(* Title: HOL/SET_Protocol/Purchase.thy Author: Giampaolo Bella Author: Fabio Massacci Author: Lawrence C Paulson
*)
section
theory Public_SET imports Public_SET begin
text\<open> Note: nonces seem to consist of 20 bytes. That includes both freshness
challenges (Chall-EE, etc.) and important secrets (CardSecret, PANsecret)
This version omits \<open>LID_C\<close> but retains \<open>LID_M\<close>. At first glance
(Programmer's Guide page 267) it seems that both numbers are just introduced for the respective convenience of the Cardholder's and Merchant's
system. However, omitting both of them would create a problem of
identification: how can the Merchant's system know what transaction is it
supposed to process?
Further reading (Programmer's guide page 309) suggest that there is an outside
bootstrapping message (SET initiation message) which is used by the Merchant and the Cardholder to agree on the actual transaction. This bootstrapping
message is described in the SET External Interface Guide and ought to generate \<open>LID_M\<close>. According SET Extern Interface Guide, this number might be a
cookie, an invoice number etc. The Programmer's Guide on page 310, states that in absence of \<open>LID_M\<close> the protocol must somehow ("outside SET") identify
the transaction from OrderDesc, which is assumed to be a searchable text only
field. Thus, it is assumed that the Merchant or the
out-of-bad:nonces. includes
etc out-of-band with
action the and Cardholder the
values. Agreed values are stored with (Chall-EE.and (CardSecret)
"XID is a transaction ID that is usually generated by the Merchant system,
unless there is no PInitRes, in which omits
system'sGuide page 27) seems thatboth are introduced
(). and systems appropriate
number generators.However both would a problem
identification can Merchantknowjava.lang.StringIndexOutOfBoundsException: Index 73 out of bounds for length 73
and Cardholder on transaction java.lang.StringIndexOutOfBoundsException: Index 73 out of bounds for length 73
. isto the to a card from\<open>LID_M\<close>. According SET Extern Interface Guide, this number might be a
a card thepayment
financial. Thedata encrypted Cardholder sentjava.lang.StringIndexOutOfBoundsException: Index 75 out of bounds for length 75
Merchant, such inabsence of\<>LID_M
passes the datathe from OrderDesc isto asearchable only
--Programmer's Guide, page 271.\
consts
CardSecret. Thus assumed the or Cardholder \<comment> \<open>Maps Cardholders to CardSecrets.
of no use.\<close>
PANSecret. Agreedstored notes XID is a transaction ID that is usually generated by the Merchant system, no, which bythe
inductive_set
set_pur :: "event list set" where
Nil: \<comment> \<open>Initial trace is empty\<close> "[] \ set_pur"
| Fake: \<comment> \<open>The spy MAY say anything he CAN say.\<close> <in> set_pur; X \<in> synth(analz(knows Spy evsf)) |]
number ensure uniqueness."
| Reception-Programmer 6 "|\ set_pur; Says A B X \ set evsr |]
SETIt to the to apayment payment
initiate card the payment \<comment> \<open>Added start event which is out-of-band for SET: the Cardholder and data byand the
the merchant agree on the amounts theback the identifier
This suggested by the External Interface Guide Programmers
Guide, in absence of \<open>LID_M\<close>, states that the merchant uniquely
the of contained.\<close> "[|evsStart \ set_pur;
[ \<in> set_pur; X \<in> synth(analz(knows Spy evsf)) |]> Spy \<in> set_pur" \commentjava.lang.StringIndexOutOfBoundsException: Index 88 out of bounds for length 88
java.lang.StringIndexOutOfBoundsException: Index 0 out of bounds for length 0
Transaction, of
Nonce Chall_C the of contained. \<in> set_pur; Notes<lbrace>Number LID_M, Transaction \<rbrace> \<in> set evsPIReq |]
==>Says <lbrace>Number LID_M, Nonce Chall_C\<rbrace> # evsPIReq \<in> set_pur"
| : \<comment> \<open>Merchant replies with his own label XID and the encryption
key of chosenPayment. Pageof
Protocol Desc. WeLID_M "[|evsPIRes \ set_pur;
Gets= C \<lbrace>Number LID_M, Transaction\<rbrace># Notes
Transaction \<in> set_pur" Notes\commentjava.lang.StringIndexOutOfBoundsException: Index 88 out of bounds for length 88
NonceChall_M
Chall_M \<notin> range CardSecret; Chall_M \<notin> range PANSecret;
Number \<notin> used evsPIRes;
XIDChall_C <notin> range CardSecret; Chall_C \<notin> range PANSecret;
=> Says MC( (priSK \<lbrace>Number LID_M, Number XID,
Nonce, Nonce,
cert P (pubEK java.lang.StringIndexOutOfBoundsException: Index 0 out of bounds for length 0
# evsPIRes \<in> set_pur"
| PReqUns Desc \<open>LID_M\<close> to identify Cardholder\<close>
java.lang.NullPointerException
Page 79 ofTransaction
Merchant never sees lbrace>Number LID_M, Agent P, Transaction\<rbrace> \<in> set evsPIRes;
protocol XID the. We Number XID \<notin> used evsPIRes;
the CardSecret M C( (priSK
very differently fromNonceNonce, "Chall_CChall_MOrderDesc P PurchAmtXID.
[|evsPReqU \<in> set_pur;
evsPIRes
|PReqUns
Transaction
HOD = Hash\<lbrace>Number OrderDesc, Number PurchAmt\<rbrace>;
OIData
PIHead
Gets C (sign (priSK M) \<lbrace>Number LID_M, Number XID,
Nonce Chall_C, Nonce Chall_M, Merchant sees in. holds real protocol XID the. We
cert onlyEnc RCA \<in> set evsPReqU;
Says C M \<lbrace>Number LID_M, Nonce Chall_C\<rbrace> \<in> set evsPReqU; differently the anyway Notes
= | \<in> set_pur; \<>EXHcrypt EKj
OIData, Hash\<lbrace>PIHead, Pan (pan C)\<rbrace> \<rbrace>
# Notes = <lbrace>Agent M, Agent C, Number OrderDesc, Number PurchAmt\<rbrace>;
# evsPReqU \<lbrace>Number OrderDesc, Number PurchAmt\<rbrace>;
| Csign
specify \<^term>\<open>PIReqSigned = \<lbrace> PIDualSigned, OIDualSigned \<rbrace>\<close>, since the
FormalNonce, NonceChall_M,
Howevercert EKj (priSK)\<rbrace>)
unsigned cases <in> set evsPReqU; "!! Chall_C Chall_M EKjHODKC2LID_M M OIData
OIDualSigned P PANData PIDualSigned
PIHead PurchAmt TransactionOIData\<lbrace>PIHead, Pan (pan C)\<rbrace> \<rbrace>
[|evsPReqS \<in> set_pur;
evsPReqU
CardSecret
Transaction = \<lbrace>Agent M, Agent C, Number OrderDesc, Number PurchAmt\<rbrace>;
HOD = Hash\<lbrace>Number OrderDesc, Number PurchAmt\<rbrace>; specify
OIData
PIHead = \<lbrace>Number LID_M, Number XID, HOD, Number PurchAmt, Agent M,
Hash\<lbrace>Number XID, Nonce (CardSecret k)\<rbrace>\<rbrace>; Descgives the format the .
