot even check that the two messages originate from the same source.\ - "[| evsSF \ tls; + "\evsSF \ tls; Says A' B \Agent A, Nonce NA, Number SID, Number PA\ \ set evsSF; Says B A \Nonce NB, Number SID, Number PB\ \ set evsSF; Says A'' B (Crypt (pubK B) (Nonce PMS)) \ set evsSF; - M = PRF(PMS,NA,NB) |] - ==> Says B A (Crypt (serverK(NA,NB,M)) + M = PRF(PMS,NA,NB)\ + \ Says B A (Crypt (serverK(NA,NB,M)) (Hash\Number SID, Nonce M, Nonce NA, Number PA, Agent A, Nonce NB, Number PB, Agent B\)) @@ -208,15 +208,15 @@ message encrypted with serverK, the client stores the parameters needed to resume this session. The "Notes A ..." premise is used to prove \Notes_master_imp_Crypt_PMS\.\ - "[| evsCA \ tls; + "\evsCA \ tls; Notes A \Agent B, Nonce PMS\ \ set evsCA; M = PRF(PMS,NA,NB); X = Hash\Number SID, Nonce M, Nonce NA, Number PA, Agent A, Nonce NB, Number PB, Agent B\; Says A B (Crypt (clientK(NA,NB,M)) X) \ set evsCA; - Says B' A (Crypt (serverK(NA,NB,M)) X) \ set evsCA |] - ==> + Says B' A (Crypt (serverK(NA,NB,M)) X) \ set evsCA\ + \ Notes A \Number SID, Agent A, Agent B, Nonce M\ # evsCA \ tls" | ServerAccepts: @@ -224,7 +224,7 @@ message encrypted with clientK, the server stores the parameters needed to resume this session. The "Says A'' B ..." premise is used to prove \Notes_master_imp_Crypt_PMS\.\ - "[| evsSA \ tls; + "\evsSA \ tls; A \ B; Says A'' B (Crypt (pubK B) (Nonce PMS)) \ set evsSA; M = PRF(PMS,NA,NB); @@ -232,18 +232,18 @@ Nonce NA, Number PA, Agent A, Nonce NB, Number PB, Agent B\; Says B A (Crypt (serverK(NA,NB,M)) X) \ set evsSA; - Says A' B (Crypt (clientK(NA,NB,M)) X) \ set evsSA |] - ==> + Says A' B (Crypt (clientK(NA,NB,M)) X) \ set evsSA\ + \ Notes B \Number SID, Agent A, Agent B, Nonce M\ # evsSA \ tls" | ClientResume: \ \If A recalls the \SESSION_ID\, then she sends a FINISHED message using the new nonces and stored MASTER SECRET.\ - "[| evsCR \ tls; + "\evsCR \ tls; Says A B \Agent A, Nonce NA, Number SID, Number PA\ \ set evsCR; Says B' A \Nonce NB, Number SID, Number PB\ \ set evsCR; - Notes A \Number SID, Agent A, Agent B, Nonce M\ \ set evsCR |] - ==> Says A B (Crypt (clientK(NA,NB,M)) + Notes A \Number SID, Agent A, Agent B, Nonce M\ \ set evsCR\ + \ Says A B (Crypt (clientK(NA,NB,M)) (Hash\Number SID, Nonce M, Nonce NA, Number PA, Agent A, Nonce NB, Number PB, Agent B\)) @@ -252,11 +252,11 @@ | ServerResume: \ \Resumption (7.3): If B finds the \SESSION_ID\ then he can send a FINISHED message using the recovered MASTER SECRET\ - "[| evsSR \ tls; + "\evsSR \ tls; Says A' B \Agent A, Nonce NA, Number SID, Number PA\ \ set evsSR; Says B A \Nonce NB, Number SID, Number PB\ \ set evsSR; - Notes B \Number SID, Agent A, Agent B, Nonce M\ \ set evsSR |] - ==> Says B A (Crypt (serverK(NA,NB,M)) + Notes B \Number SID, Agent A, Agent B, Nonce M\ \ set evsSR\ + \ Says B A (Crypt (serverK(NA,NB,M)) (Hash\Number SID, Nonce M, Nonce NA, Number PA, Agent A, Nonce NB, Number PB, Agent B\)) # evsSR @@ -268,9 +268,9 @@ rather unlikely. The assumption \<^term>\A\Spy\ is essential: otherwise the Spy could learn session keys merely by replaying messages!\ - "[| evso \ tls; A \ Spy; - Says A B (Crypt (sessionK((NA,NB,M),role)) X) \ set evso |] - ==> Says A Spy (Key (sessionK((NA,NB,M),role))) # evso \ tls" + "\evso \ tls; A \ Spy; + Says A B (Crypt (sessionK((NA,NB,M),role)) X) \ set evso\ + \ Says A Spy (Key (sessionK((NA,NB,M),role))) # evso \ tls" (* Protocol goals: @@ -331,8 +331,8 @@ text\Possibility property ending with ClientAccepts.\ -lemma "[| \evs. (SOME N. Nonce N \ used evs) \ range PRF; A \ B |] - ==> \SID M. \evs \ tls. +lemma "\\evs. (SOME N. Nonce N \ used evs) \ range PRF; A \ B\ + \ \SID M. \evs \ tls. Notes A \Number SID, Agent A, Agent B, Nonce M\ \ set evs" apply (intro exI bexI) apply (rule_tac [2] tls.Nil @@ -344,8 +344,8 @@ text\And one for ServerAccepts. Either FINISHED message may come first.\ -lemma "[| \evs. (SOME N. Nonce N \ used evs) \ range PRF; A \ B |] - ==> \SID NA PA NB PB M. \evs \ tls. +lemma "\\evs. (SOME N. Nonce N \ used evs) \ range PRF; A \ B\ + \ \SID NA PA NB PB M. \evs \ tls. Notes B \Number SID, Agent A, Agent B, Nonce M\ \ set evs" apply (intro exI bexI) apply (rule_tac [2] tls.Nil @@ -357,8 +357,8 @@ text\Another one, for CertVerify (which is optional)\ -lemma "[| \evs. (SOME N. Nonce N \ used evs) \ range PRF; A \ B |] - ==> \NB PMS. \evs \ tls. +lemma "\\evs. (SOME N. Nonce N \ used evs) \ range PRF; A \ B\ + \ \NB PMS. \evs \ tls. Says A B (Crypt (priK A) (Hash\Nonce NB, Agent B, Nonce PMS\)) \ set evs" apply (intro exI bexI) @@ -371,12 +371,12 @@ text\Another one, for session resumption (both ServerResume and ClientResume). NO tls.Nil here: we refer to a previous session, not the empty trace.\ -lemma "[| evs0 \ tls; +lemma "\evs0 \ tls; Notes A \Number SID, Agent A, Agent B, Nonce M\ \ set evs0; Notes B \Number SID, Agent A, Agent B, Nonce M\ \ set evs0; \evs. (SOME N. Nonce N \ used evs) \ range PRF; - A \ B |] - ==> \NA PA NB PB X. \evs \ tls. + A \ B\ + \ \NA PA NB PB X. \evs \ tls. X = Hash\Number SID, Nonce M, Nonce NA, Number PA, Agent A, Nonce NB, Number PB, Agent B\ \ @@ -397,15 +397,15 @@ text\Spy never sees a good agent's private key!\ lemma Spy_see_priK [simp]: - "evs \ tls ==> (Key (privateKey b A) \ parts (spies evs)) = (A \ bad)" + "evs \ tls \ (Key (privateKey b A) \ parts (spies evs)) = (A \ bad)" by (erule tls.induct, force, simp_all, blast) lemma Spy_analz_priK [simp]: - "evs \ tls ==> (Key (privateKey b A) \ analz (spies evs)) = (A \ bad)" + "evs \ tls \ (Key (privateKey b A) \ analz (spies evs)) = (A \ bad)" by auto lemma Spy_see_priK_D [dest!]: - "[|Key (privateKey b A) \ parts (knows Spy evs); evs \ tls|] ==> A \ bad" + "\Key (privateKey b A) \ parts (knows Spy evs); evs \ tls\ \ A \ bad" by (blast dest: Spy_see_priK) @@ -414,7 +414,7 @@ little point in doing so: the loss of their private keys is a worse breach of security.\ lemma certificate_valid: - "[| certificate B KB \ parts (spies evs); evs \ tls |] ==> KB = pubK B" + "\certificate B KB \ parts (spies evs); evs \ tls\ \ KB = pubK B" apply (erule rev_mp) apply (erule tls.induct, force, simp_all, blast) done @@ -425,8 +425,8 @@ subsubsection\Properties of items found in Notes\ lemma Notes_Crypt_parts_spies: - "[| Notes A \Agent B, X\ \ set evs; evs \ tls |] - ==> Crypt (pubK B) X \ parts (spies evs)" + "\Notes A \Agent B, X\ \ set evs; evs \ tls\ + \ Crypt (pubK B) X \ parts (spies evs)" apply (erule rev_mp) apply (erule tls.induct, frule_tac [7] CX_KB_is_pubKB, force, simp_all) @@ -435,9 +435,9 @@ text\C may be either A or B\ lemma Notes_master_imp_Crypt_PMS: - "[| Notes C \s, Agent A, Agent B, Nonce(PRF(PMS,NA,NB))\ \ set evs; - evs \ tls |] - ==> Crypt (pubK B) (Nonce PMS) \ parts (spies evs)" + "\Notes C \s, Agent A, Agent B, Nonce(PRF(PMS,NA,NB))\ \ set evs; + evs \ tls\ + \ Crypt (pubK B) (Nonce PMS) \ parts (spies evs)" apply (erule rev_mp) apply (erule tls.induct, force, simp_all) txt\Fake\ @@ -448,9 +448,9 @@ text\Compared with the theorem above, both premise and conclusion are stronger\ lemma Notes_master_imp_Notes_PMS: - "[| Notes A \s, Agent A, Agent B, Nonce(PRF(PMS,NA,NB))\ \ set evs; - evs \ tls |] - ==> Notes A \Agent B, Nonce PMS\ \ set evs" + "\Notes A \s, Agent A, Agent B, Nonce(PRF(PMS,NA,NB))\ \ set evs; + evs \ tls\ + \ Notes A \Agent B, Nonce PMS\ \ set evs" apply (erule rev_mp) apply (erule tls.induct, force, simp_all) txt\ServerAccepts\ @@ -462,45 +462,45 @@ text\B can check A's signature if he has received A's certificate.\ lemma TrustCertVerify_lemma: - "[| X \ parts (spies evs); + "\X \ parts (spies evs); X = Crypt (priK A) (Hash\nb, Agent B, pms\); - evs \ tls; A \ bad |] - ==> Says A B X \ set evs" + evs \ tls; A \ bad\ + \ Says A B X \ set evs" apply (erule rev_mp, erule ssubst) apply (erule tls.induct, force, simp_all, blast) done text\Final version: B checks X using the distributed KA instead of priK A\ lemma TrustCertVerify: - "[| X \ parts (spies evs); + "\X \ parts (spies evs); X = Crypt (invKey KA) (Hash\nb, Agent B, pms\); certificate A KA \ parts (spies evs); - evs \ tls; A \ bad |] - ==> Says A B X \ set evs" + evs \ tls; A \ bad\ + \ Says A B X \ set evs" by (blast dest!: certificate_valid intro!: TrustCertVerify_lemma) text\If CertVerify is present then A has chosen PMS.\ lemma UseCertVerify_lemma: - "[| Crypt (priK A) (Hash\nb, Agent B, Nonce PMS\) \ parts (spies evs); - evs \ tls; A \ bad |] - ==> Notes A \Agent B, Nonce PMS\ \ set evs" + "\Crypt (priK A) (Hash\nb, Agent B, Nonce PMS\) \ parts (spies evs); + evs \ tls; A \ bad\ + \ Notes A \Agent B, Nonce PMS\ \ set evs" apply (erule rev_mp) apply (erule tls.induct, force, simp_all, blast) done text\Final version using the distributed KA instead of priK A\ lemma UseCertVerify: - "[| Crypt (invKey KA) (Hash\nb, Agent B, Nonce PMS\) + "\Crypt (invKey KA) (Hash\nb, Agent B, Nonce PMS\) \ parts (spies evs); certificate A KA \ parts (spies evs); - evs \ tls; A \ bad |] - ==> Notes A \Agent B, Nonce PMS\ \ set evs" + evs \ tls; A \ bad\ + \ Notes A \Agent B, Nonce PMS\ \ set evs" by (blast dest!: certificate_valid intro!: UseCertVerify_lemma) lemma no_Notes_A_PRF [simp]: - "evs \ tls ==> Notes A \Agent B, Nonce (PRF x)\ \ set evs" + "evs \ tls \ Notes A \Agent B, Nonce (PRF x)\ \ set evs" apply (erule tls.induct, force, simp_all) txt\ClientKeyExch: PMS is assumed to differ from any PRF.\ apply blast @@ -508,8 +508,8 @@ lemma MS_imp_PMS [dest!]: - "[| Nonce (PRF (PMS,NA,NB)) \ parts (spies evs); evs \ tls |] - ==> Nonce PMS \ parts (spies evs)" + "\Nonce (PRF (PMS,NA,NB)) \ parts (spies evs); evs \ tls\ + \ Nonce PMS \ parts (spies evs)" apply (erule rev_mp) apply (erule tls.induct, force, simp_all) txt\Fake\ @@ -525,11 +525,11 @@ text\PMS determines B.\ lemma Crypt_unique_PMS: - "[| Crypt(pubK B) (Nonce PMS) \ parts (spies evs); + "\Crypt(pubK B) (Nonce PMS) \ parts (spies evs); Crypt(pubK B') (Nonce PMS) \ parts (spies evs); Nonce PMS \ analz (spies evs); - evs \ tls |] - ==> B=B'" + evs \ tls\ + \ B=B'" apply (erule rev_mp, erule rev_mp, erule rev_mp) apply (erule tls.induct, analz_mono_contra, force, simp_all (no_asm_simp)) txt\Fake, ClientKeyExch\ @@ -545,10 +545,10 @@ text\In A's internal Note, PMS determines A and B.\ lemma Notes_unique_PMS: - "[| Notes A \Agent B, Nonce PMS\ \ set evs; + "\Notes A \Agent B, Nonce PMS\ \ set evs; Notes A' \Agent B', Nonce PMS\ \ set evs; - evs \ tls |] - ==> A=A' \ B=B'" + evs \ tls\ + \ A=A' \ B=B'" apply (erule rev_mp, erule rev_mp) apply (erule tls.induct, force, simp_all) txt\ClientKeyExch\ @@ -562,7 +562,7 @@ No collection of keys can help the spy get new private keys.\ lemma analz_image_priK [rule_format]: "evs \ tls - ==> \KK. (Key(priK B) \ analz (Key`KK \ (spies evs))) = + \ \KK. (Key(priK B) \ analz (Key`KK \ (spies evs))) = (priK B \ KK | B \ bad)" apply (erule tls.induct) apply (simp_all (no_asm_simp) @@ -582,7 +582,7 @@ text\Lemma for the trivial direction of the if-and-only-if\ lemma analz_image_keys_lemma: - "(X \ analz (G \ H)) \ (X \ analz H) ==> + "(X \ analz (G \ H)) \ (X \ analz H) \ (X \ analz (G \ H)) = (X \ analz H)" by (blast intro: analz_mono [THEN subsetD]) @@ -592,7 +592,7 @@ **) lemma analz_image_keys [rule_format]: - "evs \ tls ==> + "evs \ tls \ \KK. KK \ range sessionK \ (Nonce N \ analz (Key`KK \ (spies evs))) = (Nonce N \ analz (spies evs))" @@ -611,7 +611,7 @@ text\Knowing some session keys is no help in getting new nonces\ lemma analz_insert_key [simp]: - "evs \ tls ==> + "evs \ tls \ (Nonce N \ analz (insert (Key (sessionK z)) (spies evs))) = (Nonce N \ analz (spies evs))" by (simp del: image_insert @@ -628,10 +628,10 @@ Converse doesn't hold; revealing PMS doesn't force the keys to be sent. THEY ARE NOT SUITABLE AS SAFE ELIM RULES.\ lemma PMS_lemma: - "[| Nonce PMS \ parts (spies evs); + "\Nonce PMS \ parts (spies evs); K = sessionK((Na, Nb, PRF(PMS,NA,NB)), role); - evs \ tls |] - ==> Key K \ parts (spies evs) \ (\Y. Crypt K Y \ parts (spies evs))" + evs \ tls\ + \ Key K \ parts (spies evs) \ (\Y. Crypt K Y \ parts (spies evs))" apply (erule rev_mp, erule ssubst) apply (erule tls.induct, frule_tac [7] CX_KB_is_pubKB) apply (force, simp_all (no_asm_simp)) @@ -644,15 +644,15 @@ done lemma PMS_sessionK_not_spied: - "[| Key (sessionK((Na, Nb, PRF(PMS,NA,NB)), role)) \ parts (spies evs); - evs \ tls |] - ==> Nonce PMS \ parts (spies evs)" + "\Key (sessionK((Na, Nb, PRF(PMS,NA,NB)), role)) \ parts (spies evs); + evs \ tls\ + \ Nonce PMS \ parts (spies evs)" by (blast dest: PMS_lemma) lemma PMS_Crypt_sessionK_not_spied: - "[| Crypt (sessionK((Na, Nb, PRF(PMS,NA,NB)), role)) Y - \ parts (spies evs); evs \ tls |] - ==> Nonce PMS \ parts (spies evs)" + "\Crypt (sessionK((Na, Nb, PRF(PMS,NA,NB)), role)) Y + \ parts (spies evs); evs \ tls\ + \ Nonce PMS \ parts (spies evs)" by (blast dest: PMS_lemma) text\Write keys are never sent if M (MASTER SECRET) is secure. @@ -661,9 +661,9 @@ with some effort. NO LONGER USED: see \clientK_not_spied\ and \serverK_not_spied\\ lemma sessionK_not_spied: - "[| \A. Says A Spy (Key (sessionK((NA,NB,M),role))) \ set evs; - Nonce M \ analz (spies evs); evs \ tls |] - ==> Key (sessionK((NA,NB,M),role)) \ parts (spies evs)" + "\\A. Says A Spy (Key (sessionK((NA,NB,M),role))) \ set evs; + Nonce M \ analz (spies evs); evs \ tls\ + \ Key (sessionK((NA,NB,M),role)) \ parts (spies evs)" apply (erule rev_mp, erule rev_mp) apply (erule tls.induct, analz_mono_contra) apply (force, simp_all (no_asm_simp)) @@ -674,9 +674,9 @@ text\If A sends ClientKeyExch to an honest B, then the PMS will stay secret.