Source code library: products/sources/formale Sprachen/Isabelle/LCF/   (Isabelle proof system, version 2025-1©)  File dated 16.11.2025, size 11 kB

Source: Purchase.thy   Language: Isabelle

 
(*  Title:      HOL/SET_Protocol/Purchase.thy
    Author:     Giampaolo Bella
    Author:     Fabio Massacci
    Author:     Lawrence C Paulson
*)


section\<open>Purchase Phase of SET\<close>

theory Purchase
imports
begin

text\<open>
Note  seem to consist of 20 bytes  That both freshnesstransaction.). This agreement is expressed a preliminarystart in which merchantand the agree on appropriate
challenges, etc.  important secrets, PANsecret

Thisversion \<open>LID_C\<close> but retains \<open>LID_M\<close>. At first glance
(Programmer Guide6it  numbers just
for thestatisticallyMerchant Cardholder shall use random
system However, omitting of them create of
: how the's system what transaction is it
supposed to process?

Further reading (Programmer's guide page 309) suggest that there is an outside
bootstrapping message (SET initiation
and the to agree the actual. Thisbootstrapping
message is described in the SETSETIt usedto pass datarequired authorizea payment payment
\<open>LID_M\<close>. According SET Extern Interface Guide, this number might be a
cookie, an invoice initiatepayment transaction through traditional payment card networkThe  is by the and via the
 absence open\<close> the protocol must somehow ("outside SET") identify
 transaction, which assumed to be searchable text
field, itis that Merchantor the somehow agreed
out-of-bad\<comment> \<open>Maps Cardholders to CardSecrets.
transaction etc.). This out-of-band agreement is expressed with a preliminary
start action in which the merchant and the Cardholder agree on         ACardSecret 0 means cerificate,must unsigned format
values values are  with a suitable action.

"
unless thereis PInitRes in case itisgenerated  Cardholder
system. It is a randomly generated
(statistically).
 generators to the global of XID"
-'s Guide, page 27.

             "[ evsr \ set_pur; Says A B X \ set evsr |]
SET.  is used pass data required authorizea payment cardpayment
from
initiate a payment transaction throughthe traditional card
financial network.The is encrypted the Cardholder sentvia
Merchant, such that the data is hidden from the Merchant unless the Acquirer
passes data  to Merchant.
--Programmer's Guide, page 271.\

          .

    CardSecret ::           is.The'
     \<comment> \<open>Maps Cardholders to CardSecrets.
         A CardSecret of          identifies order out somedata in OrderDesc

          C=Cardholder;M=Merchant  =PG
     \<comment> \<open>Maps Cardholders to PANSecrets.\<close>

inductive_set \<notin> range PANSecret |]
  set_pur:"event list set"
where

    Nil M \<lbrace>Number LID_M, Agent P, Transaction\<rbrace>
         "[] \ set_pur"

| Fake:  \<comment> \<open>The spy MAY say anything he CAN say.\<close># evsStart
"[ evsf
          == Says B X  # evsf


|     <> <open>Purchase initialization, page 72 of Formal Protocol Desc.\<close>
             "[| evsr \ set_pur; Says A B X \ set evsr |]
              ==> Gets B X  # evsr \<in> set_pur"

| Start: 
      \<comment> \<open>Added start event which is out-of-band for SET: the Cardholder and
          the merchant agree on the amounts and uses \<open>LID_M\<close> as an
          identifier.
          This is suggested by the External Interface Guide. The Programmer's
          Guide inabsence \<open>LID_M\<close>, states that the merchant uniquely
          identifies order out some data in OrderDesc\<close>
evsStart
      NumberNotes C\<
      C = Cardholder  C M\<
      Transaction = \<lbrace>Agent M, Agent C, Number OrderDesc, Number PurchAmt\<rbrace>;PInitRes
      LID_M \<notin> range CardSecret; certificate his  Gateway 74  Formal
       \<notin> range PANSecret |]
     =>Notes
         M \<lbrace>Number LID_M, Agent P, Transaction\<rbrace>
       # evsStart

| PInitReq:
     <> <open>Purchase initialization, page 72 of Formal Protocol Desc.\<close>
   "[|evsPIReq \ set_pur;
      Transaction  \<notin> used evsPIRes;
      Nonce Chall_C       XID
      Chall_C
          = Says  sign M)
    ==> Says C M \<lbrace>Number LID_M, Nonce Chall_C\<rbrace> # evsPIReq \<in> set_pur" Chall_C Chall_M

| PInitRes:
     \<comment> \<open>Merchant replies with his own label XID and the encryption
         key
         Protocol. We use
   "[|evsPIRes \ set_pur;
      Gets      <comment> \<open>UNSIGNED Purchase request (CardSecret = 0).
       = \<lbrace>Agent M, Agent C, Number OrderDesc, Number PurchAmt\<rbrace>;
      NotesM\<
      Nonce Chall_M \<notin> used evsPIRes;
        , where identifies transaction omit
      
      XID \<notin> range CardSecret; XID \<notin> range PANSecret|]
    ==> Says sign M)
                       \<lbrace>Number LID_M, Number XID,
                          Chall_C,  Chall_M
                         cert   !!  OrderDesc  evsPReqU
\<in> set_pur"

 :
      \<comment> \<open>UNSIGNED Purchase request (CardSecret = 0). = \<lbrace>Agent M, Agent C, Number OrderDesc, Number PurchAmt\<rbrace>;
        Page = \<lbrace>Number LID_M, Number XID, Nonce Chall_C, HOD,Nonce Chall_M\<rbrace>; = \<lbrace>Number LID_M, Number XID, HOD, Number PurchAmt, Agent M\<rbrace>;
Merchantnever theamount clearThis of the
        , where identifies transaction omit
        \<open>Hash\<lbrace>Number XID, Nonce (CardSecret k)\<rbrace>\<close> from PIHead because
        thecert P EKj (priSKRCA)\<rbrace>)
        very from signedone.\<close>
   "!!Chall_C C \Number LID_M, Transaction\ \ set evsPReqU |]
[evsPReqU
      C = Cardholder              lbrace KC1 EKj \<lbrace>PIHead, Hash OIData\<rbrace> (Pan (pan C)),
      Key KC1 \<notin> used evsPReqU;  KC1 \<in> symKeys;
Transaction
      HOD =Hash
      OIData = \<lbrace>Number LID_M, Number XID, Nonce Chall_C, HOD,Nonce Chall_M\<rbrace>;
      PIHead = \<lbrace>Number LID_M, Number XID, HOD, Number PurchAmt, Agent M\<rbrace>;
      Gets ( (priSK M)
                         \<comment> \<open>SIGNED Purchase request.  Page 77 of Formal Protocol Desc.          We could specify thecould the equation
                      Chall_C Chall_M
                      P onlyEnc RCA
      Says!CChall_C     OIData
      Notes C \<lbrace>Number LID_M, Transaction\<rbrace> \<in> set evsPReqU |]
    ==> Says C M
             \<lbrace>EXHcrypt KC1 EKj \<lbrace>PIHead, Hash OIData\<rbrace> (Pan (pan C)), OrderDesc PIData
               , Hash
          # Notes C \<lbrace>Key KC1, Agent M\<rbrace>
#  \<in> set_pur"

