section‹Bella's modification of the Shoup-Rubin protocol›
theory ShoupRubinBella imports Smartcard begin
text‹The modifications are that message 7 now mentions A, while message 10
mentions Nb and B. The lack of explicitness of the original version was
by investigating adherence to the principle of Goal
. Only the updated version makes the goals of confidentiality,
and key distribution available to both peers.›
axiomatization sesK :: "nat*key => key" where (*sesK is injective on each component*)
inj_sesK [iff]: "(sesK(m,k) = sesK(m',k')) = (m = m' ∧ k = k')"and
(*all long-term keys differ from sesK*)
shrK_disj_sesK [iff]: "shrK A ≠ sesK(m,pk)"and
crdK_disj_sesK [iff]: "crdK C ≠ sesK(m,pk)"and
pin_disj_sesK [iff]: "pin P ≠ sesK(m,pk)"and
pairK_disj_sesK[iff]: "pairK(A,B) ≠ sesK(m,pk)"and
(*needed for base case in analz_image_freshK*)
Atomic_distrib [iff]: "Atomic`(KEY`K ∪ NONCE`N) = Atomic`(KEY`K) ∪ Atomic`(NONCE`N)"and
(*this protocol makes the assumption of secure means
between each agent and his smartcard*)
shouprubin_assumes_securemeans [iff]: "evs ∈ srb ==> secureM"
definition Unique :: "[event, event list] => bool" (‹Unique _ on _›) where "Unique ev on evs == ev ∉ set (tl (dropWhile (% z. z ≠ ev) evs))"
inductive_set srb :: "event list set" where
Nil: "[]∈ srb"
| Fake: "[ evsF ∈ srb; X ∈ synth (analz (knows Spy evsF)); illegalUse(Card B) ] ==> Says Spy A X # Inputs Spy (Card B) X # evsF ∈ srb"
(*In general this rule causes the assumption Card B \<notin> cloned inmostguaranteesforB-startingwithconfidentiality-
otherwise pairK_confidential could not apply*)
| Forge: "[ evsFo ∈ srb; Nonce Nb ∈ analz (knows Spy evsFo); Key (pairK(A,B)) ∈ knows Spy evsFo ] ==> Notes Spy (Key (sesK(Nb,pairK(A,B)))) # evsFo ∈ srb"
| Reception: "[ evsrb∈ srb; Says A B X ∈ set evsrb ] ==> Gets B X # evsrb ∈ srb"
(*A AND THE SERVER*)
| SR_U1: "[ evs1 ∈ srb; A ≠ Server ] ==> Says A Server {Agent A, Agent B} # evs1 ∈ srb"
| SR_U2: "[ evs2 ∈ srb; Gets Server {Agent A, Agent B}∈ set evs2 ] ==> Says Server A {Nonce (Pairkey(A,B)), Crypt (shrK A) {Nonce (Pairkey(A,B)), Agent B} } # evs2 ∈ srb"
(*A AND HER CARD*) (*A cannot decrypt the verifier for she dosn't know shrK A,
but the pairkey is recognisable*)
| SR_U3: "[ evs3 ∈ srb; legalUse(Card A); Says A Server {Agent A, Agent B}∈ set evs3; Gets A {Nonce Pk, Certificate}∈ set evs3 ] ==> Inputs A (Card A) (Agent A) # evs3 ∈ srb"(*however A only queries her card ifshehaspreviouslycontactedtheservertoinitiatewithsomeB. OtherwiseshewoulddosoeveniftheServerhadnotbeenactive. Still,thisdoesn'tandcan'tmeanthatthepairkeyoriginatedwith
the server*)
(*The card outputs the nonce Na to A*)
| SR_U4: "[ evs4 ∈ srb; Nonce Na ∉ used evs4; legalUse(Card A); A ≠ Server; Inputs A (Card A) (Agent A) ∈ set evs4 ] ==> Outpts (Card A) A {Nonce Na, Crypt (crdK (Card A)) (Nonce Na)} # evs4 ∈ srb"
(*The card can be exploited by the spy*) (*because of the assumptions on the card, A is certainly not server nor spy*)
| SR_U4Fake: "[ evs4F ∈ srb; Nonce Na ∉ used evs4F; illegalUse(Card A); Inputs Spy (Card A) (Agent A) ∈ set evs4F ] ==> Outpts (Card A) Spy {Nonce Na, Crypt (crdK (Card A)) (Nonce Na)} # evs4F ∈ srb"
(*A TOWARDS B*)
| SR_U5: "[ evs5 ∈ srb; Outpts (Card A) A {Nonce Na, Certificate}∈ set evs5; ∀ p q. Certificate ≠{p, q}] ==> Says A B {Agent A, Nonce Na} # evs5 ∈ srb" (*A must check that the verifier is not a compound message,
otherwise this would also fire after SR_U7 *)
(*B AND HIS CARD*)
| SR_U6: "[ evs6 ∈ srb; legalUse(Card B); Gets B {Agent A, Nonce Na}∈ set evs6 ] ==> Inputs B (Card B) {Agent A, Nonce Na} # evs6 ∈ srb" (*B gets back from the card the session key and various verifiers*)
