| Quellcodebibliothek Statistik Leitseite products/Sources/formale Sprachen/Isabelle/HOL/SET_Protocol/ (Beweissystem Isabelle Version 2025-1©) Datei vom 16.11.2025 mit Größe 52 kB |
|
Quelle Purchase.thy Sprache: Isabelle |
|||||||||||||||
|
(* Title: HOL/SET_Protocol/Purchase.thy Author: Giampaolo Bella Author: Fabio Massacci Author: Lawrence C Paulson *) section‹Purchase Phase of SET› theory Purchase imports Public_SET begin text‹ Note: nonces seem to consist of 20 bytes. That includes both freshness challenges (Chall-EE, etc.) and important secrets (CardSecret, PANsecret) This version omits ‹LID_C› but retains ‹LID_M›. At first glance (Programmer's Guide page 267) it seems that both numbers are just introduced for the respective convenience of the Cardholder's and Merchant's system. However, omitting both of them would create a problem of identification: how can the Merchant's system know what transaction is it supposed to process? Further reading (Programmer's guide page 309) suggest that there is an outside bootstrapping message (SET initiation message) which is used by the Merchant and the Cardholder to agree on the actual transaction. This bootstrapping message is described in the SET External Interface Guide and ought to generate ‹LID_M›. According SET Extern Interface Guide, this number might be a cookie, an invoice number etc. The Programmer's Guide on page 310, states that in absence of ‹LID_M› the protocol must somehow ("outside SET") identify the transaction from OrderDesc, which is assumed to be a searchable text only field. Thus, it is assumed that the Merchant or the Cardholder somehow agreed out-of-bad on the value of ‹LID_M› (for instance a cookie in a web transaction etc.). This out-of-band agreement is expressed with a preliminary start action in which the merchant and the Cardholder agree on the appropriate values. Agreed values are stored with a suitable notes action. "XID is a transaction ID that is usually generated by the Merchant system, unless there is no PInitRes, in which case it is generated by the Cardholder system. It is a randomly generated 20 byte variable that is globally unique (statistically). Merchant and Cardholder systems shall use appropriate random number generators to ensure the global uniqueness of XID." --Programmer's Guide, page 267. PI (Payment Instruction) is the most central and sensitive data structure in SET. It is used to pass the data required to authorize a payment card payment from the Cardholder to the Payment Gateway, which will use the data to initiate a payment card transaction through the traditional payment card financial network. The data is encrypted by the Cardholder and sent via the Merchant, such that the data is hidden from the Merchant unless the Acquirer passes the data back to the Merchant. --Programmer's Guide, page 271.\ consts CardSecret :: "nat \ 🍋 ‹Maps Cardholders to CardSecrets. A CardSecret of 0 means no cerificate, must use unsigned format.› PANSecret :: "nat \ 🍋 ‹Maps Cardholders to PANSecrets.› inductive_set set_pur :: "event list set" where Nil: 🍋 ‹Initial trace is empty› "[] \ | Fake: 🍋 ‹The spy MAY say anything he CAN say.› "[| evsf \ ==> Says Spy B X # evsf ∈ set_pur" | Reception: 🍋 ‹If A sends a message X to B, then B might receive it› "[| evsr \ ==> Gets B X # evsr ∈ set_pur" | Start: 🍋 ‹Added start event which is out-of-band for SET: the Cardholder and the merchant agree on the amounts and uses ‹LID_M› as an identifier. This is suggested by the External Interface Guide. The Programmer's Guide, in absence of ‹LID_M›, states that the merchant uniquely identifies the order out of some data contained in OrderDesc.› "[|evsStart \ Number LID_M ∉ used evsStart; C = Cardholder k; M = Merchant i; P = PG j; Transaction = {Agent M, Agent C, Number OrderDesc, Number PurchAmt}; LID_M ∉ range CardSecret; LID_M ∉ range PANSecret |] ==> Notes C {Number LID_M, Transaction} # Notes M {Number LID_M, Agent P, Transaction} # evsStart ∈ set_pur" | PInitReq: 🍋 ‹Purchase initialization, page 72 of Formal Protocol Desc.› "[|evsPIReq \ Transaction = {Agent M, Agent C, Number OrderDesc, Number PurchAmt}; Nonce Chall_C ∉ used evsPIReq; Chall_C ∉ range CardSecret; Chall_C ∉ range PANSecret; Notes C {Number LID_M, Transaction } ∈ set evsPIReq |] ==> Says C M {Number LID_M, Nonce Chall_C} # evsPIReq ∈ set_pur" | PInitRes: 🍋 ‹Merchant replies with his own label XID and the encryption key certificate of his chosen Payment Gateway. Page 74 of Formal Protocol Desc. We use ‹LID_M› to identify Cardholder› "[|evsPIRes \ Gets M {Number LID_M, Nonce Chall_C} ∈ set evsPIRes; Transaction = {Agent M, Agent C, Number OrderDesc, Number PurchAmt}; Notes M {Number LID_M, Agent P, Transaction} ∈ set evsPIRes; Nonce Chall_M ∉ used evsPIRes; Chall_M ∉ range CardSecret; Chall_M ∉ range PANSecret; Number XID ∉ used evsPIRes; XID ∉ range CardSecret; XID ∉ range PANSecret|] ==> Says M C (sign (priSK M) {Number LID_M, Number XID, Nonce Chall_C, Nonce Chall_M, cert P (pubEK P) onlyEnc (priSK RCA)}) # evsPIRes ∈ set_pur" | PReqUns: 🍋 ‹UNSIGNED Purchase request (CardSecret = 0). Page 79 of Formal Protocol Desc. Merchant never sees the amount in clear. This holds of the real protocol, where XID identifies the transaction. We omit ‹Hash{Number XID, Nonce (CardSecret k)}› from PIHead because the CardSecret is 0 and because AuthReq treated the unsigned case very differently from the signed one anyway.