IETF Logo Mail Archive

Re: [Sip-security] RE: SIP authentication problem when using RES in Digest-AKA

Greg Rose <ggr@qualcomm.com> Mon, 18 March 2002 20:44 UTC

Received: from optimus.ietf.org (ietf.org [132.151.1.19] (may be forged)) by ietf.org (8.9.1a/8.9.1a) with ESMTP id PAA19478 for <sip-security-archive@odin.ietf.org>; Mon, 18 Mar 2002 15:44:45 -0500 (EST)
Received: (from daemon@localhost) by optimus.ietf.org (8.9.1a/8.9.1) id PAA05172 for sip-security-archive@odin.ietf.org; Mon, 18 Mar 2002 15:44:49 -0500 (EST)
Received: from optimus.ietf.org (localhost [127.0.0.1]) by optimus.ietf.org (8.9.1a/8.9.1) with ESMTP id PAA05054; Mon, 18 Mar 2002 15:43:29 -0500 (EST)
Received: from ietf.org (odin [132.151.1.176]) by optimus.ietf.org (8.9.1a/8.9.1) with ESMTP id PAA05021 for <sip-security@ns.ietf.org>; Mon, 18 Mar 2002 15:43:26 -0500 (EST)
Received: from warlock.qualcomm.com (warlock.qualcomm.com [129.46.64.204]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id PAA19447 for <sip-security@ietf.org>; Mon, 18 Mar 2002 15:43:21 -0500 (EST)
Received: from avalon.qualcomm.com (avalon.qualcomm.com [203.30.171.11]) by warlock.qualcomm.com (8.12.1/8.9.3/8.9) with ESMTP id g2IKgqJL028338; Mon, 18 Mar 2002 12:42:53 -0800 (PST)
Received: from NAVAJO.qualcomm.com by avalon.qualcomm.com (8.8.8+Sun/SMI-SVR4) id HAA05530; Tue, 19 Mar 2002 07:42:13 +1100 (EST)
Message-Id: <4.3.1.2.20020319073002.01ae0438@127.0.0.1>
X-Sender: ggr2@127.0.0.1
X-Mailer: QUALCOMM Windows Eudora Version 4.3.1
Date: Tue, 19 Mar 2002 07:41:00 +1100
To: jari.arkko@piuha.net
From: Greg Rose <ggr@qualcomm.com>
Subject: Re: [Sip-security] RE: SIP authentication problem when using RES in Digest-AKA
Cc: Greg Rose <ggr@qualcomm.com>, James Undery <jundery@ubiquity.net>, John W Noerenberg II <jwn2@qualcomm.com>, sip-security@ietf.org, aki.niemi@nokia.com, jari.arkko@ericsson.com, vesa.torvinen@ericsson.fi, Sanjoy Sen <sanjoy@nortelnetworks.com>
In-Reply-To: <3C960ACB.9040907@piuha.net>
References: <4.3.1.2.20020318120008.01ac4fb8@127.0.0.1>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format="flowed"
Sender: sip-security-admin@ietf.org
Errors-To: sip-security-admin@ietf.org
X-Mailman-Version: 1.0
Precedence: bulk
List-Id: Security Issues for the SIP protocol <sip-security.ietf.org>
X-BeenThere: sip-security@ietf.org

Thanks for your questions.

At 05:42 PM 3/18/2002 +0200, Jari Arkko wrote:
>Greg Rose wrote in response to James Undery:
>
>
>>>The RES 'secret' is surely going to be recalculated each time the
>>>session entropy (i.e. nonce) changes. Thus I'd modify step 4 and add
>>>pre7
>>This is definitely not in line with the intent of AKA, or the existing 
>>architecture.
>
>
>What I understood James proposing is that *if* AKA is used for the
>authentication of an INVITE to the home after being used for authenticating
>a REGISTER, then AKA should be re-run.

Yes, in theory that would be fine, but I did not get this from my reading 
of draft-undery. It appears to me that it uses the same A1 that was 
calculated during the processing of the register message, in the subsequent 
step.

>In the above, do you mean the 3GPP architecture in 'the existing 
>architecture'?
> From what I understand the 3GPP architecture only intends to authenticate 
> REGISTERs
>with AKA. Therefore, if draft-niemi allows anything to happen after the
>first authentication, it is beyond the 3GPP architecture.

Yes, true.

>  If plugging a
>security hole requires that we never allow AKA authentication to be reused
>and always need a new full AKA run, I would say that's fine. Greg, does
>preventing reuse of the same RES help to block the security problem?

It helps but it doesn't completely solve the problem. Whatever the process 
by which RES (old *or new*) is used to calculate the authentication values, 
can be used by a man-in-the-middle:
1. Mal gets the SIP message, and blocks its onward delivery.
2. He quickly sets his lab of computers to the task of finding 32-bit RES.
3. Before the reply timer expires, he can create any message he wants, and 
authenticate it using that value of RES, even though it is only used once.

Note that even a 64-bit RES probably defeats this.

Note also that air-interface ciphering also stops it working, if Mal is on 
the air interface... but he might not be.

>Also, I have proposed simply requiring 128 bit RES values to be used,
>that solves the problem but is there any reason why we couldn't require
>it?

I had understood that there were compatibility issues with this, but that 
is a question for operators to answer... I don't know. Anyway, I'd be 
perfectly happy if that was done; all my objections would go away.

Thanks,
Greg.

Greg Rose                                       INTERNET: ggr@qualcomm.com
Qualcomm Australia          VOICE:  +61-2-9817 4188   FAX: +61-2-9817 5199
Level 3, 230 Victoria Road,                http://people.qualcomm.com/ggr/
Gladesville NSW 2111    232B EC8F 44C6 C853 D68F  E107 E6BF CD2F 1081 A37C


_______________________________________________
Sip-security mailing list
Sip-security@ietf.org
https://www1.ietf.org/mailman/listinfo/sip-security

v2.23.0 | Report a Bug | By Email