Toward a secure Kerberos key exchange with smart cards

Public key Kerberos (PKINIT) is a standard authentication and key establishment protocol. Unfortunately, it suffers from a security flaw when combined with smart cards. In particular, temporary access to a user’s card enables an adversary to impersonate that user for an indefinite period of time, even after the adversary’s access to the card is revoked. In this paper, we extend Shoup’s key exchange security model to the smart card setting and examine PKINIT in this model. Using this formalization, we show that PKINIT is indeed flawed, propose a fix, and provide a proof that this fix leads to a secure protocol.
