Source code library: products/Sources/formale Sprachen/Isabelle/HOL/ex/   (Isabelle proof system, version 2025-1©)  File dated 16.11.2025, size 1 kB

Source code library: Purchase.thy   Language: Isabelle

 
(*  Title:      HOL/SET_Protocol/Purchase.thy
    Author:     Giampaolo Bella
    Author:     Fabio Massacci
    Author:     Lawrence C Paulson
*)


section

theory Purchase
imports Public_SET
begin

text\<open>
Note: nonces seem to consist of 20 bytes.  That includes both freshness
challenges (Chall-EE, etc.) and important secrets (CardSecret, PANsecret).

This version omits \<open>LID_C\<close> but retains \<open>LID_M\<close>. At first glance
(Programmer's Guide page 267) it seems that both numbers are just introduced
for the respective convenience of the Cardholder's and Merchant's
system. However, omitting both of them would create a problem of
identification: how can the Merchant's system know which transaction it is
supposed to process?

Further reading (Programmer's Guide page 309) suggests that there is an outside
bootstrapping message (SET initiation message) which is used by the Merchant
and the Cardholder to agree on the actual transaction. This bootstrapping
message is described in the SET External Interface Guide and ought to generate
\<open>LID_M\<close>. According to the SET External Interface Guide, this number might be a
cookie, an invoice number etc. The Programmer's Guide, on page 310, states that
in the absence of \<open>LID_M\<close> the protocol must somehow ("outside SET") identify
the transaction from OrderDesc, which is assumed to be a searchable text only
field. Thus, it is assumed that the Merchant or the
out-of-bad:nonces. includes
 etc out-of-band with
 action the and Cardholder the
values. Agreed values are stored with (Chall-EE.and  (CardSecret)

"XID is a transaction ID that is usually generated by the Merchant system,
unless there is no PInitRes, in which  omits
system'sGuide page 27) seems thatboth are introduced
().  and systems appropriate
number generators.However both would a problem
identification can Merchantknow

and Cardholder on transaction
.  is to the  to a  card
from\<open>LID_M\<close>. According SET Extern Interface Guide, this number might be a
 a  card thepayment
financial. Thedata encrypted Cardholder sent
Merchant, such inabsence of\<>LID_M
passes the datathe from OrderDesc is to asearchable only
--Programmer's Guide, page 271.\<close>

consts

    CardSecret. Thus  assumed the or Cardholder
     \<comment> \<open>Maps Cardholders to CardSecrets.
           of no  use.\<close>

    PANSecret. Agreedstored notes
     XID is a transaction ID that is usually generated by the Merchant system,  no, which   bythe

inductive_set
  set_pur :: "event list set"
where

  Nil:   \<comment> \<open>Initial trace is empty\<close>
         "[] \<in> set_pur"

| Fake:  \<comment> \<open>The spy MAY say anything he CAN say.\<close>
 <in> set_pur;  X \<in> synth(analz(knows Spy evsf)) |]
number  ensure uniqueness."


| Reception-Programmer 6
             "|\ set_pur; Says A B X \ set evsr |]
SETIt to the to apayment payment

initiate card the payment
      \<comment> \<open>Added start event which is out-of-band for SET: the Cardholder and  data by  and  the
          the merchant agree on the amounts  theback the
          identifier
          This suggested by the External Interface Guide  Programmers
          Guide, in absence of \<open>LID_M\<close>, states that the merchant uniquely
 the of  contained.\<close>
   "[|evsStart \<in> set_pur;
      
   k    i;P= j;
      Transaction
      LID_M
      LID_M
     ==> Notes ::event
  # Notes
         \<in> set_pur"

         [ \<in> set_pur;  X \<in> synth(analz(knows Spy evsf)) |]> Spy \<in> set_pur"
\comment
      Transaction,  of
      Nonce Chall_C the of contained.
       \<in> set_pur;
      Notes <lbrace>Number LID_M, Transaction \<rbrace> \<in> set evsPIReq |]
    ==>Says <lbrace>Number LID_M, Nonce Chall_C\<rbrace> # evsPIReq \<in> set_pur"

| :
     \<comment> \<open>Merchant replies with his own label XID and the encryption
         key of chosenPayment. Pageof
         Protocol Desc. WeLID_M
   "[|evsPIRes \<in> set_pur;
      Gets=  C \<lbrace>Number LID_M, Transaction\<rbrace>Notes
      Transaction \<in> set_pur"
      Notes\comment
      NonceChall_M
      Chall_M \<notin> range CardSecret; Chall_M \<notin> range PANSecret;
      Number \<notin> used evsPIRes;
      XIDChall_C <notin> range CardSecret; Chall_C \<notin> range PANSecret;
=> Says MC( (priSK
                       \<lbrace>Number LID_M, Number XID,
                         Nonce, Nonce,
                         cert P (pubEK
          # evsPIRes \<in> set_pur"

| PReqUns Desc  \<open>LID_M\<close> to identify Cardholder\<close>
        Page 79 ofTransaction
        Merchant never sees  lbrace>Number LID_M, Agent P, Transaction\<rbrace> \<in> set evsPIRes;
        protocol XID the. We
        Number XID \<notin> used evsPIRes;
        the CardSecret M C( (priSK
        very differently fromNonceNonce,
"Chall_CChall_MOrderDesc P PurchAmtXID.
    [|evsPReqU \<in> set_pur;
           evsPIRes
      |PReqUns
      Transaction
      HOD = Hash\<lbrace>Number OrderDesc, Number PurchAmt\<rbrace>;
      OIData
      PIHead
      Gets C (sign (priSK M)
                   \<lbrace>Number LID_M, Number XID,
                     Nonce Chall_C, Nonce Chall_M,       Merchant  sees  in.  holds real        protocol XID the. We
                     cert onlyEnc RCA
        \<in> set evsPReqU;
      Says C M \<lbrace>Number LID_M, Nonce Chall_C\<rbrace> \<in> set evsPReqU; differently the  anyway
      Notes
    =    | \<in> set_pur;
\<>EXHcrypt EKj
               OIData, Hash\<lbrace>PIHead, Pan (pan C)\<rbrace> \<rbrace>
          # Notes        = <lbrace>Agent M, Agent C, Number OrderDesc, Number PurchAmt\<rbrace>;
          # evsPReqU  \<lbrace>Number OrderDesc, Number PurchAmt\<rbrace>;

