Verifying Confidentiality and Authentication in Kerberos 5

Butler, Frederick; Cervesato, Iliano; Jaggard, Aaron D.; Scedrov, Andre

doi:10.1007/978-3-540-37621-7_1

Cited by 6 publications

(14 citation statements)

References 8 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Most demonstrated approaches for proving security of complex network protocols, of the scale that appear in IEEE and IETF standards, use a simplified model of protocol execution based on symbolic computation and highly idealized cryptography [7,16,21,25]. However, proofs about symbolic computation do not provide the same level of assurance as proofs about probabilistic polynomial-time attacks.…”

Section: Related Workmentioning

confidence: 99%

Inductive trace properties for computational security

Datta

Derek

Mitchell

2010

JCS

View full text Add to dashboard Cite

Protocol authentication properties are generally trace-based, meaning that authentication holds for the protocol if authentication holds for individual traces (runs of the protocol and adversary). Computational secrecy conditions, on the other hand, often are not trace based: the ability to computationally distinguish a system that transmits a secret from one that does not is measured by overall success on the set of all traces of each system. Non-trace-based properties present a challenge for inductive or compositional methods: induction is a natural way of reasoning about traces of a system, but it does not appear directly applicable to non-trace properties. We therefore investigate the semantic connection between trace properties that could be established by induction and non-trace-based security requirements. Specifically, we prove that a certain trace property implies computational secrecy and authentication properties, assuming the encryption scheme provides chosen ciphertext security and ciphertext integrity. We also prove a similar theorem for computational secrecy assuming Decisional Diffie-Hellman and a chosen plaintext secure encryption scheme. A. Roy et al. / Inductive trace properties for computational securityAlice participated in the same session of the same protocol. However, many natural secrecy conditions in the computational model are not trace based.Computational indistinguishability, for example, requires that no computational observer can feasibly distinguish a situation in which a secret is transmitted from a situation in which some non-informative values are transmitted instead. If we look at a single trace, this gives no real information about how likely an observer is to succeed over the set of all traces. Instead, we must look at the probability distribution on traces, and determine the probability of success over the entire distribution. Computational indistinguishability and other non-trace properties present a challenge for proving secrecy properties of protocols, since trace-based properties are naturally amenable to induction on the length of a trace, while non-trace-based properties are not. If we assume inductively that a trace-based property holds, this means it holds for (almost) all traces, and we can consider the effect of adding one more step to each trace. If the effect preserves the property on each trace, then we conclude that the property holds for the protocol as a whole. Since this form of argument only works for trace-based properties, it does not appear applicable to important computational security properties.In this paper, we develop foundations for inductive proofs of computational security properties by proving connections between selected trace properties and useful non-trace properties. This effort is motivated by our interest in extending Computational Protocol Composition Logic (Computational PCL) [27,28,47,48] to computational secrecy properties, and using that logic to prove properties of standard and useful protocols. However, we do not develop the applica...

show abstract

Section: Related Workmentioning

confidence: 99%

Inductive trace properties for computational security

Datta

Derek

Mitchell

2010

JCS

View full text Add to dashboard Cite

show abstract

“…Our formulation is based on the A level formalization of Kerberos V5 in [12]. Kerberos provides mutual authentication and establishes keys between clients and application servers, using a sequence of two-message interactions with trusted parties called the Kerberos Authentication Server (KAS) and the Ticket Granting Server (TGS).…”

Section: Syntax and Semanticsmentioning

confidence: 99%

Inductive Proofs of Computational Secrecy

Roy

Datta

Derek

et al. 2007

Computer Security – ESORICS 2007

View full text Add to dashboard Cite

Abstract. Secrecy properties of network protocols assert that no probabilistic polynomial-time distinguisher can win a suitable game presented by a challenger. Because such properties are not determined by traceby-trace behavior of the protocol, we establish a trace-based protocol condition, suitable for inductive proofs, that guarantees a generic reduction from protocol attacks to attacks on underlying primitives. We use this condition to present a compositional inductive proof system for secrecy, and illustrate the system by giving a modular, formal proof of computational authentication and secrecy properties of Kerberos V5.

show abstract

“…In the symbolic model, protocol execution and the possible actions of an attacker are characterized using a symbolic model of computation that allows nondeterminism but does not incorporate probability or computational complexity bounds. In addition to many model checking and bug-finding efforts, there have been some significant correctness proofs carried using the symbolic model, including mechanically checked formal proofs [13,14], unformalized but mathematical proofs about a multiset rewriting model [15][16][17], and work using compositional formal logic approaches [18][19][20][21][22]. Several groups of researchers have taken steps to connect the symbolic model to the probabilistic polynomial-time computational model used in cryptographic studies, e.g., [23-29, 3, 4, 30].…”

Section: Introductionmentioning

confidence: 99%

Analysis of EAP-GPSK Authentication Protocol

Mitchell

Rowe

Scedrov

2008

Applied Cryptography and Network Security

Self Cite

View full text Add to dashboard Cite

Abstract. The EAP-GPSK protocol is a lightweight, flexible authentication protocol relying on symmetric key cryptography. It is part of an ongoing IETF process to develop authentication methods for the EAP framework. We analyze the protocol and find three weaknesses: a repairable Denial-of-Service attack, an anomaly with the key derivation function used to create a short-term master session key, and a ciphersuite downgrading attack. We propose fixes to these anomalies, and use a finite-state verification tool to search for remaining problems after making these repairs. We then prove the fixed version correct using a protocol verification logic. We discussed the attacks and our suggested fixes with the authors of the specification document which has subsequently been modified to include our proposed changes.

show abstract

Verifying Confidentiality and Authentication in Kerberos 5

Cited by 6 publications

References 8 publications

Inductive trace properties for computational security

Inductive trace properties for computational security

Inductive Proofs of Computational Secrecy

Analysis of EAP-GPSK Authentication Protocol

Contact Info

Product

Resources

About