› "!!Chall_C Chall_M OrderDesc P PurchAmt XID evsPReqU. [|evsPReqU ∈ set_pur; C = Cardholder k; CardSecret k = 0; Key KC1 ∉ used evsPReqU; KC1 ∈ symKeys; Transaction = {Agent M, Agent C, Number OrderDesc, Number PurchAmt}; HOD = Hash{Number OrderDesc, Number PurchAmt}; OIData = {Number LID_M, Number XID, Nonce Chall_C, HOD,Nonce Chall_M}; PIHead = {Number LID_M, Number XID, HOD, Number PurchAmt, Agent M}; Gets C (sign (priSK M) {Number LID_M, Number XID, Nonce Chall_C, Nonce Chall_M, cert P EKj onlyEnc (priSK RCA)}) ∈ set evsPReqU; Says C M {Number LID_M, Nonce Chall_C} ∈ set evsPReqU; Notes C {Number LID_M, Transaction} ∈ set evsPReqU |] ==> Says C M {EXHcrypt KC1 EKj {PIHead, Hash OIData} (Pan (pan C)), OIData, Hash{PIHead, Pan (pan C)} } # Notes C {Key KC1, Agent M} # evsPReqU ∈ set_pur" | PReqS: 🍋 ‹SIGNED Purchase request. Page 77 of Formal Protocol Desc. We could specify the equation 🍋‹PIReqSigned = { PIDualSigned, OIDualSigned }›, since the Formal Desc. gives PIHead the same format in the unsigned case. However, there's little point, as P treats the signed and unsigned cases differently.› "!!C Chall_C Chall_M EKj HOD KC2 LID_M M OIData OIDualSigned OrderDesc P PANData PIData PIDualSigned PIHead PurchAmt Transaction XID evsPReqS k. [|evsPReqS ∈ set_pur; C = Cardholder k; CardSecret k ≠ 0; Key KC2 ∉ used evsPReqS; KC2 ∈ symKeys; Transaction = {Agent M, Agent C, Number OrderDesc, Number PurchAmt}; HOD = Hash{Number OrderDesc, Number PurchAmt}; OIData = {Number LID_M, Number XID, Nonce Chall_C, HOD, Nonce Chall_M}; PIHead = {Number LID_M, Number XID, HOD, Number PurchAmt, Agent M, Hash{Number XID, Nonce (CardSecret k)}}; PANData = {Pan (pan C), Nonce (PANSecret k)}; PIData = {PIHead, PANData}; PIDualSigned = {sign (priSK C) {Hash PIData, Hash OIData}, EXcrypt KC2 EKj {PIHead, Hash OIData} PANData}; OIDualSigned = {OIData, Hash PIData}; Gets C (sign (priSK M) {Number LID_M, Number XID, Nonce Chall_C, Nonce Chall_M, cert P EKj onlyEnc (priSK RCA)}) ∈ set evsPReqS; Says C M {Number LID_M, Nonce Chall_C} ∈ set evsPReqS; Notes C {Number LID_M, Transaction} ∈ set evsPReqS |] ==> Says C M {PIDualSigned, OIDualSigned} # Notes C {Key KC2, Agent M} # evsPReqS ∈ set_pur" 🍋 ‹Authorization Request. Page 92 of Formal Protocol Desc. Sent in response to Purchase Request.› | AuthReq: "[| evsAReq \ Key KM ∉ used evsAReq; KM ∈ symKeys; Transaction = {Agent M, Agent C, Number OrderDesc, Number PurchAmt}; HOD = Hash{Number OrderDesc, Number PurchAmt}; OIData = {Number LID_M, Number XID, Nonce Chall_C, HOD, Nonce Chall_M}; CardSecret k ≠ 0 ⟶ P_I = {sign (priSK C) {HPIData, Hash OIData}, encPANData}; Gets M {P_I, OIData, HPIData} ∈ set evsAReq; Says M C (sign (priSK M) {Number LID_M, Number XID, Nonce Chall_C, Nonce Chall_M, cert P EKj onlyEnc (priSK RCA)}) ∈ set evsAReq; Notes M {Number LID_M, Agent P, Transaction} ∈ set evsAReq |] ==> Says M P (EncB (priSK M) KM (pubEK P) {Number LID_M, Number XID, Hash OIData, HOD} P_I) # evsAReq ∈ set_pur" 🍋 ‹Authorization Response has two forms: for UNSIGNED and SIGNED PIs. Page 99 of Formal Protocol Desc. PI is a keyword (product!), so we call it ‹P_I›. The hashes HOD and HOIData occur independently in ‹P_I› and in M's message. The authCode in AuthRes represents the baggage of EncB, which in the full protocol is [CapToken], [AcqCardMsg], [AuthToken]: optional items for split shipments, recurring payments, etc.› | AuthResUns: 🍋 ‹Authorization Response, UNSIGNED› "[| evsAResU \ C = Cardholder k; M = Merchant i; Key KP ∉ used evsAResU; KP ∈ symKeys; CardSecret k = 0; KC1 ∈ symKeys; KM ∈ symKeys; PIHead = {Number LID_M, Number XID, HOD, Number PurchAmt, Agent M}; P_I = EXHcrypt KC1 EKj {PIHead, HOIData} (Pan (pan C)); Gets P (EncB (priSK M) KM (pubEK P) {Number LID_M, Number XID, HOIData, HOD} P_I) ∈ set evsAResU |] ==> Says P M (EncB (priSK P) KP (pubEK M) {Number LID_M, Number XID, Number PurchAmt} authCode) # evsAResU ∈ set_pur" | AuthResS: 🍋 ‹Authorization Response, SIGNED› "[| evsAResS \ C = Cardholder k; Key KP ∉ used evsAResS; KP ∈ symKeys; CardSecret k ≠ 0; KC2 ∈ symKeys; KM ∈ symKeys; P_I = {sign (priSK C) {Hash PIData, HOIData}, EXcrypt KC2 (pubEK P) {PIHead, HOIData} PANData}; PANData = {Pan (pan C), Nonce (PANSecret k)}; PIData = {PIHead, PANData}; PIHead = {Number LID_M, Number XID, HOD, Number PurchAmt, Agent M, Hash{Number XID, Nonce (CardSecret k)}}; Gets P (EncB (priSK M) KM (pubEK P) {Number LID_M, Number XID, HOIData, HOD} P_I) ∈ set evsAResS |] ==> Says P M (EncB (priSK P) KP (pubEK M) {Number LID_M, Number XID, Number PurchAmt} authCode) # evsAResS ∈ set_pur" | PRes: 🍋 ‹Purchase response.