Refining Computationally Sound Mech. Proofs for Kerberos

Similar documents
Computationally Sound Mechanized Proof of PKINIT for Kerberos

Cryptographically Sound Security Proofs for Basic and Public-key Kerberos

Breaking and Fixing Public-Key Kerberos

Breaking and Fixing Public-Key Kerberos

Security Analysis of Network Protocols. John Mitchell Stanford University

Specifying Kerberos 5 Cross-Realm Authentication

Inductive Trace Properties for Computational Security

CS 395T. Formal Model for Secure Key Exchange

On Symmetric Encryption with Distinguishable Decryption Failures

Verifying Real-World Security Protocols from finding attacks to proving security theorems

Plaintext Awareness via Key Registration

Concrete cryptographic security in F*

Proofs for Key Establishment Protocols

IND-CCA2 secure cryptosystems, Dan Bogdanov

Cryptography CS 555. Topic 16: Key Management and The Need for Public Key Cryptography. CS555 Spring 2012/Topic 16 1

Homework 3: Solution

CSC 5930/9010 Modern Cryptography: Public Key Cryptography

: Practical Cryptographic Systems March 25, Midterm

Automated Security Proofs with Sequences of Games

Inductive Trace Properties for Computational Security

CSA E0 312: Secure Computation October 14, Guest Lecture 2-3

MTAT Research Seminar in Cryptography IND-CCA2 secure cryptosystems

Protocols II. Computer Security Lecture 12. David Aspinall. 17th February School of Informatics University of Edinburgh

Lecture 8 - Message Authentication Codes

CSC 5930/9010 Modern Cryptography: Digital Signatures

for Compound Authentication

On the Security of a Certificateless Public-Key Encryption

CSC 774 Network Security

From CryptoVerif Specifications to Computationally Secure Implementations of Protocols

Overview of Cryptography

Applied Cryptography and Computer Security CSE 664 Spring 2017

Computer Security. 08r. Pre-exam 2 Last-minute Review Cryptography. Paul Krzyzanowski. Rutgers University. Spring 2018

Uses of Cryptography

Session key establishment protocols

Data Security and Privacy. Topic 14: Authentication and Key Establishment

Session key establishment protocols

CSC/ECE 774 Advanced Network Security

Cryptographic protocols

Identification Schemes

Solutions to exam in Cryptography December 17, 2013

Radius, LDAP, Radius, Kerberos used in Authenticating Users

Distributed Key Management and Cryptographic Agility. Tolga Acar 24 Feb. 2011

Lecture 18 - Chosen Ciphertext Security

Design and Analysis of Protocols The Spyce Way

Verification of Security Protocols

Formal Methods and Cryptography

Lecture 14 Alvaro A. Cardenas Kavitha Swaminatha Nicholas Sze. 1 A Note on Adaptively-Secure NIZK. 2 The Random Oracle Model

Key Exchange in IPsec revisited: Formal Analysis of IKEv1 and IKEv2. Cas Cremers, ETH Zurich

Lecture 3.4: Public Key Cryptography IV

A modified eck model with stronger security for tripartite authenticated key exchange

Auth. Key Exchange. Dan Boneh

Key Establishment. Colin Boyd. May Department of Telematics NTNU

CSC 5930/9010 Modern Cryptography: Public-Key Infrastructure

T Cryptography and Data Security

Security Protocol Verification: Symbolic and Computational Models

Security Protocol Verification: Symbolic and Computational Models

UNIT - IV Cryptographic Hash Function 31.1

Cryptography. Andreas Hülsing. 6 September 2016

Password. authentication through passwords

Cryptographically Sound Implementations for Typed Information-Flow Security

Cryptographic Hash Functions

Computer Security CS 526

Cristina Nita-Rotaru. CS355: Cryptography. Lecture 17: X509. PGP. Authentication protocols. Key establishment.

