[Sip-security] RE: SIP authentication problem when using RES in Digest-AKA

Forgive me for being a bit slow, but I can't see how this attack works.
Firstly I'll check RES uses a shared secret and some entropy to create a
session password to provide forward security?

Comments inline.

> -----Original Message-----
> From: John W Noerenberg II [mailto:jwn2@qualcomm.com]
> Sent: 15 March 2002 00:38
> To: sipping@ietf.org; sip-security@ietf.org
> Cc: Greg Rose; aki.niemi@nokia.com; jari.arkko@ericsson.com;
> vesa.torvinen@ericsson.fi; James Undery; Sanjoy Sen
> Subject: SIP authentication problem when using RES in Digest-AKA
> 
> 
> Greg Rose has identified a security problem when HTTP-Digest is 
> combined with the mechanism proposed in 
> draft-niemi-sipping-digest-aka-00 and draft-undery-sip-auth-00.  He's 
> outlined this for the 3GPP TSG SA WG3, one of the TSG security area 
> working groups.
> 
> Essentially the problem is a consequence of using a RES that is 
> shorter than the key from which it is derived, typically as small as 
> 32 bits.  RES's length results from the goal of maintaining backward 
> compatibility with existing USIMs.  RES is a choke point that can be 
> used to break the authentication.  Instead of using RES, IK has much 
> greater entropy, and makes the attack prohibitively difficult.  A 
> description of the attack against RES is given below.
> 
> The authentication process can be summarized as follows:
> 
> 1. UE attempts to register.
> 2. The attempt is rejected because the UE is unauthenticated.  The 
> rejection message includes AKA-related information and an HTTP-Digest 
> nonce.
> 3. UE/USIM checks the AKA information and computes RES.
> 4. RES is now used as the password shared by the UE and the CSCF.
> 5. UE computes HTTP-Digest response based on RES, and 
> attempts to register.
> 6. Registration succeeds.
> 
> Subsequently
> 
> 7. UE sends another SIP message (e.g. Invite) and the HTTP-Digest 
> method calculates authentication information based on RES. 
> (Actually, A1 is used, but it is derived from RES).
> 
> Choke Point Attack
> 
> An attacker monitoring the traffic would break the scheme as follows:
> 
> The attacker has all the messages from steps 2 and 5 above.  All of 
> the information used in the calculation of the response in step 5, 
> except for the value of RES is present in these messages.  Assuming 
> RES is 32 bits, the attacker tries the 2**32 possible values, 
> comparing them to the captured response generated for step 5.  With 
> very high probability, he will succeed with exactly one candidate 
> value for RES, in the time needed to calculate 2**31 MD5 hashes. 
> This takes ~5 minutes on a typical laptop.

The RES 'secret' is surely going to be recalculated each time the
session entropy (i.e. nonce) changes. Thus I'd modify step 4 and add
pre7

4. RES is now used as the password shared by the UE and the CSCF for the
register.

pre7. UE/USIM checks the AKA information and computes RES. RES is now
used as the password shared by the UE and the CSCF until the nonce is
changed.

The attacker now can obtain the old RES 'secret' and it has bought him
zip unless given enough of these he can break the method the RES
'secret' is calculated.

> Once the value of RES is known, the attacker can now forge SIP 
> messages or alter them in transit, recalculating the Digest after 
> altering the message.
> 
> By replacing the use of RES with a higher entropy quantity, this 
> attack can be prevented.  As noted above, Greg recommends using IK as 
> a replacement for RES.

_______________________________________________
Sip-security mailing list
Sip-security@ietf.org
https://www1.ietf.org/mailman/listinfo/sip-security