a formal analysis of some properties of kerberos 5 using
play

A Formal Analysis of Some Properties of Kerberos 5 Using MSR - PowerPoint PPT Presentation

Jan 23, 2024 •210 likes •474 views

A Formal Analysis of Some Properties of Kerberos 5 Using MSR Frederick Butler, Iliano Cervesato, Aaron D. Jaggard, and Andre Scedrov Project Goals Give precise statement and formal analysis of a real world protocol Find a real world

  1. A Formal Analysis of Some Properties of Kerberos 5 Using MSR Frederick Butler, Iliano Cervesato, Aaron D. Jaggard, and Andre Scedrov

  2. Project Goals  Give precise statement and formal analysis of a real world protocol • Find a real world protocol – Kerberos 5 • Pick favorite formalization method - MSR  Identify and formalize protocol goals  Give proofs of achieved protocol goals • Gain experience in reasoning with MSR  Note any anomalous behavior • Suggest possible fixes, test these

  3. Related Kerberos Work  Kerberos 4 - Bella & Riccobene • Gurevich’s Abstract State Machine  Bella & Paulson • Inductive approach using theorem prover Isabelle • Proofs of authentication and confidentiality • Incorporated timestamps and temporal checks  Kerberos 5 - Mitchell, Mitchell, & Stern • Analyzed simplified protocol with state exploration tool Mur φ • Attack found, but fixed in full protocol

  4. Related Formal Work  MultiSet Rewriting (MSR) formalism • Lincoln, Mitchell, Scedrov, Durgin, and Cervesato • Extended to Typed MSR by Cervesato  Rank functions • Defined by Schneider • Our proof methods adapted from this idea

  5. Main Results  Formalized Kerberos 5 at different levels of detail • Typed MSR + extensions  Observed anomalous behavior • Recovery from key loss • Some properties of Kerberos 4 do not hold for Kerberos 5  Proofs of properties which do hold here • Methods adapted from Schneider  Interactions with Kerberos working group

  6. Introduction Kerberos Overview Two Views of Kerberos 5 Anomalies Proof Methods

  7. Protocol Goals and History  Protocol goals • Repeatedly authenticate a client to multiple servers • Minimize use of client’s long term key(s) • Does not guard against DOS attacks  Kerberos 4 - 1989  Kerberos 5 • Specified in RFC 1510 (1993) • Subsequent revisions by working group  A real world protocol • Windows 2000 (RFC 1510 + extensions) • User login, file access, printing, etc.

  8. Kerberos 5  Client C wants ticket for end server S • Tickets are encrypted – unreadable by C  C first obtains long term (e.g., 1 day) ticket from a Kerberos Authentication Server K • Makes use of C’s long term key  C then obtains short term (e.g., 5 min.) ticket from a Ticket Granting Server T • Based on long term ticket from K • C sends this ticket to S

  9. Protocol Messages Please give me ticket for T C K Ticket for C to give to T C K Ticket from K, one for S? C T Ticket for C to give to S C T Ticket from T C S Confirmation (optional) C S

  10. Introduction Kerberos Overview Two Views of Kerberos 5 Anomalies Proof Methods

  11. Abstract Formalization  Contains core protocol • Other formalization refines this one  Exhibits an anomaly • This appears to be structural and not due to omitted detail  Allows us to prove authentication results

  12. Messages in Abstract Level C,T,n 1 C K C,{k CT ,C} kT , {k CT ,n 1 ,T} kC C K {k CT ,C} kT ,{C} kCT ,C,S,n 2 C T C,{k CS ,C} kS ,{k CS ,n 2 ,S} kCT C T {k CS ,C} kS ,{C,t} kCS C S {t} kCS C S

  13. Detailed Formalization  Uses richer message structure • Adds some fields for options – E.g., anonymous tickets • Models encryption type • Adds checksums  Exhibits anomalies • Encryption type option specific to this level • Structural anomaly also seen at abstract level – Also variations which use added detail

  14. Messages in Detailed Level KOpts,C,T,n 1 ,e 1 C K C,{Tflags,k CT ,C} kT , {k CT ,n 1 ,Tflags,T} e 1 ’ kC C K {Tflags,k CT ,C} kT ,{C,MD,t} kCT ,Topts,C,S,n 2 ,e 2 C T C,{Sflags,k CS ,C} kS ,{k CS ,n 2 , Sflags,S} e 2 ’ kCT C T SOpts,{Sflags,k CS ,C} kS ,{C,MD’,t’} kCS C S [{t’} e ] kCS C S KRB_ERROR,[-|t|t’],t err ,ErrCode,C,(K|T|S) C K|T|S

