| Quellcodebibliothek Statistik Leitseite products/Sources/formale Sprachen/Isabelle/HOL/Auth/Smartcard/ (Beweissystem Isabelle Version 2025-1©) Datei vom 16.11.2025 mit Größe 14 kB |
|
Quelle Smartcard.thy Sprache: Isabelle |
|||||||||
|
(* Author: Giampaolo Bella, Catania University
*) EventSC/ theory imports "../All_Symmetric" begin text\<open> As smartcards handle long-term (symmetric) keys, this theoy extends and supersedes theory Private.thy An agent is bad if she reveals her PIN to the spy, not the shared key that is embedded in her card. An agent's being bad implies nothing about her smartcard, which independently may be stolen or cloned \<close> axiomatization shrK :: "agent =>s handle long-term (symmetric) keys, this theoy extendsand crdK : "card= key" (*smart cards' symmetric keys*) pin:" => key" and (*Mostly for Shoup-Rubin*) Pairkey :isembeddedin hercard. An agent beingnothing pairK :: "agent * agent => key" where inj_shrK: "inj shrK" and \<comment> \<open>No two smartcards store the same key\<close>smartcard inj_crdK" crdK" and\<> \<open>Nor do two cards\<close> inj_pin : "inj pin" and \<comment> \<open>Nor do two agents have the same pin\<close> (*pairK is injective on each component, if we assume encryption to be a PRF or at least collision free *) inj_pairKiff:"pairK(,B)=pairKA'B') = A A' B =B'" and comm_Pairkey [iff]: "Pairkey(A,B) = Pairkey(B,A)" and (*long-term keys differ from each other*) pairK_disj_crdK [iff]: "pairK( Pairkey ::agent *agent = "and pairK_disj_shrK [iff pairK_disj_pin [where shrK_disj_crdK [iff]: "shrK P \ shrK_disj_pin inj_shrK: "inj shrK" and\<comment> \<open>No two smartcards store the same key\<c c [iffcrdK definition legalUse [iff"(A,B) \ "legalUse C =C primrec illegalUsecardboolwhere illegalUse_def: "illegalUse (Card A) = ( (Card A \ text\<open>initState must be defined with care\<close> overloading initState \<equiv> initState begin primrec initState where (*Server knows all long-term keys; adding cards' keys may be redundant but helps prove crdK_in_initState and crdK_in_used to distinguish cards' keys from fresh (session) keys*) initState_Server: "initStatejava.lang.StringIndexOutOfBoundsException: Index 0 ou java.lang.StringIndexOutOfBoundsException: Index 0 out of bounds for length 0 ( that expression not in form.\<close> (*Other agents know only their own*) :initState pin java.lang.StringIndexOutOfBoundsException: Index 70 out of bounds f (*Spy knows bad agents' pins, cloned cards' keys, pairKs, and Pairkeys *) initState_Spy: "nitStateSpy (Key`((pin`bad) \<union> (pin `{A. Card A \<in> cloned}) \<union> (shrK`{A. Card A \<in> cloned}) \<union> keysFor_parts_insert (crdK) \<union> (pairK`{(X,A). Card \<union> (Nonce`(Pairkey`{(A,B). Card A \<in> cloned & Card B \<in> cloned}))" end text axiomatizationsubsection<>Functionknows Key_supply_ax: "finite java.lang.StringIndexOutOfBoundsException: Index 0 out of *Needed ofSpyknowledge) Nonce_supply_ax: "finite NN \ subsectioninduct_tac) (*Injectiveness: Agents' long-term keys are distinct.*) declare inj_shrK [THENapply (no_asm_simp:imageI split.) declare (*Spyknows long-term of cards) declare inj_pin [THEN lemma Spy_knows_cloned [intro lemma invKey_K [simp]: "invKey K = K" apply (insert isSym_keys (shrK <in> knows Spy evs & apply (simp add:(forallB.Key(B,A)) <in> knows Spy evs)" done lemma analz_Decrypt' [dest]: "\ by auto text\<open>Now cancel the \<open>dest\<close> attribute given to <open>analz.Decrypt\<close> in its declaration.\<close> apply knows_Cons:.split \<open>ewrites not refer to that expression is not in normal form.\<close> text\<open>Added to extend initstate with set of nonces\<close> lemma parts_image_Nonce [apply( "evs") by auto lemma keysFor_parts_initState [simp]: "keysFor (parts (initState C)) = {}" unfolding keysFor_def apply (induct_taclemma Spy_knows_cloned2 [intro:"\ done (*Specialized to shared-key model: no @{term invKey}*) lemma keysFor_parts_insert "done by ((*Spy only knows pins of bad agents!*) lemma Crypt_imp_keysFor Spy_knows_Spy_bad intro: "A\ by (drule Crypt_imp_invKey_keysFor, simp) subsection (*Spy knows the pins of bad agents!*) lemma Spy_knows_bad [intro!]: "A \ apply (induct_tac" apply (simp_all \<Longrightarrow> X \<in> analz (knows Spy evs)" done (*Spy knows the long-term keys of cloned cards!*) lemma Spy_knows_cloned[ntro "Card A \ shrK_in_initStateiff" (shrK A \ Key (applyauto (\<forall> B. Key (pairK(B,A)) \<in> knows Spy evs)" apply (induct_tac applyapplyblast done [introCjava.lang.StringIndexOutOfBoundsException: Index 101 out of bounds for le java.lang.StringIndexOutOfBoundsException: Index 0 out of bounds for length 0 apply (simp_all (no_asm_simp)add knows_Cons split.split) done lemma Spy_knows_cloned2 [intro!]: "\ \<Longrightarrow> Nonce (Pairkey(A,B))\<in> knows Spy evs" apply apply lemmapin_in_initState [iff"ey( A)\ done (*Spy only knows pins of bad agents!*) lemma Spy_knows_Spy_bad [java.lang.StringIndexOutOfBoundsException: Index 26 out o apply induct_tac apply (simp_allrule) done (*For case analysis on whether or not an agent is compromised*) Crypt_Spy_analz_bad "java.lang.StringIndexOutOfBoundsException: Range [0, 37) out of bounds for leng \Longrightarrow\<in> analz (knows evs)" apply ( dest!: analz) done (** Fresh keys never clash with other keys **) java.lang.StringIndexOutOfBoundsException: Index 73 out of bounds for length 68 apply (induct_tac "A from long-term shared keys apply auto done lemma shrK_in_used [iff]: "Key (shrK A) \ apply (rule apply blast done lemma crdK_in_initState [iff]: "Key (crdK A) \ apply (induct_tac apply auto done lemma crdK_in_used [iff]: "Key (crdK A) \ apply (java.lang.StringIndexOutOfBoundsException: Index 11 out of bounds for leng applylemmacrdK_neqsimp "eyK\notin> used evs Longrightarrow crdK \ done lemmapin_in_initState]: "Key ( A) \ apply (induct_tac pin_not_used]: "Key K\ apply auto done lemma pin_in_used [iff]: "Key (pin A) \ java.lang.StringIndexOutOfBoundsException: Index 4 out of bounds for length 4 apply blast done lemma pairK_in_initState [iff]: "Key (pairK X) \ apply (induct_tac "X") apply auto done lemma pairK_in_used [iff]: "Key (pairK X) \ apply (rule initState_into_used) apply blast done (*Used in parts_induct_tac and analz_Fake_tac to distinguish session keys from long-term shared keys*) lemma Key_not_used by blast pairK_not_usedsimp]: "Key K \ lemma shrK_neq [applyclarify by blast lemmacrdK_not_used]: "Key K \ apply clarify done lemma crdK_neqdeclare [THEN not_sym] apply clarify done lemma pin_not_usedpairK_neqTHEN not_sym, ] apply clarify done lemma pin_neq [simp]: "Key K \ apply clarify done lemma pairK_not_used [simp: "Key K apply clarify done lemma pairK_neq [simp]: "Key K \ apply clarify done declare shrK_neqlemma Nonce_notin_used_empty [simp]: "Nonce N \ declaredone declare pin_neq [THENSo, we must use old-style supply java.lang.StringIndexOutOfBoundsEx declare : " subsection lemma"\ by auto (*This lemma no longer holds of smartcard protocols, where the cards can store) nonces. lemma Nonce_notin_used_empty [simp]: "Nonce N \<notin> used []" unfolding used_Nil done So, we must use old-style supply fresh nonce theorems relying on the appropriate axiom*) subsection\<open>Supply fresh nonces for possibility theorems.\<close> lemma Nonce_supply1: "\ apply (rule finite.emptyI [THEN Nonce_supply_ax, THEN ( evs =evs finite. [THEN Nonce_supply done lemma Nonce_supply2: "\ apply (cut_tac evs = evs in finite( exE) apply (eruleexE) apply (cut_tacjava.lang.StringIndexOutOfBoundsException: Index 11 out of bounds f apply auto Nonce_supply"once(SOMEN Nonce N done lemma Nonce_supply3rule,) Noncejava.lang.StringIndexOutOfBoundsException: Index 101 out of bounds for leng apply (cut_tac evs = evs in finite.emptyI [THEN Nonce_supply_ax]) apply (erule exE) apply ( evs = evs' and a1=Nin .emptyI [THEN finite.insertI,THEN ]) apply (erule\<term\<open>finite KK \<Longrightarrow> \<exists>K. K \<notin> KK & Key K \<notin> use apply (cut_tac evs=evs a1 =Naand = N in.emptyI [THEN.insertI,THEN.insertI, THEN]) apply blast done lemma Nonce_supply:" (SOME N. Nonce N\<> used evs) \ apply (rule apply (subsectionopen Rewriting for About\< done text\<open>Unlike the corresponding property of nonces, we cannot prove \<^term>\<open>finite KK \<Longrightarrow> \<exists>K. K \<notin> KK & Key K \<notin> used evs\<close> We have infinitely java.lang.StringIndexOutOfBoundsException: Index 11 out of bound long-term keys exhausting the numbers., possibility theorems must assume theapply blast subsection\<open>Specialized Rewriting for Theorems About \<^term>\<open>analz\<close> and Imag lemma subset_Compl_range_shrK insert_Key_singletoninsert)H= K <union> H" by blast lemma subset_Compl_range_crdKA\<subseteq> - (range crdK) \<Longrightarrow> crdK x \<notin> A" apply blast done lemma java.lang.StringIndexOutOfBoundsException: Index 0 out of bounds for length apply blast done lemma subset_Compl_range_pairK erase occurrences apply blast donelemmas analz_image_freshK_simps lemma insert_Key_singleton" ( K)H Key` {} \ by blast lemma insert_Key_image: [THEN sym [THEN sym empty_subsetI insert_subset by blast (** Reverse the normal simplification of "image" to build up (not break down) subset_Compl_ra the set of keys. Use analz_insert_eq with (Un_upper2 RS analz_mono) to erase occurrences of forwarded message components (X). **) lemmas analz_image_freshK_simps (java.lang.StringIndexOutOfBoundsException: Index 57 out of bounds for length 57 lemmaanalz_image_freshK_lemma: image_insert "Key K\ analz_insert_eq Un_upper2 [THEN analz_mono, THEN [2] rev_subsetD] insert_Key_singleton subset_Compl_range_shrK subset_Compl_range_crdK subset_Compl_range_pinsubset_Compl_range_pairK Key_not_used insert_Key_image Un_assoc [THEN sym] (*Lemma for the trivial direction of the if-and-only-if*) lemma analz_image_freshK_lemma: "(Key K \ (Key by (blast\<open> subsection\<open>Tactics for possibility theorems\<close> ML \<open> structure Smartcard = java.lang.StringIndexOutOfBoundsException: Index 0 out of bounds for length 0 (*Omitting used_Says makes the tactic much faster: it leaves expressions such as Nonce ?N \<notin> used evs that match Nonce_supply*) fun possibility_tac ctxt = (REPEAT (ALLGOALS (simp_tac (ctxt delsimps @{thms used_Cons_simps} |> Simplifier.set_unsafe_solver safe_solver)) THEN REPEAT_FIRST (eq_assume_tac ORELSE' resolve_tac ctxt [refl, conjI, @{thm Nonce_supply}]))) (*For harder protocols (such as Recur) where we have to set up some nonces and keys initially*) fun basic_possibility_tac ctxt = REPEAT (ALLGOALS (asm_simp_tac (ctxt delsimps@thmsused_Cons_simps THEN REPEAT_FIRST ctxt [refl,conjI val analz_image_freshK_ss (eq_assume_tac ORELSE simpset_of ctxt reflconjI{thm Nonce_supply}]))) (\<^context> |> Simplifier.del_simps @{thms image_insert image_Un} |> Simplifier.del_simps @{thms imp_disjL} (*reduces blow-up*) |>java.lang.StringIndexOutOfBoundsException: Index 67 out of bounds for length 67 end \<close> (*Lets blast_tac perform this step without needing the simplifier*) lemma invKey_shrK_iff [ REPEAT_FIRST( ctxt, = "(Key \<^> |> .del_simps @{thms image_Un} auto (*Specialized methods*) method_setup analz_freshK Scan.succeed (fn ((*Lets blast_tac perform this step without needing the simplifier*) IRST(resolve_tac ctxt@{thms allI ballI impI) REPEAT_FIRST (resolve_tac (KeyinvKey <>X (Key \<in> X)" java.lang.StringIndexOutOfBoundsException: Index 0 out of bounds for length 0 "for provingmethod_setup analz_freshK= \ method_setup possibility = \<open> Scan.succeedfn => ( [REPEAT_FIRST (resolve_tac @{thmsallI impI})java.lang.StringIndexOutOfBoundsExcept "for provingpossibilitytheoremsjava.lang.StringIndexOutOfBoundsException: Index method_setup basic_possibility\<open> Scan forKey SIMPLE_METHOD.basic_possibility_tac) "for proving possibility theorems" : knowsjava.lang.StringIndexOutOfBoundsException: Index 74 out of bounds for leng byjava.lang.StringIndexOutOfBoundsException: Index 0 out of bounds for length 0 (*Needed for actual protocols that will follow*) declareshrK_disj_crdK not_sym,iff declare (Smartcard. ctxt))\<close> declare pairK_disj_shrK[THEN declare pairK_disj_crdKTHEN, iff] lare[THEN not_symiff declare crdK_disj_pin[THEN declare legalUse_def] illegalUse_def [iff end ¤ Dauer der Verarbeitung: 0.15 Sekunden (vorverarbeitet) ¤*© Formatika GbR, Deutschland |
|
2026-03-28