Formal Verification of the WireGuard Protocol

A CCA2 Secure PKE Based on McEliece Assumptions in the Standard Model

INDIAN INSTITUTE OF TECHNOLOGY KHARAGPUR Stamp / Signature of the Invigilator

A robust smart card-based anonymous user authentication protocol for wireless communications

A Framework for Universally Composable Diffie-Hellman Key Exchange

Crypto Background & Concepts SGX Software Attestation

Applied Cryptography and Computer Security CSE 664 Spring 2018

Symmetric Encryption 2: Integrity

Inductive Proofs of Computational Secrecy

Cryptographic Checksums

CS 161 Computer Security

Parallel Network File System with Authenticated Key Exchange Protocols

SEMINAR REPORT ON BAN LOGIC

Outline More Security Protocols CS 239 Computer Security February 6, 2006

Symmetric-Key Cryptography Part 1. Tom Shrimpton Portland State University

Fall 2010/Lecture 32 1

CSE 127: Computer Security Cryptography. Kirill Levchenko

Computer Security CS 426 Lecture 35. CS426 Fall 2010/Lecture 35 1

Outline. More Security Protocols CS 239 Security for System Software April 22, Needham-Schroeder Key Exchange

1 Identification protocols

Outline More Security Protocols CS 239 Computer Security February 4, 2004

Feedback Week 4 - Problem Set

Advanced Cryptography 1st Semester Symmetric Encryption

Lecture 5: Protocols - Authentication and Key Exchange* CS 392/6813: Computer Security Fall Nitesh Saxena

Attribute-Based Authenticated Key Exchange

Lecture 1: Course Introduction

Using CryptoVerif Proof technique Encrypt-then-MAC FDH Conclusion. CryptoVerif. Bruno Blanchet. INRIA Paris-Rocquencourt

Inter-Domain Identity-based Authenticated Key Agreement Protocol from the Weil Pairing

1 Defining Message authentication

Authenticated Encryption in SSH: Provably Fixing the SSH Binary Packet Protocol

A Modular Security Analysis of the TLS Handshake Protocol

CS 395T. JFK Protocol in Applied Pi Calculus

CPSC 467: Cryptography and Computer Security

Encryption from the Diffie-Hellman assumption. Eike Kiltz

Towards Post-Quantum Cryptography Standardization. Lily Chen and Dustin Moody National Institute of Standards and Technology USA

Authenticated encryption

Lecture 8. 1 Some More Security Definitions for Encryption Schemes

Transcription:

Refining Computationally Sound Mechanized Proofs for Kerberos Bruno Blanchet Aaron D. Jaggard Jesse Rao Andre Scedrov Joe-Kai Tsay 07 October 2009 Protocol exchange Meeting Partially supported by ANR, DGA, NSF, OSD/AFOSR, and ONR

Project Background Formalization and analysis of Kerberos 5, with and without PKINIT in public-key mode, using CryptoVerif CryptoVerif [Blanchet] works directly in the computational model Initial work on Kerberos was first computationally sound mechanized proof of an industrial-sized protocol Part of an ongoing analysis of the Kerberos 5 suite Previously discovered a flaw in a draft version of PKINIT used in Windows (XP/2000) and Windows Server 2003 [CJSTW] PKINIT in particular is complex; Kerberos and PKINIT are available for all major operating systems

Overview of Results Proved authentication, secrecy, and usability Keys might be distinguishable from random, but still fine to use [DDMW] Define INT-CTXT usability Refine earlier CryptoVerif formalization Study crypto assumptions needed

Related Protocol Work Symbolic analysis of Kerberos (basic and public key) using MSR (includes the attack on public-key mode in PKINIT draft version) [BCJSW 02, 03, 06],[CJSTW 06] Computationally sound, by-hand proofs using the BPW framework [BCJST 06] By-hand, symbolic correctness proof of IEEE 802.11i and TLS using PCL [HSDDM 05] By-hand correctness proof of Diffie-Hellman mode of PKINIT using Computational PCL [RDDM 07] ProVerif analysis of PKINIT in DH mode [KT, CSF 09] Symbolic analysis of IETF IKE with NRL Protocol Analyzer [M 99] Symbolic analysis of Kerberos 4 and TLS using Isabelle [BP 97],[P 97]

(Selected) Mechanized Prover Background CryptoVerif: computationally sound, mechanized prover [B 06, 07] Beginnings of automation of BPW using Isabelle [BBPSW 06] AVISPA tool for automated symbolic validation of protocols and applications [ABBCCCHDHKMMORSTVV 05] ProVerif: automatic Dolev Yao verification tool [B 04] Scyther: automatic Dolev Yao verification tool [C 06] Computationally sound, automated symbolic analysis using Casrul tool [CW 05]...

