| Quellcodebibliothek Statistik Leitseite products/Sources/formale Sprachen/Isabelle/HOL/Auth/Smartcard/ (Beweissystem Isabelle Version 2025-1©) Datei vom 16.11.2025 mit Größe 51 kB |
|
Quelle ShoupRubinBella.thySprache: Isabelle |
|||||||||||||||
|
(* Author: Giampaolo Bella, Catania University *) section‹Bella's modification of the Shoup-Rubin protocol› theory ShoupRubinBella imports Smartcard begin text‹The modifications are that message 7 now mentions A, while message 10 mentions Nb and B. The lack of explicitness of the original version was by investigating adherence to the principle of Goal . Only the updated version makes the goals of confidentiality, and key distribution available to both peers.› axiomatization sesK :: "nat*key => key" where (*sesK is injective on each component*) inj_sesK [iff]: "(sesK(m,k) = sesK(m',k')) = (m = m' ∧ k = k')" and (*all long-term keys differ from sesK*) shrK_disj_sesK [iff]: "shrK A ≠ sesK(m,pk)" and crdK_disj_sesK [iff]: "crdK C ≠ sesK(m,pk)" and pin_disj_sesK [iff]: "pin P ≠ sesK(m,pk)" and pairK_disj_sesK[iff]: "pairK(A,B) ≠ sesK(m,pk)" and (*needed for base case in analz_image_freshK*) Atomic_distrib [iff]: "Atomic`(KEY`K ∪ NONCE`N) = Atomic`(KEY`K) ∪ Atomic`(NONCE`N)" and (*this protocol makes the assumption of secure means between each agent and his smartcard*) shouprubin_assumes_securemeans [iff]: "evs ∈ srb ==> secureM" definition Unique :: "[event, event list] => bool" (‹Unique _ on _›) where "Unique ev on evs == ev ∉ set (tl (dropWhile (% z. z ≠ ev) evs))" inductive_set srb :: "event list set" where Nil: "[]∈ srb" | Fake: "[ evsF ∈ srb; X ∈ synth (analz (knows Spy evsF)); illegalUse(Card B) ] ==> Says Spy A X # Inputs Spy (Card B) X # evsF ∈ srb" (*In general this rule causes the assumption Card B \<notin> cloned in most guarantees for B - starting with confidentiality - otherwise pairK_confidential could not apply*) | Forge: "[ evsFo ∈ srb; Nonce Nb ∈ analz (knows Spy evsFo); Key (pairK(A,B)) ∈ knows Spy evsFo ] ==> Notes Spy (Key (sesK(Nb,pairK(A,B)))) # evsFo ∈ srb" | Reception: "[ evsrb∈ srb; Says A B X ∈ set evsrb ] ==> Gets B X # evsrb ∈ srb" (*A AND THE SERVER*) | SR_U1: "[ evs1 ∈ srb; A ≠ Server ] ==> Says A Server {Agent A, Agent B} # evs1 ∈ srb" | SR_U2: "[ evs2 ∈ srb; Gets Server {Agent A, Agent B} ∈ set evs2 ] ==> Says Server A {Nonce (Pairkey(A,B)), Crypt (shrK A) {Nonce (Pairkey(A,B)), Agent B} } # evs2 ∈ srb" (*A AND HER CARD*) (*A cannot decrypt the verifier for she dosn't know shrK A, but the pairkey is recognisable*) | SR_U3: "[ evs3 ∈ srb; legalUse(Card A); Says A Server {Agent A, Agent B} ∈ set evs3; Gets A {Nonce Pk, Certificate} ∈ set evs3 ] ==> Inputs A (Card A) (Agent A) # evs3 ∈ srb" (*however A only queries her card if she has previously contacted the server to initiate with some B. Otherwise she would do so even if the Server had not been active. Still, this doesn't and can't mean that the pairkey originated with the server*) (*The card outputs the nonce Na to A*) | SR_U4: "[ evs4 ∈ srb; Nonce Na ∉ used evs4; legalUse(Card A); A ≠ Server; Inputs A (Card A) (Agent A) ∈ set evs4 ] ==> Outpts (Card A) A {Nonce Na, Crypt (crdK (Card A)) (Nonce Na)} # evs4 ∈ srb" (*The card can be exploited by the spy*) (*because of the assumptions on the card, A is certainly not server nor spy*) | SR_U4Fake: "[ evs4F ∈ srb; Nonce Na ∉ used evs4F; illegalUse(Card A); Inputs Spy (Card A) (Agent A) ∈ set evs4F ] ==> Outpts (Card A) Spy {Nonce Na, Crypt (crdK (Card A)) (Nonce Na)} # evs4F ∈ srb" (*A TOWARDS B*) | SR_U5: "[ evs5 ∈ srb; Outpts (Card A) A {Nonce Na, Certificate} ∈ set evs5; ∀ p q. Certificate ≠ {p, q} ] ==> Says A B {Agent A, Nonce Na} # evs5 ∈ srb" (*A must check that the verifier is not a compound message, otherwise this would also fire after SR_U7 *) (*B AND HIS CARD*) | SR_U6: "[ evs6 ∈ srb; legalUse(Card B); Gets B {Agent A, Nonce Na} ∈ set evs6 ] ==> Inputs B (Card B) {Agent A, Nonce Na} # evs6 ∈ srb" (*B gets back from the card the session key and various verifiers*) | SR_U7: "[ evs7 ∈ srb; Nonce Nb ∉ used evs7; legalUse(Card B); B ≠ Server; K = sesK(Nb,pairK(A,B)); Key K ∉ used evs7; Inputs B (Card B) {Agent A, Nonce Na} ∈ set evs7] ==> Outpts (Card B) B {Nonce Nb, Agent A, Key K, Crypt (pairK(A,B)) {Nonce Na, Nonce Nb}, Crypt (pairK(A,B)) (Nonce Nb)} # evs7 ∈ srb" (*The card can be exploited by the spy*) (*because of the assumptions on the card, A is certainly not server nor spy*) | SR_U7Fake: "[ evs7F ∈ srb; Nonce Nb ∉ used evs7F; illegalUse(Card B); K = sesK(Nb,pairK(A,B)); Key K ∉ used evs7F; Inputs Spy (Card B) {Agent A, Nonce Na} ∈ set evs7F ] ==> Outpts (Card B) Spy {Nonce Nb, Agent A, Key K, Crypt (pairK(A,B)) {Nonce Na, Nonce Nb}, Crypt (pairK(A,B)) (Nonce Nb)} # evs7F ∈ srb" (*B TOWARDS A*) (*having sent an input that mentions A is the only memory B relies on, since the output doesn't mention A - lack of explicitness*) | SR_U8: "[ evs8 ∈ srb; Inputs B (Card B) {Agent A, Nonce Na} ∈ set evs8; Outpts (Card B) B {Nonce Nb, Agent A, Key K, Cert1, Cert2} ∈ set evs8 ] ==> Says B A {Nonce Nb, Cert1} # evs8 ∈ srb" (*A AND HER CARD*) (*A cannot check the form of the verifiers - although I can prove the form of Cert2 - and just feeds her card with what she's got*) | SR_U9: "[ evs9 ∈ srb; legalUse(Card A); Gets A {Nonce Pk, Cert1} ∈ set evs9; Outpts (Card A) A {Nonce Na, Cert2} ∈ set evs9; Gets A {Nonce Nb, Cert3} ∈ set evs9; ∀ p q. Cert2 ≠ {p, q} ] ==> Inputs A (Card A) {Agent B, Nonce Na, Nonce Nb, Nonce Pk, Cert1, Cert3, Cert2} # evs9 ∈ srb" (*But the card will only give outputs to the inputs of the correct form*) | SR_U10: "[ evs10 ∈ srb; legalUse(Card A); A ≠ Server; K = sesK(Nb,pairK(A,B)); Inputs A (Card A) {Agent B, Nonce Na, Nonce Nb, Nonce (Pairkey(A,B)), Crypt (shrK A) {Nonce (Pairkey(A,B)), Agent B}, Crypt (pairK(A,B)) {Nonce Na, Nonce Nb}, Crypt (crdK (Card A)) (Nonce Na)} ∈ set evs10 ] ==> Outpts (Card A) A {Agent B, Nonce Nb, Key K, Crypt (pairK(A,B)) (Nonce Nb)} # evs10 ∈ srb" (*The card can be exploited by the spy*) (*because of the assumptions on the card, A is certainly not server nor spy*) | SR_U10Fake: "[ evs10F ∈ srb; illegalUse(Card A); K = sesK(Nb,pairK(A,B)); Inputs Spy (Card A) {Agent B, Nonce Na, Nonce Nb, Nonce (Pairkey(A,B)), Crypt (shrK A) {Nonce (Pairkey(A,B)), Agent B}, Crypt (pairK(A,B)) {Nonce Na, Nonce Nb}, Crypt (crdK (Card A)) (Nonce Na)} ∈ set evs10F ] ==> Outpts (Card A) Spy {Agent B, Nonce Nb, Key K, Crypt (pairK(A,B)) (Nonce Nb)} # evs10F ∈ srb" (*A TOWARDS B*) (*having initiated with B is the only memory A relies on, since the output doesn't mention B - lack of explicitness*) | SR_U11: "[ evs11 ∈ srb; Says A Server {Agent A, Agent B} ∈ set evs11; Outpts (Card A) A {Agent B, Nonce Nb, Key K, Certificate} ∈ set evs11 ] ==> Says A B (Certificate) # evs11 ∈ srb" (*Both peers may leak by accident the session keys obtained from their cards*) | Oops1: "[ evsO1 ∈ srb; Outpts (Card B) B {Nonce Nb, Agent A, Key K, Cert1, Cert2} ∈ set evsO1 ] ==> Notes Spy {Key K, Nonce Nb, Agent A, Agent B} # evsO1 ∈ srb" | Oops2: "[ evsO2 ∈ srb; Outpts (Card A) A {Agent B, Nonce Nb, Key K, Certificate} ∈ set evsO2 ] ==> Notes Spy {Key K, Nonce Nb, Agent A, Agent B} # evsO2 ∈ srb" (*To solve Fake case when it doesn't involve analz - used to be condensed into Fake_parts_insert_tac*) declare Fake_parts_insert_in_Un [dest] declare analz_into_parts [dest] (*declare parts_insertI [intro]*) (*General facts about message reception*) lemma Gets_imp_Says: "[ Gets B X ∈ set evs; evs ∈ srb ] ==> ∃ A. Says A B X ∈ set evs" apply (erule rev_mp, erule srb.induct) apply auto done lemma Gets_imp_knows_Spy: "[ Gets B X ∈ set evs; evs ∈ srb ] ==> X ∈ knows Spy evs" apply (blast dest!: Gets_imp_Says Says_imp_knows_Spy) done lemma Gets_imp_knows_Spy_parts_Snd: "[ Gets B {X, Y} ∈ set evs; evs ∈ srb ] ==> Y ∈ parts (knows Spy evs)" apply (blast dest!: Gets_imp_Says Says_imp_knows_Spy parts.Inj parts.Snd) done lemma Gets_imp_knows_Spy_analz_Snd: "[ Gets B {X, Y} ∈ set evs; evs ∈ srb ] ==> Y ∈ analz (knows Spy evs)" apply (blast dest!: Gets_imp_Says Says_imp_knows_Spy analz.Inj analz.Snd) done (*end general facts*) (*Begin lemmas on secure means, from Event.thy, proved for shouprubin. They help the simplifier, especially in analz_image_freshK*) lemma Inputs_imp_knows_Spy_secureM_srb: "[ Inputs Spy C X ∈ set evs; evs ∈ srb ] ==> X ∈ knows Spy evs" apply (simp (no_asm_simp) add: Inputs_imp_knows_Spy_secureM) done lemma knows_Spy_Inputs_secureM_srb_Spy: "evs ∈srb ==> knows Spy (Inputs Spy C X # evs) = insert X (knows Spy evs)" apply (simp (no_asm_simp)) done lemma knows_Spy_Inputs_secureM_srb: "[ A ≠ Spy; evs ∈srb ] ==> knows Spy (Inputs A C X # evs) = knows Spy evs" apply (simp (no_asm_simp)) done lemma knows_Spy_Outpts_secureM_srb_Spy: "evs ∈srb ==> knows Spy (Outpts C Spy X # evs) = insert X (knows Spy evs)" apply (simp (no_asm_simp)) done lemma knows_Spy_Outpts_secureM_srb: "[ A ≠ Spy; evs ∈srb ] ==> knows Spy (Outpts C A X # evs) = knows Spy evs" apply (simp (no_asm_simp)) done (*End lemmas on secure means for shouprubin*) (*BEGIN technical lemmas - evolution of forwarding lemmas*) (*If an honest agent uses a smart card, then the card is his/her own, is not stolen, and the agent has received suitable data to feed the card. In other words, these are guarantees that an honest agent can only use his/her own card, and must use it correctly. On the contrary, the spy can "Inputs" any cloned cards also by the Fake rule. Instead of Auto_tac, proofs here used to asm-simplify and then force-tac. *) lemma Inputs_A_Card_3: "[ Inputs A C (Agent A) ∈ set evs; A ≠ Spy; evs ∈ srb ] ==> legalUse(C) ∧ C = (Card A) ∧ (∃ Pk Certificate. Gets A {Pk, Certificate} ∈ set evs)" apply (erule rev_mp, erule srb.induct) apply auto done lemma Inputs_B_Card_6: "[ Inputs B C {Agent A, Nonce Na} ∈ set evs; B ≠ Spy; evs ∈ srb ] ==> legalUse(C) ∧ C = (Card B) ∧ Gets B {Agent A, Nonce Na} ∈ set evs" apply (erule rev_mp, erule srb.induct) apply auto done lemma Inputs_A_Card_9: "[ Inputs A C {Agent B, Nonce Na, Nonce Nb, Nonce Pk, Cert1, Cert2, Cert3} ∈ set evs; A ≠ Spy; evs ∈ srb ] ==> legalUse(C) ∧ C = (Card A) ∧ Gets A {Nonce Pk, Cert1} ∈ set evs ∧ Outpts (Card A) A {Nonce Na, Cert3} ∈ set evs ∧ Gets A {Nonce Nb, Cert2} ∈ set evs" apply (erule rev_mp, erule srb.induct) apply auto done (*The two occurrences of A in the Outpts event don't match SR_U4Fake, where A cannot be the Spy. Hence the card is legally usable by rule SR_U4*) lemma Outpts_A_Card_4: "[ Outpts C A {Nonce Na, (Crypt (crdK (Card A)) (Nonce Na))} ∈ set evs; evs ∈ srb ] ==> legalUse(C) ∧ C = (Card A) ∧ Inputs A (Card A) (Agent A) ∈ set evs" apply (erule rev_mp, erule srb.induct) apply auto done (*First certificate is made explicit so that a comment similar to the previous applies. This also provides Na to the Inputs event in the conclusion*) lemma Outpts_B_Card_7: "[ Outpts C B {Nonce Nb, Agent A, Key K, Crypt (pairK(A,B)) {Nonce Na, Nonce Nb}, Cert2} ∈ set evs; evs ∈ srb ] ==> legalUse(C) ∧ C = (Card B) ∧ Inputs B (Card B) {Agent A, Nonce Na} ∈ set evs" apply (erule rev_mp, erule srb.induct) apply auto done lemma Outpts_A_Card_10: "[ Outpts C A {Agent B, Nonce Nb, Key K, (Crypt (pairK(A,B)) (Nonce Nb))} ∈ set evs; evs ∈ srb ] ==> legalUse(C) ∧ C = (Card A) ∧ (∃ Na Ver1 Ver2 Ver3. Inputs A (Card A) {Agent B, Nonce Na, Nonce Nb, Nonce (Pairkey(A,B)), Ver1, Ver2, Ver3} ∈ set evs)" apply (erule rev_mp, erule srb.induct) apply auto done (* Contrarily to original version, A doesn't need to check the form of the certificate to learn that her peer is B. The goal is available to A. *) lemma Outpts_A_Card_10_imp_Inputs: "[ Outpts (Card A) A {Agent B, Nonce Nb, Key K, Certificate} ∈ set evs; evs ∈ srb ] ==> (∃ Na Ver1 Ver2 Ver3. Inputs A (Card A) {Agent B, Nonce Na, Nonce Nb, Nonce (Pairkey(A,B)), Ver1, Ver2, Ver3} ∈ set evs)" apply (erule rev_mp, erule srb.induct) apply simp_all apply blast+ done (*Weaker version: if the agent can't check the forms of the verifiers, then the agent must not be the spy so as to solve SR_U4Fake. The verifier must be recognised as some cyphertex in order to distinguish from case SR_U7, concerning B's output, which also begins with a nonce. *) lemma Outpts_honest_A_Card_4: "[ Outpts C A {Nonce Na, Crypt K X} ∈set evs; A ≠ Spy; evs ∈ srb ] ==> legalUse(C) ∧ C = (Card A) ∧ Inputs A (Card A) (Agent A) ∈ set evs" apply (erule rev_mp, erule srb.induct) apply auto done (*alternative formulation of same theorem Goal "\<lbrakk> Outpts C A \<lbrace>Nonce Na, Certificate\<rbrace> \<in> set evs; \<forall> p q. Certificate \<noteq> \<lbrace>p, q\<rbrace>; A \<noteq> Spy; evs \<in> srb \<rbrakk> \<Longrightarrow> legalUse(C) \<and> C = (Card A) \<and> Inputs A (Card A) (Agent A) \<in> set evs" same proof *) lemma Outpts_honest_B_Card_7: "[ Outpts C B {Nonce Nb, Agent A, Key K, Cert1, Cert2} ∈ set evs; B ≠ Spy; evs ∈ srb ] ==> legalUse(C) ∧ C = (Card B) ∧ (∃ Na. Inputs B (Card B) {Agent A, Nonce Na} ∈ set evs)" apply (erule rev_mp, erule srb.induct) apply auto done lemma Outpts_honest_A_Card_10: "[ Outpts C A {Agent B, Nonce Nb, Key K, Certificate} ∈ set evs; A ≠ Spy; evs ∈ srb ] ==> legalUse (C) ∧ C = (Card A) ∧ (∃ Na Pk Ver1 Ver2 Ver3. Inputs A (Card A) {Agent B, Nonce Na, Nonce Nb, Pk, Ver1, Ver2, Ver3} ∈ set evs)" apply (erule rev_mp, erule srb.induct) apply simp_all apply blast+ done (*-END-*) (*Even weaker versions: if the agent can't check the forms of the verifiers and the agent may be the spy, then we must know what card the agent is getting the output from. *) lemma Outpts_which_Card_4: "[ Outpts (Card A) A {Nonce Na, Crypt K X} ∈ set evs; evs ∈ srb ] ==> Inputs A (Card A) (Agent A) ∈ set evs" apply (erule rev_mp, erule srb.induct) apply (simp_all (no_asm_simp)) apply clarify done lemma Outpts_which_Card_7: "[ Outpts (Card B) B {Nonce Nb, Agent A, Key K, Cert1, Cert2} ∈ set evs; evs ∈ srb ] ==> ∃ Na. Inputs B (Card B) {Agent A, Nonce Na} ∈ set evs" apply (erule rev_mp, erule srb.induct) apply auto done (*This goal is now available - in the sense of Goal Availability*) lemma Outpts_which_Card_10: "[ Outpts (Card A) A {Agent B, Nonce Nb, Key K, Certificate } ∈ set evs; evs ∈ srb ] ==> ∃ Na. Inputs A (Card A) {Agent B, Nonce Na, Nonce Nb, Nonce (Pairkey(A,B)), Crypt (shrK A) {Nonce (Pairkey(A,B)), Agent B}, Crypt (pairK(A,B)) {Nonce Na, Nonce Nb}, Crypt (crdK (Card A)) (Nonce Na) } ∈ set evs" apply (erule rev_mp, erule srb.induct) apply auto done (*Lemmas on the form of outputs*) (*A needs to check that the verifier is a cipher for it to come from SR_U4 otherwise it could come from SR_U7 *) lemma Outpts_A_Card_form_4: "[ Outpts (Card A) A {Nonce Na, Certificate} ∈ set evs; ∀ p q. Certificate ≠ {p, q}; evs ∈ srb ] ==> Certificate = (Crypt (crdK (Card A)) (Nonce Na))" apply (erule rev_mp, erule srb.induct) apply (simp_all (no_asm_simp)) done lemma