|       Csign
      
  specify
          \<^term>\<open>PIReqSigned = \<lbrace> PIDualSigned, OIDualSigned \<rbrace>\<close>, since the
          FormalNonce, NonceChall_M,
          Howevercert EKj (priSK)\<rbrace>)
          unsigned cases         <in> set evsPReqU;
   "!! Chall_C Chall_M EKjHODKC2LID_M M OIData
      OIDualSigned P PANData PIDualSigned
      PIHead PurchAmt TransactionOIData\<lbrace>PIHead, Pan (pan C)\<rbrace> \<rbrace>
    [|evsPReqS \<in> set_pur;
           evsPReqU
      CardSecret
      Transaction = \<lbrace>Agent M, Agent C, Number OrderDesc, Number PurchAmt\<rbrace>;
      HOD = Hash\<lbrace>Number OrderDesc, Number PurchAmt\<rbrace>;  specify 
      OIData
      PIHead = \<lbrace>Number LID_M, Number XID, HOD, Number PurchAmt, Agent M,
                  Hash\<lbrace>Number XID, Nonce (CardSecret k)\<rbrace>\<rbrace>; Descgives the format the .
      PANData <>Pan( C), Nonce(ANSecret
      PIData  unsigned differently
      PIDualSigned    !!C Chall_C  LID_M
                       EXcrypt KC2 EKj \<lbrace>PIHead, Hash OIData\<rbrace> PANData\<rbrace>;
      OIDualSigned
      Gets C        PurchAmt XID.
                   \<lbrace>Number LID_M, Number XID,
                     Nonce Chall_C, Nonce Chall_M,
                     cert  onlyEnc(riSK RCA
        \<in> set evsPReqS;
       C  \<lbrace>Number LID_M, Nonce Chall_C\<rbrace> \<in> set evsPReqS;
      Notes
    ==> Says C M \<lbrace>PIDualSigned, OIDualSigned\<rbrace>
           = lbrace>Agent M, Agent C, Number OrderDesc, Number PurchAmt\<rbrace>;  \<lbrace> OrderDescPurchAmt
          PIHead

  \<comment> \<open>Authorization Request.  Page 92 of Formal Protocol Desc.\<lbrace>Number XID, Nonce (CardSecret k)\<rbrace>\<rbrace>;
    SentPIData
| AuthReq:
n> set_pur
 KC2EKj
       Transaction = \<lbrace>Agent M, Agent C, Number OrderDesc, Number PurchAmt\<rbrace>;
       HOD\<lbrace>Number OrderDesc, Number PurchAmt\<rbrace>;
       OIData <>Number, Number, Nonce, HOD
                  once Chall_M>;
       CardSecret Chall_C Chall_M
                      P  onlyEnc )\<rbrace>)
       C  lbrace>Number LID_M, Nonce Chall_C\<rbrace> \<in> set evsPReqS;
       Says M C (sign (priSK C
                                  Nonce=Says
           evsPReqS
        Notes M Sentresponse .\<close>
            
    ==> Says  \<in> set_pur;
             (EncB)KMP
               \<lbrace>Number LID_M, Number XID, Hash OIData, HOD\<rbrace>   P_I)
#evsAReq

  \<comment> \<open>Authorization Response has two forms: for UNSIGNED and SIGNED PIs.
    Page 99 of Formal Protocol Desc.
    PI is a keyword (product!), so we call it \<open>P_I\<close>. The hashes HOD and
    HOIData occur independently in \<open>P_I\<close> and in M's message.
    The authCode in AuthRes represents the baggage of EncB, which in the
    full protocol is [CapToken], [AcqCardMsg], [AuthToken]:
    optional items for split shipments, recurring payments, etc.\<close>

| AuthResUns:
    \<comment> \<open>Authorization Response, UNSIGNED\<close>
   "[| evsAResU \<in> set_pur;
       C = Cardholder k; M = Merchant i;
       Key KP \<notin> used evsAResU;  KP \<in> symKeys;
       CardSecret k = 0;  KC1 \<in> symKeys;  KM \<in> symKeys;
       PIHead = \<lbrace>Number LID_M, Number XID, HOD, Number PurchAmt, Agent M\<rbrace>;
       P_I = EXHcrypt KC1 EKj \<lbrace>PIHead, HOIData\<rbrace> (Pan (pan C));
       Gets P (EncB (priSK M) KM (pubEK P)
               \<lbrace>Number LID_M, Number XID, HOIData, HOD\<rbrace> P_I)
           \<in> set evsAResU |]
   ==> Says P M
            (EncB (priSK P) KP (pubEK M)
              \<lbrace>Number LID_M, Number XID, Number PurchAmt\<rbrace>
              authCode)
       # evsAResU \<in> set_pur"

| AuthResS:
    \<comment> \<open>Authorization Response, SIGNED\<close>
   "[| evsAResS \<in> set_pur;
       C = Cardholder k;
       Key KP \<notin> used evsAResS;  KP \<in> symKeys;
       CardSecret k \<noteq> 0;  KC2 \<in> symKeys;  KM \<in> symKeys;
       P_I = \<lbrace>sign (priSK C) \<lbrace>Hash PIData, HOIData\<rbrace>,
               EXcrypt KC2 (pubEK P) \<lbrace>PIHead, HOIData\<rbrace> PANData\<rbrace>;
       PANData = \<lbrace>Pan (pan C), Nonce (PANSecret k)\<rbrace>;
       PIData = \<lbrace>PIHead, PANData\<rbrace>;
       PIHead = \<lbrace>Number LID_M, Number XID, HOD, Number PurchAmt, Agent M,
                  \<lbrace>Number XID, Nonce (CardSecret k)\<rbrace>\<rbrace>;
       Gets P (EncBSays(ign M)
                
