HTTP DIGEST AUTHENTICATION Using AKA full report
project report tiger
13-02-2010, 04:29 PM
The IP Multimedia Subsystem is the standardized next generation networking architecture for telecom operators that want to provide fixed and mobile multimedia services. The aim of IMS is not only to provide new services but all the services, current and future, that the Internet provides. IMS supports many types of communications, including instant messaging, push to talk, and video conferencing. It also provides roaming capabilities and authentication.
Since IMS provides very wide connectivity across different networks, authentication of the users is an important security issue. IMS uses the IETF's (Internet Engineering Task Force) HTTP digest authentication protocol for network access. The HTTP Authentication Framework includes two authentication schemes: Basic and Digest.
In HTTP basic authentication, a client has to send a password to the server to get authenticated, so there is a chance that someone may intercept the network traffic and get to know that password. The Basic scheme is inherently insecure in that it transmits user credentials in plain text.
HTTP digest authentication lets a client prove to the server that it knows a password, without having to send the password in clear. The client performs a computation based on the password and a random value supplied by the server. The result is transmitted to the server, which performs the same computation and, if it finds the identical answer, authenticates the client.
For several years, telecommunications providers have touted the potential of converged networks that offer a wide range of voice, data, and multimedia services, all over a single IP infrastructure.
However, these networks have been just a vision until recently. Now, though, a growing number of telecommunications carriers and equipment vendors including Alcatel, Ericsson, Lucent Technologies, Motorola, and Nokia are beginning to release devices and services based on a convergence approach called IP Multimedia Subsystem.
The IP Multimedia Subsystem (IMS) is a standardized Next Generation Networking (NGN) architecture for telecom operators that want to provide mobile and fixed multimedia services. It uses a Voice-over-IP (VoIP) implementation based on a 3GPP-standardized implementation, and runs over the standard Internet Protocol (IP). Existing phone systems (both packet-switched and circuit-switched) are supported. With the advent of IMS the fixed-mobile convergence has become a key trend of the telecommunication industry in 2005-2006.
The basic idea behind convergence is to make the services available on one network easily accessible from other types of networks as well. For this, all the existing networks, like the fixed networks and the upcoming mobile networks, should be able to use a single network infrastructure. This ability to connect almost any hardware or software device opens the door to other potential problems in the fixed and mobile network - that of device malfunction and malicious attack.
Providing proper security, authentication and authorization to the users connected to such a converged network, and to the network itself, becomes an important issue. To tackle security problems with such growing interconnectivity between various types of networks, IMS uses the IETF's HTTP Digest Authentication protocol for mobile network-access security. Using HTTP Basic Authentication, IMS transmissions between client and server would be unencrypted and could be intercepted. HTTP Digest Authentication lets a client prove to a server that it knows the password without having to send the password in the clear. The client performs a computation based on the password and a random value supplied by the server. The result is transmitted to the server, which performs the same computation and, if it obtains the identical answer, authenticates the client.
This is different from basic authentication schemes, where authentication tokens such as a username and password are transmitted directly between the client and the server and can easily be eavesdropped. It also provides an integrity check for the data subsequently transmitted between the client and the server, so that unwanted messages do not get across the network and leak confidential data. Data integrity is the property that the data has not been altered in an unauthorized manner.
The scope of this report is to highlight those properties of the security system of a converged network, based on which proper authentication and integrity of the data can be supported.
2. CONVERGED NETWORKS
2.1 WHAT IS CONVERGENCE
The term "converged networks" relates to the integration of voice (fixed and wireless), data and video services. Converged networks, which combine voice, data, fax and video transmissions into a cohesive networking infrastructure - all centered on the Internet Protocol, or IP - promise a number of advantages over existing, separate networking environments. Convergence also relates to the combining of what were once four distinct networks - circuit switched telephone network, cable network, mobile network and Internet service provider networks. Convergence was made possible by being able to transport voice, data and video in exactly the same way. The explosion in data traffic has led to the move to packetise voice, turning it into another form of data. Hence the introduction of VoIP - the means of running voice over data/packet networks.
Voice over Internet Protocol, also called VoIP, IP Telephony, Internet telephony, Broadband telephony, Broadband Phone and Voice over Broadband, is the routing of voice conversations over the Internet or through any other IP-based network.
Converged voice, video and data using a packet based transport offers flexible, scalable, and cost efficient services. There is no longer any need to provide and manage separate voice, data and video networks, which presents significant cost savings. The standardization of technology in the converged network means that risk is reduced on a number of fronts. Functionality can be added in days not weeks, and a greater choice of applications and equipment is available.
2.2 IMPLEMENTING WITH THE REAL NETWORKS
The implementation of such a convergence of the networks became a reality after the advent of the technology known as IMS - IP Multimedia Subsystem. IMS was originally designed for the mobile networks, but was later expanded to implement the convergence of the mobiles with the traditional wired networks.
The vision is for people to use one phone with one number, address book and voicemail bank, taking advantage of cheap, high-speed connectivity in their fixed-line home or office setting, while enjoying mobility outside in the wide-area mobile phone network. It also includes a seamless handover of calls between fixed-line and mobile networks.
3. IP MULTIMEDIA SUBSYSTEM
3.1 BASIC PRINCIPLES
The IP Multimedia Subsystem (IMS) is a standardized Next Generation Networking (NGN) architecture for telecom operators that want to provide mobile and fixed multimedia services. It uses a Voice-over-IP (VoIP) implementation based on a 3GPP standardized implementation of SIP, and runs over the standard Internet Protocol (IP). Existing phone systems (both packet-switched and circuit-switched) are supported.
The aim of IMS is not only to provide new services but all the services, current
and future, that the Internet provides. In this way, IMS will give network operators and
service providers the ability to control and charge for each service. In addition, users have
to be able to execute all their services when roaming as well as from their home
networks. To achieve these goals, IMS uses open standard IP protocols, defined by the
IETF. So, a multimedia session between two IMS users, between an IMS user and a user
on the Internet, and between two users on the Internet is established using exactly the
same protocol. Moreover, the interfaces for service developers are also based on IP
protocols. This is why IMS truly merges the Internet with the cellular world; it uses
cellular technologies to provide ubiquitous access and Internet technologies to provide
Telecommunications operators can provide services to users irrespective of their location, access technology, and terminal. IMS guarantees interworking with existing phone systems, while providing an upgrade path for modern multimedia sessions (like a videophone).
3.2 VOICE OVER IP
Protocols that are used to carry voice signals over the IP network are commonly referred to as Voice over IP or VoIP protocols. VoIP converts the voice signal from your telephone into a digital signal that travels over the Internet. If you are calling a regular phone number, the signal is then converted back at the other end. VoIP can allow you to make a call directly from a computer, a special VoIP phone, or a traditional phone using an adapter. In addition, new wireless "hot spots" in public locations such as airports, parks, and cafes allow you to connect to the Internet, and may enable you to use VoIP service wirelessly. If you make a call using a phone with an adapter, you'll be able to dial just as you always have, and the service provider may also provide a dial tone. If your service assigns you a regular phone number, then a person can call you from his or her regular phone without using special equipment.
As we can see, convergence principles are bringing together all the existing networks, making them virtually one. Providing proper security to all the networks and the user equipment connected to such a vast network is a big challenge. IMS uses a Digest authentication scheme for authenticating the users to access the network.
4. AUTHENTICATION SCHEMES
4.1 BASIC AUTHENTICATION SCHEME
This is a very basic authentication scheme used in normal web connections. Here the client has to send a password to the server for authentication. As a normal procedure, the client sends an initial request to the server for authentication, on receiving which the server sends a message to the client, based on which the client prompts the user to enter the credentials. Once entered, the credentials (say, username and password) are sent through the media to the server. The server verifies them against the values stored in the database and accordingly accepts or rejects the request. If accepted, it sends a success response back to the client, and the services requested by the users are then available to them through the client.
If rejected, the user is not authenticated to use the services. When the client sends the password, it is vulnerable to interception. This is a major security issue, as the password is sent in clear text. Even if it is encoded, the encoded password can be replayed by the eavesdropper.
4.2 DIGEST AUTHENTICATION
The Basic scheme is inherently insecure in that it transmits user credentials in plain text. The Digest scheme improves security by hiding user credentials with cryptographic hashes, and additionally by providing limited message integrity. Authentication and Key Agreement (AKA) is the mechanism used to generate the authentication vectors for the HTTP Digest authentication scheme.
The AKA operation can be described in the following steps:
1. A shared secret K is established beforehand between the UE (User equipment) and the Authentication Center (AuC).
2. The AuC of the home network produces an authentication vector AV, based on the shared secret K and a sequence number SQN. The authentication vector contains a random challenge RAND, network authentication token AUTN, expected authentication result XRES, a session key for integrity check IK, and a session key for encryption CK.
3. The authentication vector is downloaded to a server. Optionally, the server can also download a batch of AVs, containing more than one authentication vector.
4. The server creates an authentication request, which contains the random challenge RAND, and the network authenticator token AUTN.
5. The authentication request is delivered to the client.
6. Using the shared secret K and the sequence number SQN, the client verifies the AUTN with the user equipment. If the verification is successful, the network has been authenticated. The client then produces an authentication response RES, using the shared secret K and the random challenge RAND.
7. The authentication response, RES, is delivered to the server.
8. The server compares the authentication response RES with the expected response, XRES. If the two match, the user has been successfully authenticated, and the session keys, IK and CK, can be used for protecting further communications between the clients and the server.
When a client receives a Digest AKA authentication challenge, it extracts the RAND and AUTN, and assesses the AUTN token provided by the server. If the client successfully authenticates the server with the AUTN, and determines that the SQN used in generating the challenge is within expected range, the AKA algorithms are run with the RAND challenge and shared secret K.
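The following added example (not part of the original report) shows how the AKA values are carried inside an HTTP Digest exchange as RFC 3310 specifies it: the nonce is base64(RAND || AUTN), the algorithm token is AKAv1-MD5, and RES takes the place of the password. The realm, username, URI and function names are assumptions made for illustration, and RES/XRES are taken as already produced by the AKA algorithms.

```python
import base64
import hashlib
import hmac
import re

ALGORITHM = "AKAv1-MD5"  # algorithm token defined by RFC 3310


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def build_challenge(realm: str, rand: bytes, autn: bytes) -> str:
    """Server side: pack RAND || AUTN into the Digest nonce."""
    if len(rand) != 16 or len(autn) != 16:
        raise ValueError("RAND and AUTN must each be 128 bits")
    nonce = base64.b64encode(rand + autn).decode("ascii")
    return f'Digest realm="{realm}", nonce="{nonce}", algorithm={ALGORITHM}'


def parse_challenge(header: str):
    """Client side: return (params, RAND, AUTN); raise ValueError if malformed."""
    pairs = re.findall(r'(\w+)=(?:"([^"]*)"|([^,\s]+))', header)
    params = {key: (quoted or bare) for key, quoted, bare in pairs}
    if params.get("algorithm") != ALGORITHM:
        raise ValueError("not a Digest AKA challenge")
    # binascii.Error is a ValueError subclass, so bad base64 also raises ValueError
    raw = base64.b64decode(params.get("nonce", ""), validate=True)
    if len(raw) < 32:
        raise ValueError("nonce too short to hold RAND || AUTN")
    return params, raw[:16], raw[16:32]


def digest_response(username, realm, res: bytes, nonce, method, uri) -> str:
    """Digest computation without qop, using the binary RES as the password."""
    ha1 = md5_hex(username.encode() + b":" + realm.encode() + b":" + res)
    ha2 = md5_hex(f"{method}:{uri}".encode())
    return md5_hex(f"{ha1}:{nonce}:{ha2}".encode())


def server_verify(username, realm, xres: bytes, nonce, method, uri, response) -> bool:
    """Server repeats the computation with XRES and compares in constant time."""
    expected = digest_response(username, realm, xres, nonce, method, uri)
    return hmac.compare_digest(expected, response)


if __name__ == "__main__":
    # Constructed sample values, not taken from any real network.
    rand, autn, res = bytes(range(16)), bytes(range(16, 32)), b"\x11" * 8
    header = build_challenge("ims.example.test", rand, autn)
    params, got_rand, got_autn = parse_challenge(header)
    # The UE would verify got_autn and derive RES from got_rand here.
    reply = digest_response("alice@ims.example.test", params["realm"], res,
                            params["nonce"], "REGISTER", "sip:ims.example.test")
    print(header)
    print("response =", reply)
    print("accepted =", server_verify("alice@ims.example.test", params["realm"],
                                      res, params["nonce"], "REGISTER",
                                      "sip:ims.example.test", reply))
```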
4.3 PROVIDING MESSAGE INTEGRITY
Figure 1: Message integrity using Cryptographic hashes
A cryptographic hash function is a hash function with certain additional security
properties to make it suitable for use as a primitive in various information security
applications, such as authentication and message integrity.
A hash function takes a long string (or message) of any length as input and
produces a fixed length string as output, sometimes termed a message digest or a digital
fingerprint. A cryptographic hash function should behave as much as possible like a
random function while still being deterministic and efficiently computable.
A hash is a kind of signature for a stream of data, which represents its content. It is different from encryption in that encryption is a reversible process: you can decode the encrypted data if you know the encryption algorithm. But hashes are irreversible. Suppose the server wants to check the password received from the client. Then it should have the stored password beforehand, so that it can compare the password received from the client with it. But storing the passwords in clear can be a security threat, so they can be stored as a hash. Since it is impossible to know which password produced which hash, the user's password can never be known. When a user sends a password, it will be fed to the hash and the output will then be matched with the stored hashes. Moreover, transmitting hashes through the network is even safer than sending clear text messages, because a small change in the text value brings a large change in the hash produced, because of the large size of the hashes, so it becomes easier to detect whether the message has been tampered with. This mechanism is used in digest authentication to provide integrity to the messages, so as to detect whether the message has been tampered with.
4.4 MESSAGE FLOW
[Figure 2 diagram not recovered; labels include Register Req, Auth Req, Auth Ans, Un Auth Resp, getVectors, Control Function, AuC, HSS]
Figure 2: Server Challenge to the U.E.
When the client is started, it first sends a request to register with the server (for example, this process is initiated when a SIM card is inserted into the mobile). The request goes to a control function (CF), which is the main logical block of an IMS network. The CF reads the request and passes it to the authentication center. The AuC then queries a database in which the authentication vectors for each user are stored, fetches them, and sends them to the control function, which applies various algorithms and generates the authentication tokens that have to be sent to the client for authentication.
Figure 3: Authenticating U.E's Response
On the client side, the client receives those authentication tokens, decodes them and creates its own response based on the same functions which the server uses to generate them (those functions are shared between the client and the server). The CF compares the client's response and, if it finds it correct, asks the AuC to authorize the client and provide it with the address of a server which hosts the service requested by the client. The AuC gets the server name from the database and authorizes that client to use it. Finally, the CF sends the client an "authenticate" response, signifying to the client that its request is authenticated and it is ready to use the service.
Upon receipt of a request from the CF, the AuC sends an ordered array of n authentication vectors to the CF. The authentication vectors are ordered based on sequence number. Each authentication vector consists of the following components: a random number RAND, an expected response XRES, a cipher key CK, an integrity key IK and an authentication token AUTN. Each authentication vector is good for one authentication and key agreement between the CF and the UE. When the CF initiates an authentication and key agreement, it selects the next authentication vector from the ordered array and sends the parameters RAND and AUTN to the user. Authentication vectors in a particular node are used on a first-in / first-out basis. The UE checks whether AUTN can be accepted and, if so, produces a response RES which is sent back to the CF. The UE also computes CK and IK. The CF compares the received RES with XRES. If they match, the CF considers the authentication and key agreement exchange to be successfully completed. The established keys CK and IK will then be transferred by the UE and the CF to the entities which perform ciphering and integrity functions.
5. GENERATION OF AUTHENTICATION VECTORS
AUTN = SQN ⊕ AK || AMF || MAC
AV = RAND || XRES || CK || IK || AUTN
Figure 4: Generating Function for Auth Vectors
The AuC starts with generating a fresh sequence number SQN and an unpredictable challenge RAND. The HE has some flexibility in the management of sequence numbers, but some requirements need to be fulfilled by the mechanism used:
a) In case the SQN exposes the identity and location of the user, the AK may be
used as an anonymity key to
b) The generation mechanism shall allow protection against wrap around the
counter in the UE.
Subsequently the following values are computed:
A message authentication code MAC = f1K (SQN || RAND || AMF) where f1 is a message authentication function;
An expected response XRES = f2K (RAND) where f2 is a (possibly truncated) message authentication function;
A cipher key CK = f3K (RAND) where f3 is a key generating function;
An integrity key IK = f4K (RAND) where f4 is a key generating function;
An anonymity key AK = f5K (RAND) where f5 is a key generating function or f5
Finally the authentication token AUTN = SQN ⊕ AK || AMF || MAC is constructed.
Here, AK is an anonymity key used to conceal the sequence number as the latter may expose the identity and location of the user. The concealment of the sequence number is to protect against passive attacks only. If no concealment is needed then f5 = 0 (AK = 0).
[Figure 5 diagram labels: SQN ⊕ AK; Verify MAC = XMAC; Verify that SQN is in the correct range]
Figure 5: Authentication Function in Client
Upon receipt of RAND and AUTN the UE first computes the anonymity key AK = f5K (RAND) and retrieves the sequence number SQN = (SQN ⊕ AK) ⊕ AK. Next the UE computes XMAC = f1K (SQN || RAND || AMF) and compares this with MAC which is included in AUTN. If they are different, the user sends user authentication reject back to the CF with an indication of the cause and the user abandons the procedure. In this case, CF shall initiate an Authentication Failure Report procedure towards the AuC. CF may also decide to initiate a new identification and authentication procedure towards the user.
Next the UE verifies that the received sequence number SQN is in the correct range. If the UE considers the sequence number to be not in the correct range, it sends synchronisation failure back to the CF including an appropriate parameter, and abandons the procedure.
If the sequence number is considered to be in the correct range however, the UE computes RES = f2K (RAND) and includes this parameter in a user authentication response back to the CF. Finally the UE computes the cipher key CK = f3K (RAND) and the integrity key IK = f4K (RAND). If this is more efficient, RES, CK and IK could also be computed earlier at any time after receiving RAND. UE shall store original CK, IK until the next successful execution of AKA.
Upon receipt of user authentication response the CF compares RES with the expected response XRES from the selected authentication vector. If XRES equals RES then the authentication of the user has passed. The CF also selects the appropriate cipher key CK and integrity key IK from the selected authentication vector. If XRES and RES are different, CF shall initiate an Authentication Failure Report procedure. CF may also decide to initiate a new identification and authentication procedure towards the user.
The verification of the SQN by the UE will cause the UE to reject an attempt by the CF to re-use a SQN to establish a particular security context more than once. When the UE receives an authentication request and discovers that a RAND is repeated, it shall re-transmit the response. The UE shall delete the stored values RAND, RES as soon as the connection is aborted.
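The vector generation and UE-side checks of this section, as an added example that is not part of the original report. The report does not define f1 to f5, so truncated HMAC-SHA-256 is used here as a stand-in (an assumption, not the operator algorithm set); the field sizes (48-bit SQN and AK, 16-bit AMF, 64-bit MAC, 128-bit RAND) follow 3GPP TS 33.102, and the replay check keeps the last 32 sequence numbers as described in section 6.

```python
import hashlib
import hmac
import os
from collections import deque

AMF = bytes(2)  # constructed sample value for the 16-bit AMF field


def prf(k: bytes, tag: bytes, data: bytes, n: int) -> bytes:
    """Stand-in for f1..f5 (assumption): tagged HMAC-SHA-256 cut to n bytes."""
    return hmac.new(k, tag + data, hashlib.sha256).digest()[:n]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def auc_generate_av(k: bytes, sqn: int, rand: bytes = None) -> dict:
    """AuC side: AV = RAND || XRES || CK || IK || AUTN for one fresh SQN."""
    rand = rand or os.urandom(16)
    sqn_b = sqn.to_bytes(6, "big")
    mac = prf(k, b"f1", sqn_b + rand + AMF, 8)   # MAC = f1K(SQN || RAND || AMF)
    ak = prf(k, b"f5", rand, 6)                  # AK  = f5K(RAND)
    return {
        "RAND": rand,
        "XRES": prf(k, b"f2", rand, 8),          # XRES = f2K(RAND)
        "CK": prf(k, b"f3", rand, 16),           # CK   = f3K(RAND)
        "IK": prf(k, b"f4", rand, 16),           # IK   = f4K(RAND)
        "AUTN": xor(sqn_b, ak) + AMF + mac,      # SQN xor AK || AMF || MAC
    }


class UE:
    """User equipment holding K and the recently accepted sequence numbers."""

    def __init__(self, k: bytes):
        self.k = k
        self.seen = deque(maxlen=32)

    def authenticate(self, rand: bytes, autn: bytes):
        concealed, amf, mac = autn[:6], autn[6:8], autn[8:16]
        sqn_b = xor(concealed, prf(self.k, b"f5", rand, 6))  # undo the AK mask
        xmac = prf(self.k, b"f1", sqn_b + rand + amf, 8)
        if not hmac.compare_digest(xmac, mac):
            return "reject", None            # network not authenticated
        sqn = int.from_bytes(sqn_b, "big")
        if sqn in self.seen:
            return "sync_failure", None      # replayed challenge
        self.seen.append(sqn)
        return "ok", {"RES": prf(self.k, b"f2", rand, 8),
                      "CK": prf(self.k, b"f3", rand, 16),
                      "IK": prf(self.k, b"f4", rand, 16)}


def cf_check(av: dict, res: bytes) -> bool:
    """CF side: compare RES with XRES from the selected vector."""
    return hmac.compare_digest(av["XRES"], res)


if __name__ == "__main__":
    k = bytes(range(16))                     # constructed shared secret K
    av, ue = auc_generate_av(k, sqn=7), UE(k)
    status, keys = ue.authenticate(av["RAND"], av["AUTN"])
    print(status, cf_check(av, keys["RES"]))
    print(ue.authenticate(av["RAND"], av["AUTN"])[0])  # same vector replayed
```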
6. SECURING AGAINST EAVESDROPPING
These are some ways adopted to avoid eavesdropping.
1) Anonymity Key AK - In case SQN exposes identity and location of the user.
2) Verifying the freshness of sequence number in the client.
3) Integrity Key IK - Provides the integrity check for all the messages.
The Anonymity Key (AK) is combined with the SQN when it is transmitted. This is because the database stores 32 SQNs, which are transmitted one after another for registration for that particular client. If an SQN is intercepted, it can reveal the location of the user, because the AuC of that particular area will hold those SQNs. This is a security threat. To avoid it, the SQN is not sent directly but combined with a randomly generated AK, which changes every time, so the transmitted SQN cannot be known.
Secondly, when the client gets the SQN from the server, it also checks whether it is the same SQN that it received in any of the last 32 authentication processes. If it is, the client knows somebody has intercepted and is replaying the same message, so it must not respond to that message (since the server sends 32 different SQNs before repeating).
The Integrity key is added to all the responses after authentication so that the client knows whether the message has been tampered with. This is possible because the integrity key will be added in such a way that if the message is tampered with, the client or server will come to know by doing the integrity check.
7. FUTURE SCOPE
As IMS targets the potential to deliver a great range of services across different networks, it is opening up the networks to malicious attacks as never before. With the incorporation of the AKA key generating technique into the Digest authentication scheme, an attempt is being made to overcome part of the user authentication problem. But as IMS expands, maintaining message integrity will be a big challenge. The next step towards that is making the use of HTTP Digest for authentication possible with application servers, which, by use of the AKA keys, will help enhance message integrity in the network.
IMS offers the potential to deliver a great range of innovative services to a range of different networks. In doing so it offers an attractive target for fraud and disruption. The basic authentication schemes used for HTTP, or even the digest authentication schemes, cannot be sufficient for providing the required level of security. The HTTP digest was vulnerable to the man-in-the-middle attack. The attacker may initiate a session with a server, and when the server challenges the attacker with HTTP Digest, the attacker disguises the server to the victim. If the victim responds to the challenge, the attacker is able to use this response towards the server in HTTP Digest. To avoid this it was necessary that the client is able to demonstrate that, in addition to the AKA response, it possesses the AKA session keys. This was made possible by the use of the AKA-generated session keys to protect the authentication responses.
1) RFC 3310
2) 3GPP TS 33.102 v 4.4.0 (2006)
3) An Illustrated Guide to Cryptographic Hashes - Steve Friedl
4) Building Converged networks with IMS technology - David Geer
5) IETF RFC 4169: Hypertext Transfer Protocol (HTTP) Digest Authentication Using Authentication and Key Agreement (AKA).
6) 3GPP TS 23.228: IP Multimedia Subsystem; Stage 2.
1. INTRODUCTION
2. CONVERGED NETWORKS
2.1 WHAT IS CONVERGENCE
2.2 IMPLEMENTING WITH THE REAL NETWORKS
3. IP MULTIMEDIA SUBSYSTEM
3.1 BASIC PRINCIPLES
3.2 VOICE OVER IP
4. AUTHENTICATION SCHEMES
4.1 BASIC AUTHENTICATION SCHEME
4.2 DIGEST AUTHENTICATION
4.3 PROVIDING MESSAGE INTEGRITY
4.4 MESSAGE FLOW
5. GENERATION OF AUTHENTICATION VECTORS
6. SECURING AGAINST EAVESDROPPING
7. FUTURE SCOPE
8. CONCLUSION
9. REFERENCES