Breaking and fixing public-key Kerberos

Authors:
Iliano Cervesato;Aaron D. Jaggard;Andre Scedrov;Joe-Kai Tsay;Christopher Walstad
Affiliations:
Carnegie Mellon University in Qatar, P.O. Box 42866, Doha, Qatar;DIMACS, Rutgers University, 96 Frelinghuysen Rd., Piscataway, NJ 08854;University of Pennsylvania, Department of Mathematics, 209 S. 33rd St., Philadelphia, PA 19104, USA;University of Pennsylvania, Department of Mathematics, 209 S. 33rd St., Philadelphia, PA 19104, USA;University of Pennsylvania, School of Engineering and Applied Science, 220 S. 33rd St., Philadelphia, PA 19104, USA
Venue:
Information and Computation
Year:
2008

Citing 25
Cited 15

A digital signature scheme secure against adaptive chosen-message attacks

SIAM Journal on Computing - Special issue on cryptography
Authentication and authenticated key exchanges

Designs, Codes and Cryptography
On the security of SPLICE/AS—the authentication system in WIDE Internet

Information Processing Letters
On the security of recent protocols

Information Processing Letters
Prudent Engineering Practice for Cryptographic Protocols

IEEE Transactions on Software Engineering
Using encryption for authentication in large networks of computers

Communications of the ACM
Breaking and Fixing the Needham-Schroeder Public-Key Protocol Using FDR

TACAs '96 Proceedings of the Second International Workshop on Tools and Algorithms for Construction and Analysis of Systems
Security Analysis of IKE's Signature-Based Key-Exchange Protocol

CRYPTO '02 Proceedings of the 22nd Annual International Cryptology Conference on Advances in Cryptology
From Secrecy to Authenticity in Security Protocols

SAS '02 Proceedings of the 9th International Symposium on Static Analysis
A Formal Analysis of Some Properties of Kerberos 5 Using MSR

CSFW '02 Proceedings of the 15th IEEE workshop on Computer Security Foundations
An Efficient Cryptographic Protocol Verifier Based on Prolog Rules

CSFW '01 Proceedings of the 14th IEEE workshop on Computer Security Foundations
A composable cryptographic library with nested operations

Proceedings of the 10th ACM conference on Computer and communications security
Multiset rewriting and the complexity of bounded security protocols

Journal of Computer Security
Analyzing security protocols with secrecy types and logic programs

Journal of the ACM (JACM)
Specifying Kerberos 5 cross-realm authentication

WITS '05 Proceedings of the 2005 workshop on Issues in the theory of security
A Computationally Sound Mechanized Prover for Security Protocols

SP '06 Proceedings of the 2006 IEEE Symposium on Security and Privacy
Cryptographically Sound Theorem Proving

CSFW '06 Proceedings of the 19th IEEE workshop on Computer Security Foundations
Formal analysis of Kerberos 5

Theoretical Computer Science - Automated reasoning for security protocol analysis
Finite-state analysis of SSL 3.0

SSYM'98 Proceedings of the 7th conference on USENIX Security Symposium - Volume 7
Computationally Sound Mechanized Proofs of Correspondence Assertions

CSF '07 Proceedings of the 20th IEEE Computer Security Foundations Symposium
Automated Security Protocol Analysis With the AVISPA Tool

Electronic Notes in Theoretical Computer Science (ENTCS)
Searching for shapes in cryptographic protocols

TACAS'07 Proceedings of the 13th international conference on Tools and algorithms for the construction and analysis of systems
Breaking and fixing public-key Kerberos

ASIAN'06 Proceedings of the 11th Asian computing science conference on Advances in computer science: secure software and related issues
The AVISPA tool for the automated validation of internet security protocols and applications

CAV'05 Proceedings of the 17th international conference on Computer Aided Verification
Cryptographically sound security proofs for basic and public-key kerberos

ESORICS'06 Proceedings of the 11th European conference on Research in Computer Security

Computationally sound mechanized proofs for basic and public-key Kerberos

Proceedings of the 2008 ACM symposium on Information, computer and communications security
Modular verification of security protocol code by typing

Proceedings of the 37th annual ACM SIGPLAN-SIGACT symposium on Principles of programming languages
Secure pseudonymous channels

ESORICS'09 Proceedings of the 14th European conference on Research in computer security
Inductive trace properties for computational security

Journal of Computer Security - 7th International Workshop on Issues in the Theory of Security (WITS'07)
A formal model of identity mixer

FMICS'10 Proceedings of the 15th international conference on Formal methods for industrial critical systems
Bounded memory Dolev-Yao adversaries in collaborative systems

FAST'10 Proceedings of the 7th International conference on Formal aspects of security and trust
Cryptographic verification by typing for a sample protocol implementation

Foundations of security analysis and design VI
Composition theorems without pre-established session identifiers

Proceedings of the 18th ACM conference on Computer and communications security
On-the-Fly trace generation and textual trace analysis and their applications to the analysis of cryptographic protocols

FMOODS'10/FORTE'10 Proceedings of the 12th IFIP WG 6.1 international conference and 30th IFIP WG 6.1 international conference on Formal Techniques for Distributed Systems
Security enhancement of the communication-efficient AUTHMAC_DH protocols

Security and Communication Networks
A security enhanced authentication and key distribution protocol for wireless networks

Security and Communication Networks
Privacy supporting cloud computing: confichair, a case study

POST'12 Proceedings of the First international conference on Principles of Security and Trust
New privacy issues in mobile telephony: fix and verification

Proceedings of the 2012 ACM conference on Computer and communications security
Privacy-supporting cloud computing by in-browser key translation

Journal of Computer Security - Security and Trust Principles
Union, intersection and refinement types and reasoning about type disjointness for secure protocol implementations

Journal of Computer Security - Foundational Aspects of Security

Quantified Score

Hi-index	0.01

Visualization

Abstract

We report on a man-in-the-middle attack on PKINIT, the public key extension of the widely deployed Kerberos 5 authentication protocol. This flaw allows an attacker to impersonate Kerberos administrative principals (KDC) and end-servers to a client, hence breaching the authentication guarantees of Kerberos. It also gives the attacker the keys that the KDC would normally generate to encrypt the service requests of this client, hence defeating confidentiality as well. The discovery of this attack caused the IETF to change the specification of PKINIT and Microsoft to release a security update for some Windows operating systems. We discovered this attack as part of an ongoing formal analysis of the Kerberos protocol suite, and we have formally verified several possible fixes to PKINIT-including the one adopted by the IETF-that prevent our attack as well as other authentication and secrecy properties of Kerberos with PKINIT.