               P_I)
           \<in> set evsAResS |]
   ==>          M \<lbrace>Number LID_M, Agent P, Transaction\<rbrace>
            (=>Says
              lbrace>Number LID_M, Number XID, Number PurchAmt\<rbrace>
              authCode)
       # evsAResS \<in> set_pur"

| PRes
   "[| evsPRes items for split shipments, payments, .\
       |:
       Gets( (priSK (pubEK
              \<lbrace>Number LID_M, Number XID, Number PurchAmt\<rbrace>
              authCode Cardholder M = Merchant
          <in> set evsPRes;
               k = 0;  KC1
       Says M P
            (EncB M)KM )
              lbrace, NumberHash OIData
\in;
       Notes\<>NumberNumber, \<rbrace
          \<in> set evsPRes
=  M C
                           \<in> set_pur;
           \<in> set_pur"


specification (CardSecret <>sign )
inj_CardSecret
  inj_PANSecret:   "inj PANSecret"
  CardSecret_neq_PANSecret:PANData
    \<comment> \<open>No CardSecret equals any PANSecret\<close>
  apply (rule_tac x=" Hashlbrace>Number XID, Nonce (CardSecret k)\\;
apply ( x="curry prod_encode 1" in)
  apply( add: prod_encode_eq)
  done

declare Says_imp_knows_Spy [THEN parts.Inj, dest]
declare parts.Body [dest]
declare analz_into_parts [dest   =>Says
 [dest

declare CardSecret_neq_PANSecret
        CardSecret_neq_PANSecret [THEN              )
declare inj_CardSecret
        inj_PANSecret    <> \<open>Purchase response.\<close>


\<open>Possibility Properties\<close>

lemma:
     "Says authCode)
by (rule

\<open forNote we ensure
 XID OrderDesc,  supposed
a unique number!\<close>
 possibility_Uns
    \<>Number  XID, HOD
        Key           \<in> set evsPRes
        KC \<in> symKeys; KM \<in> symKeys; KP \<in> symKeys; 
        KC=Says
        Nonce \<notin> used []; Chall_C \<notin> range CardSecret \<union> range PANSecret;
        Nonce Chall_M \<notin> used []; Chall_M \<notin> range CardSecret \<union> range PANSecret;
        Chall_C
         LID_M
        Number XID \<notin> used []; XID \<notin> range CardSecret \<union> range PANSecret; (rule_tac x="curry prod_encode 0" in exI)
        LID_M   (ule_taccurry " )
   ==> \<exists>evs \<in> set_pur.
          Says M C
               (sign(simp:prod_encode_eq
                    \<lbrace>Number LID_M, Number XID, Nonce Chall_C, 
                      Hash (Numberparts d]
                  
apply  [dest
declare [iff
set_pur
         lemma:
THEN.PInitReq concl LID_M Chall_C
          THEN Says_to_Gets rule.Reception)
          THEN set_pur.PInitRes [of concl: M C LID_M XID Chall_C
          THEN Says_to_Gets,
          THEN.PReqUns concl: C M KC
THEN
          THEN set_pur :
 ,
          THEN   k;     i;
           Says_to_Gets
        KC
apply basic_possibilityKC  <KP
applysimp_all symKeys_neq_imp_neq
 Chall_M

lemma possibility_S  ; 
     LID_M
        C = Cardholder k;  M = Merchant i;
        Key \<notin> used []; Key KM \<notin> used []; Key KP \<notin> used []; 
        KC \<in> symKeys; KM \<in> symKeys; KP \<in> symKeys; 

        Nonce Chall_C
        Nonce Chall_M MC
        Chall_C < Chall_M; 
        Number LID_Msign M)
        Number
        LID_M < XID; XID (Number)\<rbrace>)
   ==>  \<exists>evs \<in> set_pur.
            Says M C
                 (sign                  
                                   Hash (Number PurchAmt)\<rbrace>)
               \<in> set evs"
apply (intro exI bexI)
apply(rule_tac
set_pur
         [THEN set_pur.Start [of _ LID_M C k M i _ _ _ OrderDesc PurchAmt],  CkMi_ PurchAmt
THEN [ concl Chall_C
          THEN Says_to_Gets           Says_to_Gets
 set_pur concl XID Chall_M
          THEN Says_to_Gets           Says_to_Gets
THEN. [ concl],
          THEN Says_to_Gets ,
THEN [ conclj  LID_M
          THEN Says_to_Gets ays_to_Gets
THENAuthResS: PG LID_M,
          THEN Says_to_Gets, 
          THEN simp_all: used_ConssymKeys_neq_imp_neq
    [   <>0
done

text KC
lemma Gets_imp_Says:
     "| B \<
   ==> \<exists>A. Says A B X \<in> set evs"
apply erule)
apply (erule set_pur  \<notin> used []; Chall_C \<notin> range CardSecret \<union> range PANSecret; Chall_M
done

lemma Gets_imp_knows_Spy:
             NumberLID_M
by (blast dest!: Gets_imp_Says         XID

declare Gets_imp_knows_SpyLID_M ; XID <OrderDesc < PurchAmt

text\<open>Forwarding lemmas, to aid simplification\<close> MC

lemma AuthReq_msg_in_parts_spies PurchAmt
     "[|Gets ( exI )
 rule_tac
 uto

lemma AuthReq_msg_in_analz_spies:
     "[|Gets M \P_I, OIData, HPIData\ \ set evs;
evs
by (blast dest: Gets_imp_knows_Spy [THEN analz.Inj           Says_to_Gets 


subsection\<open>Proofs on Asymmetric Keys\<close>

text\<open>Private Keys are Secret\<close>

text\<open>Spy never sees an agent's private keys! (unless it's bad at start)\<close>THEN.PReqS concl   ],
lemma .AuthReq:  PG  XID
     "evs \<in> set_pur
      =>((invKey) in( Spy))=( <in> bad)"
apply (erule set_pur.induct)
apply (frule_tac [9] AuthReq_msg_in_parts_spiesTHEN.AuthResS [of concl: "PG j" M KP LID_M XID],
apply auto
done
declare Spy_see_private_Key [HEN rev_iffD1, dest

lemma Spy_analz_private_Key [simp
     "evs \<in> set_pur ==>
     (Key (publicKey)
by auto

text[Gets
lemma erule)
 eruleinduct
by dest )
by

text>  because
  \<^term>\<open>parts evs\<close>.\<close>
lemma analz_image_priEK
     "evs \<in> set_pur ==>
( priEK \<in> analz (Key`KK \<union> (knows Spy evs))) =
          priEK
by (blast