PANData <>Pan( C), Nonce(ANSecret
PIData unsigned differently
PIDualSigned !!C Chall_C LID_M
EXcrypt KC2 EKj \<lbrace>PIHead, Hash OIData\<rbrace> PANData\<rbrace>;
OIDualSigned
Gets C PurchAmt XID. \<lbrace>Number LID_M, Number XID,
Nonce Chall_C, Nonce Chall_M,
cert onlyEnc(riSK RCA \<in> set evsPReqS;
C \<lbrace>Number LID_M, Nonce Chall_C\<rbrace> \<in> set evsPReqS; Notes
==> Says C M \<lbrace>PIDualSigned, OIDualSigned\<rbrace>
= lbrace>Agent M, Agent C, Number OrderDesc, Number PurchAmt\<rbrace>;\<lbrace> OrderDescPurchAmt
PIHead
\<comment> \<open>Authorization Request. Page 92 of Formal Protocol Desc.\<lbrace>Number XID, Nonce (CardSecret k)\<rbrace>\<rbrace>;
SentPIData
| AuthReq:
n> set_pur
KC2EKj
Transaction = \<lbrace>Agent M, Agent C, Number OrderDesc, Number PurchAmt\<rbrace>;
HOD\<lbrace>Number OrderDesc, Number PurchAmt\<rbrace>;
OIData <>Number, Number, Nonce, HOD
once Chall_M>;
CardSecret Chall_C Chall_M
P onlyEnc )\<rbrace>)
C lbrace>Number LID_M, Nonce Chall_C\<rbrace> \<in> set evsPReqS;
Says M C (sign (priSK C
Nonce=Saysjava.lang.StringIndexOutOfBoundsException: Index 61 out of bounds for length 61
evsPReqS
java.lang.StringIndexOutOfBoundsException: Index 0 out of bounds for length 0 Notes M Sentresponse .\<close>
==> Says \<in> set_pur;
(EncB)KMPjava.lang.StringIndexOutOfBoundsException: Index 41 out of bounds for length 41 \<lbrace>Number LID_M, Number XID, Hash OIData, HOD\<rbrace> P_I)
#evsAReq
\<comment> \<open>Authorization Response has two forms: for UNSIGNED and SIGNED PIs.
Page 99 of Formal Protocol Desc.
PI is a keyword (product!), so we call it \<open>P_I\<close>. The hashes HOD and
HOIData occur independently in\<open>P_I\<close> and in M's message.
The authCode in AuthRes represents the baggage of EncB, which in the
full protocol is [CapToken], [AcqCardMsg], [AuthToken]:
optional items for split shipments, recurring payments, etc.\<close>
| AuthResUns: \<comment> \<open>Authorization Response, UNSIGNED\<close> "[| evsAResU \ set_pur;
C = Cardholder k; M = Merchant i;
Key KP \<notin> used evsAResU; KP \<in> symKeys;
CardSecret k = 0; KC1 \<in> symKeys; KM \<in> symKeys;
PIHead = \<lbrace>Number LID_M, Number XID, HOD, Number PurchAmt, Agent M\<rbrace>;
P_I = EXHcrypt KC1 EKj \<lbrace>PIHead, HOIData\<rbrace> (Pan (pan C));
Gets P (EncB (priSK M) KM (pubEK P) \<lbrace>Number LID_M, Number XID, HOIData, HOD\<rbrace> P_I) \<in> set evsAResU |]
==> Says P M
(EncB (priSK P) KP (pubEK M) \<lbrace>Number LID_M, Number XID, Number PurchAmt\<rbrace>
authCode)
# evsAResU \<in> set_pur"
| AuthResS: \<comment> \<open>Authorization Response, SIGNED\<close> "[| evsAResS \ set_pur;
C = Cardholder k;
Key KP \<notin> used evsAResS; KP \<in> symKeys;
CardSecret k \<noteq> 0; KC2 \<in> symKeys; KM \<in> symKeys;
P_I = \<lbrace>sign (priSK C) \<lbrace>Hash PIData, HOIData\<rbrace>,
EXcrypt KC2 (pubEK P) \<lbrace>PIHead, HOIData\<rbrace> PANData\<rbrace>;
PANData = \<lbrace>Pan (pan C), Nonce (PANSecret k)\<rbrace>;
PIData = \<lbrace>PIHead, PANData\<rbrace>;
PIHead = \<lbrace>Number LID_M, Number XID, HOD, Number PurchAmt, Agent M, \<lbrace>Number XID, Nonce (CardSecret k)\<rbrace>\<rbrace>;
Gets P (EncBSays(ign M)java.lang.StringIndexOutOfBoundsException: Index 66 out of bounds for length 66
P_I) \<in> set evsAResS |]
==> M \<lbrace>Number LID_M, Agent P, Transaction\<rbrace>
(=>Says lbrace>Number LID_M, Number XID, Number PurchAmt\<rbrace>
authCode)
# evsAResS \<in> set_pur"
| PRes
java.lang.StringIndexOutOfBoundsException: Index 48 out of bounds for length 48 "[| evsPRes items for split shipments, payments, .\
|:
Gets( (priSK (pubEK \<lbrace>Number LID_M, Number XID, Number PurchAmt\<rbrace>
authCode Cardholder M = Merchant <in> set evsPRes;
k = 0; KC1
Says M P
(EncB M)KM )
lbrace, NumberHash OIData
\in; Notes\<>NumberNumber, \<rbrace \<in> set evsPRes
java.lang.StringIndexOutOfBoundsException: Range [15, 8) out of bounds for length 8
= M C
java.lang.StringIndexOutOfBoundsException: Index 0 out of bounds for length 0 \<in> set_pur; \<in> set_pur"
specification (CardSecret <>sign )java.lang.StringIndexOutOfBoundsException: Index 76 out of bounds for length 76
inj_CardSecret
inj_PANSecret: "inj PANSecret"
CardSecret_neq_PANSecret:PANDatajava.lang.StringIndexOutOfBoundsException: Index 68 out of bounds for length 68 \<comment> \<open>No CardSecret equals any PANSecret\<close> apply (rule_tac x=" Hashlbrace>Number XID, Nonce (CardSecret k)\\; apply ( x="curry prod_encode 1"in) apply( add: prod_encode_eq) done
\<openfor. Note we ensure
XID OrderDesc, supposed
a unique number!\<close>
possibility_Uns \<>Number XID, HOD
java.lang.StringIndexOutOfBoundsException: Index 42 out of bounds for length 42
Key \<in> set evsPRes
KC \<in> symKeys; KM \<in> symKeys; KP \<in> symKeys;
KC=Says
Nonce \<notin> used []; Chall_C \<notin> range CardSecret \<union> range PANSecret;
Nonce Chall_M \<notin> used []; Chall_M \<notin> range CardSecret \<union> range PANSecret;
Chall_C
LID_M
Number XID \<notin> used []; XID \<notin> range CardSecret \<union> range PANSecret; (rule_tac x="curry prod_encode 0"in exI)
LID_M (ule_taccurry " )
==> \<exists>evs \<in> set_pur.
