draft-ietf-sip-digest-aka-02.txt   draft-ietf-sip-digest-aka-03.txt 
Network Working Group A. Niemi Network Working Group A. Niemi
Internet-Draft Nokia Internet-Draft Nokia
Expires: November 13, 2002 J. Arkko Expires: November 18, 2002 J. Arkko
V. Torvinen V. Torvinen
Ericsson Ericsson
May 15, 2002 May 20, 2002
HTTP Digest Authentication Using AKA HTTP Digest Authentication Using AKA
draft-ietf-sip-digest-aka-02 draft-ietf-sip-digest-aka-03
Status of this Memo Status of this Memo
This document is an Internet-Draft and is in full conformance with This document is an Internet-Draft and is in full conformance with
all provisions of Section 10 of RFC2026. all provisions of Section 10 of RFC2026.
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that Task Force (IETF), its areas, and its working groups. Note that
other groups may also distribute working documents as Internet- other groups may also distribute working documents as Internet-
Drafts. Drafts.
skipping to change at page 1, line 34 skipping to change at page 1, line 34
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at http:// The list of current Internet-Drafts can be accessed at http://
www.ietf.org/ietf/1id-abstracts.txt. www.ietf.org/ietf/1id-abstracts.txt.
The list of Internet-Draft Shadow Directories can be accessed at The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html. http://www.ietf.org/shadow.html.
This Internet-Draft will expire on November 13, 2002. This Internet-Draft will expire on November 18, 2002.
Copyright Notice Copyright Notice
Copyright (C) The Internet Society (2002). All Rights Reserved. Copyright (C) The Internet Society (2002). All Rights Reserved.
Abstract Abstract
The Hypertext Transfer Protocol (HTTP) Authentication Framework The Hypertext Transfer Protocol (HTTP) Authentication Framework
includes two authentication schemes: Basic and Digest. Both schemes includes two authentication schemes: Basic and Digest. Both schemes
employ a shared secret based mechanism for access authentication. employ a shared secret based mechanism for access authentication.
skipping to change at page 3, line 20 skipping to change at page 3, line 20
access authentication. The Basic scheme is inherently insecure in access authentication. The Basic scheme is inherently insecure in
that it transmits user credentials in plain text. The Digest scheme that it transmits user credentials in plain text. The Digest scheme
improves security by hiding user credentials with cryptographic improves security by hiding user credentials with cryptographic
hashes, and additionally by providing limited message integrity. hashes, and additionally by providing limited message integrity.
The Authentication and Key Agreement (AKA) [6] mechanism performs The Authentication and Key Agreement (AKA) [6] mechanism performs
authentication and session key distribution in Universal Mobile authentication and session key distribution in Universal Mobile
Telecommunications System (UMTS) networks. AKA is a challenge- Telecommunications System (UMTS) networks. AKA is a challenge-
response based mechanism that uses symmetric cryptography. AKA is response based mechanism that uses symmetric cryptography. AKA is
typically run in a UMTS IM Services Identity Module (ISIM), which typically run in a UMTS IM Services Identity Module (ISIM), which
resides on a smart card like device that also provides tamper proof resides on a smart card like device that also provides tamper
storage of shared secrets. resistant storage of shared secrets.
This document specifies a mapping of AKA parameters onto HTTP Digest This document specifies a mapping of AKA parameters onto HTTP Digest
authentication. In essence, this mapping enables the usage of AKA as authentication. In essence, this mapping enables the usage of AKA as
a one-time password generation mechanism for Digest authentication. a one-time password generation mechanism for Digest authentication.
As the Session Initiation Protocol (SIP) [3] Authentication Framework As the Session Initiation Protocol (SIP) [3] Authentication Framework
closely follows the HTTP Authentication Framework, Digest AKA is closely follows the HTTP Authentication Framework, Digest AKA is
directly applicable to SIP as well as any other embodiment of HTTP directly applicable to SIP as well as any other embodiment of HTTP
Digest. Digest.
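Review bot: In the AKA paragraph of the introduction, the new wording "tamper resistant storage" uses the phrase as a compound modifier and should be hyphenated as "tamper-resistant storage". The change from "tamper proof" is the more defensible claim and is worth keeping. "smart card like device" in the same sentence has the same problem and would read better as "smart-card-like device".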
skipping to change at page 4, line 47 skipping to change at page 4, line 47
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in RFC 2119 [1]. document are to be interpreted as described in RFC 2119 [1].
2. AKA Mechanism Overview 2. AKA Mechanism Overview
This chapter describes the AKA operation in detail: This chapter describes the AKA operation in detail:
1. A shared secret K is established beforehand between the ISIM and 1. A shared secret K is established beforehand between the ISIM and
the Authentication Center (AuC). The secret is stored in the the Authentication Center (AuC). The secret is stored in the
ISIM, which resides on a smart card like, tamper proof device. ISIM, which resides on a smart card like, tamper resistant
device.
2. The AuC of the home network produces an authentication vector AV 2. The AuC of the home network produces an authentication vector AV
based on the shared secret K and a sequence number SQN. The based on the shared secret K and a sequence number SQN. The
authentication vector contains a random challenge RAND, network authentication vector contains a random challenge RAND, network
authentication token AUTN, expected authentication result XRES, a authentication token AUTN, expected authentication result XRES, a
session key for integrity check IK, and a session key for session key for integrity check IK, and a session key for
encryption CK. encryption CK.
3. The authentication vector is downloaded to a server. Optionally, 3. The authentication vector is downloaded to a server. Optionally,
the server can also download a batch of AVs, containing more than the server can also download a batch of AVs, containing more than
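Review bot: Step 1 says K is established between the ISIM and the AuC, but after this change it still describes storage only on the ISIM side ("The secret is stored in the ISIM, which resides on a smart card like, tamper resistant device"). Consider adding a sentence on how the AuC copy of K is protected, or a pointer to the security considerations, since step 2 derives every authentication vector from that copy.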
skipping to change at page 15, line 9 skipping to change at page 15, line 9
protected even if the RAND parameter happened to be the same for two protected even if the RAND parameter happened to be the same for two
authentication requests. More importantly, this offers additional authentication requests. More importantly, this offers additional
protection for the case where an attacker replays an old protection for the case where an attacker replays an old
authentication request sent by the network. The client will be able authentication request sent by the network. The client will be able
to detect that the request is old, and refuse authentication. This to detect that the request is old, and refuse authentication. This
proves liveliness of the authentication request even in the case proves liveliness of the authentication request even in the case
where a MitM attacker tries to trick the client into providing an where a MitM attacker tries to trick the client into providing an
authentication response, and then replaces parts of the message with authentication response, and then replaces parts of the message with
something else. In other words, a client challenged by Digest AKA is something else. In other words, a client challenged by Digest AKA is
not vulnerable for chosen plain text attacks. Finally, frequent not vulnerable for chosen plain text attacks. Finally, frequent
sequence number errors would reveal an attack where the tamper- sequence number errors would reveal an attack where the tamper
resistant card has been cloned and is being used in multiple devices. resistant card has been cloned and is being used in multiple devices.
The downside of sequence number tracking is that servers must hold The downside of sequence number tracking is that servers must hold
more information for each user than just their long-term secret, more information for each user than just their long-term secret,
namely the current SQN value. However, this information is typically namely the current SQN value. However, this information is typically
not stored in the SIP nodes, but in dedicated authentication servers not stored in the SIP nodes, but in dedicated authentication servers
instead. instead.
5.7 Improvements to AKA Security 5.7 Improvements to AKA Security
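Review bot: The last sentence of the replay-protection paragraph now reads "tamper resistant card" where -02 had "tamper-resistant card"; the hyphenated form is the correct one for a compound modifier, so restore it and use the same spelling in the introduction and in step 1 of section 2. In the unchanged context of the same paragraph, "proves liveliness" should be "proves liveness", and "not vulnerable for chosen plain text attacks" should be "not vulnerable to chosen plaintext attacks".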
 End of changes. 
