IETF Logo Mail Archive

[Sip-security] RE: SIP authentication problem when using RES in Digest-AKA

Greg Rose <ggr@qualcomm.com> Fri, 15 March 2002 02:03 UTC

Received: from optimus.ietf.org (ietf.org [132.151.1.19] (may be forged)) by ietf.org (8.9.1a/8.9.1a) with ESMTP id VAA07857 for <sip-security-archive@odin.ietf.org>; Thu, 14 Mar 2002 21:03:37 -0500 (EST)
Received: (from daemon@localhost) by optimus.ietf.org (8.9.1a/8.9.1) id VAA26427 for sip-security-archive@odin.ietf.org; Thu, 14 Mar 2002 21:03:40 -0500 (EST)
Received: from optimus.ietf.org (localhost [127.0.0.1]) by optimus.ietf.org (8.9.1a/8.9.1) with ESMTP id VAA26087; Thu, 14 Mar 2002 21:02:45 -0500 (EST)
Received: from ietf.org (odin [132.151.1.176]) by optimus.ietf.org (8.9.1a/8.9.1) with ESMTP id VAA26010 for <sip-security@optimus.ietf.org>; Thu, 14 Mar 2002 21:02:33 -0500 (EST)
Received: from warlock.qualcomm.com (warlock.qualcomm.com [129.46.64.204]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id VAA07771; Thu, 14 Mar 2002 21:02:30 -0500 (EST)
Received: from avalon.qualcomm.com (avalon.qualcomm.com [203.30.171.11]) by warlock.qualcomm.com (8.12.1/8.9.3/8.9) with ESMTP id g2F228JL001273; Thu, 14 Mar 2002 18:02:09 -0800 (PST)
Received: from NAVAJO.qualcomm.com by avalon.qualcomm.com (8.8.8+Sun/SMI-SVR4) id NAA29586; Fri, 15 Mar 2002 13:01:28 +1100 (EST)
Message-Id: <4.3.1.2.20020315125435.01bd4360@127.0.0.1>
X-Sender: ggr2@127.0.0.1
X-Mailer: QUALCOMM Windows Eudora Version 4.3.1
Date: Fri, 15 Mar 2002 13:00:44 +1100
To: Sanjoy Sen <sanjoy@nortelnetworks.com>
From: Greg Rose <ggr@qualcomm.com>
Cc: 'John W Noerenberg II' <jwn2@qualcomm.com>, sipping@ietf.org, sip-security@ietf.org, Greg Rose <ggr@qualcomm.com>, aki.niemi@nokia.com, jari.arkko@ericsson.com, vesa.torvinen@ericsson.fi, James Undery <jundery@ubiquity.net>
In-Reply-To: <933FADF5E673D411B8A30002A5608A0E011879EB@zrc2c012.us.norte l.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format="flowed"
Subject: [Sip-security] RE: SIP authentication problem when using RES in Digest-AKA
Sender: sip-security-admin@ietf.org
Errors-To: sip-security-admin@ietf.org
X-Mailman-Version: 1.0
Precedence: bulk
List-Id: Security Issues for the SIP protocol <sip-security.ietf.org>
X-BeenThere: sip-security@ietf.org

At 07:18 PM 3/14/2002 -0600, Sanjoy Sen wrote:

>Another option to think about is whether there is any need to carry AKA 
>credentials (as is) in the HTTP *-Authenticate and *-Authorization 
>headers. This means that we define AKA as an authentication scheme at par 
>with Digest (instead of using it as a password generation tool, say, for 
>Digest MD5). In HTTP Authentication syntax,
>
>challenge = "AKA" AKA-challenge
>AKA-challenge = 1#(rand | autn | auth-param)
>
>credential = "AKA" AKA-response
>AKA-response = 1#(res | [auts])
>
>where, rand, res, autn, auts (all AKA parameters) are all base64 encoded. 
>One advantage of this approach is that you need not run Digest algorithms 
>(draft-niemi-sipping-digest-aka-00 forces you to run both a Digest 
>algorithm and the AKA authentication algorithm).
>
>We discussed about this option but never reached any agreement on whether 
>to go for this. It was not clear whether transferring res will lead to any 
>potential security attacks.