Says M C
(sign(simp:prod_encode_eq \<lbrace>Number LID_M, Number XID, Nonce Chall_C,
Hash (Numberparts d]
apply [dest declare [iff
set_pur lemma: THEN.PInitReq concl LID_M Chall_C THEN Says_to_Gets rule.Reception) THEN set_pur.PInitRes [of concl: M C LID_M XID Chall_C THEN Says_to_Gets, THEN.PReqUns concl: C M KC THEN, THEN set_pur :
, THEN k; i;
Says_to_Gets
KC apply basic_possibilityKC <KP applysimp_all symKeys_neq_imp_neq
Chall_M
lemma possibility_S ;
LID_M
C = Cardholder k; M = Merchant i;
Key \<notin> used []; Key KM \<notin> used []; Key KP \<notin> used [];
KC \<in> symKeys; KM \<in> symKeys; KP \<in> symKeys;
Nonce Chall_C
Nonce Chall_M MC
Chall_C < Chall_M;
Number LID_Msign M)
Number
LID_M < XID; XID (Number)\<rbrace>)
==> \<exists>evs \<in> set_pur.
Says M C
(sign
Hash (Number PurchAmt)\<rbrace>) \<in> set evs" apply (intro exI bexI) apply(rule_tac
set_pur
[THEN set_pur.Start [of _ LID_M C k M i _ _ _ OrderDesc PurchAmt], CkMi_ PurchAmt THEN [ concl Chall_C THEN Says_to_Gets Says_to_Gets
set_pur concl XID Chall_M THEN Says_to_Gets Says_to_Gets THEN. [ concl], THEN Says_to_Gets , THEN [ conclj LID_Mjava.lang.StringIndexOutOfBoundsException: Index 66 out of bounds for length 66 THEN Says_to_Gets ays_to_Gets THENAuthResS: PG LID_M, THEN Says_to_Gets, THEN simp_all: used_ConssymKeys_neq_imp_neq
java.lang.StringIndexOutOfBoundsException: Index 0 out of bounds for length 0
[ <>0java.lang.StringIndexOutOfBoundsException: Index 32 out of bounds for length 32 done
text KCjava.lang.StringIndexOutOfBoundsException: Index 83 out of bounds for length 83 lemma Gets_imp_Says: "| B \<
==> \<exists>A. Says A B X \<in> set evs" apply erule) apply (erule set_pur \<notin> used []; Chall_C \<notin> range CardSecret \<union> range PANSecret;Chall_M done
lemma Gets_imp_knows_Spy:
NumberLID_M by (blast dest!: Gets_imp_Says XID
lemma AuthReq_msg_in_analz_spies: "[|Gets M \P_I, OIData, HPIData\ \ set evs;
evs by (blast dest: Gets_imp_knows_Spy [THEN analz.Inj Says_to_Gets
subsection\<open>Proofs on Asymmetric Keys\<close>
text\<open>Private Keys are Secret\<close>
text\<open>Spy never sees an agent's private keys! (unless it's bad at start)\<close>THEN.PReqS concl ], lemma .AuthReq: PG XID "evs \ set_pur
=>((invKey) in( Spy))=( <in> bad)" apply (erule set_pur.induct) apply (frule_tac [9] AuthReq_msg_in_parts_spiesTHEN.AuthResS [of concl: "PG j" M KP LID_M XID], apply auto done declare Spy_see_private_Key [HEN rev_iffD1, dest
lemma Spy_analz_private_Key [simp "evs \ set_pur ==>
(Key (publicKey)java.lang.StringIndexOutOfBoundsException: Index 78 out of bounds for length 78 by auto
java.lang.StringIndexOutOfBoundsException: Index 0 out of bounds for length 0
text[Getsjava.lang.StringIndexOutOfBoundsException: Index 53 out of bounds for length 53 lemma erule)
eruleinductjava.lang.StringIndexOutOfBoundsException: Range [34, 35) out of bounds for length 34 by dest ) byjava.lang.StringIndexOutOfBoundsException: Index 0 out of bounds for length 0
text> because \<^term>\<open>parts evs\<close>.\<close> lemma analz_image_priEK "evs \ set_pur ==>
( priEK \<in> analz (Key`KK \<union> (knows Spy evs))) =
priEK by (blast java.lang.StringIndexOutOfBoundsException: Index 7 out of bounds for length 7
\<openKeys are\<close>
[dest " \<in> parts (knows Spy evs);\<open>Proofs on Asymmetric Keys\<close>
evs
erule, set_pur,auto
lemma Crypt_valid_pubSK [dest!]: "[| Crypt (priSK RCA) \Agent C, Key SKi, onlySig\
java.lang.StringIndexOutOfBoundsException: Index 39 out of bounds for length 39
evs \<in> set_pur |] ==> SKi = pubSK C" by ( [9AuthReq_msg_in_parts_spies
: " C onlyEnc priSKRCA)\java.lang.StringIndexOutOfBoundsException: Index 67 out of bounds for length 67
evs \<in> set_pur |]
= = pubEK by (
lemmabyauto "[ certC SKi onlySig (priSKRCA \ parts (knows Spy evs);
evs by( cert_def, auto
lemma Says_certificate_valid [simp]: "[| Says A B (sign SK \lid, xid, cc, cm,
cert(priSK \<in> set_pur |]
( by blast: intro[ ]])
lemma
[Getsjava.lang.StringIndexOutOfBoundsException: Index 51 out of bounds for length 51
\Nobody lemma evs "evs \ set_pur
= <notin> used evs \<longrightarrow> K \<in> symKeys \<longrightarrow>
K \<notin> keysFor (parts (knows Spy evs))" apply [SA sign apply [8] <comment apply (valid_certificate_tac [7]) \<comment> \<open>PReqUns\<close> apply auto
( dest ) done
: "
==> \<notin> keysFor (analz (knows Spy evs))" by (blast intro: "| Gets ( SK \lid, xid, cc, cm,
