[Sip-security] SIP authentication problem when using RES in Digest-AKA
John W Noerenberg II <jwn2@qualcomm.com> Fri, 15 March 2002 00:42 UTC
Received: from optimus.ietf.org (ietf.org [132.151.1.19] (may be forged)) by ietf.org (8.9.1a/8.9.1a) with ESMTP id TAA06045 for <sip-security-archive@odin.ietf.org>; Thu, 14 Mar 2002 19:42:28 -0500 (EST)
Received: (from daemon@localhost) by optimus.ietf.org (8.9.1a/8.9.1) id TAA20490 for sip-security-archive@odin.ietf.org; Thu, 14 Mar 2002 19:42:30 -0500 (EST)
Received: from optimus.ietf.org (localhost [127.0.0.1]) by optimus.ietf.org (8.9.1a/8.9.1) with ESMTP id TAA20172; Thu, 14 Mar 2002 19:38:58 -0500 (EST)
Received: from ietf.org (odin [132.151.1.176]) by optimus.ietf.org (8.9.1a/8.9.1) with ESMTP id TAA20132 for <sip-security@optimus.ietf.org>; Thu, 14 Mar 2002 19:38:55 -0500 (EST)
Received: from mage.qualcomm.com (mage.qualcomm.com [129.46.65.64]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id TAA05956; Thu, 14 Mar 2002 19:38:52 -0500 (EST)
Received: from [129.46.77.186] (eriador.qualcomm.com [129.46.77.186]) by mage.qualcomm.com (8.12.1/8.12.1/1.0) with ESMTP id g2F0c0Jw007529; Thu, 14 Mar 2002 16:38:01 -0800 (PST)
Mime-Version: 1.0
X-Sender: jwn2@mage.qualcomm.com
Message-Id: <a0510151db8b6de3d1fb1@[129.46.77.186]>
In-Reply-To: <B8B673A9.9436%gparsons@nortelnetworks.com>
References: <B8B673A9.9436%gparsons@nortelnetworks.com>
X-Mailer: eudora51carbon-0314020912
X-PGP-RSA-Fingerprint: EA53 01A6 C076 F9C2 09E8 9480 645A 8857
X-PGP-DH-Fingerprint: 4F5E 56C9 BD4D 0227 331F 6AEE 9590 24F9 6FD7 04F8
Date: Thu, 14 Mar 2002 16:37:48 -0800
To: sipping@ietf.org, sip-security@ietf.org
From: John W Noerenberg II <jwn2@qualcomm.com>
Cc: Greg Rose <ggr@qualcomm.com>, aki.niemi@nokia.com, jari.arkko@ericsson.com, vesa.torvinen@ericsson.fi, James Undery <jundery@ubiquity.net>, Sanjoy Sen <sanjoy@nortelnetworks.com>
Content-Type: text/plain; charset="us-ascii"; format="flowed"
Subject: [Sip-security] SIP authentication problem when using RES in Digest-AKA
Sender: sip-security-admin@ietf.org
Errors-To: sip-security-admin@ietf.org
X-Mailman-Version: 1.0
Precedence: bulk
List-Id: Security Issues for the SIP protocol <sip-security.ietf.org>
X-BeenThere: sip-security@ietf.org
Greg Rose has identified a security problem when HTTP-Digest is combined with the mechanism proposed in draft-niemi-sipping-digest-aka-00 and draft-undery-sip-auth-00. He's outlined this for the 3GPP TSG SA WG3, one of the TSG security area working groups. Essentially the problem is a consequence of using a RES that is shorter than the key from which it is derived, typically as small as 32 bits. RES's length results from the goal of maintaining backward compatibility with existing USIMs. RES is a choke point that can be used to break the authentication. Instead of using RES, IK has much greater entropy, and makes the attack prohibitively difficult. A description of the attack against RES is given below. The authentication process can be summarized as follows: 1. UE attempts to register. 2. The attempt is rejected because the UE is unauthenticated. The rejection message includes AKA-related information and an HTTP-Digest nonce. 3. UE/USIM checks the AKA information and computes RES. 4. RES is now used as the password shared by the UE and the CSCF. 5. UE computes HTTP-Digest response based on RES, and attempts to register. 6. Registration succeeds. Subsequently 7. UE sends another SIP message (e.g. Invite) and the HTTP-Digest method calculates authentication information based on RES. (Actually, A1 is used, but it is derived from RES). Choke Point Attack An attacker monitoring the traffic would break the scheme as follows: The attacker has all the messages from steps 2 and 5 above. All of the information used in the calculation of the response in step 5, except for the value of RES is present in these messages. Assuming RES is 32 bits, the attacker tries the 2**32 possible values, comparing them to the captured response generated for step 5. With very high probability, he will succeed with exactly one candidate value for RES, in the time needed to calculate 2**31 MD5 hashes. This takes ~5 minutes on a typical laptop. Once the value of RES is known, the attacker can now forge SIP messages or alter them in transit, recalculating the Digest after altering the message. By replacing the use of RES with a higher entropy quantity, this attack can be prevented. As noted above, Greg recommends using IK as a replacement for RES. best, -- john noerenberg jwn2@qualcomm.com -------------------------------------------------------------------------- The truth knocks on the door and you say, "Go away, I'm looking for the truth," and so it goes away. Puzzling. -- Zen and the Art of Motorcycle Maintenance, Robert M. Pirsig, 1974 -------------------------------------------------------------------------- _______________________________________________ Sip-security mailing list Sip-security@ietf.org https://www1.ietf.org/mailman/listinfo/sip-security
- [Sip-security] SIP authentication problem when us… John W Noerenberg II
- [Sip-security] RE: SIP authentication problem whe… Sanjoy Sen
- [Sip-security] [Sipping] RE: SIP authentication p… John W Noerenberg II
- [Sip-security] RE: SIP authentication problem whe… Sanjoy Sen
- [Sip-security] RE: SIP authentication problem whe… Greg Rose
- [Sip-security] RE: SIP authentication problem whe… Greg Rose
- [Sip-security] Re: [Sipping] SIP authentication p… Jari Arkko
- [Sip-security] Re: [Sipping] SIP authentication p… Greg Rose
- [Sip-security] Re: [Sipping] SIP authentication p… Jari Arkko
- [Sip-security] Re: SIP authentication problem whe… Niemi Aki (NET/Espoo)
- [Sip-security] Re: SIP authentication problem whe… Niemi Aki (NET/Espoo)
- [Sip-security] Re: SIP authentication problem whe… Jari Arkko
- [Sip-security] Re: [Sipping] SIP authentication p… Niemi Aki (NET/Espoo)
- [Sip-security] RE: SIP authentication problem whe… James Undery
- [Sip-security] Re: [Sipping] Re: SIP authenticati… Niemi Aki (NET/Espoo)
- [Sip-security] RE: SIP authentication problem whe… Sanjoy Sen
- [Sip-security] RE: SIP authentication problem whe… Greg Rose
- Re: [Sip-security] RE: SIP authentication problem… Jari Arkko
- Re: [Sip-security] RE: SIP authentication problem… Greg Rose
- Re: [Sip-security] RE: SIP authentication problem… Jari Arkko
- Re: [Sip-security] RE: SIP authentication problem… Greg Rose
- Re: [Sip-security] RE: SIP authentication problem… John W Noerenberg II
- Re: [Sip-security] RE: SIP authentication problem… Greg Rose
- Re: [Sip-security] RE: SIP authentication problem… Jari Arkko