draft-ietf-sipcore-digest-scheme-01.txt   draft-ietf-sipcore-digest-scheme-02.txt 
SIP Core R. Shekh-Yusef SIP Core R. Shekh-Yusef
Internet-Draft Avaya Internet-Draft Avaya
Updates: 3261 (if approved) May 7, 2019 Updates: 3261 (if approved) May 9, 2019
Intended status: Standards Track Intended status: Standards Track
Expires: November 8, 2019 Expires: November 10, 2019
The Session Initiation Protocol (SIP) Digest Authentication Scheme The Session Initiation Protocol (SIP) Digest Authentication Scheme
draft-ietf-sipcore-digest-scheme-01 draft-ietf-sipcore-digest-scheme-02
Abstract Abstract
This document updates the Digest Access Authentication scheme used by This document updates the Digest Access Authentication scheme used by
the Session Initiation Protocol (SIP) to add support for secure the Session Initiation Protocol (SIP) to add support for secure
digest algorithms to replace the broken MD5 algorithm. digest algorithms to replace the broken MD5 algorithm.
Status of This Memo Status of This Memo
This Internet-Draft is submitted in full conformance with the This Internet-Draft is submitted in full conformance with the
skipping to change at page 1, line 33 skipping to change at page 1, line 33
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/. Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on November 8, 2019. This Internet-Draft will expire on November 10, 2019.
Copyright Notice Copyright Notice
Copyright (c) 2019 IETF Trust and the persons identified as the Copyright (c) 2019 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info) in effect on the date of (https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
skipping to change at page 2, line 21 skipping to change at page 2, line 21
the copyright in such materials, this document may not be modified the copyright in such materials, this document may not be modified
outside the IETF Standards Process, and derivative works of it may outside the IETF Standards Process, and derivative works of it may
not be created outside the IETF Standards Process, except to format not be created outside the IETF Standards Process, except to format
it for publication as an RFC or to translate it into languages other it for publication as an RFC or to translate it into languages other
than English. than English.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
1.1. Terminology . . . . . . . . . . . . . . . . . . . . . . . 3 1.1. Terminology . . . . . . . . . . . . . . . . . . . . . . . 3
2. The SIP Digest Authentication Scheme . . . . . . . . . . . . 3 2. The Updated SIP Digest Authentication Scheme . . . . . . . . 3
2.1. Hash Algorithms . . . . . . . . . . . . . . . . . . . . . 3 2.1. Hash Algorithms . . . . . . . . . . . . . . . . . . . . . 3
2.2. Representation of Digest Values . . . . . . . . . . . . . 3 2.2. Representation of Digest Values . . . . . . . . . . . . . 3
2.3. The Authenticate Response Header Field . . . . . . . . . 4 2.3. The Authenticate Response Header Field . . . . . . . . . 4
2.4. The Authorization Request Header Field . . . . . . . . . 4 2.4. The Authorization Request Header Field . . . . . . . . . 4
2.5. Forking . . . . . . . . . . . . . . . . . . . . . . . . . 4 2.5. Forking . . . . . . . . . . . . . . . . . . . . . . . . . 4
2.6. HTTP Modifications . . . . . . . . . . . . . . . . . . . 5 2.6. HTTP Modifications . . . . . . . . . . . . . . . . . . . 5
3. Augmented BNF for the SIP Protocol . . . . . . . . . . . . . 6 2.7. Augmented BNF for the SIP Protocol . . . . . . . . . . . 6
4. Security Considerations . . . . . . . . . . . . . . . . . . . 7 3. Security Considerations . . . . . . . . . . . . . . . . . . . 7
5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 7 4. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 7
6. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 7 5. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 7
7. Normative References . . . . . . . . . . . . . . . . . . . . 7 6. Normative References . . . . . . . . . . . . . . . . . . . . 7
Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 8 Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 8
1. Introduction 1. Introduction
The SIP protocol [RFC3261] uses the same mechanism used by the HTTP The SIP protocol [RFC3261] uses the same mechanism used by the HTTP
protocol for authenticating users, which is a simple challenge- protocol for authenticating users, which is a simple challenge-
response authentication mechanism that allows a server to challenge a response authentication mechanism that allows a server to challenge a
client request and allows a client to provide authentication client request and allows a client to provide authentication
information in response to that challenge. information in response to that challenge.
skipping to change at page 3, line 16 skipping to change at page 3, line 16
SIP to support the list of digest algorithms defined in the "Hash SIP to support the list of digest algorithms defined in the "Hash
Algorithms for HTTP Digest Authentication" registry defined by Algorithms for HTTP Digest Authentication" registry defined by
[RFC7616]. [RFC7616].
1.1. Terminology 1.1. Terminology
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [RFC2119]. document are to be interpreted as described in [RFC2119].
2. The SIP Digest Authentication Scheme 2. The Updated SIP Digest Authentication Scheme
This section describes the modifications to the operation of the This section describes the modifications to the operation of the
Digest mechanism as specified in [RFC3261] in order to support the Digest mechanism as specified in [RFC3261] in order to support the
SHA- 256 and SHA-512/256 algorithms as described in [RFC7616], and SHA- 256 and SHA-512/256 algorithms as described in [RFC7616], and
also to require support for the "qop" option." also to require support for the "qop" option."