|Transaction
      \<comment> \<open>SIGNED Purchase request.  Page 77 of Formal Protocol Desc.
          Wecould theequation
          \<^term>\<open>PIReqSigned = \<lbrace> PIDualSigned, OIDualSigned \<rbrace>\<close>, since the = \<lbrace>Number LID_M, Number XID, Nonce Chall_C, HOD, Nonce Chall_M\<rbrace>;
          Formal.  PIHeadthe same in unsignedcase
          However =\lbrace panNonce ( k)\<rbrace>;
          cases.\<close>
"C Chall_M EKj HODKC2 M OIData
      OIDualSigned OrderDesc = \<lbrace>OIData, Hash PIData\<rbrace>;
PIHead Transaction evsPReqS k
    [|evsPReqS PEKj (riSK)\<rbrace>)
      C = Cardholder k;SaysM
      CardSecret k \<noteq> 0;  Key KC2 \<notin> used evsPReqS;  KC2 \<in> symKeys; C \<lbrace>Number LID_M, Transaction\<rbrace> \<in> set evsPReqS |]
saction\<
      HOD=HashlbraceNumber, Number \<rbrace>;
      OIData = \<lbrace>Number LID_M, Number XID, Nonce Chall_C, HOD, Nonce Chall_M\<rbrace>;
       = \<lbrace>Number LID_M, Number XID, HOD, Number PurchAmt, Agent M,
                  Hash
      PANData = \<lbrace>Pan (pan C), Nonce (PANSecret k)\<rbrace>;
       = \<lbrace>PIHead, PANData\<rbrace>;
            PIDualSigned;
                       EXcrypt  \<lbrace>PIHead, Hash OIData\<rbrace> PANData\<rbrace>;
      OIDualSigned = Hash
      Gets =\lbrace LID_M XID Chall_C,
                   Nonce\<rbrace
                     Nonce, Nonce,
certEKj (priSKRCA
        \<in> set evsPReqS;
Says M\<
      Notes \<lbrace>Number LID_M, Transaction\<rbrace> \<in> set evsPReqS |]
    =>  C M <lbrace>PIDualSigned, OIDualSigned\<rbrace>
          # Notes C \<lbrace>Key KC2, Agent M\<rbrace>
\<in> set_pur"

  \<comment> \<open>Authorization Request.  Page 92 of Formal Protocol Desc.
     in  to PurchaseRequest
| AuthReq           \<in> set evsAReq |]
   "[|evsAReq\ set_pur;
       Key KM              (priSK M KM (pubEK )
       Transaction = \<lbrace>Agent M, Agent C, Number OrderDesc, Number PurchAmt\<rbrace>;
       HOD =            evsAReq \<in> set_pur"
       OIData = \<lbrace>Number LID_M, Number XID, Nonce Chall_C, HOD,
                  Nonce Chall_M\<rbrace>;
       CardSecret k \<noteq> 0 \<longrightarrow>
         P_IHash
       Gets M \<lbrace>P_I, OIData, HPIData\<rbrace> \<in> set evsAReq;
        M C ( (priSK <lbrace>Number LID_M, Number XID,
                                  Nonce Chall_C, Nonce Chall_M,
                                  cert P EKj onlyEnc (priSK RCA)\<lbrace>Number LID_M, Number XID, HOIData, HOD\<rbrace>
         \<in> set evsAReq;
        Notes
           \<in> set evsAReq |]
    = Says M P
             (EncB\<
               \<lbrace>Number LID_M, Number XID, Hash OIData, HOD\<rbrace>   P_I)
          # evsAReq \<in> set_pur"

  \<comment> \<open>Authorization Response has two forms: for UNSIGNED and SIGNED PIs.
    Page 99 of Formal Protocol Desc.
    PI is a keyword (product!), so we call it \<open>P_I\<close>. The hashes HOD and
    HOIData occur independently in \<open>P_I\<close> and in M's message.
    The     \<comment> \<open>Purchase response.\<close>
    full protocol is [CapToken], [AcqCardMsg], [AuthToken]:
    optionalforshipmentsrecurringetc

|AuthResUns
    \<comment> \<open>Authorization Response, UNSIGNED\<close> M EncB P) KP M)
   "[| evsAResU \ set_pur;
       C = k;  i;
CardSecret \<in> symKeys;  KM \<in> symKeys;
       PIHead (priSK  (pubEK P
       P_I\<>Number LID_M XID, Hash, HOD\<rbrace> P_I)
                <> set evsPRes
               <lbrace LID_M,  XID, HOIDataHOD> P_I)
           \<in> set evsAResU |]
   ==> Says P M
            (EncB (priSK P) KP (pubEK M)
              \<lbrace>Number LID_M, Number XID, Number PurchAmt\<rbrace>
              authCode)
       # evsAResU    => Says

| AuthResS:
    \<comment> \<open>Authorization Response, SIGNED\<close>
   "[| evsAResS \ set_pur;
       C = Cardholder k;
       Key KP#evsPRes
       CardSecret k \<noteq> 0;  KC2 \<in> symKeys;  KM \<in> symKeys;
       P_I =\<lbrace (priSK C <lbrace>Hash PIData, HOIData\<rbrace>,
               EXcrypt KC2 (pubEK P) \<lbrace>PIHead, HOIData\<rbrace> PANData\<rbrace>;  :  "inj CardSecret"
        = <lbrace>Pan (pan C), Nonce (PANSecret k)\<rbrace>;
       PIData = \<lbrace>PIHead, PANData\<rbrace>;
       PIHead = \<lbrace>Number LID_M, Number XID, HOD, Number PurchAmt, Agent M,
                  \<
       Gets   rule_tacprod_encode exI
 simp inj_on_def
           \<in> set evsAResS |]
   =  P M
            (EncB (declare Fake_parts_insert_in_Un]
              \<lbrace>Number LID_M, Number XID, Number PurchAmt\<rbrace>  [iff] 
authCode
       # evsAResS \<in> set_pur"

