60 likes | 70 Views
Digest AKA Authentication <draft-niemi-sipping-digest-aka-00.txt>. IETF53, SIP WG Minneapolis, 20.03.2002 Aki Niemi <aki.niemi@nokia.com> Vesa Torvinen <vesa.torvinen@ericsson.fi> Jari Arkko <jari.arkko@ericsson.com>. Overview. All security needs infrastructure
E N D
Digest AKA Authentication<draft-niemi-sipping-digest-aka-00.txt> IETF53, SIP WG Minneapolis, 20.03.2002 Aki Niemi <aki.niemi@nokia.com> Vesa Torvinen <vesa.torvinen@ericsson.fi> Jari Arkko <jari.arkko@ericsson.com>
Overview • All security needs infrastructure • Most of the setup cost is in equipment • Desire to reuse existing infrastructure • 3GPP IMS Authentication • Uses Authentication and Key Agreement (AKA) • Shared secret on a smart card like device • Previous proposal draft-torvinen-http-eap-01.txt • Feedback received after IETF52 • Scope of the work was changed
AKA Overview Client Server User Identity RAND, AUTN RES / AUTS
Digest AKA Features • Digest scheme is reused with AKA authentication • AKA parameters are encapsulated into Digest • Digest challenge contains the AKA challenge (RAND + AUTN) • AKA RES is used as input in calculating the Digest credentials • New auth-param is defined for SQN synchronization => AKA generates "one-time" passwords for Digest
Issues • "Choke point" attack when reusing RES • Not possible, since RES should always be used only once • Confusion on the relationship between Digest AKA and Enhanced Digest • Adopt draft-niemi-sipping-digest-aka-00... • Message integrity • Complementary to vanilla-Digest • …or create "clear-text" HTTP AKA solution • Simpler (no MD5 calculations) • Make message integrity optional? • Basically a new auth-scheme
Future • Work Item for SIP WG • RFC Category? • draft-niemi-digest-aka-00.txt adopted as solution • Work out the issues • This is needed for 3GPP Release 5 • => Time pressure