Breaking and Fixing Public-Key Kerberos

  • Iliano Cervesato
  • Aaron D. Jaggard
  • Andre Scedrov
  • Joe-Kai Tsay
  • Christopher Walstad
Part of the Lecture Notes in Computer Science book series (LNCS, volume 4435)


We report on a man-in-the-middle attack on PKINIT, the public-key extension of the widely deployed Kerberos 5 authentication protocol. The flaw allows an attacker to impersonate the Kerberos administrative principal, the Key Distribution Center (KDC), and end-servers to a client, thereby breaching the authentication guarantees of Kerberos. It also gives the attacker the keys that the KDC would normally generate to encrypt the service requests of this client, defeating confidentiality as well. The discovery of this attack caused the IETF to change the specification of PKINIT and Microsoft to release a security update for some Windows operating systems. We discovered this attack as part of an ongoing formal analysis of the Kerberos protocol suite, and we have formally verified several possible fixes to PKINIT, including the one adopted by the IETF, that prevent our attack.
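The abstract states the effect of the attack (KDC impersonation plus disclosure of the reply key) but not its mechanics. The following symbolic model is an added illustration, not code from the authors or from any Kerberos implementation: it abstracts the public-key encryption mode of PKINIT as the flawed pre-RFC 4556 drafts structured it (the KDC's signed reply-key package covers only the fresh key and the client's nonce n2) and as RFC 4556 fixes it (the signed package covers the key and a checksum of the client's AS-REQ, which ties the reply to the client's own signed request). Cryptography is represented by tagged tuples in the Dolev-Yao style, the principal names C, I and KDC and all field names are assumptions, and the model omits the DH mode, timestamps checks and the TGS exchange. The attacker I is an ordinary principal with a valid certificate; it re-signs C's pre-authentication data under its own key, obtains the KDC's reply addressed to I, and re-encrypts the signed package for C.

```python
"""Symbolic (Dolev-Yao style) model of the PKINIT man-in-the-middle attack and of
the RFC 4556 fix.  Illustration only: tagged tuples stand in for real cryptography,
so this models message structure, not ciphertexts.  Not the authors' code."""
import hashlib
import itertools

_counter = itertools.count(1)


def fresh(label):
    """Fresh symbolic value (nonce or key) for one protocol run."""
    return f"{label}{next(_counter)}"


# --- symbolic cryptography -------------------------------------------------
def sign(signer, payload):
    return ("sig", signer, payload)


def verify(sig, signer):
    return isinstance(sig, tuple) and sig[0] == "sig" and sig[1] == signer


def pk_enc(recipient, payload):
    return ("penc", recipient, payload)


def pk_dec(blob, me):
    if blob[0] != "penc" or blob[1] != me:
        raise ValueError("not encrypted for me")
    return blob[2]


def sym_enc(key, payload):
    return ("senc", key, payload)


def sym_dec(blob, key):
    if blob[0] != "senc" or blob[1] != key:
        raise ValueError("wrong key")
    return blob[2]


def checksum(msg):
    return hashlib.sha256(repr(msg).encode()).hexdigest()


# --- protocol roles (assumed simplification of PKINIT public-key mode) ------
def client_request(c):
    """AS-REQ: client name, nonce n1, and signed pre-auth data (timestamp, n2)."""
    return {"cname": c, "n1": fresh("n1"),
            "pa": sign(c, (fresh("t"), fresh("n2")))}


def kdc_reply(req, bind_to_request):
    """AS-REP.  Flawed draft: KDC signs (k, n2).  RFC 4556: KDC signs (k, checksum(AS-REQ))."""
    if not verify(req["pa"], req["cname"]):
        raise ValueError("bad client signature")
    _t, n2 = req["pa"][2]
    k, ak = fresh("k"), fresh("AK")
    binder = checksum(req) if bind_to_request else n2
    signed = sign("KDC", (k, binder))
    return {"cname": req["cname"],
            "pa": pk_enc(req["cname"], signed),
            "tgt": ("tgt", req["cname"], ak),      # opaque to the client in reality
            "enc": sym_enc(k, (ak, req["n1"]))}


def client_accept(c, req, rep, bind_to_request):
    """Return the session key AK the client accepts, or None if it rejects the reply."""
    try:
        signed = pk_dec(rep["pa"], c)
        if not verify(signed, "KDC"):
            return None
        k, binder = signed[2]
        expected = checksum(req) if bind_to_request else req["pa"][2][1]
        if binder != expected:
            return None
        ak, n1 = sym_dec(rep["enc"], k)
    except ValueError:
        return None
    return ak if n1 == req["n1"] else None


def mitm(req_from_c, bind_to_request):
    """Attacker I (a legitimate principal) replays C's pre-auth data under I's own signature."""
    t, n2 = req_from_c["pa"][2]
    req_i = dict(req_from_c, cname="I", pa=sign("I", (t, n2)))
    rep_i = kdc_reply(req_i, bind_to_request)          # KDC believes it is talking to I
    signed = pk_dec(rep_i["pa"], "I")
    k, _binder = signed[2]
    ak, _n1 = sym_dec(rep_i["enc"], k)                 # I now knows k and AK
    rep_c = dict(rep_i, cname="C", pa=pk_enc("C", signed))  # re-wrap the KDC's package for C
    return rep_c, ak


def run_attack(bind_to_request):
    """(key accepted by C or None, key held by attacker)."""
    req = client_request("C")
    rep, attacker_ak = mitm(req, bind_to_request)
    return client_accept("C", req, rep, bind_to_request), attacker_ak


def run_honest(bind_to_request):
    """Sanity check: without an attacker both variants complete."""
    req = client_request("C")
    return client_accept("C", req, kdc_reply(req, bind_to_request), bind_to_request)


if __name__ == "__main__":
    print("flawed draft:", run_attack(False))  # C accepts an AK the attacker also holds
    print("RFC 4556:    ", run_attack(True))   # C rejects: first element is None
```

In the flawed variant the client's only check on the signed package is that n2 matches, which the attacker preserved, so C accepts a ticket issued to I together with a session key I knows. With the RFC 4556 binding, the checksum the KDC signed covers I's request (I's name and signature), so it cannot match the checksum C computes over its own request and the reply is rejected.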







Copyright information

© Springer-Verlag Berlin Heidelberg 2007

Authors and Affiliations

  • Iliano Cervesato, Carnegie Mellon University, Qatar
  • Aaron D. Jaggard, Tulane University, USA
  • Andre Scedrov, University of Pennsylvania, USA
  • Joe-Kai Tsay, University of Pennsylvania, USA
  • Christopher Walstad, University of Pennsylvania, USA