2.1. Hash Algorithms 2.1. Hash Algorithms
The Digest scheme has an 'algorithm' parameter that specifies the The Digest scheme has an 'algorithm' parameter that specifies the
algorithm to be used to compute the digest of the response. The IANA algorithm to be used to compute the digest of the response. The IANA
skipping to change at page 6, line 39 skipping to change at page 6, line 39
properly handle "qop" parameter received in WWW-Authenticate and properly handle "qop" parameter received in WWW-Authenticate and
Proxy-Authenticate header fields. Servers MUST always send a "qop" Proxy-Authenticate header fields. Servers MUST always send a "qop"
parameter in WWW-Authenticate and Proxy-Authenticate header field parameter in WWW-Authenticate and Proxy-Authenticate header field
values, and clients MUST send the "qop" parameter in any resulting values, and clients MUST send the "qop" parameter in any resulting
authorization header field. authorization header field.
The usage of the Authentication-Info header field continue to be The usage of the Authentication-Info header field continue to be
allowed, since it provides integrity checks over the bodies and allowed, since it provides integrity checks over the bodies and
provides mutual authentication. provides mutual authentication.
3. Augmented BNF for the SIP Protocol 2.7. Augmented BNF for the SIP Protocol
This document updates the Augmented BNF for the SIP Protocol as This document updates the Augmented BNF for the SIP Protocol as
follows. follows.
It extends the request-digest as follows to allow for different It extends the request-digest as follows to allow for different
digest sizes: digest sizes:
request-digest = LDQUOT *LHEX RDQUOT request-digest = LDQUOT *LHEX RDQUOT
The number of hex digits must be specified by the specification of The number of hex digits must be specified by the specification of
the algorithm used. the algorithm used.
It extends the algorithm parameter as follows to allow for SHA2 It extends the algorithm parameter as follows to allow for SHA2
algorithms to be used: algorithms to be used:
algorithm = "algorithm" EQUAL ( "MD5" / "SHA-512-256" / "SHA-256" algorithm = "algorithm" EQUAL ( "MD5" / "SHA-512-256" / "SHA-256"
/ token ) / token )
4. Security Considerations 3. Security Considerations
This specification adds new secure algorithms to be used to with the This specification adds new secure algorithms to be used to with the
Digest mechanism to authenticate users, but leaves the broken MD5 Digest mechanism to authenticate users, but leaves the broken MD5
algorithm for backward compatibility. algorithm for backward compatibility.
This opens the system to the potential of a downgrade attack by man- This opens the system to the potential of a downgrade attack by man-
in-the-middle. The most effective way of dealing with this type of in-the-middle. The most effective way of dealing with this type of
attack is to either validate the client and challenge it accordingly, attack is to either validate the client and challenge it accordingly,
or remove the support for backward compatibility by not supporting or remove the support for backward compatibility by not supporting
MD5. MD5.
See section 5 of [RFC7616] for a detailed security discussion of the See section 5 of [RFC7616] for a detailed security discussion of the
Digest scheme. Digest scheme.
5. IANA Considerations 4. IANA Considerations
[RFC7616] defines an IANA registry named "Hash Algorithms for HTTP [RFC7616] defines an IANA registry named "Hash Algorithms for HTTP
Digest Authentication" to simplify the introduction of new algorithms Digest Authentication" to simplify the introduction of new algorithms
in the future. This document will use the algorithms defined in that in the future. This document will use the algorithms defined in that
registry. registry.
6. Acknowledgments 5. Acknowledgments
The author would like to thank the following individuals for their The author would like to thank the following individuals for their
careful reviews, comments, and suggestions: Paul Kyzivat, Olle careful reviews, comments, and suggestions: Paul Kyzivat, Olle
Johansson, Dale Worley, Michael Procter, Inaki Baz Castillo, Tolga Johansson, Dale Worley, Michael Procter, Inaki Baz Castillo, Tolga
Asveren, Christer Holmberg, and Brian Rosen. Asveren, Christer Holmberg, and Brian Rosen.
7. Normative References 6. Normative References
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997. Requirement Levels", BCP 14, RFC 2119, March 1997.
[RFC3261] Rosenberg, J., Schulzrinne, H., Camarillo, H., Johnston, [RFC3261] Rosenberg, J., Schulzrinne, H., Camarillo, H., Johnston,
A., Peterson, J., Sparks, R., Handley, M., and E. A., Peterson, J., Sparks, R., Handley, M., and E.
Schooler, "SIP: Session Initiation Protocol", RFC 3261, Schooler, "SIP: Session Initiation Protocol", RFC 3261,
June 2002. June 2002.
[RFC7234] Fielding, R., Nottingham, M., and J. Reschke, "Hypertext [RFC7234] Fielding, R., Nottingham, M., and J. Reschke, "Hypertext
 End of changes. 12 change blocks. 
16 lines changed or deleted 16 lines changed or added

This html diff was produced by rfcdiff 1.47. The latest version is available from http://tools.ietf.org/tools/rfcdiff/