[Sip-security] RE: [Sipping] RE: SIP authentication problem when using RES in Di gest-AKA

"Krister Boman (EMW)" <Krister.Boman@emw.ericsson.se> Mon, 18 March 2002 12:32 UTC

Received: from optimus.ietf.org (ietf.org [132.151.1.19] (may be forged)) by ietf.org (8.9.1a/8.9.1a) with ESMTP id HAA04096 for <sip-security-archive@odin.ietf.org>; Mon, 18 Mar 2002 07:32:17 -0500 (EST)
Received: (from daemon@localhost) by optimus.ietf.org (8.9.1a/8.9.1) id HAA00187 for sip-security-archive@odin.ietf.org; Mon, 18 Mar 2002 07:32:20 -0500 (EST)
Received: from optimus.ietf.org (localhost [127.0.0.1]) by optimus.ietf.org (8.9.1a/8.9.1) with ESMTP id HAA00105; Mon, 18 Mar 2002 07:31:20 -0500 (EST)
Received: from ietf.org (odin [132.151.1.176]) by optimus.ietf.org (8.9.1a/8.9.1) with ESMTP id HAA00074 for <sip-security@optimus.ietf.org>; Mon, 18 Mar 2002 07:31:18 -0500 (EST)
Received: from albatross.wise.edt.ericsson.se (albatross-ext.wise.edt.ericsson.se [193.180.251.46]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id HAA04079 for <sip-security@ietf.org>; Mon, 18 Mar 2002 07:31:11 -0500 (EST)
Received: from esealnt461 (esealnt461.al.sw.ericsson.se [153.88.251.61]) by albatross.wise.edt.ericsson.se (8.12.1/8.12.1/WIREfire-1.4) with SMTP id g2ICVBUw029411 for <sip-security@ietf.org>; Mon, 18 Mar 2002 13:31:11 +0100 (MET)
Received: FROM esealnt400.al.sw.ericsson.se BY esealnt461 ; Mon Mar 18 13:31:09 2002 +0100
Received: by esealnt400 with Internet Mail Service (5.5.2653.19) id <GQ9S8M6S>; Mon, 18 Mar 2002 13:29:27 +0100
Message-ID: <9BE4301455E0D211966C0008C75D692B0642964C@esemont031.gbg.edt.ericsson.se>
From: "Krister Boman (EMW)" <Krister.Boman@emw.ericsson.se>
To: 'James Undery' <jundery@ubiquity.net>, John W Noerenberg II <jwn2@qualcomm.com>, sipping@ietf.org, sip-security@ietf.org, Greg Rose <ggr@qualcomm.com>
Cc: aki.niemi@nokia.com, jari.arkko@ericsson.com, "Vesa Torvinen (LMF)" <Vesa.Torvinen@lmf.ericsson.se>, Sanjoy Sen <sanjoy@nortelnetworks.com>
Date: Mon, 18 Mar 2002 13:31:05 +0100
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.5.2653.19)
Content-Type: text/plain; charset="iso-8859-1"
Subject: [Sip-security] RE: [Sipping] RE: SIP authentication problem when using RES in Di gest-AKA
Sender: sip-security-admin@ietf.org
Errors-To: sip-security-admin@ietf.org
X-Mailman-Version: 1.0
Precedence: bulk
List-Id: Security Issues for the SIP protocol <sip-security.ietf.org>
X-BeenThere: sip-security@ietf.org

Dear All,
sorry if I may repeat something due to coming late into the discussions here. 

I have anyway some comments especially to the text from John below. I interpret the text below as being 3GPP architecture specific since the terms UE and CSCF are mentioned. I think that regarding authentication and integrity protection 3GPP have the following possible scenarios under discussion:

Authentication:
1. Digest AKA is used for authentication and the subscriber could potentially use the RES as a password.

Integrity protecion:
2a. Using Extensions to Digest as described in the Undery I-D and in TS33.203 where the *IK* (128 bits) should be used as integrity key/password, please consult TS33.203 version 200 clause C.2.1.
2b. Using IPSec ESP as a basis were SIP take the IKE role etc. Still the same key i.e. *IK* as in 2a has to be transported to the IPSec layer so it would also be 128 bits.

So regardless if 2a or 2b is finally the preferred solution still case 1. is applicable for both solutions. Hence 7. below should not occur according to TS33.203.

Question: Is there any really security problems which is specifically linked between Digest AKA and the Undery I-D/TS33.203? I cannot see that right now. But maybe I have misinterpreted something?

