1.1 --- a/src/HOL/Auth/KerberosIV.ML Tue Feb 27 12:28:42 2001 +0100
1.2 +++ b/src/HOL/Auth/KerberosIV.ML Tue Feb 27 16:13:23 2001 +0100
1.3 @@ -63,8 +63,8 @@
1.4 qed "AuthKeys_empty";
1.5
1.6 Goalw [AuthKeys_def]
1.7 - "(ALL A Tk akey Peer. \
1.8 -\ ev ~= Says Kas A (Crypt (shrK A) {|akey, Agent Peer, Tk, \
1.9 + "(\\<forall>A Tk akey Peer. \
1.10 +\ ev \\<noteq> Says Kas A (Crypt (shrK A) {|akey, Agent Peer, Tk, \
1.11 \ (Crypt (shrK Peer) {|Agent A, Agent Peer, akey, Tk|})|}))\
1.12 \ ==> AuthKeys (ev # evs) = AuthKeys evs";
1.13 by Auto_tac;
1.14 @@ -79,21 +79,21 @@
1.15 qed "AuthKeys_insert";
1.16
1.17 Goalw [AuthKeys_def]
1.18 - "K : AuthKeys \
1.19 + "K \\<in> AuthKeys \
1.20 \ (Says Kas A (Crypt (shrK A) {|Key K', Agent Peer, Number Tk, \
1.21 \ (Crypt (shrK Peer) {|Agent A, Agent Peer, Key K', Number Tk|})|}) # evs) \
1.22 -\ ==> K = K' | K : AuthKeys evs";
1.23 +\ ==> K = K' | K \\<in> AuthKeys evs";
1.24 by Auto_tac;
1.25 qed "AuthKeys_simp";
1.26
1.27 Goalw [AuthKeys_def]
1.28 "Says Kas A (Crypt (shrK A) {|Key K, Agent Tgs, Number Tk, \
1.29 -\ (Crypt (shrK Tgs) {|Agent A, Agent Tgs, Key K, Number Tk|})|}) : set evs \
1.30 -\ ==> K : AuthKeys evs";
1.31 +\ (Crypt (shrK Tgs) {|Agent A, Agent Tgs, Key K, Number Tk|})|}) \\<in> set evs \
1.32 +\ ==> K \\<in> AuthKeys evs";
1.33 by Auto_tac;
1.34 qed "AuthKeysI";
1.35
1.36 -Goalw [AuthKeys_def] "K : AuthKeys evs ==> Key K : used evs";
1.37 +Goalw [AuthKeys_def] "K \\<in> AuthKeys evs ==> Key K \\<in> used evs";
1.38 by (Simp_tac 1);
1.39 by (blast_tac (claset() addSEs spies_partsEs) 1);
1.40 qed "AuthKeys_used";
1.41 @@ -103,18 +103,18 @@
1.42
1.43 (*--For reasoning about the encrypted portion of message K3--*)
1.44 Goal "Says Kas' A (Crypt KeyA {|AuthKey, Peer, Tk, AuthTicket|}) \
1.45 -\ : set evs ==> AuthTicket : parts (spies evs)";
1.46 +\ \\<in> set evs ==> AuthTicket \\<in> parts (spies evs)";
1.47 by (blast_tac (claset() addSEs spies_partsEs) 1);
1.48 qed "K3_msg_in_parts_spies";
1.49
1.50 Goal "Says Kas A (Crypt KeyA {|AuthKey, Peer, Tk, AuthTicket|}) \
1.51 -\ : set evs ==> AuthKey : parts (spies evs)";
1.52 +\ \\<in> set evs ==> AuthKey \\<in> parts (spies evs)";
1.53 by (blast_tac (claset() addSEs spies_partsEs) 1);
1.54 qed "Oops_parts_spies1";
1.55
1.56 Goal "[| Says Kas A (Crypt KeyA {|Key AuthKey, Peer, Tk, AuthTicket|}) \
1.57 -\ : set evs ;\
1.58 -\ evs : kerberos |] ==> AuthKey ~: range shrK";
1.59 +\ \\<in> set evs ;\
1.60 +\ evs \\<in> kerberos |] ==> AuthKey \\<notin> range shrK";
1.61 by (etac rev_mp 1);
1.62 by (etac kerberos.induct 1);
1.63 by Auto_tac;
1.64 @@ -122,25 +122,25 @@
1.65
1.66 (*--For reasoning about the encrypted portion of message K5--*)
1.67 Goal "Says Tgs' A (Crypt AuthKey {|ServKey, Agent B, Tt, ServTicket|})\
1.68 - \ : set evs ==> ServTicket : parts (spies evs)";
1.69 + \ \\<in> set evs ==> ServTicket \\<in> parts (spies evs)";
1.70 by (blast_tac (claset() addSEs spies_partsEs) 1);
1.71 qed "K5_msg_in_parts_spies";
1.72
1.73 Goal "Says Tgs A (Crypt AuthKey {|ServKey, Agent B, Tt, ServTicket|})\
1.74 -\ : set evs ==> ServKey : parts (spies evs)";
1.75 +\ \\<in> set evs ==> ServKey \\<in> parts (spies evs)";
1.76 by (blast_tac (claset() addSEs spies_partsEs) 1);
1.77 qed "Oops_parts_spies2";
1.78
1.79 Goal "[| Says Tgs A (Crypt AuthKey {|Key ServKey, Agent B, Tt, ServTicket|}) \
1.80 -\ : set evs ;\
1.81 -\ evs : kerberos |] ==> ServKey ~: range shrK";
1.82 +\ \\<in> set evs ;\
1.83 +\ evs \\<in> kerberos |] ==> ServKey \\<notin> range shrK";
1.84 by (etac rev_mp 1);
1.85 by (etac kerberos.induct 1);
1.86 by Auto_tac;
1.87 qed "Oops_range_spies2";
1.88
1.89 -Goal "Says S A (Crypt K {|SesKey, B, TimeStamp, Ticket|}) : set evs \
1.90 -\ ==> Ticket : parts (spies evs)";
1.91 +Goal "Says S A (Crypt K {|SesKey, B, TimeStamp, Ticket|}) \\<in> set evs \
1.92 +\ ==> Ticket \\<in> parts (spies evs)";
1.93 by (blast_tac (claset() addSEs spies_partsEs) 1);
1.94 qed "Says_ticket_in_parts_spies";
1.95 (*Replaces both K3_msg_in_parts_spies and K5_msg_in_parts_spies*)
1.96 @@ -156,44 +156,41 @@
1.97
1.98
1.99 (*Spy never sees another agent's shared key! (unless it's lost at start)*)
1.100 -Goal "evs : kerberos ==> (Key (shrK A) : parts (spies evs)) = (A : bad)";
1.101 +Goal "evs \\<in> kerberos ==> (Key (shrK A) \\<in> parts (spies evs)) = (A \\<in> bad)";
1.102 by (parts_induct_tac 1);
1.103 by (Fake_parts_insert_tac 1);
1.104 by (ALLGOALS Blast_tac);
1.105 qed "Spy_see_shrK";
1.106 Addsimps [Spy_see_shrK];
1.107
1.108 -Goal "evs : kerberos ==> (Key (shrK A) : analz (spies evs)) = (A : bad)";
1.109 +Goal "evs \\<in> kerberos ==> (Key (shrK A) \\<in> analz (spies evs)) = (A \\<in> bad)";
1.110 by (auto_tac (claset() addDs [impOfSubs analz_subset_parts], simpset()));
1.111 qed "Spy_analz_shrK";
1.112 Addsimps [Spy_analz_shrK];
1.113
1.114 -Goal "[| Key (shrK A) : parts (spies evs); evs : kerberos |] ==> A:bad";
1.115 +Goal "[| Key (shrK A) \\<in> parts (spies evs); evs \\<in> kerberos |] ==> A:bad";
1.116 by (blast_tac (claset() addDs [Spy_see_shrK]) 1);
1.117 qed "Spy_see_shrK_D";
1.118 bind_thm ("Spy_analz_shrK_D", analz_subset_parts RS subsetD RS Spy_see_shrK_D);
1.119 AddSDs [Spy_see_shrK_D, Spy_analz_shrK_D];
1.120
1.121 (*Nobody can have used non-existent keys!*)
1.122 -Goal "evs : kerberos ==> \
1.123 -\ Key K ~: used evs --> K ~: keysFor (parts (spies evs))";
1.124 +Goal "evs \\<in> kerberos ==> \
1.125 +\ Key K \\<notin> used evs --> K \\<notin> keysFor (parts (spies evs))";
1.126 by (parts_induct_tac 1);
1.127 (*Fake*)
1.128 -by (best_tac
1.129 - (claset() addSDs [impOfSubs (parts_insert_subset_Un RS keysFor_mono)]
1.130 - addIs [impOfSubs analz_subset_parts]
1.131 - addDs [impOfSubs (analz_subset_parts RS keysFor_mono)]
1.132 - addss (simpset())) 1);
1.133 +by (blast_tac (claset() addSDs [keysFor_parts_insert]) 1);
1.134 (*Others*)
1.135 by (ALLGOALS (blast_tac (claset() addSEs spies_partsEs)));
1.136 qed_spec_mp "new_keys_not_used";
1.137 +Addsimps [new_keys_not_used];
1.138
1.139 +(*Earlier, \\<forall>protocol proofs declared this theorem.
1.140 + But Yahalom and Kerberos IV are the only ones that need it!*)
1.141 bind_thm ("new_keys_not_analzd",
1.142 [analz_subset_parts RS keysFor_mono,
1.143 new_keys_not_used] MRS contra_subsetD);
1.144
1.145 -Addsimps [new_keys_not_used, new_keys_not_analzd];
1.146 -
1.147
1.148 (*********************** REGULARITY LEMMAS ***********************)
1.149 (* concerning the form of items passed in messages *)
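Review bot: The added comment above `bind_thm ("new_keys_not_analzd", ...)` opens with `(*Earlier, \\<forall>protocol proofs declared this theorem.`, which looks like the ASCII-to-symbol substitution also caught an English word; it should read `(*Earlier, all protocol proofs declared this theorem.`. The conversion is also incomplete: `Spy_see_shrK_D` still concludes `==> A:bad` in this hunk, and `K:KK` survives twice in the `Key_analz_image_Key_lemma` goal in the @@ -572,29 +569,29 @@ hunk, where `A \\<in> bad` and `K \\<in> KK` would match the rest of the file. Since `new_keys_not_analzd` is dropped from `Addsimps` here, the comment could also say that proofs needing it must now pass it through `addsimps` explicitly.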
1.150 @@ -201,9 +198,9 @@
1.151
1.152 (*Describes the form of AuthKey, AuthTicket, and K sent by Kas*)
1.153 Goal "[| Says Kas A (Crypt K {|Key AuthKey, Agent Peer, Tk, AuthTicket|}) \
1.154 -\ : set evs; \
1.155 -\ evs : kerberos |] \
1.156 -\ ==> AuthKey ~: range shrK & AuthKey : AuthKeys evs & \
1.157 +\ \\<in> set evs; \
1.158 +\ evs \\<in> kerberos |] \
1.159 +\ ==> AuthKey \\<notin> range shrK & AuthKey \\<in> AuthKeys evs & \
1.160 \ AuthTicket = (Crypt (shrK Tgs) {|Agent A, Agent Tgs, Key AuthKey, Tk|} ) &\
1.161 \ K = shrK A & Peer = Tgs";
1.162 by (etac rev_mp 1);
1.163 @@ -221,20 +218,20 @@
1.164 Generalised to any session keys (both AuthKey and ServKey).
1.165 *)
1.166 Goal "[| Crypt (shrK Tgs_B) {|Agent A, Agent Tgs_B, Key SesKey, Number T|}\
1.167 -\ : parts (spies evs); Tgs_B ~: bad;\
1.168 -\ evs : kerberos |] \
1.169 -\ ==> SesKey ~: range shrK";
1.170 +\ \\<in> parts (spies evs); Tgs_B \\<notin> bad;\
1.171 +\ evs \\<in> kerberos |] \
1.172 +\ ==> SesKey \\<notin> range shrK";
1.173 by (etac rev_mp 1);
1.174 by (parts_induct_tac 1);
1.175 by (Fake_parts_insert_tac 1);
1.176 qed "SesKey_is_session_key";
1.177
1.178 Goal "[| Crypt (shrK Tgs) {|Agent A, Agent Tgs, Key AuthKey, Tk|} \
1.179 -\ : parts (spies evs); \
1.180 -\ evs : kerberos |] \
1.181 +\ \\<in> parts (spies evs); \
1.182 +\ evs \\<in> kerberos |] \
1.183 \ ==> Says Kas A (Crypt (shrK A) {|Key AuthKey, Agent Tgs, Tk, \
1.184 \ Crypt (shrK Tgs) {|Agent A, Agent Tgs, Key AuthKey, Tk|}|}) \
1.185 -\ : set evs";
1.186 +\ \\<in> set evs";
1.187 by (etac rev_mp 1);
1.188 by (parts_induct_tac 1);
1.189 (*Fake*)
1.190 @@ -244,9 +241,9 @@
1.191 qed "A_trusts_AuthTicket";
1.192
1.193 Goal "[| Crypt (shrK Tgs) {|Agent A, Agent Tgs, Key AuthKey, Number Tk|}\
1.194 -\ : parts (spies evs);\
1.195 -\ evs : kerberos |] \
1.196 -\ ==> AuthKey : AuthKeys evs";
1.197 +\ \\<in> parts (spies evs);\
1.198 +\ evs \\<in> kerberos |] \
1.199 +\ ==> AuthKey \\<in> AuthKeys evs";
1.200 by (ftac A_trusts_AuthTicket 1);
1.201 by (assume_tac 1);
1.202 by (simp_tac (simpset() addsimps [AuthKeys_def]) 1);
1.203 @@ -255,11 +252,11 @@
1.204
1.205 (*Describes the form of ServKey, ServTicket and AuthKey sent by Tgs*)
1.206 Goal "[| Says Tgs A (Crypt AuthKey {|Key ServKey, Agent B, Tt, ServTicket|})\
1.207 -\ : set evs; \
1.208 -\ evs : kerberos |] \
1.209 -\ ==> B ~= Tgs & ServKey ~: range shrK & ServKey ~: AuthKeys evs &\
1.210 +\ \\<in> set evs; \
1.211 +\ evs \\<in> kerberos |] \
1.212 +\ ==> B \\<noteq> Tgs & ServKey \\<notin> range shrK & ServKey \\<notin> AuthKeys evs &\
1.213 \ ServTicket = (Crypt (shrK B) {|Agent A, Agent B, Key ServKey, Tt|} ) & \
1.214 -\ AuthKey ~: range shrK & AuthKey : AuthKeys evs";
1.215 +\ AuthKey \\<notin> range shrK & AuthKey \\<in> AuthKeys evs";
1.216 by (etac rev_mp 1);
1.217 by (etac kerberos.induct 1);
1.218 by (ALLGOALS
1.219 @@ -277,10 +274,10 @@
1.220
1.221 (*If a certain encrypted message appears then it originated with Kas*)
1.222 Goal "[| Crypt (shrK A) {|Key AuthKey, Peer, Tk, AuthTicket|} \
1.223 -\ : parts (spies evs); \
1.224 -\ A ~: bad; evs : kerberos |] \
1.225 +\ \\<in> parts (spies evs); \
1.226 +\ A \\<notin> bad; evs \\<in> kerberos |] \
1.227 \ ==> Says Kas A (Crypt (shrK A) {|Key AuthKey, Peer, Tk, AuthTicket|}) \
1.228 -\ : set evs";
1.229 +\ \\<in> set evs";
1.230 by (etac rev_mp 1);
1.231 by (parts_induct_tac 1);
1.232 (*Fake*)
1.233 @@ -294,12 +291,12 @@
1.234
1.235 (*If a certain encrypted message appears then it originated with Tgs*)
1.236 Goal "[| Crypt AuthKey {|Key ServKey, Agent B, Tt, ServTicket|} \
1.237 -\ : parts (spies evs); \
1.238 -\ Key AuthKey ~: analz (spies evs); \
1.239 -\ AuthKey ~: range shrK; \
1.240 -\ evs : kerberos |] \
1.241 -\==> EX A. Says Tgs A (Crypt AuthKey {|Key ServKey, Agent B, Tt, ServTicket|})\
1.242 -\ : set evs";
1.243 +\ \\<in> parts (spies evs); \
1.244 +\ Key AuthKey \\<notin> analz (spies evs); \
1.245 +\ AuthKey \\<notin> range shrK; \
1.246 +\ evs \\<in> kerberos |] \
1.247 +\==> \\<exists>A. Says Tgs A (Crypt AuthKey {|Key ServKey, Agent B, Tt, ServTicket|})\
1.248 +\ \\<in> set evs";
1.249 by (etac rev_mp 1);
1.250 by (etac rev_mp 1);
1.251 by (parts_induct_tac 1);
1.252 @@ -312,10 +309,10 @@
1.253 qed "A_trusts_K4";
1.254
1.255 Goal "[| Crypt (shrK A) {|Key AuthKey, Agent Tgs, Tk, AuthTicket|} \
1.256 -\ : parts (spies evs); \
1.257 -\ A ~: bad; \
1.258 -\ evs : kerberos |] \
1.259 -\ ==> AuthKey ~: range shrK & \
1.260 +\ \\<in> parts (spies evs); \
1.261 +\ A \\<notin> bad; \
1.262 +\ evs \\<in> kerberos |] \
1.263 +\ ==> AuthKey \\<notin> range shrK & \
1.264 \ AuthTicket = Crypt (shrK Tgs) {|Agent A, Agent Tgs, Key AuthKey, Tk|}";
1.265 by (etac rev_mp 1);
1.266 by (parts_induct_tac 1);
1.267 @@ -325,11 +322,11 @@
1.268
1.269 (* This form holds also over an AuthTicket, but is not needed below. *)
1.270 Goal "[| Crypt AuthKey {|Key ServKey, Agent B, Tt, ServTicket|} \
1.271 -\ : parts (spies evs); \
1.272 -\ Key AuthKey ~: analz (spies evs); \
1.273 -\ evs : kerberos |] \
1.274 -\ ==> ServKey ~: range shrK & \
1.275 -\ (EX A. ServTicket = Crypt (shrK B) {|Agent A, Agent B, Key ServKey, Tt|})";
1.276 +\ \\<in> parts (spies evs); \
1.277 +\ Key AuthKey \\<notin> analz (spies evs); \
1.278 +\ evs \\<in> kerberos |] \
1.279 +\ ==> ServKey \\<notin> range shrK & \
1.280 +\ (\\<exists>A. ServTicket = Crypt (shrK B) {|Agent A, Agent B, Key ServKey, Tt|})";
1.281 by (etac rev_mp 1);
1.282 by (etac rev_mp 1);
1.283 by (parts_induct_tac 1);
1.284 @@ -337,13 +334,13 @@
1.285 qed "ServTicket_form";
1.286
1.287 Goal "[| Says Kas' A (Crypt (shrK A) \
1.288 -\ {|Key AuthKey, Agent Tgs, Tk, AuthTicket|} ) : set evs; \
1.289 -\ evs : kerberos |] \
1.290 -\ ==> AuthKey ~: range shrK & \
1.291 +\ {|Key AuthKey, Agent Tgs, Tk, AuthTicket|} ) \\<in> set evs; \
1.292 +\ evs \\<in> kerberos |] \
1.293 +\ ==> AuthKey \\<notin> range shrK & \
1.294 \ AuthTicket = \
1.295 \ Crypt (shrK Tgs) {|Agent A, Agent Tgs, Key AuthKey, Tk|}\
1.296 -\ | AuthTicket : analz (spies evs)";
1.297 -by (case_tac "A : bad" 1);
1.298 +\ | AuthTicket \\<in> analz (spies evs)";
1.299 +by (case_tac "A \\<in> bad" 1);
1.300 by (force_tac (claset() addSDs [Says_imp_spies RS analz.Inj], simpset()) 1);
1.301 by (forward_tac [Says_imp_spies RS parts.Inj] 1);
1.302 by (blast_tac (claset() addSDs [AuthTicket_form]) 1);
1.303 @@ -351,13 +348,13 @@
1.304 (* Essentially the same as AuthTicket_form *)
1.305
1.306 Goal "[| Says Tgs' A (Crypt AuthKey \
1.307 -\ {|Key ServKey, Agent B, Tt, ServTicket|} ) : set evs; \
1.308 -\ evs : kerberos |] \
1.309 -\ ==> ServKey ~: range shrK & \
1.310 -\ (EX A. ServTicket = \
1.311 +\ {|Key ServKey, Agent B, Tt, ServTicket|} ) \\<in> set evs; \
1.312 +\ evs \\<in> kerberos |] \
1.313 +\ ==> ServKey \\<notin> range shrK & \
1.314 +\ (\\<exists>A. ServTicket = \
1.315 \ Crypt (shrK B) {|Agent A, Agent B, Key ServKey, Tt|}) \
1.316 -\ | ServTicket : analz (spies evs)";
1.317 -by (case_tac "Key AuthKey : analz (spies evs)" 1);
1.318 +\ | ServTicket \\<in> analz (spies evs)";
1.319 +by (case_tac "Key AuthKey \\<in> analz (spies evs)" 1);
1.320 by (blast_tac (claset() addDs [Says_imp_spies RS analz.Inj]) 1);
1.321 by (forward_tac [Says_imp_spies RS parts.Inj] 1);
1.322 by (blast_tac (claset() addSDs [ServTicket_form]) 1);
1.323 @@ -372,10 +369,10 @@
1.324 also Tgs in the place of B. *)
1.325
1.326 Goal "[| Crypt (shrK B) {|Agent A, Agent B, Key SesKey, T|} \
1.327 -\ : parts (spies evs); \
1.328 +\ \\<in> parts (spies evs); \
1.329 \ Crypt (shrK B') {|Agent A', Agent B', Key SesKey, T'|} \
1.330 -\ : parts (spies evs); Key SesKey ~: analz (spies evs); \
1.331 -\ evs : kerberos |] \
1.332 +\ \\<in> parts (spies evs); Key SesKey \\<notin> analz (spies evs); \
1.333 +\ evs \\<in> kerberos |] \
1.334 \ ==> A=A' & B=B' & T=T'";
1.335 by (etac rev_mp 1);
1.336 by (etac rev_mp 1);
1.337 @@ -390,10 +387,10 @@
1.338 A ServKey is encrypted by one and only one AuthKey.
1.339 *)
1.340 Goal "[| Crypt K {|Key SesKey, Agent B, T, Ticket|} \
1.341 -\ : parts (spies evs); \
1.342 +\ \\<in> parts (spies evs); \
1.343 \ Crypt K' {|Key SesKey, Agent B', T', Ticket'|} \
1.344 -\ : parts (spies evs); Key SesKey ~: analz (spies evs); \
1.345 -\ evs : kerberos |] \
1.346 +\ \\<in> parts (spies evs); Key SesKey \\<notin> analz (spies evs); \
1.347 +\ evs \\<in> kerberos |] \
1.348 \ ==> K=K' & B=B' & T=T' & Ticket=Ticket'";
1.349 by (etac rev_mp 1);
1.350 by (etac rev_mp 1);
1.351 @@ -414,20 +411,20 @@
1.352
1.353 Therefore, a goal like
1.354
1.355 - "evs : kerberos \
1.356 - \ ==> Key Kc ~: analz (spies evs) --> \
1.357 - \ (EX K' B' T' Ticket'. ALL K B T Ticket. \
1.358 + "evs \\<in> kerberos \
1.359 + \ ==> Key Kc \\<notin> analz (spies evs) --> \
1.360 + \ (\\<exists>K' B' T' Ticket'. \\<forall>K B T Ticket. \
1.361 \ Crypt Kc {|Key K, Agent B, T, Ticket|} \
1.362 - \ : parts (spies evs) --> K=K' & B=B' & T=T' & Ticket=Ticket')";
1.363 + \ \\<in> parts (spies evs) --> K=K' & B=B' & T=T' & Ticket=Ticket')";
1.364
1.365 would fail on the K2 and K4 cases.
1.366 *)
1.367
1.368 Goal "[| Says Kas A \
1.369 -\ (Crypt Ka {|Key AuthKey, Agent Tgs, Tk, X|}) : set evs; \
1.370 +\ (Crypt Ka {|Key AuthKey, Agent Tgs, Tk, X|}) \\<in> set evs; \
1.371 \ Says Kas A' \
1.372 -\ (Crypt Ka' {|Key AuthKey, Agent Tgs, Tk', X'|}) : set evs; \
1.373 -\ evs : kerberos |] ==> A=A' & Ka=Ka' & Tk=Tk' & X=X'";
1.374 +\ (Crypt Ka' {|Key AuthKey, Agent Tgs, Tk', X'|}) \\<in> set evs; \
1.375 +\ evs \\<in> kerberos |] ==> A=A' & Ka=Ka' & Tk=Tk' & X=X'";
1.376 by (etac rev_mp 1);
1.377 by (etac rev_mp 1);
1.378 by (parts_induct_tac 1);
1.379 @@ -437,10 +434,10 @@
1.380
1.381 (* ServKey uniquely identifies the message from Tgs *)
1.382 Goal "[| Says Tgs A \
1.383 -\ (Crypt K {|Key ServKey, Agent B, Tt, X|}) : set evs; \
1.384 +\ (Crypt K {|Key ServKey, Agent B, Tt, X|}) \\<in> set evs; \
1.385 \ Says Tgs A' \
1.386 -\ (Crypt K' {|Key ServKey, Agent B', Tt', X'|}) : set evs; \
1.387 -\ evs : kerberos |] ==> A=A' & B=B' & K=K' & Tt=Tt' & X=X'";
1.388 +\ (Crypt K' {|Key ServKey, Agent B', Tt', X'|}) \\<in> set evs; \
1.389 +\ evs \\<in> kerberos |] ==> A=A' & B=B' & K=K' & Tt=Tt' & X=X'";
1.390 by (etac rev_mp 1);
1.391 by (etac rev_mp 1);
1.392 by (parts_induct_tac 1);
1.393 @@ -458,8 +455,8 @@
1.394
1.395 Goalw [KeyCryptKey_def]
1.396 "[| Says Tgs A (Crypt AuthKey {|Key ServKey, Agent B, tt, X |}) \
1.397 -\ : set evs; \
1.398 -\ evs : kerberos |] ==> KeyCryptKey AuthKey ServKey evs";
1.399 +\ \\<in> set evs; \
1.400 +\ evs \\<in> kerberos |] ==> KeyCryptKey AuthKey ServKey evs";
1.401 by (ftac Says_Tgs_message_form 1);
1.402 by (assume_tac 1);
1.403 by (Blast_tac 1);
1.404 @@ -468,7 +465,7 @@
1.405 Goalw [KeyCryptKey_def]
1.406 "KeyCryptKey AuthKey ServKey (Says S A X # evs) = \
1.407 \ (Tgs = S & \
1.408 -\ (EX B tt. X = Crypt AuthKey \
1.409 +\ (\\<exists>B tt. X = Crypt AuthKey \
1.410 \ {|Key ServKey, Agent B, tt, \
1.411 \ Crypt (shrK B) {|Agent A, Agent B, Key ServKey, tt|} |}) \
1.412 \ | KeyCryptKey AuthKey ServKey evs)";
1.413 @@ -480,7 +477,7 @@
1.414 (*A fresh AuthKey cannot be associated with any other
1.415 (with respect to a given trace). *)
1.416 Goalw [KeyCryptKey_def]
1.417 - "[| Key AuthKey ~: used evs; evs : kerberos |] \
1.418 + "[| Key AuthKey \\<notin> used evs; evs \\<in> kerberos |] \
1.419 \ ==> ~ KeyCryptKey AuthKey ServKey evs";
1.420 by (etac rev_mp 1);
1.421 by (parts_induct_tac 1);
1.422 @@ -491,13 +488,13 @@
1.423 (*A fresh ServKey cannot be associated with any other
1.424 (with respect to a given trace). *)
1.425 Goalw [KeyCryptKey_def]
1.426 - "Key ServKey ~: used evs ==> ~ KeyCryptKey AuthKey ServKey evs";
1.427 + "Key ServKey \\<notin> used evs ==> ~ KeyCryptKey AuthKey ServKey evs";
1.428 by (blast_tac (claset() addSEs spies_partsEs) 1);
1.429 qed "Serv_fresh_not_KeyCryptKey";
1.430
1.431 Goalw [KeyCryptKey_def]
1.432 "[| Crypt (shrK Tgs) {|Agent A, Agent Tgs, Key AuthKey, tk|}\
1.433 -\ : parts (spies evs); evs : kerberos |] \
1.434 +\ \\<in> parts (spies evs); evs \\<in> kerberos |] \
1.435 \ ==> ~ KeyCryptKey K AuthKey evs";
1.436 by (etac rev_mp 1);
1.437 by (parts_induct_tac 1);
1.438 @@ -511,9 +508,9 @@
1.439 (*A secure serverkey cannot have been used to encrypt others*)
1.440 Goalw [KeyCryptKey_def]
1.441 "[| Crypt (shrK B) {|Agent A, Agent B, Key ServKey, tt|} \
1.442 -\ : parts (spies evs); \
1.443 -\ Key ServKey ~: analz (spies evs); \
1.444 -\ B ~= Tgs; evs : kerberos |] \
1.445 +\ \\<in> parts (spies evs); \
1.446 +\ Key ServKey \\<notin> analz (spies evs); \
1.447 +\ B \\<noteq> Tgs; evs \\<in> kerberos |] \
1.448 \ ==> ~ KeyCryptKey ServKey K evs";
1.449 by (etac rev_mp 1);
1.450 by (etac rev_mp 1);
1.451 @@ -536,7 +533,7 @@
1.452
1.453 (*Long term keys are not issued as ServKeys*)
1.454 Goalw [KeyCryptKey_def]
1.455 - "evs : kerberos ==> ~ KeyCryptKey K (shrK A) evs";
1.456 + "evs \\<in> kerberos ==> ~ KeyCryptKey K (shrK A) evs";
1.457 by (parts_induct_tac 1);
1.458 qed "shrK_not_KeyCryptKey";
1.459
1.460 @@ -544,13 +541,13 @@
1.461 other key AuthKey.*)
1.462 Goalw [KeyCryptKey_def]
1.463 "[| Says Tgs A (Crypt AuthKey {|Key ServKey, Agent B, tt, X |}) \
1.464 -\ : set evs; \
1.465 -\ AuthKey' ~= AuthKey; evs : kerberos |] \
1.466 +\ \\<in> set evs; \
1.467 +\ AuthKey' \\<noteq> AuthKey; evs \\<in> kerberos |] \
1.468 \ ==> ~ KeyCryptKey AuthKey' ServKey evs";
1.469 by (blast_tac (claset() addDs [unique_ServKeys]) 1);
1.470 qed "Says_Tgs_KeyCryptKey";
1.471
1.472 -Goal "[| KeyCryptKey AuthKey ServKey evs; evs : kerberos |] \
1.473 +Goal "[| KeyCryptKey AuthKey ServKey evs; evs \\<in> kerberos |] \
1.474 \ ==> ~ KeyCryptKey ServKey K evs";
1.475 by (etac rev_mp 1);
1.476 by (parts_induct_tac 1);
1.477 @@ -572,29 +569,29 @@
1.478
1.479 (*We take some pains to express the property
1.480 as a logical equivalence so that the simplifier can apply it.*)
1.481 -Goal "P --> (Key K : analz (Key`KK Un H)) --> (K:KK | Key K : analz H) \
1.482 +Goal "P --> (Key K \\<in> analz (Key`KK Un H)) --> (K:KK | Key K \\<in> analz H) \
1.483 \ ==> \
1.484 -\ P --> (Key K : analz (Key`KK Un H)) = (K:KK | Key K : analz H)";
1.485 +\ P --> (Key K \\<in> analz (Key`KK Un H)) = (K:KK | Key K \\<in> analz H)";
1.486 by (blast_tac (claset() addIs [impOfSubs analz_mono]) 1);
1.487 qed "Key_analz_image_Key_lemma";
1.488
1.489 -Goal "[| KeyCryptKey K K' evs; evs : kerberos |] \
1.490 -\ ==> Key K' : analz (insert (Key K) (spies evs))";
1.491 +Goal "[| KeyCryptKey K K' evs; evs \\<in> kerberos |] \
1.492 +\ ==> Key K' \\<in> analz (insert (Key K) (spies evs))";
1.493 by (full_simp_tac (simpset() addsimps [KeyCryptKey_def]) 1);
1.494 by (Clarify_tac 1);
1.495 by (dresolve_tac [Says_imp_spies RS analz.Inj RS analz_insertI] 1);
1.496 by Auto_tac;
1.497 qed "KeyCryptKey_analz_insert";
1.498
1.499 -Goal "[| K : AuthKeys evs Un range shrK; evs : kerberos |] \
1.500 -\ ==> ALL SK. ~ KeyCryptKey SK K evs";
1.501 +Goal "[| K \\<in> AuthKeys evs Un range shrK; evs \\<in> kerberos |] \
1.502 +\ ==> \\<forall>SK. ~ KeyCryptKey SK K evs";
1.503 by (asm_full_simp_tac (simpset() addsimps [KeyCryptKey_def]) 1);
1.504 by (blast_tac (claset() addDs [Says_Tgs_message_form]) 1);
1.505 qed "AuthKeys_are_not_KeyCryptKey";
1.506
1.507 -Goal "[| K ~: AuthKeys evs; \
1.508 -\ K ~: range shrK; evs : kerberos |] \
1.509 -\ ==> ALL SK. ~ KeyCryptKey K SK evs";
1.510 +Goal "[| K \\<notin> AuthKeys evs; \
1.511 +\ K \\<notin> range shrK; evs \\<in> kerberos |] \
1.512 +\ ==> \\<forall>SK. ~ KeyCryptKey K SK evs";
1.513 by (asm_full_simp_tac (simpset() addsimps [KeyCryptKey_def]) 1);
1.514 by (blast_tac (claset() addDs [Says_Tgs_message_form]) 1);
1.515 qed "not_AuthKeys_not_KeyCryptKey";
1.516 @@ -613,16 +610,16 @@
1.517 REPEAT_FIRST (eresolve_tac [asm_rl, conjE, disjE, exE]
1.518 ORELSE' hyp_subst_tac)];
1.519
1.520 -Goal "[| KK <= -(range shrK); Key K : analz (spies evs); evs: kerberos |] \
1.521 -\ ==> Key K : analz (Key ` KK Un spies evs)";
1.522 +Goal "[| KK <= -(range shrK); Key K \\<in> analz (spies evs); evs \\<in> kerberos |] \
1.523 +\ ==> Key K \\<in> analz (Key ` KK Un spies evs)";
1.524 by (blast_tac (claset() addDs [impOfSubs analz_mono]) 1);
1.525 qed "analz_mono_KK";
1.526
1.527 (*For the Oops2 case of the next theorem*)
1.528 -Goal "[| evs : kerberos; \
1.529 +Goal "[| evs \\<in> kerberos; \
1.530 \ Says Tgs A (Crypt AuthKey \
1.531 \ {|Key ServKey, Agent B, Number Tt, ServTicket|}) \
1.532 -\ : set evs |] \
1.533 +\ \\<in> set evs |] \
1.534 \ ==> ~ KeyCryptKey ServKey SK evs";
1.535 by (blast_tac (claset() addDs [KeyCryptKeyI, KeyCryptKey_not_KeyCryptKey]) 1);
1.536 qed "Oops2_not_KeyCryptKey";
1.537 @@ -633,11 +630,11 @@
1.538 (* exploited as simplification laws for analz, and also "limit the damage" *)
1.539 (* in case of loss of a key to the spy. See ESORICS98. *)
1.540 (* [simplified by LCP] *)
1.541 -Goal "evs : kerberos ==> \
1.542 -\ (ALL SK KK. KK <= -(range shrK) --> \
1.543 -\ (ALL K: KK. ~ KeyCryptKey K SK evs) --> \
1.544 -\ (Key SK : analz (Key`KK Un (spies evs))) = \
1.545 -\ (SK : KK | Key SK : analz (spies evs)))";
1.546 +Goal "evs \\<in> kerberos ==> \
1.547 +\ (\\<forall>SK KK. KK <= -(range shrK) --> \
1.548 +\ (\\<forall>K \\<in> KK. ~ KeyCryptKey K SK evs) --> \
1.549 +\ (Key SK \\<in> analz (Key`KK Un (spies evs))) = \
1.550 +\ (SK \\<in> KK | Key SK \\<in> analz (spies evs)))";
1.551 by (etac kerberos.induct 1);
1.552 by analz_sees_tac;
1.553 by (REPEAT_FIRST (rtac allI));
1.554 @@ -660,7 +657,7 @@
1.555 by (blast_tac (claset() addEs spies_partsEs
1.556 addSDs [AuthKey_not_KeyCryptKey]) 1);
1.557 (*K5*)
1.558 -by (case_tac "Key ServKey : analz (spies evs5)" 1);
1.559 +by (case_tac "Key ServKey \\<in> analz (spies evs5)" 1);
1.560 (*If ServKey is compromised then the result follows directly...*)
1.561 by (asm_simp_tac
1.562 (simpset() addsimps [analz_insert_eq,
1.563 @@ -677,10 +674,10 @@
1.564
1.565 (* First simplification law for analz: no session keys encrypt *)
1.566 (* authentication keys or shared keys. *)
1.567 -Goal "[| evs : kerberos; K : (AuthKeys evs) Un range shrK; \
1.568 -\ SesKey ~: range shrK |] \
1.569 -\ ==> Key K : analz (insert (Key SesKey) (spies evs)) = \
1.570 -\ (K = SesKey | Key K : analz (spies evs))";
1.571 +Goal "[| evs \\<in> kerberos; K \\<in> (AuthKeys evs) Un range shrK; \
1.572 +\ SesKey \\<notin> range shrK |] \
1.573 +\ ==> Key K \\<in> analz (insert (Key SesKey) (spies evs)) = \
1.574 +\ (K = SesKey | Key K \\<in> analz (spies evs))";
1.575 by (ftac AuthKeys_are_not_KeyCryptKey 1 THEN assume_tac 1);
1.576 by (asm_full_simp_tac (analz_image_freshK_ss addsimps [Key_analz_image_Key]) 1);
1.577 qed "analz_insert_freshK1";
1.578 @@ -688,9 +685,9 @@
1.579
1.580 (* Second simplification law for analz: no service keys encrypt *)
1.581 (* any other keys. *)
1.582 -Goal "[| evs : kerberos; ServKey ~: (AuthKeys evs); ServKey ~: range shrK|]\
1.583 -\ ==> Key K : analz (insert (Key ServKey) (spies evs)) = \
1.584 -\ (K = ServKey | Key K : analz (spies evs))";
1.585 +Goal "[| evs \\<in> kerberos; ServKey \\<notin> (AuthKeys evs); ServKey \\<notin> range shrK|]\
1.586 +\ ==> Key K \\<in> analz (insert (Key ServKey) (spies evs)) = \
1.587 +\ (K = ServKey | Key K \\<in> analz (spies evs))";
1.588 by (ftac not_AuthKeys_not_KeyCryptKey 1
1.589 THEN assume_tac 1
1.590 THEN assume_tac 1);
1.591 @@ -703,10 +700,10 @@
1.592 Goal
1.593 "[| Says Tgs A \
1.594 \ (Crypt AuthKey {|Key ServKey, Agent B, Number Tt, ServTicket|}) \
1.595 -\ : set evs; \
1.596 -\ AuthKey ~= AuthKey'; AuthKey' ~: range shrK; evs : kerberos |] \
1.597 -\ ==> Key ServKey : analz (insert (Key AuthKey') (spies evs)) = \
1.598 -\ (ServKey = AuthKey' | Key ServKey : analz (spies evs))";
1.599 +\ \\<in> set evs; \
1.600 +\ AuthKey \\<noteq> AuthKey'; AuthKey' \\<notin> range shrK; evs \\<in> kerberos |] \
1.601 +\ ==> Key ServKey \\<in> analz (insert (Key AuthKey') (spies evs)) = \
1.602 +\ (ServKey = AuthKey' | Key ServKey \\<in> analz (spies evs))";
1.603 by (dres_inst_tac [("AuthKey'","AuthKey'")] Says_Tgs_KeyCryptKey 1);
1.604 by (Blast_tac 1);
1.605 by (assume_tac 1);
1.606 @@ -717,9 +714,9 @@
1.607 (*a weakness of the protocol*)
1.608 Goal "[| Says Tgs A \
1.609 \ (Crypt AuthKey {|Key ServKey, Agent B, Number Tt, ServTicket|}) \
1.610 -\ : set evs; \
1.611 -\ Key AuthKey : analz (spies evs); evs : kerberos |] \
1.612 -\ ==> Key ServKey : analz (spies evs)";
1.613 +\ \\<in> set evs; \
1.614 +\ Key AuthKey \\<in> analz (spies evs); evs \\<in> kerberos |] \
1.615 +\ ==> Key ServKey \\<in> analz (spies evs)";
1.616 by (force_tac (claset() addDs [Says_imp_spies RS analz.Inj RS
1.617 analz.Decrypt RS analz.Fst],
1.618 simpset()) 1);
1.619 @@ -729,10 +726,10 @@
1.620 (********************** Guarantees for Kas *****************************)
1.621 Goal "[| Crypt AuthKey {|Key ServKey, Agent B, Tt, \
1.622 \ Crypt (shrK B) {|Agent A, Agent B, Key ServKey, Tt|}|}\
1.623 -\ : parts (spies evs); \
1.624 -\ Key ServKey ~: analz (spies evs); \
1.625 -\ B ~= Tgs; evs : kerberos |] \
1.626 -\ ==> ServKey ~: AuthKeys evs";
1.627 +\ \\<in> parts (spies evs); \
1.628 +\ Key ServKey \\<notin> analz (spies evs); \
1.629 +\ B \\<noteq> Tgs; evs \\<in> kerberos |] \
1.630 +\ ==> ServKey \\<notin> AuthKeys evs";
1.631 by (etac rev_mp 1);
1.632 by (etac rev_mp 1);
1.633 by (asm_full_simp_tac (simpset() addsimps [AuthKeys_def]) 1);
1.634 @@ -745,13 +742,13 @@
1.635
1.636 (** If Spy sees the Authentication Key sent in msg K2, then
1.637 the Key has expired **)
1.638 -Goal "[| A ~: bad; evs : kerberos |] \
1.639 +Goal "[| A \\<notin> bad; evs \\<in> kerberos |] \
1.640 \ ==> Says Kas A \
1.641 \ (Crypt (shrK A) \
1.642 \ {|Key AuthKey, Agent Tgs, Number Tk, \
1.643 \ Crypt (shrK Tgs) {|Agent A, Agent Tgs, Key AuthKey, Number Tk|}|})\
1.644 -\ : set evs --> \
1.645 -\ Key AuthKey : analz (spies evs) --> \
1.646 +\ \\<in> set evs --> \
1.647 +\ Key AuthKey \\<in> analz (spies evs) --> \
1.648 \ ExpirAuth Tk evs";
1.649 by (etac kerberos.induct 1);
1.650 by analz_sees_tac;
1.651 @@ -782,42 +779,38 @@
1.652
1.653 Goal "[| Says Kas A \
1.654 \ (Crypt Ka {|Key AuthKey, Agent Tgs, Number Tk, AuthTicket|}) \
1.655 -\ : set evs; \
1.656 +\ \\<in> set evs; \
1.657 \ ~ ExpirAuth Tk evs; \
1.658 -\ A ~: bad; evs : kerberos |] \
1.659 -\ ==> Key AuthKey ~: analz (spies evs)";
1.660 +\ A \\<notin> bad; evs \\<in> kerberos |] \
1.661 +\ ==> Key AuthKey \\<notin> analz (spies evs)";
1.662 by (ftac Says_Kas_message_form 1 THEN assume_tac 1);
1.663 by (blast_tac (claset() addSDs [lemma]) 1);
1.664 qed "Confidentiality_Kas";
1.665
1.666
1.667 -
1.668 -
1.669 -
1.670 -
1.671 (********************** Guarantees for Tgs *****************************)
1.672
1.673 (** If Spy sees the Service Key sent in msg K4, then
1.674 the Key has expired **)
1.675 -Goal "[| A ~: bad; B ~: bad; B ~= Tgs; evs : kerberos |] \
1.676 -\ ==> Key AuthKey ~: analz (spies evs) --> \
1.677 +Goal "[| A \\<notin> bad; B \\<notin> bad; B \\<noteq> Tgs; evs \\<in> kerberos |] \
1.678 +\ ==> Key AuthKey \\<notin> analz (spies evs) --> \
1.679 \ Says Tgs A \
1.680 \ (Crypt AuthKey \
1.681 \ {|Key ServKey, Agent B, Number Tt, \
1.682 \ Crypt (shrK B) {|Agent A, Agent B, Key ServKey, Number Tt|}|})\
1.683 -\ : set evs --> \
1.684 -\ Key ServKey : analz (spies evs) --> \
1.685 +\ \\<in> set evs --> \
1.686 +\ Key ServKey \\<in> analz (spies evs) --> \
1.687 \ ExpirServ Tt evs";
1.688 by (etac kerberos.induct 1);
1.689 -(*The Oops1 case is unusual: must simplify Authkey ~: analz (spies (ev#evs))
1.690 - rather than weakening it to Authkey ~: analz (spies evs), for we then
1.691 - conclude AuthKey ~= AuthKeya.*)
1.692 +(*The Oops1 case is unusual: must simplify Authkey \\<notin> analz (spies (ev#evs))
1.693 + rather than weakening it to Authkey \\<notin> analz (spies evs), for we then
1.694 + conclude AuthKey \\<noteq> AuthKeya.*)
1.695 by (Clarify_tac 9);
1.696 by analz_sees_tac;
1.697 by (rotate_tac ~1 11);
1.698 by (ALLGOALS
1.699 (asm_full_simp_tac
1.700 - (simpset() addsimps [less_SucI,
1.701 + (simpset() addsimps [less_SucI, new_keys_not_analzd,
1.702 Says_Kas_message_form, Says_Tgs_message_form,
1.703 analz_insert_eq, not_parts_not_analz,
1.704 analz_insert_freshK1, analz_insert_freshK2]
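Review bot: The `new_keys_not_analzd` entry added to `addsimps` has no comment saying why this proof needs it now; a line such as `(*new_keys_not_analzd is no longer a default simp rule*)` before the `ALLGOALS` call would record that. The Oops1 comment a few lines up writes `Authkey` twice where the goal's variable is `AuthKey`, which is worth correcting while the comment is being rewritten. The `ALLGOALS` call continues past the end of this hunk, so the rest of the simpset is not visible here.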
1.705 @@ -826,9 +819,9 @@
1.706 by (spy_analz_tac 1);
1.707 (*K2*)
1.708 by (blast_tac (claset() addSEs spies_partsEs
1.709 - addIs [parts_insertI, impOfSubs analz_subset_parts, less_SucI]) 1);
1.710 + addIs [parts_insertI, less_SucI]) 1);
1.711 (*K4*)
1.712 -by (case_tac "A ~= Aa" 1);
1.713 +by (case_tac "A \\<noteq> Aa" 1);
1.714 by (blast_tac (claset() addSEs spies_partsEs
1.715 addIs [less_SucI]) 1);
1.716 by (blast_tac (claset() addDs [Says_imp_spies RS parts.Inj RS parts.Fst,
1.717 @@ -847,7 +840,7 @@
1.718 Says_Kas_message_form, Says_Tgs_message_form]
1.719 addIs [less_SucI]) 2);
1.720 (** Level 16 **)
1.721 -by (thin_tac "Says Aa Tgs ?X : set ?evs" 1);
1.722 +by (thin_tac "Says Aa Tgs ?X \\<in> set ?evs" 1);
1.723 by (forward_tac [Says_imp_spies RS parts.Inj RS ServKey_notin_AuthKeysD] 1);
1.724 by (assume_tac 1 THEN Blast_tac 1 THEN assume_tac 1);
1.725 by (rotate_tac ~1 1);
1.726 @@ -863,11 +856,11 @@
1.727 Goal
1.728 "[| Says Tgs A \
1.729 \ (Crypt AuthKey {|Key ServKey, Agent B, Number Tt, ServTicket|}) \
1.730 -\ : set evs; \
1.731 -\ Key AuthKey ~: analz (spies evs); \
1.732 +\ \\<in> set evs; \
1.733 +\ Key AuthKey \\<notin> analz (spies evs); \
1.734 \ ~ ExpirServ Tt evs; \
1.735 -\ A ~: bad; B ~: bad; B ~= Tgs; evs : kerberos |] \
1.736 -\ ==> Key ServKey ~: analz (spies evs)";
1.737 +\ A \\<notin> bad; B \\<notin> bad; B \\<noteq> Tgs; evs \\<in> kerberos |] \
1.738 +\ ==> Key ServKey \\<notin> analz (spies evs)";
1.739 by (ftac Says_Tgs_message_form 1 THEN assume_tac 1);
1.740 by (blast_tac (claset() addDs [lemma]) 1);
1.741 qed "Confidentiality_Tgs1";
1.742 @@ -876,13 +869,13 @@
1.743 Goal
1.744 "[| Says Kas A \
1.745 \ (Crypt Ka {|Key AuthKey, Agent Tgs, Number Tk, AuthTicket|}) \
1.746 -\ : set evs; \
1.747 +\ \\<in> set evs; \
1.748 \ Says Tgs A \
1.749 \ (Crypt AuthKey {|Key ServKey, Agent B, Number Tt, ServTicket|}) \
1.750 -\ : set evs; \
1.751 +\ \\<in> set evs; \
1.752 \ ~ ExpirAuth Tk evs; ~ ExpirServ Tt evs; \
1.753 -\ A ~: bad; B ~: bad; B ~= Tgs; evs : kerberos |] \
1.754 -\ ==> Key ServKey ~: analz (spies evs)";
1.755 +\ A \\<notin> bad; B \\<notin> bad; B \\<noteq> Tgs; evs \\<in> kerberos |] \
1.756 +\ ==> Key ServKey \\<notin> analz (spies evs)";
1.757 by (blast_tac (claset() addSDs [Confidentiality_Kas,
1.758 Confidentiality_Tgs1]) 1);
1.759 qed "Confidentiality_Tgs2";
1.760 @@ -897,13 +890,13 @@
1.761
1.762 Goal
1.763 "[| Says Kas A \
1.764 -\ (Crypt (shrK A) {|Key AuthKey, Agent Tgs, Tk, AuthTicket|}) : set evs;\
1.765 +\ (Crypt (shrK A) {|Key AuthKey, Agent Tgs, Tk, AuthTicket|}) \\<in> set evs;\
1.766 \ Crypt AuthKey {|Key ServKey, Agent B, Tt, ServTicket|} \
1.767 -\ : parts (spies evs); \
1.768 -\ Key AuthKey ~: analz (spies evs); \
1.769 -\ evs : kerberos |] \
1.770 +\ \\<in> parts (spies evs); \
1.771 +\ Key AuthKey \\<notin> analz (spies evs); \
1.772 +\ evs \\<in> kerberos |] \
1.773 \==> Says Tgs A (Crypt AuthKey {|Key ServKey, Agent B, Tt, ServTicket|})\
1.774 -\ : set evs";
1.775 +\ \\<in> set evs";
1.776 by (ftac Says_Kas_message_form 1 THEN assume_tac 1);
1.777 by (etac rev_mp 1);
1.778 by (etac rev_mp 1);
1.779 @@ -919,12 +912,12 @@
1.780
1.781
1.782 Goal "[| Crypt (shrK A) {|Key AuthKey, Agent Tgs, Number Tk, AuthTicket|} \
1.783 -\ : parts (spies evs); \
1.784 +\ \\<in> parts (spies evs); \
1.785 \ Crypt AuthKey {|Key ServKey, Agent B, Number Tt, ServTicket|} \
1.786 -\ : parts (spies evs); \
1.787 +\ \\<in> parts (spies evs); \
1.788 \ ~ ExpirAuth Tk evs; ~ ExpirServ Tt evs; \
1.789 -\ A ~: bad; B ~: bad; B ~= Tgs; evs : kerberos |] \
1.790 -\ ==> Key ServKey ~: analz (spies evs)";
1.791 +\ A \\<notin> bad; B \\<notin> bad; B \\<noteq> Tgs; evs \\<in> kerberos |] \
1.792 +\ ==> Key ServKey \\<notin> analz (spies evs)";
1.793 by (dtac A_trusts_AuthKey 1);
1.794 by (assume_tac 1);
1.795 by (assume_tac 1);
1.796 @@ -939,10 +932,10 @@
1.797
1.798 Goal
1.799 "[| Says Tgs A (Crypt AuthKey {|Key ServKey, Agent B, Number Tt, ServTicket|})\
1.800 -\ : set evs; evs : kerberos|] \
1.801 -\ ==> EX Tk. Says Kas A (Crypt (shrK A) {|Key AuthKey, Agent Tgs, Number Tk,\
1.802 +\ \\<in> set evs; evs \\<in> kerberos|] \
1.803 +\ ==> \\<exists>Tk. Says Kas A (Crypt (shrK A) {|Key AuthKey, Agent Tgs, Number Tk,\
1.804 \ Crypt (shrK Tgs) {|Agent A, Agent Tgs, Key AuthKey, Number Tk|}|})\
1.805 -\ : set evs";
1.806 +\ \\<in> set evs";
1.807 by (etac rev_mp 1);
1.808 by (parts_induct_tac 1);
1.809 by Auto_tac;
1.810 @@ -952,10 +945,10 @@
1.811
1.812 Goal
1.813 "[| Says Tgs A (Crypt AuthKey {|Key ServKey, Agent B, Number Tt, ServTicket|})\
1.814 -\ : set evs; evs : kerberos|] \
1.815 -\ ==> EX Tk. (Says Kas A (Crypt (shrK A) {|Key AuthKey, Agent Tgs, Number Tk,\
1.816 +\ \\<in> set evs; evs \\<in> kerberos|] \
1.817 +\ ==> \\<exists>Tk. (Says Kas A (Crypt (shrK A) {|Key AuthKey, Agent Tgs, Number Tk,\
1.818 \ Crypt (shrK Tgs) {|Agent A, Agent Tgs, Key AuthKey, Number Tk|}|})\
1.819 -\ : set evs \
1.820 +\ \\<in> set evs \
1.821 \ & ServLife + Tt <= AuthLife + Tk)";
1.822 by (etac rev_mp 1);
1.823 by (parts_induct_tac 1);
1.824 @@ -965,12 +958,12 @@
1.825 qed "K4_imp_K2_refined";
1.826
1.827 Goal "[| Crypt (shrK B) {|Agent A, Agent B, Key ServKey, Tt|} \
1.828 -\ : parts (spies evs); B ~= Tgs; B ~: bad; \
1.829 -\ evs : kerberos |] \
1.830 -\==> EX AuthKey. \
1.831 +\ \\<in> parts (spies evs); B \\<noteq> Tgs; B \\<notin> bad; \
1.832 +\ evs \\<in> kerberos |] \
1.833 +\==> \\<exists>AuthKey. \
1.834 \ Says Tgs A (Crypt AuthKey {|Key ServKey, Agent B, Tt, \
1.835 \ Crypt (shrK B) {|Agent A, Agent B, Key ServKey, Tt|}|}) \
1.836 -\ : set evs";
1.837 +\ \\<in> set evs";
1.838 by (etac rev_mp 1);
1.839 by (parts_induct_tac 1);
1.840 by (Fake_parts_insert_tac 1);
1.841 @@ -978,34 +971,34 @@
1.842 qed "B_trusts_ServKey";
1.843
1.844 Goal "[| Crypt (shrK B) {|Agent A, Agent B, Key ServKey, Number Tt|} \
1.845 -\ : parts (spies evs); B ~= Tgs; B ~: bad; \
1.846 -\ evs : kerberos |] \
1.847 -\ ==> EX AuthKey Tk. Says Kas A (Crypt (shrK A) {|Key AuthKey, Agent Tgs, Number Tk,\
1.848 +\ \\<in> parts (spies evs); B \\<noteq> Tgs; B \\<notin> bad; \
1.849 +\ evs \\<in> kerberos |] \
1.850 +\ ==> \\<exists>AuthKey Tk. Says Kas A (Crypt (shrK A) {|Key AuthKey, Agent Tgs, Number Tk,\
1.851 \ Crypt (shrK Tgs) {|Agent A, Agent Tgs, Key AuthKey, Number Tk|}|})\
1.852 -\ : set evs";
1.853 +\ \\<in> set evs";
1.854 by (blast_tac (claset() addSDs [B_trusts_ServKey, K4_imp_K2]) 1);
1.855 qed "B_trusts_ServTicket_Kas";
1.856
1.857 Goal "[| Crypt (shrK B) {|Agent A, Agent B, Key ServKey, Number Tt|} \
1.858 -\ : parts (spies evs); B ~= Tgs; B ~: bad; \
1.859 -\ evs : kerberos |] \
1.860 -\ ==> EX AuthKey Tk. (Says Kas A (Crypt (shrK A) {|Key AuthKey, Agent Tgs, Number Tk,\
1.861 +\ \\<in> parts (spies evs); B \\<noteq> Tgs; B \\<notin> bad; \
1.862 +\ evs \\<in> kerberos |] \
1.863 +\ ==> \\<exists>AuthKey Tk. (Says Kas A (Crypt (shrK A) {|Key AuthKey, Agent Tgs, Number Tk,\
1.864 \ Crypt (shrK Tgs) {|Agent A, Agent Tgs, Key AuthKey, Number Tk|}|})\
1.865 -\ : set evs \
1.866 +\ \\<in> set evs \
1.867 \ & ServLife + Tt <= AuthLife + Tk)";
1.868 by (blast_tac (claset() addSDs [B_trusts_ServKey,K4_imp_K2_refined]) 1);
1.869 qed "B_trusts_ServTicket_Kas_refined";
1.870
1.871 Goal "[| Crypt (shrK B) {|Agent A, Agent B, Key ServKey, Number Tt|} \
1.872 -\ : parts (spies evs); B ~= Tgs; B ~: bad; \
1.873 -\ evs : kerberos |] \
1.874 -\==> EX Tk AuthKey. \
1.875 +\ \\<in> parts (spies evs); B \\<noteq> Tgs; B \\<notin> bad; \
1.876 +\ evs \\<in> kerberos |] \
1.877 +\==> \\<exists>Tk AuthKey. \
1.878 \ Says Kas A (Crypt (shrK A) {|Key AuthKey, Agent Tgs, Number Tk, \
1.879 \ Crypt (shrK Tgs) {|Agent A, Agent Tgs, Key AuthKey, Number Tk|}|})\
1.880 -\ : set evs \
1.881 +\ \\<in> set evs \
1.882 \ & Says Tgs A (Crypt AuthKey {|Key ServKey, Agent B, Number Tt, \
1.883 \ Crypt (shrK B) {|Agent A, Agent B, Key ServKey, Number Tt|}|}) \
1.884 -\ : set evs";
1.885 +\ \\<in> set evs";
1.886 by (ftac B_trusts_ServKey 1);
1.887 by (etac exE 4);
1.888 by (ftac K4_imp_K2 4);
1.889 @@ -1014,15 +1007,15 @@
1.890 qed "B_trusts_ServTicket";
1.891
1.892 Goal "[| Crypt (shrK B) {|Agent A, Agent B, Key ServKey, Number Tt|} \
1.893 -\ : parts (spies evs); B ~= Tgs; B ~: bad; \
1.894 -\ evs : kerberos |] \
1.895 -\==> EX Tk AuthKey. \
1.896 +\ \\<in> parts (spies evs); B \\<noteq> Tgs; B \\<notin> bad; \
1.897 +\ evs \\<in> kerberos |] \
1.898 +\==> \\<exists>Tk AuthKey. \
1.899 \ (Says Kas A (Crypt (shrK A) {|Key AuthKey, Agent Tgs, Number Tk, \
1.900 \ Crypt (shrK Tgs) {|Agent A, Agent Tgs, Key AuthKey, Number Tk|}|})\
1.901 -\ : set evs \
1.902 +\ \\<in> set evs \
1.903 \ & Says Tgs A (Crypt AuthKey {|Key ServKey, Agent B, Number Tt, \
1.904 \ Crypt (shrK B) {|Agent A, Agent B, Key ServKey, Number Tt|}|}) \
1.905 -\ : set evs \
1.906 +\ \\<in> set evs \
1.907 \ & ServLife + Tt <= AuthLife + Tk)";
1.908 by (ftac B_trusts_ServKey 1);
1.909 by (etac exE 4);
1.910 @@ -1039,14 +1032,14 @@
1.911
1.912
1.913 Goal "[| Crypt (shrK B) {|Agent A, Agent B, Key ServKey, Number Tt|} \
1.914 -\ : parts (spies evs); \
1.915 +\ \\<in> parts (spies evs); \
1.916 \ Crypt AuthKey {|Key ServKey, Agent B, Number Tt, ServTicket|} \
1.917 -\ : parts (spies evs); \
1.918 +\ \\<in> parts (spies evs); \
1.919 \ Crypt (shrK A) {|Key AuthKey, Agent Tgs, Number Tk, AuthTicket|}\
1.920 -\ : parts (spies evs); \
1.921 +\ \\<in> parts (spies evs); \
1.922 \ ~ ExpirServ Tt evs; ~ ExpirAuth Tk evs; \
1.923 -\ A ~: bad; B ~: bad; B ~= Tgs; evs : kerberos |] \
1.924 -\ ==> Key ServKey ~: analz (spies evs)";
1.925 +\ A \\<notin> bad; B \\<notin> bad; B \\<noteq> Tgs; evs \\<in> kerberos |] \
1.926 +\ ==> Key ServKey \\<notin> analz (spies evs)";
1.927 by (ftac A_trusts_AuthKey 1);
1.928 by (ftac Confidentiality_Kas 3);
1.929 by (ftac B_trusts_ServTicket 6);
1.930 @@ -1070,10 +1063,10 @@
1.931
1.932 (*Most general form -- only for refined model! *)
1.933 Goal "[| Crypt (shrK B) {|Agent A, Agent B, Key ServKey, Number Tt|} \
1.934 -\ : parts (spies evs); \
1.935 +\ \\<in> parts (spies evs); \
1.936 \ ~ ExpirServ Tt evs; \
1.937 -\ A ~: bad; B ~: bad; B ~= Tgs; evs : kerberos |] \
1.938 -\ ==> Key ServKey ~: analz (spies evs)";
1.939 +\ A \\<notin> bad; B \\<notin> bad; B \\<noteq> Tgs; evs \\<in> kerberos |] \
1.940 +\ ==> Key ServKey \\<notin> analz (spies evs)";
1.941 by (blast_tac (claset() addDs [B_trusts_ServTicket_refined,
1.942 NotExpirServ_NotExpirAuth_refined,
1.943 Confidentiality_Tgs2]) 1);
1.944 @@ -1088,12 +1081,12 @@
1.945
1.946 (*Authenticity of ServKey for A: "A_trusts_ServKey"*)
1.947 Goal "[| Crypt (shrK A) {|Key AuthKey, Agent Tgs, Number Tk, AuthTicket|} \
1.948 -\ : parts (spies evs); \
1.949 +\ \\<in> parts (spies evs); \
1.950 \ Crypt AuthKey {|Key ServKey, Agent B, Number Tt, ServTicket|} \
1.951 -\ : parts (spies evs); \
1.952 -\ ~ ExpirAuth Tk evs; A ~: bad; evs : kerberos |] \
1.953 +\ \\<in> parts (spies evs); \
1.954 +\ ~ ExpirAuth Tk evs; A \\<notin> bad; evs \\<in> kerberos |] \
1.955 \==>Says Tgs A (Crypt AuthKey {|Key ServKey, Agent B, Number Tt, ServTicket|})\
1.956 -\ : set evs";
1.957 +\ \\<in> set evs";
1.958 by (ftac A_trusts_AuthKey 1 THEN assume_tac 1 THEN assume_tac 1);
1.959 by (blast_tac (claset() addDs [Confidentiality_Auth_A, A_trusts_K4_bis]) 1);
1.960 qed "A_trusts_ServKey";
1.961 @@ -1111,12 +1104,12 @@
1.962
1.963 (*B checks authenticity of A: theorems "A_Authenticity",
1.964 "A_authenticity_refined" *)
1.965 -Goal "[| Crypt ServKey {|Agent A, Number Ta|} : parts (spies evs); \
1.966 +Goal "[| Crypt ServKey {|Agent A, Number Ta|} \\<in> parts (spies evs); \
1.967 \ Says Tgs A (Crypt AuthKey {|Key ServKey, Agent B, Number Tt, \
1.968 -\ ServTicket|}) : set evs; \
1.969 -\ Key ServKey ~: analz (spies evs); \
1.970 -\ A ~: bad; B ~: bad; evs : kerberos |] \
1.971 -\==> Says A B {|ServTicket, Crypt ServKey {|Agent A, Number Ta|}|} : set evs";
1.972 +\ ServTicket|}) \\<in> set evs; \
1.973 +\ Key ServKey \\<notin> analz (spies evs); \
1.974 +\ A \\<notin> bad; B \\<notin> bad; evs \\<in> kerberos |] \
1.975 +\==> Says A B {|ServTicket, Crypt ServKey {|Agent A, Number Ta|}|} \\<in> set evs";
1.976 by (etac rev_mp 1);
1.977 by (etac rev_mp 1);
1.978 by (etac rev_mp 1);
1.979 @@ -1138,17 +1131,17 @@
1.980 qed "Says_Auth";
1.981
1.982 (*The second assumption tells B what kind of key ServKey is.*)
1.983 -Goal "[| Crypt ServKey {|Agent A, Number Ta|} : parts (spies evs); \
1.984 +Goal "[| Crypt ServKey {|Agent A, Number Ta|} \\<in> parts (spies evs); \
1.985 \ Crypt (shrK B) {|Agent A, Agent B, Key ServKey, Number Tt|} \
1.986 -\ : parts (spies evs); \
1.987 +\ \\<in> parts (spies evs); \
1.988 \ Crypt AuthKey {|Key ServKey, Agent B, Number Tt, ServTicket|} \
1.989 -\ : parts (spies evs); \
1.990 +\ \\<in> parts (spies evs); \
1.991 \ Crypt (shrK A) {|Key AuthKey, Agent Tgs, Number Tk, AuthTicket|} \
1.992 -\ : parts (spies evs); \
1.993 +\ \\<in> parts (spies evs); \
1.994 \ ~ ExpirServ Tt evs; ~ ExpirAuth Tk evs; \
1.995 -\ B ~= Tgs; A ~: bad; B ~: bad; evs : kerberos |] \
1.996 +\ B \\<noteq> Tgs; A \\<notin> bad; B \\<notin> bad; evs \\<in> kerberos |] \
1.997 \ ==> Says A B {|Crypt (shrK B) {|Agent A, Agent B, Key ServKey, Number Tt|},\
1.998 -\ Crypt ServKey {|Agent A, Number Ta|} |} : set evs";
1.999 +\ Crypt ServKey {|Agent A, Number Ta|} |} \\<in> set evs";
1.1000 by (ftac Confidentiality_B 1);
1.1001 by (ftac B_trusts_ServKey 9);
1.1002 by (etac exE 12);
1.1003 @@ -1158,13 +1151,13 @@
1.1004 qed "A_Authenticity";
1.1005
1.1006 (*Stronger form in the refined model*)
1.1007 -Goal "[| Crypt ServKey {|Agent A, Number Ta2|} : parts (spies evs); \
1.1008 +Goal "[| Crypt ServKey {|Agent A, Number Ta2|} \\<in> parts (spies evs); \
1.1009 \ Crypt (shrK B) {|Agent A, Agent B, Key ServKey, Number Tt|} \
1.1010 -\ : parts (spies evs); \
1.1011 +\ \\<in> parts (spies evs); \
1.1012 \ ~ ExpirServ Tt evs; \
1.1013 -\ B ~= Tgs; A ~: bad; B ~: bad; evs : kerberos |] \
1.1014 +\ B \\<noteq> Tgs; A \\<notin> bad; B \\<notin> bad; evs \\<in> kerberos |] \
1.1015 \ ==> Says A B {|Crypt (shrK B) {|Agent A, Agent B, Key ServKey, Number Tt|},\
1.1016 -\ Crypt ServKey {|Agent A, Number Ta2|} |} : set evs";
1.1017 +\ Crypt ServKey {|Agent A, Number Ta2|} |} \\<in> set evs";
1.1018 by (ftac Confidentiality_B_refined 1);
1.1019 by (ftac B_trusts_ServKey 6);
1.1020 by (etac exE 9);
1.1021 @@ -1176,12 +1169,12 @@
1.1022
1.1023 (*A checks authenticity of B: theorem "B_authenticity"*)
1.1024
1.1025 -Goal "[| Crypt ServKey (Number Ta) : parts (spies evs); \
1.1026 +Goal "[| Crypt ServKey (Number Ta) \\<in> parts (spies evs); \
1.1027 \ Says Tgs A (Crypt AuthKey {|Key ServKey, Agent B, Number Tt, \
1.1028 -\ ServTicket|}) : set evs; \
1.1029 -\ Key ServKey ~: analz (spies evs); \
1.1030 -\ A ~: bad; B ~: bad; evs : kerberos |] \
1.1031 -\ ==> Says B A (Crypt ServKey (Number Ta)) : set evs";
1.1032 +\ ServTicket|}) \\<in> set evs; \
1.1033 +\ Key ServKey \\<notin> analz (spies evs); \
1.1034 +\ A \\<notin> bad; B \\<notin> bad; evs \\<in> kerberos |] \
1.1035 +\ ==> Says B A (Crypt ServKey (Number Ta)) \\<in> set evs";
1.1036 by (etac rev_mp 1);
1.1037 by (etac rev_mp 1);
1.1038 by (etac rev_mp 1);
1.1039 @@ -1199,11 +1192,11 @@
1.1040 qed "Says_K6";
1.1041
1.1042 Goal "[| Crypt AuthKey {|Key ServKey, Agent B, T, ServTicket|} \
1.1043 -\ : parts (spies evs); \
1.1044 -\ Key AuthKey ~: analz (spies evs); AuthKey ~: range shrK; \
1.1045 -\ evs : kerberos |] \
1.1046 -\ ==> EX A. Says Tgs A (Crypt AuthKey {|Key ServKey, Agent B, T, ServTicket|})\
1.1047 -\ : set evs";
1.1048 +\ \\<in> parts (spies evs); \
1.1049 +\ Key AuthKey \\<notin> analz (spies evs); AuthKey \\<notin> range shrK; \
1.1050 +\ evs \\<in> kerberos |] \
1.1051 +\ ==> \\<exists>A. Says Tgs A (Crypt AuthKey {|Key ServKey, Agent B, T, ServTicket|})\
1.1052 +\ \\<in> set evs";
1.1053 by (etac rev_mp 1);
1.1054 by (etac rev_mp 1);
1.1055 by (parts_induct_tac 1);
1.1056 @@ -1212,14 +1205,14 @@
1.1057 by (Blast_tac 1);
1.1058 qed "K4_trustworthy";
1.1059
1.1060 -Goal "[| Crypt ServKey (Number Ta) : parts (spies evs); \
1.1061 +Goal "[| Crypt ServKey (Number Ta) \\<in> parts (spies evs); \
1.1062 \ Crypt AuthKey {|Key ServKey, Agent B, Number Tt, ServTicket|} \
1.1063 -\ : parts (spies evs); \
1.1064 +\ \\<in> parts (spies evs); \
1.1065 \ Crypt (shrK A) {|Key AuthKey, Agent Tgs, Number Tk, AuthTicket|}\
1.1066 -\ : parts (spies evs); \
1.1067 +\ \\<in> parts (spies evs); \
1.1068 \ ~ ExpirAuth Tk evs; ~ ExpirServ Tt evs; \
1.1069 -\ A ~: bad; B ~: bad; B ~= Tgs; evs : kerberos |] \
1.1070 -\ ==> Says B A (Crypt ServKey (Number Ta)) : set evs";
1.1071 +\ A \\<notin> bad; B \\<notin> bad; B \\<noteq> Tgs; evs \\<in> kerberos |] \
1.1072 +\ ==> Says B A (Crypt ServKey (Number Ta)) \\<in> set evs";
1.1073 by (ftac A_trusts_AuthKey 1);
1.1074 by (ftac Says_Kas_message_form 3);
1.1075 by (ftac Confidentiality_Kas 4);
1.1076 @@ -1237,9 +1230,9 @@
1.1077 (***3. Parties' knowledge of session keys. A knows a session key if she
1.1078 used it to build a cipher.***)
1.1079
1.1080 -Goal "[| Says B A (Crypt ServKey (Number Ta)) : set evs; \
1.1081 -\ Key ServKey ~: analz (spies evs); \
1.1082 -\ A ~: bad; B ~: bad; B ~= Tgs; evs : kerberos |] \
1.1083 +Goal "[| Says B A (Crypt ServKey (Number Ta)) \\<in> set evs; \
1.1084 +\ Key ServKey \\<notin> analz (spies evs); \
1.1085 +\ A \\<notin> bad; B \\<notin> bad; B \\<noteq> Tgs; evs \\<in> kerberos |] \
1.1086 \ ==> B Issues A with (Crypt ServKey (Number Ta)) on evs";
1.1087 by (simp_tac (simpset() addsimps [Issues_def]) 1);
1.1088 by (rtac exI 1);
1.1089 @@ -1262,41 +1255,41 @@
1.1090 addIs [Says_K6]
1.1091 addEs spies_partsEs) 1);
1.1092 qed "B_Knows_B_Knows_ServKey_lemma";
1.1093 -(*Key ServKey ~: analz (spies evs) could be relaxed by Confidentiality_B
1.1094 +(*Key ServKey \\<notin> analz (spies evs) could be relaxed by Confidentiality_B
1.1095 but this is irrelevant because B knows what he knows! *)
1.1096
1.1097 -Goal "[| Says B A (Crypt ServKey (Number Ta)) : set evs; \
1.1098 +Goal "[| Says B A (Crypt ServKey (Number Ta)) \\<in> set evs; \
1.1099 \ Crypt (shrK B) {|Agent A, Agent B, Key ServKey, Number Tt|}\
1.1100 -\ : parts (spies evs);\
1.1101 +\ \\<in> parts (spies evs);\
1.1102 \ Crypt AuthKey {|Key ServKey, Agent B, Number Tt, ServTicket|}\
1.1103 -\ : parts (spies evs);\
1.1104 +\ \\<in> parts (spies evs);\
1.1105 \ Crypt (shrK A) {|Key AuthKey, Agent Tgs, Number Tk, AuthTicket|}\
1.1106 -\ : parts (spies evs); \
1.1107 +\ \\<in> parts (spies evs); \
1.1108 \ ~ ExpirServ Tt evs; ~ ExpirAuth Tk evs; \
1.1109 -\ A ~: bad; B ~: bad; B ~= Tgs; evs : kerberos |] \
1.1110 +\ A \\<notin> bad; B \\<notin> bad; B \\<noteq> Tgs; evs \\<in> kerberos |] \
1.1111 \ ==> B Issues A with (Crypt ServKey (Number Ta)) on evs";
1.1112 by (blast_tac (claset() addSDs [Confidentiality_B,
1.1113 B_Knows_B_Knows_ServKey_lemma]) 1);
1.1114 qed "B_Knows_B_Knows_ServKey";
1.1115
1.1116 -Goal "[| Says B A (Crypt ServKey (Number Ta)) : set evs; \
1.1117 +Goal "[| Says B A (Crypt ServKey (Number Ta)) \\<in> set evs; \
1.1118 \ Crypt (shrK B) {|Agent A, Agent B, Key ServKey, Number Tt|}\
1.1119 -\ : parts (spies evs);\
1.1120 +\ \\<in> parts (spies evs);\
1.1121 \ ~ ExpirServ Tt evs; \
1.1122 -\ A ~: bad; B ~: bad; B ~= Tgs; evs : kerberos |] \
1.1123 +\ A \\<notin> bad; B \\<notin> bad; B \\<noteq> Tgs; evs \\<in> kerberos |] \
1.1124 \ ==> B Issues A with (Crypt ServKey (Number Ta)) on evs";
1.1125 by (blast_tac (claset() addSDs [Confidentiality_B_refined,
1.1126 B_Knows_B_Knows_ServKey_lemma]) 1);
1.1127 qed "B_Knows_B_Knows_ServKey_refined";
1.1128
1.1129
1.1130 -Goal "[| Crypt ServKey (Number Ta) : parts (spies evs); \
1.1131 +Goal "[| Crypt ServKey (Number Ta) \\<in> parts (spies evs); \
1.1132 \ Crypt AuthKey {|Key ServKey, Agent B, Number Tt, ServTicket|} \
1.1133 -\ : parts (spies evs); \
1.1134 +\ \\<in> parts (spies evs); \
1.1135 \ Crypt (shrK A) {|Key AuthKey, Agent Tgs, Number Tk, AuthTicket|}\
1.1136 -\ : parts (spies evs); \
1.1137 +\ \\<in> parts (spies evs); \
1.1138 \ ~ ExpirAuth Tk evs; ~ ExpirServ Tt evs; \
1.1139 -\ A ~: bad; B ~: bad; B ~= Tgs; evs : kerberos |] \
1.1140 +\ A \\<notin> bad; B \\<notin> bad; B \\<noteq> Tgs; evs \\<in> kerberos |] \
1.1141 \ ==> B Issues A with (Crypt ServKey (Number Ta)) on evs";
1.1142 by (blast_tac (claset() addSDs [B_Authenticity, Confidentiality_Serv_A,
1.1143 B_Knows_B_Knows_ServKey_lemma]) 1);
1.1144 @@ -1304,11 +1297,11 @@
1.1145
1.1146 Goal "[| Says A Tgs \
1.1147 \ {|AuthTicket, Crypt AuthKey {|Agent A, Number Ta|}, Agent B|}\
1.1148 -\ : set evs; \
1.1149 -\ A ~: bad; evs : kerberos |] \
1.1150 -\ ==> EX Tk. Says Kas A (Crypt (shrK A) \
1.1151 +\ \\<in> set evs; \
1.1152 +\ A \\<notin> bad; evs \\<in> kerberos |] \
1.1153 +\ ==> \\<exists>Tk. Says Kas A (Crypt (shrK A) \
1.1154 \ {|Key AuthKey, Agent Tgs, Tk, AuthTicket|}) \
1.1155 -\ : set evs";
1.1156 +\ \\<in> set evs";
1.1157 by (etac rev_mp 1);
1.1158 by (parts_induct_tac 1);
1.1159 by (Fake_parts_insert_tac 1);
1.1160 @@ -1318,15 +1311,15 @@
1.1161 qed "K3_imp_K2";
1.1162
1.1163 Goal "[| Crypt AuthKey {|Key ServKey, Agent B, Number Tt, ServTicket|} \
1.1164 -\ : parts (spies evs); \
1.1165 +\ \\<in> parts (spies evs); \
1.1166 \ Says Kas A (Crypt (shrK A) \
1.1167 \ {|Key AuthKey, Agent Tgs, Tk, AuthTicket|}) \
1.1168 -\ : set evs; \
1.1169 -\ Key AuthKey ~: analz (spies evs); \
1.1170 -\ B ~= Tgs; A ~: bad; B ~: bad; evs : kerberos |] \
1.1171 +\ \\<in> set evs; \
1.1172 +\ Key AuthKey \\<notin> analz (spies evs); \
1.1173 +\ B \\<noteq> Tgs; A \\<notin> bad; B \\<notin> bad; evs \\<in> kerberos |] \
1.1174 \ ==> Says Tgs A (Crypt AuthKey \
1.1175 \ {|Key ServKey, Agent B, Number Tt, ServTicket|}) \
1.1176 -\ : set evs";
1.1177 +\ \\<in> set evs";
1.1178 by (etac rev_mp 1);
1.1179 by (etac rev_mp 1);
1.1180 by (etac rev_mp 1);
1.1181 @@ -1338,9 +1331,9 @@
1.1182 qed "K4_trustworthy'";
1.1183
1.1184 Goal "[| Says A B {|ServTicket, Crypt ServKey {|Agent A, Number Ta|}|} \
1.1185 -\ : set evs; \
1.1186 -\ Key ServKey ~: analz (spies evs); \
1.1187 -\ B ~= Tgs; A ~: bad; B ~: bad; evs : kerberos |] \
1.1188 +\ \\<in> set evs; \
1.1189 +\ Key ServKey \\<notin> analz (spies evs); \
1.1190 +\ B \\<noteq> Tgs; A \\<notin> bad; B \\<notin> bad; evs \\<in> kerberos |] \
1.1191 \ ==> A Issues B with (Crypt ServKey {|Agent A, Number Ta|}) on evs";
1.1192 by (simp_tac (simpset() addsimps [Issues_def]) 1);
1.1193 by (rtac exI 1);
1.1194 @@ -1360,7 +1353,7 @@
1.1195 by (asm_full_simp_tac (simpset() addsimps [takeWhile_tail]) 1);
1.1196 (*Level 15: case study necessary because the assumption doesn't state
1.1197 the form of ServTicket. The guarantee becomes stronger.*)
1.1198 -by (case_tac "Key AuthKey : analz (spies evs5)" 1);
1.1199 +by (case_tac "Key AuthKey \\<in> analz (spies evs5)" 1);
1.1200 by (force_tac (claset() addDs [Says_imp_spies RS analz.Inj RS
1.1201 analz.Decrypt RS analz.Fst],
1.1202 simpset()) 1);
1.1203 @@ -1373,38 +1366,38 @@
1.1204 qed "A_Knows_A_Knows_ServKey_lemma";
1.1205
1.1206 Goal "[| Says A B {|ServTicket, Crypt ServKey {|Agent A, Number Ta|}|} \
1.1207 -\ : set evs; \
1.1208 +\ \\<in> set evs; \
1.1209 \ Crypt (shrK A) {|Key AuthKey, Agent Tgs, Number Tk, AuthTicket|}\
1.1210 -\ : parts (spies evs);\
1.1211 +\ \\<in> parts (spies evs);\
1.1212 \ Crypt AuthKey {|Key ServKey, Agent B, Number Tt, ServTicket|}\
1.1213 -\ : parts (spies evs); \
1.1214 +\ \\<in> parts (spies evs); \
1.1215 \ ~ ExpirAuth Tk evs; ~ ExpirServ Tt evs;\
1.1216 -\ B ~= Tgs; A ~: bad; B ~: bad; evs : kerberos |] \
1.1217 +\ B \\<noteq> Tgs; A \\<notin> bad; B \\<notin> bad; evs \\<in> kerberos |] \
1.1218 \ ==> A Issues B with (Crypt ServKey {|Agent A, Number Ta|}) on evs";
1.1219 by (blast_tac (claset() addSDs [Confidentiality_Serv_A,
1.1220 A_Knows_A_Knows_ServKey_lemma]) 1);
1.1221 qed "A_Knows_A_Knows_ServKey";
1.1222
1.1223 -Goal "[| Crypt ServKey {|Agent A, Number Ta|} : parts (spies evs); \
1.1224 +Goal "[| Crypt ServKey {|Agent A, Number Ta|} \\<in> parts (spies evs); \
1.1225 \ Crypt (shrK B) {|Agent A, Agent B, Key ServKey, Number Tt|} \
1.1226 -\ : parts (spies evs); \
1.1227 +\ \\<in> parts (spies evs); \
1.1228 \ Crypt AuthKey {|Key ServKey, Agent B, Number Tt, ServTicket|} \
1.1229 -\ : parts (spies evs); \
1.1230 +\ \\<in> parts (spies evs); \
1.1231 \ Crypt (shrK A) {|Key AuthKey, Agent Tgs, Number Tk, AuthTicket|} \
1.1232 -\ : parts (spies evs); \
1.1233 +\ \\<in> parts (spies evs); \
1.1234 \ ~ ExpirServ Tt evs; ~ ExpirAuth Tk evs; \
1.1235 -\ B ~= Tgs; A ~: bad; B ~: bad; evs : kerberos |] \
1.1236 +\ B \\<noteq> Tgs; A \\<notin> bad; B \\<notin> bad; evs \\<in> kerberos |] \
1.1237 \ ==> A Issues B with (Crypt ServKey {|Agent A, Number Ta|}) on evs";
1.1238 by (blast_tac (claset() addDs [A_Authenticity, Confidentiality_B,
1.1239 A_Knows_A_Knows_ServKey_lemma]) 1);
1.1240 qed "B_Knows_A_Knows_ServKey";
1.1241
1.1242
1.1243 -Goal "[| Crypt ServKey {|Agent A, Number Ta|} : parts (spies evs); \
1.1244 +Goal "[| Crypt ServKey {|Agent A, Number Ta|} \\<in> parts (spies evs); \
1.1245 \ Crypt (shrK B) {|Agent A, Agent B, Key ServKey, Number Tt|} \
1.1246 -\ : parts (spies evs); \
1.1247 +\ \\<in> parts (spies evs); \
1.1248 \ ~ ExpirServ Tt evs; \
1.1249 -\ B ~= Tgs; A ~: bad; B ~: bad; evs : kerberos |] \
1.1250 +\ B \\<noteq> Tgs; A \\<notin> bad; B \\<notin> bad; evs \\<in> kerberos |] \
1.1251 \ ==> A Issues B with (Crypt ServKey {|Agent A, Number Ta|}) on evs";
1.1252 by (blast_tac (claset() addDs [A_Authenticity_refined,
1.1253 Confidentiality_B_refined,
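--- a/src/HOL/Auth/KerberosIV.thy
+++ b/src/HOL/Auth/KerberosIV.thy
@@ -19,7 +19,7 @@
 
 rules
 (*Tgs is secure --- we already know that Kas is secure*)
- Tgs_not_bad "Tgs ~: bad"
+ Tgs_not_bad "Tgs \\<notin> bad"
 
 (*The current time is just the length of the trace!*)
 syntax
@@ -37,17 +37,17 @@
 constdefs
 (* AuthKeys are those contained in an AuthTicket *)
 AuthKeys :: event list => key set
- "AuthKeys evs == {AuthKey. EX A Peer Tk. Says Kas A
+ "AuthKeys evs == {AuthKey. \\<exists>A Peer Tk. Says Kas A
 (Crypt (shrK A) {|Key AuthKey, Agent Peer, Tk,
 (Crypt (shrK Peer) {|Agent A, Agent Peer, Key AuthKey, Tk|})
- |}) : set evs}"
+ |}) \\<in> set evs}"
 
 (* A is the true creator of X if she has sent X and X never appeared on
 the trace before this event. Recall that traces grow from head. *)
 Issues :: [agent , agent, msg, event list] => bool ("_ Issues _ with _ on _")
 "A Issues B with X on evs ==
- EX Y. Says A B Y : set evs & X : parts {Y} &
- X ~: parts (spies (takeWhile (% z. z ~= Says A B Y) (rev evs)))"
+ \\<exists>Y. Says A B Y \\<in> set evs & X \\<in> parts {Y} &
+ X \\<notin> parts (spies (takeWhile (% z. z \\<noteq> Says A B Y) (rev evs)))"
 
 
 consts
@@ -88,11 +88,11 @@
 constdefs
 KeyCryptKey :: [key, key, event list] => bool
 "KeyCryptKey AuthKey ServKey evs ==
- EX A B tt.
+ \\<exists>A B tt.
 Says Tgs A (Crypt AuthKey
 {|Key ServKey, Agent B, tt,
 Crypt (shrK B) {|Agent A, Agent B, Key ServKey, tt|} |})
- : set evs"
+ \\<in> set evs"
 
 consts
 
@@ -100,16 +100,15 @@
 inductive "kerberos"
 intrs
 
- Nil "[]: kerberos"
+ Nil "[] \\<in> kerberos"
 
- Fake "[| evs: kerberos; B ~= Spy;
- X: synth (analz (spies evs)) |]
- ==> Says Spy B X # evs : kerberos"
+ Fake "[| evsf \\<in> kerberos; X \\<in> synth (analz (spies evsf)) |]
+ ==> Says Spy B X # evsf \\<in> kerberos"
 
 (* FROM the initiator *)
- K1 "[| evs1: kerberos |]
+ K1 "[| evs1 \\<in> kerberos |]
 ==> Says A Kas {|Agent A, Agent Tgs, Number (CT evs1)|} # evs1
- : kerberos"
+ \\<in> kerberos"
 
 (* Adding the timestamp serves to A in K3 to check that
 she doesn't get a reply too late. This kind of timeouts are ordinary.
@@ -118,12 +117,12 @@
 (*---------------------------------------------------------------------*)
 
 (*FROM Kas *)
- K2 "[| evs2: kerberos; Key AuthKey ~: used evs2;
- Says A' Kas {|Agent A, Agent Tgs, Number Ta|} : set evs2 |]
+ K2 "[| evs2 \\<in> kerberos; Key AuthKey \\<notin> used evs2;
+ Says A' Kas {|Agent A, Agent Tgs, Number Ta|} \\<in> set evs2 |]
 ==> Says Kas A
 (Crypt (shrK A) {|Key AuthKey, Agent Tgs, Number (CT evs2),
 (Crypt (shrK Tgs) {|Agent A, Agent Tgs, Key AuthKey,
- Number (CT evs2)|})|}) # evs2 : kerberos"
+ Number (CT evs2)|})|}) # evs2 \\<in> kerberos"
 (*
 The internal encryption builds the AuthTicket.
 The timestamp doesn't change inside the two encryptions: the external copy
@@ -134,15 +133,15 @@
 (*---------------------------------------------------------------------*)
 
 (* FROM the initiator *)
- K3 "[| evs3: kerberos;
- Says A Kas {|Agent A, Agent Tgs, Number Ta|} : set evs3;
+ K3 "[| evs3 \\<in> kerberos;
+ Says A Kas {|Agent A, Agent Tgs, Number Ta|} \\<in> set evs3;
 Says Kas' A (Crypt (shrK A) {|Key AuthKey, Agent Tgs, Number Tk,
- AuthTicket|}) : set evs3;
+ AuthTicket|}) \\<in> set evs3;
 RecentResp Tk Ta
 |]
 ==> Says A Tgs {|AuthTicket,
 (Crypt AuthKey {|Agent A, Number (CT evs3)|}),
- Agent B|} # evs3 : kerberos"
+ Agent B|} # evs3 \\<in> kerberos"
 (*The two events amongst the premises allow A to accept only those AuthKeys
 that are not issued late. *)
 
@@ -153,12 +152,12 @@
 specification. Adding it strengthens the guarantees assessed by the
 protocol. Theorems that exploit it have the suffix `_refined'
 *)
- K4 "[| evs4: kerberos; Key ServKey ~: used evs4; B ~= Tgs;
+ K4 "[| evs4 \\<in> kerberos; Key ServKey \\<notin> used evs4; B \\<noteq> Tgs;
 Says A' Tgs {|
 (Crypt (shrK Tgs) {|Agent A, Agent Tgs, Key AuthKey,
 Number Tk|}),
 (Crypt AuthKey {|Agent A, Number Ta1|}), Agent B|}
- : set evs4;
+ \\<in> set evs4;
 ~ ExpirAuth Tk evs4;
 ~ ExpirAutc Ta1 evs4;
 ServLife + (CT evs4) <= AuthLife + Tk
@@ -167,7 +166,7 @@
 (Crypt AuthKey {|Key ServKey, Agent B, Number (CT evs4),
 Crypt (shrK B) {|Agent A, Agent B, Key ServKey,
 Number (CT evs4)|} |})
- # evs4 : kerberos"
+ # evs4 \\<in> kerberos"
 (* Tgs creates a new session key per each request for a service, without
 checking if there is still a fresh one for that service.
 The cipher under Tgs' key is the AuthTicket, the cipher under B's key
@@ -179,56 +178,56 @@
 (*---------------------------------------------------------------------*)
 
 (* FROM the initiator *)
- K5 "[| evs5: kerberos;
+ K5 "[| evs5 \\<in> kerberos;
 Says A Tgs
 {|AuthTicket, (Crypt AuthKey {|Agent A, Number Ta1|} ),
 Agent B|}
- : set evs5;
+ \\<in> set evs5;
 Says Tgs' A
 (Crypt AuthKey {|Key ServKey, Agent B, Number Tt, ServTicket|} )
- : set evs5;
+ \\<in> set evs5;
 RecentResp Tt Ta1 |]
 ==> Says A B {|ServTicket,
 Crypt ServKey {|Agent A, Number (CT evs5)|} |}
- # evs5 : kerberos"
+ # evs5 \\<in> kerberos"
 (* Checks similar to those in K3. *)
 
 (*---------------------------------------------------------------------*)
 
 (* FROM the responder*)
- K6 "[| evs6: kerberos;
+ K6 "[| evs6 \\<in> kerberos;
 Says A' B {|
 (Crypt (shrK B) {|Agent A, Agent B, Key ServKey, Number Tt|} ),
 (Crypt ServKey {|Agent A, Number Ta2|} )|}
- : set evs6;
+ \\<in> set evs6;
 ~ ExpirServ Tt evs6;
 ~ ExpirAutc Ta2 evs6
 |]
 ==> Says B A (Crypt ServKey (Number Ta2) )
- # evs6 : kerberos"
+ # evs6 \\<in> kerberos"
 (* Checks similar to those in K4. *)
 
 (*---------------------------------------------------------------------*)
 
 (* Leaking an AuthKey... *)
- Oops1 "[| evsO1: kerberos; A ~= Spy;
+ Oops1 "[| evsO1 \\<in> kerberos; A \\<noteq> Spy;
 Says Kas A
 (Crypt (shrK A) {|Key AuthKey, Agent Tgs, Number Tk,
- AuthTicket|}) : set evsO1;
+ AuthTicket|}) \\<in> set evsO1;
 ExpirAuth Tk evsO1 |]
 ==> Says A Spy {|Agent A, Agent Tgs, Number Tk, Key AuthKey|}
- # evsO1 : kerberos"
+ # evsO1 \\<in> kerberos"
 
 (*---------------------------------------------------------------------*)
 
 (*Leaking a ServKey... *)
- Oops2 "[| evsO2: kerberos; A ~= Spy;
+ Oops2 "[| evsO2 \\<in> kerberos; A \\<noteq> Spy;
 Says Tgs A
 (Crypt AuthKey {|Key ServKey, Agent B, Number Tt, ServTicket|})
- : set evsO2;
+ \\<in> set evsO2;
 ExpirServ Tt evsO2 |]
 ==> Says A Spy {|Agent A, Agent B, Number Tt, Key ServKey|}
- # evsO2 : kerberos"
+ # evsO2 \\<in> kerberos"
 
 (*---------------------------------------------------------------------*)
 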
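Review bot: The Fake rule in the `@@ -100,16 +100,15 @@` hunk loses its `B ~= Spy` premise (and renames `evs` to `evsf`), yet nothing in the file records that this change to the threat model is deliberate; every other change in this file section is a swap of ASCII operators for symbol notation. Without the premise the inductive set admits more traces, since the Spy may now address forged messages to himself, so the confidentiality and authenticity theorems in KerberosIV.ML are now stated over a wider attacker model. That is presumably intended, but Oops1 and Oops2 still keep the premise that A is not the Spy, and a reader cannot tell whether the asymmetry is by design. I would add a comment above the rule, for example `(*The Spy may send any message he can synthesize to any agent, himself included*)`, and mention the model change in the commit description alongside the notation change.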
3.1 --- a/src/HOL/Auth/Kerberos_BAN.ML Tue Feb 27 12:28:42 2001 +0100
3.2 +++ b/src/HOL/Auth/Kerberos_BAN.ML Tue Feb 27 16:13:23 2001 +0100
3.3 @@ -23,9 +23,9 @@
3.4
3.5
3.6 (*A "possibility property": there are traces that reach the end.*)
3.7 -Goal "EX Timestamp K. EX evs: kerberos_ban. \
3.8 +Goal "\\<exists>Timestamp K. \\<exists>evs \\<in> kerberos_ban. \
3.9 \ Says B A (Crypt K (Number Timestamp)) \
3.10 -\ : set evs";
3.11 +\ \\<in> set evs";
3.12 by (cut_facts_tac [SesKeyLife_LB] 1);
3.13 by (REPEAT (resolve_tac [exI,bexI] 1));
3.14 by (rtac (kerberos_ban.Nil RS kerberos_ban.Kb1 RS kerberos_ban.Kb2 RS
3.15 @@ -39,17 +39,17 @@
3.16 (**** Inductive proofs about kerberos_ban ****)
3.17
3.18 (*Forwarding Lemma for reasoning about the encrypted portion of message Kb3*)
3.19 -Goal "Says S A (Crypt KA {|Timestamp, B, K, X|}) : set evs \
3.20 -\ ==> X : parts (spies evs)";
3.21 +Goal "Says S A (Crypt KA {|Timestamp, B, K, X|}) \\<in> set evs \
3.22 +\ ==> X \\<in> parts (spies evs)";
3.23 by (Blast_tac 1);
3.24 qed "Kb3_msg_in_parts_spies";
3.25
3.26 -Goal "Says Server A (Crypt (shrK A) {|Timestamp, B, K, X|}) : set evs \
3.27 -\ ==> K : parts (spies evs)";
3.28 +Goal "Says Server A (Crypt (shrK A) {|Timestamp, B, K, X|}) \\<in> set evs \
3.29 +\ ==> K \\<in> parts (spies evs)";
3.30 by (Blast_tac 1);
3.31 qed "Oops_parts_spies";
3.32
3.33 -(*For proving the easier theorems about X ~: parts (spies evs).*)
3.34 +(*For proving the easier theorems about X \\<notin> parts (spies evs).*)
3.35 fun parts_induct_tac i =
3.36 etac kerberos_ban.induct i THEN
3.37 ftac Oops_parts_spies (i+6) THEN
3.38 @@ -58,20 +58,20 @@
3.39
3.40
3.41 (*Spy never sees another agent's shared key! (unless it's bad at start)*)
3.42 -Goal "evs : kerberos_ban ==> (Key (shrK A) : parts (spies evs)) = (A : bad)";
3.43 +Goal "evs \\<in> kerberos_ban ==> (Key (shrK A) \\<in> parts (spies evs)) = (A \\<in> bad)";
3.44 by (parts_induct_tac 1);
3.45 by (ALLGOALS Blast_tac);
3.46 qed "Spy_see_shrK";
3.47 Addsimps [Spy_see_shrK];
3.48
3.49
3.50 -Goal "evs : kerberos_ban ==> (Key (shrK A) : analz (spies evs)) = (A : bad)";
3.51 +Goal "evs \\<in> kerberos_ban ==> (Key (shrK A) \\<in> analz (spies evs)) = (A \\<in> bad)";
3.52 by Auto_tac;
3.53 qed "Spy_analz_shrK";
3.54 Addsimps [Spy_analz_shrK];
3.55
3.56 -Goal "[| Key (shrK A) : parts (spies evs); \
3.57 -\ evs : kerberos_ban |] ==> A:bad";
3.58 +Goal "[| Key (shrK A) \\<in> parts (spies evs); \
3.59 +\ evs \\<in> kerberos_ban |] ==> A:bad";
3.60 by (blast_tac (claset() addDs [Spy_see_shrK]) 1);
3.61 qed "Spy_see_shrK_D";
3.62
3.63 @@ -80,28 +80,22 @@
3.64
3.65
3.66 (*Nobody can have used non-existent keys!*)
3.67 -Goal "evs : kerberos_ban ==> \
3.68 -\ Key K ~: used evs --> K ~: keysFor (parts (spies evs))";
3.69 +Goal "evs \\<in> kerberos_ban ==> \
3.70 +\ Key K \\<notin> used evs --> K \\<notin> keysFor (parts (spies evs))";
3.71 by (parts_induct_tac 1);
3.72 (*Fake*)
3.73 by (blast_tac (claset() addSDs [keysFor_parts_insert]) 1);
3.74 (*Kb2, Kb3, Kb4*)
3.75 by (ALLGOALS Blast_tac);
3.76 qed_spec_mp "new_keys_not_used";
3.77 -
3.78 -bind_thm ("new_keys_not_analzd",
3.79 - [analz_subset_parts RS keysFor_mono,
3.80 - new_keys_not_used] MRS contra_subsetD);
3.81 -
3.82 -Addsimps [new_keys_not_used, new_keys_not_analzd];
3.83 -
3.84 +Addsimps [new_keys_not_used];
3.85
3.86 (** Lemmas concerning the form of items passed in messages **)
3.87
3.88 (*Describes the form of K, X and K' when the Server sends this message.*)
3.89 Goal "[| Says Server A (Crypt K' {|Number Ts, Agent B, Key K, X|}) \
3.90 -\ : set evs; evs : kerberos_ban |] \
3.91 -\ ==> K ~: range shrK & \
3.92 +\ \\<in> set evs; evs \\<in> kerberos_ban |] \
3.93 +\ ==> K \\<notin> range shrK & \
3.94 \ X = (Crypt (shrK B) {|Number Ts, Agent A, Key K|}) & \
3.95 \ K' = shrK A";
3.96 by (etac rev_mp 1);
3.97 @@ -116,10 +110,10 @@
3.98 This shows implicitly the FRESHNESS OF THE SESSION KEY to A
3.99 *)
3.100 Goal "[| Crypt (shrK A) {|Number Ts, Agent B, Key K, X|} \
3.101 -\ : parts (spies evs); \
3.102 -\ A ~: bad; evs : kerberos_ban |] \
3.103 +\ \\<in> parts (spies evs); \
3.104 +\ A \\<notin> bad; evs \\<in> kerberos_ban |] \
3.105 \ ==> Says Server A (Crypt (shrK A) {|Number Ts, Agent B, Key K, X|}) \
3.106 -\ : set evs";
3.107 +\ \\<in> set evs";
3.108 by (etac rev_mp 1);
3.109 by (parts_induct_tac 1);
3.110 by (Blast_tac 1);
3.111 @@ -128,12 +122,12 @@
3.112
3.113 (*If the TICKET appears then it originated with the Server*)
3.114 (*FRESHNESS OF THE SESSION KEY to B*)
3.115 -Goal "[| Crypt (shrK B) {|Number Ts, Agent A, Key K|} : parts (spies evs); \
3.116 -\ B ~: bad; evs : kerberos_ban |] \
3.117 +Goal "[| Crypt (shrK B) {|Number Ts, Agent A, Key K|} \\<in> parts (spies evs); \
3.118 +\ B \\<notin> bad; evs \\<in> kerberos_ban |] \
3.119 \ ==> Says Server A \
3.120 \ (Crypt (shrK A) {|Number Ts, Agent B, Key K, \
3.121 \ Crypt (shrK B) {|Number Ts, Agent A, Key K|}|}) \
3.122 -\ : set evs";
3.123 +\ \\<in> set evs";
3.124 by (etac rev_mp 1);
3.125 by (parts_induct_tac 1);
3.126 by (Blast_tac 1);
3.127 @@ -144,11 +138,11 @@
3.128 OR reduces it to the Fake case.
3.129 Use Says_Server_message_form if applicable.*)
3.130 Goal "[| Says S A (Crypt (shrK A) {|Number Ts, Agent B, Key K, X|}) \
3.131 -\ : set evs; \
3.132 -\ evs : kerberos_ban |] \
3.133 -\==> (K ~: range shrK & X = (Crypt (shrK B) {|Number Ts, Agent A, Key K|}))\
3.134 -\ | X : analz (spies evs)";
3.135 -by (case_tac "A : bad" 1);
3.136 +\ \\<in> set evs; \
3.137 +\ evs \\<in> kerberos_ban |] \
3.138 +\==> (K \\<notin> range shrK & X = (Crypt (shrK B) {|Number Ts, Agent A, Key K|}))\
3.139 +\ | X \\<in> analz (spies evs)";
3.140 +by (case_tac "A \\<in> bad" 1);
3.141 by (fast_tac (claset() addSDs [Says_imp_spies RS analz.Inj]
3.142 addss (simpset())) 1);
3.143 by (forward_tac [Says_imp_spies RS parts.Inj] 1);
3.144 @@ -167,8 +161,8 @@
3.145 (****
3.146 The following is to prove theorems of the form
3.147
3.148 - Key K : analz (insert (Key KAB) (spies evs)) ==>
3.149 - Key K : analz (spies evs)
3.150 + Key K \\<in> analz (insert (Key KAB) (spies evs)) ==>
3.151 + Key K \\<in> analz (spies evs)
3.152
3.153 A more general formula must be proved inductively.
3.154
3.155 @@ -177,10 +171,10 @@
3.156
3.157 (** Session keys are not used to encrypt other session keys **)
3.158
3.159 -Goal "evs : kerberos_ban ==> \
3.160 -\ ALL K KK. KK <= - (range shrK) --> \
3.161 -\ (Key K : analz (Key`KK Un (spies evs))) = \
3.162 -\ (K : KK | Key K : analz (spies evs))";
3.163 +Goal "evs \\<in> kerberos_ban ==> \
3.164 +\ \\<forall>K KK. KK <= - (range shrK) --> \
3.165 +\ (Key K \\<in> analz (Key`KK Un (spies evs))) = \
3.166 +\ (K \\<in> KK | Key K \\<in> analz (spies evs))";
3.167 by (etac kerberos_ban.induct 1);
3.168 by analz_spies_tac;
3.169 by (REPEAT_FIRST (resolve_tac [allI, impI]));
3.170 @@ -192,9 +186,9 @@
3.171 qed_spec_mp "analz_image_freshK";
3.172
3.173
3.174 -Goal "[| evs : kerberos_ban; KAB ~: range shrK |] ==> \
3.175 -\ Key K : analz (insert (Key KAB) (spies evs)) = \
3.176 -\ (K = KAB | Key K : analz (spies evs))";
3.177 +Goal "[| evs \\<in> kerberos_ban; KAB \\<notin> range shrK |] ==> \
3.178 +\ Key K \\<in> analz (insert (Key KAB) (spies evs)) = \
3.179 +\ (K = KAB | Key K \\<in> analz (spies evs))";
3.180 by (asm_simp_tac (analz_image_freshK_ss addsimps [analz_image_freshK]) 1);
3.181 qed "analz_insert_freshK";
3.182
3.183 @@ -202,10 +196,10 @@
3.184 (** The session key K uniquely identifies the message **)
3.185
3.186 Goal "[| Says Server A \
3.187 -\ (Crypt (shrK A) {|Number Ts, Agent B, Key K, X|}) : set evs; \
3.188 +\ (Crypt (shrK A) {|Number Ts, Agent B, Key K, X|}) \\<in> set evs; \
3.189 \ Says Server A' \
3.190 -\ (Crypt (shrK A') {|Number Ts', Agent B', Key K, X'|}) : set evs;\
3.191 -\ evs : kerberos_ban |] ==> A=A' & Ts=Ts' & B=B' & X = X'";
3.192 +\ (Crypt (shrK A') {|Number Ts', Agent B', Key K, X'|}) \\<in> set evs;\
3.193 +\ evs \\<in> kerberos_ban |] ==> A=A' & Ts=Ts' & B=B' & X = X'";
3.194 by (etac rev_mp 1);
3.195 by (etac rev_mp 1);
3.196 by (parts_induct_tac 1);
3.197 @@ -218,12 +212,12 @@
3.198 if the spy could see it!
3.199 **)
3.200
3.201 -Goal "[| A ~: bad; B ~: bad; evs : kerberos_ban |] \
3.202 +Goal "[| A \\<notin> bad; B \\<notin> bad; evs \\<in> kerberos_ban |] \
3.203 \ ==> Says Server A \
3.204 \ (Crypt (shrK A) {|Number Ts, Agent B, Key K, \
3.205 \ Crypt (shrK B) {|Number Ts, Agent A, Key K|}|})\
3.206 -\ : set evs --> \
3.207 -\ Key K : analz (spies evs) --> Expired Ts evs";
3.208 +\ \\<in> set evs --> \
3.209 +\ Key K \\<in> analz (spies evs) --> Expired Ts evs";
3.210 by (etac kerberos_ban.induct 1);
3.211 by analz_spies_tac;
3.212 by (ALLGOALS
3.213 @@ -237,7 +231,7 @@
3.214 by (spy_analz_tac 1);
3.215 (**LEVEL 6 **)
3.216 (*Kb3*)
3.217 -by (case_tac "Aa : bad" 1);
3.218 +by (case_tac "Aa \\<in> bad" 1);
3.219 by (blast_tac (claset() addDs [A_trusts_K_by_Kb2, unique_session_keys]) 2);
3.220 by (blast_tac (claset() addDs [Says_imp_spies RS analz.Inj,
3.221 Crypt_Spy_analz_bad, analz.Fst, analz.Snd]
3.222 @@ -250,25 +244,25 @@
3.223 as long as they have NOT EXPIRED
3.224 **)
3.225 Goal "[| Says Server A \
3.226 -\ (Crypt K' {|Number T, Agent B, Key K, X|}) : set evs; \
3.227 +\ (Crypt K' {|Number T, Agent B, Key K, X|}) \\<in> set evs; \
3.228 \ ~ Expired T evs; \
3.229 -\ A ~: bad; B ~: bad; evs : kerberos_ban \
3.230 -\ |] ==> Key K ~: analz (spies evs)";
3.231 +\ A \\<notin> bad; B \\<notin> bad; evs \\<in> kerberos_ban \
3.232 +\ |] ==> Key K \\<notin> analz (spies evs)";
3.233 by (ftac Says_Server_message_form 1 THEN assume_tac 1);
3.234 by (blast_tac (claset() addIs [lemma2]) 1);
3.235 qed "Confidentiality_S";
3.236
3.237 (**** THE COUNTERPART OF CONFIDENTIALITY
3.238 - [|...; Expired Ts evs; ...|] ==> Key K : analz (spies evs)
3.239 + [|...; Expired Ts evs; ...|] ==> Key K \\<in> analz (spies evs)
3.240 WOULD HOLD ONLY IF AN OOPS OCCURRED! ---> Nothing to prove! ****)
3.241
3.242
3.243 (** CONFIDENTIALITY for ALICE: **)
3.244 (** Also A_trusts_K_by_Kb2 RS Confidentiality_S **)
3.245 -Goal "[| Crypt (shrK A) {|Number T, Agent B, Key K, X|} : parts (spies evs);\
3.246 +Goal "[| Crypt (shrK A) {|Number T, Agent B, Key K, X|} \\<in> parts (spies evs);\
3.247 \ ~ Expired T evs; \
3.248 -\ A ~: bad; B ~: bad; evs : kerberos_ban \
3.249 -\ |] ==> Key K ~: analz (spies evs)";
3.250 +\ A \\<notin> bad; B \\<notin> bad; evs \\<in> kerberos_ban \
3.251 +\ |] ==> Key K \\<notin> analz (spies evs)";
3.252 by (blast_tac (claset() addSDs [A_trusts_K_by_Kb2, Confidentiality_S]) 1);
3.253 qed "Confidentiality_A";
3.254
3.255 @@ -276,21 +270,21 @@
3.256 (** CONFIDENTIALITY for BOB: **)
3.257 (** Also B_trusts_K_by_Kb3 RS Confidentiality_S **)
3.258 Goal "[| Crypt (shrK B) {|Number Tk, Agent A, Key K|} \
3.259 -\ : parts (spies evs); \
3.260 +\ \\<in> parts (spies evs); \
3.261 \ ~ Expired Tk evs; \
3.262 -\ A ~: bad; B ~: bad; evs : kerberos_ban \
3.263 -\ |] ==> Key K ~: analz (spies evs)";
3.264 +\ A \\<notin> bad; B \\<notin> bad; evs \\<in> kerberos_ban \
3.265 +\ |] ==> Key K \\<notin> analz (spies evs)";
3.266 by (blast_tac (claset() addSDs [B_trusts_K_by_Kb3,
3.267 Confidentiality_S]) 1);
3.268 qed "Confidentiality_B";
3.269
3.270
3.271 -Goal "[| B ~: bad; evs : kerberos_ban |] \
3.272 -\ ==> Key K ~: analz (spies evs) --> \
3.273 +Goal "[| B \\<notin> bad; evs \\<in> kerberos_ban |] \
3.274 +\ ==> Key K \\<notin> analz (spies evs) --> \
3.275 \ Says Server A (Crypt (shrK A) {|Number Ts, Agent B, Key K, X|}) \
3.276 -\ : set evs --> \
3.277 -\ Crypt K (Number Ta) : parts (spies evs) --> \
3.278 -\ Says B A (Crypt K (Number Ta)) : set evs";
3.279 +\ \\<in> set evs --> \
3.280 +\ Crypt K (Number Ta) \\<in> parts (spies evs) --> \
3.281 +\ Says B A (Crypt K (Number Ta)) \\<in> set evs";
3.282 by (etac kerberos_ban.induct 1);
3.283 by (ftac Says_S_message_form 5 THEN assume_tac 5);
3.284 by (dtac Kb3_msg_in_parts_spies 5);
3.285 @@ -302,12 +296,12 @@
3.286 by (Clarify_tac 1);
3.287 (*
3.288 Subgoal 1: contradiction from the assumptions
3.289 -Key K ~: used evs2 and Crypt K (Number Ta) : parts (spies evs2)
3.290 +Key K \\<notin> used evs2 and Crypt K (Number Ta) \\<in> parts (spies evs2)
3.291 *)
3.292 by (dtac Crypt_imp_invKey_keysFor 1);
3.293 by (Asm_full_simp_tac 1);
3.294 (* the two tactics above detect the contradiction*)
3.295 -by (case_tac "Ba : bad" 1); (*splits up the subgoal by the stated case*)
3.296 +by (case_tac "Ba \\<in> bad" 1); (*splits up the subgoal by the stated case*)
3.297 by (blast_tac (claset() addDs [Says_imp_spies RS parts.Inj RS parts.Fst RS
3.298 B_trusts_K_by_Kb3,
3.299 unique_session_keys]) 2);
3.300 @@ -317,25 +311,25 @@
3.301
3.302
3.303 (*AUTHENTICATION OF B TO A*)
3.304 -Goal "[| Crypt K (Number Ta) : parts (spies evs); \
3.305 +Goal "[| Crypt K (Number Ta) \\<in> parts (spies evs); \
3.306 \ Crypt (shrK A) {|Number Ts, Agent B, Key K, X|} \
3.307 -\ : parts (spies evs); \
3.308 +\ \\<in> parts (spies evs); \
3.309 \ ~ Expired Ts evs; \
3.310 -\ A ~: bad; B ~: bad; evs : kerberos_ban |] \
3.311 -\ ==> Says B A (Crypt K (Number Ta)) : set evs";
3.312 +\ A \\<notin> bad; B \\<notin> bad; evs \\<in> kerberos_ban |] \
3.313 +\ ==> Says B A (Crypt K (Number Ta)) \\<in> set evs";
3.314 by (blast_tac (claset() addSDs [A_trusts_K_by_Kb2]
3.315 addSIs [lemma_B RS mp RS mp RS mp]
3.316 addSEs [Confidentiality_S RSN (2,rev_notE)]) 1);
3.317 qed "Authentication_B";
3.318
3.319
3.320 -Goal "[| A ~: bad; B ~: bad; evs : kerberos_ban |] ==> \
3.321 -\ Key K ~: analz (spies evs) --> \
3.322 +Goal "[| A \\<notin> bad; B \\<notin> bad; evs \\<in> kerberos_ban |] ==> \
3.323 +\ Key K \\<notin> analz (spies evs) --> \
3.324 \ Says Server A (Crypt (shrK A) {|Number Ts, Agent B, Key K, X|}) \
3.325 -\ : set evs --> \
3.326 -\ Crypt K {|Agent A, Number Ta|} : parts (spies evs) -->\
3.327 +\ \\<in> set evs --> \
3.328 +\ Crypt K {|Agent A, Number Ta|} \\<in> parts (spies evs) -->\
3.329 \ Says A B {|X, Crypt K {|Agent A, Number Ta|}|} \
3.330 -\ : set evs";
3.331 +\ \\<in> set evs";
3.332 by (etac kerberos_ban.induct 1);
3.333 by (ftac Says_S_message_form 5 THEN assume_tac 5);
3.334 by (ftac Kb3_msg_in_parts_spies 5);
3.335 @@ -352,13 +346,13 @@
3.336
3.337
3.338 (*AUTHENTICATION OF A TO B*)
3.339 -Goal "[| Crypt K {|Agent A, Number Ta|} : parts (spies evs); \
3.340 +Goal "[| Crypt K {|Agent A, Number Ta|} \\<in> parts (spies evs); \
3.341 \ Crypt (shrK B) {|Number Ts, Agent A, Key K|} \
3.342 -\ : parts (spies evs); \
3.343 +\ \\<in> parts (spies evs); \
3.344 \ ~ Expired Ts evs; \
3.345 -\ A ~: bad; B ~: bad; evs : kerberos_ban |] \
3.346 +\ A \\<notin> bad; B \\<notin> bad; evs \\<in> kerberos_ban |] \
3.347 \ ==> Says A B {|Crypt (shrK B) {|Number Ts, Agent A, Key K|}, \
3.348 -\ Crypt K {|Agent A, Number Ta|}|} : set evs";
3.349 +\ Crypt K {|Agent A, Number Ta|}|} \\<in> set evs";
3.350 by (blast_tac (claset() addSDs [B_trusts_K_by_Kb3]
3.351 addSIs [lemma_A RS mp RS mp RS mp]
3.352 addSEs [Confidentiality_S RSN (2,rev_notE)]) 1);
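Review bot: The hunk at `@@ -80,28 +80,22 @@` is not a notation change: it deletes `new_keys_not_analzd` and shrinks the default simpset from `Addsimps [new_keys_not_used, new_keys_not_analzd]` to `Addsimps [new_keys_not_used]`, and nothing on the page says why. Every later secrecy and authentication proof in this file runs against that simpset, so the removal deserves a comment beside the new `Addsimps` line, for example `(*new_keys_not_analzd dropped: <where it now lives, or why it is unused>*)`. As a smaller point, `Spy_see_shrK_D` still concludes `==> A:bad` although its premises were converted; `==> A \\<in> bad` would match the rest of the file.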
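--- a/src/HOL/Auth/Kerberos_BAN.thy Tue Feb 27 12:28:42 2001 +0100
+++ b/src/HOL/Auth/Kerberos_BAN.thy Tue Feb 27 16:13:23 2001 +0100
@@ -46,48 +46,48 @@
 inductive "kerberos_ban"
 intrs
 
- Nil "[]: kerberos_ban"
+ Nil "[] \\<in> kerberos_ban"
 
- Fake "[| evs: kerberos_ban; X: synth (analz (spies evs)) |]
- ==> Says Spy B X # evs : kerberos_ban"
+ Fake "[| evsf \\<in> kerberos_ban; X \\<in> synth (analz (spies evsf)) |]
+ ==> Says Spy B X # evsf \\<in> kerberos_ban"
 
 
- Kb1 "[| evs1: kerberos_ban |]
+ Kb1 "[| evs1 \\<in> kerberos_ban |]
 ==> Says A Server {|Agent A, Agent B|} # evs1
- : kerberos_ban"
+ \\<in> kerberos_ban"
 
 
- Kb2 "[| evs2: kerberos_ban; Key KAB ~: used evs2;
- Says A' Server {|Agent A, Agent B|} : set evs2 |]
+ Kb2 "[| evs2 \\<in> kerberos_ban; Key KAB \\<notin> used evs2;
+ Says A' Server {|Agent A, Agent B|} \\<in> set evs2 |]
 ==> Says Server A
 (Crypt (shrK A)
 {|Number (CT evs2), Agent B, Key KAB,
 (Crypt (shrK B) {|Number (CT evs2), Agent A, Key KAB|})|})
- # evs2 : kerberos_ban"
+ # evs2 \\<in> kerberos_ban"
 
 
- Kb3 "[| evs3: kerberos_ban;
+ Kb3 "[| evs3 \\<in> kerberos_ban;
 Says S A (Crypt (shrK A) {|Number Ts, Agent B, Key K, X|})
- : set evs3;
- Says A Server {|Agent A, Agent B|} : set evs3;
+ \\<in> set evs3;
+ Says A Server {|Agent A, Agent B|} \\<in> set evs3;
 ~ Expired Ts evs3 |]
 ==> Says A B {|X, Crypt K {|Agent A, Number (CT evs3)|} |}
- # evs3 : kerberos_ban"
+ # evs3 \\<in> kerberos_ban"
 
 
- Kb4 "[| evs4: kerberos_ban;
+ Kb4 "[| evs4 \\<in> kerberos_ban;
 Says A' B {|(Crypt (shrK B) {|Number Ts, Agent A, Key K|}),
 (Crypt K {|Agent A, Number Ta|}) |}: set evs4;
 ~ Expired Ts evs4; RecentAuth Ta evs4 |]
 ==> Says B A (Crypt K (Number Ta)) # evs4
- : kerberos_ban"
+ \\<in> kerberos_ban"
 
 (*Old session keys may become compromised*)
- Oops "[| evso: kerberos_ban;
+ Oops "[| evso \\<in> kerberos_ban;
 Says Server A (Crypt (shrK A) {|Number Ts, Agent B, Key K, X|})
- : set evso;
+ \\<in> set evso;
 Expired Ts evso |]
- ==> Notes Spy {|Number Ts, Key K|} # evso : kerberos_ban"
+ ==> Notes Spy {|Number Ts, Key K|} # evso \\<in> kerberos_ban"
 
 
 end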
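Review bot: Kb4 is left half-converted: its premise still reads `(Crypt K {|Agent A, Number Ta|}) |}: set evs4;` while the premise above it and the conclusion below it now use `\\<in>`; `|} \\<in> set evs4;` would finish the rule. The Fake rule also renames its trace variable from `evs` to `evsf`, which is more than a symbol swap. Proof scripts appear to name induction-case variables (a comment in Kerberos_BAN.ML refers to `evs2`), so the rename presumably changes what a script sees in the Fake case and is worth a sentence in the commit message.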
5.1 --- a/src/HOL/Auth/OtwayRees.ML Tue Feb 27 12:28:42 2001 +0100
5.2 +++ b/src/HOL/Auth/OtwayRees.ML Tue Feb 27 16:13:23 2001 +0100
5.3 @@ -17,8 +17,8 @@
5.4
5.5
5.6 (*A "possibility property": there are traces that reach the end*)
5.7 -Goal "[| B ~= Server |] \
5.8 -\ ==> EX NA K. EX evs: otway. \
5.9 +Goal "B ~= Server \
5.10 +\ ==> \\<exists>NA K. \\<exists>evs \\<in> otway. \
5.11 \ Says B A {|Nonce NA, Crypt (shrK A) {|Nonce NA, Key K|}|} \
5.12 \ : set evs";
5.13 by (REPEAT (resolve_tac [exI,bexI] 1));
5.14 @@ -29,7 +29,7 @@
5.15 by possibility_tac;
5.16 result();
5.17
5.18 -Goal "[| Gets B X : set evs; evs : otway |] ==> EX A. Says A B X : set evs";
5.19 +Goal "[| Gets B X : set evs; evs : otway |] ==> \\<exists>A. Says A B X : set evs";
5.20 by (etac rev_mp 1);
5.21 by (etac otway.induct 1);
5.22 by Auto_tac;
5.23 @@ -66,7 +66,7 @@
5.24 bind_thm ("OR4_parts_knows_Spy",
5.25 OR4_analz_knows_Spy RS (impOfSubs analz_subset_parts));
5.26
5.27 -(*For proving the easier theorems about X ~: parts (knows Spy evs).*)
5.28 +(*For proving the easier theorems about X \\<notin> parts (knows Spy evs).*)
5.29 fun parts_induct_tac i =
5.30 etac otway.induct i THEN
5.31 ftac Oops_parts_knows_Spy (i+7) THEN
5.32 @@ -75,7 +75,7 @@
5.33 prove_simple_subgoals_tac i;
5.34
5.35
5.36 -(** Theorems of the form X ~: parts (knows Spy evs) imply that NOBODY
5.37 +(** Theorems of the form X \\<notin> parts (knows Spy evs) imply that NOBODY
5.38 sends messages containing X! **)
5.39
5.40 (*Spy never sees a good agent's shared key!*)
5.41 @@ -94,25 +94,13 @@
5.42 Spy_analz_shrK RSN (2, rev_iffD1)];
5.43
5.44
5.45 -(*Nobody can have used non-existent keys!*)
5.46 -Goal "evs: otway ==> Key K ~: used evs --> K ~: keysFor(parts(knows Spy evs))";
5.47 -by (parts_induct_tac 1);
5.48 -(*Fake*)
5.49 -by (blast_tac (claset() addSDs [keysFor_parts_insert]) 1);
5.50 -(*OR2, OR3*)
5.51 -by (ALLGOALS Blast_tac);
5.52 -qed_spec_mp "new_keys_not_used";
5.53 -Addsimps [new_keys_not_used];
5.54 -
5.55 -
5.56 -
5.57 (*** Proofs involving analz ***)
5.58
5.59 (*Describes the form of K and NA when the Server sends this message. Also
5.60 for Oops case.*)
5.61 Goal "[| Says Server B {|NA, X, Crypt (shrK B) {|NB, Key K|}|} : set evs; \
5.62 \ evs : otway |] \
5.63 -\ ==> K ~: range shrK & (EX i. NA = Nonce i) & (EX j. NB = Nonce j)";
5.64 +\ ==> K \\<notin> range shrK & (\\<exists>i. NA = Nonce i) & (\\<exists>j. NB = Nonce j)";
5.65 by (etac rev_mp 1);
5.66 by (etac otway.induct 1);
5.67 by (ALLGOALS Simp_tac);
5.68 @@ -154,7 +142,7 @@
5.69 qed_spec_mp "analz_image_freshK";
5.70
5.71
5.72 -Goal "[| evs : otway; KAB ~: range shrK |] \
5.73 +Goal "[| evs : otway; KAB \\<notin> range shrK |] \
5.74 \ ==> Key K : analz (insert (Key KAB) (knows Spy evs)) = \
5.75 \ (K = KAB | Key K : analz (knows Spy evs))";
5.76 by (asm_simp_tac (analz_image_freshK_ss addsimps [analz_image_freshK]) 1);
5.77 @@ -178,7 +166,7 @@
5.78 (**** Authenticity properties relating to NA ****)
5.79
5.80 (*Only OR1 can have caused such a part of a message to appear.*)
5.81 -Goal "[| A ~: bad; evs : otway |] \
5.82 +Goal "[| A \\<notin> bad; evs : otway |] \
5.83 \ ==> Crypt (shrK A) {|NA, Agent A, Agent B|} : parts (knows Spy evs) --> \
5.84 \ Says A B {|NA, Agent A, Agent B, \
5.85 \ Crypt (shrK A) {|NA, Agent A, Agent B|}|} \
5.86 @@ -189,7 +177,7 @@
5.87
5.88 Goal "[| Gets B {|NA, Agent A, Agent B, \
5.89 \ Crypt (shrK A) {|NA, Agent A, Agent B|}|} : set evs; \
5.90 -\ A ~: bad; evs : otway |] \
5.91 +\ A \\<notin> bad; evs : otway |] \
5.92 \ ==> Says A B {|NA, Agent A, Agent B, \
5.93 \ Crypt (shrK A) {|NA, Agent A, Agent B|}|} \
5.94 \ : set evs";
5.95 @@ -201,7 +189,7 @@
5.96
5.97 Goal "[| Crypt (shrK A) {|NA, Agent A, Agent B|}: parts (knows Spy evs); \
5.98 \ Crypt (shrK A) {|NA, Agent A, Agent C|}: parts (knows Spy evs); \
5.99 -\ evs : otway; A ~: bad |] \
5.100 +\ evs : otway; A \\<notin> bad |] \
5.101 \ ==> B = C";
5.102 by (etac rev_mp 1);
5.103 by (etac rev_mp 1);
5.104 @@ -214,10 +202,10 @@
5.105 (*It is impossible to re-use a nonce in both OR1 and OR2. This holds because
5.106 OR2 encrypts Nonce NB. It prevents the attack that can occur in the
5.107 over-simplified version of this protocol: see OtwayRees_Bad.*)
5.108 -Goal "[| A ~: bad; evs : otway |] \
5.109 +Goal "[| A \\<notin> bad; evs : otway |] \
5.110 \ ==> Crypt (shrK A) {|NA, Agent A, Agent B|} : parts (knows Spy evs) --> \
5.111 \ Crypt (shrK A) {|NA', NA, Agent A', Agent A|} \
5.112 -\ ~: parts (knows Spy evs)";
5.113 +\ \\<notin> parts (knows Spy evs)";
5.114 by (parts_induct_tac 1);
5.115 by Auto_tac;
5.116 qed_spec_mp "no_nonce_OR1_OR2";
5.117 @@ -226,11 +214,11 @@
5.118
5.119 (*Crucial property: If the encrypted message appears, and A has used NA
5.120 to start a run, then it originated with the Server!*)
5.121 -Goal "[| A ~: bad; evs : otway |] \
5.122 +Goal "[| A \\<notin> bad; evs : otway |] \
5.123 \ ==> Says A B {|NA, Agent A, Agent B, \
5.124 \ Crypt (shrK A) {|NA, Agent A, Agent B|}|} : set evs --> \
5.125 \ Crypt (shrK A) {|NA, Key K|} : parts (knows Spy evs) \
5.126 -\ --> (EX NB. Says Server B \
5.127 +\ --> (\\<exists>NB. Says Server B \
5.128 \ {|NA, \
5.129 \ Crypt (shrK A) {|NA, Key K|}, \
5.130 \ Crypt (shrK B) {|NB, Key K|}|} : set evs)";
5.131 @@ -252,8 +240,8 @@
5.132 Goal "[| Says A B {|NA, Agent A, Agent B, \
5.133 \ Crypt (shrK A) {|NA, Agent A, Agent B|}|} : set evs; \
5.134 \ Gets A {|NA, Crypt (shrK A) {|NA, Key K|}|} : set evs; \
5.135 -\ A ~: bad; evs : otway |] \
5.136 -\ ==> EX NB. Says Server B \
5.137 +\ A \\<notin> bad; evs : otway |] \
5.138 +\ ==> \\<exists>NB. Says Server B \
5.139 \ {|NA, \
5.140 \ Crypt (shrK A) {|NA, Key K|}, \
5.141 \ Crypt (shrK B) {|NB, Key K|}|} \
5.142 @@ -266,12 +254,12 @@
5.143 Does not in itself guarantee security: an attack could violate
5.144 the premises, e.g. by having A=Spy **)
5.145
5.146 -Goal "[| A ~: bad; B ~: bad; evs : otway |] \
5.147 +Goal "[| A \\<notin> bad; B \\<notin> bad; evs : otway |] \
5.148 \ ==> Says Server B \
5.149 \ {|NA, Crypt (shrK A) {|NA, Key K|}, \
5.150 \ Crypt (shrK B) {|NB, Key K|}|} : set evs --> \
5.151 -\ Notes Spy {|NA, NB, Key K|} ~: set evs --> \
5.152 -\ Key K ~: analz (knows Spy evs)";
5.153 +\ Notes Spy {|NA, NB, Key K|} \\<notin> set evs --> \
5.154 +\ Key K \\<notin> analz (knows Spy evs)";
5.155 by (etac otway.induct 1);
5.156 by analz_knows_Spy_tac;
5.157 by (ALLGOALS
5.158 @@ -291,9 +279,9 @@
5.159 Goal "[| Says Server B \
5.160 \ {|NA, Crypt (shrK A) {|NA, Key K|}, \
5.161 \ Crypt (shrK B) {|NB, Key K|}|} : set evs; \
5.162 -\ Notes Spy {|NA, NB, Key K|} ~: set evs; \
5.163 -\ A ~: bad; B ~: bad; evs : otway |] \
5.164 -\ ==> Key K ~: analz (knows Spy evs)";
5.165 +\ Notes Spy {|NA, NB, Key K|} \\<notin> set evs; \
5.166 +\ A \\<notin> bad; B \\<notin> bad; evs : otway |] \
5.167 +\ ==> Key K \\<notin> analz (knows Spy evs)";
5.168 by (blast_tac (claset() addDs [Says_Server_message_form] addSEs [lemma]) 1);
5.169 qed "Spy_not_see_encrypted_key";
5.170
5.171 @@ -303,9 +291,9 @@
5.172 Goal "[| Says A B {|NA, Agent A, Agent B, \
5.173 \ Crypt (shrK A) {|NA, Agent A, Agent B|}|} : set evs; \
5.174 \ Gets A {|NA, Crypt (shrK A) {|NA, Key K|}|} : set evs; \
5.175 -\ ALL NB. Notes Spy {|NA, NB, Key K|} ~: set evs; \
5.176 -\ A ~: bad; B ~: bad; evs : otway |] \
5.177 -\ ==> Key K ~: analz (knows Spy evs)";
5.178 +\ ALL NB. Notes Spy {|NA, NB, Key K|} \\<notin> set evs; \
5.179 +\ A \\<notin> bad; B \\<notin> bad; evs : otway |] \
5.180 +\ ==> Key K \\<notin> analz (knows Spy evs)";
5.181 by (blast_tac (claset() addSDs [A_trusts_OR4, Spy_not_see_encrypted_key]) 1);
5.182 qed "A_gets_good_key";
5.183
5.184 @@ -316,8 +304,8 @@
5.185 know anything about X: it does NOT have to have the right form.*)
5.186 Goal "[| Crypt (shrK B) {|NA, NB, Agent A, Agent B|} \
5.187 \ : parts (knows Spy evs); \
5.188 -\ B ~: bad; evs : otway |] \
5.189 -\ ==> EX X. Says B Server \
5.190 +\ B \\<notin> bad; evs : otway |] \
5.191 +\ ==> \\<exists>X. Says B Server \
5.192 \ {|NA, Agent A, Agent B, X, \
5.193 \ Crypt (shrK B) {|NA, NB, Agent A, Agent B|}|} \
5.194 \ : set evs";
5.195 @@ -331,7 +319,7 @@
5.196
5.197 Goal "[| Crypt (shrK B) {|NA, NB, Agent A, Agent B|} : parts(knows Spy evs); \
5.198 \ Crypt (shrK B) {|NC, NB, Agent C, Agent B|} : parts(knows Spy evs); \
5.199 -\ evs : otway; B ~: bad |] \
5.200 +\ evs : otway; B \\<notin> bad |] \
5.201 \ ==> NC = NA & C = A";
5.202 by (etac rev_mp 1);
5.203 by (etac rev_mp 1);
5.204 @@ -342,7 +330,7 @@
5.205
5.206 (*If the encrypted message appears, and B has used Nonce NB,
5.207 then it originated with the Server! Quite messy proof.*)
5.208 -Goal "[| B ~: bad; evs : otway |] \
5.209 +Goal "[| B \\<notin> bad; evs : otway |] \
5.210 \ ==> Crypt (shrK B) {|NB, Key K|} : parts (knows Spy evs) \
5.211 \ --> (ALL X'. Says B Server \
5.212 \ {|NA, Agent A, Agent B, X', \
5.213 @@ -371,7 +359,7 @@
5.214 \ Crypt (shrK B) {|NA, NB, Agent A, Agent B|} |} \
5.215 \ : set evs; \
5.216 \ Gets B {|NA, X, Crypt (shrK B) {|NB, Key K|}|} : set evs; \
5.217 -\ B ~: bad; evs : otway |] \
5.218 +\ B \\<notin> bad; evs : otway |] \
5.219 \ ==> Says Server B \
5.220 \ {|NA, \
5.221 \ Crypt (shrK A) {|NA, Key K|}, \
5.222 @@ -386,9 +374,9 @@
5.223 \ Crypt (shrK B) {|NA, NB, Agent A, Agent B|} |} \
5.224 \ : set evs; \
5.225 \ Gets B {|NA, X, Crypt (shrK B) {|NB, Key K|}|} : set evs; \
5.226 -\ Notes Spy {|NA, NB, Key K|} ~: set evs; \
5.227 -\ A ~: bad; B ~: bad; evs : otway |] \
5.228 -\ ==> Key K ~: analz (knows Spy evs)";
5.229 +\ Notes Spy {|NA, NB, Key K|} \\<notin> set evs; \
5.230 +\ A \\<notin> bad; B \\<notin> bad; evs : otway |] \
5.231 +\ ==> Key K \\<notin> analz (knows Spy evs)";
5.232 by (blast_tac (claset() addSDs [B_trusts_OR3, Spy_not_see_encrypted_key]) 1);
5.233 qed "B_gets_good_key";
5.234
5.235 @@ -396,8 +384,8 @@
5.236 Goal "[| Says Server B \
5.237 \ {|NA, Crypt (shrK A) {|NA, Key K|}, \
5.238 \ Crypt (shrK B) {|NB, Key K|}|} : set evs; \
5.239 -\ B ~: bad; evs : otway |] \
5.240 -\ ==> EX X. Says B Server {|NA, Agent A, Agent B, X, \
5.241 +\ B \\<notin> bad; evs : otway |] \
5.242 +\ ==> \\<exists>X. Says B Server {|NA, Agent A, Agent B, X, \
5.243 \ Crypt (shrK B) {|NA, NB, Agent A, Agent B|} |} \
5.244 \ : set evs";
5.245 by (etac rev_mp 1);
5.246 @@ -414,8 +402,8 @@
5.247 Goal "[| Gets A {|NA, Crypt (shrK A) {|NA, Key K|}|} : set evs; \
5.248 \ Says A B {|NA, Agent A, Agent B, \
5.249 \ Crypt (shrK A) {|NA, Agent A, Agent B|}|} : set evs; \
5.250 -\ A ~: bad; B ~: bad; evs : otway |] \
5.251 -\ ==> EX NB X. Says B Server {|NA, Agent A, Agent B, X, \
5.252 +\ A \\<notin> bad; B \\<notin> bad; evs : otway |] \
5.253 +\ ==> \\<exists>NB X. Says B Server {|NA, Agent A, Agent B, X, \
5.254 \ Crypt (shrK B) {|NA, NB, Agent A, Agent B|} |}\
5.255 \ : set evs";
5.256 by (blast_tac (claset() delrules [Gets_imp_knows_Spy RS parts.Inj]
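Review bot: The conversion in this file stops halfway, which leaves goals that mix both notations: `A_gets_good_key` now has `ALL NB. Notes Spy {|NA, NB, Key K|} \\<notin> set evs` next to `A \\<notin> bad; B \\<notin> bad; evs : otway`, and the first goal keeps `B ~= Server` and `: set evs`. OtwayRees_AN.ML in the same commit converts membership as well, so `\\<forall>NB.` and `evs \\<in> otway` would make the two files agree. The hunk at `@@ -94,25 +94,13 @@` also deletes the proof of `new_keys_not_used` and its `Addsimps` line without saying where the lemma now comes from; presumably it is proved once in a shared theory, and a short comment in its place would confirm that.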
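--- a/src/HOL/Auth/OtwayRees.thy Tue Feb 27 12:28:42 2001 +0100
+++ b/src/HOL/Auth/OtwayRees.thy Tue Feb 27 16:13:23 2001 +0100
@@ -13,29 +13,29 @@
 inductive "otway"
 intrs
 (*Initial trace is empty*)
- Nil "[]: otway"
+ Nil "[] \\<in> otway"
 
 (** These rules allow agents to send messages to themselves **)
 
 (*The spy MAY say anything he CAN say. We do not expect him to
 invent new nonces here, but he can also use NS1. Common to
 all similar protocols.*)
- Fake "[| evsa: otway; X: synth (analz (knows Spy evsa)) |]
- ==> Says Spy B X # evsa : otway"
+ Fake "[| evsf \\<in> otway; X \\<in> synth (analz (knows Spy evsf)) |]
+ ==> Says Spy B X # evsf : otway"
 
 (*A message that has been sent can be received by the
 intended recipient.*)
- Reception "[| evsr: otway; Says A B X : set evsr |]
+ Reception "[| evsr \\<in> otway; Says A B X : set evsr |]
 ==> Gets B X # evsr : otway"
 
 (*Alice initiates a protocol run*)
- OR1 "[| evs1: otway; Nonce NA ~: used evs1 |]
+ OR1 "[| evs1 \\<in> otway; Nonce NA \\<notin> used evs1 |]
 ==> Says A B {|Nonce NA, Agent A, Agent B,
 Crypt (shrK A) {|Nonce NA, Agent A, Agent B|} |}
 # evs1 : otway"
 
 (*Bob's response to Alice's message. Note that NB is encrypted.*)
- OR2 "[| evs2: otway; Nonce NB ~: used evs2;
+ OR2 "[| evs2 \\<in> otway; Nonce NB \\<notin> used evs2;
 Gets B {|Nonce NA, Agent A, Agent B, X|} : set evs2 |]
 ==> Says B Server
 {|Nonce NA, Agent A, Agent B, X,
@@ -46,7 +46,7 @@
 (*The Server receives Bob's message and checks that the three NAs
 match. Then he sends a new session key to Bob with a packet for
 forwarding to Alice.*)
- OR3 "[| evs3: otway; Key KAB ~: used evs3;
+ OR3 "[| evs3 \\<in> otway; Key KAB \\<notin> used evs3;
 Gets Server
 {|Nonce NA, Agent A, Agent B,
 Crypt (shrK A) {|Nonce NA, Agent A, Agent B|},
@@ -61,7 +61,7 @@
 (*Bob receives the Server's (?) message and compares the Nonces with
 those in the message he previously sent the Server.
 Need B ~= Server because we allow messages to self.*)
- OR4 "[| evs4: otway; B ~= Server;
+ OR4 "[| evs4 \\<in> otway; B ~= Server;
 Says B Server {|Nonce NA, Agent A, Agent B, X',
 Crypt (shrK B)
 {|Nonce NA, Nonce NB, Agent A, Agent B|}|}
@@ -72,7 +72,7 @@
 
 (*This message models possible leaks of session keys. The nonces
 identify the protocol run.*)
- Oops "[| evso: otway;
+ Oops "[| evso \\<in> otway;
 Says Server B {|Nonce NA, X, Crypt (shrK B) {|Nonce NB, Key K|}|}
 : set evso |]
 ==> Notes Spy {|Nonce NA, Nonce NB, Key K|} # evso : otway"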
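Review bot: The Fake rule ends up with two notations in one rule: its premises use `evsf \\<in> otway; X \\<in> synth (...)` but the new conclusion line is still `==> Says Spy B X # evsf : otway"`. The same holds for Reception (`Says A B X : set evsr`) and for the unchanged conclusions of OR1 and Oops. Writing `# evsf \\<in> otway"` and `Says A B X \\<in> set evsr` would finish the conversion, as Kerberos_BAN.thy in this commit does. Fake's trace variable is also renamed from `evsa` to `evsf`, a change beyond notation that the commit message should mention. The bodies of OR2, OR3 and OR4 continue outside the hunks shown.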
7.1 --- a/src/HOL/Auth/OtwayRees_AN.ML Tue Feb 27 12:28:42 2001 +0100
7.2 +++ b/src/HOL/Auth/OtwayRees_AN.ML Tue Feb 27 16:13:23 2001 +0100
7.3 @@ -17,10 +17,10 @@
7.4
7.5
7.6 (*A "possibility property": there are traces that reach the end*)
7.7 -Goal "[| B ~= Server |] \
7.8 -\ ==> EX K. EX NA. EX evs: otway. \
7.9 +Goal "B ~= Server \
7.10 +\ ==> \\<exists>K. \\<exists>NA. \\<exists>evs \\<in> otway. \
7.11 \ Says B A (Crypt (shrK A) {|Nonce NA, Agent A, Agent B, Key K|}) \
7.12 -\ : set evs";
7.13 +\ \\<in> set evs";
7.14 by (REPEAT (resolve_tac [exI,bexI] 1));
7.15 by (rtac (otway.Nil RS
7.16 otway.OR1 RS otway.Reception RS
7.17 @@ -29,14 +29,14 @@
7.18 by possibility_tac;
7.19 result();
7.20
7.21 -Goal "[| Gets B X : set evs; evs : otway |] ==> EX A. Says A B X : set evs";
7.22 +Goal "[| Gets B X \\<in> set evs; evs \\<in> otway |] ==> \\<exists>A. Says A B X \\<in> set evs";
7.23 by (etac rev_mp 1);
7.24 by (etac otway.induct 1);
7.25 by Auto_tac;
7.26 qed"Gets_imp_Says";
7.27
7.28 (*Must be proved separately for each protocol*)
7.29 -Goal "[| Gets B X : set evs; evs : otway |] ==> X : knows Spy evs";
7.30 +Goal "[| Gets B X \\<in> set evs; evs \\<in> otway |] ==> X \\<in> knows Spy evs";
7.31 by (blast_tac (claset() addSDs [Gets_imp_Says, Says_imp_knows_Spy]) 1);
7.32 qed"Gets_imp_knows_Spy";
7.33 AddDs [Gets_imp_knows_Spy RS parts.Inj];
7.34 @@ -46,20 +46,20 @@
7.35
7.36 (** For reasoning about the encrypted portion of messages **)
7.37
7.38 -Goal "[| Gets B {|X, Crypt(shrK B) X'|} : set evs; evs : otway |] ==> \
7.39 -\ X : analz (knows Spy evs)";
7.40 +Goal "[| Gets B {|X, Crypt(shrK B) X'|} \\<in> set evs; evs \\<in> otway |] \
7.41 +\ ==> X \\<in> analz (knows Spy evs)";
7.42 by (blast_tac (claset() addSDs [Gets_imp_knows_Spy RS analz.Inj]) 1);
7.43 qed "OR4_analz_knows_Spy";
7.44
7.45 -Goal "Says Server B {|X, Crypt K' {|NB, a, Agent B, K|}|} : set evs \
7.46 -\ ==> K : parts (knows Spy evs)";
7.47 +Goal "Says Server B {|X, Crypt K' {|NB, a, Agent B, K|}|} \\<in> set evs \
7.48 +\ ==> K \\<in> parts (knows Spy evs)";
7.49 by (Blast_tac 1);
7.50 qed "Oops_parts_knows_Spy";
7.51
7.52 bind_thm ("OR4_parts_knows_Spy",
7.53 OR4_analz_knows_Spy RS (impOfSubs analz_subset_parts));
7.54
7.55 -(*For proving the easier theorems about X ~: parts (knows Spy evs).*)
7.56 +(*For proving the easier theorems about X \\<notin> parts (knows Spy evs).*)
7.57 fun parts_induct_tac i =
7.58 etac otway.induct i THEN
7.59 ftac Oops_parts_knows_Spy (i+7) THEN
7.60 @@ -67,17 +67,17 @@
7.61 prove_simple_subgoals_tac i;
7.62
7.63
7.64 -(** Theorems of the form X ~: parts (knows Spy evs) imply that NOBODY
7.65 +(** Theorems of the form X \\<notin> parts (knows Spy evs) imply that NOBODY
7.66 sends messages containing X! **)
7.67
7.68 (*Spy never sees a good agent's shared key!*)
7.69 -Goal "evs : otway ==> (Key (shrK A) : parts (knows Spy evs)) = (A : bad)";
7.70 +Goal "evs \\<in> otway ==> (Key (shrK A) \\<in> parts (knows Spy evs)) = (A \\<in> bad)";
7.71 by (parts_induct_tac 1);
7.72 by (ALLGOALS Blast_tac);
7.73 qed "Spy_see_shrK";
7.74 Addsimps [Spy_see_shrK];
7.75
7.76 -Goal "evs : otway ==> (Key (shrK A) : analz (knows Spy evs)) = (A : bad)";
7.77 +Goal "evs \\<in> otway ==> (Key (shrK A) \\<in> analz (knows Spy evs)) = (A \\<in> bad)";
7.78 by (auto_tac(claset() addDs [impOfSubs analz_subset_parts], simpset()));
7.79 qed "Spy_analz_shrK";
7.80 Addsimps [Spy_analz_shrK];
7.81 @@ -86,32 +86,15 @@
7.82 Spy_analz_shrK RSN (2, rev_iffD1)];
7.83
7.84
7.85 -(*Nobody can have used non-existent keys!*)
7.86 -Goal "evs : otway ==> Key K ~: used evs --> K ~: keysFor (parts (knows Spy evs))";
7.87 -by (parts_induct_tac 1);
7.88 -(*Fake*)
7.89 -by (blast_tac (claset() addSDs [keysFor_parts_insert]) 1);
7.90 -(*OR3*)
7.91 -by (Blast_tac 1);
7.92 -qed_spec_mp "new_keys_not_used";
7.93 -
7.94 -bind_thm ("new_keys_not_analzd",
7.95 - [analz_subset_parts RS keysFor_mono,
7.96 - new_keys_not_used] MRS contra_subsetD);
7.97 -
7.98 -Addsimps [new_keys_not_used, new_keys_not_analzd];
7.99 -
7.100 -
7.101 -
7.102 (*** Proofs involving analz ***)
7.103
7.104 (*Describes the form of K and NA when the Server sends this message.*)
7.105 Goal "[| Says Server B \
7.106 \ {|Crypt (shrK A) {|NA, Agent A, Agent B, Key K|}, \
7.107 \ Crypt (shrK B) {|NB, Agent A, Agent B, Key K|}|} \
7.108 -\ : set evs; \
7.109 -\ evs : otway |] \
7.110 -\ ==> K ~: range shrK & (EX i. NA = Nonce i) & (EX j. NB = Nonce j)";
7.111 +\ \\<in> set evs; \
7.112 +\ evs \\<in> otway |] \
7.113 +\ ==> K \\<notin> range shrK & (\\<exists>i. NA = Nonce i) & (\\<exists>j. NB = Nonce j)";
7.114 by (etac rev_mp 1);
7.115 by (etac otway.induct 1);
7.116 by (ALLGOALS Asm_simp_tac);
7.117 @@ -139,10 +122,10 @@
7.118 (** Session keys are not used to encrypt other session keys **)
7.119
7.120 (*The equality makes the induction hypothesis easier to apply*)
7.121 -Goal "evs : otway ==> \
7.122 +Goal "evs \\<in> otway ==> \
7.123 \ ALL K KK. KK <= -(range shrK) --> \
7.124 -\ (Key K : analz (Key`KK Un (knows Spy evs))) = \
7.125 -\ (K : KK | Key K : analz (knows Spy evs))";
7.126 +\ (Key K \\<in> analz (Key`KK Un (knows Spy evs))) = \
7.127 +\ (K \\<in> KK | Key K \\<in> analz (knows Spy evs))";
7.128 by (etac otway.induct 1);
7.129 by analz_knows_Spy_tac;
7.130 by (REPEAT_FIRST (resolve_tac [allI, impI]));
7.131 @@ -153,9 +136,9 @@
7.132 qed_spec_mp "analz_image_freshK";
7.133
7.134
7.135 -Goal "[| evs : otway; KAB ~: range shrK |] ==> \
7.136 -\ Key K : analz (insert (Key KAB) (knows Spy evs)) = \
7.137 -\ (K = KAB | Key K : analz (knows Spy evs))";
7.138 +Goal "[| evs \\<in> otway; KAB \\<notin> range shrK |] ==> \
7.139 +\ Key K \\<in> analz (insert (Key KAB) (knows Spy evs)) = \
7.140 +\ (K = KAB | Key K \\<in> analz (knows Spy evs))";
7.141 by (asm_simp_tac (analz_image_freshK_ss addsimps [analz_image_freshK]) 1);
7.142 qed "analz_insert_freshK";
7.143
7.144 @@ -165,12 +148,12 @@
7.145 Goal "[| Says Server B \
7.146 \ {|Crypt (shrK A) {|NA, Agent A, Agent B, K|}, \
7.147 \ Crypt (shrK B) {|NB, Agent A, Agent B, K|}|} \
7.148 -\ : set evs; \
7.149 +\ \\<in> set evs; \
7.150 \ Says Server B' \
7.151 \ {|Crypt (shrK A') {|NA', Agent A', Agent B', K|}, \
7.152 \ Crypt (shrK B') {|NB', Agent A', Agent B', K|}|} \
7.153 -\ : set evs; \
7.154 -\ evs : otway |] \
7.155 +\ \\<in> set evs; \
7.156 +\ evs \\<in> otway |] \
7.157 \ ==> A=A' & B=B' & NA=NA' & NB=NB'";
7.158 by (etac rev_mp 1);
7.159 by (etac rev_mp 1);
7.160 @@ -185,12 +168,12 @@
7.161 (**** Authenticity properties relating to NA ****)
7.162
7.163 (*If the encrypted message appears then it originated with the Server!*)
7.164 -Goal "[| A ~: bad; A ~= B; evs : otway |] \
7.165 -\ ==> Crypt (shrK A) {|NA, Agent A, Agent B, Key K|} : parts (knows Spy evs) \
7.166 -\ --> (EX NB. Says Server B \
7.167 +Goal "[| A \\<notin> bad; A ~= B; evs \\<in> otway |] \
7.168 +\ ==> Crypt (shrK A) {|NA, Agent A, Agent B, Key K|} \\<in> parts (knows Spy evs) \
7.169 +\ --> (\\<exists>NB. Says Server B \
7.170 \ {|Crypt (shrK A) {|NA, Agent A, Agent B, Key K|}, \
7.171 \ Crypt (shrK B) {|NB, Agent A, Agent B, Key K|}|} \
7.172 -\ : set evs)";
7.173 +\ \\<in> set evs)";
7.174 by (parts_induct_tac 1);
7.175 by (Blast_tac 1);
7.176 by (ALLGOALS (asm_simp_tac (simpset() addsimps [ex_disj_distrib])));
7.177 @@ -202,12 +185,12 @@
7.178 (*Corollary: if A receives B's OR4 message then it originated with the Server.
7.179 Freshness may be inferred from nonce NA.*)
7.180 Goal "[| Gets A (Crypt (shrK A) {|NA, Agent A, Agent B, Key K|}) \
7.181 -\ : set evs; \
7.182 -\ A ~: bad; A ~= B; evs : otway |] \
7.183 -\ ==> EX NB. Says Server B \
7.184 +\ \\<in> set evs; \
7.185 +\ A \\<notin> bad; A ~= B; evs \\<in> otway |] \
7.186 +\ ==> \\<exists>NB. Says Server B \
7.187 \ {|Crypt (shrK A) {|NA, Agent A, Agent B, Key K|}, \
7.188 \ Crypt (shrK B) {|NB, Agent A, Agent B, Key K|}|} \
7.189 -\ : set evs";
7.190 +\ \\<in> set evs";
7.191 by (blast_tac (claset() addSIs [NA_Crypt_imp_Server_msg]) 1);
7.192 qed "A_trusts_OR4";
7.193
7.194 @@ -216,13 +199,13 @@
7.195 Does not in itself guarantee security: an attack could violate
7.196 the premises, e.g. by having A=Spy **)
7.197
7.198 -Goal "[| A ~: bad; B ~: bad; evs : otway |] \
7.199 +Goal "[| A \\<notin> bad; B \\<notin> bad; evs \\<in> otway |] \
7.200 \ ==> Says Server B \
7.201 \ {|Crypt (shrK A) {|NA, Agent A, Agent B, Key K|}, \
7.202 \ Crypt (shrK B) {|NB, Agent A, Agent B, Key K|}|} \
7.203 -\ : set evs --> \
7.204 -\ Notes Spy {|NA, NB, Key K|} ~: set evs --> \
7.205 -\ Key K ~: analz (knows Spy evs)";
7.206 +\ \\<in> set evs --> \
7.207 +\ Notes Spy {|NA, NB, Key K|} \\<notin> set evs --> \
7.208 +\ Key K \\<notin> analz (knows Spy evs)";
7.209 by (etac otway.induct 1);
7.210 by analz_knows_Spy_tac;
7.211 by (ALLGOALS
7.212 @@ -242,10 +225,10 @@
7.213 Goal "[| Says Server B \
7.214 \ {|Crypt (shrK A) {|NA, Agent A, Agent B, Key K|}, \
7.215 \ Crypt (shrK B) {|NB, Agent A, Agent B, Key K|}|} \
7.216 -\ : set evs; \
7.217 -\ Notes Spy {|NA, NB, Key K|} ~: set evs; \
7.218 -\ A ~: bad; B ~: bad; evs : otway |] \
7.219 -\ ==> Key K ~: analz (knows Spy evs)";
7.220 +\ \\<in> set evs; \
7.221 +\ Notes Spy {|NA, NB, Key K|} \\<notin> set evs; \
7.222 +\ A \\<notin> bad; B \\<notin> bad; evs \\<in> otway |] \
7.223 +\ ==> Key K \\<notin> analz (knows Spy evs)";
7.224 by (ftac Says_Server_message_form 1 THEN assume_tac 1);
7.225 by (blast_tac (claset() addSEs [lemma]) 1);
7.226 qed "Spy_not_see_encrypted_key";
7.227 @@ -254,10 +237,10 @@
7.228 (*A's guarantee. The Oops premise quantifies over NB because A cannot know
7.229 what it is.*)
7.230 Goal "[| Gets A (Crypt (shrK A) {|NA, Agent A, Agent B, Key K|}) \
7.231 -\ : set evs; \
7.232 -\ ALL NB. Notes Spy {|NA, NB, Key K|} ~: set evs; \
7.233 -\ A ~: bad; B ~: bad; A ~= B; evs : otway |] \
7.234 -\ ==> Key K ~: analz (knows Spy evs)";
7.235 +\ \\<in> set evs; \
7.236 +\ ALL NB. Notes Spy {|NA, NB, Key K|} \\<notin> set evs; \
7.237 +\ A \\<notin> bad; B \\<notin> bad; A ~= B; evs \\<in> otway |] \
7.238 +\ ==> Key K \\<notin> analz (knows Spy evs)";
7.239 by (blast_tac (claset() addSDs [A_trusts_OR4, Spy_not_see_encrypted_key]) 1);
7.240 qed "A_gets_good_key";
7.241
7.242 @@ -265,12 +248,12 @@
7.243 (**** Authenticity properties relating to NB ****)
7.244
7.245 (*If the encrypted message appears then it originated with the Server!*)
7.246 -Goal "[| B ~: bad; A ~= B; evs : otway |] \
7.247 -\ ==> Crypt (shrK B) {|NB, Agent A, Agent B, Key K|} : parts (knows Spy evs) \
7.248 -\ --> (EX NA. Says Server B \
7.249 +Goal "[| B \\<notin> bad; A ~= B; evs \\<in> otway |] \
7.250 +\ ==> Crypt (shrK B) {|NB, Agent A, Agent B, Key K|} \\<in> parts (knows Spy evs) \
7.251 +\ --> (\\<exists>NA. Says Server B \
7.252 \ {|Crypt (shrK A) {|NA, Agent A, Agent B, Key K|}, \
7.253 \ Crypt (shrK B) {|NB, Agent A, Agent B, Key K|}|} \
7.254 -\ : set evs)";
7.255 +\ \\<in> set evs)";
7.256 by (parts_induct_tac 1);
7.257 by (Blast_tac 1);
7.258 by (ALLGOALS (asm_simp_tac (simpset() addsimps [ex_disj_distrib])));
7.259 @@ -282,21 +265,21 @@
7.260 (*Guarantee for B: if it gets a well-formed certificate then the Server
7.261 has sent the correct message in round 3.*)
7.262 Goal "[| Gets B {|X, Crypt (shrK B) {|NB, Agent A, Agent B, Key K|}|} \
7.263 -\ : set evs; \
7.264 -\ B ~: bad; A ~= B; evs : otway |] \
7.265 -\ ==> EX NA. Says Server B \
7.266 +\ \\<in> set evs; \
7.267 +\ B \\<notin> bad; A ~= B; evs \\<in> otway |] \
7.268 +\ ==> \\<exists>NA. Says Server B \
7.269 \ {|Crypt (shrK A) {|NA, Agent A, Agent B, Key K|}, \
7.270 \ Crypt (shrK B) {|NB, Agent A, Agent B, Key K|}|} \
7.271 -\ : set evs";
7.272 +\ \\<in> set evs";
7.273 by (blast_tac (claset() addSIs [NB_Crypt_imp_Server_msg]) 1);
7.274 qed "B_trusts_OR3";
7.275
7.276
7.277 (*The obvious combination of B_trusts_OR3 with Spy_not_see_encrypted_key*)
7.278 Goal "[| Gets B {|X, Crypt (shrK B) {|NB, Agent A, Agent B, Key K|}|} \
7.279 -\ : set evs; \
7.280 -\ ALL NA. Notes Spy {|NA, NB, Key K|} ~: set evs; \
7.281 -\ A ~: bad; B ~: bad; A ~= B; evs : otway |] \
7.282 -\ ==> Key K ~: analz (knows Spy evs)";
7.283 +\ \\<in> set evs; \
7.284 +\ ALL NA. Notes Spy {|NA, NB, Key K|} \\<notin> set evs; \
7.285 +\ A \\<notin> bad; B \\<notin> bad; A ~= B; evs \\<in> otway |] \
7.286 +\ ==> Key K \\<notin> analz (knows Spy evs)";
7.287 by (blast_tac (claset() addDs [B_trusts_OR3, Spy_not_see_encrypted_key]) 1);
7.288 qed "B_gets_good_key";
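Review bot: The hunk at `@@ -86,32 +86,15 @@` deletes `new_keys_not_used` and `new_keys_not_analzd` together with their `Addsimps` line, and nothing left in this file says where the key-freshness facts now come from. The goals that follow (`analz_image_freshK`, and the secrecy lemma behind `Spy_not_see_encrypted_key`) are closed by simplifier-based tactics, so they presumably still rely on those rules being supplied by a parent theory that this section does not show. I would leave a one-line pointer at the deletion site, e.g. `(*new_keys_not_used is now proved once for all protocols in <SHARED_THEORY>*)`, with the placeholder filled in. The same removal appears in OtwayRees_Bad.ML and Recur.ML and would benefit from the same pointer.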
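--- a/src/HOL/Auth/OtwayRees_AN.thy
+++ b/src/HOL/Auth/OtwayRees_AN.thy
@@ -28,50 +28,50 @@
 (*The spy MAY say anything he CAN say. We do not expect him to
 invent new nonces here, but he can also use NS1. Common to
 all similar protocols.*)
- Fake "[| evs: otway; X: synth (analz (knows Spy evs)) |]
- ==> Says Spy B X # evs : otway"
+ Fake "[| evs \\<in> otway; X \\<in> synth (analz (knows Spy evs)) |]
+ ==> Says Spy B X # evs \\<in> otway"
 
 (*A message that has been sent can be received by the
 intended recipient.*)
- Reception "[| evsr: otway; Says A B X : set evsr |]
- ==> Gets B X # evsr : otway"
+ Reception "[| evsr \\<in> otway; Says A B X \\<in>set evsr |]
+ ==> Gets B X # evsr \\<in> otway"
 
 (*Alice initiates a protocol run*)
- OR1 "[| evs1: otway |]
- ==> Says A B {|Agent A, Agent B, Nonce NA|} # evs1 : otway"
+ OR1 "[| evs1 \\<in> otway |]
+ ==> Says A B {|Agent A, Agent B, Nonce NA|} # evs1 \\<in> otway"
 
 (*Bob's response to Alice's message.*)
- OR2 "[| evs2: otway;
- Gets B {|Agent A, Agent B, Nonce NA|} : set evs2 |]
+ OR2 "[| evs2 \\<in> otway;
+ Gets B {|Agent A, Agent B, Nonce NA|} \\<in>set evs2 |]
 ==> Says B Server {|Agent A, Agent B, Nonce NA, Nonce NB|}
- # evs2 : otway"
+ # evs2 \\<in> otway"
 
 (*The Server receives Bob's message. Then he sends a new
 session key to Bob with a packet for forwarding to Alice.*)
- OR3 "[| evs3: otway; Key KAB ~: used evs3;
+ OR3 "[| evs3 \\<in> otway; Key KAB \\<notin> used evs3;
 Gets Server {|Agent A, Agent B, Nonce NA, Nonce NB|}
- : set evs3 |]
+ \\<in>set evs3 |]
 ==> Says Server B
 {|Crypt (shrK A) {|Nonce NA, Agent A, Agent B, Key KAB|},
 Crypt (shrK B) {|Nonce NB, Agent A, Agent B, Key KAB|}|}
- # evs3 : otway"
+ # evs3 \\<in> otway"
 
 (*Bob receives the Server's (?) message and compares the Nonces with
 those in the message he previously sent the Server.
 Need B ~= Server because we allow messages to self.*)
- OR4 "[| evs4: otway; B ~= Server;
- Says B Server {|Agent A, Agent B, Nonce NA, Nonce NB|} : set evs4;
+ OR4 "[| evs4 \\<in> otway; B ~= Server;
+ Says B Server {|Agent A, Agent B, Nonce NA, Nonce NB|} \\<in>set evs4;
 Gets B {|X, Crypt(shrK B){|Nonce NB,Agent A,Agent B,Key K|}|}
- : set evs4 |]
- ==> Says B A X # evs4 : otway"
+ \\<in>set evs4 |]
+ ==> Says B A X # evs4 \\<in> otway"
 
 (*This message models possible leaks of session keys. The nonces
 identify the protocol run. B is not assumed to know shrK A.*)
- Oops "[| evso: otway;
+ Oops "[| evso \\<in> otway;
 Says Server B
 {|Crypt (shrK A) {|Nonce NA, Agent A, Agent B, Key K|},
 Crypt (shrK B) {|Nonce NB, Agent A, Agent B, Key K|}|}
- : set evso |]
- ==> Notes Spy {|Nonce NA, Nonce NB, Key K|} # evso : otway"
+ \\<in>set evso |]
+ ==> Notes Spy {|Nonce NA, Nonce NB, Key K|} # evso \\<in> otway"
 
 end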
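Review bot: The new membership symbol is written `\\<in>set` with no space in Reception, OR2, OR3, OR4 and Oops, while Fake and OR1 in this same hunk, and the converted .ML proofs, put a space after `\\<in>`. Since the commit is purely notational here, the spacing should be uniform, e.g. `Says A B X \\<in> set evsr` and `\\<in> set evs3 |]`. Separately, Fake keeps the trace variable `evs` although OtwayRees_Bad.thy in the same commit renames it to `evsf`; whichever convention is intended should be applied to both theories.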
9.1 --- a/src/HOL/Auth/OtwayRees_Bad.ML Tue Feb 27 12:28:42 2001 +0100
9.2 +++ b/src/HOL/Auth/OtwayRees_Bad.ML Tue Feb 27 16:13:23 2001 +0100
9.3 @@ -19,10 +19,10 @@
9.4 AddDs [impOfSubs analz_subset_parts, impOfSubs Fake_parts_insert];
9.5
9.6 (*A "possibility property": there are traces that reach the end*)
9.7 -Goal "[| A ~= B; B ~= Server |] \
9.8 -\ ==> EX K. EX NA. EX evs: otway. \
9.9 +Goal "B ~= Server \
9.10 +\ ==> \\<exists>K. \\<exists>NA. \\<exists>evs \\<in> otway. \
9.11 \ Says B A {|Nonce NA, Crypt (shrK A) {|Nonce NA, Key K|}|} \
9.12 -\ : set evs";
9.13 +\ \\<in> set evs";
9.14 by (REPEAT (resolve_tac [exI,bexI] 1));
9.15 by (rtac (otway.Nil RS
9.16 otway.OR1 RS otway.Reception RS
9.17 @@ -31,14 +31,14 @@
9.18 by possibility_tac;
9.19 result();
9.20
9.21 -Goal "[| Gets B X : set evs; evs : otway |] ==> EX A. Says A B X : set evs";
9.22 +Goal "[| Gets B X \\<in> set evs; evs \\<in> otway |] ==> \\<exists>A. Says A B X \\<in> set evs";
9.23 by (etac rev_mp 1);
9.24 by (etac otway.induct 1);
9.25 by Auto_tac;
9.26 qed"Gets_imp_Says";
9.27
9.28 (*Must be proved separately for each protocol*)
9.29 -Goal "[| Gets B X : set evs; evs : otway |] ==> X : knows Spy evs";
9.30 +Goal "[| Gets B X \\<in> set evs; evs \\<in> otway |] ==> X \\<in> knows Spy evs";
9.31 by (blast_tac (claset() addSDs [Gets_imp_Says, Says_imp_knows_Spy]) 1);
9.32 qed"Gets_imp_knows_Spy";
9.33 AddDs [Gets_imp_knows_Spy RS parts.Inj];
9.34 @@ -49,18 +49,18 @@
9.35
9.36 (** For reasoning about the encrypted portion of messages **)
9.37
9.38 -Goal "[| Gets B {|N, Agent A, Agent B, X|} : set evs; evs : otway |] \
9.39 -\ ==> X : analz (knows Spy evs)";
9.40 +Goal "[| Gets B {|N, Agent A, Agent B, X|} \\<in> set evs; evs \\<in> otway |] \
9.41 +\ ==> X \\<in> analz (knows Spy evs)";
9.42 by (blast_tac (claset() addSDs [Gets_imp_knows_Spy RS analz.Inj]) 1);
9.43 qed "OR2_analz_knows_Spy";
9.44
9.45 -Goal "[| Gets B {|N, X, Crypt (shrK B) X'|} : set evs; evs : otway |] \
9.46 -\ ==> X : analz (knows Spy evs)";
9.47 +Goal "[| Gets B {|N, X, Crypt (shrK B) X'|} \\<in> set evs; evs \\<in> otway |] \
9.48 +\ ==> X \\<in> analz (knows Spy evs)";
9.49 by (blast_tac (claset() addSDs [Gets_imp_knows_Spy RS analz.Inj]) 1);
9.50 qed "OR4_analz_knows_Spy";
9.51
9.52 -Goal "Says Server B {|NA, X, Crypt K' {|NB,K|}|} : set evs \
9.53 -\ ==> K : parts (knows Spy evs)";
9.54 +Goal "Says Server B {|NA, X, Crypt K' {|NB,K|}|} \\<in> set evs \
9.55 +\ ==> K \\<in> parts (knows Spy evs)";
9.56 by (Blast_tac 1);
9.57 qed "Oops_parts_knows_Spy";
9.58
9.59 @@ -69,7 +69,7 @@
9.60 bind_thm ("OR4_parts_knows_Spy",
9.61 OR4_analz_knows_Spy RS (impOfSubs analz_subset_parts));
9.62
9.63 -(*For proving the easier theorems about X ~: parts (knows Spy evs).*)
9.64 +(*For proving the easier theorems about X \\<notin> parts (knows Spy evs).*)
9.65 fun parts_induct_tac i =
9.66 etac otway.induct i THEN
9.67 ftac Oops_parts_knows_Spy (i+7) THEN
9.68 @@ -78,17 +78,17 @@
9.69 prove_simple_subgoals_tac i;
9.70
9.71
9.72 -(** Theorems of the form X ~: parts (knows Spy evs) imply that NOBODY
9.73 +(** Theorems of the form X \\<notin> parts (knows Spy evs) imply that NOBODY
9.74 sends messages containing X! **)
9.75
9.76 (*Spy never sees a good agent's shared key!*)
9.77 -Goal "evs : otway ==> (Key (shrK A) : parts (knows Spy evs)) = (A : bad)";
9.78 +Goal "evs \\<in> otway ==> (Key (shrK A) \\<in> parts (knows Spy evs)) = (A \\<in> bad)";
9.79 by (parts_induct_tac 1);
9.80 by (ALLGOALS Blast_tac);
9.81 qed "Spy_see_shrK";
9.82 Addsimps [Spy_see_shrK];
9.83
9.84 -Goal "evs : otway ==> (Key (shrK A) : analz (knows Spy evs)) = (A : bad)";
9.85 +Goal "evs \\<in> otway ==> (Key (shrK A) \\<in> analz (knows Spy evs)) = (A \\<in> bad)";
9.86 by (auto_tac(claset() addDs [impOfSubs analz_subset_parts], simpset()));
9.87 qed "Spy_analz_shrK";
9.88 Addsimps [Spy_analz_shrK];
9.89 @@ -97,25 +97,13 @@
9.90 Spy_analz_shrK RSN (2, rev_iffD1)];
9.91
9.92
9.93 -(*Nobody can have used non-existent keys!*)
9.94 -Goal "evs : otway ==> Key K ~: used evs --> K ~: keysFor (parts (knows Spy evs))";
9.95 -by (parts_induct_tac 1);
9.96 -(*Fake*)
9.97 -by (blast_tac (claset() addSDs [keysFor_parts_insert]) 1);
9.98 -(*OR2, OR3*)
9.99 -by (ALLGOALS Blast_tac);
9.100 -qed_spec_mp "new_keys_not_used";
9.101 -Addsimps [new_keys_not_used];
9.102 -
9.103 -
9.104 -
9.105 (*** Proofs involving analz ***)
9.106
9.107 (*Describes the form of K and NA when the Server sends this message. Also
9.108 for Oops case.*)
9.109 -Goal "[| Says Server B {|NA, X, Crypt (shrK B) {|NB, Key K|}|} : set evs; \
9.110 -\ evs : otway |] \
9.111 -\ ==> K ~: range shrK & (EX i. NA = Nonce i) & (EX j. NB = Nonce j)";
9.112 +Goal "[| Says Server B {|NA, X, Crypt (shrK B) {|NB, Key K|}|} \\<in> set evs; \
9.113 +\ evs \\<in> otway |] \
9.114 +\ ==> K \\<notin> range shrK & (\\<exists>i. NA = Nonce i) & (\\<exists>j. NB = Nonce j)";
9.115 by (etac rev_mp 1);
9.116 by (etac otway.induct 1);
9.117 by (ALLGOALS Simp_tac);
9.118 @@ -134,8 +122,8 @@
9.119 (****
9.120 The following is to prove theorems of the form
9.121
9.122 - Key K : analz (insert (Key KAB) (knows Spy evs)) ==>
9.123 - Key K : analz (knows Spy evs)
9.124 + Key K \\<in> analz (insert (Key KAB) (knows Spy evs)) ==>
9.125 + Key K \\<in> analz (knows Spy evs)
9.126
9.127 A more general formula must be proved inductively.
9.128 ****)
9.129 @@ -144,10 +132,10 @@
9.130 (** Session keys are not used to encrypt other session keys **)
9.131
9.132 (*The equality makes the induction hypothesis easier to apply*)
9.133 -Goal "evs : otway ==> \
9.134 -\ ALL K KK. KK <= - (range shrK) --> \
9.135 -\ (Key K : analz (Key`KK Un (knows Spy evs))) = \
9.136 -\ (K : KK | Key K : analz (knows Spy evs))";
9.137 +Goal "evs \\<in> otway ==> \
9.138 +\ \\<forall>K KK. KK <= - (range shrK) --> \
9.139 +\ (Key K \\<in> analz (Key`KK Un (knows Spy evs))) = \
9.140 +\ (K \\<in> KK | Key K \\<in> analz (knows Spy evs))";
9.141 by (etac otway.induct 1);
9.142 by analz_knows_Spy_tac;
9.143 by (REPEAT_FIRST (resolve_tac [allI, impI]));
9.144 @@ -158,18 +146,18 @@
9.145 qed_spec_mp "analz_image_freshK";
9.146
9.147
9.148 -Goal "[| evs : otway; KAB ~: range shrK |] ==> \
9.149 -\ Key K : analz (insert (Key KAB) (knows Spy evs)) = \
9.150 -\ (K = KAB | Key K : analz (knows Spy evs))";
9.151 +Goal "[| evs \\<in> otway; KAB \\<notin> range shrK |] ==> \
9.152 +\ Key K \\<in> analz (insert (Key KAB) (knows Spy evs)) = \
9.153 +\ (K = KAB | Key K \\<in> analz (knows Spy evs))";
9.154 by (asm_simp_tac (analz_image_freshK_ss addsimps [analz_image_freshK]) 1);
9.155 qed "analz_insert_freshK";
9.156
9.157
9.158 (*** The Key K uniquely identifies the Server's message. **)
9.159
9.160 -Goal "[| Says Server B {|NA, X, Crypt (shrK B) {|NB, K|}|} : set evs; \
9.161 -\ Says Server B' {|NA',X',Crypt (shrK B') {|NB',K|}|} : set evs; \
9.162 -\ evs : otway |] ==> X=X' & B=B' & NA=NA' & NB=NB'";
9.163 +Goal "[| Says Server B {|NA, X, Crypt (shrK B) {|NB, K|}|} \\<in> set evs; \
9.164 +\ Says Server B' {|NA',X',Crypt (shrK B') {|NB',K|}|} \\<in> set evs; \
9.165 +\ evs \\<in> otway |] ==> X=X' & B=B' & NA=NA' & NB=NB'";
9.166 by (etac rev_mp 1);
9.167 by (etac rev_mp 1);
9.168 by (etac otway.induct 1);
9.169 @@ -183,12 +171,12 @@
9.170 Does not in itself guarantee security: an attack could violate
9.171 the premises, e.g. by having A=Spy **)
9.172
9.173 -Goal "[| A ~: bad; B ~: bad; evs : otway |] \
9.174 +Goal "[| A \\<notin> bad; B \\<notin> bad; evs \\<in> otway |] \
9.175 \ ==> Says Server B \
9.176 \ {|NA, Crypt (shrK A) {|NA, Key K|}, \
9.177 -\ Crypt (shrK B) {|NB, Key K|}|} : set evs --> \
9.178 -\ Notes Spy {|NA, NB, Key K|} ~: set evs --> \
9.179 -\ Key K ~: analz (knows Spy evs)";
9.180 +\ Crypt (shrK B) {|NB, Key K|}|} \\<in> set evs --> \
9.181 +\ Notes Spy {|NA, NB, Key K|} \\<notin> set evs --> \
9.182 +\ Key K \\<notin> analz (knows Spy evs)";
9.183 by (etac otway.induct 1);
9.184 by analz_knows_Spy_tac;
9.185 by (ALLGOALS
9.186 @@ -207,10 +195,10 @@
9.187
9.188 Goal "[| Says Server B \
9.189 \ {|NA, Crypt (shrK A) {|NA, Key K|}, \
9.190 -\ Crypt (shrK B) {|NB, Key K|}|} : set evs; \
9.191 -\ Notes Spy {|NA, NB, Key K|} ~: set evs; \
9.192 -\ A ~: bad; B ~: bad; evs : otway |] \
9.193 -\ ==> Key K ~: analz (knows Spy evs)";
9.194 +\ Crypt (shrK B) {|NB, Key K|}|} \\<in> set evs; \
9.195 +\ Notes Spy {|NA, NB, Key K|} \\<notin> set evs; \
9.196 +\ A \\<notin> bad; B \\<notin> bad; evs \\<in> otway |] \
9.197 +\ ==> Key K \\<notin> analz (knows Spy evs)";
9.198 by (ftac Says_Server_message_form 1 THEN assume_tac 1);
9.199 by (blast_tac (claset() addSEs [lemma]) 1);
9.200 qed "Spy_not_see_encrypted_key";
9.201 @@ -221,10 +209,10 @@
9.202 (*Only OR1 can have caused such a part of a message to appear.
9.203 The premise A ~= B prevents OR2's similar-looking cryptogram from being
9.204 picked up. Original Otway-Rees doesn't need it.*)
9.205 -Goal "[| A ~: bad; A ~= B; evs : otway |] \
9.206 -\ ==> Crypt (shrK A) {|NA, Agent A, Agent B|} : parts (knows Spy evs) --> \
9.207 +Goal "[| A \\<notin> bad; A ~= B; evs \\<in> otway |] \
9.208 +\ ==> Crypt (shrK A) {|NA, Agent A, Agent B|} \\<in> parts (knows Spy evs) --> \
9.209 \ Says A B {|NA, Agent A, Agent B, \
9.210 -\ Crypt (shrK A) {|NA, Agent A, Agent B|}|} : set evs";
9.211 +\ Crypt (shrK A) {|NA, Agent A, Agent B|}|} \\<in> set evs";
9.212 by (parts_induct_tac 1);
9.213 by (ALLGOALS Blast_tac);
9.214 qed_spec_mp "Crypt_imp_OR1";
9.215 @@ -235,15 +223,15 @@
9.216 The premise A ~= B allows use of Crypt_imp_OR1*)
9.217 (*Only it is FALSE. Somebody could make a fake message to Server
9.218 substituting some other nonce NA' for NB.*)
9.219 -Goal "[| A ~: bad; A ~= B; evs : otway |] \
9.220 -\ ==> Crypt (shrK A) {|NA, Key K|} : parts (knows Spy evs) --> \
9.221 +Goal "[| A \\<notin> bad; A ~= B; evs \\<in> otway |] \
9.222 +\ ==> Crypt (shrK A) {|NA, Key K|} \\<in> parts (knows Spy evs) --> \
9.223 \ Says A B {|NA, Agent A, Agent B, \
9.224 \ Crypt (shrK A) {|NA, Agent A, Agent B|}|} \
9.225 -\ : set evs --> \
9.226 -\ (EX B NB. Says Server B \
9.227 +\ \\<in> set evs --> \
9.228 +\ (\\<exists>B NB. Says Server B \
9.229 \ {|NA, \
9.230 \ Crypt (shrK A) {|NA, Key K|}, \
9.231 -\ Crypt (shrK B) {|NB, Key K|}|} : set evs)";
9.232 +\ Crypt (shrK B) {|NB, Key K|}|} \\<in> set evs)";
9.233 by (parts_induct_tac 1);
9.234 (*Fake*)
9.235 by (Blast_tac 1);
9.236 @@ -261,11 +249,11 @@
9.237 {|Nonce NA, Agent Aa, Agent A,
9.238 Crypt (shrK Aa) {|Nonce NA, Agent Aa, Agent A|}, Nonce NB,
9.239 Crypt (shrK A) {|Nonce NA, Agent Aa, Agent A|}|}
9.240 - : set evs3;
9.241 + \\<in> set evs3;
9.242 Says A B
9.243 {|Nonce NB, Agent A, Agent B,
9.244 Crypt (shrK A) {|Nonce NB, Agent A, Agent B|}|}
9.245 - : set evs3;
9.246 + \\<in> set evs3;
9.247 *)
9.248 writeln "GIVE UP! on NA_Crypt_imp_Server_msg";
9.249
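Review bot: The first hunk changes the statement of the possibility goal, not only its notation: the premise `A ~= B` is dropped, leaving `B ~= Server` alone, so the goal now also claims a completed run when A and B are the same agent. Other goals in this file, such as the one closed by `qed_spec_mp "Crypt_imp_OR1"`, still carry `A ~= B` and explain why it is needed, so a reader may take the omission here for an accident of the symbol conversion. A short comment above the goal, e.g. `(*A ~= B is not needed for possibility*)`, or a line in the commit description would record that the change is intended. The corresponding goal in OtwayRees_AN.ML only loses its `[| |]` brackets, which makes the difference easy to miss.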
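--- a/src/HOL/Auth/OtwayRees_Bad.thy
+++ b/src/HOL/Auth/OtwayRees_Bad.thy
@@ -17,66 +17,66 @@
 inductive otway
 intrs
 (*Initial trace is empty*)
- Nil "[]: otway"
+ Nil "[] \\<in> otway"
 
 (*The spy MAY say anything he CAN say. We do not expect him to
 invent new nonces here, but he can also use NS1. Common to
 all similar protocols.*)
- Fake "[| evs: otway; X: synth (analz (knows Spy evs)) |]
- ==> Says Spy B X # evs : otway"
+ Fake "[| evsf \\<in> otway; X \\<in> synth (analz (knows Spy evsf)) |]
+ ==> Says Spy B X # evsf \\<in> otway"
 
 (*A message that has been sent can be received by the
 intended recipient.*)
- Reception "[| evsr: otway; Says A B X : set evsr |]
- ==> Gets B X # evsr : otway"
+ Reception "[| evsr \\<in> otway; Says A B X \\<in> set evsr |]
+ ==> Gets B X # evsr \\<in> otway"
 
 (*Alice initiates a protocol run*)
- OR1 "[| evs1: otway; Nonce NA ~: used evs1 |]
+ OR1 "[| evs1 \\<in> otway; Nonce NA \\<notin> used evs1 |]
 ==> Says A B {|Nonce NA, Agent A, Agent B,
 Crypt (shrK A) {|Nonce NA, Agent A, Agent B|} |}
- # evs1 : otway"
+ # evs1 \\<in> otway"
 
 (*Bob's response to Alice's message.
 This variant of the protocol does NOT encrypt NB.*)
- OR2 "[| evs2: otway; Nonce NB ~: used evs2;
- Gets B {|Nonce NA, Agent A, Agent B, X|} : set evs2 |]
+ OR2 "[| evs2 \\<in> otway; Nonce NB \\<notin> used evs2;
+ Gets B {|Nonce NA, Agent A, Agent B, X|} \\<in> set evs2 |]
 ==> Says B Server
 {|Nonce NA, Agent A, Agent B, X, Nonce NB,
 Crypt (shrK B) {|Nonce NA, Agent A, Agent B|}|}
- # evs2 : otway"
+ # evs2 \\<in> otway"
 
 (*The Server receives Bob's message and checks that the three NAs
 match. Then he sends a new session key to Bob with a packet for
 forwarding to Alice.*)
- OR3 "[| evs3: otway; Key KAB ~: used evs3;
+ OR3 "[| evs3 \\<in> otway; Key KAB \\<notin> used evs3;
 Gets Server
 {|Nonce NA, Agent A, Agent B,
 Crypt (shrK A) {|Nonce NA, Agent A, Agent B|},
 Nonce NB,
 Crypt (shrK B) {|Nonce NA, Agent A, Agent B|}|}
- : set evs3 |]
+ \\<in> set evs3 |]
 ==> Says Server B
 {|Nonce NA,
 Crypt (shrK A) {|Nonce NA, Key KAB|},
 Crypt (shrK B) {|Nonce NB, Key KAB|}|}
- # evs3 : otway"
+ # evs3 \\<in> otway"
 
 (*Bob receives the Server's (?) message and compares the Nonces with
 those in the message he previously sent the Server.
 Need B ~= Server because we allow messages to self.*)
- OR4 "[| evs4: otway; B ~= Server;
+ OR4 "[| evs4 \\<in> otway; B ~= Server;
 Says B Server {|Nonce NA, Agent A, Agent B, X', Nonce NB,
 Crypt (shrK B) {|Nonce NA, Agent A, Agent B|}|}
- : set evs4;
+ \\<in> set evs4;
 Gets B {|Nonce NA, X, Crypt (shrK B) {|Nonce NB, Key K|}|}
- : set evs4 |]
- ==> Says B A {|Nonce NA, X|} # evs4 : otway"
+ \\<in> set evs4 |]
+ ==> Says B A {|Nonce NA, X|} # evs4 \\<in> otway"
 
 (*This message models possible leaks of session keys. The nonces
 identify the protocol run.*)
- Oops "[| evso: otway;
+ Oops "[| evso \\<in> otway;
 Says Server B {|Nonce NA, X, Crypt (shrK B) {|Nonce NB, Key K|}|}
- : set evso |]
- ==> Notes Spy {|Nonce NA, Nonce NB, Key K|} # evso : otway"
+ \\<in> set evso |]
+ ==> Notes Spy {|Nonce NA, Nonce NB, Key K|} # evso \\<in> otway"
 
 end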
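Review bot: Fake is the only rule in this hunk whose trace variable is renamed (`evs` becomes `evsf`), and the Fake rule of OtwayRees_AN.thy in the same commit keeps `evs`, so the two protocol models now disagree on the convention. Rule variable names surface in the subgoals of `otway.induct` (the commented-out proof state in OtwayRees_Bad.ML shows `evs3`), so the rename is presumably meant to keep Fake's trace apart from the `evs` of the goal being proved; that is inferred, not shown here. Either apply the same rename to the other theories or record the reason next to the rule, e.g. `(*evsf: trace variable of Fake, kept distinct from the goal's evs*)`.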
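--- a/src/HOL/Auth/Recur.ML
+++ b/src/HOL/Auth/Recur.ML
@@ -133,27 +133,6 @@
 Spy_analz_shrK RSN (2, rev_iffD1)];
 
 
-(** Nobody can have used non-existent keys! **)
-
-(*The special case of H={} has the same proof*)
-Goal "[| K \\<in> keysFor (parts (insert RB H)); RB \\<in> responses evs |] \
-\ ==> K \\<in> range shrK | K \\<in> keysFor (parts H)";
-by (etac rev_mp 1);
-by (etac responses.induct 1);
-by Auto_tac;
-qed_spec_mp "Key_in_keysFor_parts";
-
-
-Goal "evs \\<in> recur ==> Key K \\<notin> used evs --> K \\<notin> keysFor (parts (spies evs))";
-by (parts_induct_tac 1);
-(*RA3*)
-by (blast_tac (claset() addSDs [Key_in_keysFor_parts]) 2);
-(*Fake*)
-by (blast_tac (claset() addSDs [keysFor_parts_insert]) 1);
-qed_spec_mp "new_keys_not_used";
-Addsimps [new_keys_not_used];
-
-
 
 (*** Proofs involving analz ***)
 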
12.1 --- a/src/HOL/Auth/Recur.thy Tue Feb 27 12:28:42 2001 +0100
12.2 +++ b/src/HOL/Auth/Recur.thy Tue Feb 27 16:13:23 2001 +0100
12.3 @@ -19,21 +19,21 @@
12.4 consts respond :: "event list => (msg*msg*key)set"
12.5 inductive "respond evs" (*Server's response to the nested message*)
12.6 intrs
12.7 - One "[| Key KAB ~: used evs |]
12.8 + One "Key KAB \\<notin> used evs
12.9 ==> (Hash[Key(shrK A)] {|Agent A, Agent B, Nonce NA, END|},
12.10 {|Crypt (shrK A) {|Key KAB, Agent B, Nonce NA|}, END|},
12.11 - KAB) : respond evs"
12.12 + KAB) \\<in> respond evs"
12.13
12.14 (*The most recent session key is passed up to the caller*)
12.15 - Cons "[| (PA, RA, KAB) : respond evs;
12.16 - Key KBC ~: used evs; Key KBC ~: parts {RA};
12.17 + Cons "[| (PA, RA, KAB) \\<in> respond evs;
12.18 + Key KBC \\<notin> used evs; Key KBC \\<notin> parts {RA};
12.19 PA = Hash[Key(shrK A)] {|Agent A, Agent B, Nonce NA, P|} |]
12.20 ==> (Hash[Key(shrK B)] {|Agent B, Agent C, Nonce NB, PA|},
12.21 {|Crypt (shrK B) {|Key KBC, Agent C, Nonce NB|},
12.22 Crypt (shrK B) {|Key KAB, Agent A, Nonce NB|},
12.23 RA|},
12.24 KBC)
12.25 - : respond evs"
12.26 + \\<in> respond evs"
12.27
12.28
12.29 (*Induction over "respond" can be difficult due to the complexity of the
12.30 @@ -43,52 +43,52 @@
12.31 inductive "responses evs"
12.32 intrs
12.33 (*Server terminates lists*)
12.34 - Nil "END : responses evs"
12.35 + Nil "END \\<in> responses evs"
12.36
12.37 - Cons "[| RA : responses evs; Key KAB ~: used evs |]
12.38 + Cons "[| RA \\<in> responses evs; Key KAB \\<notin> used evs |]
12.39 ==> {|Crypt (shrK B) {|Key KAB, Agent A, Nonce NB|},
12.40 - RA|} : responses evs"
12.41 + RA|} \\<in> responses evs"
12.42
12.43
12.44 consts recur :: event list set
12.45 inductive "recur"
12.46 intrs
12.47 (*Initial trace is empty*)
12.48 - Nil "[]: recur"
12.49 + Nil "[] \\<in> recur"
12.50
12.51 (*The spy MAY say anything he CAN say. Common to
12.52 all similar protocols.*)
12.53 Fake "[| evs: recur; X: synth (analz (spies evs)) |]
12.54 - ==> Says Spy B X # evs : recur"
12.55 + ==> Says Spy B X # evs \\<in> recur"
12.56
12.57 (*Alice initiates a protocol run.
12.58 END is a placeholder to terminate the nesting.*)
12.59 - RA1 "[| evs1: recur; Nonce NA ~: used evs1 |]
12.60 + RA1 "[| evs1: recur; Nonce NA \\<notin> used evs1 |]
12.61 ==> Says A B (Hash[Key(shrK A)] {|Agent A, Agent B, Nonce NA, END|})
12.62 - # evs1 : recur"
12.63 + # evs1 \\<in> recur"
12.64
12.65 (*Bob's response to Alice's message. C might be the Server.
12.66 We omit PA = {|XA, Agent A, Agent B, Nonce NA, P|} because
12.67 it complicates proofs, so B may respond to any message at all!*)
12.68 - RA2 "[| evs2: recur; Nonce NB ~: used evs2;
12.69 - Says A' B PA : set evs2 |]
12.70 + RA2 "[| evs2: recur; Nonce NB \\<notin> used evs2;
12.71 + Says A' B PA \\<in> set evs2 |]
12.72 ==> Says B C (Hash[Key(shrK B)] {|Agent B, Agent C, Nonce NB, PA|})
12.73 - # evs2 : recur"
12.74 + # evs2 \\<in> recur"
12.75
12.76 (*The Server receives Bob's message and prepares a response.*)
12.77 - RA3 "[| evs3: recur; Says B' Server PB : set evs3;
12.78 - (PB,RB,K) : respond evs3 |]
12.79 - ==> Says Server B RB # evs3 : recur"
12.80 + RA3 "[| evs3: recur; Says B' Server PB \\<in> set evs3;
12.81 + (PB,RB,K) \\<in> respond evs3 |]
12.82 + ==> Says Server B RB # evs3 \\<in> recur"
12.83
12.84 (*Bob receives the returned message and compares the Nonces with
12.85 those in the message he previously sent the Server.*)
12.86 RA4 "[| evs4: recur;
12.87 Says B C {|XH, Agent B, Agent C, Nonce NB,
12.88 - XA, Agent A, Agent B, Nonce NA, P|} : set evs4;
12.89 + XA, Agent A, Agent B, Nonce NA, P|} \\<in> set evs4;
12.90 Says C' B {|Crypt (shrK B) {|Key KBC, Agent C, Nonce NB|},
12.91 Crypt (shrK B) {|Key KAB, Agent A, Nonce NB|},
12.92 - RA|} : set evs4 |]
12.93 - ==> Says B A RA # evs4 : recur"
12.94 + RA|} \\<in> set evs4 |]
12.95 + ==> Says B A RA # evs4 \\<in> recur"
12.96
12.97 end
12.98
12.99 @@ -100,7 +100,7 @@
12.100 the chain. Oops cases proved using parts_cut, Key_in_keysFor_parts,
12.101 etc.
12.102
12.103 - Oops "[| evso: recur; Says Server B RB : set evso;
12.104 - RB : responses evs'; Key K : parts {RB} |]
12.105 - ==> Notes Spy {|Key K, RB|} # evso : recur"
12.106 + Oops "[| evso: recur; Says Server B RB \\<in> set evso;
12.107 + RB \\<in> responses evs'; Key K \\<in> parts {RB} |]
12.108 + ==> Notes Spy {|Key K, RB|} # evso \\<in> recur"
12.109 *)
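--- a/src/HOL/Auth/Shared_lemmas.ML Tue Feb 27 12:28:42 2001 +0100
+++ b/src/HOL/Auth/Shared_lemmas.ML Tue Feb 27 16:13:23 2001 +0100
@@ -56,25 +56,12 @@
 qed "Spy_knows_Spy_bad";
 AddSIs [Spy_knows_Spy_bad];
 
-(*For not_bad_tac*)
+(*For case analysis on whether or not an agent is compromised*)
 Goal "[| Crypt (shrK A) X : analz (knows Spy evs); A: bad |] \
-\ ==> X : analz (knows Spy evs)";
+\ ==> X : analz (knows Spy evs)";
 by (force_tac (claset() addSDs [analz.Decrypt], simpset()) 1);
 qed "Crypt_Spy_analz_bad";
 
-(*Prove that the agent is uncompromised by the confidentiality of
- a component of a message she's said.*)
-fun not_bad_tac s =
- case_tac ("(" ^ s ^ ") : bad") THEN'
- SELECT_GOAL
- (REPEAT_DETERM (etac exE 1) THEN
- REPEAT_DETERM (dtac (Says_imp_spies RS analz.Inj) 1) THEN
- REPEAT_DETERM (etac MPair_analz 1) THEN
- THEN_BEST_FIRST
- (dres_inst_tac [("A", s)] Crypt_Spy_analz_bad 1 THEN assume_tac 1)
- (has_fewer_prems 1, size_of_thm)
- (Step_tac 1));
-
 
 (** Fresh keys never clash with long-term shared keys **)
 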
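Review bot: The goal of `Crypt_Spy_analz_bad` still uses the ASCII membership operator on a line this commit rewrites, while the other Auth files in the same commit move to symbol syntax. For consistency the goal could read `"[| Crypt (shrK A) X \\<in> analz (knows Spy evs); A \\<in> bad |] \` followed by `\ ==> X \\<in> analz (knows Spy evs)";`. The same hunk deletes `not_bad_tac`, so any proof script that still calls it will stop loading. No caller is visible in this section, so the remaining call sites should be checked separately.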
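--- a/src/HOL/Auth/TLS.ML Tue Feb 27 12:28:42 2001 +0100
+++ b/src/HOL/Auth/TLS.ML Tue Feb 27 16:13:23 2001 +0100
@@ -32,13 +32,13 @@
 
 (*** clientK and serverK make symmetric keys; no clashes with pubK or priK ***)
 
-Goal "pubK A ~= sessionK arg";
+Goal "pubK A \\<noteq> sessionK arg";
 by (rtac notI 1);
 by (dres_inst_tac [("f","isSymKey")] arg_cong 1);
 by (Full_simp_tac 1);
 qed "pubK_neq_sessionK";
 
-Goal "priK A ~= sessionK arg";
+Goal "priK A \\<noteq> sessionK arg";
 by (rtac notI 1);
 by (dres_inst_tac [("f","isSymKey")] arg_cong 1);
 by (Full_simp_tac 1);
@@ -55,17 +55,17 @@
 
 
 (** These proofs assume that the Nonce_supply nonces
- (which have the form @ N. Nonce N ~: used evs)
+ (which have the form @ N. Nonce N \\<notin> used evs)
 lie outside the range of PRF. It seems reasonable, but as it is needed
 only for the possibility theorems, it is not taken as an axiom.
 **)
 
 
 (*Possibility property ending with ClientAccepts.*)
-Goal "[| ALL evs. (@ N. Nonce N ~: used evs) ~: range PRF; \
-\ A ~= B |] \
-\ ==> EX SID M. EX evs: tls. \
-\ Notes A {|Number SID, Agent A, Agent B, Nonce M|} : set evs";
+Goal "[| \\<forall>evs. (@ N. Nonce N \\<notin> used evs) \\<notin> range PRF; \
+\ A \\<noteq> B |] \
+\ ==> \\<exists>SID M. \\<exists>evs \\<in> tls. \
+\ Notes A {|Number SID, Agent A, Agent B, Nonce M|} \\<in> set evs";
 by (REPEAT (resolve_tac [exI,bexI] 1));
 by (rtac (tls.Nil RS tls.ClientHello RS tls.ServerHello RS tls.Certificate RS
 tls.ClientKeyExch RS tls.ClientFinished RS tls.ServerFinished RS
@@ -75,10 +75,10 @@
 result();
 
 (*And one for ServerAccepts. Either FINISHED message may come first.*)
-Goal "[| ALL evs. (@ N. Nonce N ~: used evs) ~: range PRF; \
-\ A ~= B |] \
-\ ==> EX SID NA PA NB PB M. EX evs: tls. \
-\ Notes B {|Number SID, Agent A, Agent B, Nonce M|} : set evs";
+Goal "[| \\<forall>evs. (@ N. Nonce N \\<notin> used evs) \\<notin> range PRF; \
+\ A \\<noteq> B |] \
+\ ==> \\<exists>SID NA PA NB PB M. \\<exists>evs \\<in> tls. \
+\ Notes B {|Number SID, Agent A, Agent B, Nonce M|} \\<in> set evs";
 by (REPEAT (resolve_tac [exI,bexI] 1));
 by (rtac (tls.Nil RS tls.ClientHello RS tls.ServerHello RS tls.Certificate RS
 tls.ClientKeyExch RS tls.ServerFinished RS tls.ClientFinished RS
@@ -88,10 +88,10 @@
 result();
 
 (*Another one, for CertVerify (which is optional)*)
-Goal "[| ALL evs. (@ N. Nonce N ~: used evs) ~: range PRF; \
-\ A ~= B |] \
-\ ==> EX NB PMS. EX evs: tls. \
-\ Says A B (Crypt (priK A) (Hash{|Nonce NB, Agent B, Nonce PMS|})) : set evs";
+Goal "[| \\<forall>evs. (@ N. Nonce N \\<notin> used evs) \\<notin> range PRF; \
+\ A \\<noteq> B |] \
+\ ==> \\<exists>NB PMS. \\<exists>evs \\<in> tls. \
+\ Says A B (Crypt (priK A) (Hash{|Nonce NB, Agent B, Nonce PMS|})) \\<in> set evs";
 by (REPEAT (resolve_tac [exI,bexI] 1));
 by (rtac (tls.Nil RS tls.ClientHello RS tls.ServerHello RS tls.Certificate RS
 tls.ClientKeyExch RS tls.CertVerify) 2);
@@ -100,17 +100,17 @@
 result();
 
 (*Another one, for session resumption (both ServerResume and ClientResume) *)
-Goal "[| evs0 : tls; \
-\ Notes A {|Number SID, Agent A, Agent B, Nonce M|} : set evs0; \
-\ Notes B {|Number SID, Agent A, Agent B, Nonce M|} : set evs0; \
-\ ALL evs. (@ N. Nonce N ~: used evs) ~: range PRF; \
-\ A ~= B |] \
-\ ==> EX NA PA NB PB X. EX evs: tls. \
+Goal "[| evs0 \\<in> tls; \
+\ Notes A {|Number SID, Agent A, Agent B, Nonce M|} \\<in> set evs0; \
+\ Notes B {|Number SID, Agent A, Agent B, Nonce M|} \\<in> set evs0; \
+\ \\<forall>evs. (@ N. Nonce N \\<notin> used evs) \\<notin> range PRF; \
+\ A \\<noteq> B |] \
+\ ==> \\<exists>NA PA NB PB X. \\<exists>evs \\<in> tls. \
 \ X = Hash{|Number SID, Nonce M, \
 \ Nonce NA, Number PA, Agent A, \
 \ Nonce NB, Number PB, Agent B|} & \
-\ Says A B (Crypt (clientK(NA,NB,M)) X) : set evs & \
-\ Says B A (Crypt (serverK(NA,NB,M)) X) : set evs";
+\ Says A B (Crypt (clientK(NA,NB,M)) X) \\<in> set evs & \
+\ Says B A (Crypt (serverK(NA,NB,M)) X) \\<in> set evs";
 by (REPEAT (resolve_tac [exI,bexI] 1));
 by (etac (tls.ClientHello RS tls.ServerHello RS tls.ServerResume RS
 tls.ClientResume) 2);
@@ -124,7 +124,7 @@
 
 
 (*Induction for regularity theorems. If induction formula has the form
- X ~: analz (spies evs) --> ... then it shortens the proof by discarding
+ X \\<notin> analz (spies evs) --> ... then it shortens the proof by discarding
 needless information about analz (insert X (spies evs)) *)
 fun parts_induct_tac i =
 etac tls.induct i
@@ -133,17 +133,17 @@
 ALLGOALS Asm_simp_tac;
 
 
-(** Theorems of the form X ~: parts (spies evs) imply that NOBODY
+(** Theorems of the form X \\<notin> parts (spies evs) imply that NOBODY
 sends messages containing X! **)
 
 (*Spy never sees another agent's private key! (unless it's bad at start)*)
-Goal "evs : tls ==> (Key (priK A) : parts (spies evs)) = (A : bad)";
+Goal "evs \\<in> tls ==> (Key (priK A) \\<in> parts (spies evs)) = (A \\<in> bad)";
 by (parts_induct_tac 1);
 by (Blast_tac 1);
 qed "Spy_see_priK";
 Addsimps [Spy_see_priK];
 
-Goal "evs : tls ==> (Key (priK A) : analz (spies evs)) = (A : bad)";
+Goal "evs \\<in> tls ==> (Key (priK A) \\<in> analz (spies evs)) = (A \\<in> bad)";
 by Auto_tac;
 qed "Spy_analz_priK";
 Addsimps [Spy_analz_priK];
@@ -157,7 +157,7 @@
 little point in doing so: the loss of their private keys is a worse
 breach of security.*)
 Goalw [certificate_def]
- "[| certificate B KB : parts (spies evs); evs : tls |] ==> pubK B = KB";
+ "[| certificate B KB \\<in> parts (spies evs); evs \\<in> tls |] ==> pubK B = KB";
 by (etac rev_mp 1);
 by (parts_induct_tac 1);
 by (Blast_tac 1);
@@ -181,17 +181,17 @@
 
 (*** Properties of items found in Notes ***)
 
-Goal "[| Notes A {|Agent B, X|} : set evs; evs : tls |] \
-\ ==> Crypt (pubK B) X : parts (spies evs)";
+Goal "[| Notes A {|Agent B, X|} \\<in> set evs; evs \\<in> tls |] \
+\ ==> Crypt (pubK B) X \\<in> parts (spies evs)";
 by (etac rev_mp 1);
 by (analz_induct_tac 1);
 by (blast_tac (claset() addIs [parts_insertI]) 1);
 qed "Notes_Crypt_parts_spies";
 
 (*C may be either A or B*)
-Goal "[| Notes C {|s, Agent A, Agent B, Nonce(PRF(PMS,NA,NB))|} : set evs; \
-\ evs : tls |] \
-\ ==> Crypt (pubK B) (Nonce PMS) : parts (spies evs)";
+Goal "[| Notes C {|s, Agent A, Agent B, Nonce(PRF(PMS,NA,NB))|} \\<in> set evs; \
+\ evs \\<in> tls |] \
+\ ==> Crypt (pubK B) (Nonce PMS) \\<in> parts (spies evs)";
 by (etac rev_mp 1);
 by (parts_induct_tac 1);
 by (ALLGOALS Clarify_tac);
@@ -202,9 +202,9 @@
 qed "Notes_master_imp_Crypt_PMS";
 
 (*Compared with the theorem above, both premise and conclusion are stronger*)
-Goal "[| Notes A {|s, Agent A, Agent B, Nonce(PRF(PMS,NA,NB))|} : set evs;\
-\ evs : tls |] \
-\ ==> Notes A {|Agent B, Nonce PMS|} : set evs";
+Goal "[| Notes A {|s, Agent A, Agent B, Nonce(PRF(PMS,NA,NB))|} \\<in> set evs;\
+\ evs \\<in> tls |] \
+\ ==> Notes A {|Agent B, Nonce PMS|} \\<in> set evs";
 by (etac rev_mp 1);
 by (parts_induct_tac 1);
 (*ServerAccepts*)
@@ -215,10 +215,10 @@
 (*** Protocol goal: if B receives CertVerify, then A sent it ***)
 
 (*B can check A's signature if he has received A's certificate.*)
-Goal "[| X : parts (spies evs); \
+Goal "[| X \\<in> parts (spies evs); \
 \ X = Crypt (priK A) (Hash{|nb, Agent B, pms|}); \
-\ evs : tls; A ~: bad |] \
-\ ==> Says A B X : set evs";
+\ evs \\<in> tls; A \\<notin> bad |] \
+\ ==> Says A B X \\<in> set evs";
 by (etac rev_mp 1);
 by (hyp_subst_tac 1);
 by (parts_induct_tac 1);
@@ -226,20 +226,20 @@
 val lemma = result();
 
 (*Final version: B checks X using the distributed KA instead of priK A*)
-Goal "[| X : parts (spies evs); \
+Goal "[| X \\<in> parts (spies evs); \
 \ X = Crypt (invKey KA) (Hash{|nb, Agent B, pms|}); \
-\ certificate A KA : parts (spies evs); \
-\ evs : tls; A ~: bad |] \
-\ ==> Says A B X : set evs";
+\ certificate A KA \\<in> parts (spies evs); \
+\ evs \\<in> tls; A \\<notin> bad |] \
+\ ==> Says A B X \\<in> set evs";
 by (blast_tac (claset() addSDs [certificate_valid] addSIs [lemma]) 1);
 qed "TrustCertVerify";
 
 
 (*If CertVerify is present then A has chosen PMS.*)
 Goal "[| Crypt (priK A) (Hash{|nb, Agent B, Nonce PMS|}) \
-\ : parts (spies evs); \
-\ evs : tls; A ~: bad |] \
-\ ==> Notes A {|Agent B, Nonce PMS|} : set evs";
+\ \\<in> parts (spies evs); \
+\ evs \\<in> tls; A \\<notin> bad |] \
+\ ==> Notes A {|Agent B, Nonce PMS|} \\<in> set evs";
 by (etac rev_mp 1);
 by (parts_induct_tac 1);
 by (Blast_tac 1);
@@ -247,15 +247,15 @@
 
 (*Final version using the distributed KA instead of priK A*)
 Goal "[| Crypt (invKey KA) (Hash{|nb, Agent B, Nonce PMS|}) \
-\ : parts (spies evs); \
-\ certificate A KA : parts (spies evs); \
-\ evs : tls; A ~: bad |] \
-\ ==> Notes A {|Agent B, Nonce PMS|} : set evs";
+\ \\<in> parts (spies evs); \
+\ certificate A KA \\<in> parts (spies evs); \
+\ evs \\<in> tls; A \\<notin> bad |] \
+\ ==> Notes A {|Agent B, Nonce PMS|} \\<in> set evs";
 by (blast_tac (claset() addSDs [certificate_valid] addSIs [lemma]) 1);
 qed "UseCertVerify";
 
 
-Goal "evs : tls ==> Notes A {|Agent B, Nonce (PRF x)|} ~: set evs";
+Goal "evs \\<in> tls ==> Notes A {|Agent B, Nonce (PRF x)|} \\<notin> set evs";
 by (parts_induct_tac 1);
 (*ClientKeyExch: PMS is assumed to differ from any PRF.*)
 by (Blast_tac 1);
@@ -263,8 +263,8 @@
 Addsimps [no_Notes_A_PRF];
 
 
-Goal "[| Nonce (PRF (PMS,NA,NB)) : parts (spies evs); evs : tls |] \
-\ ==> Nonce PMS : parts (spies evs)";
+Goal "[| Nonce (PRF (PMS,NA,NB)) \\<in> parts (spies evs); evs \\<in> tls |] \
+\ ==> Nonce PMS \\<in> parts (spies evs)";
 by (etac rev_mp 1);
 by (parts_induct_tac 1);
 (*Easy, e.g. by freshness*)
@@ -279,10 +279,10 @@
 (*** Unicity results for PMS, the pre-master-secret ***)
 
 (*PMS determines B.*)
-Goal "[| Crypt(pubK B) (Nonce PMS) : parts (spies evs); \
-\ Crypt(pubK B') (Nonce PMS) : parts (spies evs); \
-\ Nonce PMS ~: analz (spies evs); \
-\ evs : tls |] \
+Goal "[| Crypt(pubK B) (Nonce PMS) \\<in> parts (spies evs); \
+\ Crypt(pubK B') (Nonce PMS) \\<in> parts (spies evs); \
+\ Nonce PMS \\<notin> analz (spies evs); \
+\ evs \\<in> tls |] \
 \ ==> B=B'";
 by (etac rev_mp 1);
 by (etac rev_mp 1);
@@ -300,9 +300,9 @@
 **)
 
 (*In A's internal Note, PMS determines A and B.*)
-Goal "[| Notes A {|Agent B, Nonce PMS|} : set evs; \
-\ Notes A' {|Agent B', Nonce PMS|} : set evs; \
-\ evs : tls |] \
+Goal "[| Notes A {|Agent B, Nonce PMS|} \\<in> set evs; \
+\ Notes A' {|Agent B', Nonce PMS|} \\<in> set evs; \
+\ evs \\<in> tls |] \
 \ ==> A=A' & B=B'";
 by (etac rev_mp 1);
 by (etac rev_mp 1);
@@ -316,9 +316,9 @@
 
 (*Key compromise lemma needed to prove analz_image_keys.
 No collection of keys can help the spy get new private keys.*)
-Goal "evs : tls \
-\ ==> ALL KK. (Key(priK B) : analz (Key`KK Un (spies evs))) = \
-\ (priK B : KK | B : bad)";
+Goal "evs \\<in> tls \
+\ ==> \\<forall>KK. (Key(priK B) \\<in> analz (Key`KK Un (spies evs))) = \
+\ (priK B \\<in> KK | B \\<in> bad)";
 by (etac tls.induct 1);
 by (ALLGOALS
 (asm_simp_tac (analz_image_keys_ss
@@ -329,25 +329,25 @@
 
 
 (*slightly speeds up the big simplification below*)
-Goal "KK <= range sessionK ==> priK B ~: KK";
+Goal "KK <= range sessionK ==> priK B \\<notin> KK";
 by (Blast_tac 1);
 val range_sessionkeys_not_priK = result();
 
 (*Lemma for the trivial direction of the if-and-only-if*)
-Goal "(X : analz (G Un H)) --> (X : analz H) ==> \
-\ (X : analz (G Un H)) = (X : analz H)";
+Goal "(X \\<in> analz (G Un H)) --> (X \\<in> analz H) ==> \
+\ (X \\<in> analz (G Un H)) = (X \\<in> analz H)";
 by (blast_tac (claset() addIs [impOfSubs analz_mono]) 1);
 val analz_image_keys_lemma = result();
 
 (** Strangely, the following version doesn't work:
-\ ALL Z. (Nonce N : analz (Key`(sessionK`Z) Un (spies evs))) = \
-\ (Nonce N : analz (spies evs))";
+\ \\<forall>Z. (Nonce N \\<in> analz (Key`(sessionK`Z) Un (spies evs))) = \
+\ (Nonce N \\<in> analz (spies evs))";
 **)
 
-Goal "evs : tls ==> \
-\ ALL KK. KK <= range sessionK --> \
-\ (Nonce N : analz (Key`KK Un (spies evs))) = \
-\ (Nonce N : analz (spies evs))";
+Goal "evs \\<in> tls ==> \
+\ \\<forall>KK. KK <= range sessionK --> \
+\ (Nonce N \\<in> analz (Key`KK Un (spies evs))) = \
+\ (Nonce N \\<in> analz (spies evs))";
 by (etac tls.induct 1);
 by (ClientKeyExch_tac 7);
 by (REPEAT_FIRST (resolve_tac [allI, impI]));
@@ -363,9 +363,9 @@
 qed_spec_mp "analz_image_keys";
 
 (*Knowing some session keys is no help in getting new nonces*)
-Goal "evs : tls ==> \
-\ Nonce N : analz (insert (Key (sessionK z)) (spies evs)) = \
-\ (Nonce N : analz (spies evs))";
+Goal "evs \\<in> tls ==> \
+\ Nonce N \\<in> analz (insert (Key (sessionK z)) (spies evs)) = \
+\ (Nonce N \\<in> analz (spies evs))";
 by (asm_simp_tac (analz_image_keys_ss addsimps [analz_image_keys]) 1);
 qed "analz_insert_key";
 Addsimps [analz_insert_key];
@@ -380,10 +380,10 @@
 Nonces don't have to agree, allowing session resumption.
 Converse doesn't hold; revealing PMS doesn't force the keys to be sent.
 THEY ARE NOT SUITABLE AS SAFE ELIM RULES.*)
-Goal "[| Nonce PMS ~: parts (spies evs); \
+Goal "[| Nonce PMS \\<notin> parts (spies evs); \
 \ K = sessionK((Na, Nb, PRF(PMS,NA,NB)), role); \
-\ evs : tls |] \
-\ ==> Key K ~: parts (spies evs) & (ALL Y. Crypt K Y ~: parts (spies evs))";
+\ evs \\<in> tls |] \
+\ ==> Key K \\<notin> parts (spies evs) & (\\<forall>Y. Crypt K Y \\<notin> parts (spies evs))";
 by (etac rev_mp 1);
 by (hyp_subst_tac 1);
 by (analz_induct_tac 1);
@@ -399,15 +399,15 @@
 simpset()) 1));
 val lemma = result();
 
-Goal "[| Key (sessionK((Na, Nb, PRF(PMS,NA,NB)), role)) : parts (spies evs); \
-\ evs : tls |] \
-\ ==> Nonce PMS : parts (spies evs)";
+Goal "[| Key (sessionK((Na, Nb, PRF(PMS,NA,NB)), role)) \\<in> parts (spies evs); \
+\ evs \\<in> tls |] \
+\ ==> Nonce PMS \\<in> parts (spies evs)";
 by (blast_tac (claset() addDs [lemma]) 1);
 qed "PMS_sessionK_not_spied";
 
 Goal "[| Crypt (sessionK((Na, Nb, PRF(PMS,NA,NB)), role)) Y \
-\ : parts (spies evs); evs : tls |] \
-\ ==> Nonce PMS : parts (spies evs)";
+\ \\<in> parts (spies evs); evs \\<in> tls |] \
+\ ==> Nonce PMS \\<in> parts (spies evs)";
 by (blast_tac (claset() addDs [lemma]) 1);
 qed "PMS_Crypt_sessionK_not_spied";
 
@@ -416,9 +416,9 @@
 The strong Oops condition can be weakened later by unicity reasoning,
 with some effort.
 NO LONGER USED: see clientK_not_spied and serverK_not_spied*)
-Goal "[| ALL A. Says A Spy (Key (sessionK((NA,NB,M),role))) ~: set evs; \
-\ Nonce M ~: analz (spies evs); evs : tls |] \
-\ ==> Key (sessionK((NA,NB,M),role)) ~: parts (spies evs)";
+Goal "[| \\<forall>A. Says A Spy (Key (sessionK((NA,NB,M),role))) \\<notin> set evs; \
+\ Nonce M \\<notin> analz (spies evs); evs \\<in> tls |] \
+\ ==> Key (sessionK((NA,NB,M),role)) \\<notin> parts (spies evs)";
 by (etac rev_mp 1);
 by (etac rev_mp 1);
 by (analz_induct_tac 1); (*5 seconds*)
@@ -430,11 +430,11 @@
 
 
 (*If A sends ClientKeyExch to an honest B, then the PMS will stay secret.*)
-Goal "[| evs : tls; A ~: bad; B ~: bad |] \
-\ ==> Notes A {|Agent B, Nonce PMS|} : set evs --> \
-\ Nonce PMS ~: analz (spies evs)";
+Goal "[| evs \\<in> tls; A \\<notin> bad; B \\<notin> bad |] \
+\ ==> Notes A {|Agent B, Nonce PMS|} \\<in> set evs --> \
+\ Nonce PMS \\<notin> analz (spies evs)";
 by (analz_induct_tac 1); (*4 seconds*)
-(*ClientAccepts and ServerAccepts: because PMS ~: range PRF*)
+(*ClientAccepts and ServerAccepts: because PMS \\<notin> range PRF*)
 by (REPEAT (Force_tac 6));
 (*ClientHello, ServerHello, ClientKeyExch, ServerResume:
 mostly freshness reasoning*)
@@ -450,9 +450,9 @@
 
 (*If A sends ClientKeyExch to an honest B, then the MASTER SECRET
 will stay secret.*)
-Goal "[| evs : tls; A ~: bad; B ~: bad |] \
-\ ==> Notes A {|Agent B, Nonce PMS|} : set evs --> \
-\ Nonce (PRF(PMS,NA,NB)) ~: analz (spies evs)";
+Goal "[| evs \\<in> tls; A \\<notin> bad; B \\<notin> bad |] \
+\ ==> Notes A {|Agent B, Nonce PMS|} \\<in> set evs --> \
+\ Nonce (PRF(PMS,NA,NB)) \\<notin> analz (spies evs)";
 by (analz_induct_tac 1); (*4 seconds*)
 (*ClientAccepts and ServerAccepts: because PMS was already visible*)
 by (REPEAT (blast_tac (claset() addDs [Spy_not_see_PMS,
@@ -476,9 +476,9 @@
 
 (*If A created PMS then nobody else (except the Spy in replays)
 would send a message using a clientK generated from that PMS.*)
-Goal "[| Says A' B' (Crypt (clientK(Na,Nb,PRF(PMS,NA,NB))) Y) : set evs; \
-\ Notes A {|Agent B, Nonce PMS|} : set evs; \
-\ evs : tls; A' ~= Spy |] \
+Goal "[| Says A' B' (Crypt (clientK(Na,Nb,PRF(PMS,NA,NB))) Y) \\<in> set evs; \
+\ Notes A {|Agent B, Nonce PMS|} \\<in> set evs; \
+\ evs \\<in> tls; A' \\<noteq> Spy |] \
 \ ==> A = A'";
 by (etac rev_mp 1);
 by (etac rev_mp 1);
@@ -496,11 +496,11 @@
 
 (*If A created PMS and has not leaked her clientK to the Spy,
 then it is completely secure: not even in parts!*)
-Goal "[| Notes A {|Agent B, Nonce PMS|} : set evs; \
-\ Says A Spy (Key (clientK(Na,Nb,PRF(PMS,NA,NB)))) ~: set evs; \
-\ A ~: bad; B ~: bad; \
-\ evs : tls |] \
-\ ==> Key (clientK(Na,Nb,PRF(PMS,NA,NB))) ~: parts (spies evs)";
+Goal "[| Notes A {|Agent B, Nonce PMS|} \\<in> set evs; \
+\ Says A Spy (Key (clientK(Na,Nb,PRF(PMS,NA,NB)))) \\<notin> set evs; \
+\ A \\<notin> bad; B \\<notin> bad; \
+\ evs \\<in> tls |] \
+\ ==> Key (clientK(Na,Nb,PRF(PMS,NA,NB))) \\<notin> parts (spies evs)";
 by (etac rev_mp 1);
 by (etac rev_mp 1);
 by (analz_induct_tac 1); (*4 seconds*)
@@ -519,9 +519,9 @@
 
 (*If A created PMS for B, then nobody other than B or the Spy would
 send a message using a serverK generated from that PMS.*)
-Goal "[| Says B' A' (Crypt (serverK(Na,Nb,PRF(PMS,NA,NB))) Y) : set evs; \
-\ Notes A {|Agent B, Nonce PMS|} : set evs; \
-\ evs : tls; A ~: bad; B ~: bad; B' ~= Spy |] \
+Goal "[| Says B' A' (Crypt (serverK(Na,Nb,PRF(PMS,NA,NB))) Y) \\<in> set evs; \
+\ Notes A {|Agent B, Nonce PMS|} \\<in> set evs; \
+\ evs \\<in> tls; A \\<notin> bad; B \\<notin> bad; B' \\<noteq> Spy |] \
 \ ==> B = B'";
 by (etac rev_mp 1);
 by (etac rev_mp 1);
@@ -540,10 +540,10 @@
 
 (*If A created PMS for B, and B has not leaked his serverK to the Spy,
 then it is completely secure: not even in parts!*)
-Goal "[| Notes A {|Agent B, Nonce PMS|} : set evs; \
-\ Says B Spy (Key(serverK(Na,Nb,PRF(PMS,NA,NB)))) ~: set evs; \
-\ A ~: bad; B ~: bad; evs : tls |] \
-\ ==> Key (serverK(Na,Nb,PRF(PMS,NA,NB))) ~: parts (spies evs)";
+Goal "[| Notes A {|Agent B, Nonce PMS|} \\<in> set evs; \
+\ Says B Spy (Key(serverK(Na,Nb,PRF(PMS,NA,NB)))) \\<notin> set evs; \
+\ A \\<notin> bad; B \\<notin> bad; evs \\<in> tls |] \
+\ ==> Key (serverK(Na,Nb,PRF(PMS,NA,NB))) \\<notin> parts (spies evs)";
 by (etac rev_mp 1);
 by (etac rev_mp 1);
 by (analz_induct_tac 1);
@@ -569,10 +569,10 @@
 \ Nonce Na, Number PA, Agent A, \
 \ Nonce Nb, Number PB, Agent B|}); \
 \ M = PRF(PMS,NA,NB); \
-\ evs : tls; A ~: bad; B ~: bad |] \
-\ ==> Says B Spy (Key(serverK(Na,Nb,M))) ~: set evs --> \
-\ Notes A {|Agent B, Nonce PMS|} : set evs --> \
-\ X : parts (spies evs) --> Says B A X : set evs";
+\ evs \\<in> tls; A \\<notin> bad; B \\<notin> bad |] \
+\ ==> Says B Spy (Key(serverK(Na,Nb,M))) \\<notin> set evs --> \
+\ Notes A {|Agent B, Nonce PMS|} \\<in> set evs --> \
+\ X \\<in> parts (spies evs) --> Says B A X \\<in> set evs";
 by (hyp_subst_tac 1);
 by (analz_induct_tac 1); (*7 seconds*)
 by (ALLGOALS Clarify_tac);
@@ -587,11 +587,11 @@
 have changed A's identity in all other messages, so we can't be sure
 that B sends his message to A. If CLIENT KEY EXCHANGE were augmented
 to bind A's identity with PMS, then we could replace A' by A below.*)
-Goal "[| M = PRF(PMS,NA,NB); evs : tls; A ~: bad; B ~: bad |] \
-\ ==> Says B Spy (Key(serverK(Na,Nb,M))) ~: set evs --> \
-\ Notes A {|Agent B, Nonce PMS|} : set evs --> \
-\ Crypt (serverK(Na,Nb,M)) Y : parts (spies evs) --> \
-\ (EX A'. Says B A' (Crypt (serverK(Na,Nb,M)) Y) : set evs)";
+Goal "[| M = PRF(PMS,NA,NB); evs \\<in> tls; A \\<notin> bad; B \\<notin> bad |] \
+\ ==> Says B Spy (Key(serverK(Na,Nb,M))) \\<notin> set evs --> \
+\ Notes A {|Agent B, Nonce PMS|} \\<in> set evs --> \
+\ Crypt (serverK(Na,Nb,M)) Y \\<in> parts (spies evs) --> \
+\ (\\<exists>A'. Says B A' (Crypt (serverK(Na,Nb,M)) Y) \\<in> set evs)";
 by (hyp_subst_tac 1);
 by (analz_induct_tac 1); (*6 seconds*)
 by (ALLGOALS (asm_simp_tac (simpset() addsimps [ex_disj_distrib])));
@@ -615,11 +615,11 @@
 ClientFinished, then B can then check the quoted values PA, PB, etc.
 ***)
 
-Goal "[| M = PRF(PMS,NA,NB); evs : tls; A ~: bad; B ~: bad |] \
-\ ==> Says A Spy (Key(clientK(Na,Nb,M))) ~: set evs --> \
-\ Notes A {|Agent B, Nonce PMS|} : set evs --> \
-\ Crypt (clientK(Na,Nb,M)) Y : parts (spies evs) --> \
-\ Says A B (Crypt (clientK(Na,Nb,M)) Y) : set evs";
+Goal "[| M = PRF(PMS,NA,NB); evs \\<in> tls; A \\<notin> bad; B \\<notin> bad |] \
+\ ==> Says A Spy (Key(clientK(Na,Nb,M))) \\<notin> set evs --> \
+\ Notes A {|Agent B, Nonce PMS|} \\<in> set evs --> \
+\ Crypt (clientK(Na,Nb,M)) Y \\<in> parts (spies evs) --> \
+\ Says A B (Crypt (clientK(Na,Nb,M)) Y) \\<in> set evs";
 by (hyp_subst_tac 1);
 by (analz_induct_tac 1); (*6 seconds*)
 by (ALLGOALS Clarify_tac);
@@ -640,13 +640,13 @@
 values PA, PB, etc. Even this one requires A to be uncompromised.
 ***)
 Goal "[| M = PRF(PMS,NA,NB); \
-\ Says A Spy (Key(clientK(Na,Nb,M))) ~: set evs;\
-\ Says A' B (Crypt (clientK(Na,Nb,M)) Y) : set evs; \
-\ certificate A KA : parts (spies evs); \
+\ Says A Spy (Key(clientK(Na,Nb,M))) \\<notin> set evs;\
+\ Says A' B (Crypt (clientK(Na,Nb,M)) Y) \\<in> set evs; \
+\ certificate A KA \\<in> parts (spies evs); \
 \ Says A'' B (Crypt (invKey KA) (Hash{|nb, Agent B, Nonce PMS|}))\
-\ : set evs; \
-\ evs : tls; A ~: bad; B ~: bad |] \
-\ ==> Says A B (Crypt (clientK(Na,Nb,M)) Y) : set evs";
+\ \\<in> set evs; \
+\ evs \\<in> tls; A \\<notin> bad; B \\<notin> bad |] \
+\ ==> Says A B (Crypt (clientK(Na,Nb,M)) Y) \\<in> set evs";
 by (blast_tac (claset() addSIs [TrustClientMsg, UseCertVerify]
 addDs [Says_imp_spies RS parts.Inj]) 1);
 qed "AuthClientFinished";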
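Review bot: The rewritten goals now mix symbol and ASCII notation, because the subset and union operators were left as `<=` and `Un` on lines the commit otherwise converts. Examples are `Goal "KK <= range sessionK ==> priK B \\<notin> KK";`, the key-compromise lemma's `analz (Key`KK Un (spies evs))` and the `analz_image_keys` goal. If the symbol syntax for these operators is available in this Isabelle version, converting them too would keep each statement in one notation, e.g. `Goal "KK \\<subseteq> range sessionK ==> priK B \\<notin> KK";`. Statements that are easy to read matter here, since these goals are the secrecy and authentication claims a reader audits against the TLS model. Most of the affected proofs continue outside the visible hunks, so only the goal statements were checked.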
15.1 --- a/src/HOL/Auth/TLS.thy Tue Feb 27 12:28:42 2001 +0100
15.2 +++ b/src/HOL/Auth/TLS.thy Tue Feb 27 16:13:23 2001 +0100
15.3 @@ -82,14 +82,14 @@
15.4 "[]: tls"
15.5
15.6 Fake (*The spy, an active attacker, MAY say anything he CAN say.*)
15.7 - "[| evs: tls; X: synth (analz (spies evs)) |]
15.8 - ==> Says Spy B X # evs : tls"
15.9 + "[| evsf \\<in> tls; X \\<in> synth (analz (spies evsf)) |]
15.10 + ==> Says Spy B X # evsf \\<in> tls"
15.11
15.12 SpyKeys (*The spy may apply PRF & sessionK to available nonces*)
15.13 - "[| evsSK: tls;
15.14 + "[| evsSK \\<in> tls;
15.15 {Nonce NA, Nonce NB, Nonce M} <= analz (spies evsSK) |]
15.16 ==> Notes Spy {| Nonce (PRF(M,NA,NB)),
15.17 - Key (sessionK((NA,NB,M),role)) |} # evsSK : tls"
15.18 + Key (sessionK((NA,NB,M),role)) |} # evsSK \\<in> tls"
15.19
15.20 ClientHello
15.21 (*(7.4.1.2)
15.22 @@ -97,40 +97,40 @@
15.23 It is uninterpreted but will be confirmed in the FINISHED messages.
15.24 NA is CLIENT RANDOM, while SID is SESSION_ID.
15.25 UNIX TIME is omitted because the protocol doesn't use it.
15.26 - May assume NA ~: range PRF because CLIENT RANDOM is 28 bytes
15.27 + May assume NA \\<notin> range PRF because CLIENT RANDOM is 28 bytes
15.28 while MASTER SECRET is 48 bytes*)
15.29 - "[| evsCH: tls; Nonce NA ~: used evsCH; NA ~: range PRF |]
15.30 + "[| evsCH \\<in> tls; Nonce NA \\<notin> used evsCH; NA \\<notin> range PRF |]
15.31 ==> Says A B {|Agent A, Nonce NA, Number SID, Number PA|}
15.32 - # evsCH : tls"
15.33 + # evsCH \\<in> tls"
15.34
15.35 ServerHello
15.36 (*7.4.1.3 of the TLS Internet-Draft
15.37 PB represents CLIENT_VERSION, CIPHER_SUITE and COMPRESSION_METHOD.
15.38 SERVER CERTIFICATE (7.4.2) is always present.
15.39 CERTIFICATE_REQUEST (7.4.4) is implied.*)
15.40 - "[| evsSH: tls; Nonce NB ~: used evsSH; NB ~: range PRF;
15.41 + "[| evsSH \\<in> tls; Nonce NB \\<notin> used evsSH; NB \\<notin> range PRF;
15.42 Says A' B {|Agent A, Nonce NA, Number SID, Number PA|}
15.43 - : set evsSH |]
15.44 - ==> Says B A {|Nonce NB, Number SID, Number PB|} # evsSH : tls"
15.45 + \\<in> set evsSH |]
15.46 + ==> Says B A {|Nonce NB, Number SID, Number PB|} # evsSH \\<in> tls"
15.47
15.48 Certificate
15.49 (*SERVER (7.4.2) or CLIENT (7.4.6) CERTIFICATE.*)
15.50 - "evsC: tls ==> Says B A (certificate B (pubK B)) # evsC : tls"
15.51 + "evsC \\<in> tls ==> Says B A (certificate B (pubK B)) # evsC \\<in> tls"
15.52
15.53 ClientKeyExch
15.54 (*CLIENT KEY EXCHANGE (7.4.7).
15.55 The client, A, chooses PMS, the PREMASTER SECRET.
15.56 She encrypts PMS using the supplied KB, which ought to be pubK B.
15.57 - We assume PMS ~: range PRF because a clash betweem the PMS
15.58 + We assume PMS \\<notin> range PRF because a clash betweem the PMS
15.59 and another MASTER SECRET is highly unlikely (even though
15.60 both items have the same length, 48 bytes).
15.61 The Note event records in the trace that she knows PMS
15.62 (see REMARK at top). *)
15.63 - "[| evsCX: tls; Nonce PMS ~: used evsCX; PMS ~: range PRF;
15.64 - Says B' A (certificate B KB) : set evsCX |]
15.65 + "[| evsCX \\<in> tls; Nonce PMS \\<notin> used evsCX; PMS \\<notin> range PRF;
15.66 + Says B' A (certificate B KB) \\<in> set evsCX |]
15.67 ==> Says A B (Crypt KB (Nonce PMS))
15.68 # Notes A {|Agent B, Nonce PMS|}
15.69 - # evsCX : tls"
15.70 + # evsCX \\<in> tls"
15.71
15.72 CertVerify
15.73 (*The optional Certificate Verify (7.4.8) message contains the
15.74 @@ -138,11 +138,11 @@
15.75 It adds the pre-master-secret, which is also essential!
15.76 Checking the signature, which is the only use of A's certificate,
15.77 assures B of A's presence*)
15.78 - "[| evsCV: tls;
15.79 - Says B' A {|Nonce NB, Number SID, Number PB|} : set evsCV;
15.80 - Notes A {|Agent B, Nonce PMS|} : set evsCV |]
15.81 + "[| evsCV \\<in> tls;
15.82 + Says B' A {|Nonce NB, Number SID, Number PB|} \\<in> set evsCV;
15.83 + Notes A {|Agent B, Nonce PMS|} \\<in> set evsCV |]
15.84 ==> Says A B (Crypt (priK A) (Hash{|Nonce NB, Agent B, Nonce PMS|}))
15.85 - # evsCV : tls"
15.86 + # evsCV \\<in> tls"
15.87
15.88 (*Finally come the FINISHED messages (7.4.8), confirming PA and PB
15.89 among other things. The master-secret is PRF(PMS,NA,NB).
15.90 @@ -153,101 +153,101 @@
15.91 rule's applying when the Spy has satisfied the "Says A B" by
15.92 repaying messages sent by the true client; in that case, the
15.93 Spy does not know PMS and could not send ClientFinished. One
15.94 - could simply put A~=Spy into the rule, but one should not
15.95 + could simply put A\\<noteq>Spy into the rule, but one should not
15.96 expect the spy to be well-behaved.*)
15.97 - "[| evsCF: tls;
15.98 + "[| evsCF \\<in> tls;
15.99 Says A B {|Agent A, Nonce NA, Number SID, Number PA|}
15.100 - : set evsCF;
15.101 - Says B' A {|Nonce NB, Number SID, Number PB|} : set evsCF;
15.102 - Notes A {|Agent B, Nonce PMS|} : set evsCF;
15.103 + \\<in> set evsCF;
15.104 + Says B' A {|Nonce NB, Number SID, Number PB|} \\<in> set evsCF;
15.105 + Notes A {|Agent B, Nonce PMS|} \\<in> set evsCF;
15.106 M = PRF(PMS,NA,NB) |]
15.107 ==> Says A B (Crypt (clientK(NA,NB,M))
15.108 (Hash{|Number SID, Nonce M,
15.109 Nonce NA, Number PA, Agent A,
15.110 Nonce NB, Number PB, Agent B|}))
15.111 - # evsCF : tls"
15.112 + # evsCF \\<in> tls"
15.113
15.114 ServerFinished
15.115 (*Keeping A' and A'' distinct means B cannot even check that the
15.116 two messages originate from the same source. *)
15.117 - "[| evsSF: tls;
15.118 + "[| evsSF \\<in> tls;
15.119 Says A' B {|Agent A, Nonce NA, Number SID, Number PA|}
15.120 - : set evsSF;
15.121 - Says B A {|Nonce NB, Number SID, Number PB|} : set evsSF;
15.122 - Says A'' B (Crypt (pubK B) (Nonce PMS)) : set evsSF;
15.123 + \\<in> set evsSF;
15.124 + Says B A {|Nonce NB, Number SID, Number PB|} \\<in> set evsSF;
15.125 + Says A'' B (Crypt (pubK B) (Nonce PMS)) \\<in> set evsSF;
15.126 M = PRF(PMS,NA,NB) |]
15.127 ==> Says B A (Crypt (serverK(NA,NB,M))
15.128 (Hash{|Number SID, Nonce M,
15.129 Nonce NA, Number PA, Agent A,
15.130 Nonce NB, Number PB, Agent B|}))
15.131 - # evsSF : tls"
15.132 + # evsSF \\<in> tls"
15.133
15.134 ClientAccepts
15.135 (*Having transmitted ClientFinished and received an identical
15.136 message encrypted with serverK, the client stores the parameters
15.137 needed to resume this session. The "Notes A ..." premise is
15.138 used to prove Notes_master_imp_Crypt_PMS.*)
15.139 - "[| evsCA: tls;
15.140 - Notes A {|Agent B, Nonce PMS|} : set evsCA;
15.141 + "[| evsCA \\<in> tls;
15.142 + Notes A {|Agent B, Nonce PMS|} \\<in> set evsCA;
15.143 M = PRF(PMS,NA,NB);
15.144 X = Hash{|Number SID, Nonce M,
15.145 Nonce NA, Number PA, Agent A,
15.146 Nonce NB, Number PB, Agent B|};
15.147 - Says A B (Crypt (clientK(NA,NB,M)) X) : set evsCA;
15.148 - Says B' A (Crypt (serverK(NA,NB,M)) X) : set evsCA |]
15.149 + Says A B (Crypt (clientK(NA,NB,M)) X) \\<in> set evsCA;
15.150 + Says B' A (Crypt (serverK(NA,NB,M)) X) \\<in> set evsCA |]
15.151 ==>
15.152 - Notes A {|Number SID, Agent A, Agent B, Nonce M|} # evsCA : tls"
15.153 + Notes A {|Number SID, Agent A, Agent B, Nonce M|} # evsCA \\<in> tls"
15.154
15.155 ServerAccepts
15.156 (*Having transmitted ServerFinished and received an identical
15.157 message encrypted with clientK, the server stores the parameters
15.158 needed to resume this session. The "Says A'' B ..." premise is
15.159 used to prove Notes_master_imp_Crypt_PMS.*)
15.160 - "[| evsSA: tls;
15.161 - A ~= B;
15.162 - Says A'' B (Crypt (pubK B) (Nonce PMS)) : set evsSA;
15.163 + "[| evsSA \\<in> tls;
15.164 + A \\<noteq> B;
15.165 + Says A'' B (Crypt (pubK B) (Nonce PMS)) \\<in> set evsSA;
15.166 M = PRF(PMS,NA,NB);
15.167 X = Hash{|Number SID, Nonce M,
15.168 Nonce NA, Number PA, Agent A,
15.169 Nonce NB, Number PB, Agent B|};
15.170 - Says B A (Crypt (serverK(NA,NB,M)) X) : set evsSA;
15.171 - Says A' B (Crypt (clientK(NA,NB,M)) X) : set evsSA |]
15.172 + Says B A (Crypt (serverK(NA,NB,M)) X) \\<in> set evsSA;
15.173 + Says A' B (Crypt (clientK(NA,NB,M)) X) \\<in> set evsSA |]
15.174 ==>
15.175 - Notes B {|Number SID, Agent A, Agent B, Nonce M|} # evsSA : tls"
15.176 + Notes B {|Number SID, Agent A, Agent B, Nonce M|} # evsSA \\<in> tls"
15.177
15.178 ClientResume
15.179 (*If A recalls the SESSION_ID, then she sends a FINISHED message
15.180 using the new nonces and stored MASTER SECRET.*)
15.181 - "[| evsCR: tls;
15.182 + "[| evsCR \\<in> tls;
15.183 Says A B {|Agent A, Nonce NA, Number SID, Number PA|}: set evsCR;
15.184 - Says B' A {|Nonce NB, Number SID, Number PB|} : set evsCR;
15.185 - Notes A {|Number SID, Agent A, Agent B, Nonce M|} : set evsCR |]
15.186 + Says B' A {|Nonce NB, Number SID, Number PB|} \\<in> set evsCR;
15.187 + Notes A {|Number SID, Agent A, Agent B, Nonce M|} \\<in> set evsCR |]
15.188 ==> Says A B (Crypt (clientK(NA,NB,M))
15.189 (Hash{|Number SID, Nonce M,
15.190 Nonce NA, Number PA, Agent A,
15.191 Nonce NB, Number PB, Agent B|}))
15.192 - # evsCR : tls"
15.193 + # evsCR \\<in> tls"
15.194
15.195 ServerResume
15.196 (*Resumption (7.3): If B finds the SESSION_ID then he can send
15.197 a FINISHED message using the recovered MASTER SECRET*)
15.198 - "[| evsSR: tls;
15.199 + "[| evsSR \\<in> tls;
15.200 Says A' B {|Agent A, Nonce NA, Number SID, Number PA|}: set evsSR;
15.201 - Says B A {|Nonce NB, Number SID, Number PB|} : set evsSR;
15.202 - Notes B {|Number SID, Agent A, Agent B, Nonce M|} : set evsSR |]
15.203 + Says B A {|Nonce NB, Number SID, Number PB|} \\<in> set evsSR;
15.204 + Notes B {|Number SID, Agent A, Agent B, Nonce M|} \\<in> set evsSR |]
15.205 ==> Says B A (Crypt (serverK(NA,NB,M))
15.206 (Hash{|Number SID, Nonce M,
15.207 Nonce NA, Number PA, Agent A,
15.208 Nonce NB, Number PB, Agent B|})) # evsSR
15.209 - : tls"
15.210 + \\<in> tls"
15.211
15.212 Oops
15.213 (*The most plausible compromise is of an old session key. Losing
15.214 the MASTER SECRET or PREMASTER SECRET is more serious but
15.215 - rather unlikely. The assumption A ~= Spy is essential: otherwise
15.216 + rather unlikely. The assumption A \\<noteq> Spy is essential: otherwise
15.217 the Spy could learn session keys merely by replaying messages!*)
15.218 - "[| evso: tls; A ~= Spy;
15.219 - Says A B (Crypt (sessionK((NA,NB,M),role)) X) : set evso |]
15.220 - ==> Says A Spy (Key (sessionK((NA,NB,M),role))) # evso : tls"
15.221 + "[| evso \\<in> tls; A \\<noteq> Spy;
15.222 + Says A B (Crypt (sessionK((NA,NB,M),role)) X) \\<in> set evso |]
15.223 + ==> Says A Spy (Key (sessionK((NA,NB,M),role))) # evso \\<in> tls"
15.224
15.225 end
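Review bot: Two membership premises in this hunk were missed by the notation conversion: ClientResume still has `Number PA|}: set evsCR;` and ServerResume still has `Number PA|}: set evsSR;`, both left as context lines while every neighbouring premise now uses `\<in>`. They should end in `\<in> set evsCR;` and `\<in> set evsSR;` so the inductive definition of tls is uniform and a later search for the ASCII form finds nothing. The same leftover is in the WooLam.ML part of this change, in the goal of B_trusts_WL5 (`{|Agent A, Nonce NB|}): set evs; \`). The comment above the ClientFinished premises also reads "repaying messages", which presumably should be "replaying messages"; that matters because the sentence explains why the Spy cannot send ClientFinished.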
16.1 --- a/src/HOL/Auth/WooLam.ML Tue Feb 27 12:28:42 2001 +0100
16.2 +++ b/src/HOL/Auth/WooLam.ML Tue Feb 27 16:13:23 2001 +0100
16.3 @@ -15,8 +15,8 @@
16.4
16.5
16.6 (*A "possibility property": there are traces that reach the end*)
16.7 -Goal "EX NB. EX evs: woolam. \
16.8 -\ Says Server B (Crypt (shrK B) {|Agent A, Nonce NB|}) : set evs";
16.9 +Goal "\\<exists>NB. \\<exists>evs \\<in> woolam. \
16.10 +\ Says Server B (Crypt (shrK B) {|Agent A, Nonce NB|}) \\<in> set evs";
16.11 by (REPEAT (resolve_tac [exI,bexI] 1));
16.12 by (rtac (woolam.Nil RS woolam.WL1 RS woolam.WL2 RS woolam.WL3 RS
16.13 woolam.WL4 RS woolam.WL5) 2);
16.14 @@ -28,31 +28,31 @@
16.15
16.16 (** For reasoning about the encrypted portion of messages **)
16.17
16.18 -Goal "Says A' B X : set evs ==> X : analz (spies evs)";
16.19 +Goal "Says A' B X \\<in> set evs ==> X \\<in> analz (spies evs)";
16.20 by (etac (Says_imp_spies RS analz.Inj) 1);
16.21 qed "WL4_analz_spies";
16.22
16.23 bind_thm ("WL4_parts_spies",
16.24 WL4_analz_spies RS (impOfSubs analz_subset_parts));
16.25
16.26 -(*For proving the easier theorems about X ~: parts (spies evs) *)
16.27 +(*For proving the easier theorems about X \\<notin> parts (spies evs) *)
16.28 fun parts_induct_tac i =
16.29 etac woolam.induct i THEN
16.30 ftac WL4_parts_spies (i+5) THEN
16.31 prove_simple_subgoals_tac 1;
16.32
16.33
16.34 -(** Theorems of the form X ~: parts (spies evs) imply that NOBODY
16.35 +(** Theorems of the form X \\<notin> parts (spies evs) imply that NOBODY
16.36 sends messages containing X! **)
16.37
16.38 (*Spy never sees another agent's shared key! (unless it's bad at start)*)
16.39 -Goal "evs : woolam ==> (Key (shrK A) : parts (spies evs)) = (A : bad)";
16.40 +Goal "evs \\<in> woolam ==> (Key (shrK A) \\<in> parts (spies evs)) = (A \\<in> bad)";
16.41 by (parts_induct_tac 1);
16.42 by (Blast_tac 1);
16.43 qed "Spy_see_shrK";
16.44 Addsimps [Spy_see_shrK];
16.45
16.46 -Goal "evs : woolam ==> (Key (shrK A) : analz (spies evs)) = (A : bad)";
16.47 +Goal "evs \\<in> woolam ==> (Key (shrK A) \\<in> analz (spies evs)) = (A \\<in> bad)";
16.48 by Auto_tac;
16.49 qed "Spy_analz_shrK";
16.50 Addsimps [Spy_analz_shrK];
16.51 @@ -67,9 +67,9 @@
16.52 (*** WL4 ***)
16.53
16.54 (*If the encrypted message appears then it originated with Alice*)
16.55 -Goal "[| Crypt (shrK A) (Nonce NB) : parts (spies evs); \
16.56 -\ A ~: bad; evs : woolam |] \
16.57 -\ ==> EX B. Says A B (Crypt (shrK A) (Nonce NB)) : set evs";
16.58 +Goal "[| Crypt (shrK A) (Nonce NB) \\<in> parts (spies evs); \
16.59 +\ A \\<notin> bad; evs \\<in> woolam |] \
16.60 +\ ==> \\<exists>B. Says A B (Crypt (shrK A) (Nonce NB)) \\<in> set evs";
16.61 by (etac rev_mp 1);
16.62 by (parts_induct_tac 1);
16.63 by (ALLGOALS Blast_tac);
16.64 @@ -79,9 +79,9 @@
16.65 Alice, then she originated that certificate. But we DO NOT know that B
16.66 ever saw it: the Spy may have rerouted the message to the Server.*)
16.67 Goal "[| Says B' Server {|Agent A, Agent B, Crypt (shrK A) (Nonce NB)|} \
16.68 -\ : set evs; \
16.69 -\ A ~: bad; evs : woolam |] \
16.70 -\ ==> EX B. Says A B (Crypt (shrK A) (Nonce NB)) : set evs";
16.71 +\ \\<in> set evs; \
16.72 +\ A \\<notin> bad; evs \\<in> woolam |] \
16.73 +\ ==> \\<exists>B. Says A B (Crypt (shrK A) (Nonce NB)) \\<in> set evs";
16.74 by (blast_tac (claset() addSIs [NB_Crypt_imp_Alice_msg]) 1);
16.75 qed "Server_trusts_WL4";
16.76
16.77 @@ -91,10 +91,10 @@
16.78 (*** WL5 ***)
16.79
16.80 (*Server sent WL5 only if it received the right sort of message*)
16.81 -Goal "[| Says Server B (Crypt (shrK B) {|Agent A, NB|}) : set evs; \
16.82 -\ evs : woolam |] \
16.83 -\ ==> EX B'. Says B' Server {|Agent A, Agent B, Crypt (shrK A) NB|} \
16.84 -\ : set evs";
16.85 +Goal "[| Says Server B (Crypt (shrK B) {|Agent A, NB|}) \\<in> set evs; \
16.86 +\ evs \\<in> woolam |] \
16.87 +\ ==> \\<exists>B'. Says B' Server {|Agent A, Agent B, Crypt (shrK A) NB|} \
16.88 +\ \\<in> set evs";
16.89 by (etac rev_mp 1);
16.90 by (parts_induct_tac 1);
16.91 by (ALLGOALS Blast_tac);
16.92 @@ -103,9 +103,9 @@
16.93 AddDs [Server_sent_WL5];
16.94
16.95 (*If the encrypted message appears then it originated with the Server!*)
16.96 -Goal "[| Crypt (shrK B) {|Agent A, NB|} : parts (spies evs); \
16.97 -\ B ~: bad; evs : woolam |] \
16.98 -\ ==> Says Server B (Crypt (shrK B) {|Agent A, NB|}) : set evs";
16.99 +Goal "[| Crypt (shrK B) {|Agent A, NB|} \\<in> parts (spies evs); \
16.100 +\ B \\<notin> bad; evs \\<in> woolam |] \
16.101 +\ ==> Says Server B (Crypt (shrK B) {|Agent A, NB|}) \\<in> set evs";
16.102 by (etac rev_mp 1);
16.103 by (parts_induct_tac 1);
16.104 by (Blast_tac 1);
16.105 @@ -116,15 +116,15 @@
16.106 But A may have sent the nonce to some other agent and it could have reached
16.107 the Server via the Spy.*)
16.108 Goal "[| Says S B (Crypt (shrK B) {|Agent A, Nonce NB|}): set evs; \
16.109 -\ A ~: bad; B ~: bad; evs : woolam |] \
16.110 -\ ==> EX B. Says A B (Crypt (shrK A) (Nonce NB)) : set evs";
16.111 +\ A \\<notin> bad; B \\<notin> bad; evs \\<in> woolam |] \
16.112 +\ ==> \\<exists>B. Says A B (Crypt (shrK A) (Nonce NB)) \\<in> set evs";
16.113 by (blast_tac (claset() addSDs [NB_Crypt_imp_Server_msg]) 1);
16.114 qed "B_trusts_WL5";
16.115
16.116
16.117 (*B only issues challenges in response to WL1. Not used.*)
16.118 -Goal "[| Says B A (Nonce NB) : set evs; B ~= Spy; evs : woolam |] \
16.119 -\ ==> EX A'. Says A' B (Agent A) : set evs";
16.120 +Goal "[| Says B A (Nonce NB) \\<in> set evs; B \\<noteq> Spy; evs \\<in> woolam |] \
16.121 +\ ==> \\<exists>A'. Says A' B (Agent A) \\<in> set evs";
16.122 by (etac rev_mp 1);
16.123 by (parts_induct_tac 1);
16.124 by (ALLGOALS Blast_tac);
16.125 @@ -132,10 +132,10 @@
16.126
16.127
16.128 (**CANNOT be proved because A doesn't know where challenges come from...
16.129 -Goal "[| A ~: bad; B ~= Spy; evs : woolam |] \
16.130 -\ ==> Crypt (shrK A) (Nonce NB) : parts (spies evs) & \
16.131 -\ Says B A (Nonce NB) : set evs \
16.132 -\ --> Says A B (Crypt (shrK A) (Nonce NB)) : set evs";
16.133 +Goal "[| A \\<notin> bad; B \\<noteq> Spy; evs \\<in> woolam |] \
16.134 +\ ==> Crypt (shrK A) (Nonce NB) \\<in> parts (spies evs) & \
16.135 +\ Says B A (Nonce NB) \\<in> set evs \
16.136 +\ --> Says A B (Crypt (shrK A) (Nonce NB)) \\<in> set evs";
16.137 by (parts_induct_tac 1);
16.138 by (Blast_tac 1);
16.139 by Safe_tac;
17.1 --- a/src/HOL/Auth/WooLam.thy Tue Feb 27 12:28:42 2001 +0100
17.2 +++ b/src/HOL/Auth/WooLam.thy Tue Feb 27 16:13:23 2001 +0100
17.3 @@ -20,46 +20,46 @@
17.4 inductive woolam
17.5 intrs
17.6 (*Initial trace is empty*)
17.7 - Nil "[]: woolam"
17.8 + Nil "[] \\<in> woolam"
17.9
17.10 (** These rules allow agents to send messages to themselves **)
17.11
17.12 (*The spy MAY say anything he CAN say. We do not expect him to
17.13 invent new nonces here, but he can also use NS1. Common to
17.14 all similar protocols.*)
17.15 - Fake "[| evs: woolam; X: synth (analz (spies evs)) |]
17.16 - ==> Says Spy B X # evs : woolam"
17.17 + Fake "[| evsf \\<in> woolam; X \\<in> synth (analz (spies evsf)) |]
17.18 + ==> Says Spy B X # evsf \\<in> woolam"
17.19
17.20 (*Alice initiates a protocol run*)
17.21 - WL1 "[| evs1: woolam |]
17.22 - ==> Says A B (Agent A) # evs1 : woolam"
17.23 + WL1 "[| evs1 \\<in> woolam |]
17.24 + ==> Says A B (Agent A) # evs1 \\<in> woolam"
17.25
17.26 (*Bob responds to Alice's message with a challenge.*)
17.27 - WL2 "[| evs2: woolam; Says A' B (Agent A) : set evs2 |]
17.28 - ==> Says B A (Nonce NB) # evs2 : woolam"
17.29 + WL2 "[| evs2 \\<in> woolam; Says A' B (Agent A) \\<in> set evs2 |]
17.30 + ==> Says B A (Nonce NB) # evs2 \\<in> woolam"
17.31
17.32 (*Alice responds to Bob's challenge by encrypting NB with her key.
17.33 B is *not* properly determined -- Alice essentially broadcasts
17.34 her reply.*)
17.35 - WL3 "[| evs3: woolam;
17.36 - Says A B (Agent A) : set evs3;
17.37 - Says B' A (Nonce NB) : set evs3 |]
17.38 - ==> Says A B (Crypt (shrK A) (Nonce NB)) # evs3 : woolam"
17.39 + WL3 "[| evs3 \\<in> woolam;
17.40 + Says A B (Agent A) \\<in> set evs3;
17.41 + Says B' A (Nonce NB) \\<in> set evs3 |]
17.42 + ==> Says A B (Crypt (shrK A) (Nonce NB)) # evs3 \\<in> woolam"
17.43
17.44 (*Bob forwards Alice's response to the Server. NOTE: usually
17.45 the messages are shown in chronological order, for clarity.
17.46 But here, exchanging the two events would cause the lemma
17.47 WL4_analz_spies to pick up the wrong assumption!*)
17.48 - WL4 "[| evs4: woolam;
17.49 - Says A' B X : set evs4;
17.50 - Says A'' B (Agent A) : set evs4 |]
17.51 - ==> Says B Server {|Agent A, Agent B, X|} # evs4 : woolam"
17.52 + WL4 "[| evs4 \\<in> woolam;
17.53 + Says A' B X \\<in> set evs4;
17.54 + Says A'' B (Agent A) \\<in> set evs4 |]
17.55 + ==> Says B Server {|Agent A, Agent B, X|} # evs4 \\<in> woolam"
17.56
17.57 (*Server decrypts Alice's response for Bob.*)
17.58 - WL5 "[| evs5: woolam;
17.59 + WL5 "[| evs5 \\<in> woolam;
17.60 Says B' Server {|Agent A, Agent B, Crypt (shrK A) (Nonce NB)|}
17.61 - : set evs5 |]
17.62 + \\<in> set evs5 |]
17.63 ==> Says Server B (Crypt (shrK B) {|Agent A, Nonce NB|})
17.64 - # evs5 : woolam"
17.65 + # evs5 \\<in> woolam"
17.66
17.67 end
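Review bot: The comment on the Fake rule says the spy "can also use NS1", but no rule of that name appears in this definition; the rules visible here are WL1 to WL5, so the reference looks carried over from another protocol theory. This hunk already rewrites the Fake rule, and renames its trace variable from evs to evsf, which is more than a symbol change. The comment could therefore be corrected in the same pass to `invent new nonces here, but he can also use WL1.  Common to`. The hunk covers the whole inductive definition, so no other rule is affected.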
18.1 --- a/src/HOL/Auth/Yahalom.ML Tue Feb 27 12:28:42 2001 +0100
18.2 +++ b/src/HOL/Auth/Yahalom.ML Tue Feb 27 16:13:23 2001 +0100
18.3 @@ -14,9 +14,9 @@
18.4
18.5
18.6 (*A "possibility property": there are traces that reach the end*)
18.7 -Goal "A ~= Server \
18.8 -\ ==> EX X NB K. EX evs: yahalom. \
18.9 -\ Says A B {|X, Crypt K (Nonce NB)|} : set evs";
18.10 +Goal "A \\<noteq> Server \
18.11 +\ ==> \\<exists>X NB K. \\<exists>evs \\<in> yahalom. \
18.12 +\ Says A B {|X, Crypt K (Nonce NB)|} \\<in> set evs";
18.13 by (REPEAT (resolve_tac [exI,bexI] 1));
18.14 by (rtac (yahalom.Nil RS
18.15 yahalom.YM1 RS yahalom.Reception RS
18.16 @@ -25,21 +25,18 @@
18.17 by possibility_tac;
18.18 result();
18.19
18.20 -Goal "[| Gets B X : set evs; evs : yahalom |] ==> EX A. Says A B X : set evs";
18.21 +Goal "[| Gets B X \\<in> set evs; evs \\<in> yahalom |] ==> \\<exists>A. Says A B X \\<in> set evs";
18.22 by (etac rev_mp 1);
18.23 by (etac yahalom.induct 1);
18.24 by Auto_tac;
18.25 qed "Gets_imp_Says";
18.26
18.27 (*Must be proved separately for each protocol*)
18.28 -Goal "[| Gets B X : set evs; evs : yahalom |] ==> X : knows Spy evs";
18.29 +Goal "[| Gets B X \\<in> set evs; evs \\<in> yahalom |] ==> X \\<in> knows Spy evs";
18.30 by (blast_tac (claset() addSDs [Gets_imp_Says, Says_imp_knows_Spy]) 1);
18.31 qed"Gets_imp_knows_Spy";
18.32 AddDs [Gets_imp_knows_Spy RS parts.Inj];
18.33
18.34 -fun g_not_bad_tac s =
18.35 - ftac Gets_imp_Says THEN' assume_tac THEN' not_bad_tac s;
18.36 -
18.37
18.38 (**** Inductive proofs about yahalom ****)
18.39
18.40 @@ -47,8 +44,8 @@
18.41 (** For reasoning about the encrypted portion of messages **)
18.42
18.43 (*Lets us treat YM4 using a similar argument as for the Fake case.*)
18.44 -Goal "[| Gets A {|Crypt (shrK A) Y, X|} : set evs; evs : yahalom |] \
18.45 -\ ==> X : analz (knows Spy evs)";
18.46 +Goal "[| Gets A {|Crypt (shrK A) Y, X|} \\<in> set evs; evs \\<in> yahalom |] \
18.47 +\ ==> X \\<in> analz (knows Spy evs)";
18.48 by (blast_tac (claset() addSDs [Gets_imp_knows_Spy RS analz.Inj]) 1);
18.49 qed "YM4_analz_knows_Spy";
18.50
18.51 @@ -56,13 +53,13 @@
18.52 YM4_analz_knows_Spy RS (impOfSubs analz_subset_parts));
18.53
18.54 (*For Oops*)
18.55 -Goal "Says Server A {|Crypt (shrK A) {|B,K,NA,NB|}, X|} : set evs \
18.56 -\ ==> K : parts (knows Spy evs)";
18.57 +Goal "Says Server A {|Crypt (shrK A) {|B,K,NA,NB|}, X|} \\<in> set evs \
18.58 +\ ==> K \\<in> parts (knows Spy evs)";
18.59 by (blast_tac (claset() addSDs [parts.Body,
18.60 Says_imp_knows_Spy RS parts.Inj]) 1);
18.61 qed "YM4_Key_parts_knows_Spy";
18.62
18.63 -(*For proving the easier theorems about X ~: parts (knows Spy evs).*)
18.64 +(*For proving the easier theorems about X \\<notin> parts (knows Spy evs).*)
18.65 fun parts_knows_Spy_tac i =
18.66 EVERY
18.67 [ftac YM4_Key_parts_knows_Spy (i+7),
18.68 @@ -70,7 +67,7 @@
18.69 prove_simple_subgoals_tac i];
18.70
18.71 (*Induction for regularity theorems. If induction formula has the form
18.72 - X ~: analz (knows Spy evs) --> ... then it shortens the proof by discarding
18.73 + X \\<notin> analz (knows Spy evs) --> ... then it shortens the proof by discarding
18.74 needless information about analz (insert X (knows Spy evs)) *)
18.75 fun parts_induct_tac i =
18.76 etac yahalom.induct i
18.77 @@ -79,18 +76,18 @@
18.78 THEN parts_knows_Spy_tac i;
18.79
18.80
18.81 -(** Theorems of the form X ~: parts (knows Spy evs) imply that NOBODY
18.82 +(** Theorems of the form X \\<notin> parts (knows Spy evs) imply that NOBODY
18.83 sends messages containing X! **)
18.84
18.85 (*Spy never sees another agent's shared key! (unless it's bad at start)*)
18.86 -Goal "evs : yahalom ==> (Key (shrK A) : parts (knows Spy evs)) = (A : bad)";
18.87 +Goal "evs \\<in> yahalom ==> (Key (shrK A) \\<in> parts (knows Spy evs)) = (A \\<in> bad)";
18.88 by (parts_induct_tac 1);
18.89 by (Fake_parts_insert_tac 1);
18.90 by (ALLGOALS Blast_tac);
18.91 qed "Spy_see_shrK";
18.92 Addsimps [Spy_see_shrK];
18.93
18.94 -Goal "evs : yahalom ==> (Key (shrK A) : analz (knows Spy evs)) = (A : bad)";
18.95 +Goal "evs \\<in> yahalom ==> (Key (shrK A) \\<in> analz (knows Spy evs)) = (A \\<in> bad)";
18.96 by (auto_tac(claset() addDs [impOfSubs analz_subset_parts], simpset()));
18.97 qed "Spy_analz_shrK";
18.98 Addsimps [Spy_analz_shrK];
18.99 @@ -100,27 +97,28 @@
18.100
18.101
18.102 (*Nobody can have used non-existent keys! Needed to apply analz_insert_Key*)
18.103 -Goal "evs : yahalom ==> \
18.104 -\ Key K ~: used evs --> K ~: keysFor (parts (knows Spy evs))";
18.105 +Goal "evs \\<in> yahalom ==> \
18.106 +\ Key K \\<notin> used evs --> K \\<notin> keysFor (parts (knows Spy evs))";
18.107 by (parts_induct_tac 1);
18.108 (*Fake*)
18.109 by (blast_tac (claset() addSDs [keysFor_parts_insert]) 1);
18.110 (*YM2-4: Because Key K is not fresh, etc.*)
18.111 by (REPEAT (blast_tac (claset() addSEs knows_Spy_partsEs) 1));
18.112 qed_spec_mp "new_keys_not_used";
18.113 +Addsimps [new_keys_not_used];
18.114
18.115 +(*Earlier, \\<forall>protocol proofs declared this theorem.
18.116 + But Yahalom and Kerberos IV are the only ones that need it!*)
18.117 bind_thm ("new_keys_not_analzd",
18.118 [analz_subset_parts RS keysFor_mono,
18.119 new_keys_not_used] MRS contra_subsetD);
18.120
18.121 -Addsimps [new_keys_not_used, new_keys_not_analzd];
18.122 -
18.123
18.124 (*Describes the form of K when the Server sends this message. Useful for
18.125 Oops as well as main secrecy property.*)
18.126 Goal "[| Says Server A {|Crypt (shrK A) {|Agent B, Key K, na, nb|}, X|} \
18.127 -\ : set evs; evs : yahalom |] \
18.128 -\ ==> K ~: range shrK";
18.129 +\ \\<in> set evs; evs \\<in> yahalom |] \
18.130 +\ ==> K \\<notin> range shrK";
18.131 by (etac rev_mp 1);
18.132 by (etac yahalom.induct 1);
18.133 by (ALLGOALS Asm_simp_tac);
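Review bot: The added comment reads `(*Earlier, \<forall>protocol proofs declared this theorem.`, where the quantifier symbol has replaced the English word; it should be `(*Earlier, all protocol proofs declared this theorem.`. The hunk also stops adding new_keys_not_analzd to the default simpset (only new_keys_not_used is still passed to Addsimps), so any proof that relied on it implicitly now has to name it. A one-line comment next to the bind_thm would record that, for example `(*Not a default simp rule any more: cite new_keys_not_analzd where needed*)`. Whether the later secrecy proofs in this file were adjusted is not visible in this hunk.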
18.134 @@ -137,18 +135,18 @@
18.135 (****
18.136 The following is to prove theorems of the form
18.137
18.138 - Key K : analz (insert (Key KAB) (knows Spy evs)) ==>
18.139 - Key K : analz (knows Spy evs)
18.140 + Key K \\<in> analz (insert (Key KAB) (knows Spy evs)) ==>
18.141 + Key K \\<in> analz (knows Spy evs)
18.142
18.143 A more general formula must be proved inductively.
18.144 ****)
18.145
18.146 (** Session keys are not used to encrypt other session keys **)
18.147
18.148 -Goal "evs : yahalom ==> \
18.149 -\ ALL K KK. KK <= - (range shrK) --> \
18.150 -\ (Key K : analz (Key`KK Un (knows Spy evs))) = \
18.151 -\ (K : KK | Key K : analz (knows Spy evs))";
18.152 +Goal "evs \\<in> yahalom ==> \
18.153 +\ \\<forall>K KK. KK <= - (range shrK) --> \
18.154 +\ (Key K \\<in> analz (Key`KK Un (knows Spy evs))) = \
18.155 +\ (K \\<in> KK | Key K \\<in> analz (knows Spy evs))";
18.156 by (etac yahalom.induct 1);
18.157 by analz_knows_Spy_tac;
18.158 by (REPEAT_FIRST (resolve_tac [allI, impI]));
18.159 @@ -159,9 +157,9 @@
18.160 by (spy_analz_tac 1);
18.161 qed_spec_mp "analz_image_freshK";
18.162
18.163 -Goal "[| evs : yahalom; KAB ~: range shrK |] \
18.164 -\ ==> Key K : analz (insert (Key KAB) (knows Spy evs)) = \
18.165 -\ (K = KAB | Key K : analz (knows Spy evs))";
18.166 +Goal "[| evs \\<in> yahalom; KAB \\<notin> range shrK |] \
18.167 +\ ==> Key K \\<in> analz (insert (Key KAB) (knows Spy evs)) = \
18.168 +\ (K = KAB | Key K \\<in> analz (knows Spy evs))";
18.169 by (asm_simp_tac (analz_image_freshK_ss addsimps [analz_image_freshK]) 1);
18.170 qed "analz_insert_freshK";
18.171
18.172 @@ -170,10 +168,10 @@
18.173
18.174
18.175 Goal "[| Says Server A \
18.176 -\ {|Crypt (shrK A) {|Agent B, Key K, na, nb|}, X|} : set evs; \
18.177 +\ {|Crypt (shrK A) {|Agent B, Key K, na, nb|}, X|} \\<in> set evs; \
18.178 \ Says Server A' \
18.179 -\ {|Crypt (shrK A') {|Agent B', Key K, na', nb'|}, X'|} : set evs; \
18.180 -\ evs : yahalom |] \
18.181 +\ {|Crypt (shrK A') {|Agent B', Key K, na', nb'|}, X'|} \\<in> set evs; \
18.182 +\ evs \\<in> yahalom |] \
18.183 \ ==> A=A' & B=B' & na=na' & nb=nb'";
18.184 by (etac rev_mp 1);
18.185 by (etac rev_mp 1);
18.186 @@ -188,13 +186,13 @@
18.187
18.188 (** Crucial secrecy property: Spy does not see the keys sent in msg YM3 **)
18.189
18.190 -Goal "[| A ~: bad; B ~: bad; evs : yahalom |] \
18.191 +Goal "[| A \\<notin> bad; B \\<notin> bad; evs \\<in> yahalom |] \
18.192 \ ==> Says Server A \
18.193 \ {|Crypt (shrK A) {|Agent B, Key K, na, nb|}, \
18.194 \ Crypt (shrK B) {|Agent A, Key K|}|} \
18.195 -\ : set evs --> \
18.196 -\ Notes Spy {|na, nb, Key K|} ~: set evs --> \
18.197 -\ Key K ~: analz (knows Spy evs)";
18.198 +\ \\<in> set evs --> \
18.199 +\ Notes Spy {|na, nb, Key K|} \\<notin> set evs --> \
18.200 +\ Key K \\<notin> analz (knows Spy evs)";
18.201 by (etac yahalom.induct 1);
18.202 by analz_knows_Spy_tac;
18.203 by (ALLGOALS
18.204 @@ -216,10 +214,10 @@
18.205 Goal "[| Says Server A \
18.206 \ {|Crypt (shrK A) {|Agent B, Key K, na, nb|}, \
18.207 \ Crypt (shrK B) {|Agent A, Key K|}|} \
18.208 -\ : set evs; \
18.209 -\ Notes Spy {|na, nb, Key K|} ~: set evs; \
18.210 -\ A ~: bad; B ~: bad; evs : yahalom |] \
18.211 -\ ==> Key K ~: analz (knows Spy evs)";
18.212 +\ \\<in> set evs; \
18.213 +\ Notes Spy {|na, nb, Key K|} \\<notin> set evs; \
18.214 +\ A \\<notin> bad; B \\<notin> bad; evs \\<in> yahalom |] \
18.215 +\ ==> Key K \\<notin> analz (knows Spy evs)";
18.216 by (blast_tac (claset() addSEs [lemma]) 1);
18.217 qed "Spy_not_see_encrypted_key";
18.218
18.219 @@ -227,22 +225,22 @@
18.220 (** Security Guarantee for A upon receiving YM3 **)
18.221
18.222 (*If the encrypted message appears then it originated with the Server*)
18.223 -Goal "[| Crypt (shrK A) {|Agent B, Key K, na, nb|} : parts (knows Spy evs); \
18.224 -\ A ~: bad; evs : yahalom |] \
18.225 +Goal "[| Crypt (shrK A) {|Agent B, Key K, na, nb|} \\<in> parts (knows Spy evs); \
18.226 +\ A \\<notin> bad; evs \\<in> yahalom |] \
18.227 \ ==> Says Server A \
18.228 \ {|Crypt (shrK A) {|Agent B, Key K, na, nb|}, \
18.229 \ Crypt (shrK B) {|Agent A, Key K|}|} \
18.230 -\ : set evs";
18.231 +\ \\<in> set evs";
18.232 by (etac rev_mp 1);
18.233 by (parts_induct_tac 1);
18.234 by (Fake_parts_insert_tac 1);
18.235 qed "A_trusts_YM3";
18.236
18.237 (*The obvious combination of A_trusts_YM3 with Spy_not_see_encrypted_key*)
18.238 -Goal "[| Crypt (shrK A) {|Agent B, Key K, na, nb|} : parts (knows Spy evs); \
18.239 -\ Notes Spy {|na, nb, Key K|} ~: set evs; \
18.240 -\ A ~: bad; B ~: bad; evs : yahalom |] \
18.241 -\ ==> Key K ~: analz (knows Spy evs)";
18.242 +Goal "[| Crypt (shrK A) {|Agent B, Key K, na, nb|} \\<in> parts (knows Spy evs); \
18.243 +\ Notes Spy {|na, nb, Key K|} \\<notin> set evs; \
18.244 +\ A \\<notin> bad; B \\<notin> bad; evs \\<in> yahalom |] \
18.245 +\ ==> Key K \\<notin> analz (knows Spy evs)";
18.246 by (blast_tac (claset() addSDs [A_trusts_YM3, Spy_not_see_encrypted_key]) 1);
18.247 qed "A_gets_good_key";
18.248
18.249 @@ -250,13 +248,13 @@
18.250
18.251 (*B knows, by the first part of A's message, that the Server distributed
18.252 the key for A and B. But this part says nothing about nonces.*)
18.253 -Goal "[| Crypt (shrK B) {|Agent A, Key K|} : parts (knows Spy evs); \
18.254 -\ B ~: bad; evs : yahalom |] \
18.255 -\ ==> EX NA NB. Says Server A \
18.256 +Goal "[| Crypt (shrK B) {|Agent A, Key K|} \\<in> parts (knows Spy evs); \
18.257 +\ B \\<notin> bad; evs \\<in> yahalom |] \
18.258 +\ ==> \\<exists>NA NB. Says Server A \
18.259 \ {|Crypt (shrK A) {|Agent B, Key K, \
18.260 \ Nonce NA, Nonce NB|}, \
18.261 \ Crypt (shrK B) {|Agent A, Key K|}|} \
18.262 -\ : set evs";
18.263 +\ \\<in> set evs";
18.264 by (etac rev_mp 1);
18.265 by (parts_induct_tac 1);
18.266 by (Fake_parts_insert_tac 1);
18.267 @@ -266,27 +264,27 @@
18.268
18.269 (*B knows, by the second part of A's message, that the Server distributed
18.270 the key quoting nonce NB. This part says nothing about agent names.
18.271 - Secrecy of NB is crucial. Note that Nonce NB ~: analz(knows Spy evs) must
18.272 + Secrecy of NB is crucial. Note that Nonce NB \\<notin> analz(knows Spy evs) must
18.273 be the FIRST antecedent of the induction formula.*)
18.274 -Goal "evs : yahalom \
18.275 -\ ==> Nonce NB ~: analz (knows Spy evs) --> \
18.276 -\ Crypt K (Nonce NB) : parts (knows Spy evs) --> \
18.277 -\ (EX A B NA. Says Server A \
18.278 +Goal "evs \\<in> yahalom \
18.279 +\ ==> Nonce NB \\<notin> analz (knows Spy evs) --> \
18.280 +\ Crypt K (Nonce NB) \\<in> parts (knows Spy evs) --> \
18.281 +\ (\\<exists>A B NA. Says Server A \
18.282 \ {|Crypt (shrK A) {|Agent B, Key K, \
18.283 \ Nonce NA, Nonce NB|}, \
18.284 \ Crypt (shrK B) {|Agent A, Key K|}|} \
18.285 -\ : set evs)";
18.286 +\ \\<in> set evs)";
18.287 by (parts_induct_tac 1);
18.288 by (ALLGOALS Clarify_tac);
18.289 (*YM3 & Fake*)
18.290 by (Blast_tac 2);
18.291 by (Fake_parts_insert_tac 1);
18.292 (*YM4*)
18.293 -(*A is uncompromised because NB is secure*)
18.294 -by (g_not_bad_tac "A" 1);
18.295 -(*A's certificate guarantees the existence of the Server message*)
18.296 -by (blast_tac (claset() addDs [Says_imp_knows_Spy RS parts.Inj RS parts.Fst RS
18.297 - A_trusts_YM3]) 1);
18.298 +(*A is uncompromised because NB is secure;
18.299 + A's certificate guarantees the existence of the Server message*)
18.300 +by (blast_tac (claset() addSDs [Gets_imp_Says, Crypt_Spy_analz_bad]
18.301 + addDs [Says_imp_spies, analz.Inj,
18.302 + parts.Inj RS parts.Fst RS A_trusts_YM3]) 1);
18.303 bind_thm ("B_trusts_YM4_newK", result() RS mp RSN (2, rev_mp));
18.304
18.305
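Review bot: The rewritten YM4 step passes `Says_imp_spies` to blast, while the lines it replaces and the rest of this file use `Says_imp_knows_Spy` and state every goal over `knows Spy evs`. Writing `addDs [Says_imp_knows_Spy, analz.Inj,` would keep the proof readable against the goal; this assumes the two names are interchangeable here, which the hunk does not show. The merged comment also no longer says which rule establishes that A is uncompromised now that g_not_bad_tac is gone. If that rule is Crypt_Spy_analz_bad, as the new addSDs list suggests, the comment could name it: `(*A is uncompromised because NB is secure (Crypt_Spy_analz_bad);`.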
18.306 @@ -297,14 +295,14 @@
18.307 Goalw [KeyWithNonce_def]
18.308 "Says Server A \
18.309 \ {|Crypt (shrK A) {|Agent B, Key K, na, Nonce NB|}, X|} \
18.310 -\ : set evs ==> KeyWithNonce K NB evs";
18.311 +\ \\<in> set evs ==> KeyWithNonce K NB evs";
18.312 by (Blast_tac 1);
18.313 qed "KeyWithNonceI";
18.314
18.315 Goalw [KeyWithNonce_def]
18.316 "KeyWithNonce K NB (Says S A X # evs) = \
18.317 \ (Server = S & \
18.318 -\ (EX B n X'. X = {|Crypt (shrK A) {|Agent B, Key K, n, Nonce NB|}, X'|}) \
18.319 +\ (\\<exists>B n X'. X = {|Crypt (shrK A) {|Agent B, Key K, n, Nonce NB|}, X'|}) \
18.320 \ | KeyWithNonce K NB evs)";
18.321 by (Simp_tac 1);
18.322 by (Blast_tac 1);
18.323 @@ -326,7 +324,7 @@
18.324 (*A fresh key cannot be associated with any nonce
18.325 (with respect to a given trace). *)
18.326 Goalw [KeyWithNonce_def]
18.327 - "Key K ~: used evs ==> ~ KeyWithNonce K NB evs";
18.328 + "Key K \\<notin> used evs ==> ~ KeyWithNonce K NB evs";
18.329 by (blast_tac (claset() addSEs knows_Spy_partsEs) 1);
18.330 qed "fresh_not_KeyWithNonce";
18.331
18.332 @@ -335,8 +333,8 @@
18.333 Goalw [KeyWithNonce_def]
18.334 "[| Says Server A \
18.335 \ {|Crypt (shrK A) {|Agent B, Key K, na, Nonce NB'|}, X|} \
18.336 -\ : set evs; \
18.337 -\ NB ~= NB'; evs : yahalom |] \
18.338 +\ \\<in> set evs; \
18.339 +\ NB \\<noteq> NB'; evs \\<in> yahalom |] \
18.340 \ ==> ~ KeyWithNonce K NB evs";
18.341 by (blast_tac (claset() addDs [unique_session_keys]) 1);
18.342 qed "Says_Server_KeyWithNonce";
18.343 @@ -349,39 +347,43 @@
18.344
18.345 (*As with analz_image_freshK, we take some pains to express the property
18.346 as a logical equivalence so that the simplifier can apply it.*)
18.347 -Goal "P --> (X : analz (G Un H)) --> (X : analz H) ==> \
18.348 -\ P --> (X : analz (G Un H)) = (X : analz H)";
18.349 +Goal "P --> (X \\<in> analz (G Un H)) --> (X \\<in> analz H) ==> \
18.350 +\ P --> (X \\<in> analz (G Un H)) = (X \\<in> analz H)";
18.351 by (blast_tac (claset() addIs [impOfSubs analz_mono]) 1);
18.352 val Nonce_secrecy_lemma = result();
18.353
18.354 -Goal "evs : yahalom ==> \
18.355 -\ (ALL KK. KK <= - (range shrK) --> \
18.356 -\ (ALL K: KK. ~ KeyWithNonce K NB evs) --> \
18.357 -\ (Nonce NB : analz (Key`KK Un (knows Spy evs))) = \
18.358 -\ (Nonce NB : analz (knows Spy evs)))";
18.359 +Goal "evs \\<in> yahalom ==> \
18.360 +\ (\\<forall>KK. KK <= - (range shrK) --> \
18.361 +\ (\\<forall>K \\<in> KK. ~ KeyWithNonce K NB evs) --> \
18.362 +\ (Nonce NB \\<in> analz (Key`KK Un (knows Spy evs))) = \
18.363 +\ (Nonce NB \\<in> analz (knows Spy evs)))";
18.364 by (etac yahalom.induct 1);
18.365 by analz_knows_Spy_tac;
18.366 by (REPEAT_FIRST (resolve_tac [impI RS allI]));
18.367 by (REPEAT_FIRST (rtac Nonce_secrecy_lemma));
18.368 -(*For Oops, simplification proves NBa~=NB. By Says_Server_KeyWithNonce,
18.369 +(*For Oops, simplification proves NBa\\<noteq>NB. By Says_Server_KeyWithNonce,
18.370 we get (~ KeyWithNonce K NB evs); then simplification can apply the
18.371 induction hypothesis with KK = {K}.*)
18.372 by (ALLGOALS (*4 seconds*)
18.373 (asm_simp_tac
18.374 (analz_image_freshK_ss
18.375 addsimps split_ifs
18.376 - addsimps [all_conj_distrib, analz_image_freshK,
18.377 + addsimps [all_conj_distrib, ball_conj_distrib, analz_image_freshK,
18.378 KeyWithNonce_Says, KeyWithNonce_Notes, KeyWithNonce_Gets,
18.379 fresh_not_KeyWithNonce, Says_Server_not_range,
18.380 - imp_disj_not1, (*Moves NBa~=NB to the front*)
18.381 + imp_disj_not1, (*Moves NBa\\<noteq>NB to the front*)
18.382 Says_Server_KeyWithNonce])));
18.383 (*Fake*)
18.384 by (spy_analz_tac 1);
18.385 (*YM4*) (** LEVEL 6 **)
18.386 -by (g_not_bad_tac "A" 1);
18.387 -by (dtac (Gets_imp_knows_Spy RS parts.Inj RS parts.Fst RS A_trusts_YM3) 1
18.388 - THEN REPEAT (assume_tac 1));
18.389 -by (blast_tac (claset() addIs [KeyWithNonceI]) 1);
18.390 +by (thin_tac "\\<forall>KK. ?P KK" 1);
18.391 +by (Clarify_tac 1);
18.392 +(*If A:bad then NBa is known, therefore NBa \\<noteq> NB. Previous two steps make
18.393 + the next step faster.*)
18.394 +by (blast_tac (claset() addSDs [Gets_imp_Says, Says_imp_spies,
18.395 + Crypt_Spy_analz_bad]
18.396 + addDs [analz.Inj,
18.397 + parts.Inj RS parts.Fst RS A_trusts_YM3 RS KeyWithNonceI]) 1);
18.398 qed_spec_mp "Nonce_secrecy";
18.399
18.400
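Review bot: The comment added before the final `blast_tac` in the YM4 case of Nonce_secrecy still writes `A:bad` in the old ASCII notation and does not say what `thin_tac "\\<forall>KK. ?P KK" 1` discards. From the goal shape this is presumably the induction hypothesis, and a reader cannot tell that dropping it is intended unless the comment says so. I would write it as `(*YM4 does not need the induction hypothesis: discard it and clarify first, which makes blast_tac faster. If A \\<in> bad then NBa is known, therefore NBa \\<noteq> NB.*)`. The `(*4 seconds*)` timing on the `ALLGOALS` step predates the added `ball_conj_distrib` and may need re-measuring.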
18.401 @@ -390,10 +392,10 @@
18.402 for the induction to carry through.*)
18.403 Goal "[| Says Server A \
18.404 \ {|Crypt (shrK A) {|Agent B, Key KAB, na, Nonce NB'|}, X|} \
18.405 -\ : set evs; \
18.406 -\ NB ~= NB'; KAB ~: range shrK; evs : yahalom |] \
18.407 -\ ==> (Nonce NB : analz (insert (Key KAB) (knows Spy evs))) = \
18.408 -\ (Nonce NB : analz (knows Spy evs))";
18.409 +\ \\<in> set evs; \
18.410 +\ NB \\<noteq> NB'; KAB \\<notin> range shrK; evs \\<in> yahalom |] \
18.411 +\ ==> (Nonce NB \\<in> analz (insert (Key KAB) (knows Spy evs))) = \
18.412 +\ (Nonce NB \\<in> analz (knows Spy evs))";
18.413 by (asm_simp_tac (analz_image_freshK_ss addsimps
18.414 [Nonce_secrecy, Says_Server_KeyWithNonce]) 1);
18.415 qed "single_Nonce_secrecy";
18.416 @@ -401,9 +403,9 @@
18.417
18.418 (*** The Nonce NB uniquely identifies B's message. ***)
18.419
18.420 -Goal "[| Crypt (shrK B) {|Agent A, Nonce NA, nb|} : parts (knows Spy evs); \
18.421 -\ Crypt (shrK B') {|Agent A', Nonce NA', nb|} : parts (knows Spy evs); \
18.422 -\ evs : yahalom; B ~: bad; B' ~: bad |] \
18.423 +Goal "[| Crypt (shrK B) {|Agent A, Nonce NA, nb|} \\<in> parts (knows Spy evs); \
18.424 +\ Crypt (shrK B') {|Agent A', Nonce NA', nb|} \\<in> parts (knows Spy evs); \
18.425 +\ evs \\<in> yahalom; B \\<notin> bad; B' \\<notin> bad |] \
18.426 \ ==> NA' = NA & A' = A & B' = B";
18.427 by (etac rev_mp 1);
18.428 by (etac rev_mp 1);
18.429 @@ -414,27 +416,26 @@
18.430 qed "unique_NB";
18.431
18.432
18.433 -(*Variant useful for proving secrecy of NB: the Says... form allows
18.434 - not_bad_tac to remove the assumption B' ~: bad.*)
18.435 +(*Variant useful for proving secrecy of NB. Because nb is assumed to be
18.436 + secret, we no longer must assume B, B' not bad.*)
18.437 Goal "[| Says C S {|X, Crypt (shrK B) {|Agent A, Nonce NA, nb|}|} \
18.438 -\ : set evs; B ~: bad; \
18.439 +\ \\<in> set evs; \
18.440 \ Gets S' {|X', Crypt (shrK B') {|Agent A', Nonce NA', nb|}|} \
18.441 -\ : set evs; \
18.442 -\ nb ~: analz (knows Spy evs); evs : yahalom |] \
18.443 +\ \\<in> set evs; \
18.444 +\ nb \\<notin> analz (knows Spy evs); evs \\<in> yahalom |] \
18.445 \ ==> NA' = NA & A' = A & B' = B";
18.446 -by (g_not_bad_tac "B'" 1);
18.447 -by (blast_tac (claset() addSDs [Says_imp_knows_Spy RS parts.Inj]
18.448 - addSEs [MPair_parts]
18.449 - addDs [unique_NB]) 1);
18.450 +by (blast_tac (claset() addSDs [Gets_imp_Says, Crypt_Spy_analz_bad]
18.451 + addDs [Says_imp_spies, unique_NB, parts.Inj,
18.452 + analz.Inj]) 1);
18.453 qed "Says_unique_NB";
18.454
18.455
18.456 (** A nonce value is never used both as NA and as NB **)
18.457
18.458 -Goal "evs : yahalom \
18.459 -\ ==> Nonce NB ~: analz (knows Spy evs) --> \
18.460 -\ Crypt (shrK B') {|Agent A', Nonce NB, nb'|} : parts(knows Spy evs) --> \
18.461 -\ Crypt (shrK B) {|Agent A, na, Nonce NB|} ~: parts(knows Spy evs)";
18.462 +Goal "evs \\<in> yahalom \
18.463 +\ ==> Nonce NB \\<notin> analz (knows Spy evs) --> \
18.464 +\ Crypt (shrK B') {|Agent A', Nonce NB, nb'|} \\<in> parts(knows Spy evs) --> \
18.465 +\ Crypt (shrK B) {|Agent A, na, Nonce NB|} \\<notin> parts(knows Spy evs)";
18.466 by (parts_induct_tac 1);
18.467 by (Fake_parts_insert_tac 1);
18.468 by (blast_tac (claset() addDs [Gets_imp_knows_Spy RS analz.Inj]
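Review bot: The new comment on Says_unique_NB says that B and B' no longer have to be assumed not bad, but it does not name the fact that replaces those assumptions. The rewritten `blast_tac` call adds `Crypt_Spy_analz_bad` as a safe destruction rule, which is presumably what turns secrecy of nb into the missing not-bad facts, so I would name it: `(*Variant useful for proving secrecy of NB. Because nb is assumed to be secret, Crypt_Spy_analz_bad rules out B, B' bad, so neither must be assumed.*)`. The statement also drops the premise `B \\<notin> bad`, so any use of this theorem outside the diff that discharges premises by position should be checked. The last line of the hunk opens a `blast_tac` call that continues outside it.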
18.469 @@ -447,10 +448,10 @@
18.470
18.471 (*The Server sends YM3 only in response to YM2.*)
18.472 Goal "[| Says Server A \
18.473 -\ {|Crypt (shrK A) {|Agent B, k, na, nb|}, X|} : set evs; \
18.474 -\ evs : yahalom |] \
18.475 +\ {|Crypt (shrK A) {|Agent B, k, na, nb|}, X|} \\<in> set evs; \
18.476 +\ evs \\<in> yahalom |] \
18.477 \ ==> Gets Server {| Agent B, Crypt (shrK B) {|Agent A, na, nb|} |} \
18.478 -\ : set evs";
18.479 +\ \\<in> set evs";
18.480 by (etac rev_mp 1);
18.481 by (etac yahalom.induct 1);
18.482 by Auto_tac;
18.483 @@ -458,18 +459,18 @@
18.484
18.485
18.486 (*A vital theorem for B, that nonce NB remains secure from the Spy.*)
18.487 -Goal "[| A ~: bad; B ~: bad; evs : yahalom |] \
18.488 -\ ==> Says B Server \
18.489 +Goal "[| A \\<notin> bad; B \\<notin> bad; evs \\<in> yahalom |] \
18.490 +\ ==> (\\<forall>k. Notes Spy {|Nonce NA, Nonce NB, k|} \\<notin> set evs) --> \
18.491 +\ Says B Server \
18.492 \ {|Agent B, Crypt (shrK B) {|Agent A, Nonce NA, Nonce NB|}|} \
18.493 -\ : set evs --> \
18.494 -\ (ALL k. Notes Spy {|Nonce NA, Nonce NB, k|} ~: set evs) --> \
18.495 -\ Nonce NB ~: analz (knows Spy evs)";
18.496 +\ \\<in> set evs --> \
18.497 +\ Nonce NB \\<notin> analz (knows Spy evs)";
18.498 by (etac yahalom.induct 1);
18.499 by analz_knows_Spy_tac;
18.500 by (ALLGOALS
18.501 (asm_simp_tac
18.502 (simpset() addsimps split_ifs @ pushes @
18.503 - [analz_insert_eq, analz_insert_freshK])));
18.504 + [new_keys_not_analzd, analz_insert_eq, analz_insert_freshK])));
18.505 (*Prove YM3 by showing that no NB can also be an NA*)
18.506 by (blast_tac (claset() addDs [Says_imp_knows_Spy RS parts.Inj]
18.507 addSEs [no_nonce_YM1_YM2, MPair_parts]
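Review bot: The restated goal for Spy_not_see_NB moves the `\\<forall>k. Notes Spy ...` antecedent in front of the `Says B Server ...` antecedent, and nothing records why. Because the theorem is bound with `result() RSN(2,rev_mp) RSN(2,rev_mp)` in the next hunk, this appears to swap the first two premises of the exported theorem, presumably so that the `Says B Server` event is the major premise when the theorem is passed to `addDs`. A one-line comment above the Goal would keep that from being undone later, for example `(*The Notes Spy antecedent comes first so that, after the two rev_mp steps, Says B Server ... is the first premise of Spy_not_see_NB.*)`. The proof script for this goal continues outside the hunk.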
18.508 @@ -488,67 +489,58 @@
18.509 by (ALLGOALS (Clarify_tac THEN'
18.510 full_simp_tac (simpset() addsimps [all_conj_distrib])));
18.511 (*YM4: key K is visible to Spy, contradicting session key secrecy theorem*)
18.512 -by (g_not_bad_tac "Aa" 1);
18.513 -by (dtac (Gets_imp_knows_Spy RS parts.Inj RS parts.Fst RS A_trusts_YM3) 1
18.514 - THEN assume_tac 1);
18.515 -by (ftac Says_Server_imp_YM2 3);
18.516 -by (REPEAT_FIRST (eresolve_tac [asm_rl, exE]));
18.517 -(* use Says_unique_NB to identify message components: Aa=A, Ba=B*)
18.518 -by (blast_tac (claset() addDs [Says_unique_NB,
18.519 +(*Case analysis on Aa:bad; PROOF FAILED problems;
18.520 + use Says_unique_NB to identify message components: Aa=A, Ba=B*)
18.521 +by (blast_tac (claset() addSDs [Says_unique_NB,
18.522 + parts.Inj RS parts.Fst RS A_trusts_YM3]
18.523 + addDs [Gets_imp_knows_Spy RS analz.Inj, Gets_imp_Says,
18.524 + Says_imp_spies, Says_Server_imp_YM2,
18.525 Spy_not_see_encrypted_key]) 1);
18.526 -(** LEVEL 13 **)
18.527 +(** LEVEL 9 **)
18.528 (*Oops case: if the nonce is betrayed now, show that the Oops event is
18.529 covered by the quantified Oops assumption.*)
18.530 -by (ftac Says_Server_imp_YM2 1 THEN assume_tac 1);
18.531 -by (expand_case_tac "NB = NBa" 1);
18.532 +by (ftac Says_Server_imp_YM2 1 THEN assume_tac 1);
18.533 +by (case_tac "NB = NBa" 1);
18.534 (*If NB=NBa then all other components of the Oops message agree*)
18.535 by (blast_tac (claset() addDs [Says_unique_NB]) 1);
18.536 -(*case NB ~= NBa*)
18.537 +(*case NB \\<noteq> NBa*)
18.538 by (asm_simp_tac (simpset() addsimps [single_Nonce_secrecy]) 1);
18.539 -by (Clarify_tac 1);
18.540 -by (blast_tac (claset() addSEs [MPair_parts, no_nonce_YM1_YM2]
18.541 - (*to prove NB~=NAa*)
18.542 +by (blast_tac (claset() addSEs [no_nonce_YM1_YM2] (*to prove NB\\<noteq>NAa*)
18.543 addDs [Says_imp_knows_Spy RS parts.Inj]) 1);
18.544 bind_thm ("Spy_not_see_NB", result() RSN(2,rev_mp) RSN(2,rev_mp));
18.545
18.546
18.547 (*B's session key guarantee from YM4. The two certificates contribute to a
18.548 single conclusion about the Server's message. Note that the "Notes Spy"
18.549 - assumption must quantify over ALL POSSIBLE keys instead of our particular K.
18.550 + assumption must quantify over \\<forall>POSSIBLE keys instead of our particular K.
18.551 If this run is broken and the spy substitutes a certificate containing an
18.552 old key, B has no means of telling.*)
18.553 Goal "[| Gets B {|Crypt (shrK B) {|Agent A, Key K|}, \
18.554 -\ Crypt K (Nonce NB)|} : set evs; \
18.555 +\ Crypt K (Nonce NB)|} \\<in> set evs; \
18.556 \ Says B Server \
18.557 \ {|Agent B, Crypt (shrK B) {|Agent A, Nonce NA, Nonce NB|}|} \
18.558 -\ : set evs; \
18.559 -\ ALL k. Notes Spy {|Nonce NA, Nonce NB, k|} ~: set evs; \
18.560 -\ A ~: bad; B ~: bad; evs : yahalom |] \
18.561 +\ \\<in> set evs; \
18.562 +\ \\<forall>k. Notes Spy {|Nonce NA, Nonce NB, k|} \\<notin> set evs; \
18.563 +\ A \\<notin> bad; B \\<notin> bad; evs \\<in> yahalom |] \
18.564 \ ==> Says Server A \
18.565 \ {|Crypt (shrK A) {|Agent B, Key K, \
18.566 \ Nonce NA, Nonce NB|}, \
18.567 \ Crypt (shrK B) {|Agent A, Key K|}|} \
18.568 -\ : set evs";
18.569 -by (ftac Spy_not_see_NB 1 THEN REPEAT (assume_tac 1));
18.570 -by (etac (Gets_imp_knows_Spy RS parts.Inj RS MPair_parts) 1 THEN
18.571 - assume_tac 1 THEN dtac B_trusts_YM4_shrK 1);
18.572 -by (dtac B_trusts_YM4_newK 3);
18.573 -by (REPEAT_FIRST (eresolve_tac [asm_rl, exE]));
18.574 -by (ftac Says_Server_imp_YM2 1 THEN assume_tac 1);
18.575 -by (dtac unique_session_keys 1 THEN REPEAT (assume_tac 1));
18.576 -by (blast_tac (claset() addDs [Says_unique_NB]) 1);
18.577 +\ \\<in> set evs";
18.578 +by (blast_tac (claset() addDs [Spy_not_see_NB, Says_unique_NB,
18.579 + Says_Server_imp_YM2, B_trusts_YM4_newK]) 1);
18.580 qed "B_trusts_YM4";
18.581
18.582
18.583 (*The obvious combination of B_trusts_YM4 with Spy_not_see_encrypted_key*)
18.584 Goal "[| Gets B {|Crypt (shrK B) {|Agent A, Key K|}, \
18.585 -\ Crypt K (Nonce NB)|} : set evs; \
18.586 +\ Crypt K (Nonce NB)|} \\<in> set evs; \
18.587 \ Says B Server \
18.588 \ {|Agent B, Crypt (shrK B) {|Agent A, Nonce NA, Nonce NB|}|} \
18.589 -\ : set evs; \
18.590 -\ ALL k. Notes Spy {|Nonce NA, Nonce NB, k|} ~: set evs; \
18.591 -\ A ~: bad; B ~: bad; evs : yahalom |] \
18.592 -\ ==> Key K ~: analz (knows Spy evs)";
18.593 +\ \\<in> set evs; \
18.594 +\ \\<forall>k. Notes Spy {|Nonce NA, Nonce NB, k|} \\<notin> set evs; \
18.595 +\ A \\<notin> bad; B \\<notin> bad; evs \\<in> yahalom |] \
18.596 +\ ==> Key K \\<notin> analz (knows Spy evs)";
18.597 by (blast_tac (claset() addSDs [B_trusts_YM4, Spy_not_see_encrypted_key]) 1);
18.598 qed "B_gets_good_key";
18.599
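Review bot: The comment above B_trusts_YM4 now reads `quantify over \\<forall>POSSIBLE keys`, which looks like the mechanical ALL-to-\\<forall> replacement hitting English text rather than a formula. This comment states the scope of the Oops assumption that the guarantee depends on, so it should stay readable: `assumption must quantify over ALL POSSIBLE keys instead of our particular K.`. In the same hunk the new comment `(*Case analysis on Aa:bad; PROOF FAILED problems;` keeps the ASCII `Aa:bad` and does not say which tactic reported PROOF FAILED or what the workaround is. Spelling that out would explain why the step-by-step YM4 argument was folded into one `blast_tac` call with `addSDs`.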
18.600 @@ -556,37 +548,37 @@
18.601 (*** Authenticating B to A ***)
18.602
18.603 (*The encryption in message YM2 tells us it cannot be faked.*)
18.604 -Goal "evs : yahalom \
18.605 -\ ==> Crypt (shrK B) {|Agent A, Nonce NA, nb|} : parts (knows Spy evs) --> \
18.606 -\ B ~: bad --> \
18.607 +Goal "evs \\<in> yahalom \
18.608 +\ ==> Crypt (shrK B) {|Agent A, Nonce NA, nb|} \\<in> parts (knows Spy evs) --> \
18.609 +\ B \\<notin> bad --> \
18.610 \ Says B Server {|Agent B, Crypt (shrK B) {|Agent A, Nonce NA, nb|}|} \
18.611 -\ : set evs";
18.612 +\ \\<in> set evs";
18.613 by (parts_induct_tac 1);
18.614 by (Fake_parts_insert_tac 1);
18.615 bind_thm ("B_Said_YM2", result() RSN (2, rev_mp) RS mp);
18.616
18.617 (*If the server sends YM3 then B sent YM2*)
18.618 -Goal "evs : yahalom \
18.619 +Goal "evs \\<in> yahalom \
18.620 \ ==> Says Server A {|Crypt (shrK A) {|Agent B, Key K, Nonce NA, nb|}, X|} \
18.621 -\ : set evs --> \
18.622 -\ B ~: bad --> \
18.623 +\ \\<in> set evs --> \
18.624 +\ B \\<notin> bad --> \
18.625 \ Says B Server {|Agent B, Crypt (shrK B) {|Agent A, Nonce NA, nb|}|} \
18.626 -\ : set evs";
18.627 +\ \\<in> set evs";
18.628 by (etac yahalom.induct 1);
18.629 by (ALLGOALS Asm_simp_tac);
18.630 (*YM4*)
18.631 by (Blast_tac 2);
18.632 -(*YM3 [blast_tac is 50% slower] *)
18.633 -by (best_tac (claset() addSDs [B_Said_YM2, Says_imp_knows_Spy RS parts.Inj]
18.634 - addSEs [MPair_parts]) 1);
18.635 +(*YM3*)
18.636 +by (blast_tac (claset() addSDs [B_Said_YM2,
18.637 + Says_imp_knows_Spy RS parts.Inj]) 1);
18.638 val lemma = result() RSN (2, rev_mp) RS mp |> standard;
18.639
18.640 (*If A receives YM3 then B has used nonce NA (and therefore is alive)*)
18.641 Goal "[| Gets A {|Crypt (shrK A) {|Agent B, Key K, Nonce NA, nb|}, X|} \
18.642 -\ : set evs; \
18.643 -\ A ~: bad; B ~: bad; evs : yahalom |] \
18.644 +\ \\<in> set evs; \
18.645 +\ A \\<notin> bad; B \\<notin> bad; evs \\<in> yahalom |] \
18.646 \==> Says B Server {|Agent B, Crypt (shrK B) {|Agent A, Nonce NA, nb|}|} \
18.647 -\ : set evs";
18.648 +\ \\<in> set evs";
18.649 by (blast_tac (claset() addSDs [A_trusts_YM3, lemma]
18.650 addEs knows_Spy_partsEs) 1);
18.651 qed "YM3_auth_B_to_A";
18.652 @@ -597,12 +589,12 @@
18.653 (*Assuming the session key is secure, if both certificates are present then
18.654 A has said NB. We can't be sure about the rest of A's message, but only
18.655 NB matters for freshness.*)
18.656 -Goal "evs : yahalom \
18.657 -\ ==> Key K ~: analz (knows Spy evs) --> \
18.658 -\ Crypt K (Nonce NB) : parts (knows Spy evs) --> \
18.659 -\ Crypt (shrK B) {|Agent A, Key K|} : parts (knows Spy evs) --> \
18.660 -\ B ~: bad --> \
18.661 -\ (EX X. Says A B {|X, Crypt K (Nonce NB)|} : set evs)";
18.662 +Goal "evs \\<in> yahalom \
18.663 +\ ==> Key K \\<notin> analz (knows Spy evs) --> \
18.664 +\ Crypt K (Nonce NB) \\<in> parts (knows Spy evs) --> \
18.665 +\ Crypt (shrK B) {|Agent A, Key K|} \\<in> parts (knows Spy evs) --> \
18.666 +\ B \\<notin> bad --> \
18.667 +\ (\\<exists>X. Says A B {|X, Crypt K (Nonce NB)|} \\<in> set evs)";
18.668 by (parts_induct_tac 1);
18.669 (*Fake*)
18.670 by (Fake_parts_insert_tac 1);
18.671 @@ -611,30 +603,24 @@
18.672 (*YM4: was Crypt K (Nonce NB) the very last message? If not, use ind. hyp.*)
18.673 by (asm_simp_tac (simpset() addsimps [ex_disj_distrib]) 1);
18.674 (*yes: apply unicity of session keys*)
18.675 -by (g_not_bad_tac "Aa" 1);
18.676 -by (blast_tac (claset() addSEs [MPair_parts]
18.677 - addSDs [A_trusts_YM3, B_trusts_YM4_shrK]
18.678 - addDs [Says_imp_knows_Spy RS parts.Inj,
18.679 - unique_session_keys]) 1);
18.680 +by (blast_tac (claset() addSDs [Gets_imp_Says, A_trusts_YM3, B_trusts_YM4_shrK,
18.681 + Crypt_Spy_analz_bad]
18.682 + addDs [Says_imp_knows_Spy RS parts.Inj,
18.683 + Says_imp_spies RS analz.Inj, unique_session_keys]) 1);
18.684 qed_spec_mp "A_Said_YM3_lemma";
18.685
18.686 (*If B receives YM4 then A has used nonce NB (and therefore is alive).
18.687 Moreover, A associates K with NB (thus is talking about the same run).
18.688 Other premises guarantee secrecy of K.*)
18.689 Goal "[| Gets B {|Crypt (shrK B) {|Agent A, Key K|}, \
18.690 -\ Crypt K (Nonce NB)|} : set evs; \
18.691 +\ Crypt K (Nonce NB)|} \\<in> set evs; \
18.692 \ Says B Server \
18.693 \ {|Agent B, Crypt (shrK B) {|Agent A, Nonce NA, Nonce NB|}|} \
18.694 -\ : set evs; \
18.695 -\ (ALL NA k. Notes Spy {|Nonce NA, Nonce NB, k|} ~: set evs); \
18.696 -\ A ~: bad; B ~: bad; evs : yahalom |] \
18.697 -\ ==> EX X. Says A B {|X, Crypt K (Nonce NB)|} : set evs";
18.698 -by (ftac B_trusts_YM4 1);
18.699 -by (REPEAT_FIRST (eresolve_tac [asm_rl, spec]));
18.700 -by (etac (Gets_imp_knows_Spy RS parts.Inj RS MPair_parts) 1 THEN assume_tac 1);
18.701 -by (rtac A_Said_YM3_lemma 1);
18.702 -by (rtac Spy_not_see_encrypted_key 2);
18.703 -by (REPEAT_FIRST assume_tac);
18.704 -by (blast_tac (claset() addSEs [MPair_parts]
18.705 - addDs [Says_imp_knows_Spy RS parts.Inj]) 1);
18.706 +\ \\<in> set evs; \
18.707 +\ (\\<forall>NA k. Notes Spy {|Nonce NA, Nonce NB, k|} \\<notin> set evs); \
18.708 +\ A \\<notin> bad; B \\<notin> bad; evs \\<in> yahalom |] \
18.709 +\ ==> \\<exists>X. Says A B {|X, Crypt K (Nonce NB)|} \\<in> set evs";
18.710 +by (blast_tac (claset() addSIs [A_Said_YM3_lemma]
18.711 + addDs [Spy_not_see_encrypted_key, B_trusts_YM4,
18.712 + Gets_imp_Says, Says_imp_knows_Spy RS parts.Inj]) 1);
18.713 qed_spec_mp "YM4_imp_A_Said_YM3";
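Review bot: The comment `(*yes: apply unicity of session keys*)` in A_Said_YM3_lemma now sits above a single `blast_tac` that also replaces the removed `g_not_bad_tac "Aa"` step, so it describes only part of what the call does. The added `Crypt_Spy_analz_bad` and `Says_imp_spies RS analz.Inj` presumably carry out the case split on whether Aa is bad, using the secrecy of K. I would extend the comment to `(*yes: Aa is not bad because K is secret (Crypt_Spy_analz_bad); then apply unicity of session keys*)`.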
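--- a/src/HOL/Auth/Yahalom.thy Tue Feb 27 12:28:42 2001 +0100
+++ b/src/HOL/Auth/Yahalom.thy Tue Feb 27 16:13:23 2001 +0100
@@ -16,65 +16,65 @@
 inductive "yahalom"
 intrs
 (*Initial trace is empty*)
- Nil "[]: yahalom"
+ Nil "[] \\<in> yahalom"
 
 (*The spy MAY say anything he CAN say. We do not expect him to
 invent new nonces here, but he can also use NS1. Common to
 all similar protocols.*)
- Fake "[| evs: yahalom; X: synth (analz (knows Spy evs)) |]
- ==> Says Spy B X # evs : yahalom"
+ Fake "[| evsf \\<in> yahalom; X \\<in> synth (analz (knows Spy evsf)) |]
+ ==> Says Spy B X # evsf \\<in> yahalom"
 
 (*A message that has been sent can be received by the
 intended recipient.*)
- Reception "[| evsr: yahalom; Says A B X : set evsr |]
- ==> Gets B X # evsr : yahalom"
+ Reception "[| evsr \\<in> yahalom; Says A B X \\<in> set evsr |]
+ ==> Gets B X # evsr \\<in> yahalom"
 
 (*Alice initiates a protocol run*)
- YM1 "[| evs1: yahalom; Nonce NA ~: used evs1 |]
- ==> Says A B {|Agent A, Nonce NA|} # evs1 : yahalom"
+ YM1 "[| evs1 \\<in> yahalom; Nonce NA \\<notin> used evs1 |]
+ ==> Says A B {|Agent A, Nonce NA|} # evs1 \\<in> yahalom"
 
 (*Bob's response to Alice's message.*)
- YM2 "[| evs2: yahalom; Nonce NB ~: used evs2;
- Gets B {|Agent A, Nonce NA|} : set evs2 |]
+ YM2 "[| evs2 \\<in> yahalom; Nonce NB \\<notin> used evs2;
+ Gets B {|Agent A, Nonce NA|} \\<in> set evs2 |]
 ==> Says B Server
 {|Agent B, Crypt (shrK B) {|Agent A, Nonce NA, Nonce NB|}|}
- # evs2 : yahalom"
+ # evs2 \\<in> yahalom"
 
 (*The Server receives Bob's message. He responds by sending a
 new session key to Alice, with a packet for forwarding to Bob.*)
- YM3 "[| evs3: yahalom; Key KAB ~: used evs3;
+ YM3 "[| evs3 \\<in> yahalom; Key KAB \\<notin> used evs3;
 Gets Server
 {|Agent B, Crypt (shrK B) {|Agent A, Nonce NA, Nonce NB|}|}
- : set evs3 |]
+ \\<in> set evs3 |]
 ==> Says Server A
 {|Crypt (shrK A) {|Agent B, Key KAB, Nonce NA, Nonce NB|},
 Crypt (shrK B) {|Agent A, Key KAB|}|}
- # evs3 : yahalom"
+ # evs3 \\<in> yahalom"
 
 (*Alice receives the Server's (?) message, checks her Nonce, and
 uses the new session key to send Bob his Nonce. The premise
- A ~= Server is needed to prove Says_Server_not_range.*)
- YM4 "[| evs4: yahalom; A ~= Server;
+ A \\<noteq> Server is needed to prove Says_Server_not_range.*)
+ YM4 "[| evs4 \\<in> yahalom; A \\<noteq> Server;
 Gets A {|Crypt(shrK A) {|Agent B, Key K, Nonce NA, Nonce NB|}, X|}
- : set evs4;
- Says A B {|Agent A, Nonce NA|} : set evs4 |]
- ==> Says A B {|X, Crypt K (Nonce NB)|} # evs4 : yahalom"
+ \\<in> set evs4;
+ Says A B {|Agent A, Nonce NA|} \\<in> set evs4 |]
+ ==> Says A B {|X, Crypt K (Nonce NB)|} # evs4 \\<in> yahalom"
 
 (*This message models possible leaks of session keys. The Nonces
 identify the protocol run. Quoting Server here ensures they are
 correct.*)
- Oops "[| evso: yahalom;
+ Oops "[| evso \\<in> yahalom;
 Says Server A {|Crypt (shrK A)
 {|Agent B, Key K, Nonce NA, Nonce NB|},
- X|} : set evso |]
- ==> Notes Spy {|Nonce NA, Nonce NB, Key K|} # evso : yahalom"
+ X|} \\<in> set evso |]
+ ==> Notes Spy {|Nonce NA, Nonce NB, Key K|} # evso \\<in> yahalom"
 
 
 constdefs
 KeyWithNonce :: [key, nat, event list] => bool
 "KeyWithNonce K NB evs ==
- EX A B na X.
+ \\<exists>A B na X.
 Says Server A {|Crypt (shrK A) {|Agent B, Key K, na, Nonce NB|}, X|}
- : set evs"
+ \\<in> set evs"
 
 end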
20.1 --- a/src/HOL/Auth/Yahalom2.ML Tue Feb 27 12:28:42 2001 +0100
20.2 +++ b/src/HOL/Auth/Yahalom2.ML Tue Feb 27 16:13:23 2001 +0100
20.3 @@ -17,8 +17,8 @@
20.4
20.5
20.6 (*A "possibility property": there are traces that reach the end*)
20.7 -Goal "EX X NB K. EX evs: yahalom. \
20.8 -\ Says A B {|X, Crypt K (Nonce NB)|} : set evs";
20.9 +Goal "\\<exists>X NB K. \\<exists>evs \\<in> yahalom. \
20.10 +\ Says A B {|X, Crypt K (Nonce NB)|} \\<in> set evs";
20.11 by (REPEAT (resolve_tac [exI,bexI] 1));
20.12 by (rtac (yahalom.Nil RS
20.13 yahalom.YM1 RS yahalom.Reception RS
20.14 @@ -27,14 +27,14 @@
20.15 by possibility_tac;
20.16 result();
20.17
20.18 -Goal "[| Gets B X : set evs; evs : yahalom |] ==> EX A. Says A B X : set evs";
20.19 +Goal "[| Gets B X \\<in> set evs; evs \\<in> yahalom |] ==> \\<exists>A. Says A B X \\<in> set evs";
20.20 by (etac rev_mp 1);
20.21 by (etac yahalom.induct 1);
20.22 by Auto_tac;
20.23 qed "Gets_imp_Says";
20.24
20.25 (*Must be proved separately for each protocol*)
20.26 -Goal "[| Gets B X : set evs; evs : yahalom |] ==> X : knows Spy evs";
20.27 +Goal "[| Gets B X \\<in> set evs; evs \\<in> yahalom |] ==> X \\<in> knows Spy evs";
20.28 by (blast_tac (claset() addSDs [Gets_imp_Says, Says_imp_knows_Spy]) 1);
20.29 qed"Gets_imp_knows_Spy";
20.30 AddDs [Gets_imp_knows_Spy RS parts.Inj];
20.31 @@ -45,8 +45,8 @@
20.32 (** For reasoning about the encrypted portion of messages **)
20.33
20.34 (*Lets us treat YM4 using a similar argument as for the Fake case.*)
20.35 -Goal "[| Gets A {|NB, Crypt (shrK A) Y, X|} : set evs; evs : yahalom |] \
20.36 -\ ==> X : analz (knows Spy evs)";
20.37 +Goal "[| Gets A {|NB, Crypt (shrK A) Y, X|} \\<in> set evs; evs \\<in> yahalom |] \
20.38 +\ ==> X \\<in> analz (knows Spy evs)";
20.39 by (blast_tac (claset() addSDs [Gets_imp_knows_Spy RS analz.Inj]) 1);
20.40 qed "YM4_analz_knows_Spy";
20.41
20.42 @@ -54,13 +54,13 @@
20.43 YM4_analz_knows_Spy RS (impOfSubs analz_subset_parts));
20.44
20.45 (*For Oops*)
20.46 -Goal "Says Server A {|NB, Crypt (shrK A) {|B,K,NA|}, X|} : set evs \
20.47 -\ ==> K : parts (knows Spy evs)";
20.48 +Goal "Says Server A {|NB, Crypt (shrK A) {|B,K,NA|}, X|} \\<in> set evs \
20.49 +\ ==> K \\<in> parts (knows Spy evs)";
20.50 by (blast_tac (claset() addSDs [parts.Body,
20.51 Says_imp_knows_Spy RS parts.Inj]) 1);
20.52 qed "YM4_Key_parts_knows_Spy";
20.53
20.54 -(*For proving the easier theorems about X ~: parts (knows Spy evs).*)
20.55 +(*For proving the easier theorems about X \\<notin> parts (knows Spy evs).*)
20.56 fun parts_knows_Spy_tac i =
20.57 EVERY
20.58 [ftac YM4_Key_parts_knows_Spy (i+7),
20.59 @@ -68,7 +68,7 @@
20.60 prove_simple_subgoals_tac i];
20.61
20.62 (*Induction for regularity theorems. If induction formula has the form
20.63 - X ~: analz (knows Spy evs) --> ... then it shortens the proof by discarding
20.64 + X \\<notin> analz (knows Spy evs) --> ... then it shortens the proof by discarding
20.65 needless information about analz (insert X (knows Spy evs)) *)
20.66 fun parts_induct_tac i =
20.67 etac yahalom.induct i
20.68 @@ -77,17 +77,17 @@
20.69 THEN parts_knows_Spy_tac i;
20.70
20.71
20.72 -(** Theorems of the form X ~: parts (knows Spy evs) imply that NOBODY
20.73 +(** Theorems of the form X \\<notin> parts (knows Spy evs) imply that NOBODY
20.74 sends messages containing X! **)
20.75
20.76 (*Spy never sees another agent's shared key! (unless it's bad at start)*)
20.77 -Goal "evs : yahalom ==> (Key (shrK A) : parts (knows Spy evs)) = (A : bad)";
20.78 +Goal "evs \\<in> yahalom ==> (Key (shrK A) \\<in> parts (knows Spy evs)) = (A \\<in> bad)";
20.79 by (parts_induct_tac 1);
20.80 by (ALLGOALS Blast_tac);
20.81 qed "Spy_see_shrK";
20.82 Addsimps [Spy_see_shrK];
20.83
20.84 -Goal "evs : yahalom ==> (Key (shrK A) : analz (knows Spy evs)) = (A : bad)";
20.85 +Goal "evs \\<in> yahalom ==> (Key (shrK A) \\<in> analz (knows Spy evs)) = (A \\<in> bad)";
20.86 by Auto_tac;
20.87 qed "Spy_analz_shrK";
20.88 Addsimps [Spy_analz_shrK];
20.89 @@ -97,8 +97,8 @@
20.90
20.91
20.92 (*Nobody can have used non-existent keys! Needed to apply analz_insert_Key*)
20.93 -Goal "evs : yahalom ==> \
20.94 -\ Key K ~: used evs --> K ~: keysFor (parts (knows Spy evs))";
20.95 +Goal "evs \\<in> yahalom ==> \
20.96 +\ Key K \\<notin> used evs --> K \\<notin> keysFor (parts (knows Spy evs))";
20.97 by (parts_induct_tac 1);
20.98 (*YM4: Key K is not fresh!*)
20.99 by (Blast_tac 3);
20.100 @@ -107,19 +107,20 @@
20.101 (*Fake*)
20.102 by (blast_tac (claset() addSDs [keysFor_parts_insert]) 1);
20.103 qed_spec_mp "new_keys_not_used";
20.104 +Addsimps [new_keys_not_used];
20.105
20.106 +(*Earlier, ALL protocol proofs declared this theorem.
20.107 + But Yahalom and Kerberos IV are the only ones that need it!*)
20.108 bind_thm ("new_keys_not_analzd",
20.109 [analz_subset_parts RS keysFor_mono,
20.110 new_keys_not_used] MRS contra_subsetD);
20.111
20.112 -Addsimps [new_keys_not_used, new_keys_not_analzd];
20.113 -
20.114 (*Describes the form of K when the Server sends this message. Useful for
20.115 Oops as well as main secrecy property.*)
20.116 Goal "[| Says Server A {|nb', Crypt (shrK A) {|Agent B, Key K, na|}, X|} \
20.117 -\ : set evs; \
20.118 -\ evs : yahalom |] \
20.119 -\ ==> K ~: range shrK";
20.120 +\ \\<in> set evs; \
20.121 +\ evs \\<in> yahalom |] \
20.122 +\ ==> K \\<notin> range shrK";
20.123 by (etac rev_mp 1);
20.124 by (etac yahalom.induct 1);
20.125 by (ALLGOALS Asm_simp_tac);
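Review bot: The added comment says that earlier all protocol proofs "declared" new_keys_not_analzd, but not declared as what, and it does not mention that this hunk is what stops declaring it: `Addsimps` now lists only `new_keys_not_used`. Wording such as `(*Earlier, ALL protocol proofs declared this theorem as a default simprule. But Yahalom and Kerberos IV are the only ones that need it, so it is now passed to the simplifier explicitly where required.*)` would make the consequence clear. In this file the explicit use is visible in a later hunk, where `new_keys_not_analzd` is added to the `asm_simp_tac` rules of the session-key secrecy lemma. A proof that relied on the old default should fail to replay rather than change meaning, but it is worth confirming that every theory in the session was rebuilt. The proof at the end of the hunk continues outside it.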
20.126 @@ -137,8 +138,8 @@
20.127 (****
20.128 The following is to prove theorems of the form
20.129
20.130 - Key K : analz (insert (Key KAB) (knows Spy evs)) ==>
20.131 - Key K : analz (knows Spy evs)
20.132 + Key K \\<in> analz (insert (Key KAB) (knows Spy evs)) ==>
20.133 + Key K \\<in> analz (knows Spy evs)
20.134
20.135 A more general formula must be proved inductively.
20.136
20.137 @@ -146,10 +147,10 @@
20.138
20.139 (** Session keys are not used to encrypt other session keys **)
20.140
20.141 -Goal "evs : yahalom ==> \
20.142 -\ ALL K KK. KK <= - (range shrK) --> \
20.143 -\ (Key K : analz (Key`KK Un (knows Spy evs))) = \
20.144 -\ (K : KK | Key K : analz (knows Spy evs))";
20.145 +Goal "evs \\<in> yahalom ==> \
20.146 +\ \\<forall>K KK. KK <= - (range shrK) --> \
20.147 +\ (Key K \\<in> analz (Key`KK Un (knows Spy evs))) = \
20.148 +\ (K \\<in> KK | Key K \\<in> analz (knows Spy evs))";
20.149 by (etac yahalom.induct 1);
20.150 by analz_knows_Spy_tac;
20.151 by (REPEAT_FIRST (resolve_tac [allI, impI]));
20.152 @@ -159,9 +160,9 @@
20.153 by (spy_analz_tac 1);
20.154 qed_spec_mp "analz_image_freshK";
20.155
20.156 -Goal "[| evs : yahalom; KAB ~: range shrK |] ==> \
20.157 -\ Key K : analz (insert (Key KAB) (knows Spy evs)) = \
20.158 -\ (K = KAB | Key K : analz (knows Spy evs))";
20.159 +Goal "[| evs \\<in> yahalom; KAB \\<notin> range shrK |] ==> \
20.160 +\ Key K \\<in> analz (insert (Key KAB) (knows Spy evs)) = \
20.161 +\ (K = KAB | Key K \\<in> analz (knows Spy evs))";
20.162 by (asm_simp_tac (analz_image_freshK_ss addsimps [analz_image_freshK]) 1);
20.163 qed "analz_insert_freshK";
20.164
20.165 @@ -169,10 +170,10 @@
20.166 (*** The Key K uniquely identifies the Server's message. **)
20.167
20.168 Goal "[| Says Server A \
20.169 -\ {|nb, Crypt (shrK A) {|Agent B, Key K, na|}, X|} : set evs; \
20.170 +\ {|nb, Crypt (shrK A) {|Agent B, Key K, na|}, X|} \\<in> set evs; \
20.171 \ Says Server A' \
20.172 -\ {|nb', Crypt (shrK A') {|Agent B', Key K, na'|}, X'|} : set evs; \
20.173 -\ evs : yahalom |] \
20.174 +\ {|nb', Crypt (shrK A') {|Agent B', Key K, na'|}, X'|} \\<in> set evs; \
20.175 +\ evs \\<in> yahalom |] \
20.176 \ ==> A=A' & B=B' & na=na' & nb=nb'";
20.177 by (etac rev_mp 1);
20.178 by (etac rev_mp 1);
20.179 @@ -185,23 +186,23 @@
20.180
20.181 (** Crucial secrecy property: Spy does not see the keys sent in msg YM3 **)
20.182
20.183 -Goal "[| A ~: bad; B ~: bad; evs : yahalom |] \
20.184 +Goal "[| A \\<notin> bad; B \\<notin> bad; evs \\<in> yahalom |] \
20.185 \ ==> Says Server A \
20.186 \ {|nb, Crypt (shrK A) {|Agent B, Key K, na|}, \
20.187 \ Crypt (shrK B) {|Agent A, Agent B, Key K, nb|}|} \
20.188 -\ : set evs --> \
20.189 -\ Notes Spy {|na, nb, Key K|} ~: set evs --> \
20.190 -\ Key K ~: analz (knows Spy evs)";
20.191 +\ \\<in> set evs --> \
20.192 +\ Notes Spy {|na, nb, Key K|} \\<notin> set evs --> \
20.193 +\ Key K \\<notin> analz (knows Spy evs)";
20.194 by (etac yahalom.induct 1);
20.195 by analz_knows_Spy_tac;
20.196 by (ALLGOALS
20.197 (asm_simp_tac
20.198 (simpset() addsimps split_ifs
20.199 - addsimps [analz_insert_eq, analz_insert_freshK])));
20.200 + addsimps [new_keys_not_analzd, analz_insert_eq,
20.201 + analz_insert_freshK])));
20.202 (*Oops*)
20.203 by (blast_tac (claset() addDs [unique_session_keys]) 3);
20.204 -(*YM3: delete a useless induction hypothesis*)
20.205 -by (thin_tac "?P-->?Q" 2);
20.206 +(*YM3*)
20.207 by (Blast_tac 2);
20.208 (*Fake*)
20.209 by (spy_analz_tac 1);
20.210 @@ -212,12 +213,11 @@
20.211 Goal "[| Says Server A \
20.212 \ {|nb, Crypt (shrK A) {|Agent B, Key K, na|}, \
20.213 \ Crypt (shrK B) {|Agent A, Agent B, Key K, nb|}|} \
20.214 -\ : set evs; \
20.215 -\ Notes Spy {|na, nb, Key K|} ~: set evs; \
20.216 -\ A ~: bad; B ~: bad; evs : yahalom |] \
20.217 -\ ==> Key K ~: analz (knows Spy evs)";
20.218 -by (ftac Says_Server_message_form 1 THEN assume_tac 1);
20.219 -by (blast_tac (claset() addSEs [lemma]) 1);
20.220 +\ \\<in> set evs; \
20.221 +\ Notes Spy {|na, nb, Key K|} \\<notin> set evs; \
20.222 +\ A \\<notin> bad; B \\<notin> bad; evs \\<in> yahalom |] \
20.223 +\ ==> Key K \\<notin> analz (knows Spy evs)";
20.224 +by (blast_tac (claset() addSEs [lemma] addDs [Says_Server_message_form]) 1);
20.225 qed "Spy_not_see_encrypted_key";
20.226
20.227
20.228 @@ -226,22 +226,22 @@
20.229 (*If the encrypted message appears then it originated with the Server.
20.230 May now apply Spy_not_see_encrypted_key, subject to its conditions.*)
20.231 Goal "[| Crypt (shrK A) {|Agent B, Key K, na|} \
20.232 -\ : parts (knows Spy evs); \
20.233 -\ A ~: bad; evs : yahalom |] \
20.234 -\ ==> EX nb. Says Server A \
20.235 +\ \\<in> parts (knows Spy evs); \
20.236 +\ A \\<notin> bad; evs \\<in> yahalom |] \
20.237 +\ ==> \\<exists>nb. Says Server A \
20.238 \ {|nb, Crypt (shrK A) {|Agent B, Key K, na|}, \
20.239 \ Crypt (shrK B) {|Agent A, Agent B, Key K, nb|}|} \
20.240 -\ : set evs";
20.241 +\ \\<in> set evs";
20.242 by (etac rev_mp 1);
20.243 by (parts_induct_tac 1);
20.244 by (ALLGOALS Blast_tac);
20.245 qed "A_trusts_YM3";
20.246
20.247 (*The obvious combination of A_trusts_YM3 with Spy_not_see_encrypted_key*)
20.248 -Goal "[| Crypt (shrK A) {|Agent B, Key K, na|} : parts (knows Spy evs); \
20.249 -\ ALL nb. Notes Spy {|na, nb, Key K|} ~: set evs; \
20.250 -\ A ~: bad; B ~: bad; evs : yahalom |] \
20.251 -\ ==> Key K ~: analz (knows Spy evs)";
20.252 +Goal "[| Crypt (shrK A) {|Agent B, Key K, na|} \\<in> parts (knows Spy evs); \
20.253 +\ \\<forall>nb. Notes Spy {|na, nb, Key K|} \\<notin> set evs; \
20.254 +\ A \\<notin> bad; B \\<notin> bad; evs \\<in> yahalom |] \
20.255 +\ ==> Key K \\<notin> analz (knows Spy evs)";
20.256 by (blast_tac (claset() addSDs [A_trusts_YM3, Spy_not_see_encrypted_key]) 1);
20.257 qed "A_gets_good_key";
20.258
20.259 @@ -251,13 +251,13 @@
20.260 (*B knows, by the first part of A's message, that the Server distributed
20.261 the key for A and B, and has associated it with NB.*)
20.262 Goal "[| Crypt (shrK B) {|Agent A, Agent B, Key K, Nonce NB|} \
20.263 -\ : parts (knows Spy evs); \
20.264 -\ B ~: bad; evs : yahalom |] \
20.265 -\ ==> EX NA. Says Server A \
20.266 +\ \\<in> parts (knows Spy evs); \
20.267 +\ B \\<notin> bad; evs \\<in> yahalom |] \
20.268 +\ ==> \\<exists>NA. Says Server A \
20.269 \ {|Nonce NB, \
20.270 \ Crypt (shrK A) {|Agent B, Key K, Nonce NA|}, \
20.271 \ Crypt (shrK B) {|Agent A, Agent B, Key K, Nonce NB|}|} \
20.272 -\ : set evs";
20.273 +\ \\<in> set evs";
20.274 by (etac rev_mp 1);
20.275 by (parts_induct_tac 1);
20.276 by (ALLGOALS Blast_tac);
20.277 @@ -271,13 +271,13 @@
20.278 because we do not have to show that NB is secret. *)
20.279 Goal "[| Gets B {|Crypt (shrK B) {|Agent A, Agent B, Key K, Nonce NB|}, \
20.280 \ X|} \
20.281 -\ : set evs; \
20.282 -\ A ~: bad; B ~: bad; evs : yahalom |] \
20.283 -\ ==> EX NA. Says Server A \
20.284 +\ \\<in> set evs; \
20.285 +\ A \\<notin> bad; B \\<notin> bad; evs \\<in> yahalom |] \
20.286 +\ ==> \\<exists>NA. Says Server A \
20.287 \ {|Nonce NB, \
20.288 \ Crypt (shrK A) {|Agent B, Key K, Nonce NA|}, \
20.289 \ Crypt (shrK B) {|Agent A, Agent B, Key K, Nonce NB|}|} \
20.290 -\ : set evs";
20.291 +\ \\<in> set evs";
20.292 by (blast_tac (claset() addSDs [B_trusts_YM4_shrK]) 1);
20.293 qed "B_trusts_YM4";
20.294
20.295 @@ -285,10 +285,10 @@
20.296 (*The obvious combination of B_trusts_YM4 with Spy_not_see_encrypted_key*)
20.297 Goal "[| Gets B {|Crypt (shrK B) {|Agent A, Agent B, Key K, Nonce NB|}, \
20.298 \ X|} \
20.299 -\ : set evs; \
20.300 -\ ALL na. Notes Spy {|na, Nonce NB, Key K|} ~: set evs; \
20.301 -\ A ~: bad; B ~: bad; evs : yahalom |] \
20.302 -\ ==> Key K ~: analz (knows Spy evs)";
20.303 +\ \\<in> set evs; \
20.304 +\ \\<forall>na. Notes Spy {|na, Nonce NB, Key K|} \\<notin> set evs; \
20.305 +\ A \\<notin> bad; B \\<notin> bad; evs \\<in> yahalom |] \
20.306 +\ ==> Key K \\<notin> analz (knows Spy evs)";
20.307 by (blast_tac (claset() addSDs [B_trusts_YM4, Spy_not_see_encrypted_key]) 1);
20.308 qed "B_gets_good_key";
20.309
20.310 @@ -297,11 +297,11 @@
20.311 (*** Authenticating B to A ***)
20.312
20.313 (*The encryption in message YM2 tells us it cannot be faked.*)
20.314 -Goal "[| Crypt (shrK B) {|Agent A, Nonce NA|} : parts (knows Spy evs); \
20.315 -\ B ~: bad; evs : yahalom \
20.316 -\ |] ==> EX NB. Says B Server {|Agent B, Nonce NB, \
20.317 +Goal "[| Crypt (shrK B) {|Agent A, Nonce NA|} \\<in> parts (knows Spy evs); \
20.318 +\ B \\<notin> bad; evs \\<in> yahalom \
20.319 +\ |] ==> \\<exists>NB. Says B Server {|Agent B, Nonce NB, \
20.320 \ Crypt (shrK B) {|Agent A, Nonce NA|}|} \
20.321 -\ : set evs";
20.322 +\ \\<in> set evs";
20.323 by (etac rev_mp 1);
20.324 by (etac rev_mp 1);
20.325 by (parts_induct_tac 1);
20.326 @@ -312,11 +312,11 @@
20.327 (*If the server sends YM3 then B sent YM2, perhaps with a different NB*)
20.328 Goal "[| Says Server A \
20.329 \ {|nb, Crypt (shrK A) {|Agent B, Key K, Nonce NA|}, X|} \
20.330 -\ : set evs; \
20.331 -\ B ~: bad; evs : yahalom \
20.332 -\ |] ==> EX nb'. Says B Server {|Agent B, nb', \
20.333 +\ \\<in> set evs; \
20.334 +\ B \\<notin> bad; evs \\<in> yahalom \
20.335 +\ |] ==> \\<exists>nb'. Says B Server {|Agent B, nb', \
20.336 \ Crypt (shrK B) {|Agent A, Nonce NA|}|} \
20.337 -\ : set evs";
20.338 +\ \\<in> set evs";
20.339 by (etac rev_mp 1);
20.340 by (etac rev_mp 1);
20.341 by (etac yahalom.induct 1);
20.342 @@ -329,11 +329,11 @@
20.343
20.344 (*If A receives YM3 then B has used nonce NA (and therefore is alive)*)
20.345 Goal "[| Gets A {|nb, Crypt (shrK A) {|Agent B, Key K, Nonce NA|}, X|} \
20.346 -\ : set evs; \
20.347 -\ A ~: bad; B ~: bad; evs : yahalom |] \
20.348 -\==> EX nb'. Says B Server \
20.349 +\ \\<in> set evs; \
20.350 +\ A \\<notin> bad; B \\<notin> bad; evs \\<in> yahalom |] \
20.351 +\==> \\<exists>nb'. Says B Server \
20.352 \ {|Agent B, nb', Crypt (shrK B) {|Agent A, Nonce NA|}|} \
20.353 -\ : set evs";
20.354 +\ \\<in> set evs";
20.355 by (blast_tac (claset() addSDs [A_trusts_YM3, lemma]) 1);
20.356 qed "YM3_auth_B_to_A";
20.357
20.358 @@ -342,15 +342,15 @@
20.359
20.360 (*Assuming the session key is secure, if both certificates are present then
20.361 A has said NB. We can't be sure about the rest of A's message, but only
20.362 - NB matters for freshness. Note that Key K ~: analz (knows Spy evs) must be
20.363 + NB matters for freshness. Note that Key K \\<notin> analz (knows Spy evs) must be
20.364 the FIRST antecedent of the induction formula.*)
20.365 -Goal "evs : yahalom \
20.366 -\ ==> Key K ~: analz (knows Spy evs) --> \
20.367 -\ Crypt K (Nonce NB) : parts (knows Spy evs) --> \
20.368 +Goal "evs \\<in> yahalom \
20.369 +\ ==> Key K \\<notin> analz (knows Spy evs) --> \
20.370 +\ Crypt K (Nonce NB) \\<in> parts (knows Spy evs) --> \
20.371 \ Crypt (shrK B) {|Agent A, Agent B, Key K, Nonce NB|} \
20.372 -\ : parts (knows Spy evs) --> \
20.373 -\ B ~: bad --> \
20.374 -\ (EX X. Says A B {|X, Crypt K (Nonce NB)|} : set evs)";
20.375 +\ \\<in> parts (knows Spy evs) --> \
20.376 +\ B \\<notin> bad --> \
20.377 +\ (\\<exists>X. Says A B {|X, Crypt K (Nonce NB)|} \\<in> set evs)";
20.378 by (parts_induct_tac 1);
20.379 (*Fake*)
20.380 by (Blast_tac 1);
20.381 @@ -358,12 +358,10 @@
20.382 by (force_tac (claset() addSDs [Crypt_imp_keysFor], simpset()) 1);
20.383 (*YM4: was Crypt K (Nonce NB) the very last message? If not, use ind. hyp.*)
20.384 by (asm_simp_tac (simpset() addsimps [ex_disj_distrib]) 1);
20.385 -(*yes: delete a useless induction hypothesis; apply unicity of session keys*)
20.386 -by (thin_tac "?P-->?Q" 1);
20.387 -by (dtac Gets_imp_Says 1 THEN assume_tac 1);
20.388 -by (not_bad_tac "Aa" 1);
20.389 -by (blast_tac (claset() addSDs [A_trusts_YM3, B_trusts_YM4_shrK]
20.390 - addDs [unique_session_keys]) 1);
20.391 +(*Yes: apply unicity of session keys. [Ind. hyp. no longer needed!]*)
20.392 +by (blast_tac (claset() addSDs [Gets_imp_Says, A_trusts_YM3, B_trusts_YM4_shrK,
20.393 + Crypt_Spy_analz_bad]
20.394 + addDs [Says_imp_spies RS analz.Inj, unique_session_keys]) 1);
20.395 qed_spec_mp "Auth_A_to_B_lemma";
20.396
20.397
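Review bot: The rewritten YM4 step at 20.391–20.394 no longer says why the sender is honest: the removed `not_bad_tac "Aa"` step is replaced by `Crypt_Spy_analz_bad` inside a single `blast_tac`, and the only comment concerns the induction hypothesis. A short comment above the call would keep the security argument readable, for example `(*A is uncompromised, else the Spy could open A's certificate and learn K*)`. That reading of `Crypt_Spy_analz_bad` is inferred from its name and its use here, so check it against the rule's statement. The proof of Auth_A_to_B_lemma begins in the preceding hunk.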
20.398 @@ -371,12 +369,10 @@
20.399 Moreover, A associates K with NB (thus is talking about the same run).
20.400 Other premises guarantee secrecy of K.*)
20.401 Goal "[| Gets B {|Crypt (shrK B) {|Agent A, Agent B, Key K, Nonce NB|}, \
20.402 -\ Crypt K (Nonce NB)|} : set evs; \
20.403 -\ (ALL NA. Notes Spy {|Nonce NA, Nonce NB, Key K|} ~: set evs); \
20.404 -\ A ~: bad; B ~: bad; evs : yahalom |] \
20.405 -\ ==> EX X. Says A B {|X, Crypt K (Nonce NB)|} : set evs";
20.406 -by (subgoal_tac "Key K ~: analz (knows Spy evs)" 1);
20.407 -by (blast_tac (claset() addIs [Auth_A_to_B_lemma]) 1);
20.408 -by (blast_tac (claset() addDs [Spy_not_see_encrypted_key,
20.409 - B_trusts_YM4_shrK]) 1);
20.410 +\ Crypt K (Nonce NB)|} \\<in> set evs; \
20.411 +\ (\\<forall>NA. Notes Spy {|Nonce NA, Nonce NB, Key K|} \\<notin> set evs); \
20.412 +\ A \\<notin> bad; B \\<notin> bad; evs \\<in> yahalom |] \
20.413 +\ ==> \\<exists>X. Says A B {|X, Crypt K (Nonce NB)|} \\<in> set evs";
20.414 +by (blast_tac (claset() addIs [Auth_A_to_B_lemma]
20.415 + addDs [Spy_not_see_encrypted_key, B_trusts_YM4_shrK]) 1);
20.416 qed_spec_mp "YM4_imp_A_Said_YM3";
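Review bot: `qed_spec_mp` at 20.416 looks unnecessary, because the goal is stated with meta-level premises and an existential conclusion, leaving no object-level `-->` or `ALL` to strip. With the proof reduced to one `blast_tac`, plain `qed "YM4_imp_A_Said_YM3";` would state the intent more exactly. The same applies to `qed_spec_mp "YM4_imp_A_Said_YM3";` at 22.380 in Yahalom_Bad.ML.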
21.1 --- a/src/HOL/Auth/Yahalom2.thy Tue Feb 27 12:28:42 2001 +0100
21.2 +++ b/src/HOL/Auth/Yahalom2.thy Tue Feb 27 16:13:23 2001 +0100
21.3 @@ -19,58 +19,58 @@
21.4 inductive "yahalom"
21.5 intrs
21.6 (*Initial trace is empty*)
21.7 - Nil "[]: yahalom"
21.8 + Nil "[] \\<in> yahalom"
21.9
21.10 (*The spy MAY say anything he CAN say. We do not expect him to
21.11 invent new nonces here, but he can also use NS1. Common to
21.12 all similar protocols.*)
21.13 - Fake "[| evs: yahalom; X: synth (analz (knows Spy evs)) |]
21.14 - ==> Says Spy B X # evs : yahalom"
21.15 + Fake "[| evsf \\<in> yahalom; X \\<in> synth (analz (knows Spy evsf)) |]
21.16 + ==> Says Spy B X # evsf \\<in> yahalom"
21.17
21.18 (*A message that has been sent can be received by the
21.19 intended recipient.*)
21.20 - Reception "[| evsr: yahalom; Says A B X : set evsr |]
21.21 - ==> Gets B X # evsr : yahalom"
21.22 + Reception "[| evsr \\<in> yahalom; Says A B X \\<in> set evsr |]
21.23 + ==> Gets B X # evsr \\<in> yahalom"
21.24
21.25 (*Alice initiates a protocol run*)
21.26 - YM1 "[| evs1: yahalom; Nonce NA ~: used evs1 |]
21.27 - ==> Says A B {|Agent A, Nonce NA|} # evs1 : yahalom"
21.28 + YM1 "[| evs1 \\<in> yahalom; Nonce NA \\<notin> used evs1 |]
21.29 + ==> Says A B {|Agent A, Nonce NA|} # evs1 \\<in> yahalom"
21.30
21.31 (*Bob's response to Alice's message.*)
21.32 - YM2 "[| evs2: yahalom; Nonce NB ~: used evs2;
21.33 - Gets B {|Agent A, Nonce NA|} : set evs2 |]
21.34 + YM2 "[| evs2 \\<in> yahalom; Nonce NB \\<notin> used evs2;
21.35 + Gets B {|Agent A, Nonce NA|} \\<in> set evs2 |]
21.36 ==> Says B Server
21.37 {|Agent B, Nonce NB, Crypt (shrK B) {|Agent A, Nonce NA|}|}
21.38 - # evs2 : yahalom"
21.39 + # evs2 \\<in> yahalom"
21.40
21.41 (*The Server receives Bob's message. He responds by sending a
21.42 new session key to Alice, with a certificate for forwarding to Bob.
21.43 Both agents are quoted in the 2nd certificate to prevent attacks!*)
21.44 - YM3 "[| evs3: yahalom; Key KAB ~: used evs3;
21.45 + YM3 "[| evs3 \\<in> yahalom; Key KAB \\<notin> used evs3;
21.46 Gets Server {|Agent B, Nonce NB,
21.47 Crypt (shrK B) {|Agent A, Nonce NA|}|}
21.48 - : set evs3 |]
21.49 + \\<in> set evs3 |]
21.50 ==> Says Server A
21.51 {|Nonce NB,
21.52 Crypt (shrK A) {|Agent B, Key KAB, Nonce NA|},
21.53 Crypt (shrK B) {|Agent A, Agent B, Key KAB, Nonce NB|}|}
21.54 - # evs3 : yahalom"
21.55 + # evs3 \\<in> yahalom"
21.56
21.57 (*Alice receives the Server's (?) message, checks her Nonce, and
21.58 uses the new session key to send Bob his Nonce.*)
21.59 - YM4 "[| evs4: yahalom;
21.60 + YM4 "[| evs4 \\<in> yahalom;
21.61 Gets A {|Nonce NB, Crypt (shrK A) {|Agent B, Key K, Nonce NA|},
21.62 - X|} : set evs4;
21.63 - Says A B {|Agent A, Nonce NA|} : set evs4 |]
21.64 - ==> Says A B {|X, Crypt K (Nonce NB)|} # evs4 : yahalom"
21.65 + X|} \\<in> set evs4;
21.66 + Says A B {|Agent A, Nonce NA|} \\<in> set evs4 |]
21.67 + ==> Says A B {|X, Crypt K (Nonce NB)|} # evs4 \\<in> yahalom"
21.68
21.69 (*This message models possible leaks of session keys. The nonces
21.70 identify the protocol run. Quoting Server here ensures they are
21.71 correct. *)
21.72 - Oops "[| evso: yahalom;
21.73 + Oops "[| evso \\<in> yahalom;
21.74 Says Server A {|Nonce NB,
21.75 Crypt (shrK A) {|Agent B, Key K, Nonce NA|},
21.76 - X|} : set evso |]
21.77 - ==> Notes Spy {|Nonce NA, Nonce NB, Key K|} # evso : yahalom"
21.78 + X|} \\<in> set evso |]
21.79 + ==> Notes Spy {|Nonce NA, Nonce NB, Key K|} # evso \\<in> yahalom"
21.80
21.81 end
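Review bot: The comment on the Fake rule at 21.10–21.12 still says the spy "can also use NS1", which looks carried over from a Needham-Schroeder theory. In this theory the rule that lets an agent issue a fresh nonce is YM1. Since the rule is being edited anyway, the comment could read `invent new nonces here, but he can also use YM1. Common to`, so that readers of the threat model are not sent looking for a rule that does not exist in this file.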
22.1 --- a/src/HOL/Auth/Yahalom_Bad.ML Tue Feb 27 12:28:42 2001 +0100
22.2 +++ b/src/HOL/Auth/Yahalom_Bad.ML Tue Feb 27 16:13:23 2001 +0100
22.3 @@ -11,9 +11,9 @@
22.4 *)
22.5
22.6 (*A "possibility property": there are traces that reach the end*)
22.7 -Goal "A ~= Server \
22.8 -\ ==> EX X NB K. EX evs: yahalom. \
22.9 -\ Says A B {|X, Crypt K (Nonce NB)|} : set evs";
22.10 +Goal "A \\<noteq> Server \
22.11 +\ ==> \\<exists>X NB K. \\<exists>evs \\<in> yahalom. \
22.12 +\ Says A B {|X, Crypt K (Nonce NB)|} \\<in> set evs";
22.13 by (REPEAT (resolve_tac [exI,bexI] 1));
22.14 by (rtac (yahalom.Nil RS
22.15 yahalom.YM1 RS yahalom.Reception RS
22.16 @@ -22,21 +22,18 @@
22.17 by possibility_tac;
22.18 result();
22.19
22.20 -Goal "[| Gets B X : set evs; evs : yahalom |] ==> EX A. Says A B X : set evs";
22.21 +Goal "[| Gets B X \\<in> set evs; evs \\<in> yahalom |] ==> \\<exists>A. Says A B X \\<in> set evs";
22.22 by (etac rev_mp 1);
22.23 by (etac yahalom.induct 1);
22.24 by Auto_tac;
22.25 qed "Gets_imp_Says";
22.26
22.27 (*Must be proved separately for each protocol*)
22.28 -Goal "[| Gets B X : set evs; evs : yahalom |] ==> X : knows Spy evs";
22.29 +Goal "[| Gets B X \\<in> set evs; evs \\<in> yahalom |] ==> X \\<in> knows Spy evs";
22.30 by (blast_tac (claset() addSDs [Gets_imp_Says, Says_imp_knows_Spy]) 1);
22.31 qed"Gets_imp_knows_Spy";
22.32 AddDs [Gets_imp_knows_Spy RS parts.Inj];
22.33
22.34 -fun g_not_bad_tac s =
22.35 - ftac Gets_imp_Says THEN' assume_tac THEN' not_bad_tac s;
22.36 -
22.37
22.38 (**** Inductive proofs about yahalom ****)
22.39
22.40 @@ -44,22 +41,22 @@
22.41 (** For reasoning about the encrypted portion of messages **)
22.42
22.43 (*Lets us treat YM4 using a similar argument as for the Fake case.*)
22.44 -Goal "[| Gets A {|Crypt (shrK A) Y, X|} : set evs; evs : yahalom |] \
22.45 -\ ==> X : analz (knows Spy evs)";
22.46 +Goal "[| Gets A {|Crypt (shrK A) Y, X|} \\<in> set evs; evs \\<in> yahalom |] \
22.47 +\ ==> X \\<in> analz (knows Spy evs)";
22.48 by (blast_tac (claset() addSDs [Gets_imp_knows_Spy RS analz.Inj]) 1);
22.49 qed "YM4_analz_knows_Spy";
22.50
22.51 bind_thm ("YM4_parts_knows_Spy",
22.52 YM4_analz_knows_Spy RS (impOfSubs analz_subset_parts));
22.53
22.54 -(*For proving the easier theorems about X ~: parts (knows Spy evs).*)
22.55 +(*For proving the easier theorems about X \\<notin> parts (knows Spy evs).*)
22.56 fun parts_knows_Spy_tac i =
22.57 EVERY
22.58 [ftac YM4_parts_knows_Spy (i+6), assume_tac (i+6),
22.59 prove_simple_subgoals_tac i];
22.60
22.61 (*Induction for regularity theorems. If induction formula has the form
22.62 - X ~: analz (knows Spy evs) --> ... then it shortens the proof by discarding
22.63 + X \\<notin> analz (knows Spy evs) --> ... then it shortens the proof by discarding
22.64 needless information about analz (insert X (knows Spy evs)) *)
22.65 fun parts_induct_tac i =
22.66 etac yahalom.induct i
22.67 @@ -68,18 +65,18 @@
22.68 THEN parts_knows_Spy_tac i;
22.69
22.70
22.71 -(** Theorems of the form X ~: parts (knows Spy evs) imply that NOBODY
22.72 +(** Theorems of the form X \\<notin> parts (knows Spy evs) imply that NOBODY
22.73 sends messages containing X! **)
22.74
22.75 (*Spy never sees another agent's shared key! (unless it's bad at start)*)
22.76 -Goal "evs : yahalom ==> (Key (shrK A) : parts (knows Spy evs)) = (A : bad)";
22.77 +Goal "evs \\<in> yahalom ==> (Key (shrK A) \\<in> parts (knows Spy evs)) = (A \\<in> bad)";
22.78 by (parts_induct_tac 1);
22.79 by (Fake_parts_insert_tac 1);
22.80 by (ALLGOALS Blast_tac);
22.81 qed "Spy_see_shrK";
22.82 Addsimps [Spy_see_shrK];
22.83
22.84 -Goal "evs : yahalom ==> (Key (shrK A) : analz (knows Spy evs)) = (A : bad)";
22.85 +Goal "evs \\<in> yahalom ==> (Key (shrK A) \\<in> analz (knows Spy evs)) = (A \\<in> bad)";
22.86 by (auto_tac(claset() addDs [impOfSubs analz_subset_parts], simpset()));
22.87 qed "Spy_analz_shrK";
22.88 Addsimps [Spy_analz_shrK];
22.89 @@ -89,20 +86,15 @@
22.90
22.91
22.92 (*Nobody can have used non-existent keys! Needed to apply analz_insert_Key*)
22.93 -Goal "evs : yahalom ==> \
22.94 -\ Key K ~: used evs --> K ~: keysFor (parts (knows Spy evs))";
22.95 +Goal "evs \\<in> yahalom ==> \
22.96 +\ Key K \\<notin> used evs --> K \\<notin> keysFor (parts (knows Spy evs))";
22.97 by (parts_induct_tac 1);
22.98 (*Fake*)
22.99 by (blast_tac (claset() addSDs [keysFor_parts_insert]) 1);
22.100 (*YM2-4: Because Key K is not fresh, etc.*)
22.101 by (REPEAT (blast_tac (claset() addSEs knows_Spy_partsEs) 1));
22.102 qed_spec_mp "new_keys_not_used";
22.103 -
22.104 -bind_thm ("new_keys_not_analzd",
22.105 - [analz_subset_parts RS keysFor_mono,
22.106 - new_keys_not_used] MRS contra_subsetD);
22.107 -
22.108 -Addsimps [new_keys_not_used, new_keys_not_analzd];
22.109 +Addsimps [new_keys_not_used];
22.110
22.111
22.112 (*For proofs involving analz.*)
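Review bot: Deleting `new_keys_not_analzd` at 22.104–22.106 also removes it from the default simpset (22.108–22.109), and nothing in the hunk says where later analz-based secrecy proofs now get that fact. If it is supplied elsewhere or is no longer needed, a one-line comment beside `Addsimps [new_keys_not_used];` naming the replacement would record that. Otherwise the proofs further down the file, which are only partly visible here, should be re-run to confirm that none of them relied on the rewrite.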
22.113 @@ -112,18 +104,18 @@
22.114 (****
22.115 The following is to prove theorems of the form
22.116
22.117 - Key K : analz (insert (Key KAB) (knows Spy evs)) ==>
22.118 - Key K : analz (knows Spy evs)
22.119 + Key K \\<in> analz (insert (Key KAB) (knows Spy evs)) ==>
22.120 + Key K \\<in> analz (knows Spy evs)
22.121
22.122 A more general formula must be proved inductively.
22.123 ****)
22.124
22.125 (** Session keys are not used to encrypt other session keys **)
22.126
22.127 -Goal "evs : yahalom ==> \
22.128 -\ ALL K KK. KK <= - (range shrK) --> \
22.129 -\ (Key K : analz (Key`KK Un (knows Spy evs))) = \
22.130 -\ (K : KK | Key K : analz (knows Spy evs))";
22.131 +Goal "evs \\<in> yahalom ==> \
22.132 +\ \\<forall>K KK. KK <= - (range shrK) --> \
22.133 +\ (Key K \\<in> analz (Key`KK Un (knows Spy evs))) = \
22.134 +\ (K \\<in> KK | Key K \\<in> analz (knows Spy evs))";
22.135 by (etac yahalom.induct 1);
22.136 by analz_knows_Spy_tac;
22.137 by (REPEAT_FIRST (resolve_tac [allI, impI]));
22.138 @@ -133,9 +125,9 @@
22.139 by (spy_analz_tac 1);
22.140 qed_spec_mp "analz_image_freshK";
22.141
22.142 -Goal "[| evs : yahalom; KAB ~: range shrK |] \
22.143 -\ ==> Key K : analz (insert (Key KAB) (knows Spy evs)) = \
22.144 -\ (K = KAB | Key K : analz (knows Spy evs))";
22.145 +Goal "[| evs \\<in> yahalom; KAB \\<notin> range shrK |] \
22.146 +\ ==> Key K \\<in> analz (insert (Key KAB) (knows Spy evs)) = \
22.147 +\ (K = KAB | Key K \\<in> analz (knows Spy evs))";
22.148 by (asm_simp_tac (analz_image_freshK_ss addsimps [analz_image_freshK]) 1);
22.149 qed "analz_insert_freshK";
22.150
22.151 @@ -143,10 +135,10 @@
22.152 (*** The Key K uniquely identifies the Server's message. **)
22.153
22.154 Goal "[| Says Server A \
22.155 -\ {|Crypt (shrK A) {|Agent B, Key K, na, nb|}, X|} : set evs; \
22.156 +\ {|Crypt (shrK A) {|Agent B, Key K, na, nb|}, X|} \\<in> set evs; \
22.157 \ Says Server A' \
22.158 -\ {|Crypt (shrK A') {|Agent B', Key K, na', nb'|}, X'|} : set evs; \
22.159 -\ evs : yahalom |] \
22.160 +\ {|Crypt (shrK A') {|Agent B', Key K, na', nb'|}, X'|} \\<in> set evs; \
22.161 +\ evs \\<in> yahalom |] \
22.162 \ ==> A=A' & B=B' & na=na' & nb=nb'";
22.163 by (etac rev_mp 1);
22.164 by (etac rev_mp 1);
22.165 @@ -161,12 +153,12 @@
22.166
22.167 (** Crucial secrecy property: Spy does not see the keys sent in msg YM3 **)
22.168
22.169 -Goal "[| A ~: bad; B ~: bad; evs : yahalom |] \
22.170 +Goal "[| A \\<notin> bad; B \\<notin> bad; evs \\<in> yahalom |] \
22.171 \ ==> Says Server A \
22.172 \ {|Crypt (shrK A) {|Agent B, Key K, na, nb|}, \
22.173 \ Crypt (shrK B) {|Agent A, Key K|}|} \
22.174 -\ : set evs --> \
22.175 -\ Key K ~: analz (knows Spy evs)";
22.176 +\ \\<in> set evs --> \
22.177 +\ Key K \\<notin> analz (knows Spy evs)";
22.178 by (etac yahalom.induct 1);
22.179 by analz_knows_Spy_tac;
22.180 by (ALLGOALS
22.181 @@ -186,9 +178,9 @@
22.182 Goal "[| Says Server A \
22.183 \ {|Crypt (shrK A) {|Agent B, Key K, na, nb|}, \
22.184 \ Crypt (shrK B) {|Agent A, Key K|}|} \
22.185 -\ : set evs; \
22.186 -\ A ~: bad; B ~: bad; evs : yahalom |] \
22.187 -\ ==> Key K ~: analz (knows Spy evs)";
22.188 +\ \\<in> set evs; \
22.189 +\ A \\<notin> bad; B \\<notin> bad; evs \\<in> yahalom |] \
22.190 +\ ==> Key K \\<notin> analz (knows Spy evs)";
22.191 by (blast_tac (claset() addSEs [lemma]) 1);
22.192 qed "Spy_not_see_encrypted_key";
22.193
22.194 @@ -196,21 +188,21 @@
22.195 (** Security Guarantee for A upon receiving YM3 **)
22.196
22.197 (*If the encrypted message appears then it originated with the Server*)
22.198 -Goal "[| Crypt (shrK A) {|Agent B, Key K, na, nb|} : parts (knows Spy evs); \
22.199 -\ A ~: bad; evs : yahalom |] \
22.200 +Goal "[| Crypt (shrK A) {|Agent B, Key K, na, nb|} \\<in> parts (knows Spy evs); \
22.201 +\ A \\<notin> bad; evs \\<in> yahalom |] \
22.202 \ ==> Says Server A \
22.203 \ {|Crypt (shrK A) {|Agent B, Key K, na, nb|}, \
22.204 \ Crypt (shrK B) {|Agent A, Key K|}|} \
22.205 -\ : set evs";
22.206 +\ \\<in> set evs";
22.207 by (etac rev_mp 1);
22.208 by (parts_induct_tac 1);
22.209 by (Fake_parts_insert_tac 1);
22.210 qed "A_trusts_YM3";
22.211
22.212 (*The obvious combination of A_trusts_YM3 with Spy_not_see_encrypted_key*)
22.213 -Goal "[| Crypt (shrK A) {|Agent B, Key K, na, nb|} : parts (knows Spy evs); \
22.214 -\ A ~: bad; B ~: bad; evs : yahalom |] \
22.215 -\ ==> Key K ~: analz (knows Spy evs)";
22.216 +Goal "[| Crypt (shrK A) {|Agent B, Key K, na, nb|} \\<in> parts (knows Spy evs); \
22.217 +\ A \\<notin> bad; B \\<notin> bad; evs \\<in> yahalom |] \
22.218 +\ ==> Key K \\<notin> analz (knows Spy evs)";
22.219 by (blast_tac (claset() addSDs [A_trusts_YM3, Spy_not_see_encrypted_key]) 1);
22.220 qed "A_gets_good_key";
22.221
22.222 @@ -218,13 +210,13 @@
22.223
22.224 (*B knows, by the first part of A's message, that the Server distributed
22.225 the key for A and B. But this part says nothing about nonces.*)
22.226 -Goal "[| Crypt (shrK B) {|Agent A, Key K|} : parts (knows Spy evs); \
22.227 -\ B ~: bad; evs : yahalom |] \
22.228 -\ ==> EX NA NB. Says Server A \
22.229 +Goal "[| Crypt (shrK B) {|Agent A, Key K|} \\<in> parts (knows Spy evs); \
22.230 +\ B \\<notin> bad; evs \\<in> yahalom |] \
22.231 +\ ==> \\<exists>NA NB. Says Server A \
22.232 \ {|Crypt (shrK A) {|Agent B, Key K, \
22.233 \ Nonce NA, Nonce NB|}, \
22.234 \ Crypt (shrK B) {|Agent A, Key K|}|} \
22.235 -\ : set evs";
22.236 +\ \\<in> set evs";
22.237 by (etac rev_mp 1);
22.238 by (parts_induct_tac 1);
22.239 by (Fake_parts_insert_tac 1);
22.240 @@ -241,58 +233,53 @@
22.241 the key quoting nonce NB. This part says nothing about agent names.
22.242 Secrecy of K is assumed; the valid Yahalom proof uses (and later proves)
22.243 the secrecy of NB.*)
22.244 -Goal "evs : yahalom \
22.245 -\ ==> Key K ~: analz (knows Spy evs) --> \
22.246 -\ Crypt K (Nonce NB) : parts (knows Spy evs) --> \
22.247 -\ (EX A B NA. Says Server A \
22.248 +Goal "evs \\<in> yahalom \
22.249 +\ ==> Key K \\<notin> analz (knows Spy evs) --> \
22.250 +\ Crypt K (Nonce NB) \\<in> parts (knows Spy evs) --> \
22.251 +\ (\\<exists>A B NA. Says Server A \
22.252 \ {|Crypt (shrK A) {|Agent B, Key K, \
22.253 \ Nonce NA, Nonce NB|}, \
22.254 \ Crypt (shrK B) {|Agent A, Key K|}|} \
22.255 -\ : set evs)";
22.256 +\ \\<in> set evs)";
22.257 by (parts_induct_tac 1);
22.258 by (ALLGOALS Clarify_tac);
22.259 (*YM3 & Fake*)
22.260 by (Blast_tac 2);
22.261 by (Fake_parts_insert_tac 1);
22.262 (*YM4*)
22.263 -(*A is uncompromised because NB is secure*)
22.264 -by (g_not_bad_tac "A" 1);
22.265 -(*A's certificate guarantees the existence of the Server message*)
22.266 -by (blast_tac (claset() addDs [Says_imp_knows_Spy RS parts.Inj RS parts.Fst RS
22.267 - A_trusts_YM3]) 1);
22.268 +(*A is uncompromised because NB is secure;
22.269 + A's certificate guarantees the existence of the Server message*)
22.270 +by (blast_tac (claset() addSDs [Gets_imp_Says, Crypt_Spy_analz_bad]
22.271 + addDs [Says_imp_spies, analz.Inj,
22.272 + parts.Inj RS parts.Fst RS A_trusts_YM3]) 1);
22.273 bind_thm ("B_trusts_YM4_newK", result() RS mp RSN (2, rev_mp));
22.274
22.275
22.276 (*B's session key guarantee from YM4. The two certificates contribute to a
22.277 single conclusion about the Server's message. *)
22.278 Goal "[| Gets B {|Crypt (shrK B) {|Agent A, Key K|}, \
22.279 -\ Crypt K (Nonce NB)|} : set evs; \
22.280 +\ Crypt K (Nonce NB)|} \\<in> set evs; \
22.281 \ Says B Server \
22.282 \ {|Agent B, Nonce NB, Crypt (shrK B) {|Agent A, Nonce NA|}|} \
22.283 -\ : set evs; \
22.284 -\ A ~: bad; B ~: bad; evs : yahalom |] \
22.285 -\ ==> EX na nb. Says Server A \
22.286 +\ \\<in> set evs; \
22.287 +\ A \\<notin> bad; B \\<notin> bad; evs \\<in> yahalom |] \
22.288 +\ ==> \\<exists>na nb. Says Server A \
22.289 \ {|Crypt (shrK A) {|Agent B, Key K, na, nb|}, \
22.290 \ Crypt (shrK B) {|Agent A, Key K|}|} \
22.291 -\ : set evs";
22.292 -by (etac (Gets_imp_knows_Spy RS parts.Inj RS MPair_parts) 1 THEN
22.293 - assume_tac 1 THEN dtac B_trusts_YM4_shrK 1);
22.294 -by (dtac B_trusts_YM4_newK 3);
22.295 -by (REPEAT_FIRST (eresolve_tac [asm_rl, exE]));
22.296 -by (etac Spy_not_see_encrypted_key 1 THEN REPEAT (assume_tac 1));
22.297 -by (ftac unique_session_keys 1 THEN REPEAT (assume_tac 1));
22.298 -by (blast_tac (claset() addDs []) 1);
22.299 +\ \\<in> set evs";
22.300 +by (blast_tac (claset() addDs [B_trusts_YM4_newK, B_trusts_YM4_shrK,
22.301 + Spy_not_see_encrypted_key, unique_session_keys]) 1);
22.302 qed "B_trusts_YM4";
22.303
22.304
22.305 (*The obvious combination of B_trusts_YM4 with Spy_not_see_encrypted_key*)
22.306 Goal "[| Gets B {|Crypt (shrK B) {|Agent A, Key K|}, \
22.307 -\ Crypt K (Nonce NB)|} : set evs; \
22.308 +\ Crypt K (Nonce NB)|} \\<in> set evs; \
22.309 \ Says B Server \
22.310 \ {|Agent B, Nonce NB, Crypt (shrK B) {|Agent A, Nonce NA|}|} \
22.311 -\ : set evs; \
22.312 -\ A ~: bad; B ~: bad; evs : yahalom |] \
22.313 -\ ==> Key K ~: analz (knows Spy evs)";
22.314 +\ \\<in> set evs; \
22.315 +\ A \\<notin> bad; B \\<notin> bad; evs \\<in> yahalom |] \
22.316 +\ ==> Key K \\<notin> analz (knows Spy evs)";
22.317 by (blast_tac (claset() addSDs [B_trusts_YM4, Spy_not_see_encrypted_key]) 1);
22.318 qed "B_gets_good_key";
22.319
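Review bot: The `addDs` list at 22.271–22.272 adds `Says_imp_spies` and `analz.Inj` as two separate destruction rules, whereas the parallel proofs compose them (`Says_imp_spies RS analz.Inj` at 22.353, and at 20.394 in Yahalom2.ML). Bare `analz.Inj` matches any membership assumption, which widens the blast search and obscures which fact the YM4 step depends on. Consider `addDs [Says_imp_spies RS analz.Inj,` followed by `Says_imp_spies RS parts.Inj RS parts.Fst RS A_trusts_YM3]) 1);`, re-running the proof to confirm it still goes through. The file also mixes `Says_imp_spies` with `Says_imp_knows_Spy` (22.352–22.353), and a single spelling would be clearer.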
22.320 @@ -306,42 +293,37 @@
22.321 (*Assuming the session key is secure, if both certificates are present then
22.322 A has said NB. We can't be sure about the rest of A's message, but only
22.323 NB matters for freshness.*)
22.324 -Goal "evs : yahalom \
22.325 -\ ==> Key K ~: analz (knows Spy evs) --> \
22.326 -\ Crypt K (Nonce NB) : parts (knows Spy evs) --> \
22.327 -\ Crypt (shrK B) {|Agent A, Key K|} : parts (knows Spy evs) --> \
22.328 -\ B ~: bad --> \
22.329 -\ (EX X. Says A B {|X, Crypt K (Nonce NB)|} : set evs)";
22.330 +Goal "evs \\<in> yahalom \
22.331 +\ ==> Key K \\<notin> analz (knows Spy evs) --> \
22.332 +\ Crypt K (Nonce NB) \\<in> parts (knows Spy evs) --> \
22.333 +\ Crypt (shrK B) {|Agent A, Key K|} \\<in> parts (knows Spy evs) --> \
22.334 +\ B \\<notin> bad --> \
22.335 +\ (\\<exists>X. Says A B {|X, Crypt K (Nonce NB)|} \\<in> set evs)";
22.336 by (parts_induct_tac 1);
22.337 (*Fake*)
22.338 by (Fake_parts_insert_tac 1);
22.339 (*YM3: by new_keys_not_used we note that Crypt K (Nonce NB) could not exist*)
22.340 -by (fast_tac (claset() addSDs [Crypt_imp_keysFor] addss (simpset())) 1);
22.341 +by (force_tac (claset() addSDs [Crypt_imp_keysFor], simpset()) 1);
22.342 (*YM4: was Crypt K (Nonce NB) the very last message? If not, use ind. hyp.*)
22.343 by (asm_simp_tac (simpset() addsimps [ex_disj_distrib]) 1);
22.344 (*yes: apply unicity of session keys*)
22.345 -by (g_not_bad_tac "Aa" 1);
22.346 -by (blast_tac (claset() addSEs [MPair_parts]
22.347 - addSDs [A_trusts_YM3, B_trusts_YM4_shrK]
22.348 - addDs [Says_imp_knows_Spy RS parts.Inj,
22.349 - unique_session_keys]) 1);
22.350 +by (blast_tac (claset() addSDs [Gets_imp_Says, A_trusts_YM3, B_trusts_YM4_shrK,
22.351 + Crypt_Spy_analz_bad]
22.352 + addDs [Says_imp_knows_Spy RS parts.Inj,
22.353 + Says_imp_spies RS analz.Inj, unique_session_keys]) 1);
22.354 qed_spec_mp "A_Said_YM3_lemma";
22.355
22.356 (*If B receives YM4 then A has used nonce NB (and therefore is alive).
22.357 Moreover, A associates K with NB (thus is talking about the same run).
22.358 Other premises guarantee secrecy of K.*)
22.359 Goal "[| Gets B {|Crypt (shrK B) {|Agent A, Key K|}, \
22.360 -\ Crypt K (Nonce NB)|} : set evs; \
22.361 +\ Crypt K (Nonce NB)|} \\<in> set evs; \
22.362 \ Says B Server \
22.363 \ {|Agent B, Nonce NB, Crypt (shrK B) {|Agent A, Nonce NA|}|} \
22.364 -\ : set evs; \
22.365 -\ A ~: bad; B ~: bad; evs : yahalom |] \
22.366 -\ ==> EX X. Says A B {|X, Crypt K (Nonce NB)|} : set evs";
22.367 -by (ftac B_trusts_YM4 1);
22.368 -by (REPEAT_FIRST assume_tac);
22.369 -by (etac (Gets_imp_knows_Spy RS parts.Inj RS MPair_parts) 1 THEN assume_tac 1);
22.370 -by (Clarify_tac 1);
22.371 -by (rtac A_Said_YM3_lemma 1);
22.372 -by (rtac Spy_not_see_encrypted_key 2);
22.373 -by (REPEAT_FIRST assume_tac);
22.374 +\ \\<in> set evs; \
22.375 +\ A \\<notin> bad; B \\<notin> bad; evs \\<in> yahalom |] \
22.376 +\ ==> \\<exists>X. Says A B {|X, Crypt K (Nonce NB)|} \\<in> set evs";
22.377 +by (blast_tac (claset() addSIs [A_Said_YM3_lemma]
22.378 + addDs [Spy_not_see_encrypted_key, B_trusts_YM4,
22.379 + Gets_imp_Says, Says_imp_knows_Spy RS parts.Inj]) 1);
22.380 qed_spec_mp "YM4_imp_A_Said_YM3";
23.1 --- a/src/HOL/Auth/Yahalom_Bad.thy Tue Feb 27 12:28:42 2001 +0100
23.2 +++ b/src/HOL/Auth/Yahalom_Bad.thy Tue Feb 27 16:13:23 2001 +0100
23.3 @@ -15,49 +15,49 @@
23.4 inductive "yahalom"
23.5 intrs
23.6 (*Initial trace is empty*)
23.7 - Nil "[]: yahalom"
23.8 + Nil "[] : yahalom"
23.9
23.10 (*The spy MAY say anything he CAN say. We do not expect him to
23.11 invent new nonces here, but he can also use NS1. Common to
23.12 all similar protocols.*)
23.13 - Fake "[| evs: yahalom; X: synth (analz (knows Spy evs)) |]
23.14 - ==> Says Spy B X # evs : yahalom"
23.15 + Fake "[| evsf \\<in> yahalom; X \\<in> synth (analz (knows Spy evsf)) |]
23.16 + ==> Says Spy B X # evsf \\<in> yahalom"
23.17
23.18 (*A message that has been sent can be received by the
23.19 intended recipient.*)
23.20 - Reception "[| evsr: yahalom; Says A B X : set evsr |]
23.21 - ==> Gets B X # evsr : yahalom"
23.22 + Reception "[| evsr \\<in> yahalom; Says A B X \\<in> set evsr |]
23.23 + ==> Gets B X # evsr \\<in> yahalom"
23.24
23.25 (*Alice initiates a protocol run*)
23.26 - YM1 "[| evs1: yahalom; Nonce NA ~: used evs1 |]
23.27 - ==> Says A B {|Agent A, Nonce NA|} # evs1 : yahalom"
23.28 + YM1 "[| evs1 \\<in> yahalom; Nonce NA \\<notin> used evs1 |]
23.29 + ==> Says A B {|Agent A, Nonce NA|} # evs1 \\<in> yahalom"
23.30
23.31 (*Bob's response to Alice's message.*)
23.32 - YM2 "[| evs2: yahalom; Nonce NB ~: used evs2;
23.33 - Gets B {|Agent A, Nonce NA|} : set evs2 |]
23.34 + YM2 "[| evs2 \\<in> yahalom; Nonce NB \\<notin> used evs2;
23.35 + Gets B {|Agent A, Nonce NA|} \\<in> set evs2 |]
23.36 ==> Says B Server
23.37 {|Agent B, Nonce NB, Crypt (shrK B) {|Agent A, Nonce NA|}|}
23.38 - # evs2 : yahalom"
23.39 + # evs2 \\<in> yahalom"
23.40
23.41 (*The Server receives Bob's message. He responds by sending a
23.42 new session key to Alice, with a packet for forwarding to Bob.*)
23.43 - YM3 "[| evs3: yahalom; Key KAB ~: used evs3;
23.44 + YM3 "[| evs3 \\<in> yahalom; Key KAB \\<notin> used evs3;
23.45 Gets Server
23.46 {|Agent B, Nonce NB, Crypt (shrK B) {|Agent A, Nonce NA|}|}
23.47 - : set evs3 |]
23.48 + \\<in> set evs3 |]
23.49 ==> Says Server A
23.50 {|Crypt (shrK A) {|Agent B, Key KAB, Nonce NA, Nonce NB|},
23.51 Crypt (shrK B) {|Agent A, Key KAB|}|}
23.52 - # evs3 : yahalom"
23.53 + # evs3 \\<in> yahalom"
23.54
23.55 (*Alice receives the Server's (?) message, checks her Nonce, and
23.56 uses the new session key to send Bob his Nonce. The premise
23.57 - A ~= Server is needed to prove Says_Server_not_range.*)
23.58 - YM4 "[| evs4: yahalom; A ~= Server;
23.59 + A \\<noteq> Server is needed to prove Says_Server_not_range.*)
23.60 + YM4 "[| evs4 \\<in> yahalom; A \\<noteq> Server;
23.61 Gets A {|Crypt(shrK A) {|Agent B, Key K, Nonce NA, Nonce NB|}, X|}
23.62 - : set evs4;
23.63 - Says A B {|Agent A, Nonce NA|} : set evs4 |]
23.64 - ==> Says A B {|X, Crypt K (Nonce NB)|} # evs4 : yahalom"
23.65 + \\<in> set evs4;
23.66 + Says A B {|Agent A, Nonce NA|} \\<in> set evs4 |]
23.67 + ==> Says A B {|X, Crypt K (Nonce NB)|} # evs4 \\<in> yahalom"
23.68
23.69 (*This message models possible leaks of session keys. The Nonces
23.70 identify the protocol run. Quoting Server here ensures they are