IETF Logo Mail Archive

[Sip-security] Re: SIP authentication problem when using RES in Digest-AKA

Jari Arkko <Jari.Arkko@lmf.ericsson.se> Fri, 15 March 2002 09:43 UTC

Received: from optimus.ietf.org (ietf.org [132.151.1.19] (may be forged)) by ietf.org (8.9.1a/8.9.1a) with ESMTP id EAA24587 for <sip-security-archive@odin.ietf.org>; Fri, 15 Mar 2002 04:43:24 -0500 (EST)
Received: (from daemon@localhost) by optimus.ietf.org (8.9.1a/8.9.1) id EAA03082 for sip-security-archive@odin.ietf.org; Fri, 15 Mar 2002 04:43:26 -0500 (EST)
Received: from optimus.ietf.org (localhost [127.0.0.1]) by optimus.ietf.org (8.9.1a/8.9.1) with ESMTP id EAA02899; Fri, 15 Mar 2002 04:41:47 -0500 (EST)
Received: from ietf.org (odin [132.151.1.176]) by optimus.ietf.org (8.9.1a/8.9.1) with ESMTP id EAA02848 for <sip-security@optimus.ietf.org>; Fri, 15 Mar 2002 04:41:45 -0500 (EST)
Received: from albatross.wise.edt.ericsson.se (albatross-ext.wise.edt.ericsson.se [193.180.251.46]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id EAA24556; Fri, 15 Mar 2002 04:41:41 -0500 (EST)
Received: from fogerty.lmf.ericsson.se (fogerty.lmf.ericsson.se [131.160.11.6]) by albatross.wise.edt.ericsson.se (8.12.1/8.12.1/WIREfire-1.4) with ESMTP id g2F9fTUw010589; Fri, 15 Mar 2002 10:41:29 +0100 (MET)
Received: from lmf.ericsson.se (lmf4ws450.lmf.ericsson.se [131.160.38.50]) by fogerty.lmf.ericsson.se (8.12.1/8.12.1/lmf.8.12.1.jcs) with ESMTP id g2F9fQUD009677; Fri, 15 Mar 2002 11:41:26 +0200 (EET)
Message-ID: <3C91C1C6.E3464A36@lmf.ericsson.se>
Date: Fri, 15 Mar 2002 11:41:26 +0200
From: Jari Arkko <Jari.Arkko@lmf.ericsson.se>
Organization: Oy L M Ericsson Ab
X-Mailer: Mozilla 4.77 [en] (X11; U; SunOS 5.6 sun4u)
X-Accept-Language: en
MIME-Version: 1.0
To: Greg Rose <ggr@qualcomm.com>
CC: Sanjoy Sen <sanjoy@nortelnetworks.com>, 'John W Noerenberg II' <jwn2@qualcomm.com>, sipping@ietf.org, sip-security@ietf.org, aki.niemi@nokia.com, jari.arkko@ericsson.com, vesa.torvinen@lmf.ericsson.se, James Undery <jundery@ubiquity.net>
References: <4.3.1.2.20020315124047.05271fd8@127.0.0.1>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Content-Transfer-Encoding: 7bit
Subject: [Sip-security] Re: SIP authentication problem when using RES in Digest-AKA
Sender: sip-security-admin@ietf.org
Errors-To: sip-security-admin@ietf.org
X-Mailman-Version: 1.0
Precedence: bulk
List-Id: Security Issues for the SIP protocol <sip-security.ietf.org>
X-BeenThere: sip-security@ietf.org
Content-Transfer-Encoding: 7bit

Greg Rose wrote:

> >draft-undery-sip-auth-00.txt doesn't make any recommendation as to how the
> >password should be computed. However, I remember that when we took the
> >proposal of using Digest for the first time to 3GPP, we had recommended
> >using IK as the password.
> 
> That's right. draft-undery-sip-auth-00.txt assumes that the password is
> strong, and by itself has no problems. draft-niemi-sipping-digest-aka-00
> assumes that RES is used as the password only once for the authentication,
> and by itself has no problems. Put the two together, and there's a problem...

We are in agreement that IK should be used as the password
for draft-undery. However, I feel that in this discussion we
have been mixing draft-undery and draft-niemi in a manner
that it doesn't clearly show that this is still being
done. Let me try to clarify this situation in light
of the 3GPP architecture:

1. Draft-undery is being used for UE - P-CSCF int. protection.
   Algorithm = MD5, password = IK (communicated to the P-CSCF
   using method X from the S-CSCF).

2. Draft-niemi is being used for UE - S-CSCF authentication.
   Algorithm = AKA and no traditional password, just the
   shared long term secret. The authentication is based on
   RES. As a side effect an IK is produced (and communicated
   to the P-CSCF using means beyond draft-niemi).

So, in this particular case Draft-Undery *does* use the
IK as the password. The only remaining issue is how
Draft-Niemi calculates Digest results, and whether
that reveals anything interesting to attackers. 

Draft-niemi is an application of Digest and as such has some
integrity protection features, and particular way to
calculate Response. This particular way is essentially
MD5(... RES ...). So at this point we are not using IK
twice anywhere. But perhaps there's an attack that would
reveal RES, if it was too short. (I personally think we
should simply require it to be long, but I'll ignore that
for the moment.)

Let's study this by considering two cases:

(a) AKA is run at the beginning and if any further
    communications with the home network take place,
    the RES is cached and used as a password. This
    allows the attack described by Greg. But as
    Aki explained, it seems that we have forbidden
    this in Draft-niemi.

(b) AKA has to be run every time, and a RES can't be
    reused. Is there a problem left then?

Jari

_______________________________________________
Sip-security mailing list
Sip-security@ietf.org
https://www1.ietf.org/mailman/listinfo/sip-security

v2.23.0 | Report a Bug | By Email