Re: [http-auth] I-D Action: draft-morand-http-digest-2g-aka-03.txt
Yaron Sheffer <yaronf.ietf@gmail.com> Tue, 03 September 2013 21:33 UTC
Return-Path: <yaronf.ietf@gmail.com>
X-Original-To: http-auth@ietfa.amsl.com
Delivered-To: http-auth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 84FC211E8141 for <http-auth@ietfa.amsl.com>; Tue, 3 Sep 2013 14:33:14 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.599
X-Spam-Level:
X-Spam-Status: No, score=-102.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4osXhGP42DOq for <http-auth@ietfa.amsl.com>; Tue, 3 Sep 2013 14:33:13 -0700 (PDT)
Received: from mail-wg0-x229.google.com (mail-wg0-x229.google.com [IPv6:2a00:1450:400c:c00::229]) by ietfa.amsl.com (Postfix) with ESMTP id 6D90711E8133 for <http-auth@ietf.org>; Tue, 3 Sep 2013 14:33:13 -0700 (PDT)
Received: by mail-wg0-f41.google.com with SMTP id a12so1810886wgh.2 for <http-auth@ietf.org>; Tue, 03 Sep 2013 14:33:12 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=message-id:date:from:user-agent:mime-version:to:cc:subject :references:in-reply-to:content-type:content-transfer-encoding; bh=JFIyDdDYdCa5YDkLJ9P4S/UDXsYjn8nk0ooervG/kG0=; b=gU/IjcE2suw309EGWmnZlwntdut84wQFW6v8er6qTYLBpU+uZcMkdkQzKyD8zRUQPo t8x8HFz4G7Q4Z1ByCLWfwg/Yg9b7ATZI1yj+o03RNBDiD4CQBPh88u8IZOvs5vDEG1vs 8AwVyL0aRTNlCQMVLsXGqRFhz1MpNOGHDP+u41JTnFyq5yq4vhM8il6O464/8IF9bf+u eQTW9ui2PSIuUM0ZFGWHfj1YlLFVS8SdDi597Ya0DNia1gztThAvMXrqtwX8vaYByfBN NMIVjTjA8PpvJxb6vdoqsNlMILSkNRFsDWt/59mZSL9fuPi2QXW3510b1XQwf4yV4XHP 95BA==
X-Received: by 10.181.12.16 with SMTP id em16mr12689712wid.36.1378243992476; Tue, 03 Sep 2013 14:33:12 -0700 (PDT)
Received: from [10.0.0.8] (bzq-79-182-222-201.red.bezeqint.net. [79.182.222.201]) by mx.google.com with ESMTPSA id jf2sm28407087wic.2.1969.12.31.16.00.00 (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Tue, 03 Sep 2013 14:33:11 -0700 (PDT)
Message-ID: <52265596.9090604@gmail.com>
Date: Wed, 04 Sep 2013 00:33:10 +0300
From: Yaron Sheffer <yaronf.ietf@gmail.com>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:17.0) Gecko/20130803 Thunderbird/17.0.8
MIME-Version: 1.0
To: Yoav Nir <ynir@checkpoint.com>
References: <20130121181639.10474.27297.idtracker@ietfa.amsl.com> <5225E5BD.9040306@ieca.com> <D4896BEB-F6BA-4712-8345-96CA945020FC@checkpoint.com>
In-Reply-To: <D4896BEB-F6BA-4712-8345-96CA945020FC@checkpoint.com>
Content-Type: text/plain; charset="us-ascii"; format="flowed"
Content-Transfer-Encoding: 7bit
Cc: "<http-auth@ietf.org>" <http-auth@ietf.org>, lionel.morand@orange.com
Subject: Re: [http-auth] I-D Action: draft-morand-http-digest-2g-aka-03.txt
X-BeenThere: http-auth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: HTTP authentication methods <http-auth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/http-auth>, <mailto:http-auth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/http-auth>
List-Post: <mailto:http-auth@ietf.org>
List-Help: <mailto:http-auth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/http-auth>, <mailto:http-auth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 03 Sep 2013 21:33:14 -0000
While I agree with Yoav that this draft requires expertise that we
(httpauth) probably do not have, I also have a major issue with the draft.
Although TLS is proposed as a solution for mutual auth, there are no
requirements on the server's identity and so there is no way specified
to actually authenticate the server.
As a result, I suspect that this method can be used by a MITM attacker
to impersonate another IMSI ("user" in common terms) for regular
AKA-based authentication.