\ lemma Spy_not_see_PMS: - "[| Notes A \Agent B, Nonce PMS\ \ set evs; - evs \ tls; A \ bad; B \ bad |] - ==> Nonce PMS \ analz (spies evs)" + "\Notes A \Agent B, Nonce PMS\ \ set evs; + evs \ tls; A \ bad; B \ bad\ + \ Nonce PMS \ analz (spies evs)" apply (erule rev_mp, erule tls.induct, frule_tac [7] CX_KB_is_pubKB) apply (force, simp_all (no_asm_simp)) txt\Fake\ @@ -696,9 +696,9 @@ text\If A sends ClientKeyExch to an honest B, then the MASTER SECRET will stay secret.\ lemma Spy_not_see_MS: - "[| Notes A \Agent B, Nonce PMS\ \ set evs; - evs \ tls; A \ bad; B \ bad |] - ==> Nonce (PRF(PMS,NA,NB)) \ analz (spies evs)" + "\Notes A \Agent B, Nonce PMS\ \ set evs; + evs \ tls; A \ bad; B \ bad\ + \ Nonce (PRF(PMS,NA,NB)) \ analz (spies evs)" apply (erule rev_mp, erule tls.induct, frule_tac [7] CX_KB_is_pubKB) apply (force, simp_all (no_asm_simp)) txt\Fake\ @@ -719,10 +719,10 @@ text\If A created PMS then nobody else (except the Spy in replays) would send a message using a clientK generated from that PMS.\ lemma Says_clientK_unique: - "[| Says A' B' (Crypt (clientK(Na,Nb,PRF(PMS,NA,NB))) Y) \ set evs; + "\Says A' B' (Crypt (clientK(Na,Nb,PRF(PMS,NA,NB))) Y) \ set evs; Notes A \Agent B, Nonce PMS\ \ set evs; - evs \ tls; A' \ Spy |] - ==> A = A'" + evs \ tls; A' \ Spy\ + \ A = A'" apply (erule rev_mp, erule rev_mp) apply (erule tls.induct, frule_tac [7] CX_KB_is_pubKB) apply (force, simp_all) @@ -737,11 +737,11 @@ text\If A created PMS and has not leaked her clientK to the Spy, then it is completely secure: not even in parts!\ lemma clientK_not_spied: - "[| Notes A \Agent B, Nonce PMS\ \ set evs; + "\Notes A \Agent B, Nonce PMS\ \ set evs; Says A Spy (Key (clientK(Na,Nb,PRF(PMS,NA,NB)))) \ set evs; A \ bad; B \ bad; - evs \ tls |] - ==> Key (clientK(Na,Nb,PRF(PMS,NA,NB))) \ parts (spies evs)" + evs \ tls\ + \ Key (clientK(Na,Nb,PRF(PMS,NA,NB))) \ parts (spies evs)" apply (erule rev_mp, erule rev_mp) apply (erule tls.induct, frule_tac [7] CX_KB_is_pubKB) apply (force, simp_all (no_asm_simp)) @@ -761,10 +761,10 @@ text\If A created PMS for B, then nobody other than B or the Spy would send a message using a serverK generated from that PMS.\ lemma Says_serverK_unique: - "[| Says B' A' (Crypt (serverK(Na,Nb,PRF(PMS,NA,NB))) Y) \ set evs; + "\Says B' A' (Crypt (serverK(Na,Nb,PRF(PMS,NA,NB))) Y) \ set evs; Notes A \Agent B, Nonce PMS\ \ set evs; - evs \ tls; A \ bad; B \ bad; B' \ Spy |] - ==> B = B'" + evs \ tls; A \ bad; B \ bad; B' \ Spy\ + \ B = B'" apply (erule rev_mp, erule rev_mp) apply (erule tls.induct, frule_tac [7] CX_KB_is_pubKB) apply (force, simp_all) @@ -779,10 +779,10 @@ text\If A created PMS for B, and B has not leaked his serverK to the Spy, then it is completely secure: not even in parts!