Improving Trust and Authentication in Kerberos with Integrity Measurement and Trusted Computing Components Dr. Olga Chen U.S. Naval Research Laboratory September 10, 2013


UNCLASSIFIED

Outline

• Who are we?

• Motivation

• Kerberos overview

• Integrity Measurements and the Trusted Platform Module (TPM)

• TPM Key Management: the AIK and the quote

• Attestation integration with Kerberos

• Software integration into KRB5

• Demonstration

• Results

• Future work


Who are we?

• Dr. Olga Chen
– Computer Scientist at the Center for High Assurance Computer Systems, U.S. Naval Research Laboratory
– Navy representative under US Government umbrella to the Trusted Computing Group (TCG)
– Performing Trusted Platform Module research in secure BIOS, hard disk encryption, OS hardening techniques, and TPM Backup/Recovery protocols

• Dr. David Challener, Peter Kruus, James Farlow
– Researchers at Johns Hopkins University Applied Physics Laboratory
– Chair TCG activities
– Experience deploying integrity measurement solutions in corporate networks
– Performing trusted computing research for government sponsors


Motivation: Need for Integrity Protection

• Problem: Platform integrity state is not considered when making access control or authentication decisions.
– Potential to authenticate platforms in a compromised integrity state

• Need: Mechanisms to exchange platform integrity information along with authentication information
– Enable access control points to make more informed access control decisions
– Stronger authentication mechanisms rooted in hardware that are less vulnerable to attack

• Solution: Integration of integrity together with authentication information in the widely used network/resource access protocol
– Kerberos + TPM = Big Impact on Security


Motivation: Kerberos and the TPM

• Kerberos
– Strong client/server mutual authentication
– Invented in the 1980s by MIT, open sourced in 1987, IETF standard in 1993
– Mother of single-sign-on protocols

• Who uses Kerberos?
– Your grandparents, your gamer friends, your work colleagues… Just about everyone!
– Estimated 100 million++++ users worldwide
– Integrated into every major OS (Windows, Mac OS, Red Hat Linux, Xbox)
– Kerberos plugin mechanisms enable a relatively easy addition of code

• Trusted Platform Modules (TPMs)
– Provide hardware root-of-trust integrity protection
– Hardware-rooted authentication, security, and integrity mechanisms
– Trusted Software Stack (TSS) for Linux is an open-source project

• Who uses the TPM?
– Standard motherboard component on most business class desktops/laptops and now servers
– According to Trusted Computing Group: more than 500 million PCs have shipped with the TPM

• Established background research
– NRL and APL are extending MITRE’s pre-auth plugin research


The Big Picture

[Figure: three parties, the Kerberos Key Distribution Center (KDC), the Client (TPM-enabled computer) and the Resource Server. 1. Client authenticates with integrity info. 2. Server grants ticket based on identity and integrity.]


Kerberos Overview

[Figure: message flow between Service, Client, AS (Authentication Server) and TGS (Ticket Granting Server). Initialization: Kerberos keys. Request – KRB_AS_REQ; on PASS, Response – KRB_AS_REP carrying the Ticket Granting Ticket; on FAIL, Response – KRB_ERROR. Request – KRB_TGS_REQ; Response – KRB_TGS_REP carrying the service Ticket. Request – KRB_AP_REQ; Response – KRB_AP_REP; then Session Communications.]


Integrity Measurements and the TPM

• Leverage Trusted Platform Module (TPM) – hardware or virtualized
• Integrity Measurements are stored in the Platform Configuration Registers (PCRs)
– PCRs are not resettable and can be updated only through an “extend” operation
– PCR(i+1) = Hash(PCR(i) + value)
– PCR values are updated on every system boot
• Internal TPM key is used to sign measurements for external attestation (i.e., TPM Quote function)
• PCRs exchanged for external attestation reflect the platform’s boot state and provide a measurement chain-of-trust tied to the immutable BIOS
• What PCRs we are going to use:

PCR 0 (BIOS)              PCR 2 (Option ROM)         PCR 4 (Bootloader)
PCR 1 (BIOS Config)       PCR 3 (Option ROM Config)  PCR 5 (Bootloader Config)
PCR 16 (Can be used for testing purposes)
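The extend rule and the PCR selection above, as an added example that is not part of the deck: a stand-in for the TPM 1.2 PCR bank in Python (SHA-1, 20-byte registers, simplified composite digest), showing why a changed boot component or a non-zero PCR 16 is detected while anything outside the mask is ignored. The boot log fed to `simulate_boot` is constructed, not taken from a real platform.

```python
import hashlib

# TPM 1.2 PCRs hold 20-byte SHA-1 digests and start at all zeros on every boot.
PCR_SIZE = 20
# The PCR set the deck attests: BIOS, option ROMs, bootloader, their configs, and PCR 16.
BOOT_PCR_MASK = (0, 1, 2, 3, 4, 5, 16)

def pcr_extend(pcr, value):
    """PCR(i+1) = Hash(PCR(i) + value): the only way a PCR changes; it is never written directly."""
    assert len(pcr) == PCR_SIZE and len(value) == PCR_SIZE
    return hashlib.sha1(pcr + value).digest()

def measure(component):
    """Measurement of a boot component (its hash), as recorded by the stage that loads it."""
    return hashlib.sha1(component).digest()

def simulate_boot(components):
    """Every PCR starts at zero; each measured component is extended into its PCR in order.
    components: {pcr_index: [component_bytes, ...]} (a constructed stand-in for a boot log)."""
    pcrs = {i: bytes(PCR_SIZE) for i in range(24)}
    for index, blobs in components.items():
        for blob in blobs:
            pcrs[index] = pcr_extend(pcrs[index], measure(blob))
    return pcrs

def pcr_composite(pcrs, mask=BOOT_PCR_MASK):
    """Digest over the selected PCRs: a simplified form of the TPM_PCR_COMPOSITE hash
    that a quote signs. PCRs outside the mask do not influence it."""
    return hashlib.sha1(b"".join(pcrs[i] for i in sorted(mask))).digest()

def same_boot_state(pcrs, baseline, mask=BOOT_PCR_MASK):
    """Compare a platform's masked PCRs against the provisioned (golden) baseline."""
    return pcr_composite(pcrs, mask) == pcr_composite(baseline, mask)

if __name__ == "__main__":
    golden = simulate_boot({0: [b"bios-image"], 1: [b"bios-config"], 4: [b"bootloader"]})
    changed = simulate_boot({0: [b"bios-image"], 1: [b"bios-config"], 4: [b"other-bootloader"]})
    print("baseline matches itself:", same_boot_state(golden, golden))
    print("modified bootloader detected:", not same_boot_state(changed, golden))
```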


Attestation Identity Key

• Attestation Identity Key (AIK)
– A special purpose TPM-resident non-migratable RSA key that is used to provide platform authentication based on the attestation capability of the TPM
– Is much more constrained than a general RSA key, in that it can only be used by the TPM to sign specific TPM-originated structures
• The public portion of the AIK is sent to the KDC (or server) to verify the integrity information sent from the client and signed by the private portion of the AIK


TPM Quote

• TPM is used to ensure the integrity and trust of integrity measurements
• A quote represents the current state of a platform and contains a set of the PCR values signed by the TPM’s AIK
• TPM Quote can be verified with the AIK’s public key component
– Quote contains a composite of PCR values that can be compared to a trusted baseline measurement
– Baseline measurements are recorded during a provisioning process
– The PCR Composite Object
» Array of hashes and their composite digest value
– Quote creation process:
» Create PCR Composite Object -> select PCRs -> Tspi_TPM_Quote()
» The result is the TSS_VALIDATION struct


Changes to Kerberos

• Pre-authentication plugin
• Initial client request is rejected
– More authentication information requested (quote)
– Nonce is returned in the error message and used in the TPM Quote generation for liveness and anti-replay protection
• PCR mask is returned in the error message
– The mask allows the Key Distribution Center (KDC) to tailor the information gathered by the client
• Nonce is verified
• Client’s quote is compared by the KDC against a baseline value
• Ticket granted only after successful verification
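The pre-auth exchange just described (nonce and PCR mask in the error reply, quote bound to the nonce, signature check, baseline comparison), as an added Python model that is not the NRL/APL plugin code. The AIK is replaced by a constructed HMAC key shared between client and KDC so the block runs without a TPM or an RSA library; the real design signs inside the TPM and the KDC verifies with the AIK public key. `KDC` and `tpm_quote` are hypothetical names; the verifier checks the nonce first, uses its own stored mask rather than one the client reports, and discards the nonce after one use.

```python
import hashlib
import hmac
import os

BOOT_PCR_MASK = (0, 1, 2, 3, 4, 5, 16)   # the PCR set from the deck
# Constructed stand-in for the AIK: an HMAC key known to client and KDC.
# The real design signs with a TPM-resident RSA AIK and verifies with its public part.
AIK_STAND_IN = b"constructed-aik-key"

def pcr_composite(pcrs, mask):
    """Digest over the PCRs selected by the mask (simplified TPM_PCR_COMPOSITE hash)."""
    return hashlib.sha1(b"".join(pcrs[i] for i in sorted(mask))).digest()

def tpm_quote(pcrs, mask, nonce, key=AIK_STAND_IN):
    """Client side: quote over the masked PCRs, bound to the KDC's nonce (the externalData)."""
    composite = pcr_composite(pcrs, mask)
    sig = hmac.new(key, b"QUOT" + composite + nonce, hashlib.sha1).digest()
    return {"composite": composite, "nonce": nonce, "sig": sig}

class KDC:
    """Server-side pre-auth plugin state: golden PCRs per principal and open sessions."""
    def __init__(self, baselines):
        self.baselines = baselines        # principal -> provisioned PCR values
        self.sessions = {}                # (principal, realm) -> (nonce, mask)

    def preauth_required(self, principal, realm):
        """First KRB_AS_REQ is rejected; the KRB_ERROR carries a fresh nonce and the PCR mask."""
        nonce = os.urandom(20)            # the real KDC draws this from its TPM
        self.sessions[(principal, realm)] = (nonce, BOOT_PCR_MASK)
        return nonce, BOOT_PCR_MASK

    def verify_quote(self, principal, realm, q, key=AIK_STAND_IN):
        """Second KRB_AS_REQ: check nonce, then the AIK signature, then PCRs against baseline."""
        session = self.sessions.pop((principal, realm), None)   # nonce is single-use
        if session is None or not hmac.compare_digest(session[0], q["nonce"]):
            return "reject: nonce mismatch (stale or replayed quote)"
        nonce, mask = session
        expected = hmac.new(key, b"QUOT" + q["composite"] + nonce, hashlib.sha1).digest()
        if not hmac.compare_digest(expected, q["sig"]):
            return "reject: quote not signed by enrolled AIK"
        golden = pcr_composite(self.baselines[principal], mask)  # KDC's own mask, not client's
        if not hmac.compare_digest(golden, q["composite"]):
            return "reject: PCRs differ from provisioned baseline"
        return "ticket granted"
```

Scenario 2 of the demo corresponds to changing PCR 16 in the client's bank and presenting a fresh quote; the composite no longer matches the golden value and the ticket is refused.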


Kerberos with Pre-Auth Attestation

[Figure: the Kerberos Overview exchange between Service, Client, AS and TGS with the pre-auth attestation added. Initialization on the Kerberos KDC: Kerberos keys, AIK public key, baseline PCRs. Request – KRB_AS_REQ; FAIL: the ERROR message from the pre-auth plugin (Response – KRB_ERROR) returns a NONCE and PCR Mask. The modified response from the Client’s pre-auth plugin contains the TPM Quote signed by the AIK. Successful authentication and attestation produces the normal KDC response with ticket. The remaining Kerberos exchanges (Request – KRB_TGS_REQ, Response – KRB_TGS_REP, Request – KRB_AP_REQ, Response – KRB_AP_REP, Session Communications) are unaffected.]


Software Design

• MITRE performed the original cryptographic protocol analysis and identified the pre-auth plugin setup
– Follows the Kerberos plugin methodology
• NRL/APL made changes to the pre-auth plugin on Client and Server

Changes to Client
• Receives PCR mask and NONCE from Server
• Generates TPM Quote signed with AIK
• Sends TSS_VALIDATION struct to Server for attestation
• Messages sent as specific pre-auth type (set in configuration file)

Changes to Server
• Pre-auth plugin sends error message to Client as a reply with PCR mask and NONCE
• Maintains persistent record of session info (principal, realm, and NONCE)
• Verification code to verify TPM Quote signature with Client AIK public key
• Attests TPM Quote to “golden standard” stored in internal database
• Maintains provisioning data (AIK public key, golden PCR quote, principal, realm)


Demo

• Provisioning of the client
– Creation of the AIK and the PCR Composite are done out-of-band. Assume registration with the KDC has been completed.
• Demonstration of the kinit exchange between the client and the server
– Scenario 1: Client’s identity is successfully verified, connection granted
– Scenario 2: A modification in the client’s identity is detected, connection rejected
» Failure is forced in the client’s integrity state by modifying PCR 16


Results

• Integrity measurement exchange integrated within existing Kerberos protocol messages
• Minimal performance impact
• Currently TPM only required on Client platform
– Server performs verify without TPM crypto
– Server leverages TPM for random NONCE


Future Work

• Include mechanisms to prevent rebooting into “bad” states
– Inclusion of tickStamps into measurement chain
• Protecting Tickets
– Cryptographically bind tickets with TPM to good integrity states
– Bound by client to client state, or bound by AS to client state
• Integrity Measurement Architecture (IMA)
– Include IBM’s IMA measurements into attestation decision
– Static load-time measurements made by Linux kernel
• Modify the Tickets to include information for real-time boot cycle checks
• Software Testing
– Test robustness with more Kerberos clients
– Test with servers not equipped with pre-auth plugins to make sure they default to normal passwords
– Use of different PCRs, depending on the client’s/server’s system requirements


Future Work (issues to address)

• Migrate to current version of Kerberos
– Currently our version is 5-1.8; the current version is 5-1.11.3
• Address registration process of clients (i.e., initial provisioning of clients)
• Address re-registration (in case of legitimate platform changes, such as system updates)
• Integrate certificate infrastructure
• Design database/storage solutions for the KDC’s client attestation information/measurements


Contact

Dr. Olga Chen, NRL

[email protected]

Dr. David Challener, JHU/APL

[email protected]


Thank You