(************************************************************************
* *
* Kerberos 5 protocol *
* *
* Joe-Kai Tsay, Bruno Blanchet, Aaron D. Jaggard, Andre Scedrov *
* *
* Copyright (C) University of Pennsylvania, ENS, CNRS, *
* Rutgers University, 2007-2008 *
* *
************************************************************************)
(*
Copyright University of Pennsylvania, ENS, CNRS, Rutgers University
authors of this file: Joe-Kai Tsay, jetsay@math.upenn.edu,
Bruno Blanchet, Bruno.Blanchet@ens.fr,
Aaron D. Jaggard, adj@dimacs.rutgers.edu,
Andre Scedrov, scedrov@math.upenn.edu
This file contains a model of the Kerberos 5 protocol, for use with the
cryptographic protocol verifier CryptoVerif. It is a companion to
the AsiaCCS'08 paper "Computationally Sound Mechanized Proofs for
Basic and Public-key Kerberos", by B. Blanchet, A. D. Jaggard, A. Scedrov,
and J.-K. Tsay.
This software is governed by the CeCILL license under French law and
abiding by the rules of distribution of free software. You can use,
modify and/ or redistribute the software under the terms of the CeCILL
license as circulated by CEA, CNRS and INRIA at the following URL
"http://www.cecill.info".
As a counterpart to the access to the source code and rights to copy,
modify and redistribute granted by the license, users are provided only
with a limited warranty and the software's author, the holder of the
economic rights, and the successive licensors have only limited
liability.
In this respect, the user's attention is drawn to the risks associated
with loading, using, modifying and/or developing or reproducing the
software by the user in light of its specific status of free software,
that may mean that it is complicated to manipulate, and that also
therefore means that it is reserved for developers and experienced
professionals having in-depth computer knowledge. Users are therefore
encouraged to load and test the software's suitability as regards their
requirements in conditions enabling the security of their systems and/or
data to be ensured and, more generally, to use and operate it in the
same conditions as regards security.
Anything other than deleting this file means that you have knowledge
of the CeCILL license and that you accept its terms.
*)
(* Note: This file requires CryptoVerif version 1.07 or higher. *)
(* basic Kerberos 5, first 2 rounds (AS_exchage and TG_exchange), consider authentication properties ans secrecy properties *)
param N.
param N2.
param N3.
param N4.
type nonce [large,fixed].
type kas [bounded].
type client [bounded].
type tgs [bounded].
type server [bounded].
type mkey [bounded].
type mkeyseed [fixed].
type key [fixed].
type keyseed [fixed].
type seed [fixed].
type macs [fixed].
type maxenc [bounded].
type timest [fixed].
(* Message construction functions *)
fun concat1(key, nonce, timest, tgs):maxenc [compos].
fun concat2(key, timest, client):maxenc [compos].
fun concat3(key, nonce, timest, server):maxenc [compos].
fun pad(client, timest):maxenc [compos].
fun padts(timest): maxenc [compos].
forall y:key, x:timest, z:client, t2:key, y2:nonce, x2:timest, z2:tgs; concat2(y,x,z) <> concat1(t2,y2,x2,z2).
forall t:key, y:nonce, x:timest, z:server, t2:key, y2:nonce, x2:timest, z2:tgs; concat3(t,y,x,z) <> concat1(t2,y2,x2,z2).
forall z:client, t:timest, t2:key, y2:nonce, x2:timest, z2:tgs; pad(z,t) <> concat1(t2,y2,x2,z2).
forall t:timest, t2:key, y2:nonce, x2:timest, z2:tgs; padts(t) <> concat1(t2,y2,x2,z2).
forall y:key, x:timest, z:client, t2: key, y2:nonce, x2:timest, z2:server; concat2(y,x,z) <> concat3(t2,y2,x2,z2).
forall y:key, x:timest, z:client, t2:timest, z2:client; concat2(y,x,z) <> pad(z2,t2).
forall y:key, x:timest, z:client, t2:timest; concat2(y,x,z) <> padts(t2).
forall t:key, y:nonce, x:timest, z:server, t2:timest, z2:client; concat3(t,y,x,z) <> pad(z2,t2).
forall t:key, y:nonce, x:timest, z:server, t2:timest; concat3(t,y,x,z) <> padts( t2).
forall t:timest, z:client, t2:timest; pad(z,t)<> padts(t2).
