Improved Kerberos Security Protocol Evaluation using Modified BAN Logic

Abdelmajid, N.T., Hossain M.A. School of informatics University of Bradford {ntjabdel, mahossain1}@Bradford.ac.uk

Shepherd, S. School of Engineering University of Bradford [email protected]

Mahmoud, K. Department of Computer m Zarqa Private University [email protected]

Abstract

Online communication offers organizations greater efficiency. However, online processes increase the threat level during message transfer. This requires researchers to develop and improve security protocols in order to enhance the security of communication lines. There are many evaluation tools, such as BAN Logic, to evaluate how secure the messages of authentication protocols are. Despite the evaluation and acceptance of many authentication protocols, online communications remain insecure. We propose three approaches in order to increase the authenticity level. Firstly, we propose to add the user's physical location as a new authentication factor into the Kerberos protocol and call it the N-Kerberos protocol. Secondly, we propose a new BAN logic based evaluation tool (N-BAN) to evaluate the N-Kerberos protocol. Finally, we validate the new form of Kerberos (N-Kerberos) using the new form of BAN (N-BAN) logic.

1. Introduction

Online systems provide an opportunity for hackers and thieves to carry out their malicious works. To overcome this problem, security specialists have devised many encryption codes, such as RSA, DES or MD5. Although RSA is one of the most powerful encryption codes, certain security protocols that use RSA remain open to attack [1, 2, 3, 4, 5]. Therefore, most people do not feel that online communication is a secure environment. It is therefore clear that there is an essential need to evaluate security protocols. Burrows, Abadi and Needham produced a formal logic of authentication called BAN logic in 1989 to evaluate security protocols [6], which offers a formal testing structure for security protocols. Upon being subjected to BAN logic, many flaws have been found in different protocols such as Needham-Schroeder and CCITT X.509 [7]. Kerberos is one of the most common key distribution protocols and has a full BAN guarantee [8]. Even though Lowe [9] concluded that Kerberos is the strongest form of authentication, Kasslin and Tikkanen [10] proved that in some cases Kerberos suffers from replay attack.

This paper presents three contributions. Firstly, our improvement to the Kerberos protocol, which we call N-Kerberos, adds the user's position co-ordinates to the authentication process. Secondly, we present the new model of BAN (N-BAN), which requires the user's position address to be present in the message. Finally, we validate N-Kerberos using N-BAN.

The remainder of this paper is set up as follows. A brief description of BAN Logic is given in section two. The Needham-Schroeder and Kerberos protocols are presented in section three. Section four discusses the drawbacks faced by both protocols when subjected to BAN logic. In section five, we introduce the modification of the Kerberos protocol. In section six, we show the modification of BAN logic. In section seven, we validate the new form of Kerberos (N-Kerberos). Finally, our conclusion and future work are discussed in the last section.

2. Brief Description of BAN Logic

A formal logic model called BAN Logic was produced by M. Burrows, M. Abadi and R. Needham. BAN Logic helps the user to verify what is reasonable to be believed [11]. BAN consists of three main steps to analyze any protocol [2]. First, explore the initial assumptions from the protocol statements, and translate them to symbolic notation. For this purpose, BAN uses different logical constructs as shown in Figure 1. Second, verify the goal. Third, a group of rules is applied to acquire the goal.

• $A \mid\equiv S$ : A believes S (i.e. may act as if S is true)
• $A \triangleleft X$ : A has received a message X
• $A \mid\sim X$ : A once said X; A sent a message X
• $S \Rightarrow A$ : S has jurisdiction over A (S has authority on A)
• $\#(X)$ : X is fresh
• $A \stackrel{K}{\longleftrightarrow} B$ : K is a shared key between A and B
• $\{X\}_K$ : Message X is encrypted by the key K

Figure 1. BAN logical constructs

Constructs are used to build a series of logical postulates that consist of two parts; the numerator part is the condition and the denominator part is the result. For example:

Postulate 1:

$$\frac{A \mid\equiv B \stackrel{K}{\longleftrightarrow} A,\quad A \triangleleft \{X\}_K}{A \mid\equiv B \mid\sim X}$$

This is called the message-meaning rule. It means that if A treats K as a shared key which is only known by A and B, and A receives a message (X) encrypted by this key, then A would be sure that this message has been sent by B.

Postulate 2:

$$\frac{A \mid\equiv \#(X)}{A \mid\equiv \#(X, Y)}$$

This is known as the part-of-the-message rule. This formula proves that if A believes that any part of the message was recently sent, then A would believe that all parts of the message were recently sent. It avoids being confused by replays.

Postulate 3:

$$\frac{A \mid\equiv \#(X),\quad A \mid\equiv B \mid\sim X}{A \mid\equiv B \mid\equiv X}$$

This is called the nonce-verification rule. This verification postulate proves that A believes what B believes; if A believes that X was recently sent and believes that B is the sender of X, then A would believe that B believes X.

Postulate 4:

$$\frac{A \mid\equiv B \mid\equiv (X, Y),\quad A \mid\equiv B \Rightarrow (X)}{A \mid\equiv X}$$

This postulate is called the jurisdiction rule; if A believes that B believes the message (X, Y), and A also believes that B has jurisdiction over any part of the message (X), then A is willing to believe X.

BAN logic is based on two main points: the security level of the password and the freshness of the message. BAN has many steps to go through in order to upgrade from A receives X by B to A believes B, as follows:

• Upgrade 1: it is to upgrade from A sees X to A believes that B said X. Postulate 1 mentioned above would perform this [6].
• Upgrade 2: it is from A believes that B said X to A believes that B believes X. To reach this, we need to combine postulate 2 with the result of upgrade 1, which is postulate 3 mentioned above [6].
• Upgrade 3: this upgrade is the final step; it is to upgrade from A believes that B believes X to A believes X. To achieve this, postulate 4 mentioned above has to be performed.

In the next section we will give details of the Needham-Schroeder and Kerberos protocols and identify the problems faced by them when subjected to BAN logic.

3. Authentication Protocols

Security specialists have created many security protocols. Their main aim is to establish a secure channel for clients to communicate. In this section we introduce the Needham-Schroeder (section 3.1) and Kerberos (section 3.2) protocols.

3.1 Needham Schroeder protocol

In 1978, Needham and Schroeder built a distributed authentication protocol [6]. The Needham and Schroeder protocol consists of five messages as shown in figure 2.

1: $A \to S : A, B, N_a$
2: $S \to A : \{N_a, B, K_{ab}, \{K_{ab}, A\}_{K_{bs}}\}_{K_{as}}$
3: $A \to B : \{K_{ab}, A\}_{K_{bs}}$
4: $B \to A : \{N_b\}_{K_{ab}}$
5: $A \to B : \{N_b - 1\}_{K_{ab}}$

Figure 2. Needham-Schroeder protocol

Message 1: A reads the clock, obtaining the current time Na, and sends (A, B, Na) to S. Then, S sends A message 2. According to postulate 1, since A believes "Kas" is a key known only by A and S, and A sees message 2 encrypted by "Kas", A concludes that S actually said message 2. According to postulate 2, since the clocks are synchronized, we can assume that S believes message 1 is fresh or recently sent. According to postulate 3, since A believes that S said message 2 and A also believes that message 2 is fresh, A believes that S actually believes all parts of message 2. According to postulate 4, since A believes that S believes message 2 and A also believes that S has jurisdiction over Kab, A would believe Kab. A then forwards message 3 to B. Message 3 is encrypted by Kbs, which is only known by B and S. B can decrypt message 3 and obtain the key Kab to start communicating with A by messages 4 and 5. In messages 4 and 5, participants A and B use nonces and the encryption key to ensure that they are corresponding with each other.

As mentioned in postulate 3, two compulsory conditions have to exist in the message for it to be secure. Message 3 is encrypted by a private key, which achieves the first condition. However, the second condition cannot be realized, because there is nothing to prove that the message is fresh, such as a nonce or time stamp. The main problem in this protocol is that message 3 is not protected by a nonce.

3.2 Kerberos Protocol

As workstations need to access servers to complete the processes, they are required to be authenticated. Kerberos is designed to authenticate the end-user to the server. To understand how Kerberos works, we divide it into three different steps:

A. Authentication exchange:
• The client requests from the authentication server (AS) a ticket to the ticket-granting server (TGS), as shown in figure 3 (KRB_AS_REQ).
• The AS then looks up the client in its database and generates a session key (SK1) to use between the client and the TGS (SK1C-TGS).
• Kerberos encrypts the SK1 using the client's secret key. The AS also uses the TGS's secret key (KAS-TGS) to create and send the user a ticket-granting ticket (TGT). It is shown as (KRB_AS_REP) in figure 3.

B. Ticket-Granting Service exchange:
• The client decrypts the message and recovers the session key, then uses it to create an authenticator containing the user's name and a time stamp.
• The client then sends this authenticator, along with the TGT, to the TGS, requesting access to the target server (KRB_TGS_REQ).
• The TGS decrypts the TGT, and then uses the SK1 inside the TGT to decrypt the authenticator. It verifies information in the authenticator, the ticket and the time stamp. If all of these match then it allows the request to proceed.
• Then the TGS creates a new session key (SK2) for the client and application server (AP) to use, then encrypts it using SK1 and sends it to the client.
• The TGS also sends a new ticket containing the client's name, a time stamp and an expiration time for the ticket (KRB_TGS_REP), all encrypted with the AP's secret key (KTGS-AP).

C. Client/server exchange:
• The client decrypts the message and gets the SK2.
• Finally ready to approach the AP, the client creates a new authenticator encrypted with SK2.
• The client sends the session ticket (already encrypted with the AP's secret key) and the encrypted authenticator. Since the authenticator contains plain text encrypted with SK2, this proves that the client knows the key (KRB_AP_REQ).
• The AP decrypts and checks the ticket, the authenticator and the time stamp.

Figure 3. Kerberos 5 authentication messages. (The figure shows the Client, the KDC with its Authentication Server and Ticket Granting Server, and the Application Server, exchanging the messages 1. KRB_AS_REQ, 2. KRB_AS_REP, 3. KRB_TGS_REQ, 4. KRB_TGS_REP, 5. KRB_AP_REQ and 6. KRB_AP_REP.)

In Figure 3, we refer to the AS and TGS as the Key Distribution Center (KDC). Figure 4 shows the messages of Kerberos, where we refer to the KDC as S and the AP as B. The difference between message 2 in Kerberos and message 2 in Needham-Schroeder is the addition of Ns. This will assist B to verify the freshness of message 3. Detailed analysis of Kerberos is available in [12, 13, 14, 15].

1: $A \to S : A, B$
2: $S \to A : \{N_a, B, K_{ab}, \{N_s, K_{ab}, A\}_{K_{bs}}\}_{K_{as}}$
3: $A \to B : \{N_s, A, K_{ab}\}_{K_{bs}}, \{N_a, A\}_{K_{ab}}$
4: $B \to A : \{N_b + 1\}_{K_{ab}}$

Figure 4. Kerberos protocol

Although Kerberos has a full BAN guarantee [8] and is trusted by many authors [16, 17], a number of weaknesses have been found in its messages by [18]. In the next section, we discuss a number of weaknesses and limitations in Kerberos.

4. Attack in Kerberos

Some of the Kerberos problems are reported in [19]. In this section, we demonstrate a replay attack problem. It is a form of network attack in which a valid data transmission is maliciously or fraudulently repeated or delayed.

Kerberos has many mechanisms aimed at making replay attacks difficult. The first is that authenticators rely on machines' clocks being roughly synchronized. In some cases, synchronization protocols are unauthenticated [20, 21]. In addition, when a server is misled about the correct time, an attacker can easily replay the authenticator. Moreover, the attacker might be able to mount the attack within the configured time. Furthermore, if the time is configured to be too small, the client will face problems in time synchronization.

As another mechanism to guard against reuse, the server should use a cache to store used authenticators. This cache should hold all authenticators used within the allowable time skew. A server will reject all authenticators it has already seen [22]. A Kerberos modification was made to store keys in shared memory. However, this area could be attacked. The authenticator key returned by the TGS is stored in an accessible area. Therefore, the intruder can crack the local computer protection and steal the key. On the other hand, it is very difficult for TCP-based servers to store authenticators in a UNIX system [23]. Moreover, there is a problem when the client retransmits its request if the answer was lost [24].

The third Kerberos mechanism to stop replay attacks is that the ticket inside KRB_AP_REQ should include the network address of the client. Unfortunately, the network address is under full control of the attacker [25].

Many protocols are used in a Microsoft Windows domain; SMB (Server Message Block) and LDAPv3 (Lightweight Directory Access Protocol) are examples of such protocols. The SMB and LDAPv3 protocols may be attacked by replay attack, password attack against the TGT or preauthentication data, and attack against message delivery time. In some cases, the server will accept the replayed message sent by the attacker, allowing him full access to the service with the victim's credentials [10].

We have to say that we are not suggesting that Kerberos is ineffective. To stop replay attacks, the server needs to be configured correctly by using integrity protection. However, such implementation is not easy and is not without its costs. For details of Kerberos configuration see [26].
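The interaction between the skew window, the authenticator cache and a server clock that has been set back can be seen in the following added example, which is not code from the paper or from any Kerberos implementation. The 300-second window, the `monotonic` guard and the sample authenticator bytes are assumptions made for the illustration.

```python
import hashlib


class ReplayCache:
    """Authenticator cache covering the allowable clock skew."""

    def __init__(self, max_skew=300.0, monotonic=True):
        self.max_skew = max_skew         # seconds; 300 is an assumed value
        self.monotonic = monotonic       # hypothetical guard against clock rollback
        self.seen = {}                   # sha256(authenticator) -> its timestamp
        self.high_water = float("-inf")  # latest server time observed so far

    def check(self, authenticator: bytes, timestamp: float, now: float) -> str:
        self.high_water = max(self.high_water, now)
        # Reference time for eviction: with the guard on, it never moves back.
        ref = self.high_water if self.monotonic else now
        # Freshness: the timestamp must lie inside the skew window.
        if abs(now - timestamp) > self.max_skew:
            return "stale"
        # Anything older than the oldest entry the cache could still hold is
        # refused, even if the server clock now claims it is fresh.
        if timestamp < ref - self.max_skew:
            return "stale"
        # Entries older than the window can be dropped: a replay of them
        # fails the freshness test as long as the clock can be trusted.
        cutoff = ref - self.max_skew
        self.seen = {d: ts for d, ts in self.seen.items() if ts >= cutoff}
        digest = hashlib.sha256(authenticator).hexdigest()
        if digest in self.seen:
            return "replay"
        self.seen[digest] = timestamp
        return "ok"


def scenario(monotonic):
    """Constructed sequence of requests; times are seconds on the server clock."""
    cache = ReplayCache(max_skew=300.0, monotonic=monotonic)
    first = b"constructed authenticator: alice, t=1000"
    later = b"constructed authenticator: bob, t=1390"
    return [
        cache.check(first, 1000, now=1010),  # first use
        cache.check(first, 1000, now=1020),  # same bytes again, inside the window
        cache.check(first, 1000, now=1400),  # same bytes, outside the window
        cache.check(later, 1390, now=1400),  # unrelated request; evicts `first`
        cache.check(first, 1000, now=1010),  # server clock set back to 1010
    ]


if __name__ == "__main__":
    print("guard on :", scenario(True))
    print("guard off:", scenario(False))
```

With the guard off, the last request is accepted because the entry was evicted and the rolled-back clock makes the old timestamp look fresh, which is the unauthenticated time synchronization problem described above.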

5. N-Kerberos

We propose a modification of Kerberos that we call N-Kerberos. It works by adding the participant's physical position address, determined by a Global Positioning System (GPS) receiver. GPS receivers are not expensive and give an accurate location output [28]. Many authors discuss increasing the security of GPS; these are some of them [26, 28, 29, 30]. GPS, however, is used only outdoors, in the sense that the receiver should have a direct "view" of at least four GPS satellites. It is not easy for any entity in cyberspace to pretend to be in any place other than where its LSS actually is [31]. Therefore, cracking a user's position is very complicated [32]. The Kerberos KDC should include the user's GPS address in the ticket it gives out at all times. An attacker will be forced to spend a maximum amount of time trying to decrypt GPS signals, which will cause problems with time synchronization. Our proposed work requires the server to have a database of a list of legitimate users' position addresses. Figure 5 shows N-Kerberos.

1. $A \to S : A, N_a, B$
2. $S \to A : \{N_s, GPS_b, B, K_{ab}, \{N_s, GPS_a, K_{ab}, A\}_{K_{bs}}\}_{K_{as}}$
3. $A \to B : \{N_s, GPS_a, K_{ab}, A\}_{K_{bs}}, \{A, GPS_a, N_a\}_{K_{ab}}$
4. $B \to A : \{GPS_b, N_a + 1\}_{K_{ab}}$

Figure 5. Kerberos protocol

If the received GPSa does not match the obtained one, or the message does not have the GPSa, an error message is returned. Again, if all succeeds the client will send the ticket and authenticator to the service. Then, the GPSa in the ticket should match the GPSa in the authenticator; otherwise, an error message is returned. In the last message, the service will send both its identity and the client's GPS to the client. Again, the GPS received in message 4 from the service must match the GPS sent by the server in message 2. The client's physical location must be used for the key exchange of the communication. Subsequently, the key can be used from any other place. Clearly, this causes a limitation; however, this modification provides more protection against replay attacks.

6. Modification of BAN Logic (N-BAN)

It has been proven that BAN is a very important and successful method to evaluate communication protocols [13]. Although the three upgrades mentioned in section 2 are successfully performed in the Kerberos protocol, and despite Kerberos having a full guarantee from BAN, Kerberos is still susceptible to attacks as explained above. Thus, BAN logic needs to be improved. We propose a new rule to be added to BAN logic. This rule indicates whether a message has been sent from a legitimate position or not. Our proposal is that the AP has to verify the physical location from which the ticket has been created, as shown in figure 7.

$$\frac{B \mid\equiv S \mid\equiv (X, Y),\quad B \mid\equiv S \Rightarrow (X, Y),\quad B \triangleleft (X)_Y}{B \mid\equiv X,\quad B \mid\equiv Y}$$

Figure 7. Jurisdiction Rule in N-BAN

We propose a new factor for the jurisdiction rule: X in the authenticator should match X in the ticket, where X is the client's GPS, and X in message 4 should match X in message 2, where X is the AP's GPS. The client will receive the ticket by KRB_TGS_REP, which includes the client's GPS. Then, the client will add the authenticator, which includes his GPS encrypted by the session key, and send his request to the AP (KRB_AP_REQ). The AP has to verify where the message is coming from in order to generate KRB_AP_REQ. To do this, the AP will decrypt the authenticator using the session key and compare the two GPSs. When the client receives the response of the AP (KRB_AP_REP), the AP's GPS sent by the TGS should match the AP's GPS sent by the AP. Using the physical location factor as a prime condition to accept the message will help BAN to catch replay attacks. The detailed explanation of the new jurisdiction rule is demonstrated in the next section.
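The position checks of Figure 5 and of the modified jurisdiction rule can be exercised end to end as follows. This is an added example, not code from the paper: the hash-based `seal`/`unseal` pair is a toy stand-in for {X}_K, and the 50 m matching tolerance, the principal names, the nonce values and the coordinates are assumptions (the paper only says the positions must "match").

```python
import hashlib, hmac, json, math, os

TOL_M = 50.0  # assumed matching tolerance in metres; the page only says "match"

def _stream(key, iv, n):
    return b"".join(hashlib.sha256(key + iv + bytes([i])).digest()
                    for i in range(n // 32 + 1))[:n]

def seal(key, obj):
    """Toy {X}_K: hash-counter keystream plus HMAC tag. Not a Kerberos enctype."""
    body = json.dumps(obj).encode()
    iv = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(body, _stream(key, iv, len(body))))
    return iv + ct + hmac.new(key, iv + ct, hashlib.sha256).digest()

def unseal(key, blob):
    iv, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, iv + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or modified message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _stream(key, iv, len(ct)))))

def metres(p, q):
    """Haversine distance between two [lat, lon] positions given in degrees."""
    la1, lo1 = map(math.radians, p)
    la2, lo2 = map(math.radians, q)
    h = math.sin((la2 - la1) / 2) ** 2 + \
        math.cos(la1) * math.cos(la2) * math.sin((lo2 - lo1) / 2) ** 2
    return 2 * 6371000 * math.asin(math.sqrt(h))

def kdc_message2(k_as, k_bs, a, b, n_s, positions):
    """S -> A: {N_s, GPS_b, B, K_ab, {N_s, GPS_a, K_ab, A}K_bs}K_as"""
    k_ab = os.urandom(32).hex()
    ticket = seal(k_bs, {"Ns": n_s, "GPSa": positions[a], "Kab": k_ab, "A": a})
    return seal(k_as, {"Ns": n_s, "GPSb": positions[b], "B": b,
                       "Kab": k_ab, "ticket": ticket.hex()})

def client_message3(k_as, msg2, a, n_a, gps_here):
    """A -> B: ticket, {A, GPS_a, N_a}K_ab; GPS_a is read from A's receiver."""
    m2 = unseal(k_as, msg2)
    auth = seal(bytes.fromhex(m2["Kab"]), {"A": a, "GPSa": gps_here, "Na": n_a})
    return m2, bytes.fromhex(m2["ticket"]), auth

def ap_message4(k_bs, ticket, auth, gps_b):
    """B checks ticket against authenticator, then answers {GPS_b, N_a + 1}K_ab."""
    t = unseal(k_bs, ticket)
    k_ab = bytes.fromhex(t["Kab"])
    au = unseal(k_ab, auth)
    if au.get("A") != t.get("A"):
        raise ValueError("principal mismatch")
    if "GPSa" not in t or "GPSa" not in au:
        raise ValueError("GPSa missing")
    if metres(t["GPSa"], au["GPSa"]) > TOL_M:
        raise ValueError("GPSa mismatch")
    return seal(k_ab, {"GPSb": gps_b, "Na": au["Na"] + 1})

def client_accepts(m2, msg4, n_a):
    """A compares GPS_b from message 4 with GPS_b from message 2."""
    m4 = unseal(bytes.fromhex(m2["Kab"]), msg4)
    return m4["Na"] == n_a + 1 and metres(m2["GPSb"], m4["GPSb"]) <= TOL_M

def run(gps_reported):
    """Constructed run: keys, names and coordinates are sample values."""
    k_as, k_bs = os.urandom(32), os.urandom(32)
    positions = {"alice": [53.7915, -1.7660], "fileserver": [53.7950, -1.7590]}
    msg2 = kdc_message2(k_as, k_bs, "alice", "fileserver", 7001, positions)
    m2, ticket, auth = client_message3(k_as, msg2, "alice", 42, gps_reported)
    try:
        msg4 = ap_message4(k_bs, ticket, auth, positions["fileserver"])
    except ValueError as err:
        return str(err)
    return "accepted" if client_accepts(m2, msg4, 42) else "AP position mismatch"
```

A byte-for-byte copy of message 3 carries both GPS values with it and passes the comparison in `ap_message4`, so the comparison only detects an authenticator built at a position other than the one the KDC recorded. Freshness checking of N_s and an authenticator cache remain necessary alongside it.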

7. Analyzing N-Kerberos using N-BAN

There are three main steps to analyze any security protocol using BAN Logic, as mentioned in section 2. Table 3 shows the first step.

Table 3. Derived Assumptions

Extracted assumptions expressed by logic of belief:

• $S \mid\equiv A \stackrel{K_{as}}{\longleftrightarrow} S$
• $A \mid\equiv A \stackrel{K_{as}}{\longleftrightarrow} S$
• $B \mid\equiv B \stackrel{K_{bs}}{\longleftrightarrow} S$
• $S \mid\equiv B \stackrel{K_{bs}}{\longleftrightarrow} S$
• $S \mid\equiv \#(N_a)$
• $A \mid\equiv \#(N_s)$
• $B \mid\equiv \#(N_a)$
• $A \mid\equiv \#(N_b)$
• $B \mid\equiv \#(N_s)$
• $A \mid\equiv S \Rightarrow GPS_b$
• $A \mid\equiv S \Rightarrow K_{ab}$
• $S \mid\equiv A \Rightarrow GPS_a$
• $S \mid\equiv B \Rightarrow GPS_b$
• $A \mid\equiv S \Rightarrow GPS_a$
• $B \mid\equiv S \Rightarrow K_{ab}$

To achieve a secure conversation, N-BAN requires three main conditions, as opposed to two conditions in BAN, to conclude that the message is secure: time stamp, encrypted key, and the message should have the right user's physical position coordinates. The proof is as follows.

$$\frac{A \mid\equiv A \stackrel{K_{as}}{\longleftrightarrow} S,\quad A \triangleleft \{N_s, GPS_b, K_{ab}, B, \{N_s, GPS_a, K_{ab}, A\}_{K_{bs}}\}_{K_{as}}}{A \mid\equiv S \mid\sim \{N_s, GPS_b, K_{ab}, B, \{N_s, GPS_a, K_{ab}, A\}_{K_{bs}}\}_{K_{as}}} \qquad (1)$$

$$\frac{A \mid\equiv \#(N_s)}{A \mid\equiv \#\{N_s, GPS_b, K_{ab}, B, \{N_s, GPS_a, K_{ab}, A\}_{K_{bs}}\}_{K_{as}}} \qquad (2)$$

$$\frac{(1),\ (2)}{A \mid\equiv S \mid\equiv \{N_s, GPS_b, K_{ab}, B, \{N_s, GPS_a, K_{ab}, A\}_{K_{bs}}\}_{K_{as}}} \qquad (3)$$

$$\frac{(3),\quad A \mid\equiv S \Rightarrow (K_{ab}, GPS_b),\quad A \triangleleft (GPS_b)_{K_{ab}}}{A \mid\equiv K_{ab}} \qquad (4)$$

For the jurisdiction rule to be applied, the ticket is included in message 2, while message 4 will act as the authenticator. This is why we propose that this step takes place following the receipt of message 4.

In message 3, as B is required to believe the session key to access the authenticator, it first needs to believe the ticket. This is how we prove this:

$$\frac{B \mid\equiv \#(N_s)}{B \mid\equiv \#\{N_s, GPS_a, K_{ab}, A\}_{K_{bs}}} \qquad (5)$$

$$\frac{B \mid\equiv B \stackrel{K_{bs}}{\longleftrightarrow} S,\quad B \triangleleft \{N_s, GPS_a, K_{ab}, A\}_{K_{bs}}}{B \mid\equiv S \mid\sim \{N_s, GPS_a, K_{ab}, A\}_{K_{bs}}} \qquad (6)$$

$$\frac{(5),\ (6)}{B \mid\equiv S \mid\equiv \{N_s, GPS_a, K_{ab}, A\}_{K_{bs}}} \qquad (7)$$

According to our new jurisdiction rule, if B believes that S sent the ticket (equation 6), B believes that S has jurisdiction over the session key (Kab), the authenticator received by B is encrypted by the session key, and the client's GPS in the ticket matches the client's GPS in the authenticator, then B believes the session key. Therefore B believes A.

$$\frac{(6),\quad B \mid\equiv S \Rightarrow (K_{ab}, GPS_a),\quad B \triangleleft (GPS_a)_{K_{ab}}}{B \mid\equiv K_{ab}} \qquad (8)$$

As we showed, the sender's position address should be included in the message. The server has to validate the user's position address before allowing the users to use the services.

8. Conclusion and Future work

This paper has presented an innovative approach to improve the Kerberos security protocols. The protocol was evaluated using N-BAN logic in order to demonstrate the merits and capabilities of the proposed approach. We first proposed to add the user's physical position to the Kerberos protocol's messages as a new factor in addition to the obtained factors. Secondly, we proposed a modified approach to BAN Logic; we modified the jurisdiction rule, which says that the message should be sent from the legitimate position. Finally, we analyzed the improved Kerberos (N-Kerberos) protocol using modified BAN (N-BAN). The possibility of replay attacks is reduced by using N-Kerberos as compared with Kerberos. In addition, we proved that N-BAN logic has the ability to halt replay attacks much better than BAN logic. Using N-Kerberos indoors needs further investigation in our future work.

References

[1] D. Brumley, and D. Boneh, "Remote timing attacks are practical", Computer Networks, Elsevier, Stanford University, USENIX Association Berkeley, CA, USA, 2005, pp. 1-1.
[2] B. Kemal, and B. Nazife, "One-Time Passwords: Security Analysis Using BAN Logic and Integrating with Smartcard Authentication", Lecture notes in computer science, Springer, 2003, pp. 794-801.
[3] J. Clulow, and J.S. Clulow, "The design and analysis of cryptographic application programming interfaces for security devices", CiteSeerX - Scientific Literature Digital Library and Search Engine, CiteSeerX, United state, 2008.
[4] G. Hachez, and J. J. Quisquater, "Montgomery Exponentiation with no Final Subtraction: improved result", Cryptographic Hardware and Embedded Systems (CHES), Springer, 2000, pp. 293-301.
[5] P.C. Kocher, "Timing Attacks on Implementations of Diffie-Hellman, RSA, DSS, and Other Systems", Lecture Notes in Computer Science, Springer-Verlag, London, UK, 1996, pp. 104-113.
[6] M. Burrows, and M. Abadi, and R. Needham, "A logic of authentication", ACM Transactions on Computer Systems (TOCS), ACM New York, NY, USA, 1990, pp. 18-36.
[7] Spinellis, D., Gritzalis, S. and Georgiadis, P., "Security Protocols over open networks and distributed systems: Formal method for their Analysis, Design, and Verification", 1990, pp. 695-707.
[8] Mukhamedov, A., "Full agreement in BAN kerberos", Security and Privacy for Emerging Areas in Communication Networks, 2005. Workshop of the 1st International Conference on, Citeseer, Workshop of the 1st International Conference, 2005, pp. 218 - 223.
[9] Lowe, G., "A hierarchy of authentication specifications", Proceedings of the 10th Computer Security Foundations Workshop (CSFW '97) (1997), IEEE Computer Society, 1997.
[10] Kimmo Kasslin, Antti Tikkanen, "Kerberos V Security: ReplayAttacks", Enhancing Trust, Citeseer, pp. 191.
[11] Gong, L., Needham, R. and Yahalom, R., "Reasoning about belief in cryptographic protocols", IEEE Symposium on Security and Privacy, 1999, pp. 234.
[12] Kai Fan; Hui Li; Yue Wang, "Security Analysis of the Kerberos Protocol Using BAN Logic", Fifth International Conference on Information Assurance and Security, Xi'An China, 2009, pp. 467 – 470.
[13] J. Steiner, C. Neuman, and J.I. Schiller, "Kerberos: An Authentication Service for Open Network Systems", Proc. Winter USENIX Conference, Citeseer, Dallas, 1988, pp. 191-201.
[14] S.P. Miller, B.C. Neuman, J.I. Schiller, and J.H. Saltzer, "Kerberos Authentication and Authorization System", in Project Athena Technical Plan, December 1987.
[15] B. Bryant, "Designing an Authentication System: A Dialogue in Four Scenes", Draft February, February 8, 1988.
[16] Kaufman, C., R. Perlman, and M. Speciner, "Network Security, Private Communication in a Public World", Prentice Hall Press Upper Saddle River, NJ, USA, 2002, pp. 752.
[17] W. John, B. Schneier, "Applied Cryptography", Wiley-India, New York, 2007.
[18] S. M. Bellovin, M. Merritt, "Limitations of the Kerberos authentication system", ACM SIGCOMM Computer Communication Review, ACM New York, NY, USA, October 1990, pp. 119 – 132.
[19] D. Davis and R. Swick, "Workstation Services and Kerberos Authentication at Project Athena", Technical Memorandum TM-424, MIT Laboratory for Computer Science, February 1990, pp. 424.
[20] J.B. Postel and K. Harrenstien, "Time Protocol", RFC May 1983, pp. 868.
[21] D.L. Mills, "Network Time Protocol (Version 3) specification, implementation and analysis", RFC 1305, March 1992.
[22] J.B. Postel, "Transmission Control Protocol", 1981.
[23] J.B. Postel, "User Datagram Protocol", Citeseer, 1980.
[24] R.T. Morris, "A Weakness in the 4.2BSD TCP/IP Software", Computing Science Technical Report, New Jersey 1985.
[25] Kohl J. and Neuman B. C., "The Kerberos Network Authentication Service (Version 5)", IETF Internet draft, Request for Comments, RFC1510, USA 1993.
[26] Denning, D. and MacDoran, P., "Location-based authentication: grounding cyberspace for better security", Computer Fraud & Security, Elsevier, 1996, pp. 12-16.
[27] G. Sato, T. Asai, T. Sakamoto, T. Hase, "Improvement of the positioning accuracy of a software-based GPS receiver using a 32-bit embedded microprocessor", IEEE Transactions on Consumer Electronics, 2000, pp. 521 - 530.
[28] M. Matosevic, Z. Salcic, S. Berber, "A Comparison of Accuracy Using a GPS and a Low-Cost DGPS, Instrumentation and Measurement", IEEE Transactions on Instrumentation and Measurement, 2006, pp. 1677 – 1683.
[29] M. Lehtinen, A. Happonen, J. Ikonen, "Accuracy and time to first fix using consumer-grade GPS receivers", Software, Telecommunications and Computer Networks, 2008, pp. 334 – 340.
[30] A. Schmid, "Positioning Accuracy Improvement With Differential Correlation", IEEE Journal of Selected Topics in Signal Processing, 2009, pp. 587 – 598.
[31] H. Wen, P.Y.R Huang, J. Dyer, A. Archinal and J. Fagan, "Countermeasures for GPS signal spoofing", ION GNSS, 2005, pp. 13-16.