for Compound Authentication

Similar documents
Protecting TLS from Legacy Crypto

Expires: September 10, 2015 Inria Paris-Rocquencourt A. Langley Google Inc. M. Ray Microsoft Corp. March 9, 2015

Verifying Real-World Security Protocols from finding attacks to proving security theorems

Internet Engineering Task Force (IETF) Google Inc. M. Ray Microsoft Corp. September 2015

A messy state of the union:

Preventing Attackers From Using Verifiers: A-PAKE With PK-Id

Verfying the SSH TLP with ProVerif

L13. Reviews. Rocky K. C. Chang, April 10, 2015

Understand the TLS handshake Understand client/server authentication in TLS. Understand session resumption Understand the limitations of TLS

Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2010

Network-based Origin Confusion Attacks against HTTPS Virtual Hosting

Information Security CS 526

MTAT Applied Cryptography

Part III TLS 1.3 and other Protocols

Noise Protocol Framework. Trevor Perrin

Network Security: TLS/SSL. Tuomas Aura T Network security Aalto University, Nov-Dec 2014

Refining Computationally Sound Mech. Proofs for Kerberos

CIS 6930/4930 Computer and Network Security. Topic 8.2 Internet Key Management

Key Agreement Schemes

CS 395T. Formal Model for Secure Key Exchange

Authentication Handshakes

Verification of Security Protocols

CSC 474/574 Information Systems Security

Attacks Against Websites 3 The OWASP Top 10. Tom Chothia Computer Security, Lecture 14

Auth. Key Exchange. Dan Boneh

SSL/TLS & 3D Secure. CS 470 Introduction to Applied Cryptography. Ali Aydın Selçuk. CS470, A.A.Selçuk SSL/TLS & 3DSec 1

Real-time protocol. Chapter 16: Real-Time Communication Security

Data Security and Privacy. Topic 14: Authentication and Key Establishment

Session key establishment protocols

Session key establishment protocols

Outline. Key Management. Security Principles. Security Principles (Cont d) Escrow Foilage Protection

CS 494/594 Computer and Network Security

CSCI 454/554 Computer and Network Security. Topic 8.2 Internet Key Management

Outline. Key Management. CSCI 454/554 Computer and Network Security. Key Management

Network Security (NetSec)

CIS 4360 Secure Computer Systems Applied Cryptography

TLS1.2 IS DEAD BE READY FOR TLS1.3

CSC/ECE 574 Computer and Network Security. Outline. Key Management. Key Management. Internet Key Management. Why do we need Internet key management

Breaking and Fixing Public-Key Kerberos

Outline. CSC/ECE 574 Computer and Network Security. Key Management. Security Principles. Security Principles (Cont d) Internet Key Management

Breaking and Fixing Public-Key Kerberos

Spring 2010: CS419 Computer Security

Network Security - ISA 656 IPsec IPsec Key Management (IKE)

Virtual Private Networks

Cryptography. Lecture 12. Arpita Patra

Introduction to Public-Key Cryptography

CIS 6930/4930 Computer and Network Security. Topic 6.2 Authentication Protocols

Network Security: TLS/SSL. Tuomas Aura T Network security Aalto University, Nov-Dec 2010

NCP Secure Enterprise macos Client Release Notes

Configuring EAP-FAST CHAPTER

Journal of Internet Banking and Commerce

A Messy State of the Union: Taming the Composite State Machines of TLS

no more downgrades: protec)ng TLS from legacy crypto

Applied Cryptography and Computer Security CSE 664 Spring 2017

Formally Linking Security Protocol Models and Implementations

One-Time-Password-Authenticated Key Exchange

Key Encryption as per T10/06-103

The EN-4000 in Virtual Private Networks

A Cryptographic Analysis of the TLS 1.3 Handshake Protocol Candidates. Felix Günther. Technische Universität Darmstadt, Germany

NCP Secure Entry macos Client Release Notes

T Cryptography and Data Security

1 Identification protocols

Request for Comments: 5422 Category: Informational H. Zhou Cisco Systems March 2009

