A formal analysis of ome properties of kerberos 5 using MSR

Butler, Frederick; Cervesato, Iliano; Jaggard, Aaron D.; Scedrov, Andre

doi:10.1109/csfw.2002.1021815

Cited by 38 publications

(61 citation statements)

References 13 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Indeed an attacker could have replaced K BS (A, k) with an arbitrary message in an undetectable way. Such a behavior has been documented for Kerberos 5 [2].…”

Section: Two-party Key Distributionmentioning

confidence: 91%

See 1 more Smart Citation

Deriving Key Distribution Protocols and their Security Properties

Cervesato

Meadows

Pavlović

2006

View full text Add to dashboard Cite

We apply the derivational method of protocol verification to key distribution protocols. This method assembles the security properties of a protocol by composing the guarantees offered by embedded fragments and patterns. It has shed light on fundamental notions such as challenge-response and fed a growing taxonomy of protocols. Here, we similarly capture the essence of key distribution, authentication timestamps and key confirmation. With these building blocks, we derive the authentication properties of the Needham-Schroeder shared-key and the Denning-Sacco protocols, and of the cores of Kerberos 4 and 5.The main results of this research were obtained in 2003-04 and appeared in [3]. The present document collects proofs omitted for space reasons and unpublished background material.Cervesato was partially supported by ONR under Grant N000149910150; significant portions of this work were completed while he was at Tulane University. Pavlovic was supported by ONR N00014-03-C-0237 and by NSF CCR-0345397. Report Documentation Page Form Approved OMB No. 0704-0188Public reporting burden for the collection of information is estimated to average 1 hour per response, including the time for reviewing instructions, searching existing data sources, gathering and maintaining the data needed, and completing and reviewing the collection of information. Send comments regarding this burden estimate or any other aspect of this collection of information, including suggestions for reducing this burden, to Washington Headquarters Services, Directorate for Information Operations and Reports, 1215 Jefferson Davis Highway, Suite 1204, Arlington VA 22202-4302. Respondents should be aware that notwithstanding any other provision of law, no person shall be subject to a penalty for failing to comply with a collection of information if it does not display a currently valid OMB control number.

show abstract

“…Indeed an attacker could have replaced K BS (A, k) with an arbitrary message in an undetectable way. Such a behavior has been documented for Kerberos 5 [2].…”

Section: Two-party Key Distributionmentioning

confidence: 91%

“…A run of a process thus boils down to a Lamport order of actions. 2 We pointed out earlier that a process corresponds to a collection of strands. In the same vein, a run is akin to a bundle in the strand world [8].…”

Section: Execution Modelmentioning

confidence: 99%

Deriving Key Distribution Protocols and their Security Properties

Cervesato

Meadows

Pavlović

2006

View full text Add to dashboard Cite

show abstract

“…Butler et al [17,18] have analyzed the significant portions of the current version of Kerberos and its extensions in the symbolic approach (i.e. Dolev-Yao model [19]) and have formally verified that the design of Kerberos' current version meets the desired goals for the most parts.…”

Section: Motivationmentioning

confidence: 99%

Provable-security analysis of authenticated encryption in Kerberos

Boldyreva

Kumar

2011

IET Inf. Secur.

View full text Add to dashboard Cite

Kerberos is a widely-deployed network authentication protocol that is being considered for standardization. Many works have analyzed its security, identifying flaws and often suggesting fixes, thus helping the protocol's evolution. Several recent results present successful formal-methods-based verification of a significant portion of the current version 5, and some even imply security in the computational setting. For these results to be meaningful, encryption in Kerberos should satisfy strong cryptographic security notions. However, neither currently deployed as part of Kerberos encryption schemes nor their proposed revisions are known to provably satisfy such notions. We take a close look at Kerberos' encryption and confirm that most of the options in the current version provably provide privacy and authenticity, some with slight modification that we suggest. Our results complement the formal-methods-based analysis of Kerberos that justifies its current design.

show abstract

“…Our earlier work on Kerberos successfully employed formal methods for the verification of the authentication properties of basic intra-realm Kerberos 5 [7,8] and of cross-realm authentication [8,9]. Although our work is carried out by hand, a variety of automated approaches exist for symbolic proofs [10][11][12][13][14][15][16][17] and have also been applied to deployed protocols (e.g., [18][19][20]).…”

Section: Introductionmentioning

confidence: 99%

Breaking and Fixing Public-Key Kerberos

Cervesato

Jaggard

Scedrov

et al. 2007

Advances in Computer Science - ASIAN 2006. Secure Software and Related Issues

View full text Add to dashboard Cite

We report on a man-in-the-middle attack on PKINIT, the public key extension of the widely deployed Kerberos 5 authentication protocol. This flaw allows an attacker to impersonate Kerberos administrative principals (KDC) and end-servers to a client, hence breaching the authentication guarantees of Kerberos. It also gives the attacker the keys that the KDC would normally generate to encrypt the service requests of this client, hence defeating confidentiality as well. The discovery of this attack caused the IETF to change the specification of PKINIT and Microsoft to release a security update for some Windows operating systems. We discovered this attack as part of an ongoing formal analysis of the Kerberos protocol suite, and we have formally verified several possible fixes to PKINIT-including the one adopted by the IETF-that prevent our attack as well as other authentication and secrecy properties of Kerberos with PKINIT.

show abstract

A formal analysis of ome properties of kerberos 5 using MSR

Cited by 38 publications

References 13 publications

Deriving Key Distribution Protocols and their Security Properties

Deriving Key Distribution Protocols and their Security Properties

Provable-security analysis of authenticated encryption in Kerberos

Breaking and Fixing Public-Key Kerberos

Contact Info

Product

Resources

About