Nonce-based Kerberos is a Secure Delegated AKE Protocol

Kerberos is one of the most important cryptographic protocols, first because it is the basisc authentication protocol in Microsoft\u27s Active Directory and shipped with every major operating system, and second because it served as a model for all Single-Sign-On protocols (e.g. SAML, OpenID, MS Cardspace, OpenID Connect). Its security has been confirmed with several Dolev-Yao style proofs, and attacks on certain versions of the protocol have been described. However despite its importance, despite its longevity, and despite the wealth of Dolev-Yao-style security proofs, no reduction based security proof has been published until now. This has two reasons: (1) All widely accepted formal models either deal with two-party protocols, or group key agreement protocols (where all entities have the same role), but not with 3-party protocols where each party has a different role. (2) Kerberos uses timestamps and nonces, and formal security models for timestamps are not well understood up to now. As a step towards a full security proof of Kerberos, we target problem (1) here: We propose a variant of the Kerberos protocol, where nonces are used instead of timestamps. This requires one additional protocol message, but enables a proof in the standard Bellare-Rogaway (BR) model. The key setup and the roles of the different parties are identical to the original Kerberos protocol. For our proof, we only require that the authenticated encryption and the message authentication code (MAC) schemes are secure. Under these assumptions we show that the probability that a client or server process oracle accepts maliciously, and the advantage of an adversary trying to distinguish a real Kerberos session key from a random value, are both negligible. One main idea in the proof is to model the Kerberos server a a public oracle, so that we do not have to consider the security of the connection client--Kerberos. This idea is only applicable to the communication pattern adapted by Kerberos, and not to other 3-party patterns (e.g. EAP protocols)

A Reduction-Based Proof for Authentication and Session Key Security in 3-Party Kerberos

Kerberos is one of the earliest network security protocols, providing authentication between clients and servers with the assistance of trusted servers. It remains widely used, notably as the default authentication protocol in Microsoft Active Directory (thus shipped with every major operating system), and is the ancestor of modern single sign-on protocols like OAuth and OpenID Connect. There have been many analyses of Kerberos in the symbolic (Dolev--Yao) model, which is more amenable to computer-aided verification tools than the computational model, but also idealizes messages and cryptographic primitives more. Reduction-based proofs in the computational model can provide assurance against a richer class of adversaries, and proofs with concrete probability analyses help in picking security parameters, but Kerberos has had no such analyses to date. We give a reduction-based security proof of Kerberos authentication and key establishment, focusing on the mandatory 3-party mode. We show that it is a secure authentication protocol under standard assumptions on its encryption scheme; our results can be lifted to apply to quantum adversaries as well. As has been the case for other real-world authenticated key exchange (AKE) protocols, the standard AKE security notion of session key indistinguishability cannot be proven for Kerberos since the session key is used in the protocol itself, breaking indistinguishability. We provide two positive results despite this: we show that the standardized but optional sub-session mode of Kerberos does yield secure session keys, and that the hash of the main session key is also a secure session key under Krawczyk\u27s generalization of the authenticated and confidential channel establishment (ACCE) model

A Formal Analysis of Some Properties of Kerberos 5 Using MSR

We give three formalizations of the Kerberos 5 authentication protocol in the Multi-Set Rewriting (MSR) formalism. One is a high-level formalization containing just enough detail to prove authentication and confidentiality properties of the protocol. A second formalization refines this by adding a variety of protocol options; we similarly refine proofs of properties in the first formalization to prove properties of the second formalization. Our third formalization adds timestamps to the first formalization but has not been analyzed extensively. The various proofs make use of rank and corank functions, inspired by work of Schneider in CSP, and provide examples of reasoning about real-world protocols in MSR.We also note some potentially curious protocol behavior; given our positive results, this does not compromise the security of the protocol

Defining an approximation to formally verify cryptographic protocols

Electronic forms of communication are abundant in todays world, and much emphasis is placed on these methods of communication in every day life. In order to guarantee the secrecy and authenticity of information exchanged, it is vital to formally verify the cryptographic protocols used in these forms of communications. This verification does, however, present many challenges. The systems to verify are infinite, with an infinite number of sessions and of p articipants. As if this was not enough, there is also a reactive element to deal with: th e intruder. The intruder will attack the protocol to achieve his goal: usurping identity, stealing confidential information, etc. His behavior is unpredictable! This thesis describes a method of verification based 011 the verification of systems by approximation. Starting from an initial configuration of the network, an overapproximation of the set of messages exchanged is automatically computed. Secrecy and authentication properties can then be checked on the approximated system. Starting from an existing semi-automatic proof method developed by Genet and Klay, an automatic solution is developed. Starting from an existing semi-automatic proof method developed by Genet and Klay, an automatic solution is developed. This thesis defines a particular approximation function that can be generated automatically and that guarantees that the computation of the approximated system terminates. Th e verification by approximation only tells if properties are verified. When the verification fails no conclusion can be drawn on the property. Thus, this thesis also shows how the approximation technique can easily be combined with another verification technique to combine the strengths of both approaches. Finally, the tool developed to validate these developments and the results of cryptographic protocol verifications carried out in the course of this research are included

Model checking security protocols : a multiagent system approach

Security protocols specify the communication required to achieve security objectives, e.g., data-privacy. Such protocols are used in electronic media: e-commerce, e-banking, e-voting, etc. Formal verification is used to discover protocol-design flaws. In this thesis, we use a multiagent systems approach built on temporal-epistemic logic to model and analyse a bounded number of concurrent sessions of authentication and key-establishment protocols executing in a Dolev-Yao environment. We increase the expressiveness of classical, trace-based frameworks by mapping each protocol requirement into a hierarchy of temporal-epistemic formulae. To automate our methodology, we design and implement a tool called PD2IS. From a high-level protocol description, PD2IS produces our protocol model and the temporal-epistemic specifications of the protocol’s goals. This output is verified with the model checker MCMAS. We benchmark our methodology on various protocols drawn from standard repositories. We extend our approach to formalise protocols described by equations of cryptographic primitives. The core of this extension is an indistinguishability relation to accommodate the underlying protocol equations. Based on this relation, we introduce a knowledge modality and an algorithm to model check multiagent systems against it. These techniques are applied to verify e-voting protocols. Furthermore, we develop our methodology towards intrusion-detection techniques. We introduce the concept of detectability, i.e., the ability of protocol participants to detect jointly that the protocol is being attacked. We extend our formalisms and PD2IS to support detectability analysis. We model check several attack-prone protocols against their detectability specifications

Model Checking Security Protocols: A Multiagent System Approach

Security protocols specify the communication required to achieve security objectives, e.g., data-privacy. Such protocols are used in electronic media: e-commerce, e-banking, e-voting, etc. Formal verification is used to discover protocol-design flaws. In this thesis, we use a multiagent systems approach built on temporal-epistemic logic to model and analyse a bounded number of concurrent sessions of authentication and key-establishment protocols executing in a Dolev-Yao environment. We increase the expressiveness of classical, trace-based frameworks by mapping each protocol requirement into a hierarchy of temporal-epistemic formulae. To automate our methodology, we design and implement a tool called PD2IS. From a high-level protocol description, PD2IS produces our protocol model and the temporal-epistemic specifications of the protocol’s goals. This output is verified with the model checker MCMAS. We benchmark our methodology on various protocols drawn from standard repositories. We extend our approach to formalise protocols described by equations of cryptographic primitives. The core of this extension is an indistinguishability relation to accommodate the underlying protocol equations. Based on this relation, we introduce a knowledge modality and an algorithm to model check multiagent systems against it. These techniques are applied to verify e-voting protocols. Furthermore, we develop our methodology towards intrusion-detection techniques. We introduce the concept of detectability, i.e., the ability of protocol participants to detect jointly that the protocol is being attacked. We extend our formalisms and PD2IS to support detectability analysis. We model check several attack-prone protocols against their detectability specifications

Mechanising BAN Kerberos by the Inductive Method

Abstract. The version of Kerberos presented by Burrows et al. [5] is fully mechanised using the Inductive Method. Two models are presented, allowing respectively the leak of any session keys, and of expired session keys. Thanks to timestamping, the protocol provides the involved parties with strong guarantees in a realistically hostile environment. These guarantees are supported by the generic theorem prover Isabelle.