› "[| evsPRes \ Transaction = {Agent M, Agent C, Number OrderDesc, Number PurchAmt}; Gets M (EncB (priSK P) KP (pubEK M) {Number LID_M, Number XID, Number PurchAmt} authCode) ∈ set evsPRes; Gets M {Number LID_M, Nonce Chall_C} ∈ set evsPRes; Says M P (EncB (priSK M) KM (pubEK P) {Number LID_M, Number XID, Hash OIData, HOD} P_I) ∈ set evsPRes; Notes M {Number LID_M, Agent P, Transaction} ∈ set evsPRes |] ==> Says M C (sign (priSK M) {Number LID_M, Number XID, Nonce Chall_C, Hash (Number PurchAmt)}) # evsPRes ∈ set_pur" specification (CardSecret PANSecret) inj_CardSecret: "inj CardSecret" inj_PANSecret: "inj PANSecret" CardSecret_neq_PANSecret: "CardSecret k \ 🍋 ‹No CardSecret equals any PANSecret› apply (rule_tac x="curry prod_encode 0" in exI) apply (rule_tac x="curry prod_encode 1" in exI) apply (simp add: prod_encode_eq inj_on_def) done declare Says_imp_knows_Spy [THEN parts.Inj, dest] declare parts.Body [dest] declare analz_into_parts [dest] declare Fake_parts_insert_in_Un [dest] declare CardSecret_neq_PANSecret [iff] CardSecret_neq_PANSecret [THEN not_sym, iff] declare inj_CardSecret [THEN inj_eq, iff] inj_PANSecret [THEN inj_eq, iff] subsection‹Possibility Properties› lemma Says_to_Gets: "Says A B X # evs \ by (rule set_pur.Reception, auto) text‹Possibility for UNSIGNED purchases. Note that we need to ensure that XID differs from OrderDesc and PurchAmt, since it is supposed to be a unique number!› lemma possibility_Uns: "[| CardSecret k = 0; C = Cardholder k; M = Merchant i; Key KC ∉ used []; Key KM ∉ used []; Key KP ∉ used []; KC ∈ symKeys; KM ∈ symKeys; KP ∈ symKeys; KC < KM; KM < KP; Nonce Chall_C ∉ used []; Chall_C ∉ range CardSecret ∪ range PANSecret; Nonce Chall_M ∉ used []; Chall_M ∉ range CardSecret ∪ range PANSecret; Chall_C < Chall_M; Number LID_M ∉ used []; LID_M ∉ range CardSecret ∪ range PANSecret; Number XID ∉ used []; XID ∉ range CardSecret ∪ range PANSecret; LID_M < XID; XID < OrderDesc; OrderDesc < PurchAmt |] ==> ∃evs ∈ set_pur. Says M C (sign (priSK M) {Number LID_M, Number XID, Nonce Chall_C, Hash (Number PurchAmt)}) ∈ set evs" apply (intro exI bexI) apply (rule_tac [2] set_pur.Nil [THEN set_pur.Start [of _ LID_M C k M i _ _ _ OrderDesc PurchAmt], THEN set_pur.PInitReq [of concl: C M LID_M Chall_C], THEN Says_to_Gets, THEN set_pur.PInitRes [of concl: M C LID_M XID Chall_C Chall_M], THEN Says_to_Gets, THEN set_pur.PReqUns [of concl: C M KC], THEN Says_to_Gets, THEN set_pur.AuthReq [of concl: M "PG j" KM LID_M XID], THEN Says_to_Gets, THEN set_pur.AuthResUns [of concl: "PG j" M KP LID_M XID], THEN Says_to_Gets, THEN set_pur.PRes]) apply basic_possibility apply (simp_all add: used_Cons symKeys_neq_imp_neq) done lemma possibility_S: "[| CardSecret k \ C = Cardholder k; M = Merchant i; Key KC ∉ used []; Key KM ∉ used []; Key KP ∉ used []; KC ∈ symKeys; KM ∈ symKeys; KP ∈ symKeys; KC < KM; KM < KP; Nonce Chall_C ∉ used []; Chall_C ∉ range CardSecret ∪ range PANSecret; Nonce Chall_M ∉ used []; Chall_M ∉ range CardSecret ∪ range PANSecret; Chall_C < Chall_M; Number LID_M ∉ used []; LID_M ∉ range CardSecret ∪ range PANSecret; Number XID ∉ used []; XID ∉ range CardSecret ∪ range PANSecret; LID_M < XID; XID < OrderDesc; OrderDesc < PurchAmt |] ==> ∃evs ∈ set_pur. Says M C (sign (priSK M) {Number LID_M, Number XID, Nonce Chall_C, Hash (Number PurchAmt)}) ∈ set evs" apply (intro exI bexI) apply (rule_tac [2] set_pur.Nil [THEN set_pur.Start [of _ LID_M C k M i _ _ _ OrderDesc PurchAmt], THEN set_pur.PInitReq [of concl: C M LID_M Chall_C], THEN Says_to_Gets, THEN set_pur.PInitRes [of concl: M C LID_M XID Chall_C Chall_M], THEN Says_to_Gets, THEN set_pur.PReqS [of concl: C M _ _ KC], THEN Says_to_Gets, THEN set_pur.AuthReq [of concl: M "PG j" KM LID_M XID], THEN Says_to_Gets, THEN set_pur.AuthResS [of concl: "PG j" M KP LID_M XID], THEN Says_to_Gets, THEN set_pur.PRes]) apply basic_possibility apply (auto simp add: used_Cons symKeys_neq_imp_neq) done text‹General facts about message reception› lemma Gets_imp_Says: "[| Gets B X \ ==> ∃A. Says A B X ∈ set evs" apply (erule rev_mp) apply (erule set_pur.induct, auto) done lemma Gets_imp_knows_Spy: "[| Gets B X \ by (blast dest!: Gets_imp_Says Says_imp_knows_Spy) declare Gets_imp_knows_Spy [THEN parts.Inj, dest] text‹Forwarding lemmas, to aid simplification› lemma AuthReq_msg_in_parts_spies: "[|Gets M \ evs ∈ set_pur|] ==> P_I ∈ parts (knows Spy evs)" by auto lemma AuthReq_msg_in_analz_spies: "[|Gets M \ evs ∈ set_pur|] ==> P_I ∈ analz (knows Spy evs)" by (blast dest: Gets_imp_knows_Spy [THEN analz.Inj]) subsection‹Proofs on Asymmetric Keys› text‹Private Keys are Secret› text‹Spy never sees an agent's private keys! (unless it's bad at start)› lemma Spy_see_private_Key [simp]: "evs \ ==> (Key(invKey (publicKey b A)) ∈ parts(knows Spy evs)) = (A ∈ bad)" apply (erule set_pur.induct) apply (frule_tac [9] AuthReq_msg_in_parts_spies) 🍋 ‹AuthReq› apply auto done declare Spy_see_private_Key [THEN [2] rev_iffD1, dest!] lemma Spy_analz_private_Key [simp]: "evs \ (Key(invKey (publicKey b A)) ∈ analz(knows Spy evs)) = (A ∈ bad)" by auto declare Spy_analz_private_Key [THEN [2] rev_iffD1, dest!] text‹rewriting rule for priEK's\ lemma parts_image_priEK: "[|Key (priEK C) \ evs ∈ set_pur|] ==> priEK C ∈ KK | C ∈ bad" by auto text‹trivial proof because 🍋‹priEK C› never appears even in 🍋‹parts evs›.› lemma analz_image_priEK: "evs \ (Key (priEK C) ∈ analz (Key`KK ∪ (knows Spy evs))) = (priEK C ∈ KK | C ∈ bad)" by (blast dest!: parts_image_priEK intro: analz_mono [THEN [2] rev_subsetD]) subsection‹Public Keys in Certificates are Correct› lemma Crypt_valid_pubEK [dest!]: "[| Crypt (priSK RCA) \ ∈ parts (knows Spy evs); evs ∈ set_pur |] ==> EKi = pubEK C" by (erule rev_mp, erule set_pur.induct, auto) lemma Crypt_valid_pubSK [dest!]: "[| Crypt (priSK RCA) \ ∈ parts (knows Spy evs); evs ∈ set_pur |] ==> SKi = pubSK C" by (erule rev_mp, erule set_pur.induct, auto) lemma certificate_valid_pubEK: "[| cert C EKi onlyEnc (priSK RCA) \ evs ∈ set_pur |] ==> EKi = pubEK C" by (unfold cert_def signCert_def, auto) lemma certificate_valid_pubSK: "[| cert C SKi onlySig (priSK RCA) \ evs ∈ set_pur |] ==> SKi = pubSK C" by (unfold cert_def signCert_def, auto) lemma Says_certificate_valid [simp]: "[| Says A B (sign SK \ cert C EK onlyEnc (priSK RCA)}) ∈ set evs; evs ∈ set_pur |] ==> EK = pubEK C" by (unfold sign_def, auto) lemma Gets_certificate_valid [simp]: "[| Gets A (sign SK \ cert C EK onlyEnc (priSK RCA)}) ∈ set evs; evs ∈ set_pur |] ==> EK = pubEK C" by (frule Gets_imp_Says, auto) method_setup valid_certificate_tac = ‹ Args.goal_spec >> (fn quant => fn ctxt => SIMPLE_METHOD'' quant (fn i => EVERY [forward_tac ctxt @{thms Gets_certificate_valid} i, assume_tac ctxt i, REPEAT (hyp_subst_tac ctxt i)])) › subsection‹Proofs on Symmetric Keys› text‹Nobody can have used non-existent keys!› lemma new_keys_not_used [rule_format,simp]: "evs \ ==> Key K ∉ used evs ⟶ K ∈ symKeys ⟶ K ∉ keysFor (parts (knows Spy evs))" apply (erule set_pur.induct) apply (valid_certificate_tac [8]) 🍋 ‹PReqS› apply (valid_certificate_tac [7]) 🍋 ‹PReqUns› apply auto apply (force dest!: usedI keysFor_parts_insert) 🍋 ‹Fake› done lemma new_keys_not_analzd: "[|Key K \ ==> K ∉ keysFor (analz (knows Spy evs))" by (blast intro: keysFor_mono [THEN [2] rev_subsetD] dest: new_keys_not_used) lemma Crypt_parts_imp_used: "[|Crypt K X \ K ∈ symKeys; evs ∈ set_pur |] ==> Key K ∈ used evs" apply (rule ccontr) apply (force dest: new_keys_not_used Crypt_imp_invKey_keysFor) done lemma Crypt_analz_imp_used: "[|Crypt K X \ K ∈ symKeys; evs ∈ set_pur |] ==> Key K ∈ used evs" by (blast intro: Crypt_parts_imp_used) text‹New versions: as above, but generalized to have the KK argument› lemma gen_new_keys_not_used: "[|Key K \ ==> Key K ∉ used evs ⟶ K ∈ symKeys ⟶ K ∉ keysFor (parts (Key`KK ∪ knows Spy evs))" by auto lemma gen_new_keys_not_analzd: "[|Key K \ ==> K ∉ keysFor (analz (Key`KK ∪ knows Spy evs))" by (blast intro: keysFor_mono [THEN subsetD] dest: gen_new_keys_not_used) lemma analz_Key_image_insert_eq: "[|Key K \ ==> analz (Key ` (insert K KK) ∪ knows Spy evs) = insert (Key K) (analz (Key ` KK ∪ knows Spy evs))" by (simp add: gen_new_keys_not_analzd) subsection‹Secrecy of Symmetric Keys› lemma Key_analz_image_Key_lemma: "P \ ==> P ⟶ (Key K ∈ analz (Key`KK ∪ H)) = (K∈KK | Key K ∈ analz H)" by (blast intro: analz_mono [THEN [2] rev_subsetD]) lemma symKey_compromise: "evs \ (∀SK KK. SK ∈ symKeys ⟶ (∀K ∈ KK. K ∉ range(λC. priEK C)) ⟶ (Key SK ∈ analz (Key`KK ∪ (knows Spy evs))) = (SK ∈ KK ∨ Key SK ∈ analz (knows Spy evs)))" apply (erule set_pur.induct) apply (rule_tac [!] allI)+ apply (rule_tac [!] impI [THEN Key_analz_image_Key_lemma, THEN impI])+ apply (frule_tac [9] AuthReq_msg_in_analz_spies) 🍋 ‹AReq› apply (valid_certificate_tac [8]) 🍋 ‹PReqS› apply (valid_certificate_tac [7]) 🍋 ‹PReqUns› apply (simp_all del: image_insert image_Un imp_disjL add: analz_image_keys_simps disj_simps analz_Key_image_insert_eq notin_image_iff analz_insert_simps analz_image_priEK) 🍋 ‹8 seconds on a 1.6GHz machine› apply spy_analz 🍋 ‹Fake› apply (blast elim!: ballE)+ 🍋 ‹PReq: unsigned and signed› done subsection‹Secrecy of Nonces› text‹As usual: we express the property as a logical equivalence› lemma Nonce_analz_image_Key_lemma: "P \ ==> P ⟶ (Nonce N ∈ analz (Key`KK ∪ H)) = (Nonce N ∈ analz H)" by (blast intro: analz_mono [THEN [2] rev_subsetD]) text‹The ‹(no_asm)› attribute is essential, since it retains the quantifier and allows the simprule's condition to itself be simplified.