Extending the Strand Space Method with Timestamps: Part Ii Application to Kerberos V*

In this paper, we show how to use the novel extended strand space method to verify Kerberos V. First, we formally model novel semantical features in Kerberos V such as timestamps and protocol mixture in this new framework. Second, we apply unsolicited authentication test to prove its secrecy and authentication goals of Kerberos V. Our formalization and proof in this case study have been mechanized using Isabelle/HOL.


Introduction
The first version of Kerberos protocol was developed in the mid eighties as part of project Athena at MIT [1].Over twenty years, different versions of Kerberos protocols have evolved.Kerberos V (Figure 1 and Figure 2) is the latest version released by the Internet Engineering Task Force (IETF) [2].It is a passwordbased system for authentication and authorization over local area networks.It is designed with the following aims: once a client authenticates himself to a network machine, the process of obtaining authorization to access another network service should be completely transparent to him.Namely, the client only needs enter his password once during the authentication phase.
As we introduced in the previous paper [3], there are two novel semantic features in Kerberos V protocol.First, it uses timestamps to prevent replay attacks, so this deficiency of the strand space theory makes it difficult to analyze these protocols.Second, it is divided into three causally related multiple phases: authentication, authorization, and service protocol phases.One phase may be used to retrieve a ticket from a key distribution center, while a second phase is used to present the ticket to a security-aware server.To make matters more complex, Kerbeors uses timestamps to guarantee the recency of these tickets, that is, such tickets are only valid for an interval, and multiple sub-protocol sessions can start in parallel by the same agent using the same ticket if the ticket does not expire.Little work has been done to formalize both the timestamps and protocol mixture in a semantic framework.
The aim of this paper is practical.We hope to apply the extended theory in [3] to the analysis of Kerberos V protocol.Kerberos V is appropriate as our case study because it covers both timestamps and protocol mixture semantical features.
Structure of the Paper: Section 2 briefly introduces the overview of Kerberos V. Section 3 presents the formalization of Kerberos V.Sections 4 and 5 prove its secrecy and authentication goals.We discuss related work and conclude the paper in Section 6.

An Overview of Kerberos V
The protocol's layout and its message exchanging are presented in Figure 1 and Figure 2 separately.In the infrastructure of the Kerberos V protocol, there is a unique authentication server, and some (not necessarily only one) ticket granting servers.The latter assumption is different from that in [4], where only a unique ticket granting server exists.: ,  In order to access some network service, the client needs to communicate with two trusted servers Kas and Tgs.Kas is an authentication server (or the key distribution center) and it provides keys for communication between clients and ticket granting servers.Tgs is a ticket granting server and it provides keys for communication between clients and application servers.The full protocol has three phases each consisting of two messages between the client and one of the servers in turn.Messages 2 and 4 are different from those in Kerberos IV [1,4] in that nested encryption has been cancelled.Later we will show that this change does not affect goals of the protocol.
Detailed explanation about Kerberos V is delayed to Section 2, where the protocol is formalized in strand space model with our extensions.Here we only give an overview of the general principles to guarantee recency, secrecy and authentication in the design of Kerberos V.For recency, • A regular sender should attach a timestamp to indicate the time when the message is issued; usually such a message is of the form { } , , K t K K , where t is the time, K may be either a session key or long-term key.
• When a regular receiver the message { } , , K t K K first he need be ensured of K 's secrecy to guarantee that the message is not froged by the penetrator.Second he check the recency of the message by comparing the timestamp t with the reception time.More formally, if the receiving node is n , then ) (n time should be no later than ( ) cracktime K t + , meaning that this message cannot be cracked at ( ) time n , which in turn indicates that the message { } , , For an encrypted message { } K h , the secrecy of a part of the plain message h also comes from both the secrecy of K and the recency of the message { } K h itself.That is to say, when a regular receives { } K h at time t , it must be ensured that the aforementioned two conditions must be guaranteed until t .From this, we can see that recency and secrecy are closely related with each other in a timed protocol framework.
Unsolicited tests are the main mechanism to guarantee authentication.Because a guarantee of the existence of a regular node can be drawn from an unsolicited test, a regular agent uses unsolicited test to authenticate its regular protocol participant in Kerberos V. Now let us briefly review the main theoretical results in [3], which will be used in this work.For interesting readers, refer to [3] for preliminary definitions.
If an agent is not a penetrator then his shared key cannot be penetrated, which is formalized as follows: Axiom 1 If A ∉ Bad , then We will illustrate these general principles in detail in the next sections when we formalize the semantics and prove secrecy properties of Kerberos V.     .In the second phase, the situation is more complex.Both Tgs and A need to check whether their received messages are recent by the same mechanism.Furthermore, Tgs also need ensure a side condition that 1 sessionKcrktime shrKcracktime

