This document outlines the use of Digest AKA for secure authentication in HTTP, mapping AKA parameters onto HTTP Digest authentication, and session key distribution methods. It covers challenge-response mechanisms, symmetric cryptography, and one-time password generation. The authentication process involves client-ISIM interaction, server authentication, and message exchanges for verification.
RFC 3310: Hypertext Transfer Protocol (HTTP) Digest Authentication Using Authentication and Key Agreement (AKA)
Kangsan Lee kslee@contela.com
Contents
• Introduction
• Terminology
• Overview
• Specification of Digest AKA
• Messages
Introduction
• AKA (UMTS IM Services Identity Module (ISIM))
• Authentication
• Session key distribution
• Challenge-response based
• Symmetric cryptography
• A mapping of AKA parameters onto HTTP Digest authentication (RFC 2617)
• One-time password generation for digest authentication
Overview 2/2
• The client's ISIM and the AuC share a secret, K.
• The AuC generates an AV from K and SEQ. AV = {RAND || AUTN || XRES || CK || IK}
• The AV is delivered to the server.
• The server sends an Authentication Request to the client. Authentication Request = {RAND || AUTN}
• The client verifies AUTN and, if it is valid, generates RES and sends it to the server.
• The server compares RES with XRES and, if they match, authenticates the client.
Specification 1/3
• Algorithm directive
• Nonce directive
Specification 2/3
• Client Authentication (1/2)
• Extract RAND/AUTN from “nonce”
• Verify AUTN
• Check SQN
• Generate RES with RAND/K
Specification 3/3
• Synchronization Failure (2/2)
• Base64 encoded AKA AUTS parameter
• Re-synchronize server side SQN
• Re-generate a fresh AV with SQN
• Server Authentication
• Use XRES as “password”
Messages 1/2
Client / Server
1) REGISTER
   Server runs AKA algorithm, generates RAND and AUTN.
2) 401 Unauthorized
   WWW-Authenticate: Digest (RAND, AUTN delivered)
   Client runs AKA algorithms on ISIM, verifies AUTN, derives RES and session keys.
3) REGISTER
   Authorization: Digest (RES is used)
   Server checks the given RES and finds it correct.
4) 200 OK
   Authentication-Info (XRES is used)
Messages 2/2

1) Initial request

   REGISTER sip:home.mobile.biz SIP/2.0

2) Response containing a challenge

   SIP/2.0 401 Unauthorized
   WWW-Authenticate: Digest
           realm="RoamingUsers@mobile.biz",
           nonce="CjPk9mRqNuT25eRkajM09uTl9nM09uTl9nMz5OX25PZz==",
           qop="auth,auth-int",
           opaque="5ccc069c403ebaf9f0171e9517f40e41",
           algorithm=AKAv1-MD5

3) Request containing credentials

   REGISTER sip:home.mobile.biz SIP/2.0
   Authorization: Digest
           username="jon.dough@mobile.biz",
           realm="RoamingUsers@mobile.biz",
           nonce="CjPk9mRqNuT25eRkajM09uTl9nM09uTl9nMz5OX25PZz==",
           uri="sip:home.mobile.biz",
           qop=auth-int,
           nc=00000001,
           cnonce="0a4f113b",
           response="6629fae49393a05397450978507c4ef1",
           opaque="5ccc069c403ebaf9f0171e9517f40e41"

4) Successful response

   SIP/2.0 200 OK
   Authentication-Info:
           qop=auth-int,
           rspauth="6629fae49393a05397450978507c4ef1",
           cnonce="0a4f113b",
           nc=00000001
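The nonce handling and digest computation from the Specification and Messages slides, as an added Python example that is not part of the original slides or of RFC 3310. It assumes 16-byte RAND and AUTN values and uses constructed sample bytes in place of real AuC/ISIM output (the AKA algorithms themselves are not implemented); the function names are hypothetical.

```python
import base64, hashlib, hmac

def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()

def build_nonce(rand: bytes, autn: bytes, server_data: bytes = b"") -> str:
    """Server: nonce = base64(RAND || AUTN || optional server data)."""
    if len(rand) != 16 or len(autn) != 16:
        raise ValueError("RAND and AUTN must each be 16 bytes")
    return base64.b64encode(rand + autn + server_data).decode()

def parse_nonce(nonce: str) -> tuple[bytes, bytes]:
    """Client: recover RAND and AUTN from the challenge nonce."""
    raw = base64.b64decode(nonce, validate=True)
    if len(raw) < 32:
        raise ValueError("nonce too short to carry RAND and AUTN")
    return raw[:16], raw[16:32]

def digest_response(user, realm, password: bytes, method, uri,
                    nonce, nc, cnonce, qop="auth", body=b"") -> str:
    """RFC 2617 request-digest; in AKAv1-MD5 the password is the binary RES."""
    ha1 = md5_hex(f"{user}:{realm}:".encode() + password)
    a2 = f"{method}:{uri}"
    if qop == "auth-int":              # auth-int also covers the entity body
        a2 += ":" + md5_hex(body)
    ha2 = md5_hex(a2.encode())
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}".encode())

def server_check(received: str, xres: bytes, **fields) -> bool:
    """Server: recompute the digest with XRES and compare in constant time."""
    return hmac.compare_digest(received, digest_response(password=xres, **fields))

# Constructed sample values; real RAND/AUTN/XRES come from the AuC, RES from the ISIM.
RAND, AUTN = bytes(range(16)), bytes(range(16, 32))
RES = XRES = bytes.fromhex("a1b2c3d4e5f60718")

def demo() -> bool:
    nonce = build_nonce(RAND, AUTN)
    rand, autn = parse_nonce(nonce)    # the ISIM would verify AUTN and check SQN here
    assert (rand, autn) == (RAND, AUTN)
    fields = dict(user="jon.dough@mobile.biz", realm="RoamingUsers@mobile.biz",
                  method="REGISTER", uri="sip:home.mobile.biz", nonce=nonce,
                  nc="00000001", cnonce="0a4f113b", qop="auth-int")
    response = digest_response(password=RES, **fields)
    return server_check(response, XRES, **fields)

if __name__ == "__main__":
    print("client authenticated:", demo())
```

Because RES never crosses the wire, the server learns only whether the digest computed with its XRES matches; a mismatch rejects the request without revealing which input differed.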