[Sip-security] RE: SIP authentication problem when using RES in Digest-AKA
"Sanjoy Sen" <sanjoy@nortelnetworks.com> Fri, 15 March 2002 00:49 UTC
Message-ID: <933FADF5E673D411B8A30002A5608A0E011879EA@zrc2c012.us.nortel.com>
From: Sanjoy Sen <sanjoy@nortelnetworks.com>
To: 'John W Noerenberg II' <jwn2@qualcomm.com>, sipping@ietf.org, sip-security@ietf.org
Cc: Greg Rose <ggr@qualcomm.com>, aki.niemi@nokia.com, jari.arkko@ericsson.com, vesa.torvinen@ericsson.fi, James Undery <jundery@ubiquity.net>
Date: Thu, 14 Mar 2002 18:48:10 -0600

draft-undery-sip-auth-00.txt doesn't make any recommendation as to how the password should be computed. However, I remember that when we took the proposal of using Digest for the first time to 3GPP, we had recommended using IK as the password.

Sanjoy

> -----Original Message-----
> From: John W Noerenberg II [mailto:jwn2@qualcomm.com]
> Sent: Thursday, March 14, 2002 6:38 PM
> To: sipping@ietf.org; sip-security@ietf.org
> Cc: Greg Rose; aki.niemi@nokia.com; jari.arkko@ericsson.com;
> vesa.torvinen@ericsson.fi; James Undery; Sen, Sanjoy [NGC:B692:EXCH]
> Subject: SIP authentication problem when using RES in Digest-AKA
>
>
> Greg Rose has identified a security problem when HTTP-Digest is
> combined with the mechanism proposed in
> draft-niemi-sipping-digest-aka-00 and draft-undery-sip-auth-00. He's
> outlined this for the 3GPP TSG SA WG3, one of the TSG security area
> working groups.
>
> Essentially the problem is a consequence of using a RES that is
> shorter than the key from which it is derived, typically as small as
> 32 bits. RES's length results from the goal of maintaining backward
> compatibility with existing USIMs. RES is a choke point that can be
> used to break the authentication. Instead of using RES, IK has much
> greater entropy, and makes the attack prohibitively difficult. A
> description of the attack against RES is given below.
>
> The authentication process can be summarized as follows:
>
> 1. UE attempts to register.
> 2. The attempt is rejected because the UE is unauthenticated. The
> rejection message includes AKA-related information and an HTTP-Digest
> nonce.
> 3. UE/USIM checks the AKA information and computes RES.
> 4. RES is now used as the password shared by the UE and the CSCF.
> 5. UE computes HTTP-Digest response based on RES, and
> attempts to register.
> 6. Registration succeeds.
>
> Subsequently
>
> 7. UE sends another SIP message (e.g. Invite) and the HTTP-Digest
> method calculates authentication information based on RES.
> (Actually, A1 is used, but it is derived from RES).
>
> Choke Point Attack
>
> An attacker monitoring the traffic would break the scheme as follows:
>
> The attacker has all the messages from steps 2 and 5 above. All of
> the information used in the calculation of the response in step 5,
> except for the value of RES is present in these messages. Assuming
> RES is 32 bits, the attacker tries the 2**32 possible values,
> comparing them to the captured response generated for step 5. With
> very high probability, he will succeed with exactly one candidate
> value for RES, in the time needed to calculate 2**31 MD5 hashes.
> This takes ~5 minutes on a typical laptop.
>
> Once the value of RES is known, the attacker can now forge SIP
> messages or alter them in transit, recalculating the Digest after
> altering the message.
>
> By replacing the use of RES with a higher entropy quantity, this
> attack can be prevented. As noted above, Greg recommends using IK as
> a replacement for RES.
>
> best,
> --
>
> john noerenberg
> jwn2@qualcomm.com
>
> --------------------------------------------------------------
> ------------
> The truth knocks on the door and you say, "Go away, I'm looking
> for the truth," and so it goes away. Puzzling.
> -- Zen and the Art of Motorcycle Maintenance, Robert M.
> Pirsig, 1974
>
> --------------------------------------------------------------
> ------------
>
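
The entropy argument in the quoted message, as an added example that is not part of the thread or of either draft: it models the step 5 response as an RFC 2617 digest without qop and shows that the shared secret's width alone sets the offline work, comparing 32-bit and 128-bit secrets. Assumptions: the secret's raw bytes are used directly as the Digest password, every field value is constructed, and the function names and the 14-bit toy secret are hypothetical.

```python
import hashlib
import time

def md5hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()

def digest_response(user, realm, secret: bytes, nonce, method, uri) -> str:
    """RFC 2617 response without qop: MD5(HA1 ":" nonce ":" HA2)."""
    ha1 = md5hex(user.encode() + b":" + realm.encode() + b":" + secret)
    ha2 = md5hex(f"{method}:{uri}".encode())
    return md5hex(f"{ha1}:{nonce}:{ha2}".encode())

# Constructed values standing in for what is visible in steps 2 and 5.
ON_THE_WIRE = dict(user="ue1@example.invalid", realm="example.invalid",
                   nonce="constructed-nonce-0001", method="REGISTER",
                   uri="sip:example.invalid")

def exhaust(wire, response, bits):
    """Check every `bits`-wide secret against one observed response."""
    width = (bits + 7) // 8
    start = time.perf_counter()
    hits = [v for v in range(1 << bits)
            if digest_response(secret=v.to_bytes(width, "big"), **wire) == response]
    return hits, time.perf_counter() - start

def expected_seconds(bits, guesses_per_second):
    """Average case: half of the 2**bits candidates are tried."""
    return 2 ** (bits - 1) / guesses_per_second

def demo(toy_bits=14, toy_secret=0x2A5C):
    # The toy secret is constructed and deliberately far narrower than RES.
    response = digest_response(secret=toy_secret.to_bytes(2, "big"), **ON_THE_WIRE)
    hits, seconds = exhaust(ON_THE_WIRE, response, toy_bits)
    rate = (1 << toy_bits) / seconds  # guesses per second on this machine
    est = {bits: expected_seconds(bits, rate) for bits in (32, 128)}
    return {"recovered": hits, "rate": rate, "est_seconds": est}

if __name__ == "__main__":
    result = demo()
    print("unique match:", result["recovered"] == [0x2A5C])
    for bits, secs in result["est_seconds"].items():
        print(f"{bits:>3}-bit secret: ~{secs:.3g} s at {result['rate']:.0f} guesses/s")
```

The absolute times depend on the machine and on this unoptimized Python loop; the point is the 2**96 ratio between the two estimates, which is what moving from a 32-bit RES to a 128-bit secret buys.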