  15. Introduction Kerberos Overview Two Views of Kerberos 5 Anomalies Proof Methods

  16. Encryption Type Anomaly  Kerberos 5 allows C to specify encryption types that she wants used in K’s response Please give me ticket for T using C K etype (sent unencrypted) Ticket for C to give to T (other C K info encrypted using etype)  C’s key associated with the etype e bad is k bad • Intruder I learns k bad • C knows this and attempts to avoid e bad /k bad • I can still force k bad to be used • How to recover from a lost key

  17. Ticket Anomaly Ticket for C to give to T C K  Kerberos 4: • Ticket is enclosed in another encryption {Ticket, Other data} kC  Kerberos 5: • Ticket is separate from other encryption Ticket, {Other data} kC

  18. Ticket Anomaly  T grants the client C a ticket for S  C has never sent a proper request for a ticket • C never has the ticket for T • C thinks she has sent a proper request • C’s view of the world is inaccurate • Some properties of Kerberos 4 don’t hold here  Seen in both formalizations • Variations possible using added detail – Anonymous tickets  Still can authenticate origin of data

  19. Comments from Kerberos Designers  Generally positive response • Methods helpful • Encouraged to pursue further • Should look at protocol extensions  Anomalies • These scenarios can occur • Practical concern unclear • Anonymous ticket variation of interest – Status of this option may change – Good to highlight possible concerns here

  20. Introduction Kerberos Overview Two Views of Kerberos 5 Anomalies Proof Methods

  21. Rank and Corank  Inspired by work of Schneider  Define functions on MSR facts • k-Rank – encryptions by k – Data origin authentication • E-Corank – level of protection by keys in E – Secrecy  Proofs • State desired property • Find applicable (co)rank functions • Determine effect of MSR rules on these functions

  22. An Authentication Theorem  If T processes the message {k CT ,C} kT ,{C} kCT ,C,S,n 2 then some K sent the message C,{k CT ,C} kT , {k CT ,n 1 ,T} kC and C sent some message X,{C} kCT ,C,S’,n’ 2  Authenticate data origin using rank • Show ticket {k CT ,C} kT originates with some K • Show authenticator {C} kCT originates with C – This makes use of a corank argument for confidentiality  In Kerberos 4, C must have sent the ticket and not the generic X (Bella & Paulson)

  23. A Second Authentication Theorem  If S processes the message {k CS ,C} kS ,{C,t} kCS then some T sent the message C,{k CS ,C} kS , {k CS ,n 2 ,S} kCT and C sent some message X,{C,t} kCS

  24. Conclusions  Formalizations of Kerberos 5 at different levels of detail • Used MSR + extensions • MSR can handle real world protocols  Anomalous behavior • Stated weakened authentication properties which hold for Kerberos 5  Proofs of properties which hold here • Adapted methods from Schneider • Gained additional experience in reasoning with MSR  Interactions with Kerberos designers

  25. Future Work  Investigate fixes for anomalies  Look at additional properties • Further authentication, confidentiality • Defense against replay attacks  Continue interaction with Kerberos designers  Give additional formalizations • Additional structure and functionality • Public key extensions  Explore use of automated tools

Recommend

AFS and Kerberos 5 Ken Hornstein Naval Research Laboratory Kerberos Use in AFS, old school

AFS and Kerberos 5 Ken Hornstein Naval Research Laboratory Kerberos Use in AFS, old school

AFS and Kerberos 5 Ken Hornstein Naval Research Laboratory Kerberos Use in AFS, old school Kerberos implementation based on V4 protocol. Client-server transport uses RX. Raw Kerberos binary ticket placed in credential cache

251 views • 11 slides
Introduction to Formal Analysis Mark Greenstreet CpSc 513 Term 1, 2015/16 Formal

Introduction to Formal Analysis Mark Greenstreet CpSc 513 Term 1, 2015/16 Formal

Introduction to Formal Analysis Mark Greenstreet CpSc 513 Term 1, 2015/16 Formal verification uses algorithms to rigorously prove properties of hardware or software design. 20 years ago, we had the FDIV bug: 42.0 / 7.0 = 8.0 Formal

576 views • 6 slides
Grammar formalisms Tree Adjoining Grammar: Formal Properties, Part I Parsing Formal Properties

Grammar formalisms Tree Adjoining Grammar: Formal Properties, Part I Parsing Formal Properties

Some sample languages Pumping Lemma for TAL Closure Properties Grammar formalisms Tree Adjoining Grammar: Formal Properties, Part I Parsing Formal Properties of TAG Laura Kallmeyer, Timm Lichte, Wolfgang Maier Universit at T ubingen

260 views • 14 slides
Connecting Web and Kerberos SSO Connecting Web and Kerberos SSO Rok Pape ARNES

Connecting Web and Kerberos SSO Connecting Web and Kerberos SSO Rok Pape ARNES

Akademska in raziskovalna mrea Slovenije Connecting Web and Kerberos SSO Connecting Web and Kerberos SSO Rok Pape ARNES aaa-podpora@arnes.si Cork Institute of Technology Cork, Ireland, 19.5.2009 Kerberos Kerberos Akademska in

353 views • 16 slides
Optimality Properties of Planning via Petri Net Unfolding: A Formal Analysis Sebastian Sardina

Optimality Properties of Planning via Petri Net Unfolding: A Formal Analysis Sebastian Sardina

Optimality Properties of Planning via Petri Net Unfolding: A Formal Analysis Sebastian Sardina and Sarah Hickmott RMIT University Australia ICAPS 2009 1 / 18 Planning via Directed Unfolding 1. Forward search partial order planning STRIPS,

802 views • 25 slides
Specifying Kerberos 5 Cross-Realm Authentication Chris Walstad Joint work with Iliano Cervesato,

Specifying Kerberos 5 Cross-Realm Authentication Chris Walstad Joint work with Iliano Cervesato,

Specifying Kerberos 5 Cross-Realm Authentication Chris Walstad Joint work with Iliano Cervesato, Aaron D. Jaggard, Andre Scedrov Supported by ONR, NSF, NRL Overview Introduction Kerberos 5 Formalization Properties

454 views • 24 slides
A Basic Introduction to Kerberos Ken Hornstein NRL Kerberos Introduction A network protocol

A Basic Introduction to Kerberos Ken Hornstein NRL Kerberos Introduction A network protocol

A Basic Introduction to Kerberos Ken Hornstein NRL Kerberos Introduction A network protocol developed at MIT as part of Project Athena. Is a shared-secret, trusted third party authentication system. Uses encryption to provide

280 views • 8 slides
Update on Kerberos Extensibility draft-yu-krb-wg-kerberos-extensions-02.txt Tom Yu IETF 61

Update on Kerberos Extensibility draft-yu-krb-wg-kerberos-extensions-02.txt Tom Yu IETF 61

Update on Kerberos Extensibility draft-yu-krb-wg-kerberos-extensions-02.txt Tom Yu IETF 61 Kerberos Extensibility Document Status Notational Conventions Future Plans 1 Document Status Updates from -00 Update I-D boilerplate

407 views • 7 slides
OTP Kerberos Kerberos Working Group IETF, Montreal July 2006 WORKING DRAFT: 30 June 2006

OTP Kerberos Kerberos Working Group IETF, Montreal July 2006 WORKING DRAFT: 30 June 2006

OTP Kerberos Kerberos Working Group IETF, Montreal July 2006 WORKING DRAFT: 30 June 2006 Background Proposal is to define extensions to Kerberos V5 (rfc4120) to support pre-authentication using an OTP Three main aims: Allow an OTP

180 views • 14 slides
Kerberos V4 Slide 1 Kerberos network authentication using Needham-Schroeder insecure

Kerberos V4 Slide 1 Kerberos network authentication using Needham-Schroeder insecure

Kerberos4 1 Kerberos V4 Slide 1 Kerberos network authentication using Needham-Schroeder insecure network: listen, modify secret key login session : from login to logout Version 5: more complex, not just TCP/IP, greater

98 views • 7 slides
Kerberos https://web.mit.edu/kerberos/ https://tools.ietf.org/html/rfc4120 slide 1 Many-to-Many

Kerberos https://web.mit.edu/kerberos/ https://tools.ietf.org/html/rfc4120 slide 1 Many-to-Many

Kerberos https://web.mit.edu/kerberos/ https://tools.ietf.org/html/rfc4120 slide 1 Many-to-Many Authentication ? Servers Users How do users prove their identities when requesting services from machines on the network? Nave solution:

359 views • 10 slides
Kerberos for Distributed Systems Security Cunsheng Ding HKUST, Hong Kong, CHINA C. Ding

Kerberos for Distributed Systems Security Cunsheng Ding HKUST, Hong Kong, CHINA C. Ding

Kerberos for Distributed Systems Security Cunsheng Ding HKUST, Hong Kong, CHINA C. Ding COMP4631 L16 1 Agenda Distributed system security Introduction to Kerberos V4 Kerberos Realms Authentication with Kerberos in Windows NT 5

751 views • 30 slides
Kerberos & X.509 11

Kerberos & X.509 11

Kerberos & X.509 11 Network Security, Principles and Practice,2nd Ed. :

767 views • 51 slides
Testing/Simulation Formal Analysis Real System Formal Model Partial coverage Complete coverage

Testing/Simulation Formal Analysis Real System Formal Model Partial coverage Complete coverage