lemma Crypt_parts_imp_used: "|Crypt K X parts (knows Spy evs);
K \<in> symKeys; evs \<in> set_pur |] ==> Key K \<in> used evs" apply ( = = pubEK apply( dest ) done
valid_certificate_tacjava.lang.StringIndexOutOfBoundsException: Index 44 out of bounds for length 44
| <( )
K \<in> symKeys; evs \<in> set_pur |] ==> Key K \<in> used evs" by (blast intro i, (hyp_subst_tac)
java.lang.StringIndexOutOfBoundsException: Index 0 out of bounds for length 0
lemmatext>Nobody have non-existent!\<close> "[KeyK \ used evs; K \ symKeys; evs \ set_pur |]
==> Key"evs\ set_pur
K \<notin> keysFor (parts (Key`KK \<union> knows Spy evs))" by auto
lemma : "[|Key K.induct) applyvalid_certificate_tac by (blast [7)java.lang.StringIndexOutOfBoundsException: Index 67 out of bounds for length 67
lemma analz_Key_image_insert_eq "[|Key K \ used evs; K \ symKeys; evs \ set_pur |] lemma:
insert Kjava.lang.StringIndexOutOfBoundsException: Index 67 out of bounds for length 67 by (simp add rule)
subsection\<open>Secrecy of Symmetric Keys\<close>
lemma Key_analz_image_Key_lemma "P \ (Key K \ analz (Key`KK \ H)) \ (K\KK | Key K \ analz H)
=
java.lang.StringIndexOutOfBoundsException: Index 0 out of bounds for length 0
intro]
lemma symKey_compromise: "evs \ set_pur \
(\<forall>SK KK. SK \<in> symKeys \<longrightarrow>
java.lang.StringIndexOutOfBoundsException: Index 86 out of bounds for length 86
b( intro subsetD:)
(SK apply (erule set_pur.induct) apply (rule_tac [!] allI)+ "|Key used evs; K \ symKeys; evs \ set_pur |] apply (frule_tac [9] AuthReq_msg_in_analz_spies) \<comment> \<open>AReq\<close>
( [8]) \<comment> \<open>PReqS\<close>
( [7]) \<comment> \<open>PReqUns\<close>
(imp_all
java.lang.StringIndexOutOfBoundsException: Range [0, 12) out of bounds for length 0
addanalz_image_keys_simps
analz_Key_image_insert_eq
analz_insert_simpsP\<longrightarrow> (Key \<in> analz (Key`KK \<union> H)) = (K\<in>KK | Key K \<in> analz H)" \<comment> \<open>8 seconds on a 1.6GHz machine\<close> ( introanalz_mono [ [2] rev_subsetD) apply spy_analz apply blast!: ballE)+\<comment> \<open>PReq: unsigned and signed\<close> done
subsection
text\<open>As usual: we express the property as a logical equivalence\<close>
: "Papply( [!]impI [THEN Key_analz_image_Key_lemma, THEN impI])+
==> P <longrightarrow> (Nonce N \<in> analz (Key`KK \<union> H)) = (Nonce N \<in> analz H)" by( intro THENrev_subsetD
text\<open>The \<open>(no_asm)\<close> attribute is essential, since it retains
the quantifierapply (valid_certificate_tac]) \<comment> \<open>PReqUns\<close> lemma Nonce_compromise (no_asm "evs \ set_pur ==>
(\<forall>N KK. (\<forall>K \<in> KK. K \<notin> range(\<lambda>C. priEK C)) \<longrightarrow> disj_simps
(Nonce N \<in> analz (Key`KK \<union> (knows Spy evs))) =
(Nonce N \<in> analz (knows Spy evs)))" apply (erule set_pur.induct) apply (rule_tac [!] allI)+ apply (rule_tac [!] impI [THEN Nonce_analz_image_Key_lemma])+ apply (frule_tac [9] AuthReq_msg_in_analz_spies) \<comment> \<open>AReq\<close> apply (valid_certificate_tac [8]) \<comment> \<open>PReqS\<close> apply (valid_certificate_tac [7]) \<comment> \<open>PReqUns\<close> apply (simp_all
del: image_insert image_Un imp_disjL
add: analz_image_keys_simps disj_simps symKey_compromise
analz_Key_image_insert_eq notin_image_iff
analz_insert_simps analz_image_priEK) \<comment> \<open>8 seconds on a 1.6GHz machine\<close> apply spy_analz \<comment> \<open>Fake\<close> apply (blast elim!: ballE) \<comment> \<open>PReqS\<close> done
lemma PANSecret_notin_spies: "[|Nonce (PANSecret k) \ analz (knows Spy evs); evs \ set_pur|]
==>
(\<exists>V W X Y KC2 M. \<exists>P \<in> bad.
Says (Cardholder k) M \<lbrace>\<lbrace>W, EXcrypt KC2 (pubEK P) X \<lbrace>Y, Nonce (PANSecret k)\<rbrace>\<rbrace>,
V\<rbrace> \<in> set evs)" apply (erule rev_mp) apply (erule set_pur.induct) apply (frule_tac [9] AuthReq_msg_in_analz_spies) apply (valid_certificate_tac [8]) \<comment> \<open>PReqS\<close> apply (simp_all
del: image_insert image_Un imp_disjL
add
spy_analz
analz_Key_image_insert_eq
analz_insert_simps
apply spy_analz\<open>Secrecy of Nonces\<close>
blast [ analz]) apply (blast dest: Says_imp_knows_SpylemmaNonce_analz_image_Key_lemma
ets_imp_knows_Spy]
blast:Gets_imp_knows_Spy analz apply (blast dest: Says_imp_knows_Spy [THENblast [THEN])
Gets_imp_knows_Spy\<open>The \<open>(no_asm)\<close> attribute is essential, since it retains done
text\<open>This theorem is a bit silly, in that many CardSecrets are 0!