I think that somehow doing it directly got tied up with use of EAP to 
encapsulate everything, and the EAP approach was then dropped. But direct 
use of AKA instead of doing both AKA and then Digest is (IMO) far 
preferable. Then A1 for draft-undery-... could be IK (or derived from it) 
without any problem I'm aware of. I'm not sure what happened to this 
possibility.

The security analysis of 3GPP AKA is available, and it is clear that there 
is no security exposure in revealing RAND, RES and AUTN publicly (except 
enabling brute-force offline attack, which was already true for HTTP-Digest).

Greg.


> > -----Original Message-----
> > From: John W Noerenberg II 
> [<mailto:jwn2@qualcomm.com>mailto:jwn2@qualcomm.com]
> > Sent: Thursday, March 14, 2002 6:38 PM
> > To: sipping@ietf.org; sip-security@ietf.org
> > Cc: Greg Rose; aki.niemi@nokia.com; jari.arkko@ericsson.com;
> > vesa.torvinen@ericsson.fi; James Undery; Sen, Sanjoy [NGC:B692:EXCH]
> > Subject: SIP authentication problem when using RES in Digest-AKA
> >
> >
> > Greg Rose has identified a security problem when HTTP-Digest is
> > combined with the mechanism proposed in
> > draft-niemi-sipping-digest-aka-00 and draft-undery-sip-auth-00.  He's
> > outlined this for the 3GPP TSG SA WG3, one of the TSG security area
> > working groups.
> >
> > Essentially the problem is a consequence of using a RES that is
> > shorter than the key from which it is derived, typically as small as
> > 32 bits.  RES's length results from the goal of maintaining backward
> > compatibility with existing USIMs.  RES is a choke point that can be
> > used to break the authentication.  Instead of using RES, IK has much
> > greater entropy, and makes the attack prohibitively difficult.  A
> > description of the attack against RES is given below.
> >
> > The authentication process can be summarized as follows:
> >
> > 1. UE attempts to register.
> > 2. The attempt is rejected because the UE is unauthenticated.  The
> > rejection message includes AKA-related information and an HTTP-Digest
> > nonce.
> > 3. UE/USIM checks the AKA information and computes RES.
> > 4. RES is now used as the password shared by the UE and the CSCF.
> > 5. UE computes HTTP-Digest response based on RES, and
> > attempts to register.
> > 6. Registration succeeds.
> >
> > Subsequently
> >
> > 7. UE sends another SIP message (e.g. Invite) and the HTTP-Digest
> > method calculates authentication information based on RES.
> > (Actually, A1 is used, but it is derived from RES).
> >
> > Choke Point Attack
> >
> > An attacker monitoring the traffic would break the scheme as follows:
> >
> > The attacker has all the messages from steps 2 and 5 above.  All of
> > the information used in the calculation of the response in step 5,
> > except for the value of RES is present in these messages.  Assuming
> > RES is 32 bits, the attacker tries the 2**32 possible values,
> > comparing them to the captured response generated for step 5.  With
> > very high probability, he will succeed with exactly one candidate
> > value for RES, in the time needed to calculate 2**31 MD5 hashes.
> > This takes ~5 minutes on a typical laptop.
> >
> > Once the value of RES is known, the attacker can now forge SIP
> > messages or alter them in transit, recalculating the Digest after
> > altering the message.
> >
> > By replacing the use of RES with a higher entropy quantity, this
> > attack can be prevented.  As noted above, Greg recommends using IK as
> > a replacement for RES.
> >
> > best,
> > --
> >
> > john noerenberg
> > jwn2@qualcomm.com
> >
> > --------------------------------------------------------------
> > ------------
> >    The truth knocks on the door and you say, "Go away, I'm looking
> >    for the truth,"  and so it goes away.  Puzzling.
> >    -- Zen and the Art of Motorcycle Maintenance, Robert M.
> > Pirsig, 1974
> >
> > --------------------------------------------------------------
> > ------------
> >


Greg Rose                                       INTERNET: ggr@qualcomm.com
Qualcomm Australia          VOICE:  +61-2-9817 4188   FAX: +61-2-9817 5199
Level 3, 230 Victoria Road,                http://people.qualcomm.com/ggr/
Gladesville NSW 2111    232B EC8F 44C6 C853 D68F  E107 E6BF CD2F 1081 A37C


_______________________________________________
Sip-security mailing list
Sip-security@ietf.org
https://www1.ietf.org/mailman/listinfo/sip-security

v2.23.0 | Report a Bug | By Email