Breaking and Fixing Public-Key Kerberos

Similar documents
Breaking and Fixing Public-Key Kerberos

Cryptographically Sound Security Proofs for Basic and Public-key Kerberos

Refining Computationally Sound Mech. Proofs for Kerberos

Computationally Sound Mechanized Proof of PKINIT for Kerberos

Specifying Kerberos 5 Cross-Realm Authentication

Security Analysis of Network Protocols. John Mitchell Stanford University

Applied Cryptography and Computer Security CSE 664 Spring 2017

Information Security CS 526

Computer Networks & Security 2016/2017

Key Agreement Schemes

Lecture 5: Protocols - Authentication and Key Exchange* CS 392/6813: Computer Security Fall Nitesh Saxena

Network Security: Kerberos. Tuomas Aura

Lecture 1: Course Introduction

Data Security and Privacy. Topic 14: Authentication and Key Establishment

Kerberized Certificate Issuance Protocol (KX509)

Protocols II. Computer Security Lecture 12. David Aspinall. 17th February School of Informatics University of Edinburgh

Outline. More Security Protocols CS 239 Security for System Software April 22, Needham-Schroeder Key Exchange

Cryptography CS 555. Topic 16: Key Management and The Need for Public Key Cryptography. CS555 Spring 2012/Topic 16 1

Outline More Security Protocols CS 239 Computer Security February 6, 2006

Outline More Security Protocols CS 239 Computer Security February 4, 2004

CIS 4360 Secure Computer Systems Applied Cryptography

CPSC 467b: Cryptography and Computer Security

Session key establishment protocols

Acknowledgments. CSE565: Computer Security Lectures 16 & 17 Authentication & Applications

Session key establishment protocols

Cristina Nita-Rotaru. CS355: Cryptography. Lecture 17: X509. PGP. Authentication protocols. Key establishment.

CSCI 667: Concepts of Computer Security. Lecture 9. Prof. Adwait Nadkarni

Grenzen der Kryptographie

User Authentication Protocols Week 7

Real-time protocol. Chapter 16: Real-Time Communication Security

for Compound Authentication

Cryptography and Network Security

The Kerberos Authentication System Course Outline

Security Handshake Pitfalls

User Authentication Protocols

Verifying Real-World Security Protocols from finding attacks to proving security theorems

Fall 2010/Lecture 32 1

Formal Methods for Assuring Security of Computer Networks

Security and Privacy in Computer Systems. Lecture 7 The Kerberos authentication system. Security policy, security models, trust Access control models

Network Security: Classic Protocol Flaws, Kerberos. Tuomas Aura

CS 494/594 Computer and Network Security

L7: Key Distributions. Hui Chen, Ph.D. Dept. of Engineering & Computer Science Virginia State University Petersburg, VA 23806

Authentication Handshakes

T Cryptography and Data Security

Radius, LDAP, Radius, Kerberos used in Authenticating Users

KEY AGREEMENT PROTOCOLS. CIS 400/628 Spring 2005 Introduction to Cryptography. This is based on Chapter 13 of Trappe and Washington

KEY DISTRIBUTION AND USER AUTHENTICATION

Computer Security. 08r. Pre-exam 2 Last-minute Review Cryptography. Paul Krzyzanowski. Rutgers University. Spring 2018

CSC 474/574 Information Systems Security

L13. Reviews. Rocky K. C. Chang, April 10, 2015

March 26, Abstract

CS 161 Computer Security

1 Identification protocols

The KX.509 Protocol. William Doster Marcus Watts Dan Hyde University of Michigan ABSTRACT

Cryptographic Protocols 1

Cryptographically Sound Security Proofs forbasic and Public-Key Kerberos

Network Security (NetSec)

CIS 6930/4930 Computer and Network Security. Topic 7. Trusted Intermediaries

Public-key cryptography extensions into. Kerberos

Implementing Cryptography: Good Theory vs. Bad Practice

Key Exchange in IPsec revisited: Formal Analysis of IKEv1 and IKEv2. Cas Cremers, ETH Zurich

Introduction. Trusted Intermediaries. CSC/ECE 574 Computer and Network Security. Outline. CSC/ECE 574 Computer and Network Security.

CIS 6930/4930 Computer and Network Security. Topic 6.2 Authentication Protocols

A SECURE PASSWORD-BASED REMOTE USER AUTHENTICATION SCHEME WITHOUT SMART CARDS

Network Security (NetSec)

Persistent key, value storage

Chapter 9: Key Management

The Kerberos Authentication Service

Authentication in Distributed Systems

CS 470 Spring Security. Mike Lam, Professor. a.k.a. Why on earth do Alice and Bob need to share so many secrets?!?

CS 470 Spring Security. Mike Lam, Professor. a.k.a. Why on earth do Alice and Bob need to talk so much?!? Content taken from the following:

Cryptography & Key Exchange Protocols. Faculty of Computer Science & Engineering HCMC University of Technology

Strong Password Protocols

6. Security Handshake Pitfalls Contents

Course Administration

Protecting TLS from Legacy Crypto

Datasäkerhetsmetoder föreläsning 7

Network Security: TLS/SSL. Tuomas Aura T Network security Aalto University, Nov-Dec 2010

Trusted Intermediaries

AIT 682: Network and Systems Security

CS 161 Computer Security

A Smart Card Based Authentication Protocol for Strong Passwords

Digital Signatures. Public-Key Signatures. Arbitrated Signatures. Digital Signatures With Encryption. Terminology. Message Authentication Code (MAC)

Logic of Authentication

One-Time-Password-Authenticated Key Exchange

Kerberos V Security: Replay Attacks

Key Encryption as per T10/06-103

Outline Key Management CS 239 Computer Security February 9, 2004

Chip Authentication for E-Passports: PACE with Chip Authentication Mapping v2

Deploying a New Hash Algorithm. Presented By Archana Viswanath

NIST Cryptographic Toolkit

Lecture 6.2: Protocols - Authentication and Key Exchange II. CS 436/636/736 Spring Nitesh Saxena. Course Admin

EEC-682/782 Computer Networks I

CSE 127: Computer Security Cryptography. Kirill Levchenko

Lecture 13. Public Key Distribution (certification) PK-based Needham-Schroeder TTP. 3. [N a, A] PKb 6. [N a, N b ] PKa. 7.

Network Security. Kerberos and other Frameworks for Client Authentication. Dr. Heiko Niedermayer Cornelius Diekmann. Technische Universität München

Network Security and Internet Protocols

Overview. Terminology. Password Storage

Digital Signatures. Secure Digest Functions

CSC 5930/9010 Modern Cryptography: Public Key Cryptography

Transcription:

Breaking and Fixing Public-Key Kerberos Iliano Cervesato Carnegie Mellon University - Qatar iliano@cmu.edu Joint work with Andre Scedrov, Aaron Jaggard, Joe-Kai Tsay, Christopher Walstad ASIAN 06 December 7, 2006

Outline Kerberos 5 PKINIT Breaking PKINIT Fixing PKINIT Developments I. Cervesato: Breaking and Fixing Public-Key Kerberos 1

The Kerberos Verification Project Started in 2001 Test MSR on a real protocol Kerberos 5 was gaining popularity 2002-03: detailed analysis of main protocol Kerberos 5 behaves as expected Authentication and confidentiality properties hold Some anomalous behavior, but not attacks One still under review in the IETF Working Group 2004: cross-realm authentication Detailed analysis of what can go wrong if uncheckable hypothesis not met 2005: public-key extension of Kerberos PKINIT Serious attack Close, ongoing interactions with IETF WG I. Cervesato: Breaking and Fixing Public-Key Kerberos 2

Kerberos Goals Repeatedly authenticate a client to multiple servers Remote login, file access, print spooler, email,directory, Transparent to user History Kerberos 4: 1989 now (less and less) Kerberos 5: 1993 now (more and more) Developed by IETF Members from across industry Define interoperability standards 10 active documents, over 350 pages This is a live protocol New extensions under development in IETF WG A real world protocol Part of Windows, Linux, Unix, Mac OS, Microsoft will phase out all other authentication technology Cable TV boxes, high availability server systems, I. Cervesato: Breaking and Fixing Public-Key Kerberos 3

Basic Kerberos Operation User U Log on Client C Kerberos Authenticate C for U Credentials (TGT) KAS TGS Server Service S 1 st time Want to use S; here s the TGT Access request other times Credentials to use S (ST) Want to use S; here s the ST Ok Application messages I. Cervesato: Breaking and Fixing Public-Key Kerberos 4