Formal Methods Assurance for TTP John Rushby Computer Science Laboratory SRI International Menlo Park CA USA John Rushby, SR I Formal Methods Assurance for TTP: 1 Formal Methods for Analysis and Assurance: The Idea Testing/Simulation Formal

200 views • 6 slides
Lecture 7: Formal Methods for Analysis Technique situation situation consequences Analysis

Lecture 7: Formal Methods for Analysis Technique situation situation consequences Analysis

Topic Area Requirements Engineering: Content (A Selection of) Analysis Techniques Introduction VL 6 Softwaretechnik / Software-Engineering Requirements Specification Desired Properties Focus Kinds of Requirements current

237 views • 10 slides
Tutorial Intro. to Modern Formal Methods: Mechanized Formal Analysis Using Model Checking,

Tutorial Intro. to Modern Formal Methods: Mechanized Formal Analysis Using Model Checking,

Tutorial Intro. to Modern Formal Methods: Mechanized Formal Analysis Using Model Checking, Theorem Proving SMT Solving, Abstraction, and Static Analysis With SAL, PVS, and Yices, and more John Rushby Computer Science Laboratory SRI

1.89k views • 161 slides
Formal Analysis of Correctness of a Strategy for the KRK Chess Endgame Fifth Workshop on Formal

Formal Analysis of Correctness of a Strategy for the KRK Chess Endgame Fifth Workshop on Formal

Formal Analysis of Correctness of a Strategy for the KRK Chess Endgame Fifth Workshop on Formal and Automated Theorem Proving and Applications. Belgrade, February 3-4, 2012. Marko Malikovi Mirko ubrilo Predrag Janii Faculty of Humanities

406 views • 27 slides
Specifying circuit properties in PSL Formal methods Mathematical and logical methods used in

Specifying circuit properties in PSL Formal methods Mathematical and logical methods used in

Specifying circuit properties in PSL Formal methods Mathematical and logical methods used in system development Aim to increase confidence in riktighet of system Apply to both hardware and software 1 Formal methods Complement other

524 views • 25 slides
Kerberos for Distributed Systems Security Cunsheng Ding HKUST, Hong Kong, CHINA C. Ding - L17

Kerberos for Distributed Systems Security Cunsheng Ding HKUST, Hong Kong, CHINA C. Ding - L17

Kerberos for Distributed Systems Security Cunsheng Ding HKUST, Hong Kong, CHINA C. Ding - L17 1 Agenda Distributed system security Introduction to Kerberos Kerberos Version 4 Authentication Protocol Authentication with Kerberos

494 views • 28 slides
Formal Analysis of Electronic Voting Systems Mark Ryan University of Birmingham joint work with

Formal Analysis of Electronic Voting Systems Mark Ryan University of Birmingham joint work with

Formal Analysis of Electronic Voting Systems Mark Ryan University of Birmingham joint work with Ben Smyth Steve Kremer Imperial College 21 April 2010 Outline Potential & current situation 1 Desired properties 2 Example 3 Modelling

958 views • 60 slides
Modelling, Specification and Formal Analysis of Complex Software Systems Precise Static Analysis

Modelling, Specification and Formal Analysis of Complex Software Systems Precise Static Analysis

Modelling, Specification and Formal Analysis of Complex Software Systems Precise Static Analysis of Programs with Dynamic Memory Mihaela Sighireanu IRIF, University Paris Diderot & CNRS VTSA 2015 1 / 149 Outline Introduction 1 Formal

861 views • 68 slides
Types of Formal Specifications for Assertions Concurrent and Reactive Systems Assertions

Types of Formal Specifications for Assertions Concurrent and Reactive Systems Assertions

Outline Formal specifications CISC422/853: Formal Methods Types of formal specifications: in Software Engineering: assertions invariants Computer-Aided Verification safety and liveness properties How to express safety

226 views • 22 slides
Network Security: Kerberos Guevara Noubir noubir@ccs.neu.edu Network Security Reading

Network Security: Kerberos Guevara Noubir noubir@ccs.neu.edu Network Security Reading

Network Security: Kerberos Guevara Noubir noubir@ccs.neu.edu Network Security Reading assignment: Chapters 13-14 G. Noubir, Network Security Kerberos Outline Kerberos V4 Kerberos V5 G. Noubir, Network Security Kerberos 2 What is

1.16k views • 9 slides
Questioning Kerberos Assumptions Sam Hartman IETF 63 Questioning Kerberos Assumptions

Questioning Kerberos Assumptions Sam Hartman IETF 63 Questioning Kerberos Assumptions

Questioning Kerberos Assumptions Sam Hartman IETF 63 Questioning Kerberos Assumptions Principal Names are not remapped in cross-realm The destination KDC is not involved in cross-realm Privacy of principal names 1 Why Remap

534 views • 19 slides

More recommend