PUF-based Kerberos Extension Protocol with Formal Analysis

doi:10.3969/j.issn.1671-1122.2020.12.012

Abstract

Abstract:

This paper proposes an extended Kerberos protocol based on the physical unclonable function (PUF). In basis of the challenge-response authentication mechanism, this paper employs the PUF challenge-response pairs to substitute the password or the certificate in standard Kerberos protocol, so as to resist the password guessing attack and impersonation attack. The advantages of this extended protocol lie in the following aspects: it provides mutual authentication between the authentication server and the device; the device is not pre-distributed with any password or key, which reduces the storage overhead and the disclosure risk of password or key. The formal analysis based on BAN Logic and comparison with different protocols are both given to prove the security of the PUF-based extended protocol.

Key words: physical unclonable function, Kerberos, authentication, key distribution, BAN logic

CLC Number:

TP309

ZHANG Zheng, ZHA Daren, LIU Yanan, FANG Xuming. PUF-based Kerberos Extension Protocol with Formal Analysis[J]. Netinfo Security, 2020, 20(12): 91-97.

Figures/Tables 4

References 17

[1]	RFC 4120. The Kerberos Network Authentication Service(V5)FC 4120. The Kerberos Network Authentication Service(V5)[S]. USA: IETF, 2005.
[2]	NEEDHAM R M, SCHROEDER M D. Using Encryption for Authentication in Large Networks of Computers[J]. Communications of the ACM, 1978,21(12):993-999. doi: 10.1145/359657.359659 URL
[3]	STEINER J G, NEUMAN B C, SCHILLER J I. Kerberos: An Authentication Service for Network System[EB/OL]. https://ieeexplore.ieee.org/document/312841/references#references, 2020-05-15.
[4]	RFC 6113. A Generalized Framework for Kerberos Pre-AuthenticationFC 6113. A Generalized Framework for Kerberos Pre-Authentication[S]. USA: IETF, 2011.
[5]	TUNG B, NEUMAN C, HUR M, Public Key Cryptography for Initial Authentication in Kerberos (PKINIT)[EB/OL]. https://www.researchgate.net/publication/243788044_Public_key_cryptography_for_initial_authentication_in_Kerberos, 2020-05-15.
[6]	RFC 4556. Public Key Cryptography for Initial Authentication in Kerberos(PKINIT)[S]. USA: IETF, 2006.
[7]	GAIKWAD P P, GABHANE J P, GOLAIT S S. 3-level Secure Kerberos Authentication for Smart Home Systems Using IoT[EB/OL]. https://xueshu.baidu.com/usercenter/paper/show?paperid=df202d88fa2d7afc656e4958b5d8c00b&site=xueshu_se, 2020-05-15.
[8]	RAO K, BHARADWAJ, RAM N, et al. Application of Time Synchronization Process to Kerberos[J]. Procedia Computer Science, 2016(85):249-254.
[9]	SUTRADHAR M R, SULTANA N, DEY H, et al. A New Version of Kerberos Authentication Protocol Using ECC and Threshold Cryptography for Cloud Security[EB/OL]. https://ieeexplore.ieee.org/document/8641010, 2020-05-15.
[10]	JENA S K, TRIPATHY B K, GUPTA P, et al. A Kerberos Based Secure Communication System in Smart (Internet of Things) Environment[J]. Journal of Computational and Theoretical Nanoscience, 2019,16(5):2381-2388. doi: 10.1166/jctn.2019.7904 URL
[11]	DELVAUX J, PEETERS R, GU D, et al. A Survey on Lightweight Entity Authentication with Strong PUFs[J]. ACM Computing Surveys (CSUR), 2015,48(2):1-26.
[12]	ABUTALEB M, ALLAM A. FPGA-based Authenticated Key Exchange Scheme Utilizing PUF and CSI for Wireless Networks[EB/OL]. https://xueshu.baidu.com/usercenter/paper/show?paperid=86c0537a937e7aaf801639fd7786bbb2&site=xueshu_se, 2020-05-15.
[13]	LIU Dan, GUO Limin, YU Jun, et al. A Secure Mutual Authentication Protocol Based on SRAM PUF[J]. Journal of Cryptologic Research, 2017,4(4):58-69.
	刘丹, 郭丽敏, 俞军, 等. 一种基于SRAM PUF的安全双向认证协议[J]. 密码学报, 2017,4(4):58-69.
[14]	WANG Jun, LIU Shubo, LIANG Cai, et al. Two-factor Wearable Device Authentication Protocol Based on PUF and IPI[J]. Journal on Communications, 2017,38(6):127-135.
	王俊, 刘树波, 梁才, 等. 基于PUF和IPI的可穿戴设备双因子认证协议[J]. 通信学报, 2017,38(6):127-135.
[15]	CHATTERJEE U, CHAKRABORTY R S, MUKHOPADHYAY D. A PUF Based Secure Communication Protocol for IoT[J]. ACM Transactions on Embedded Computing Systems, 2017,16(3):1-25.
[16]	BRAEKEN A. PUF Based Authentication Protocol for IoT[J]. Symmetry, 2018,10(8):1-15. doi: 10.3390/sym10010001 URL
[17]	USMANI M A, KESHAVARZ S, MATTHEWS E, et al. Efficient PUF-based Key Generation in FPGAs Using Per-device Configuration[J]. IEEE Transactions on Very Large Scale Integration (VLSI) Systems, 2019,27(2):364-375. doi: 10.1109/TVLSI.2018.2877438 URL

符号	含义
PUF	物理不可克隆函数
CRP	激励响应对
D	设备
S	应用服务器
AS	认证服务器
TGS	票据授权服务器
ID	标识
Nonce	随机数
TGT	票据授权票据

		标准Kerberos协议	本文扩展协议
Message1	TGT_REQ	{ID_Client, password}	{ID_D}
Message2	AUTH_CHALLENGE	——	{ID_D,Chal_D,Nonce1,MAC1}
Message3	AUTH_RESPONSE	——	{ID_D,Nonce2,MAC2}
Message4	TGT_GRT	$\left\{ {{E}_{{{K}_{D}}}}\left( {{K}_{D,TGS}} \right)\text{ },TGT\text{ } \right\}$	${{E}_{{{K}_{D}}}}\left( Nonce2,{{K}_{D,TGS}} \right)\text{ },TGT\text{ }$

语句	含义
$A\|\equiv X$	A相信X
$A\triangleleft X$	A看到X,即A收到包含X的消息
$A\|\sim X$	A发送过X
$A\|\Rightarrow X$	A对X具有管辖权
$\#\left( X \right)$	X就是新鲜的
$A\xrightarrow{K}B$	A和B的共享密钥是K
${{\left\{ X \right\}}_{K}}$	使用密钥K加密X