Raven Authentication Service

Rymer, Graham; Llewellyn-Jones, David

doi:10.1007/978-3-030-03251-7_1

Graham Rymer¹⁸ &
David Llewellyn-Jones¹⁸

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 11286))

Included in the following conference series:

Cambridge International Workshop on Security Protocols

659 Accesses
1 Altmetric

Abstract

Raven is the name of the University of Cambridge’s central web authentication service. Many online resources within the University require Raven authentication to protect private data. Individual users are uniquely identified by their Common Registration Scheme identifier (CRSid), and protected online resources refer users to the Raven service for verification of a password. We perform a formal analysis of the proprietary Ucam Webauth protocol and identify a number of practical attacks against the Raven service that uses it. Having considered each vulnerability, we discuss the general principles and lessons that can be learnt to help avoid such vulnerabilities in the future.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution

Chapter: USD 29.95; Price excludes VAT (USA)

eBook: USD 39.99; Price excludes VAT (USA)

Softcover Book: USD 54.99; Price excludes VAT (USA)

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Notes

1.
https://apereo.github.io/cas/5.0.x/protocol/CAS-Protocol-Specification.html.
2.
http://webauth.stanford.edu/protocol.html.
3.
https://www.ietf.org/rfc/rfc3447.txt.
4.
https://www.schneier.com/blog/archives/2005/02/cryptanalysis_o.html.
5.
https://cabforum.org/2014/10/16/ballot-118-sha-1-sunset/.
6.
It should be noted that inference rule H has been considered unjustified by Teepe, who questions the soundness of BAN logic in [7].
7.
https://github.com/cambridgeuniversity/mod_ucam_webauth.
8.
https://github.com/cambridgeuniversity/ucam-webauth-php.
9.
https://github.com/cambridgeuniversity/mod_ucam_webauth/commit/dd4fedbe8192e3b147d9cfe05c8373b2fd8c195e#diff-db9058c9017dbde922e625e3be2d6557.
10.
https://github.com/cambridgeuniversity/ucam-webauth-php/commit/cd471c38612941c213716d4b7dd2dceff607bd04#diff-48bcdf5cb926243bf258df83114dd4e9.
11.
http://php.net/manual/en/function.fopen.php.
12.
http://php.net/manual/en/wrappers.data.php.
13.
https://github.com/cambridgeuniversity/UcamWebauth-protocol/commit/3d71cc2840ef745aed8caaf5a565e48988d39fbd#diff-90c8938be2a4fc76543eae935d1a4f2b.
14.
https://raven.cam.ac.uk/project/java-toolkit/.
15.
https://apereo.github.io/cas/5.2.x/planning/Security-Guide.html#service-management.
16.
https://hashcat.net/hashcat/.
17.
http://www.apache.org/licenses/LICENSE-2.0.html.
18.
https://uit.stanford.edu/service/saml/webauth-announce.
19.
https://github.com/grymer/ngxraven.

References

Abadi, M., Needham, R.: Prudent engineering practice for cryptographic protocols. IEEE Transactions on Software Engineering 22(1), 6–15 (1996)
Article Google Scholar
Barker, E., Barker, W., Burr, W., Polk, W., Smid, M.: Recommendation for key management part 1: General (revision 3). NIST special publication 800(57), 1–147 (2012)
Google Scholar
Burrows, M., Abadi, M.: A logic of authentication. In: Proc. R. Soc. Lond. A. vol. 426, no. 1871, pp. 233–271. The Royal Society (1989)
Google Scholar
Gaarder, K., Snekkenes, E.: On the formal analysis of pkcs authentication protocols. In: Proceedings of the International Conference on Cryptology: Advances in Cryptology. pp. 106–121. Springer-Verlag (1990)
Google Scholar
Gong, L., Needham, R., Yahalom, R.: Reasoning about belief in cryptographic protocols. In: Research in Security and Privacy, 1990. Proceedings., 1990 IEEE Computer Society Symposium on. pp. 234–248. IEEE (1990)
Google Scholar
Stevens, M., Bursztein, E., Karpman, P., Albertini, A., Markov, Y.: The first collision for full SHA-1. In: Annual International Cryptology Conference. pp. 570–596. Springer (2017)
Google Scholar
Teepe, W.: On BAN logic and hash functions or: how an unjustified inference rule causes problems. Autonomous Agents and Multi-Agent Systems 19(1), 76–88 (2009)
Article Google Scholar

Download references

Acknowledgments

The authors would like to thank Malcolm Scott (University of Cambridge, Computer Laboratory) for his contribution to the further development of the prototype nginx WAA. We would also like to thank Jon Warbrick, original designer of the Ucam Webauth protocol for many useful discussions.

Author information

Authors and Affiliations

Computer Laboratory, University of Cambridge, William Gates Building, 15 JJ Thomson Avenue, Cambridge, CB3 0FD, UK
Graham Rymer & David Llewellyn-Jones

Authors

Graham Rymer
View author publications
You can also search for this author in PubMed Google Scholar
David Llewellyn-Jones
View author publications
You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Graham Rymer .

Editor information

Editors and Affiliations

Masaryk University, Brno, Czech Republic
Vashek Matyáš
Masaryk University, Brno, Czech Republic
Petr Švenda
University of Cambridge, Cambridge, UK
Frank Stajano
University of Hertfordshire, Hatfield, UK
Bruce Christianson
Memorial University of Newfoundland, St. John's, NL, Canada
Jonathan Anderson

Rights and permissions

Reprints and permissions

Copyright information

About this paper

Cite this paper

Rymer, G., Llewellyn-Jones, D. (2018). Raven Authentication Service. In: Matyáš, V., Švenda, P., Stajano, F., Christianson, B., Anderson, J. (eds) Security Protocols XXVI. Security Protocols 2018. Lecture Notes in Computer Science(), vol 11286. Springer, Cham. https://doi.org/10.1007/978-3-030-03251-7_1

Download citation

DOI: https://doi.org/10.1007/978-3-030-03251-7_1
Published: 24 November 2018
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-03250-0
Online ISBN: 978-3-030-03251-7
eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics