Refining Computationally Sound Mechanized Proofs for Kerberos
Abstract
Kerberos is designed to allow a user to repeatedly authenticate herself to multiple servers based on a single login. The PKINIT extension to Kerberos modifies the initial round of the protocol to use a PKI instead of long-term shared keys (e.g., password-derived keys). Especially with PKINIT, Kerberos uses a rich collection of cryptographic operations and constructs, and Kerberos, both with and without the PKINIT extension, is used in real-world settings (including Microsoft Windows). Kerberos is thus a great test case for protocol-analysis tools. The CryptoVerif prover works directly in the computational model to prove properties of protocols that are formalized as games. This talk will both survey some of our earlier work using CryptoVerif to analyze Kerberos, with and without PKINIT, and describe two recent extensions of this work. First, we briefly survey our work [1] to formalize all three rounds of Kerberos (with and without PKINIT) as games that CryptoVerif could analyze. This allowed us to prove, using CryptoVerif, authentication and secrecy properties under certain cryptographic assumptions (e.g., that the public-key encryption scheme satisfies IND-CCA2 security). This work included the definition of a version of key usability that was stronger than that originally given by Datta et al. [2]; the stronger version is amenable to being proved using CryptoVerif, and we showed that freshly generated keys in Kerberos are usable in this strong sense for IND-CCA2-secure encryption. Second, we describe more recent results that extend our initial work on key usability. We suggest the following definition of strong key usability for INT-CTXT-secure encryption; like our strong notion of IND-CCA2 usability, this definition can be captured in the language used by CryptoVerif.
Similar resources
Computationally Sound Mechanized Proof of PKINIT for Kerberos
Here we report initial results on the formalization and analysis, using the CryptoVerif tool [4, 5, 6], of the public-key extension to the Kerberos protocol, PKINIT [10]. This protocol provides a good test case for analysis techniques because it incorporates many different protocol design elements: symmetric and asymmetric encryption, digital signatures, and keyed hash functions. We are able to...
Technical Report: Computationally Sound Secrecy Proofs by Mechanized Flow Analysis
We present a novel approach for proving secrecy properties of security protocols by mechanized flow analysis. In contrast to existing tools for proving secrecy by abstract interpretation, our tool enjoys cryptographic soundness in the strong sense of blackbox reactive simulatability/UC which entails that secrecy properties proven by our tool are automatically guaranteed to hold for secure crypt...
Extending the Strand Space Method with Timestamps: Part II Application to Kerberos V
In this paper, we show how to use the novel extended strand space method to verify Kerberos V. First, we formally model novel semantical features in Kerberos V such as timestamps and protocol mixture in this new framework. Second, we apply unsolicited authentication test to prove its secrecy and authentication goals of Kerberos V. Our formalization and proof in this case study have been mechani...
Formal Proofs of Cryptographic Security of Diffie-Hellman-Based Protocols
We present axioms and inference rules for reasoning about Diffie-Hellman-based key exchange protocols and use these rules to prove authentication and secrecy properties of two important protocol standards, the Diffie-Hellman variant of Kerberos, and IKEv2, the revised standard key management protocol for IPSEC. The new proof system is sound for an accepted semantics used in cryptographic studie...
RFC 4430 KINK March 2006
This document describes the Kerberized Internet Negotiation of Keys (KINK) protocol. KINK defines a low-latency, computationally inexpensive, easily managed, and cryptographically sound protocol to establish and maintain security associations using the Kerberos authentication system. KINK reuses the Quick Mode payloads of the Internet Key Exchange (IKE), which should lead to substantial reuse o...