Hypertext Transfer Protocol (HTTP) Digest Authentication Using Authentication and Key Agreement (AKA) Version-2
RFC 4169
| Document | Type |
RFC - Informational
(November 2005; No errata)
Was draft-torvinen-http-digest-aka-v2 (individual in tsv area)
|
|
|---|---|---|---|
| Last updated | 2015-10-14 | ||
| Stream | IETF | ||
| Formats | plain text pdf html bibtex | ||
| Stream | WG state | (None) | |
| Document shepherd | No shepherd assigned | ||
| IESG | IESG state | RFC 4169 (Informational) | |
| Consensus Boilerplate | Unknown | ||
| Telechat date | |||
| Responsible AD | Allison Mankin | ||
| Send notices to | mankin@psg.com | ||
Network Working Group V. Torvinen
Request for Comments: 4169 Turku Polytechnic
Category: Informational J. Arkko
M. Naslund
Ericsson
November 2005
Hypertext Transfer Protocol (HTTP) Digest Authentication Using
Authentication and Key Agreement (AKA) Version-2
Status of This Memo
This memo provides information for the Internet community. It does
not specify an Internet standard of any kind. Distribution of this
memo is unlimited.
Copyright Notice
Copyright (C) The Internet Society (2005).
Abstract
HTTP Digest, as specified in RFC 2617, is known to be vulnerable to
man-in-the-middle attacks if the client fails to authenticate the
server in TLS, or if the same passwords are used for authentication
in some other context without TLS. This is a general problem that
exists not just with HTTP Digest, but also with other IETF protocols
that use tunneled authentication. This document specifies version 2
of the HTTP Digest AKA algorithm (RFC 3310). This algorithm can be
implemented in a way that it is resistant to the man-in-the-middle
attack.
Torvinen Informational [Page 1]
RFC 4169 HTTP Digest AKAv2 November 2005
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 2
1.1. Terminology . . . . . . . . . . . . . . . . . . . . . . 4
2. HTTP Digest AKAv2 . . . . . . . . . . . . . . . . . . . . . . 5
2.1. Password generation . . . . . . . . . . . . . . . . . . 6
2.2. Session keys . . . . . . . . . . . . . . . . . . . . . . 6
3. Example Digest AKAv2 Operation . . . . . . . . . . . . . . . . 7
4. Security Considerations . . . . . . . . . . . . . . . . . . . 7
4.1. Multiple Authentication Schemes and Algorithms . . . . . 7
4.2. Session Protection . . . . . . . . . . . . . . . . . . . 7
4.3. Man-in-the-middle attacks . . . . . . . . . . . . . . . 8
4.4. Entropy . . . . . . . . . . . . . . . . . . . . . . . . 9
5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 10
5.1. Registration Information . . . . . . . . . . . . . . . . 10
6. References . . . . . . . . . . . . . . . . . . . . . . . . . . 11
6.1. Normative References . . . . . . . . . . . . . . . . . . 11
6.2. Informative References . . . . . . . . . . . . . . . . . 11
1. Introduction
The Hypertext Transfer Protocol (HTTP) Digest Authentication,
described in [4], has been extended in [6] to support the
Authentication and Key Agreement (AKA) mechanism [7]. The AKA
mechanism performs authentication and session key agreement in
Universal Mobile Telecommunications System (UMTS) networks. HTTP
Digest AKA enables the usage of AKA as a one-time password generation
mechanism for Digest authentication.
HTTP Digest is known to be vulnerable to man-in-the-middle attacks,
even when run inside TLS, if the same HTTP Digest authentication
credentials are used in some other context without TLS. The attacker
may initiate a TLS session with a server, and when the server
challenges the attacker with HTTP Digest, the attacker masquerades
the server to the victim. If the victim responds to the challenge,
the attacker is able to use this response towards the server in HTTP
Digest. Note that this attack is an instance of a general attack
that affects a number of IETF protocols, such as PIC. The general
problem is discussed in [8] and [9].
Because of the vulnerability described above, the use of HTTP Digest
"AKAv1" should be limited to the situations in which the client is
able to demonstrate that, in addition to the AKA response, it
possesses the AKA session keys. This is possible, for example, if
the underlying security protocol uses the AKA-generated session keys
to protect the authentication response. This is the case, for
example, in the 3GPP IP Multimedia Core Network Subsystem (IMS),
where HTTP Digest "AKAv1" is currently applied. However, HTTP Digest
Torvinen Informational [Page 2]
RFC 4169 HTTP Digest AKAv2 November 2005
"AKAv1" should not be used with tunnelled security protocols that do
not utilize the AKA session keys. For example, the use of HTTP
Digest "AKAv1" is not necessarily secure with TLS if the server side
is authenticated using certificates and the client side is
authenticated using HTTP Digest AKA.
There are at least four potential solutions to the problem:
1. The use of the authentication credentials is limited to one
Show full document text