\ lemma Nonce_compromise [rule_format (no_asm)]: "evs \ (∀N KK. (∀K ∈ KK. K ∉ range(λC. priEK C)) ⟶ (Nonce N ∈ analz (Key`KK ∪ (knows Spy evs))) = (Nonce N ∈ analz (knows Spy evs)))" apply (erule set_pur.induct) apply (rule_tac [!] allI)+ apply (rule_tac [!] impI [THEN Nonce_analz_image_Key_lemma])+ apply (frule_tac [9] AuthReq_msg_in_analz_spies) 🍋 ‹AReq› apply (valid_certificate_tac [8]) 🍋 ‹PReqS› apply (valid_certificate_tac [7]) 🍋 ‹PReqUns› apply (simp_all del: image_insert image_Un imp_disjL add: analz_image_keys_simps disj_simps symKey_compromise analz_Key_image_insert_eq notin_image_iff analz_insert_simps analz_image_priEK) 🍋 ‹8 seconds on a 1.6GHz machine› apply spy_analz 🍋 ‹Fake› apply (blast elim!: ballE) 🍋 ‹PReqS› done lemma PANSecret_notin_spies: "[|Nonce (PANSecret k) \ ==> (∃V W X Y KC2 M. ∃P ∈ bad. Says (Cardholder k) M {{W, EXcrypt KC2 (pubEK P) X {Y, Nonce (PANSecret k)}}, V} ∈ set evs)" apply (erule rev_mp) apply (erule set_pur.induct) apply (frule_tac [9] AuthReq_msg_in_analz_spies) apply (valid_certificate_tac [8]) 🍋 ‹PReqS› apply (simp_all del: image_insert image_Un imp_disjL add: analz_image_keys_simps disj_simps symKey_compromise pushes sign_def Nonce_compromise analz_Key_image_insert_eq notin_image_iff analz_insert_simps analz_image_priEK) 🍋 ‹2.5 seconds on a 1.6GHz machine› apply spy_analz apply (blast dest!: Gets_imp_knows_Spy [THEN analz.Inj]) apply (blast dest: Says_imp_knows_Spy [THEN analz.Inj] Gets_imp_knows_Spy [THEN analz.Inj]) apply (blast dest: Gets_imp_knows_Spy [THEN analz.Inj]) 🍋 ‹PReqS› apply (blast dest: Says_imp_knows_Spy [THEN analz.Inj] Gets_imp_knows_Spy [THEN analz.Inj]) 🍋 ‹PRes› done text‹This theorem is a bit silly, in that many CardSecrets are 0! But then we don't care. NOT USED\ lemma CardSecret_notin_spies: "evs \ by (erule set_pur.induct, auto) subsection‹Confidentiality of PAN› lemma analz_image_pan_lemma: "(Pan P \ (Pan P ∈ analz (Key`nE ∪ H)) = (Pan P ∈ analz H)" by (blast intro: analz_mono [THEN [2] rev_subsetD]) text‹The ‹(no_asm)› attribute is essential, since it retains the quantifier and allows the simprule's condition to itself be simplified.\ lemma analz_image_pan [rule_format (no_asm)]: "evs \ ∀KK. (∀K ∈ KK. K ∉ range(λC. priEK C)) ⟶ (Pan P ∈ analz (Key`KK ∪ (knows Spy evs))) = (Pan P ∈ analz (knows Spy evs))" apply (erule set_pur.induct) apply (rule_tac [!] allI impI)+ apply (rule_tac [!] analz_image_pan_lemma)+ apply (frule_tac [9] AuthReq_msg_in_analz_spies) 🍋 ‹AReq› apply (valid_certificate_tac [8]) 🍋 ‹PReqS› apply (valid_certificate_tac [7]) 🍋 ‹PReqUns› apply (simp_all del: image_insert image_Un imp_disjL add: analz_image_keys_simps symKey_compromise pushes sign_def analz_Key_image_insert_eq notin_image_iff analz_insert_simps analz_image_priEK) 🍋 ‹7 seconds on a 1.6GHz machine› apply spy_analz 🍋 ‹Fake› apply auto done lemma analz_insert_pan: "[| evs \ (Pan P ∈ analz (insert (Key K) (knows Spy evs))) = (Pan P ∈ analz (knows Spy evs))" by (simp del: image_insert image_Un add: analz_image_keys_simps analz_image_pan) text‹Confidentiality of the PAN, unsigned case.› theorem pan_confidentiality_unsigned: "[| Pan (pan C) \ CardSecret k = 0; evs ∈ set_pur|] ==> ∃P M KC1 K X Y. Says C M {EXHcrypt KC1 (pubEK P) X (Pan (pan C)), Y} ∈ set evs ∧ P ∈ bad" apply (erule rev_mp) apply (erule set_pur.induct) apply (frule_tac [9] AuthReq_msg_in_analz_spies) 🍋 ‹AReq› apply (valid_certificate_tac [8]) 🍋 ‹PReqS› apply (valid_certificate_tac [7]) 🍋 ‹PReqUns› apply (simp_all del: image_insert image_Un imp_disjL add: analz_image_keys_simps analz_insert_pan analz_image_pan notin_image_iff analz_insert_simps analz_image_priEK) 🍋 ‹3 seconds on a 1.6GHz machine› apply spy_analz 🍋 ‹Fake› apply blast 🍋 ‹PReqUns: unsigned› apply force 🍋 ‹PReqS: signed› done text‹Confidentiality of the PAN, signed case.› theorem pan_confidentiality_signed: "[|Pan (pan C) \ CardSecret k ≠ 0; evs ∈ set_pur|] ==> ∃P M KC2 PIDualSign_1 PIDualSign_2 other OIDualSign. Says C M {{PIDualSign_1, EXcrypt KC2 (pubEK P) PIDualSign_2 {Pan (pan C), other}}, OIDualSign} ∈ set evs ∧ P ∈ bad" apply (erule rev_mp) apply (erule set_pur.induct) apply (frule_tac [9] AuthReq_msg_in_analz_spies) 🍋 ‹AReq› apply (valid_certificate_tac [8]) 🍋 ‹PReqS› apply (valid_certificate_tac [7]) 🍋 ‹PReqUns› apply (simp_all del: image_insert image_Un imp_disjL add: analz_image_keys_simps analz_insert_pan analz_image_pan notin_image_iff analz_insert_simps analz_image_priEK) 🍋 ‹3 seconds on a 1.6GHz machine› apply spy_analz 🍋 ‹Fake› apply force 🍋 ‹PReqUns: unsigned› apply blast 🍋 ‹PReqS: signed› done text‹General goal: that C, M and PG agree on those details of the transaction that they are allowed to know about. PG knows about price and account details. M knows about the order description and price. C knows both.