Association for Computing Machinery
Public Key Kerberos (PKINIT) is a standardized authentication and key establishment protocol which is used by the windows active directory subsystem. In this paper the authors show that card-based public key kerberos is awed. In particular, access to a user's card enables an adversary to impersonate that user even after the adversary's access to the card is revoked. The attack neither exploits physical properties of the card, nor extracts any of its secrets. They propose protocol fixes and discuss properties that authentication and/or key establishment protocols should provide in order to be better equipped against the threats that arise due to the usage of smart cards.