Cryptographically Sound Security Proofs for Basic and Public-Key Kerberos

  • M. Backes
  • I. Cervesato
  • A. D. Jaggard
  • A. Scedrov
  • J.-K. Tsay
Part of the Lecture Notes in Computer Science book series (LNCS, volume 4189)


We present a computational analysis of basic Kerberos and Kerberos with public-key authentication (PKINIT) in which we consider authentication and key secrecy properties. Our proofs rely on the Dolev-Yao style model of Backes, Pfitzmann and Waidner, which allows for mapping results obtained symbolically within this model to cryptographically sound proofs if certain assumptions are met. This is the most complex fragment of an industrial protocol that has yet been verified at the computational level. Considering a recently fixed version of PKINIT, we extend symbolic correctness results we previously attained in the Dolev-Yao model to cryptographically sound results in the computational model.


Keywords: Authentication Service, Springer LNCS, Protocol Machine, Service Ticket, Cryptographic Implementation





Copyright information

© Springer-Verlag Berlin Heidelberg 2006

Authors and Affiliations

  • M. Backes (1)
  • I. Cervesato (2)
  • A. D. Jaggard (3)
  • A. Scedrov (4)
  • J.-K. Tsay (4)

  1. Saarland University
  2. Deductive Solutions
  3. Tulane University
  4. University of Pennsylvania