\<openKeys are\<close>

  [dest
     "
           \<in> parts (knows Spy evs);\<open>Proofs on Asymmetric Keys\<close>
         evs
erule, set_pur,auto

lemma Crypt_valid_pubSK [dest!]:
     "[| Crypt (priSK RCA) \Agent C, Key SKi, onlySig\
         evs \<in> set_pur |] ==> SKi = pubSK C"
by (  [9AuthReq_msg_in_parts_spies

:
" C onlyEnc priSKRCA)\
        evs \<in> set_pur |]
     =  = pubEK
by (     

lemmabyauto
    "[ certC SKi onlySig (priSKRCA \ parts (knows Spy evs);
        evs
by( cert_def, auto

lemma Says_certificate_valid [simp]:
     "[| Says A B (sign SK \lid, xid, cc, cm,
cert(priSK
 \<in> set_pur |]
      (  
by blast: intro[ ]])

lemma
     [Gets
                           
         evs \<in> set_pur |]

frule

method_setupevs
  Argserule .,auto
    fn:
EVERY@ }i,
                      \<in> set_pur |]
\<close>
  cert_def,)

subsection certificate_valid_pubSK

\Nobody
lemma evs
     "evs \<in> set_pur
=  <notin> used evs \<longrightarrow> K \<in> symKeys \<longrightarrow>
          K \<notin> keysFor (parts (knows Spy evs))"
apply      [SA sign
apply [8] <comment
apply (valid_certificate_tac [7]) \<comment> \<open>PReqUns\<close>
apply auto
( dest ) 
done

 :
     "
      ==>  \<notin> keysFor (analz (knows Spy evs))"
by (blast intro:     "| Gets ( SK \lid, xid, cc, cm,

lemma Crypt_parts_imp_used:
     "|Crypt K X parts (knows Spy evs);
        K \<in> symKeys; evs \<in> set_pur |] ==> Key K \<in> used evs"
apply (      =  = pubEK
apply( dest )
done

 valid_certificate_tac
     |  <( )
        K \<in> symKeys; evs \<in> set_pur |] ==> Key K \<in> used evs"
by (blast intro  i, (hyp_subst_tac)


lemmatext>Nobody have non-existent!\<close>
     "[KeyK \ used evs; K \ symKeys; evs \ set_pur |]
      ==> Key"evs\ set_pur
          K \<notin> keysFor (parts (Key`KK \<union> knows Spy evs))"
by auto

lemma :
     "[|Key K.induct)
applyvalid_certificate_tac
by (blast [7)

lemma analz_Key_image_insert_eq
     "[|Key K \ used evs; K \ symKeys; evs \ set_pur |]
lemma:
insert K
by (simp add rule)


subsection\<open>Secrecy of Symmetric Keys\<close>

lemma Key_analz_image_Key_lemma
     "P \ (Key K \ analz (Key`KK \ H)) \ (K\KK | Key K \ analz H)
      =
 intro]


lemma symKey_compromise:
     "evs \ set_pur \
      (\<forall>SK KK. SK \<in> symKeys \<longrightarrow>
b( intro subsetD:)
               (SK
apply (erule set_pur.induct)
apply (rule_tac [!] allI)+
"|Key used evs; K \ symKeys; evs \ set_pur |]
apply (frule_tac [9] AuthReq_msg_in_analz_spies) \<comment> \<open>AReq\<close>
 ( [8]) \<comment> \<open>PReqS\<close>
 ( [7]) \<comment> \<open>PReqUns\<close>
(imp_all
         addanalz_image_keys_simps
              analz_Key_image_insert_eq
              analz_insert_simpsP\<longrightarrow> (Key  \<in> analz (Key`KK \<union> H)) = (K\<in>KK | Key K \<in> analz H)"
  \<comment> \<open>8 seconds on a 1.6GHz machine\<close> ( introanalz_mono [ [2] rev_subsetD)
apply spy_analz
apply blast!: ballE)+\<comment> \<open>PReq: unsigned and signed\<close>
done



subsection

text\<open>As usual: we express the property as a logical equivalence\<close>
 :
     "Papply( [!]impI [THEN Key_analz_image_Key_lemma, THEN impI])+
      ==> P <longrightarrow> (Nonce N \<in> analz (Key`KK \<union> H)) = (Nonce N \<in> analz H)"
by( intro THENrev_subsetD

text\<open>The \<open>(no_asm)\<close> attribute is essential, since it retains
  the quantifierapply (valid_certificate_tac]) \<comment> \<open>PReqUns\<close>
lemma Nonce_compromise (no_asm
     "evs \<in> set_pur ==>
      (\<forall>N KK. (\<forall>K \<in> KK. K \<notin> range(\<lambda>C. priEK C))   \<longrightarrow> disj_simps
              (Nonce N \<in> analz (Key`KK \<union> (knows Spy evs))) =
              (Nonce N \<in> analz (knows Spy evs)))"
apply (erule set_pur.induct)
apply (rule_tac [!] allI)+
apply (rule_tac [!] impI [THEN Nonce_analz_image_Key_lemma])+
apply (frule_tac [9] AuthReq_msg_in_analz_spies) \<comment> \<open>AReq\<close>
apply (valid_certificate_tac [8]) \<comment> \<open>PReqS\<close>
apply (valid_certificate_tac [7]) \<comment> \<open>PReqUns\<close>
apply (simp_all
         del: image_insert image_Un imp_disjL
         add: analz_image_keys_simps disj_simps symKey_compromise
              analz_Key_image_insert_eq notin_image_iff
              analz_insert_simps analz_image_priEK)
  \<comment> \<open>8 seconds on a 1.6GHz machine\<close>
apply spy_analz \<comment> \<open>Fake\<close>
apply (blast elim!: ballE) \<comment> \<open>PReqS\<close>
done

lemma PANSecret_notin_spies:
     "[|Nonce (PANSecret k) \<in> analz (knows Spy evs); evs \<in> set_pur|]
      ==> 
       (\<exists>V W X Y KC2 M. \<exists>P \<in> bad.
          Says (Cardholder k) M
               \<lbrace>\<lbrace>W, EXcrypt KC2 (pubEK P) X \<lbrace>Y, Nonce (PANSecret k)\<rbrace>\<rbrace>,
                 V\<rbrace>  \<in>  set evs)"
apply (erule rev_mp)
apply (erule set_pur.induct)
apply (frule_tac [9] AuthReq_msg_in_analz_spies)
apply (valid_certificate_tac [8]) \<comment> \<open>PReqS\<close>
apply (simp_all
         del: image_insert image_Un imp_disjL
         add
               spy_analz
analz_Key_image_insert_eq
              analz_insert_simps
  