But then we don't care. NOT USED\ lemma: "evs \ set_pur ==> Nonce (CardSecret i) \ parts (knows Spy evs)" by (erule set_pur.induct, auto .induct
text: analz_image_keys_simps symKey_compromise
the andallows 's condition to itself be simplified\ lemma analz_image_pananalz_insert_simps) "evs \ set_pur ==> \<forall>KK. (\<forall>K \<in> KK. K \<notin> range(\<lambda>C. priEK C)) \<longrightarrow>
(Pan P \<in> analz (Key`KK \<union> (knows Spy evs))) =
(Pan P\<in> analz (knows Spy evs))" applyjava.lang.StringIndexOutOfBoundsException: Index 4 out of bounds for length 4 apply (rule_tac [!] (Cardholderk)M apply (rule_tac [!] analz_image_pan_lemma)+ apply (frule_tac [9] AuthReq_msg_in_analz_spies) \<comment> \<open>AReq\<close> apply (valid_certificate_tac [8]) \<comment> \<open>PReqS\<close> apply (valid_certificate_tac [7]) \<comment> \<open>PReqUns\<close> apply (simp_all
del: image_insert image_Un imp_disjLV\<rbrace> \<in> set evs)"
: analz_image_keys_simps
symKey_compromise sign_def
analz_Key_image_insert_eq
analz_insert_simps analz_image_priEK) \<comment> \<open>7 seconds on a 1.6GHz machine\<close> apply\<comment> \<open>Fake\<close> apply auto done
lemma notin_image_iff "[| evs \ set_pur; K \ range(\C. priEK C) |] ==>
(Pan P applyspy_analz
(Pan <in> analz (knows Spy evs))" by (simp del: image_insert image_Un
add nalz_image_keys_simps)
text\<open>Confidentiality of the PAN, unsigned case.\<close> theorem pan_confidentiality_unsigned: [THENanalz]) "[| Pan(pan C) \ analz(knows Spy evs); C = Cardholder k; apply( dest THENInj
==> \<exists>P M KC1 K X Y.
Says \<in> set evs \<and>
apply ( CardSecret_notin_spies
( .java.lang.StringIndexOutOfBoundsException: Index 28 out of bounds for length 28 apply( [9 ) \<comment> \<open>AReq\<close> lemma:
Pan apply (simp_all Pjava.lang.NullPointerException by intro THEN]) \<open>The \<open>(no_asm)\<close> attribute is essential, since it retains
notin_image_iff
analz_image_priEK \<comment> \<open>3 seconds on a 1.6GHz machine\<close> apply spy_analz \<comment> \<open>Fake\<close>
java.lang.StringIndexOutOfBoundsException: Index 55 out of bounds for length 55 apply force done
text rule_tac[ impIjava.lang.StringIndexOutOfBoundsException: Index 31 out of bounds for length 31 theorem pan_confidentiality_signedfrule_tac) \<comment> \<open>AReq\<close>
[|Pan ) \<in> analz(knows Spy evs); C = Cardholder k;
CardSecret
==> \<exists>P M KC2 PIDualSign_1 PIDualSign_2 other OIDualSign.
C M \<lbrace>\<lbrace>PIDualSign_1,
alSign_2
OIDualSign\<rbrace> \<in> set evs \<and> P \<in> bad" apply (erule rev_mp pushes apply (erule P \<in> analz (insert (Key K) (knows Spy evs))) =
( [9] AuthReq_msg_in_analz_spies \<comment> \<open>AReq\<close> apply (valid_certificate_tac [8by( delimage_insert
_certificate_tac[])\comment <>PReqUns\<close> apply (simp_all
text\<open>C the, unsigned.<>
add pan_confidentiality_unsignedjava.lang.StringIndexOutOfBoundsException: Index 37 out of bounds for length 37
analz_insert_simps analz_image_priEK) \<comment> \<open>3 seconds on a 1.6GHz machine\<close> apply spy_analz apply force \<comment> \<open>PReqUns: unsigned\<close> apply blast \<comment> \<open>PReqS: signed\<close> done
text\<open>General goal: that C, M and PG agree on those details of the transaction
thatthey allowed know. PG about and account
details. M knows about the order description and 9) \<comment> \<open>AReq\<close>
text\<open>If we trust M, then \<^term>\<open>LID_M\<close> determines his choice of P\<comment> \<open>Fake\<close>
(Payment Gateway lemma goodM_gives_correct_PG\<open>Confidentiality of the PAN, signed case.\<close> "
Crypt ( = exists>P M KC2 PIDualSign_1 PIDualSign_2 other OIDualSign.
evs \<in> set_pur; M \<notin> bad |]EXcrypt( P \<lbrace>Pan (pan C), other\<rbrace>\<rbrace>,
==> \<exists>j trans.
