# HG changeset patch # User wenzelm # Date 1451340813 -3600 # Node ID 38b73f7940af1764e1aa3e42e54ee8033fdea9dc # Parent e96292f32c3cfae42a5941dabdb21d2ae4d25a6c more symbols; diff -r e96292f32c3c -r 38b73f7940af src/HOL/Auth/CertifiedEmail.thy --- a/src/HOL/Auth/CertifiedEmail.thy Mon Dec 28 21:47:32 2015 +0100 +++ b/src/HOL/Auth/CertifiedEmail.thy Mon Dec 28 23:13:33 2015 +0100 @@ -25,7 +25,7 @@ text\We formalize a fixed way of computing responses. Could be better.\ definition "response" :: "agent => agent => nat => msg" where - "response S R q == Hash {|Agent S, Key (shrK R), Nonce q|}" + "response S R q == Hash \Agent S, Key (shrK R), Nonce q\" inductive_set certified_mail :: "event list set" @@ -42,28 +42,28 @@ | FakeSSL: \\The Spy may open SSL sessions with TTP, who is the only agent equipped with the necessary credentials to serve as an SSL server.\ "[| evsfssl \ certified_mail; X \ synth(analz(spies evsfssl))|] - ==> Notes TTP {|Agent Spy, Agent TTP, X|} # evsfssl \ certified_mail" + ==> Notes TTP \Agent Spy, Agent TTP, X\ # evsfssl \ certified_mail" | CM1: \\The sender approaches the recipient. The message is a number.\ "[|evs1 \ certified_mail; Key K \ used evs1; K \ symKeys; Nonce q \ used evs1; - hs = Hash{|Number cleartext, Nonce q, response S R q, Crypt K (Number m)|}; - S2TTP = Crypt(pubEK TTP) {|Agent S, Number BothAuth, Key K, Agent R, hs|}|] - ==> Says S R {|Agent S, Agent TTP, Crypt K (Number m), Number BothAuth, - Number cleartext, Nonce q, S2TTP|} # evs1 + hs = Hash\Number cleartext, Nonce q, response S R q, Crypt K (Number m)\; + S2TTP = Crypt(pubEK TTP) \Agent S, Number BothAuth, Key K, Agent R, hs\|] + ==> Says S R \Agent S, Agent TTP, Crypt K (Number m), Number BothAuth, + Number cleartext, Nonce q, S2TTP\ # evs1 \ certified_mail" | CM2: \\The recipient records @{term S2TTP} while transmitting it and her password to @{term TTP} over an SSL channel.\ "[|evs2 \ certified_mail; - Gets R {|Agent S, Agent TTP, em, Number BothAuth, Number cleartext, - Nonce q, S2TTP|} \ set evs2; + Gets R \Agent S, Agent TTP, em, Number BothAuth, Number cleartext, + Nonce q, S2TTP\ \ set evs2; TTP \ R; - hr = Hash {|Number cleartext, Nonce q, response S R q, em|} |] + hr = Hash \Number cleartext, Nonce q, response S R q, em\ |] ==> - Notes TTP {|Agent R, Agent TTP, S2TTP, Key(RPwd R), hr|} # evs2 + Notes TTP \Agent R, Agent TTP, S2TTP, Key(RPwd R), hr\ # evs2 \ certified_mail" | CM3: \\@{term TTP} simultaneously reveals the key to the recipient and gives @@ -72,12 +72,12 @@ if the given password is that of the claimed sender, @{term R}. He replies over the established SSL channel.\ "[|evs3 \ certified_mail; - Notes TTP {|Agent R, Agent TTP, S2TTP, Key(RPwd R), hr|} \ set evs3; + Notes TTP \Agent R, Agent TTP, S2TTP, Key(RPwd R), hr\ \ set evs3; S2TTP = Crypt (pubEK TTP) - {|Agent S, Number BothAuth, Key k, Agent R, hs|}; + \Agent S, Number BothAuth, Key k, Agent R, hs\; TTP \ R; hs = hr; k \ symKeys|] ==> - Notes R {|Agent TTP, Agent R, Key k, hr|} # + Notes R \Agent TTP, Agent R, Key k, hr\ # Gets S (Crypt (priSK TTP) S2TTP) # Says TTP S (Crypt (priSK TTP) S2TTP) # evs3 \ certified_mail" @@ -116,8 +116,8 @@ done lemma CM2_S2TTP_analz_knows_Spy: - "[|Gets R {|Agent A, Agent B, em, Number AO, Number cleartext, - Nonce q, S2TTP|} \ set evs; + "[|Gets R \Agent A, Agent B, em, Number AO, Number cleartext, + Nonce q, S2TTP\ \ set evs; evs \ certified_mail|] ==> S2TTP \ analz(spies evs)" apply (drule Gets_imp_Says, simp) @@ -130,9 +130,9 @@ lemma hr_form_lemma [rule_format]: "evs \ certified_mail ==> hr \ synth (analz (spies evs)) --> - (\S2TTP. Notes TTP {|Agent R, Agent TTP, S2TTP, pwd, hr|} + (\S2TTP. Notes TTP \Agent R, Agent TTP, S2TTP, pwd, hr\ \ set evs --> - (\clt q S em. hr = Hash {|Number clt, Nonce q, response S R q, em|}))" + (\clt q S em. hr = Hash \Number clt, Nonce q, response S R q, em\))" apply (erule certified_mail.induct) apply (synth_analz_mono_contra, simp_all, blast+) done @@ -141,10 +141,10 @@ the fakessl rule allows Spy to spoof the sender's name. Maybe can strengthen the second disjunct with @{term "R\Spy"}.\ lemma hr_form: - "[|Notes TTP {|Agent R, Agent TTP, S2TTP, pwd, hr|} \ set evs; + "[|Notes TTP \Agent R, Agent TTP, S2TTP, pwd, hr\ \ set evs; evs \ certified_mail|] ==> hr \ synth (analz (spies evs)) | - (\clt q S em. hr = Hash {|Number clt, Nonce q, response S R q, em|})" + (\clt q S em. hr = Hash \Number clt, Nonce q, response S R q, em\)" by (blast intro: hr_form_lemma) lemma Spy_dont_know_private_keys [dest!]: @@ -184,9 +184,9 @@ lemma CM3_k_parts_knows_Spy: "[| evs \ certified_mail; - Notes TTP {|Agent A, Agent TTP, - Crypt (pubEK TTP) {|Agent S, Number AO, Key K, - Agent R, hs|}, Key (RPwd R), hs|} \ set evs|] + Notes TTP \Agent A, Agent TTP, + Crypt (pubEK TTP) \Agent S, Number AO, Key K, + Agent R, hs\, Key (RPwd R), hs\ \ set evs|] ==> Key K \ parts(spies evs)" apply (rotate_tac 1) apply (erule rev_mp) @@ -273,7 +273,7 @@ provided @{term K} is secure. Proof is surprisingly hard.\ lemma Notes_SSL_imp_used: - "[|Notes B {|Agent A, Agent B, X|} \ set evs|] ==> X \ used evs" + "[|Notes B \Agent A, Agent B, X\ \ set evs|] ==> X \ used evs" by (blast dest!: Notes_imp_used) @@ -283,14 +283,14 @@ "evs \ certified_mail ==> Key K \ analz (spies evs) --> (\AO. Crypt (pubEK TTP) - {|Agent S, Number AO, Key K, Agent R, hs|} \ used evs --> + \Agent S, Number AO, Key K, Agent R, hs\ \ used evs --> (\m ctxt q. - hs = Hash{|Number ctxt, Nonce q, response S R q, Crypt K (Number m)|} & + hs = Hash\Number ctxt, Nonce q, response S R q, Crypt K (Number m)\ & Says S R - {|Agent S, Agent TTP, Crypt K (Number m), Number AO, + \Agent S, Agent TTP, Crypt K (Number m), Number AO, Number ctxt, Nonce q, Crypt (pubEK TTP) - {|Agent S, Number AO, Key K, Agent R, hs |}|} \ set evs))" + \Agent S, Number AO, Key K, Agent R, hs \\ \ set evs))" apply (erule certified_mail.induct, analz_mono_contra) apply (drule_tac [5] CM2_S2TTP_parts_knows_Spy, simp) apply (simp add: used_Nil Crypt_notin_initState, simp_all) @@ -310,16 +310,16 @@ done lemma S2TTP_sender: - "[|Crypt (pubEK TTP) {|Agent S, Number AO, Key K, Agent R, hs|} \ used evs; + "[|Crypt (pubEK TTP) \Agent S, Number AO, Key K, Agent R, hs\ \ used evs; Key K \ analz (spies evs); evs \ certified_mail|] ==> \m ctxt q. - hs = Hash{|Number ctxt, Nonce q, response S R q, Crypt K (Number m)|} & + hs = Hash\Number ctxt, Nonce q, response S R q, Crypt K (Number m)\ & Says S R - {|Agent S, Agent TTP, Crypt K (Number m), Number AO, + \Agent S, Agent TTP, Crypt K (Number m), Number AO, Number ctxt, Nonce q, Crypt (pubEK TTP) - {|Agent S, Number AO, Key K, Agent R, hs |}|} \ set evs" + \Agent S, Number AO, Key K, Agent R, hs\\ \ set evs" by (blast intro: S2TTP_sender_lemma) @@ -348,15 +348,15 @@ Key K \ analz (spies evs) --> (\m cleartext q hs. Says S R - {|Agent S, Agent TTP, Crypt K (Number m), Number AO, + \Agent S, Agent TTP, Crypt K (Number m), Number AO, Number cleartext, Nonce q, - Crypt (pubEK TTP) {|Agent S, Number AO, Key K, Agent R, hs|}|} + Crypt (pubEK TTP) \Agent S, Number AO, Key K, Agent R, hs\\ \ set evs --> (\m' cleartext' q' hs'. Says S' R' - {|Agent S', Agent TTP, Crypt K (Number m'), Number AO', + \Agent S', Agent TTP, Crypt K (Number m'), Number AO', Number cleartext', Nonce q', - Crypt (pubEK TTP) {|Agent S', Number AO', Key K, Agent R', hs'|}|} + Crypt (pubEK TTP) \Agent S', Number AO', Key K, Agent R', hs'\\ \ set evs --> R' = R & S' = S & AO' = AO & hs' = hs))" apply (erule certified_mail.induct, analz_mono_contra, simp_all) prefer 2 @@ -369,14 +369,14 @@ text\The key determines the sender, recipient and protocol options.\ lemma Key_unique: "[|Says S R - {|Agent S, Agent TTP, Crypt K (Number m), Number AO, + \Agent S, Agent TTP, Crypt K (Number m), Number AO, Number cleartext, Nonce q, - Crypt (pubEK TTP) {|Agent S, Number AO, Key K, Agent R, hs|}|} + Crypt (pubEK TTP) \Agent S, Number AO, Key K, Agent R, hs\\ \ set evs; Says S' R' - {|Agent S', Agent TTP, Crypt K (Number m'), Number AO', + \Agent S', Agent TTP, Crypt K (Number m'), Number AO', Number cleartext', Nonce q', - Crypt (pubEK TTP) {|Agent S', Number AO', Key K, Agent R', hs'|}|} + Crypt (pubEK TTP) \Agent S', Number AO', Key K, Agent R', hs'\\ \ set evs; Key K \ analz (spies evs); evs \ certified_mail|] @@ -390,9 +390,9 @@ If Spy gets the key then @{term R} is bad and @{term S} moreover gets his return receipt (and therefore has no grounds for complaint).\ theorem S_fairness_bad_R: - "[|Says S R {|Agent S, Agent TTP, Crypt K (Number m), Number AO, - Number cleartext, Nonce q, S2TTP|} \ set evs; - S2TTP = Crypt (pubEK TTP) {|Agent S, Number AO, Key K, Agent R, hs|}; + "[|Says S R \Agent S, Agent TTP, Crypt K (Number m), Number AO, + Number cleartext, Nonce q, S2TTP\ \ set evs; + S2TTP = Crypt (pubEK TTP) \Agent S, Number AO, Key K, Agent R, hs\; Key K \ analz (spies evs); evs \ certified_mail; S\Spy|] @@ -418,9 +418,9 @@ text\Confidentially for the symmetric key\ theorem Spy_not_see_encrypted_key: - "[|Says S R {|Agent S, Agent TTP, Crypt K (Number m), Number AO, - Number cleartext, Nonce q, S2TTP|} \ set evs; - S2TTP = Crypt (pubEK TTP) {|Agent S, Number AO, Key K, Agent R, hs|}; + "[|Says S R \Agent S, Agent TTP, Crypt K (Number m), Number AO, + Number cleartext, Nonce q, S2TTP\ \ set evs; + S2TTP = Crypt (pubEK TTP) \Agent S, Number AO, Key K, Agent R, hs\; evs \ certified_mail; S\Spy; R \ bad|] ==> Key K \ analz(spies evs)" @@ -430,10 +430,10 @@ text\Agent @{term R}, who may be the Spy, doesn't receive the key until @{term S} has access to the return receipt.\ theorem S_guarantee: - "[|Says S R {|Agent S, Agent TTP, Crypt K (Number m), Number AO, - Number cleartext, Nonce q, S2TTP|} \ set evs; - S2TTP = Crypt (pubEK TTP) {|Agent S, Number AO, Key K, Agent R, hs|}; - Notes R {|Agent TTP, Agent R, Key K, hs|} \ set evs; + "[|Says S R \Agent S, Agent TTP, Crypt K (Number m), Number AO, + Number cleartext, Nonce q, S2TTP\ \ set evs; + S2TTP = Crypt (pubEK TTP) \Agent S, Number AO, Key K, Agent R, hs\; + Notes R \Agent TTP, Agent R, Key K, hs\ \ set evs; S\Spy; evs \ certified_mail|] ==> Gets S (Crypt (priSK TTP) S2TTP) \ set evs" apply (erule rev_mp) @@ -453,11 +453,11 @@ theorem RR_validity: "[|Crypt (priSK TTP) S2TTP \ used evs; S2TTP = Crypt (pubEK TTP) - {|Agent S, Number AO, Key K, Agent R, - Hash {|Number cleartext, Nonce q, r, em|}|}; - hr = Hash {|Number cleartext, Nonce q, r, em|}; + \Agent S, Number AO, Key K, Agent R, + Hash \Number cleartext, Nonce q, r, em\\; + hr = Hash \Number cleartext, Nonce q, r, em\; R\Spy; evs \ certified_mail|] - ==> Notes R {|Agent TTP, Agent R, Key K, hr|} \ set evs" + ==> Notes R \Agent TTP, Agent R, Key K, hr\ \ set evs" apply (erule rev_mp) apply (erule ssubst) apply (erule ssubst) diff -r e96292f32c3c -r 38b73f7940af src/HOL/Auth/Guard/Analz.thy --- a/src/HOL/Auth/Guard/Analz.thy Mon Dec 28 21:47:32 2015 +0100 +++ b/src/HOL/Auth/Guard/Analz.thy Mon Dec 28 23:13:33 2015 +0100 @@ -17,8 +17,8 @@ for H :: "msg set" where Inj [intro]: "[| X:H; is_MPair X |] ==> X:pparts H" -| Fst [dest]: "[| {|X,Y|}:pparts H; is_MPair X |] ==> X:pparts H" -| Snd [dest]: "[| {|X,Y|}:pparts H; is_MPair Y |] ==> Y:pparts H" +| Fst [dest]: "[| \X,Y\:pparts H; is_MPair X |] ==> X:pparts H" +| Snd [dest]: "[| \X,Y\:pparts H; is_MPair Y |] ==> Y:pparts H" subsection\basic facts about @{term pparts}\ @@ -53,8 +53,8 @@ = pparts {X} Un pparts {Y} Un pparts H" by (rule eq, (erule pparts.induct, auto)+) -lemma pparts_insert_MPair [iff]: "pparts (insert {|X,Y|} H) -= insert {|X,Y|} (pparts ({X,Y} Un H))" +lemma pparts_insert_MPair [iff]: "pparts (insert \X,Y\ H) += insert \X,Y\ (pparts ({X,Y} \ H))" apply (rule eq, (erule pparts.induct, auto)+) apply (rule_tac Y=Y in pparts.Fst, auto) apply (erule pparts.induct, auto) @@ -119,8 +119,8 @@ for H :: "msg set" where Inj [intro]: "[| X:H; not_MPair X |] ==> X:kparts H" -| Fst [intro]: "[| {|X,Y|}:pparts H; not_MPair X |] ==> X:kparts H" -| Snd [intro]: "[| {|X,Y|}:pparts H; not_MPair Y |] ==> Y:kparts H" +| Fst [intro]: "[| \X,Y\ \ pparts H; not_MPair X |] ==> X:kparts H" +| Snd [intro]: "[| \X,Y\ \ pparts H; not_MPair Y |] ==> Y:kparts H" subsection\basic facts about @{term kparts}\ @@ -137,8 +137,8 @@ = kparts {X} Un kparts {Y} Un kparts H" by (rule eq, (erule kparts.induct, auto)+) -lemma kparts_insert_MPair [iff]: "kparts (insert {|X,Y|} H) -= kparts ({X,Y} Un H)" +lemma kparts_insert_MPair [iff]: "kparts (insert \X,Y\ H) += kparts ({X,Y} \ H)" by (rule eq, (erule kparts.induct, auto)+) lemma kparts_insert_Nonce [iff]: "kparts (insert (Nonce n) H) diff -r e96292f32c3c -r 38b73f7940af src/HOL/Auth/Guard/Extensions.thy --- a/src/HOL/Auth/Guard/Extensions.thy Mon Dec 28 21:47:32 2015 +0100 +++ b/src/HOL/Auth/Guard/Extensions.thy Mon Dec 28 23:13:33 2015 +0100 @@ -51,11 +51,11 @@ subsubsection\messages that are pairs\ definition is_MPair :: "msg => bool" where -"is_MPair X == EX Y Z. X = {|Y,Z|}" +"is_MPair X == EX Y Z. X = \Y,Z\" declare is_MPair_def [simp] -lemma MPair_is_MPair [iff]: "is_MPair {|X,Y|}" +lemma MPair_is_MPair [iff]: "is_MPair \X,Y\" by simp lemma Agent_isnt_MPair [iff]: "~ is_MPair (Agent A)" @@ -86,7 +86,7 @@ declare is_MPair_def [simp del] definition has_no_pair :: "msg set => bool" where -"has_no_pair H == ALL X Y. {|X,Y|} ~:H" +"has_no_pair H == ALL X Y. \X,Y\ \ H" declare has_no_pair_def [simp] @@ -218,7 +218,7 @@ fun greatest_msg :: "msg => nat" where "greatest_msg (Nonce n) = n" -| "greatest_msg {|X,Y|} = max (greatest_msg X) (greatest_msg Y)" +| "greatest_msg \X,Y\ = max (greatest_msg X) (greatest_msg Y)" | "greatest_msg (Crypt K X) = greatest_msg X" | "greatest_msg other = 0" @@ -233,7 +233,7 @@ lemma keyset_in [dest]: "[| keyset G; X:G |] ==> EX K. X = Key K" by (auto simp: keyset_def) -lemma MPair_notin_keyset [simp]: "keyset G ==> {|X,Y|} ~:G" +lemma MPair_notin_keyset [simp]: "keyset G ==> \X,Y\ \ G" by auto lemma Crypt_notin_keyset [simp]: "keyset G ==> Crypt K X ~:G" @@ -332,7 +332,7 @@ subsubsection\lemma on knows\ -lemma Says_imp_spies2: "Says A B {|X,Y|}:set evs ==> Y:parts (spies evs)" +lemma Says_imp_spies2: "Says A B \X,Y\ \ set evs ==> Y \ parts (spies evs)" by (drule Says_imp_spies, drule parts.Inj, drule parts.Snd, simp) lemma Says_not_parts: "[| Says A B X:set evs; Y ~:parts (spies evs) |] diff -r e96292f32c3c -r 38b73f7940af src/HOL/Auth/Guard/Guard.thy --- a/src/HOL/Auth/Guard/Guard.thy Mon Dec 28 21:47:32 2015 +0100 +++ b/src/HOL/Auth/Guard/Guard.thy Mon Dec 28 23:13:33 2015 +0100 @@ -19,7 +19,7 @@ No_Nonce [intro]: "Nonce n ~:parts {X} ==> X:guard n Ks" | Guard_Nonce [intro]: "invKey K:Ks ==> Crypt K X:guard n Ks" | Crypt [intro]: "X:guard n Ks ==> Crypt K X:guard n Ks" -| Pair [intro]: "[| X:guard n Ks; Y:guard n Ks |] ==> {|X,Y|}:guard n Ks" +| Pair [intro]: "[| X:guard n Ks; Y:guard n Ks |] ==> \X,Y\ \ guard n Ks" subsection\basic facts about @{term guard}\ @@ -58,8 +58,8 @@ lemma guard_Crypt: "[| Crypt K Y:guard n Ks; K ~:invKey`Ks |] ==> Y:guard n Ks" by (ind_cases "Crypt K Y:guard n Ks") (auto intro!: image_eqI) -lemma guard_MPair [iff]: "({|X,Y|}:guard n Ks) = (X:guard n Ks & Y:guard n Ks)" -by (auto, (ind_cases "{|X,Y|}:guard n Ks", auto)+) +lemma guard_MPair [iff]: "(\X,Y\ \ guard n Ks) = (X \ guard n Ks \ Y \ guard n Ks)" +by (auto, (ind_cases "\X,Y\ \ guard n Ks", auto)+) lemma guard_not_guard [rule_format]: "X:guard n Ks ==> Crypt K Y:kparts {X} --> Nonce n:kparts {Y} --> Y ~:guard n Ks" @@ -175,7 +175,7 @@ fun crypt_nb :: "msg => nat" where "crypt_nb (Crypt K X) = Suc (crypt_nb X)" -| "crypt_nb {|X,Y|} = crypt_nb X + crypt_nb Y" +| "crypt_nb \X,Y\ = crypt_nb X + crypt_nb Y" | "crypt_nb X = 0" (* otherwise *) subsection\basic facts about @{term crypt_nb}\ diff -r e96292f32c3c -r 38b73f7940af src/HOL/Auth/Guard/GuardK.thy --- a/src/HOL/Auth/Guard/GuardK.thy Mon Dec 28 21:47:32 2015 +0100 +++ b/src/HOL/Auth/Guard/GuardK.thy Mon Dec 28 23:13:33 2015 +0100 @@ -26,7 +26,7 @@ No_Key [intro]: "Key n ~:parts {X} ==> X:guardK n Ks" | Guard_Key [intro]: "invKey K:Ks ==> Crypt K X:guardK n Ks" | Crypt [intro]: "X:guardK n Ks ==> Crypt K X:guardK n Ks" -| Pair [intro]: "[| X:guardK n Ks; Y:guardK n Ks |] ==> {|X,Y|}:guardK n Ks" +| Pair [intro]: "[| X:guardK n Ks; Y:guardK n Ks |] ==> \X,Y\:guardK n Ks" subsection\basic facts about @{term guardK}\ @@ -65,9 +65,9 @@ lemma guardK_Crypt: "[| Crypt K Y:guardK n Ks; K ~:invKey`Ks |] ==> Y:guardK n Ks" by (ind_cases "Crypt K Y:guardK n Ks") (auto intro!: image_eqI) -lemma guardK_MPair [iff]: "({|X,Y|}:guardK n Ks) +lemma guardK_MPair [iff]: "(\X,Y\:guardK n Ks) = (X:guardK n Ks & Y:guardK n Ks)" -by (auto, (ind_cases "{|X,Y|}:guardK n Ks", auto)+) +by (auto, (ind_cases "\X,Y\:guardK n Ks", auto)+) lemma guardK_not_guardK [rule_format]: "X:guardK n Ks ==> Crypt K Y:kparts {X} --> Key n:kparts {Y} --> Y ~:guardK n Ks" @@ -172,7 +172,7 @@ fun crypt_nb :: "msg => nat" where "crypt_nb (Crypt K X) = Suc (crypt_nb X)" | -"crypt_nb {|X,Y|} = crypt_nb X + crypt_nb Y" | +"crypt_nb \X,Y\ = crypt_nb X + crypt_nb Y" | "crypt_nb X = 0" (* otherwise *) subsection\basic facts about @{term crypt_nb}\ diff -r e96292f32c3c -r 38b73f7940af src/HOL/Auth/Guard/Guard_NS_Public.thy --- a/src/HOL/Auth/Guard/Guard_NS_Public.thy Mon Dec 28 21:47:32 2015 +0100 +++ b/src/HOL/Auth/Guard/Guard_NS_Public.thy Mon Dec 28 23:13:33 2015 +0100 @@ -13,19 +13,19 @@ abbreviation (input) ns1 :: "agent => agent => nat => event" where - "ns1 A B NA == Says A B (Crypt (pubK B) {|Nonce NA, Agent A|})" + "ns1 A B NA == Says A B (Crypt (pubK B) \Nonce NA, Agent A\)" abbreviation (input) ns1' :: "agent => agent => agent => nat => event" where - "ns1' A' A B NA == Says A' B (Crypt (pubK B) {|Nonce NA, Agent A|})" + "ns1' A' A B NA == Says A' B (Crypt (pubK B) \Nonce NA, Agent A\)" abbreviation (input) ns2 :: "agent => agent => nat => nat => event" where - "ns2 B A NA NB == Says B A (Crypt (pubK A) {|Nonce NA, Nonce NB, Agent B|})" + "ns2 B A NA NB == Says B A (Crypt (pubK A) \Nonce NA, Nonce NB, Agent B\)" abbreviation (input) ns2' :: "agent => agent => agent => nat => nat => event" where - "ns2' B' B A NA NB == Says B' A (Crypt (pubK A) {|Nonce NA, Nonce NB, Agent B|})" + "ns2' B' B A NA NB == Says B' A (Crypt (pubK A) \Nonce NA, Nonce NB, Agent B\)" abbreviation (input) ns3 :: "agent => agent => nat => event" where @@ -80,28 +80,28 @@ subsection\nonce are used only once\ lemma NA_is_uniq [rule_format]: "evs:nsp ==> -Crypt (pubK B) {|Nonce NA, Agent A|}:parts (spies evs) ---> Crypt (pubK B') {|Nonce NA, Agent A'|}:parts (spies evs) +Crypt (pubK B) \Nonce NA, Agent A\:parts (spies evs) +--> Crypt (pubK B') \Nonce NA, Agent A'\:parts (spies evs) --> Nonce NA ~:analz (spies evs) --> A=A' & B=B'" apply (erule nsp.induct, simp_all) by (blast intro: analz_insertI)+ lemma no_Nonce_NS1_NS2 [rule_format]: "evs:nsp ==> -Crypt (pubK B') {|Nonce NA', Nonce NA, Agent A'|}:parts (spies evs) ---> Crypt (pubK B) {|Nonce NA, Agent A|}:parts (spies evs) +Crypt (pubK B') \Nonce NA', Nonce NA, Agent A'\:parts (spies evs) +--> Crypt (pubK B) \Nonce NA, Agent A\:parts (spies evs) --> Nonce NA:analz (spies evs)" apply (erule nsp.induct, simp_all) by (blast intro: analz_insertI)+ lemma no_Nonce_NS1_NS2' [rule_format]: -"[| Crypt (pubK B') {|Nonce NA', Nonce NA, Agent A'|}:parts (spies evs); -Crypt (pubK B) {|Nonce NA, Agent A|}:parts (spies evs); evs:nsp |] +"[| Crypt (pubK B') \Nonce NA', Nonce NA, Agent A'\:parts (spies evs); +Crypt (pubK B) \Nonce NA, Agent A\:parts (spies evs); evs:nsp |] ==> Nonce NA:analz (spies evs)" by (rule no_Nonce_NS1_NS2, auto) lemma NB_is_uniq [rule_format]: "evs:nsp ==> -Crypt (pubK A) {|Nonce NA, Nonce NB, Agent B|}:parts (spies evs) ---> Crypt (pubK A') {|Nonce NA', Nonce NB, Agent B'|}:parts (spies evs) +Crypt (pubK A) \Nonce NA, Nonce NB, Agent B\:parts (spies evs) +--> Crypt (pubK A') \Nonce NA', Nonce NB, Agent B'\:parts (spies evs) --> Nonce NB ~:analz (spies evs) --> A=A' & B=B' & NA=NA'" apply (erule nsp.induct, simp_all) by (blast intro: analz_insertI)+ @@ -166,13 +166,13 @@ subsection\Agents' Authentication\ lemma B_trusts_NS1: "[| evs:nsp; A ~:bad; B ~:bad |] ==> -Crypt (pubK B) {|Nonce NA, Agent A|}:parts (spies evs) +Crypt (pubK B) \Nonce NA, Agent A\:parts (spies evs) --> Nonce NA ~:analz (spies evs) --> ns1 A B NA:set evs" apply (erule nsp.induct, simp_all) by (blast intro: analz_insertI)+ lemma A_trusts_NS2: "[| evs:nsp; A ~:bad; B ~:bad |] ==> ns1 A B NA:set evs ---> Crypt (pubK A) {|Nonce NA, Nonce NB, Agent B|}:parts (spies evs) +--> Crypt (pubK A) \Nonce NA, Nonce NB, Agent B\:parts (spies evs) --> ns2 B A NA NB:set evs" apply (erule nsp.induct, simp_all, safe) apply (frule_tac B=B in ns1_imp_Guard, simp+) diff -r e96292f32c3c -r 38b73f7940af src/HOL/Auth/Guard/Guard_OtwayRees.thy --- a/src/HOL/Auth/Guard/Guard_OtwayRees.thy Mon Dec 28 21:47:32 2015 +0100 +++ b/src/HOL/Auth/Guard/Guard_OtwayRees.thy Mon Dec 28 23:13:33 2015 +0100 @@ -16,43 +16,43 @@ abbreviation or1 :: "agent => agent => nat => event" where "or1 A B NA == - Says A B {|Nonce NA, Agent A, Agent B, Ciph A {|Nonce NA, Agent A, Agent B|}|}" + Says A B \Nonce NA, Agent A, Agent B, Ciph A \Nonce NA, Agent A, Agent B\\" abbreviation or1' :: "agent => agent => agent => nat => msg => event" where - "or1' A' A B NA X == Says A' B {|Nonce NA, Agent A, Agent B, X|}" + "or1' A' A B NA X == Says A' B \Nonce NA, Agent A, Agent B, X\" abbreviation or2 :: "agent => agent => nat => nat => msg => event" where "or2 A B NA NB X == - Says B Server {|Nonce NA, Agent A, Agent B, X, - Ciph B {|Nonce NA, Nonce NB, Agent A, Agent B|}|}" + Says B Server \Nonce NA, Agent A, Agent B, X, + Ciph B \Nonce NA, Nonce NB, Agent A, Agent B\\" abbreviation or2' :: "agent => agent => agent => nat => nat => event" where "or2' B' A B NA NB == - Says B' Server {|Nonce NA, Agent A, Agent B, - Ciph A {|Nonce NA, Agent A, Agent B|}, - Ciph B {|Nonce NA, Nonce NB, Agent A, Agent B|}|}" + Says B' Server \Nonce NA, Agent A, Agent B, + Ciph A \Nonce NA, Agent A, Agent B\, + Ciph B \Nonce NA, Nonce NB, Agent A, Agent B\\" abbreviation or3 :: "agent => agent => nat => nat => key => event" where "or3 A B NA NB K == - Says Server B {|Nonce NA, Ciph A {|Nonce NA, Key K|}, - Ciph B {|Nonce NB, Key K|}|}" + Says Server B \Nonce NA, Ciph A \Nonce NA, Key K\, + Ciph B \Nonce NB, Key K\\" abbreviation or3':: "agent => msg => agent => agent => nat => nat => key => event" where "or3' S Y A B NA NB K == - Says S B {|Nonce NA, Y, Ciph B {|Nonce NB, Key K|}|}" + Says S B \Nonce NA, Y, Ciph B \Nonce NB, Key K\\" abbreviation or4 :: "agent => agent => nat => msg => event" where - "or4 A B NA X == Says B A {|Nonce NA, X, nil|}" + "or4 A B NA X == Says B A \Nonce NA, X, nil\" abbreviation or4' :: "agent => agent => nat => key => event" where - "or4' B' A NA K == Says B' A {|Nonce NA, Ciph A {|Nonce NA, Key K|}, nil|}" + "or4' B' A NA K == Says B' A \Nonce NA, Ciph A \Nonce NA, Key K\, nil\" subsection\definition of the protocol\ @@ -108,7 +108,7 @@ ==> X:parts (spies evs)" by blast -lemma or3_parts_spies [dest]: "Says S B {|NA, Y, Ciph B {|NB, K|}|}:set evs +lemma or3_parts_spies [dest]: "Says S B \NA, Y, Ciph B \NB, K\\:set evs ==> K:parts (spies evs)" by blast @@ -169,13 +169,13 @@ apply (case_tac "Aa=B", clarsimp) apply (case_tac "NAa=NB", clarsimp) apply (drule Says_imp_spies) -apply (drule_tac Y="{|Nonce NB, Agent Aa, Agent Ba|}" +apply (drule_tac Y="\Nonce NB, Agent Aa, Agent Ba\" and K="shrK Aa" in in_Guard_kparts_Crypt, simp+) apply (simp add: No_Nonce) apply (case_tac "Ba=B", clarsimp) apply (case_tac "NBa=NB", clarify) apply (drule Says_imp_spies) -apply (drule_tac Y="{|Nonce NAa, Nonce NB, Agent Aa, Agent Ba|}" +apply (drule_tac Y="\Nonce NAa, Nonce NB, Agent Aa, Agent Ba\" and K="shrK Ba" in in_Guard_kparts_Crypt, simp+) apply (simp add: No_Nonce) (* OR4 *) diff -r e96292f32c3c -r 38b73f7940af src/HOL/Auth/Guard/Guard_Public.thy --- a/src/HOL/Auth/Guard/Guard_Public.thy Mon Dec 28 21:47:32 2015 +0100 +++ b/src/HOL/Auth/Guard/Guard_Public.thy Mon Dec 28 23:13:33 2015 +0100 @@ -14,7 +14,7 @@ subsubsection\signature\ definition sign :: "agent => msg => msg" where -"sign A X == {|Agent A, X, Crypt (priK A) (Hash X)|}" +"sign A X == \Agent A, X, Crypt (priK A) (Hash X)\" lemma sign_inj [iff]: "(sign A X = sign A' X') = (A=A' & X=X')" by (auto simp: sign_def) diff -r e96292f32c3c -r 38b73f7940af src/HOL/Auth/Guard/Guard_Yahalom.thy --- a/src/HOL/Auth/Guard/Guard_Yahalom.thy Mon Dec 28 21:47:32 2015 +0100 +++ b/src/HOL/Auth/Guard/Guard_Yahalom.thy Mon Dec 28 23:13:33 2015 +0100 @@ -11,38 +11,38 @@ abbreviation (input) ya1 :: "agent => agent => nat => event" where - "ya1 A B NA == Says A B {|Agent A, Nonce NA|}" + "ya1 A B NA == Says A B \Agent A, Nonce NA\" abbreviation (input) ya1' :: "agent => agent => agent => nat => event" where - "ya1' A' A B NA == Says A' B {|Agent A, Nonce NA|}" + "ya1' A' A B NA == Says A' B \Agent A, Nonce NA\" abbreviation (input) ya2 :: "agent => agent => nat => nat => event" where - "ya2 A B NA NB == Says B Server {|Agent B, Ciph B {|Agent A, Nonce NA, Nonce NB|}|}" + "ya2 A B NA NB == Says B Server \Agent B, Ciph B \Agent A, Nonce NA, Nonce NB\\" abbreviation (input) ya2' :: "agent => agent => agent => nat => nat => event" where - "ya2' B' A B NA NB == Says B' Server {|Agent B, Ciph B {|Agent A, Nonce NA, Nonce NB|}|}" + "ya2' B' A B NA NB == Says B' Server \Agent B, Ciph B \Agent A, Nonce NA, Nonce NB\\" abbreviation (input) ya3 :: "agent => agent => nat => nat => key => event" where "ya3 A B NA NB K == - Says Server A {|Ciph A {|Agent B, Key K, Nonce NA, Nonce NB|}, - Ciph B {|Agent A, Key K|}|}" + Says Server A \Ciph A \Agent B, Key K, Nonce NA, Nonce NB\, + Ciph B \Agent A, Key K\\" abbreviation (input) ya3':: "agent => msg => agent => agent => nat => nat => key => event" where "ya3' S Y A B NA NB K == - Says S A {|Ciph A {|Agent B, Key K, Nonce NA, Nonce NB|}, Y|}" + Says S A \Ciph A \Agent B, Key K, Nonce NA, Nonce NB\, Y\" abbreviation (input) ya4 :: "agent => agent => nat => nat => msg => event" where - "ya4 A B K NB Y == Says A B {|Y, Crypt K (Nonce NB)|}" + "ya4 A B K NB Y == Says A B \Y, Crypt K (Nonce NB)\" abbreviation (input) ya4' :: "agent => agent => nat => nat => msg => event" where - "ya4' A' B K NB Y == Says A' B {|Y, Crypt K (Nonce NB)|}" + "ya4' A' B K NB Y == Says A' B \Y, Crypt K (Nonce NB)\" subsection\definition of the protocol\ @@ -128,19 +128,19 @@ lemma ya2'_parts_imp_ya1'_parts [rule_format]: "[| evs:ya; B ~:bad |] ==> - Ciph B {|Agent A, Nonce NA, Nonce NB|}:parts (spies evs) --> - {|Agent A, Nonce NA|}:spies evs" + Ciph B \Agent A, Nonce NA, Nonce NB\:parts (spies evs) --> + \Agent A, Nonce NA\:spies evs" by (erule ya.induct, auto dest: Says_imp_spies intro: parts_parts) lemma ya2'_imp_ya1'_parts: "[| ya2' B' A B NA NB:set evs; evs:ya; B ~:bad |] -==> {|Agent A, Nonce NA|}:spies evs" +==> \Agent A, Nonce NA\:spies evs" by (blast dest: Says_imp_spies ya2'_parts_imp_ya1'_parts) subsection\uniqueness of NB\ lemma NB_is_uniq_in_ya2'_parts [rule_format]: "[| evs:ya; B ~:bad; B' ~:bad |] ==> -Ciph B {|Agent A, Nonce NA, Nonce NB|}:parts (spies evs) --> -Ciph B' {|Agent A', Nonce NA', Nonce NB|}:parts (spies evs) --> +Ciph B \Agent A, Nonce NA, Nonce NB\:parts (spies evs) --> +Ciph B' \Agent A', Nonce NA', Nonce NB\:parts (spies evs) --> A=A' & B=B' & NA=NA'" apply (erule ya.induct, simp_all, clarify) apply (drule Crypt_synth_insert, simp+) @@ -156,15 +156,15 @@ subsection\ya3' implies ya2'\ lemma ya3'_parts_imp_ya2'_parts [rule_format]: "[| evs:ya; A ~:bad |] ==> -Ciph A {|Agent B, Key K, Nonce NA, Nonce NB|}:parts (spies evs) ---> Ciph B {|Agent A, Nonce NA, Nonce NB|}:parts (spies evs)" +Ciph A \Agent B, Key K, Nonce NA, Nonce NB\:parts (spies evs) +--> Ciph B \Agent A, Nonce NA, Nonce NB\:parts (spies evs)" apply (erule ya.induct, simp_all) apply (clarify, drule Crypt_synth_insert, simp+) apply (blast intro: parts_sub, blast) by (auto dest: Says_imp_spies parts_parts) lemma ya3'_parts_imp_ya2' [rule_format]: "[| evs:ya; A ~:bad |] ==> -Ciph A {|Agent B, Key K, Nonce NA, Nonce NB|}:parts (spies evs) +Ciph A \Agent B, Key K, Nonce NA, Nonce NB\:parts (spies evs) --> (EX B'. ya2' B' A B NA NB:set evs)" apply (erule ya.induct, simp_all, safe) apply (drule Crypt_synth_insert, simp+) @@ -180,7 +180,7 @@ subsection\ya3' implies ya3\ lemma ya3'_parts_imp_ya3 [rule_format]: "[| evs:ya; A ~:bad |] ==> -Ciph A {|Agent B, Key K, Nonce NA, Nonce NB|}:parts(spies evs) +Ciph A \Agent B, Key K, Nonce NA, Nonce NB\:parts(spies evs) --> ya3 A B NA NB K:set evs" apply (erule ya.induct, simp_all, safe) apply (drule Crypt_synth_insert, simp+) diff -r e96292f32c3c -r 38b73f7940af src/HOL/Auth/Guard/List_Msg.thy --- a/src/HOL/Auth/Guard/List_Msg.thy Mon Dec 28 21:47:32 2015 +0100 +++ b/src/HOL/Auth/Guard/List_Msg.thy Mon Dec 28 23:13:33 2015 +0100 @@ -13,7 +13,7 @@ abbreviation (input) cons :: "msg => msg => msg" where - "cons x l == {|x,l|}" + "cons x l == \x,l\" subsubsection\induction principle\ diff -r e96292f32c3c -r 38b73f7940af src/HOL/Auth/Guard/P1.thy --- a/src/HOL/Auth/Guard/P1.thy Mon Dec 28 21:47:32 2015 +0100 +++ b/src/HOL/Auth/Guard/P1.thy Mon Dec 28 23:13:33 2015 +0100 @@ -18,7 +18,7 @@ the contents of the messages are not completely specified in the paper we assume that the user sends his request and his itinerary in the clear -we will adopt the following format for messages: {|A,r,I,L|} +we will adopt the following format for messages: \A,r,I,L\ A: originator (agent) r: request (number) I: next shops (agent list) @@ -36,8 +36,8 @@ definition chain :: "agent => nat => agent => msg => agent => msg" where "chain B ofr A L C == let m1= Crypt (pubK A) (Nonce ofr) in -let m2= Hash {|head L, Agent C|} in -sign B {|m1,m2|}" +let m2= Hash \head L, Agent C\ in +sign B \m1,m2\" declare Let_def [simp] @@ -51,7 +51,7 @@ subsubsection\agent whose key is used to sign an offer\ fun shop :: "msg => msg" where -"shop {|B,X,Crypt K H|} = Agent (agt K)" +"shop \B,X,Crypt K H\ = Agent (agt K)" lemma shop_chain [simp]: "shop (chain B ofr A L C) = Agent B" by (simp add: chain_def sign_def) @@ -59,7 +59,7 @@ subsubsection\nonce used in an offer\ fun nonce :: "msg => msg" where -"nonce {|B,{|Crypt K ofr,m2|},CryptH|} = ofr" +"nonce \B,\Crypt K ofr,m2\,CryptH\ = ofr" lemma nonce_chain [simp]: "nonce (chain B ofr A L C) = Nonce ofr" by (simp add: chain_def sign_def) @@ -67,7 +67,7 @@ subsubsection\next shop\ fun next_shop :: "msg => agent" where -"next_shop {|B,{|m1,Hash{|headL,Agent C|}|},CryptH|} = C" +"next_shop \B,\m1,Hash\headL,Agent C\\,CryptH\ = C" lemma next_shop_chain [iff]: "next_shop (chain B ofr A L C) = C" by (simp add: chain_def sign_def) @@ -96,8 +96,8 @@ subsubsection\request event\ definition reqm :: "agent => nat => nat => msg => agent => msg" where -"reqm A r n I B == {|Agent A, Number r, cons (Agent A) (cons (Agent B) I), -cons (anchor A n B) nil|}" +"reqm A r n I B == \Agent A, Number r, cons (Agent A) (cons (Agent B) I), +cons (anchor A n B) nil\" lemma reqm_inj [iff]: "(reqm A r n I B = reqm A' r' n' I' B') = (A=A' & r=r' & n=n' & I=I' & B=B')" @@ -117,8 +117,8 @@ definition prom :: "agent => nat => agent => nat => msg => msg => msg => agent => msg" where -"prom B ofr A r I L J C == {|Agent A, Number r, -app (J, del (Agent B, I)), cons (chain B ofr A L C) L|}" +"prom B ofr A r I L J C == \Agent A, Number r, +app (J, del (Agent B, I)), cons (chain B ofr A L C) L\" lemma prom_inj [dest]: "prom B ofr A r I L J C = prom B' ofr' A' r' I' L' J' C' @@ -147,7 +147,7 @@ | Request: "[| evsr:p1; Nonce n ~:used evsr; I:agl |] ==> req A r n I B # evsr : p1" -| Propose: "[| evsp:p1; Says A' B {|Agent A,Number r,I,cons M L|}:set evsp; +| Propose: "[| evsp:p1; Says A' B \Agent A,Number r,I,cons M L\:set evsp; I:agl; J:agl; isin (Agent C, app (J, del (Agent B, I))); Nonce ofr ~:used evsp |] ==> pro B ofr A r I (cons M L) J C # evsp : p1" @@ -198,7 +198,7 @@ subsubsection\list of offers\ fun offers :: "msg => msg" where -"offers (cons M L) = cons {|shop M, nonce M|} (offers L)" | +"offers (cons M L) = cons \shop M, nonce M\ (offers L)" | "offers other = nil" subsubsection\list of agents whose keys are used to sign a list of offers\ @@ -262,15 +262,15 @@ apply clarify apply (frule len_not_empty, clarsimp) apply (frule len_not_empty, clarsimp) -apply (ind_cases "{|x,xa,l'a|}:valid A n B" for x xa l'a) -apply (ind_cases "{|x,M,l'a|}:valid A n B" for x l'a) +apply (ind_cases "\x,xa,l'a\:valid A n B" for x xa l'a) +apply (ind_cases "\x,M,l'a\:valid A n B" for x l'a) apply (simp add: chain_def) (* i > 0 *) apply clarify apply (frule len_not_empty, clarsimp) -apply (ind_cases "{|x,repl(l',Suc na,M)|}:valid A n B" for x l' na) +apply (ind_cases "\x,repl(l',Suc na,M)\:valid A n B" for x l' na) apply (frule len_not_empty, clarsimp) -apply (ind_cases "{|x,l'|}:valid A n B" for x l') +apply (ind_cases "\x,l'\:valid A n B" for x l') by (drule_tac x=l' in spec, simp, blast) subsubsection\insertion resilience: @@ -286,15 +286,15 @@ (* i = 0 *) apply clarify apply (frule len_not_empty, clarsimp) -apply (ind_cases "{|x,l'|}:valid A n B" for x l', simp) -apply (ind_cases "{|x,M,l'|}:valid A n B" for x l', clarsimp) -apply (ind_cases "{|head l',l'|}:valid A n B" for l', simp, simp) +apply (ind_cases "\x,l'\:valid A n B" for x l', simp) +apply (ind_cases "\x,M,l'\:valid A n B" for x l', clarsimp) +apply (ind_cases "\head l',l'\:valid A n B" for l', simp, simp) (* i > 0 *) apply clarify apply (frule len_not_empty, clarsimp) -apply (ind_cases "{|x,l'|}:valid A n B" for x l') +apply (ind_cases "\x,l'\:valid A n B" for x l') apply (frule len_not_empty, clarsimp) -apply (ind_cases "{|x,ins(l',Suc na,M)|}:valid A n B" for x l' na) +apply (ind_cases "\x,ins(l',Suc na,M)\:valid A n B" for x l' na) apply (frule len_not_empty, clarsimp) by (drule_tac x=l' in spec, clarsimp) @@ -307,14 +307,14 @@ (* i = 0 *) apply clarify apply (frule len_not_empty, clarsimp) -apply (ind_cases "{|x,l'|}:valid A n B" for x l') +apply (ind_cases "\x,l'\:valid A n B" for x l') apply (frule len_not_empty, clarsimp) -apply (ind_cases "{|M,l'|}:valid A n B" for l') +apply (ind_cases "\M,l'\:valid A n B" for l') apply (frule len_not_empty, clarsimp, simp) (* i > 0 *) apply clarify apply (frule len_not_empty, clarsimp) -apply (ind_cases "{|x,l'|}:valid A n B" for x l') +apply (ind_cases "\x,l'\:valid A n B" for x l') apply (frule len_not_empty, clarsimp) by (drule_tac x=l' in spec, clarsimp) @@ -326,7 +326,7 @@ subsubsection\get components of a message\ -lemma get_ML [dest]: "Says A' B {|A,r,I,M,L|}:set evs ==> +lemma get_ML [dest]: "Says A' B \A,r,I,M,L\:set evs ==> M:parts (spies evs) & L:parts (spies evs)" by blast @@ -400,15 +400,15 @@ lemma agl_guard [intro]: "I:agl ==> I:guard n Ks" by (erule agl.induct, auto) -lemma Says_to_knows_max'_guard: "[| Says A' C {|A'',r,I,L|}:set evs; +lemma Says_to_knows_max'_guard: "[| Says A' C \A'',r,I,L\:set evs; Guard n Ks (knows_max' C evs) |] ==> L:guard n Ks" by (auto dest: Says_to_knows_max') -lemma Says_from_knows_max'_guard: "[| Says C A' {|A'',r,I,L|}:set evs; +lemma Says_from_knows_max'_guard: "[| Says C A' \A'',r,I,L\:set evs; Guard n Ks (knows_max' C evs) |] ==> L:guard n Ks" by (auto dest: Says_from_knows_max') -lemma Says_Nonce_not_used_guard: "[| Says A' B {|A'',r,I,L|}:set evs; +lemma Says_Nonce_not_used_guard: "[| Says A' B \A'',r,I,L\:set evs; Nonce n ~:used evs |] ==> L:guard n Ks" by (drule not_used_not_parts, auto) diff -r e96292f32c3c -r 38b73f7940af src/HOL/Auth/Guard/P2.thy --- a/src/HOL/Auth/Guard/P2.thy Mon Dec 28 21:47:32 2015 +0100 +++ b/src/HOL/Auth/Guard/P2.thy Mon Dec 28 23:13:33 2015 +0100 @@ -23,8 +23,8 @@ definition chain :: "agent => nat => agent => msg => agent => msg" where "chain B ofr A L C == let m1= sign B (Nonce ofr) in -let m2= Hash {|head L, Agent C|} in -{|Crypt (pubK A) m1, m2|}" +let m2= Hash \head L, Agent C\ in +\Crypt (pubK A) m1, m2\" declare Let_def [simp] @@ -38,7 +38,7 @@ subsubsection\agent whose key is used to sign an offer\ fun shop :: "msg => msg" where -"shop {|Crypt K {|B,ofr,Crypt K' H|},m2|} = Agent (agt K')" +"shop \Crypt K \B,ofr,Crypt K' H\,m2\ = Agent (agt K')" lemma shop_chain [simp]: "shop (chain B ofr A L C) = Agent B" by (simp add: chain_def sign_def) @@ -46,7 +46,7 @@ subsubsection\nonce used in an offer\ fun nonce :: "msg => msg" where -"nonce {|Crypt K {|B,ofr,CryptH|},m2|} = ofr" +"nonce \Crypt K \B,ofr,CryptH\,m2\ = ofr" lemma nonce_chain [simp]: "nonce (chain B ofr A L C) = Nonce ofr" by (simp add: chain_def sign_def) @@ -54,7 +54,7 @@ subsubsection\next shop\ fun next_shop :: "msg => agent" where -"next_shop {|m1,Hash {|headL,Agent C|}|} = C" +"next_shop \m1,Hash \headL,Agent C\\ = C" lemma "next_shop (chain B ofr A L C) = C" by (simp add: chain_def sign_def) @@ -77,8 +77,8 @@ subsubsection\request event\ definition reqm :: "agent => nat => nat => msg => agent => msg" where -"reqm A r n I B == {|Agent A, Number r, cons (Agent A) (cons (Agent B) I), -cons (anchor A n B) nil|}" +"reqm A r n I B == \Agent A, Number r, cons (Agent A) (cons (Agent B) I), +cons (anchor A n B) nil\" lemma reqm_inj [iff]: "(reqm A r n I B = reqm A' r' n' I' B') = (A=A' & r=r' & n=n' & I=I' & B=B')" @@ -98,8 +98,8 @@ definition prom :: "agent => nat => agent => nat => msg => msg => msg => agent => msg" where -"prom B ofr A r I L J C == {|Agent A, Number r, -app (J, del (Agent B, I)), cons (chain B ofr A L C) L|}" +"prom B ofr A r I L J C == \Agent A, Number r, +app (J, del (Agent B, I)), cons (chain B ofr A L C) L\" lemma prom_inj [dest]: "prom B ofr A r I L J C = prom B' ofr' A' r' I' L' J' C' ==> B=B' & ofr=ofr' & A=A' & r=r' & L=L' & C=C'" @@ -127,7 +127,7 @@ | Request: "[| evsr:p2; Nonce n ~:used evsr; I:agl |] ==> req A r n I B # evsr : p2" -| Propose: "[| evsp:p2; Says A' B {|Agent A,Number r,I,cons M L|}:set evsp; +| Propose: "[| evsp:p2; Says A' B \Agent A,Number r,I,cons M L\:set evsp; I:agl; J:agl; isin (Agent C, app (J, del (Agent B, I))); Nonce ofr ~:used evsp |] ==> pro B ofr A r I (cons M L) J C # evsp : p2" @@ -154,7 +154,7 @@ fun offers :: "msg => msg" where - "offers (cons M L) = cons {|shop M, nonce M|} (offers L)" + "offers (cons M L) = cons \shop M, nonce M\ (offers L)" | "offers other = nil" @@ -173,15 +173,15 @@ apply clarify apply (frule len_not_empty, clarsimp) apply (frule len_not_empty, clarsimp) -apply (ind_cases "{|x,xa,l'a|}:valid A n B" for x xa l'a) -apply (ind_cases "{|x,M,l'a|}:valid A n B" for x l'a) +apply (ind_cases "\x,xa,l'a\:valid A n B" for x xa l'a) +apply (ind_cases "\x,M,l'a\:valid A n B" for x l'a) apply (simp add: chain_def) (* i > 0 *) apply clarify apply (frule len_not_empty, clarsimp) -apply (ind_cases "{|x,repl(l',Suc na,M)|}:valid A n B" for x l' na) +apply (ind_cases "\x,repl(l',Suc na,M)\:valid A n B" for x l' na) apply (frule len_not_empty, clarsimp) -apply (ind_cases "{|x,l'|}:valid A n B" for x l') +apply (ind_cases "\x,l'\:valid A n B" for x l') by (drule_tac x=l' in spec, simp, blast) subsection\insertion resilience: @@ -197,15 +197,15 @@ (* i = 0 *) apply clarify apply (frule len_not_empty, clarsimp) -apply (ind_cases "{|x,l'|}:valid A n B" for x l', simp) -apply (ind_cases "{|x,M,l'|}:valid A n B" for x l', clarsimp) -apply (ind_cases "{|head l',l'|}:valid A n B" for l', simp, simp) +apply (ind_cases "\x,l'\:valid A n B" for x l', simp) +apply (ind_cases "\x,M,l'\:valid A n B" for x l', clarsimp) +apply (ind_cases "\head l',l'\:valid A n B" for l', simp, simp) (* i > 0 *) apply clarify apply (frule len_not_empty, clarsimp) -apply (ind_cases "{|x,l'|}:valid A n B" for x l') +apply (ind_cases "\x,l'\:valid A n B" for x l') apply (frule len_not_empty, clarsimp) -apply (ind_cases "{|x,ins(l',Suc na,M)|}:valid A n B" for x l' na) +apply (ind_cases "\x,ins(l',Suc na,M)\:valid A n B" for x l' na) apply (frule len_not_empty, clarsimp) by (drule_tac x=l' in spec, clarsimp) @@ -218,14 +218,14 @@ (* i = 0 *) apply clarify apply (frule len_not_empty, clarsimp) -apply (ind_cases "{|x,l'|}:valid A n B" for x l') +apply (ind_cases "\x,l'\:valid A n B" for x l') apply (frule len_not_empty, clarsimp) -apply (ind_cases "{|M,l'|}:valid A n B" for l') +apply (ind_cases "\M,l'\:valid A n B" for l') apply (frule len_not_empty, clarsimp, simp) (* i > 0 *) apply clarify apply (frule len_not_empty, clarsimp) -apply (ind_cases "{|x,l'|}:valid A n B" for x l') +apply (ind_cases "\x,l'\:valid A n B" for x l') apply (frule len_not_empty, clarsimp) by (drule_tac x=l' in spec, clarsimp) @@ -237,7 +237,7 @@ subsection\get components of a message\ -lemma get_ML [dest]: "Says A' B {|A,R,I,M,L|}:set evs ==> +lemma get_ML [dest]: "Says A' B \A,R,I,M,L\:set evs ==> M:parts (spies evs) & L:parts (spies evs)" by blast @@ -312,15 +312,15 @@ lemma agl_guard [intro]: "I:agl ==> I:guard n Ks" by (erule