[Sip-security] RE: SIP authentication problem when using RES in Digest-AKA

"Sanjoy Sen"<sanjoy@nortelnetworks.com> Fri, 15 March 2002 16:26 UTC

Message-ID: <933FADF5E673D411B8A30002A5608A0E011879EC@zrc2c012.us.nortel.com>
From: Sanjoy Sen <sanjoy@nortelnetworks.com>
To: "'Niemi Aki (NET/Espoo)'" <aki.niemi@nokia.com>
Cc: 'John W Noerenberg II' <jwn2@qualcomm.com>, sipping@ietf.org, sip-security@ietf.org, Greg Rose <ggr@qualcomm.com>, jari.arkko@ericsson.com, vesa.torvinen@ericsson.fi, James Undery <jundery@ubiquity.net>
Date: Fri, 15 Mar 2002 10:24:30 -0600
Subject: [Sip-security] RE: SIP authentication problem when using RES in Digest-AKA
List-Id: Security Issues for the SIP protocol <sip-security.ietf.org>

> -----Original Message-----
> From: Niemi Aki (NET/Espoo) [mailto:aki.niemi@nokia.com]
> Sent: Friday, March 15, 2002 3:28 AM

<snip>

> 
> However, by doing this you will lose the one thing that Digest provides,
> which is authentication of the SIP message, or at least parts of it
> during the authentication procedure.
>
> So all in all, from the AKA perspective, both options should be equally
> secure, but with Digest AKA, the SIP message is better protected. How
> desirable exactly this added protection is, and indeed is the added cost
> of calculating the Digest MD5 worth the received benefits, is open to
> discussion.

You can always integrity-protect the message body using a separate
Authorization header, if so desired. Actually, for integrity protection
between UE and the P-CSCF, you would use a separate header anyways. Keeping
AKA and MD5 separate gives you the option of *not* using MD5, if so desired.


Sanjoy
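
The trade-off discussed in this thread, as an added example that is not part of the original message: RFC 2617 Digest computed with the AKA RES in place of the password (an assumption about how RES is fed in), showing which parts of a SIP request the MD5 response covers under qop=auth and qop=auth-int. All function names and sample values are constructed for illustration.

```python
import hashlib
import hmac

# Constructed sample values, not taken from the thread.
RES = bytes.fromhex("a1b2c3d4e5f60718")      # AKA response known to UE and server
USER, REALM = "user1@example.com", "example.com"
NONCE, CNONCE, NC = "constructed-nonce", "0a4f113b", "00000001"
URI = "sip:registrar.example.com"
BODY = b"v=0\r\no=- 1 1 IN IP4 192.0.2.10\r\n"


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def digest_response(res, method, uri, qop, body=b""):
    # Assumption: the binary RES takes the place of the Digest password in A1.
    ha1 = md5_hex(USER.encode() + b":" + REALM.encode() + b":" + res)
    a2 = f"{method}:{uri}"
    if qop == "auth-int":
        a2 += ":" + md5_hex(body)            # auth-int also binds the message body
    ha2 = md5_hex(a2.encode())
    return md5_hex(f"{ha1}:{NONCE}:{NC}:{CNONCE}:{qop}:{ha2}".encode())


def server_accepts(xres, response, method, uri, qop, body=b""):
    """Recompute the response from the request as received and compare."""
    expected = digest_response(xres, method, uri, qop, body)
    return hmac.compare_digest(expected, response)


def coverage(qop):
    """Return which in-transit modifications the server detects for this qop."""
    sent = digest_response(RES, "REGISTER", URI, qop, BODY)
    return {
        "unmodified": server_accepts(RES, sent, "REGISTER", URI, qop, BODY),
        "uri_changed": server_accepts(RES, sent, "REGISTER",
                                      "sip:other.example.net", qop, BODY),
        "body_changed": server_accepts(RES, sent, "REGISTER", URI, qop,
                                       BODY + b"a=extra\r\n"),
    }


if __name__ == "__main__":
    for qop in ("auth", "auth-int"):
        print(qop, coverage(qop))
```

With qop=auth only the method and Request-URI are bound to the response, so a changed body still verifies; with qop=auth-int the body hash is included and the change is rejected. Other headers are covered by neither mode.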