Breaking and fixing public-key Kerberos
Saved in:
| Title: | Breaking and fixing public-key Kerberos |
|---|---|
| Authors: | Cervesato, Iliano1, Jaggard, Aaron D.2, Scedrov, Andre3, Tsay, Joe-Kai3 jetsay@math.upenn.edu, Walstad, Christopher4 |
| Source: | Information & Computation. Feb2008, Vol. 206 Issue 2-4, p402-424. 23p. |
| Subjects: | Computer network protocols, Microsoft Windows device drivers (Computer programs), Authentication (Law), Data protection |
| Abstract: | Abstract: We report on a man-in-the-middle attack on PKINIT, the public key extension of the widely deployed Kerberos 5 authentication protocol. This flaw allows an attacker to impersonate Kerberos administrative principals (KDC) and end-servers to a client, hence breaching the authentication guarantees of Kerberos. It also gives the attacker the keys that the KDC would normally generate to encrypt the service requests of this client, hence defeating confidentiality as well. The discovery of this attack caused the IETF to change the specification of PKINIT and Microsoft to release a security update for some Windows operating systems. We discovered this attack as part of an ongoing formal analysis of the Kerberos protocol suite, and we have formally verified several possible fixes to PKINIT—including the one adopted by the IETF—that prevent our attack as well as other authentication and secrecy properties of Kerberos with PKINIT. [Copyright &y& Elsevier] |
| Copyright of Information & Computation is the property of Academic Press Inc. and its content may not be copied or emailed to multiple sites without the copyright holder's express written permission. Additionally, content may not be used with any artificial intelligence tools or machine learning technologies. However, users may print, download, or email articles for individual use. This abstract may be abridged. No warranty is given about the accuracy of the copy. Users should refer to the original published version of the material for the full abstract. (Copyright applies to all Abstracts.) | |
| Database: | Engineering Source |
| FullText | Text: Availability: 0 |
|---|---|
| Header | DbId: egs DbLabel: Engineering Source An: 31289033 AccessLevel: 6 PubType: Academic Journal PubTypeId: academicJournal PreciseRelevancyScore: 0 |
| IllustrationInfo | |
| Items | – Name: Title Label: Title Group: Ti Data: Breaking and fixing public-key Kerberos – Name: Author Label: Authors Group: Au Data: <searchLink fieldCode="AR" term="%22Cervesato%2C+Iliano%22">Cervesato, Iliano</searchLink><relatesTo>1</relatesTo><br /><searchLink fieldCode="AR" term="%22Jaggard%2C+Aaron+D%2E%22">Jaggard, Aaron D.</searchLink><relatesTo>2</relatesTo><br /><searchLink fieldCode="AR" term="%22Scedrov%2C+Andre%22">Scedrov, Andre</searchLink><relatesTo>3</relatesTo><br /><searchLink fieldCode="AR" term="%22Tsay%2C+Joe-Kai%22">Tsay, Joe-Kai</searchLink><relatesTo>3</relatesTo><i> jetsay@math.upenn.edu</i><br /><searchLink fieldCode="AR" term="%22Walstad%2C+Christopher%22">Walstad, Christopher</searchLink><relatesTo>4</relatesTo> – Name: TitleSource Label: Source Group: Src Data: <searchLink fieldCode="JN" term="%22Information+%26+Computation%22">Information & Computation</searchLink>. Feb2008, Vol. 206 Issue 2-4, p402-424. 23p. – Name: Subject Label: Subjects Group: Su Data: <searchLink fieldCode="DE" term="%22Computer+network+protocols%22">Computer network protocols</searchLink><br /><searchLink fieldCode="DE" term="%22Microsoft+Windows+device+drivers+%28Computer+programs%29%22">Microsoft Windows device drivers (Computer programs)</searchLink><br /><searchLink fieldCode="DE" term="%22Authentication+%28Law%29%22">Authentication (Law)</searchLink><br /><searchLink fieldCode="DE" term="%22Data+protection%22">Data protection</searchLink> – Name: Abstract Label: Abstract Group: Ab Data: Abstract: We report on a man-in-the-middle attack on PKINIT, the public key extension of the widely deployed Kerberos 5 authentication protocol. This flaw allows an attacker to impersonate Kerberos administrative principals (KDC) and end-servers to a client, hence breaching the authentication guarantees of Kerberos. It also gives the attacker the keys that the KDC would normally generate to encrypt the service requests of this client, hence defeating confidentiality as well. The discovery of this attack caused the IETF to change the specification of PKINIT and Microsoft to release a security update for some Windows operating systems. We discovered this attack as part of an ongoing formal analysis of the Kerberos protocol suite, and we have formally verified several possible fixes to PKINIT—including the one adopted by the IETF—that prevent our attack as well as other authentication and secrecy properties of Kerberos with PKINIT. [Copyright &y& Elsevier] – Name: AbstractSuppliedCopyright Label: Group: Ab Data: <i>Copyright of Information & Computation is the property of Academic Press Inc. and its content may not be copied or emailed to multiple sites without the copyright holder's express written permission. Additionally, content may not be used with any artificial intelligence tools or machine learning technologies. However, users may print, download, or email articles for individual use. This abstract may be abridged. No warranty is given about the accuracy of the copy. Users should refer to the original published version of the material for the full abstract.</i> (Copyright applies to all Abstracts.) |
| PLink | https://search.ebscohost.com/login.aspx?direct=true&site=eds-live&db=egs&AN=31289033 |
| RecordInfo | BibRecord: BibEntity: Identifiers: – Type: doi Value: 10.1016/j.ic.2007.05.005 Languages: – Code: eng Text: English PhysicalDescription: Pagination: PageCount: 23 StartPage: 402 Subjects: – SubjectFull: Computer network protocols Type: general – SubjectFull: Microsoft Windows device drivers (Computer programs) Type: general – SubjectFull: Authentication (Law) Type: general – SubjectFull: Data protection Type: general Titles: – TitleFull: Breaking and fixing public-key Kerberos Type: main BibRelationships: HasContributorRelationships: – PersonEntity: Name: NameFull: Cervesato, Iliano – PersonEntity: Name: NameFull: Jaggard, Aaron D. – PersonEntity: Name: NameFull: Scedrov, Andre – PersonEntity: Name: NameFull: Tsay, Joe-Kai – PersonEntity: Name: NameFull: Walstad, Christopher IsPartOfRelationships: – BibEntity: Dates: – D: 01 M: 02 Text: Feb2008 Type: published Y: 2008 Identifiers: – Type: issn-print Value: 08905401 Numbering: – Type: volume Value: 206 – Type: issue Value: 2-4 Titles: – TitleFull: Information & Computation Type: main |
| ResultId | 1 |