formal security analysis of authentication in an
play

Formal security analysis of authentication in an asynchronous - PowerPoint PPT Presentation

May 16, 2023 •453 likes •1.71k views

Formal security analysis of authentication in an asynchronous communication model Bsc thesis presentation Jacob Wahlgren & Sam Hedin June 18 KTH 1 Outline Introduction Background Secure Data Sharing Methods Results Owner event

  1. local owner is authentic lemma local_owner_is_authentic: //If a user is the owner at time i "All obj localuser owner #i. LocalOwner(obj, localuser, owner) @i //there must previously have been an owner //who created a change owner event before time i ==> (Ex prev_owner #j. ChangeOwner(obj, prev_owner, owner) @j & not(#i < #j)) //or the user created the object themselves. | (Ex #j. CreateObject(obj, owner) @j & not(#i < #j))" 21

  2. Owner event: Lemmas pt. 3 22

  3. Owner event: Lemmas pt. 3 • We found that the lemma local_owner_is_authentic only provides non-injective agreement. 22

  4. Owner event: Lemmas pt. 3 • We found that the lemma local_owner_is_authentic only provides non-injective agreement. • This means that the apparent owner at some point actually was the owner, however the signature is not unique per event. 22

  5. Owner event: Lemmas pt. 3 • We found that the lemma local_owner_is_authentic only provides non-injective agreement. • This means that the apparent owner at some point actually was the owner, however the signature is not unique per event. • Because the signature may be reused, it is possible to fake ownership if one was previously the owner of the object through a replay attack (explained next slide). 22

  6. Owner event: Lemmas pt. 3 • We found that the lemma local_owner_is_authentic only provides non-injective agreement. • This means that the apparent owner at some point actually was the owner, however the signature is not unique per event. • Because the signature may be reused, it is possible to fake ownership if one was previously the owner of the object through a replay attack (explained next slide). • A way to remedy this is to make signatures unique for each event. For instance, an incrementing serial number could be added to each signature. 22

  7. Example replay attack 23

  8. Example replay attack Bob Alice Home Server grantAccess(Alice sign, Bob, object, ...) revokeAccess(Alice sign, Bob, object, ...) grantAccess(Alice sign, Bob, object, ...) (Replay attack) 23

  9. Example replay attack Bob Alice Home Server grantAccess(Alice sign, Bob, object, ...) revokeAccess(Alice sign, Bob, object, ...) grantAccess(Alice sign, Bob, object, ...) (Replay attack) • The diagram shows an example of a possible exploit which exists when signatures can be re-used between events. 23

  10. Example replay attack Bob Alice Home Server grantAccess(Alice sign, Bob, object, ...) revokeAccess(Alice sign, Bob, object, ...) grantAccess(Alice sign, Bob, object, ...) (Replay attack) • The diagram shows an example of a possible exploit which exists when signatures can be re-used between events. • Alice wishes to grant some level of access of an object to Bob. 23

  11. Example replay attack Bob Alice Home Server grantAccess(Alice sign, Bob, object, ...) revokeAccess(Alice sign, Bob, object, ...) grantAccess(Alice sign, Bob, object, ...) (Replay attack) • The diagram shows an example of a possible exploit which exists when signatures can be re-used between events. • Alice wishes to grant some level of access of an object to Bob. • Alice does this by creating and signing the event grantAccessEvent with Alice sign . 23

  12. Example replay attack Bob Alice Home Server grantAccess(Alice sign, Bob, object, ...) revokeAccess(Alice sign, Bob, object, ...) grantAccess(Alice sign, Bob, object, ...) (Replay attack) • The diagram shows an example of a possible exploit which exists when signatures can be re-used between events. • Alice wishes to grant some level of access of an object to Bob. • Alice does this by creating and signing the event grantAccessEvent with Alice sign . • Shortly thereafter, Alice revokes the previously granted access with revokeAccess . 23

  13. Example replay attack Bob Alice Home Server grantAccess(Alice sign, Bob, object, ...) revokeAccess(Alice sign, Bob, object, ...) grantAccess(Alice sign, Bob, object, ...) (Replay attack) • The diagram shows an example of a possible exploit which exists when signatures can be re-used between events. • Alice wishes to grant some level of access of an object to Bob. • Alice does this by creating and signing the event grantAccessEvent with Alice sign . • Shortly thereafter, Alice revokes the previously granted access with revokeAccess . • However, Bob copied Alice’s signature and uses it to grant himself illegitimate access to the object. 23