Outpts_B_Card_form_7: "[ Outpts (Card B) B {Nonce Nb, Agent A, Key K, Cert1, Cert2} ∈ set evs; evs ∈ srb ] ==> ∃ Na. K = sesK(Nb,pairK(A,B)) ∧ Cert1 = (Crypt (pairK(A,B)) {Nonce Na, Nonce Nb}) ∧ Cert2 = (Crypt (pairK(A,B)) (Nonce Nb))" apply (erule rev_mp, erule srb.induct) apply auto done lemma Outpts_A_Card_form_10: "[ Outpts (Card A) A {Agent B, Nonce Nb, Key K, Certificate} ∈ set evs; evs ∈ srb ] ==> K = sesK(Nb,pairK(A,B)) ∧ Certificate = (Crypt (pairK(A,B)) (Nonce Nb))" apply (erule rev_mp, erule srb.induct) apply (simp_all (no_asm_simp)) done lemma Outpts_A_Card_form_bis: "[ Outpts (Card A') A' {Agent B', Nonce Nb', Key (sesK(Nb,pairK(A,B))), Certificate} ∈ set evs; evs ∈ srb ] ==> A' = A ∧ B' = B ∧ Nb = Nb' ∧ Certificate = (Crypt (pairK(A,B)) (Nonce Nb))" apply (erule rev_mp, erule srb.induct) apply (simp_all (no_asm_simp)) done (*\<dots> and Inputs *) lemma Inputs_A_Card_form_9: "[ Inputs A (Card A) {Agent B, Nonce Na, Nonce Nb, Nonce Pk, Cert1, Cert2, Cert3} ∈ set evs; evs ∈ srb ] ==> Cert3 = Crypt (crdK (Card A)) (Nonce Na)" apply (erule rev_mp) apply (erule srb.induct) apply (simp_all (no_asm_simp)) (*Fake*) apply force (*SR_U9*) apply (blast dest!: Outpts_A_Card_form_4) done (* Pk, Cert1, Cert2 cannot be made explicit because they traversed the network in the clear *) (*General guarantees on Inputs and Outpts*) (*for any agents*) lemma Inputs_Card_legalUse: "[ Inputs A (Card A) X ∈ set evs; evs ∈ srb ] ==> legalUse(Card A)" apply (erule rev_mp, erule srb.induct) apply auto done lemma Outpts_Card_legalUse: "[ Outpts (Card A) A X ∈ set evs; evs ∈ srb ] ==> legalUse(Card A)" apply (erule rev_mp, erule srb.induct) apply auto done (*for honest agents*) lemma Inputs_Card: "[ Inputs A C X ∈ set evs; A ≠ Spy; evs ∈ srb ] ==> C = (Card A) ∧ legalUse(C)" apply (erule rev_mp, erule srb.induct) apply auto done lemma Outpts_Card: "[ Outpts C A X ∈ set evs; A ≠ Spy; evs ∈ srb ] ==> C = (Card A) ∧ legalUse(C)" apply (erule rev_mp, erule srb.induct) apply auto done lemma Inputs_Outpts_Card: "[ Inputs A C X ∈ set evs ∨ Outpts C A Y ∈ set evs; A ≠ Spy; evs ∈ srb ] ==> C = (Card A) ∧ legalUse(Card A)" apply (blast dest: Inputs_Card Outpts_Card) done (*for the spy - they stress that the model behaves as it is meant to*) (*The or version can be also proved directly. It stresses that the spy may use either her own legally usable card or all the illegally usable cards. *) lemma Inputs_Card_Spy: "[ Inputs Spy C X ∈ set evs ∨ Outpts C Spy X ∈ set evs; evs ∈ srb ] ==> C = (Card Spy) ∧ legalUse(Card Spy) ∨ (∃ A. C = (Card A) ∧ illegalUse(Card A))" apply (erule rev_mp, erule srb.induct) apply auto done (*END technical lemmas*) (*BEGIN unicity theorems: certain items uniquely identify a smart card's output*) (*A's card's first output: the nonce uniquely identifies the rest*) lemma Outpts_A_Card_unique_nonce: "[ Outpts (Card A) A {Nonce Na, Crypt (crdK (Card A)) (Nonce Na)} ∈ set evs; Outpts (Card A') A' {Nonce Na, Crypt (crdK (Card A')) (Nonce Na)} ∈ set evs; evs ∈ srb ] ==> A=A'" apply (erule rev_mp, erule rev_mp, erule srb.induct, simp_all) apply (fastforce dest: Outpts_parts_used) apply blast done (*B's card's output: the NONCE uniquely identifies the rest*) lemma Outpts_B_Card_unique_nonce: "[ Outpts (Card B) B {Nonce Nb, Agent A, Key SK, Cert1, Cert2} ∈ set evs; Outpts (Card B') B' {Nonce Nb, Agent A', Key SK', Cert1', Cert2'} ∈ set evs; evs ∈ srb ] ==> B=B' ∧ A=A' ∧ SK=SK' ∧ Cert1=Cert1' ∧ Cert2=Cert2'" apply (erule rev_mp, erule rev_mp, erule srb.induct, simp_all) apply (fastforce dest: Outpts_parts_used) apply blast done (*B's card's output: the SESKEY uniquely identifies the rest*) lemma Outpts_B_Card_unique_key: "[ Outpts (Card B) B {Nonce Nb, Agent A, Key SK, Cert1, Cert2} ∈ set evs; Outpts (Card B') B' {Nonce Nb', Agent A', Key SK, Cert1', Cert2'} ∈ set evs; evs ∈ srb ] ==> B=B' ∧ A=A' ∧ Nb=Nb' ∧ Cert1=Cert1' ∧ Cert2=Cert2'" apply (erule rev_mp, erule rev_mp, erule srb.induct, simp_all) apply (fastforce dest: Outpts_parts_used) apply blast done lemma Outpts_A_Card_unique_key: "[ Outpts (Card A) A {Agent B, Nonce Nb, Key K, V} ∈ set evs; Outpts (Card A') A' {Agent B', Nonce Nb', Key K, V'} ∈ set evs; evs ∈ srb ] ==> A=A' ∧ B=B' ∧ Nb=Nb' ∧ V=V'" apply (erule rev_mp, erule rev_mp, erule srb.induct, simp_all) apply (blast dest: Outpts_A_Card_form_bis) apply blast done (*Revised unicity theorem - applies to both steps 4 and 7*) lemma Outpts_A_Card_Unique: "[ Outpts (Card A) A {Nonce Na, rest} ∈ set evs; evs ∈ srb ] ==> Unique (Outpts (Card A) A {Nonce Na, rest}) on evs" apply (erule rev_mp, erule srb.induct, simp_all add: Unique_def) apply (fastforce dest: Outpts_parts_used) apply blast apply (fastforce dest: Outpts_parts_used) apply blast done (*can't prove the same on evs10 for it doesn't have a freshness assumption!*) (*END unicity theorems*) (*BEGIN counterguarantees about spy's knowledge*) (*on nonces*) lemma Spy_knows_Na: "[ Says A B {Agent A, Nonce Na} ∈ set evs; evs ∈ srb ] ==> Nonce Na ∈ analz (knows Spy evs)" apply (blast dest!: Says_imp_knows_Spy [THEN analz.Inj, THEN analz.Snd]) done lemma Spy_knows_Nb: "[ Says B A {Nonce Nb, Certificate} ∈ set evs; evs ∈ srb ] ==> Nonce Nb ∈ analz (knows Spy evs)" apply (blast dest!: Says_imp_knows_Spy [THEN analz.Inj, THEN analz.Fst]) done (*on Pairkey*) lemma Pairkey_Gets_analz_knows_Spy: "[ Gets A {Nonce (Pairkey(A,B)), Certificate} ∈ set evs; evs ∈ srb ] ==> Nonce (Pairkey(A,B)) ∈ analz (knows Spy evs)" apply (blast dest!: Gets_imp_knows_Spy [THEN analz.Inj]) done lemma Pairkey_Inputs_imp_Gets: "[ Inputs A (Card A) {Agent B, Nonce Na, Nonce Nb, Nonce (Pairkey(A,B)), Cert1, Cert3, Cert2} ∈ set evs; A ≠ Spy; evs ∈ srb ] ==> Gets A {Nonce (Pairkey(A,B)), Cert1} ∈ set evs" apply (erule rev_mp, erule srb.induct) apply (simp_all (no_asm_simp)) apply force done lemma Pairkey_Inputs_analz_knows_Spy: "[ Inputs A (Card A) {Agent B, Nonce Na, Nonce Nb, Nonce (Pairkey(A,B)), Cert1, Cert3, Cert2} ∈ set evs; evs ∈ srb ] ==> Nonce (Pairkey(A,B)) ∈ analz (knows Spy evs)" apply (case_tac "A = Spy") apply (fastforce dest!: Inputs_imp_knows_Spy_secureM [THEN analz.Inj]) apply (blast dest!: Pairkey_Inputs_imp_Gets [THEN Pairkey_Gets_analz_knows_Spy]) done (* This fails on base case because of XOR properties. lemma Pairkey_authentic: "\<lbrakk> Nonce (Pairkey(A,B)) \<in> parts (knows Spy evs); Card A \<notin> cloned; evs \<in> sr \<rbrakk> \<Longrightarrow> \<exists> cert. Says Server A \<lbrace>Nonce (Pairkey(A,B)), Cert\<rbrace> \<in> s apply (erule rev_mp) apply (erule sr.induct, simp_all) apply clarify oops 1. \<And>x a b. \<lbrakk>Card A \<notin> cloned; Pairkey (A, B) = Pairkey (a, b); Card a \<in> cloned; Card b \<in> cloned\<rbrakk> \<Longrightarrow> False *) (*END counterguarantees on spy's knowledge*) (*BEGIN rewrite rules for parts operator*) declare shrK_disj_sesK [THEN not_sym, iff] declare pin_disj_sesK [THEN not_sym, iff] declare crdK_disj_sesK [THEN not_sym, iff] declare pairK_disj_sesK [THEN not_sym, iff] ML ‹ ShoupRubinBella = prepare_tac ctxt = (*SR_U8*) forward_tac ctxt [@{thm Outpts_B_Card_form_7}] 14 THEN (*SR_U8*) clarify_tac ctxt 15 THEN (*SR_U9*) forward_tac ctxt [@{thm Outpts_A_Card_form_4}] 16 THEN (*SR_U11*) forward_tac ctxt [@{thm Outpts_A_Card_form_10}] 21 fun parts_prepare_tac ctxt = prepare_tac ctxt THEN (*SR_U9*) dresolve_tac ctxt [@{thm Gets_imp_knows_Spy_parts_Snd}] 18 THEN (*SR_U9*) dresolve_tac ctxt [@{thm Gets_imp_knows_Spy_parts_Snd}] 19 THEN (*Oops1*) dresolve_tac ctxt [@{thm Outpts_B_Card_form_7}] 25 THEN (*Oops2*) dresolve_tac ctxt [@{thm Outpts_A_Card_form_10}] 27 THEN (*Base*) (force_tac ctxt) 1 fun analz_prepare_tac ctxt = prepare_tac ctxt THEN dresolve_tac ctxt @{thms Gets_imp_knows_Spy_analz_Snd} 18 THEN (*SR_U9*) dresolve_tac ctxt @{thms Gets_imp_knows_Spy_analz_Snd} 19 THEN REPEAT_FIRST (eresolve_tac ctxt [asm_rl, conjE] ORELSE' hyp_subst_tac ctxt) end › method_setup prepare = ‹ Scan.succeed (fn ctxt => SIMPLE_METHOD (ShoupRubinBella.prepare_tac ctxt))\<close> "to launch a few simple facts that will help the simplifier" method_setup parts_prepare = \<open> Scan.succeed (fn ctxt => SIMPLE_METHOD (ShoupRubinBella.parts_prepare_tac ctxt))\<close> "additional facts to reason about parts" method_setup analz_prepare = \<open> Scan.succeed (fn ctxt => SIMPLE_METHOD (ShoupRubinBella.analz_prepare_tac ctxt))\<close> "additional facts to reason about analz" lemma Spy_parts_keys [simp]: "evs \<in> srb \<Longrightarrow> (Key (shrK P) \<in> parts (knows Spy evs)) = (Card P \<in> cloned) \<and> (Key (pin P) \<in> parts (knows Spy evs)) = (P \<in> bad \<or> Card P \<in> cloned) \<and> (Key (crdK C) \<in> parts (knows Spy evs)) = (C \<in> cloned) \<and> (Key (pairK(A,B)) \<in> parts (knows Spy evs)) = (Card B \<in> cloned)" apply (erule srb.induct) apply parts_prepare apply simp_all apply (blast intro: parts_insertI) done (*END rewrite rules for parts operator*) (*BEGIN rewrite rules for analz operator*) lemma Spy_analz_shrK[simp]: "evs ∈ srb ==> (Key (shrK P) ∈ analz (knows Spy evs)) = (Card P ∈ cloned)" apply (auto dest!: Spy_knows_cloned) done lemma Spy_analz_crdK[simp]: "evs ∈ srb ==> (Key (crdK C) ∈ analz (knows Spy evs)) = (C ∈ cloned)" apply (auto dest!: Spy_knows_cloned) done lemma Spy_analz_pairK[simp]: "evs ∈ srb ==> (Key (pairK(A,B)) ∈ analz (knows Spy evs)) = (Card B ∈ cloned)" apply (auto dest!: Spy_knows_cloned) done (*Because initState contains a set of nonces, this is needed for base case of analz_image_freshK*) lemma analz_image_Key_Un_Nonce: "analz (Key ` K ∪ Nonce ` N) = Key ` K ∪ Nonce ` N" by (auto simp del: parts_image) method_setup sc_analz_freshK = ‹ Scan.succeed (fn ctxt => (SIMPLE_METHOD (EVERY [REPEAT_FIRST (resolve_tac ctxt @{thms allI ballI impI}), REPEAT_FIRST (resolve_tac ctxt @{thms analz_image_freshK_lemma}), ALLGOALS (asm_simp_tac (put_simpset Smartcard.analz_image_freshK_ss ctxt |> Simplifier.add_simps [@{thm knows_Spy_Inputs_secureM_srb_Spy}, @{thm knows_Spy_Outpts_secureM_srb_Spy}, @{thm shouprubin_assumes_securemeans}, @{thm analz_image_Key_Un_Nonce}]))])))› "for proving the Session Key Compromise theorem for smartcard protocols" lemma analz_image_freshK [rule_format]: "evs ∈ srb ==> ∀ K KK. (Key K ∈ analz (Key`KK ∪ (knows Spy evs))) = (K ∈ KK ∨ Key K ∈ analz (knows Spy evs))" apply (erule srb.induct) apply analz_prepare apply sc_analz_freshK apply spy_analz done lemma analz_insert_freshK: "evs ∈ srb ==> Key K ∈ analz (insert (Key K') (knows Spy evs)) = (K = K' ∨ Key K ∈ analz (knows Spy evs))" apply (simp only: analz_image_freshK_simps analz_image_freshK) done (*END rewrite rules for analz operator*) (*BEGIN authenticity theorems*) lemma Na_Nb_certificate_authentic: "[ Crypt (pairK(A,B)) {Nonce Na, Nonce Nb} ∈ parts (knows Spy evs); ¬illegalUse(Card B); evs ∈ srb ] ==> Outpts (Card B) B {Nonce Nb, Agent A, Key (sesK(Nb,pairK(A,B))), Crypt (pairK(A,B)) {Nonce Na, Nonce Nb}, Crypt (pairK(A,B)) (Nonce Nb)} ∈ set evs" apply (erule rev_mp, erule srb.induct) apply parts_prepare apply simp_all (*Fake*) apply spy_analz (*SR_U7F*) apply clarify (*SR_U8*) apply clarify done lemma Nb_certificate_authentic: "[ Crypt (pairK(A,B)) (Nonce Nb) ∈ parts (knows Spy evs); B ≠ Spy; ¬illegalUse(Card A); ¬illegalUse(Card B); evs ∈ srb ] ==> Outpts (Card A) A {Agent B, Nonce Nb, Key (sesK(Nb,pairK(A,B))), Crypt (pairK(A,B)) (Nonce Nb)} ∈ set evs" apply (erule rev_mp, erule srb.induct) apply parts_prepare apply (case_tac [17] "Aa = Spy") apply simp_all (*Fake*) apply spy_analz (*SR_U7F, SR_U10F*) apply clarify+ done (*Discovering the very origin of the Nb certificate...*) lemma Outpts_A_Card_imp_pairK_parts: "[ Outpts (Card A) A {Agent B, Nonce Nb, Key K, Certificate} ∈ set evs; evs ∈ srb ] ==> ∃ Na. Crypt (pairK(A,B)) {Nonce Na, Nonce Nb} ∈ parts (knows Spy evs)" apply (erule rev_mp, erule srb.induct) apply parts_prepare apply simp_all (*Fake*) apply (blast dest: parts_insertI) (*SR_U7*) apply force (*SR_U7F*) apply force (*SR_U8*) apply blast (*SR_U10*) apply (blast dest: Inputs_imp_knows_Spy_secureM_srb parts.Inj Inputs_A_Card_9 Gets_imp (*SR_U10F*) apply (blast dest: Inputs_imp_knows_Spy_secureM_srb [THEN parts.Inj] Inputs_A_Card_9 Gets_imp_knows_Spy elim: knows_Spy_partsEs) done lemma Nb_certificate_authentic_bis: "[ Crypt (pairK(A,B)) (Nonce Nb) ∈ parts (knows Spy evs); B ≠ Spy; ¬illegalUse(Card B); evs ∈ srb ] ==> ∃ Na. Outpts (Card B) B {Nonce Nb, Agent A, Key (sesK(Nb,pairK(A,B))), Crypt (pairK(A,B)) {Nonce Na, Nonce Nb}, Crypt (pairK(A,B)) (Nonce Nb)} ∈ set evs" apply (erule rev_mp, erule srb.induct) apply parts_prepare apply (simp_all (no_asm_simp)) (*Fake*) apply spy_analz (*SR_U7*) apply blast (*SR_U7F*) apply blast (*SR_U8*) apply force (*SR_U10*) apply (blast dest: Na_Nb_certificate_authentic Inputs_imp_knows_Spy_secureM_srb [THEN (*SR_U10F*) apply (blast dest: Na_Nb_certificate_authentic Inputs_imp_knows_Spy_secureM_srb [THEN (*SR_U11*) apply (blast dest: Na_Nb_certificate_authentic Outpts_A_Card_imp_pairK_parts) done lemma Pairkey_certificate_authentic: "[ Crypt (shrK A) {Nonce Pk, Agent B} ∈ parts (knows Spy evs); Card A ∉ cloned; evs ∈ srb ] ==> Pk = Pairkey(A,B) ∧ Says Server A {Nonce Pk, Crypt (shrK A) {Nonce Pk, Agent B}} ∈ set evs" apply (erule rev_mp, erule srb.induct) apply parts_prepare apply (simp_all (no_asm_simp)) (*Fake*) apply spy_analz (*SR_U8*) apply force done lemma sesK_authentic: "[ Key (sesK(Nb,pairK(A,B))) ∈ parts (knows Spy evs); A ≠ Spy; B ≠ Spy; ¬illegalUse(Card A); ¬illegalUse(Card B); evs ∈ srb ] ==> Notes Spy {Key (sesK(Nb,pairK(A,B))), Nonce Nb, Agent A, Agent B} ∈ set evs" apply (erule rev_mp, erule srb.induct) apply parts_prepare apply (simp_all) (*fake*) apply spy_analz (*forge*) apply (fastforce dest: analz.Inj) (*SR_U7: used B\<noteq>Spy*) (*SR_U7F*) apply clarify (*SR_U10: used A\<noteq>Spy*) (*SR_U10F*) apply clarify done (*END authenticity theorems*) (*BEGIN confidentiality theorems*) lemma Confidentiality: "[ Notes Spy {Key (sesK(Nb,pairK(A,B))), Nonce Nb, Agent A, Agent B} ∉ set evs; A ≠ Spy; B ≠ Spy; ¬illegalUse(Card A); ¬illegalUse(Card B); evs ∈ srb ] ==> Key (sesK(Nb,pairK(A,B))) ∉ analz (knows Spy evs)" apply (blast intro: sesK_authentic) done lemma Confidentiality_B: "[ Outpts (Card B) B {Nonce Nb, Agent A, Key K, Cert1, Cert2} ∈ set evs; Notes Spy {Key K, Nonce Nb, Agent A, Agent B} ∉ set evs; A ≠ Spy; B ≠ Spy; ¬illegalUse(Card A); Card B ∉ cloned; evs ∈ srb ] ==> Key K ∉ analz (knows Spy evs)" apply (erule rev_mp, erule rev_mp, erule srb.induct) apply analz_prepare apply (simp_all add: analz_insert_eq analz_insert_freshK pushes split_ifs) (*Fake*) apply spy_analz (*Forge*) apply (rotate_tac 7) apply (drule parts.Inj) apply (fastforce dest: Outpts_B_Card_form_7) (*SR_U7*) apply (blast dest!: Outpts_B_Card_form_7) (*SR_U7F*) apply clarify apply (drule Outpts_parts_used) apply simp (*faster than apply (fastforce dest: Outpts_parts_used) *) (*SR_U10*) apply (fastforce dest: Outpts_B_Card_form_7) (*SR_U10F - uses assumption Card A not cloned*) apply clarify apply (drule Outpts_B_Card_form_7, assumption) apply simp (*Oops1*) apply (blast dest!: Outpts_B_Card_form_7) (*Oops2*) apply (blast dest!: Outpts_B_Card_form_7 Outpts_A_Card_form_10) done (*END confidentiality theorems*) (*BEGIN authentication theorems*) lemma A_authenticates_B: "[ Outpts (Card A) A {Agent B, Nonce Nb, Key K, Certificate} ∈ set evs; ¬illegalUse(Card B); evs ∈ srb ] ==> ∃ Na. Outpts (Card B) B {Nonce Nb, Agent A, Key K, Crypt (pairK(A,B)) {Nonce Na, Nonce Nb}, Crypt (pairK(A,B)) (Nonce Nb)} ∈ set evs" apply (blast dest: Na_Nb_certificate_authentic Outpts_A_Card_form_10 Outpts_A_Card_im done lemma A_authenticates_B_Gets: "[ Gets A {Nonce Nb, Crypt (pairK(A,B)) {Nonce Na, Nonce Nb}} ∈ set evs; ¬illegalUse(Card B); evs ∈ srb ] ==> Outpts (Card B) B {Nonce Nb, Agent A, Key (sesK(Nb, pairK (A, B))), Crypt (pairK(A,B)) {Nonce Na, Nonce Nb}, Crypt (pairK(A,B)) (Nonce Nb)} ∈ set evs" apply (blast dest: Gets_imp_knows_Spy [THEN parts.Inj, THEN parts.Snd, THEN Na_Nb_certifi done lemma A_authenticates_B_bis: "[ Outpts (Card A) A {Agent B, Nonce Nb, Key K, Cert2} ∈ set evs; ¬illegalUse(Card B); evs ∈ srb ] ==> ∃ Cert1. Outpts (Card B) B {Nonce Nb, Agent A, Key K, Cert1, Cert2} ∈ set evs" apply (blast dest: Na_Nb_certificate_authentic Outpts_A_Card_form_10 Outpts_A_Card_im done lemma B_authenticates_A: "[ Gets B (Crypt (pairK(A,B)) (Nonce Nb)) ∈ set evs; B ≠ Spy; ¬illegalUse(Card A); ¬illegalUse(Card B); evs ∈ srb ] ==> Outpts (Card A) A {Agent B, Nonce Nb, Key (sesK(Nb,pairK(A,B))), Crypt (pairK(A,B)) (Nonce Nb)} ∈ set evs" apply (erule rev_mp) apply (erule srb.induct) apply (simp_all (no_asm_simp)) apply (blast dest: Says_imp_knows_Spy [THEN parts.Inj] Nb_certificate_authentic) done lemma B_authenticates_A_bis: "[ Outpts (Card B) B {Nonce Nb, Agent A, Key K, Cert1, Cert2} ∈ set evs; Gets B (Cert2) ∈ set evs; B ≠ Spy; ¬illegalUse(Card A); ¬illegalUse(Card B); evs ∈ srb ] ==> Outpts (Card A) A {Agent B, Nonce Nb, Key K, Cert2} ∈ set evs" apply (blast dest: Outpts_B_Card_form_7 B_authenticates_A) done (*END authentication theorems*) lemma Confidentiality_A: "[ Outpts (Card A) A {Agent B, Nonce Nb, Key K, Certificate} ∈ set evs; Notes Spy {Key K, Nonce Nb, Agent A, Agent B} ∉ set evs; A ≠ Spy; B ≠ Spy; ¬illegalUse(Card A); ¬illegalUse(Card B); evs ∈ srb ] ==> Key K ∉ analz (knows Spy evs)" apply (drule A_authenticates_B) prefer 3 apply (erule exE) apply (drule Confidentiality_B) apply auto done lemma Outpts_imp_knows_agents_secureM_srb: "[ Outpts (Card A) A X ∈ set evs; evs ∈ srb ] ==> X ∈ knows A evs" apply (simp (no_asm_simp) add: Outpts_imp_knows_agents_secureM) done (*BEGIN key distribution theorems*) lemma A_keydist_to_B: "[ Outpts (Card A) A {Agent B, Nonce Nb, Key K, Certificate} ∈ set evs; ¬illegalUse(Card B); evs ∈ srb ] ==> Key K ∈ analz (knows B evs)" apply (drule A_authenticates_B) prefer 3 apply (erule exE) apply (rule Outpts_imp_knows_agents_secureM_srb [THEN analz.Inj, THEN analz.Snd, THEN an apply assumption+ done lemma B_keydist_to_A: "[ Outpts (Card B) B {Nonce Nb, Agent A, Key K, Cert1, Cert2} ∈ set evs; Gets B (Cert2) ∈ set evs; B ≠ Spy; ¬illegalUse(Card A); ¬illegalUse(Card B); evs ∈ srb ] ==> Key K ∈ analz (knows A evs)" apply (frule Outpts_B_Card_form_7) apply assumption apply simp apply (frule B_authenticates_A) apply (rule_tac [5] Outpts_imp_knows_agents_secureM_srb [THEN analz.Inj, THEN analz.Snd apply simp+ done (*END key distribution theorems*) (*BEGIN further theorems about authenticity of verifiers - useful to cards, and somewhat to agents *) (*MSG11 If B receives the verifier of msg11, then the verifier originated with msg7. This is clearly not available to B: B can't check the form of the verifier because he doesn't know *) lemma Nb_certificate_authentic_B: "[ Gets B (Crypt (pairK(A,B)) (Nonce Nb)) ∈ set evs; B ≠ Spy; ¬illegalUse(Card B); evs ∈ srb ] ==> ∃ Na. Outpts (Card B) B {Nonce Nb, Agent A, Key (sesK(Nb,pairK(A,B))), Crypt (pairK(A,B)) {Nonce Na, Nonce Nb}, Crypt (pairK(A,B)) (Nonce Nb)} ∈ set evs" apply (blast dest: Gets_imp_knows_Spy [THEN parts.Inj, THEN Nb_certificate_authentic_bi done (*MSG10 If A obtains the verifier of msg10, then the verifier originated with msg7: A_authenticates_B. It is useful to A, who can check the form of the verifier by application of Outpts_A_Card_form_10. *) (*MSG9 The first verifier verifies the Pairkey to the card: since it's encrypted under Ka, it must come from the server (if A's card is not cloned). The second verifier verifies both nonces, since it's encrypted under the pairK, it must originate with B's card (if A and B's cards not cloned). The third verifier verifies Na: since it's encrytped under the card's key, it originated with the card; so the card does not need to save Na in the first place and do a comparison now: it just verifies Na through the verifier. Three theorems related to these three statements. Recall that a card can check the form of the verifiers (can decrypt them), while an agent in general cannot, if not provided with a suitable theorem. *) (*Card A can't reckon the pairkey - we need to guarantee its integrity!