[Sip-security] RE: [Sipping] RE: SIP authentication problem when using RES in Di gest-AKA

["Krister Boman (EMW)" <Krister.Boman@emw.ericsson.se>]

Dear All,
just realized that the format I used did not come out well 
on the mailing lists. Hence I re-submit this message that 
hopefully will be easier to read. Sorry for that.

I have anyway some comments especially to the text from 
John below. I interpret the text below as being 3GPP 
architecture specific since the terms UE and CSCF are 
mentioned. I think that regarding authentication 
and integrity protection 3GPP have the following possible 
scenarios under discussion:

Authentication:
1. Digest AKA is used for authentication and the subscriber 
could potentially use the RES as a password.

Integrity protecion:
2a. Using Extensions to Digest as described in the 
Undery I-D and in TS33.203 where the *IK* (128 bits) should 
be used as integrity key/password, please consult 
TS33.203 version 200 clause C.2.1. 

2b. Using IPSec ESP as a basis were SIP take 
the IKE role etc. Still the same key i.e. *IK* will be used 
as in 2a but it has to be transported to the IPSec layer but 
it would also be 128 bits.

So regardless if 2a or 2b is finally the preferred solution 
still case 1. is applicable for both solutions. Hence 7. 
below should not occur according to TS33.203.

Question: Is there any really security problems which is 
specifically linked between Digest AKA and 
the Undery I-D/TS33.203? I cannot see that right now. But 
maybe I have misinterpreted something?

Another question: why cannot 3GPP mandate for case 1. that 
the RES shall be 128 bits for IMS access if that is used as 
a password to Digest AKA?

Regards
Krister Boman
Editor of TS33.203

-----Original Message-----
From: James Undery [mailto:jundery@ubiquity.net]
Sent: fredag 15 mars 2002 11:08
To: John W Noerenberg II; sipping@ietf.org; sip-security@ietf.org
Cc: Greg Rose; aki.niemi@nokia.com; jari.arkko@ericsson.com;
vesa.torvinen@lmf.ericsson.se; Sanjoy Sen
Subject: [Sipping] RE: SIP authentication problem when using RES in
Digest-AKA


Forgive me for being a bit slow, but I can't see how this attack works.
Firstly I'll check RES uses a shared secret and some entropy to create a
session password to provide forward security?

Comments inline.

> -----Original Message-----
> From: John W Noerenberg II [mailto:jwn2@qualcomm.com]
> Sent: 15 March 2002 00:38
> To: sipping@ietf.org; sip-security@ietf.org
> Cc: Greg Rose; aki.niemi@nokia.com; jari.arkko@ericsson.com;
> vesa.torvinen@ericsson.fi; James Undery; Sanjoy Sen
> Subject: SIP authentication problem when using RES in Digest-AKA
> 
> 
> Greg Rose has identified a security problem when HTTP-Digest is 
> combined with the mechanism proposed in 
> draft-niemi-sipping-digest-aka-00 and draft-undery-sip-auth-00.  He's 
> outlined this for the 3GPP TSG SA WG3, one of the TSG security area 
> working groups.
> 
> Essentially the problem is a consequence of using a RES that is 
> shorter than the key from which it is derived, typically as small as 
> 32 bits.  RES's length results from the goal of maintaining backward 
> compatibility with existing USIMs.  RES is a choke point that can be 
> used to break the authentication.  Instead of using RES, IK has much 
> greater entropy, and makes the attack prohibitively difficult.  A 
> description of the attack against RES is given below.
> 
> The authentication process can be summarized as follows:
> 
> 1. UE attempts to register.
> 2. The attempt is rejected because the UE is unauthenticated.  The 
> rejection message includes AKA-related information and an HTTP-Digest 
> nonce.
> 3. UE/USIM checks the AKA information and computes RES.
> 4. RES is now used as the password shared by the UE and the CSCF.
> 5. UE computes HTTP-Digest response based on RES, and 
> attempts to register.
> 6. Registration succeeds.
> 
> Subsequently
> 
> 7. UE sends another SIP message (e.g. Invite) and the HTTP-Digest 
> method calculates authentication information based on RES. 
> (Actually, A1 is used, but it is derived from RES).
> 
> Choke Point Attack
> 
> An attacker monitoring the traffic would break the scheme as follows:
> 
> The attacker has all the messages from steps 2 and 5 above.  All of 
> the information used in the calculation of the response in step 5, 
> except for the value of RES is present in these messages.  Assuming 
> RES is 32 bits, the attacker tries the 2**32 possible values, 
> comparing them to the captured response generated for step 5.  With 
> very high probability, he will succeed with exactly one candidate 
> value for RES, in the time needed to calculate 2**31 MD5 hashes. 
> This takes ~5 minutes on a typical laptop.

The RES 'secret' is surely going to be recalculated each time the
session entropy (i.e. nonce) changes. Thus I'd modify step 4 and add
pre7

4. RES is now used as the password shared by the UE and the CSCF for the
register.

pre7. UE/USIM checks the AKA information and computes RES. RES is now
used as the password shared by the UE and the CSCF until the nonce is
changed.

The attacker now can obtain the old RES 'secret' and it has bought him
zip unless given enough of these he can break the method the RES
'secret' is calculated.

> Once the value of RES is known, the attacker can now forge SIP 
> messages or alter them in transit, recalculating the Digest after 
> altering the message.
> 
> By replacing the use of RES with a higher entropy quantity, this 
> attack can be prevented.  As noted above, Greg recommends using IK as 
> a replacement for RES.


_______________________________________________
Sipping mailing list  https://www1.ietf.org/mailman/listinfo/sipping
This list is for NEW development of the application of SIP
Use sip-implementors@cs.columbia.edu for questions on current sip
Use sip@ietf.org for new developments of core SIP

_______________________________________________
Sip-security mailing list
Sip-security@ietf.org
https://www1.ietf.org/mailman/listinfo/sip-security