[Sip-security] Re: [Sipping] SIP authentication problem when using RES in Digest-AKA
"Niemi Aki (NET/Espoo)" <aki.niemi@nokia.com> Fri, 15 March 2002 09:44 UTC
Date: Fri, 15 Mar 2002 11:43:27 +0200
From: "Niemi Aki (NET/Espoo)" <aki.niemi@nokia.com>
To: ext Jari Arkko <jarkko@piuha.net>
CC: John W Noerenberg II <jwn2@qualcomm.com>, sipping@ietf.org, sip-security@ietf.org, Greg Rose <ggr@qualcomm.com>, jari.arkko@ericsson.com, vesa.torvinen@ericsson.fi, James Undery <jundery@ubiquity.net>, Sanjoy Sen <sanjoy@nortelnetworks.com>
Hi All,

On 03/15/2002 08:16 AM, ext Jari Arkko wrote:
> John, Greg,
>
> Thanks for describing this interesting attack! I believe
> while making draft-niemi the authors have been assuming that we do not
> use the GSM compatibility mode (which I believe is the reason why the RES
> could be only 32 bits). That is, when full AKA is used this isn't a problem.
>
> So, we could either
>
> (1) Require the full use of AKA
> (2) Switch to using IK and not RES as input in the Digest process

As far as I understand the authentication/integrity protection schemes
of 3GPP IMS, the authentication is between the UE and the S-CSCF, and
the integrity protection is between the UE and the P-CSCF.

Therefore I can't see a problem in using RES as input for Digest AKA in
the authentication, and IK as input for the Digest in integrity
protection. The RES would then constitute a one-time password type key,
whereas IK is a more long-term key for integrity protection. I don't see
a need to group the two mechanisms together.

Cheers,
Aki

> Greg, is the IK free of similar limitations when GSM compatibility
> is used?
>
> Jari
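The following is an added example, not part of the original message or of draft-niemi: a server-side sketch of a Digest check in which the AKA RES occupies the password slot, with a guard that rejects a RES as short as the 32-bit GSM-compatibility case mentioned in the thread. It assumes the RFC 2617 MD5 layout with qop=auth; `MIN_RES_BITS`, the function names and all sample values are constructed for illustration.

```python
import hashlib
import hmac

# Assumed local policy: refuse a RES as short as the 32-bit
# GSM-compatibility case discussed in the thread.
MIN_RES_BITS = 64


def _md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def digest_response(username, realm, res, method, uri, nonce, nc, cnonce):
    """RFC 2617 request-digest (qop=auth) with the AKA RES as the password."""
    # A1 = username ":" realm ":" password, where password is the raw RES bytes.
    a1 = username.encode() + b":" + realm.encode() + b":" + res
    a2 = f"{method}:{uri}".encode()
    ha1, ha2 = _md5_hex(a1), _md5_hex(a2)
    return _md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:auth:{ha2}".encode())


def verify(expected_res, received_response, **fields):
    """Recompute the digest from the expected RES and compare in constant time."""
    if len(expected_res) * 8 < MIN_RES_BITS:
        raise ValueError("RES shorter than policy minimum; full AKA required")
    calculated = digest_response(res=expected_res, **fields)
    return hmac.compare_digest(calculated, received_response)


# Constructed sample values (not taken from any real exchange).
FIELDS = dict(
    username="user@example.invalid",
    realm="example.invalid",
    method="REGISTER",
    uri="sip:example.invalid",
    nonce="Y29uc3RydWN0ZWQtbm9uY2U=",
    nc="00000001",
    cnonce="0a4f113b",
)
FULL_RES = bytes.fromhex("0011223344556677")   # 64-bit RES
SHORT_RES = bytes.fromhex("00112233")          # 32-bit RES

if __name__ == "__main__":
    response = digest_response(res=FULL_RES, **FIELDS)
    print("full RES accepted:", verify(FULL_RES, response, **FIELDS))
    try:
        verify(SHORT_RES, digest_response(res=SHORT_RES, **FIELDS), **FIELDS)
    except ValueError as exc:
        print("short RES rejected:", exc)
```
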