Skip to main content

Raven Authentication Service

Attacks and Countermeasures

Part of the Lecture Notes in Computer Science book series (LNSC,volume 11286)

Abstract

Raven is the name of the University of Cambridge’s central web authentication service. Many online resources within the University require Raven authentication to protect private data. Individual users are uniquely identified by their Common Registration Scheme identifier (CRSid), and protected online resources refer users to the Raven service for verification of a password. We perform a formal analysis of the proprietary Ucam Webauth protocol and identify a number of practical attacks against the Raven service that uses it. Having considered each vulnerability, we discuss the general principles and lessons that can be learnt to help avoid such vulnerabilities in the future.

Keywords

  • Web authentication
  • Single-Sign-On
  • Vulnerability
  • Network security

This is a preview of subscription content, access via your institution.

Buying options

eBook
EUR   16.99
Price includes VAT (Netherlands)
  • ISBN: 978-3-030-03251-7
  • Instant EPUB and PDF download
  • Readable on all devices
  • Own it forever
  • Exclusive offer for individuals only
  • Tax calculation will be finalised during checkout
Softcover Book
EUR   17.31
Price includes VAT (Netherlands)
  • ISBN: 978-3-030-03250-0
  • Dispatched in 3 to 5 business days
  • Exclusive offer for individuals only
  • Free shipping worldwide
    See shipping information.
  • Tax calculation will be finalised during checkout
Fig. 1.
Fig. 2.

Notes

  1. 1.

    https://apereo.github.io/cas/5.0.x/protocol/CAS-Protocol-Specification.html.

  2. 2.

    http://webauth.stanford.edu/protocol.html.

  3. 3.

    https://www.ietf.org/rfc/rfc3447.txt.

  4. 4.

    https://www.schneier.com/blog/archives/2005/02/cryptanalysis_o.html.

  5. 5.

    https://cabforum.org/2014/10/16/ballot-118-sha-1-sunset/.

  6. 6.

    It should be noted that inference rule H has been considered unjustified by Teepe, who questions the soundness of BAN logic in [7].

  7. 7.

    https://github.com/cambridgeuniversity/mod_ucam_webauth.

  8. 8.

    https://github.com/cambridgeuniversity/ucam-webauth-php.

  9. 9.

    https://github.com/cambridgeuniversity/mod_ucam_webauth/commit/dd4fedbe8192e3b147d9cfe05c8373b2fd8c195e#diff-db9058c9017dbde922e625e3be2d6557.

  10. 10.

    https://github.com/cambridgeuniversity/ucam-webauth-php/commit/cd471c38612941c213716d4b7dd2dceff607bd04#diff-48bcdf5cb926243bf258df83114dd4e9.

  11. 11.

    http://php.net/manual/en/function.fopen.php.

  12. 12.

    http://php.net/manual/en/wrappers.data.php.

  13. 13.

    https://github.com/cambridgeuniversity/UcamWebauth-protocol/commit/3d71cc2840ef745aed8caaf5a565e48988d39fbd#diff-90c8938be2a4fc76543eae935d1a4f2b.

  14. 14.

    https://raven.cam.ac.uk/project/java-toolkit/.

  15. 15.

    https://apereo.github.io/cas/5.2.x/planning/Security-Guide.html#service-management.

  16. 16.

    https://hashcat.net/hashcat/.

  17. 17.

    http://www.apache.org/licenses/LICENSE-2.0.html.

  18. 18.

    https://uit.stanford.edu/service/saml/webauth-announce.

  19. 19.

    https://github.com/grymer/ngxraven.

References

  1. Abadi, M., Needham, R.: Prudent engineering practice for cryptographic protocols. IEEE Transactions on Software Engineering 22(1), 6–15 (1996)

    CrossRef  Google Scholar 

  2. Barker, E., Barker, W., Burr, W., Polk, W., Smid, M.: Recommendation for key management part 1: General (revision 3). NIST special publication 800(57), 1–147 (2012)

    Google Scholar 

  3. Burrows, M., Abadi, M.: A logic of authentication. In: Proc. R. Soc. Lond. A. vol. 426, no. 1871, pp. 233–271. The Royal Society (1989)

    Google Scholar 

  4. Gaarder, K., Snekkenes, E.: On the formal analysis of pkcs authentication protocols. In: Proceedings of the International Conference on Cryptology: Advances in Cryptology. pp. 106–121. Springer-Verlag (1990)

    Google Scholar 

  5. Gong, L., Needham, R., Yahalom, R.: Reasoning about belief in cryptographic protocols. In: Research in Security and Privacy, 1990. Proceedings., 1990 IEEE Computer Society Symposium on. pp. 234–248. IEEE (1990)

    Google Scholar 

  6. Stevens, M., Bursztein, E., Karpman, P., Albertini, A., Markov, Y.: The first collision for full SHA-1. In: Annual International Cryptology Conference. pp. 570–596. Springer (2017)

    Google Scholar 

  7. Teepe, W.: On BAN logic and hash functions or: how an unjustified inference rule causes problems. Autonomous Agents and Multi-Agent Systems 19(1), 76–88 (2009)

    CrossRef  Google Scholar 

Download references

Acknowledgments

The authors would like to thank Malcolm Scott (University of Cambridge, Computer Laboratory) for his contribution to the further development of the prototype nginx WAA. We would also like to thank Jon Warbrick, original designer of the Ucam Webauth protocol for many useful discussions.

Author information

Authors and Affiliations

Authors

Corresponding author

Correspondence to Graham Rymer .

Editor information

Editors and Affiliations

Rights and permissions

Reprints and Permissions

Copyright information

© 2018 Springer Nature Switzerland AG

About this paper

Verify currency and authenticity via CrossMark

Cite this paper

Rymer, G., Llewellyn-Jones, D. (2018). Raven Authentication Service. In: Matyáš, V., Švenda, P., Stajano, F., Christianson, B., Anderson, J. (eds) Security Protocols XXVI. Security Protocols 2018. Lecture Notes in Computer Science(), vol 11286. Springer, Cham. https://doi.org/10.1007/978-3-030-03251-7_1

Download citation

  • DOI: https://doi.org/10.1007/978-3-030-03251-7_1

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-03250-0

  • Online ISBN: 978-3-030-03251-7

  • eBook Packages: Computer ScienceComputer Science (R0)