CSCE 813 Internet Security Final Exam Preview

Hash Proof Systems and Password Protocols

Part II Bellare-Rogaway Model (Active Adversaries)

Attacks on re-keying and renegotiation in Key Exchange Protocols

A robust smart card-based anonymous user authentication protocol for wireless communications

Notes for Lecture 24

Public-Key Encryption, Key Exchange, Digital Signatures CMSC 23200/33250, Autumn 2018, Lecture 7

Computer Security 3e. Dieter Gollmann. Chapter 18: 1

CS 6324: Information Security More Info on Key Establishment: RSA, DH & QKD

VPN Overview. VPN Types

Secure Network Access Authentication (SeNAA)

The World Wide Web is widely used by businesses, government agencies, and many individuals. But the Internet and the Web are extremely vulnerable to

Measuring small subgroup attacks against Diffie-Hellman

Cisco Live /11/2016

Network Security: IPsec. Tuomas Aura

HOST Authentication Overview ECE 525

CPSC 467: Cryptography and Computer Security

Configuring Security for VPNs with IPsec

Internet Engineering Task Force (IETF) Request for Comments: Google Inc. October 2018

Downgrade Resilience in Key-Exchange Protocols

Inter-Domain Identity-based Authenticated Key Agreement Protocol from the Weil Pairing

Some optimizations can be done because of this selection of supported features. Those optimizations are specifically pointed out below.

SonicWALL Addendum. A Supplement to the SonicWALL Internet Security Appliance User's Guide

Transport Layer Security

Cryptographically Sound Security Proofs for Basic and Public-key Kerberos

CSC/ECE 774 Advanced Network Security

Identification Schemes

review of the potential methods

Module: Cryptographic Protocols. Professor Patrick McDaniel Spring CMPSC443 - Introduction to Computer and Network Security

Overview of TLS v1.3 What s new, what s removed and what s changed?

Protocols, Technologies and Standards Secure network protocols for the OSI stack P2.1 WLAN Security WPA, WPA2, IEEE i, IEEE 802.1X P2.

Release Notes. NCP Secure Enterprise Mac Client. 1. New Features and Enhancements. 2. Improvements / Problems Resolved. 3.

Formally Analyzing the TLS 1.3 proposal

WAP Security. Helsinki University of Technology S Security of Communication Protocols

Lecture 5: Protocols - Authentication and Key Exchange* CS 392/6813: Computer Security Fall Nitesh Saxena

Cryptographic Concepts

State of TLS usage current and future. Dave Thompson

Transcription:

Verified Contributive Channel Bindings for Compound Authentication Antoine Delignat-Lavaud, Inria Paris Joint work with Karthikeyan Bhargavan and Alfredo Pironti

Motivation: Authentication Composition Protocols for authenticated key exchange (AKE) and user authentication (UA) are well-studied and verified in isolation In practice, applications use complex sequences of AKE and UA protocols with re-keying, resumption and re-authentication 2

Motivation: Authentication Composition TLS, IPsec, QUIC Anti-pervasive encryption: cred S = anon X.509, token, password 3

Problem: Credentials Forwarding Attacks C believes M=S U uses same credential on M and S 4

Credentials Compromise is Real Password reuse, token leakage, etc. Key compromise (e.g. Heartbleed), PKI failure Validation failure Certificate parsing (e.g. CVE-2014-1568 universal PKCS#1 forgery in NSS) Protocol implementation bugs Goto fail Coming to Oakland: State Machine AttaCKs against TLS (smacktls.com) User ignores warning Application skips basic checks (e.g. host validation) 5

Typical Countermeasure: Channel Binding Extract channel identifier cb Channel-bound credential 6

Examples of Typical Compound Protocols Composed with TLS Composed with IKEv2 Composed with SSH EAP EAP USERAUTH SASL (e.g. SCRAM-PLUS) Re-authentication Re-keying Channel ID (e.g. cookie) Resumption Renegotiation / Resumption 7

