Bella, G., Riccobene, E.: Formal Analysis of the Kerberos Authentication System. J. Universal Comp. Sci. 3 (1997) 1337--1381
....a single login. Kerberos makes use of various tickets, encrypted under a server's key unknown to the user, which when forwarded in an appropriate request authenticate the user to the desired service. A formalization of Kerberos 4, the first publicly released version of this protocol, was given in [5] and has since been extended and thoroughly analyzed using an inductive approach [1, 2, 3, 4]. This analysis, through heavy reliance on the Isabelle theorem prover, yielded formal correctness proofs for a fairly detailed specification, and also highlighted a few minor Butler and Jaggard were ....
G. Bella and E. Riccobene, Formal Analysis of the Kerberos Authentication System, J. Universal Comp. Sci. 3 (1997), no. 12, 1337--1381.
....formalism. The studies chosen to be presented in this paper are representative of the studies examined; other studies were observed to have the same forms of incremental change as those presented in this paper. Studies that have been examined, but for brevity are not presented here include [21, 30, 8, 30, 31]. 4.1 OPN Case studies Object Petri Nets (OPNs) [33] have been applied to a number of practical case studies. In these case studies, minimal constraints were imposed on the uses of inheritance, so as to assess the extent to which theoretical proposals were applicable in practice. One case study ....
G. Bella and E. Riccobene, Formal Analysis of the Kerberos Authentication System, Journal of Universal Computer Science, vol. 3, iss. 12, pp. 1337-1381, 1997.
No context found.
G. Bella and E. Riccobene. Formal Analysis of the Kerberos Authentication System. Journal of Universal Computer Science, 3(12):1337--1381, 1997.
....agent can independently run his own program. We have tailored this variant to the analysis of cryptographic protocols. Initially, we modelled the Kerberos IV protocol using stepwise refinements in the presence of the spy. Confidentiality at the more detailed level was investigated by simulation [21]. This was the first formal specification of the semantical aspects of the protocol, obtained from the substantial informal documentation provided by its designers. It has significantly simplified the modelling phase of our mechanisation with theorem proving (see chapter 6). Then, we developed a ....
....fix, which can be formally verified to be effective. To our knowledge, this is the first mechanised modelling of the complete protocol. We have previously analysed the protocol by ASMs (2.1.4) formalising the actions of an unbounded population of agents by means of a detailed algebraic model [21]. Using that formal specification as a starting point rather than the informal one [77] significantly simplifies our work towards the inductive definition of the protocol model. Mitchell et al. [79] model check a highly simplified version of the protocol, which derives from Kohl et al. [57] ....
[Article contains additional citation context not shown here]
G. Bella and E. Riccobene. Formal Analysis of the Kerberos Authentication System. Journal of Universal Computer Science, 3(12):1337--1381, 1997.
....from electronic transactions over the Internet to banking transactions over financial networks make use of security protocols. It has been shown that the protocols often fail to meet their claimed goals [AN96,Low96] so a number of approaches for analysing them formally have been developed [Low95,BR97,Pau98,Bel99]. The threats to the protocols come from malicious principals who manage to monitor the network traffic building fake messages at will. A major protocol goal is confidentiality, confirming that a message remains undisclosed to malicious principals. Another crucial goal is ....
....is a protocol based on symmetric cryptography meant to distribute session keys with authentication over local area networks. The protocol has been developed in several variants (e.g. [MNSS89]) and also integrated with smart cards [IH99]. Here, we refer to the version by Bella and Riccobene [BR97]. [Fig. 5. The Kerberos layout.] The layout in figure 5 shows that Kerberos relies on two servers, the Kerberos Authentication Server (Kas in brief) and the Ticket Granting Server (Tgs in brief). The two servers are trusted, namely they are assumed to ....
G. Bella and E. Riccobene. Formal Analysis of the Kerberos Authentication System. Journal of Universal Computer Science, 3(12):1337--1381, 1997.