Abstract Messages TGT = {AK,C} kt ST = {SK,C} ks C KAS T S Authenticate C, T, n 1 C for U C, Credentials TGT, {AK,n (TGT) 1,T} kc PKINIT Want TGT, to use {C,t} S; AK here s, C, S, the n 2 TGT Credentials C, ST, {SK,n to use 2,S} S AK (ST) Want to ST, use S; {C,t } here s SK the ST {t } Ok SK I. Cervesato: Breaking and Fixing Public-Key Kerberos 5

Public-Key Kerberos Extend basic Kerberos 5 to use Public Keys Change first round to avoid long-term shared keys (k C ) C KAS C, T, n 1 C, TGT, {AK,n 1,T} kc Motivations Security Avoid use of password-derived keys Smartcard authentication support If KAS is compromised, don t need to regenerate shared keys Administrative convenience Avoid the need to register in advance of using Kerberized services Delegate management of keys to external PKI I. Cervesato: Breaking and Fixing Public-Key Kerberos 6

PKINIT Revisions Now RFC 4556 Then, a series of IETF Drafts Last, -34 We found attack in 25 (May 2005) We analyzed -26 Traced back to 00 (1996) Attack fixed in 27 (July 2005) Widely deployed All versions of Windows since Win2K Linux since 2003 (Heimdal implementation) Domain specific systems CableLabs implementation for TV cable boxes, Under development for MIT reference implementation Unix, Mac OS, I. Cervesato: Breaking and Fixing Public-Key Kerberos 7

Two Modes No more key k C shared between C and KAS Credentials for C encrypted under a temporary key k How to generate and deliver k? Public-key encryption k is generated by KAS k encrypted under C s public key and signed by KAS Attack is against this mode Diffie-Hellman k is derived from DH exchange between C and KAS C and KAS each send signed data contributing to DH key Option for reuse of the shared secret Not widely implemented CableLabs appears to be only implementation of DH mode Initial inspection did not turn up attacks against this mode I. Cervesato: Breaking and Fixing Public-Key Kerberos 8

PKINIT in PKE-mode TGT = {AK,C} kt ST = {SK,C} ks C KAS T S Cert C, [t C, n 2 ] skc, C, T, n 1 {{Cert K, [k, n 2 ] skk }} pkc, C, TGT, {AK,n 1,T} k TGT, {C,t} AK, C, S, n 2 C, ST, {SK,n 2,S} AK ST, {C,t } SK {t } SK {m} k : shared-key encryption {{m}} pk : public-key encryption [m] sk : digital signature I. Cervesato: Breaking and Fixing Public-Key Kerberos 9

Outline Kerberos 5 PKINIT Breaking PKINIT Fixing PKINIT Developments I. Cervesato: Breaking and Fixing Public-Key Kerberos 10

The Attack TGT = {AK, I} kt C I KAS Cert C, [t C, n 2 ] skc, C, T, n 1 Cert I, [t C, n 2 ] ski, C, T, n 1 {{Cert K, [k, n 2 ] skk }} pki, I, TGT, {AK,n 1,T} k {{Cert K, [k, n 2 ] skk }} pkc, C, TGT, {AK,n 1,T} k Failure of authentication C believes to be talking to KAS, is talking to I instead Failure of confidentiality I knows AK (and k) C believes KAS produced AK and k just for her I. Cervesato: Breaking and Fixing Public-Key Kerberos 11

After the First Round I repeats attack on follow up exchanges Monitors communications Learns keys in replies I impersonates servers Forge reply messages T, S not involved C I KAS T S C I KAS T S Mixed strategy C I KAS T S I. Cervesato: Breaking and Fixing Public-Key Kerberos 12

Notes about this Attack This is a deterministic attack Conducted at symbolic Dolev-Yao level Man-in-the-middle attack I must be a legal user Otherwise, KAS would not talk to him C is authenticated to S as I (not as C) I does not trick S to believe he is C I can observe all communications between C and S I can pretend to be S to C DH mode appears to avoid this attack Still need to formally prove security for DH I. Cervesato: Breaking and Fixing Public-Key Kerberos 13

Outline Kerberos 5 PKINIT Breaking PKINIT Fixing PKINIT Developments I. Cervesato: Breaking and Fixing Public-Key Kerberos 14

What Went Wrong? C cannot tell the reply was not for her {{Cert K, [k, n 2 ] skk }} pki, I, {AK, I} kt, {AK,n 1,T} k Can be tempered with Opaque to C (TGT) Misbinding of request and reply I can Tamper with signature in request Tamper with encryption in reply I. Cervesato: Breaking and Fixing Public-Key Kerberos 15

