Theory m3_ds_par


  Project: Development of Security Protocols by Refinement

  Module:  Key_establish/m3_ds_par.thy (Isabelle/HOL 2016-1)
  ID:      $Id: m3_ds_par.thy 132890 2016-12-24 10:25:57Z csprenge $
  Authors: Christoph Sprenger, ETH Zurich <>
           Ivano Somaini, ETH Zurich <>

  Key distribution protocols
  Level 3: parallel version of Denning-Sacco protocol

  Copyright (c) 2009-2016 Christoph Sprenger, Ivano Somaini
  Licence: LGPL


section ‹Denning-Sacco, direct variant (L3)›

theory m3_ds_par imports m2_ds "../Refinement/Message"

text ‹
We model a direct implementation of the channel-based Denning-Sacco protocol
at Level 2. In this version, there is no ticket forwarding.
  \mathrm{M1.} & A \rightarrow S: & A, B \\ 
  \mathrm{M2a.} & S \rightarrow A: & \{Kab, B, Ts\}_{Kas} \\
  \mathrm{M2b.} & S \rightarrow B: & \{Kab, A, Ts\}_{Kbs}

text ‹Proof tool configuration. Avoid annoying automatic unfolding of

declare domIff [simp, iff del]

subsection ‹Setup›

text ‹Now we can define the initial key knowledge.›

overloading ltkeySetup'  ltkeySetup begin
definition ltkeySetup_def: "ltkeySetup'  {(sharK C, A) | C A. A = C  A = Sv}"

lemma corrKey_shrK_bad [simp]: "corrKey = shrK`bad"
by (auto simp add: keySetup_def ltkeySetup_def corrKey_def)

subsection ‹State›

text ‹The secure channels are star-shaped to/from the server.  Therefore,
we have only one agent in the relation.›

record m3_state = "m1_state" +
  IK :: "msg set"                                ― ‹intruder knowledge›

text ‹Observable state:
@{term "runs"}, @{term "leak"}, @{term "clk"}, and @{term "cache"}.›

  m3_obs = "m2_obs"

  m3_obs :: "m3_state  m3_obs" where
  "m3_obs s   runs = runs s, leak = leak s, clk = clk s "

  m3_pred = "m3_state set"

  m3_trans = "(m3_state × m3_state) set"

subsection ‹Events›

text ‹Protocol events.›

definition     ― ‹by @{term "A"}, refines @{term "m2_step1"}
  m3_step1 :: "[rid_t, agent, agent]  m3_trans"
  "m3_step1 Ra A B  {(s, s1).
    ― ‹guards:›
    Ra  dom (runs s)                                 ― ‹Ra› is fresh›

    ― ‹actions:›
    s1 = s
      runs := (runs s)(Ra  (Init, [A, B], [])),
      IK := insert Agent A, Agent B (IK s)        ― ‹send M1›

definition     ― ‹by @{term "B"}, refines @{term "m2_step2"}
  m3_step2 :: "[rid_t, agent, agent]  m3_trans"
  "m3_step2  m1_step2"

definition     ― ‹by @{text "Server"}, refines @{term m2_step3}
  m3_step3 :: "[rid_t, agent, agent, key, time]  m3_trans"
  "m3_step3 Rs A B Kab Ts  {(s, s1).
    ― ‹guards:›
    Rs  dom (runs s)                            ― ‹fresh server run›
    Kab = sesK (Rs$sk)                           ― ‹fresh session key›

     Agent A, Agent B  IK s                    ― ‹recv M1›
     Ts = clk s                                    ― ‹fresh timestamp›

     ― ‹actions:›
     ― ‹record session key and send M2›
     s1 = s
       runs := (runs s)(Rs  (Serv, [A, B], [aNum Ts])),   ― ‹send M2a›, M2b›
       IK := insert (Crypt (shrK A) Agent B, Key Kab, Number Ts)
             (insert (Crypt (shrK B) Key Kab, Agent A, Number Ts) (IK s))

definition     ― ‹by @{term "A"}, refines @{term m2_step4}
  m3_step4 :: "[rid_t, agent, agent, key, time]  m3_trans"
  "m3_step4 Ra A B Kab Ts  {(s, s1).

     ― ‹guards:›
     runs s Ra = Some (Init, [A, B], [])            ― ‹key not yet recv'd›

     Crypt (shrK A)                                  ― ‹recv M2›
       Agent B, Key Kab, Number Ts  IK s 

     ― ‹check freshness of session key›
     clk s < Ts + Ls 

     ― ‹actions:›
     ― ‹record session key›
     s1 = s
       runs := (runs s)(Ra  (Init, [A, B], [aKey Kab, aNum Ts]))

definition     ― ‹by @{term "B"}, refines @{term m2_step5}
  m3_step5 :: "[rid_t, agent, agent, key, time]  m3_trans"
  "m3_step5 Rb A B Kab Ts  {(s, s1).
     ― ‹guards:›
     runs s Rb = Some (Resp, [A, B], [])              ― ‹key not yet recv'd›

     Crypt (shrK B) Key Kab, Agent A, Number Ts  IK s     ― ‹recv M3›

     ― ‹ensure freshness of session key; replays with fresh authenticator ok!›
     clk s < Ts + Ls 

     ― ‹actions:›
     ― ‹record session key›
     s1 = s
       runs := (runs s)(Rb  (Resp, [A, B], [aKey Kab, aNum Ts]))

text ‹Clock tick event›

definition   ― ‹refines @{term "m2_tick"}
  m3_tick :: "time  m3_trans"
  "m3_tick  m1_tick"

text ‹Session key compromise.›

definition     ― ‹refines @{term m2_leak}
  m3_leak :: "rid_t  m3_trans"
  "m3_leak Rs  {(s, s1).
    ― ‹guards:›
    Rs  dom (runs s) 
    fst (the (runs s Rs)) = Serv          ― ‹compromise server run Rs›

    ― ‹actions:›
    ― ‹record session key as leaked and add it to intruder knowledge›
    s1 = s leak := insert (sesK (Rs$sk)) (leak s),
            IK := insert (Key (sesK (Rs$sk))) (IK s) 

text ‹Intruder fake event. The following "Dolev-Yao" event generates all
intruder-derivable messages.›

definition     ― ‹refines @{term "m2_fake"}
  m3_DY_fake :: "m3_trans"
  "m3_DY_fake  {(s, s1).

     ― ‹actions:›
     s1 = s IK := synth (analz (IK s))        ― ‹take DY closure›

subsection ‹Transition system›

  m3_init :: "m3_pred"
  "m3_init  { 
     runs = Map.empty,
     leak = shrK`bad,
     clk = 0,
     IK = Key`shrK`bad

  m3_trans :: "m3_trans" where
  "m3_trans  (A B Ra Rb Rs Kab Ts T.
     m3_step1 Ra A B 
     m3_step2 Rb A B 
     m3_step3 Rs A B Kab Ts 
     m3_step4 Ra A B Kab Ts 
     m3_step5 Rb A B Kab Ts 
     m3_tick T 
     m3_leak Rs 

  m3 :: "(m3_state, m3_obs) spec" where
    init = m3_init,
    trans = m3_trans,
    obs = m3_obs

lemmas m3_loc_defs =
  m3_def m3_init_def m3_trans_def m3_obs_def
  m3_step1_def m3_step2_def m3_step3_def m3_step4_def m3_step5_def
  m3_tick_def m3_leak_def m3_DY_fake_def

lemmas m3_defs = m3_loc_defs m2_defs

subsection ‹Invariants›

text ‹Specialized injection that we can apply more aggressively.›

lemmas analz_Inj_IK = analz.Inj [where H="IK s" for s]
lemmas parts_Inj_IK = parts.Inj [where H="IK s" for s]

declare parts_Inj_IK [dest!]

declare analz_into_parts [dest]

subsubsection ‹inv1: Secrecy of pre-distributed shared keys›

  m3_inv1_lkeysec :: "m3_pred"
  "m3_inv1_lkeysec  {s. C.
     (Key (shrK C)  parts (IK s)  C  bad) 
     (C  bad  Key (shrK C)  IK s)

lemmas m3_inv1_lkeysecI = m3_inv1_lkeysec_def [THEN setc_def_to_intro, rule_format]
lemmas m3_inv1_lkeysecE [elim] = m3_inv1_lkeysec_def [THEN setc_def_to_elim, rule_format]
lemmas m3_inv1_lkeysecD = m3_inv1_lkeysec_def [THEN setc_def_to_dest, rule_format]

text ‹Invariance proof.›

lemma PO_m3_inv1_lkeysec_init [iff]:
  "init m3  m3_inv1_lkeysec"
by (auto simp add: m3_defs intro!: m3_inv1_lkeysecI)

lemma PO_m3_inv1_lkeysec_trans [iff]:
  "{m3_inv1_lkeysec} trans m3 {> m3_inv1_lkeysec}"
by (fastforce simp add: PO_hoare_defs m3_defs intro!: m3_inv1_lkeysecI)

lemma PO_m3_inv1_lkeysec [iff]: "reach m3  m3_inv1_lkeysec"
by (rule inv_rule_incr) (fast+)

text ‹Useful simplifier lemmas›

lemma m3_inv1_lkeysec_for_parts [simp]:
  " s  m3_inv1_lkeysec   Key (shrK C)  parts (IK s)  C  bad"
by auto

lemma m3_inv1_lkeysec_for_analz [simp]:
  " s  m3_inv1_lkeysec   Key (shrK C)  analz (IK s)  C  bad"
by auto

subsubsection ‹inv3: Session keys not used to encrypt other session keys›

text ‹Session keys are not used to encrypt other keys. Proof requires
generalization to sets of session keys.

NOTE: This invariant will be derived from the corresponding L2 invariant
using the simulation relation.

  m3_inv3_sesK_compr :: "m3_pred"
  "m3_inv3_sesK_compr  {s. K KK.
     KK  range sesK 
     (Key K  analz (Key`KK  (IK s))) = (K  KK  Key K  analz (IK s))

lemmas m3_inv3_sesK_comprI = m3_inv3_sesK_compr_def [THEN setc_def_to_intro, rule_format]
lemmas m3_inv3_sesK_comprE = m3_inv3_sesK_compr_def [THEN setc_def_to_elim, rule_format]
lemmas m3_inv3_sesK_comprD = m3_inv3_sesK_compr_def [THEN setc_def_to_dest, rule_format]

text ‹Additional lemma›
lemmas insert_commute_Key = insert_commute [where x="Key K" for K]

lemmas m3_inv3_sesK_compr_simps =
  m3_inv3_sesK_comprD [where KK="insert Kab KK" for Kab KK, simplified]
  m3_inv3_sesK_comprD [where KK="{Kab}" for Kab, simplified]

subsection ‹Refinement›

subsubsection ‹Message abstraction and simulation relation›

text ‹Abstraction function on sets of messages.›

  abs_msg :: "msg set  chmsg set"
  for H :: "msg set"
    "Agent A, Agent B  H
   Insec A B (Msg [])  abs_msg H"
| am_M2a:
    "Crypt (shrK C) Agent B, Key K, Number T  H
   Secure Sv C (Msg [aAgt B, aKey K, aNum T])  abs_msg H"
| am_M2b:
    "Crypt (shrK C) Key K, Agent A, Number T  H
   Secure Sv C (Msg [aKey K, aAgt A, aNum T])  abs_msg H"

text ‹R23: The simulation relation. This is a data refinement of
the insecure and secure channels of refinement 2.›

  R23_msgs :: "(m2_state × m3_state) set" where
  "R23_msgs  {(s, t). abs_msg (parts (IK t))  chan s }"

  R23_keys :: "(m2_state × m3_state) set" where
  "R23_keys  {(s, t). KK K. KK  range sesK 
     Key K  analz (Key`KK  (IK t))  aKey K  extr (aKey`KK  ik0) (chan s)

  R23_pres :: "(m2_state × m3_state) set" where
  "R23_pres  {(s, t). runs s = runs t  leak s = leak t  clk s = clk t}"

  R23 :: "(m2_state × m3_state) set" where
  "R23  R23_msgs  R23_keys  R23_pres"

lemmas R23_defs =
  R23_def R23_msgs_def R23_keys_def R23_pres_def

text ‹The mediator function is the identity here.›

  med32 :: "m3_obs  m2_obs" where
  "med32  id"

lemmas R23_msgsI = R23_msgs_def [THEN rel_def_to_intro, simplified, rule_format]
lemmas R23_msgsE [elim] = R23_msgs_def [THEN rel_def_to_elim, simplified, rule_format]

lemmas R23_keysI = R23_keys_def [THEN rel_def_to_intro, simplified, rule_format]
lemmas R23_keysE [elim] = R23_keys_def [THEN rel_def_to_elim, simplified, rule_format]

lemmas R23_presI = R23_pres_def [THEN rel_def_to_intro, simplified, rule_format]
lemmas R23_presE [elim] = R23_pres_def [THEN rel_def_to_elim, simplified, rule_format]

lemmas R23_intros = R23_msgsI R23_keysI R23_presI

text ‹Simplifier lemmas for various instantiations (for keys).›

lemmas R23_keys_simp = R23_keys_def [THEN rel_def_to_dest, simplified, rule_format]
lemmas R23_keys_simps =
  R23_keys_simp [where KK="{}", simplified]
  R23_keys_simp [where KK="{K'}" for K', simplified]
  R23_keys_simp [where KK="insert K' KK" for K' KK, simplified, OF _ conjI]

subsubsection ‹General lemmas›

text ‹General facts about @{term "abs_msg"}

declare abs_msg.intros [intro!]
declare abs_msg.cases [elim!]

lemma abs_msg_empty: "abs_msg {} = {}"
by (auto)

lemma abs_msg_Un [simp]:
  "abs_msg (G  H) = abs_msg G  abs_msg H"
by (auto)

lemma abs_msg_mono [elim]:
  " m  abs_msg G; G  H   m  abs_msg H"
by (auto)

lemma abs_msg_insert_mono [intro]:
  " m  abs_msg H   m  abs_msg (insert m' H)"
by (auto)

text ‹Facts about @{term "abs_msg"} concerning abstraction of fakeable
messages. This is crucial for proving the refinement of the intruder event.›

lemma abs_msg_DY_subset_fakeable:
  " (s, t)  R23_msgs; (s, t)  R23_keys; t  m3_inv1_lkeysec 
   abs_msg (synth (analz (IK t)))  fake ik0 (dom (runs s)) (chan s)"
apply (auto)
― ‹4 subgoals, deal with replays first›
apply (blast)
defer 1 apply (blast)
― ‹remaining 2 subgoals are real fakes›
apply (rule fake_StatCh, auto simp add: R23_keys_simps)+

subsubsection ‹Refinement proof›

text ‹Pair decomposition. These were set to \texttt{elim!}, which is too
agressive here.›

declare MPair_analz [rule del, elim]
declare MPair_parts [rule del, elim]

text ‹Protocol events.›

lemma PO_m3_step1_refines_m2_step1:
     (m2_step1 Ra A B), (m3_step1 Ra A B)
   {> R23}"
by (auto simp add: PO_rhoare_defs R23_def m3_defs intro!: R23_intros)

lemma PO_m3_step2_refines_m2_step2:
     (m2_step2 Rb A B), (m3_step2 Rb A B)
   {> R23}"
by (auto simp add: PO_rhoare_defs R23_def m3_defs intro!: R23_intros)

lemma PO_m3_step3_refines_m2_step3:
  "{R23  (m2_inv3a_sesK_compr) × (m3_inv3_sesK_compr  m3_inv1_lkeysec)}
     (m2_step3 Rs A B Kab Ts), (m3_step3 Rs A B Kab Ts)
   {> R23}"
proof -
  { fix s t
    assume H:
      "(s, t)  R23_msgs" "(s, t)  R23_keys" "(s, t)  R23_pres"
      "s  m2_inv3a_sesK_compr" "t  m3_inv3_sesK_compr" "t  m3_inv1_lkeysec"
      "Kab = sesK (Rs$sk)" "Rs  dom (runs t)"
      " Agent A, Agent B   parts (IK t)"
    let ?s'=
      "s runs := (runs s)(Rs  (Serv, [A, B], [aNum (clk t)])),
          chan := insert (Secure Sv A (Msg [aAgt B, aKey Kab, aNum (clk t)]))
                 (insert (Secure Sv B (Msg [aKey Kab, aAgt A, aNum (clk t)])) (chan s)) "
    let ?t'=
      "t runs := (runs t)(Rs  (Serv, [A, B], [aNum (clk t)])),
          IK := insert
                  (Crypt (shrK A)  Agent B, Key Kab, Number (clk t) )
                  (Crypt (shrK B)  Key Kab, Agent A, Number (clk t) )
                (IK t)) "
    have "(?s', ?t')  R23_msgs" using H
    by (-) (rule R23_intros, auto)
    have "(?s', ?t')  R23_keys" using H
    by (-) (rule R23_intros,
            auto simp add: m2_inv3a_sesK_compr_simps m3_inv3_sesK_compr_simps,
            auto simp add: R23_keys_simps)
    have "(?s', ?t')  R23_pres" using H
    by (-) (rule R23_intros, auto)
    note calculation
  thus ?thesis
  by  (auto simp add: PO_rhoare_defs R23_def m3_defs)

lemma PO_m3_step4_refines_m2_step4:
  "{R23  UNIV × (m3_inv1_lkeysec)}
     (m2_step4 Ra A B Kab Ts), (m3_step4 Ra A B Kab Ts)
   {> R23}"
by (auto simp add: PO_rhoare_defs R23_def m3_defs intro!: R23_intros)

lemma PO_m3_step5_refines_m2_step5:
     (m2_step5 Rb A B Kab Ts), (m3_step5 Rb A B Kab Ts)
   {> R23}"
by (auto simp add: PO_rhoare_defs R23_def m3_defs intro!: R23_intros)

lemma PO_m3_tick_refines_m2_tick:
     (m2_tick T), (m3_tick T)
by (auto simp add: PO_rhoare_defs R23_def m3_defs intro!: R23_intros)

text ‹Intruder events.›

lemma PO_m3_leak_refines_m2_leak:
     (m2_leak Rs), (m3_leak Rs)
by (auto simp add: PO_rhoare_defs R23_def m3_defs  intro!: R23_intros)
   (auto simp add: R23_keys_simps)

lemma PO_m3_DY_fake_refines_m2_fake:
  "{R23  UNIV × (m3_inv1_lkeysec)}
     m2_fake, m3_DY_fake
   {> R23}"
apply (auto simp add: PO_rhoare_defs R23_def m3_defs intro!: R23_intros
            del: abs_msg.cases)
apply (auto intro: abs_msg_DY_subset_fakeable [THEN subsetD]
            del: abs_msg.cases)
apply (auto simp add: R23_keys_simps)

text ‹All together now...›

lemmas PO_m3_trans_refines_m2_trans =
  PO_m3_step1_refines_m2_step1 PO_m3_step2_refines_m2_step2
  PO_m3_step3_refines_m2_step3 PO_m3_step4_refines_m2_step4
  PO_m3_step5_refines_m2_step5 PO_m3_tick_refines_m2_tick
  PO_m3_leak_refines_m2_leak PO_m3_DY_fake_refines_m2_fake

lemma PO_m3_refines_init_m2 [iff]:
  "init m3  R23``(init m2)"
by (auto simp add: R23_def m3_defs intro!: R23_intros)

lemma PO_m3_refines_trans_m2 [iff]:
  "{R23  (m2_inv3a_sesK_compr) × (m3_inv3_sesK_compr  m3_inv1_lkeysec)}
     (trans m2), (trans m3)
   {> R23}"
by (auto simp add: m3_def m3_trans_def m2_def m2_trans_def)
   (blast intro!: PO_m3_trans_refines_m2_trans)+

lemma PO_m3_observation_consistent [iff]:
  "obs_consistent R23 med32 m2 m3"
by (auto simp add: obs_consistent_def R23_def med32_def m3_defs)

text ‹Refinement result.›

lemma m3_refines_m2 [iff]:
     (R23  (m2_inv3a_sesK_compr) × (m3_inv1_lkeysec))
     med32 m2 m3"
proof -
  have "R23  m2_inv3a_sesK_compr × UNIV  UNIV × m3_inv3_sesK_compr"
    by (auto simp add: R23_def R23_keys_simps intro!: m3_inv3_sesK_comprI)
  thus ?thesis
    by (-) (rule Refinement_using_invariants, auto)

lemma m3_implements_m2 [iff]:
  "implements med32 m2 m3"
by (rule refinement_soundness) (auto)