....to take advantage of the protocol goals. A major goal is confidentiality, which holds of a message that remains undisclosed to the spy. Failure to achieve the claimed goals of a protocol [AN96,Low96,LR97] has motivated a number of approaches to reasoning formally on security protocols (e.g. [Low95,BR97,Pau98,Bel99]). Our original contribution to formal protocol analysis is an approach to modelling any network configuration arising from the execution of a protocol as a soft constraint satisfaction problem (SCSP) and to detecting confidentiality attacks mounted by the spy in the given con ....
.... required by Lowe (§4.1) then the imputable SCSP corresponding to Lowe's attack is not generated by our procedure for building the imputable SCSPs (§3.5). 6 Conclusions and future work A number of approaches for reasoning formally about security protocols are available (e.g. [Low95,Pau98,Bel99,BR97]). We have developed a new approach based on soft constraints where confidentiality is not merely associated to a boolean value but to a discrete security level. This allows a finer reasoning on the confidentiality goals that one expects from a protocol. For example, let us consider the network con ....
G. Bella and E. Riccobene. Formal Analysis of the Kerberos Authentication System. Journal of Universal Computer Science, 3(12):1337-1381, 1997.
....replies to be not late w.r.t. this lifetime. A late reply would indicate some messages of the communication to be possibly faked. The first three lifetimes were introduced by the Athena Technical Plan [14]. The fourth is meant to safeguard Alice, and was suggested by the first author and Riccobene [3] from the observation that late server replies could indicate illegal actions to have been performed. Our model does not force agents to act. They could even reply late, but Alice would discard late replies. Note that temporal checks must involve timestamps. Therefore, saying that a session key ....
....kerberos ] Key ServKey ∉ analz (spies evs) 5 Related Work The approaches that have been tailored to the formal analysis of Kerberos Version IV are surprisingly not many. By contrast, a great number has been applied to the simpler BAN version. The first author and Riccobene analyse Version IV [3] by Gurevich's Abstract State Machine [7]. They use a detailed algebraic model to formalise all possible actions of honest agents, but the eavesdropper's potentialities are finite. Theorems are stated from the viewpoint of the single agent of an infinite set. Proofs are carried out by hand thanks to ....
G. Bella, E. Riccobene. Formal Analysis of the Kerberos Authentication System. Journal of Universal Computer Science: Special Issue on Gurevich's Abstract State Machine, Springer, 1997.
.... In H. Orman and C. Meadows, editors, DIMACS Workshop on Design and Formal Verification of Security Protocols, Rutgers University New Jersey (USA) September 1997. The inductive approach has also been tailored to analyse real world protocols. The first one tackled in this field is Kerberos [5, 1], whose analysis has required some effort for the mechanism of broadcast of a session key to the intended recipients which relies on the presence of two different trusted third parties. Kerberos is the first protocol relying on the use of timestamps (instead of nonces) to prevent the replay of ....
....et al. [3] was the only significant attempt, but showed very few properties and has been widely criticised. A complete formalisation pointing out rigorously all the numerous details of the operation of Kerberos has been only recently achieved by means of the Gurevich's Abstract State Machine [1], but lacks automation. That work has been the basis to ours, which is, to our knowledge, the first attempt to mechanise such a complex protocol. 3 The Inductive Method For the entire treatment of the method, we refer to [8]. Only some guidelines are given here. 3.1 Overview The inductive method ....
[Article contains additional citation context not shown here]
G. Bella, E. Riccobene. Formal Analysis of the Kerberos Authentication System. Journal of Universal Computer Science: Special Issue on Gurevich's Abstract State Machine, Springer, 1997.
....[17] by the exhaustive visit of all states that are reachable. It seems sensible that the best results can be achieved by using all approaches in combination. 1 In the sequel, "crypto protocol" is abbreviated to "protocol". After the successful attempt to formalise ad hoc a real world protocol [3] by Abstract State Machines (ASM) [10] the approach seemed promising. Hence, the authors have sketched a general framework for the analysis of any public key protocols [4]. Proofs are carried out on paper by induction, and have undertaken a mechanisation process by the theorem prover PVS. ....