Thanks,
Yaron
On 09/03/2013 08:39 PM, Yoav Nir wrote:
> Hi Sean,
>
> Looking over the discussion in httpbis ([1]), it's not clear to me whether this is documenting existing practice or whether it's proposing a new method. Either way, this method seems specific to a domain, where I believe the author has much more expertise than people in the working group. I am personally fine with it proceeding as an independent submission. I would also be fine with the working group discussing this, but I don't know how much value we could add.
>
> Yoav (with no hats)
> [1] http://lists.w3.org/Archives/Public/ietf-http-wg/2012AprJun/0375.html
>
> On Sep 3, 2013, at 4:35 PM, Sean Turner <turners@ieca.com> wrote:
>
>> Hi!
>>
>> The following draft is currently on the IESG telechat for next week and as part of the process an AD does what's called and "RFC 5742 review", which is basically a check to see if there's been an endrun on the process. This draft has been around for a while and I know it was at least discussed on the httpbis wg mailing list in early '12 (and maybe even earlier), but that was before the httpauth working group was chartered. So I gotta ask: Is this something that the working group should consider adopting?
>>
>> spt
>> -------- Original Message --------
>> Subject: I-D Action: draft-morand-http-digest-2g-aka-03.txt
>> Date: Mon, 21 Jan 2013 10:16:39 -0800
>> From: internet-drafts@ietf.org
>> Reply-To: internet-drafts@ietf.org
>> To: i-d-announce@ietf.org
>>
>>
>> A New Internet-Draft is available from the on-line Internet-Drafts directories.
>>
>>
>> Title : Hypertext Transfer Protocol (HTTP) Digest Authentication Using GSM 2G Authentication and Key Agreement (AKA)
>> Author(s) : Lionel Morand
>> Filename : draft-morand-http-digest-2g-aka-03.txt
>> Pages : 15
>> Date : 2013-01-21
>>
>> Abstract:
>> This memo specifies a one-time password generation mechanism for
>> Hypertext Transfer Protocol (HTTP) Digest access authentication based
>> on Global System for Mobile Communications (GSM) authentication and
>> key generation functions A3 and A8, also known as GSM AKA or 2G AKA.
>> The HTTP Authentication Framework includes two authentication
>> schemes: Basic and Digest. Both schemes employ a shared secret based
>> mechanism for access authentication. The GSM AKA mechanism performs
>> user authentication and session key distribution in GSM and Universal
>> Mobile Telecommunications System (UMTS) networks. GSM AKA is a
>> challenge-response based mechanism that uses symmetric cryptography.
>>
>>
>>
>> The IETF datatracker status page for this draft is:
>> https://datatracker.ietf.org/doc/draft-morand-http-digest-2g-aka
>>
>> There's also a htmlized version available at:
>> http://tools.ietf.org/html/draft-morand-http-digest-2g-aka-03
>>
>> A diff from the previous version is available at:
>> http://www.ietf.org/rfcdiff?url2=draft-morand-http-digest-2g-aka-03
>>
>>
>> Internet-Drafts are also available by anonymous FTP at:
>> ftp://ftp.ietf.org/internet-drafts/
>>
>> _______________________________________________
>> I-D-Announce mailing list
>> I-D-Announce@ietf.org
>> https://www.ietf.org/mailman/listinfo/i-d-announce
>> Internet-Draft directories: http://www.ietf.org/shadow.html
>> or ftp://ftp.ietf.org/ietf/1shadow-sites.txt
>>
>>
>>
>> _______________________________________________
>> http-auth mailing list
>> http-auth@ietf.org
>> https://www.ietf.org/mailman/listinfo/http-auth
>
> _______________________________________________
> http-auth mailing list
> http-auth@ietf.org
> https://www.ietf.org/mailman/listinfo/http-auth
>
- [http-auth] Fwd: I-D Action: draft-morand-http-di… Sean Turner
- Re: [http-auth] I-D Action: draft-morand-http-dig… Yoav Nir
- Re: [http-auth] I-D Action: draft-morand-http-dig… Yaron Sheffer
- Re: [http-auth] I-D Action: draft-morand-http-dig… lionel.morand
- Re: [http-auth] I-D Action: draft-morand-http-dig… Stephen Farrell
- Re: [http-auth] I-D Action: draft-morand-http-dig… Yaron Sheffer
- Re: [http-auth] I-D Action: draft-morand-http-dig… lionel.morand
- Re: [http-auth] I-D Action: draft-morand-http-dig… lionel.morand