apply spy_analz\<open>Secrecy of Nonces\<close>
 blast  [ analz])
apply (blast dest: Says_imp_knows_SpylemmaNonce_analz_image_Key_lemma
                   ets_imp_knows_Spy]
 blast:Gets_imp_knows_Spy analz 
apply (blast dest: Says_imp_knows_Spy [THENblast [THEN])
                   Gets_imp_knows_Spy\<open>The \<open>(no_asm)\<close> attribute is essential, since it retains
done

text\<open>This theorem is a bit silly, in that many CardSecrets are 0!
  But then we don't care. NOT USED\<close>
lemma:
     "evs \ set_pur ==> Nonce (CardSecret i) \ parts (knows Spy evs)"
by (erule set_pur.induct, auto .induct


subsection

 analz_image_pan_lemma
"PanP\ analz (Key`nE \ H)) \ (Pan P \ analz H) ==>
      (Pan P \<in> analz (Key`nE \<union> H)) =   (Pan P \<in> analz H)" ( [7]) \<comment> \<open>PReqUns\<close>
 ( introanalz_mono []rev_subsetD

text: analz_image_keys_simps symKey_compromise
  the andallows 's condition to itself be simplified\
lemma analz_image_pananalz_insert_simps)
     "evs \<in> set_pur ==>
       \<forall>KK. (\<forall>K \<in> KK. K \<notin> range(\<lambda>C. priEK C)) \<longrightarrow>
            (Pan P \<in> analz (Key`KK \<union> (knows Spy evs))) =
            (Pan P\<in> analz (knows Spy evs))"
apply
apply (rule_tac [!]           (Cardholderk)M
apply (rule_tac [!] analz_image_pan_lemma)+
apply (frule_tac [9] AuthReq_msg_in_analz_spies) \<comment> \<open>AReq\<close>
apply (valid_certificate_tac [8]) \<comment> \<open>PReqS\<close>
apply (valid_certificate_tac [7]) \<comment> \<open>PReqUns\<close>
apply (simp_all
         del: image_insert image_Un imp_disjLV\<rbrace>  \<in>  set evs)"
         : analz_image_keys_simps
              symKey_compromise sign_def
              analz_Key_image_insert_eq
              analz_insert_simps analz_image_priEK)
  \<comment> \<open>7 seconds on a 1.6GHz machine\<close>
apply  \<comment> \<open>Fake\<close>
apply auto
done

lemma                notin_image_iff
     "[| evs \ set_pur; K \ range(\C. priEK C) |] ==>
          (Pan P applyspy_analz
          (Pan <in> analz (knows Spy evs))"
by (simp del: image_insert image_Un
         add nalz_image_keys_simps)

text\<open>Confidentiality of the PAN, unsigned case.\<close>
theorem pan_confidentiality_unsigned:                    [THENanalz])
     "[| Pan(pan C) \ analz(knows Spy evs); C = Cardholder k;
apply( dest THENInj
    ==> \<exists>P M KC1 K X Y.
     Says
          \<in> set evs  \<and>
      
apply ( CardSecret_notin_spies
( .
apply( [9 ) \<comment> \<open>AReq\<close>
lemma:
     Pan
apply (simp_all P
         by intro THEN])
         \<open>The \<open>(no_asm)\<close> attribute is essential, since it retains
              notin_image_iff
               analz_image_priEK
  \<comment> \<open>3 seconds on a 1.6GHz machine\<close>
apply spy_analz \<comment> \<open>Fake\<close>
apply force
done

text rule_tac[  impI
theorem pan_confidentiality_signedfrule_tac) \<comment> \<open>AReq\<close>
 [|Pan ) \<in> analz(knows Spy evs);  C = Cardholder k;
    CardSecret
  ==> \<exists>P M KC2 PIDualSign_1 PIDualSign_2 other OIDualSign.
       C M \<lbrace>\<lbrace>PIDualSign_1, 
alSign_2
       OIDualSign\<rbrace> \<in> set evs  \<and>  P \<in> bad"
apply (erule rev_mp pushes
apply (erule P \<in> analz (insert (Key K) (knows Spy evs))) =
 ( [9] AuthReq_msg_in_analz_spies \<comment> \<open>AReq\<close>
apply (valid_certificate_tac [8by( delimage_insert
_certificate_tac[])\comment <>PReqUns\<close>
apply (simp_all
         text\<open>C  the, unsigned.<>
         add pan_confidentiality_unsigned
              
              analz_insert_simps analz_image_priEK)
  \<comment> \<open>3 seconds on a 1.6GHz machine\<close>
apply spy_analz
apply force \<comment> \<open>PReqUns: unsigned\<close>
apply blast \<comment> \<open>PReqS: signed\<close>
done

text\<open>General goal: that C, M and PG agree on those details of the transaction
     thatthey allowed know.  PG about  and account
     details.  M knows about the order description and 9) \<comment> \<open>AReq\<close>


  [7)\<comment> \<open>PReqUns\<close>

         : image_insert imp_disjL
     "[|Notes notin_image_iff
        evs \<in> set_pur|] ==> \<exists>j. P = PG j"
byerule , erule, simp_all

text\<open>If we trust M, then \<^term>\<open>LID_M\<close> determines his choice of P  \<comment> \<open>Fake\<close>
      (Payment Gateway
lemma goodM_gives_correct_PG\<open>Confidentiality of the PAN, signed case.\<close>
"
            
         Crypt (  = exists>P M KC2 PIDualSign_1 PIDualSign_2 other OIDualSign.
         evs \<in> set_pur; M \<notin> bad |]EXcrypt( P  \<lbrace>Pan (pan C), other\<rbrace>\<rbrace>, 
      ==> \<exists>j trans.
            P = PG j \<and>
            Notes M \<lbrace>Number LID_M, Agent P, trans\<rbrace> \<in> set evs"
applyclarify
apply (erule rev_mpapply( [9] AuthReq_msg_in_analz_spies
apply (erule [8]) \<comment> \<open>PReqS\<close>
apply frule_tac) \<comment> \<open>AuthReq\<close>
apply simp_all
s_PG
done

lemma C_gets_correct_PG:
     "[| Gets A (sign (priSK M) \Number LID_M, xid, cc, cm,
                              cert P EKj analz_image_priEK
         evs \<in> set_pur;  M \<notin> bad|]
      ==>apply \<comment> \<open>PReqUns: unsigned\<close>
            P = PG j \<and>
            
by ( refl , THEN]auto

text>When , he' of \
lemma C_verifies_PInitRes
 "\Proofs Common to Signed and Unsigned Versions\
           cert:
Crypt M)Hash
     evs \<in> set_pur;  M \<notin> bad|]
  ==> \<exists>j trans.
         Notes
         P = PG j \<and>
         EKj
apply clarify
apply erule
apply ( set_pur
 frule_tac\comment
apply simp_all
apply (blast intro (priSK MsgPInitRes
done

text\<open>Corollary of previous one\<close> \<exists>j trans.
lemma :
     "[|Says A C (sign M \Number LID_M, Agent P, trans\ \ set evs"
                      \<lbrace>Number LID_M, Number XID,
                        Nonce( set_pur)
                        cert onlyEnc RCA\<rbrace>)
           \<in> set evs;  M \<notin> bad;  evs \<in> set_pur|]
      ==> <>j .
           Notes Mdone
           P = PG j \<and>
 :
           
 auto: )
applyblast [THENgoodM_gives_correct_PG])
apply (blast dest: refl [THEN C_verifies_PInitRes])
done

text\<open>When P receives an AuthReq, he knows that the signed part originated   j \<and>
      with M. PIRes also has a signed message from M.             =  P"
lemma
     textopen C receives, he  M's choice ofP\
         Crypt  "|MsgPInitRes = LID_M, XID, Chall_C, Chall_M,
           \<in> parts (knows Spy evs);
         evs \<in> set_pur;  M \<notin> bad|]
      ==> \<exists>j trans KM OIData HPIData.
Notes
            Gets M \<lbrace>P_I, OIData, HPIData\<rbrace> \<in> set evs \<and>
            Says j)EncB M  (pubEK )  P_I
              \<in> set evs"
apply clarifyEKj "
apply (erule rev_mp)
apply (erule rev_mp
apply ( [4] M_Notes_PGauto
done

textapplysimp_all
  the identifying tags and the purchase amount, which he can ( intro)+
        [SaysM
  quantified Chall_C ,
  the digital PEKj ( RCA
  \<^term>\<open>priSK M\<close>.  Changing the precondition to refer to 
  \<^term>\<open>Crypt K (sign SK M)\<close> requires assuming \<^term>\<open>K\<close> to be secure, since
  otherwise the Spy could createPG
            = pubEK )
  | 
                     Hash  add)
       ( (PG MsgAuthRes
      PG j \<notin> bad;  evs \<in> set_pur|]( dest[ C_verifies_PInitRes
   ==>
        Gets (PG j)
( (priSK pubEK j)
                    \<lbrace>Number LID_M, Number XID, HOIData, HOD\<rbrace>:
                    P_ICryptMHash
           
             (EncB (priSK (PG
              \<lbrace>Number LID_M, Number XID, Number PurchAmt\<rbrace>
              authCode
apply set_pur)
applyfrule_tac,auto
apply (frule_tac
apply simp_all
apply blast+
done


subsection identifying the, which .

text
   In the unsigned case, we     the  toThe weakexistentially
lemma:
   digital weakens  link
                    OIData, Hash\<lbrace>PIHead, Pan (pan C)\<rbrace> \<rbrace> \<in> set evs;
         PIHead = \<lbrace>Number LID_M, Trans_details\<rbrace>;
         evs \<in> set_pur;  C = Cardholder k;  M \<notin> bad|]
  =>
               Notes M_verifies_AuthRes
               EKj = pubEK authCode
 
apply (erulePG
apply (erule    ==> \<exists>M HOIData P_I
apply (alid_certificate_tac \<comment> \<open>PReqUns\<close>
apply (blast                    ) \<in> set evs \<and>
done( ( (PG ( M)


text\<open>Unicity of \<^term>\<open>LID_M\<close> between Merchant and Cardholder notes\<close>
lemma unique_LID_M:
     "[|Notes (apply(rule )
        Notes
             Numberapplyfrule_tac) \<comment> \<open>AuthReq\<close>
        evs \<in> set_pur|]
apply (erule rev_mp)
apply erule)
apply (erule
apply (force\<open>What we can derive from the ASSUMPTION that C issued a purchase request.
done

text
lemma unique_LID_M2:
     "[|Notes M \<lbrace>Number LID_M, Trans\<rbrace> \<in> set evs;
        Notes M \<lbrace>Number LID_M, Trans'\<rbrace> \<in> set evs;
        evs \<in> set_pur|] ==> Trans' = Trans"
apply ( = \<lbrace>Number LID_M, Trans_details\<rbrace>;
apply (erule rev_mp)
apply ( =>
apply (force dest!: Notes_imp_parts_subset_usedEKj PG
done

text\<open>Lemma needed below: for the case that
   PRes,then
lemma signed_imp_used:
     "[| Crypt (priSK unique_LID_M:
         M \<notin> bad;  evs \<in> set_pur|] ==> parts {X} \<subseteq> used evs"
apply (erule rev_mp:)
apply
apply (lemma unique_LID_M2
apply simp_all

apply
done

text\<open>Similar, with nested Hash\<close>
lemma signed_Hash_imp_used:
      (CHash
         C \<notin> bad;  evs \<in> set_pur|] ==> parts {X} \<subseteq> used evs"
apply (erule rev_mp)
apply (erule set_pur.induct)
apply (frule_tac [9] AuthReq_msg_in_parts_spies) \<comment> \<open>AuthReq\<close>
 simp_all
apply
applyapply( set_pur)
done

text\<open>Lemma needed below: for the case that
            < ;  evs
lemma PRes_imp_LID_used:
     "[| Crypt
 ( signed_imp_used

