ABSTRACT
We present a computationally sound mechanized analysis of Kerberos 5, both with and without its public-key extension PKINIT. We prove authentication and key secrecy properties using the prover CryptoVerif, which works directly in the computational model; these are the first mechanical proofs of a full industrial protocol at the computational level. We also generalize the notion of key usability and use CryptoVerif to prove that this definition is satisfied by keys in Kerberos.
Index Terms
- Computationally sound mechanized proofs for basic and public-key Kerberos