RFC 3310 Hypertext Transfer Protocol (HTTP) Digest Authentication


RFC 3310 Hypertext Transfer Protocol (HTTP) Digest Authentication Using Authentication and Key Agreement (AKA)
Kangsan Lee, kslee@contela.com


Contents
- Introduction
- Terminology
- Overview
- Specification of Digest AKA
- Messages


Introduction
- AKA (UMTS IM Services Identity Module (ISIM))
  - Authentication
  - Session key distribution
  - Challenge-response based
  - Symmetric cryptography
- A mapping of AKA parameters onto HTTP Digest authentication (RFC 2617)
  - One-time password generation for digest authentication


Terminology   Description
AKA           Authentication and Key Agreement
AuC           Authentication Center
AUTN          Authentication Token, 128 bits, generated by the AuC (+RAND)
AUTS          Authentication Token, 112 bits, generated by the client
CK            Cipher Key, an AKA session key for encryption
IK            Integrity Key, an AKA session key for integrity check
ISIM          IP Multimedia Services Identity Module
PIN           Personal Identification Number
RAND          Random Challenge
RES           Authentication Response, generated by the ISIM
SIM           Subscriber Identity Module, GSM counterpart of the ISIM
SQN           Sequence Number
UMTS          Universal Mobile Telecommunication System
XRES          Expected Authentication Response


Overview 1/2


Specification 1/3
- Algorithm directive
- Nonce directive


Specification 2/3
- Client Authentication (1/2)
  - Extract RAND/AUTN from "nonce"
  - Verify AUTN
  - Check SQN
  - Generate RES with RAND/K


Specification 3/3
- Synchronization Failure (2/2)
  - Base64-encoded AKA AUTS parameter
  - Re-synchronize the server-side SQN
  - Re-generate a fresh AV with the SQN
- Server Authentication
  - Use XRES as "password"


Messages 1/2 (Client <-> Server)
1) Client -> Server: REGISTER. The server runs the AKA algorithm and generates RAND and AUTN.
2) Server -> Client: 401 Unauthorized, WWW-Authenticate: Digest (RAND and AUTN delivered). The client runs the AKA algorithms on the ISIM, verifies AUTN, and derives RES and the session keys.
3) Client -> Server: REGISTER, Authorization: Digest (RES is used). The server checks the given RES and finds it correct.
4) Server -> Client: 200 OK, Authentication-Info (XRES is used).


Messages 2/2

1) Initial request

    REGISTER sip:home.mobile.biz SIP/2.0

2) Response containing a challenge

    SIP/2.0 401 Unauthorized
    WWW-Authenticate: Digest
        realm="RoamingUsers@mobile.biz",
        nonce="CjPk9mRqNuT25eRkajM09uTl9nMz5OX25PZz==",
        qop="auth,auth-int",
        opaque="5ccc069c403ebaf9f0171e9517f40e41",
        algorithm=AKAv1-MD5

3) Request containing credentials

    REGISTER sip:home.mobile.biz SIP/2.0
    Authorization: Digest
        username="jon.dough@mobile.biz",
        realm="RoamingUsers@mobile.biz",
        nonce="CjPk9mRqNuT25eRkajM09uTl9nMz5OX25PZz==",
        uri="sip:home.mobile.biz",
        qop=auth-int,
        nc=00000001,
        cnonce="0a4f113b",
        response="6629fae49393a05397450978507c4ef1",
        opaque="5ccc069c403ebaf9f0171e9517f40e41"

4) Successful response

    SIP/2.0 200 OK
    Authentication-Info:
        qop=auth-int,
        rspauth="6629fae49393a05397450978507c4ef1",
        cnonce="0a4f113b",
        nc=00000001
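The four-message flow above, worked through as an added example (not code from the slides or from RFC 3310): the server packs RAND and AUTN into the base64 "nonce", the client unpacks them and answers with the binary RES as the Digest password, the server checks the answer against XRES, and finally proves its own knowledge of XRES in the Authentication-Info rspauth. The RAND, AUTN and RES bytes are constructed placeholders, and the AKA f-functions that an ISIM or AuC would run are assumed, not implemented; the Digest directive values are the ones from the REGISTER example.

```python
import base64
import hashlib

# Constructed sample values (not output of a real AuC or ISIM): the 128-bit RAND and
# AUTN from the server's authentication vector, and the 64-bit RES the ISIM would
# derive from RAND and the shared key K. The AKA f-functions are not modelled here.
RAND = bytes.fromhex("0123456789abcdef0123456789abcdef")
AUTN = bytes.fromhex("fedcba9876543210fedcba9876543210")
RES = bytes.fromhex("0011223344556677")   # returned by the ISIM on the client
XRES = RES                                # held by the server in the same AV
# Digest parameters from the REGISTER example above.
USER, REALM, URI = "jon.dough@mobile.biz", "RoamingUsers@mobile.biz", "sip:home.mobile.biz"
NC, CNONCE, QOP = "00000001", "0a4f113b", "auth-int"

def build_nonce(rand: bytes, autn: bytes, server_data: bytes = b"") -> str:
    """Server: nonce = base64(RAND || AUTN || server-specific data)."""
    return base64.b64encode(rand + autn + server_data).decode("ascii")

def split_nonce(nonce: str):
    """Client: recover the 16-byte RAND and AUTN (plus any trailing server data)."""
    raw = base64.b64decode(nonce, validate=True)
    if len(raw) < 32:
        raise ValueError("nonce too short to carry RAND and AUTN")
    return raw[:16], raw[16:32], raw[32:]

def _md5(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()

def digest(password: bytes, method: str, nonce: str, body: bytes = b"") -> str:
    """RFC 2617 request-digest with algorithm=AKAv1-MD5. The password is the binary
    RES (client) or XRES (server); method is "" when computing the server's rspauth."""
    ha1 = _md5(f"{USER}:{REALM}:".encode() + password)
    a2 = f"{method}:{URI}"
    if QOP == "auth-int":                      # auth-int also binds the entity body
        a2 += ":" + _md5(body)
    return _md5(f"{ha1}:{nonce}:{NC}:{CNONCE}:{QOP}:{_md5(a2.encode())}".encode())

def client_response(nonce: str, res: bytes) -> str:
    """Message 3: unpack the challenge, then sign the request with RES as password."""
    rand, autn, _ = split_nonce(nonce)   # the ISIM verifies AUTN/SQN here and yields RES
    return digest(res, "REGISTER", nonce)

def server_verify(nonce: str, xres: bytes, response: str) -> bool:
    """Server: recompute with XRES from the AV and compare with the client's value."""
    return digest(xres, "REGISTER", nonce) == response

def server_rspauth(nonce: str, xres: bytes) -> str:
    """Message 4: Authentication-Info rspauth, proving the server also knows XRES."""
    return digest(xres, "", nonce)
```

Because the ISIM's secret key K is never sent, a server that cannot reproduce the client's digest from XRES (or a client whose AUTN check fails) rejects the exchange; the synchronization-failure path would instead carry a base64 AUTS back to the server, which is not shown here.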