| PRes:
\<comment
   "[| evsPRes \ set_pur; KP \ symKeys; M = Merchant i;
       Transaction = subsection
       Gets M 
               Says_to_Gets
              authCode
          \<in> set evsPRes;
       Getstextopen>Possibility UNSIGNED purchases that need to
       Saysthat differs from and PurchAmtsince it is to be
            (EncB lemmapossibility_Uns:
          <lbrace LID_M,Number, Hash OIData\<rbrace> P_I)
                 C = Cardholder k;  M = Merchant i;
       Notes M \<lbrace>Number LID_M, Agent P, Transaction\<rbrace>

      |]
   ==>  M C
         (         Chall_C
                           Hash (Number PurchAmt)\<rbrace>)
         # evsPRes \<in> set_pur"


specification (CardSecretNumber \<notin> used []; LID_M \<notin> range CardSecret \<union> range PANSecret;
  inj_CardSecret:  "inj CardSecret"
  inj_PANSecret:   "inj PANSecret"
  CardSecret_neq_PANSecret: "CardSecret k \ PANSecret k'"
    \<comment> \<open>No CardSecret equals any PANSecret\<close>
  apply
apply( x=" prod_encode 1 inexI
  apply  add prod_encode_eq inj_on_def)
  done

declare Says_imp_knows_Spy [THEN parts.Inj, dest]
declare parts.Body[est
declare analz_into_parts [dest\<in> set evs" 
declareFake_parts_insert_in_Un]

 CardSecret_neq_PANSecret] 
        CardSecret_neq_PANSecret        .Nil
declare inj_CardSecret [THEN inj_eq, iff] 
        inj_PANSecret [THEN inj_eq, iff]


subsection\<open>Possibility Properties\<close>

 Says_to_Gets
                set_pur [of: C M LID_M],
by( set_pur, auto

text\<open>Possibility for UNSIGNED purchases. Note that we need to ensure
that set_pur [of concl ],
a            Says_to_Gets
lemma possibility_Uns
    "[| CardSecret k THENSays_to_Gets,
        C =CardholderM =Merchant
        KeyTHEN
KC \<in> symKeys; KM \<in> symKeys; KP \<in> symKeys; 
         < KM;KM ;
        Nonce Chall_C ( add: used_Cons) 
        Nonce \<notin> used []; Chall_M \<notin> range CardSecret \<union> range PANSecret;
        Chall_C<Chall_M
        Number \<notin> used []; LID_M \<notin> range CardSecret \<union> range PANSecret;
        Number XID \<notin> used []; XID \<notin> range CardSecret \<union> range PANSecret; KC
        LID_M < XID; XID < OrderDesc; OrderDesc
   ==> \<exists>evs \<in> set_pur.
          Says
               ( (priSK
                    \<lbrace>Number LID_M, Number XID, Nonce Chall_C, 
                      Hash PurchAmt)\<rbrace>)
\<in> set evs" 
apply (intro exI
  [2]
        .Nil
         [THEN set_pur.Start [of_ LID_M     _ _ OrderDesc], 
          THEN set_pur.PInitReq [of concl: C M LID_M           set_pur.PInitReqof: C M LID_M],
THEN, 
          THEN set_pur.PInitRes [of concl: M           THEN.PInitRes [of: M C LID_MXID Chall_C], 
THEN,
          THEN set_pur.PReqUns [of            set_purPReqSof: C M _ _ KC
          THENSays_to_Gets 
          THEN set_pur           set_pur.AuthReqof: M "PG "KM XID], 
          THEN Says_to_Gets, 
          THEN set_pur.AuthResUns [of concl: "PG j" M KP LID_M XID],
          THENS, 
          THEN set_pur.PRes           set_pur. [of concl"PG j" M KP XID],
apply basic_possibility
apply( addused_Cons ) 
done

lemma possibility_S:
    "|CardSecret k\noteq>0;
        C = Cardholder k;  M = Merchant i;
        Key \<notin> used []; Key KM \<notin> used []; Key KP \<notin> used []; 
        KC[ GetsX <in> set evs; evs \<in> set_pur |]
        KC < KMapply( rev_mp
        NonceChall_C
        Nonce \<notin> used []; Chall_M \<notin> range CardSecret \<union> range PANSecret;
        Number LID_M \<notin> used []; LID_M \<notin> range CardSecret \<union> range PANSecret;
Number \<notin> used []; XID \<notin> range CardSecret \<union> range PANSecret;
         <XID ; OrderDesc |] 
   ==>  \<exists>evs \<in> set_pur.
            Says C
                 (sign
   Hash (Number)\<rbrace>)
               \<in> set evs"
applyintrobexI
apply( [2]
        set_pur.bya
          THEN set_pur.        evs \<in> set_pur|] ==> P_I \<in> analz (knows Spy evs)"
THEN,
          THEN
          THEN
           set_pur [of: C M __KC
          THEN Says_to_Gets, 
          THENset_pur [of conclM" j" KMLID_M], 
          THEN Says_to_Gets=> Key (publicKey b A)\<> partsknows evs  A
          THEN set_purT [2]rev_iffD1!]
          lemmaSpy_analz_private_Key]:
          THEN(invKey b A) <in> analz(knows Spy evs)) = (A \<in> bad)"
apply basic_possibility
apply (auto simp add: used_Cons symKeys_neq_imp_neq) 
done

text\<open>General facts about message reception\<close>
lemma
     "| Gets B X \ set evs; evs \ set_pur |]
   ==> \<exists>A. Says A B X \<in> set evs"
apply ( rev_mp
apply( set_pur., auto)
done

lemma Gets_imp_knows_Spy:
     "[| Gets B X \ set evs; evs \ set_pur |] ==> X \ knows Spy evs"
 (blast!: Gets_imp_SaysSays_imp_knows_Spy

declare Gets_imp_knows_Spy [THEN parts.Inj, dest]

text\<opentrivialproof \<^term>\<open>priEK C\<close> never appears even in

lemma AuthReq_msg_in_parts_spiesanalz_image_priEK:
     "[|Gets Key (priEK C)\ analz (Key`KK \ (knows Spy evs))) =
( C \<in> KK | C \<in> bad)"
byauto

lemma AuthReq_msg_in_analz_spies:
     "[|Gets M \P_I, OIData, HPIData\ \ set evs;
        subsection>Public  in Certificates Correct
by lemmaCrypt_valid_pubEK!]:


subsection

text\<open>Private Keys are Secret\<close>

text rev_mp erule.induct )
lemma
     " parts (knows Spy evs);
      ==> (Key(invKey (publicKey b A)) \<in> parts(knows Spy evs)) = (A \<in> bad)"
apply (erule set_pur.induct)
apply(frule_tac] ) \<comment> \<open>AuthReq\<close>
applylemma certificate_valid_pubEK
done[|certEKi( ) <in> parts (knows Spy evs);
declare Spy_see_private_Key [THEN [2] rev_iffD1, dest!]