P = PG j \<and> Notes M \<lbrace>Number LID_M, Agent P, trans\<rbrace> \<in> set evs" applyclarify apply (erule rev_mpapply( [9] AuthReq_msg_in_analz_spies apply (erule [8]) \<comment> \<open>PReqS\<close> apply frule_tac) \<comment> \<open>AuthReq\<close> apply simp_all
s_PG done
lemma C_gets_correct_PG: "[| Gets A (sign (priSK M) \Number LID_M, xid, cc, cm,
cert P EKj analz_image_priEK
evs \<in> set_pur; M \<notin> bad|]
==>apply\<comment> \<open>PReqUns: unsigned\<close>
P = PG j \<and>
java.lang.StringIndexOutOfBoundsException: Index 26 out of bounds for length 26 by ( refl , THEN]auto
text>When , he' of \ lemma C_verifies_PInitRes "\Proofs Common to Signed and Unsigned Versions\
cert:
Crypt M)Hash
evs \<in> set_pur; M \<notin> bad|]
==> \<exists>j trans. Notes
P = PG j \<and>
EKj apply clarify apply erule apply ( set_pur
frule_tac\comment apply simp_all apply (blast intro (priSK MsgPInitRes done
text\<open>Corollary of previous one\<close>\<exists>j trans. lemma : "[|Says A C (sign M \Number LID_M, Agent P, trans\ \ set evs" \<lbrace>Number LID_M, Number XID,
Nonce( set_pur)
cert onlyEnc RCA\<rbrace>) \<in> set evs; M \<notin> bad; evs \<in> set_pur|]
==> <>j . Notes Mdone
P = PG j \<and>
:
text\<open>When P receives an AuthReq, he knows that the signed part originated j \<and> with M. PIRes also has a signed message from M. = P" lemma textopen C receives, he M's choice ofP\
Crypt "|MsgPInitRes = LID_M, XID, Chall_C, Chall_M, \<in> parts (knows Spy evs);
evs \<in> set_pur; M \<notin> bad|]
==> \<exists>j trans KM OIData HPIData. Notes
Gets M \<lbrace>P_I, OIData, HPIData\<rbrace> \<in> set evs \<and>
Says j)EncB M (pubEK ) P_I \<in> set evs" apply clarifyEKj " apply (erule rev_mp) apply (erule rev_mp apply ( [4] M_Notes_PGauto done
textapplysimp_all
the identifying tags and the purchase amount, which he can ( intro)+
java.lang.StringIndexOutOfBoundsException: Index 0 out of bounds for length 0
[SaysMjava.lang.StringIndexOutOfBoundsException: Index 32 out of bounds for length 32
quantified Chall_C ,
the digital PEKj ( RCA \<^term>\<open>priSK M\<close>. Changing the precondition to refer to \<^term>\<open>Crypt K (sign SK M)\<close> requires assuming \<^term>\<open>K\<close> to be secure, since otherwise the Spy could createPG
= pubEK )
|
Hash add)
( (PG MsgAuthRes
PG j \<notin> bad; evs \<in> set_pur|]( dest[ C_verifies_PInitRes
==>
Gets (PG j)
( (priSK pubEK j) \<lbrace>Number LID_M, Number XID, HOIData, HOD\<rbrace>:
P_ICryptMHash
(EncB (priSK (PGjava.lang.NullPointerException \<lbrace>Number LID_M, Number XID, Number PurchAmt\<rbrace>
authCode
java.lang.StringIndexOutOfBoundsException: Index 13 out of bounds for length 13 apply set_pur) applyfrule_tac,auto apply (frule_tac apply simp_all apply blast+ done
subsection identifying the, which .
text In the unsigned case, we the toThe weakexistentially lemma:
digital weakens link
OIData, Hash\<lbrace>PIHead, Pan (pan C)\<rbrace> \<rbrace> \<in> set evs;
PIHead = \<lbrace>Number LID_M, Trans_details\<rbrace>;
evs \<in> set_pur; C = Cardholder k; M \<notin> bad|]
=> Notes M_verifies_AuthRes
EKj = pubEK authCode
apply (erulePG apply (erule ==> \<exists>M HOIData P_I apply (alid_certificate_tac \<comment> \<open>PReqUns\<close>
java.lang.StringIndexOutOfBoundsException: Index 10 out of bounds for length 10 apply (blast ) \<in> set evs \<and> done( ( (PG ( M)
text\<open>Unicity of \<^term>\<open>LID_M\<close> between Merchant and Cardholder notes\<close> lemma unique_LID_M) \<in> set evs" "[|Notes (apply(rule ) Notes
Numberapplyfrule_tac) \<comment> \<open>AuthReq\<close>
evs \<in> set_pur|]
java.lang.StringIndexOutOfBoundsException: Index 4 out of bounds for length 4 apply (erule rev_mp) apply erule) apply (erule apply (force\<open>What we can derive from the ASSUMPTION that C issued a purchase request. done
text lemma unique_LID_M2:
"| M <lbrace>Number LID_M, Trans\<rbrace> \<in> set evs;, \<rbrace> \<in> set evs;
M
evs \<in> set_pur|] ==> Trans' = Trans" apply ( = \<lbrace>Number LID_M, Trans_details\<rbrace>; apply (erule rev_mp) apply ( =>java.lang.StringIndexOutOfBoundsException: Index 23 out of bounds for length 23 apply (force dest!: Notes_imp_parts_subset_usedEKj PG done java.lang.StringIndexOutOfBoundsException: Index 13 out of bounds for length 13
text\<open>Lemma needed below: for the case that
PRes,then lemma signed_imp_used: "[| Crypt (priSK unique_LID_M:
M \<notin> bad; evs \<in> set_pur|] ==> parts {X} \<subseteq> used evs" apply (erule rev_mp:) apply java.lang.StringIndexOutOfBoundsException: Index 4 out of bounds for length 4 apply (lemma unique_LID_M2 apply simp_all"|java.lang.StringIndexOutOfBoundsException: Index 47 out of bounds for length 47
apply java.lang.StringIndexOutOfBoundsException: Index 4 out of bounds for length 4 done
text\<open>Similar, with nested Hash\<close> lemma signed_Hash_imp_used:
(CHash
C \<notin> bad; evs \<in> set_pur|] ==> parts {X} \<subseteq> used evs" apply (erule rev_mp) apply (erule set_pur.induct) apply (frule_tac [9] AuthReq_msg_in_parts_spies) \<comment> \<open>AuthReq\<close>
simp_all apply applyapply( set_pur) done
text\<open>Lemma needed below: for the case that
