[Sip-security] Re: SIP authentication problem when using RES in Digest-AKA
"Niemi Aki (NET/Espoo)" <aki.niemi@nokia.com> Fri, 15 March 2002 09:29 UTC
Received: from optimus.ietf.org (ietf.org [132.151.1.19] (may be forged)) by ietf.org (8.9.1a/8.9.1a) with ESMTP id EAA24351 for <sip-security-archive@odin.ietf.org>; Fri, 15 Mar 2002 04:29:28 -0500 (EST)
Received: (from daemon@localhost) by optimus.ietf.org (8.9.1a/8.9.1) id EAA01594 for sip-security-archive@odin.ietf.org; Fri, 15 Mar 2002 04:29:30 -0500 (EST)
Received: from optimus.ietf.org (localhost [127.0.0.1]) by optimus.ietf.org (8.9.1a/8.9.1) with ESMTP id EAA01457; Fri, 15 Mar 2002 04:27:59 -0500 (EST)
Received: from ietf.org (odin [132.151.1.176]) by optimus.ietf.org (8.9.1a/8.9.1) with ESMTP id EAA01415 for <sip-security@optimus.ietf.org>; Fri, 15 Mar 2002 04:27:56 -0500 (EST)
Received: from mgw-x3.nokia.com (mgw-x3.nokia.com [131.228.20.26]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id EAA24306; Fri, 15 Mar 2002 04:27:50 -0500 (EST)
Received: from esvir01nok.ntc.nokia.com (esvir01nokt.ntc.nokia.com [172.21.143.33]) by mgw-x3.nokia.com (Switch-2.1.0/Switch-2.1.0) with ESMTP id g2F9SYi18793; Fri, 15 Mar 2002 11:28:34 +0200 (EET)
Received: from esebh001.NOE.Nokia.com (unverified) by esvir01nok.ntc.nokia.com (Content Technologies SMTPRS 4.2.5) with ESMTP id <T59a6271f85ac158f21082@esvir01nok.ntc.nokia.com>; Fri, 15 Mar 2002 11:27:51 +0200
Received: from nokia.com ([172.21.149.105]) by esebh001.NOE.Nokia.com with Microsoft SMTPSVC(5.0.2195.3779); Fri, 15 Mar 2002 11:27:50 +0200
Message-ID: <3C91BE88.2000507@nokia.com>
Date: Fri, 15 Mar 2002 11:27:36 +0200
From: "Niemi Aki (NET/Espoo)" <aki.niemi@nokia.com>
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:0.9.8) Gecko/20020212
X-Accept-Language: en-us
MIME-Version: 1.0
To: ext Sanjoy Sen <sanjoy@nortelnetworks.com>
CC: 'John W Noerenberg II' <jwn2@qualcomm.com>, sipping@ietf.org, sip-security@ietf.org, Greg Rose <ggr@qualcomm.com>, jari.arkko@ericsson.com, vesa.torvinen@ericsson.fi, James Undery <jundery@ubiquity.net>
References: <933FADF5E673D411B8A30002A5608A0E011879EB@zrc2c012.us.nortel.com>
Content-Type: text/plain; charset="us-ascii"; format="flowed"
Content-Transfer-Encoding: 7bit
X-OriginalArrivalTime: 15 Mar 2002 09:27:50.0871 (UTC) FILETIME=[AD5E9670:01C1CC03]
Content-Transfer-Encoding: 7bit
Subject: [Sip-security] Re: SIP authentication problem when using RES in Digest-AKA
Sender: sip-security-admin@ietf.org
Errors-To: sip-security-admin@ietf.org
X-Mailman-Version: 1.0
Precedence: bulk
List-Id: Security Issues for the SIP protocol <sip-security.ietf.org>
X-BeenThere: sip-security@ietf.org
Content-Transfer-Encoding: 7bit
Hi Sanjoy, > Another option to think about is whether there is any need to carry AKA > credentials (as is) in the HTTP *-Authenticate and *-Authorization > headers. This means that we define AKA as an authentication scheme at > par with Digest (instead of using it as a password generation tool, say, > for Digest MD5). In HTTP Authentication syntax, You are right. This is an alternative option, as we have discussed before. As AKA is secure in itself, there shouldn't be a problem sending AKA parameters in the clear. However, by doing this you will lose the one thing that Digest provides, which is authentication of the SIP message, or at least parts of it during the authentication procedure. So all in all, from the AKA perspective, both options should be equally secure, but with Digest AKA, the SIP message is better protected. How desirable exactly this added protection is, and indeed is the added cost of calculating the Digest MD5 worth the received benefits, is open to discussion. Cheers, Aki _______________________________________________ Sip-security mailing list Sip-security@ietf.org https://www1.ietf.org/mailman/listinfo/sip-security
- [Sip-security] SIP authentication problem when us… John W Noerenberg II
- [Sip-security] RE: SIP authentication problem whe… Sanjoy Sen
- [Sip-security] [Sipping] RE: SIP authentication p… John W Noerenberg II
- [Sip-security] RE: SIP authentication problem whe… Sanjoy Sen
- [Sip-security] RE: SIP authentication problem whe… Greg Rose
- [Sip-security] RE: SIP authentication problem whe… Greg Rose
- [Sip-security] Re: [Sipping] SIP authentication p… Jari Arkko
- [Sip-security] Re: [Sipping] SIP authentication p… Greg Rose
- [Sip-security] Re: [Sipping] SIP authentication p… Jari Arkko
- [Sip-security] Re: SIP authentication problem whe… Niemi Aki (NET/Espoo)
- [Sip-security] Re: SIP authentication problem whe… Niemi Aki (NET/Espoo)
- [Sip-security] Re: SIP authentication problem whe… Jari Arkko
- [Sip-security] Re: [Sipping] SIP authentication p… Niemi Aki (NET/Espoo)
- [Sip-security] RE: SIP authentication problem whe… James Undery
- [Sip-security] Re: [Sipping] Re: SIP authenticati… Niemi Aki (NET/Espoo)
- [Sip-security] RE: SIP authentication problem whe… Sanjoy Sen
- [Sip-security] RE: SIP authentication problem whe… Greg Rose
- Re: [Sip-security] RE: SIP authentication problem… Jari Arkko
- Re: [Sip-security] RE: SIP authentication problem… Greg Rose
- Re: [Sip-security] RE: SIP authentication problem… Jari Arkko
- Re: [Sip-security] RE: SIP authentication problem… Greg Rose
- Re: [Sip-security] RE: SIP authentication problem… John W Noerenberg II
- Re: [Sip-security] RE: SIP authentication problem… Greg Rose
- Re: [Sip-security] RE: SIP authentication problem… Jari Arkko