| SR_U7: "[ evs7 ∈ srb; Nonce Nb ∉ used evs7; legalUse(Card B); B ≠ Server; K = sesK(Nb,pairK(A,B)); Key K ∉ used evs7; Inputs B (Card B) {Agent A, Nonce Na}∈ set evs7] ==> Outpts (Card B) B {Nonce Nb, Agent A, Key K, Crypt (pairK(A,B)) {Nonce Na, Nonce Nb}, Crypt (pairK(A,B)) (Nonce Nb)} # evs7 ∈ srb" (*The card can be exploited by the spy*) (*because of the assumptions on the card, A is certainly not server nor spy*)
| SR_U7Fake: "[ evs7F ∈ srb; Nonce Nb ∉ used evs7F; illegalUse(Card B); K = sesK(Nb,pairK(A,B)); Key K ∉ used evs7F; Inputs Spy (Card B) {Agent A, Nonce Na}∈ set evs7F ] ==> Outpts (Card B) Spy {Nonce Nb, Agent A, Key K, Crypt (pairK(A,B)) {Nonce Na, Nonce Nb}, Crypt (pairK(A,B)) (Nonce Nb)} # evs7F ∈ srb"
(*B TOWARDS A*) (*having sent an input that mentions A is the only memory B relies on,
since the output doesn't mention A - lack of explicitness*)
| SR_U8: "[ evs8 ∈ srb; Inputs B (Card B) {Agent A, Nonce Na}∈ set evs8; Outpts (Card B) B {Nonce Nb, Agent A, Key K, Cert1, Cert2}∈ set evs8 ] ==> Says B A {Nonce Nb, Cert1} # evs8 ∈ srb"
(*A AND HER CARD*) (*A cannot check the form of the verifiers - although I can prove the form of
Cert2 - and just feeds her card with what she's got*)
| SR_U9: "[ evs9 ∈ srb; legalUse(Card A); Gets A {Nonce Pk, Cert1}∈ set evs9; Outpts (Card A) A {Nonce Na, Cert2}∈ set evs9; Gets A {Nonce Nb, Cert3}∈ set evs9; ∀ p q. Cert2 ≠{p, q}] ==> Inputs A (Card A) {Agent B, Nonce Na, Nonce Nb, Nonce Pk, Cert1, Cert3, Cert2} # evs9 ∈ srb" (*But the card will only give outputs to the inputs of the correct form*)
| SR_U10: "[ evs10 ∈ srb; legalUse(Card A); A ≠ Server; K = sesK(Nb,pairK(A,B)); Inputs A (Card A) {Agent B, Nonce Na, Nonce Nb, Nonce (Pairkey(A,B)), Crypt (shrK A) {Nonce (Pairkey(A,B)), Agent B}, Crypt (pairK(A,B)) {Nonce Na, Nonce Nb}, Crypt (crdK (Card A)) (Nonce Na)} ∈ set evs10 ] ==> Outpts (Card A) A {Agent B, Nonce Nb, Key K, Crypt (pairK(A,B)) (Nonce Nb)} # evs10 ∈ srb" (*The card can be exploited by the spy*) (*because of the assumptions on the card, A is certainly not server nor spy*)
| SR_U10Fake: "[ evs10F ∈ srb; illegalUse(Card A); K = sesK(Nb,pairK(A,B)); Inputs Spy (Card A) {Agent B, Nonce Na, Nonce Nb, Nonce (Pairkey(A,B)), Crypt (shrK A) {Nonce (Pairkey(A,B)), Agent B}, Crypt (pairK(A,B)) {Nonce Na, Nonce Nb}, Crypt (crdK (Card A)) (Nonce Na)} ∈ set evs10F ] ==> Outpts (Card A) Spy {Agent B, Nonce Nb, Key K, Crypt (pairK(A,B)) (Nonce Nb)} # evs10F ∈ srb"
(*A TOWARDS B*) (*having initiated with B is the only memory A relies on,
since the output doesn't mention B - lack of explicitness*)
| SR_U11: "[ evs11 ∈ srb; Says A Server {Agent A, Agent B}∈ set evs11; Outpts (Card A) A {Agent B, Nonce Nb, Key K, Certificate} ∈ set evs11 ] ==> Says A B (Certificate) # evs11 ∈ srb"
(*Both peers may leak by accident the session keys obtained from their
cards*)
| Oops1: "[ evsO1 ∈ srb; Outpts (Card B) B {Nonce Nb, Agent A, Key K, Cert1, Cert2} ∈ set evsO1 ] ==> Notes Spy {Key K, Nonce Nb, Agent A, Agent B} # evsO1 ∈ srb"
| Oops2: "[ evsO2 ∈ srb; Outpts (Card A) A {Agent B, Nonce Nb, Key K, Certificate} ∈ set evsO2 ] ==> Notes Spy {Key K, Nonce Nb, Agent A, Agent B} # evsO2 ∈ srb"
(*To solve Fake case when it doesn't involve analz - used to be condensed
into Fake_parts_insert_tac*) declare Fake_parts_insert_in_Un [dest] declare analz_into_parts [dest] (*declare parts_insertI [intro]*)
(*General facts about message reception*) lemma Gets_imp_Says: "[ Gets B X ∈ set evs; evs ∈ srb ]==>∃ A. Says A B X ∈ set evs" apply (erule rev_mp, erule srb.induct) apply auto done
lemma Gets_imp_knows_Spy: "[ Gets B X ∈ set evs; evs ∈ srb ]==> X ∈ knows Spy evs" apply (blast dest!: Gets_imp_Says Says_imp_knows_Spy) done