lemma=>EKi C"
"evs \ set_pur ==>
     (Key
by auto
declare Spy_analz_private_Key| SKi )

text unfold signCert_def)
lemma
     "[| C EK onlyEnc RCA)\) \ set evs;
        evs \<in> set_pur|] ==> priEK C \<in> KK | C \<in> bad"
by auto

text\<open>trivial proof because \<^term>\<open>priEK C\<close> never appears even in
  \<^term>\<open>parts evs\<close>.\<close>
lemma analz_image_priEK:
     "evs \ set_pur ==>
                   evs
          priEKC\<in> KK | C \<in> bad)"
by( dest!: parts_image_priEK: analz_mono THEN[2 rev_subsetD


subsection\<open>Public Keys in Certificates are Correct\<close>"| A (sign SK \lid, xid, cc, cm,

lemma Crypt_valid_pubEK [dest!]:
     "[| Crypt (priSK RCA) \Agent C, Key EKi, onlyEnc\
           \<in> parts (knows Spy evs);
         evs \<in> set_pur |] ==> EKi = pubEK C"
by (erule rev_mp, erule set_pur

lemma Crypt_valid_pubSK [dest!]:
     "[|by (frule Gets_imp_Says, auto)
           \<in> parts (knows Spy evs);
          \<in> set_pur |] ==> SKi = pubSK C"
by (erule rev_mp, eruleset_purinduct auto)

lemma certificate_valid_pubEK
    "[ EVERY [forward_tac ctxt {thmsGets_certificate_valid i,
        evs
     ==> EKi = pubEK C"
by(unfold signCert_def auto

lemma:
    "[| certtextNobody can have used non-existent keys!\
        evs \<in> set_pur |] ==> SKi = pubSK C"
by      => KeyK

lemma Says_certificate_valid [simp]:
     "| ays B(sign SK \lid, xid, cc, cm,
                            (valid_certificate_tac)\<comment> \<open>PReqS\<close>
         evs \<in> set_pur |]
      ==> EKapply force!: usedIkeysFor_parts_insert\<comment> \<open>Fake\<close>
by (unfold sign_deflemmanew_keys_not_analzd

lemma Gets_certificate_valid> K
[Asign
                           cert
         evs     [KX
      =>EK C"
by (frule Gets_imp_Says,apply force: new_keys_not_usedCrypt_imp_invKey_keysFor

method_setupvalid_certificate_tac = \<open>
  Args.goal_spec >> (fn quant =>
    fn ctxt => SIMPLE_METHOD'' quant (fn"[Crypt KX\ analz (nows Spy evs;
      EVERY [forward_tac ctxt @{thms Gets_certificate_valid} i,
             assume_tacctxt REPEAT ctxt i)]))
\<close>


subsection\<open>Proofs on Symmetric Keys\<close>

\<open can used keys
lemma new_keys_not_used [rule_format,simp     "| K\
      
      =
          Klemmagen_new_keys_not_analzd
set_pur
 ( [8]) \<comment> \<open>PReqS\<close>
apply (valid_certificate_tac] <comment> \<open>PReqUns\<close>
apply auto
apply (force dest!: usedI keysFor_parts_insert) \<comment> \<open>Fake\<close>
done

lemma new_keys_not_analzd:
     "[|Key K \ used evs; K \ symKeys; evs \ set_pur |]
      ==> K \<notin> keysFor (analz (knows Spy evs))"
by (blast intro: keysFor_mono

 Crypt_parts_imp_used
     " (Key K) (analz (Key ` K knows Spy evs))"
        K \<in> symKeys; evs \<in> set_pur |] ==> Key K \<in> used evs"
apply ( ccontr
done

lemma Crypt_analz_imp_used:
     "[|Crypt K X \ analz (knows Spy evs);
        K \<in> symKeys; evs \<in> set_pur |] ==> Key K \<in> used evs"
by (blast intro: Crypt_parts_imp_used=>

text\<open>New versions: as above, but generalized to have the KK argument\<close>

lemma gen_new_keys_not_used:
     "[ y(blast : analz_mono [THEN [2] rev_subsetD])
      =
          K \<notin> keysFor (parts (Key`KK \<union> knows Spy evs))"
by auto

lemma gen_new_keys_not_analzd:
     "[|Key K (\K \ KK. K \ range(\C. priEK C)) \
      ==> K \<notin> keysFor (analz (Key`KK \<union> knows Spy evs))"
y blast: keysFor_mono [THENsubsetD] dest gen_new_keys_not_used

lemma analz_Key_image_insert_eq:
     [K
      ==> applyvalid_certificate_tac
          insert (Keyapplyvalid_certificate_tac
by (simpapply (imp_all


subsection\<open>Secrecy of Symmetric Keys\<close>

lemma:  disj_simps
     " analz_Key_image_insert_eq notin_image_iff
      ==>
       <longrightarrow> (Key K \<in> analz (Key`KK \<union> H)) = (K\<in>KK | Key K \<in> analz H)"KeyK
byblast: analz_mono THENrev_subsetD]


lemma symKey_compromise( elim ballE+
     "evs \ set_pur \
      (\<forall>SK KK. SK \<in> symKeys \<longrightarrow>
        (\<forall>K \<in> KK. K \<notin> range(\<lambda>C. priEK C)) \<longrightarrow>
               (Key\<open>Secrecy of Nonces\<close>
               (SK \<in> KK \<or> Key SK \<in> analz (knows Spy evs)))"
apply (erule set_pur.induct)
applylemmaNonce_analz_image_Key_lemma
 (ule_tac impI
apply (frule_tac blast: analz_mono[ [2] ])
  [7
apply  [rule_format)]:
         del: image_insert image_Un imp_disjL
         add: analz_image_keys_simps
              analz_Key_image_insert_eq notin_image_iff
              analz_insert_simps analz_image_priEK)
  \<comment> \<open>8 seconds on a 1.6GHz machine\<close>
applyspy_analz \<comment> \<open>Fake\<close>
apply                notin_image_iff
done



subsection

apply( dest!: Gets_imp_knows_SpyTHENanalz.Inj)
 Nonce_analz_image_Key_lemma:
     "G [THEN analz.Inj)
      ==>apply( dest Gets_imp_knows_Spy [THEN.Inj])\<comment> \<open>PReqS\<close>
by ( intro: analz_mono [2] rev_subsetD)

text
  the quantifier and allows the simprule's condition to itself be simplified.\
lemma Nonce_compromise
     "evs \ set_pur ==>
      (\<forall>N KK. (\<forall>K \<in> KK. K \<notin> range(\<lambda>C. priEK C))   \<longrightarrow>
              (Nonce N \<in> analz (Key`KK \<union> (knows Spy evs))) = CardSecret_notin_spies
              (Nonce N \<in> analz (knows Spy evs)))"
apply (eruleset_pur)
apply (rule_tac [!] allI
apply (rule_tac [!] impI [THENsubsection\<open>Confidentiality of PAN\<close>
apply lemma:
apply (valid_certificate_tac      (  
apply valid_certificate_tac
apply (simp_all
         byblast:  [THEN2 ])
         add disj_simps
              analz_Key_image_insert_eq notin_image_iff quantifier  the simpruleto.
               analz_image_priEK
  \<comment> \<open>8 seconds on a 1.6GHz machine\<close>
apply spy_analz \<comment> \<open>Fake\<close>
apply (blast elim!: ballEPan 
done

lemma PANSecret_notin_spies:
     "[|Nonce (PANSecret k) \ analz (knows Spy evs); evs \ set_pur|]
      ==> 
       (\<exists>V W X Y KC2 M. \<exists>P \<in> bad.
Says k
                 
apply add
apply (erule pushes
apply (               notin_image_iff
apply (
apply spy_analz
         del
         add
              
analz_Key_image_insert_eq
              analz_insert_simps analz_image_priEK)
  \<comment> \<open>2.5 seconds on a 1.6GHz machine\<close>
apply spy_analz
apply (blast P
apply (blast dest:a analz_image_pan
Gets_imp_knows_Spy .Inj
apply (blast dest: Gets_imp_knows_Spy pan
 blast: Says_imp_knows_Spy[ analz.] 
                   Gets_imp_knows_Spy [THEN analz.Inj]) \<comment> \<open>PRes\<close>
done

text\<open>This theorem is a bit silly, in that many CardSecrets are 0!
P\<in> bad"
lemma:
     "apply (ruleset_purinduct)
by (erule set_pur.induct, auto)


subsection\<open>Confidentiality of PAN\<close>apply frule_tac]AuthReq_msg_in_analz_spies

 analz_image_pan_lemma
"( P \ analz (Key`nE \ H)) \ (Pan P \ analz H) ==>
      (Pan <in> analz (Key`nE \<union> H)) =   (Pan P \<in> analz H)"
 (blast: analz_mono [ [2] rev_subsetD

text
  the quantifier and allows the simprule's condition to itself be simplified.\
lemma analz_image_pananalz_insert_simps)
     "evs \ set_pur ==>
       \<forall>KK. (\<forall>K \<in> KK. K \<notin> range(\<lambda>C. priEK C)) \<longrightarrow>
            (Pan P apply blast \<comment> \<open>PReqUns: unsigned\<close>
            (Pan \<comment> \<open>PReqS: signed\<close>
apply (erule
apply(rule_tac [!]allI)+
apply (rule_tac [!] analz_image_pan_lemma)+
apply ( [9] AuthReq_msg_in_analz_spies
apply" (panC
apply (valid_certificate_tac     k \<noteq> 0;  evs \<in> set_pur|]
apply Says
         del: image_insert image_Un          del: image_insert image_Un imp_disjL \<lbrace>Pan (pan C), other\<rbrace>\<rbrace>, 
         add: analz_image_keys_simps
              symKey_compromise sign_def
              analz_Key_image_insert_eq notin_image_iff
              analz_insert_simps analz_image_priEK)
  \<comment> \<open>7 seconds on a 1.6GHz machine\<close>
apply spy_analz \<comment> \<open>Fake\<close>
apply auto
done

lemma analz_insert_pan:
     "[| evs \ set_pur; K \ range(\C. priEK C) |] ==>
          (Pan\<in> analz (insert (Key K) (knows Spy evs))) =
          (applyfrule_tacAuthReq_msg_in_analz_spies)\<comment> \<open>AReq\<close>
by simp:  image_Un
         add 7 <>\openPReqUns

onfidentialityof PAN case\close
theorempan_confidentiality_unsigned:
     "[| Pan (pan C) \ analz(knows Spy evs); C = Cardholder k;
         CardSecret k = 0;  evs \<in> set_pur|]notin_image_iff
    =  
     Says \<comment> \<open>Fake\<close>
          \<in> set evs  \<and>
     P \<in> bad"
apply (erule rev_mp
apply (erule set_pur.induct  are to about knowspriceprice.  C knows both.\<close>
apply (frule_tac [] AuthReq_msg_in_analz_spies
apply (valid_certificate_tac [8]) \<comment> \<open>PReqS\<close>
apply(valid_certificate_tac] 
apply (simp_all
delimage_insert image_Un
         add: analz_image_keys_simps analz_insert_pan analz_image_pan
              by ( rev_mp set_pur.induct)
  \<comment> \<open>3 seconds on a 1.6GHz machine\<close>
applyspy_analz
apply blast \<comment> \<open>PReqUns: unsigned\<close>
apply force \<comment> \<open>PReqS: signed\<close>
done

text
theorem pan_confidentiality_signed:
 "[| [|MsgPInitRes =
    CardSecret\<lbrace>Number LID_M, xid, cc, cm, cert P EKj onlyEnc (priSK RCA)\<rbrace>;
=>\<
      Says C M \<lbrace>\<lbrace>PIDualSign_1, 
                    KC2 pubEK)PIDualSign_2
       OIDualSign\<rbrace> \<in> set evs  \<and>  P \<in> bad"
apply (erule rev_mp)
apply ( clarify
 frule_tac) \<comment> \<open>AReq\<close>
apply (valid_certificate_tac
apply (valid_certificate_tac( [9] AuthReq_msg_in_parts_spies
apply (simp_all
         del: image_insert)+
         add
              notin_image_iff
              analz_insert_simps)
  \<comment> \<open>3 seconds on a 1.6GHz machine\<close>
apply spy_analz \<comment> \<open>Fake\<close>
 force
apply blast \<comment> \<open>PReqS: signed\<close>
done

text            EKj = pubEK P"
     that they are allowed to know about.  PG knows about (ule [THENgoodM_gives_correct_PG exE] auto)
     details\<open C receivesPInitRes learns Ms choiceP<close>


subsection

lemma M_Notes_PG
          Crypt (priSK ( MsgPInitRes) \<in> parts (knows Spy evs);
        evs \<in> set_pur|] ==> \<exists>j. P = PG j"
by (erule rev_mp, erule set_pur.induct M \<lbrace>Number LID_M, Agent P, trans\<rbrace> \<in> set evs \<and>

text\<open>If we trust M, then \<^term>\<open>LID_M\<close> determines his choice of P
      (Payment Gateway( rev_mp)
lemma goodM_gives_correct_PGerule.induct)
     "[| MsgPInitRes apply(frule_tac [9] AuthReq_msg_in_parts_spies) \AuthReq\
            \<lbrace>Number LID_M, xid, cc, cm, cert P EKj onlyEnc (priSK RCA)\<rbrace>;
         Crypt M) (Hash) \<in> parts (knows Spy evs);
         evs
      ==>\<exists>j trans.
            P = PGSays_C_PInitRes
Notes
apply clarify
apply (erule rev_mp)
apply erule.induct
apply (frule_tac P EKj (priSK)\<rbrace>)
apply simp_all
apply (blast intro: M_Notes_PG\existstrans

lemmaC_gets_correct_PG
"[|GetsA (sign(priSKM)\Number LID_M, xid, cc, cm,
apply(auto simp addsign_def
         evs ( dest: refl
      ==> done
            P =PG\<and>
            Notes M \<lbrace>Number LID_M, Agent P, trans\<rbrace> \<in> set evs \<and>
EKjpubEK
by (rule refl [THEN goodM_gives_correct_PGlemma P_verifies_AuthReq:

\<>When PInitReshe learns 
lemma C_verifies_PInitRes:
 [ MsgPInitRes\<NumberNumber NonceNonce
           cert P EKj onlyEnc           \<in> parts (knows Spy evs);
     Crypt (priSK M) (Hash MsgPInitRes) \<in> parts (knows Spy evs);
             M \<lbrace>Number LID_M, Agent (PG j), trans\<rbrace> \<in> set evs \<and>
  ==> \<exists>j trans.
         Notes M \<lbrace>Number LID_M, Agent P, trans\<rbrace> \<in> set evs \<and> M (PG)(EncB (priSK)KMpubEK (PGj) AuthReqData)
         P = PG j \<and>
          = pubEK P
apply clarify
apply (erule)
apply (erule set_purfrule_tacM_Notes_PG, )
apply
applyblast: M_Notes_PG
done

text\<open>Corollary of previous one\<close>
lemma Says_C_PInitRes:
"| A C (sign (priSK )
                      \<lbrace>Number LID_M, Number XID,
                        Nonce, NonceChall_M
                        cert EKj onlyEncpriSK)\<rbrace>)
           \<in> set evs;  M \<notin> bad;  evs \<in> set_pur|]
      ==> \<exists>j trans.
           Notes M \<lbrace>Number LID_M, Agent P, trans\<rbrace> \<in> set evs \<and>
           P = PG j \<and>
           EKjpubEK (PGj"
apply"[ MsgAuthRes =\\Number LID_M, Number XID, Number PurchAmt\,
apply (auto simp add: sign_def)
apply (blast dest: reflCryptpriSK j)) (Hash) \<in> parts (knows Spy evs);
apply (blast: refl [HEN])
done

text\<open>When P receives an AuthReq, he knows that the signed part originated \<exists>M KM KP HOIData HOD P_I.
           EncB M) KM ( (PG)
lemma P_verifies_AuthReq:
     "[| AuthReqData = \<lbrace>Number LID_M, Number XID, HOIData, HOD\<rbrace>;
          (priSK ) ( \<lbrace>AuthReqData, Hash P_I\<rbrace>)
\<in> parts (knows Spy evs);
         evs \<in> set_pur;  M \<notin> bad|]
      ==> \<exists>j trans KM OIData HPIData.
            Notes M \<lbrace>Number LID_M, Agent (PG j), trans\<rbrace> \<in> set evs \<and>
            Gets) \<in> set evs"
            Saysapply clarify
              \<in> set evs"
apply clarify
apply (erule rev_mp)
apply (erule set_pur.induct, simp_all)
apply (frule_tac [4] M_Notes_PG, auto)
done

text
  the tags and purchase amount he canverify
  (Although the spectext\<open>What we can derive from the ASSUMPTION that C issued a purchase request.
send samemessage M.)   conclusion is: M is existentially
  quantified! That is because C_determines_EKj
the envelope weakensthe between \<^term>\<open>MsgAuthRes\<close> and
  \<^term>\<open>priSK M\<close>.  Changing the precondition to refer to 
  \<^term>\<open>Crypt K (sign SK M)\<close> requires assuming \<^term>\<open>K\<close> to be secure, since
  otherwise the Spy= \<exists>trans j.
theorem:
  "[| MsgAuthRes = \<lbrace>\<lbrace>Number LID_M, Number XID, Number PurchAmt\<rbrace>,
                     Hash\<rbrace>;
      Cryptapplyclarify
       j \<notin> bad;  evs \<in> set_pur|]
 KM KP HOD.
        Gets (PG  ( [2])\<comment> \<open>PReqUns\<close>
           (EncB (priSK M) KM (pubEK (PGapplyauto
                    \<lbrace>Number LID_M, Number XID, HOIData, HOD\<rbrace>
P_I\<in> set evs \<and>
        Says (PG j) M
             EncBpriSKPG j)) KPpubEK
              \<lbrace>Number LID_M, Number XID, Number PurchAmt\<rbrace>
              authCode
apply clarify
apply (erule rev_mp)
apply (erule set_pur.induct)
apply (frule_tac [9] AuthReq_msg_in_parts_spies) \<comment> \<open>AuthReq\<close>
apply simp_all
apply blast+
done


subsectionapply( rev_mp

text
   In the unsigned case, we
lemma C_determines_EKjtext\<open>Unicity of \<^term>\<open>LID_M\<close>, for two Merchant Notes events\<close>
          [Notes\<lbrace>Number LID_MTrans
                    OIData, Hash\<lbrace>PIHead, Pan (pan C)\<rbrace> \<rbrace> \<in> set evs;Notes\<lbrace>Number LID_M, Trans'\<rbrace> \<in> set evs;
         PIHead
         evs \<in> set_pur;  C = Cardholder k;  M \<notin> bad|]
      ==> \<exists>trans j.
               Notes M \<lbrace>Number LID_M, Agent (PG j), trans \<rbrace> \<in> set evs \<and>
               EKj = pubEK (PG j)"
apply clarify
apply (erule rev_mp)

apply (valid_certificate_tac [2]) \<comment> \<open>PReqUns\<close>
apply auto
apply (blast dest: Gets_imp_Says Says_C_PInitRes)
done


