IETF Logo Mail Archive

[Sip-security] RE: SIP authentication problem when using RES in Digest-AKA

Greg Rose <ggr@qualcomm.com> Fri, 15 March 2002 01:56 UTC

Received: from optimus.ietf.org (ietf.org [132.151.1.19] (may be forged)) by ietf.org (8.9.1a/8.9.1a) with ESMTP id UAA07597 for <sip-security-archive@odin.ietf.org>; Thu, 14 Mar 2002 20:56:05 -0500 (EST)
Received: (from daemon@localhost) by optimus.ietf.org (8.9.1a/8.9.1) id UAA25171 for sip-security-archive@odin.ietf.org; Thu, 14 Mar 2002 20:56:07 -0500 (EST)
Received: from optimus.ietf.org (localhost [127.0.0.1]) by optimus.ietf.org (8.9.1a/8.9.1) with ESMTP id UAA25031; Thu, 14 Mar 2002 20:54:27 -0500 (EST)
Received: from ietf.org (odin [132.151.1.176]) by optimus.ietf.org (8.9.1a/8.9.1) with ESMTP id UAA24945 for <sip-security@optimus.ietf.org>; Thu, 14 Mar 2002 20:54:24 -0500 (EST)
Received: from warlock.qualcomm.com (warlock.qualcomm.com [129.46.64.204]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id UAA07528; Thu, 14 Mar 2002 20:54:20 -0500 (EST)
Received: from avalon.qualcomm.com (avalon.qualcomm.com [203.30.171.11]) by warlock.qualcomm.com (8.12.1/8.9.3/8.9) with ESMTP id g2F1rVJL000307; Thu, 14 Mar 2002 17:53:32 -0800 (PST)
Received: from NAVAJO.qualcomm.com by avalon.qualcomm.com (8.8.8+Sun/SMI-SVR4) id MAA29557; Fri, 15 Mar 2002 12:52:50 +1100 (EST)
Message-Id: <4.3.1.2.20020315124047.05271fd8@127.0.0.1>
X-Sender: ggr2@127.0.0.1
X-Mailer: QUALCOMM Windows Eudora Version 4.3.1
Date: Fri, 15 Mar 2002 12:52:06 +1100
To: Sanjoy Sen <sanjoy@nortelnetworks.com>
From: Greg Rose <ggr@qualcomm.com>
Cc: 'John W Noerenberg II' <jwn2@qualcomm.com>, sipping@ietf.org, sip-security@ietf.org, Greg Rose <ggr@qualcomm.com>, aki.niemi@nokia.com, jari.arkko@ericsson.com, vesa.torvinen@ericsson.fi, James Undery <jundery@ubiquity.net>
In-Reply-To: <933FADF5E673D411B8A30002A5608A0E011879EA@zrc2c012.us.norte l.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format="flowed"
Subject: [Sip-security] RE: SIP authentication problem when using RES in Digest-AKA
Sender: sip-security-admin@ietf.org
Errors-To: sip-security-admin@ietf.org
X-Mailman-Version: 1.0
Precedence: bulk
List-Id: Security Issues for the SIP protocol <sip-security.ietf.org>
X-BeenThere: sip-security@ietf.org

At 06:48 PM 3/14/2002 -0600, Sanjoy Sen wrote:

>draft-undery-sip-auth-00.txt doesn't make any recommendation as to how the 
>password should be computed. However, I remember that when we took the 
>proposal of using Digest for the first time to 3GPP, we had recommended 
>using IK as the password.

That's right. draft-undery-sip-auth-00.txt assumes that the password is 
strong, and by itself has no problems. draft-niemi-sipping-digest-aka-00 
assumes that RES is used as the password only once for the authentication, 
and by itself has no problems. Put the two together, and there's a problem...

BTW, my suggestion to use IK would solve this juxtaposition problem (since 
a 128 bit "choke point" is not seen to be a problem), but is not seen to be 
acceptable to 3GPP SA3, because that would mean that IK was to be used for 
two distinct things potentially at the same time, although I don't agree 
with this  argument (it seems to me that the 3GPP mechanism and 
draft-undery-... can't both be used at the same time). However the 
Ciphering Key CK is also available, 128 bits, and is not expected to be 
used for anything. Anyway, possible solutions can be examined further.

