[Sip-security] RE: SIP authentication problem when using RES in Digest-AKA
"Sanjoy Sen"<sanjoy@nortelnetworks.com> Fri, 15 March 2002 01:20 UTC
Received: from optimus.ietf.org (ietf.org [132.151.1.19] (may be forged)) by ietf.org (8.9.1a/8.9.1a) with ESMTP id UAA06859 for <sip-security-archive@odin.ietf.org>; Thu, 14 Mar 2002 20:20:15 -0500 (EST)
Received: (from daemon@localhost) by optimus.ietf.org (8.9.1a/8.9.1) id UAA22909 for sip-security-archive@odin.ietf.org; Thu, 14 Mar 2002 20:20:17 -0500 (EST)
Received: from optimus.ietf.org (localhost [127.0.0.1]) by optimus.ietf.org (8.9.1a/8.9.1) with ESMTP id UAA22839; Thu, 14 Mar 2002 20:19:34 -0500 (EST)
Received: from ietf.org (odin [132.151.1.176]) by optimus.ietf.org (8.9.1a/8.9.1) with ESMTP id UAA22798 for <sip-security@optimus.ietf.org>; Thu, 14 Mar 2002 20:19:30 -0500 (EST)
Received: from zrc2s0jx.nortelnetworks.com (zrc2s0jx.nortelnetworks.com [47.103.122.112]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id UAA06844; Thu, 14 Mar 2002 20:19:28 -0500 (EST)
Received: from zrc2c011.us.nortel.com (zrc2c011.us.nortel.com [47.103.120.51]) by zrc2s0jx.nortelnetworks.com (Switch-2.2.0/Switch-2.2.0) with ESMTP id g2F1Irh21795; Thu, 14 Mar 2002 19:18:53 -0600 (CST)
Received: by zrc2c011.us.nortel.com with Internet Mail Service (5.5.2653.19) id <G6V97BQA>; Thu, 14 Mar 2002 19:18:55 -0600
Message-ID: <933FADF5E673D411B8A30002A5608A0E011879EB@zrc2c012.us.nortel.com>
From: Sanjoy Sen <sanjoy@nortelnetworks.com>
To: 'John W Noerenberg II' <jwn2@qualcomm.com>, sipping@ietf.org, sip-security@ietf.org
Cc: Greg Rose <ggr@qualcomm.com>, aki.niemi@nokia.com, jari.arkko@ericsson.com, vesa.torvinen@ericsson.fi, James Undery <jundery@ubiquity.net>
Date: Thu, 14 Mar 2002 19:18:54 -0600
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.5.2653.19)
Content-Type: multipart/alternative; boundary="----_=_NextPart_001_01C1CBBF.5F5B3710"
Subject: [Sip-security] RE: SIP authentication problem when using RES in Digest-AKA
Sender: sip-security-admin@ietf.org
Errors-To: sip-security-admin@ietf.org
X-Mailman-Version: 1.0
Precedence: bulk
List-Id: Security Issues for the SIP protocol <sip-security.ietf.org>
X-BeenThere: sip-security@ietf.org
Another option to think about is whether there is any need to carry AKA credentials (as is) in the HTTP *-Authenticate and *-Authorization headers. This means that we define AKA as an authentication scheme at par with Digest (instead of using it as a password generation tool, say, for Digest MD5). In HTTP Authentication syntax, challenge = "AKA" AKA-challenge AKA-challenge = 1#(rand | autn | auth-param) credential = "AKA" AKA-response AKA-response = 1#(res | [auts]) where, rand, res, autn, auts (all AKA parameters) are all base64 encoded. One advantage of this approach is that you need not run Digest algorithms (draft-niemi-sipping-digest-aka-00 forces you to run both a Digest algorithm and the AKA authentication algorithm). We discussed about this option but never reached any agreement on whether to go for this. It was not clear whether transferring res will lead to any potential security attacks. Any comments/thoughts? Sanjoy > -----Original Message----- > From: John W Noerenberg II [mailto:jwn2@qualcomm.com] > Sent: Thursday, March 14, 2002 6:38 PM > To: sipping@ietf.org; sip-security@ietf.org > Cc: Greg Rose; aki.niemi@nokia.com; jari.arkko@ericsson.com; > vesa.torvinen@ericsson.fi; James Undery; Sen, Sanjoy [NGC:B692:EXCH] > Subject: SIP authentication problem when using RES in Digest-AKA > > > Greg Rose has identified a security problem when HTTP-Digest is > combined with the mechanism proposed in > draft-niemi-sipping-digest-aka-00 and draft-undery-sip-auth-00. He's > outlined this for the 3GPP TSG SA WG3, one of the TSG security area > working groups. > > Essentially the problem is a consequence of using a RES that is > shorter than the key from which it is derived, typically as small as > 32 bits. RES's