agl.induct, auto) -lemma Says_to_knows_max'_guard: "[| Says A' C {|A'',r,I,L|}:set evs; +lemma Says_to_knows_max'_guard: "[| Says A' C \A'',r,I,L\:set evs; Guard n Ks (knows_max' C evs) |] ==> L:guard n Ks" by (auto dest: Says_to_knows_max') -lemma Says_from_knows_max'_guard: "[| Says C A' {|A'',r,I,L|}:set evs; +lemma Says_from_knows_max'_guard: "[| Says C A' \A'',r,I,L\:set evs; Guard n Ks (knows_max' C evs) |] ==> L:guard n Ks" by (auto dest: Says_from_knows_max') -lemma Says_Nonce_not_used_guard: "[| Says A' B {|A'',r,I,L|}:set evs; +lemma Says_Nonce_not_used_guard: "[| Says A' B \A'',r,I,L\:set evs; Nonce n ~:used evs |] ==> L:guard n Ks" by (drule not_used_not_parts, auto) diff -r e96292f32c3c -r 38b73f7940af src/HOL/Auth/Guard/Proto.thy --- a/src/HOL/Auth/Guard/Proto.thy Mon Dec 28 21:47:32 2015 +0100 +++ b/src/HOL/Auth/Guard/Proto.thy Mon Dec 28 23:13:33 2015 +0100 @@ -39,7 +39,7 @@ if (EX A. K = pubK A) then Crypt (pubK (agent s (agt K))) (apm s X) else if (EX A. K = priK A) then Crypt (priK (agent s (agt K))) (apm s X) else Crypt (key s K) (apm s X))" -| "apm s {|X,Y|} = {|apm s X, apm s Y|}" +| "apm s \X,Y\ = \apm s X, apm s Y\" lemma apm_parts: "X:parts {Y} ==> apm s X:parts {apm s Y}" apply (erule parts.induct, simp_all, blast) @@ -371,17 +371,17 @@ abbreviation ns1 :: rule where - "ns1 == ({}, Says a b (Crypt (pubK b) {|Nonce Na, Agent a|}))" + "ns1 == ({}, Says a b (Crypt (pubK b) \Nonce Na, Agent a\))" abbreviation ns2 :: rule where - "ns2 == ({Says a' b (Crypt (pubK b) {|Nonce Na, Agent a|})}, - Says b a (Crypt (pubK a) {|Nonce Na, Nonce Nb, Agent b|}))" + "ns2 == ({Says a' b (Crypt (pubK b) \Nonce Na, Agent a\)}, + Says b a (Crypt (pubK a) \Nonce Na, Nonce Nb, Agent b\))" abbreviation ns3 :: rule where - "ns3 == ({Says a b (Crypt (pubK b) {|Nonce Na, Agent a|}), - Says b' a (Crypt (pubK a) {|Nonce Na, Nonce Nb, Agent b|})}, + "ns3 == ({Says a b (Crypt (pubK b) \Nonce Na, Agent a\), + Says b' a (Crypt (pubK a) \Nonce Na, Nonce Nb, Agent b\)}, Says a b (Crypt (pubK b) (Nonce Nb)))" inductive_set ns :: proto where @@ -391,11 +391,11 @@ abbreviation (input) ns3a :: event where - "ns3a == Says a b (Crypt (pubK b) {|Nonce Na, Agent a|})" + "ns3a == Says a b (Crypt (pubK b) \Nonce Na, Agent a\)" abbreviation (input) ns3b :: event where - "ns3b == Says b' a (Crypt (pubK a) {|Nonce Na, Nonce Nb, Agent b|})" + "ns3b == Says b' a (Crypt (pubK a) \Nonce Na, Nonce Nb, Agent b\)" definition keys :: "keyfun" where "keys R' s' n evs == {priK' s' a, priK' s' b}" @@ -405,8 +405,8 @@ definition secret :: "secfun" where "secret R n s Ks == -(if R=ns1 then apm s (Crypt (pubK b) {|Nonce Na, Agent a|}) -else if R=ns2 then apm s (Crypt (pubK a) {|Nonce Na, Nonce Nb, Agent b|}) +(if R=ns1 then apm s (Crypt (pubK b) \Nonce Na, Agent a\) +else if R=ns2 then apm s (Crypt (pubK a) \Nonce Na, Nonce Nb, Agent b\) else Number 0)" definition inf :: "rule => rule => bool" where diff -r e96292f32c3c -r 38b73f7940af src/HOL/Auth/Message.thy --- a/src/HOL/Auth/Message.thy Mon Dec 28 21:47:32 2015 +0100 +++ b/src/HOL/Auth/Message.thy Mon Dec 28 23:13:33 2015 +0100 @@ -48,21 +48,17 @@ | Crypt key msg \\Encryption, public- or shared-key\ -text\Concrete syntax: messages appear as {|A,B,NA|}, etc...\ +text\Concrete syntax: messages appear as \\A,B,NA\\, etc...\ syntax - "_MTuple" :: "['a, args] => 'a * 'b" ("(2{|_,/ _|})") - -syntax (xsymbols) - "_MTuple" :: "['a, args] => 'a * 'b" ("(2\_,/ _\)") - + "_MTuple" :: "['a, args] \ 'a * 'b" ("(2\_,/ _\)") translations - "{|x, y, z|}" == "{|x, {|y, z|}|}" - "{|x, y|}" == "CONST MPair x y" + "\x, y, z\" \ "\x, \y, z\\" + "\x, y\" \ "CONST MPair x y" definition HPair :: "[msg,msg] => msg" ("(4Hash[_] /_)" [0, 1000]) where \\Message Y paired with a MAC computed with the help of X\ - "Hash[X] Y == {| Hash{|X,Y|}, Y|}" + "Hash[X] Y == \Hash\X,Y\, Y\" definition keysFor :: "msg set => key set" where \\Keys useful to decrypt elements of a message set\ @@ -75,9 +71,9 @@ parts :: "msg set => msg set" for H :: "msg set" where - Inj [intro]: "X \ H ==> X \ parts H" - | Fst: "{|X,Y|} \ parts H ==> X \ parts H" - | Snd: "{|X,Y|} \ parts H ==> Y \ parts H" + Inj [intro]: "X \ H ==> X \ parts H" + | Fst: "\X,Y\ \ parts H ==> X \ parts H" + | Snd: "\X,Y\ \ parts H ==> Y \ parts H" | Body: "Crypt K X \ parts H ==> X \ parts H" @@ -136,7 +132,7 @@ lemma keysFor_insert_Hash [simp]: "keysFor (insert (Hash X) H) = keysFor H" by (unfold keysFor_def, auto) -lemma keysFor_insert_MPair [simp]: "keysFor (insert {|X,Y|} H) = keysFor H" +lemma keysFor_insert_MPair [simp]: "keysFor (insert \X,Y\ H) = keysFor H" by (unfold keysFor_def, auto) lemma keysFor_insert_Crypt [simp]: @@ -153,7 +149,7 @@ subsection\Inductive relation "parts"\ lemma MPair_parts: - "[| {|X,Y|} \ parts H; + "[| \X,Y\ \ parts H; [| X \ parts H; Y \ parts H |] ==> P |] ==> P" by (blast dest: parts.Fst parts.Snd) @@ -294,8 +290,8 @@ done lemma parts_insert_MPair [simp]: - "parts (insert {|X,Y|} H) = - insert {|X,Y|} (parts (insert X (insert Y H)))" + "parts (insert \X,Y\ H) = + insert \X,Y\ (parts (insert X (insert Y H)))" apply (rule equalityI) apply (rule subsetI) apply (erule parts.induct, auto) @@ -330,9 +326,9 @@ analz :: "msg set => msg set" for H :: "msg set" where - Inj [intro,simp] : "X \ H ==> X \ analz H" - | Fst: "{|X,Y|} \ analz H ==> X \ analz H" - | Snd: "{|X,Y|} \ analz H ==> Y \ analz H" + Inj [intro,simp]: "X \ H ==> X \ analz H" + | Fst: "\X,Y\ \ analz H ==> X \ analz H" + | Snd: "\X,Y\ \ analz H ==> Y \ analz H" | Decrypt [dest]: "[|Crypt K X \ analz H; Key(invKey K): analz H|] ==> X \ analz H" @@ -346,7 +342,7 @@ text\Making it safe speeds up proofs\ lemma MPair_analz [elim!]: - "[| {|X,Y|} \ analz H; + "[| \X,Y\ \ analz H; [| X \ analz H; Y \ analz H |] ==> P |] ==> P" by (blast dest: analz.Fst analz.Snd) @@ -427,8 +423,8 @@ done lemma analz_insert_MPair [simp]: - "analz (insert {|X,Y|} H) = - insert {|X,Y|} (analz (insert X (insert Y H)))" + "analz (insert \X,Y\ H) = + insert \X,Y\ (analz (insert X (insert Y H)))" apply (rule equalityI) apply (rule subsetI) apply (erule analz.induct, auto) @@ -540,7 +536,7 @@ text\If there are no pairs or encryptions then analz does nothing\ lemma analz_trivial: - "[| \X Y. {|X,Y|} \ H; \X K. Crypt K X \ H |] ==> analz H = H" + "[| \X Y. \X,Y\ \ H; \X K. Crypt K X \ H |] ==> analz H = H" apply safe apply (erule analz.induct, blast+) done @@ -571,7 +567,7 @@ | Agent [intro]: "Agent agt \ synth H" | Number [intro]: "Number n \ synth H" | Hash [intro]: "X \ synth H ==> Hash X \ synth H" - | MPair [intro]: "[|X \ synth H; Y \ synth H|] ==> {|X,Y|} \ synth H" + | MPair [intro]: "[|X \ synth H; Y \ synth H|] ==> \X,Y\ \ synth H" | Crypt [intro]: "[|X \ synth H; Key(K) \ H|] ==> Crypt K X \ synth H" text\Monotonicity\ @@ -585,7 +581,7 @@ "Nonce n \ synth H" "Key K \ synth H" "Hash X \ synth H" - "{|X,Y|} \ synth H" + "\X,Y\ \ synth H" "Crypt K X \ synth H" lemma synth_increasing: "H \ synth(H)" @@ -694,7 +690,7 @@ text\Without this equation, other rules for synth and analz would yield redundant cases\ lemma MPair_synth_analz [iff]: - "({|X,Y|} \ synth (analz H)) = + "(\X,Y\ \ synth (analz H)) = (X \ synth (analz H) & Y \ synth (analz H))" by blast @@ -706,7 +702,7 @@ lemma Hash_synth_analz [simp]: "X \ synth (analz H) - ==> (Hash{|X,Y|} \ synth (analz H)) = (Hash{|X,Y|} \ analz H)" + ==> (Hash\X,Y\ \ synth (analz H)) = (Hash\X,Y\ \ analz H)" by blast @@ -742,11 +738,11 @@ by (simp add: HPair_def) lemma MPair_eq_HPair [iff]: - "({|X',Y'|} = Hash[X] Y) = (X' = Hash{|X,Y|} & Y'=Y)" + "(\X',Y'\ = Hash[X] Y) = (X' = Hash\X,Y\ & Y'=Y)" by (simp add: HPair_def) lemma HPair_eq_MPair [iff]: - "(Hash[X] Y = {|X',Y'|}) = (X' = Hash{|X,Y|} & Y'=Y)" + "(Hash[X] Y = \X',Y'\) = (X' = Hash\X,Y\ & Y'=Y)" by (auto simp add: HPair_def) @@ -757,18 +753,18 @@ lemma parts_insert_HPair [simp]: "parts (insert (Hash[X] Y) H) = - insert (Hash[X] Y) (insert (Hash{|X,Y|}) (parts (insert Y H)))" + insert (Hash[X] Y) (insert (Hash\X,Y\) (parts (insert Y H)))" by (simp add: HPair_def) lemma analz_insert_HPair [simp]: "analz (insert (Hash[X] Y) H) = - insert (Hash[X] Y) (insert (Hash{|X,Y|}) (analz (insert Y H)))" + insert (Hash[X] Y) (insert (Hash\X,Y\) (analz (insert Y H)))" by (simp add: HPair_def) lemma HPair_synth_analz [simp]: "X \ synth (analz H) ==> (Hash[X] Y \ synth (analz H)) = - (Hash {|X, Y|} \ analz H & Y \ synth (analz H))" + (Hash \X, Y\ \ analz H & Y \ synth (analz H))" by (auto simp add: HPair_def) @@ -814,14 +810,14 @@ | Number: "Number N \ keyfree" | Nonce: "Nonce N \ keyfree" | Hash: "Hash X \ keyfree" - | MPair: "[|X \ keyfree; Y \ keyfree|] ==> {|X,Y|} \ keyfree" + | MPair: "[|X \ keyfree; Y \ keyfree|] ==> \X,Y\ \ keyfree" | Crypt: "[|X \ keyfree|] ==> Crypt K X \ keyfree" declare keyfree.intros [intro] inductive_cases keyfree_KeyE: "Key K \ keyfree" -inductive_cases keyfree_MPairE: "{|X,Y|} \ keyfree" +inductive_cases keyfree_MPairE: "\X,Y\ \ keyfree" inductive_cases keyfree_CryptE: "Crypt K X \ keyfree" lemma parts_keyfree: "parts (keyfree) \ keyfree" diff -r e96292f32c3c -r 38b73f7940af src/HOL/Auth/OtwayRees.thy --- a/src/HOL/Auth/OtwayRees.thy Mon Dec 28 21:47:32 2015 +0100 +++ b/src/HOL/Auth/OtwayRees.thy Mon Dec 28 23:13:33 2015 +0100 @@ -31,17 +31,17 @@ (*Alice initiates a protocol run*) | OR1: "[| evs1 \ otway; Nonce NA \ used evs1 |] - ==> Says A B {|Nonce NA, Agent A, Agent B, - Crypt (shrK A) {|Nonce NA, Agent A, Agent B|} |} + ==> Says A B \Nonce NA, Agent A, Agent B, + Crypt (shrK A) \Nonce NA, Agent A, Agent B\ \ # evs1 : otway" (*Bob's response to Alice's message. Note that NB is encrypted.*) | OR2: "[| evs2 \ otway; Nonce NB \ used evs2; - Gets B {|Nonce NA, Agent A, Agent B, X|} : set evs2 |] + Gets B \Nonce NA, Agent A, Agent B, X\ : set evs2 |] ==> Says B Server - {|Nonce NA, Agent A, Agent B, X, + \Nonce NA, Agent A, Agent B, X, Crypt (shrK B) - {|Nonce NA, Nonce NB, Agent A, Agent B|}|} + \Nonce NA, Nonce NB, Agent A, Agent B\\ # evs2 : otway" (*The Server receives Bob's message and checks that the three NAs @@ -49,34 +49,34 @@ forwarding to Alice.*) | OR3: "[| evs3 \ otway; Key KAB \ used evs3; Gets Server - {|Nonce NA, Agent A, Agent B, - Crypt (shrK A) {|Nonce NA, Agent A, Agent B|}, - Crypt (shrK B) {|Nonce NA, Nonce NB, Agent A, Agent B|}|} + \Nonce NA, Agent A, Agent B, + Crypt (shrK A) \Nonce NA, Agent A, Agent B\, + Crypt (shrK B) \Nonce NA, Nonce NB, Agent A, Agent B\\ : set evs3 |] ==> Says Server B - {|Nonce NA, - Crypt (shrK A) {|Nonce NA, Key KAB|}, - Crypt (shrK B) {|Nonce NB, Key KAB|}|} + \Nonce NA, + Crypt (shrK A) \Nonce NA, Key KAB\, + Crypt (shrK B) \Nonce NB, Key KAB\\ # evs3 : otway" (*Bob receives the Server's (?) message and compares the Nonces with those in the message he previously sent the Server. Need B \ Server because we allow messages to self.*) | OR4: "[| evs4 \ otway; B \ Server; - Says B Server {|Nonce NA, Agent A, Agent B, X', + Says B Server \Nonce NA, Agent A, Agent B, X', Crypt (shrK B) - {|Nonce NA, Nonce NB, Agent A, Agent B|}|} + \Nonce NA, Nonce NB, Agent A, Agent B\\ : set evs4; - Gets B {|Nonce NA, X, Crypt (shrK B) {|Nonce NB, Key K|}|} + Gets B \Nonce NA, X, Crypt (shrK B) \Nonce NB, Key K\\ : set evs4 |] - ==> Says B A {|Nonce NA, X|} # evs4 : otway" + ==> Says B A \Nonce NA, X\ # evs4 : otway" (*This message models possible leaks of session keys. The nonces identify the protocol run.*) | Oops: "[| evso \ otway; - Says Server B {|Nonce NA, X, Crypt (shrK B) {|Nonce NB, Key K|}|} + Says Server B \Nonce NA, X, Crypt (shrK B) \Nonce NB, Key K\\ : set evso |] - ==> Notes Spy {|Nonce NA, Nonce NB, Key K|} # evso : otway" + ==> Notes Spy \Nonce NA, Nonce NB, Key K\ # evso : otway" declare Says_imp_analz_Spy [dest] @@ -88,7 +88,7 @@ text\A "possibility property": there are traces that reach the end\ lemma "[| B \ Server; Key K \ used [] |] ==> \evs \ otway. - Says B A {|Nonce NA, Crypt (shrK A) {|Nonce NA, Key K|}|} + Says B A \Nonce NA, Crypt (shrK A) \Nonce NA, Key K\\ \ set evs" apply (intro exI bexI) apply (rule_tac [2] otway.Nil @@ -108,12 +108,12 @@ (** For reasoning about the encrypted portion of messages **) lemma OR2_analz_knows_Spy: - "[| Gets B {|N, Agent A, Agent B, X|} \ set evs; evs \ otway |] + "[| Gets B \N, Agent A, Agent B, X\ \ set evs; evs \ otway |] ==> X \ analz (knows Spy evs)" by blast lemma OR4_analz_knows_Spy: - "[| Gets B {|N, X, Crypt (shrK B) X'|} \ set evs; evs \ otway |] + "[| Gets B \N, X, Crypt (shrK B) X'\ \ set evs; evs \ otway |] ==> X \ analz (knows Spy evs)" by blast @@ -151,7 +151,7 @@ (*Describes the form of K and NA when the Server sends this message. Also for Oops case.*) lemma Says_Server_message_form: - "[| Says Server B {|NA, X, Crypt (shrK B) {|NB, Key K|}|} \ set evs; + "[| Says Server B \NA, X, Crypt (shrK B) \NB, Key K\\ \ set evs; evs \ otway |] ==> K \ range shrK & (\i. NA = Nonce i) & (\j. NB = Nonce j)" by (erule rev_mp, erule otway.induct, simp_all) @@ -190,8 +190,8 @@ text\The Key K uniquely identifies the Server's message.\ lemma unique_session_keys: - "[| Says Server B {|NA, X, Crypt (shrK B) {|NB, K|}|} \ set evs; - Says Server B' {|NA',X',Crypt (shrK B') {|NB',K|}|} \ set evs; + "[| Says Server B \NA, X, Crypt (shrK B) \NB, K\\ \ set evs; + Says Server B' \NA',X',Crypt (shrK B') \NB',K\\ \ set evs; evs \ otway |] ==> X=X' & B=B' & NA=NA' & NB=NB'" apply (erule rev_mp) apply (erule rev_mp) @@ -205,27 +205,27 @@ text\Only OR1 can have caused such a part of a message to appear.\ lemma Crypt_imp_OR1 [rule_format]: "[| A \ bad; evs \ otway |] - ==> Crypt (shrK A) {|NA, Agent A, Agent B|} \ parts (knows Spy evs) --> - Says A B {|NA, Agent A, Agent B, - Crypt (shrK A) {|NA, Agent A, Agent B|}|} + ==> Crypt (shrK A) \NA, Agent A, Agent B\ \ parts (knows Spy evs) --> + Says A B \NA, Agent A, Agent B, + Crypt (shrK A) \NA, Agent A, Agent B\\ \ set evs" by (erule otway.induct, force, drule_tac [4] OR2_parts_knows_Spy, simp_all, blast+) lemma Crypt_imp_OR1_Gets: - "[| Gets B {|NA, Agent A, Agent B, - Crypt (shrK A) {|NA, Agent A, Agent B|}|} \ set evs; + "[| Gets B \NA, Agent A, Agent B, + Crypt (shrK A) \NA, Agent A, Agent B\\ \ set evs; A \ bad; evs \ otway |] - ==> Says A B {|NA, Agent A, Agent B, - Crypt (shrK A) {|NA, Agent A, Agent B|}|} + ==> Says A B \NA, Agent A, Agent B, + Crypt (shrK A) \NA, Agent A, Agent B\\ \ set evs" by (blast dest: Crypt_imp_OR1) text\The Nonce NA uniquely identifies A's message\ lemma unique_NA: - "[| Crypt (shrK A) {|NA, Agent A, Agent B|} \ parts (knows Spy evs); - Crypt (shrK A) {|NA, Agent A, Agent C|} \ parts (knows Spy evs); + "[| Crypt (shrK A) \NA, Agent A, Agent B\ \ parts (knows Spy evs); + Crypt (shrK A) \NA, Agent A, Agent C\ \ parts (knows Spy evs); evs \ otway; A \ bad |] ==> B = C" apply (erule rev_mp, erule rev_mp) @@ -238,9 +238,9 @@ OR2 encrypts Nonce NB. It prevents the attack that can occur in the over-simplified version of this protocol: see \OtwayRees_Bad\.\ lemma no_nonce_OR1_OR2: - "[| Crypt (shrK A) {|NA, Agent A, Agent B|} \ parts (knows Spy evs); + "[| Crypt (shrK A) \NA, Agent A, Agent B\ \ parts (knows Spy evs); A \ bad; evs \ otway |] - ==> Crypt (shrK A) {|NA', NA, Agent A', Agent A|} \ parts (knows Spy evs)" + ==> Crypt (shrK A) \NA', NA, Agent A', Agent A\ \ parts (knows Spy evs)" apply (erule rev_mp) apply (erule otway.induct, force, drule_tac [4] OR2_parts_knows_Spy, simp_all, blast+) @@ -250,13 +250,13 @@ to start a run, then it originated with the Server!\ lemma NA_Crypt_imp_Server_msg [rule_format]: "[| A \ bad; evs \ otway |] - ==> Says A B {|NA, Agent A, Agent B, - Crypt (shrK A) {|NA, Agent A, Agent B|}|} \ set evs --> - Crypt (shrK A) {|NA, Key K|} \ parts (knows Spy evs) + ==> Says A B \NA, Agent A, Agent B, + Crypt (shrK A) \NA, Agent A, Agent B\\ \ set evs --> + Crypt (shrK A) \NA, Key K\ \ parts (knows Spy evs) --> (\NB. Says Server B - {|NA, - Crypt (shrK A) {|NA, Key K|}, - Crypt (shrK B) {|NB, Key K|}|} \ set evs)" + \NA, + Crypt (shrK A) \NA, Key K\, + Crypt (shrK B) \NB, Key K\\ \ set evs)" apply (erule otway.induct, force, drule_tac [4] OR2_parts_knows_Spy, simp_all, blast) apply blast \\OR1: by freshness\ @@ -270,14 +270,14 @@ bad form of this protocol, even though we can prove \Spy_not_see_encrypted_key\\ lemma A_trusts_OR4: - "[| Says A B {|NA, Agent A, Agent B, - Crypt (shrK A) {|NA, Agent A, Agent B|}|} \ set evs; - Says B' A {|NA, Crypt (shrK A) {|NA, Key K|}|} \ set evs; + "[| Says A B \NA, Agent A, Agent B, + Crypt (shrK A) \NA, Agent A, Agent B\\ \ set evs; + Says B' A \NA, Crypt (shrK A) \NA, Key K\\ \ set evs; A \ bad; evs \ otway |] ==> \NB. Says Server B - {|NA, - Crypt (shrK A) {|NA, Key K|}, - Crypt (shrK B) {|NB, Key K|}|} + \NA, + Crypt (shrK A) \NA, Key K\, + Crypt (shrK B) \NB, Key K\\ \ set evs" by (blast intro!: NA_Crypt_imp_Server_msg) @@ -288,9 +288,9 @@ lemma secrecy_lemma: "[| A \ bad; B \ bad; evs \ otway |] ==> Says Server B - {|NA, Crypt (shrK A) {|NA, Key K|}, - Crypt (shrK B) {|NB, Key K|}|} \ set evs --> - Notes Spy {|NA, NB, Key K|} \ set evs --> + \NA, Crypt (shrK A) \NA, Key K\, + Crypt (shrK B) \NB, Key K\\ \ set evs --> + Notes Spy \NA, NB, Key K\ \ set evs --> Key K \ analz (knows Spy evs)" apply (erule otway.induct, force) apply (frule_tac [7] Says_Server_message_form) @@ -303,9 +303,9 @@ theorem Spy_not_see_encrypted_key: "[| Says Server B - {|NA, Crypt (shrK A) {|NA, Key K|}, - Crypt (shrK B) {|NB, Key K|}|} \ set evs; - Notes Spy {|NA, NB, Key K|} \ set evs; + \NA, Crypt (shrK A) \NA, Key K\, + Crypt (shrK B) \NB, Key K\\ \ set evs; + Notes Spy \NA, NB, Key K\ \ set evs; A \ bad; B \ bad; evs \ otway |] ==> Key K \ analz (knows Spy evs)" by (blast dest: Says_Server_message_form secrecy_lemma) @@ -319,9 +319,9 @@ @{term "Key K \ analz (knows Spy evs)"}.\ lemma Spy_not_know_encrypted_key: "[| Says Server B - {|NA, Crypt (shrK A) {|NA, Key K|}, - Crypt (shrK B) {|NB, Key K|}|} \ set evs; - Notes Spy {|NA, NB, Key K|} \ set evs; + \NA, Crypt (shrK A) \NA, Key K\, + Crypt (shrK B) \NB, Key K\\ \ set evs; + Notes Spy \NA, NB, Key K\ \ set evs; A \ bad; B \ bad; evs \ otway |] ==> Key K \ knows Spy evs" by (blast dest: Spy_not_see_encrypted_key) @@ -330,10 +330,10 @@ text\A's guarantee. The Oops premise quantifies over NB because A cannot know what it is.\ lemma A_gets_good_key: - "[| Says A B {|NA, Agent A, Agent B, - Crypt (shrK A) {|NA, Agent A, Agent B|}|} \ set evs; - Says B' A {|NA, Crypt (shrK A) {|NA, Key K|}|} \ set evs; - \NB. Notes Spy {|NA, NB, Key K|} \ set evs; + "[| Says A B \NA, Agent A, Agent B, + Crypt (shrK A) \NA, Agent A, Agent B\\ \ set evs; + Says B' A \NA, Crypt (shrK A) \NA, Key K\\ \ set evs; + \NB. Notes Spy \NA, NB, Key K\ \ set evs; A \ bad; B \ bad; evs \ otway |] ==> Key K \ analz (knows Spy evs)" by (blast dest!: A_trusts_OR4 Spy_not_see_encrypted_key) @@ -344,11 +344,11 @@ text\Only OR2 can have caused such a part of a message to appear. We do not know anything about X: it does NOT have to have the right form.\ lemma Crypt_imp_OR2: - "[| Crypt (shrK B) {|NA, NB, Agent A, Agent B|} \ parts (knows Spy evs); + "[| Crypt (shrK B) \NA, NB, Agent A, Agent B\ \ parts (knows Spy evs); B \ bad; evs \ otway |] ==> \X. Says B Server - {|NA, Agent A, Agent B, X, - Crypt (shrK B) {|NA, NB, Agent A, Agent B|}|} + \NA, Agent A, Agent B, X, + Crypt (shrK B) \NA, NB, Agent A, Agent B\\ \ set evs" apply (erule rev_mp) apply (erule otway.induct, force, @@ -358,8 +358,8 @@ text\The Nonce NB uniquely identifies B's message\ lemma unique_NB: - "[| Crypt (shrK B) {|NA, NB, Agent A, Agent B|} \ parts(knows Spy evs); - Crypt (shrK B) {|NC, NB, Agent C, Agent B|} \ parts(knows Spy evs); + "[| Crypt (shrK B) \NA, NB, Agent A, Agent B\ \ parts(knows Spy evs); + Crypt (shrK B) \NC, NB, Agent C, Agent B\ \ parts(knows Spy evs); evs \ otway; B \ bad |] ==> NC = NA & C = A" apply (erule rev_mp, erule rev_mp) @@ -372,14 +372,14 @@ then it originated with the Server! Quite messy proof.\ lemma NB_Crypt_imp_Server_msg [rule_format]: "[| B \ bad; evs \ otway |] - ==> Crypt (shrK B) {|NB, Key K|} \ parts (knows Spy evs) + ==> Crypt (shrK B) \NB, Key K\ \ parts (knows Spy evs) --> (\X'. Says B Server - {|NA, Agent A, Agent B, X', - Crypt (shrK B) {|NA, NB, Agent A, Agent B|}|} + \NA, Agent A, Agent B, X', + Crypt (shrK B) \NA, NB, Agent A, Agent B\\ \ set evs --> Says Server B - {|NA, Crypt (shrK A) {|NA, Key K|}, - Crypt (shrK B) {|NB, Key K|}|} + \NA, Crypt (shrK A) \NA, Key K\, + Crypt (shrK B) \NB, Key K\\ \ set evs)" apply simp apply (erule otway.induct, force, @@ -394,15 +394,15 @@ text\Guarantee for B: if it gets a message with matching NB then the Server has sent the correct message.