lemma Gets_imp_knows_Spy_parts_Snd: "[ Gets B {X, Y}∈ set evs; evs ∈ srb ]==> Y ∈ parts (knows Spy evs)" apply (blast dest!: Gets_imp_Says Says_imp_knows_Spy parts.Inj parts.Snd) done
lemma Gets_imp_knows_Spy_analz_Snd: "[ Gets B {X, Y}∈ set evs; evs ∈ srb ]==> Y ∈ analz (knows Spy evs)" apply (blast dest!: Gets_imp_Says Says_imp_knows_Spy analz.Inj analz.Snd) done
(*end general facts*)
(*Begin lemmas on secure means, from Event.thy, proved for shouprubin. They help
the simplifier, especially in analz_image_freshK*)
lemma Inputs_imp_knows_Spy_secureM_srb: "[ Inputs Spy C X ∈ set evs; evs ∈ srb ]==> X ∈ knows Spy evs" apply (simp (no_asm_simp) add: Inputs_imp_knows_Spy_secureM) done
lemma knows_Spy_Inputs_secureM_srb_Spy: "evs ∈srb ==> knows Spy (Inputs Spy C X # evs) = insert X (knows Spy evs)" apply (simp (no_asm_simp)) done
lemma knows_Spy_Inputs_secureM_srb: "[ A ≠ Spy; evs ∈srb ]==> knows Spy (Inputs A C X # evs) = knows Spy evs" apply (simp (no_asm_simp)) done
lemma knows_Spy_Outpts_secureM_srb_Spy: "evs ∈srb ==> knows Spy (Outpts C Spy X # evs) = insert X (knows Spy evs)" apply (simp (no_asm_simp)) done
lemma knows_Spy_Outpts_secureM_srb: "[ A ≠ Spy; evs ∈srb ]==> knows Spy (Outpts C A X # evs) = knows Spy evs" apply (simp (no_asm_simp)) done
(*End lemmas on secure means for shouprubin*)
(*BEGIN technical lemmas - evolution of forwarding lemmas*)
(*If an honest agent uses a smart card, then the card is his/her own, is notstolen,andtheagenthasreceivedsuitabledatatofeedthecard. Inotherwords,theseareguaranteesthatanhonestagentcanonlyuse his/herowncard,andmustuseitcorrectly. Onthecontrary,thespycan"Inputs"anyclonedcardsalsobytheFakerule.
InsteadofAuto_tac,proofshereusedtoasm-simplifyandthenforce-tac.
*) lemma Inputs_A_Card_3: "[ Inputs A C (Agent A) ∈ set evs; A ≠ Spy; evs ∈ srb ] ==> legalUse(C) ∧ C = (Card A) ∧ (∃ Pk Certificate. Gets A {Pk, Certificate}∈ set evs)" apply (erule rev_mp, erule srb.induct) apply auto done
lemma Inputs_B_Card_6: "[ Inputs B C {Agent A, Nonce Na}∈ set evs; B ≠ Spy; evs ∈ srb ] ==> legalUse(C) ∧ C = (Card B) ∧ Gets B {Agent A, Nonce Na}∈ set evs" apply (erule rev_mp, erule srb.induct) apply auto done
lemma Inputs_A_Card_9: "[ Inputs A C {Agent B, Nonce Na, Nonce Nb, Nonce Pk, Cert1, Cert2, Cert3}∈ set evs; A ≠ Spy; evs ∈ srb ] ==> legalUse(C) ∧ C = (Card A) ∧ Gets A {Nonce Pk, Cert1}∈ set evs ∧ Outpts (Card A) A {Nonce Na, Cert3}∈ set evs ∧ Gets A {Nonce Nb, Cert2}∈ set evs" apply (erule rev_mp, erule srb.induct) apply auto done
(*The two occurrences of A in the Outpts event don't match SR_U4Fake, where
A cannot be the Spy. Hence the card is legally usable by rule SR_U4*) lemma Outpts_A_Card_4: "[ Outpts C A {Nonce Na, (Crypt (crdK (Card A)) (Nonce Na))}∈ set evs; evs ∈ srb ] ==> legalUse(C) ∧ C = (Card A) ∧ Inputs A (Card A) (Agent A) ∈ set evs" apply (erule rev_mp, erule srb.induct) apply auto done
(*First certificate is made explicit so that a comment similar to the previous
applies. This also provides Na to the Inputs event in the conclusion*) lemma Outpts_B_Card_7: "[ Outpts C B {Nonce Nb, Agent A, Key K, Crypt (pairK(A,B)) {Nonce Na, Nonce Nb}, Cert2}∈ set evs; evs ∈ srb ] ==> legalUse(C) ∧ C = (Card B) ∧ Inputs B (Card B) {Agent A, Nonce Na}∈ set evs" apply (erule rev_mp, erule srb.induct) apply auto done
lemma Outpts_A_Card_10: "[ Outpts C A {Agent B, Nonce Nb, Key K, (Crypt (pairK(A,B)) (Nonce Nb))}∈ set evs; evs ∈ srb ] ==> legalUse(C) ∧ C = (Card A) ∧ (∃ Na Ver1 Ver2 Ver3. Inputs A (Card A) {Agent B, Nonce Na, Nonce Nb, Nonce (Pairkey(A,B)), Ver1, Ver2, Ver3}∈ set evs)" apply (erule rev_mp, erule srb.induct) apply auto done
(* Contrarilytooriginalversion,Adoesn'tneedtochecktheformofthe certificatetolearnthatherpeerisB.ThegoalisavailabletoA.