Thanks to John Noerenberg for helping me distribute this information.

regards,
Greg.


>Sanjoy
>
> > -----Original Message-----
> > From: John W Noerenberg II 
> [<mailto:jwn2@qualcomm.com>mailto:jwn2@qualcomm.com]
> > Sent: Thursday, March 14, 2002 6:38 PM
> > To: sipping@ietf.org; sip-security@ietf.org
> > Cc: Greg Rose; aki.niemi@nokia.com; jari.arkko@ericsson.com;
> > vesa.torvinen@ericsson.fi; James Undery; Sen, Sanjoy [NGC:B692:EXCH]
> > Subject: SIP authentication problem when using RES in Digest-AKA
> >
> >
> > Greg Rose has identified a security problem when HTTP-Digest is
> > combined with the mechanism proposed in
> > draft-niemi-sipping-digest-aka-00 and draft-undery-sip-auth-00.  He's
> > outlined this for the 3GPP TSG SA WG3, one of the TSG security area
> > working groups.
> >
> > Essentially the problem is a consequence of using a RES that is
> > shorter than the key from which it is derived, typically as small as
> > 32 bits.  RES's length results from the goal of maintaining backward
> > compatibility with existing USIMs.  RES is a choke point that can be
> > used to break the authentication.  Instead of using RES, IK has much
> > greater entropy, and makes the attack prohibitively difficult.  A
> > description of the attack against RES is given below.
> >
> > The authentication process can be summarized as follows:
> >
> > 1. UE attempts to register.
> > 2. The attempt is rejected because the UE is unauthenticated.  The
> > rejection message includes AKA-related information and an HTTP-Digest
> > nonce.
> > 3. UE/USIM checks the AKA information and computes RES.
> > 4. RES is now used as the password shared by the UE and the CSCF.
> > 5. UE computes HTTP-Digest response based on RES, and
> > attempts to register.
> > 6. Registration succeeds.
> >
> > Subsequently
> >
> > 7. UE sends another SIP message (e.g. Invite) and the HTTP-Digest
> > method calculates authentication information based on RES.
> > (Actually, A1 is used, but it is derived from RES).
> >
> > Choke Point Attack
> >
> > An attacker monitoring the traffic would break the scheme as follows:
> >
> > The attacker has all the messages from steps 2 and 5 above.  All of
> > the information used in the calculation of the response in step 5,
> > except for the value of RES is present in these messages.  Assuming
> > RES is 32 bits, the attacker tries the 2**32 possible values,
> > comparing them to the captured response generated for step 5.  With
> > very high probability, he will succeed with exactly one candidate
> > value for RES, in the time needed to calculate 2**31 MD5 hashes.
> > This takes ~5 minutes on a typical laptop.
> >
> > Once the value of RES is known, the attacker can now forge SIP
> > messages or alter them in transit, recalculating the Digest after
> > altering the message.
> >
> > By replacing the use of RES with a higher entropy quantity, this
> > attack can be prevented.  As noted above, Greg recommends using IK as
> > a replacement for RES.
> >
> > best,
> > --
> >
> > john noerenberg
> > jwn2@qualcomm.com
> >
> > --------------------------------------------------------------
> > ------------
> >    The truth knocks on the door and you say, "Go away, I'm looking
> >    for the truth,"  and so it goes away.  Puzzling.
> >    -- Zen and the Art of Motorcycle Maintenance, Robert M.
> > Pirsig, 1974
> >
> > --------------------------------------------------------------
> > ------------
> >


Greg Rose                                       INTERNET: ggr@qualcomm.com
Qualcomm Australia          VOICE:  +61-2-9817 4188   FAX: +61-2-9817 5199
Level 3, 230 Victoria Road,                http://people.qualcomm.com/ggr/
Gladesville NSW 2111    232B EC8F 44C6 C853 D68F  E107 E6BF CD2F 1081 A37C


_______________________________________________
Sip-security mailing list
Sip-security@ietf.org
https://www1.ietf.org/mailman/listinfo/sip-security

v2.23.0 | Report a Bug | By Email