length results from the goal of maintaining backward > compatibility with existing USIMs. RES is a choke point that can be > used to break the authentication. Instead of using RES, IK has much > greater entropy, and makes the attack prohibitively difficult. A > description of the attack against RES is given below. > > The authentication process can be summarized as follows: > > 1. UE attempts to register. > 2. The attempt is rejected because the UE is unauthenticated. The > rejection message includes AKA-related information and an HTTP-Digest > nonce. > 3. UE/USIM checks the AKA information and computes RES. > 4. RES is now used as the password shared by the UE and the CSCF. > 5. UE computes HTTP-Digest response based on RES, and > attempts to register. > 6. Registration succeeds. > > Subsequently > > 7. UE sends another SIP message (e.g. Invite) and the HTTP-Digest > method calculates authentication information based on RES. > (Actually, A1 is used, but it is derived from RES). > > Choke Point Attack > > An attacker monitoring the traffic would break the scheme as follows: > > The attacker has all the messages from steps 2 and 5 above. All of > the information used in the calculation of the response in step 5, > except for the value of RES is present in these messages. Assuming > RES is 32 bits, the attacker tries the 2**32 possible values, > comparing them to the captured response generated for step 5. With > very high probability, he will succeed with exactly one candidate > value for RES, in the time needed to calculate 2**31 MD5 hashes. > This takes ~5 minutes on a typical laptop. > > Once the value of RES is known, the attacker can now forge SIP > messages or alter them in transit, recalculating the Digest after > altering the message. > > By replacing the use of RES with a higher entropy quantity, this > attack can be prevented. As noted above, Greg recommends using IK as > a replacement for RES. > > best, > -- > > john noerenberg > jwn2@qualcomm.com > > -------------------------------------------------------------- > ------------ > The truth knocks on the door and you say, "Go away, I'm looking > for the truth," and so it goes away. Puzzling. > -- Zen and the Art of Motorcycle Maintenance, Robert M. > Pirsig, 1974 > > -------------------------------------------------------------- > ------------ >
- [Sip-security] SIP authentication problem when us… John W Noerenberg II
- [Sip-security] RE: SIP authentication problem whe… Sanjoy Sen
- [Sip-security] [Sipping] RE: SIP authentication p… John W Noerenberg II
- [Sip-security] RE: SIP authentication problem whe… Sanjoy Sen
- [Sip-security] RE: SIP authentication problem whe… Greg Rose
- [Sip-security] RE: SIP authentication problem whe… Greg Rose
- [Sip-security] Re: [Sipping] SIP authentication p… Jari Arkko
- [Sip-security] Re: [Sipping] SIP authentication p… Greg Rose
- [Sip-security] Re: [Sipping] SIP authentication p… Jari Arkko
- [Sip-security] Re: SIP authentication problem whe… Niemi Aki (NET/Espoo)
- [Sip-security] Re: SIP authentication problem whe… Niemi Aki (NET/Espoo)
- [Sip-security] Re: SIP authentication problem whe… Jari Arkko
- [Sip-security] Re: [Sipping] SIP authentication p… Niemi Aki (NET/Espoo)
- [Sip-security] RE: SIP authentication problem whe… James Undery
- [Sip-security] Re: [Sipping] Re: SIP authenticati… Niemi Aki (NET/Espoo)
- [Sip-security] RE: SIP authentication problem whe… Sanjoy Sen
- [Sip-security] RE: SIP authentication problem whe… Greg Rose
- Re: [Sip-security] RE: SIP authentication problem… Jari Arkko
- Re: [Sip-security] RE: SIP authentication problem… Greg Rose
- Re: [Sip-security] RE: SIP authentication problem… Jari Arkko
- Re: [Sip-security] RE: SIP authentication problem… Greg Rose
- Re: [Sip-security] RE: SIP authentication problem… John W Noerenberg II
- Re: [Sip-security] RE: SIP authentication problem… Greg Rose
- Re: [Sip-security] RE: SIP authentication problem… Jari Arkko