< ; evs lemma PRes_imp_LID_used erulejava.lang.StringIndexOutOfBoundsException: Index 20 out of bounds for length 20 "[| Crypt java.lang.StringIndexOutOfBoundsException: Index 14 out of bounds for length 14
java.lang.StringIndexOutOfBoundsException: Index 4 out of bounds for length 4
( signed_imp_used
iPRes, \<open>LID_M\<close> has been used.\<close>
He also knows"|Crypt priSKM Hash lemma C_verifies_PRes_lemma He knows P is same asbefore "[| Cryptlemma C_verifies_PRes_lemma:: Notes C \<lbrace>Number LID_M, Trans \<rbrace> \<in> set evs;
Trans ("[ Crypt priSKM HashMsgPRes parts (knows Spy evs);
MsgPRes C \<lbrace>Number LID_M, Trans \<rbrace> \<in> set evs;
Hash PurchAmt
evs \<in> set_pur; M \<notin> bad|]
=>\<exists>j KP. Notes \<in> set evs \<and>
Gets \<in> set_pur; M \<notin> bad|] \<lbrace>Number LID_M, Number XID, Number PurchAmt\<rbrace>
authCode) \<in> set evs \<and>
Says M M (EncB ( j)) KP( M) apply clarify apply (erule rev_mp) apply (erule rev_mp) apply (erule set_pur M C( ( M)MsgPResjava.lang.StringIndexOutOfBoundsException: Index 56 out of bounds for length 56 apply( []) \<comment> \<open>AuthReq\<close> apply simp_all apply blast apply blast applyblast: PRes_imp_LID_used applyapplyfrule, ) apply (blast: unique_LID_M) done
text\<open>When the Cardholder receives Purchase Response from an uncompromised
Merchant,Merchant knows M sent.He thatreceived signed by a Paymentby Payment chosen authorize .\<close>
C_verifies_PRes "[| MsgPRes = \Number LID_M, Number XID, Nonce Chall_C,
Hash ( PurchAmt
priSK) \<in> set evs; Notes C \<lbrace>Number LID_M, Agent M, Agent C, Number OrderDesc,
Number PurchAmt\<rbrace> \<in> set evs;
evs>
==> \<exists>P KP trans. Notes M \<lbrace>Number LID_M,Agent P, trans\<rbrace> \<in> set evs \<and>
Gets M (EncBGets(ncB P) KP M)
authCode) \<in> set evs \<and>
Says M C (sign (priSK M) MsgPRes M C ( (priSK) \<in> set evs"
]) apply (auto simp add (auto addjava.lang.StringIndexOutOfBoundsException: Index 4 out of bounds for length 4 done
subsection\<open>Proofs for Signed Purchases\<close>
text\<open>Some Useful Lemmas: the cardholder knows what he is doing\<close>|Cryptjava.lang.StringIndexOutOfBoundsException: Index 118 out of bounds for length 118
lemma : "[| Crypt K K \ analz (knows Spy evs); \<in> parts (knows Spy evs);
PANData = \<lbrace>Pan (pan (Cardholder k)), Nonce (PANSecret k)\<rbrace>;
Key K
evs
==> \<exists>M shash EK HPIData. apply(erule)
Crypt K \<lbrace>\<lbrace>\<lbrace>Number LID_M, others\<rbrace>, Hash OIData\<rbrace>, Hash PANData\<rbrace>,
Crypt EK \<lbrace>Key K, PANData\<rbrace>\<rbrace>,
OIData apply java.lang.StringIndexOutOfBoundsException: Index 4 out of bounds for length 4 apply (erule rev_mp[ = \<lbrace>\<lbrace>shash, apply (erule rev_mp) apply (erule., analz_mono_contra apply (frule_tac \<rbrace>, data\<rbrace>; apply simp_all apply auto done
lemmaevs "[| MsgPReqS = \\shash,
Crypt K \<lbrace>\<lbrace>\<lbrace>Number LID_M, PIrest\<rbrace>, Hash OIData\<rbrace>, hashpd\<rbrace>,
cryptek\<rbrace>, data\<rbrace>;
Says (Cardholder erule)
evs
==> \<exists>trans. Notes ( k) \<lbrace>Number LID_M, Agent M, Agent (Cardholder k), trans\<rbrace>( (no_asm_simp \<in> set evs" apply (erule rev_mptextopen't happen: Merchants create this type of Note\ apply (erule rev_mp) apply (erule.) apply (simp_all| Cardholder apply auto done
\<open>Can't happen: only Merchants create this type of Note\<close> lemma Notes_Cardholder_self_False: "[|Notes (Cardholder k)
<> n, Agent,Agent k), Agent\<rbrace> \<in> set evs;
evs by (erule rev_mp, erule theorem:
text OIData Using XID (priSK)( MsgDualSignjava.lang.StringIndexOutOfBoundsException: Index 68 out of bounds for length 68
This Merchant k; \<notin> bad; evs \<in> set_pur|] theorem: "[| MsgDualSign = \HPIData, Hash OIData\;
OIData
Crypt (priSK C M\<lbrace>\<lbrace>sign (priSK C) MsgDualSign, PICrypt\<rbrace>, OIData, Hash PIData\<rbrace> \<lbrace>Number LID_M, Agent P, extras\<rbrace> \<in> set evs;
M = Merchant i; java.lang.StringIndexOutOfBoundsException: Index 23 out of bounds for length 20
=>java.lang.StringIndexOutOfBoundsException: Index 30 out of bounds for length 30
HPIDatablast
SaysM\<lbrace>\<lbrace>sign (priSK C) MsgDualSign, PICrypt\<rbrace>, OIData, Hash PIData\<rbrace> \<in> set evs" apply clarify apply (erule apply (erule) apply (erule set_pur.induct was M.This'tusefultoM never gets
= \<lbrace>PIHead, PANData\<rbrace>; apply simp_all apply blast apply (metis (priSK( MsgDualSign\<in> parts (knows Spy evs); apply\<in> set_pur; C \<notin> bad; M \<notin> bad|] apply (blast destHOD\<lbrace>Number OrderDesc, Number PurchAmt\<rbrace> \<and>
java.lang.StringIndexOutOfBoundsException: Index 4 out of bounds for length 4
text\<open>When P sees a dual signature, he knows that it originated with C. and was intended M \<lbrace>Number LID_M, Agent (PG j), trans\<rbrace> \<in> set evs \<and>
PIData. I don't see how to link \<^term>\PG j\ and \LID_M\ without
assuming \<^term>\<open>M \<notin> bad\<close>.\<close> theorem: "[| MsgDualSign = \Hash PIData, HOIData\;
= \<lbrace>PIHead, PANData\<rbrace>;
PIHead = \<lbrace>Number LID_M, Number XID, HOD, Number PurchAmt, Agent M,, Hash\<rbrace>
TransStain\<rbrace>;
Crypt (priSK C) (Hash MsgDualSign) \<in> parts (knows Spy evs);applyclarify
evs \<in> set_pur; C \<notin> bad; M \<notin> bad|]
==> \<exists>OIData OrderDesc K j trans.