*) lemma Pairkey_certificate_authentic_A_Card: "[ Inputs A (Card A) {Agent B, Nonce Na, Nonce Nb, Nonce Pk, Crypt (shrK A) {Nonce Pk, Agent B}, Cert2, Cert3} ∈ set evs; A ≠ Spy; Card A ∉ cloned; evs ∈ srb ] ==> Pk = Pairkey(A,B) ∧ Says Server A {Nonce (Pairkey(A,B)), Crypt (shrK A) {Nonce (Pairkey(A,B)), Agent B}} ∈ set evs " apply (blast dest: Inputs_A_Card_9 Gets_imp_knows_Spy [THEN parts.Inj, THEN parts.Snd] Pa done (*the second conjunct of the thesis might be regarded as a form of integrity in the sense of Neuman-Ts'o*) lemma Na_Nb_certificate_authentic_A_Card: "[ Inputs A (Card A) {Agent B, Nonce Na, Nonce Nb, Nonce Pk, Cert1, Crypt (pairK(A,B)) {Nonce Na, Nonce Nb}, Cert3} ∈ set evs; A ≠ Spy; ¬illegalUse(Card B); evs ∈ srb ] ==> Outpts (Card B) B {Nonce Nb, Agent A, Key (sesK(Nb, pairK (A, B))), Crypt (pairK(A,B)) {Nonce Na, Nonce Nb}, Crypt (pairK(A,B)) (Nonce Nb)} ∈ set evs " apply (frule Inputs_A_Card_9) apply assumption+ apply (blast dest: Inputs_A_Card_9 Gets_imp_knows_Spy [THEN parts.Inj, THEN parts.Snd, TH done lemma Na_authentic_A_Card: "[ Inputs A (Card A) {Agent B, Nonce Na, Nonce Nb, Nonce Pk, Cert1, Cert2, Cert3} ∈ set evs; A ≠ Spy; evs ∈ srb ] ==> Outpts (Card A) A {Nonce Na, Cert3} ∈ set evs" apply (blast dest: Inputs_A_Card_9) done (* These three theorems for Card A can be put together trivially. They are separated to highlight the different requirements on agents and their cards.*) lemma Inputs_A_Card_9_authentic: "[ Inputs A (Card A) {Agent B, Nonce Na, Nonce Nb, Nonce Pk, Crypt (shrK A) {Nonce Pk, Agent B}, Crypt (pairK(A,B)) {Nonce Na, Nonce Nb}, Cert3} ∈ set evs; A ≠ Spy; Card A ∉ cloned; ¬illegalUse(Card B); evs ∈ srb ] ==> Says Server A {Nonce Pk, Crypt (shrK A) {Nonce Pk, Agent B}} ∈ set evs ∧ Outpts (Card B) B {Nonce Nb, Agent A, Key (sesK(Nb, pairK (A, B))), Crypt (pairK(A,B)) {Nonce Na, Nonce Nb}, Crypt (pairK(A,B)) (Nonce Nb)} ∈ set evs ∧ Outpts (Card A) A {Nonce Na, Cert3} ∈ set evs" apply (blast dest: Inputs_A_Card_9 Na_Nb_certificate_authentic Gets_imp_knows_Spy [THE done (*MSG8 Nothing to prove because the message is a cleartext that comes from the network*) (*Other messages: nothing to prove because the verifiers involved are new*) (*END further theorems about authenticity of verifiers*) (* BEGIN trivial guarantees on outputs for agents *) (*MSG4*) lemma SR_U4_imp: "[ Outpts (Card A) A {Nonce Na, Crypt (crdK (Card A)) (Nonce Na)} ∈ set evs; A ≠ Spy; evs ∈ srb ] ==> ∃ Pk V. Gets A {Pk, V} ∈ set evs" apply (blast dest: Outpts_A_Card_4 Inputs_A_Card_3) done (*weak: could strengthen the model adding verifier for the Pairkey to msg3*) (*MSG7*) lemma SR_U7_imp: "[ Outpts (Card B) B {Nonce Nb, Agent A, Key K, Crypt (pairK(A,B)) {Nonce Na, Nonce Nb}, Cert2} ∈ set evs; B ≠ Spy; evs ∈ srb ] ==> Gets B {Agent A, Nonce Na} ∈ set evs" apply (blast dest: Outpts_B_Card_7 Inputs_B_Card_6) done (*MSG10*) lemma SR_U10_imp: "[ Outpts (Card A) A {Agent B, Nonce Nb, Key K, Crypt (pairK(A,B)) (Nonce Nb)} ∈ set evs; A ≠ Spy; evs ∈ srb ] ==> ∃ Cert1 Cert2. Gets A {Nonce (Pairkey (A, B)), Cert1} ∈ set evs ∧ Gets A {Nonce Nb, Cert2} ∈ set evs" apply (blast dest: Outpts_A_Card_10 Inputs_A_Card_9) done (*END trivial guarantees on outputs for agents*) (*INTEGRITY*) lemma Outpts_Server_not_evs: "evs ∈ srb ==> Outpts (Card Server) P X ∉ set evs" apply (erule srb.induct) apply auto done text‹term‹step2_integrity› also is a reliability theorem› lemma Says_Server_message_form: "[ Says Server A {Pk, Certificate} ∈ set evs; evs ∈ srb ] ==> ∃ B. Pk = Nonce (Pairkey(A,B)) ∧ Certificate = Crypt (shrK A) {Nonce (Pairkey(A,B)), Agent B}" apply (erule rev_mp) apply (erule srb.induct) apply auto apply (blast dest!: Outpts_Server_not_evs)+ done (*cannot be made useful to A in form of a Gets event*) text‹ step4integrity is term‹Outpts_A_Card_form_4› step7integrity is term‹Outpts_B_Card_form_7› › lemma step8_integrity: "[ Says B A {Nonce Nb, Certificate} ∈ set evs; B ≠ Server; B ≠ Spy; evs ∈ srb ] ==> ∃ Cert2 K. Outpts (Card B) B {Nonce Nb, Agent A, Key K, Certificate, Cert2} ∈ set evs" apply (erule rev_mp) apply (erule srb.induct) prefer 18 apply (fastforce dest: Outpts_A_Card_form_10) apply auto done text‹step9integrity is term‹Inputs_A_Card_form_9› step10integrity is term‹Outpts_A_Card_form_10›. › lemma step11_integrity: "[ Says A B (Certificate) ∈ set evs; ∀ p q. Certificate ≠ {p, q}; A ≠ Spy; evs ∈ srb ] ==> ∃ K Nb. Outpts (Card A) A {Agent B, Nonce Nb, Key K, Certificate} ∈ set evs" apply (erule rev_mp) apply (erule srb.induct) apply auto done end
¤ Dauer der Verarbeitung: 0.32 Sekunden (vorverarbeitet am 2026-06-10) ¤*© Formatika GbR, Deutschland |
|
||||||||||||||
2026-06-09