Digest AKA Authentication <draft-niemi-sipping-digest-aka-00.txt> IETF53, SIP WG Minneapolis, 20.03.2002 Aki Niemi <[email protected]> Vesa Torvinen <[email protected]> Jari Arkko <[email protected]>


Page 1: Digest AKA Authentication

Digest AKA Authentication <draft-niemi-sipping-digest-aka-00.txt>

IETF53, SIP WG

Minneapolis, 20.03.2002

Aki Niemi <[email protected]>

Vesa Torvinen <[email protected]>

Jari Arkko <[email protected]>

Page 2: Digest AKA Authentication

Overview

• All security needs infrastructure

  – Most of the setup cost is in equipment

  – Desire to reuse existing infrastructure

• 3GPP IMS Authentication

  – Uses Authentication and Key Agreement (AKA)

  – Shared secret on a smart card like device

• Previous proposal draft-torvinen-http-eap-01.txt

  – Feedback received after IETF52

  – Scope of the work was changed

Page 3: Digest AKA Authentication

AKA Overview

[Figure: message exchange between Client and Server, labelled in order: User Identity; RAND, AUTN; RES / AUTS]

Page 4: Digest AKA Authentication

Digest AKA Features

• Digest scheme is reused with AKA authentication

• AKA parameters are encapsulated into Digest

  – Digest challenge contains the AKA challenge (RAND + AUTN)

  – AKA RES is used as input in calculating the Digest credentials

  – New auth-param is defined for SQN synchronization

=> AKA generates "one-time" passwords for Digest
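
Added example, not taken from the slides or the draft: a Python illustration of the encapsulation listed above, with single-use enforcement of each challenge on the server side. It assumes the nonce layout base64(RAND || AUTN || server data) and the binary RES in the Digest password slot, as later specified in RFC 3310; the `Server` class, function names and sample values are hypothetical, and the AKA functions themselves are not implemented (RES/XRES are constructed inputs).

```python
import base64, hashlib, hmac, os

RAND_LEN = AUTN_LEN = 16  # AKA RAND and AUTN are 128 bits each

def md5hex(data):
    return hashlib.md5(data).hexdigest()

def build_nonce(rand, autn, server_data=b""):
    """Server: carry the AKA challenge in the Digest nonce (assumed layout)."""
    if len(rand) != RAND_LEN or len(autn) != AUTN_LEN:
        raise ValueError("RAND and AUTN must be 16 bytes each")
    return base64.b64encode(rand + autn + server_data).decode()

def parse_nonce(nonce):
    """Client: recover RAND and AUTN to pass to the smart card."""
    raw = base64.b64decode(nonce, validate=True)
    if len(raw) < RAND_LEN + AUTN_LEN:
        raise ValueError("nonce too short to hold RAND + AUTN")
    return raw[:RAND_LEN], raw[RAND_LEN:RAND_LEN + AUTN_LEN]

def digest_response(user, realm, res, method, uri, nonce, nc, cnonce, qop="auth"):
    """RFC 2617 MD5 response with the binary AKA RES in the password slot."""
    ha1 = md5hex(f"{user}:{realm}:".encode() + res)
    ha2 = md5hex(f"{method}:{uri}".encode())
    return md5hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}".encode())

class Server:
    """Hypothetical verifier: every challenge, and so every RES, is accepted once."""
    def __init__(self):
        self.pending = {}  # nonce -> expected RES (XRES) from the AKA vector

    def challenge(self, rand, autn, xres):
        nonce = build_nonce(rand, autn, os.urandom(8))
        self.pending[nonce] = xres
        return nonce

    def verify(self, user, realm, method, uri, nonce, nc, cnonce, response):
        xres = self.pending.pop(nonce, None)  # a replayed nonce finds nothing
        if xres is None:
            return False
        expected = digest_response(user, realm, xres, method, uri, nonce, nc, cnonce)
        return hmac.compare_digest(expected, response)

if __name__ == "__main__":
    # Constructed sample values; a real RES comes from the card's AKA functions.
    rand, autn, res = bytes(range(16)), bytes(range(16, 32)), b"\xaa" * 8
    srv = Server()
    nonce = srv.challenge(rand, autn, res)
    args = ("user@example.com", "example.com", "REGISTER", "sip:example.com", nonce, "00000001", "c0ffee")
    resp = digest_response(args[0], args[1], res, *args[2:])
    print(srv.verify(*args, resp), srv.verify(*args, resp))
```
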

Page 5: Digest AKA Authentication

Issues

• "Choke point" attack when reusing RES

  – Not possible, since RES should always be used only once

Confusion on the relationship between Digest AKA and Enhanced Digest

• Adopt draft-niemi-sipping-digest-aka-00...

  – Message integrity

  – Complementary to vanilla-Digest

• …or create "clear-text" HTTP AKA solution

  – Simpler (no MD5 calculations)

  – Make message integrity optional?

  – Basically a new auth-scheme

Page 6: Digest AKA Authentication

Future

• Work Item for SIP WG

  – RFC Category?

• draft-niemi-digest-aka-00.txt adopted as solution

  – Work out the issues

• This is needed for 3GPP Release 5

=> Time pressure