*) lemma Outpts_A_Card_10_imp_Inputs: "[ Outpts (Card A) A {Agent B, Nonce Nb, Key K, Certificate} ∈ set evs; evs ∈ srb ] ==> (∃ Na Ver1 Ver2 Ver3. Inputs A (Card A) {Agent B, Nonce Na, Nonce Nb, Nonce (Pairkey(A,B)), Ver1, Ver2, Ver3}∈ set evs)" apply (erule rev_mp, erule srb.induct) apply simp_all apply blast+ done
(*Weaker version: if the agent can't check the forms of the verifiers, then theagentmustnotbethespysoastosolveSR_U4Fake.Theverifiermustbe recognisedassomecyphertexinordertodistinguishfromcaseSR_U7, concerningB'soutput,whichalsobeginswithanonce.
*) lemma Outpts_honest_A_Card_4: "[ Outpts C A {Nonce Na, Crypt K X}∈set evs; A ≠ Spy; evs ∈ srb ] ==> legalUse(C) ∧ C = (Card A) ∧ Inputs A (Card A) (Agent A) ∈ set evs" apply (erule rev_mp, erule srb.induct) apply auto done
(*alternative formulation of same theorem Goal"\<lbrakk>OutptsCA\<lbrace>NonceNa,Certificate\<rbrace>\<in>setevs; \<forall>pq.Certificate\<noteq>\<lbrace>p,q\<rbrace>; A\<noteq>Spy;evs\<in>srb\<rbrakk> \<Longrightarrow>legalUse(C)\<and>C=(CardA)\<and> InputsA(CardA)(AgentA)\<in>setevs" sameproof
*)
lemma Outpts_honest_B_Card_7: "[ Outpts C B {Nonce Nb, Agent A, Key K, Cert1, Cert2}∈ set evs; B ≠ Spy; evs ∈ srb ] ==> legalUse(C) ∧ C = (Card B) ∧ (∃ Na. Inputs B (Card B) {Agent A, Nonce Na}∈ set evs)" apply (erule rev_mp, erule srb.induct) apply auto done
lemma Outpts_honest_A_Card_10: "[ Outpts C A {Agent B, Nonce Nb, Key K, Certificate}∈ set evs; A ≠ Spy; evs ∈ srb ] ==> legalUse (C) ∧ C = (Card A) ∧ (∃ Na Pk Ver1 Ver2 Ver3. Inputs A (Card A) {Agent B, Nonce Na, Nonce Nb, Pk, Ver1, Ver2, Ver3}∈ set evs)" apply (erule rev_mp, erule srb.induct) apply simp_all apply blast+ done (*-END-*)
(*Even weaker versions: if the agent can't check the forms of the verifiers andtheagentmaybethespy,thenwemustknowwhatcardtheagent isgettingtheoutputfrom.