(* Shared-key encryption (IND-CPA and INT-CTXT Stream cipher) *)
proba Penc.
proba Pencctxt.
expand IND_CPA_INT_CTXT_sym_enc(keyseed, key, maxenc, bitstring, seed, kgen, enc, dec, injbot, Z, Penc, Pencctxt).
(* The function Z returns for each bitstring, a bitstring of the same length, consisting only of zeroes. *)
const Zconcat1:maxenc.
const Zconcat2:maxenc.
const Zconcat3: maxenc.
const Zpad:maxenc.
const Zpadts: maxenc.
forall y:nonce, x:timest, z:tgs, t:key;
Z(concat1(t,y,x,z)) = Zconcat1.
forall y:key, x:timest, z:client;
Z(concat2(y,x,z)) = Zconcat2.
forall y:nonce, x:timest, z:server, t:key;
Z(concat3(t,y,x,z)) = Zconcat3.
forall z:client, t:timest;
Z(pad(z,t)) = Zpad.
forall t: timest;
Z(padts(t)) = Zpadts.
(* Channel declaration *)
channel c1, c2, c3, c4, c5, c6, c7, c8, c9, c10, c11, c12, c13, c14, c15, c16, c17, c18, c19,c20, c21, c22, c23, c24, c25, start, finish, cC, cT.
(* Host names for honest hosts *)
const C : client.
const K : kas.
const T : tgs.
const S : server.
(* Final accept messages *)
fun acceptC1(kas): bitstring.
fun acceptC2(tgs,server): bitstring.
fun acceptC3(server): bitstring.
fun acceptT(client,server): bitstring.
fun acceptS(client): bitstring.
(* Authentication Queries *)
event fullKC(client, tgs, nonce, bitstring, bitstring).
event fullCK(tgs, nonce, bitstring, bitstring).
event partCT(tgs, bitstring, bitstring).
event fullCT(tgs, server, nonce, key, bitstring, bitstring, bitstring).
event partTC(client, bitstring, bitstring).
event fullTC(client, server, nonce, key, bitstring, bitstring, bitstring, bitstring).
query x:bitstring, y:bitstring, z:bitstring, N:nonce;
event inj:fullCK(T,N,x,y) ==> inj:fullKC(C,T,N,z,y).
query x:bitstring, x':bitstring, y:bitstring, y':bitstring, N:nonce;
event partTC(C,x,y) ==> partCT(T,x',y) && fullKC(C,T,N,x,y').
query z:bitstring, z':bitstring, y:bitstring, x:bitstring, x':bitstring, v:bitstring, N:nonce, k:key;
event inj:fullCT(T,S,N,k,x,z,y) ==> inj:fullTC(C,S,N,k,x',z',v,y).
query x:bitstring, y:bitstring, z:bitstring, x':bitstring, z':bitstring, v:bitstring, N:nonce, k:key, k':key;
event fullTC(C,S,N,k',x',z',v,y) && fullCT(T,S,N,k,x,z,y) ==> k=k'.
(* Theorem 7: secrecy of the key SK *)
query secret keySK.
query secret keyTSK.
(* Code for the client C *)
let processC =
in(c1, hostT:tgs); (* choose TGS hostT *)
new n1:nonce;
out(c2, (C, hostT, n1));
in(c3, (=C, m:bitstring, m2:bitstring)); (* m = Ticket Granting Ticket *)
let injbot(concat1(AK, =n1, tk, =hostT)) = dec(m2, Kc) in
event fullCK(hostT, n1, m, m2);
out(c18, acceptC1(K));
(! N3 processC2 ).
let processC2 =
in(c17, (hostT':tgs, hostS:server)); (* request service ticket for hostS from hostT *)
if hostT' = hostT then
new n3:nonce;
new tc:timest;
new r1:seed;
let e5 = enc(pad(C, tc), AK, r1) in
event partCT(hostT, m, e5);
out(c4, (m, e5, hostS, n3));
in(c5, (=C, m6:bitstring, m7:bitstring));
let injbot(concat3(SK, =n3, tt, =hostS))= dec(m7, AK) in (* m7 = {SK, n2, t_T, S}_AK if hostS = S and n3 = n2 *)
event fullCT(hostT, hostS, n3, SK, m, e5, m7);
out(c19, acceptC2(hostT, hostS));
(* OK *)
in(finish, ());
if hostT = T && hostS = S then
(
let keySK:key = SK
)
else out(cC, SK).
(* Code for registering the keys *)
let processCKEY =
in(c13, (Khost:client, Kkey:key));
let Rkey:key =
if Khost = C then Kc else (* The key for the client C is Kc; for other clients, the key is chosen by the adversary *)
Kkey.
let processTKEY =
in(c21, (Lhost:tgs, Lkey:key));
let Qkey:key =
if Lhost = T then Kt else (* The key for the TGS T is Kt; for other TGSs, the key is chosen by the adversary *)
Lkey.
let processSKEY =
in(c16,(Mhost1:tgs, Mhost2:server, Mkey:key));
let Pkey:key =
if Mhost1 = T && Mhost2 = S then Ks else (* The key between the TGS T and the server S is Ks; for other TGSs or servers,
the key is chosen by the adversary *)
Mkey.
(* Code for the Kerberos Authentication Server (KAS) K *)
let processK =
in(c14, (hostY:client, hostW:tgs, n:nonce));
find j1 <= N2 suchthat defined(Khost[j1],Rkey[j1]) && (Khost[j1] = hostY) then (* shared key KC *)
find j2 <= N2 suchthat defined(Lhost[j2],Qkey[j2]) && (Lhost[j2] = hostW) then (* shared key KT *)
new rAK:keyseed;
let AK = kgen(rAK) in
new tk:timest;
new r3:seed;
let e3 = enc(concat2(AK, tk, hostY), Qkey[j2], r3) in (* e3 = TGT *)
new r4:seed;
let e4 = enc(concat1(AK, n, tk, hostW), Rkey[j1], r4) in
event fullKC(hostY, hostW, n, e3, e4);
out(c15, (hostY, e3, e4)).
(* Code for the Ticket Granting Server (TGS) T *)
let processT =
in(c7, (m8:bitstring, m9:bitstring, hostW:server, n': nonce));
let injbot(concat2(AK, tk, hostY)) = dec(m8, Kt) in
let injbot(pad(=hostY, ts)) = dec(m9, AK) in
event partTC(hostY, m8, m9); (* m8 ={AK, C}_Kt (=TGT) and m9 = {C,t}_AK if hostY = C *)
find j3 <= N2 suchthat defined(Mhost1[j3],Mhost2[j3],Pkey[j3]) && (Mhost1[j3] = T && Mhost2[j3] = hostW) then
new SK:key;
new tt:timest;
new r10:seed;
let e10 = enc(concat2(SK, tt, hostY), Pkey[j3], r10 ) in
new r11:seed;
let e11 = enc(concat3(SK, n', tt, hostW), AK, r11) in
event fullTC(hostY, hostW, n', SK, m8, m9, e10, e11); (* e10 = Service Ticket (ST) = {SK, t_T, C}_Ks and e11 = {SK, n2, t_T, S}_AK if hostW = S, n'= n2 and tt = t_T *)
out(c8, (hostY, e10, e11, acceptT(hostY,hostW)));
(* OK *)
in(c9, ());
if hostY = C && hostW = S then
(
let keyTSK:key = SK
)
else
(
out(cT, SK)
).
(* Main process, which generates long-term keys and runs the various processes *)
process
in(start, ());
new rKc: keyseed;
let Kc = kgen(rKc) in (* Kc = enc key between client C and KAS K *)
new rKt: keyseed;
let Kt = kgen(rKt) in (* Kt = enc key between KAS K and TGS *)
new rKs: keyseed;
let Ks = kgen(rKs) in
out(c25, ());
((! N processC) |
(! N processK) |
(! N processT) |
(! N2 processCKEY)|
(! N2 processTKEY)|
(! N2 processSKEY))
(* EXPECTED
RESULT Could not prove event fullTC(C, S, N, k', x', z', v, y) && fullCT(T, S, N, k, x, z, y) ==> (k = k').
1.110s (user 1.090s + system 0.020s), max rss 76864K
END *)