\ theorem B_trusts_OR3: - "[| Says B Server {|NA, Agent A, Agent B, X', - Crypt (shrK B) {|NA, NB, Agent A, Agent B|} |} + "[| Says B Server \NA, Agent A, Agent B, X', + Crypt (shrK B) \NA, NB, Agent A, Agent B\\ \ set evs; - Gets B {|NA, X, Crypt (shrK B) {|NB, Key K|}|} \ set evs; + Gets B \NA, X, Crypt (shrK B) \NB, Key K\\ \ set evs; B \ bad; evs \ otway |] ==> Says Server B - {|NA, - Crypt (shrK A) {|NA, Key K|}, - Crypt (shrK B) {|NB, Key K|}|} + \NA, + Crypt (shrK A) \NA, Key K\, + Crypt (shrK B) \NB, Key K\\ \ set evs" by (blast intro!: NB_Crypt_imp_Server_msg) @@ -410,11 +410,11 @@ text\The obvious combination of \B_trusts_OR3\ with \Spy_not_see_encrypted_key\\ lemma B_gets_good_key: - "[| Says B Server {|NA, Agent A, Agent B, X', - Crypt (shrK B) {|NA, NB, Agent A, Agent B|} |} + "[| Says B Server \NA, Agent A, Agent B, X', + Crypt (shrK B) \NA, NB, Agent A, Agent B\\ \ set evs; - Gets B {|NA, X, Crypt (shrK B) {|NB, Key K|}|} \ set evs; - Notes Spy {|NA, NB, Key K|} \ set evs; + Gets B \NA, X, Crypt (shrK B) \NB, Key K\\ \ set evs; + Notes Spy \NA, NB, Key K\ \ set evs; A \ bad; B \ bad; evs \ otway |] ==> Key K \ analz (knows Spy evs)" by (blast dest!: B_trusts_OR3 Spy_not_see_encrypted_key) @@ -422,11 +422,11 @@ lemma OR3_imp_OR2: "[| Says Server B - {|NA, Crypt (shrK A) {|NA, Key K|}, - Crypt (shrK B) {|NB, Key K|}|} \ set evs; + \NA, Crypt (shrK A) \NA, Key K\, + Crypt (shrK B) \NB, Key K\\ \ set evs; B \ bad; evs \ otway |] - ==> \X. Says B Server {|NA, Agent A, Agent B, X, - Crypt (shrK B) {|NA, NB, Agent A, Agent B|} |} + ==> \X. Says B Server \NA, Agent A, Agent B, X, + Crypt (shrK B) \NA, NB, Agent A, Agent B\\ \ set evs" apply (erule rev_mp) apply (erule otway.induct, simp_all) @@ -438,12 +438,12 @@ We could probably prove that X has the expected form, but that is not strictly necessary for authentication.\ theorem A_auths_B: - "[| Says B' A {|NA, Crypt (shrK A) {|NA, Key K|}|} \ set evs; - Says A B {|NA, Agent A, Agent B, - Crypt (shrK A) {|NA, Agent A, Agent B|}|} \ set evs; + "[| Says B' A \NA, Crypt (shrK A) \NA, Key K\\ \ set evs; + Says A B \NA, Agent A, Agent B, + Crypt (shrK A) \NA, Agent A, Agent B\\ \ set evs; A \ bad; B \ bad; evs \ otway |] - ==> \NB X. Says B Server {|NA, Agent A, Agent B, X, - Crypt (shrK B) {|NA, NB, Agent A, Agent B|} |} + ==> \NB X. Says B Server \NA, Agent A, Agent B, X, + Crypt (shrK B) \NA, NB, Agent A, Agent B\\ \ set evs" by (blast dest!: A_trusts_OR4 OR3_imp_OR2) diff -r e96292f32c3c -r 38b73f7940af src/HOL/Auth/OtwayRees_AN.thy --- a/src/HOL/Auth/OtwayRees_AN.thy Mon Dec 28 21:47:32 2015 +0100 +++ b/src/HOL/Auth/OtwayRees_AN.thy Mon Dec 28 23:13:33 2015 +0100 @@ -39,30 +39,30 @@ | OR1: \\Alice initiates a protocol run\ "evs1 \ otway - ==> Says A B {|Agent A, Agent B, Nonce NA|} # evs1 \ otway" + ==> Says A B \Agent A, Agent B, Nonce NA\ # evs1 \ otway" | OR2: \\Bob's response to Alice's message.\ "[| evs2 \ otway; - Gets B {|Agent A, Agent B, Nonce NA|} \set evs2 |] - ==> Says B Server {|Agent A, Agent B, Nonce NA, Nonce NB|} + Gets B \Agent A, Agent B, Nonce NA\ \set evs2 |] + ==> Says B Server \Agent A, Agent B, Nonce NA, Nonce NB\ # evs2 \ otway" | OR3: \\The Server receives Bob's message. Then he sends a new session key to Bob with a packet for forwarding to Alice.\ "[| evs3 \ otway; Key KAB \ used evs3; - Gets Server {|Agent A, Agent B, Nonce NA, Nonce NB|} + Gets Server \Agent A, Agent B, Nonce NA, Nonce NB\ \set evs3 |] ==> Says Server B - {|Crypt (shrK A) {|Nonce NA, Agent A, Agent B, Key KAB|}, - Crypt (shrK B) {|Nonce NB, Agent A, Agent B, Key KAB|}|} + \Crypt (shrK A) \Nonce NA, Agent A, Agent B, Key KAB\, + Crypt (shrK B) \Nonce NB, Agent A, Agent B, Key KAB\\ # evs3 \ otway" | OR4: \\Bob receives the Server's (?) message and compares the Nonces with those in the message he previously sent the Server. Need @{term "B \ Server"} because we allow messages to self.\ "[| evs4 \ otway; B \ Server; - Says B Server {|Agent A, Agent B, Nonce NA, Nonce NB|} \set evs4; - Gets B {|X, Crypt(shrK B){|Nonce NB,Agent A,Agent B,Key K|}|} + Says B Server \Agent A, Agent B, Nonce NA, Nonce NB\ \set evs4; + Gets B \X, Crypt(shrK B)\Nonce NB,Agent A,Agent B,Key K\\ \set evs4 |] ==> Says B A X # evs4 \ otway" @@ -70,10 +70,10 @@ identify the protocol run.\ "[| evso \ otway; Says Server B - {|Crypt (shrK A) {|Nonce NA, Agent A, Agent B, Key K|}, - Crypt (shrK B) {|Nonce NB, Agent A, Agent B, Key K|}|} + \Crypt (shrK A) \Nonce NA, Agent A, Agent B, Key K\, + Crypt (shrK B) \Nonce NB, Agent A, Agent B, Key K\\ \set evso |] - ==> Notes Spy {|Nonce NA, Nonce NB, Key K|} # evso \ otway" + ==> Notes Spy \Nonce NA, Nonce NB, Key K\ # evso \ otway" declare Says_imp_knows_Spy [THEN analz.Inj, dest] @@ -85,7 +85,7 @@ text\A "possibility property": there are traces that reach the end\ lemma "[| B \ Server; Key K \ used [] |] ==> \evs \ otway. - Says B A (Crypt (shrK A) {|Nonce NA, Agent A, Agent B, Key K|}) + Says B A (Crypt (shrK A) \Nonce NA, Agent A, Agent B, Key K\) \ set evs" apply (intro exI bexI) apply (rule_tac [2] otway.Nil @@ -104,7 +104,7 @@ text\For reasoning about the encrypted portion of messages\ lemma OR4_analz_knows_Spy: - "[| Gets B {|X, Crypt(shrK B) X'|} \ set evs; evs \ otway |] + "[| Gets B \X, Crypt(shrK B) X'\ \ set evs; evs \ otway |] ==> X \ analz (knows Spy evs)" by blast @@ -131,8 +131,8 @@ text\Describes the form of K and NA when the Server sends this message.\ lemma Says_Server_message_form: "[| Says Server B - {|Crypt (shrK A) {|NA, Agent A, Agent B, Key K|}, - Crypt (shrK B) {|NB, Agent A, Agent B, Key K|}|} + \Crypt (shrK A) \NA, Agent A, Agent B, Key K\, + Crypt (shrK B) \NB, Agent A, Agent B, Key K\\ \ set evs; evs \ otway |] ==> K \ range shrK & (\i. NA = Nonce i) & (\j. NB = Nonce j)" @@ -175,12 +175,12 @@ text\The Key K uniquely identifies the Server's message.\ lemma unique_session_keys: "[| Says Server B - {|Crypt (shrK A) {|NA, Agent A, Agent B, K|}, - Crypt (shrK B) {|NB, Agent A, Agent B, K|}|} + \Crypt (shrK A) \NA, Agent A, Agent B, K\, + Crypt (shrK B) \NB, Agent A, Agent B, K\\ \ set evs; Says Server B' - {|Crypt (shrK A') {|NA', Agent A', Agent B', K|}, - Crypt (shrK B') {|NB', Agent A', Agent B', K|}|} + \Crypt (shrK A') \NA', Agent A', Agent B', K\, + Crypt (shrK B') \NB', Agent A', Agent B', K\\ \ set evs; evs \ otway |] ==> A=A' & B=B' & NA=NA' & NB=NB'" @@ -194,10 +194,10 @@ text\If the encrypted message appears then it originated with the Server!\ lemma NA_Crypt_imp_Server_msg [rule_format]: "[| A \ bad; A \ B; evs \ otway |] - ==> Crypt (shrK A) {|NA, Agent A, Agent B, Key K|} \ parts (knows Spy evs) + ==> Crypt (shrK A) \NA, Agent A, Agent B, Key K\ \ parts (knows Spy evs) --> (\NB. Says Server B - {|Crypt (shrK A) {|NA, Agent A, Agent B, Key K|}, - Crypt (shrK B) {|NB, Agent A, Agent B, Key K|}|} + \Crypt (shrK A) \NA, Agent A, Agent B, Key K\, + Crypt (shrK B) \NB, Agent A, Agent B, Key K\\ \ set evs)" apply (erule otway.induct, force) apply (simp_all add: ex_disj_distrib) @@ -208,11 +208,11 @@ text\Corollary: if A receives B's OR4 message then it originated with the Server. Freshness may be inferred from nonce NA.\ lemma A_trusts_OR4: - "[| Says B' A (Crypt (shrK A) {|NA, Agent A, Agent B, Key K|}) \ set evs; + "[| Says B' A (Crypt (shrK A) \NA, Agent A, Agent B, Key K\) \ set evs; A \ bad; A \ B; evs \ otway |] ==> \NB. Says Server B - {|Crypt (shrK A) {|NA, Agent A, Agent B, Key K|}, - Crypt (shrK B) {|NB, Agent A, Agent B, Key K|}|} + \Crypt (shrK A) \NA, Agent A, Agent B, Key K\, + Crypt (shrK B) \NB, Agent A, Agent B, Key K\\ \ set evs" by (blast intro!: NA_Crypt_imp_Server_msg) @@ -223,10 +223,10 @@ lemma secrecy_lemma: "[| A \ bad; B \ bad; evs \ otway |] ==> Says Server B - {|Crypt (shrK A) {|NA, Agent A, Agent B, Key K|}, - Crypt (shrK B) {|NB, Agent A, Agent B, Key K|}|} + \Crypt (shrK A) \NA, Agent A, Agent B, Key K\, + Crypt (shrK B) \NB, Agent A, Agent B, Key K\\ \ set evs --> - Notes Spy {|NA, NB, Key K|} \ set evs --> + Notes Spy \NA, NB, Key K\ \ set evs --> Key K \ analz (knows Spy evs)" apply (erule otway.induct, force) apply (frule_tac [7] Says_Server_message_form) @@ -239,10 +239,10 @@ lemma Spy_not_see_encrypted_key: "[| Says Server B - {|Crypt (shrK A) {|NA, Agent A, Agent B, Key K|}, - Crypt (shrK B) {|NB, Agent A, Agent B, Key K|}|} + \Crypt (shrK A) \NA, Agent A, Agent B, Key K\, + Crypt (shrK B) \NB, Agent A, Agent B, Key K\\ \ set evs; - Notes Spy {|NA, NB, Key K|} \ set evs; + Notes Spy \NA, NB, Key K\ \ set evs; A \ bad; B \ bad; evs \ otway |] ==> Key K \ analz (knows Spy evs)" by (metis secrecy_lemma) @@ -251,8 +251,8 @@ text\A's guarantee. The Oops premise quantifies over NB because A cannot know what it is.\ lemma A_gets_good_key: - "[| Says B' A (Crypt (shrK A) {|NA, Agent A, Agent B, Key K|}) \ set evs; - \NB. Notes Spy {|NA, NB, Key K|} \ set evs; + "[| Says B' A (Crypt (shrK A) \NA, Agent A, Agent B, Key K\) \ set evs; + \NB. Notes Spy \NA, NB, Key K\ \ set evs; A \ bad; B \ bad; A \ B; evs \ otway |] ==> Key K \ analz (knows Spy evs)" by (metis A_trusts_OR4 secrecy_lemma) @@ -264,10 +264,10 @@ text\If the encrypted message appears then it originated with the Server!\ lemma NB_Crypt_imp_Server_msg [rule_format]: "[| B \ bad; A \ B; evs \ otway |] - ==> Crypt (shrK B) {|NB, Agent A, Agent B, Key K|} \ parts (knows Spy evs) + ==> Crypt (shrK B) \NB, Agent A, Agent B, Key K\ \ parts (knows Spy evs) --> (\NA. Says Server B - {|Crypt (shrK A) {|NA, Agent A, Agent B, Key K|}, - Crypt (shrK B) {|NB, Agent A, Agent B, Key K|}|} + \Crypt (shrK A) \NA, Agent A, Agent B, Key K\, + Crypt (shrK B) \NB, Agent A, Agent B, Key K\\ \ set evs)" apply (erule otway.induct, force, simp_all add: ex_disj_distrib) apply blast+ \\Fake, OR3\ @@ -278,12 +278,12 @@ text\Guarantee for B: if it gets a well-formed certificate then the Server has sent the correct message in round 3.\ lemma B_trusts_OR3: - "[| Says S B {|X, Crypt (shrK B) {|NB, Agent A, Agent B, Key K|}|} + "[| Says S B \X, Crypt (shrK B) \NB, Agent A, Agent B, Key K\\ \ set evs; B \ bad; A \ B; evs \ otway |] ==> \NA. Says Server B - {|Crypt (shrK A) {|NA, Agent A, Agent B, Key K|}, - Crypt (shrK B) {|NB, Agent A, Agent B, Key K|}|} + \Crypt (shrK A) \NA, Agent A, Agent B, Key K\, + Crypt (shrK B) \NB, Agent A, Agent B, Key K\\ \ set evs" by (blast intro!: NB_Crypt_imp_Server_msg) @@ -291,9 +291,9 @@ text\The obvious combination of \B_trusts_OR3\ with \Spy_not_see_encrypted_key\\ lemma B_gets_good_key: - "[| Gets B {|X, Crypt (shrK B) {|NB, Agent A, Agent B, Key K|}|} + "[| Gets B \X, Crypt (shrK B) \NB, Agent A, Agent B, Key K\\ \ set evs; - \NA. Notes Spy {|NA, NB, Key K|} \ set evs; + \NA. Notes Spy \NA, NB, Key K\ \ set evs; A \ bad; B \ bad; A \ B; evs \ otway |] ==> Key K \ analz (knows Spy evs)" by (blast dest: B_trusts_OR3 Spy_not_see_encrypted_key) diff -r e96292f32c3c -r 38b73f7940af src/HOL/Auth/OtwayRees_Bad.thy --- a/src/HOL/Auth/OtwayRees_Bad.thy Mon Dec 28 21:47:32 2015 +0100 +++ b/src/HOL/Auth/OtwayRees_Bad.thy Mon Dec 28 23:13:33 2015 +0100 @@ -36,17 +36,17 @@ | OR1: \\Alice initiates a protocol run\ "[| evs1 \ otway; Nonce NA \ used evs1 |] - ==> Says A B {|Nonce NA, Agent A, Agent B, - Crypt (shrK A) {|Nonce NA, Agent A, Agent B|} |} + ==> Says A B \Nonce NA, Agent A, Agent B, + Crypt (shrK A) \Nonce NA, Agent A, Agent B\\ # evs1 \ otway" | OR2: \\Bob's response to Alice's message. This variant of the protocol does NOT encrypt NB.\ "[| evs2 \ otway; Nonce NB \ used evs2; - Gets B {|Nonce NA, Agent A, Agent B, X|} \ set evs2 |] + Gets B \Nonce NA, Agent A, Agent B, X\ \ set evs2 |] ==> Says B Server - {|Nonce NA, Agent A, Agent B, X, Nonce NB, - Crypt (shrK B) {|Nonce NA, Agent A, Agent B|}|} + \Nonce NA, Agent A, Agent B, X, Nonce NB, + Crypt (shrK B) \Nonce NA, Agent A, Agent B\\ # evs2 \ otway" | OR3: \\The Server receives Bob's message and checks that the three NAs @@ -54,34 +54,34 @@ forwarding to Alice.\ "[| evs3 \ otway; Key KAB \ used evs3; Gets Server - {|Nonce NA, Agent A, Agent B, - Crypt (shrK A) {|Nonce NA, Agent A, Agent B|}, + \Nonce NA, Agent A, Agent B, + Crypt (shrK A) \Nonce NA, Agent A, Agent B\, Nonce NB, - Crypt (shrK B) {|Nonce NA, Agent A, Agent B|}|} + Crypt (shrK B) \Nonce NA, Agent A, Agent B\\ \ set evs3 |] ==> Says Server B - {|Nonce NA, - Crypt (shrK A) {|Nonce NA, Key KAB|}, - Crypt (shrK B) {|Nonce NB, Key KAB|}|} + \Nonce NA, + Crypt (shrK A) \Nonce NA, Key KAB\, + Crypt (shrK B) \Nonce NB, Key KAB\\ # evs3 \ otway" | OR4: \\Bob receives the Server's (?) message and compares the Nonces with those in the message he previously sent the Server. Need @{term "B \ Server"} because we allow messages to self.\ "[| evs4 \ otway; B \ Server; - Says B Server {|Nonce NA, Agent A, Agent B, X', Nonce NB, - Crypt (shrK B) {|Nonce NA, Agent A, Agent B|}|} + Says B Server \Nonce NA, Agent A, Agent B, X', Nonce NB, + Crypt (shrK B) \Nonce NA, Agent A, Agent B\\ \ set evs4; - Gets B {|Nonce NA, X, Crypt (shrK B) {|Nonce NB, Key K|}|} + Gets B \Nonce NA, X, Crypt (shrK B) \Nonce NB, Key K\\ \ set evs4 |] - ==> Says B A {|Nonce NA, X|} # evs4 \ otway" + ==> Says B A \Nonce NA, X\ # evs4 \ otway" | Oops: \\This message models possible leaks of session keys. The nonces identify the protocol run.\ "[| evso \ otway; - Says Server B {|Nonce NA, X, Crypt (shrK B) {|Nonce NB, Key K|}|} + Says Server B \Nonce NA, X, Crypt (shrK B) \Nonce NB, Key K\\ \ set evso |] - ==> Notes Spy {|Nonce NA, Nonce NB, Key K|} # evso \ otway" + ==> Notes Spy \Nonce NA, Nonce NB, Key K\ # evso \ otway" declare Says_imp_knows_Spy [THEN analz.Inj, dest] @@ -92,7 +92,7 @@ text\A "possibility property": there are traces that reach the end\ lemma "[| B \ Server; Key K \ used [] |] ==> \NA. \evs \ otway. - Says B A {|Nonce NA, Crypt (shrK A) {|Nonce NA, Key K|}|} + Says B A \Nonce NA, Crypt (shrK A) \Nonce NA, Key K\\ \ set evs" apply (intro exI bexI) apply (rule_tac [2] otway.Nil @@ -112,17 +112,17 @@ subsection\For reasoning about the encrypted portion of messages\ lemma OR2_analz_knows_Spy: - "[| Gets B {|N, Agent A, Agent B, X|} \ set evs; evs \ otway |] + "[| Gets B \N, Agent A, Agent B, X\ \ set evs; evs \ otway |] ==> X \ analz (knows Spy evs)" by blast lemma OR4_analz_knows_Spy: - "[| Gets B {|N, X, Crypt (shrK B) X'|} \ set evs; evs \ otway |] + "[| Gets B \N, X, Crypt (shrK B) X'\ \ set evs; evs \ otway |] ==> X \ analz (knows Spy evs)" by blast lemma Oops_parts_knows_Spy: - "Says Server B {|NA, X, Crypt K' {|NB,K|}|} \ set evs + "Says Server B \NA, X, Crypt K' \NB,K\\ \ set evs ==> K \ parts (knows Spy evs)" by blast @@ -155,7 +155,7 @@ text\Describes the form of K and NA when the Server sends this message. Also for Oops case.\ lemma Says_Server_message_form: - "[| Says Server B {|NA, X, Crypt (shrK B) {|NB, Key K|}|} \ set evs; + "[| Says Server B \NA, X, Crypt (shrK B) \NB, Key K\\ \ set evs; evs \ otway |] ==> K \ range shrK & (\i. NA = Nonce i) & (\j. NB = Nonce j)" apply (erule rev_mp) @@ -196,8 +196,8 @@ text\The Key K uniquely identifies the Server's message.\ lemma unique_session_keys: - "[| Says Server B {|NA, X, Crypt (shrK B) {|NB, K|}|} \ set evs; - Says Server B' {|NA',X',Crypt (shrK B') {|NB',K|}|} \ set evs; + "[| Says Server B \NA, X, Crypt (shrK B) \NB, K\\ \ set evs; + Says Server B' \NA',X',Crypt (shrK B') \NB',K\\ \ set evs; evs \ otway |] ==> X=X' & B=B' & NA=NA' & NB=NB'" apply (erule rev_mp) apply (erule rev_mp) @@ -212,9 +212,9 @@ lemma secrecy_lemma: "[| A \ bad; B \ bad; evs \ otway |] ==> Says Server B - {|NA, Crypt (shrK A) {|NA, Key K|}, - Crypt (shrK B) {|NB, Key K|}|} \ set evs --> - Notes Spy {|NA, NB, Key K|} \ set evs --> + \NA, Crypt (shrK A) \NA, Key K\, + Crypt (shrK B) \NB, Key K\\ \ set evs --> + Notes Spy \NA, NB, Key K\ \ set evs --> Key K \ analz (knows Spy evs)" apply (erule otway.induct, force) apply (frule_tac [7] Says_Server_message_form) @@ -228,9 +228,9 @@ lemma Spy_not_see_encrypted_key: "[| Says Server B - {|NA, Crypt (shrK A) {|NA, Key K|}, - Crypt (shrK B) {|NB, Key K|}|} \ set evs; - Notes Spy {|NA, NB, Key K|} \ set evs; + \NA, Crypt (shrK A) \NA, Key K\, + Crypt (shrK B) \NB, Key K\\ \ set evs; + Notes Spy \NA, NB, Key K\ \ set evs; A \ bad; B \ bad; evs \ otway |] ==> Key K \ analz (knows Spy evs)" by (blast dest: Says_Server_message_form secrecy_lemma) @@ -243,9 +243,9 @@ up. Original Otway-Rees doesn't need it.\ lemma Crypt_imp_OR1 [rule_format]: "[| A \ bad; A \ B; evs \ otway |] - ==> Crypt (shrK A) {|NA, Agent A, Agent B|} \ parts (knows Spy evs) --> - Says A B {|NA, Agent A, Agent B, - Crypt (shrK A) {|NA, Agent A, Agent B|}|} \ set evs" + ==> Crypt (shrK A) \NA, Agent A, Agent B\ \ parts (knows Spy evs) --> + Says A B \NA, Agent A, Agent B, + Crypt (shrK A) \NA, Agent A, Agent B\\ \ set evs" by (erule otway.induct, force, drule_tac [4] OR2_parts_knows_Spy, simp_all, blast+) @@ -256,14 +256,14 @@ text\Only it is FALSE. Somebody could make a fake message to Server substituting some other nonce NA' for NB.\ lemma "[| A \ bad; A \ B; evs \ otway |] - ==> Crypt (shrK A) {|NA, Key K|} \ parts (knows Spy evs) --> - Says A B {|NA, Agent A, Agent B, - Crypt (shrK A) {|NA, Agent A, Agent B|}|} + ==> Crypt (shrK A) \NA, Key K\ \ parts (knows Spy evs) --> + Says A B \NA, Agent A, Agent B, + Crypt (shrK A) \NA, Agent A, Agent B\\ \ set evs --> (\B NB. Says Server B - {|NA, - Crypt (shrK A) {|NA, Key K|}, - Crypt (shrK B) {|NB, Key K|}|} \ set evs)" + \NA, + Crypt (shrK A) \NA, Key K\, + Crypt (shrK B) \NB, Key K\\ \ set evs)" apply (erule otway.induct, force, drule_tac [4] OR2_parts_knows_Spy, simp_all) apply blast \\Fake\ @@ -276,13 +276,13 @@ (*The hypotheses at this point suggest an attack in which nonce NB is used in two different roles: Gets Server - {|Nonce NA, Agent Aa, Agent A, - Crypt (shrK Aa) {|Nonce NA, Agent Aa, Agent A|}, Nonce NB, - Crypt (shrK A) {|Nonce NA, Agent Aa, Agent A|}|} + \Nonce NA, Agent Aa, Agent A, + Crypt (shrK Aa) \Nonce NA, Agent Aa, Agent A\, Nonce NB, + Crypt (shrK A) \Nonce NA, Agent Aa, Agent A\\ \ set evs3 Says A B - {|Nonce NB, Agent A, Agent B, - Crypt (shrK A) {|Nonce NB, Agent A, Agent B|}|} + \Nonce NB, Agent A, Agent B, + Crypt (shrK A) \Nonce NB, Agent A, Agent B\\ \ set evs3; *) diff -r e96292f32c3c -r 38b73f7940af src/HOL/Auth/Public.thy --- a/src/HOL/Auth/Public.thy Mon Dec 28 21:47:32 2015 +0100 +++ b/src/HOL/Auth/Public.thy Mon Dec 28 23:13:33 2015 +0100 @@ -239,13 +239,13 @@ apply (auto dest!: parts_cut simp add: used_Nil) done -lemma MPair_used_D: "{|X,Y|} \ used H ==> X \ used H & Y \ used H" +lemma MPair_used_D: "\X,Y\ \ used H ==> X \ used H & Y \ used H" by (drule used_parts_subset_parts, simp, blast) text\There was a similar theorem in Event.thy, so perhaps this one can be moved up if proved directly by induction.\ lemma MPair_used [elim!]: - "[| {|X,Y|} \ used H; + "[| \X,Y\ \ used H; [| X \ used H; Y \ used H |] ==> P |] ==> P" by (blast dest: MPair_used_D) diff -r e96292f32c3c -r 38b73f7940af src/HOL/Auth/Recur.thy --- a/src/HOL/Auth/Recur.thy Mon Dec 28 21:47:32 2015 +0100 +++ b/src/HOL/Auth/Recur.thy Mon Dec 28 23:13:33 2015 +0100 @@ -21,18 +21,18 @@ for evs :: "event list" where One: "Key KAB \ used evs - ==> (Hash[Key(shrK A)] {|Agent A, Agent B, Nonce NA, END|}, - {|Crypt (shrK A) {|Key KAB, Agent B, Nonce NA|}, END|}, + ==> (Hash[Key(shrK A)] \Agent A, Agent B, Nonce NA, END\, + \Crypt (shrK A) \Key KAB, Agent B, Nonce NA\, END\, KAB) \ respond evs" (*The most recent session key is passed up to the caller*) | Cons: "[| (PA, RA, KAB) \ respond evs; Key KBC \ used evs; Key KBC \ parts {RA}; - PA = Hash[Key(shrK A)] {|Agent A, Agent B, Nonce NA, P|} |] - ==> (Hash[Key(shrK B)] {|Agent B, Agent C, Nonce NB, PA|}, - {|Crypt (shrK B) {|Key KBC, Agent C, Nonce NB|}, - Crypt (shrK B) {|Key KAB, Agent A, Nonce NB|}, - RA|}, + PA = Hash[Key(shrK A)] \Agent A, Agent B, Nonce NA, P\ |] + ==> (Hash[Key(shrK B)] \Agent B, Agent C, Nonce NB, PA\, + \Crypt (shrK B) \Key KBC, Agent C, Nonce NB\, + Crypt (shrK B) \Key KAB, Agent A, Nonce NB\, + RA\, KBC) \ respond evs" @@ -48,8 +48,8 @@ Nil: "END \ responses evs" | Cons: "[| RA \ responses evs; Key KAB \ used evs |] - ==> {|Crypt (shrK B) {|Key KAB, Agent A, Nonce NB|}, - RA|} \ responses evs" + ==> \Crypt (shrK B) \Key KAB, Agent A, Nonce NB\, + RA\ \ responses evs" inductive_set recur :: "event list set" @@ -65,15 +65,15 @@ (*Alice initiates a protocol run. END is a placeholder to terminate the nesting.*) | RA1: "[| evs1 \ recur; Nonce NA \ used evs1 |] - ==> Says A B (Hash[Key(shrK A)] {|Agent A, Agent B, Nonce NA, END|}) + ==> Says A B (Hash[Key(shrK A)] \Agent A, Agent B, Nonce NA, END\) # evs1 \ recur" (*Bob's response to Alice's message. C might be the Server. - We omit PA = {|XA, Agent A, Agent B, Nonce NA, P|} because + We omit PA = \XA, Agent A, Agent B, Nonce NA, P\ because it complicates proofs, so B may respond to any message at all!*) | RA2: "[| evs2 \ recur; Nonce NB \ used evs2; Says A' B PA \ set evs2 |] - ==> Says B C (Hash[Key(shrK B)] {|Agent B, Agent C, Nonce NB, PA|}) + ==> Says B C (Hash[Key(shrK B)] \Agent B, Agent C, Nonce NB, PA\) # evs2 \ recur" (*The Server receives Bob's message and prepares a response.*) @@ -84,11 +84,11 @@ (*Bob receives the returned message and compares the Nonces with those in the message he previously sent the Server.*) | RA4: "[| evs4 \ recur; - Says B C {|XH, Agent B, Agent C, Nonce NB, - XA, Agent A, Agent B, Nonce NA, P|} \ set evs4; - Says C' B {|Crypt (shrK B) {|Key KBC, Agent C, Nonce NB|}, - Crypt (shrK B) {|Key KAB, Agent A, Nonce NB|}, - RA|} \ set evs4 |] + Says B C \XH, Agent B, Agent C, Nonce NB, + XA, Agent A, Agent B, Nonce NA, P\ \ set evs4; + Says C' B \Crypt (shrK B) \Key KBC, Agent C, Nonce NB\, + Crypt (shrK B) \Key KAB, Agent A, Nonce NB\, + RA\ \ set evs4 |] ==> Says B A RA # evs4 \ recur" (*No "oops" message can easily be expressed. Each session key is @@ -101,7 +101,7 @@ Oops: "[| evso \ recur; Says Server B RB \ set evso; RB \ responses evs'; Key K \ parts {RB} |] - ==> Notes Spy {|Key K, RB|} # evso \ recur" + ==> Notes Spy \Key K, RB\ # evso \ recur" *) @@ -120,8 +120,8 @@ text\Simplest case: Alice goes directly to the server\ lemma "Key K \ used [] ==> \NA. \evs \ recur. - Says Server A {|Crypt (shrK A) {|Key K, Agent Server, Nonce NA|}, - END|} \ set evs" + Says Server A \Crypt (shrK A) \Key K, Agent Server, Nonce NA\, + END\ \ set evs" apply (intro exI bexI) apply (rule_tac [2] recur.Nil [THEN recur.RA1, THEN recur.RA3 [OF _ _ respond.One]]) @@ -133,8 +133,8 @@ lemma "[| Key K \ used []; Key K' \ used []; K \ K'; Nonce NA \ used []; Nonce NB \ used []; NA < NB |] ==> \NA. \evs \ recur. - Says B A {|Crypt (shrK A) {|Key K, Agent B, Nonce NA|}, - END|} \ set evs" + Says B A \Crypt (shrK A) \Key K, Agent B, Nonce NA\, + END\ \ set evs" apply (intro exI bexI) apply (rule_tac [2] recur.Nil @@ -152,8 +152,8 @@ Nonce NA \ used []; Nonce NB \ used []; Nonce NC \ used []; NA < NB; NB < NC |] ==> \K. \NA. \evs \ recur. - Says B A {|Crypt (shrK A) {|Key K, Agent B, Nonce NA|}, - END|} \ set evs" + Says B A \Crypt (shrK A) \Key K, Agent B, Nonce NA\, + END\ \ set evs" apply (intro exI bexI) apply (rule_tac [2] recur.Nil [THEN recur.RA1, @@ -189,7 +189,7 @@ lemmas RA2_analz_spies = Says_imp_spies [THEN analz.Inj] lemma RA4_analz_spies: - "Says C' B {|Crypt K X, X', RA|} \ set evs ==> RA \ analz (spies evs)" + "Says C' B \Crypt K X, X', RA\ \ set evs ==> RA \ analz (spies evs)" by blast @@ -278,7 +278,7 @@ text\Everything that's hashed is already in past traffic.\ lemma Hash_imp_body: - "[| Hash {|Key(shrK A), X|} \ parts (spies evs); + "[| Hash \Key(shrK A), X\ \ parts (spies evs); evs \ recur; A \ bad |] ==> X \ parts (spies evs)" apply (erule rev_mp) apply (erule recur.induct, @@ -299,8 +299,8 @@ **) lemma unique_NA: - "[| Hash {|Key(shrK A), Agent A, B, NA, P|} \ parts (spies evs); - Hash {|Key(shrK A), Agent A, B',NA, P'|} \ parts (spies evs); + "[| Hash \Key(shrK A), Agent A, B, NA, P\ \ parts (spies evs); + Hash \Key(shrK A), Agent A, B',NA, P'\ \ parts (spies evs); evs \ recur; A \ bad |] ==> B=B' & P=P'" apply (erule rev_mp, erule rev_mp) @@ -348,8 +348,8 @@ text\The last key returned by respond indeed appears in a certificate\ lemma respond_certificate: - "(Hash[Key(shrK A)] {|Agent A, B, NA, P|}, RA, K) \ respond evs - ==> Crypt (shrK A) {|Key K, B, NA|} \ parts {RA}" + "(Hash[Key(shrK A)] \Agent A, B, NA, P\, RA, K) \ respond evs + ==> Crypt (shrK A) \Key K, B, NA\ \ parts {RA}" apply (ind_cases "(Hash[Key (shrK A)] \Agent A, B, NA, P\, RA, K) \ respond evs") apply simp_all done @@ -361,8 +361,8 @@ the quantifiers appear to be necessary.*) lemma unique_lemma [rule_format]: "(PB,RB,KXY) \ respond evs ==> - \A B N. Crypt (shrK A) {|Key K, Agent B, N|} \ parts {RB} --> - (\A' B' N'. Crypt (shrK A') {|Key K, Agent B', N'|} \ parts {RB} --> + \A B N. Crypt (shrK A) \Key K, Agent B, N\ \ parts {RB} --> + (\A' B' N'. Crypt (shrK A') \Key K, Agent B', N'\ \ parts {RB} --> (A'=A & B'=B) | (A'=B & B'=A))" apply (erule respond.induct) apply (simp_all add: all_conj_distrib) @@ -370,8 +370,8 @@ done lemma unique_session_keys: - "[| Crypt (shrK A) {|Key K, Agent B, N|} \ parts {RB}; - Crypt (shrK A') {|Key K, Agent B', N'|} \ parts {RB}; + "[| Crypt (shrK A) \Key K, Agent B, N\ \ parts {RB}; + Crypt (shrK A') \Key K, Agent B', N'\ \ parts {RB}; (PB,RB,KXY) \ respond evs |] ==> (A'=A & B'=B) | (A'=B & B'=A)" by (rule unique_lemma, auto) @@ -384,7 +384,7 @@ lemma respond_Spy_not_see_session_key [rule_format]: "[| (PB,RB,KAB) \ respond evs; evs \ recur |] ==> \A A' N. A \ bad & A' \ bad --> - Crypt (shrK A) {|Key K, Agent A', N|} \ parts{RB} --> + Crypt (shrK A) \Key K, Agent A', N\ \ parts{RB} --> Key K \ analz (insert RB (spies evs))" apply (erule respond.induct) apply (frule_tac [2] respond_imp_responses) @@ -405,7 +405,7 @@ lemma Spy_not_see_session_key: - "[| Crypt (shrK A) {|Key K, Agent A', N|} \ parts (spies evs); + "[| Crypt (shrK A) \Key K, Agent A', N\ \ parts (spies evs); A \ bad; A' \ bad; evs \ recur |] ==> Key K \ analz (spies evs)" apply (erule rev_mp) @@ -430,9 +430,9 @@ text\The response never contains Hashes\ lemma Hash_in_parts_respond: - "[| Hash {|Key (shrK B), M|} \ parts (insert RB H); + "[| Hash \Key (shrK B), M\ \ parts (insert RB H); (PB,RB,K) \ respond evs |] - ==> Hash {|Key (shrK B), M|} \ parts H" + ==> Hash \Key (shrK B), M\ \ parts H" apply (erule rev_mp) apply (erule respond_imp_responses [THEN responses.induct], auto) done @@ -442,9 +442,9 @@ it can say nothing about how recent A's message is. It might later be used to prove B's presence to A at the run's conclusion.\ lemma Hash_auth_sender [rule_format]: - "[| Hash {|Key(shrK A), Agent A, Agent B, NA, P|} \ parts(spies evs); + "[| Hash \Key(shrK A), Agent A, Agent B, NA, P\ \ parts(spies evs); A \ bad; evs \ recur |] - ==> Says A B (Hash[Key(shrK A)] {|Agent A, Agent B, NA, P|}) \ set evs" + ==> Says A B (Hash[Key(shrK A)] \Agent A, Agent B, NA, P\) \ set evs" apply (unfold HPair_def) apply (erule rev_mp) apply (erule recur.induct, diff -r e96292f32c3c -r 38b73f7940af src/HOL/Auth/TLS.thy --- a/src/HOL/Auth/TLS.thy Mon Dec 28 21:47:32 2015 +0100 +++ b/src/HOL/Auth/TLS.thy Mon Dec 28 23:13:33 2015 +0100 @@ -20,7 +20,7 @@ The model assumes that no fraudulent certificates are present, but it does assume that some private keys are to the spy. -REMARK. The event "Notes A {|Agent B, Nonce PMS|}" appears in ClientKeyExch, +REMARK. The event "Notes A \Agent B, Nonce PMS\" appears in ClientKeyExch, CertVerify, ClientFinished to record that A knows M. It is a note from A to herself. Nobody else can see it. In ClientKeyExch, the Spy can substitute his own certificate for A's, but he cannot replace A's note by one for himself. @@ -35,7 +35,7 @@ Proofs would be simpler if ClientKeyExch included A's name within Crypt KB (Nonce PMS). As things stand, there is much overlap between proofs about that message (which B receives) and the stronger event -Notes A {|Agent B, Nonce PMS|}. +Notes A \Agent B, Nonce PMS\. *) section\The TLS Protocol: Transport Layer Security\ @@ -43,7 +43,7 @@ theory TLS imports Public "~~/src/HOL/Library/Nat_Bijection" begin definition certificate :: "[agent,key] => msg" where - "certificate A KA == Crypt (priSK Server) {|Agent A, Key KA|}" + "certificate A KA == Crypt (priSK Server) \Agent A, Key KA\" text\TLS apparently does not require separate keypairs for encryption and signature. Therefore, we formalize signature as encryption using the @@ -109,8 +109,8 @@ to available nonces\ "[| evsSK \ tls; {Nonce NA, Nonce NB, Nonce M} <= analz (spies evsSK) |] - ==> Notes Spy {| Nonce (PRF(M,NA,NB)), - Key (sessionK((NA,NB,M),role)) |} # evsSK \ tls" + ==> Notes Spy \ Nonce (PRF(M,NA,NB)), + Key (sessionK((NA,NB,M),role))\ # evsSK \ tls" | ClientHello: \\(7.4.1.2) @@ -121,7 +121,7 @@ May assume @{term "NA \ range PRF"} because CLIENT RANDOM is 28 bytes while MASTER SECRET is 48 bytes\ "[| evsCH \ tls; Nonce NA \ used evsCH; NA \ range PRF |] - ==> Says A B {|Agent A, Nonce NA, Number SID, Number PA|} + ==> Says A B \Agent A, Nonce NA, Number SID, Number PA\ # evsCH \ tls" | ServerHello: @@ -130,9 +130,9 @@ SERVER CERTIFICATE (7.4.2) is always present. \CERTIFICATE_REQUEST\ (7.4.4) is implied.\ "[| evsSH \ tls; Nonce NB \ used evsSH; NB \ range PRF; - Says A' B {|Agent A, Nonce NA, Number SID, Number PA|} + Says A' B \Agent A, Nonce NA, Number SID, Number PA\ \ set evsSH |] - ==> Says B A {|Nonce NB, Number SID, Number PB|} # evsSH \ tls" + ==> Says B A \Nonce NB, Number SID, Number PB\ # evsSH \ tls" | Certificate: \\SERVER (7.4.2) or CLIENT (7.4.6) CERTIFICATE.\ @@ -150,7 +150,7 @@ "[| evsCX \ tls; Nonce PMS \ used evsCX; PMS \ range PRF; Says B' A (certificate B KB) \ set evsCX |] ==> Says A B (Crypt KB (Nonce PMS)) - # Notes A {|Agent B, Nonce PMS|} + # Notes A \Agent B, Nonce PMS\ # evsCX \ tls" | CertVerify: @@ -160,9 +160,9 @@ Checking the signature, which is the only use of A's certificate, assures B of A's presence\ "[| evsCV \ tls; - Says B' A {|Nonce NB, Number SID, Number PB|} \ set evsCV; - Notes A {|Agent B, Nonce PMS|} \ set evsCV |] - ==> Says A B (Crypt (priK A) (Hash{|Nonce NB, Agent B, Nonce PMS|})) + Says B' A \Nonce NB, Number SID, Number PB\ \ set evsCV; + Notes A \Agent B, Nonce PMS\ \ set evsCV |] + ==> Says A B (Crypt (priK A) (Hash\Nonce NB, Agent B, Nonce PMS\)) # evsCV \ tls" \\Finally come the FINISHED messages (7.4.8), confirming PA and PB @@ -170,37 +170,37 @@ Either party may send its message first.\ | ClientFinished: - \\The occurrence of Notes A {|Agent B, Nonce PMS|} stops the + \\The occurrence of Notes A \Agent B, Nonce PMS\ stops the rule's applying when the Spy has satisfied the "Says A B" by repaying messages sent by the true client; in that case, the Spy does not know PMS and could not send ClientFinished. One could simply put @{term "A\Spy"} into the rule, but one should not expect the spy to be well-behaved.\ "[| evsCF \ tls; - Says A B {|Agent A, Nonce NA, Number SID, Number PA|} + Says A B \Agent A, Nonce NA, Number SID, Number PA\ \ set evsCF; - Says B' A {|Nonce NB, Number SID, Number PB|} \ set evsCF; - Notes A {|Agent B, Nonce PMS|} \ set evsCF; + Says B' A \Nonce NB, Number SID, Number PB\ \ set evsCF; + Notes A \Agent B, Nonce PMS\ \ set evsCF; M = PRF(PMS,NA,NB) |] ==> Says A B (Crypt (clientK(NA,NB,M)) - (Hash{|Number SID, Nonce M, + (Hash\Number SID, Nonce M, Nonce NA, Number PA, Agent A, - Nonce NB, Number PB, Agent B|})) + Nonce NB, Number PB, Agent B\)) # evsCF \ tls" | ServerFinished: \\Keeping A' and A'' distinct means B cannot even check that the two messages originate from the same source.\ "[| evsSF \ tls; - Says A' B {|Agent A, Nonce NA, Number SID, Number PA|} + Says A' B \Agent A, Nonce NA, Number SID, Number PA\ \ set evsSF; - Says B A {|Nonce NB, Number SID, Number PB|} \ set evsSF; + Says B A \Nonce NB, Number SID, Number PB\ \ set evsSF; Says A'' B (Crypt (pubK B) (Nonce PMS)) \ set evsSF; M = PRF(PMS,NA,NB) |] ==> Says B A (Crypt (serverK(NA,NB,M)) - (Hash{|Number SID, Nonce M, + (Hash\Number SID, Nonce M, Nonce NA, Number PA, Agent A, - Nonce NB, Number PB, Agent B|})) + Nonce NB, Number PB, Agent B\)) # evsSF \ tls" | ClientAccepts: @@ -209,15 +209,15 @@ needed to resume this session. The "Notes A ..." premise is used to prove \Notes_master_imp_Crypt_PMS\.\ "[| evsCA \ tls; - Notes A {|Agent B, Nonce PMS|} \ set evsCA; + Notes A \Agent B, Nonce PMS\ \ set evsCA; M = PRF(PMS,NA,NB); - X = Hash{|Number SID, Nonce M, + X = Hash\Number SID, Nonce M, Nonce NA, Number PA, Agent A, - Nonce NB, Number PB, Agent B|}; + Nonce NB, Number PB, Agent B\; Says A B (Crypt (clientK(NA,NB,M)) X) \ set evsCA; Says B' A (Crypt (serverK(NA,NB,M)) X) \ set evsCA |] ==> - Notes A {|Number SID, Agent A, Agent B, Nonce M|} # evsCA \ tls" + Notes A \Number SID, Agent A, Agent B, Nonce M\ # evsCA \ tls" | ServerAccepts: \\Having transmitted ServerFinished and received an identical @@ -228,38 +228,38 @@ A \ B; Says A'' B (Crypt (pubK B) (Nonce PMS)) \ set evsSA; M = PRF(PMS,NA,NB); - X = Hash{|Number SID, Nonce M, + X = Hash\Number SID, Nonce M, Nonce NA, Number PA, Agent A, - Nonce NB, Number PB, Agent B|}; + Nonce NB, Number PB, Agent B\; Says B A (Crypt (serverK(NA,NB,M)) X) \ set evsSA; Says A' B (Crypt (clientK(NA,NB,M)) X) \ set evsSA |] ==> - Notes B {|Number SID, Agent A, Agent B, Nonce M|} # evsSA \ tls" + Notes B \Number SID, Agent A, Agent B, Nonce M\ # evsSA \ tls" | ClientResume: \\If A recalls the \SESSION_ID\, then she sends a FINISHED message using the new nonces and stored MASTER SECRET.\ "[| evsCR \ tls; - Says A B {|Agent A, Nonce NA, Number SID, Number PA|}: set evsCR; - Says B' A {|Nonce NB, Number SID, Number PB|} \ set evsCR; - Notes A {|Number SID, Agent A, Agent B, Nonce M|} \ set evsCR |] + Says A B \Agent A, Nonce NA, Number SID, Number PA\: set evsCR; + Says B' A \Nonce NB, Number SID, Number PB\ \ set evsCR; + Notes A \Number SID, Agent A, Agent B, Nonce M\ \ set evsCR |] ==> Says A B (Crypt (clientK(NA,NB,M)) - (Hash{|Number SID, Nonce M, + (Hash\Number SID, Nonce M, Nonce NA, Number PA, Agent A, - Nonce NB, Number PB, Agent B|})) + Nonce NB, Number PB, Agent B\)) # evsCR \ tls" | ServerResume: \\Resumption (7.3): If B finds the \SESSION_ID\ then he can send a FINISHED message using the recovered MASTER SECRET\ "[| evsSR \ tls; - Says A' B {|Agent A, Nonce NA, Number SID, Number PA|}: set evsSR; - Says B A {|Nonce NB, Number SID, Number PB|} \ set evsSR; - Notes B {|Number SID, Agent A, Agent B, Nonce M|} \ set evsSR |] + Says A' B \Agent A, Nonce NA, Number SID, Number PA\: set evsSR; + Says B A \Nonce NB, Number SID, Number PB\ \ set evsSR; + Notes B \Number SID, Agent A, Agent B, Nonce M\ \ set evsSR |] ==> Says B A (Crypt (serverK(NA,NB,M)) - (Hash{|Number SID, Nonce M, + (Hash\Number SID, Nonce M, Nonce NA, Number PA, Agent A, - Nonce NB, Number PB, Agent B|})) # evsSR + Nonce NB, Number PB, Agent B\)) # evsSR \ tls" | Oops: @@ -333,7 +333,7 @@ text\Possibility property ending with ClientAccepts.\ lemma "[| \evs. (@ N. Nonce N \ used evs) \ range PRF; A \ B |] ==> \SID M. \evs \ tls. - Notes A {|Number SID, Agent A, Agent B, Nonce M|} \ set evs" + Notes A \Number SID, Agent A, Agent B, Nonce M\ \ set evs" apply (intro exI bexI) apply (rule_tac [2] tls.Nil [THEN tls.ClientHello, THEN tls.ServerHello, @@ -346,7 +346,7 @@ text\And one for ServerAccepts. Either FINISHED message may come first.\ lemma "[| \evs. (@ N. Nonce N \ used evs) \ range PRF; A \ B |] ==> \SID NA PA NB PB M. \evs \ tls. - Notes B {|Number SID, Agent A, Agent B, Nonce M|} \ set evs" + Notes B \Number SID, Agent A, Agent B, Nonce M\ \ set evs" apply (intro exI bexI) apply (rule_tac [2] tls.Nil [THEN tls.ClientHello, THEN tls.ServerHello, @@ -359,7 +359,7 @@ text\Another one, for CertVerify (which is optional)\ lemma "[| \evs. (@ N. Nonce N \ used evs) \ range PRF; A \ B |] ==> \NB PMS. \evs \ tls. - Says A B (Crypt (priK A) (Hash{|Nonce NB, Agent B, Nonce PMS|})) + Says A B (Crypt (priK A) (Hash\Nonce NB, Agent B, Nonce PMS\)) \ set evs" apply (intro exI bexI) apply (rule_tac [2] tls.Nil @@ -372,14 +372,14 @@ text\Another one, for session resumption (both ServerResume and ClientResume). NO tls.Nil here: we refer to a previous session, not the empty trace.\ lemma "[| evs0 \ tls; - Notes A {|Number SID, Agent A, Agent B, Nonce M|} \ set evs0; - Notes B {|Number SID, Agent A, Agent B, Nonce M|} \ set evs0; + Notes A \Number SID, Agent A, Agent B, Nonce M\ \ set evs0; + Notes B \Number SID, Agent A, Agent B, Nonce M\ \ set evs0; \evs. (@ N. Nonce N \ used evs) \ range PRF; A \ B |] ==> \NA PA NB PB X. \evs \ tls. - X = Hash{|Number SID, Nonce M, + X = Hash\Number SID, Nonce M, Nonce NA, Number PA, Agent A, - Nonce NB, Number PB, Agent B|} & + Nonce NB, Number PB, Agent B\ & Says A B (Crypt (clientK(NA,NB,M)) X) \ set evs & Says B A (Crypt (serverK(NA,NB,M)) X) \ set evs" apply (intro exI bexI) @@ -425,7 +425,7 @@ subsubsection\Properties of items found in Notes\ lemma Notes_Crypt_parts_spies: - "[| Notes A {|Agent B, X|} \ set evs; evs \ tls |] + "[| Notes A \Agent B, X\ \ set evs; evs \ tls |] ==> Crypt (pubK B) X \ parts (spies evs)" apply (erule rev_mp) apply (erule tls.induct, @@ -435,7 +435,7 @@ text\C may be either A or B\ lemma Notes_master_imp_Crypt_PMS: - "[| Notes C {|s, Agent A, Agent B, Nonce(PRF(PMS,NA,NB))|} \ set evs; + "[| Notes C \s, Agent A, Agent B, Nonce(PRF(PMS,NA,NB))\ \ set evs; evs \ tls |] ==> Crypt (pubK B) (Nonce PMS) \ parts (spies evs)" apply (erule rev_mp) @@ -448,9 +448,9 @@ text\Compared with the theorem above, both premise and conclusion are stronger\ lemma Notes_master_imp_Notes_PMS: - "[| Notes A {|s, Agent A, Agent B, Nonce(PRF(PMS,NA,NB))|} \ set evs; + "[| Notes A \s, Agent A, Agent B, Nonce(PRF(PMS,NA,NB))\ \ set evs; evs \ tls |] - ==> Notes A {|Agent B, Nonce PMS|} \ set evs" + ==> Notes A \Agent B, Nonce PMS\ \ set evs" apply (erule rev_mp) apply (erule tls.induct, force, simp_all) txt\ServerAccepts\ @@ -463,7 +463,7 @@ text\B can check A's signature if he has received A's certificate.\ lemma TrustCertVerify_lemma: "[| X \ parts (spies evs); - X = Crypt (priK A) (Hash{|nb, Agent B, pms|}); + X = Crypt (priK A) (Hash\nb, Agent B, pms\); evs \ tls; A \ bad |] ==> Says A B X \ set evs" apply (erule rev_mp, erule ssubst) @@ -473,7 +473,7 @@ text\Final version: B checks X using the distributed KA instead of priK A\ lemma TrustCertVerify: "[| X \ parts (spies evs); - X = Crypt (invKey KA) (Hash{|nb, Agent B, pms|}); + X = Crypt (invKey KA) (Hash\nb, Agent B, pms\); certificate A KA \ parts (spies evs); evs \ tls; A \ bad |] ==> Says A B X \ set evs" @@ -482,25 +482,25 @@ text\If CertVerify is present then A has chosen PMS.\ lemma UseCertVerify_lemma: - "[| Crypt (priK A) (Hash{|nb, Agent B, Nonce PMS|}) \ parts (spies evs); + "[| Crypt (priK A) (Hash\nb, Agent B, Nonce PMS\) \ parts (spies evs); evs \ tls; A \ bad |] - ==> Notes A {|Agent B, Nonce PMS|} \ set evs" + ==> Notes A \Agent B, Nonce PMS\ \ set evs" apply (erule rev_mp) apply (erule tls.induct, force, simp_all, blast) done text\Final version using the distributed KA instead of priK A\ lemma UseCertVerify: - "[| Crypt (invKey KA) (Hash{|nb, Agent B, Nonce PMS|}) + "[| Crypt (invKey KA) (Hash\nb, Agent B, Nonce PMS\) \ parts (spies evs); certificate A KA \ parts (spies evs); evs \ tls; A \ bad |] - ==> Notes A {|Agent B, Nonce PMS|} \ set evs" + ==> Notes A \Agent B, Nonce PMS\ \ set evs" by (blast dest!: certificate_valid intro!: UseCertVerify_lemma) lemma no_Notes_A_PRF [simp]: - "evs \ tls ==> Notes A {|Agent B, Nonce (PRF x)|} \ set evs" + "evs \ tls ==> Notes A \Agent B, Nonce (PRF x)\ \ set evs" apply (erule tls.induct, force, simp_all) txt\ClientKeyExch: PMS is assumed to differ from any PRF.\ apply blast @@ -538,15 +538,15 @@ (** It is frustrating that we need two versions of the unicity results. - But Notes A {|Agent B, Nonce PMS|} determines both A and B. Sometimes + But Notes A \Agent B, Nonce PMS\ determines both A and B. Sometimes we have only the weaker assertion Crypt(pubK B) (Nonce PMS), which determines B alone, and only if PMS is secret. **) text\In A's internal Note, PMS determines A and B.\ lemma Notes_unique_PMS: - "[| Notes A {|Agent B, Nonce PMS|} \ set evs; - Notes A' {|Agent B', Nonce PMS|} \ set evs; + "[| Notes A \Agent B, Nonce PMS\ \ set evs; + Notes A' \Agent B', Nonce PMS\ \ set evs; evs \ tls |] ==> A=A' & B=B'" apply (erule rev_mp, erule rev_mp) @@ -674,7 +674,7 @@ text\If A sends ClientKeyExch to an honest B, then the PMS will stay secret.