[Sip-security] RE: SIP authentication problem when using RES in Digest-AKA

["Sanjoy Sen"<sanjoy@nortelnetworks.com>]

draft-undery-sip-auth-00.txt doesn't make any recommendation as to how the
password should be computed. However, I remember that when we took the
proposal of using Digest for the first time to 3GPP, we had recommended
using IK as the password. 

Sanjoy

> -----Original Message-----
> From: John W Noerenberg II [mailto:jwn2@qualcomm.com]
> Sent: Thursday, March 14, 2002 6:38 PM
> To: sipping@ietf.org; sip-security@ietf.org
> Cc: Greg Rose; aki.niemi@nokia.com; jari.arkko@ericsson.com;
> vesa.torvinen@ericsson.fi; James Undery; Sen, Sanjoy [NGC:B692:EXCH]
> Subject: SIP authentication problem when using RES in Digest-AKA
> 
> 
> Greg Rose has identified a security problem when HTTP-Digest is 
> combined with the mechanism proposed in 
> draft-niemi-sipping-digest-aka-00 and draft-undery-sip-auth-00.  He's 
> outlined this for the 3GPP TSG SA WG3, one of the TSG security area 
> working groups.
> 
> Essentially the problem is a consequence of using a RES that is 
> shorter than the key from which it is derived, typically as small as 
> 32 bits.  RES's length results from the goal of maintaining backward 
> compatibility with existing USIMs.  RES is a choke point that can be 
> used to break the authentication.  Instead of using RES, IK has much 
> greater entropy, and makes the attack prohibitively difficult.  A 
> description of the attack against RES is given below.
> 
> The authentication process can be summarized as follows:
> 
> 1. UE attempts to register.
> 2. The attempt is rejected because the UE is unauthenticated.  The 
> rejection message includes AKA-related information and an HTTP-Digest 
> nonce.
> 3. UE/USIM checks the AKA information and computes RES.
> 4. RES is now used as the password shared by the UE and the CSCF.
> 5. UE computes HTTP-Digest response based on RES, and 
> attempts to register.
> 6. Registration succeeds.
> 
> Subsequently
> 
> 7. UE sends another SIP message (e.g. Invite) and the HTTP-Digest 
> method calculates authentication information based on RES. 
> (Actually, A1 is used, but it is derived from RES).
> 
> Choke Point Attack
> 
> An attacker monitoring the traffic would break the scheme as follows:
> 
> The attacker has all the messages from steps 2 and 5 above.  All of 
> the information used in the calculation of the response in step 5, 
> except for the value of RES is present in these messages.  Assuming 
> RES is 32 bits, the attacker tries the 2**32 possible values, 
> comparing them to the captured response generated for step 5.  With 
> very high probability, he will succeed with exactly one candidate 
> value for RES, in the time needed to calculate 2**31 MD5 hashes. 
> This takes ~5 minutes on a typical laptop.
> 
> Once the value of RES is known, the attacker can now forge SIP 
> messages or alter them in transit, recalculating the Digest after 
> altering the message.
> 
> By replacing the use of RES with a higher entropy quantity, this 
> attack can be prevented.  As noted above, Greg recommends using IK as 
> a replacement for RES.
> 
> best,
> -- 
> 
> john noerenberg
> jwn2@qualcomm.com
>    
> --------------------------------------------------------------
> ------------
>    The truth knocks on the door and you say, "Go away, I'm looking
>    for the truth,"  and so it goes away.  Puzzling.
>    -- Zen and the Art of Motorcycle Maintenance, Robert M. 
> Pirsig, 1974
>    
> --------------------------------------------------------------
> ------------
>