Another question: why cannot 3GPP mandate for case 1. that the RES shall be 128 bits for IMS access if that is used as a password to Digest AKA?

Regards
Krister Boman
Editor of TS33.203





-----Original Message-----
From: James Undery [mailto:jundery@ubiquity.net]
Sent: fredag 15 mars 2002 11:08
To: John W Noerenberg II; sipping@ietf.org; sip-security@ietf.org
Cc: Greg Rose; aki.niemi@nokia.com; jari.arkko@ericsson.com;
vesa.torvinen@lmf.ericsson.se; Sanjoy Sen
Subject: [Sipping] RE: SIP authentication problem when using RES in
Digest-AKA


Forgive me for being a bit slow, but I can't see how this attack works.
Firstly I'll check RES uses a shared secret and some entropy to create a
session password to provide forward security?

Comments inline.

> -----Original Message-----
> From: John W Noerenberg II [mailto:jwn2@qualcomm.com]
> Sent: 15 March 2002 00:38
> To: sipping@ietf.org; sip-security@ietf.org
> Cc: Greg Rose; aki.niemi@nokia.com; jari.arkko@ericsson.com;
> vesa.torvinen@ericsson.fi; James Undery; Sanjoy Sen
> Subject: SIP authentication problem when using RES in Digest-AKA
> 
> 
> Greg Rose has identified a security problem when HTTP-Digest is 
> combined with the mechanism proposed in 
> draft-niemi-sipping-digest-aka-00 and draft-undery-sip-auth-00.  He's 
> outlined this for the 3GPP TSG SA WG3, one of the TSG security area 
> working groups.
> 
> Essentially the problem is a consequence of using a RES that is 
> shorter than the key from which it is derived, typically as small as 
> 32 bits.  RES's length results from the goal of maintaining backward 
> compatibility with existing USIMs.  RES is a choke point that can be 
> used to break the authentication.  Instead of using RES, IK has much 
> greater entropy, and makes the attack prohibitively difficult.  A 
> description of the attack against RES is given below.
> 
> The authentication process can be summarized as follows:
> 
> 1. UE attempts to register.
> 2. The attempt is rejected because the UE is unauthenticated.  The 
> rejection message includes AKA-related information and an HTTP-Digest 
> nonce.
> 3. UE/USIM checks the AKA information and computes RES.
> 4. RES is now used as the password shared by the UE and the CSCF.
> 5. UE computes HTTP-Digest response based on RES, and 
> attempts to register.
> 6. Registration succeeds.
> 
> Subsequently
> 
> 7. UE sends another SIP message (e.g. Invite) and the HTTP-Digest 
> method calculates authentication information based on RES. 
> (Actually, A1 is used, but it is derived from RES).
> 
> Choke Point Attack
> 
> An attacker monitoring the traffic would break the scheme as follows:
> 
> The attacker has all the messages from steps 2 and 5 above.  All of 
> the information used in the calculation of the response in step 5, 
> except for the value of RES is present in these messages.  Assuming 
> RES is 32 bits, the attacker tries the 2**32 possible values, 
> comparing them to the captured response generated for step 5.  With 
> very high probability, he will succeed with exactly one candidate 
> value for RES, in the time needed to calculate 2**31 MD5 hashes. 
> This takes ~5 minutes on a typical laptop.

The RES 'secret' is surely going to be recalculated each time the
session entropy (i.e. nonce) changes. Thus I'd modify step 4 and add
pre7

4. RES is now used as the password shared by the UE and the CSCF for the
register.

pre7. UE/USIM checks the AKA information and computes RES. RES is now
used as the password shared by the UE and the CSCF until the nonce is
changed.

The attacker now can obtain the old RES 'secret' and it has bought him
zip unless given enough of these he can break the method the RES
'secret' is calculated.

> Once the value of RES is known, the attacker can now forge SIP 
> messages or alter them in transit, recalculating the Digest after 
> altering the message.
> 
> By replacing the use of RES with a higher entropy quantity, this 
> attack can be prevented.  As noted above, Greg recommends using IK as 
> a replacement for RES.


_______________________________________________
Sipping mailing list  https://www1.ietf.org/mailman/listinfo/sipping
This list is for NEW development of the application of SIP
Use sip-implementors@cs.columbia.edu for questions on current sip
Use sip@ietf.org for new developments of core SIP

_______________________________________________
Sip-security mailing list
Sip-security@ietf.org
https://www1.ietf.org/mailman/listinfo/sip-security