Upload
others
View
1
Download
0
Embed Size (px)
Citation preview
Improving Trust and Authentication in
Kerberos with
Integrity Measurement
and Trusted Computing Components
Dr. Olga Chen
U.S. Naval Research Laboratory
September 10, 2013
UNCLASSIFIED
Outline
• Who are we?
• Motivation
• Kerberos overview
• Integrity Measurements and the Trusted Platform Module (TPM)
• TPM Key Management: the AIK and the quote
• Attestation integration with Kerberos
• Software integration into KRB5
• Demonstration
• Results
• Future work
2
UNCLASSIFIED
Who are we?
Dr. Olga Chen
– Computer Scientist at the Center for High Assurance Computer Systems, U.S.
Naval Research Laboratory
– Navy representative under US Government umbrella to the Trusted Computing
Group (TCG)
– Performing Trusted Platform Module research in secure BIOS, hard disk
encryption, OS hardening techniques, and TPM Backup/Recovery protocols
Dr. David Challener, Peter Kruus, James Farlow
– Researchers at Johns Hopkins University Applied Physics Laboratory
– Chair TCG activities
– Experience deploying integrity measurements solutions in corporate network
– Performing trusted computing research for government sponsors
3
UNCLASSIFIED
Motivation:
Need for Integrity Protection
Problem: Platform integrity state is not considered when
making access control or authentication decisions. – Potential to authenticate platforms in a compromised integrity state
Need: Mechanisms to exchange platform integrity
information along with authentication information – Enable access control points to make more informed access control decisions.
– Stronger authentication mechanisms rooted in hardware that are less vulnerable to
attack.
Solution: Integration of integrity together with
authentication information in the widely used
network/resource access protocol. – Kerberos + TPM = Big Impact on Security
4
UNCLASSIFIED
Motivation:
Kerberos and the TPM Kerberos
– Strong client/server mutual authentication
– Invented in 1980’s by MIT, open sourced in 1987, IETF standard in 1993
– Mother of single-sign-on protocols
Who uses Kerberos?
– Your grandparents, your gamer friends, your work colleagues… Just about everyone!
– Estimated 100 million++++ users works wide
– Integrated into every major OS (Windows, Mac OS, Red Hat Linux, xBox)
– Kerberos plugin mechanisms enable a relatively easy addition of code
Trusted Platform Modules (TPMs)
– Provides hardware root-of-trust integrity protection
– Hardware-rooted authentication, security, and integrity mechanisms
– Trusted Software Stack (TSS) for Linux is an open-source project
Who uses the TPM?
– Standard motherboard component on most business class desktops/laptops and now servers
– According to Trusted Computing Group: more than 500 million PCs have shipped with the TPM
Established background research
– NRL and APL are extending MITRE’s pre-auth plugin research
5
UNCLASSIFIED
The Big Picture
6
Kerberos Key Distribution
Center (KDC)
Client (TPM-
enabled
computer)
Resource
Server
1. Client authenticates
with integrity info
2. Server grants ticket based
on identity and integrity
UNCLASSIFIED
Kerberos Overview
7
Service Client AS TGS
Request – KRB_AS_REQ
Initialization
Kerberos
Keys
PASS
FAIL
Response - KRB_AS_REQ
Ticket Granting Ticket
ERROR
Request – KRB_AP_REQ
Response – KRB_AP_REP
Session Communications
Response – KRB_ERROR
Request – KRB_TGS_REQ
Response – KRB_TGS_REP Ticket
1
fs
d
f
1
1
fs
d
f
2
1
fs
d
f
2
a 1
fs
d
f
2
b 1
fs
d
f
3 1
fs
d
f
4
UNCLASSIFIED
Integrity Measurements
and the TPM Leverage Trusted Platform Module (TPM) – hardware or virtualized
Integrity Measurements are stored in the Platform Configuration Registers
(PCRs) – PCRs are not resettable and can be updated only through an “extend” operation
– PCRi+1 = Hash(PCRi + value)
– PCR values are updated on every system boot
Internal TPM key is used to sign measurements for external attestation (i.e.,
TPM Quote function)
PCRs exchanged for external attestation reflect platform’s boot state and
provide a measurement chain-of-trust tied to immutable BIOS
What PCRs we are going to use:
8
PCR 0 (BIOS) PCR 2 (Option ROM) PCR 4 (Bootloader)
PCR 1 (BIOS Config) PCR 3 (Option ROM Config) PCR 5 (Bootloader Config)
PCR 16 (Can be used for testing purposes)
UNCLASSIFIED
Attestation Identity Key
Attestation Identity Key (AIK)
–A special purpose TPM-resident non-migratable RSA key
that is used to provide platform authentication based on the
attestation capability of the TPM
–Is much more constrained than a general RSA key, in that it
can only be used by the TPM to sign specific TPM-
originated structures
The public portion of the AIK is sent to the KDC
(or server) to verify the integrity information sent
from the client and signed by the private portion
of the AIK
9
UNCLASSIFIED
TPM Quote
TPM is used to ensure the integrity and trust of integrity
measurements
A quote represents a current state of a platform and
contains a set of the PCR values signed by the TPM’s AIK
TPM Quote can be verified with AIK’s public key
component – Quote contains composite of PCR values that can be compared to a trusted
baseline measurement
– Baseline measurements are recorded during a provisioning process
– The PCR Composite Object
» Array of hashes and their composite digest value
– Quote creation process:
» Create PCR Composite Object -> select PCRs -> Tpsi_TPM_Quote()
» The result is the TSS_VALIDATION struct
10
UNCLASSIFIED
Changes to Kerberos
Pre-authentication plugin
Initial client request is rejected – More authentication information requested (quote)
– Nonce is returned in the error message and used in the TPM Quote generation for
liveliness and anti-replay protection
PCR mask is returned in the error message. – The mask allows Key Distribution Center (KDC) to tailor information gathered by
the client
Nonce is verified
Client’s quote is compared by KDC against a baseline
value
Ticket granted only after successful verification
11
UNCLASSIFIED
Kerberos with Pre-Auth Attestation
12
Service Client AS TGS
Request – KRB_AS_REQ
Initialization • Kerberos keys
• AIK public
• Baseline PCRs
FAIL ERROR msg. from pre-auth
plugin returns a NONCE and
PCR Mask
Request – KRB_AP_REQ
Response – KRB_AP_REP
Session Communications
Response – KRB_ERROR
Request – KRB_TGS_REQ
Response – KRB_TGS_REP
1
fs
d
f
1
1
fs
d
f
2
1
fs
d
f
2
a 1
fs
d
f
2
b 1
fs
d
f
3 1
fs
d
f
4
Modified response from
Client’s pre-auth plugin
contains TPM Quote signed
by AIK
Successful authentication
and attestation produces
normal KDC response with
ticket
Kerberos KDC
Remaining
Kerberos
exchanges are
unaffected
UNCLASSIFIED
Software Design
MITRE performed original cryptographic protocol analysis
and identified the pre-auth plugin setup – Follows the Kerberos plugin methodology
NRL/APL made changes to pre-auth plugin on Client and
Server
13
Changes to Client Changes to Server
• Receives PCR mask and NONCE from
Server. • Generates TPM Quote signed with AIK • Sends TSS_VALIDATION struct to Server
for attestation • Messages sent as specific pre-auth type
(set in configuration file)
• Pre-auth plugin sends error message to
Client as a reply with PCR mask and NONCE
• Maintains persistent record of session info
(principal, realm, and NONCE) • Verification code to verify TPM Quote
signature with Client AIK public key. • Attest TPM Quote to “golden standard”
stored in internal database
• Maintain provisioning data (AIK public key, golden PCR quote, principal, realm)
UNCLASSIFIED
Demo
Provisioning of the client
–Creation of the AIK and the PCR Composite are done out-
of-bounds. Assume registration with KDC has been
completed.
Demonstration of the kinit exchange between the client
and the server
–Scenario 1: Client’s identity is successfully verified,
connection granted
–Scenario 2: A modification in client’s identity is detected,
connection rejected
»Failure is forced to the client’s integrity state by modifying PCR
16
14
UNCLASSIFIED
Demo
15
UNCLASSIFIED
Results
Integrity measurement exchange integrated
within existing Kerberos protocol messages
Minimal performance impact
Currently TPM only required on Client
platform
–Server performs verify without TPM crypto
–Server leverages TPM for random NONCE
16
UNCLASSIFIED
Future Work
Include mechanisms to prevent rebooting into “bad” states
– Inclusion of tickStamps into measurement chain
Protecting Tickets
– Cryptographically bind tickets with TPM to good integrity states
– Bound by client to client state, or bound by AS to client state
Integrity Measurement Architecture (IMA)
– Include IBM’s IMA measurements into attestation decision
– Static load-time measurements made by Linux kernel
Modify the Tickets to include information for real-time boot cycle
checks
Software Testing
– Test robustness with more Kerberos clients
– Test with servers not equipped with pre-auth plugins to make sure they default to
normal passwords
– Use of different PCRs - depending on the client’s/server’s system requirements
17
UNCLASSIFIED
Future Work
(issues to address)
Migrate to current version of Kerberos
–Currently our version 5-1.8 version 5-1.11.3
Address registration process of clients (i.e., initial
provisioning of clients)
Address re-registration (in case of legitimate platform
changes, such as system updates)
Integrate certificate infrastructure
Design database/storage solutions for KDC’s client
attestation information/measurements
18
UNCLASSIFIED
Contact
Dr. Olga Chen, NRL
Dr. David Challener, JHU/APL
19
Thank You