› subsection‹Proofs Common to Signed and Unsigned Versions› lemma M_Notes_PG: "[|Notes M \ evs ∈ set_pur|] ==> ∃j. P = PG j" by (erule rev_mp, erule set_pur.induct, simp_all) text‹If we trust M, then 🍋‹LID_M› determines his choice of P (Payment Gateway)› lemma goodM_gives_correct_PG: "[| MsgPInitRes = {Number LID_M, xid, cc, cm, cert P EKj onlyEnc (priSK RCA)}; Crypt (priSK M) (Hash MsgPInitRes) ∈ parts (knows Spy evs); evs ∈ set_pur; M ∉ bad |] ==> ∃j trans. P = PG j ∧ Notes M {Number LID_M, Agent P, trans} ∈ set evs" apply clarify apply (erule rev_mp) apply (erule set_pur.induct) apply (frule_tac [9] AuthReq_msg_in_parts_spies) 🍋 ‹AuthReq› apply simp_all apply (blast intro: M_Notes_PG)+ done lemma C_gets_correct_PG: "[| Gets A (sign (priSK M) \ cert P EKj onlyEnc (priSK RCA)}) ∈ set evs; evs ∈ set_pur; M ∉ bad|] ==> ∃j trans. P = PG j ∧ Notes M {Number LID_M, Agent P, trans} ∈ set evs ∧ EKj = pubEK P" by (rule refl [THEN goodM_gives_correct_PG, THEN exE], auto) text‹When C receives PInitRes, he learns M's choice of P\ lemma C_verifies_PInitRes: "[| MsgPInitRes = \ cert P EKj onlyEnc (priSK RCA)}; Crypt (priSK M) (Hash MsgPInitRes) ∈ parts (knows Spy evs); evs ∈ set_pur; M ∉ bad|] ==> ∃j trans. Notes M {Number LID_M, Agent P, trans} ∈ set evs ∧ P = PG j ∧ EKj = pubEK P" apply clarify apply (erule rev_mp) apply (erule set_pur.induct) apply (frule_tac [9] AuthReq_msg_in_parts_spies) 🍋 ‹AuthReq› apply simp_all apply (blast intro: M_Notes_PG)+ done text‹Corollary of previous one› lemma Says_C_PInitRes: "[|Says A C (sign (priSK M) {Number LID_M, Number XID, Nonce Chall_C, Nonce Chall_M, cert P EKj onlyEnc (priSK RCA)}) ∈ set evs; M ∉ bad; evs ∈ set_pur|] ==> ∃j trans. Notes M {Number LID_M, Agent P, trans} ∈ set evs ∧ P = PG j ∧ EKj = pubEK (PG j)" apply (frule Says_certificate_valid) apply (auto simp add: sign_def) apply (blast dest: refl [THEN goodM_gives_correct_PG]) apply (blast dest: refl [THEN C_verifies_PInitRes]) done text‹When P receives an AuthReq, he knows that the signed part originated with M. PIRes also has a signed message from M....› lemma P_verifies_AuthReq: "[| AuthReqData = \ Crypt (priSK M) (Hash {AuthReqData, Hash P_I}) ∈ parts (knows Spy evs); evs ∈ set_pur; M ∉ bad|] ==> ∃j trans KM OIData HPIData. Notes M {Number LID_M, Agent (PG j), trans} ∈ set evs ∧ Gets M {P_I, OIData, HPIData} ∈ set evs ∧ Says M (PG j) (EncB (priSK M) KM (pubEK (PG j)) AuthReqData P_I) ∈ set evs" apply clarify apply (erule rev_mp) apply (erule set_pur.induct, simp_all) apply (frule_tac [4] M_Notes_PG, auto) done text‹When M receives AuthRes, he knows that P signed it, including the identifying tags and the purchase amount, which he can verify. (Although the spec has SIGNED and UNSIGNED forms of AuthRes, they send the same message to M.) The conclusion is weak: M is existentially quantified! That is because Authorization Response does not refer to M, while the digital envelope weakens the link between 🍋‹MsgAuthRes› and 🍋‹priSK M›. Changing the precondition to refer to 🍋‹Crypt K (sign SK M)› requires assuming 🍋‹K› to be secure, since otherwise the Spy could create that message.› theorem M_verifies_AuthRes: "[| MsgAuthRes = \ Hash authCode}; Crypt (priSK (PG j)) (Hash MsgAuthRes) ∈ parts (knows Spy evs); PG j ∉ bad; evs ∈ set_pur|] ==> ∃M KM KP HOIData HOD P_I. Gets (PG j) (EncB (priSK M) KM (pubEK (PG j)) {Number LID_M, Number XID, HOIData, HOD} P_I) ∈ set evs ∧ Says (PG j) M (EncB (priSK (PG j)) KP (pubEK M) {Number LID_M, Number XID, Number PurchAmt} authCode) ∈ set evs" apply clarify apply (erule rev_mp) apply (erule set_pur.induct) apply (frule_tac [9] AuthReq_msg_in_parts_spies) 🍋 ‹AuthReq› apply simp_all apply blast+ done subsection‹Proofs for Unsigned Purchases› text‹What we can derive from the ASSUMPTION that C issued a purchase request. In the unsigned case, we must trust "C": there's no authentication.