15 AddDs [Says_imp_knows_Spy RS parts.Inj, parts.Body]; |
15 AddDs [Says_imp_knows_Spy RS parts.Inj, parts.Body]; |
16 AddDs [impOfSubs analz_subset_parts, impOfSubs Fake_parts_insert]; |
16 AddDs [impOfSubs analz_subset_parts, impOfSubs Fake_parts_insert]; |
17 |
17 |
18 |
18 |
19 (*A "possibility property": there are traces that reach the end*) |
19 (*A "possibility property": there are traces that reach the end*) |
20 Goal "B ~= Server \ |
20 Goal "B \\<noteq> Server \ |
21 \ ==> \\<exists>K. \\<exists>NA. \\<exists>evs \\<in> otway. \ |
21 \ ==> \\<exists>K. \\<exists>NA. \\<exists>evs \\<in> otway. \ |
22 \ Says B A (Crypt (shrK A) {|Nonce NA, Agent A, Agent B, Key K|}) \ |
22 \ Says B A (Crypt (shrK A) {|Nonce NA, Agent A, Agent B, Key K|}) \ |
23 \ \\<in> set evs"; |
23 \ \\<in> set evs"; |
24 by (REPEAT (resolve_tac [exI,bexI] 1)); |
24 by (REPEAT (resolve_tac [exI,bexI] 1)); |
25 by (rtac (otway.Nil RS |
25 by (rtac (otway.Nil RS |
166 |
166 |
167 |
167 |
168 (**** Authenticity properties relating to NA ****) |
168 (**** Authenticity properties relating to NA ****) |
169 |
169 |
170 (*If the encrypted message appears then it originated with the Server!*) |
170 (*If the encrypted message appears then it originated with the Server!*) |
171 Goal "[| A \\<notin> bad; A ~= B; evs \\<in> otway |] \ |
171 Goal "[| A \\<notin> bad; A \\<noteq> B; evs \\<in> otway |] \ |
172 \ ==> Crypt (shrK A) {|NA, Agent A, Agent B, Key K|} \\<in> parts (knows Spy evs) \ |
172 \ ==> Crypt (shrK A) {|NA, Agent A, Agent B, Key K|} \\<in> parts (knows Spy evs) \ |
173 \ --> (\\<exists>NB. Says Server B \ |
173 \ --> (\\<exists>NB. Says Server B \ |
174 \ {|Crypt (shrK A) {|NA, Agent A, Agent B, Key K|}, \ |
174 \ {|Crypt (shrK A) {|NA, Agent A, Agent B, Key K|}, \ |
175 \ Crypt (shrK B) {|NB, Agent A, Agent B, Key K|}|} \ |
175 \ Crypt (shrK B) {|NB, Agent A, Agent B, Key K|}|} \ |
176 \ \\<in> set evs)"; |
176 \ \\<in> set evs)"; |
184 |
184 |
185 (*Corollary: if A receives B's OR4 message then it originated with the Server. |
185 (*Corollary: if A receives B's OR4 message then it originated with the Server. |
186 Freshness may be inferred from nonce NA.*) |
186 Freshness may be inferred from nonce NA.*) |
187 Goal "[| Gets A (Crypt (shrK A) {|NA, Agent A, Agent B, Key K|}) \ |
187 Goal "[| Gets A (Crypt (shrK A) {|NA, Agent A, Agent B, Key K|}) \ |
188 \ \\<in> set evs; \ |
188 \ \\<in> set evs; \ |
189 \ A \\<notin> bad; A ~= B; evs \\<in> otway |] \ |
189 \ A \\<notin> bad; A \\<noteq> B; evs \\<in> otway |] \ |
190 \ ==> \\<exists>NB. Says Server B \ |
190 \ ==> \\<exists>NB. Says Server B \ |
191 \ {|Crypt (shrK A) {|NA, Agent A, Agent B, Key K|}, \ |
191 \ {|Crypt (shrK A) {|NA, Agent A, Agent B, Key K|}, \ |
192 \ Crypt (shrK B) {|NB, Agent A, Agent B, Key K|}|} \ |
192 \ Crypt (shrK B) {|NB, Agent A, Agent B, Key K|}|} \ |
193 \ \\<in> set evs"; |
193 \ \\<in> set evs"; |
194 by (blast_tac (claset() addSIs [NA_Crypt_imp_Server_msg]) 1); |
194 by (blast_tac (claset() addSIs [NA_Crypt_imp_Server_msg]) 1); |
237 (*A's guarantee. The Oops premise quantifies over NB because A cannot know |
237 (*A's guarantee. The Oops premise quantifies over NB because A cannot know |
238 what it is.*) |
238 what it is.*) |
239 Goal "[| Gets A (Crypt (shrK A) {|NA, Agent A, Agent B, Key K|}) \ |
239 Goal "[| Gets A (Crypt (shrK A) {|NA, Agent A, Agent B, Key K|}) \ |
240 \ \\<in> set evs; \ |
240 \ \\<in> set evs; \ |
241 \ ALL NB. Notes Spy {|NA, NB, Key K|} \\<notin> set evs; \ |
241 \ ALL NB. Notes Spy {|NA, NB, Key K|} \\<notin> set evs; \ |
242 \ A \\<notin> bad; B \\<notin> bad; A ~= B; evs \\<in> otway |] \ |
242 \ A \\<notin> bad; B \\<notin> bad; A \\<noteq> B; evs \\<in> otway |] \ |
243 \ ==> Key K \\<notin> analz (knows Spy evs)"; |
243 \ ==> Key K \\<notin> analz (knows Spy evs)"; |
244 by (blast_tac (claset() addSDs [A_trusts_OR4, Spy_not_see_encrypted_key]) 1); |
244 by (blast_tac (claset() addSDs [A_trusts_OR4, Spy_not_see_encrypted_key]) 1); |
245 qed "A_gets_good_key"; |
245 qed "A_gets_good_key"; |
246 |
246 |
247 |
247 |
248 (**** Authenticity properties relating to NB ****) |
248 (**** Authenticity properties relating to NB ****) |
249 |
249 |
250 (*If the encrypted message appears then it originated with the Server!*) |
250 (*If the encrypted message appears then it originated with the Server!*) |
251 Goal "[| B \\<notin> bad; A ~= B; evs \\<in> otway |] \ |
251 Goal "[| B \\<notin> bad; A \\<noteq> B; evs \\<in> otway |] \ |
252 \ ==> Crypt (shrK B) {|NB, Agent A, Agent B, Key K|} \\<in> parts (knows Spy evs) \ |
252 \ ==> Crypt (shrK B) {|NB, Agent A, Agent B, Key K|} \\<in> parts (knows Spy evs) \ |
253 \ --> (\\<exists>NA. Says Server B \ |
253 \ --> (\\<exists>NA. Says Server B \ |
254 \ {|Crypt (shrK A) {|NA, Agent A, Agent B, Key K|}, \ |
254 \ {|Crypt (shrK A) {|NA, Agent A, Agent B, Key K|}, \ |
255 \ Crypt (shrK B) {|NB, Agent A, Agent B, Key K|}|} \ |
255 \ Crypt (shrK B) {|NB, Agent A, Agent B, Key K|}|} \ |
256 \ \\<in> set evs)"; |
256 \ \\<in> set evs)"; |
264 |
264 |
265 (*Guarantee for B: if it gets a well-formed certificate then the Server |
265 (*Guarantee for B: if it gets a well-formed certificate then the Server |
266 has sent the correct message in round 3.*) |
266 has sent the correct message in round 3.*) |
267 Goal "[| Gets B {|X, Crypt (shrK B) {|NB, Agent A, Agent B, Key K|}|} \ |
267 Goal "[| Gets B {|X, Crypt (shrK B) {|NB, Agent A, Agent B, Key K|}|} \ |
268 \ \\<in> set evs; \ |
268 \ \\<in> set evs; \ |
269 \ B \\<notin> bad; A ~= B; evs \\<in> otway |] \ |
269 \ B \\<notin> bad; A \\<noteq> B; evs \\<in> otway |] \ |
270 \ ==> \\<exists>NA. Says Server B \ |
270 \ ==> \\<exists>NA. Says Server B \ |
271 \ {|Crypt (shrK A) {|NA, Agent A, Agent B, Key K|}, \ |
271 \ {|Crypt (shrK A) {|NA, Agent A, Agent B, Key K|}, \ |
272 \ Crypt (shrK B) {|NB, Agent A, Agent B, Key K|}|} \ |
272 \ Crypt (shrK B) {|NB, Agent A, Agent B, Key K|}|} \ |
273 \ \\<in> set evs"; |
273 \ \\<in> set evs"; |
274 by (blast_tac (claset() addSIs [NB_Crypt_imp_Server_msg]) 1); |
274 by (blast_tac (claset() addSIs [NB_Crypt_imp_Server_msg]) 1); |
277 |
277 |
278 (*The obvious combination of B_trusts_OR3 with Spy_not_see_encrypted_key*) |
278 (*The obvious combination of B_trusts_OR3 with Spy_not_see_encrypted_key*) |
279 Goal "[| Gets B {|X, Crypt (shrK B) {|NB, Agent A, Agent B, Key K|}|} \ |
279 Goal "[| Gets B {|X, Crypt (shrK B) {|NB, Agent A, Agent B, Key K|}|} \ |
280 \ \\<in> set evs; \ |
280 \ \\<in> set evs; \ |
281 \ ALL NA. Notes Spy {|NA, NB, Key K|} \\<notin> set evs; \ |
281 \ ALL NA. Notes Spy {|NA, NB, Key K|} \\<notin> set evs; \ |
282 \ A \\<notin> bad; B \\<notin> bad; A ~= B; evs \\<in> otway |] \ |
282 \ A \\<notin> bad; B \\<notin> bad; A \\<noteq> B; evs \\<in> otway |] \ |
283 \ ==> Key K \\<notin> analz (knows Spy evs)"; |
283 \ ==> Key K \\<notin> analz (knows Spy evs)"; |
284 by (blast_tac (claset() addDs [B_trusts_OR3, Spy_not_see_encrypted_key]) 1); |
284 by (blast_tac (claset() addDs [B_trusts_OR3, Spy_not_see_encrypted_key]) 1); |
285 qed "B_gets_good_key"; |
285 qed "B_gets_good_key"; |