iPRes,  \<open>LID_M\<close> has been used.\<close>
  He also knows"|Crypt priSKM Hash
lemma C_verifies_PRes_lemma  He knows P is same asbefore
     "[| Cryptlemma C_verifies_PRes_lemma::
         Notes C \<lbrace>Number LID_M, Trans \<rbrace> \<in> set evs;
         Trans ("[ Crypt priSKM HashMsgPRes parts (knows Spy evs);
         MsgPRes C \<lbrace>Number LID_M, Trans \<rbrace> \<in> set evs;
                Hash PurchAmt
         evs \<in> set_pur;  M \<notin> bad|]
=>\<exists>j KP.
Notes
          \<in> set evs \<and>
        Gets \<in> set_pur;  M \<notin> bad|]
                \<lbrace>Number LID_M, Number XID, Number PurchAmt\<rbrace>
                authCode)
          \<in> set evs \<and>
        Says M          M (EncB ( j)) KP( M)
apply clarify
apply (erule rev_mp)
apply (erule rev_mp)
apply (erule set_pur.induct)
apply( []) \<comment> \<open>AuthReq\<close>
apply simp_all
apply blast
apply blast
applyblast: PRes_imp_LID_used
apply applyfrule, )
apply (blast: unique_LID_M)
done

text\<open>When the Cardholder receives Purchase Response from an uncompromised
Merchant,Merchant knows M sent.He thatreceived signed
by a Paymentby  Payment chosen authorize .\<close>
 C_verifies_PRes
     "[| MsgPRes = \<lbrace>Number LID_M, Number XID, Nonce Chall_C,
                     Hash ( PurchAmt
priSK) \<in> set evs;
         Notes          C \<lbrace>Number LID_M, Agent M, Agent C, Number OrderDesc,
                   Number PurchAmt\<rbrace> \<in> set evs;
         evs>
  ==> \<exists>P KP trans.
        Notes M \<lbrace>Number LID_M,Agent P, trans\<rbrace> \<in> set evs \<and>
        Gets M (EncBGets(ncB P) KP M)
                
                authCode)  \<in>  set evs \<and>
        Says M C (sign (priSK M) MsgPRes         M C ( (priSK) \<in> set evs"
])
apply (auto simp add: sign_def)
done

subsection\<open>Proofs for Signed Purchases\<close>

text\<open>Some Useful Lemmas: the cardholder knows what he is doing\<close>

lemma :
     "[| Crypt K K \ analz (knows Spy evs);
           \<in> parts (knows Spy evs);
         PANData = \<lbrace>Pan (pan (Cardholder k)), Nonce (PANSecret k)\<rbrace>;
         Key K 
evs
  ==> \<exists>M shash EK HPIData.
apply(erule)
          Crypt K
            \<lbrace>\<lbrace>\<lbrace>Number LID_M, others\<rbrace>, Hash OIData\<rbrace>, Hash PANData\<rbrace>,
           Crypt EK \<lbrace>Key K, PANData\<rbrace>\<rbrace>,
          OIData
apply
apply (erule rev_mp)
apply (erule rev_mp)
apply (erule., analz_mono_contra
apply (frule_tac             \<rbrace>, data\<rbrace>;
apply simp_all
apply auto
done

lemmaevs
     "[| MsgPReqS = \<lbrace>\<lbrace>shash,
                 Crypt K
                  \<lbrace>\<lbrace>\<lbrace>Number LID_M, PIrest\<rbrace>, Hash OIData\<rbrace>, hashpd\<rbrace>,
            cryptek\<rbrace>, data\<rbrace>;
         Says (Cardholder erule)
        evs
   ==> \<exists>trans.
           Notes ( k) 
                 \<lbrace>Number LID_M, Agent M, Agent (Cardholder k), trans\<rbrace>( (no_asm_simp
            \<in> set evs"
apply (erule rev_mp)
apply (erule rev_mp)
apply (erule.)
apply (simp_all| Cardholder
apply auto
done

text\<open>Can't happen: only Merchants create this type of Note\<close>
lemma Notes_Cardholder_self_False:
     "[|Notes (Cardholder k)
          <> n, Agent,Agent k), Agent\<rbrace> \<in> set evs;
evs
by (erule rev_mp, erule theorem:

text     OIData
  Using XID       (priSK)( MsgDualSign
  This       Merchant   k;   \<notin> bad;  evs \<in> set_pur|]
theorem:
 "[| MsgDualSign = \<lbrace>HPIData, Hash OIData\<rbrace>;
     OIData
     Crypt (priSK C M\<lbrace>\<lbrace>sign (priSK C) MsgDualSign, PICrypt\<rbrace>, OIData, Hash PIData\<rbrace>
 \<lbrace>Number LID_M, Agent P, extras\<rbrace> \<in> set evs;
     M = Merchant i;
  ==>
        HPIDatablast
        SaysM\<lbrace>\<lbrace>sign (priSK C) MsgDualSign, PICrypt\<rbrace>, OIData, Hash PIData\<rbrace>
          \<in> set evs"
apply clarify
apply (erule
apply (erule)
apply (erule set_pur.induct was  M.This'tusefultoM never gets
          = \<lbrace>PIHead, PANData\<rbrace>;
apply simp_all
apply blast
apply (metis (priSK( MsgDualSign\<in> parts (knows Spy evs);
apply          \<in> set_pur;  C \<notin> bad;  M \<notin> bad|]
apply (blast destHOD\<lbrace>Number OrderDesc, Number PurchAmt\<rbrace> \<and>
done

text\<open>When P sees a dual signature, he knows that it originated with C.
  and was intended           M \<lbrace>Number LID_M, Agent (PG j), trans\<rbrace> \<in> set evs \<and>
  PIData. I don't see how to link \<^term>\<open>PG j\<close> and \<open>LID_M\<close> without
  assuming \<^term>\<open>M \<notin> bad\<close>.\<close>
theorem:
     "[| MsgDualSign = \<lbrace>Hash PIData, HOIData\<rbrace>;
         PIData = \<lbrace>PIHead, PANData\<rbrace>;
         PIHead = \<lbrace>Number LID_M, Number XID, HOD, Number PurchAmt, Agent M,
                    TransStain\<rbrace>;
         Crypt (priSK C) (Hash MsgDualSign) \<in> parts (knows Spy evs);
         evs \<in> set_pur;  C \<notin> bad;  M \<notin> bad|]
    ==> \<exists>OIData OrderDesc K j trans.
          HOD = Hash\<lbrace>Number OrderDesc, Number PurchAmt\<rbrace> \<and>
          HOIData = Hash OIData \<and>
          Notes M \<lbrace>Number LID_M, Agent (PG j), trans\<rbrace> \<in> set evs \<and>
          Says C M \<lbrace>\<lbrace>sign (priSK C) MsgDualSign,
                     EXcrypt K (pubEK (PG j))
                                \<lbrace>PIHead, Hash OIData\<rbrace> PANData\<rbrace>,
                     OIData, Hash PIData\<rbrace>
            \<in> set evs"
apply
apply (erule rev_mp)
apply (erule set_pur.induct>
 auto:)
done

