Presentation is loading. Please wait.

Presentation is loading. Please wait.

Proof Methods for an MSR Analysis of Kerberos 5 Frederick Butler, Iliano Cervesato, Aaron D. Jaggard, and Andre Scedrov Supported by ONR URI.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Proof Methods for an MSR Analysis of Kerberos 5 Frederick Butler, Iliano Cervesato, Aaron D. Jaggard, and Andre Scedrov Supported by ONR URI."— Presentation transcript:

1 Proof Methods for an MSR Analysis of Kerberos 5 Frederick Butler, Iliano Cervesato, Aaron D. Jaggard, and Andre Scedrov Supported by ONR URI

2 Kerberos Project Goals uGive precise statement and formal analysis of a real world protocol Formalize and analyze Kerberos 5 using MSR uIdentify and formalize protocol goals uGive proofs of achieved protocol goals Gain experience in reasoning with MSR uNote any anomalous behavior Consider possible fixes, test these

3 Background uKerberos 4 Analyzed using inductive approach (Bella & Paulson) uKerberos 5 Simplified version analyzed with Murφ (Mitchell, Mitchell, & Stern) uMultiSet Rewriting (MSR) (Cervesato, Durgin, Lincoln, Mitchell, & Scedrov)

4 Achievements uFormalizations of fragments of Kerberos 5 Using MSR 2.0 + extensions Three formalizations (look at two here) uFormal analysis of protocol Proofs of protocol properties –Using rank and corank functions (our focus here) –Properties and proofs show parallels between abstract and detailed formalizations Curious behavior seen uInteractions with Kerberos designers

5 Introduction Kerberos Overview Formalizing Kerberos 5 Analyzing Kerberos 5 Anomalies

6 Kerberos 5 uAuthentication Repeatedly authenticate a client to multiple servers uClient C wants ticket for end server S Tickets are encrypted – unreadable by C uC first obtains long term (e.g., 1 day) ticket from a Kerberos Authentication Server K Makes use of C’s long term key uC then obtains short term (e.g., 5 min.) ticket from a Ticket Granting Server T Based on long term ticket from K C sends this ticket to S

7 Protocol Messages Please give me ticket for T Ticket for C to give to T C K Ticket from K, one for S? Ticket for C to give to S C T Ticket from T Confirmation (optional) C S C K C T C S C K|T|S Error message (unencrypted)

8 Introduction Kerberos Overview Formalizing Kerberos 5 Analyzing Kerberos 5 Anomalies

9 Two Formalizations uUse MSR 2.0 + some extensions uAbstract formalization Contains core protocol –Enough detail to prove authentication and confidentiality Exhibits some curious behavior (structural) uDetailed formalization Refines abstract formalization by adding options, checksums Exhibits additional curious behavior

10 MSR Facts and States uFix a first order signature corresponding to the protocol uTerm t ::= a | x | f(t 1, …, t n ) uFact F ::= P(t 1, …, t n ) Predicate describes network, intruder knowledge, internal states, or stored data uState Multiset of facts

11 MSR Rules uTransition rule R C 1, …, C i, F 1, …, F j   x 1 …  x m. G 1, …, G k Constraints C 1, …, C i satisfied and M a multiset containing F 1, …, F j Obtain new multiset M’ from M by –Deleting F 1, …, F j –Adding G 1, …, G k with fresh symbols in place of the x i Free variables in rule universally quantified uTrace Sequence of multisets with M i+1 obtained from M i via some rule ρ i

12 Introduction Kerberos Overview Formalizing Kerberos 5 Analyzing Kerberos 5 Anomalies

13 Proof Methods uTwo classes of functions defined on MSR facts k-Rank –Data origin authentication –Work done to encrypt a specific message with key k E-Corank –Confidentiality –Work needed to extract information using keys from the set E uInspired by work of Schneider Our corank functions parallel his rank functions

14 The k-rank of t relative to m 0 t =ρ k (t; m 0 ) = Atomic0 {m 0 } k 1 {m 1 } k, ρ k (m 1 ; m 0 ) = 0, m 1  m 0 0 {m 1 } k, ρ k (m 1 ; m 0 ) > 0ρ k (m 1 ; m 0 ) + 1 {m 1 } k’, k’  kρ k (m 1 ; m 0 ) [m 0 ] k 1 [m 0 ] k, ρ k (m 1 ; m 0 ) = 0, m 1  m 0 0 [m 1 ] k, ρ k (m 1 ; m 0 ) > 0ρ k (m 1 ; m 0 ) + 1 [m 1 ] k’, k’  kρ k (m 1 ; m 0 ) t 1,t 2 max{ρ k (t 1 ; m 0 ), ρ k (t 2 ; m 0 )}

