Ziele Untersuchung
mit Columbo Integrität von
Datenbanken Interaktion und
Portierbarkeit Ergonomie der
Schnittstellen

Angebot Produkte Projekt Beratung

Mittel Analytik Modellierung Sprachen Algebra Logik Hardware Denken Kreativität

Zusammenhänge Gesellschaft Wirtschaft Branche Firma


products/Sources/formale Sprachen/Isabelle/HOL/Auth/Guard/ (Beweissystem Isabelle Version 2025-1^©) Datei vom 16.11.2025 mit Größe 10 kB

Quelle Guard_Yahalom.thy Sprache: Isabelle

(*  Title:      HOL/Auth/Guard/Guard_Yahalom.thy
    Author:     Frederic Blanqui, University of Cambridge Computer Laboratory
    Copyright   2002  University of Cambridge
*)

section‹Yahalom Protocol›

theory Guard_Yahalom imports "../Shared" Guard_Shared begin

subsection‹messages used in the protocol›

abbreviation (input)
  ya1 :: "agent => agent => nat => event" where
  "ya1 A B NA == Says A B \Agent A, Nonce NA\"

abbreviation (input)
  ya1' :: "agent => agent => agent => nat => event" where
  "ya1' A' A B NA == Says A' B \Agent A, Nonce NA\"

abbreviation (input)
  ya2 :: "agent => agent => nat => nat => event" where
  "ya2 A B NA NB == Says B Server \Agent B, Ciph B \Agent A, Nonce NA, Nonce NB\\"

abbreviation (input)
  ya2' :: "agent => agent => agent => nat => nat => event" where
  "ya2' B' A B NA NB == Says B' Server \Agent B, Ciph B \Agent A, Nonce NA, Nonce NB\\"

abbreviation (input)
  ya3 :: "agent => agent => nat => nat => key => event" where
  "ya3 A B NA NB K ==
    Says Server A {Ciph A {Agent B, Key K, Nonce NA, Nonce NB},
                    Ciph B {Agent A, Key K}}"

abbreviation (input)
  ya3':: "agent => msg => agent => agent => nat => nat => key => event" where
  "ya3' S Y A B NA NB K ==
    Says S A {Ciph A {Agent B, Key K, Nonce NA, Nonce NB}, Y}"

abbreviation (input)
  ya4 :: "agent => agent => nat => nat => msg => event" where
  "ya4 A B K NB Y == Says A B \Y, Crypt K (Nonce NB)\"

abbreviation (input)
  ya4' :: "agent => agent => nat => nat => msg => event" where
  "ya4' A' B K NB Y == Says A' B \Y, Crypt K (Nonce NB)\"

subsection‹definition of the protocol›

inductive_set ya :: "event list set"
where

  Nil: "[] \ ya"

| Fake: "\evs \ ya; X \ synth (analz (spies evs))\ \ Says Spy B X # evs \ ya"

| YA1: "\evs1 \ ya; Nonce NA \ used evs1\ \ ya1 A B NA # evs1 \ ya"

| YA2: "\evs2 \ ya; ya1' A' A B NA \ set evs2; Nonce NB \ used evs2\
  ==> ya2 A B NA NB # evs2 ∈ ya"

| YA3: "\evs3 \ ya; ya2' B' A B NA NB \ set evs3; Key K \ used evs3\
  ==> ya3 A B NA NB K # evs3 ∈ ya"

| YA4: "\evs4 \ ya; ya1 A B NA \ set evs4; ya3' S Y A B NA NB K \ set evs4\
  ==> ya4 A B K NB Y # evs4 ∈ ya"

subsection‹declarations for tactics›

declare knows_Spy_partsEs [elim]
declare Fake_parts_insert [THEN subsetD, dest]
declare initState.simps [simp del]

subsection‹general properties of ya›

lemma ya_has_no_Gets: "evs \ ya \ \A X. Gets A X \ set evs"
by (erule ya.induct, auto)

lemma ya_is_Gets_correct [iff]: "Gets_correct ya"
by (auto simp: Gets_correct_def dest: ya_has_no_Gets)

lemma ya_is_one_step [iff]: "one_step ya"
  unfolding one_step_def by (clarify, ind_cases "ev#evs \ ya" for ev evs, auto)

lemma ya_has_only_Says' [rule_format]: "evs \ ya \
ev ∈ set evs ⟶ (∃A B X. ev=Says A B X)"
by (erule ya.induct, auto)

lemma ya_has_only_Says [iff]: "has_only_Says ya"
by (auto simp: has_only_Says_def dest: ya_has_only_Says')

