[Sip-security] Re: SIP authentication problem when using RES in Digest-AKA

"Niemi Aki (NET/Espoo)" <aki.niemi@nokia.com> Fri, 15 March 2002 09:29 UTC

Message-ID: <3C91BE88.2000507@nokia.com>
Date: Fri, 15 Mar 2002 11:27:36 +0200
From: "Niemi Aki (NET/Espoo)" <aki.niemi@nokia.com>
To: ext Sanjoy Sen <sanjoy@nortelnetworks.com>
CC: 'John W Noerenberg II' <jwn2@qualcomm.com>, sipping@ietf.org, sip-security@ietf.org, Greg Rose <ggr@qualcomm.com>, jari.arkko@ericsson.com, vesa.torvinen@ericsson.fi, James Undery <jundery@ubiquity.net>
References: <933FADF5E673D411B8A30002A5608A0E011879EB@zrc2c012.us.nortel.com>

Hi Sanjoy,

> Another option to think about is whether there is any need to carry AKA 
> credentials (as is) in the HTTP *-Authenticate and *-Authorization 
> headers. This means that we define AKA as an authentication scheme at 
> par with Digest (instead of using it as a password generation tool, say, 
> for Digest MD5). In HTTP Authentication syntax,

You are right. This is an alternative option, as we have discussed 
before. As AKA is secure in itself, there shouldn't be a problem sending 
AKA parameters in the clear.

However, by doing this you will lose the one thing that Digest provides, 
which is authentication of the SIP message, or at least parts of it 
during the authentication procedure.

So all in all, from the AKA perspective, both options should be equally 
secure, but with Digest AKA, the SIP message is better protected. How 
desirable exactly this added protection is, and indeed is the added cost 
of calculating the Digest MD5 worth the received benefits, is open to 
discussion.

Cheers,
Aki
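
Added example, not part of the original message: a sketch of the trade-off discussed above, computing the RFC 2617 Digest response with the AKA RES used as the password and comparing it with a bare RES/XRES check. All names and sample values (RES, nonce, users, bodies) are constructed for illustration.

```python
import hashlib
import hmac

def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()

def digest_response(password: bytes, username, realm, method, uri,
                    nonce, nc, cnonce, qop, body: bytes = b"") -> str:
    """RFC 2617 request-digest; here the password is the AKA RES."""
    ha1 = md5_hex(f"{username}:{realm}:".encode() + password)
    a2 = f"{method}:{uri}"
    if qop == "auth-int":          # auth-int also binds the message body
        a2 += ":" + md5_hex(body)
    ha2 = md5_hex(a2.encode())
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}".encode())

def server_accepts(response, xres, fields, body) -> bool:
    """Server recomputes the digest over the request it actually received."""
    expected = digest_response(xres, body=body, **fields)
    return hmac.compare_digest(expected, response)

def bare_aka_accepts(res: bytes, xres: bytes) -> bool:
    """AKA as its own scheme: RES is compared to XRES, no message field involved."""
    return hmac.compare_digest(res, xres)

# Constructed sample values (not from the thread)
RES = bytes.fromhex("0011223344556677")   # client AKA result; server XRES is equal
FIELDS = dict(username="alice@example.com", realm="example.com", method="INVITE",
              uri="sip:bob@example.com", nonce="bm9uY2U=", nc="00000001",
              cnonce="0a4f113b")
SENT = b"v=0\r\nc=IN IP4 192.0.2.10\r\n"
ALTERED = b"v=0\r\nc=IN IP4 198.51.100.7\r\n"   # body changed in transit

def compare_schemes() -> dict:
    """Map scheme -> (accepted with intact body, accepted with altered body)."""
    out = {}
    for qop in ("auth", "auth-int"):
        f = dict(FIELDS, qop=qop)
        resp = digest_response(RES, body=SENT, **f)
        out[qop] = (server_accepts(resp, RES, f, SENT),
                    server_accepts(resp, RES, f, ALTERED))
    out["bare-aka"] = (bare_aka_accepts(RES, RES), bare_aka_accepts(RES, RES))
    return out

if __name__ == "__main__":
    for scheme, (intact, altered) in compare_schemes().items():
        print(f"{scheme:9} intact={intact} altered-body={altered}")
```

Only qop=auth-int rejects the altered body; qop=auth still binds the method and Request-URI, while the bare RES check binds nothing in the SIP message.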