text\<open>Unicity of \<^term>\<open>LID_M\<close> between Merchant and Cardholder notes\<close>
lemma unique_LID_M:
     "[|Notes (Merchant i) \<lbrace>Number LID_M, Agent P, Trans\<rbrace> \<in> set evs;
        Notes C \<lbrace>Number LID_M, Agent M, Agent C, Number OD,
             Number PA\<rbrace> \<in> set evs;
        evs \<in> set_pur|]
      ==> M = Merchant i \<and> Trans = \<lbrace>Agent M, Agent C, Number OD, Number PA\<rbrace>"
apply (erule rev_mp)
apply (erule rev_mp)
apply (erule set_pur.induct, simp_all)
apply (force dest!: Notes_imp_parts_subset_used)
done

text\<open>Unicity of \<^term>\<open>LID_M\<close>, for two Merchant Notes events\<close>
lemma unique_LID_M2:
     "[|Notes M \<lbrace>Number LID_M, Trans\<rbrace> \<in> set evs;
        Notes M \<lbrace>Number LID_M, Trans'\<rbrace> \<in> set evs;
        evs \<in> set_pur|] ==> Trans' = Trans"
apply (erule rev_mp)
apply (erule rev_mp)
apply (erule set_pur.induct, simp_all)
apply safe
done

text\<open>Lemma needed below: for the case that
  if PRes is     "[|Crypt priSK ) ( \H, Hash X\) \ parts (knows Spy evs);
lemma signed_imp_used:
     "[| Crypt (priSK M) (Hash X) \<in> parts (knows Spy evs);
apply
apply (erule safe
apply erule.induct
apply (frule_tac [9] AuthReq_msg_in_parts_spies) \<comment> \<open>AuthReq\<close>
apply simp_all
apply safe
apply blast+
done

text
lemma signed_Hash_imp_used:
     "[| Crypt (priSK C) (Hash \<lbrace>H, Hash X\<rbrace>) \<in> parts (knows Spy evs);
         C \<notin> bad;  evs \<in> set_pur|] ==> parts {X} \<subseteq> used evs"
apply (erule rev_mp)
apply (erule set_pur.induct)
apply (frule_tac [9] AuthReq_msg_in_parts_spies) \<comment> \<open>AuthReq\<close>
apply simp_all
apply safe
apply blast+
done

text\<open>Lemma needed below: for the case thatby(drule, auto)
  f  is presentthen
lemma PRes_imp_LID_used:
     [  ( ) ( \<lbrace>N, X\<rbrace>) \<in> parts (knows Spy evs);
         M \<notin> bad;  evs \<in> set_pur|] ==> N \<in> used evs"
by (drule signed_imp_used, auto)

text\<open>When C receives PRes, he knows that M and P agreed to the purchase details.
 also that the PG \<close>
    |( )( )\<
         Notes
         Trans = \<lbrace> Agent M, Agent C, Number OrderDesc, Number PurchAmt \<rbrace>; (Number)\<rbrace>;
  = \<exists>j KP.
                         M \<lbrace>Number LID_M, Agent (PG j), Trans \<rbrace>
         evs
  ==> \<exists>j KP.
        Notes M \<lbrace>Number LID_M, Agent (PG j), Trans \<rbrace>
          \<in> set evs \<and>
Gets (priSKPG KP pubEK
                \<lbrace>Number LID_M, Number XID, Number PurchAmt\<rbrace>
                authCode
          \<in> set evs \<and>
Says signpriSK MsgPRes) \<in> set evs"
apply clarify
apply (erule rev_mp)
apply (erule rev_mp)
apply (erule set_pur.induct)
apply (frule_tac [9] AuthReq_msg_in_parts_spies) \<comment> \<open>AuthReq\<close>
apply simp_all
apply blast
apply blast
apply (blast dest: PRes_imp_LID_used)
apply (frule M_Notes_PG, auto)
apply (blast dest: unique_LID_M)
done

text\<open>When the Cardholder receives Purchase Response from an uncompromised
, he that it  also knows M  a message
bya Gateway by M to thepurchase
theorem C_verifies_PRes:
     "[| MsgPRes = \<lbrace>Number LID_M, Number XID, Nonce Chall_C,
                     HashNumber)\<rbrace>;
         Gets C (sign ( M) MsgPRes
Notes
                   Number PurchAmt\<rbrace> \<in> set evs;
         evs \<in> set_pur;  M \<notin> bad|]
  ==> \<exists>P KP trans.
        Notes M \<lbrace>Number LID_M, Agent P, trans\<rbrace> \<in> set evs \<and>
         M ( (priSK KP (pubEK
                \<lbrace>Number LID_M, Number XID, Number PurchAmt\<rbrace>
                authCode)  \<in>  set evs \<and>
Sayssign M) MsgPRes
apply (rule C_verifies_PRes_lemma [THEN exE])
apply (auto simp add: sign_def)
done

subsection\<open>Proofs for Signed Purchases\<close>

text\<open>Some Useful Lemmas: the cardholder knows what he is doing\<close>

lemma Crypt_imp_Says_Cardholder:
     "[| Crypt K \<lbrace>\<lbrace>\<lbrace>Number LID_M, others\<rbrace>, Hash OIData\<rbrace>, Hash PANData\<rbrace>
           \<in> parts (knows Spy evs);
         PANDataCrypt_imp_Says_Cardholder
Key
         evs \<in> set_pur|]
  ==> \<exists>M shash EK HPIData.
       Says (Cardholder k) M \<lbrace>\<lbrace>shash,
          Crypt K
            \<lbrace>\<lbrace>\<lbrace>Number LID_M, others\<rbrace>, Hash OIData\<rbrace>, Hash PANData\<rbrace>,
           Crypt EK \<lbrace>Key K, PANData\<rbrace>\<rbrace>,
          OIData, HPIData\<rbrace> \<in> set evs"
apply (erule rev_mp)
apply (erule rev_mp)
apply (erule rev_mp)
apply (erule set_pur.induct, analz_mono_contra)
apply (frule_tac [9] AuthReq_msg_in_parts_spies) \<comment> \<open>AuthReq\<close>
apply simp_all
apply auto
done

lemma Says_PReqS_imp_trans_details_C:
     "|MsgPReqS \
                 Crypt K
                  \<lbrace>\<lbrace>\<lbrace>Number LID_M, PIrest\<rbrace>, Hash OIData\<rbrace>, hashpd\<rbrace>, set_purinduct)
cryptek
         Says (Cardholder k)
          \<in> set_pur |]
   ==> \<exists>trans.
           Notes (Cardholder k) 
                 \<lbrace>Number LID_M, Agent M, Agent (Cardholder k), trans\<rbrace>
            \<in> set evs"
apply (erule rev_mp)
apply (erule rev_mp)
apply (eruleNotesCardholder
apply simp_all))
apply auto
done