lemma ya_is_regular [iff]: "regular ya"
apply (simp only: regular_def, clarify)
apply (erule ya.induct, simp_all add: initState.simps knows.simps)
by (auto dest: parts_sub)

subsection‹guardedness of KAB›

lemma Guard_KAB [rule_format]: "\evs \ ya; A \ bad; B \ bad\ \
ya3 A B NA NB K ∈ set evs ⟶ GuardK K {shrK A,shrK B} (spies evs)"
apply (erule ya.induct)
(* Nil *)
apply simp_all
(* Fake *)
apply (clarify, erule in_synth_GuardK, erule GuardK_analz, simp)
(* YA1 *)
(* YA2 *)
apply safe
apply (blast dest: Says_imp_spies)
(* YA3 *)
apply blast
apply (drule_tac A=Server in Key_neq, simp+, rule No_Key, simp)
apply (drule_tac A=Server in Key_neq, simp+, rule No_Key, simp)
(* YA4 *)
apply (blast dest: Says_imp_spies in_GuardK_kparts)
by blast

subsection‹session keys are not symmetric keys›

lemma KAB_isnt_shrK [rule_format]: "evs \ ya \
ya3 A B NA NB K ∈ set evs ⟶ K ∉ range shrK"
by (erule ya.induct, auto)

lemma ya3_shrK: "evs \ ya \ ya3 A B NA NB (shrK C) \ set evs"
by (blast dest: KAB_isnt_shrK)

subsection‹ya2' implies ya1'›

lemma ya2'_parts_imp_ya1'_parts [rule_format]:
     "\evs \ ya; B \ bad\ \
      Ciph B {Agent A, Nonce NA, Nonce NB} ∈ parts (spies evs) ⟶
      {Agent A, Nonce NA} ∈ spies evs"
by (erule ya.induct, auto dest: Says_imp_spies intro: parts_parts)

lemma ya2'_imp_ya1'_parts: "\ya2' B' A B NA NB \ set evs; evs \ ya; B \ bad\
==> {Agent A, Nonce NA} ∈ spies evs"
by (blast dest: Says_imp_spies ya2'_parts_imp_ya1'_parts)

subsection‹uniqueness of NB›

lemma NB_is_uniq_in_ya2'_parts [rule_format]: "\evs \ ya; B \ bad; B' ∉ bad] ==>
Ciph B {Agent A, Nonce NA, Nonce NB} ∈ parts (spies evs) ⟶
Ciph B' \Agent A', Nonce NA', Nonce NB\ \ parts (spies evs) \
A=A' \ B=B' ∧ NA=NA'"
apply (erule ya.induct, simp_all, clarify)
apply (drule Crypt_synth_insert, simp+)
apply (drule Crypt_synth_insert, simp+, safe)
apply (drule not_used_parts_false, simp+)+
by (drule Says_not_parts, simp+)+

lemma NB_is_uniq_in_ya2': "\ya2' C A B NA NB ∈ set evs;
ya2' C' A' B' NA' NB \ set evs; evs \ ya; B \ bad; B' ∉ bad]
==> A=A' \ B=B' ∧ NA=NA'"
by (drule NB_is_uniq_in_ya2'_parts, auto dest: Says_imp_spies)

subsection‹ya3' implies ya2'›

lemma ya3'_parts_imp_ya2'_parts [rule_format]: "\evs \ ya; A \ bad\ \
Ciph A {Agent B, Key K, Nonce NA, Nonce NB} ∈ parts (spies evs)
⟶ Ciph B {Agent A, Nonce NA, Nonce NB} ∈ parts (spies evs)"
apply (erule ya.induct, simp_all)
apply (clarify, drule Crypt_synth_insert, simp+)
apply (blast intro: parts_sub, blast)
by (auto dest: Says_imp_spies parts_parts)

lemma ya3'_parts_imp_ya2' [rule_format]: "\evs \ ya; A \ bad\ \
Ciph A {Agent B, Key K, Nonce NA, Nonce NB} ∈ parts (spies evs)
⟶ (∃B'. ya2' B' A B NA NB \ set evs)"
apply (erule ya.induct, simp_all, safe)
apply (drule Crypt_synth_insert, simp+)
apply (drule Crypt_synth_insert, simp+, blast)
apply blast
apply blast
by (auto dest: Says_imp_spies2 parts_parts)

lemma ya3'_imp_ya2': "\ya3' S Y A B NA NB K \ set evs; evs \ ya; A \ bad\
==> (∃B'. ya2' B' A B NA NB \ set evs)"
by (drule ya3'_parts_imp_ya2', auto dest: Says_imp_spies)