*) lemma Outpts_which_Card_4: "[ Outpts (Card A) A {Nonce Na, Crypt K X}∈ set evs; evs ∈ srb ] ==> Inputs A (Card A) (Agent A) ∈ set evs" apply (erule rev_mp, erule srb.induct) apply (simp_all (no_asm_simp)) apply clarify done
lemma Outpts_which_Card_7: "[ Outpts (Card B) B {Nonce Nb, Agent A, Key K, Cert1, Cert2} ∈ set evs; evs ∈ srb ] ==>∃ Na. Inputs B (Card B) {Agent A, Nonce Na}∈ set evs" apply (erule rev_mp, erule srb.induct) apply auto done
(*This goal is now available - in the sense of Goal Availability*) lemma Outpts_which_Card_10: "[ Outpts (Card A) A {Agent B, Nonce Nb, Key K, Certificate }∈ set evs; evs ∈ srb ] ==>∃ Na. Inputs A (Card A) {Agent B, Nonce Na, Nonce Nb, Nonce (Pairkey(A,B)), Crypt (shrK A) {Nonce (Pairkey(A,B)), Agent B}, Crypt (pairK(A,B)) {Nonce Na, Nonce Nb}, Crypt (crdK (Card A)) (Nonce Na) }∈ set evs" apply (erule rev_mp, erule srb.induct) apply auto done
(*Lemmas on the form of outputs*)
(*A needs to check that the verifier is a cipher for it to come from SR_U4
otherwise it could come from SR_U7 *) lemma Outpts_A_Card_form_4: "[ Outpts (Card A) A {Nonce Na, Certificate}∈ set evs; ∀ p q. Certificate ≠{p, q}; evs ∈ srb ] ==> Certificate = (Crypt (crdK (Card A)) (Nonce Na))" apply (erule rev_mp, erule srb.induct) apply (simp_all (no_asm_simp)) done
lemma Outpts_B_Card_form_7: "[ Outpts (Card B) B {Nonce Nb, Agent A, Key K, Cert1, Cert2} ∈ set evs; evs ∈ srb ] ==>∃ Na. K = sesK(Nb,pairK(A,B)) ∧ Cert1 = (Crypt (pairK(A,B)) {Nonce Na, Nonce Nb}) ∧ Cert2 = (Crypt (pairK(A,B)) (Nonce Nb))" apply (erule rev_mp, erule srb.induct) apply auto done
lemma Outpts_A_Card_form_bis: "[ Outpts (Card A') A' {Agent B', Nonce Nb', Key (sesK(Nb,pairK(A,B))), Certificate}∈ set evs; evs ∈ srb ] ==> A' = A ∧ B' = B ∧ Nb = Nb' ∧ Certificate = (Crypt (pairK(A,B)) (Nonce Nb))" apply (erule rev_mp, erule srb.induct) apply (simp_all (no_asm_simp)) done
(*\<dots> and Inputs *)
lemma Inputs_A_Card_form_9:
"[ Inputs A (Card A) {Agent B, Nonce Na, Nonce Nb, Nonce Pk, Cert1, Cert2, Cert3}∈ set evs; evs ∈ srb ] ==> Cert3 = Crypt (crdK (Card A)) (Nonce Na)" apply (erule rev_mp) apply (erule srb.induct) apply (simp_all (no_asm_simp)) (*Fake*) apply force (*SR_U9*) apply (blast dest!: Outpts_A_Card_form_4) done (* Pk, Cert1, Cert2 cannot be made explicit because they traversed the network in the clear *)
(*General guarantees on Inputs and Outpts*)
(*for any agents*)
lemma Inputs_Card_legalUse: "[ Inputs A (Card A) X ∈ set evs; evs ∈ srb ]==> legalUse(Card A)" apply (erule rev_mp, erule srb.induct) apply auto done
lemma Outpts_Card_legalUse: "[ Outpts (Card A) A X ∈ set evs; evs ∈ srb ]==> legalUse(Card A)" apply (erule rev_mp, erule srb.induct) apply auto done
(*for honest agents*)
lemma Inputs_Card: "[ Inputs A C X ∈ set evs; A ≠ Spy; evs ∈ srb ] ==> C = (Card A) ∧ legalUse(C)" apply (erule rev_mp, erule srb.induct) apply auto done
lemma Outpts_Card: "[ Outpts C A X ∈ set evs; A ≠ Spy; evs ∈ srb ] ==> C = (Card A) ∧ legalUse(C)" apply (erule rev_mp, erule srb.induct) apply auto done
lemma Inputs_Outpts_Card: "[ Inputs A C X ∈ set evs ∨ Outpts C A Y ∈ set evs; A ≠ Spy; evs ∈ srb ] ==> C = (Card A) ∧ legalUse(Card A)" apply (blast dest: Inputs_Card Outpts_Card) done
(*for the spy - they stress that the model behaves as it is meant to*)
(*The or version can be also proved directly. Itstressesthatthespymayuseeitherherownlegallyusablecardor alltheillegallyusablecards.