Kerberos Kerberos and CryptoVerif Goals Repeatedly authenticate a client to multiple servers based on single login Remote login, file access, print spooler, email, directory,... A real-world protocol Part of Windows, Linux, Unix, MacOS,... Cable TV boxes, high-availability server systems,... Standardization and ongoing extension/refinement by IETF RFC 4120 (Kerberos 5), RFC 4556 (PKINIT),...

Abstract Kerberos Messages C K : C, T, n 1 C K : C, TGT, {AK, n 1, t K, T } kc C T : TGT, {C, t C } AK, S, n 2 C T : C, ST, {SK, n 3, t T, S} AK C S: ST, {C, t C } SK C S: {t C } SK (TGT = {AK, t K, C} kt ) (ST = {SK, t T, C} ks )

Abstract Kerberos Messages C K : C, T, n 1 C K : C, TGT, {AK, n 1, t K, T } kc C T : TGT, {C, t C } AK, S, n 2 C T : C, ST, {SK, n 3, t T, S} AK C S: ST, {C, t C } SK C S: {t C } SK (TGT = {AK, t K, C} kt ) (ST = {SK, t T, C} ks )

Abstract Kerberos Messages C K : C, T, n 1 C K : C, TGT, {AK, n 1, t K, T } kc C T : TGT, {C, t C } AK, S, n 2 C T : C, ST, {SK, n 3, t T, S} AK C S: ST, {C, t C } SK C S: {t C } SK (TGT = {AK, t K, C} kt ) (ST = {SK, t T, C} ks )

Public-Key Kerberos Extend basic Kerberos 5 to use public keys Change first round to avoid long-term shared keys (k C ): C K : Cert C, [t C, n 2] skc,c, T, n 1 C K : {{Cert K, [k, ck] skk }} pkc,c, TGT, {AK, n 1, t K, T } k (ck is checksum over request to which K is responding.) Motivation/benefits Administrative convenience: Avoid the need to register shared key to use Kerberized services Security: Avoid use of password-derived keys Smartcard authentication support

Public-Key Kerberos Extend basic Kerberos 5 to use public keys Change first round to avoid long-term shared keys (k C ): C K : Cert C, [t C, n 2] skc,c, T, n 1 C K : {{Cert K, [k, ck] skk }} pkc,c, TGT, {AK, n 1, t K, T } k (ck is checksum over request to which K is responding.) Motivation/benefits Administrative convenience: Avoid the need to register shared key to use Kerberized services Security: Avoid use of password-derived keys Smartcard authentication support

Cryptographic Assumptions Authentication Secrecy (IND-CCA2) Usability Public-key encryption assumed to satisfy IND-CCA2 Signature scheme assumed to satisfy UF-CMA Symmetric encryption assumed to satisfy IND-CPA and INT-CTXT (and thus IND-CCA2 and INT-PTXT [BN 00]) Hash function assumed to be collision resistant (We ll return to this.)

Cryptographic Assumptions Authentication Secrecy (IND-CCA2) Usability Public-key encryption assumed to satisfy IND-CCA2 Signature scheme assumed to satisfy UF-CMA Symmetric encryption assumed to satisfy IND-CPA and INT-CTXT (and thus IND-CCA2 and INT-PTXT [BN 00]) Hash function assumed to be collision resistant (We ll return to this.)

Authentication I Kerberos and CryptoVerif Authentication Secrecy (IND-CCA2) Usability Using CryptoVerif, we can show that the following hold with overwhelming probability for basic and public-key Kerberos: Authentication (injective) of the KAS to the client If an honest client receives what appears to be a valid reply from the KAS, then the KAS generated a reply for the client. Authentication of request for service ticket If an honest TGS processes a valid request for a service ticket, then the ticket in the request was generated by the KAS and the authenticator included in the request was generated by the client.

Authentication II Kerberos and CryptoVerif Authentication Secrecy (IND-CCA2) Usability Again, with overwhelming probability for basic and public-key Kerberos: Authentication (injective) of TGS to client Authentication of request to server Authentication of server to client

Key Secrecy Kerberos and CryptoVerif Authentication Secrecy (IND-CCA2) Usability In both basic and public-key Kerberos, we have: Secrecy of AK If an honest client C finishes an AS exchange with the KAS that generate the authentication key AK for use between C and an honest TGS, then AK is secret w.r.t. the real-or-random definition of secrecy. Secrecy of SK If an honest client finishes a TG exchange with an honest TGS that generated the service key SK for use between C and an honest server S, then SK is secret with respect to the real-or-random definition of secrecy. These keys will be distinguishable from random once they are used for encryption in the subsequent requests.

