[Sip-security] Re: SIP authentication problem when using RES in Digest-AKA
Jari Arkko <Jari.Arkko@lmf.ericsson.se> Fri, 15 March 2002 09:43 UTC
Received: from optimus.ietf.org (ietf.org [132.151.1.19] (may be forged)) by ietf.org (8.9.1a/8.9.1a) with ESMTP id EAA24587 for <sip-security-archive@odin.ietf.org>; Fri, 15 Mar 2002 04:43:24 -0500 (EST)
Received: (from daemon@localhost) by optimus.ietf.org (8.9.1a/8.9.1) id EAA03082 for sip-security-archive@odin.ietf.org; Fri, 15 Mar 2002 04:43:26 -0500 (EST)
Received: from optimus.ietf.org (localhost [127.0.0.1]) by optimus.ietf.org (8.9.1a/8.9.1) with ESMTP id EAA02899; Fri, 15 Mar 2002 04:41:47 -0500 (EST)
Received: from ietf.org (odin [132.151.1.176]) by optimus.ietf.org (8.9.1a/8.9.1) with ESMTP id EAA02848 for <sip-security@optimus.ietf.org>; Fri, 15 Mar 2002 04:41:45 -0500 (EST)
Received: from albatross.wise.edt.ericsson.se (albatross-ext.wise.edt.ericsson.se [193.180.251.46]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id EAA24556; Fri, 15 Mar 2002 04:41:41 -0500 (EST)
Received: from fogerty.lmf.ericsson.se (fogerty.lmf.ericsson.se [131.160.11.6]) by albatross.wise.edt.ericsson.se (8.12.1/8.12.1/WIREfire-1.4) with ESMTP id g2F9fTUw010589; Fri, 15 Mar 2002 10:41:29 +0100 (MET)
Received: from lmf.ericsson.se (lmf4ws450.lmf.ericsson.se [131.160.38.50]) by fogerty.lmf.ericsson.se (8.12.1/8.12.1/lmf.8.12.1.jcs) with ESMTP id g2F9fQUD009677; Fri, 15 Mar 2002 11:41:26 +0200 (EET)
Message-ID: <3C91C1C6.E3464A36@lmf.ericsson.se>
Date: Fri, 15 Mar 2002 11:41:26 +0200
From: Jari Arkko <Jari.Arkko@lmf.ericsson.se>
Organization: Oy L M Ericsson Ab
X-Mailer: Mozilla 4.77 [en] (X11; U; SunOS 5.6 sun4u)
X-Accept-Language: en
MIME-Version: 1.0
To: Greg Rose <ggr@qualcomm.com>
CC: Sanjoy Sen <sanjoy@nortelnetworks.com>, 'John W Noerenberg II' <jwn2@qualcomm.com>, sipping@ietf.org, sip-security@ietf.org, aki.niemi@nokia.com, jari.arkko@ericsson.com, vesa.torvinen@lmf.ericsson.se, James Undery <jundery@ubiquity.net>
References: <4.3.1.2.20020315124047.05271fd8@127.0.0.1>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Content-Transfer-Encoding: 7bit
Subject: [Sip-security] Re: SIP authentication problem when using RES in Digest-AKA
Sender: sip-security-admin@ietf.org
Errors-To: sip-security-admin@ietf.org
X-Mailman-Version: 1.0
Precedence: bulk
List-Id: Security Issues for the SIP protocol <sip-security.ietf.org>
X-BeenThere: sip-security@ietf.org
Content-Transfer-Encoding: 7bit
Greg Rose wrote: > >draft-undery-sip-auth-00.txt doesn't make any recommendation as to how the > >password should be computed. However, I remember that when we took the > >proposal of using Digest for the first time to 3GPP, we had recommended > >using IK as the password. > > That's right. draft-undery-sip-auth-00.txt assumes that the password is > strong, and by itself has no problems. draft-niemi-sipping-digest-aka-00 > assumes that RES is used as the password only once for the authentication, > and by itself has no problems. Put the two together, and there's a problem... We are in agreement that IK should be used as the password for draft-undery. However, I feel that in this discussion we have been mixing draft-undery and draft-niemi in a manner that it doesn't clearly show that this is still being done. Let me try to clarify this situation in light of the 3GPP architecture: 1. Draft-undery is being used for UE - P-CSCF int. protection. Algorithm = MD5, password = IK (communicated to the P-CSCF using method X from the S-CSCF). 2. Draft-niemi is being used for UE - S-CSCF authentication. Algorithm = AKA and no traditional password, just the shared long term secret. The authentication is based on RES. As a side effect an IK is produced (and communicated to the P-CSCF using means beyond draft-niemi). So, in this particular case Draft-Undery *does* use the IK as the password. The only remaining issue is how Draft-Niemi calculates Digest results, and whether that reveals anything interesting to attackers. Draft-niemi is an application of Digest and as such has some integrity protection features, and particular way to calculate Response. This particular way is essentially MD5(... RES ...). So at this point we are not using IK twice anywhere. But perhaps there's an attack that would reveal RES, if it was too short. (I personally think we should simply require it to be long, but I'll ignore that for the moment.) Let's study this by considering two cases: (a) AKA is run at the beginning and if any further communications with the home network take place, the RES is cached and used as a password. This allows the attack described by Greg. But as Aki explained, it seems that we have forbidden this in Draft-niemi. (b) AKA has to be run every time, and a RES can't be reused. Is there a problem left then? Jari _______________________________________________ Sip-security mailing list Sip-security@ietf.org https://www1.ietf.org/mailman/listinfo/sip-security
- [Sip-security] SIP authentication problem when us… John W Noerenberg II
- [Sip-security] RE: SIP authentication problem whe… Sanjoy Sen
- [Sip-security] [Sipping] RE: SIP authentication p… John W Noerenberg II
- [Sip-security] RE: SIP authentication problem whe… Sanjoy Sen
- [Sip-security] RE: SIP authentication problem whe… Greg Rose
- [Sip-security] RE: SIP authentication problem whe… Greg Rose
- [Sip-security] Re: [Sipping] SIP authentication p… Jari Arkko
- [Sip-security] Re: [Sipping] SIP authentication p… Greg Rose
- [Sip-security] Re: [Sipping] SIP authentication p… Jari Arkko
- [Sip-security] Re: SIP authentication problem whe… Niemi Aki (NET/Espoo)
- [Sip-security] Re: SIP authentication problem whe… Niemi Aki (NET/Espoo)
- [Sip-security] Re: SIP authentication problem whe… Jari Arkko
- [Sip-security] Re: [Sipping] SIP authentication p… Niemi Aki (NET/Espoo)
- [Sip-security] RE: SIP authentication problem whe… James Undery
- [Sip-security] Re: [Sipping] Re: SIP authenticati… Niemi Aki (NET/Espoo)
- [Sip-security] RE: SIP authentication problem whe… Sanjoy Sen
- [Sip-security] RE: SIP authentication problem whe… Greg Rose
- Re: [Sip-security] RE: SIP authentication problem… Jari Arkko
- Re: [Sip-security] RE: SIP authentication problem… Greg Rose
- Re: [Sip-security] RE: SIP authentication problem… Jari Arkko
- Re: [Sip-security] RE: SIP authentication problem… Greg Rose
- Re: [Sip-security] RE: SIP authentication problem… John W Noerenberg II
- Re: [Sip-security] RE: SIP authentication problem… Greg Rose
- Re: [Sip-security] RE: SIP authentication problem… Jari Arkko