  14. Owner event: Summary 24

  15. Owner event: Summary • The signing key cannot be obtained by an attacker. 24

  16. Owner event: Summary • The signing key cannot be obtained by an attacker. • The owner event only provided a weaker form of authentication in the analysed version. 24

  17. Owner event: Summary • The signing key cannot be obtained by an attacker. • The owner event only provided a weaker form of authentication in the analysed version. • In version 0.06 of the protocol, an incrementing number was added to the signature to enforce ordering of owner events and provide stronger authenticity, based on our suggestion. 24

  18. Owner event: Summary • The signing key cannot be obtained by an attacker. • The owner event only provided a weaker form of authentication in the analysed version. • In version 0.06 of the protocol, an incrementing number was added to the signature to enforce ordering of owner events and provide stronger authenticity, based on our suggestion. • Reset events had a similar issue, which was also resolved in the same manner. 24

  19. Access event: Background 25

  20. Access event: Background • An access event modifies access rights to an entire object or for specific fields in that object. 25

  21. Access event: Background • An access event modifies access rights to an entire object or for specific fields in that object. • Access events are authenticated using a digital signature. 25

  22. Access event: Background • An access event modifies access rights to an entire object or for specific fields in that object. • Access events are authenticated using a digital signature. • In version 0.03 the signature was computed over the concatenation of the affected label, the user id of the user making the change, the device number, a counter value, and the list of users and what access level they are granted. 25

  23. Access event: Model 26

  24. Access event: Model • The model for access events builds upon the model for owner events. Different access levels are not modeled since they do not affect the authenticity of the messages. 26

  25. Access event: Model • The model for access events builds upon the model for owner events. Different access levels are not modeled since they do not affect the authenticity of the messages. • Granting access to an object is modeled by the send_access_event rule. It can be executed by a user who already has access to the object. 26

  26. Access event: Model • The model for access events builds upon the model for owner events. Different access levels are not modeled since they do not affect the authenticity of the messages. • Granting access to an object is modeled by the send_access_event rule. It can be executed by a user who already has access to the object. • The receive_access_event rule is then used to receive and verify the event and signature. 26

  27. Access event: Model • The model for access events builds upon the model for owner events. Different access levels are not modeled since they do not affect the authenticity of the messages. • Granting access to an object is modeled by the send_access_event rule. It can be executed by a user who already has access to the object. • The receive_access_event rule is then used to receive and verify the event and signature. • The rule owner_to_access acts as a bridge between the access and owner models, it makes sure that the owner is considered to have access as well. 26

  28. Access event: Lemma 27

  29. Access event: Lemma • There is only one lemma for access events - can_receive - which verifies that a user with the correct access rights can grant another user similar access rights. For example, the owner of an object should be able to assign a user as an administrator of that object. 27

  30. Access event: Lemma • There is only one lemma for access events - can_receive - which verifies that a user with the correct access rights can grant another user similar access rights. For example, the owner of an object should be able to assign a user as an administrator of that object. • The lemma was not originally intended to test any security properties. However, the trace it generated made us realise that the access event does not provide full agreement. 27

  31. Access event: Lemma • There is only one lemma for access events - can_receive - which verifies that a user with the correct access rights can grant another user similar access rights. For example, the owner of an object should be able to assign a user as an administrator of that object. • The lemma was not originally intended to test any security properties. However, the trace it generated made us realise that the access event does not provide full agreement. • In the generated trace, two objects were created, but the access event signature from one object was copied from the other object. Since the signature did not include the object identifier, it could be used in a replay attack to modify access rights for another object. 27

  32. Access event: Lemma • There is only one lemma for access events - can_receive - which verifies that a user with the correct access rights can grant another user similar access rights. For example, the owner of an object should be able to assign a user as an administrator of that object. • The lemma was not originally intended to test any security properties. However, the trace it generated made us realise that the access event does not provide full agreement. • In the generated trace, two objects were created, but the access event signature from one object was copied from the other object. Since the signature did not include the object identifier, it could be used in a replay attack to modify access rights for another object. • This is an authenticity problem because the signature may be reused in the wrong context. 27

  33. Access event: Lemma • There is only one lemma for access events - can_receive - which verifies that a user with the correct access rights can grant another user similar access rights. For example, the owner of an object should be able to assign a user as an administrator of that object. • The lemma was not originally intended to test any security properties. However, the trace it generated made us realise that the access event does not provide full agreement. • In the generated trace, two objects were created, but the access event signature from one object was copied from the other object. Since the signature did not include the object identifier, it could be used in a replay attack to modify access rights for another object. • This is an authenticity problem because the signature may be reused in the wrong context. • A user could incorrectly be given authorization to read, modify, or even delete an object which it should not have access to. 27

  34. Access event: Lemma • There is only one lemma for access events - can_receive - which verifies that a user with the correct access rights can grant another user similar access rights. For example, the owner of an object should be able to assign a user as an administrator of that object. • The lemma was not originally intended to test any security properties. However, the trace it generated made us realise that the access event does not provide full agreement. • In the generated trace, two objects were created, but the access event signature from one object was copied from the other object. Since the signature did not include the object identifier, it could be used in a replay attack to modify access rights for another object. • This is an authenticity problem because the signature may be reused in the wrong context. • A user could incorrectly be given authorization to read, modify, or even delete an object which it should not have access to. • This can be remedied by making the signature in the access event include the object identifier. 27

  35. Access event: Summary 28

  36. Access event: Summary • In version 0.06 of the protocol, the object identifier was added to the signature, based on our suggestion. Therefore, the identified vulnerability no longer exists. 28

  37. Basic mode: Background 29

  38. Basic mode: Background • Users can register and authenticate themselves in the basic mode or end-to-end mode. 29

  39. Basic mode: Background • Users can register and authenticate themselves in the basic mode or end-to-end mode. • In the basic mode, users can register and authenticate with both stateless and stateful devices. Public key cryptography is not used, instead a user’s identity is their email address or phone number. 29

  40. Basic mode: Background • Users can register and authenticate themselves in the basic mode or end-to-end mode. • In the basic mode, users can register and authenticate with both stateless and stateful devices. Public key cryptography is not used, instead a user’s identity is their email address or phone number. • The purpose of the following procedure is to verify that API requests to the home server originate from the claimed user. The email channel is assumed to be secure. 29

  41. Basic mode: Step-by-step 30

  42. Basic mode: Step-by-step • Registration and authentication starts with the email address being sent to the home server. 30

  43. Basic mode: Step-by-step • Registration and authentication starts with the email address being sent to the home server. • The home server responds by sending a verification link to the specified email address. The link expires within 10 minutes. 30

  44. Basic mode: Step-by-step • Registration and authentication starts with the email address being sent to the home server. • The home server responds by sending a verification link to the specified email address. The link expires within 10 minutes. • When the user clicks the link, the server can match the URL to the user id, and thus conclude the request to be authentic. In that case, the server returns a session key which is used to authenticate further requests. 30

  45. Registration and authentication in the basic mode: Model 31

  46. Registration and authentication in the basic mode: Model • The steps described in the specification are represented by the rules fresh_verification_code , click_on_link , verify_user and create_user . 31

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Authentication Most technical security safeguards have Authentication authentication as a

Authentication Most technical security safeguards have Authentication authentication as a

Authentication Most technical security safeguards have Authentication authentication as a precondition How to authenticate: Something you know Password, Secrets Something you have Smart Card, Token Something you are Biometrie

607 views • 4 slides
EAP-SIM Security Analysis Mobility Solutions Keyspace and Mutual Authentication Weaknesses Uri

EAP-SIM Security Analysis Mobility Solutions Keyspace and Mutual Authentication Weaknesses Uri

EAP-SIM Security Analysis Mobility Solutions Keyspace and Mutual Authentication Weaknesses Uri Blumenthal (analysis done by Sarvar Patel) Member of Technical Staff EAP-SIM Draft and its Security Claims Current EAP-SIM provides

342 views • 7 slides
Formal analysis of security models for critical systems: Virtualization platforms and mobile

Formal analysis of security models for critical systems: Virtualization platforms and mobile

Formal analysis of security models for critical systems: Virtualization platforms and mobile devices Carlos Luna Grupo de Seguridad Inform atica, InCo Facultad de Ingenier a, Universidad de la Rep ublica, Uruguay Formal analysis

751 views • 56 slides
AUTHENTICATION AUTHENTICATION Authentication is the process by which you decide that someone is

AUTHENTICATION AUTHENTICATION Authentication is the process by which you decide that someone is

SECURITY TOPICS PART 2 AUTHENTICATION AUTHENTICATION Authentication is the process by which you decide that someone is who they say they are and therefore permitted to access the requested resources: getting entrance to a computer lab

833 views • 44 slides
Security Security as term, Possible Security violations Authentication Criteria for

Security Security as term, Possible Security violations Authentication Criteria for

BS1 WS19/20 topic-based slides Security Security as term, Possible Security violations Authentication Criteria for Trust in Computer Systems Three hearts of Windows Security DACLs A Look at Security System is secure if

988 views • 20 slides
Formal Security Analysis of Cryptographic Protocol Code

Formal Security Analysis of Cryptographic Protocol Code

Formal Security Analysis of Cryptographic Protocol Code Karthikeyan Bhargavan INRIA IIT Delhi, Fall 2010 Lecture 1: WriCng Secure Web ApplicaCons

472 views • 25 slides
Cisco Security Authentication Failure Rate Cisco Security Authentication Failure Rate or SHIT

Cisco Security Authentication Failure Rate Cisco Security Authentication Failure Rate or SHIT

Cisco Security Authentication Failure Rate Cisco Security Authentication Failure Rate or SHIT THAT DOES NOT WORK!!! security authentication failure rate To configure the number of allowable unsuccessful login attempts, use the security

476 views • 6 slides
Formal Security Analysis and Improvement of a hash-based

Formal Security Analysis and Improvement of a hash-based

Formal Security Analysis and Improvement of a hash-based NFC M-coupon Protocol Ali Alshehri and Steve Schneider Agenda Introduc?on. Approach

498 views • 25 slides
Information Security Identification and authentication Advanced User Authentication II

Information Security Identification and authentication Advanced User Authentication II

Information Security Identification and authentication Advanced User Authentication II 2019-02-08 Amund Hunstad Guest Lecturer, amund@foi.se Agenda for lecture I within this part of the course Background Authentication eID

1.19k views • 102 slides
Information Security Identification and authentication Advanced User Authentication II

Information Security Identification and authentication Advanced User Authentication II

Information Security Identification and authentication Advanced User Authentication II 2016-01-29 Amund Hunstad Guest Lecturer, amund@foi.se Agenda for lecture I within this part of the course Background Authentication eID

683 views • 44 slides
Formal Analysis of the Entropy / Security Trade-off in First-Order Masking Countermeasures

Formal Analysis of the Entropy / Security Trade-off in First-Order Masking Countermeasures

Introduction RSM: Rotating Sboxes Masking Information Theoretic Evaluation of RSM Security Evaluation of RSM against CPA and 2O-CPA Conclusions and Perspectives Formal Analysis of the Entropy / Security Trade-off in First-Order Masking

539 views • 38 slides
Information Security Identification and authentication Advanced User Authentication I 2019-02-01

Information Security Identification and authentication Advanced User Authentication I 2019-02-01

Information Security Identification and authentication Advanced User Authentication I 2019-02-01 Amund Hunstad Guest Lecturer, amund@foi.se Agenda for this part of the course Background Statistics in user authentication Biometric systems

573 views • 32 slides
Information Security Identification and authentication Advanced User Authentication I 2016-01-26

Information Security Identification and authentication Advanced User Authentication I 2016-01-26

Information Security Identification and authentication Advanced User Authentication I 2016-01-26 Amund Hunstad Guest Lecturer, amund@foi.se Agenda for this part of the course Background Statistics in user authentication Biometric systems

865 views • 40 slides
Information Security Identification and authentication Advanced User Authentication I 2018-02-02

Information Security Identification and authentication Advanced User Authentication I 2018-02-02

Information Security Identification and authentication Advanced User Authentication I 2018-02-02 Amund Hunstad Guest Lecturer, amund@foi.se Agenda for this part of the course Background Statistics in user authentication Biometric systems

568 views • 41 slides
Security APIs ARSPA-WITS10 () Formal Analysis of Key Integrity in PKCS#11s 2 / 17 Security

Security APIs ARSPA-WITS10 () Formal Analysis of Key Integrity in PKCS#11s 2 / 17 Security

Formal Analysis of Key Integrity in PKCS#11 Andrea Falcone 1 Riccardo Focardi 1 1 Universit` a Ca Foscari di Venezia, Italy focardi@dsi.unive.it ARSPA-WITS10 Paphos, Cyprus March 27-28, 2010 Work partially supported by: Miur07

729 views • 17 slides
Web Security: Authentication &amp; UI-based attacks CS 161: Computer Security Prof. Raluca Ada

Web Security: Authentication &amp; UI-based attacks CS 161: Computer Security Prof. Raluca Ada

Web Security: Authentication &amp; UI-based attacks CS 161: Computer Security Prof. Raluca Ada Popa April 12, 2016 Credit: some slides are adapted from previous offerings of this course or from CS 241 of Prof. Dan Boneh Authentication &amp;