\ lemma C_determines_EKj: "[| Says C M \ OIData, Hash{PIHead, Pan (pan C)} } ∈ set evs; PIHead = {Number LID_M, Trans_details}; evs ∈ set_pur; C = Cardholder k; M ∉ bad|] ==> ∃trans j. Notes M {Number LID_M, Agent (PG j), trans } ∈ set evs ∧ EKj = pubEK (PG j)" apply clarify apply (erule rev_mp) apply (erule set_pur.induct, simp_all) apply (valid_certificate_tac [2]) 🍋 ‹PReqUns› apply auto apply (blast dest: Gets_imp_Says Says_C_PInitRes) done text‹Unicity of 🍋‹LID_M› between Merchant and Cardholder notes› lemma unique_LID_M: "[|Notes (Merchant i) \ Notes C {Number LID_M, Agent M, Agent C, Number OD, Number PA} ∈ set evs; evs ∈ set_pur|] ==> M = Merchant i ∧ Trans = {Agent M, Agent C, Number OD, Number PA}" apply (erule rev_mp) apply (erule rev_mp) apply (erule set_pur.induct, simp_all) apply (force dest!: Notes_imp_parts_subset_used) done text‹Unicity of 🍋‹LID_M›, for two Merchant Notes events› lemma unique_LID_M2: "[|Notes M \ Notes M {Number LID_M, Trans'\ evs ∈ set_pur|] ==> Trans' = Trans" apply (erule rev_mp) apply (erule rev_mp) apply (erule set_pur.induct, simp_all) apply (force dest!: Notes_imp_parts_subset_used) done text‹Lemma needed below: for the case that if PRes is present, then 🍋‹LID_M› has been used.› lemma signed_imp_used: "[| Crypt (priSK M) (Hash X) \ M ∉ bad; evs ∈ set_pur|] ==> parts {X} ⊆ used evs" apply (erule rev_mp) apply (erule set_pur.induct) apply (frule_tac [9] AuthReq_msg_in_parts_spies) 🍋 ‹AuthReq› apply simp_all apply safe apply blast+ done text‹Similar, with nested Hash› lemma signed_Hash_imp_used: "[| Crypt (priSK C) (Hash \ C ∉ bad; evs ∈ set_pur|] ==> parts {X} ⊆ used evs" apply (erule rev_mp) apply (erule set_pur.induct) apply (frule_tac [9] AuthReq_msg_in_parts_spies) 🍋 ‹AuthReq› apply simp_all apply safe apply blast+ done text‹Lemma needed below: for the case that if PRes is present, then ‹LID_M› has been used.› lemma PRes_imp_LID_used: "[| Crypt (priSK M) (Hash \ M ∉ bad; evs ∈ set_pur|] ==> N ∈ used evs" by (drule signed_imp_used, auto) text‹When C receives PRes, he knows that M and P agreed to the purchase details. He also knows that P is the same PG as before› lemma C_verifies_PRes_lemma: "[| Crypt (priSK M) (Hash MsgPRes) \ Notes C {Number LID_M, Trans } ∈ set evs; Trans = { Agent M, Agent C, Number OrderDesc, Number PurchAmt }; MsgPRes = {Number LID_M, Number XID, Nonce Chall_C, Hash (Number PurchAmt)}; evs ∈ set_pur; M ∉ bad|] ==> ∃j KP. Notes M {Number LID_M, Agent (PG j), Trans } ∈ set evs ∧ Gets M (EncB (priSK (PG j)) KP (pubEK M) {Number LID_M, Number XID, Number PurchAmt} authCode) ∈ set evs ∧ Says M C (sign (priSK M) MsgPRes) ∈ set evs" apply clarify apply (erule rev_mp) apply (erule rev_mp) apply (erule set_pur.induct) apply (frule_tac [9] AuthReq_msg_in_parts_spies) 🍋 ‹AuthReq› apply simp_all apply blast apply blast apply (blast dest: PRes_imp_LID_used) apply (frule M_Notes_PG, auto) apply (blast dest: unique_LID_M) done text‹When the Cardholder receives Purchase Response from an uncompromised Merchant, he knows that M sent it. He also knows that M received a message signed by a Payment Gateway chosen by M to authorize the purchase.› theorem C_verifies_PRes: "[| MsgPRes = \ Hash (Number PurchAmt)}; Gets C (sign (priSK M) MsgPRes) ∈ set evs; Notes C {Number LID_M, Agent M, Agent C, Number OrderDesc, Number PurchAmt} ∈ set evs; evs ∈ set_pur; M ∉ bad|] ==> ∃P KP trans. Notes M {Number LID_M,Agent P, trans} ∈ set evs ∧ Gets M (EncB (priSK P) KP (pubEK M) {Number LID_M, Number XID, Number PurchAmt} authCode) ∈ set evs ∧ Says M C (sign (priSK M) MsgPRes) ∈ set evs" apply (rule C_verifies_PRes_lemma [THEN exE]) apply (auto simp add: sign_def) done subsection‹Proofs for Signed Purchases› text‹Some Useful Lemmas: the cardholder knows what he is doing› lemma Crypt_imp_Says_Cardholder: "[| Crypt K \ ∈ parts (knows Spy evs); PANData = {Pan (pan (Cardholder k)), Nonce (PANSecret k)}; Key K ∉ analz (knows Spy evs); evs ∈ set_pur|] ==> ∃M shash EK HPIData. Says (Cardholder k) M {{shash, Crypt K {{{Number LID_M, others}, Hash OIData}, Hash PANData}, Crypt EK {Key K, PANData}}, OIData, HPIData} ∈ set evs" apply (erule rev_mp) apply (erule rev_mp) apply (erule rev_mp) apply (erule set_pur.induct, analz_mono_contra) apply (frule_tac [9] AuthReq_msg_in_parts_spies) 🍋 ‹AuthReq› apply simp_all apply auto done lemma Says_PReqS_imp_trans_details_C: "[| MsgPReqS = \ Crypt K {{{Number LID_M, PIrest}, Hash OIData}, hashpd}, cryptek}, data}; Says (Cardholder k) M MsgPReqS ∈ set evs; evs ∈ set_pur |] ==> ∃trans. Notes (Cardholder k) {Number LID_M, Agent M, Agent (Cardholder k), trans} ∈ set evs" apply (erule rev_mp) apply (erule rev_mp) apply (erule set_pur.induct) apply (simp_all (no_asm_simp)) apply auto done text‹Can't happen: only Merchants create this type of Note\ lemma Notes_Cardholder_self_False: "[|Notes (Cardholder k) {Number n, Agent P, Agent (Cardholder k), Agent C, etc} ∈ set evs; evs ∈ set_pur|] ==> False" by (erule rev_mp, erule set_pur.induct, auto) text‹When M sees a dual signature, he knows that it originated with C. Using XID he knows it was intended for him. This guarantee isn't useful to P, who never gets OIData.\ theorem M_verifies_Signed_PReq: "[| MsgDualSign = \ OIData = {Number LID_M, etc}; Crypt (priSK C) (Hash MsgDualSign) ∈ parts (knows Spy evs); Notes M {Number LID_M, Agent P, extras} ∈ set evs; M = Merchant i; C = Cardholder k; C ∉ bad; evs ∈ set_pur|] ==> ∃PIData PICrypt. HPIData = Hash PIData ∧ Says C M {{sign (priSK C) MsgDualSign, PICrypt}, OIData, Hash PIData} ∈ set evs" apply clarify apply (erule rev_mp) apply (erule rev_mp) apply (erule set_pur.induct) apply (frule_tac [9] AuthReq_msg_in_parts_spies) 🍋 ‹AuthReq› apply simp_all apply blast apply (metis subsetD insert_subset parts.Fst parts_increasing signed_Hash_imp_used) apply (metis unique_LID_M) apply (blast dest!: Notes_Cardholder_self_False) done text‹When P sees a dual signature, he knows that it originated with C. and was intended for M. This guarantee isn't useful to M, who never gets PIData. I don't see how to link \<^term>\ assuming 🍋‹M ∉ bad›.› theorem P_verifies_Signed_PReq: "[| MsgDualSign = \ PIData = {PIHead, PANData}; PIHead = {Number LID_M, Number XID, HOD, Number PurchAmt, Agent M, TransStain}; Crypt (priSK C) (Hash MsgDualSign) ∈ parts (knows Spy evs); evs ∈ set_pur; C ∉ bad; M ∉ bad|] ==> ∃OIData OrderDesc K j trans. HOD = Hash{Number OrderDesc, Number PurchAmt} ∧ HOIData = Hash OIData ∧ Notes M {Number LID_M, Agent (PG j), trans} ∈ set evs ∧ Says C M {{sign (priSK C) MsgDualSign, EXcrypt K (pubEK (PG j)) {PIHead, Hash OIData} PANData}, OIData, Hash PIData} ∈ set evs" apply clarify apply (erule rev_mp) apply (erule set_pur.induct, simp_all) apply (auto dest!: C_gets_correct_PG) done lemma C_determines_EKj_signed: "[| Says C M \ EXcrypt K EKj {PIHead, X} Y}, Z} ∈ set evs; PIHead = {Number LID_M, Number XID, W}; C = Cardholder k; evs ∈ set_pur; M ∉ bad|] ==> ∃ trans j. Notes M {Number LID_M, Agent (PG j), trans} ∈ set evs ∧ EKj = pubEK (PG j)" apply clarify apply (erule rev_mp) apply (erule set_pur.induct, simp_all, auto) apply (blast dest: C_gets_correct_PG) done lemma M_Says_AuthReq: "[| AuthReqData = \ sign (priSK M) {AuthReqData, Hash P_I} ∈ parts (knows Spy evs); evs ∈ set_pur; M ∉ bad|] ==> ∃j trans KM. Notes M {Number LID_M, Agent (PG j), trans } ∈ set evs ∧ Says M (PG j) (EncB (priSK M) KM (pubEK (PG j)) AuthReqData P_I) ∈ set evs" apply (rule refl [THEN P_verifies_AuthReq, THEN exE]) apply (auto simp add: sign_def) done text‹A variant of ‹M_verifies_Signed_PReq› with explicit PI information. Even here we cannot be certain about what C sent to M, since a bad PG could have replaced the two key fields. (NOT USED)› lemma Signed_PReq_imp_Says_Cardholder: "[| MsgDualSign = \ OIData = {Number LID_M, Number XID, Nonce Chall_C, HOD, etc}; PIHead = {Number LID_M, Number XID, HOD, Number PurchAmt, Agent M, TransStain}; PIData = {PIHead, PANData}; Crypt (priSK C) (Hash MsgDualSign) ∈ parts (knows Spy evs); M = Merchant i; C = Cardholder k; C ∉ bad; evs ∈ set_pur|] ==> ∃KC EKj. Says C M {{sign (priSK C) MsgDualSign, EXcrypt KC EKj {PIHead, Hash OIData} PANData}, OIData, Hash PIData} ∈ set evs" apply clarify apply hypsubst_thin apply (erule rev_mp) apply (erule rev_mp) apply (erule set_pur.induct, simp_all, auto) done text‹When P receives an AuthReq and a dual signature, he knows that C and M agree on the essential details. PurchAmt however is never sent by M to P; instead C and M both send 🍋‹HOD = Hash{Number OrderDesc, Number PurchAmt}› and P compares the two copies of HOD. Agreement can't be proved for some things, including the symmetric keys used in the digital envelopes. On the other hand, M knows the true identity of PG (namely j'), and sends AReq there; he can't, however, check that the EXcrypt involves the correct PG's key. › theorem P_sees_CM_agreement: "[| AuthReqData = \ KC ∈ symKeys; Gets (PG j) (EncB (priSK M) KM (pubEK (PG j)) AuthReqData P_I) ∈ set evs; C = Cardholder k; PI_sign = sign (priSK C) {Hash PIData, HOIData}; P_I = {PI_sign, EXcrypt KC (pubEK (PG j)) {PIHead, HOIData} PANData}; PANData = {Pan (pan C), Nonce (PANSecret k)}; PIData = {PIHead, PANData}; PIHead = {Number LID_M, Number XID, HOD, Number PurchAmt, Agent M, TransStain}; evs ∈ set_pur; C ∉ bad; M ∉ bad|] ==> ∃OIData OrderDesc KM' trans j' KC' KC'' P_I' P_I''. HOD = Hash{Number OrderDesc, Number PurchAmt} ∧ HOIData = Hash OIData ∧ Notes M {Number LID_M, Agent (PG j'), trans\ Says C M {P_I', OIData, Hash PIData\ Says M (PG j') (EncB (priSK M) KM' (pubEK (PG j')) AuthReqData P_I'') ∈ set evs ∧ P_I' = \ EXcrypt KC' (pubEK (PG j')) {PIHead, Hash OIData} PANData} ∧ P_I'' = {PI_sign, EXcrypt KC'' (pubEK (PG j)) {PIHead, Hash OIData} PANData}" apply clarify apply (rule exE) apply (rule P_verifies_Signed_PReq [OF refl refl refl]) apply (simp (no_asm_use) add: sign_def EncB_def, blast) apply (assumption+, clarify, simp) apply (drule Gets_imp_knows_Spy [THEN parts.Inj], assumption) apply (blast elim: EncB_partsE dest: refl [THEN M_Says_AuthReq] unique_LID_M2) done end
¤ Dauer der Verarbeitung: 0.36 Sekunden ¤*© Formatika GbR, Deutschland |
|
||||||||||||||
2026-04-02