Provable-Security Analysis of Authenticated Encryption in Kerberos

Kerberos is a widely deployed network authentication protocol currently being considered for standardisation. Many works have analysed its security, identifying flaws and often suggesting fixes, thus promoting the protocol's evolution. Several recent results present successful, formal methods-based verifications of a significant portion of the current version, v.5, and some even imply security in the computational setting. For these results to hold, encryption in Kerberos should satisfy strong cryptographic security notions. However, prior to the authors' work, none of the encryption schemes currently deployed as part of Kerberos, nor their proposed revisions, were known to provably satisfy such notions. The authors take a close look at Kerberos' encryption, and they confirm that most of the options in the current version provably provide privacy and authenticity, although some require slight modifications, which they suggest. The authors' results complement the formal methods-based analysis of Kerberos that justifies its current design.