\ lemma serverK_not_spied: - "[| Notes A \Agent B, Nonce PMS\ \ set evs; + "\Notes A \Agent B, Nonce PMS\ \ set evs; Says B Spy (Key(serverK(Na,Nb,PRF(PMS,NA,NB)))) \ set evs; - A \ bad; B \ bad; evs \ tls |] - ==> Key (serverK(Na,Nb,PRF(PMS,NA,NB))) \ parts (spies evs)" + A \ bad; B \ bad; evs \ tls\ + \ Key (serverK(Na,Nb,PRF(PMS,NA,NB))) \ parts (spies evs)" apply (erule rev_mp, erule rev_mp) apply (erule tls.induct, frule_tac [7] CX_KB_is_pubKB) apply (force, simp_all (no_asm_simp)) @@ -803,13 +803,13 @@ text\The mention of her name (A) in X assures A that B knows who she is.\ lemma TrustServerFinished [rule_format]: - "[| X = Crypt (serverK(Na,Nb,M)) + "\X = Crypt (serverK(Na,Nb,M)) (Hash\Number SID, Nonce M, Nonce Na, Number PA, Agent A, Nonce Nb, Number PB, Agent B\); M = PRF(PMS,NA,NB); - evs \ tls; A \ bad; B \ bad |] - ==> Says B Spy (Key(serverK(Na,Nb,M))) \ set evs \ + evs \ tls; A \ bad; B \ bad\ + \ Says B Spy (Key(serverK(Na,Nb,M))) \ set evs \ Notes A \Agent B, Nonce PMS\ \ set evs \ X \ parts (spies evs) \ Says B A X \ set evs" apply (erule ssubst)+ @@ -827,8 +827,8 @@ that B sends his message to A. If CLIENT KEY EXCHANGE were augmented to bind A's identity with PMS, then we could replace A' by A below.\ lemma TrustServerMsg [rule_format]: - "[| M = PRF(PMS,NA,NB); evs \ tls; A \ bad; B \ bad |] - ==> Says B Spy (Key(serverK(Na,Nb,M))) \ set evs \ + "\M = PRF(PMS,NA,NB); evs \ tls; A \ bad; B \ bad\ + \ Says B Spy (Key(serverK(Na,Nb,M))) \ set evs \ Notes A \Agent B, Nonce PMS\ \ set evs \ Crypt (serverK(Na,Nb,M)) Y \ parts (spies evs) \ (\A'. Says B A' (Crypt (serverK(Na,Nb,M)) Y) \ set evs)" @@ -853,8 +853,8 @@ ClientFinished, then B can then check the quoted values PA, PB, etc.\ lemma TrustClientMsg [rule_format]: - "[| M = PRF(PMS,NA,NB); evs \ tls; A \ bad; B \ bad |] - ==> Says A Spy (Key(clientK(Na,Nb,M))) \ set evs \ + "\M = PRF(PMS,NA,NB); evs \ tls; A \ bad; B \ bad\ + \ Says A Spy (Key(clientK(Na,Nb,M))) \ set evs \ Notes A \Agent B, Nonce PMS\ \ set evs \ Crypt (clientK(Na,Nb,M)) Y \ parts (spies evs) \ Says A B (Crypt (clientK(Na,Nb,M)) Y) \ set evs" @@ -874,14 +874,14 @@ check a CertVerify from A, then A has used the quoted values PA, PB, etc. Even this one requires A to be uncompromised.\ lemma AuthClientFinished: - "[| M = PRF(PMS,NA,NB); + "\M = PRF(PMS,NA,NB); Says A Spy (Key(clientK(Na,Nb,M))) \ set evs; Says A' B (Crypt (clientK(Na,Nb,M)) Y) \ set evs; certificate A KA \ parts (spies evs); Says A'' B (Crypt (invKey KA) (Hash\nb, Agent B, Nonce PMS\)) \ set evs; - evs \ tls; A \ bad; B \ bad |] - ==> Says A B (Crypt (clientK(Na,Nb,M)) Y) \ set evs" + evs \ tls; A \ bad; B \ bad\ + \ Says A B (Crypt (clientK(Na,Nb,M)) Y) \ set evs" by (blast intro!: TrustClientMsg UseCertVerify) (*22/9/97: loads in 622s, which is 10 minutes 22 seconds*)