diff -r 8fb53badad99 -r cdea44c775fa src/HOL/SET_Protocol/Purchase.thy --- a/src/HOL/SET_Protocol/Purchase.thy Wed Dec 30 18:07:10 2015 +0100 +++ b/src/HOL/SET_Protocol/Purchase.thy Wed Dec 30 18:17:28 2015 +0100 @@ -86,38 +86,38 @@ "[|evsStart \ set_pur; Number LID_M \ used evsStart; C = Cardholder k; M = Merchant i; P = PG j; - Transaction = {|Agent M, Agent C, Number OrderDesc, Number PurchAmt|}; + Transaction = \Agent M, Agent C, Number OrderDesc, Number PurchAmt\; LID_M \ range CardSecret; LID_M \ range PANSecret |] - ==> Notes C {|Number LID_M, Transaction|} - # Notes M {|Number LID_M, Agent P, Transaction|} + ==> Notes C \Number LID_M, Transaction\ + # Notes M \Number LID_M, Agent P, Transaction\ # evsStart \ set_pur" | PInitReq: --{*Purchase initialization, page 72 of Formal Protocol Desc.*} "[|evsPIReq \ set_pur; - Transaction = {|Agent M, Agent C, Number OrderDesc, Number PurchAmt|}; + Transaction = \Agent M, Agent C, Number OrderDesc, Number PurchAmt\; Nonce Chall_C \ used evsPIReq; Chall_C \ range CardSecret; Chall_C \ range PANSecret; - Notes C {|Number LID_M, Transaction |} \ set evsPIReq |] - ==> Says C M {|Number LID_M, Nonce Chall_C|} # evsPIReq \ set_pur" + Notes C \Number LID_M, Transaction \ \ set evsPIReq |] + ==> Says C M \Number LID_M, Nonce Chall_C\ # evsPIReq \ set_pur" | PInitRes: --{*Merchant replies with his own label XID and the encryption key certificate of his chosen Payment Gateway. Page 74 of Formal Protocol Desc. We use @{text LID_M} to identify Cardholder*} "[|evsPIRes \ set_pur; - Gets M {|Number LID_M, Nonce Chall_C|} \ set evsPIRes; - Transaction = {|Agent M, Agent C, Number OrderDesc, Number PurchAmt|}; - Notes M {|Number LID_M, Agent P, Transaction|} \ set evsPIRes; + Gets M \Number LID_M, Nonce Chall_C\ \ set evsPIRes; + Transaction = \Agent M, Agent C, Number OrderDesc, Number PurchAmt\; + Notes M \Number LID_M, Agent P, Transaction\ \ set evsPIRes; Nonce Chall_M \ used evsPIRes; Chall_M \ range CardSecret; Chall_M \ range PANSecret; Number XID \ used evsPIRes; XID \ range CardSecret; XID \ range PANSecret|] ==> Says M C (sign (priSK M) - {|Number LID_M, Number XID, + \Number LID_M, Number XID, Nonce Chall_C, Nonce Chall_M, - cert P (pubEK P) onlyEnc (priSK RCA)|}) + cert P (pubEK P) onlyEnc (priSK RCA)\) # evsPIRes \ set_pur" | PReqUns: @@ -125,34 +125,34 @@ Page 79 of Formal Protocol Desc. Merchant never sees the amount in clear. This holds of the real protocol, where XID identifies the transaction. We omit - Hash{|Number XID, Nonce (CardSecret k)|} from PIHead because + \Hash\Number XID, Nonce (CardSecret k)\\ from PIHead because the CardSecret is 0 and because AuthReq treated the unsigned case very differently from the signed one anyway.*} "!!Chall_C Chall_M OrderDesc P PurchAmt XID evsPReqU. [|evsPReqU \ set_pur; C = Cardholder k; CardSecret k = 0; Key KC1 \ used evsPReqU; KC1 \ symKeys; - Transaction = {|Agent M, Agent C, Number OrderDesc, Number PurchAmt|}; - HOD = Hash{|Number OrderDesc, Number PurchAmt|}; - OIData = {|Number LID_M, Number XID, Nonce Chall_C, HOD,Nonce Chall_M|}; - PIHead = {|Number LID_M, Number XID, HOD, Number PurchAmt, Agent M|}; + Transaction = \Agent M, Agent C, Number OrderDesc, Number PurchAmt\; + HOD = Hash\Number OrderDesc, Number PurchAmt\; + OIData = \Number LID_M, Number XID, Nonce Chall_C, HOD,Nonce Chall_M\; + PIHead = \Number LID_M, Number XID, HOD, Number PurchAmt, Agent M\; Gets C (sign (priSK M) - {|Number LID_M, Number XID, + \Number LID_M, Number XID, Nonce Chall_C, Nonce Chall_M, - cert P EKj onlyEnc (priSK RCA)|}) + cert P EKj onlyEnc (priSK RCA)\) \ set evsPReqU; - Says C M {|Number LID_M, Nonce Chall_C|} \ set evsPReqU; - Notes C {|Number LID_M, Transaction|} \ set evsPReqU |] + Says C M \Number LID_M, Nonce Chall_C\ \ set