*) lemma Inputs_Card_Spy: "[ Inputs Spy C X ∈ set evs ∨ Outpts C Spy X ∈ set evs; evs ∈ srb ] ==> C = (Card Spy) ∧ legalUse(Card Spy) ∨ (∃ A. C = (Card A) ∧ illegalUse(Card A))" apply (erule rev_mp, erule srb.induct) apply auto done
(*END technical lemmas*)
(*BEGIN unicity theorems: certain items uniquely identify a smart card's
output*)
(*A's card's first output: the nonce uniquely identifies the rest*) lemma Outpts_A_Card_unique_nonce: "[ Outpts (Card A) A {Nonce Na, Crypt (crdK (Card A)) (Nonce Na)} ∈ set evs; Outpts (Card A') A' {Nonce Na, Crypt (crdK (Card A')) (Nonce Na)} ∈ set evs; evs ∈ srb ]==> A=A'" apply (erule rev_mp, erule rev_mp, erule srb.induct, simp_all) apply (fastforce dest: Outpts_parts_used) apply blast done
(*B's card's output: the NONCE uniquely identifies the rest*) lemma Outpts_B_Card_unique_nonce: "[ Outpts (Card B) B {Nonce Nb, Agent A, Key SK, Cert1, Cert2}∈ set evs; Outpts (Card B') B' {Nonce Nb, Agent A', Key SK', Cert1', Cert2'}∈ set evs; evs ∈ srb ]==> B=B' ∧ A=A' ∧ SK=SK' ∧ Cert1=Cert1' ∧ Cert2=Cert2'" apply (erule rev_mp, erule rev_mp, erule srb.induct, simp_all) apply (fastforce dest: Outpts_parts_used) apply blast done
(*B's card's output: the SESKEY uniquely identifies the rest*) lemma Outpts_B_Card_unique_key: "[ Outpts (Card B) B {Nonce Nb, Agent A, Key SK, Cert1, Cert2}∈ set evs; Outpts (Card B') B' {Nonce Nb', Agent A', Key SK, Cert1', Cert2'}∈ set evs; evs ∈ srb ]==> B=B' ∧ A=A' ∧ Nb=Nb' ∧ Cert1=Cert1' ∧ Cert2=Cert2'" apply (erule rev_mp, erule rev_mp, erule srb.induct, simp_all) apply (fastforce dest: Outpts_parts_used) apply blast done
(* This fails on base case because of XOR properties. lemmaPairkey_authentic: "\<lbrakk>Nonce(Pairkey(A,B))\<in>parts(knowsSpyevs); CardA\<notin>cloned;evs\<in>sr\<rbrakk> \<Longrightarrow>\<exists>cert.SaysServerA\<lbrace>Nonce(Pairkey(A,B)),Cert\<rbrace>\<in>setevs" apply(erulerev_mp) apply(erulesr.induct,simp_all) applyclarify oops
(*Because initState contains a set of nonces, this is needed for base case of
analz_image_freshK*) lemma analz_image_Key_Un_Nonce: "analz (Key ` K ∪ Nonce ` N) = Key ` K ∪ Nonce ` N" by (auto simp del: parts_image)
lemma A_authenticates_B: "[ Outpts (Card A) A {Agent B, Nonce Nb, Key K, Certificate}∈ set evs; ¬illegalUse(Card B); evs ∈ srb ] ==>∃ Na. Outpts (Card B) B {Nonce Nb, Agent A, Key K, Crypt (pairK(A,B)) {Nonce Na, Nonce Nb}, Crypt (pairK(A,B)) (Nonce Nb)}∈ set evs" apply (blast dest: Na_Nb_certificate_authentic Outpts_A_Card_form_10 Outpts_A_Card_imp_pairK_parts) done
lemma A_authenticates_B_Gets: "[ Gets A {Nonce Nb, Crypt (pairK(A,B)) {Nonce Na, Nonce Nb}} ∈ set evs; ¬illegalUse(Card B); evs ∈ srb ] ==> Outpts (Card B) B {Nonce Nb, Agent A, Key (sesK(Nb, pairK (A, B))), Crypt (pairK(A,B)) {Nonce Na, Nonce Nb}, Crypt (pairK(A,B)) (Nonce Nb)}∈ set evs" apply (blast dest: Gets_imp_knows_Spy [THEN parts.Inj, THEN parts.Snd, THEN Na_Nb_certificate_authentic]) done
lemma A_authenticates_B_bis: "[ Outpts (Card A) A {Agent B, Nonce Nb, Key K, Cert2}∈ set evs; ¬illegalUse(Card B); evs ∈ srb ] ==>∃ Cert1. Outpts (Card B) B {Nonce Nb, Agent A, Key K, Cert1, Cert2} ∈ set evs" apply (blast dest: Na_Nb_certificate_authentic Outpts_A_Card_form_10 Outpts_A_Card_imp_pairK_parts) done
lemma B_authenticates_A: "[ Gets B (Crypt (pairK(A,B)) (Nonce Nb)) ∈ set evs; B ≠ Spy; ¬illegalUse(Card A); ¬illegalUse(Card B); evs ∈ srb ] ==> Outpts (Card A) A {Agent B, Nonce Nb, Key (sesK(Nb,pairK(A,B))), Crypt (pairK(A,B)) (Nonce Nb)}∈ set evs" apply (erule rev_mp) apply (erule srb.induct) apply (simp_all (no_asm_simp)) apply (blast dest: Says_imp_knows_Spy [THEN parts.Inj] Nb_certificate_authentic) done