subsection‹ya3' implies ya3\

lemma ya3'_parts_imp_ya3 [rule_format]: "\evs \ ya; A \ bad\ \
Ciph A {Agent B, Key K, Nonce NA, Nonce NB} ∈ parts(spies evs)
⟶ ya3 A B NA NB K ∈ set evs"
apply (erule ya.induct, simp_all, safe)
apply (drule Crypt_synth_insert, simp+)
by (blast dest: Says_imp_spies2 parts_parts)

lemma ya3'_imp_ya3: "\ya3' S Y A B NA NB K ∈ set evs; evs ∈ ya; A ∉ bad]
==> ya3 A B NA NB K ∈ set evs"
by (blast dest: Says_imp_spies ya3'_parts_imp_ya3)

subsection‹guardedness of NB›

definition ya_keys :: "agent \ agent \ nat \ nat \ event list \ key set" where
"ya_keys A B NA NB evs \ {shrK A,shrK B} \ {K. ya3 A B NA NB K \ set evs}"

lemma Guard_NB [rule_format]: "\evs \ ya; A \ bad; B \ bad\ \
ya2 A B NA NB ∈ set evs ⟶ Guard NB (ya_keys A B NA NB evs) (spies evs)"
apply (erule ya.induct)
(* Nil *)
apply (simp_all add: ya_keys_def)
(* Fake *)
apply safe
apply (erule in_synth_Guard, erule Guard_analz, simp, clarify)
apply (frule_tac B=B in Guard_KAB, simp+)
apply (drule_tac p=ya in GuardK_Key_analz, simp+)
apply (blast dest: KAB_isnt_shrK, simp)
(* YA1 *)
apply (drule_tac n=NB in Nonce_neq, simp+, rule No_Nonce, simp)
(* YA2 *)
apply blast
apply (drule Says_imp_spies)
apply (drule_tac n=NB in Nonce_neq, simp+)
apply (drule_tac n'=NAa in in_Guard_kparts_neq, simp+)
apply (rule No_Nonce, simp)
(* YA3 *)
apply (rule Guard_extand, simp, blast)
apply (case_tac "NAa=NB", clarify)
apply (frule Says_imp_spies)
apply (frule in_Guard_kparts_Crypt, simp+)
apply (frule_tac A=A and B=B and NA=NA and NB=NB and C=Ba in ya3_shrK, simp)
apply (drule ya2'_imp_ya1'_parts, simp, blast, blast)
apply (case_tac "NBa=NB", clarify)
apply (frule Says_imp_spies)
apply (frule in_Guard_kparts_Crypt, simp+)
apply (frule_tac A=A and B=B and NA=NA and NB=NB and C=Ba in ya3_shrK, simp)
apply (drule NB_is_uniq_in_ya2', simp+, blast, simp+)
apply (simp add: No_Nonce, blast)
(* YA4 *)
apply (blast dest: Says_imp_spies)
apply (case_tac "NBa=NB", clarify)
apply (frule_tac A=S in Says_imp_spies)
apply (frule in_Guard_kparts_Crypt, simp+)
apply (blast dest: Says_imp_spies)
apply (case_tac "NBa=NB", clarify)
apply (frule_tac A=S in Says_imp_spies)
apply (frule in_Guard_kparts_Crypt, simp+, blast, simp+)
apply (frule_tac A=A and B=B and NA=NA and NB=NB and C=Aa in ya3_shrK, simp)
apply (frule ya3'_imp_ya2', simp+, blast, clarify)
apply (frule_tac A=B' in Says_imp_spies)
apply (rotate_tac -1, frule in_Guard_kparts_Crypt, simp+)
apply (frule_tac A=A and B=B and NA=NA and NB=NB and C=Ba in ya3_shrK, simp)
apply (drule NB_is_uniq_in_ya2', simp+, blast, clarify)
apply (drule ya3'_imp_ya3, simp+)
apply (simp add: Guard_Nonce)
apply (simp add: No_Nonce)
done

end

Messung V0.5

¤ Dauer der Verarbeitung: 0.8 Sekunden (vorverarbeitet) ¤

Wurzel

Suchen

Beweissystem der NASA

Beweissystem Isabelle

NIST Cobol Testsuite

Cephes Mathematical Library

Wiener Entwicklungsmethode

Haftungshinweis

Die Informationen auf dieser Webseite wurden nach bestem Wissen sorgfältig zusammengestellt. Es wird jedoch weder Vollständigkeit, noch Richtigkeit, noch Qualität der bereit gestellten Informationen zugesichert.