Breaking and Fixing Public-Key Kerberos

Andre Scedrov, University of Pennsylvania

This joint work with I. Cervesato, A.D. Jaggard, J.-K. Tsay, and C. Walstad reports on a man-in-the-middle attack against PKINIT, the public key extension of the widely deployed Kerberos 5 authentication protocol. This flaw allows an attacker to impersonate Kerberos administrative principals (KDC) and end-servers to a client, hence breaching the authentication guarantees of Kerberos. It also gives the attacker the keys that the KDC would normally generate to encrypt the service requests of this client, hence defeating confidentiality as well. The discovery of this attack caused the IETF to change the specification of PKINIT and Microsoft to release a security update for a number of Windows operating systems. A Microsoft Security Bulletin which mentions this work is available on We discovered this attack as part of an ongoing symbolic analysis of the Kerberos protocol suite, and we have verified in the symbolic model several fixes to PKINIT that prevent our attack.

Gates 4B (opposite 490) Thursday 09/22/05 1630 hrs