Bella, G., Riccobene, E.: Formal Analysis of the Kerberos Authentication System. Journal of Universal Computer Science: Special Issue on Gurevich's Abstract State Machine 3(12) (1997) 1337--1381
....protocols: Needham-Schroeder (both shared key and public-key), Otway-Rees, Yahalom [8, 9, 10]. A new attack has been discovered in a variant of the Otway-Rees protocol. The inductive approach has also been tailored to analyse real world protocols. The first one tackled in this field is Kerberos [5, 1], whose analysis has required some effort for the mechanism of broadcast of a session key to the intended recipients which relies on the presence of two different trusted third parties. Kerberos is the first protocol relying on the ....
....et al. [3] was the only significant attempt, but showed very few properties and has been widely criticised. A complete formalisation pointing out rigorously all the numerous details of the operation of Kerberos has been only recently achieved by means of the Gurevich's Abstract State Machine [1], but lacks automation. That work has been the basis to ours, which is, to our knowledge, the first attempt to mechanise such a complex protocol. 3 The Inductive Method For the entire treatment of the method, we refer to [8]. Only some guidelines are given here. 3.1 Overview The inductive method ....
[Article contains additional citation context not shown here]
G. Bella, E. Riccobene. Formal Analysis of the Kerberos Authentication System. Journal of Universal Computer Science: Special Issue on Gurevich's Abstract State Machine, Springer, 1997.
....replies to be not late w.r.t. this lifetime. A late reply would indicate some messages of the communication to be possibly faked. The first three lifetimes were introduced by the Athena Technical Plan [14]. The fourth is meant to safeguard Alice, and was suggested by the first author and Riccobene [3] from the observation that late server replies could indicate illegal actions to have been performed. Our model does not force agents to act. They could even reply late, but Alice would discard late replies. Note that temporal checks must involve timestamps. Therefore, saying that a session key ....
.... ] Key ServKey ∉ analz (spies evs) 5 Related Work The approaches that have been tailored to the formal analysis of Kerberos Version IV are surprisingly not many. By contrast, a great number has been applied to the simpler BAN version. The first author and Riccobene analyse Version IV [3] by Gurevich's Abstract State Machine [7]. They use a detailed algebraic model to formalise all possible actions of honest agents, but the eavesdropper's potentialities are finite. Theorems are stated from the viewpoint of the single agent of an infinite set. Proofs are carried out by hand thanks ....
G. Bella, E. Riccobene. Formal Analysis of the Kerberos Authentication System. Journal of Universal Computer Science: Special Issue on Gurevich's Abstract State Machine, Springer, 1997.
....it seems widely accepted that induction is suitable to formally specify the goals of a crypto protocol. We believe that the little formal overhead of ASM models can galvanise the potentialities of induction. This is supported by the complete analysis of the Kerberos Authentication System [2], which verifies a possible attack by the eavesdropper of the network (called spy below). We present a general ASM model of spy that is independent from the protocol being analysed. The model poses no limit to the spy's knowledge, thus exceeding the limits of state enumeration, and is plainly ....
Bella, G., Riccobene, E.: Formal Analysis of the Kerberos Authentication System. Journal of Universal Computer Science: Special Issue on Gurevich's Abstract State Machine 3(12) (1997) 1337--1381
No context found.
Bella, G., Riccobene, E.: Formal Analysis of the Kerberos Authentication System. J. Universal Comp. Sci. 3 (1997) 1337--1381
No context found.
G. Bella and E. Riccobene, Formal Analysis of the Kerberos Authentication System, J. Universal Comp. Sci. 3 (1997), no. 12, 1337--1381.
No context found.
G. Bella and E. Riccobene, Formal Analysis of the Kerberos Authentication System, J. Universal Comp. Sci. 3 (1997), no. 12, 1337--1381.
No context found.
G. Bella and E. Riccobene, Formal Analysis of the Kerberos Authentication System, J. Universal Comp. Sci. 3 (1997), no. 12, 1337--1381.
No context found.
G. Bella and E. Riccobene, Formal Analysis of the Kerberos Authentication System, J. Universal Comp. Sci. 3 (1997), no. 12, 1337--1381.