Formalizing Kerberos V
to guarantee that the application server B only receives a recent service ticket.Informally speaking, this condition means that Tgs can guarantee any authK that he receives can only be compromised later than servK which is associated with the authK .We will comment this side condition in analysis in the third phase.At the end of this phase, A obtains a ticket servTicket and the session key servK to communicate with B .
3) Part III (Service Phase) i Tgs authK T t t i authTicket B T t t ∃ .
( ) where 0 sessionKcrktime S t T − ≤ .In the last phase, it is subtle for the application server B to check the recency of the message The authentication server Kas must obey the following principles to generate a session key authK : • authK must never be known initially to a penetrator, i.e., P K ∉ authK ; • authK must be uniquely originated; • authK is a symmetric key; • authK must not be the same as an agent's longterm shared key.
We summarize these principles as the following axiom: Axiom 4 For any authentication server strand as such that ≠ for any agent B .In the following two subsections, we verify the secrecy and authentication properties of Kerberos V. We use similar ways for representing these security properties as in [5].However, we may need formulate secrecy properties with temporal restrictions when we discuss them in a timed framework.A value v is secret for a protocol if for every bundle C of the protocol the penetrator cannot receive v in cleartext until some time t ; that is, there is no node n in C such that ( ) = term n v and ( ) time n t ≤ .For Kerberos V, we mainly discuss the secrecy of a long-term key of a regular agent, and , authK servK issued by servers.Authentication properties are specified as usual: for a participant B (e.g.acting as a responder), for a certain vector of parameters x r , if each time principal B completes a run of the protocol as a responder using x r supposedly with A , then there is a run of the protocol with A acting as an initiator using x r supposedly with B. And this is formalized as follows: there is a responder strand Resp ( x r ) and the i -th node of the strand is in a bundle C , then there is an initiator strand Init ( x r ) and some j -th node of the initiator strand is in C .
In order to prove the secrecy of a long-term key A K , we only need use the well-founded induction principle on bundles.But the knowledge closure property on penetrators is needed when we prove the secrecy of some session key authK or servK .For instance, in order to prove the secrecy of authK , we construct a set ∉ By the knowledge closure property, we can exclude the cases when m is in a penetrator strand.By case analysis on the form of the trace of regular strands, we can also exclude the case when m is in a regular strand.Thus, a contradiction is concluded.
In the following two sections, we give the detailed proof on the secrecy and authentication properties to show how to apply the proof techniques aforementioned.Note that we also have formalized all the proofs in Isabelle/HOL, and the proof scripts can be obtained at [6].The paper proof here can be viewed as a text account of the mechanical proof scripts at [6].

Proving Secrecy Goals
In Kerberos V, a long-term key of a regular agent is never sent in the network, so it cannot be compromised.Let B be a bundle of Kerberos V.For any node in the bundle, the long-term key of a regular agent cannot be a part of the term of the node.In order to prove this lemma, we only need the well-founded induction principle on bundles.
We show that P is empty by contradiction.If there is a node P n ' ∈ , then by the well-foundedness of a bundle, there exists a node m such that m is minimal in P .Namely, , and for all From ( 1) and (2), we can conclude that m is not minimal in P .This contradicts with the minimality of m .
• CASE 2: m is in a penetrator strand p .
Here we only analyze the cases when p is either K K (key strand) or h g C , (concatenation).Other cases are either straightforward or can be analyzed in a similar way.
p is We have ,2) ( = p m '  and . By the definition of ⊏ , we have . This contradicts with the minimality of m .The case when h K A ⊏ can be analyzed similarly.
We show that for any node . In order to prove this, we only need show P is empty.We prove the assertion by contradiction.If P is not empty , then by the well-foundedness of a bundle, (

' authK authK =
From the definition of Axiom 4, we have authK uniquely originates from the strand i .Combining with (2), we have i as = , then  ( )

Proving Authentication Goals
For convenience, we call that a strand i uses a term Roughly speaking, we need two steps to prove an authentication goal that if there is a regular responder strand Resp ( r , x r ) and the k -th node of the strand is in a bundle B , then there is an initiator strand Init ( i , x r ) and some j -th node of the initiator strand is in B .First we prove that ) , ( k r is an unsolicited test for some encrypted term { } K h in B , which requires the secrecy of K .This is can be easily proved by the secrecy results on keys in section 3. Therefore, we have that there exists some regular node m in B by Lemma 2. Second, we need prove that m indeed is the intended node ) , ( j i .In order to prove this, we need do case analysis on the form of the strand which m possibly lies in.This proof needs unicity property of some session keys and the results of unsolicted tests, namely, the facts that { } K h ⊏ ) (m term and m is minimal.

Conclusions and Related Work
Our main aim is to extend and mechanize the strand space theory to analyze Kerberos V, since mechanization in a theorem prover not only helps us model protocols rigorously and specify protocol goals without any ambiguity, it also guarantees a formal proof.Besides the essential inherence from the classic strand space method, our work is deeply inspired by Paulson and Bella's work.
We have directly used their formalization of message algebra, and have learned a lot about the semantics of timestamps and replay attacks from [4].However, we model and analyze protocols in strand space theory rather than in Paulson's trace theory.In detail, we model behaviors of all the agents by strands, and mainly use the well-founded induction principle to prove properties.So in our Isabelle formalization, main efforts have been devoted to definitions and lemmas about strand space theory.e.g., we formalize strands, bundles, unique originality, the well-founded principle on bundles, and use this principle to prove important results such as unsolicited authentication test and regularity of keys.
In [4], the ability of a penetrator to crack a stale encrypted message is modelled by the Oops rule in the inductive definition of a trace, and the trace definition depends on the protocol under study.However, in the strand space theory, a penetrator's abilities are modelled to be independent of the protocol, that is the main reason why we relate a key with a crack time, and model a penetrator's ability of cracking a stale encrypted message by a new key cracking strand.The advantage of our method is that modelling a penetrator's behavior remains independent and results such as the unsolicited authentication tests can be generalized.
Regarding verification of the Kerberos protocols, Mitchell et al. [7] analyzed a simplified version of the protocol by model checking, and Butler et al. [8] analyzed the Kerberos V protocol using MSR [9].But they did not include timestamps and replay attacks in their model, in fact the former work ignored both nonces and timestamps, and the latter only considered the implementation of the Kerberos protocol basing on nonce.

*
This is a revised and extended version of the homonymous paper appearing in the Proceedings the Eighth International Conference on Parallel and Distributed Computing, Applications and Technologies (PDCAT 2007, IEEE Computer Society).The main modifications have been made on the presentation of the technical material, with the purpose of having full details.The first author is supported by grants (No.60833001, 60496321, 60421001) from National Natural Science Foundation of

Figure 1 .
Figure 1.The layout of Kerberos V.
1 is the main technique used to reason about authentication guarantee of a node n which is an unsolicited test for an encrypted term of the form { } K authK is the session key that will be used for the client A to communicate with a ticket grant server Tgs , authK has not been compromised.At the end of this stage, A and B authenticate each other, and A can access the service provided by B .
A B servK T to obtain servK .Since authK is also a session key which is originated by Kas in an earlier time than s T , the guarantee for the confidentiality of authK is of extreme importance.The corresponding ticket { } , , , Tgs a K A Tgs authK T is not available for B , B cannot know the creation time of authK .So B cannot directly check whether authK has been compromised.Fortunately, if Tgs can guarantee that any authK which it receives will be compromised later than servK , associated with the authK , then it is enough for B to check 0 sessionKcrktime prove that the sign of m is positive.If A is not compromised, and Tgs is a ticket granting server, then it can be guaranteed that there must be an authentication server strand as in which A K must be regular w.r.t.n .By Lemma 3, there is no node m in B such that ( ) A K must be regular w.r.t.n .From (1), by Lemma 1, there exists a positive regular node m in B such that n m B and { } ' A , ' Tgs , ' authK , servK , In order to prove the conclusion of Lemma 5, we need the conclusion of Lemma 4, which ensures us that a penetrator cannot crack the term { } occur as a part of the term of a node in B , A and B are not compromised, and B is not a ticket grant server, and authK is still not compromised at the time when the above two tickets occur, then it can be guaranteed that A must have passed the first and second phases of the protocol, and a ticket grant server strand tgs must exist in B , where two tickets are issued for some session key authK .Similar to Lemma 4, this lemma ensures us that S T is the earliest time when servK occurs in B , and this minimal property is needed in the proof of Lemma 7.
' A , ' Tgs , ' A , ' Tgs , ' authK , ' servK , ' B , ' A , ' Tgs , From Axiom 5, we have authK uniquely originates from the strand i .Combining with (3), we can conclude i is both an authentication server strand and a ticket granting server • But for a short session key authK or servK , the cases are more complex because they are sent as a part in a message such as Secrecy of K can be directly drawn from other lemmas on K .But for recency checking, firstly we need prove that the timestamp t indeed indicates the time when ' authK synth then by the definition of synth, we have servK ∈ , M but this contradicts with the definition of M .