IETF Logo Mail Archive

[Sip-security] SIP authentication problem when using RES in Digest-AKA

John W Noerenberg II <jwn2@qualcomm.com> Fri, 15 March 2002 00:42 UTC

Received: from optimus.ietf.org (ietf.org [132.151.1.19] (may be forged)) by ietf.org (8.9.1a/8.9.1a) with ESMTP id TAA06045 for <sip-security-archive@odin.ietf.org>; Thu, 14 Mar 2002 19:42:28 -0500 (EST)
Received: (from daemon@localhost) by optimus.ietf.org (8.9.1a/8.9.1) id TAA20490 for sip-security-archive@odin.ietf.org; Thu, 14 Mar 2002 19:42:30 -0500 (EST)
Received: from optimus.ietf.org (localhost [127.0.0.1]) by optimus.ietf.org (8.9.1a/8.9.1) with ESMTP id TAA20172; Thu, 14 Mar 2002 19:38:58 -0500 (EST)
Received: from ietf.org (odin [132.151.1.176]) by optimus.ietf.org (8.9.1a/8.9.1) with ESMTP id TAA20132 for <sip-security@optimus.ietf.org>; Thu, 14 Mar 2002 19:38:55 -0500 (EST)
Received: from mage.qualcomm.com (mage.qualcomm.com [129.46.65.64]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id TAA05956; Thu, 14 Mar 2002 19:38:52 -0500 (EST)
Received: from [129.46.77.186] (eriador.qualcomm.com [129.46.77.186]) by mage.qualcomm.com (8.12.1/8.12.1/1.0) with ESMTP id g2F0c0Jw007529; Thu, 14 Mar 2002 16:38:01 -0800 (PST)
Mime-Version: 1.0
X-Sender: jwn2@mage.qualcomm.com
Message-Id: <a0510151db8b6de3d1fb1@[129.46.77.186]>
In-Reply-To: <B8B673A9.9436%gparsons@nortelnetworks.com>
References: <B8B673A9.9436%gparsons@nortelnetworks.com>
X-Mailer: eudora51carbon-0314020912
X-PGP-RSA-Fingerprint: EA53 01A6 C076 F9C2 09E8 9480 645A 8857
X-PGP-DH-Fingerprint: 4F5E 56C9 BD4D 0227 331F 6AEE 9590 24F9 6FD7 04F8
Date: Thu, 14 Mar 2002 16:37:48 -0800
To: sipping@ietf.org, sip-security@ietf.org
From: John W Noerenberg II <jwn2@qualcomm.com>
Cc: Greg Rose <ggr@qualcomm.com>, aki.niemi@nokia.com, jari.arkko@ericsson.com, vesa.torvinen@ericsson.fi, James Undery <jundery@ubiquity.net>, Sanjoy Sen <sanjoy@nortelnetworks.com>
Content-Type: text/plain; charset="us-ascii"; format="flowed"
Subject: [Sip-security] SIP authentication problem when using RES in Digest-AKA
Sender: sip-security-admin@ietf.org
Errors-To: sip-security-admin@ietf.org
X-Mailman-Version: 1.0
Precedence: bulk
List-Id: Security Issues for the SIP protocol <sip-security.ietf.org>
X-BeenThere: sip-security@ietf.org

Greg Rose has identified a security problem when HTTP-Digest is 
combined with the mechanism proposed in 
draft-niemi-sipping-digest-aka-00 and draft-undery-sip-auth-00.  He's 
outlined this for the 3GPP TSG SA WG3, one of the TSG security area 
working groups.

Essentially the problem is a consequence of using a RES that is 
shorter than the key from which it is derived, typically as small as 
32 bits.  RES's length results from the goal of maintaining backward 
compatibility with existing USIMs.  RES is a choke point that can be 
used to break the authentication.  Instead of using RES, IK has much 
greater entropy, and makes the attack prohibitively difficult.  A 
description of the attack against RES is given below.

The authentication process can be summarized as follows:

1. UE attempts to register.
2. The attempt is rejected because the UE is unauthenticated.  The 
rejection message includes AKA-related information and an HTTP-Digest 
nonce.
3. UE/USIM checks the AKA information and computes RES.
4. RES is now used as the password shared by the UE and the CSCF.
5. UE computes HTTP-Digest response based on RES, and attempts to register.
6. Registration succeeds.

Subsequently

7. UE sends another SIP message (e.g. Invite) and the HTTP-Digest 
method calculates authentication information based on RES. 
(Actually, A1 is used, but it is derived from RES).

Choke Point Attack

An attacker monitoring the traffic would break the scheme as follows:

The attacker has all the messages from steps 2 and 5 above.  All of 
the information used in the calculation of the response in step 5, 
except for the value of RES is present in these messages.  Assuming 
RES is 32 bits, the attacker tries the 2**32 possible values, 
comparing them to the captured response generated for step 5.  With 
very high probability, he will succeed with exactly one candidate 
value for RES, in the time needed to calculate 2**31 MD5 hashes. 
This takes ~5 minutes on a typical laptop.

Once the value of RES is known, the attacker can now forge SIP 
messages or alter them in transit, recalculating the Digest after 
altering the message.

By replacing the use of RES with a higher entropy quantity, this 
attack can be prevented.  As noted above, Greg recommends using IK as 
a replacement for RES.

best,
-- 

john noerenberg
jwn2@qualcomm.com
   --------------------------------------------------------------------------
   The truth knocks on the door and you say, "Go away, I'm looking
   for the truth,"  and so it goes away.  Puzzling.
   -- Zen and the Art of Motorcycle Maintenance, Robert M. Pirsig, 1974
   --------------------------------------------------------------------------

_______________________________________________
Sip-security mailing list
Sip-security@ietf.org
https://www1.ietf.org/mailman/listinfo/sip-security

v2.23.0 | Report a Bug | By Email