TLS Renegotiation Attack [Ray & Rex 09] Countermeasure: cb = hash(log) If cert M cert S Then cb cb Renegotiate(cert C, cb) Renegotiate(cert C, cb ) 8

Triple Handshake Attack [IEEE S&P 14] New tls-session-hash proposal. Is it secure? cb = (cvd, svd) doesn t prevent credential forwarding! 9

Research Questions What are the security goals of compound protocols? Which channel bindings effectively achieve these goals? We want formal guarantees this time! 10

Threat Model Symbolic Dolev-Yao Attacker Perfect cryptographic primitives Attacker can freely instantiate any protocol with peers or act as MitM Credentials compromise Client and server credentials can be compromised Honest participants may be using compromised credentials 11

Formal Problem Statement Definition: Agreement at a in Authentication Protocols If: Principal a completes protocol instance I Peer b sent a non-compromised credential Session secrets in l have not been leaked Then: b is not the attacker The dual instance l ran by b agrees with l on public parameters and session secrets Credentials ci, cr Session identifier sid Channel binding cb Session key sk 12

Formal Problem Statement Definition: Compound Authentication A set of protocols {P1,, Pk} achieves compound authentication if, for any sequence of instances of these protocols, the following property holds: If: Principal a completes the sequence of protocol instance [I1,, ln] Peer b sent a non-compromised credential in some instance li Session secrets in li have not been leaked Then: b is not the attacker For all j in [1,n], the dual instance lj ran by b agrees with lj 13

IPSec Example: IKEv2+EAP Question: does IKEv2+EAP achieve compound authentication? 14

Small Subgroup Confinement Attacks Channel binding of IKEv2 based on Diffie-Hellman share and nonces: cb I = (g x mod π, n i, n r, MAC g xy mod π, I ) (n i, n r ) are nonces, (π, g) are Diffie-Hellman parameters What if the order g x of is small in < π >? Initiator can pick π, g, x such that g x has a small order IKEv2 forbids 0, 1, -1 but allows other small subgroups MitM can synchronize cb on both sides Fact: IKEv2+EAP doesn t achieve compound authentication See paper for similar attacks on TLS-SRP and TLS-ECDHE on Curve25519 15

Small Subgroup Confinement Attacks If channel binding depends on public parameters + Diffie-Hellman shares, improper DH validation breaks compound authentication But these exclusions are unnecessary for Diffie-Hellman. D. Berstein on the order 8 subgroup of Curve25519 allegedly not requiring validation If a peer can pick an arbitrary group (e.g. TLS-DHE) validation may be hard. Is it safer to use a transcript hash as channel binding? 16

Transcript Synchronization Attacks via Resumption Transcript hash may not authenticate all session parameters during resumption or re-keying TLS: resumption only proves agreement on PMS; can be synchronized (3HS). IKEv2: resumption similar to TLS ticket resumption; results in impersonation attack if IKEv2 re-authentication is supported (rare in practice). Using keys as credentials is dangerous! 17

Formal Evaluation of Channel Bindings We create ProVerif models of composed authentication schemes and evaluate whether they satisfy agreement and compound authentication In addition to credential compromise, we model small subgroup confinement attacks by adding a constructor for bad elements that is invariant by exponentiation: DHExp(badDH(gr), y) = baddh(gr). 18

Structure of Models and Queries Agreement Queries Compound Authentication 19

Results Model Synchronization Agreement (I) Agreement (R) Compound Auth Verification Time SSH + AUTH None (after explicit key confirmation) SSH + AUTH + Rekey None (after explicit key confirmation) SSH + AUTH + Rekey (cumulative hash) None (no explicit key confirmation) 1.9 s 1.9 s 0.6 s TLS with Ren./Res. sid, ms, cr, sr N/A N/A 1.3 s TLS + SCRAM sid, ms, cr, sr 15.6 s TLS + SCRAM (session hash) None 21.6 s http://prosecco.inria.fr/projects/channelbindings/ 20

SSH Triple Exchange Attack New proposal: Host key from S is honest but 2 nd peer was malicious Weak compound authentication: secret of l1 must not leak 21

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback