Raven Authentication Service
Raven is the name of the University of Cambridge’s central web authentication service. Many online resources within the University require Raven authentication to protect private data. Individual users are uniquely identified by their Common Registration Scheme identifier (CRSid), and protected online resources refer users to the Raven service for verification of a password. We perform a formal analysis of the proprietary Ucam Webauth protocol and identify a number of practical attacks against the Raven service that uses it. Having considered each vulnerability, we discuss the general principles and lessons that can be learnt to help avoid such vulnerabilities in the future.
KeywordsWeb authentication Single-Sign-On Vulnerability Network security
The authors would like to thank Malcolm Scott (University of Cambridge, Computer Laboratory) for his contribution to the further development of the prototype nginx WAA. We would also like to thank Jon Warbrick, original designer of the Ucam Webauth protocol for many useful discussions.
- 2.Barker, E., Barker, W., Burr, W., Polk, W., Smid, M.: Recommendation for key management part 1: General (revision 3). NIST special publication 800(57), 1–147 (2012)Google Scholar
- 3.Burrows, M., Abadi, M.: A logic of authentication. In: Proc. R. Soc. Lond. A. vol. 426, no. 1871, pp. 233–271. The Royal Society (1989)Google Scholar
- 4.Gaarder, K., Snekkenes, E.: On the formal analysis of pkcs authentication protocols. In: Proceedings of the International Conference on Cryptology: Advances in Cryptology. pp. 106–121. Springer-Verlag (1990)Google Scholar
- 5.Gong, L., Needham, R., Yahalom, R.: Reasoning about belief in cryptographic protocols. In: Research in Security and Privacy, 1990. Proceedings., 1990 IEEE Computer Society Symposium on. pp. 234–248. IEEE (1990)Google Scholar
- 6.Stevens, M., Bursztein, E., Karpman, P., Albertini, A., Markov, Y.: The first collision for full SHA-1. In: Annual International Cryptology Conference. pp. 570–596. Springer (2017)Google Scholar