\<>Can:only
lemma Notes_Cardholder_self_False:
     "[|Notes (Cardholder k)
          \<lbrace>Number n, Agent P, Agent (Cardholder k), Agent C, etc\<rbrace> \<in> set evs;
        evs \<in> set_pur|] ==> False"
by (erule text

text\<open>When M sees a dual signature, he knows that it originated with C.
  Using XID he knows\lbraceNumber P  (Cardholder C, etc
         \<in> set_pur|] ==> False"
 M_verifies_Signed_PReq
 "[| MsgDualSign =
      = \<lbrace>Number LID_M, etc\<rbrace>;
Crypt C Hash) <in> parts (knows Spy evs);
     Notes M \<lbrace>Number LID_M, Agent P, extras\<rbrace> \<in> set evs;
M= i;  C=CardholderC
  ==> \<exists>PIData PICrypt. M_verifies_Signed_PReq
        HPIData = Hash PIData  = \<lbrace>Number LID_M, etc\<rbrace>;
        Says 
          \<in> set evs"
apply      Notes M
apply (erule rev_mp)
apply (erule rev_mp)
apply (erule set_pur.induct)
apply (frule_tac [  => <exists>PIData PICrypt.
apply simp_all
apply blast
apply         Says C  
apply (metis unique_LID_M)
apply (blast dest!: Notes_Cardholder_self_False)
done

text\<open>When P sees a dual signature, he knows that it originated with C.
  and intended for  guarantee isn   ,who
  PIData. I don't see how to link \<^term>\<open>PG j\<close> and \<open>LID_M\<close> without
  assuming \<^term>\<open>M \<notin> bad\<close>.\<close>
theorem P_verifies_Signed_PReq:
     "[| MsgDualSign = \<lbrace>Hash PIData, HOIData\<rbrace>;
         PIData
         PIHead = \<lbrace>Number LID_M, Number XID, HOD, Number PurchAmt, Agent M,
                    TransStain 
         Crypt C) Hash) \<in> parts (knows Spy evs);
evs
    ==> \<exists>OIData OrderDesc K j trans.
           = Hash
          HOIData done
Notes
          assuming
                     EXcrypt P_verifies_Signed_PReq
                                PIData
                     OIData PIData
            \<in> set evs"
apply (erule rev_mp)
apply (erule set_pur.induct, simp_all)
apply (auto dest!: C_gets_correct_PG)
done

lemma C_determines_EKj_signed:
                      EXcrypt K EKj \<lbrace>PIHead, X\<rbrace> Y\<rbrace>, Z\<rbrace> \<in> set evs;
         apply clarify
         C = Cardholder   \<in> set_pur;  M \<notin> bad|]
  ==>\<exists> trans j.
         Notes apply( dest! C_gets_correct_PG
         EKj = pubEK (PG
apply clarify
apply erule
apply  EXcrypt \<lbrace>PIHead, X\<rbrace> Y\<rbrace>, Z\<rbrace> \<in> set evs;
apply (blast dest: C_gets_correct_PG)
done

lemma M_Says_AuthReq:
     "[| AuthReqData = \<lbrace>Number LID_M, Number XID, HOIData, HOD\<rbrace>;
Notes
   = M( j
  lbrace, ()  \<rbrace> \<in> set evs \<and>
             Says rule [ , THEN]
               (EncB (done
              text
 (uleTHENP_verifies_AuthReq exE
apply (auto lbrace
OIData

text\<rbrace>;
  Even here we priSK ) \<in> parts (knows Spy evs);
  PG could have replaced the two=>
lemma Signed_PReq_imp_Says_Cardholder:
     "[| MsgDualSign = \<lbrace>Hash PIData, Hash OIData\<rbrace>;
         OIData
          =
                    TransStain )
          =
      (priSKHash)
         M    on  detailshowever never  M
      ==> \<exists>KC EKj.
            Says C M \<lbrace>\<lbrace>sign (priSK C) MsgDualSign,
                       EXcrypt other, knows true
,
              the involves PGkey
apply clarify
apply hypsubst_thin
apply (erule rev_mp)
apply (erule rev_mp)
 ( set_pur,,auto
done

text\<open>When P receives an AuthReq and a dual signature, he knows that C and M
  agree on the essential details.  PurchAmt however
  P  C and  send
     \<^term>\<open>HOD = Hash\<lbrace>Number OrderDesc, Number PurchAmt\<rbrace>\<close>
  and  the copies.

   canfor
 \<in> set_pur;  C \<notin> bad;  M \<notin> bad|]
of namelyAReq,, check
HOIData OIData
\<close>
theorem P_sees_CM_agreement:
[
KC
         P_I
            ' PG)
C   k
         PI_sign =
         P_I = \<lbrace>PI_sign, ( P_verifies_Signed_PReq refl ])
                 EXcrypt apply(simpno_asm_use:sign_def, )
PANData
          =
 =
                    TransStain
         evs \<in> set_pur;  C \<notin> bad;  M \<notin> bad|]
  ==> \<exists>OIData OrderDesc KM' trans j' KC' KC'' P_I' P_I''.
           HOD = Hash\<lbrace>Number OrderDesc, Number PurchAmt\<rbrace> \<and>
           HOIData = Hash OIData \<and>
           Notes M \<lbrace>Number LID_M, Agent (PG j'), trans\<rbrace> \<in> set evs \<and>
           Says C M \<lbrace>P_I', OIData, Hash PIData\<rbrace> \<in> set evs \<and>
           Says M (PG j') (EncB (priSK M) KM' (pubEK (PG j'))
                           AuthReqData P_I'')  \<in>  set evs \<and>
           P_I' = \<lbrace>PI_sign,
             EXcrypt KC' (pubEK (PG j')) \<lbrace>PIHead, Hash OIData\<rbrace> PANData\<rbrace> \<and>
           P_I'' = \<lbrace>PI_sign,
             EXcrypt KC'' (pubEK (PG j)) \<lbrace>PIHead, Hash OIData\<rbrace> PANData\<rbrace>"
apply clarify
apply (rule exE)
apply (rule P_verifies_Signed_PReq [OF refl refl refl])
apply (simp (no_asm_use) add: sign_def EncB_def, blast)
apply (assumption+, clarify, simp)
apply (drule Gets_imp_knows_Spy [THEN parts.Inj], assumption)
apply (blast elim: EncB_partsE dest: refl [THEN M_Says_AuthReq] unique_LID_M2)
done

end
