Presentation Transcript


  1. rfc 3310: Hypertext Transfer Protocol (HTTP) Digest Authentication Using Authentication and Key Agreement (AKA)
  Kangsan Lee, kslee@contela.com

  2. Contents
  • Introduction
  • Terminology
  • Overview
  • Specification of Digest AKA
  • Messages

  3. Introduction
  • AKA (UMTS IM Services Identity Module (ISIM))
  • Authentication
  • Session key distribution
  • Challenge-response based
  • Symmetric cryptography
  • A mapping of AKA parameters onto HTTP Digest authentication (rfc 2617)
  • One-time password generation for digest authentication

  4. Terminology

  5. Overview 1/2

  6. Overview 2/2
  • The client's ISIM and the AuC share the secret K.
  • The AuC generates an AV from K and SEQ. AV = {RAND || AUTN || XRES || CK || IK}
  • The AV is delivered to the server.
  • The server sends an Authentication Request to the client. Authentication Request = {RAND || AUTN}
  • The client verifies AUTN and, if it is valid, generates RES and sends it to the server.
  • The server compares RES with XRES and, if they match, authenticates the client.

  7. Specification 1/3
  • Algorithm directive
  • Nonce directive

  8. Specification 2/3
  • Client Authentication (1/2)
    • Extract RAND/AUTN from “nonce”
    • Verify AUTN
    • Check SQN
    • Generate RES with RAND/K

  9. Specification 3/3
  • Synchronization Failure (2/2)
    • Base64 encoded AKA AUTS parameter
    • Re-synchronize server side SQN
    • Re-generate a fresh AV with SQN
  • Server Authentication
    • Use XRES as “password”

  10. Messages 1/2 (Client <-> Server)
  1) REGISTER (client -> server). The server runs the AKA algorithm and generates RAND and AUTN.
  2) 401 Unauthorized, WWW-Authenticate: Digest (RAND, AUTN delivered) (server -> client). The client runs the AKA algorithms on the ISIM, verifies AUTN, and derives RES and the session keys.
  3) REGISTER, Authorization: Digest (RES is used) (client -> server). The server checks the given RES and finds it correct.
  4) 200 OK, Authentication-Info (XRES is used) (server -> client).

  11. Messages 2/2
  1) Initial request
     REGISTER sip:home.mobile.biz SIP/2.0
  2) Response containing a challenge
     SIP/2.0 401 Unauthorized
     WWW-Authenticate: Digest realm="RoamingUsers@mobile.biz",
                       nonce="CjPk9mRqNuT25eRkajM09uTl9nM09uTl9nMz5OX25PZz==",
                       qop="auth,auth-int",
                       opaque="5ccc069c403ebaf9f0171e9517f40e41",
                       algorithm=AKAv1-MD5
  3) Request containing credentials
     REGISTER sip:home.mobile.biz SIP/2.0
     Authorization: Digest username="jon.dough@mobile.biz",
                    realm="RoamingUsers@mobile.biz",
                    nonce="CjPk9mRqNuT25eRkajM09uTl9nM09uTl9nMz5OX25PZz==",
                    uri="sip:home.mobile.biz",
                    qop=auth-int,
                    nc=00000001,
                    cnonce="0a4f113b",
                    response="6629fae49393a05397450978507c4ef1",
                    opaque="5ccc069c403ebaf9f0171e9517f40e41"
  4) Successful response
     SIP/2.0 200 OK
     Authentication-Info: qop=auth-int,
                          rspauth="6629fae49393a05397450978507c4ef1",
                          cnonce="0a4f113b",
                          nc=00000001
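The mapping the slides describe (RAND and AUTN packed into the nonce directive, RES on the client and XRES on the server used as the Digest password, rspauth computed over XRES) as an added Python example; it is not code from the slides or from RFC 3310. The f2 stand-in, the shared key K and the AV values are constructed placeholders, and AUTN/SQN verification on the ISIM is left out.

```python
import base64
import hashlib
import hmac

RAND_LEN = AUTN_LEN = 16  # both are 128-bit AKA parameters

def make_nonce(rand: bytes, autn: bytes, server_data: bytes = b"") -> str:
    """Server side: nonce directive = base64(RAND || AUTN || optional server data)."""
    return base64.b64encode(rand + autn + server_data).decode("ascii")

def split_nonce(nonce: str) -> tuple[bytes, bytes]:
    """Client side: recover RAND and AUTN from the nonce before verifying AUTN."""
    raw = base64.b64decode(nonce, validate=True)
    if len(raw) < RAND_LEN + AUTN_LEN:
        raise ValueError("nonce too short to carry RAND || AUTN")
    return raw[:RAND_LEN], raw[RAND_LEN:RAND_LEN + AUTN_LEN]

def stand_in_f2(k: bytes, rand: bytes) -> bytes:
    """Constructed stand-in for the AKA f2 function that derives RES/XRES from K and RAND."""
    return hashlib.sha256(k + rand).digest()[:8]

def _md5(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()

def _ha1(username: str, realm: str, res: bytes) -> str:
    # RES (client) or XRES (server) is a binary value used directly as the Digest password octets
    return _md5(f"{username}:{realm}:".encode() + res)

def digest_response(username: str, realm: str, res: bytes, method: str, uri: str,
                    nonce: str, nc: str, cnonce: str, qop: str = "auth", body: bytes = b"") -> str:
    """RFC 2617 response = MD5(HA1:nonce:nc:cnonce:qop:HA2) with the AKA result as password."""
    if qop == "auth-int":
        ha2 = _md5(f"{method}:{uri}:{_md5(body)}".encode())
    else:
        ha2 = _md5(f"{method}:{uri}".encode())
    return _md5(f"{_ha1(username, realm, res)}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}".encode())

def rspauth(username: str, realm: str, xres: bytes, uri: str, nonce: str, nc: str,
            cnonce: str, qop: str = "auth", body: bytes = b"") -> str:
    """Authentication-Info rspauth: the same digest with an empty method, computed over XRES."""
    return digest_response(username, realm, xres, "", uri, nonce, nc, cnonce, qop, body)

def server_verify(given_response: str, expected_response: str) -> bool:
    """Constant-time comparison of the client's response with the XRES-based value."""
    return hmac.compare_digest(given_response, expected_response)
```

Because RES and XRES come from the same K and RAND, the client's response and the server's XRES-based expectation agree only when the ISIM holds the right key; a nonce shorter than RAND || AUTN is rejected before any AKA computation runs.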
