
[IEEE 2007 IEEE Symposium on Security and Privacy - Berkeley, CA, USA (2007.05.20-2007.05.23)] 2007 IEEE Symposium on Security and Privacy (SP '07) - Extended Abstract: Provable-Security

Extended Abstract: Provable-Security Analysis of Authenticated Encryption in Kerberos

Alexandra Boldyreva, Virendra Kumar

Georgia Institute of Technology, School of Computer Science

266 Ferst Drive Atlanta, GA 30332-0765 USA

{aboldyre,virendra}@cc.gatech.edu

Abstract

Kerberos is a widely-deployed network authentication protocol that is being considered for standardization. Many works have analyzed its security, identifying flaws and often suggesting fixes, thus helping the protocol's evolution. Several recent results present successful formal-methods-based verification of a significant portion of the current version 5, and some even imply security in the computational setting. For these results to hold, encryption in Kerberos should satisfy strong cryptographic security notions. However, neither the encryption schemes currently deployed as part of Kerberos nor their proposed revisions are known to provably satisfy such notions. We take a close look at Kerberos' encryption and confirm that most of the options in the current version provably provide privacy and authenticity, some with slight modifications that we suggest. Our results complement the formal-methods-based analysis of Kerberos that justifies its current design.

1 Introduction

MOTIVATION. Kerberos is a trusted-third-party network authentication protocol. It allows a client to authenticate herself to multiple services, e.g. file servers and printers, with a single login. Kerberos has become widely deployed since its origination as MIT's Project Athena in 1988. It has been adopted by many big universities and corporations, is part of all major computing platforms such as Windows (starting from Windows 2000), Linux and Mac OS, and is a draft standard at IETF [26].

Security of Kerberos has been analyzed in many works, e.g. [14, 25, 6, 5, 23, 18, 27]. Most commonly, analyses identify certain limitations or flaws in the deployed versions of Kerberos and sometimes propose fixes. This leads to the evolution of the protocol, where a new version patches the known vulnerabilities of the previous versions. The current version, Kerberos v.5, is already being revised and extended [20, 22, 21].

What is certainly desirable for the upcoming standard is to provide some guarantees that the protocol does not only resist some specific known attacks, but withstands a very large class of possible attacks, under some accepted assumptions. Modern techniques in cryptography (the computational approach) and formal methods (the symbolic approach) make this possible; however, formally analyzing such a complex protocol is not an easy task.

Several recent works contributed in this direction. Butler et al. [16, 17] have analyzed significant portions of the current version of Kerberos and its extensions in the symbolic approach (i.e. the Dolev-Yao model) and have formally verified that the design of Kerberos' current version meets the desired goals for the most part. However, a known limitation of such analyses is their high level of abstraction. A significant advance has been made by a recent work by Backes et al. [1] in that it is the only work providing symbolic analysis that also guarantees security in the computational setting, which is the well-accepted strongest model of security. Their results use the computational-soundness model due to Backes et al. [4, 3, 2]. However, for their results to hold, the cryptographic primitives used in the protocol need to satisfy strong notions of security (in the computational setting). Namely, the encryption scheme utilized by the protocol needs to provide privacy against chosen-ciphertext attacks (be IND-CCA secure) and integrity of ciphertexts (be INT-CTXT secure) [2, 1].

However, it is not known whether encryption¹ in Kerberos is IND-CCA and INT-CTXT. Certain known vulnerabilities indicate that encryption in version 4 did not satisfy these notions [27]. While encryption in the current version 5 is designed to resist known attacks, it is not clear whether it provably resists all attacks of the class, and if yes, under which assumptions. Provable security has become a de-facto standard in modern cryptographic research. Cryptographers design plenty of cryptographic schemes for almost all imaginable future applications, and usually provide rigorous proofs of security for their constructions. It is somewhat surprising that the schemes that are actually used in deployed protocols remain unanalyzed from the provable-security perspective. Our work aims at closing this gap.

¹We will also refer to encryption schemes whose goal is to provide privacy and authenticity as authenticated encryption.

2007 IEEE Symposium on Security and Privacy (SP'07) 0-7695-2848-1/07 $20.00 © 2007

CONTRIBUTIONS. We take a close look at the encryption schemes used in Kerberos v.5 (according to its specifications) in order to prove them secure, in the IND-CCA and INT-CTXT sense, assuming the underlying building blocks (e.g. a block cipher) are secure.

We first look at the encryption description in the current version 5 specification (cf. Section 6 in [22]). We will refer to it as the "general profile". Fix a block cipher with input-output length n and a key for it. A message M is first padded so that its length is a multiple of n. Next a random n-bit string conf is chosen. Then a checksum, i.e. a hash function, is applied to the string conf ‖ 0^n ‖ M. Let us call the checksum's output σ. Finally, the block cipher in CBC mode with fixed initial vector IV = 0^n is applied to the string conf ‖ σ ‖ M. Decryption is defined accordingly. The recommended options are DES as the block cipher and MD4 or MD5 as hash functions, which is not a very good choice for known reasons: DES is an outdated standard since its key size is too small given modern computing power, and collisions have been found in MD4 and MD5 [24]. What we show is that even if one assumes a secure block cipher in a secure encryption mode and a secure hash function, the construction is not secure in general. That is, there is an attack on the scheme composed of secure components that shows that it does not provide integrity of ciphertexts. We propose a simple change that is sufficient for security of the design of the general profile. Namely, we show that if a secure message authentication code (MAC) is used in place of the hash function, then the scheme given by the general profile is IND-CCA and INT-CTXT, also assuming that the underlying block cipher is secure. We note that the proposed modification does not require heavy changes in the implementations.

Suggested revisions to Kerberos' design [21], which the implementations have, however, not yet caught up with, do recommend using AES or Triple-DES as the block cipher and HMAC [8] as the MAC, but in a different manner. Under the so-called "simplified profile" (cf. Section 5 in [22] and [21]) the message is first encoded such that the necessary padding is appended and a random confounder is pre-pended. The block cipher in CBC mode, or a variant of CBC mode with ciphertext stealing, both with a fixed all-zero-bit IV, and HMAC are applied to the encoded message independently to yield the two parts of the resulting ciphertext. Decryption is defined accordingly. We prove that this method yields an encryption scheme that is IND-CCA and INT-CTXT secure. This confirms soundness of the design of the simplified profile, which, unlike the general profile, is secure in general.

While our results are not as unexpected or "catchy" as some results discovering a flaw or implementing an attack on a practical protocol, they are far from being less important. Having provable security guarantees is an invaluable benefit for any cryptographic design, especially a widely deployed protocol. Our results together with the formal-methods-based results in the symbolic setting constitute strong provable-security support for the design of Kerberos.

RELATED WORK. Bellare and Namprempre [12] study various ways to securely compose secure (IND-CPA) encryption and secure (unforgeable against chosen-message attacks, or UF-CMA) message authentication code (MAC) schemes. They show that only one of the three most straightforward composition methods, Encrypt-then-MAC, is secure in general, i.e. always yields an IND-CCA and INT-CTXT encryption scheme. At the same time, certain secure components can yield a scheme constructed via the Encrypt-and-MAC or MAC-then-Encrypt paradigm that is not IND-CCA or not INT-CTXT. If Kerberos' design had utilized the Encrypt-then-MAC composition method with secure encryption and MAC schemes, we would have nothing to prove here. But for some reasons Kerberos uses some variations of the Encrypt-and-MAC or MAC-then-Encrypt methods that also rely on the properties of the encodings of the message, i.e. of the pre-processing of the message before encryption and MAC are applied.

Bellare et al. [11] analyze security of encryption in another widely deployed protocol, Secure Shell aka. SSH. They suggest several modifications to the SSH encryption to fix certain flaws and prove that the resulting scheme provably provides privacy against chosen-ciphertext attacks and integrity of ciphertexts. They also provide general results about security of stateful encryption schemes composed according to the Encode-then-Encrypt-and-MAC paradigm assuming certain security properties of the base encoding, encryption and MAC schemes. The encryption scheme proposed for the revision of Kerberos v.5 (cf. simplified profile in [22]) conforms to the Encode-then-Encrypt-and-MAC method. However, the security results from [11] do not directly imply strong security notions for the simplified profile in Kerberos. First, the general results from [11] do not guarantee a strong notion of integrity of ciphertexts (they only consider the weaker notion of integrity of plaintexts). Second, the results of [11] require an IND-CPA secure base encryption scheme, but as we mentioned above the base encryption in Kerberos is CBC with fixed IV and is not IND-CPA secure.

2 Preliminaries

NOTATION. If X, Y are strings then X ‖ Y denotes their concatenation. If A is a randomized algorithm, then the notation X ←$ A denotes that X is assigned the outcome of the experiment of running A, possibly on some inputs. If A is deterministic, we drop the dollar sign above the arrow.

CRYPTOGRAPHIC PRIMITIVES AND THEIR SECURITY.

Definition 2.1 [Symmetric encryption scheme] A symmetric encryption scheme SE = (K, E, D) with associated message space MsgSp is defined by three algorithms:

• The randomized key generation algorithm K returns a secret key K.

• The (possibly) randomized or stateful encryption algorithm E takes as input the secret key K and a plaintext M ∈ MsgSp and returns a ciphertext.

• The deterministic decryption algorithm D takes the secret key K and a ciphertext C and returns the corresponding plaintext or a special symbol ⊥ indicating that the ciphertext was invalid.

The consistency condition requires that D_K(E_K(M)) = M for all K that can be output by K and all M ∈ MsgSp.

We now recall cryptographic security notions for encryption. The following definition [9] formalizes the requirement that even though an adversary knows some partial information about the data, no additional information is leaked.

Definition 2.2 [Privacy: IND-CPA, IND-CCA] Let SE = (K, E, D) be an encryption scheme. For atk ∈ {cpa, cca}, adversary A and a bit b define the experiments Exp^{ind-atk-b}_{SE,A} as follows. In all experiments first the secret key K is generated by K. Let LR be the oracle that on input M0, M1, b returns Mb. The adversary A is given access to the left-right encryption oracle E_K(LR(·, ·, b)) that A can query on any pair of messages of equal length. In Exp^{ind-cca-b}_{SE,A} the adversary is also given the decryption oracle D_K(·) that it can query on any ciphertext that was not returned by another oracle. The adversary's goal is to output a bit d as its guess of the challenge bit b, and the experiment returns d as well. The scheme SE is said to be indistinguishable against chosen-plaintext attack or ind-cpa (resp. chosen-ciphertext attack or ind-cca) if for every adversary A with reasonable resources² the difference

$$\Pr\big[\mathbf{Exp}^{\mathrm{ind\text{-}atk\text{-}0}}_{SE,A} = 0\big] - \Pr\big[\mathbf{Exp}^{\mathrm{ind\text{-}atk\text{-}1}}_{SE,A} = 0\big]$$

is small³.

²Here and further in the paper we call the resources of an algorithm (or adversary) "reasonable" if it runs some reasonable amount of time (e.g. up to 10 years) in some fixed model of computation, and does a reasonable number of oracle queries.

It is easy to see that IND-CCA security is a stronger notion that implies IND-CPA security.

The following definition [12, 13] formalizes the requirement that no adversary should be able to compute a new ciphertext which the receiver will deem valid.

Definition 2.3 [Integrity: INT-CTXT] Let SE = (K, E, D) be an encryption scheme. The encryption scheme is said to provide authenticity or ciphertext integrity (or be INT-CTXT secure) if any adversary with reasonable resources can be successful in the following experiment only with small probability, called the int-ctxt-advantage of A, Adv^{int-ctxt}_{SE}(A). In the experiment first the random key K is generated by K. The adversary has access to the encryption oracle E_K(·). It is successful if it can output a valid ciphertext C (i.e. D_K(C) ≠ ⊥) that was never returned by the encryption oracle.

It has been shown [12] that if an encryption scheme is IND-CPA and INT-CTXT then it is also IND-CCA. To achieve INT-CTXT security, encryption schemes often utilize message authentication codes (MACs), which we define below.

Definition 2.4 [Message authentication code] A message authentication code (MAC) MAC = (K, T) with associated message space MsgSp is defined by two algorithms:

• The randomized key generation algorithm K returns a secret key K.

• The deterministic⁴ mac, aka. tagging, algorithm T takes as input the secret key K and a plaintext M and returns a mac, aka. tag, for M.

For a message-tag pair (M, σ), we say σ is a valid tag for M if σ = σ′ where σ′ ← T_K(M).

The following security definition [10] requires that no adversary can forge a valid tag for a new message.

Definition 2.5 [Unforgeability: UF-CMA] Let MAC = (K, T) be a MAC scheme. It is called unforgeable against chosen-message attacks or UF-CMA secure if any adversary A with reasonable resources can be successful in the following experiment only with small probability. In the experiment first the random key K is generated by K. The adversary has access to the tagging oracle T_K(·). It is successful if it can output a message-tag pair (M, σ) such that σ is a valid tag for M under K, and M was not queried to the tagging oracle.

³We call the value of an advantage "small" if it is very close to 0 (e.g. 2^-60).

⁴A MAC does not have to be deterministic. But most practical schemes are, and in this paper we consider only deterministic MACs.


Another (stronger) security definition requires that the output of the MAC is indistinguishable from a random string.

Definition 2.6 [PRF] Let MAC = (K, T) be a MAC scheme. Let R be the set of all functions with the same domain and range as T. The MAC is called pseudorandom function or PRF secure if for any adversary A with reasonable resources and access to an oracle, the difference

$$\Pr\big[K \xleftarrow{\$} \mathcal{K} : A^{T_K(\cdot)} = 1\big] - \Pr\big[g \xleftarrow{\$} R : A^{g(\cdot)} = 1\big]$$

is small.

It is known that any MAC that is PRF is also UF-CMA.

Definition 2.7 [Hash functions] A hash function HF = (K, H) consists of two algorithms. The key generation algorithm K outputs a key K⁵. The hash algorithm H on inputs K and M outputs the hash value H.

Definition 2.8 [Collision-resistance] A hash function HF = (K, H) is called collision-resistant if every adversary with reasonable resources who is given a random K output by K can output two messages M1, M2 such that H_K(M1) = H_K(M2), M1 ≠ M2 only with small probability.

An encoding scheme is an unkeyed invertible transformation that is used to extend the message with some associated data such as padding, a counter or random nonce, etc. Formally, an encoding scheme EC = (Enc, Dec) is defined by two algorithms. The (possibly) randomized or stateful encoding algorithm Enc takes a message M and outputs a pair of messages (M_e, M_t). The deterministic decoding algorithm Dec takes M_e and returns a pair (M, M_t) or (⊥, ⊥) on error. For any message M, let (M_e, M_t) ←$ Enc(M) and (M′, M′_t) ← Dec(M_e); then the consistency condition requires that M = M′ and M_t = M′_t. The following is from [13, 11].

Definition 2.9 [Coll-CPA] Let EC = (Enc, Dec) be an encoding scheme. It is called collision-resistant against chosen-plaintext attacks or Coll-CPA if every adversary A with reasonable resources has only small success probability in the following experiment. The adversary has access to the encoding oracle Enc(·) and it is considered successful if it ever gets two replies containing M_t and M′_t such that M_t = M′_t.

3 Analysis of Encryption in Kerberos v.5

GENERAL PROFILE. Kerberos allows the users to choose the encryption scheme. All the options though conform to a general design that we outline below (it is further generalized in [19]).

⁵All our results also apply to keyless hash functions.

Construction 3.1 [Encode-then-MAC-then-Encrypt] Let SE = (K_e, E, D), EC = (Enc, Dec), MAC = (K_m, T) be an encryption scheme, an encoding scheme and a checksum (i.e. MAC or hash function). The corresponding Encode-then-MAC-then-Encrypt scheme SE′ = (K′, E′, D′) is defined as follows.

• K′ runs K_e, K_m and returns their outputs K_e ‖ K_m.

• E′ on inputs K_e ‖ K_m and M first gets the encodings via (M_e, M_t) ←$ Enc(M). It then computes σ ← T_Km(M_t), parses M_e as M_el ‖ M_er and returns C ←$ E_Ke(M_el ‖ σ ‖ M_er).

• D′ on inputs K_e ‖ K_m and C computes M_e ← M_el ‖ M_er and σ from (M_el ‖ σ ‖ M_er) ← D_Ke(C), decodes (M, M_t) ← Dec(M_e), computes σ′ ← T_Km(M_t) and returns M if σ = σ′, and ⊥ otherwise.

Above we assume that the outputs of the encoding scheme are compatible with the inputs to E, T.

The next construction specifies in more detail how Kerberos' encryption operates. Figure 1 illustrates the design.

Figure 1. General profile. (Figure not reproduced; its labels: ENCODE plaintext → confounder ‖ plaintext ‖ pad; CHECKSUM over confounder ‖ zeros ‖ plaintext ‖ pad → tag; ENCRYPT confounder ‖ tag ‖ plaintext ‖ pad → ciphertext.)

Construction 3.2 [Authenticated encryption in Kerberos. General profile] Let E : {0,1}^k × {0,1}^n → {0,1}^n be a block cipher (e.g. DES). Let SE = (K_e, E, D) be the CBC encryption mode with IV fixed to be a string of n zeros⁶. Let MAC = (K_m, T) describe a hash function, i.e. K_m always returns ⊥ and T is the keyless hash function algorithm with output of length l bits. Let EC = (Enc, Dec) be an encoding scheme such that Enc on input M pads it to make the length a multiple of n bits (so that decoding is unambiguous), picks a random confounder of n bits conf ←$ {0,1}^n, computes M_e ← conf ‖ M and M_t ← conf ‖ 0^l ‖ M and returns (M_e, M_t). Dec on input M_e parses it as conf ‖ M, computes M_t ← conf ‖ 0^l ‖ M and returns (M, M_t). Then Construction 3.1 describes the general profile of authenticated encryption in Kerberos⁷.

⁶The Kerberos specification also allows the stateful update of the IV, i.e. the IV is assigned to be the last block of the previous ciphertext. Our analysis applies to this case as well. But since this option is not commonly used, we do not consider it in detail. We note however that [22] does not specify how the state and IV are updated when the receiver gets an invalid ciphertext. The only reasonable resolution preventing malicious attacks disrupting the future communication may be to issue an error message and reset the IV to 0^n.

As we noted in the Introduction, the recommended instantiations with DES and MD4 or MD5 are not good choices. But we point out that using AES and a collision-resistant hash function will not necessarily solve the problem. The reason is that the underlying Encode-then-MAC-then-Encrypt construction does not provide integrity in general, even if it is based on secure primitives.

Theorem 3.3 Let EC = (Enc, Dec) be the encoding scheme from Construction 3.2. There exists an IND-CPA secure encryption scheme and a collision-resistant hash function such that the authenticated encryption obtained via Encode-then-MAC-then-Encrypt (Construction 3.1) does not provide integrity (is not INT-CTXT secure).

The proof is in the full version of this paper [15]. In fact, the proof also shows that the general construction is insecure even when a secure MAC is used, but in this case the attack makes use of a rather artificial IND-CPA scheme. We note that the attack we provide in the proof does not translate into an attack on any of the recommended options. It just shows a limitation in the general design.

We now look at the more specific Construction 3.2 and show that it can nevertheless provide security in the strong sense, if a modification that does not require significant changes to the protocol is made. Namely, we suggest using a secure MAC in place of the hash function and show that the resulting authenticated encryption scheme is secure.

Construction 3.4 [Modified general profile] The construction is like Construction 3.2, except that MAC = (K_m, T) is a message authentication code.

Theorem 3.5 The authenticated encryption scheme described by the modified general profile (Construction 3.4) is IND-CCA and INT-CTXT secure if the underlying block cipher is a PRF and the MAC is UF-CMA secure.

The proof with concrete security results is in [15]. AES, which is believed to be a PRF, and HMAC, which is proven to be UF-CMA secure if its underlying hash function is collision resistant [8], constitute good instantiations for the above design.

SIMPLIFIED PROFILE. Designers of Kerberos had the right intuition that the general profile's design is not particularly strong and proposed a new design that they call the "simplified profile" (cf. Section 5 in [22] and [21]). Again we start with a more general construction that outlines the design.

⁷Our analysis does not take into account stateful approaches for key derivation used in a few options of the general profile.

Construction 3.6 [Encode-then-Encrypt&MAC] Let SE = (K_e, E, D), MAC = (K_m, T), EC = (Enc, Dec) be an encryption scheme, a MAC and an encoding scheme such that the outputs of the encoding scheme are compatible with the inputs to E, T. The corresponding Encode-then-Encrypt&MAC scheme SE′ = (K′, E′, D′) is defined as follows.

• K′ runs K_e, K_m and returns their outputs K_e ‖ K_m.

• E′ on inputs K_e ‖ K_m and M first gets the encodings via (M_e, M_t) ←$ Enc(M). It then computes C ←$ E_Ke(M_e), σ ← T_Km(M_t) and returns C ‖ σ.

• D′ on inputs K_e ‖ K_m and C ‖ σ computes M_e ← D_Ke(C), decodes (M, M_t) ← Dec(M_e), computes σ′ ← T_Km(M_t) and returns M if σ = σ′, and ⊥ otherwise.

The next construction defines the simplified profile in more detail and Figure 2 depicts the design.

Figure 2. Simplified profile. (Figure not reproduced; its labels: ENCODE plaintext → confounder ‖ plaintext ‖ pad; ENCRYPT → intermediate ciphertext and MAC → tag, applied independently to the encoded message; ciphertext = intermediate ciphertext ‖ tag.)

Construction 3.7 [Authenticated encryption in Kerberos. Simplified profile] Let E : {0,1}^k × {0,1}^n → {0,1}^n be a block cipher (e.g. AES). Let SE = (K_e, E, D) be the CBC encryption mode with IV = 0^n. Let MAC = (K_m, T) be a MAC, and let EC = (Enc, Dec) be an encoding scheme such that Enc on input M pads M to make its length a multiple of n bits (while permitting unambiguous decoding), picks a random confounder of n bits conf ←$ {0,1}^n, computes M_e ← conf ‖ M and M_t ← conf ‖ M and returns (M_e, M_t). Dec on input M_e parses it as conf ‖ M, computes M_t ← M_e and returns (M, M_t). Then Construction 3.6 describes the simplified profile of authenticated encryption in Kerberos.

We now formally confirm that the simplified profile provides strong security guarantees.


Theorem 3.8 The authenticated encryption scheme described by the simplified profile (Construction 3.7) is IND-CCA and INT-CTXT secure if the underlying block cipher is a PRF and the MAC is a PRF.

The proof with concrete security results is in [15]. AES is believed to be a PRF and HMAC was proven to be a PRF [7]; therefore they are the right choices of instantiations for the simplified profile.
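To make Constructions 3.2, 3.4 and 3.7 concrete, the following Python model implements the general profile (Encode-then-MAC-then-Encrypt with a keyless checksum), the modified general profile (same with a MAC in place of the hash) and the simplified profile (Encode-then-Encrypt&MAC), and runs a round trip, a tamper check and a check of the confounder's role through each. It is example code written for this page, not code from the paper or from any Kerberos implementation. Its assumptions: in place of DES or AES it uses a toy block cipher built as a 4-round Feistel network with an HMAC-SHA256 round function (a PRP from a PRF, standing in for E), CBC with the profiles' fixed all-zero IV, PKCS#7-style padding as the unambiguous encoding, SHA-256 as the keyless checksum and HMAC-SHA256 as the MAC; every function name and the sample message are this example's own.

```python
"""Added example: toy model of the Kerberos v5 authenticated-encryption profiles.
Names, toy cipher and sample message are this example's own assumptions."""
import hashlib
import hmac
import os

BLOCK = 32  # block length n in bytes; SHA-256 / HMAC-SHA256 tags (l) are also 32 bytes

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _f(key, rnd, half):
    # Round function: HMAC-SHA256 truncated to a half block, domain-separated per round.
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:BLOCK // 2]

def block_encrypt(key, blk):
    # Stand-in for the block cipher E: a 4-round Feistel network over a PRF round
    # function (Luby-Rackoff), i.e. a PRP. Not DES or AES.
    left, right = blk[:BLOCK // 2], blk[BLOCK // 2:]
    for rnd in range(4):
        left, right = right, _xor(left, _f(key, rnd, right))
    return left + right

def block_decrypt(key, blk):
    left, right = blk[:BLOCK // 2], blk[BLOCK // 2:]
    for rnd in reversed(range(4)):
        left, right = _xor(right, _f(key, rnd, left)), left
    return left + right

def cbc_encrypt(key, data, iv=bytes(BLOCK)):
    # CBC with the profiles' fixed all-zero IV: deterministic on its own.
    out, prev = [], iv
    for i in range(0, len(data), BLOCK):
        prev = block_encrypt(key, _xor(prev, data[i:i + BLOCK]))
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key, data, iv=bytes(BLOCK)):
    out, prev = [], iv
    for i in range(0, len(data), BLOCK):
        blk = data[i:i + BLOCK]
        out.append(_xor(prev, block_decrypt(key, blk)))
        prev = blk
    return b"".join(out)

def pad(m):
    # PKCS#7-style padding to a multiple of n, so that decoding is unambiguous.
    k = BLOCK - len(m) % BLOCK
    return m + bytes([k]) * k

def unpad(p):
    k = p[-1] if p else 0
    return p[:-k] if 1 <= k <= BLOCK and p[-k:] == bytes([k]) * k else None

def general_encrypt(ke, m, checksum):
    # Encode-then-MAC-then-Encrypt: Mt = conf||0^l||M, sigma = checksum(Mt),
    # C = CBC_Ke(conf||sigma||M). checksum = keyless hash gives Construction 3.2,
    # checksum = MAC_Km gives the modified general profile (Construction 3.4).
    conf, mp = os.urandom(BLOCK), pad(m)
    sigma = checksum(conf + bytes(BLOCK) + mp)
    return cbc_encrypt(ke, conf + sigma + mp)

def general_decrypt(ke, c, checksum):
    if len(c) % BLOCK or len(c) < 3 * BLOCK:
        return None
    p = cbc_decrypt(ke, c)
    conf, sigma, mp = p[:BLOCK], p[BLOCK:2 * BLOCK], p[2 * BLOCK:]
    if not hmac.compare_digest(sigma, checksum(conf + bytes(BLOCK) + mp)):
        return None  # the paper's "bottom" symbol: checksum mismatch
    return unpad(mp)

def simplified_encrypt(ke, km, m):
    # Encode-then-Encrypt&MAC (Constructions 3.6/3.7): Me = Mt = conf||M, output
    # CBC_Ke(Me) || HMAC_Km(Me). The tag is computed over the plaintext encoding,
    # which is why Theorem 3.8 needs the MAC to be a PRF, not merely UF-CMA.
    me = os.urandom(BLOCK) + pad(m)
    return cbc_encrypt(ke, me) + hmac.new(km, me, hashlib.sha256).digest()

def simplified_decrypt(ke, km, ct):
    c, sigma = ct[:-BLOCK], ct[-BLOCK:]
    if len(c) % BLOCK or len(c) < 2 * BLOCK:
        return None
    me = cbc_decrypt(ke, c)
    if not hmac.compare_digest(sigma, hmac.new(km, me, hashlib.sha256).digest()):
        return None
    return unpad(me[BLOCK:])

def demo():
    # Exercise all three profiles on a constructed message; returns name -> bool.
    ke, km = os.urandom(32), os.urandom(32)
    m = b"constructed sample: krbtgt ticket body"
    h = lambda x: hashlib.sha256(x).digest()                   # keyless checksum
    mac = lambda x: hmac.new(km, x, hashlib.sha256).digest()   # UF-CMA / PRF MAC
    c_gen, c_mod = general_encrypt(ke, m, h), general_encrypt(ke, m, mac)
    c_simp = simplified_encrypt(ke, km, m)
    flip = lambda c: c[:-1] + bytes([c[-1] ^ 1])               # one-bit ciphertext change
    return {
        "general_roundtrip": general_decrypt(ke, c_gen, h) == m,
        "modified_roundtrip": general_decrypt(ke, c_mod, mac) == m,
        "simplified_roundtrip": simplified_decrypt(ke, km, c_simp) == m,
        "modified_rejects_tamper": general_decrypt(ke, flip(c_mod), mac) is None,
        "simplified_rejects_tamper": simplified_decrypt(ke, km, flip(c_simp)) is None,
        "confounder_randomizes": simplified_encrypt(ke, km, m) != c_simp,
        "fixed_iv_cbc_deterministic": cbc_encrypt(ke, pad(m)) == cbc_encrypt(ke, pad(m)),
    }
```

Calling `demo()` returns a dictionary in which every entry should be `True`. The last two entries show the point made about the base encryption in the related-work discussion: CBC with a fixed zero IV is deterministic, so it is the random confounder in the encoding, not the mode, that makes the profiles randomized. Note that the one-bit tamper checks only exercise the two MAC-based profiles; Theorem 3.3's counterexample for the hash-based general profile is a structural attack on a specially built scheme and is not something a simple bit flip on this instantiation reproduces.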

4 Acknowledgments

We thank Ken Raeburn and Sam Hartman for clarifications on Kerberos specifications, Bogdan Warinschi for useful discussions, the anonymous reviewers for their helpful comments, and Anupam Datta for comments on the preliminary draft. Alexandra Boldyreva is supported in part by NSF CAREER award 0545659.

References

[1] M. Backes, I. Cervesato, A. D. Jaggard, A. Scedrov, and J.-K. Tsay. Cryptographically sound security proofs for basic and public-key Kerberos. In ESORICS '06. Springer, 2006.

[2] M. Backes and B. Pfitzmann. Symmetric encryption in a simulatable Dolev-Yao style cryptographic library. In CSFW '04. IEEE, 2004.

[3] M. Backes, B. Pfitzmann, and M. Waidner. A composable cryptographic library with nested operations. In CCS '03. ACM, 2003.

[4] M. Backes, B. Pfitzmann, and M. Waidner. Symmetric authentication within a simulatable cryptographic library. In ESORICS '03. Springer, 2003.

[5] G. Bella and L. C. Paulson. Kerberos version 4: Inductive analysis of the secrecy goals. In ESORICS '98. Springer, 1998.

[6] G. Bella and E. Riccobene. Formal analysis of the Kerberos authentication system. Journal of Universal Computer Science, 3(12):1337–1381, 1997.

[7] M. Bellare. New proofs for NMAC and HMAC: Security without collision-resistance. In CRYPTO, 2006.

[8] M. Bellare, R. Canetti, and H. Krawczyk. Keying hash functions for message authentication. In CRYPTO '96. Springer, 1996.

[9] M. Bellare, A. Desai, E. Jokipii, and P. Rogaway. A concrete security treatment of symmetric encryption. In FOCS '97. IEEE, 1997.

[10] M. Bellare, J. Kilian, and P. Rogaway. The security of the cipher block chaining message authentication code. In CRYPTO '04. Springer, 2004.

[11] M. Bellare, T. Kohno, and C. Namprempre. Authenticated encryption in SSH: provably fixing the SSH binary packet protocol. In CCS '02. ACM, 2002.

[12] M. Bellare and C. Namprempre. Authenticated encryption: Relations among notions and analysis of the generic composition paradigm. In ASIACRYPT '00. Springer, 2000.

[13] M. Bellare and P. Rogaway. Encode-then-encipher encryption: How to exploit nonces or redundancy in plaintexts for efficient cryptography. In ASIACRYPT '00. Springer, 2000.

[14] S. M. Bellovin and M. Merritt. Limitations of the Kerberos authentication system. SIGCOMM Comput. Commun. Rev., 20(5):119–132, 1990.

[15] A. Boldyreva and V. Kumar. Provable-security analysis of authenticated encryption in Kerberos. Full version of this paper. Available at http://www-static.cc.gatech.edu/~aboldyre/publications.html, 2007.

[16] F. Butler, I. Cervesato, A. D. Jaggard, and A. Scedrov. A Formal Analysis of Some Properties of Kerberos 5 Using MSR. In CSFW '02. IEEE, 2002.

[17] F. Butler, I. Cervesato, A. D. Jaggard, A. Scedrov, and C. Walstad. Formal Analysis of Kerberos 5 Using. In Theoretical Computer Science, 2006.

[18] J. T. Kohl. The use of encryption in Kerberos for network authentication (invited). In CRYPTO '89. Springer, 1989.

[19] T. Kohno. Searchable symmetric encryption: Improved definitions and efficient constructions. UCSD Dissertation, 2006.

[20] C. Neuman, T. Yu, S. Hartman, and K. Raeburn. The Kerberos network authentication service (v5). Network Working Group. Request for Comments: 4120. Available at http://www.ietf.org/rfc/rfc4120.txt, 2005.

[21] K. Raeburn. Advanced encryption standard (AES) encryption for Kerberos 5. Network Working Group. Request for Comments: 3962. Available at http://www.ietf.org/rfc/rfc3962.txt, 2005.

[22] K. Raeburn. Encryption and checksum specifications for Kerberos 5. Network Working Group. Request for Comments: 3961. Available at http://www.ietf.org/rfc/rfc3961.txt, 2005.

[23] S. G. Stubblebine and V. D. Gligor. On message integrity in cryptographic protocols. In Symposium on Security and Privacy '92. IEEE, 1992.

[24] X. Wang, D. Feng, X. Lai, and H. Yu. Collisions for hash functions MD4, MD5, HAVAL-128 and RIPEMD. ePrint Archive: Report 2004/199, 2004. Available at http://eprint.iacr.org/.

[25] T. D. Wu. A real-world analysis of Kerberos password security. In NDSS '99. The Internet Society, 1999.

[26] T. Yu. The Kerberos network authentication service (version 5). IETF Internet draft. Request for Comments: 1510, 2006.

[27] T. Yu, S. Hartman, and K. Raeburn. The perils of unauthenticated encryption: Kerberos version 4. In NDSS '04. The Internet Society, 2004.
