Digest AKA Authentication <draft-niemi-sipping-digest-aka-00.txt>



1
Digest AKA Authentication <draft-niemi-sipping-digest-aka-00.txt>
  • IETF53, SIP WG
  • Minneapolis, 20.03.2002
  • Aki Niemi <aki.niemi_at_nokia.com>
  • Vesa Torvinen <vesa.torvinen_at_ericsson.fi>
  • Jari Arkko <jari.arkko_at_ericsson.com>

2
Overview
  • All security needs infrastructure
  • Most of the setup cost is in equipment
  • Desire to reuse existing infrastructure
  • 3GPP IMS Authentication
  • Uses Authentication and Key Agreement (AKA)
  • Shared secret on a smart card like device
  • Previous proposal draft-torvinen-http-eap-01.txt
  • Feedback received after IETF52
  • Scope of the work was changed

3
AKA Overview
[Figure: AKA message exchange between Client and Server, with messages labelled "User Identity", "RAND, AUTN" and "RES / AUTS"]

4
Digest AKA Features
  • Digest scheme is reused with AKA authentication
  • AKA parameters are encapsulated into Digest
  • Digest challenge contains the AKA challenge (RAND AUTN)
  • AKA RES is used as input in calculating the Digest credentials
  • New auth-param is defined for SQN synchronization
  • => AKA generates "one-time" passwords for Digest
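
Added example, not from the slides or the draft: a Python sketch of the flow on this slide, where the Digest nonce carries RAND and AUTN and the client uses RES as the Digest password, so a response is only valid for one challenge. Assumptions: the nonce layout base64(RAND || AUTN) follows the later RFC 3310 form, `toy_aka` is an HMAC stand-in for the real AKA functions with SQN handling omitted, and all function names and sample values are hypothetical.

```python
import base64, hashlib, hmac, os

def toy_aka(k: bytes, rand: bytes):
    """Stand-in for the AKA functions (NOT Milenage; no SQN): K, RAND -> AUTN, RES."""
    autn = hmac.new(k, b"autn" + rand, hashlib.sha256).digest()[:16]
    res = hmac.new(k, b"res" + rand, hashlib.sha256).digest()[:8]
    return autn, res

def make_challenge(k: bytes):
    """Server: fresh RAND per challenge; nonce = base64(RAND || AUTN) (assumed layout)."""
    rand = os.urandom(16)
    autn, xres = toy_aka(k, rand)
    return base64.b64encode(rand + autn).decode(), xres

def digest_response(user, realm, password: bytes, nonce, method, uri):
    """Plain Digest (RFC 2617, no qop) with the AKA result as the password."""
    ha1 = hashlib.md5(f"{user}:{realm}:".encode() + password).hexdigest()
    ha2 = hashlib.md5(f"{method}:{uri}".encode()).hexdigest()
    return hashlib.md5(f"{ha1}:{nonce}:{ha2}".encode()).hexdigest()

def client_answer(k, user, realm, nonce, method, uri):
    """Client: check AUTN (network authentication), then answer with RES."""
    raw = base64.b64decode(nonce)
    rand, autn = raw[:16], raw[16:32]
    expected_autn, res = toy_aka(k, rand)
    if not hmac.compare_digest(autn, expected_autn):
        return None  # challenge not from a holder of K: do not respond
    return digest_response(user, realm, res, nonce, method, uri)

def server_verify(user, realm, xres, nonce, method, uri, response):
    """Server: recompute with the expected RES (XRES) for this nonce only."""
    expected = digest_response(user, realm, xres, nonce, method, uri)
    return response is not None and hmac.compare_digest(expected, response)

if __name__ == "__main__":
    K = bytes(range(16))  # constructed sample shared secret
    who = ("user@example.com", "example.com")  # constructed identity and realm
    req = ("REGISTER", "sip:example.com")
    nonce, xres = make_challenge(K)
    resp = client_answer(K, *who, nonce, *req)
    print("fresh response accepted:", server_verify(*who, xres, nonce, *req, resp))
    nonce2, xres2 = make_challenge(K)
    print("replay on new challenge:", server_verify(*who, xres2, nonce2, *req, resp))
```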

5
Issues
  • "Choke point" attack when reusing RES
  • Not possible, since RES should always be used only once
  • Confusion on the relationship between Digest AKA and Enhanced Digest
  • Adopt draft-niemi-sipping-digest-aka-00...
  • Message integrity
  • Complementary to vanilla-Digest
  • or create "clear-text" HTTP AKA solution
  • Simpler (no MD5 calculations)
  • Make message integrity optional?
  • Basically a new auth-scheme

6
Future
  • Work Item for SIP WG
  • RFC Category?
  • draft-niemi-digest-aka-00.txt adopted as solution
  • Work out the issues
  • This is needed for 3GPP Release 5
  • => Time pressure