\ lemma Spy_not_see_PMS: - "[| Notes A {|Agent B, Nonce PMS|} \ set evs; + "[| Notes A \Agent B, Nonce PMS\ \ set evs; evs \ tls; A \ bad; B \ bad |] ==> Nonce PMS \ analz (spies evs)" apply (erule rev_mp, erule tls.induct, frule_tac [7] CX_KB_is_pubKB) @@ -696,7 +696,7 @@ text\If A sends ClientKeyExch to an honest B, then the MASTER SECRET will stay secret.\ lemma Spy_not_see_MS: - "[| Notes A {|Agent B, Nonce PMS|} \ set evs; + "[| Notes A \Agent B, Nonce PMS\ \ set evs; evs \ tls; A \ bad; B \ bad |] ==> Nonce (PRF(PMS,NA,NB)) \ analz (spies evs)" apply (erule rev_mp, erule tls.induct, frule_tac [7] CX_KB_is_pubKB) @@ -720,7 +720,7 @@ would send a message using a clientK generated from that PMS.\ lemma Says_clientK_unique: "[| Says A' B' (Crypt (clientK(Na,Nb,PRF(PMS,NA,NB))) Y) \ set evs; - Notes A {|Agent B, Nonce PMS|} \ set evs; + Notes A \Agent B, Nonce PMS\ \ set evs; evs \ tls; A' \ Spy |] ==> A = A'" apply (erule rev_mp, erule rev_mp) @@ -737,7 +737,7 @@ text\If A created PMS and has not leaked her clientK to the Spy, then it is completely secure: not even in parts!\ lemma clientK_not_spied: - "[| Notes A {|Agent B, Nonce PMS|} \ set evs; + "[| Notes A \Agent B, Nonce PMS\ \ set evs; Says A Spy (Key (clientK(Na,Nb,PRF(PMS,NA,NB)))) \ set evs; A \ bad; B \ bad; evs \ tls |] @@ -762,7 +762,7 @@ send a message using a serverK generated from that PMS.\ lemma Says_serverK_unique: "[| Says B' A' (Crypt (serverK(Na,Nb,PRF(PMS,NA,NB))) Y) \ set evs; - Notes A {|Agent B, Nonce PMS|} \ set evs; + Notes A \Agent B, Nonce PMS\ \ set evs; evs \ tls; A \ bad; B \ bad; B' \ Spy |] ==> B = B'" apply (erule rev_mp, erule rev_mp) @@ -779,7 +779,7 @@ text\If A created PMS for B, and B has not leaked his serverK to the Spy, then it is completely secure: not even in parts!\ lemma serverK_not_spied: - "[| Notes A {|Agent B, Nonce PMS|} \ set evs; + "[| Notes A \Agent B, Nonce PMS\ \ set evs; Says B Spy (Key(serverK(Na,Nb,PRF(PMS,NA,NB)))) \ set evs; A \ bad; B \ bad; evs \ tls |] ==> Key (serverK(Na,Nb,PRF(PMS,NA,NB))) \ parts (spies evs)" @@ -804,13 +804,13 @@ text\The mention of her name (A) in X assures A that B knows who she is.\ lemma TrustServerFinished [rule_format]: "[| X = Crypt (serverK(Na,Nb,M)) - (Hash{|Number SID, Nonce M, + (Hash\Number SID, Nonce M, Nonce Na, Number PA, Agent A, - Nonce Nb, Number PB, Agent B|}); + Nonce Nb, Number PB, Agent B\); M = PRF(PMS,NA,NB); evs \ tls; A \ bad; B \ bad |] ==> Says B Spy (Key(serverK(Na,Nb,M))) \ set evs --> - Notes A {|Agent B, Nonce PMS|} \ set evs --> + Notes A \Agent B, Nonce PMS\ \ set evs --> X \ parts (spies evs) --> Says B A X \ set evs" apply (erule ssubst)+ apply (erule tls.induct, frule_tac [7] CX_KB_is_pubKB) @@ -829,7 +829,7 @@ lemma TrustServerMsg [rule_format]: "[| M = PRF(PMS,NA,NB); evs \ tls; A \ bad; B \ bad |] ==> Says B Spy (Key(serverK(Na,Nb,M))) \ set evs --> - Notes A {|Agent B, Nonce PMS|} \ set evs --> + Notes A \Agent B, Nonce PMS\ \ set evs --> Crypt (serverK(Na,Nb,M)) Y \ parts (spies evs) --> (\A'. Says B A' (Crypt (serverK(Na,Nb,M)) Y) \ set evs)" apply (erule ssubst) @@ -855,7 +855,7 @@ lemma TrustClientMsg [rule_format]: "[| M = PRF(PMS,NA,NB); evs \ tls; A \ bad; B \ bad |] ==> Says A Spy (Key(clientK(Na,Nb,M))) \ set evs --> - Notes A {|Agent B, Nonce PMS|} \ set evs --> + Notes A \Agent B, Nonce PMS\ \ set evs --> Crypt (clientK(Na,Nb,M)) Y \ parts (spies evs) --> Says A B (Crypt (clientK(Na,Nb,M)) Y) \ set evs" apply (erule ssubst) @@ -878,7 +878,7 @@ Says A Spy (Key(clientK(Na,Nb,M))) \ set evs; Says A' B (Crypt (clientK(Na,Nb,M)) Y) \ set evs; certificate A KA \ parts (spies evs); - Says A'' B (Crypt (invKey KA) (Hash{|nb, Agent B, Nonce PMS|})) + Says A'' B (Crypt (invKey KA) (Hash\nb, Agent B, Nonce PMS\)) \ set evs; evs \ tls; A \ bad; B \ bad |] ==> Says A B (Crypt (clientK(Na,Nb,M)) Y) \ set evs" diff -r e96292f32c3c -r 38b73f7940af src/HOL/Auth/WooLam.thy --- a/src/HOL/Auth/WooLam.thy Mon Dec 28 21:47:32 2015 +0100 +++ b/src/HOL/Auth/WooLam.thy Mon Dec 28 23:13:33 2015 +0100 @@ -52,13 +52,13 @@ | WL4: "[| evs4 \ woolam; Says A' B X \ set evs4; Says A'' B (Agent A) \ set evs4 |] - ==> Says B Server {|Agent A, Agent B, X|} # evs4 \ woolam" + ==> Says B Server \Agent A, Agent B, X\ # evs4 \ woolam" (*Server decrypts Alice's response for Bob.*) | WL5: "[| evs5 \ woolam; - Says B' Server {|Agent A, Agent B, Crypt (shrK A) (Nonce NB)|} + Says B' Server \Agent A, Agent B, Crypt (shrK A) (Nonce NB)\ \ set evs5 |] - ==> Says Server B (Crypt (shrK B) {|Agent A, Nonce NB|}) + ==> Says Server B (Crypt (shrK B) \Agent A, Nonce NB\) # evs5 \ woolam" @@ -70,7 +70,7 @@ (*A "possibility property": there are traces that reach the end*) lemma "\NB. \evs \ woolam. - Says Server B (Crypt (shrK B) {|Agent A, Nonce NB|}) \ set evs" + Says Server B (Crypt (shrK B) \Agent A, Nonce NB\) \ set evs" apply (intro exI bexI) apply (rule_tac [2] woolam.Nil [THEN woolam.WL1, THEN woolam.WL2, THEN woolam.WL3, @@ -113,7 +113,7 @@ Alice, then she originated that certificate. But we DO NOT know that B ever saw it: the Spy may have rerouted the message to the Server.*) lemma Server_trusts_WL4 [dest]: - "[| Says B' Server {|Agent A, Agent B, Crypt (shrK A) (Nonce NB)|} + "[| Says B' Server \Agent A, Agent B, Crypt (shrK A) (Nonce NB)\ \ set evs; A \ bad; evs \ woolam |] ==> \B. Says A B (Crypt (shrK A) (Nonce NB)) \ set evs" @@ -124,17 +124,17 @@ (*Server sent WL5 only if it received the right sort of message*) lemma Server_sent_WL5 [dest]: - "[| Says Server B (Crypt (shrK B) {|Agent A, NB|}) \ set evs; + "[| Says Server B (Crypt (shrK B) \Agent A, NB\) \ set evs; evs \ woolam |] - ==> \B'. Says B' Server {|Agent A, Agent B, Crypt (shrK A) NB|} + ==> \B'. Says B' Server \Agent A, Agent B, Crypt (shrK A) NB\ \ set evs" by (erule rev_mp, erule woolam.induct, force, simp_all, blast+) (*If the encrypted message appears then it originated with the Server!*) lemma NB_Crypt_imp_Server_msg [rule_format]: - "[| Crypt (shrK B) {|Agent A, NB|} \ parts (spies evs); + "[| Crypt (shrK B) \Agent A, NB\ \ parts (spies evs); B \ bad; evs \ woolam |] - ==> Says Server B (Crypt (shrK B) {|Agent A, NB|}) \ set evs" + ==> Says Server B (Crypt (shrK B) \Agent A, NB\) \ set evs" by (erule rev_mp, erule woolam.induct, force, simp_all, blast+) (*Guarantee for B. If B gets the Server's certificate then A has encrypted @@ -142,7 +142,7 @@ But A may have sent the nonce to some other agent and it could have reached the Server via the Spy.*) lemma B_trusts_WL5: - "[| Says S B (Crypt (shrK B) {|Agent A, Nonce NB|}): set evs; + "[| Says S B (Crypt (shrK B) \Agent A, Nonce NB\): set evs; A \ bad; B \ bad; evs \ woolam |] ==> \B. Says A B (Crypt (shrK A) (Nonce NB)) \ set evs" by (blast dest!: NB_Crypt_imp_Server_msg) diff -r e96292f32c3c -r 38b73f7940af src/HOL/Auth/Yahalom.thy --- a/src/HOL/Auth/Yahalom.thy Mon Dec 28 21:47:32 2015 +0100 +++ b/src/HOL/Auth/Yahalom.thy Mon Dec 28 23:13:33 2015 +0100 @@ -32,24 +32,24 @@ (*Alice initiates a protocol run*) | YM1: "[| evs1 \ yahalom; Nonce NA \ used evs1 |] - ==> Says A B {|Agent A, Nonce NA|} # evs1 \ yahalom" + ==> Says A B \Agent A, Nonce NA\ # evs1 \ yahalom" (*Bob's response to Alice's message.*) | YM2: "[| evs2 \ yahalom; Nonce NB \ used evs2; - Gets B {|Agent A, Nonce NA|} \ set evs2 |] + Gets B \Agent A, Nonce NA\ \ set evs2 |] ==> Says B Server - {|Agent B, Crypt (shrK B) {|Agent A, Nonce NA, Nonce NB|}|} + \Agent B, Crypt (shrK B) \Agent A, Nonce NA, Nonce NB\\ # evs2 \ yahalom" (*The Server receives Bob's message. He responds by sending a new session key to Alice, with a packet for forwarding to Bob.*) | YM3: "[| evs3 \ yahalom; Key KAB \ used evs3; KAB \ symKeys; Gets Server - {|Agent B, Crypt (shrK B) {|Agent A, Nonce NA, Nonce NB|}|} + \Agent B, Crypt (shrK B) \Agent A, Nonce NA, Nonce NB\\ \ set evs3 |] ==> Says Server A - {|Crypt (shrK A) {|Agent B, Key KAB, Nonce NA, Nonce NB|}, - Crypt (shrK B) {|Agent A, Key KAB|}|} + \Crypt (shrK A) \Agent B, Key KAB, Nonce NA, Nonce NB\, + Crypt (shrK B) \Agent A, Key KAB\\ # evs3 \ yahalom" | YM4: @@ -58,25 +58,25 @@ @{term "A \ Server"} is needed for \Says_Server_not_range\. Alice can check that K is symmetric by its length.\ "[| evs4 \ yahalom; A \ Server; K \ symKeys; - Gets A {|Crypt(shrK A) {|Agent B, Key K, Nonce NA, Nonce NB|}, X|} + Gets A \Crypt(shrK A) \Agent B, Key K, Nonce NA, Nonce NB\, X\ \ set evs4; - Says A B {|Agent A, Nonce NA|} \ set evs4 |] - ==> Says A B {|X, Crypt K (Nonce NB)|} # evs4 \ yahalom" + Says A B \Agent A, Nonce NA\ \ set evs4 |] + ==> Says A B \X, Crypt K (Nonce NB)\ # evs4 \ yahalom" (*This message models possible leaks of session keys. The Nonces identify the protocol run. Quoting Server here ensures they are correct.*) | Oops: "[| evso \ yahalom; - Says Server A {|Crypt (shrK A) - {|Agent B, Key K, Nonce NA, Nonce NB|}, - X|} \ set evso |] - ==> Notes Spy {|Nonce NA, Nonce NB, Key K|} # evso \ yahalom" + Says Server A \Crypt (shrK A) + \Agent B, Key K, Nonce NA, Nonce NB\, + X\ \ set evso |] + ==> Notes Spy \Nonce NA, Nonce NB, Key K\ # evso \ yahalom" definition KeyWithNonce :: "[key, nat, event list] => bool" where "KeyWithNonce K NB evs == \A B na X. - Says Server A {|Crypt (shrK A) {|Agent B, Key K, na, Nonce NB|}, X|} + Says Server A \Crypt (shrK A) \Agent B, Key K, na, Nonce NB\, X\ \ set evs" @@ -88,7 +88,7 @@ text\A "possibility property": there are traces that reach the end\ lemma "[| A \ Server; K \ symKeys; Key K \ used [] |] ==> \X NB. \evs \ yahalom. - Says A B {|X, Crypt K (Nonce NB)|} \ set evs" + Says A B \X, Crypt K (Nonce NB)\ \ set evs" apply (intro exI bexI) apply (rule_tac [2] yahalom.Nil [THEN yahalom.YM1, THEN yahalom.Reception, @@ -116,7 +116,7 @@ text\Lets us treat YM4 using a similar argument as for the Fake case.\ lemma YM4_analz_knows_Spy: - "[| Gets A {|Crypt (shrK A) Y, X|} \ set evs; evs \ yahalom |] + "[| Gets A \Crypt (shrK A) Y, X\ \ set evs; evs \ yahalom |] ==> X \ analz (knows Spy evs)" by blast @@ -125,7 +125,7 @@ text\For Oops\ lemma YM4_Key_parts_knows_Spy: - "Says Server A {|Crypt (shrK A) {|B,K,NA,NB|}, X|} \ set evs + "Says Server A \Crypt (shrK A) \B,K,NA,NB\, X\ \ set evs ==> K \ parts (knows Spy evs)" by (metis parts.Body parts.Fst parts.Snd Says_imp_knows_Spy parts.Inj) @@ -170,7 +170,7 @@ text\Describes the form of K when the Server sends this message. Useful for Oops as well as main secrecy property.\ lemma Says_Server_not_range [simp]: - "[| Says Server A {|Crypt (shrK A) {|Agent B, Key K, na, nb|}, X|} + "[| Says Server A \Crypt (shrK A) \Agent B, Key K, na, nb\, X\ \ set evs; evs \ yahalom |] ==> K \ range shrK" by (erule rev_mp, erule yahalom.induct, simp_all) @@ -210,9 +210,9 @@ text\The Key K uniquely identifies the Server's message.\ lemma unique_session_keys: "[| Says Server A - {|Crypt (shrK A) {|Agent B, Key K, na, nb|}, X|} \ set evs; + \Crypt (shrK A) \Agent B, Key K, na, nb\, X\ \ set evs; Says Server A' - {|Crypt (shrK A') {|Agent B', Key K, na', nb'|}, X'|} \ set evs; + \Crypt (shrK A') \Agent B', Key K, na', nb'\, X'\ \ set evs; evs \ yahalom |] ==> A=A' & B=B' & na=na' & nb=nb'" apply (erule rev_mp, erule rev_mp) @@ -226,10 +226,10 @@ lemma secrecy_lemma: "[| A \ bad; B \ bad; evs \ yahalom |] ==> Says Server A - {|Crypt (shrK A) {|Agent B, Key K, na, nb|}, - Crypt (shrK B) {|Agent A, Key K|}|} + \Crypt (shrK A) \Agent B, Key K, na, nb\, + Crypt (shrK B) \Agent A, Key K\\ \ set evs --> - Notes Spy {|na, nb, Key K|} \ set evs --> + Notes Spy \na, nb, Key K\ \ set evs --> Key K \ analz (knows Spy evs)" apply (erule yahalom.induct, force, drule_tac [6] YM4_analz_knows_Spy) @@ -240,10 +240,10 @@ text\Final version\ lemma Spy_not_see_encrypted_key: "[| Says Server A - {|Crypt (shrK A) {|Agent B, Key K, na, nb|}, - Crypt (shrK B) {|Agent A, Key K|}|} + \Crypt (shrK A) \Agent B, Key K, na, nb\, + Crypt (shrK B) \Agent A, Key K\\ \ set evs; - Notes Spy {|na, nb, Key K|} \ set evs; + Notes Spy \na, nb, Key K\ \ set evs; A \ bad; B \ bad; evs \ yahalom |] ==> Key K \ analz (knows Spy evs)" by (blast dest: secrecy_lemma) @@ -253,11 +253,11 @@ text\If the encrypted message appears then it originated with the Server\ lemma A_trusts_YM3: - "[| Crypt (shrK A) {|Agent B, Key K, na, nb|} \ parts (knows Spy evs); + "[| Crypt (shrK A) \Agent B, Key K, na, nb\ \ parts (knows Spy evs); A \ bad; evs \ yahalom |] ==> Says Server A - {|Crypt (shrK A) {|Agent B, Key K, na, nb|}, - Crypt (shrK B) {|Agent A, Key K|}|} + \Crypt (shrK A) \Agent B, Key K, na, nb\, + Crypt (shrK B) \Agent A, Key K\\ \ set evs" apply (erule rev_mp) apply (erule yahalom.induct, force, @@ -269,8 +269,8 @@ text\The obvious combination of \A_trusts_YM3\ with \Spy_not_see_encrypted_key\\ lemma A_gets_good_key: - "[| Crypt (shrK A) {|Agent B, Key K, na, nb|} \ parts (knows Spy evs); - Notes Spy {|na, nb, Key K|} \ set evs; + "[| Crypt (shrK A) \Agent B, Key K, na, nb\ \ parts (knows Spy evs); + Notes Spy \na, nb, Key K\ \ set evs; A \ bad; B \ bad; evs \ yahalom |] ==> Key K \ analz (knows Spy evs)" by (metis A_trusts_YM3 secrecy_lemma) @@ -281,12 +281,12 @@ text\B knows, by the first part of A's message, that the Server distributed the key for A and B. But this part says nothing about nonces.\ lemma B_trusts_YM4_shrK: - "[| Crypt (shrK B) {|Agent A, Key K|} \ parts (knows Spy evs); + "[| Crypt (shrK B) \Agent A, Key K\ \ parts (knows Spy evs); B \ bad; evs \ yahalom |] ==> \NA NB. Says Server A - {|Crypt (shrK A) {|Agent B, Key K, - Nonce NA, Nonce NB|}, - Crypt (shrK B) {|Agent A, Key K|}|} + \Crypt (shrK A) \Agent B, Key K, + Nonce NA, Nonce NB\, + Crypt (shrK B) \Agent A, Key K\\ \ set evs" apply (erule rev_mp) apply (erule yahalom.induct, force, @@ -305,8 +305,8 @@ "[|Crypt K (Nonce NB) \ parts (knows Spy evs); Nonce NB \ analz (knows Spy evs); evs \ yahalom|] ==> \A B NA. Says Server A - {|Crypt (shrK A) {|Agent B, Key K, Nonce NA, Nonce NB|}, - Crypt (shrK B) {|Agent A, Key K|}|} + \Crypt (shrK A) \Agent B, Key K, Nonce NA, Nonce NB\, + Crypt (shrK B) \Agent A, Key K\\ \ set evs" apply (erule rev_mp, erule rev_mp) apply (erule yahalom.induct, force, @@ -329,14 +329,14 @@ lemma KeyWithNonceI: "Says Server A - {|Crypt (shrK A) {|Agent B, Key K, na, Nonce NB|}, X|} + \Crypt (shrK A) \Agent B, Key K, na, Nonce NB\, X\ \ set evs ==> KeyWithNonce K NB evs" by (unfold KeyWithNonce_def, blast) lemma KeyWithNonce_Says [simp]: "KeyWithNonce K NB (Says S A X # evs) = (Server = S & - (\B n X'. X = {|Crypt (shrK A) {|Agent B, Key K, n, Nonce NB|}, X'|}) + (\B n X'. X = \Crypt (shrK A) \Agent B, Key K, n, Nonce NB\, X'\) | KeyWithNonce K NB evs)" by (simp add: KeyWithNonce_def, blast) @@ -358,7 +358,7 @@ text\The Server message associates K with NB' and therefore not with any other nonce NB.\ lemma Says_Server_KeyWithNonce: - "[| Says Server A {|Crypt (shrK A) {|Agent B, Key K, na, Nonce NB'|}, X|} + "[| Says Server A \Crypt (shrK A) \Agent B, Key K, na, Nonce NB'\, X\ \ set evs; NB \ NB'; evs \ yahalom |] ==> ~ KeyWithNonce K NB evs" @@ -417,7 +417,7 @@ for the induction to carry through.\ lemma single_Nonce_secrecy: "[| Says Server A - {|Crypt (shrK A) {|Agent B, Key KAB, na, Nonce NB'|}, X|} + \Crypt (shrK A) \Agent B, Key KAB, na, Nonce NB'\, X\ \ set evs; NB \ NB'; KAB \ range shrK; evs \ yahalom |] ==> (Nonce NB \ analz (insert (Key KAB) (knows Spy evs))) = @@ -430,8 +430,8 @@ subsubsection\The Nonce NB uniquely identifies B's message.\ lemma unique_NB: - "[| Crypt (shrK B) {|Agent A, Nonce NA, nb|} \ parts (knows Spy evs); - Crypt (shrK B') {|Agent A', Nonce NA', nb|} \ parts (knows Spy evs); + "[| Crypt (shrK B) \Agent A, Nonce NA, nb\ \ parts (knows Spy evs); + Crypt (shrK B') \Agent A', Nonce NA', nb\ \ parts (knows Spy evs); evs \ yahalom; B \ bad; B' \ bad |] ==> NA' = NA & A' = A & B' = B" apply (erule rev_mp, erule rev_mp) @@ -445,9 +445,9 @@ text\Variant useful for proving secrecy of NB. Because nb is assumed to be secret, we no longer must assume B, B' not bad.\ lemma Says_unique_NB: - "[| Says C S {|X, Crypt (shrK B) {|Agent A, Nonce NA, nb|}|} + "[| Says C S \X, Crypt (shrK B) \Agent A, Nonce NA, nb\\ \ set evs; - Gets S' {|X', Crypt (shrK B') {|Agent A', Nonce NA', nb|}|} + Gets S' \X', Crypt (shrK B') \Agent A', Nonce NA', nb\\ \ set evs; nb \ analz (knows Spy evs); evs \ yahalom |] ==> NA' = NA & A' = A & B' = B" @@ -458,9 +458,9 @@ subsubsection\A nonce value is never used both as NA and as NB\ lemma no_nonce_YM1_YM2: - "[|Crypt (shrK B') {|Agent A', Nonce NB, nb'|} \ parts(knows Spy evs); + "[|Crypt (shrK B') \Agent A', Nonce NB, nb'\ \ parts(knows Spy evs); Nonce NB \ analz (knows Spy evs); evs \ yahalom|] - ==> Crypt (shrK B) {|Agent A, na, Nonce NB|} \ parts(knows Spy evs)" + ==> Crypt (shrK B) \Agent A, na, Nonce NB\ \ parts(knows Spy evs)" apply (erule rev_mp, erule rev_mp) apply (erule yahalom.induct, force, frule_tac [6] YM4_parts_knows_Spy) @@ -471,18 +471,18 @@ text\The Server sends YM3 only in response to YM2.\ lemma Says_Server_imp_YM2: - "[| Says Server A {|Crypt (shrK A) {|Agent B, k, na, nb|}, X|} \ set evs; + "[| Says Server A \Crypt (shrK A) \Agent B, k, na, nb\, X\ \ set evs; evs \ yahalom |] - ==> Gets Server {| Agent B, Crypt (shrK B) {|Agent A, na, nb|} |} + ==> Gets Server \Agent B, Crypt (shrK B) \Agent A, na, nb\\ \ set evs" by (erule rev_mp, erule yahalom.induct, auto) text\A vital theorem for B, that nonce NB remains secure from the Spy.\ lemma Spy_not_see_NB : "[| Says B Server - {|Agent B, Crypt (shrK B) {|Agent A, Nonce NA, Nonce NB|}|} + \Agent B, Crypt (shrK B) \Agent A, Nonce NA, Nonce NB\\ \ set evs; - (\k. Notes Spy {|Nonce NA, Nonce NB, k|} \ set evs); + (\k. Notes Spy \Nonce NA, Nonce NB, k\ \ set evs); A \ bad; B \ bad; evs \ yahalom |] ==> Nonce NB \ analz (knows Spy evs)" apply (erule rev_mp, erule rev_mp) @@ -521,17 +521,17 @@ If this run is broken and the spy substitutes a certificate containing an old key, B has no means of telling.\ lemma B_trusts_YM4: - "[| Gets B {|Crypt (shrK B) {|Agent A, Key K|}, - Crypt K (Nonce NB)|} \ set evs; + "[| Gets B \Crypt (shrK B) \Agent A, Key K\, + Crypt K (Nonce NB)\ \ set evs; Says B Server - {|Agent B, Crypt (shrK B) {|Agent A, Nonce NA, Nonce NB|}|} + \Agent B, Crypt (shrK B) \Agent A, Nonce NA, Nonce NB\\ \ set evs; - \k. Notes Spy {|Nonce NA, Nonce NB, k|} \ set evs; + \k. Notes Spy \Nonce NA, Nonce NB, k\ \ set evs; A \ bad; B \ bad; evs \ yahalom |] ==> Says Server A - {|Crypt (shrK A) {|Agent B, Key K, - Nonce NA, Nonce NB|}, - Crypt (shrK B) {|Agent A, Key K|}|} + \Crypt (shrK A) \Agent B, Key K, + Nonce NA, Nonce NB\, + Crypt (shrK B) \Agent A, Key K\\ \ set evs" by (blast dest: Spy_not_see_NB Says_unique_NB Says_Server_imp_YM2 B_trusts_YM4_newK) @@ -541,12 +541,12 @@ text\The obvious combination of \B_trusts_YM4\ with \Spy_not_see_encrypted_key\\ lemma B_gets_good_key: - "[| Gets B {|Crypt (shrK B) {|Agent A, Key K|}, - Crypt K (Nonce NB)|} \ set evs; + "[| Gets B \Crypt (shrK B) \Agent A, Key K\, + Crypt K (Nonce NB)\ \ set evs; Says B Server - {|Agent B, Crypt (shrK B) {|Agent A, Nonce NA, Nonce NB|}|} + \Agent B, Crypt (shrK B) \Agent A, Nonce NA, Nonce NB\\ \ set evs; - \k. Notes Spy {|Nonce NA, Nonce NB, k|} \ set evs; + \k. Notes Spy \Nonce NA, Nonce NB, k\ \ set evs; A \ bad; B \ bad; evs \ yahalom |] ==> Key K \ analz (knows Spy evs)" by (metis B_trusts_YM4 Spy_not_see_encrypted_key) @@ -556,10 +556,10 @@ text\The encryption in message YM2 tells us it cannot be faked.