open issue: rspauth generation not possible if RADIUS server choo ses nonces and qop=auth-int
"Beck01, Wolfgang" <BeckW@t-systems.com> Wed, 25 August 2004 16:12 UTC
Envelope-to: radiusext-data@psg.com
Delivery-date: Wed, 25 Aug 2004 16:12:53 +0000
Message-Id: <76C27E1CE3FFC847B4D51C645D6F42AA15FD79@E9JDF.mgb01.telekom.de>
From: "Beck01, Wolfgang" <BeckW@t-systems.com>
To: radiusext@ops.ietf.org
Subject: open issue: rspauth generation not possible if RADIUS server choo ses nonces and qop=auth-int
Date: Wed, 25 Aug 2004 18:12:13 +0200
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
rspauth generation not possible if RADIUS server chooses nonces and qop=auth-int Submitter name: Wolfgang Beck Submitter email address: beckw@t-systems.com Date first submitted: 25.8.2004 Reference: Document: RADIUS Extension for Digest Authentication Comment type: T Priority: 1 Section: 3.1, 3.2 Rationale/Explanation of issue: Jun Wang wrote: > As the RADIUS server does not know about the response body the > RADIUS client is going to send, it can't generate A2. > > In 3GPP2, we do need to perform auth-int because we need to protect the > response that is sent from the network to the MS. I hope in this draft you > could allow solution 3 or at least you will not preclude solution 3 so that > we can have 3GPP2 VSA to do it. > > Thanks, > Jun > > Beck01, Wolfgang wrote: >> Hello Jun, >> >> thank you for your review. Rahul Joshi told me about this problem >> some weeks ago and I think there are three possible solutions: 1) >> don't use authentication-info with auth-int 2) send all possible >> response body-digests to the RADIUS server 3) your suggestion. >> >> I am not sure about the security implications of 3). Replay >> attacks might be possible. Solution 2) is a bit bloated as it >> would double the work on client and server. >> >> In the San Diego meeting, I proposed using solution 1) and >> did not hear any objections. >> >> >> Jun Wang wrote >>> >>> By reviewing sterman draft (RADIUS Extension for Digest Authentication, >>> draft-sterman-aaa-sip-03.txt), I have questions on how the RADIUS sever can >>> calculate the Digest-Response that can be used by RADIUS client to >>> construct Auth-info header (mentioned in section 3.2 in sterman draft). >>> According to 3.2.3 of RFC 2617, if I understand correctly, the response >>> digest is calculated as for the request-digest except that A2 is slightly >>> different. But regardless, to calculate Digest-Response, the RADIUS server >>> needs to know H(entity-body), here entity-body, I think, is the body >>> contained in 200OK response. But RADIUS server doesn't know it. It seems to >>> me that the right thing is to pass some derived key to RADIUS client so >>> that the RADIUS client can calculate Auth-info. >>> >>> Requested change: [Jun Wang] >>> [..] It seems to me that the right thing is to pass some >>> derived key to RADIUS client so that the RADIUS client can >>> calculate Auth-info. [Wolfgang Beck] When using qop=auth-int, the response-auth value is response-auth = <"> < KD ( H(A1), unq(nonce-value) ":" nc-value ":" unq(cnonce-value) ":" unq(qop-value) ":" H(A2) ) <"> with algorithm = MD5, A1 and A2 are: A1 = unq(username-value) ":" unq(realm-value) ":" passwd A2 = ":" digest-uri-value ":" H(entity-body) Sending H(A1) in an Access-Accept message would be risky as A1 has no random components. Replay attacks are possible. with algorithm = MD5-sess, A1 and A2 are: A1 = H( unq(username-value) ":" unq(realm-value) ":" passwd ) ":" unq(nonce-value) ":" unq(cnonce-value) A2 = ":" digest-uri-value ":" H(entity-body) here, A1 has some randomness. A possible solution might be: 1. Add a new attribute to carry H(A1), Digest-HA1 2. Use Digest-HA1 if server chooses nonces, qop=auth-int and algorithm=MD5-sess 3. Use a Digest-Response-Auth attribute (new, see issue 4, 5) if server chooses nonces and qop != auth-int. 4. On reception of Digest-HA1, the RADIUS client constructs rspauth, using the nonce received in a previous Access-Challenge I don't know if this is really secure. -- to unsubscribe send a message to radiusext-request@ops.ietf.org with the word 'unsubscribe' in a single line as the message text body. archive: <http://psg.com/lists/radiusext/>
- open issue: rspauth generation not possible if RA… Beck01, Wolfgang