lemma B_authenticates_A_bis: "[ Outpts (Card B) B {Nonce Nb, Agent A, Key K, Cert1, Cert2}∈ set evs; Gets B (Cert2) ∈ set evs; B ≠ Spy; ¬illegalUse(Card A); ¬illegalUse(Card B); evs ∈ srb ] ==> Outpts (Card A) A {Agent B, Nonce Nb, Key K, Cert2}∈ set evs" apply (blast dest: Outpts_B_Card_form_7 B_authenticates_A) done
(*END authentication theorems*)
lemma Confidentiality_A: "[ Outpts (Card A) A {Agent B, Nonce Nb, Key K, Certificate}∈ set evs; Notes Spy {Key K, Nonce Nb, Agent A, Agent B}∉ set evs; A ≠ Spy; B ≠ Spy; ¬illegalUse(Card A); ¬illegalUse(Card B); evs ∈ srb ] ==> Key K ∉ analz (knows Spy evs)" apply (drule A_authenticates_B) prefer3 apply (erule exE) apply (drule Confidentiality_B) apply auto done
lemma Outpts_imp_knows_agents_secureM_srb: "[ Outpts (Card A) A X ∈ set evs; evs ∈ srb ]==> X ∈ knows A evs" apply (simp (no_asm_simp) add: Outpts_imp_knows_agents_secureM) done
(*BEGIN key distribution theorems*) lemma A_keydist_to_B: "[ Outpts (Card A) A {Agent B, Nonce Nb, Key K, Certificate}∈ set evs; ¬illegalUse(Card B); evs ∈ srb ] ==> Key K ∈ analz (knows B evs)" apply (drule A_authenticates_B) prefer3 apply (erule exE) apply (rule Outpts_imp_knows_agents_secureM_srb [THEN analz.Inj, THEN analz.Snd, THEN analz.Snd, THEN analz.Fst]) apply assumption+ done
lemma B_keydist_to_A: "[ Outpts (Card B) B {Nonce Nb, Agent A, Key K, Cert1, Cert2}∈ set evs; Gets B (Cert2) ∈ set evs; B ≠ Spy; ¬illegalUse(Card A); ¬illegalUse(Card B); evs ∈ srb ] ==> Key K ∈ analz (knows A evs)" apply (frule Outpts_B_Card_form_7) apply assumption apply simp apply (frule B_authenticates_A) apply (rule_tac [5] Outpts_imp_knows_agents_secureM_srb [THEN analz.Inj, THEN analz.Snd, THEN analz.Snd, THEN analz.Fst]) apply simp+ done
(*END key distribution theorems*)
(*BEGIN further theorems about authenticity of verifiers - useful to cards,
and somewhat to agents *)
(*MSG11 IfBreceivestheverifierofmsg11,thentheverifieroriginatedwithmsg7. ThisisclearlynotavailabletoB:Bcan'tchecktheformoftheverifierbecausehedoesn'tknowpairK(A,B)
*) lemma Nb_certificate_authentic_B: "[ Gets B (Crypt (pairK(A,B)) (Nonce Nb)) ∈ set evs; B ≠ Spy; ¬illegalUse(Card B); evs ∈ srb ] ==>∃ Na. Outpts (Card B) B {Nonce Nb, Agent A, Key (sesK(Nb,pairK(A,B))), Crypt (pairK(A,B)) {Nonce Na, Nonce Nb}, Crypt (pairK(A,B)) (Nonce Nb)}∈ set evs" apply (blast dest: Gets_imp_knows_Spy [THEN parts.Inj, THEN Nb_certificate_authentic_bis]) done
(*Card A can't reckon the pairkey - we need to guarantee its integrity!*) lemma Pairkey_certificate_authentic_A_Card: "[ Inputs A (Card A) {Agent B, Nonce Na, Nonce Nb, Nonce Pk, Crypt (shrK A) {Nonce Pk, Agent B}, Cert2, Cert3}∈ set evs; A ≠ Spy; Card A ∉ cloned; evs ∈ srb ] ==> Pk = Pairkey(A,B) ∧ Says Server A {Nonce (Pairkey(A,B)), Crypt (shrK A) {Nonce (Pairkey(A,B)), Agent B}} ∈ set evs " apply (blast dest: Inputs_A_Card_9 Gets_imp_knows_Spy [THEN parts.Inj, THEN parts.Snd] Pairkey_certificate_authentic) done (*the second conjunct of the thesis might be regarded as a form of integrity
in the sense of Neuman-Ts'o*)
lemma Na_Nb_certificate_authentic_A_Card: "[ Inputs A (Card A) {Agent B, Nonce Na, Nonce Nb, Nonce Pk, Cert1, Crypt (pairK(A,B)) {Nonce Na, Nonce Nb}, Cert3}∈ set evs; A ≠ Spy; ¬illegalUse(Card B); evs ∈ srb ] ==> Outpts (Card B) B {Nonce Nb, Agent A, Key (sesK(Nb, pairK (A, B))), Crypt (pairK(A,B)) {Nonce Na, Nonce Nb}, Crypt (pairK(A,B)) (Nonce Nb)} ∈ set evs " apply (frule Inputs_A_Card_9) apply assumption+ apply (blast dest: Inputs_A_Card_9 Gets_imp_knows_Spy [THEN parts.Inj, THEN parts.Snd, THEN Na_Nb_certificate_authentic]) done