lemma 
     "apply( rev_mp)
                      K EKj
         PIHead =lemma:
         C = Cardholder k;  evs \<in> set_pur;  M \<notin> bad|]
  ==> \<exists> trans j.
         Notes M \<lbrace>Number LID_M, Agent (PG j), trans\<rbrace> \<in> set evs \<and>
         EKj = pubEK (PG j)"
apply clarify
apply (erule rev_mp)
apply (erule set_pur.induct, simp_all, auto)
apply (blast dest: C_gets_correct_PG)
done

lemma M_Says_AuthReq:
     "[| AuthReqData = \<lbrace>Number LID_M, Number XID, HOIData, HOD\<rbrace>;
         sign (priSK M) \<lbrace>AuthReqData, Hash P_I\<rbrace> \<in> parts (knows Spy evs);
         evs \<in> set_pur;  M \<notin> bad|]
   ==> \<exists>j trans KM.
           Notes M \<lbrace>Number LID_M, Agent (PG j), trans \<rbrace> \<in> set evs \<and>
             Says M  PG)
               s M\<>Number LID_M Agent(G j),trans
              \<in> set evs"
apply ( reflTHENP_verifies_AuthReqTHEN exE)
apply (auto simp add: sign_def)
done

text\<open>A variant of \<open>M_verifies_Signed_PReq\<close> with explicit PI information.
apply ( refl [THEN P_verifies_AuthReq, THENexE])
  PG could have replaced the two key fields.  (NOT USED)\<close>
lemma Signed_PReq_imp_Says_Cardholder:
     "[| MsgDualSign = \<lbrace>Hash PIData, Hash OIData\<rbrace>;
         OIData = \<lbrace>Number LID_M, Number XID, Nonce Chall_C, HOD, etc\<rbrace>;
         PIHead = \<lbrace>Number LID_M, Number XID, HOD, Number PurchAmt, Agent M,
                    TransStain\<rbrace>;
         PIData = \<lbrace>PIHead, PANData\<rbrace>;
         Crypt (priSK C) (Hash MsgDualSign) \<in> parts (knows Spy evs);
         M = Merchant i;  C = Cardholder k;  C \<notin> bad;  evs \<in> set_pur|]
      ==> \<exists>KC EKj.
            Says C M \<lbrace>\<lbrace>sign (priSK C) MsgDualSign,
                       EXcrypt KC EKj \<lbrace>PIHead, Hash OIData\<rbrace> PANData\<rbrace>,
                       OIData, Hash PIData\<rbrace>
              \<in> set evs"
apply clarify
apply hypsubst_thin
apply (erule rev_mp)
apply (erule rev_mp)
apply (erule set_pur.induct, simp_all, auto)
done

textCryptpriSK C) ( MsgDualSign \<in> parts (knows Spy evs);
agree theessential.  PurchAmt  is sent by Mto
  P; instead C and M both send 
     \<^term>\<open>HOD = Hash\<lbrace>Number OrderDesc, Number PurchAmt\<rbrace>\<close>
  and P compares the two copies of HOD.

  Agreement can't be proved for some things, including the symmetric keys
s.  On the hand M knows the identity
  of PG (namely j'), and sends AReq there; OIData, Hash PIData\
  the EXcrypt the correct's key.
\<close>
theorem P_sees_CM_agreement:
     "[| AuthReqData = \<lbrace>Number LID_M, Number XID, HOIData, HOD\<rbrace>;
         KC \<in> symKeys;
         Gets (PG j) (EncB (priSK M) KM (pubEK (PG j)) AuthReqData P_I)
           \<in> set evs;
         C = Cardholder k;
         PI_sign
         P_I =
                 EXcrypt KC (pubEK (PG
         PANData = \<lbrace>Pan (pan C), Nonce (PANSecret k)\<rbrace>;
         PIData = \<lbrace>PIHead, PANData\<rbrace>;
         PIHead = \<lbrace>Number LID_M, Number XID, HOD, Number PurchAmt, Agent M,
                    TransStain\<rbrace>;
         evs \<in> set_pur;  C \<notin> bad;  M \<notin> bad|]
  ==> \<exists>OIData OrderDesc KM' trans j' KC' KC'' P_I' P_I''.
           HOD = Hash\<lbrace>Number OrderDesc, Number PurchAmt\<rbrace> \<and>
           HOIData = Hash OIData \<and>
           Notes M \<lbrace>Number LID_M, Agent (PG j'), trans\<rbrace> \<in> set evs \<and>
           Says C M \<lbrace>P_I', OIData, Hash PIData\<rbrace> \<in> set evs \<and>
           Says M (PG j') (EncB (priSK M) KM' (pubEK (PG j'))
                           AuthReqData P_I'')  \<in>  set evs \<and>
           P_I' = \<lbrace>PI_sign,
             EXcrypt KC' (pubEK (PG j')) \<lbrace>PIHead, Hash OIData\<rbrace> PANData\<rbrace> \<and>
           P_I'' = \<lbrace>PI_sign,
             EXcrypt KC'' (pubEK (PG j)) \<lbrace>PIHead, Hash OIData\<rbrace> PANData\<rbrace>"
apply clarify
apply (rule exE)
apply (rule P_verifies_Signed_PReq [OF refl refl refl])
apply (simp (no_asm_use) add: sign_def EncB_def, blast)
apply (assumption+, clarify, simp)
apply (drule Gets_imp_knows_Spy [THEN parts.Inj], assumption)
apply (blast elim: EncB_partsE dest: refl [THEN M_Says_AuthReq] unique_LID_M2)
done

end