\ lemma B_Said_YM2 [rule_format]: - "[|Crypt (shrK B) {|Agent A, Nonce NA, nb|} \ parts (knows Spy evs); + "[|Crypt (shrK B) \Agent A, Nonce NA, nb\ \ parts (knows Spy evs); evs \ yahalom|] ==> B \ bad --> - Says B Server {|Agent B, Crypt (shrK B) {|Agent A, Nonce NA, nb|}|} + Says B Server \Agent B, Crypt (shrK B) \Agent A, Nonce NA, nb\\ \ set evs" apply (erule rev_mp, erule yahalom.induct, force, frule_tac [6] YM4_parts_knows_Spy, simp_all) @@ -569,10 +569,10 @@ text\If the server sends YM3 then B sent YM2\ lemma YM3_auth_B_to_A_lemma: - "[|Says Server A {|Crypt (shrK A) {|Agent B, Key K, Nonce NA, nb|}, X|} + "[|Says Server A \Crypt (shrK A) \Agent B, Key K, Nonce NA, nb\, X\ \ set evs; evs \ yahalom|] ==> B \ bad --> - Says B Server {|Agent B, Crypt (shrK B) {|Agent A, Nonce NA, nb|}|} + Says B Server \Agent B, Crypt (shrK B) \Agent A, Nonce NA, nb\\ \ set evs" apply (erule rev_mp, erule yahalom.induct, simp_all) txt\YM3, YM4\ @@ -581,10 +581,10 @@ text\If A receives YM3 then B has used nonce NA (and therefore is alive)\ lemma YM3_auth_B_to_A: - "[| Gets A {|Crypt (shrK A) {|Agent B, Key K, Nonce NA, nb|}, X|} + "[| Gets A \Crypt (shrK A) \Agent B, Key K, Nonce NA, nb\, X\ \ set evs; A \ bad; B \ bad; evs \ yahalom |] - ==> Says B Server {|Agent B, Crypt (shrK B) {|Agent A, Nonce NA, nb|}|} + ==> Says B Server \Agent B, Crypt (shrK B) \Agent A, Nonce NA, nb\\ \ set evs" by (metis A_trusts_YM3 Gets_imp_analz_Spy YM3_auth_B_to_A_lemma analz.Fst not_parts_not_analz) @@ -600,9 +600,9 @@ "evs \ yahalom ==> Key K \ analz (knows Spy evs) --> Crypt K (Nonce NB) \ parts (knows Spy evs) --> - Crypt (shrK B) {|Agent A, Key K|} \ parts (knows Spy evs) --> + Crypt (shrK B) \Agent A, Key K\ \ parts (knows Spy evs) --> B \ bad --> - (\X. Says A B {|X, Crypt K (Nonce NB)|} \ set evs)" + (\X. Says A B \X, Crypt K (Nonce NB)\ \ set evs)" apply (erule yahalom.induct, force, frule_tac [6] YM4_parts_knows_Spy) apply (analz_mono_contra, simp_all) @@ -624,13 +624,13 @@ Moreover, A associates K with NB (thus is talking about the same run). Other premises guarantee secrecy of K.\ lemma YM4_imp_A_Said_YM3 [rule_format]: - "[| Gets B {|Crypt (shrK B) {|Agent A, Key K|}, - Crypt K (Nonce NB)|} \ set evs; + "[| Gets B \Crypt (shrK B) \Agent A, Key K\, + Crypt K (Nonce NB)\ \ set evs; Says B Server - {|Agent B, Crypt (shrK B) {|Agent A, Nonce NA, Nonce NB|}|} + \Agent B, Crypt (shrK B) \Agent A, Nonce NA, Nonce NB\\ \ set evs; - (\NA k. Notes Spy {|Nonce NA, Nonce NB, k|} \ set evs); + (\NA k. Notes Spy \Nonce NA, Nonce NB, k\ \ set evs); A \ bad; B \ bad; evs \ yahalom |] - ==> \X. Says A B {|X, Crypt K (Nonce NB)|} \ set evs" + ==> \X. Says A B \X, Crypt K (Nonce NB)\ \ set evs" by (metis A_Said_YM3_lemma B_gets_good_key Gets_imp_analz_Spy YM4_parts_knows_Spy analz.Fst not_parts_not_analz) end diff -r e96292f32c3c -r 38b73f7940af src/HOL/Auth/Yahalom2.thy --- a/src/HOL/Auth/Yahalom2.thy Mon Dec 28 21:47:32 2015 +0100 +++ b/src/HOL/Auth/Yahalom2.thy Mon Dec 28 23:13:33 2015 +0100 @@ -36,44 +36,44 @@ (*Alice initiates a protocol run*) | YM1: "[| evs1 \ yahalom; Nonce NA \ used evs1 |] - ==> Says A B {|Agent A, Nonce NA|} # evs1 \ yahalom" + ==> Says A B \Agent A, Nonce NA\ # evs1 \ yahalom" (*Bob's response to Alice's message.*) | YM2: "[| evs2 \ yahalom; Nonce NB \ used evs2; - Gets B {|Agent A, Nonce NA|} \ set evs2 |] + Gets B \Agent A, Nonce NA\ \ set evs2 |] ==> Says B Server - {|Agent B, Nonce NB, Crypt (shrK B) {|Agent A, Nonce NA|}|} + \Agent B, Nonce NB, Crypt (shrK B) \Agent A, Nonce NA\\ # evs2 \ yahalom" (*The Server receives Bob's message. He responds by sending a new session key to Alice, with a certificate for forwarding to Bob. Both agents are quoted in the 2nd certificate to prevent attacks!*) | YM3: "[| evs3 \ yahalom; Key KAB \ used evs3; - Gets Server {|Agent B, Nonce NB, - Crypt (shrK B) {|Agent A, Nonce NA|}|} + Gets Server \Agent B, Nonce NB, + Crypt (shrK B) \Agent A, Nonce NA\\ \ set evs3 |] ==> Says Server A - {|Nonce NB, - Crypt (shrK A) {|Agent B, Key KAB, Nonce NA|}, - Crypt (shrK B) {|Agent A, Agent B, Key KAB, Nonce NB|}|} + \Nonce NB, + Crypt (shrK A) \Agent B, Key KAB, Nonce NA\, + Crypt (shrK B) \Agent A, Agent B, Key KAB, Nonce NB\\ # evs3 \ yahalom" (*Alice receives the Server's (?) message, checks her Nonce, and uses the new session key to send Bob his Nonce.*) | YM4: "[| evs4 \ yahalom; - Gets A {|Nonce NB, Crypt (shrK A) {|Agent B, Key K, Nonce NA|}, - X|} \ set evs4; - Says A B {|Agent A, Nonce NA|} \ set evs4 |] - ==> Says A B {|X, Crypt K (Nonce NB)|} # evs4 \ yahalom" + Gets A \Nonce NB, Crypt (shrK A) \Agent B, Key K, Nonce NA\, + X\ \ set evs4; + Says A B \Agent A, Nonce NA\ \ set evs4 |] + ==> Says A B \X, Crypt K (Nonce NB)\ # evs4 \ yahalom" (*This message models possible leaks of session keys. The nonces identify the protocol run. Quoting Server here ensures they are correct. *) | Oops: "[| evso \ yahalom; - Says Server A {|Nonce NB, - Crypt (shrK A) {|Agent B, Key K, Nonce NA|}, - X|} \ set evso |] - ==> Notes Spy {|Nonce NA, Nonce NB, Key K|} # evso \ yahalom" + Says Server A \Nonce NB, + Crypt (shrK A) \Agent B, Key K, Nonce NA\, + X\ \ set evso |] + ==> Notes Spy \Nonce NA, Nonce NB, Key K\ # evso \ yahalom" declare Says_imp_knows_Spy [THEN analz.Inj, dest] @@ -84,7 +84,7 @@ text\A "possibility property": there are traces that reach the end\ lemma "Key K \ used [] ==> \X NB. \evs \ yahalom. - Says A B {|X, Crypt K (Nonce NB)|} \ set evs" + Says A B \X, Crypt K (Nonce NB)\ \ set evs" apply (intro exI bexI) apply (rule_tac [2] yahalom.Nil [THEN yahalom.YM1, THEN yahalom.Reception, @@ -111,7 +111,7 @@ text\Result for reasoning about the encrypted portion of messages. Lets us treat YM4 using a similar argument as for the Fake case.\ lemma YM4_analz_knows_Spy: - "[| Gets A {|NB, Crypt (shrK A) Y, X|} \ set evs; evs \ yahalom |] + "[| Gets A \NB, Crypt (shrK A) Y, X\ \ set evs; evs \ yahalom |] ==> X \ analz (knows Spy evs)" by blast @@ -157,7 +157,7 @@ text\Describes the form of K when the Server sends this message. Useful for Oops as well as main secrecy property.\ lemma Says_Server_message_form: - "[| Says Server A {|nb', Crypt (shrK A) {|Agent B, Key K, na|}, X|} + "[| Says Server A \nb', Crypt (shrK A) \Agent B, Key K, na\, X\ \ set evs; evs \ yahalom |] ==> K \ range shrK" by (erule rev_mp, erule yahalom.induct, simp_all) @@ -194,9 +194,9 @@ text\The Key K uniquely identifies the Server's message\ lemma unique_session_keys: "[| Says Server A - {|nb, Crypt (shrK A) {|Agent B, Key K, na|}, X|} \ set evs; + \nb, Crypt (shrK A) \Agent B, Key K, na\, X\ \ set evs; Says Server A' - {|nb', Crypt (shrK A') {|Agent B', Key K, na'|}, X'|} \ set evs; + \nb', Crypt (shrK A') \Agent B', Key K, na'\, X'\ \ set evs; evs \ yahalom |] ==> A=A' & B=B' & na=na' & nb=nb'" apply (erule rev_mp, erule rev_mp) @@ -211,10 +211,10 @@ lemma secrecy_lemma: "[| A \ bad; B \ bad; evs \ yahalom |] ==> Says Server A - {|nb, Crypt (shrK A) {|Agent B, Key K, na|}, - Crypt (shrK B) {|Agent A, Agent B, Key K, nb|}|} + \nb, Crypt (shrK A) \Agent B, Key K, na\, + Crypt (shrK B) \Agent A, Agent B, Key K, nb\\ \ set evs --> - Notes Spy {|na, nb, Key K|} \ set evs --> + Notes Spy \na, nb, Key K\ \ set evs --> Key K \ analz (knows Spy evs)" apply (erule yahalom.induct, force, frule_tac [7] Says_Server_message_form, drule_tac [6] YM4_analz_knows_Spy) @@ -226,10 +226,10 @@ text\Final version\ lemma Spy_not_see_encrypted_key: "[| Says Server A - {|nb, Crypt (shrK A) {|Agent B, Key K, na|}, - Crypt (shrK B) {|Agent A, Agent B, Key K, nb|}|} + \nb, Crypt (shrK A) \Agent B, Key K, na\, + Crypt (shrK B) \Agent A, Agent B, Key K, nb\\ \ set evs; - Notes Spy {|na, nb, Key K|} \ set evs; + Notes Spy \na, nb, Key K\ \ set evs; A \ bad; B \ bad; evs \ yahalom |] ==> Key K \ analz (knows Spy evs)" by (blast dest: secrecy_lemma Says_Server_message_form) @@ -245,10 +245,10 @@ @{term "Key K \ analz (knows Spy evs)"}.\ lemma Spy_not_know_encrypted_key: "[| Says Server A - {|nb, Crypt (shrK A) {|Agent B, Key K, na|}, - Crypt (shrK B) {|Agent A, Agent B, Key K, nb|}|} + \nb, Crypt (shrK A) \Agent B, Key K, na\, + Crypt (shrK B) \Agent A, Agent B, Key K, nb\\ \ set evs; - Notes Spy {|na, nb, Key K|} \ set evs; + Notes Spy \na, nb, Key K\ \ set evs; A \ bad; B \ bad; evs \ yahalom |] ==> Key K \ knows Spy evs" by (blast dest: Spy_not_see_encrypted_key) @@ -259,11 +259,11 @@ text\If the encrypted message appears then it originated with the Server. May now apply \Spy_not_see_encrypted_key\, subject to its conditions.\ lemma A_trusts_YM3: - "[| Crypt (shrK A) {|Agent B, Key K, na|} \ parts (knows Spy evs); + "[| Crypt (shrK A) \Agent B, Key K, na\ \ parts (knows Spy evs); A \ bad; evs \ yahalom |] ==> \nb. Says Server A - {|nb, Crypt (shrK A) {|Agent B, Key K, na|}, - Crypt (shrK B) {|Agent A, Agent B, Key K, nb|}|} + \nb, Crypt (shrK A) \Agent B, Key K, na\, + Crypt (shrK B) \Agent A, Agent B, Key K, nb\\ \ set evs" apply (erule rev_mp) apply (erule yahalom.induct, force, @@ -275,8 +275,8 @@ text\The obvious combination of \A_trusts_YM3\ with \Spy_not_see_encrypted_key\\ theorem A_gets_good_key: - "[| Crypt (shrK A) {|Agent B, Key K, na|} \ parts (knows Spy evs); - \nb. Notes Spy {|na, nb, Key K|} \ set evs; + "[| Crypt (shrK A) \Agent B, Key K, na\ \ parts (knows Spy evs); + \nb. Notes Spy \na, nb, Key K\ \ set evs; A \ bad; B \ bad; evs \ yahalom |] ==> Key K \ analz (knows Spy evs)" by (blast dest!: A_trusts_YM3 Spy_not_see_encrypted_key) @@ -287,13 +287,13 @@ text\B knows, by the first part of A's message, that the Server distributed the key for A and B, and has associated it with NB.\ lemma B_trusts_YM4_shrK: - "[| Crypt (shrK B) {|Agent A, Agent B, Key K, Nonce NB|} + "[| Crypt (shrK B) \Agent A, Agent B, Key K, Nonce NB\ \ parts (knows Spy evs); B \ bad; evs \ yahalom |] ==> \NA. Says Server A - {|Nonce NB, - Crypt (shrK A) {|Agent B, Key K, Nonce NA|}, - Crypt (shrK B) {|Agent A, Agent B, Key K, Nonce NB|}|} + \Nonce NB, + Crypt (shrK A) \Agent B, Key K, Nonce NA\, + Crypt (shrK B) \Agent A, Agent B, Key K, Nonce NB\\ \ set evs" apply (erule rev_mp) apply (erule yahalom.induct, force, @@ -309,13 +309,13 @@ text\What can B deduce from receipt of YM4? Stronger and simpler than Yahalom because we do not have to show that NB is secret.\ lemma B_trusts_YM4: - "[| Gets B {|Crypt (shrK B) {|Agent A, Agent B, Key K, Nonce NB|}, X|} + "[| Gets B \Crypt (shrK B) \Agent A, Agent B, Key K, Nonce NB\, X\ \ set evs; A \ bad; B \ bad; evs \ yahalom |] ==> \NA. Says Server A - {|Nonce NB, - Crypt (shrK A) {|Agent B, Key K, Nonce NA|}, - Crypt (shrK B) {|Agent A, Agent B, Key K, Nonce NB|}|} + \Nonce NB, + Crypt (shrK A) \Agent B, Key K, Nonce NA\, + Crypt (shrK B) \Agent A, Agent B, Key K, Nonce NB\\ \ set evs" by (blast dest!: B_trusts_YM4_shrK) @@ -323,9 +323,9 @@ text\The obvious combination of \B_trusts_YM4\ with \Spy_not_see_encrypted_key\\ theorem B_gets_good_key: - "[| Gets B {|Crypt (shrK B) {|Agent A, Agent B, Key K, Nonce NB|}, X|} + "[| Gets B \Crypt (shrK B) \Agent A, Agent B, Key K, Nonce NB\, X\ \ set evs; - \na. Notes Spy {|na, Nonce NB, Key K|} \ set evs; + \na. Notes Spy \na, Nonce NB, Key K\ \ set evs; A \ bad; B \ bad; evs \ yahalom |] ==> Key K \ analz (knows Spy evs)" by (blast dest!: B_trusts_YM4 Spy_not_see_encrypted_key) @@ -335,10 +335,10 @@ text\The encryption in message YM2 tells us it cannot be faked.\ lemma B_Said_YM2: - "[| Crypt (shrK B) {|Agent A, Nonce NA|} \ parts (knows Spy evs); + "[| Crypt (shrK B) \Agent A, Nonce NA\ \ parts (knows Spy evs); B \ bad; evs \ yahalom |] - ==> \NB. Says B Server {|Agent B, Nonce NB, - Crypt (shrK B) {|Agent A, Nonce NA|}|} + ==> \NB. Says B Server \Agent B, Nonce NB, + Crypt (shrK B) \Agent A, Nonce NA\\ \ set evs" apply (erule rev_mp) apply (erule yahalom.induct, force, @@ -350,11 +350,11 @@ text\If the server sends YM3 then B sent YM2, perhaps with a different NB\ lemma YM3_auth_B_to_A_lemma: - "[| Says Server A {|nb, Crypt (shrK A) {|Agent B, Key K, Nonce NA|}, X|} + "[| Says Server A \nb, Crypt (shrK A) \Agent B, Key K, Nonce NA\, X\ \ set evs; B \ bad; evs \ yahalom |] - ==> \nb'. Says B Server {|Agent B, nb', - Crypt (shrK B) {|Agent A, Nonce NA|}|} + ==> \nb'. Says B Server \Agent B, nb', + Crypt (shrK B) \Agent A, Nonce NA\\ \ set evs" apply (erule rev_mp) apply (erule yahalom.induct, simp_all) @@ -364,11 +364,11 @@ text\If A receives YM3 then B has used nonce NA (and therefore is alive)\ theorem YM3_auth_B_to_A: - "[| Gets A {|nb, Crypt (shrK A) {|Agent B, Key K, Nonce NA|}, X|} + "[| Gets A \nb, Crypt (shrK A) \Agent B, Key K, Nonce NA\, X\ \ set evs; A \ bad; B \ bad; evs \ yahalom |] ==> \nb'. Says B Server - {|Agent B, nb', Crypt (shrK B) {|Agent A, Nonce NA|}|} + \Agent B, nb', Crypt (shrK B) \Agent A, Nonce NA\\ \ set evs" by (blast dest!: A_trusts_YM3 YM3_auth_B_to_A_lemma) @@ -385,8 +385,8 @@ text\This lemma allows a use of \unique_session_keys\ in the next proof, which otherwise is extremely slow.\ lemma secure_unique_session_keys: - "[| Crypt (shrK A) {|Agent B, Key K, na|} \ analz (spies evs); - Crypt (shrK A') {|Agent B', Key K, na'|} \ analz (spies evs); + "[| Crypt (shrK A) \Agent B, Key K, na\ \ analz (spies evs); + Crypt (shrK A') \Agent B', Key K, na'\ \ analz (spies evs); Key K \ analz (knows Spy evs); evs \ yahalom |] ==> A=A' & B=B'" by (blast dest!: A_trusts_YM3 dest: unique_session_keys Crypt_Spy_analz_bad) @@ -397,10 +397,10 @@ ==> Key K \ analz (knows Spy evs) --> K \ symKeys --> Crypt K (Nonce NB) \ parts (knows Spy evs) --> - Crypt (shrK B) {|Agent A, Agent B, Key K, Nonce NB|} + Crypt (shrK B) \Agent A, Agent B, Key K, Nonce NB\ \ parts (knows Spy evs) --> B \ bad --> - (\X. Says A B {|X, Crypt K (Nonce NB)|} \ set evs)" + (\X. Says A B \X, Crypt K (Nonce NB)\ \ set evs)" apply (erule yahalom.induct, force, frule_tac [6] YM4_parts_knows_Spy) apply (analz_mono_contra, simp_all) @@ -419,11 +419,11 @@ Moreover, A associates K with NB (thus is talking about the same run). Other premises guarantee secrecy of K.\ theorem YM4_imp_A_Said_YM3 [rule_format]: - "[| Gets B {|Crypt (shrK B) {|Agent A, Agent B, Key K, Nonce NB|}, - Crypt K (Nonce NB)|} \ set evs; - (\NA. Notes Spy {|Nonce NA, Nonce NB, Key K|} \ set evs); + "[| Gets B \Crypt (shrK B) \Agent A, Agent B, Key K, Nonce NB\, + Crypt K (Nonce NB)\ \ set evs; + (\NA. Notes Spy \Nonce NA, Nonce NB, Key K\ \ set evs); K \ symKeys; A \ bad; B \ bad; evs \ yahalom |] - ==> \X. Says A B {|X, Crypt K (Nonce NB)|} \ set evs" + ==> \X. Says A B \X, Crypt K (Nonce NB)\ \ set evs" by (blast intro: Auth_A_to_B_lemma dest: Spy_not_see_encrypted_key B_trusts_YM4_shrK) diff -r e96292f32c3c -r 38b73f7940af src/HOL/Auth/Yahalom_Bad.thy --- a/src/HOL/Auth/Yahalom_Bad.thy Mon Dec 28 21:47:32 2015 +0100 +++ b/src/HOL/Auth/Yahalom_Bad.thy Mon Dec 28 23:13:33 2015 +0100 @@ -31,34 +31,34 @@ (*Alice initiates a protocol run*) | YM1: "[| evs1 \ yahalom; Nonce NA \ used evs1 |] - ==> Says A B {|Agent A, Nonce NA|} # evs1 \ yahalom" + ==> Says A B \Agent A, Nonce NA\ # evs1 \ yahalom" (*Bob's response to Alice's message.*) | YM2: "[| evs2 \ yahalom; Nonce NB \ used evs2; - Gets B {|Agent A, Nonce NA|} \ set evs2 |] + Gets B \Agent A, Nonce NA\ \ set evs2 |] ==> Says B Server - {|Agent B, Nonce NB, Crypt (shrK B) {|Agent A, Nonce NA|}|} + \Agent B, Nonce NB, Crypt (shrK B) \Agent A, Nonce NA\\ # evs2 \ yahalom" (*The Server receives Bob's message. He responds by sending a new session key to Alice, with a packet for forwarding to Bob.*) | YM3: "[| evs3 \ yahalom; Key KAB \ used evs3; KAB \ symKeys; Gets Server - {|Agent B, Nonce NB, Crypt (shrK B) {|Agent A, Nonce NA|}|} + \Agent B, Nonce NB, Crypt (shrK B) \Agent A, Nonce NA\\ \ set evs3 |] ==> Says Server A - {|Crypt (shrK A) {|Agent B, Key KAB, Nonce NA, Nonce NB|}, - Crypt (shrK B) {|Agent A, Key KAB|}|} + \Crypt (shrK A) \Agent B, Key KAB, Nonce NA, Nonce NB\, + Crypt (shrK B) \Agent A, Key KAB\\ # evs3 \ yahalom" (*Alice receives the Server's (?) message, checks her Nonce, and uses the new session key to send Bob his Nonce. The premise A \ Server is needed to prove Says_Server_not_range.*) | YM4: "[| evs4 \ yahalom; A \ Server; K \ symKeys; - Gets A {|Crypt(shrK A) {|Agent B, Key K, Nonce NA, Nonce NB|}, X|} + Gets A \Crypt(shrK A) \Agent B, Key K, Nonce NA, Nonce NB\, X\ \ set evs4; - Says A B {|Agent A, Nonce NA|} \ set evs4 |] - ==> Says A B {|X, Crypt K (Nonce NB)|} # evs4 \ yahalom" + Says A B \Agent A, Nonce NA\ \ set evs4 |] + ==> Says A B \X, Crypt K (Nonce NB)\ # evs4 \ yahalom" declare Says_imp_knows_Spy [THEN analz.Inj, dest] @@ -70,7 +70,7 @@ text\A "possibility property": there are traces that reach the end\ lemma "[| A \ Server; Key K \ used []; K \ symKeys |] ==> \X NB. \evs \ yahalom. - Says A B {|X, Crypt K (Nonce NB)|} \ set evs" + Says A B \X, Crypt K (Nonce NB)\ \ set evs" apply (intro exI bexI) apply (rule_tac [2] yahalom.Nil [THEN yahalom.YM1, THEN yahalom.Reception, @@ -98,7 +98,7 @@ text\Lets us treat YM4 using a similar argument as for the Fake case.\ lemma YM4_analz_knows_Spy: - "[| Gets A {|Crypt (shrK A) Y, X|} \ set evs; evs \ yahalom |] + "[| Gets A \Crypt (shrK A) Y, X\ \ set evs; evs \ yahalom |] ==> X \ analz (knows Spy evs)" by blast @@ -168,9 +168,9 @@ text\The Key K uniquely identifies the Server's message.\ lemma unique_session_keys: "[| Says Server A - {|Crypt (shrK A) {|Agent B, Key K, na, nb|}, X|} \ set evs; + \Crypt (shrK A) \Agent B, Key K, na, nb\, X\ \ set evs; Says Server A' - {|Crypt (shrK A') {|Agent B', Key K, na', nb'|}, X'|} \ set evs; + \Crypt (shrK A') \Agent B', Key K, na', nb'\, X'\ \ set evs; evs \ yahalom |] ==> A=A' & B=B' & na=na' & nb=nb'" apply (erule rev_mp, erule rev_mp) @@ -184,8 +184,8 @@ lemma secrecy_lemma: "[| A \ bad; B \ bad; evs \ yahalom |] ==> Says Server A - {|Crypt (shrK A) {|Agent B, Key K, na, nb|}, - Crypt (shrK B) {|Agent A, Key K|}|} + \Crypt (shrK A) \Agent B, Key K, na, nb\, + Crypt (shrK B) \Agent A, Key K\\ \ set evs --> Key K \ analz (knows Spy evs)" apply (erule yahalom.induct, force, drule_tac [6] YM4_analz_knows_Spy) @@ -196,8 +196,8 @@ text\Final version\ lemma Spy_not_see_encrypted_key: "[| Says Server A - {|Crypt (shrK A) {|Agent B, Key K, na, nb|}, - Crypt (shrK B) {|Agent A, Key K|}|} + \Crypt (shrK A) \Agent B, Key K, na, nb\, + Crypt (shrK B) \Agent A, Key K\\ \ set evs; A \ bad; B \ bad; evs \ yahalom |] ==> Key K \ analz (knows Spy evs)" @@ -208,11 +208,11 @@ text\If the encrypted message appears then it originated with the Server\ lemma A_trusts_YM3: - "[| Crypt (shrK A) {|Agent B, Key K, na, nb|} \ parts (knows Spy evs); + "[| Crypt (shrK A) \Agent B, Key K, na, nb\ \ parts (knows Spy evs); A \ bad; evs \ yahalom |] ==> Says Server A - {|Crypt (shrK A) {|Agent B, Key K, na, nb|}, - Crypt (shrK B) {|Agent A, Key K|}|} + \Crypt (shrK A) \Agent B, Key K, na, nb\, + Crypt (shrK B) \Agent A, Key K\\ \ set evs" apply (erule rev_mp) apply (erule yahalom.induct, force, @@ -224,7 +224,7 @@ text\The obvious combination of \A_trusts_YM3\ with \Spy_not_see_encrypted_key\\ lemma A_gets_good_key: - "[| Crypt (shrK A) {|Agent B, Key K, na, nb|} \ parts (knows Spy evs); + "[| Crypt (shrK A) \Agent B, Key K, na, nb\ \ parts (knows Spy evs); A \ bad; B \ bad; evs \ yahalom |] ==> Key K \ analz (knows Spy evs)" by (blast dest!: A_trusts_YM3 Spy_not_see_encrypted_key) @@ -234,11 +234,11 @@ text\B knows, by the first part of A's message, that the Server distributed the key for A and B. But this part says nothing about nonces.\ lemma B_trusts_YM4_shrK: - "[| Crypt (shrK B) {|Agent A, Key K|} \ parts (knows Spy evs); + "[| Crypt (shrK B) \Agent A, Key K\ \ parts (knows Spy evs); B \ bad; evs \ yahalom |] ==> \NA NB. Says Server A - {|Crypt (shrK A) {|Agent B, Key K, Nonce NA, Nonce NB|}, - Crypt (shrK B) {|Agent A, Key K|}|} + \Crypt (shrK A) \Agent B, Key K, Nonce NA, Nonce NB\, + Crypt (shrK B) \Agent A, Key K\\ \ set evs" apply (erule rev_mp) apply (erule yahalom.induct, force, @@ -262,9 +262,9 @@ "[|Key K \ analz (knows Spy evs); evs \ yahalom|] ==> Crypt K (Nonce NB) \ parts (knows Spy evs) --> (\A B NA. Says Server A - {|Crypt (shrK A) {|Agent B, Key K, - Nonce NA, Nonce NB|}, - Crypt (shrK B) {|Agent A, Key K|}|} + \Crypt (shrK A) \Agent B, Key K, + Nonce NA, Nonce NB\, + Crypt (shrK B) \Agent A, Key K\\ \ set evs)" apply (erule rev_mp) apply (erule yahalom.induct, force, @@ -285,15 +285,15 @@ text\B's session key guarantee from YM4. The two certificates contribute to a single conclusion about the Server's message.