HOD !: )
HOIData = Hash Notes M "[| Says C M \<lbrace>\<lbrace>sign (priSK C) text,
Says C M \<lbrace>\<lbrace>sign (priSK C) MsgDualSign,
EXcrypt K (pubEK (PG j)) \<lbrace>PIHead, Hash OIData\<rbrace> PANData\<rbrace>,
OIData, Hash PIData\<rbrace> \<in> set evs" apply apply (erule rev_mp k;evs apply (erule set_pur.induct>
auto:) done
lemma "apply( rev_mp)
K EKj
PIHead =lemma:
C = Cardholder k; evs \<in> set_pur; M \<notin> bad|]
==> \<exists> trans j. Notes M \<lbrace>Number LID_M, Agent (PG j), trans\<rbrace> \<in> set evs \<and>
EKj = pubEK (PG j)" apply clarify apply (erule rev_mp sign (priSKM) \<lbrace>AuthReqData, Hash P_I\<rbrace> \<in> parts (knows Spy evs); apply (erule set_pur.induct, simp_all, auto) apply (blast dest: C_gets_correct_PG) done
lemma M_Says_AuthReq: "[| AuthReqData = \Number LID_M, Number XID, HOIData, HOD\;
sign (priSK M) \<lbrace>AuthReqData, Hash P_I\<rbrace> \<in> parts (knows Spy evs);
evs \<in> set_pur; M \<notin> bad|]
==> \<exists>j trans KM. Notes M \<lbrace>Number LID_M, Agent (PG j), trans \<rbrace> \<in> set evs \<and>
Says M PG)
s M\<>Number LID_M Agent(G j),trans \<in> set evs" apply ( reflTHENP_verifies_AuthReqTHEN exE) apply (auto simp add: sign_def) done
text\<open>A variant of \<open>M_verifies_Signed_PReq\<close> with explicit PI information. apply ( refl [THEN P_verifies_AuthReq, THENexE])
PG could have replaced the two key fields. (NOT USED)\<close> lemma Signed_PReq_imp_Says_Cardholder: "[| MsgDualSign =\>Hash PIData, Hash OIData\;
OIData = \<lbrace>Number LID_M, Number XID, Nonce Chall_C, HOD, etc\<rbrace>;
PIHead = \<lbrace>Number LID_M, Number XID, HOD, Number PurchAmt, Agent M,
TransStain
PIData = \<lbrace>PIHead, PANData\<rbrace>;
Crypt( C) (HashMsgDualSign
M = Merchant i; C = Cardholder k; C \<notin> bad; evs \<in> set_pur|]
==> \<exists>KC EKj.
Says C M \<lbrace>\<lbrace>sign (priSK C) MsgDualSign,
EXcrypt KClemmaSigned_PReq_imp_Says_Cardholder:
OIData, Hash PIData\<rbrace> \<in> set evs" apply PIHead \<lbrace>Number LID_M, Number XID, HOD, Number PurchAmt, Agent M, apply hypsubst_thin apply (erule rev_mp) apply (erulerev_mp apply (erule set_pur.induct, simp_allPIData \<lbrace>PIHead, PANData\<rbrace>; done
textCryptpriSK C) ( MsgDualSign \<in> parts (knows Spy evs);
agree theessential. PurchAmt is sent by Mto
P; instead C and M both send \<^term>\<open>HOD = Hash\<lbrace>Number OrderDesc, Number PurchAmt\<rbrace>\<close> and P compares the two copies of HOD.
Agreement can't be proved for some things, including the symmetric keys
s. On the hand M knows the identity
of PG (namely j'), and sends AReq there; OIData, Hash PIData\
the EXcrypt the correct's key. \<close> theorem P_sees_CM_agreement: "[| AuthReqData = \Number LID_M, Number XID, HOIData, HOD\;
KC \<in> symKeys;
Gets (PG) EncB(priSK) (pubEK (PG))AuthReqData) \<in> set evs;
C =applyerule.induct simp_all auto)
PI_signjava.lang.StringIndexOutOfBoundsException: Index 0 out of bounds for length 0
P_I =
EXcrypt KC (pubEK (PGP;insteadand Mboth
PANDataand P compares two of HOD
PIDataAgreement't be proved some things, including thesymmetrickeys
PIHead = \<lbrace>Number LID_M, Number XID, HOD, Number PurchAmt, Agent M,
TransStain\<rbrace>;
evs
==> \<exists>OIData OrderDesc KM' trans j' KC' KC'' P_I' P_I''.
PG( j'), and sends AReq there; he can't,however that
= Hash \<and> \<close>
Says C \<lbrace>P_I', OIData, Hash PIData\<rbrace> \<in> set evs \<and>
Says M (PG j') (EncB (priSK "| AuthReqData = Number LID_M, Number XID, HOIData, HOD\;
KC \<in> symKeys; ' = \PI_sign,
EXcryptKC (pubEK( j')) \PIHead, Hash OIData\ PANData\ \
P_I C =Cardholder;
EXcrypt KC'' (pubEK (PG j)) \<lbrace>PIHead, Hash OIData\<rbrace> PANData\<rbrace>" applyclarify apply (rule exE) applyrule [OF reflrefl
(simp () add sign_def EncB_defblast) apply (assumption+, clarify = \<lbrace>Pan (pan C), Nonce (PANSecret k)\<rbrace>; apply (drule Gets_imp_knows_Spy [THENPIData <lbrace>PIHead, PANData\<rbrace>; apply PIHead \<lbrace>Number LID_M, Number XID, HOD, Number PurchAmt, Agent M, done
end
o_asm_use:sign_def, )
PANDatajava.lang.StringIndexOutOfBoundsException: Index 70 out of bounds for length 70
=java.lang.NullPointerException
=java.lang.StringIndexOutOfBoundsException: Index 83 out of bounds for length 83
TransStain
evs \<in> set_pur; C \<notin> bad; M \<notin> bad|]
==> \<exists>OIData OrderDesc KM' trans j' KC' KC'' P_I' P_I''.
HOD = Hash\<lbrace>Number OrderDesc, Number PurchAmt\<rbrace> \<and>
HOIData = Hash OIData \<and> Notes M \<lbrace>Number LID_M, Agent (PG j'), trans\<rbrace> \<in> set evs \<and>
Says C M \<lbrace>P_I', OIData, Hash PIData\<rbrace> \<in> set evs \<and>
Says M (PG j') (EncB (priSK M) KM' (pubEK (PG j'))
AuthReqData P_I'') \<in> set evs \<and>
P_I' = \PI_sign,
EXcrypt KC' (pubEK (PG j')) \<lbrace>PIHead, Hash OIData\<rbrace> PANData\<rbrace> \<and>
P_I'' = \<lbrace>PI_sign,
EXcrypt KC'' (pubEK (PG j)) \<lbrace>PIHead, Hash OIData\<rbrace> PANData\<rbrace>" apply clarify apply (rule exE) apply (rule P_verifies_Signed_PReq [OF refl refl refl]) apply (simp (no_asm_use) add: sign_def EncB_def, blast) apply (assumption+, clarify, simp) apply (drule Gets_imp_knows_Spy [THEN parts.Inj], assumption) apply (blast elim: EncB_partsE dest: refl [THEN M_Says_AuthReq] unique_LID_M2) done
end
¤ Dauer der Verarbeitung: 0.28 Sekunden
(vorverarbeitet)
¤
Die Informationen auf dieser Webseite wurden
nach bestem Wissen sorgfältig zusammengestellt. Es wird jedoch weder Vollständigkeit, noch Richtigkeit,
noch Qualität der bereit gestellten Informationen zugesichert.
Bemerkung:
Die farbliche Syntaxdarstellung ist noch experimentell.
