Formal proofs of cryptographic security of Diffie-Hellman-based protocols, 2007
Cited by 2 (0 self)
We present axioms and inference rules for reasoning about Diffie-Hellman-based key exchange protocols and use these rules to prove authentication and secrecy properties of two important protocol standards, the Diffie-Hellman variant of Kerberos, and IKEv2, the revised standard key management protocol for IPSEC. The new proof system is sound for an accepted semantics used in cryptographic studies. In the process of applying our system, we uncover a deficiency in Diffie-Hellman Kerberos that is easily repaired.
Computationally Sound Mechanized Proofs for Basic and Public-key Kerberos, 2008
Cited by 2 (0 self)
We present a computationally sound mechanized analysis of Kerberos 5, both with and without its public-key extension PKINIT. We prove authentication and key secrecy properties using the prover CryptoVerif, which works directly in the computational model; these are the first mechanical proofs of a full industrial protocol at the computational level. We also generalize the notion of key usability and use CryptoVerif to prove that this definition is satisfied by keys in Kerberos.
Refining Computationally Sound Mechanized Proofs for Kerberos
Cited by 1 (0 self)
Kerberos is designed to allow a user to repeatedly authenticate herself to multiple servers based on a single login. The PKINIT extension to Kerberos modifies the initial round of the protocol to use a PKI instead of long-term shared keys (e.g., password-derived keys). Especially with PKINIT, Kerberos uses a rich collection of cryptographic operations and constructs, and Kerberos, both with and without the PKINIT extension, is used in real world settings (including Microsoft Windows). Kerberos is thus a great test case for protocol-analysis tools. The CryptoVerif prover works directly in the computational model to prove properties of protocols that are formalized as games. This talk will both survey some of our earlier work using CryptoVerif to analyze Kerberos, with and without PKINIT, and describe two recent extensions of this work. First, we briefly survey our work [1] to formalize all three rounds of Kerberos (with and without PKINIT) as games that CryptoVerif could analyze. This allowed us to prove, using CryptoVerif, authentication and secrecy properties under certain cryptographic assumptions (e.g., that the public-key encryption scheme satisfies IND-CCA2 security). This work included the definition of a version of key usability that was stronger than that originally given by Datta et al. [2]; the stronger version is amenable to being proved using CryptoVerif, and we showed that freshly generated keys in Kerberos are usable in this strong sense for IND-CCA2-secure encryption.
Security Analysis of Standard Authentication and Key Agreement Protocols Utilising Timestamps
We propose a generic modelling technique that can be used to extend existing frameworks for theoretical security analysis in order to capture the use of timestamps. We apply this technique to two of the most popular models adopted in literature (Bellare-Rogaway and Canetti-Krawczyk). We analyse previous results obtained using these models in light of the proposed extensions, and demonstrate their application to a new class of protocols. In the timed CK model we concentrate on modular design and analysis of protocols, and propose a more efficient timed authenticator relying on timestamps. The structure of this new authenticator implies that an authentication mechanism standardised in ISO-9798 is secure. Finally, we use our timed extension to the BR model to establish the security of an efficient ISO protocol for key transport and unilateral entity authentication. Keywords: Timestamp, Key Agreement, Entity Authentication.