\ lemma B_trusts_YM4: - "[| Gets B {|Crypt (shrK B) {|Agent A, Key K|}, - Crypt K (Nonce NB)|} \ set evs; + "[| Gets B \Crypt (shrK B) \Agent A, Key K\, + Crypt K (Nonce NB)\ \ set evs; Says B Server - {|Agent B, Nonce NB, Crypt (shrK B) {|Agent A, Nonce NA|}|} + \Agent B, Nonce NB, Crypt (shrK B) \Agent A, Nonce NA\\ \ set evs; A \ bad; B \ bad; evs \ yahalom |] ==> \na nb. Says Server A - {|Crypt (shrK A) {|Agent B, Key K, na, nb|}, - Crypt (shrK B) {|Agent A, Key K|}|} + \Crypt (shrK A) \Agent B, Key K, na, nb\, + Crypt (shrK B) \Agent A, Key K\\ \ set evs" by (blast dest: B_trusts_YM4_newK B_trusts_YM4_shrK Spy_not_see_encrypted_key unique_session_keys) @@ -302,10 +302,10 @@ text\The obvious combination of \B_trusts_YM4\ with \Spy_not_see_encrypted_key\\ lemma B_gets_good_key: - "[| Gets B {|Crypt (shrK B) {|Agent A, Key K|}, - Crypt K (Nonce NB)|} \ set evs; + "[| Gets B \Crypt (shrK B) \Agent A, Key K\, + Crypt K (Nonce NB)\ \ set evs; Says B Server - {|Agent B, Nonce NB, Crypt (shrK B) {|Agent A, Nonce NA|}|} + \Agent B, Nonce NB, Crypt (shrK B) \Agent A, Nonce NA\\ \ set evs; A \ bad; B \ bad; evs \ yahalom |] ==> Key K \ analz (knows Spy evs)" @@ -325,9 +325,9 @@ "evs \ yahalom ==> Key K \ analz (knows Spy evs) --> Crypt K (Nonce NB) \ parts (knows Spy evs) --> - Crypt (shrK B) {|Agent A, Key K|} \ parts (knows Spy evs) --> + Crypt (shrK B) \Agent A, Key K\ \ parts (knows Spy evs) --> B \ bad --> - (\X. Says A B {|X, Crypt K (Nonce NB)|} \ set evs)" + (\X. Says A B \X, Crypt K (Nonce NB)\ \ set evs)" apply (erule yahalom.induct, force, frule_tac [6] YM4_parts_knows_Spy) apply (analz_mono_contra, simp_all) @@ -349,13 +349,13 @@ Moreover, A associates K with NB (thus is talking about the same run). Other premises guarantee secrecy of K.\ lemma YM4_imp_A_Said_YM3 [rule_format]: - "[| Gets B {|Crypt (shrK B) {|Agent A, Key K|}, - Crypt K (Nonce NB)|} \ set evs; + "[| Gets B \Crypt (shrK B) \Agent A, Key K\, + Crypt K (Nonce NB)\ \ set evs; Says B Server - {|Agent B, Nonce NB, Crypt (shrK B) {|Agent A, Nonce NA|}|} + \Agent B, Nonce NB, Crypt (shrK B) \Agent A, Nonce NA\\ \ set evs; A \ bad; B \ bad; evs \ yahalom |] - ==> \X. Says A B {|X, Crypt K (Nonce NB)|} \ set evs" + ==> \X. Says A B \X, Crypt K (Nonce NB)\ \ set evs" by (blast intro!: A_Said_YM3_lemma dest: Spy_not_see_encrypted_key B_trusts_YM4 Gets_imp_Says) diff -r e96292f32c3c -r 38b73f7940af src/HOL/Auth/ZhouGollmann.thy --- a/src/HOL/Auth/ZhouGollmann.thy Mon Dec 28 21:47:32 2015 +0100 +++ b/src/HOL/Auth/ZhouGollmann.thy Mon Dec 28 23:13:33 2015 +0100 @@ -43,24 +43,24 @@ rather than to keep M secret.*) | ZG1: "[| evs1 \ zg; Nonce L \ used evs1; C = Crypt K (Number m); K \ symKeys; - NRO = Crypt (priK A) {|Number f_nro, Agent B, Nonce L, C|}|] - ==> Says A B {|Number f_nro, Agent B, Nonce L, C, NRO|} # evs1 \ zg" + NRO = Crypt (priK A) \Number f_nro, Agent B, Nonce L, C\|] + ==> Says A B \Number f_nro, Agent B, Nonce L, C, NRO\ # evs1 \ zg" (*B must check that NRO is A's signature to learn the sender's name*) | ZG2: "[| evs2 \ zg; - Gets B {|Number f_nro, Agent B, Nonce L, C, NRO|} \ set evs2; - NRO = Crypt (priK A) {|Number f_nro, Agent B, Nonce L, C|}; - NRR = Crypt (priK B) {|Number f_nrr, Agent A, Nonce L, C|}|] - ==> Says B A {|Number f_nrr, Agent A, Nonce L, NRR|} # evs2 \ zg" + Gets B \Number f_nro, Agent B, Nonce L, C, NRO\ \ set evs2; + NRO = Crypt (priK A) \Number f_nro, Agent B, Nonce L, C\; + NRR = Crypt (priK B) \Number f_nrr, Agent A, Nonce L, C\|] + ==> Says B A \Number f_nrr, Agent A, Nonce L, NRR\ # evs2 \ zg" (*A must check that NRR is B's signature to learn the sender's name; without spy, the matching label would be enough*) | ZG3: "[| evs3 \ zg; C = Crypt K M; K \ symKeys; - Says A B {|Number f_nro, Agent B, Nonce L, C, NRO|} \ set evs3; - Gets A {|Number f_nrr, Agent A, Nonce L, NRR|} \ set evs3; - NRR = Crypt (priK B) {|Number f_nrr, Agent A, Nonce L, C|}; - sub_K = Crypt (priK A) {|Number f_sub, Agent B, Nonce L, Key K|}|] - ==> Says A TTP {|Number f_sub, Agent B, Nonce L, Key K, sub_K|} + Says A B \Number f_nro, Agent B, Nonce L, C, NRO\ \ set evs3; + Gets A \Number f_nrr, Agent A, Nonce L, NRR\ \ set evs3; + NRR = Crypt (priK B) \Number f_nrr, Agent A, Nonce L, C\; + sub_K = Crypt (priK A) \Number f_sub, Agent B, Nonce L, Key K\|] + ==> Says A TTP \Number f_sub, Agent B, Nonce L, Key K, sub_K\ # evs3 \ zg" (*TTP checks that sub_K is A's signature to learn who issued K, then @@ -70,14 +70,14 @@ also allowing lemma @{text Crypt_used_imp_spies} to omit the condition @{term "K \ priK TTP"}. *) | ZG4: "[| evs4 \ zg; K \ symKeys; - Gets TTP {|Number f_sub, Agent B, Nonce L, Key K, sub_K|} + Gets TTP \Number f_sub, Agent B, Nonce L, Key K, sub_K\ \ set evs4; - sub_K = Crypt (priK A) {|Number f_sub, Agent B, Nonce L, Key K|}; - con_K = Crypt (priK TTP) {|Number f_con, Agent A, Agent B, - Nonce L, Key K|}|] + sub_K = Crypt (priK A) \Number f_sub, Agent B, Nonce L, Key K\; + con_K = Crypt (priK TTP) \Number f_con, Agent A, Agent B, + Nonce L, Key K\|] ==> Says TTP Spy con_K # - Notes TTP {|Number f_con, Agent A, Agent B, Nonce L, Key K, con_K|} + Notes TTP \Number f_con, Agent A, Agent B, Nonce L, Key K, con_K\ # evs4 \ zg" @@ -92,8 +92,8 @@ text\A "possibility property": there are traces that reach the end\ lemma "[|A \ B; TTP \ A; TTP \ B; K \ symKeys|] ==> \L. \evs \ zg. - Notes TTP {|Number f_con, Agent A, Agent B, Nonce L, Key K, - Crypt (priK TTP) {|Number f_con, Agent A, Agent B, Nonce L, Key K|} |} + Notes TTP \Number f_con, Agent A, Agent B, Nonce L, Key K, + Crypt (priK TTP) \Number f_con, Agent A, Agent B, Nonce L, Key K\\ \ set evs" apply (intro exI bexI) apply (rule_tac [2] zg.Nil @@ -128,18 +128,18 @@ done lemma Notes_TTP_imp_Gets: - "[|Notes TTP {|Number f_con, Agent A, Agent B, Nonce L, Key K, con_K |} + "[|Notes TTP \Number f_con, Agent A, Agent B, Nonce L, Key K, con_K\ \ set evs; - sub_K = Crypt (priK A) {|Number f_sub, Agent B, Nonce L, Key K|}; + sub_K = Crypt (priK A) \Number f_sub, Agent B, Nonce L, Key K\; evs \ zg|] - ==> Gets TTP {|Number f_sub, Agent B, Nonce L, Key K, sub_K|} \ set evs" + ==> Gets TTP \Number f_sub, Agent B, Nonce L, Key K, sub_K\ \ set evs" apply (erule rev_mp) apply (erule zg.induct, auto) done text\For reasoning about C, which is encrypted in message ZG2\ lemma ZG2_msg_in_parts_spies: - "[|Gets B {|F, B', L, C, X|} \ set evs; evs \ zg|] + "[|Gets B \F, B', L, C, X\ \ set evs; evs \ zg|] ==> C \ parts (spies evs)" by (blast dest: Gets_imp_Says) @@ -165,10 +165,10 @@ text\Strong conclusion for a good agent\ lemma NRO_validity_good: - "[|NRO = Crypt (priK A) {|Number f_nro, Agent B, Nonce L, C|}; + "[|NRO = Crypt (priK A) \Number f_nro, Agent B, Nonce L, C\; NRO \ parts (spies evs); A \ bad; evs \ zg |] - ==> Says A B {|Number f_nro, Agent B, Nonce L, C, NRO|} \ set evs" + ==> Says A B \Number f_nro, Agent B, Nonce L, C, NRO\ \ set evs" apply clarify apply (erule rev_mp) apply (erule zg.induct) @@ -176,7 +176,7 @@ done lemma NRO_sender: - "[|Says A' B {|n, b, l, C, Crypt (priK A) X|} \ set evs; evs \ zg|] + "[|Says A' B \n, b, l, C, Crypt (priK A) X\ \ set evs; evs \ zg|] ==> A' \ {A,Spy}" apply (erule rev_mp) apply (erule zg.induct, simp_all) @@ -184,10 +184,10 @@ text\Holds also for @{term "A = Spy"}!\ theorem NRO_validity: - "[|Gets B {|Number f_nro, Agent B, Nonce L, C, NRO|} \ set evs; - NRO = Crypt (priK A) {|Number f_nro, Agent B, Nonce L, C|}; + "[|Gets B \Number f_nro, Agent B, Nonce L, C, NRO\ \ set evs; + NRO = Crypt (priK A) \Number f_nro, Agent B, Nonce L, C\; A \ broken; evs \ zg |] - ==> Says A B {|Number f_nro, Agent B, Nonce L, C, NRO|} \ set evs" + ==> Says A B \Number f_nro, Agent B, Nonce L, C, NRO\ \ set evs" apply (drule Gets_imp_Says, assumption) apply clarify apply (frule NRO_sender, auto) @@ -205,10 +205,10 @@ text\Strong conclusion for a good agent\ lemma NRR_validity_good: - "[|NRR = Crypt (priK B) {|Number f_nrr, Agent A, Nonce L, C|}; + "[|NRR = Crypt (priK B) \Number f_nrr, Agent A, Nonce L, C\; NRR \ parts (spies evs); B \ bad; evs \ zg |] - ==> Says B A {|Number f_nrr, Agent A, Nonce L, NRR|} \ set evs" + ==> Says B A \Number f_nrr, Agent A, Nonce L, NRR\ \ set evs" apply clarify apply (erule rev_mp) apply (erule zg.induct) @@ -216,7 +216,7 @@ done lemma NRR_sender: - "[|Says B' A {|n, a, l, Crypt (priK B) X|} \ set evs; evs \ zg|] + "[|Says B' A \n, a, l, Crypt (priK B) X\ \ set evs; evs \ zg|] ==> B' \ {B,Spy}" apply (erule rev_mp) apply (erule zg.induct, simp_all) @@ -224,10 +224,10 @@ text\Holds also for @{term "B = Spy"}!\ theorem NRR_validity: - "[|Says B' A {|Number f_nrr, Agent A, Nonce L, NRR|} \ set evs; - NRR = Crypt (priK B) {|Number f_nrr, Agent A, Nonce L, C|}; + "[|Says B' A \Number f_nrr, Agent A, Nonce L, NRR\ \ set evs; + NRR = Crypt (priK B) \Number f_nrr, Agent A, Nonce L, C\; B \ broken; evs \ zg|] - ==> Says B A {|Number f_nrr, Agent A, Nonce L, NRR|} \ set evs" + ==> Says B A \Number f_nrr, Agent A, Nonce L, NRR\ \ set evs" apply clarify apply (frule NRR_sender, auto) txt\We are left with the case where @{term "B' = Spy"} and @{term "B' \ B"}, @@ -243,10 +243,10 @@ text\Strong conclusion for a good agent\ lemma sub_K_validity_good: - "[|sub_K = Crypt (priK A) {|Number f_sub, Agent B, Nonce L, Key K|}; + "[|sub_K = Crypt (priK A) \Number f_sub, Agent B, Nonce L, Key K\; sub_K \ parts (spies evs); A \ bad; evs \ zg |] - ==> Says A TTP {|Number f_sub, Agent B, Nonce L, Key K, sub_K|} \ set evs" + ==> Says A TTP \Number f_sub, Agent B, Nonce L, Key K, sub_K\ \ set evs" apply clarify apply (erule rev_mp) apply (erule zg.induct) @@ -256,7 +256,7 @@ done lemma sub_K_sender: - "[|Says A' TTP {|n, b, l, k, Crypt (priK A) X|} \ set evs; evs \ zg|] + "[|Says A' TTP \n, b, l, k, Crypt (priK A) X\ \ set evs; evs \ zg|] ==> A' \ {A,Spy}" apply (erule rev_mp) apply (erule zg.induct, simp_all) @@ -264,10 +264,10 @@ text\Holds also for @{term "A = Spy"}!\ theorem sub_K_validity: - "[|Gets TTP {|Number f_sub, Agent B, Nonce L, Key K, sub_K|} \ set evs; - sub_K = Crypt (priK A) {|Number f_sub, Agent B, Nonce L, Key K|}; + "[|Gets TTP \Number f_sub, Agent B, Nonce L, Key K, sub_K\ \ set evs; + sub_K = Crypt (priK A) \Number f_sub, Agent B, Nonce L, Key K\; A \ broken; evs \ zg |] - ==> Says A TTP {|Number f_sub, Agent B, Nonce L, Key K, sub_K|} \ set evs" + ==> Says A TTP \Number f_sub, Agent B, Nonce L, Key K, sub_K\ \ set evs" apply (drule Gets_imp_Says, assumption) apply clarify apply (frule sub_K_sender, auto) @@ -288,9 +288,9 @@ lemma con_K_validity: "[|con_K \ used evs; con_K = Crypt (priK TTP) - {|Number f_con, Agent A, Agent B, Nonce L, Key K|}; + \Number f_con, Agent A, Agent B, Nonce L, Key K\; evs \ zg |] - ==> Notes TTP {|Number f_con, Agent A, Agent B, Nonce L, Key K, con_K|} + ==> Notes TTP \Number f_con, Agent A, Agent B, Nonce L, Key K, con_K\ \ set evs" apply clarify apply (erule rev_mp) @@ -306,11 +306,11 @@ @{term sub_K}. We assume that @{term A} is not broken. Importantly, nothing needs to be assumed about the form of @{term con_K}!\ lemma Notes_TTP_imp_Says_A: - "[|Notes TTP {|Number f_con, Agent A, Agent B, Nonce L, Key K, con_K|} + "[|Notes TTP \Number f_con, Agent A, Agent B, Nonce L, Key K, con_K\ \ set evs; - sub_K = Crypt (priK A) {|Number f_sub, Agent B, Nonce L, Key K|}; + sub_K = Crypt (priK A) \Number f_sub, Agent B, Nonce L, Key K\; A \ broken; evs \ zg|] - ==> Says A TTP {|Number f_sub, Agent B, Nonce L, Key K, sub_K|} \ set evs" + ==> Says A TTP \Number f_sub, Agent B, Nonce L, Key K, sub_K\ \ set evs" apply clarify apply (erule rev_mp) apply (erule zg.induct) @@ -324,11 +324,11 @@ assume that @{term A} is not broken.\ theorem B_sub_K_validity: "[|con_K \ used evs; - con_K = Crypt (priK TTP) {|Number f_con, Agent A, Agent B, - Nonce L, Key K|}; - sub_K = Crypt (priK A) {|Number f_sub, Agent B, Nonce L, Key K|}; + con_K = Crypt (priK TTP) \Number f_con, Agent A, Agent B, + Nonce L, Key K\; + sub_K = Crypt (priK A) \Number f_sub, Agent B, Nonce L, Key K\; A \ broken; evs \ zg|] - ==> Says A TTP {|Number f_sub, Agent B, Nonce L, Key K, sub_K|} \ set evs" + ==> Says A TTP \Number f_sub, Agent B, Nonce L, Key K, sub_K\ \ set evs" by (blast dest: con_K_validity Notes_TTP_imp_Says_A) @@ -340,9 +340,9 @@ text\Strange: unicity of the label protects @{term A}?\ lemma A_unicity: - "[|NRO = Crypt (priK A) {|Number f_nro, Agent B, Nonce L, Crypt K M|}; + "[|NRO = Crypt (priK A) \Number f_nro, Agent B, Nonce L, Crypt K M\; NRO \ parts (spies evs); - Says A B {|Number f_nro, Agent B, Nonce L, Crypt K M', NRO'|} + Says A B \Number f_nro, Agent B, Nonce L, Crypt K M', NRO'\ \ set evs; A \ bad; evs \ zg |] ==> M'=M" @@ -359,13 +359,13 @@ text\Fairness lemma: if @{term sub_K} exists, then @{term A} holds NRR. Relies on unicity of labels.\ lemma sub_K_implies_NRR: - "[| NRO = Crypt (priK A) {|Number f_nro, Agent B, Nonce L, Crypt K M|}; - NRR = Crypt (priK B) {|Number f_nrr, Agent A, Nonce L, Crypt K M|}; + "[| NRO = Crypt (priK A) \Number f_nro, Agent B, Nonce L, Crypt K M\; + NRR = Crypt (priK B) \Number f_nrr, Agent A, Nonce L, Crypt K M\; sub_K \ parts (spies evs); NRO \ parts (spies evs); - sub_K = Crypt (priK A) {|Number f_sub, Agent B, Nonce L, Key K|}; + sub_K = Crypt (priK A) \Number f_sub, Agent B, Nonce L, Key K\; A \ bad; evs \ zg |] - ==> Gets A {|Number f_nrr, Agent A, Nonce L, NRR|} \ set evs" + ==> Gets A \Number f_nrr, Agent A, Nonce L, NRR\ \ set evs" apply clarify apply hypsubst_thin apply (erule rev_mp) @@ -382,7 +382,7 @@ lemma Crypt_used_imp_L_used: - "[| Crypt (priK TTP) {|F, A, B, L, K|} \ used evs; evs \ zg |] + "[| Crypt (priK TTP) \F, A, B, L, K\ \ used evs; evs \ zg |] ==> L \ used evs" apply (erule rev_mp) apply (erule zg.induct, auto) @@ -400,11 +400,11 @@ "[|con_K \ used evs; NRO \ parts (spies evs); con_K = Crypt (priK TTP) - {|Number f_con, Agent A, Agent B, Nonce L, Key K|}; - NRO = Crypt (priK A) {|Number f_nro, Agent B, Nonce L, Crypt K M|}; - NRR = Crypt (priK B) {|Number f_nrr, Agent A, Nonce L, Crypt K M|}; + \Number f_con, Agent A, Agent B, Nonce L, Key K\; + NRO = Crypt (priK A) \Number f_nro, Agent B, Nonce L, Crypt K M\; + NRR = Crypt (priK B) \Number f_nrr, Agent A, Nonce L, Crypt K M\; A \ bad; evs \ zg |] - ==> Gets A {|Number f_nrr, Agent A, Nonce L, NRR|} \ set evs" + ==> Gets A \Number f_nrr, Agent A, Nonce L, NRR\ \ set evs" apply clarify apply (erule rev_mp) apply (erule rev_mp) @@ -427,10 +427,10 @@ A}.\ theorem B_fairness_NRR: "[|NRR \ used evs; - NRR = Crypt (priK B) {|Number f_nrr, Agent A, Nonce L, C|}; - NRO = Crypt (priK A) {|Number f_nro, Agent B, Nonce L, C|}; + NRR = Crypt (priK B) \Number f_nrr, Agent A, Nonce L, C\; + NRO = Crypt (priK A) \Number f_nro, Agent B, Nonce L, C\; B \ bad; evs \ zg |] - ==> Gets B {|Number f_nro, Agent B, Nonce L, C, NRO|} \ set evs" + ==> Gets B \Number f_nro, Agent B, Nonce L, C, NRO\ \ set evs" apply clarify apply (erule rev_mp) apply (erule zg.induct) diff -r e96292f32c3c -r 38b73f7940af src/HOL/UNITY/Simple/NSP_Bad.thy --- a/src/HOL/UNITY/Simple/NSP_Bad.thy Mon Dec 28 21:47:32 2015 +0100 +++ b/src/HOL/UNITY/Simple/NSP_Bad.thy Mon Dec 28 23:13:33 2015 +0100 @@ -33,7 +33,7 @@ NS1 :: "(state*state) set" where "NS1 = {(s1,s'). \A1 B NA. - s' = Says A1 B (Crypt (pubK B) {|Nonce NA, Agent A1|}) # s1 + s' = Says A1 B (Crypt (pubK B) \Nonce NA, Agent A1\) # s1 & Nonce NA \ used s1}" (*Bob responds to Alice's message with a further nonce*) @@ -41,8 +41,8 @@ NS2 :: "(state*state) set" where "NS2 = {(s2,s'). \A' A2 B NA NB. - s' = Says B A2 (Crypt (pubK A2) {|Nonce NA, Nonce NB|}) # s2 - & Says A' B (Crypt (pubK B) {|Nonce NA, Agent A2|}) \ set s2 + s' = Says B A2 (Crypt (pubK A2) \Nonce NA, Nonce NB\) # s2 + & Says A' B (Crypt (pubK B) \Nonce NA, Agent A2\) \ set s2 & Nonce NB \ used s2}" (*Alice proves her existence by sending NB back to Bob.*) @@ -51,8 +51,8 @@ where "NS3 = {(s3,s'). \A3 B' B NA NB. s' = Says A3 B (Crypt (pubK B) (Nonce NB)) # s3 - & Says A3 B (Crypt (pubK B) {|Nonce NA, Agent A3|}) \ set s3 - & Says B' A3 (Crypt (pubK A3) {|Nonce NA, Nonce NB|}) \ set s3}" + & Says A3 B (Crypt (pubK B) \Nonce NA, Agent A3\) \ set s3 + & Says B' A3 (Crypt (pubK A3) \Nonce NA, Nonce NB\) \ set s3}" definition Nprg :: "state program" where @@ -151,8 +151,8 @@ nonce is secret. (Honest users generate fresh nonces.)*} lemma no_nonce_NS1_NS2: "Nprg - \ Always {s. Crypt (pubK C) {|NA', Nonce NA|} \ parts (spies s) --> - Crypt (pubK B) {|Nonce NA, Agent A|} \ parts (spies s) --> + \ Always {s. Crypt (pubK C) \NA', Nonce NA\ \ parts (spies s) --> + Crypt (pubK B) \Nonce NA, Agent A\ \ parts (spies s) --> Nonce NA \ analz (spies s)}" apply ns_induct apply (blast intro: analz_insertI)+ @@ -167,8 +167,8 @@ lemma unique_NA_lemma: "Nprg \ Always {s. Nonce NA \ analz (spies s) --> - Crypt(pubK B) {|Nonce NA, Agent A|} \ parts(spies s) --> - Crypt(pubK B') {|Nonce NA, Agent A'|} \ parts(spies s) --> + Crypt(pubK B) \Nonce NA, Agent A\ \ parts(spies s) --> + Crypt(pubK B') \Nonce NA, Agent A'\ \ parts(spies s) --> A=A' & B=B'}" apply ns_induct apply auto @@ -177,8 +177,8 @@ text{*Unicity for NS1: nonce NA identifies agents A and B*} lemma unique_NA: - "[| Crypt(pubK B) {|Nonce NA, Agent A|} \ parts(spies s); - Crypt(pubK B') {|Nonce NA, Agent A'|} \ parts(spies s); + "[| Crypt(pubK B) \Nonce NA, Agent A\ \ parts(spies s); + Crypt(pubK B') \Nonce NA, Agent A'\ \ parts(spies s); Nonce NA \ analz (spies s); s \ reachable Nprg |] ==> A=A' & B=B'" @@ -189,7 +189,7 @@ lemma Spy_not_see_NA: "[| A \ bad; B \ bad |] ==> Nprg \ Always - {s. Says A B (Crypt(pubK B) {|Nonce NA, Agent A|}) \ set s + {s. Says A B (Crypt(pubK B) \Nonce NA, Agent A\) \ set s --> Nonce NA \ analz (spies s)}" apply ns_induct txt{*NS3*} @@ -208,9 +208,9 @@ lemma A_trusts_NS2: "[| A \ bad; B \ bad |] ==> Nprg \ Always - {s. Says A B (Crypt(pubK B) {|Nonce NA, Agent A|}) \ set s & - Crypt(pubK A) {|Nonce NA, Nonce NB|} \ parts (knows Spy s) - --> Says B A (Crypt(pubK A) {|Nonce NA, Nonce NB|}) \ set s}" + {s. Says A B (Crypt(pubK B) \Nonce NA, Agent A\) \ set s & + Crypt(pubK A) \Nonce NA, Nonce NB\ \ parts (knows Spy s) + --> Says B A (Crypt(pubK A) \Nonce NA, Nonce NB\) \ set s}" (*insert an invariant for use in some of the subgoals*) apply (insert Spy_not_see_NA [of A B NA], simp, ns_induct) apply (auto dest: unique_NA) @@ -221,8 +221,8 @@ lemma B_trusts_NS1: "Nprg \ Always {s. Nonce NA \ analz (spies s) --> - Crypt (pubK B) {|Nonce NA, Agent A|} \ parts (spies s) - --> Says A B (Crypt (pubK B) {|Nonce NA, Agent A|}) \ set s}" + Crypt (pubK B) \Nonce NA, Agent A\ \ parts (spies s) + --> Says A B (Crypt (pubK B) \Nonce NA, Agent A\) \ set s}" apply ns_induct apply blast done @@ -235,8 +235,8 @@ lemma unique_NB_lemma: "Nprg \ Always {s. Nonce NB \ analz (spies s) --> - Crypt (pubK A) {|Nonce NA, Nonce NB|} \ parts (spies s) --> - Crypt(pubK A'){|Nonce NA', Nonce NB|} \ parts(spies s) --> + Crypt (pubK A) \Nonce NA, Nonce NB\ \ parts (spies s) --> + Crypt(pubK A') \Nonce NA', Nonce NB\ \ parts(spies s) --> A=A' & NA=NA'}" apply ns_induct apply auto @@ -244,8 +244,8 @@ done lemma unique_NB: - "[| Crypt(pubK A) {|Nonce NA, Nonce NB|} \ parts(spies s); - Crypt(pubK A'){|Nonce NA', Nonce NB|} \ parts(spies s); + "[| Crypt(pubK A) \Nonce NA, Nonce NB\ \ parts(spies s); + Crypt(pubK A') \Nonce NA', Nonce NB\ \ parts(spies s); Nonce NB \ analz (spies s); s \ reachable Nprg |] ==> A=A' & NA=NA'" @@ -257,7 +257,7 @@ lemma Spy_not_see_NB: "[| A \ bad; B \ bad |] ==> Nprg \ Always - {s. Says B A (Crypt (pubK A) {|Nonce NA, Nonce NB|}) \ set s & + {s. Says B A (Crypt (pubK A) \Nonce NA, Nonce NB\) \ set s & (ALL C. Says A C (Crypt (pubK C) (Nonce NB)) \ set s) --> Nonce NB \ analz (spies s)}" apply ns_induct @@ -280,7 +280,7 @@ "[| A \ bad; B \ bad |] ==> Nprg \ Always {s. Crypt (pubK B) (Nonce NB) \ parts (spies s) & - Says B A (Crypt (pubK A) {|Nonce NA, Nonce NB|}) \ set s + Says B A (Crypt (pubK A) \Nonce NA, Nonce NB\) \ set s --> (\C. Says A C (Crypt (pubK C) (Nonce NB)) \ set s)}" (*insert an invariant for use in some of the subgoals*) apply (insert Spy_not_see_NB [of A B NA NB], simp, ns_induct) @@ -294,7 +294,7 @@ text{*Can we strengthen the secrecy theorem? NO*} lemma "[| A \ bad; B \ bad |] ==> Nprg \ Always - {s. Says B A (Crypt (pubK A) {|Nonce NA, Nonce NB|}) \ set s + {s. Says B A (Crypt (pubK A) \Nonce NA, Nonce NB\) \ set s --> Nonce NB \ analz (spies s)}" apply ns_induct apply auto @@ -317,13 +317,13 @@ [| A \ bad; B \ bad |] ==> Nprg \ Always - {s. Says B A (Crypt (pubK A) {|Nonce NA, Nonce NB|}) \ set s --> + {s. Says B A (Crypt (pubK A) \Nonce NA, Nonce NB\) \ set s --> Nonce NB \ analz (knows Spy s)} 1. !!s B' C. [| A \ bad; B \ bad; s \ reachable Nprg - Says A C (Crypt (pubK C) {|Nonce NA, Agent A|}) \ set s; - Says B' A (Crypt (pubK A) {|Nonce NA, Nonce NB|}) \ set s; - C \ bad; Says B A (Crypt (pubK A) {|Nonce NA, Nonce NB|}) \ set s; + Says A C (Crypt (pubK C) \Nonce NA, Agent A\) \ set s; + Says B' A (Crypt (pubK A) \Nonce NA, Nonce NB\) \ set s; + C \ bad; Says B A (Crypt (pubK A) \Nonce NA, Nonce NB\) \ set s; Nonce NB \ analz (knows Spy s) |] ==> False *)