15 t =cρ E (t; m 0 ) = m 0 (atomic)0 Atomic, t  m 0 ∞ {m 1 } k, k in Ecρ E (m 1 ; m 0 ) + 1 {m 1 } k, k not in Ecρ E (m 1 ; m 0 ) [m 1 ] k ∞ t 1,t 2 min{cρ E (t 1 ; m 0 ), cρ E (t 2 ; m 0 )} The E-corank of t relative to m 0

16 (Co)Rank of Facts and States uRank of a j-ary predicate P: ρ k (P(t 1, …, t j ); m 0 ) = max{ρ k (t 1 ; m 0 ), …, ρ k (t j ; m 0 )} uRank of a finite multiset M of facts ρ k (M; m 0 ) = max F in M {ρ k (F; m 0 )} uCorank of a j-ary predicate P: cρ k (P(t 1, …, t j ); m 0 ) = min{cρ k (t i 1 ; m 0 ), …, cρ k (t i n ; m 0 )}, where t i 1, …, t i n are the ‘public’ terms –Look at those terms may be placed on the network later –In particular, cρ E (I(m 0 ); m 0 ) = 0 uCorank of a finite multiset M of facts cρ k (M; m 0 ) = min F in M {cρ k (F; m 0 )}

17 Effect of Rules on (Co)Rank uFor a transition rule R: C 1, …, C i, F 1, …, F j   x 1 …  x m. G 1, …, G k Compare possible values of ρ k ({F 1, …, F j }; m 0 ) and ρ k ({G 1, …, G k }; m 0 ) Compare possible values of cρ k ({F 1, …, F j }; m 0 ) and cρ k ({G 1, …, G k }; m 0 ) Determine whether or not R can increase/decrese rank/corank

18 Intruder’s Use of Keys uA reasonable formalization should satisfy: If intruder rule R increases ρ k (_; m 0 ), then lhs(R) contains I(k) (i.e., intruder knows the key k) If intruder rule R decreases cρ E (_; m 0 ), then lhs(R) contains I(k) for some k in E or rhs(R) contains  m 0. uOur formalization of the Dolev-Yao intruder satisfies these properties

19 General Approach uAnalogs of Schneider’s Rank Theorem If ρ k (F; m 0 ) = 0 for every fact in initial state and no intruder rule can increase ρ k (_; m 0 ), then a fact F with ρ k (F; m 0 ) > 0 implies that some honest principal created {m 0 } k –Show that the must have been a certain principal If cρ E (F; m 0 ) > 0 for every fact in initial state, no intruder rule can decrease cρ E (_; m 0 ), and no honest principal creates a fact F with cρ E (F; m 0 ) = 0, then m 0 is secret –cρ E (I(m 0 ); m 0 ) = 0

20 Using Rank and Corank uDetermine which (co)rank function(s) are applicable to the desired property uInspect rules of principals Determine which can possibly raise rank or lower corank uLook at intruder rules Find conditions which ensure that the intruder cannot raise rank/lower corank –Usually secrecy of certain key(s)

21 Protocol Messages (Again) Please give me ticket for T Ticket for C to give to T C K Ticket from K, one for S? Ticket for C to give to S C T Ticket from T Confirmation (optional) C S C K C T C S C K|T|S Error message (unencrypted)

22 Two Formalizations KOpts,C,T,n 1,e C,{Tflags,k CT,C} k T, {k CT,n 1,Tflags,T} e’ k C {Tflags,k CT,C} k T,{C,MD,t} k CT,Topts,C,S,n 2,e C,{Sflags,k CS,C} k S,{k CS,n 2, Sflags,S} e’ k CT SOpts,{Sflags,k CS,C} k S,{C,MD’,t’} k CS [{t’} e k CS ] C K|T|S KRB_ERROR,[-|t|t’],t err,ErrCode,C,(K|T|S) C K C T C S C T C K C S

23 Properties Proved ConfidentialityAuthentication Ticket Granting Exchange Client/Server Exchange Abstract Detailed Abstract Detailed Abstract

24 Abstract Authentication Theorem uIf T processes the message {k CT,C} k T, {C} k CT,C,S,n 2 then some K created k CT and sent C,{k CT,C} k T, {k CT,n 1,T} k C and C sent some X,{C} k CT,C,S’,n’ 2 uIn Kerberos 4, C must have sent the ticket and not the generic X (Bella & Paulson) uSimilar theorem for Client/Server exchange Ticket came from T, authenticator from C

25 Detailed Authentication Theorem uAdd details to obtain theorem for detailed formalization Prove this by adding details to abstract level proof uIf T processes the message {TFlags,k CT,C} k T, {C,ck,t} k CT,TOpts,C,S,n 2,e then some K created k CT and sent C,{TFlags,k CT,C} k T, {k CT,n 1,TFlags,T} k C and C sent some X,{C,ck,t} k CT,TOpts’,C,S’,n’ 2,e’ with ck = [TOpts’,C,S’,n’ 2,e’] k CT

26 Proving Authentication uAuthenticate data origin using rank Show ticket {TFlags,k CT,C} k T originates with some K Show authenticator {C,ck,t} k CT originates with C –Relies on the confidentiality of k CT Prove confidentiality of k CT using {k C,k T }-corank –No proper subset of {k C,k T } protects k CT Abstract level proofs follow same outline

27 Introduction Kerberos Overview Formalizing Kerberos 5 Analyzing Kerberos 5 Anomalies

28 uInteresting curiosities, but don’t appear dangerous We’ve just seen that authentication does hold uEncryption type anomaly Difficult to recover from lost long term key uTicket switch anomaly Client has incorrect beliefs about data in her possession –Application to anonymous tickets (anonymous option under review) uTicket option anomaly Effects similar to ticket switch anomaly

29 Encryption Type Anomaly uKerberos 5 allows C to specify encryption types that she wants used in K’s response uC’s key associated with the etype e bad is k bad Intruder I learns k bad C knows this and attempts to avoid e bad /k bad I can still force k bad to be used Please give me ticket for T using etype (sent unencrypted) C K Ticket for C to give to T (other info encrypted using etype) C K

30 Ticket Anomaly Ticket for C to give to T C K uKerberos 4: Ticket is enclosed in another encryption uKerberos 5: Ticket is separate from other encryption {Ticket, Other data} k C Ticket, {Other data} k C

31 Ticket Anomaly Please give me a ticket for T Ticket for T, {Other data} k C C K X, Ticket for S? Ticket for S. T I X, {Other data} k C I (cuts Ticket)C I Ticket from K, ticket for S? IC C K T

32 Ticket Anomaly uT grants the client C a ticket for S uC has never sent a proper request for a ticket C never has the ticket for T C thinks she has sent a proper request C’s view of the world is inaccurate Some properties of Kerberos 4 don’t hold here uSeen in both formalizations Variations possible using added detail –Anonymous tickets

33 Ticket Option Anomaly uC obtains tickets ST and ST’ with different options for use with server S uC does not request mutual authentication from S, so she does not expect a response if the requests are successfully processed uAssume that S can detect replays Saves authenticators in a cache (following RFC 1510)

34 Ticket Option Anomaly Ticket ST from T, {t} k CS Replay error from time t I S C I Ticket ST’ from T, {t’} k’ CS C I Error at time t C I Ticket ST from T, {t} k CS I S (Accepted) Ticket ST from T, {t} k CS I S

35 Ticket Option Anomaly uC’s request at time t was accepted, but her request at time t’ was never seen by S uC sees an error message with the timestamp t Might assume request at t not accepted, request at t’ accepted I uses the replay to unpack the encrypted timestamp t S’s use of a replay cache allows this to occur uEffects are similar to those of ticket switch found before but for more ticket options Replay cache not yet formalized

36 Conclusions uFormalizations of Kerberos 5 at different levels of detail Extended MSR to do this MSR can handle real world protocols uProofs of properties which hold here Parallel theorems and proofs in two formalizations Authentication and confidentiality throughout Gained additional experience in reasoning with MSR uCurious behavior uInteractions with Kerberos designers

37 Future Work uSystematize definition and use of (co)rank functions Need to determine ‘public terms’ for corank uAnalysis Investigate temporal checks Properties in more detailed formalizations Anomalies – what can we still prove? Fix? Accept? uExtend formalizations Add structure and functionality uContinue interaction with Kerberos designers

Download ppt "Proof Methods for an MSR Analysis of Kerberos 5 Frederick Butler, Iliano Cervesato, Aaron D. Jaggard, and Andre Scedrov Supported by ONR URI."

Similar presentations

Security attacks. - confidentiality: only authorized parties have read access to information - integrity: only authorized parties have write access to.