Subsession Key Secrecy Authentication Secrecy (IND-CCA2) Usability The final round of Kerberos can be used by C and S to agree on a subsession key for further use This key can be generated by either the client or the server CryptoVerif proves that both basic and public-key Kerberos preserve: Secrecy of the key possessed by the party that generated the subsession key One-session secrecy of the key possessed by the other party of {C, S} Difference from possibility of replays Party accepting (not generating) key might accept same key multiple times, allowing it to be distinguished from random Current formalization lacks replay cache

Key Usability Kerberos and CryptoVerif Authentication Secrecy (IND-CCA2) Usability Notion of key usability introduced by Datta, Derek, Mitchell, and Warinschi [2006] Weaker than being indistinguishable from random Captures whether a key is still good for future cryptographic operations Important for protocols that perform operations with a key during a run and allow future use of the key Definition parallels definition of key indistinguishability Two-phase attacker (Ae, Ac): Ae interacts with protocol session, then Ac tries to win an attack game that uses the exchanged keys, e.g., IND-CCA2 against an encryption scheme During the second phase, Ac cannot interact with protocol sessions

Key Usability with CryptoVerif Authentication Secrecy (IND-CCA2) Usability Stronger version of key usability (w.r.t. IND-CCA2 encryption) adversary can still interact with uncompleted protocol sessions during the attack game: Adversary A first interacts with polynomially many protocol sessions A requests a session ID to be drawn at random; let k be the key locally output in that session A is given access to LR-encryption oracle E k and a decryption oracle D k corresponding to k A plays a variant of the IND-CCA2 game where: A may interact with uncompleted protocol sessions, But all sessions do not accept ciphertexts output by E k when they reach a point of the protocol at which at least one session expects to receive a message encrypted under k

Key Usability in Kerberos Authentication Secrecy (IND-CCA2) Usability We can use CryptoVerif to prove Usability of AK : If an honest client C finishes a session of basic or public-key Kerberos involving the KAS and an honest TGS, then the authentication key AK is (strongly) usable for IND-CCA2-secure encryption. Usability of SK : If an honest client C finishes a session of basic or public-key Kerberos involving the KAS, an honest TGS, and an honest server, then the service SK is (strongly) usable for IND-CCA2-secure encryption.

Weakening Crypto Kerberos and CryptoVerif Authentication Secrecy (IND-CCA2) Usability Leak contents of authenticators {C, t} AK, C, t instead of just {C, t} AK {C, t } SK, C, t instead of just {C, t } SK This was suggested by examining by-hand proofs in Dolev Yao model The authentication results still hold for both basic and public-key Kerberos The secrecy of the subsession key also still holds for both basic and public-key Kerberos Advantage of CryptoVerif very fine control over cryptographic assumptions

(Strong) Not previously defined; how to define? In standard INT-CTXT game, attacker tries to produce a valid ciphertext that was not generated by the encryption oracle In the key-usability game, the attacker interacts with protocol sessions If these include encryptions by protocol participants, the attacker can trivially win the game This possibility highlighted by the use of CryptoVerif Currently check (strong) INT-CTXT usability of a session key k by having the decryption oracle refuse: Ciphertexts produced by the encryption oracle Ciphertexts produced by participants (using any session key)

Game for First, A is given the security parameter η and A can interact, as an active adversary, with polynomially many protocol sessions of Σ. At some point, at the request of A, a session identifier sid is drawn at random and A is given access to a encryption oracle E k (.) and a decryption oracle D k (.), both keyed with a key k locally output in session sid.

Adversary A plays a variant of an INT-CTXT game in which: A may submit messages m to E k (.), which returns E k (m); A never queries D k (.) on a cyphertext output by E k (.); A may interact with uncompleted protocol sessions; and if k is a key that is used at least once for encryption, then A never queries D k (.) on a cyphertext encrypted by any key playing the role of k in any one of the protocol sessions. (I.e., in Kerberos, if k is an authentication, resp. service, key that is used at least once for encryption, then A never queries D k (.) on a cyphertext encrypted by any authentication, resp. service, key.) The experiment outputs 1 (and A wins) if the decryption oracle properly decrypts a query by the adversary, i.e., outputs m, otherwise the experiment outputs 0.

(Strong) CryptoVerif can handle this definition Is it the right one? (It seems reasonable.) Proofs of INT-CTXT usability of AK and SK Recall that we have secrecy/one-session secrecy for the subsession key

The Problem Kerberos and CryptoVerif Additional Oracles Checksum Requirements Pointed out by Chao Feng (National University of Defense Technology, Hunan, China) In earlier formalization, only honest clients could get certificates This precluded insider attacks by dishonest clients

The Solution Kerberos and CryptoVerif Additional Oracles Checksum Requirements Added oracle to allow the attacker to obtain certificates for dishonest clients Without this, CryptoVerif proves security for broken version of PKINIT However, without these oracles we couldn t prove security using earlier version of CryptoVerif Added oracle to allow the attacker to obtain certificates for dishonest KASes KAS is assumed to be honest, so this doesn t have practical effect We can prove all the same results as before

PKINIT Message Flow Additional Oracles Checksum Requirements C K : Cert C, [t C, n 2] skc,c, T, n 1 C K : {{Cert K, [k, ck] skk }} pkc,c, TGT, {AK, n 1, t K, T } k ck is checksum over request to which K is responding This is a keyed hash; various options in specification

The Checksum Question Additional Oracles Checksum Requirements In checking the implementation of these oracles, the following issue arose: K sends C the message {{Cert K, [k, ck] skk }} pkc, C, TGT, {AK, n 1, t K, T } k ck is a checksum, keyed with k, over the request received by K This is intended to bind K s response to C s request Added after MITM attack discovered against draft version of PKINIT [CJSTW] If acting as a client, the adversary receives the k used to compute ck; might this help an attack?

Effects on Automated Proof Additional Oracles Checksum Requirements If K replies to the adversary (as a client), the adversary then gets the key k used to compute ck in that response One scenario: Adversary sends PKINIT request to K (as a client) and receives a response with k C sends PKINIT request to which the adversary responds with k In CryptoVerif, C gets name of TGS from the adversary If TGS namespace is large, the adversary may be able to influence the C s request so that the checksum (computed using k) matches that previously signed by K Adversary could then reply to C, replaying checksum signed by K In general, revelation of k to adversary seems to cause problems with proofs

Observations I Kerberos and CryptoVerif Additional Oracles Checksum Requirements If we assume ck is the output of a collision-resistant hash function, CryptoVerif is able to prove security as described If we assume ck is a UF-CMA MAC, then CryptoVerif cannot complete the proof Attacker knows the key k used to compute ck and can influence the message over which ck is computed The adversary learning the key

Observations II Kerberos and CryptoVerif Additional Oracles Checksum Requirements Temporal arguments are outside the scope of CryptoVerif. However: k is freshly generated by K and the adversary only learns k after ck has been computed After obtaining [k, ck] skk and learning k, the adversary must induce C to send a request whose checksum (computed with k) is ck The only part of C s message that the adversary can influence is the name of the TGS If the set of possible TGSes isn t too large, the adversary won t have enough flexibility We believe this is a modeling challenge, not a viable attack

Summary Kerberos and CryptoVerif Additional Oracles Checksum Requirements Proof of authentication and secrecy properties of PKINIT using the tool CryptoVerif Survey of initial results Extended our Kerberos analysis project to include mechanized proofs First mechanized proof of authentication and secrecy for a commercial/real-world protocol directly in the computational model Stronger notion of IND-CCA2 usability suitable for CryptoVerif Definition of (strong) INT-CTXT usability Suitable for use with CryptoVerif Proofs for Kerberos keys Added oracles needed for insider attacks Study of crypto assumptions for checksums

Future Work Kerberos and CryptoVerif Additional Oracles Checksum Requirements Refine INT-CTXT key usability definitions? Using weaker crypto (both for checksums and generally) What properties are required (or implicitly assumed)? What properties do we need? Add more details from Kerberos RFCs Adding lots of detail to key generation may cause games to explode

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback