Hypertext Transfer Protocol (HTTP) Digest Authentication Using Authentication and Key Agreement (AKA) Version-2
RFC 4169
Document | Type |
RFC - Informational
(November 2005; No errata)
Was draft-torvinen-http-digest-aka-v2 (individual in tsv area)
|
|
---|---|---|---|
Authors | Mats Naslund , Jari Arkko , Vesa Torvinen | ||
Last updated | 2015-10-14 | ||
Stream | IETF | ||
Formats | plain text html pdf htmlized bibtex | ||
Stream | WG state | (None) | |
Document shepherd | No shepherd assigned | ||
IESG | IESG state | RFC 4169 (Informational) | |
Consensus Boilerplate | Unknown | ||
Telechat date | |||
Responsible AD | Allison Mankin | ||
Send notices to | mankin@psg.com |
Network Working Group V. Torvinen Request for Comments: 4169 Turku Polytechnic Category: Informational J. Arkko M. Naslund Ericsson November 2005 Hypertext Transfer Protocol (HTTP) Digest Authentication Using Authentication and Key Agreement (AKA) Version-2 Status of This Memo This memo provides information for the Internet community. It does not specify an Internet standard of any kind. Distribution of this memo is unlimited. Copyright Notice Copyright (C) The Internet Society (2005). Abstract HTTP Digest, as specified in RFC 2617, is known to be vulnerable to man-in-the-middle attacks if the client fails to authenticate the server in TLS, or if the same passwords are used for authentication in some other context without TLS. This is a general problem that exists not just with HTTP Digest, but also with other IETF protocols that use tunneled authentication. This document specifies version 2 of the HTTP Digest AKA algorithm (RFC 3310). This algorithm can be implemented in a way that it is resistant to the man-in-the-middle attack. Torvinen Informational [Page 1] RFC 4169 HTTP Digest AKAv2 November 2005 Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 2 1.1. Terminology . . . . . . . . . . . . . . . . . . . . . . 4 2. HTTP Digest AKAv2 . . . . . . . . . . . . . . . . . . . . . . 5 2.1. Password generation . . . . . . . . . . . . . . . . . . 6 2.2. Session keys . . . . . . . . . . . . . . . . . . . . . . 6 3. Example Digest AKAv2 Operation . . . . . . . . . . . . . . . . 7 4. Security Considerations . . . . . . . . . . . . . . . . . . . 7 4.1. Multiple Authentication Schemes and Algorithms . . . . . 7 4.2. Session Protection . . . . . . . . . . . . . . . . . . . 7 4.3. Man-in-the-middle attacks . . . . . . . . . . . . . . . 8 4.4. Entropy . . . . . . . . . . . . . . . . . . . . . . . . 9 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 10 5.1. Registration Information . . . . . . . . . . . . . . . . 10 6. References . . . . . . . . . . . . . . . . . . . . . . . . . . 11 6.1. Normative References . . . . . . . . . . . . . . . . . . 11 6.2. Informative References . . . . . . . . . . . . . . . . . 11 1. Introduction The Hypertext Transfer Protocol (HTTP) Digest Authentication, described in [4], has been extended in [6] to support the Authentication and Key Agreement (AKA) mechanism [7]. The AKA mechanism performs authentication and session key agreement in Universal Mobile Telecommunications System (UMTS) networks. HTTP Digest AKA enables the usage of AKA as a one-time password generation mechanism for Digest authentication. HTTP Digest is known to be vulnerable to man-in-the-middle attacks, even when run inside TLS, if the same HTTP Digest authentication credentials are used in some other context without TLS. The attacker may initiate a TLS session with a server, and when the server challenges the attacker with HTTP Digest, the attacker masquerades the server to the victim. If the victim responds to the challenge, the attacker is able to use this response towards the server in HTTP Digest. Note that this attack is an instance of a general attack that affects a number of IETF protocols, such as PIC. The general problem is discussed in [8] and [9]. Because of the vulnerability described above, the use of HTTP Digest "AKAv1" should be limited to the situations in which the client is able to demonstrate that, in addition to the AKA response, it possesses the AKA session keys. This is possible, for example, if the underlying security protocol uses the AKA-generated session keys to protect the authentication response. This is the case, for example, in the 3GPP IP Multimedia Core Network Subsystem (IMS), where HTTP Digest "AKAv1" is currently applied. However, HTTP Digest Torvinen Informational [Page 2] RFC 4169 HTTP Digest AKAv2 November 2005 "AKAv1" should not be used with tunnelled security protocols that do not utilize the AKA session keys. For example, the use of HTTP Digest "AKAv1" is not necessarily secure with TLS if the server side is authenticated using certificates and the client side is authenticated using HTTP Digest AKA. There are at least four potential solutions to the problem: 1. The use of the authentication credentials is limited to oneShow full document text