lemma Na_authentic_A_Card: "[ Inputs A (Card A) {Agent B, Nonce Na, Nonce Nb, Nonce Pk, Cert1, Cert2, Cert3}∈ set evs; A ≠ Spy; evs ∈ srb ] ==> Outpts (Card A) A {Nonce Na, Cert3} ∈ set evs" apply (blast dest: Inputs_A_Card_9) done
(* These three theorems for Card A can be put together trivially. Theyareseparatedtohighlightthedifferentrequirementsonagents
and their cards.*)
lemma Inputs_A_Card_9_authentic: "[ Inputs A (Card A) {Agent B, Nonce Na, Nonce Nb, Nonce Pk, Crypt (shrK A) {Nonce Pk, Agent B}, Crypt (pairK(A,B)) {Nonce Na, Nonce Nb}, Cert3}∈ set evs; A ≠ Spy; Card A ∉ cloned; ¬illegalUse(Card B); evs ∈ srb ] ==> Says Server A {Nonce Pk, Crypt (shrK A) {Nonce Pk, Agent B}} ∈ set evs ∧ Outpts (Card B) B {Nonce Nb, Agent A, Key (sesK(Nb, pairK (A, B))), Crypt (pairK(A,B)) {Nonce Na, Nonce Nb}, Crypt (pairK(A,B)) (Nonce Nb)} ∈ set evs ∧ Outpts (Card A) A {Nonce Na, Cert3} ∈ set evs" apply (blast dest: Inputs_A_Card_9 Na_Nb_certificate_authentic Gets_imp_knows_Spy [THEN parts.Inj, THEN parts.Snd] Pairkey_certificate_authentic) done
(*Other messages: nothing to prove because the verifiers involved are new*)
(*END further theorems about authenticity of verifiers*)
(* BEGIN trivial guarantees on outputs for agents *)
(*MSG4*) lemma SR_U4_imp: "[ Outpts (Card A) A {Nonce Na, Crypt (crdK (Card A)) (Nonce Na)} ∈ set evs; A ≠ Spy; evs ∈ srb ] ==>∃ Pk V. Gets A {Pk, V}∈ set evs" apply (blast dest: Outpts_A_Card_4 Inputs_A_Card_3) done (*weak: could strengthen the model adding verifier for the Pairkey to msg3*)
(*MSG7*) lemma SR_U7_imp: "[ Outpts (Card B) B {Nonce Nb, Agent A, Key K, Crypt (pairK(A,B)) {Nonce Na, Nonce Nb}, Cert2}∈ set evs; B ≠ Spy; evs ∈ srb ] ==> Gets B {Agent A, Nonce Na}∈ set evs" apply (blast dest: Outpts_B_Card_7 Inputs_B_Card_6) done
(*MSG10*) lemma SR_U10_imp: "[ Outpts (Card A) A {Agent B, Nonce Nb, Key K, Crypt (pairK(A,B)) (Nonce Nb)} ∈ set evs; A ≠ Spy; evs ∈ srb ] ==>∃ Cert1 Cert2. Gets A {Nonce (Pairkey (A, B)), Cert1}∈ set evs ∧ Gets A {Nonce Nb, Cert2}∈ set evs" apply (blast dest: Outpts_A_Card_10 Inputs_A_Card_9) done
(*END trivial guarantees on outputs for agents*)
(*INTEGRITY*) lemma Outpts_Server_not_evs: "evs ∈ srb ==> Outpts (Card Server) P X ∉ set evs" apply (erule srb.induct) apply auto done
text‹term‹step2_integrity› also is a reliability theorem› lemma Says_Server_message_form: "[ Says Server A {Pk, Certificate}∈ set evs; evs ∈ srb ] ==>∃ B. Pk = Nonce (Pairkey(A,B)) ∧ Certificate = Crypt (shrK A) {Nonce (Pairkey(A,B)), Agent B}" apply (erule rev_mp) apply (erule srb.induct) apply auto apply (blast dest!: Outpts_Server_not_evs)+ done (*cannot be made useful to A in form of a Gets event*)
text‹
step4integrity is term‹Outpts_A_Card_form_4›
step7integrity is term‹Outpts_B_Card_form_7› ›
lemma step8_integrity: "[ Says B A {Nonce Nb, Certificate}∈ set evs; B ≠ Server; B ≠ Spy; evs ∈ srb ] ==>∃ Cert2 K. Outpts (Card B) B {Nonce Nb, Agent A, Key K, Certificate, Cert2}∈ set evs" apply (erule rev_mp) apply (erule srb.induct) prefer18apply (fastforce dest: Outpts_A_Card_form_10) apply auto done
text‹step9integrity is term‹Inputs_A_Card_form_9›
step10integrity is term‹Outpts_A_Card_form_10›. ›
lemma step11_integrity: "[ Says A B (Certificate) ∈ set evs; ∀ p q. Certificate ≠{p, q}; A ≠ Spy; evs ∈ srb ] ==>∃ K Nb. Outpts (Card A) A {Agent B, Nonce Nb, Key K, Certificate}∈ set evs" apply (erule rev_mp) apply (erule srb.induct) apply auto done
Die Informationen auf dieser Webseite wurden
nach bestem Wissen sorgfältig zusammengestellt. Es wird jedoch weder Vollständigkeit, noch Richtigkeit,
noch Qualität der bereit gestellten Informationen zugesichert.
Bemerkung:
Die farbliche Syntaxdarstellung und die Messung sind noch experimentell.