1.11k views • 73 slides
Tencrypt: Encrypting Tenant-Traffic in OpenShift Forschungsprojekt Anwendung // Dresden, 15th

Tencrypt: Encrypting Tenant-Traffic in OpenShift Forschungsprojekt Anwendung // Dresden, 15th

Dominik Pataky Faculty of Computer Science, Institute of Systems Architecture, Chair of Computer Networks Tencrypt: Encrypting Tenant-Traffic in OpenShift Forschungsprojekt Anwendung // Dresden, 15th November, 2018 Contents Introduction Red

1.26k views • 125 slides
Parallelized RSA Algorithm: An Analysis With Performance Evaluation using OpenMP Library in High

Parallelized RSA Algorithm: An Analysis With Performance Evaluation using OpenMP Library in High

Parallelized RSA Algorithm: An Analysis With Performance Evaluation using OpenMP Library in High Performance Computing Environment Md. Ahsan Ayub , Zishan Ahmed Onik, Steven Smith Department of Computer Science Tennessee Technological

507 views • 19 slides
Transition from Quasi-Static to Dynamic Fracture Carlos G. Dvila Structural Mechanics &amp;

Transition from Quasi-Static to Dynamic Fracture Carlos G. Dvila Structural Mechanics &amp;

https://ntrs.nasa.gov/search.jsp?R=20160006280 2018-07-31T20:38:53+00:00Z Damage Instability and Transition from Quasi-Static to Dynamic Fracture Carlos G. Dvila Structural Mechanics &amp; Concepts Branch NASA Langley Research Center

582 views • 45 slides
Digital On-Demand Computing Organism Dod Org SPP OC Kolloquium DFG SPP 1183 Organic

Digital On-Demand Computing Organism Dod Org SPP OC Kolloquium DFG SPP 1183 Organic

Digital On-Demand Computing Organism Dod Org SPP OC Kolloquium DFG SPP 1183 Organic Computing Mnchen, Oktober 7/8, 2010 KIT The cooperation of Forschungszentrum Karlsruhe GmbH and Universitt Karlsruhe (TH) Talk Overview Project

660 views • 28 slides
Toward a Dynamic Trust Establishment Approach for Multi-provider Intercloud Environment Canh Ngo ,

Toward a Dynamic Trust Establishment Approach for Multi-provider Intercloud Environment Canh Ngo ,

Toward a Dynamic Trust Establishment Approach for Multi-provider Intercloud Environment Canh Ngo , Yuri Demchenko {t.c.ngo, y.demchenko}@uva.nl System and Network Engineering Group University of Amsterdam Agenda Motivation Trust

507 views • 19 slides
THE MODEL: PERSPECTIVES AND CHALLENGES PERSPECTIVES AND CHALLENGES NOU 2012:2 Outside and Inside

THE MODEL: PERSPECTIVES AND CHALLENGES PERSPECTIVES AND CHALLENGES NOU 2012:2 Outside and Inside

THE MODEL: PERSPECTIVES AND CHALLENGES PERSPECTIVES AND CHALLENGES NOU 2012:2 Outside and Inside Norways Agreements with the EU Chapter 13, 27 and 28 THE MODEL? 1) Perspectives 1) Perspectives 2) Features of the model 3) Challenges )

457 views • 21 slides
unlimited use and unrestricted exposure , the lead agency shall review such action no less often

unlimited use and unrestricted exposure , the lead agency shall review such action no less often

Alternatives for Managing the Nations Complex Contaminated Michael Kavanaugh 1 Groundater Sites: NRC 2013: Key Findings, and Overview of Transition Assessments Alternatives for Managing the Nations Complex Contaminated Groundwater

264 views • 8 slides
KANTOROVICH AND CLOSE-COUPLING METHODS IN QUANTUM TUNNELING PROBLEM FOR A COUPLED PAIR OF IONS

KANTOROVICH AND CLOSE-COUPLING METHODS IN QUANTUM TUNNELING PROBLEM FOR A COUPLED PAIR OF IONS

KANTOROVICH AND CLOSE-COUPLING METHODS IN QUANTUM TUNNELING PROBLEM FOR A COUPLED PAIR OF IONS THROUGH LONG-RANGE POTENTIAL BARRIERS. Outline The problem statement A.A. Gusev, Close-coupling and Kantorovich (Adia- batic) methods O.

300 views • 29 slides

More recommend