Formal analysis of Kerberos 5

We report on the detailed verification of a substantial portion of the Kerberos 5 protocol specification. Because it targeted a deployed protocol rather than an academic abstraction, this multiyear effort led to the development of new analysis methods in order to manage the inherent complexity. This enabled proving that Kerberos supports the expected authentication and confidentiality properties, and that it is structurally sound; these results rely on a pair of intertwined inductions. Our work also detected a number of innocuous but nonetheless unexpected behaviors, and it clearly described how vulnerable the cross-realm authentication support of Kerberos is to the compromise of remote administrative domains.