evsPReqU; + Notes C \Number LID_M, Transaction\ \ set evsPReqU |] ==> Says C M - {|EXHcrypt KC1 EKj {|PIHead, Hash OIData|} (Pan (pan C)), - OIData, Hash{|PIHead, Pan (pan C)|} |} - # Notes C {|Key KC1, Agent M|} + \EXHcrypt KC1 EKj \PIHead, Hash OIData\ (Pan (pan C)), + OIData, Hash\PIHead, Pan (pan C)\ \ + # Notes C \Key KC1, Agent M\ # evsPReqU \ set_pur" | PReqS: --{*SIGNED Purchase request. Page 77 of Formal Protocol Desc. We could specify the equation - @{term "PIReqSigned = {| PIDualSigned, OIDualSigned |}"}, since the + @{term "PIReqSigned = \ PIDualSigned, OIDualSigned \"}, since the Formal Desc. gives PIHead the same format in the unsigned case. However, there's little point, as P treats the signed and unsigned cases differently.*} @@ -162,25 +162,25 @@ [|evsPReqS \ set_pur; C = Cardholder k; CardSecret k \ 0; Key KC2 \ used evsPReqS; KC2 \ symKeys; - Transaction = {|Agent M, Agent C, Number OrderDesc, Number PurchAmt|}; - HOD = Hash{|Number OrderDesc, Number PurchAmt|}; - OIData = {|Number LID_M, Number XID, Nonce Chall_C, HOD, Nonce Chall_M|}; - PIHead = {|Number LID_M, Number XID, HOD, Number PurchAmt, Agent M, - Hash{|Number XID, Nonce (CardSecret k)|}|}; - PANData = {|Pan (pan C), Nonce (PANSecret k)|}; - PIData = {|PIHead, PANData|}; - PIDualSigned = {|sign (priSK C) {|Hash PIData, Hash OIData|}, - EXcrypt KC2 EKj {|PIHead, Hash OIData|} PANData|}; - OIDualSigned = {|OIData, Hash PIData|}; + Transaction = \Agent M, Agent C, Number OrderDesc, Number PurchAmt\; + HOD = Hash\Number OrderDesc, Number PurchAmt\; + OIData = \Number LID_M, Number XID, Nonce Chall_C, HOD, Nonce Chall_M\; + PIHead = \Number LID_M, Number XID, HOD, Number PurchAmt, Agent M, + Hash\Number XID, Nonce (CardSecret k)\\; + PANData = \Pan (pan C), Nonce (PANSecret k)\; + PIData = \PIHead, PANData\; + PIDualSigned = \sign (priSK C) \Hash PIData, Hash OIData\, + EXcrypt KC2 EKj \PIHead, Hash OIData\ PANData\; + OIDualSigned = \OIData, Hash PIData\; Gets C (sign (priSK M) - {|Number LID_M, Number XID, + \Number LID_M, Number XID, Nonce Chall_C, Nonce Chall_M, - cert P EKj onlyEnc (priSK RCA)|}) + cert P EKj onlyEnc (priSK RCA)\) \ set evsPReqS; - Says C M {|Number LID_M, Nonce Chall_C|} \ set evsPReqS; - Notes C {|Number LID_M, Transaction|} \ set evsPReqS |] - ==> Says C M {|PIDualSigned, OIDualSigned|} - # Notes C {|Key KC2, Agent M|} + Says C M \Number LID_M, Nonce Chall_C\ \ set evsPReqS; + Notes C \Number LID_M, Transaction\ \ set evsPReqS |] + ==> Says C M \PIDualSigned, OIDualSigned\ + # Notes C \Key KC2, Agent M\ # evsPReqS \ set_pur" --{*Authorization Request. Page 92 of Formal Protocol Desc. @@ -188,22 +188,22 @@ | AuthReq: "[| evsAReq \ set_pur; Key KM \ used evsAReq; KM \ symKeys; - Transaction = {|Agent M, Agent C, Number OrderDesc, Number PurchAmt|}; - HOD = Hash{|Number OrderDesc, Number PurchAmt|}; - OIData = {|Number LID_M, Number XID, Nonce Chall_C, HOD, - Nonce Chall_M|}; + Transaction = \Agent M, Agent C, Number OrderDesc, Number PurchAmt\; + HOD = Hash\Number OrderDesc, Number PurchAmt\; + OIData = \Number LID_M, Number XID, Nonce Chall_C, HOD, + Nonce Chall_M\; CardSecret k \ 0 --> - P_I = {|sign (priSK C) {|HPIData, Hash OIData|}, encPANData|}; - Gets M {|P_I, OIData, HPIData|} \ set evsAReq; - Says M C (sign (priSK M) {|Number LID_M, Number XID, + P_I = \sign (priSK C) \HPIData, Hash OIData\, encPANData\; + Gets M \P_I, OIData, HPIData\ \ set evsAReq; + Says M C (sign (priSK M) \Number LID_M, Number XID, Nonce Chall_C, Nonce Chall_M, - cert P EKj onlyEnc (priSK RCA)|}) + cert P EKj onlyEnc (priSK RCA)\) \ set evsAReq; - Notes M {|Number LID_M, Agent P, Transaction|} + Notes M \Number LID_M, Agent P, Transaction\ \ set evsAReq |] ==> Says M P (EncB (priSK M) KM (pubEK P) - {|Number LID_M, Number XID, Hash OIData, HOD|} P_I) + \Number LID_M, Number XID, Hash OIData, HOD\ P_I) # evsAReq \ set_pur" --{*Authorization Response has two forms: for UNSIGNED and SIGNED PIs. @@ -220,14 +220,14 @@ C = Cardholder k; M = Merchant i; Key KP \ used evsAResU; KP \ symKeys; CardSecret k = 0; KC1 \ symKeys; KM \ symKeys; - PIHead = {|Number LID_M, Number XID, HOD, Number PurchAmt, Agent M|}; - P_I = EXHcrypt KC1 EKj {|PIHead, HOIData|} (Pan (pan C)); + PIHead = \Number LID_M, Number XID, HOD, Number PurchAmt, Agent M\; + P_I = EXHcrypt KC1 EKj \PIHead, HOIData\ (Pan (pan C)); Gets P (EncB (priSK M) KM (pubEK P) - {|Number LID_M, Number XID, HOIData, HOD|} P_I) + \Number LID_M, Number XID, HOIData, HOD\ P_I) \ set evsAResU |] ==> Says P M (EncB (priSK P) KP (pubEK M) - {|Number LID_M, Number XID, Number PurchAmt|} + \Number LID_M, Number XID, Number PurchAmt\ authCode) # evsAResU \ set_pur" @@ -237,41 +237,41 @@ C = Cardholder k; Key KP \ used evsAResS; KP \ symKeys; CardSecret k \ 0; KC2 \ symKeys; KM \ symKeys; - P_I = {|sign (priSK C) {|Hash PIData, HOIData|}, - EXcrypt KC2 (pubEK P) {|PIHead, HOIData|} PANData|}; - PANData = {|Pan (pan C), Nonce (PANSecret k)|}; - PIData = {|PIHead, PANData|}; - PIHead = {|Number LID_M, Number XID, HOD, Number PurchAmt, Agent M, - Hash{|Number XID, Nonce (CardSecret k)|}|}; + P_I = \sign (priSK C) \Hash PIData, HOIData\, + EXcrypt KC2 (pubEK P) \PIHead, HOIData\ PANData\; + PANData = \Pan (pan C), Nonce (PANSecret k)\; + PIData = \PIHead, PANData\; + PIHead = \Number LID_M, Number XID, HOD, Number PurchAmt, Agent M, + Hash\Number XID, Nonce (CardSecret k)\\; Gets P (EncB (priSK M) KM (pubEK P) - {|Number LID_M, Number XID, HOIData, HOD|} + \Number LID_M, Number XID, HOIData, HOD\ P_I) \ set evsAResS |] ==> Says P M (EncB (priSK P) KP (pubEK M) - {|Number LID_M, Number XID, Number PurchAmt|} + \Number LID_M, Number XID, Number PurchAmt\ authCode) # evsAResS \ set_pur" | PRes: --{*Purchase response.*} "[| evsPRes \ set_pur; KP \ symKeys; M = Merchant i; - Transaction = {|Agent M, Agent C, Number OrderDesc, Number PurchAmt|}; + Transaction = \Agent M, Agent C, Number OrderDesc, Number PurchAmt\; Gets M (EncB (priSK P) KP (pubEK M) - {|Number LID_M, Number XID, Number PurchAmt|} + \Number LID_M, Number XID, Number PurchAmt\ authCode) \ set evsPRes; - Gets M {|Number LID_M, Nonce Chall_C|} \ set evsPRes; + Gets M \Number LID_M, Nonce Chall_C\ \ set evsPRes; Says M P (EncB (priSK M) KM (pubEK P) - {|Number LID_M, Number XID, Hash OIData, HOD|} P_I) + \Number LID_M, Number XID, Hash OIData, HOD\ P_I) \ set evsPRes; - Notes M {|Number LID_M, Agent P, Transaction|} + Notes M \Number LID_M, Agent P, Transaction\ \ set evsPRes |] ==> Says M C - (sign (priSK M) {|Number LID_M, Number XID, Nonce Chall_C, - Hash (Number PurchAmt)|}) + (sign (priSK M) \Number LID_M, Number XID, Nonce Chall_C, + Hash (Number PurchAmt)\) # evsPRes \ set_pur" @@ -320,8 +320,8 @@ ==> \evs \ set_pur. Says M C (sign (priSK M) - {|Number LID_M, Number XID, Nonce Chall_C, - Hash (Number PurchAmt)|}) + \Number LID_M, Number XID, Nonce Chall_C, + Hash (Number PurchAmt)\) \ set evs" apply (intro exI bexI) apply (rule_tac [2] @@ -356,8 +356,8 @@ LID_M < XID; XID < OrderDesc; OrderDesc < PurchAmt |] ==> \evs \ set_pur. Says M C - (sign (priSK M) {|Number LID_M, Number XID, Nonce Chall_C, - Hash (Number PurchAmt)|}) + (sign (priSK M) \Number LID_M, Number XID, Nonce Chall_C, + Hash (Number PurchAmt)\) \ set evs" apply (intro exI bexI) apply (rule_tac [2] @@ -395,12 +395,12 @@ text{*Forwarding lemmas, to aid simplification*} lemma AuthReq_msg_in_parts_spies: - "[|Gets M {|P_I, OIData, HPIData|} \ set evs; + "[|Gets M \P_I, OIData, HPIData\ \ set evs; evs \ set_pur|] ==> P_I \ parts (knows Spy evs)" by auto lemma AuthReq_msg_in_analz_spies: - "[|Gets M {|P_I, OIData, HPIData|} \ set evs; + "[|Gets M \P_I, OIData, HPIData\ \ set evs; evs \ set_pur|] ==> P_I \ analz (knows Spy evs)" by (blast dest: Gets_imp_knows_Spy [THEN analz.Inj]) @@ -443,13 +443,13 @@ subsection{*Public Keys in Certificates are Correct*} lemma Crypt_valid_pubEK [dest!]: - "[| Crypt (priSK RCA) {|Agent C, Key EKi, onlyEnc|} + "[| Crypt (priSK RCA) \Agent C, Key EKi, onlyEnc\ \ parts (knows Spy evs); evs \ set_pur |] ==> EKi = pubEK C" by (erule rev_mp, erule set_pur.induct, auto) lemma Crypt_valid_pubSK [dest!]: - "[| Crypt (priSK RCA) {|Agent C, Key SKi, onlySig|} + "[| Crypt (priSK RCA) \Agent C, Key SKi, onlySig\ \ parts (knows Spy evs); evs \ set_pur |] ==> SKi = pubSK C" by (erule rev_mp, erule set_pur.induct, auto) @@ -466,15 +466,15 @@ by (unfold cert_def signCert_def, auto) lemma Says_certificate_valid [simp]: - "[| Says A B (sign SK {|lid, xid, cc, cm, - cert C EK onlyEnc (priSK RCA)|}) \ set evs; + "[| Says A B (sign SK \lid, xid, cc, cm, + cert C EK onlyEnc (priSK RCA)\) \ set evs; evs \ set_pur |] ==> EK = pubEK C" by (unfold sign_def, auto) lemma Gets_certificate_valid [simp]: - "[| Gets A (sign SK {|lid, xid, cc, cm, - cert C EK onlyEnc (priSK RCA)|}) \ set evs; + "[| Gets A (sign SK \lid, xid, cc, cm, + cert C EK onlyEnc (priSK RCA)\) \ set evs; evs \ set_pur |] ==> EK = pubEK C" by (frule Gets_imp_Says, auto) @@ -607,8 +607,8 @@ ==> (\V W X Y KC2 M. \P \ bad. Says (Cardholder k) M - {|{|W, EXcrypt KC2 (pubEK P) X {|Y, Nonce (PANSecret k)|}|}, - V|} \ set evs)" + \\W, EXcrypt KC2 (pubEK P) X \Y, Nonce (PANSecret k)\\, + V\ \ set evs)" apply (erule rev_mp) apply (erule set_pur.induct) apply (frule_tac [9] AuthReq_msg_in_analz_spies) @@ -679,7 +679,7 @@ "[| Pan (pan C) \ analz(knows Spy evs); C = Cardholder k; CardSecret k = 0; evs \ set_pur|] ==> \P M KC1 K X Y. - Says C M {|EXHcrypt KC1 (pubEK P) X (Pan (pan C)), Y|} + Says C M \EXHcrypt KC1 (pubEK P) X (Pan (pan C)), Y\ \ set evs & P \ bad" apply (erule rev_mp) @@ -703,9 +703,9 @@ "[|Pan (pan C) \ analz(knows Spy evs); C = Cardholder k; CardSecret k \ 0; evs \ set_pur|] ==> \P M KC2 PIDualSign_1 PIDualSign_2 other OIDualSign. - Says C M {|{|PIDualSign_1, - EXcrypt KC2 (pubEK P) PIDualSign_2 {|Pan (pan C), other|}|}, - OIDualSign|} \ set evs & P \ bad" + Says C M \\PIDualSign_1, + EXcrypt KC2 (pubEK P) PIDualSign_2 \Pan (pan C), other\\, + OIDualSign\ \ set evs & P \ bad" apply (erule rev_mp) apply (erule set_pur.induct) apply (frule_tac [9] AuthReq_msg_in_analz_spies) --{*AReq*} @@ -730,7 +730,7 @@ subsection{*Proofs Common to Signed and Unsigned Versions*} lemma M_Notes_PG: - "[|Notes M {|Number LID_M, Agent P, Agent M, Agent C, etc|} \ set evs; + "[|Notes M \Number LID_M, Agent P, Agent M, Agent C, etc\ \ set evs; evs \ set_pur|] ==> \j. P = PG j" by (erule rev_mp, erule set_pur.induct, simp_all) @@ -738,12 +738,12 @@ (Payment Gateway)*} lemma goodM_gives_correct_PG: "[| MsgPInitRes = - {|Number LID_M, xid, cc, cm, cert P EKj onlyEnc (priSK RCA)|}; + \Number LID_M, xid, cc, cm, cert P EKj onlyEnc (priSK RCA)\; Crypt (priSK M) (Hash MsgPInitRes) \ parts (knows Spy evs); evs \ set_pur; M \ bad |] ==> \j trans. P = PG j & - Notes M {|Number LID_M, Agent P, trans|} \ set evs" + Notes M \Number LID_M, Agent P, trans\ \ set evs" apply clarify apply (erule rev_mp) apply (erule set_pur.induct) @@ -753,23 +753,23 @@ done lemma C_gets_correct_PG: - "[| Gets A (sign (priSK M) {|Number LID_M, xid, cc, cm, - cert P EKj onlyEnc (priSK RCA)|}) \ set evs; + "[| Gets A (sign (priSK M) \Number LID_M, xid, cc, cm, + cert P EKj onlyEnc (priSK RCA)\) \ set evs; evs \ set_pur; M \ bad|] ==> \j trans. P = PG j & - Notes M {|Number LID_M, Agent P, trans|} \ set evs & + Notes M \Number LID_M, Agent P, trans\ \ set evs & EKj = pubEK P" by (rule refl [THEN goodM_gives_correct_PG, THEN exE], auto) text{*When C receives PInitRes, he learns M's choice of P*} lemma C_verifies_PInitRes: - "[| MsgPInitRes = {|Number LID_M, Number XID, Nonce Chall_C, Nonce Chall_M, - cert P EKj onlyEnc (priSK RCA)|}; + "[| MsgPInitRes = \Number LID_M, Number XID, Nonce Chall_C, Nonce Chall_M, + cert P EKj onlyEnc (priSK RCA)\; Crypt (priSK M) (Hash MsgPInitRes) \ parts (knows Spy evs); evs \ set_pur; M \ bad|] ==> \j trans. - Notes M {|Number LID_M, Agent P, trans|} \ set evs & + Notes M \Number LID_M, Agent P, trans\ \ set evs & P = PG j & EKj = pubEK P" apply clarify @@ -783,12 +783,12 @@ text{*Corollary of previous one*} lemma Says_C_PInitRes: "[|Says A C (sign (priSK M) - {|Number LID_M, Number XID, + \Number LID_M, Number XID, Nonce Chall_C, Nonce Chall_M, - cert P EKj onlyEnc (priSK RCA)|}) + cert P EKj onlyEnc (priSK RCA)\) \ set evs; M \ bad; evs \ set_pur|] ==> \j trans. - Notes M {|Number LID_M, Agent P, trans|} \ set evs & + Notes M \Number LID_M, Agent P, trans\ \ set evs & P = PG j & EKj = pubEK (PG j)" apply (frule Says_certificate_valid) @@ -800,13 +800,13 @@ text{*When P receives an AuthReq, he knows that the signed part originated with M. PIRes also has a signed message from M....*} lemma P_verifies_AuthReq: - "[| AuthReqData = {|Number LID_M, Number XID, HOIData, HOD|}; - Crypt (priSK M) (Hash {|AuthReqData, Hash P_I|}) + "[| AuthReqData = \Number LID_M, Number XID, HOIData, HOD\; + Crypt (priSK M) (Hash \AuthReqData, Hash P_I\) \ parts (knows Spy evs); evs \ set_pur; M \ bad|] ==> \j trans KM OIData HPIData. - Notes M {|Number LID_M, Agent (PG j), trans|} \ set evs & - Gets M {|P_I, OIData, HPIData|} \ set evs & + Notes M \Number LID_M, Agent (PG j), trans\ \ set evs & + Gets M \P_I, OIData, HPIData\ \ set evs & Says M (PG j) (EncB (priSK M) KM (pubEK (PG j)) AuthReqData P_I) \ set evs" apply clarify @@ -825,18 +825,18 @@ @{term "Crypt K (sign SK M)"} requires assuming @{term K} to be secure, since otherwise the Spy could create that message.*} theorem M_verifies_AuthRes: - "[| MsgAuthRes = {|{|Number LID_M, Number XID, Number PurchAmt|}, - Hash authCode|}; + "[| MsgAuthRes = \\Number LID_M, Number XID, Number PurchAmt\, + Hash authCode\; Crypt (priSK (PG j)) (Hash MsgAuthRes) \ parts (knows Spy evs); PG j \ bad; evs \ set_pur|] ==> \M KM KP HOIData HOD P_I. Gets (PG j) (EncB (priSK M) KM (pubEK (PG j)) - {|Number LID_M, Number XID, HOIData, HOD|} + \Number LID_M, Number XID, HOIData, HOD\ P_I) \ set evs & Says (PG j) M (EncB (priSK (PG j)) KP (pubEK M) - {|Number LID_M, Number XID, Number PurchAmt|} + \Number LID_M, Number XID, Number PurchAmt\ authCode) \ set evs" apply clarify apply (erule rev_mp) @@ -852,12 +852,12 @@ text{*What we can derive from the ASSUMPTION that C issued a purchase request. In the unsigned case, we must trust "C": there's no authentication.*} lemma C_determines_EKj: - "[| Says C M {|EXHcrypt KC1 EKj {|PIHead, Hash OIData|} (Pan (pan C)), - OIData, Hash{|PIHead, Pan (pan C)|} |} \ set evs; - PIHead = {|Number LID_M, Trans_details|}; + "[| Says C M \EXHcrypt KC1 EKj \PIHead, Hash OIData\ (Pan (pan C)), + OIData, Hash\PIHead, Pan (pan C)\ \ \ set evs; + PIHead = \Number LID_M, Trans_details\; evs \ set_pur; C = Cardholder k; M \ bad|] ==> \trans j. - Notes M {|Number LID_M, Agent (PG j), trans |} \ set evs & + Notes M \Number LID_M, Agent (PG j), trans \ \ set evs & EKj = pubEK (PG j)" apply clarify apply (erule rev_mp) @@ -870,11 +870,11 @@ text{*Unicity of @{term LID_M} between Merchant and Cardholder notes*} lemma unique_LID_M: - "[|Notes (Merchant i) {|Number LID_M, Agent P, Trans|} \ set evs; - Notes C {|Number LID_M, Agent M, Agent C, Number OD, - Number PA|} \ set evs; + "[|Notes (Merchant i) \Number LID_M, Agent P, Trans\ \ set evs; + Notes C \Number LID_M, Agent M, Agent C, Number OD, + Number PA\ \ set evs; evs \ set_pur|] - ==> M = Merchant i & Trans = {|Agent M, Agent C, Number OD, Number PA|}" + ==> M = Merchant i & Trans = \Agent M, Agent C, Number OD, Number PA\" apply (erule rev_mp) apply (erule rev_mp) apply (erule set_pur.induct, simp_all) @@ -883,8 +883,8 @@ text{*Unicity of @{term LID_M}, for two Merchant Notes events*} lemma unique_LID_M2: - "[|Notes M {|Number LID_M, Trans|} \ set evs; - Notes M {|Number LID_M, Trans'|} \ set evs; + "[|Notes M \Number LID_M, Trans\ \ set evs; + Notes M \Number LID_M, Trans'\ \ set evs; evs \ set_pur|] ==> Trans' = Trans" apply (erule rev_mp) apply (erule rev_mp) @@ -907,7 +907,7 @@ text{*Similar, with nested Hash*} lemma signed_Hash_imp_used: - "[| Crypt (priSK C) (Hash {|H, Hash X|}) \ parts (knows Spy evs); + "[| Crypt (priSK C) (Hash \H, Hash X\) \ parts (knows Spy evs); C \ bad; evs \ set_pur|] ==> parts {X} \ used evs" apply (erule rev_mp) apply (erule set_pur.induct) @@ -920,7 +920,7 @@ text{*Lemma needed below: for the case that if PRes is present, then @{text LID_M} has been used.*} lemma PRes_imp_LID_used: - "[| Crypt (priSK M) (Hash {|N, X|}) \ parts (knows Spy evs); + "[| Crypt (priSK M) (Hash \N, X\) \ parts (knows Spy evs); M \ bad; evs \ set_pur|] ==> N \ used evs" by (drule signed_imp_used, auto) @@ -928,16 +928,16 @@ He also knows that P is the same PG as before*} lemma C_verifies_PRes_lemma: "[| Crypt (priSK M) (Hash MsgPRes) \ parts (knows Spy evs); - Notes C {|Number LID_M, Trans |} \ set evs; - Trans = {| Agent M, Agent C, Number OrderDesc, Number PurchAmt |}; - MsgPRes = {|Number LID_M, Number XID, Nonce Chall_C, - Hash (Number PurchAmt)|}; + Notes C \Number LID_M, Trans \ \ set evs; + Trans = \ Agent M, Agent C, Number OrderDesc, Number PurchAmt \; + MsgPRes = \Number LID_M, Number XID, Nonce Chall_C, + Hash (Number PurchAmt)\; evs \ set_pur; M \ bad|] ==> \j KP. - Notes M {|Number LID_M, Agent (PG j), Trans |} + Notes M \Number LID_M, Agent (PG j), Trans \ \ set evs & Gets M (EncB (priSK (PG j)) KP (pubEK M) - {|Number LID_M, Number XID, Number PurchAmt|} + \Number LID_M, Number XID, Number PurchAmt\ authCode) \ set evs & Says M C (sign (priSK M) MsgPRes) \ set evs" @@ -958,16 +958,16 @@ Merchant, he knows that M sent it. He also knows that M received a message signed by a Payment Gateway chosen by M to authorize the purchase.*} theorem C_verifies_PRes: - "[| MsgPRes = {|Number LID_M, Number XID, Nonce Chall_C, - Hash (Number PurchAmt)|}; + "[| MsgPRes = \Number LID_M, Number XID, Nonce Chall_C, + Hash (Number PurchAmt)\; Gets C (sign (priSK M) MsgPRes) \ set evs; - Notes C {|Number LID_M, Agent M, Agent C, Number OrderDesc, - Number PurchAmt|} \ set evs; + Notes C \Number LID_M, Agent M, Agent C, Number OrderDesc, + Number PurchAmt\ \ set evs; evs \ set_pur; M \ bad|] ==> \P KP trans. - Notes M {|Number LID_M,Agent P, trans|} \ set evs & + Notes M \Number LID_M,Agent P, trans\ \ set evs & Gets M (EncB (priSK P) KP (pubEK M) - {|Number LID_M, Number XID, Number PurchAmt|} + \Number LID_M, Number XID, Number PurchAmt\ authCode) \ set evs & Says M C (sign (priSK M) MsgPRes) \ set evs" apply (rule C_verifies_PRes_lemma [THEN exE]) @@ -979,17 +979,17 @@ text{*Some Useful Lemmas: the cardholder knows what he is doing*} lemma Crypt_imp_Says_Cardholder: - "[| Crypt K {|{|{|Number LID_M, others|}, Hash OIData|}, Hash PANData|} + "[| Crypt K \\\Number LID_M, others\, Hash OIData\, Hash PANData\ \ parts (knows Spy evs); - PANData = {|Pan (pan (Cardholder k)), Nonce (PANSecret k)|}; + PANData = \Pan (pan (Cardholder k)), Nonce (PANSecret k)\; Key K \ analz (knows Spy evs); evs \ set_pur|] ==> \M shash EK HPIData. - Says (Cardholder k) M {|{|shash, + Says (Cardholder k) M \\shash, Crypt K - {|{|{|Number LID_M, others|}, Hash OIData|}, Hash PANData|}, - Crypt EK {|Key K, PANData|}|}, - OIData, HPIData|} \ set evs" + \\\Number LID_M, others\, Hash OIData\, Hash PANData\, + Crypt EK \Key K, PANData\\, + OIData, HPIData\ \ set evs" apply (erule rev_mp) apply (erule rev_mp) apply (erule rev_mp) @@ -1000,15 +1000,15 @@ done lemma Says_PReqS_imp_trans_details_C: - "[| MsgPReqS = {|{|shash, + "[| MsgPReqS = \\shash, Crypt K - {|{|{|Number LID_M, PIrest|}, Hash OIData|}, hashpd|}, - cryptek|}, data|}; + \\\Number LID_M, PIrest\, Hash OIData\, hashpd\, + cryptek\, data\; Says (Cardholder k) M MsgPReqS \ set evs; evs \ set_pur |] ==> \trans. Notes (Cardholder k) - {|Number LID_M, Agent M, Agent (Cardholder k), trans|} + \Number LID_M, Agent M, Agent (Cardholder k), trans\ \ set evs" apply (erule rev_mp) apply (erule rev_mp) @@ -1020,7 +1020,7 @@ text{*Can't happen: only Merchants create this type of Note*} lemma Notes_Cardholder_self_False: "[|Notes (Cardholder k) - {|Number n, Agent P, Agent (Cardholder k), Agent C, etc|} \ set evs; + \Number n, Agent P, Agent (Cardholder k), Agent C, etc\ \ set evs; evs \ set_pur|] ==> False" by (erule rev_mp, erule set_pur.induct, auto) @@ -1028,14 +1028,14 @@ Using XID he knows it was intended for him. This guarantee isn't useful to P, who never gets OIData.*} theorem M_verifies_Signed_PReq: - "[| MsgDualSign = {|HPIData, Hash OIData|}; - OIData = {|Number LID_M, etc|}; + "[| MsgDualSign = \HPIData, Hash OIData\; + OIData = \Number LID_M, etc\; Crypt (priSK C) (Hash MsgDualSign) \ parts (knows Spy evs); - Notes M {|Number LID_M, Agent P, extras|} \ set evs; + Notes M \Number LID_M, Agent P, extras\ \ set evs; M = Merchant i; C = Cardholder k; C \ bad; evs \ set_pur|] ==> \PIData PICrypt. HPIData = Hash PIData & - Says C M {|{|sign (priSK C) MsgDualSign, PICrypt|}, OIData, Hash PIData|} + Says C M \\sign (priSK C) MsgDualSign, PICrypt\, OIData, Hash PIData\ \ set evs" apply clarify apply (erule rev_mp) @@ -1054,20 +1054,20 @@ PIData. I don't see how to link @{term "PG j"} and @{text LID_M} without assuming @{term "M \ bad"}.*} theorem P_verifies_Signed_PReq: - "[| MsgDualSign = {|Hash PIData, HOIData|}; - PIData = {|PIHead, PANData|}; - PIHead = {|Number LID_M, Number XID, HOD, Number PurchAmt, Agent M, - TransStain|}; + "[| MsgDualSign = \Hash PIData, HOIData\; + PIData = \PIHead, PANData\; + PIHead = \Number LID_M, Number XID, HOD, Number PurchAmt, Agent M, + TransStain\; Crypt (priSK C) (Hash MsgDualSign) \ parts (knows Spy evs); evs \ set_pur; C \ bad; M \ bad|] ==> \OIData OrderDesc K j trans. - HOD = Hash{|Number OrderDesc, Number PurchAmt|} & + HOD = Hash\Number OrderDesc, Number PurchAmt\ & HOIData = Hash OIData & - Notes M {|Number LID_M, Agent (PG j), trans|} \ set evs & - Says C M {|{|sign (priSK C) MsgDualSign, + Notes M \Number LID_M, Agent (PG j), trans\ \ set evs & + Says C M \\sign (priSK C) MsgDualSign, EXcrypt K (pubEK (PG j)) - {|PIHead, Hash OIData|} PANData|}, - OIData, Hash PIData|} + \PIHead, Hash OIData\ PANData\, + OIData, Hash PIData\ \ set evs" apply clarify apply (erule rev_mp) @@ -1076,12 +1076,12 @@ done lemma C_determines_EKj_signed: - "[| Says C M {|{|sign (priSK C) text, - EXcrypt K EKj {|PIHead, X|} Y|}, Z|} \ set evs; - PIHead = {|Number LID_M, Number XID, W|}; + "[| Says C M \\sign (priSK C) text, + EXcrypt K EKj \PIHead, X\ Y\, Z\ \ set evs; + PIHead = \Number LID_M, Number XID, W\; C = Cardholder k; evs \ set_pur; M \ bad|] ==> \ trans j. - Notes M {|Number LID_M, Agent (PG j), trans|} \ set evs & + Notes M \Number LID_M, Agent (PG j), trans\ \ set evs & EKj = pubEK (PG j)" apply clarify apply (erule rev_mp) @@ -1090,11 +1090,11 @@ done lemma M_Says_AuthReq: - "[| AuthReqData = {|Number LID_M, Number XID, HOIData, HOD|}; - sign (priSK M) {|AuthReqData, Hash P_I|} \ parts (knows Spy evs); + "[| AuthReqData = \Number LID_M, Number XID, HOIData, HOD\; + sign (priSK M) \AuthReqData, Hash P_I\ \ parts (knows Spy evs); evs \ set_pur; M \ bad|] ==> \j trans KM. - Notes M {|Number LID_M, Agent (PG j), trans |} \ set evs & + Notes M \Number LID_M, Agent (PG j), trans \ \ set evs & Says M (PG j) (EncB (priSK M) KM (pubEK (PG j)) AuthReqData P_I) \ set evs" @@ -1106,17 +1106,17 @@ Even here we cannot be certain about what C sent to M, since a bad PG could have replaced the two key fields. (NOT USED)*} lemma Signed_PReq_imp_Says_Cardholder: - "[| MsgDualSign = {|Hash PIData, Hash OIData|}; - OIData = {|Number LID_M, Number XID, Nonce Chall_C, HOD, etc|}; - PIHead = {|Number LID_M, Number XID, HOD, Number PurchAmt, Agent M, - TransStain|}; - PIData = {|PIHead, PANData|}; + "[| MsgDualSign = \Hash PIData, Hash OIData\; + OIData = \Number LID_M, Number XID, Nonce Chall_C, HOD, etc\; + PIHead = \Number LID_M, Number XID, HOD, Number PurchAmt, Agent M, + TransStain\; + PIData = \PIHead, PANData\; Crypt (priSK C) (Hash MsgDualSign) \ parts (knows Spy evs); M = Merchant i; C = Cardholder k; C \ bad; evs \ set_pur|] ==> \KC EKj. - Says C M {|{|sign (priSK C) MsgDualSign, - EXcrypt KC EKj {|PIHead, Hash OIData|} PANData|}, - OIData, Hash PIData|} + Says C M \\sign (priSK C) MsgDualSign, + EXcrypt KC EKj \PIHead, Hash OIData\ PANData\, + OIData, Hash PIData\ \ set evs" apply clarify apply hypsubst_thin @@ -1128,7 +1128,7 @@ text{*When P receives an AuthReq and a dual signature, he knows that C and M agree on the essential details. PurchAmt however is never sent by M to P; instead C and M both send - @{term "HOD = Hash{|Number OrderDesc, Number PurchAmt|}"} + @{term "HOD = Hash\Number OrderDesc, Number PurchAmt\"} and P compares the two copies of HOD. Agreement can't be proved for some things, including the symmetric keys @@ -1137,30 +1137,30 @@ the EXcrypt involves the correct PG's key. *} theorem P_sees_CM_agreement: - "[| AuthReqData = {|Number LID_M, Number XID, HOIData, HOD|}; + "[| AuthReqData = \Number LID_M, Number XID, HOIData, HOD\; KC \ symKeys; Gets (PG j) (EncB (priSK M) KM (pubEK (PG j)) AuthReqData P_I) \ set evs; C = Cardholder k; - PI_sign = sign (priSK C) {|Hash PIData, HOIData|}; - P_I = {|PI_sign, - EXcrypt KC (pubEK (PG j)) {|PIHead, HOIData|} PANData|}; - PANData = {|Pan (pan C), Nonce (PANSecret k)|}; - PIData = {|PIHead, PANData|}; - PIHead = {|Number LID_M, Number XID, HOD, Number PurchAmt, Agent M, - TransStain|}; + PI_sign = sign (priSK C) \Hash PIData, HOIData\; + P_I = \PI_sign, + EXcrypt KC (pubEK (PG j)) \PIHead, HOIData\ PANData\; + PANData = \Pan (pan C), Nonce (PANSecret k)\; + PIData = \PIHead, PANData\; + PIHead = \Number LID_M, Number XID, HOD, Number PurchAmt, Agent M, + TransStain\; evs \ set_pur; C \ bad; M \ bad|] ==> \OIData OrderDesc KM' trans j' KC' KC'' P_I' P_I''. - HOD = Hash{|Number OrderDesc, Number PurchAmt|} & + HOD = Hash\Number OrderDesc, Number PurchAmt\ & HOIData = Hash OIData & - Notes M {|Number LID_M, Agent (PG j'), trans|} \ set evs & - Says C M {|P_I', OIData, Hash PIData|} \ set evs & + Notes M \Number LID_M, Agent (PG j'), trans\ \ set evs & + Says C M \P_I', OIData, Hash PIData\ \ set evs & Says M (PG j') (EncB (priSK M) KM' (pubEK (PG j')) AuthReqData P_I'') \ set evs & - P_I' = {|PI_sign, - EXcrypt KC' (pubEK (PG j')) {|PIHead, Hash OIData|} PANData|} & - P_I'' = {|PI_sign, - EXcrypt KC'' (pubEK (PG j)) {|PIHead, Hash OIData|} PANData|}" + P_I' = \PI_sign, + EXcrypt KC' (pubEK (PG j')) \PIHead, Hash OIData\ PANData\ & + P_I'' = \PI_sign, + EXcrypt KC'' (pubEK (PG j)) \PIHead, Hash OIData\ PANData\" apply clarify apply (rule exE) apply (rule P_verifies_Signed_PReq [OF refl refl refl])