Security attacks. - confidentiality: only authorized parties have read access to information - integrity: only authorized parties have write access to.
AUTHENTICATION AND KEY DISTRIBUTION

AUTHENTICATION AND KEY DISTRIBUTION
Overview Network security involves protecting a host (or a group of hosts) connected to a network Many of the same problems as with stand-alone computer.

Overview Network security involves protecting a host (or a group of hosts) connected to a network Many of the same problems as with stand-alone computer.
Supervisor :Dr. Lo'ai Ali Tawalbeh Done by: Wa’el Musa Hadi

Supervisor :Dr. Lo'ai Ali Tawalbeh Done by: Wa’el Musa Hadi
A less formal view of the Kerberos protocol J.-F. Pâris.

A less formal view of the Kerberos protocol J.-F. Pâris.
IT 221: Introduction to Information Security Principles Lecture 8:Authentication Applications For Educational Purposes Only Revised: October 20, 2002.

IT 221: Introduction to Information Security Principles Lecture 8:Authentication Applications For Educational Purposes Only Revised: October 20, 2002.
Authentication Applications The Kerberos Protocol Standard

Authentication Applications The Kerberos Protocol Standard
Key distribution and certification In the case of public key encryption model the authenticity of the public key of each partner in the communication must.

Key distribution and certification In the case of public key encryption model the authenticity of the public key of each partner in the communication must.
Akshat Sharma Samarth Shah

Akshat Sharma Samarth Shah
Authenticating Users. Objectives Explain why authentication is a critical aspect of network security Explain why firewalls authenticate and how they identify.

Authenticating Users. Objectives Explain why authentication is a critical aspect of network security Explain why firewalls authenticate and how they identify.
Lecture 3Dr. Verma1 COSC 6397 – Information Assurance Module M2 – Protocol Specification and Verification University of Houston Rakesh Verma Lecture 3.

Lecture 3Dr. Verma1 COSC 6397 – Information Assurance Module M2 – Protocol Specification and Verification University of Houston Rakesh Verma Lecture 3.
Brewer’s Conjecture and the Feasibility of Consistent, Available, Partition-Tolerant Web Services Authored by: Seth Gilbert and Nancy Lynch Presented by:

Brewer’s Conjecture and the Feasibility of Consistent, Available, Partition-Tolerant Web Services Authored by: Seth Gilbert and Nancy Lynch Presented by:
1 Distributed Computer Security: Authentication and Key Distribution Vijay Jain CSc 8320, Spring 2007.

1 Distributed Computer Security: Authentication and Key Distribution Vijay Jain CSc 8320, Spring 2007.
Deeper Security Analysis of Web-based Identity Federation Apurva Kumar IBM Research – India.

Deeper Security Analysis of Web-based Identity Federation Apurva Kumar IBM Research – India.
Specifying Kerberos 5 Cross-Realm Authentication Iliano Cervesato, Aaron D. Jaggard, Andre Scedrov, and Chris Walstad Supported by ONR, NSF, NRL.

Specifying Kerberos 5 Cross-Realm Authentication Iliano Cervesato, Aaron D. Jaggard, Andre Scedrov, and Chris Walstad Supported by ONR, NSF, NRL.
Chapter 14 From Cryptography and Network Security Fourth Edition written by William Stallings, and Lecture slides by Lawrie Brown, the Australian Defence.

Chapter 14 From Cryptography and Network Security Fourth Edition written by William Stallings, and Lecture slides by Lawrie Brown, the Australian Defence.
Winter 2006Prof. R. Aviv: Kerberos1 Kerberos Authentication Systems.

Winter 2006Prof. R. Aviv: Kerberos1 Kerberos Authentication Systems.
1 Lecture 12: Kerberos terms and configuration phases –logging to network –accessing remote server replicated KDC multiple realms message privacy and integrity.

1 Lecture 12: Kerberos terms and configuration phases –logging to network –accessing remote server replicated KDC multiple realms message privacy and integrity.
Modeling Insider Attacks on Group Key Exchange Protocols Jonathan Katz Ji Sun Shin University of Maryland.

Modeling Insider Attacks on Group Key Exchange Protocols Jonathan Katz Ji Sun Shin University of Maryland.
1 Authentication Applications Digital Signatures Security Concerns X.509 Authentication Service Kerberos Based on slides by Dr. Lawrie Brown of the Australian.

1 Authentication Applications Digital Signatures Security Concerns X.509 Authentication Service Kerberos Based on slides by Dr. Lawrie Brown of the Australian.

Similar presentations

Ads by Google