A Familiar Attack Tampering with signatures 1992: Signature-based variant of StS [Diffie, van Oorschot,Wiener] 2003: basic authenticated DH mode in IKE [Canetti, Krawczyk] Tampering with encryption 1996: Needham-Schroeder public key protocol [Lowe] Tampering with both 1995: SPLICE/AS [Hwang, Chen] [Clark, Jacob] Our attack is the first instance in a widely deployed real-world protocol I. Cervesato: Breaking and Fixing Public-Key Kerberos 16

Desired Authentication Property If a client C processes a message containing KASgenerated public-key credentials, then the KAS produced such credentials for C The attack shows this property does not hold in PKINIT-00/-26 What are the necessary conditions for the property to hold? I. Cervesato: Breaking and Fixing Public-Key Kerberos 17

C KAS General Fix Cert C, [t C, n 2 ] skc, C, T, n 1 {{Cert K, [k, F(C,n i )] skk }} pkc, C, TGT, {AK,n 1,T} k Sign data identifying client The KAS signs k, F(C, n i ) Either n 1 or n 2 (or both) Assume F(C, n) = F(C, n ) implies C = C and n = n We have formally proved that this guarantees authentication n 2 is redundant Further questions Does cname/crealm uniquely identify client? Added secrecy properties if F(C, n i ) identifies pkc? I. Cervesato: Breaking and Fixing Public-Key Kerberos 18

C KAS Initial Proposal Cert C, [t C, n 2 ] skc, C, T, n 1 {{Cert K, [k, C, n 2 ] skk }} pkc, C, TGT, {AK,n 1,T} k F(C,n i ) = C,n 2 Traditional approach I. Cervesato: Breaking and Fixing Public-Key Kerberos 19

Fix Adopted by Kerberos WG F(C,n i ) = Keyed hash of request C KAS Cert C, [t C, n 2 ] skc, C, T, n 1 {{Cert K, [k, cksum] skk }} pkc, C, TGT, {AK,n 1,T} k cksum = H k (Cert C, [t C, n 2 ] skc, C, T, n 1 ) E.g., H = hmac-sha1-96-aes128 Why?? Easier to implement than signing k, C, n 2 Included in PKINIT-27 Formal assumptions H is preimage resistant KAS s signature key is secret I. Cervesato: Breaking and Fixing Public-Key Kerberos 20

Outline Kerberos 5 PKINIT Breaking PKINIT Fixing PKINIT Developments I. Cervesato: Breaking and Fixing Public-Key Kerberos 21

Timeline Early May 05: Top Kerb. WG members notified Request to hold off full disclosure Late May: fixes proposed June: Microsoft reproduces attack Hold off any disclosure July: Kerberos WG notified July: IETF adopts fix July: PKINIT-27 incorporates it Aug.: Attack reported in MS Security Bullettin Oct.: Patch available for Heimdal (Linux) I. Cervesato: Breaking and Fixing Public-Key Kerberos 22

Real-World Impact Design vulnerability on widely deployed protocol Immediate responses IETF fix to specification Microsoft patch http://www.microsoft.com/technet/security/bulletin/ms05-042.mspx Linux patch CERT entry http://www.kb.cert.org/vuls/id/477341 Request to IETF developers to seek formal validation of protocols I. Cervesato: Breaking and Fixing Public-Key Kerberos 23

Interactions with IETF Close collaboration with IETF Kerberos WG Discussed possible fixes we were considering Attack announced on WG list in July We verified a fix the WG suggested This was incorporated into PKINIT-27 Presented this work at IETF-63 Discussed possible fixes and our analysis of these Useful discussions with WG participants on other areas for work Now regular participants at IETF / krb-wg meetings Impact of formal methods in IETF security area At security-area level, they want to see more interaction with formal methods I. Cervesato: Breaking and Fixing Public-Key Kerberos 24

Conclusions Extended formalization of Kerberos 5 to PKINIT Serious attack against public-key encryption mode in PKINIT-00/-26 Protocol-level attack with real-world effects General fix defending against this Close collaboration with IETF WG Discussion and analysis of possible fixes We ve analyzed the fix employed in PKINIT-27 I. Cervesato: Breaking and Fixing Public-Key Kerberos 25

Future Work Fully analyze and verify PKINIT Computational proofs E.g., signature strength Look at DH mode Other parts of Kerberos suite Password changing subprotocol Continue interactions with WG Timed analysis I. Cervesato: Breaking and Fixing Public-Key Kerberos 26

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback