
HTTP DIGEST AUTHENTICATION Using AKA

ABSTRACT

The IP Multimedia Subsystem (IMS) is the standardized next-generation networking architecture for telecom operators that want to provide fixed and mobile multimedia services. The aim of IMS is not only to provide new services but all the services, current and future, that the Internet provides. IMS supports many types of communications, including instant messaging, push to talk, and video conferencing. It also provides roaming capabilities and authentication.

Since IMS provides very wide connectivity across different networks, authentication of the users is an important security issue. IMS uses the IETF's (Internet Engineering Task Force) HTTP Digest authentication protocol for network access. The HTTP Authentication Framework includes two authentication schemes: Basic and Digest.

In HTTP Basic authentication, a client has to send a password to the server to be authenticated, so there is a chance that someone may intercept the network traffic and learn that password. The Basic scheme is inherently insecure in that it transmits user credentials in plain text.

HTTP Digest authentication lets a client prove to the server that it knows a password without having to send the password in the clear. The client performs a computation based on the password and a random value supplied by the server. The result is transmitted to the server, which performs the same computation and, if it obtains the identical answer, authenticates the client.

1. INTRODUCTION

For several years, telecommunications providers have touted the potential of converged networks that offer a wide range of voice, data, and multimedia services, all over a single IP infrastructure. However, these networks have been just a vision until recently. Now, though, a growing number of telecommunications carriers and equipment vendors including Alcatel, Ericsson, Lucent Technologies, Motorola, and Nokia are beginning to release devices and services based on a convergence approach called IP Multimedia Subsystem.

The IP Multimedia Subsystem (IMS) is a standardized Next Generation Networking (NGN) architecture for telecom operators that want to provide mobile and fixed multimedia services. It uses a Voice-over-IP (VoIP) implementation based on a 3GPP-standardized implementation, and runs over the standard Internet Protocol (IP). Existing phone systems (both packet-switched and circuit-switched) are supported. With the advent of IMS, fixed-mobile convergence has become a key trend of the telecommunication industry in 2005-2006.

DEPT. of CSE SNGCE, Kolenchery



The basic idea behind convergence is to make the services available on one network easily accessible from other types of networks as well. For this, all the existing networks, such as the fixed networks and the upcoming mobile networks, should be able to use a single network infrastructure. This ability to connect almost any hardware or software device opens the door to other potential problems in the fixed and mobile network: device malfunction and malicious attack.

Providing proper security, authentication and authorization to the users connected to such a converged network, and to the network itself, becomes an important issue. To tackle the security problems that come with growing interconnectivity between various types of networks, IMS uses the IETF's HTTP Digest Authentication protocol for mobile network-access security. Using HTTP Basic Authentication, IMS transmissions between client and server would be unencrypted and could be intercepted. HTTP Digest Authentication lets a client prove to a server that it knows the password without having to send the password in the clear. The client performs a computation based on the password and a random value supplied by the server. The result is transmitted to the server, which performs the same computation and, if it obtains the identical answer, authenticates the client.

This is different from basic authentication schemes, where authentication tokens such as a username and password are transmitted directly between the client and the server and can easily be eavesdropped. It also provides an integrity check for all the data subsequently transmitted between the client and the server, to keep unwanted messages from getting across the network and leaking confidential data. Data integrity is the property that the data has not been altered in an unauthorized manner.

The scope of this report is to highlight those properties of the security system of a converged network on which proper authentication and integrity of the data can be based.


2. CONVERGED NETWORKS

2.1 WHAT IS CONVERGENCE?

The term "converged networks" relates to the integration of voice (fixed and wireless), data and video services. Converged networks, which combine voice, data, fax and video transmissions into a cohesive networking infrastructure, all centered on the Internet Protocol, or IP, promise a number of advantages over existing, separate networking environments. Convergence also relates to the combining of what were once four distinct networks: the circuit-switched telephone network, the cable network, the mobile network and Internet service provider networks. Convergence was made possible by being able to transport voice, data and video in exactly the same way. The explosion in data traffic has led to the move to packetise voice, turning it into another form of data. Hence the introduction of VoIP, the means of running voice over data/packet networks.

Voice over Internet Protocol, also called VoIP, IP Telephony, Internet telephony, Broadband telephony, Broadband Phone and Voice over Broadband, is the routing of voice conversations over the Internet or through any other IP-based network.

Converged voice, video and data using a packet-based transport offers flexible, scalable, and cost-efficient services. There is no longer any need to provide and manage separate voice, data and video networks, which presents significant cost savings. The standardization of technology in the converged network means that risk is reduced on a number of fronts. Functionality can be added in days, not weeks, and a greater choice of applications and equipment is available.

2.2 IMPLEMENTING WITH THE REAL NETWORKS

The implementation of such a convergence of networks became a reality after the advent of the technology known as IMS, the IP Multimedia Subsystem. IMS was originally designed for mobile networks, but was later expanded to implement the convergence of mobile networks with the traditional wired networks.


The vision is for people to use one phone with one number, address book and voicemail bank, taking advantage of cheap, high-speed connectivity in their fixed-line home or office setting, while enjoying mobility outside in the wide-area mobile phone network. It also includes a seamless handover of calls between fixed-line and mobile networks.


3. IP MULTIMEDIA SUBSYSTEM

3.1 BASIC PRINCIPLES

The IP Multimedia Subsystem (IMS) is a standardized Next Generation Networking (NGN) architecture for telecom operators that want to provide mobile and fixed multimedia services. It uses a Voice-over-IP (VoIP) implementation based on a 3GPP standardized implementation of SIP, and runs over the standard Internet Protocol (IP). Existing phone systems (both packet-switched and circuit-switched) are supported.

The aim of IMS is not only to provide new services but all the services, current and future, that the Internet provides. In this way, IMS will give network operators and service providers the ability to control and charge for each service. In addition, users have to be able to execute all their services when roaming as well as from their home networks. To achieve these goals, IMS uses open standard IP protocols, defined by the IETF. So, a multimedia session between two IMS users, between an IMS user and a user on the Internet, and between two users on the Internet is established using exactly the same protocol. Moreover, the interfaces for service developers are also based on IP protocols. This is why IMS truly merges the Internet with the cellular world; it uses cellular technologies to provide ubiquitous access and Internet technologies to provide appealing services.

Telecommunications operators can provide services to users irrespective of their location, access technology, and terminal. IMS guarantees interworking with existing phone systems, while providing an upgrade path for modern multimedia sessions (like a videophone).

3.2 VOICE OVER IP


Protocols that are used to carry voice signals over the IP network are commonly referred to as Voice over IP or VoIP protocols. VoIP converts the voice signal from your telephone into a digital signal that travels over the Internet. If you are calling a regular phone number, the signal is then converted back at the other end. VoIP can allow you to make a call directly from a computer, a special VoIP phone, or a traditional phone using an adapter. In addition, new wireless "hot spots" in public locations such as airports, parks, and cafes allow you to connect to the Internet, and may enable you to use VoIP service wirelessly. If you make a call using a phone with an adapter, you'll be able to dial just as you always have, and the service provider may also provide a dial tone. If your service assigns you a regular phone number, then a person can call you from his or her regular phone without using special equipment.

As we can see, convergence principles are bringing together all the existing networks, making them virtually one. Providing proper security to all the networks and the user equipment connected to such a vast network is a big challenge. IMS uses a Digest authentication scheme for authenticating the users who access the network.


4. AUTHENTICATION SCHEMES

4.1 BASIC AUTHENTICATION SCHEME

This is a very basic authentication scheme used in normal web connections. Here the client has to send a password to the server for authentication. In the normal procedure, the client sends an initial request to the server; on receiving it, the server sends a message to the client, based on which the client prompts the user to enter the credentials. Once entered, the credentials (say, username and password) are sent over the medium to the server. The server verifies them against the values stored in its database and accordingly accepts or rejects the request. If the request is accepted, the server sends a success response back to the client, and the services requested by the user are then available through the client.

If the request is rejected, the user is not authenticated to use the services. When the client sends the password, it is vulnerable to interception. This is a major security issue, as the password is sent in clear text. Even if it is encoded, the encoded password can be replayed by the eavesdropper.

4.2 DIGEST AUTHENTICATION

The Basic scheme is inherently insecure in that it transmits user credentials in plain text. The Digest scheme improves security by hiding user credentials with cryptographic hashes, and additionally by providing limited message integrity. Authentication and Key Agreement (AKA) is the mechanism used to generate the authentication vectors for the HTTP Digest authentication scheme.

The AKA operation can be described in the following steps:

1. A shared secret K is established beforehand between the UE (User Equipment) and the Authentication Center (AuC).

2. The AuC of the home network produces an authentication vector AV, based on the shared secret K and a sequence number SQN. The authentication vector contains a random challenge RAND, network authentication token AUTN, expected authentication result XRES, a session key for integrity check IK, and a session key for encryption CK.

3. The authentication vector is downloaded to a server. Optionally, the server can also download a batch of AVs, containing more than one authentication vector.

4. The server creates an authentication request, which contains the random challenge RAND and the network authenticator token AUTN.

5. The authentication request is delivered to the client.

6. Using the shared secret K and the sequence number SQN, the client verifies the AUTN with the user equipment. If the verification is successful, the network has been authenticated. The client then produces an authentication response RES, using the shared secret K and the random challenge RAND.

7. The authentication response, RES, is delivered to the server.

8. The server compares the authentication response RES with the expected response, XRES. If the two match, the user has been successfully authenticated, and the session keys, IK and CK, can be used for protecting further communications between the client and the server.

When a client receives a Digest AKA authentication challenge, it extracts the RAND and AUTN, and assesses the AUTN token provided by the server. If the client successfully authenticates the server with the AUTN, and determines that the SQN used in generating the challenge is within the expected range, the AKA algorithms are run with the RAND challenge and shared secret K.
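
The challenge handling described above, as an added example (not part of the original report): it follows the AKAv1-MD5 encoding of RFC 3310, in which the Digest nonce is base64(RAND || AUTN) and RES is used as the Digest password. The user name, realm, URI, RAND, AUTN and RES values are constructed, the 16-byte field sizes are assumed, and the qop-less RFC 2617 response form is used to keep it short.

```python
import base64
import hashlib
import hmac
import re

RAND_LEN = AUTN_LEN = 16  # bytes; usual 3GPP sizes, assumed (not stated on the page)


def make_challenge(realm: str, rand: bytes, autn: bytes) -> str:
    """Server side: carry RAND and AUTN to the client inside the Digest nonce."""
    nonce = base64.b64encode(rand + autn).decode("ascii")
    return f'Digest realm="{realm}", nonce="{nonce}", algorithm=AKAv1-MD5'


def parse_challenge(header: str) -> dict:
    """Split a WWW-Authenticate value into its parameters (quoted or token form)."""
    scheme, _, rest = header.partition(" ")
    if scheme.lower() != "digest":
        raise ValueError("not a Digest challenge")
    pairs = re.findall(r'(\w+)=(?:"([^"]*)"|([^,\s]+))', rest)
    return {name.lower(): quoted or token for name, quoted, token in pairs}


def extract_rand_autn(nonce: str) -> tuple:
    """Client side: recover RAND and AUTN; a short nonce is refused, not padded."""
    raw = base64.b64decode(nonce, validate=True)
    if len(raw) < RAND_LEN + AUTN_LEN:
        raise ValueError("nonce too short to hold RAND || AUTN")
    return raw[:RAND_LEN], raw[RAND_LEN:RAND_LEN + AUTN_LEN]


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def digest_response(username: str, realm: str, password: bytes,
                    method: str, uri: str, nonce: str) -> str:
    """RFC 2617 response without qop; the password is the raw AKA RES."""
    ha1 = md5_hex(f"{username}:{realm}:".encode() + password)
    ha2 = md5_hex(f"{method}:{uri}".encode())
    return md5_hex(f"{ha1}:{nonce}:{ha2}".encode())


def server_verify(xres: bytes, username: str, realm: str, method: str,
                  uri: str, nonce: str, response: str) -> bool:
    """Server side: same computation with XRES, compared in constant time."""
    expected = digest_response(username, realm, xres, method, uri, nonce)
    return hmac.compare_digest(expected, response)


if __name__ == "__main__":
    # Constructed sample values; in a real exchange RAND/AUTN come from the AV
    # and RES from running the AKA algorithms after AUTN has been verified.
    rand, autn = bytes(range(16)), bytes(range(16, 32))
    res = bytes.fromhex("0102030405060708")
    params = parse_challenge(make_challenge("home1.example", rand, autn))
    got_rand, got_autn = extract_rand_autn(params["nonce"])
    resp = digest_response("user1@home1.example", params["realm"], res,
                           "REGISTER", "sip:home1.example", params["nonce"])
    print(got_rand == rand, got_autn == autn)
    print(server_verify(res, "user1@home1.example", params["realm"],
                        "REGISTER", "sip:home1.example", params["nonce"], resp))
```
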

4.3 PROVIDING MESSAGE INTEGRITY

Figure 1: Message integrity using Cryptographic hashes (a cleartext password passes through a hash function and the resulting hash is kept in the password store)

A cryptographic hash function is a hash function with certain additional security properties to make it suitable for use as a primitive in various information security applications, such as authentication and message integrity.

A hash function takes a long string (or message) of any length as input and produces a fixed-length string as output, sometimes termed a message digest or a digital fingerprint. A cryptographic hash function should behave as much as possible like a random function while still being deterministic and efficiently computable.


A hash is a kind of signature for a stream of data, which represents its content. It differs from encryption in that encryption is a reversible process: you can decode the encrypted data if you know the encryption algorithm. Hashes, however, are irreversible. Suppose the server wants to check the password received from the client. It then needs to have that password stored beforehand, so that it can compare the password received from the client with it. But storing passwords in the clear can be a security threat, so they can be stored as hashes instead. Since it is impossible to know which password produced which hash, the user's password can never be known. When a user sends a password, it is fed to the hash function and the output is matched against the stored hashes. Moreover, transmitting hashes through the network is even safer than sending clear-text messages: because a small change in the text value brings a large change in the hash produced, owing to the large size of the hashes, it becomes easier to detect whether the message has been tampered with. This mechanism is used in digest authentication to provide integrity for the messages.

4.4 MESSAGE FLOW

Figure 2: Server Challenge to the U.E. (labels in the figure: Register Req, Auth Req, getVectors, Auth Ans, UnAuth Resp; blocks: Control Function, AuC, HSS database)

First, when the client is started, it sends a request to register with the server (for example, this process is initiated when a SIM card is inserted into the mobile). The request goes to a control function (CF), which is the main logical block of an IMS network. The CF reads the request and passes it to the authentication center (AuC), which queries a database where the authentication vectors are stored for each user. The AuC fetches the vectors from the database and sends them to the control function, which then applies various algorithms and generates the authentication tokens that have to be sent to the client for authentication.

Figure 3: Authenticating U.E's Response (labels in the figure: Register Res, Assign, Authenticate)

On the client side, the client receives those authentication tokens, decodes them and creates its own response using the same functions that the server uses to generate them (those functions are shared between the client and the server). The CF compares the client's response and, if it finds it correct, asks the AuC to authorize the client and provide it with the address of a server that hosts the service requested by the client. The AuC gets the server name from the database and authorizes that client to use it. Finally, the CF sends the client an "authenticate" response, signifying to the client that its request is authenticated and that it is ready to use the service.


Upon receipt of a request from the CF, the AuC sends an ordered array of n authentication vectors to the CF. The authentication vectors are ordered based on sequence number. Each authentication vector consists of the following components: a random number RAND, an expected response XRES, a cipher key CK, an integrity key IK and an authentication token AUTN. Each authentication vector is good for one authentication and key agreement between the CF and the UE. When the CF initiates an authentication and key agreement, it selects the next authentication vector from the ordered array and sends the parameters RAND and AUTN to the user. Authentication vectors in a particular node are used on a first-in / first-out basis. The UE checks whether AUTN can be accepted and, if so, produces a response RES, which is sent back to the CF. The UE also computes CK and IK. The CF compares the received RES with XRES. If they match, the CF considers the authentication and key agreement exchange to be successfully completed. The established keys CK and IK will then be transferred by the UE and the CF to the entities that perform ciphering and integrity functions.


5. GENERATION OF AUTHENTICATION VECTORS

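Figure 4: Generating Function for Auth Vectors (the AuC generates SQN and RAND; SQN, RAND and AMF feed the functions f1 to f5, which output MAC, XRES, CK, IK and AK)

$\text{AUTN} = \text{SQN} \oplus \text{AK} \parallel \text{AMF} \parallel \text{MAC}$

$\text{AV} = \text{RAND} \parallel \text{XRES} \parallel \text{CK} \parallel \text{IK} \parallel \text{AUTN}$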

The AuC starts by generating a fresh sequence number SQN and an unpredictable challenge RAND. The HE (home environment) has some flexibility in the management of sequence numbers, but some requirements need to be fulfilled by the mechanism used:

a) In case the SQN exposes the identity and location of the user, the AK may be used as an anonymity key to conceal it.

b) The generation mechanism shall allow protection against wrap-around of the counter in the UE.


Subsequently the following values are computed:

A message authentication code $\text{MAC} = f1_K(\text{SQN} \parallel \text{RAND} \parallel \text{AMF})$, where f1 is a message authentication function;

An expected response $\text{XRES} = f2_K(\text{RAND})$, where f2 is a (possibly truncated) message authentication function;

A cipher key $\text{CK} = f3_K(\text{RAND})$, where f3 is a key generating function;

An integrity key $\text{IK} = f4_K(\text{RAND})$, where f4 is a key generating function;

An anonymity key $\text{AK} = f5_K(\text{RAND})$, where f5 is a key generating function or $f5 \equiv 0$.

Finally the authentication token $\text{AUTN} = \text{SQN} \oplus \text{AK} \parallel \text{AMF} \parallel \text{MAC}$ is constructed.

Here, AK is an anonymity key used to conceal the sequence number, as the latter may expose the identity and location of the user. The concealment of the sequence number is to protect against passive attacks only. If no concealment is needed then $f5 \equiv 0$ ($\text{AK} = 0$).


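Figure 5: Authentication Function in Client (inputs RAND and AUTN, where AUTN carries $\text{SQN} \oplus \text{AK}$, AMF and MAC; f5 yields AK, and the remaining functions yield XMAC, RES, CK and IK; the client verifies MAC = XMAC and verifies that SQN is in the correct range)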

Upon receipt of RAND and AUTN, the UE first computes the anonymity key $\text{AK} = f5_K(\text{RAND})$ and retrieves the sequence number $\text{SQN} = (\text{SQN} \oplus \text{AK}) \oplus \text{AK}$. Next the UE computes $\text{XMAC} = f1_K(\text{SQN} \parallel \text{RAND} \parallel \text{AMF})$ and compares this with MAC, which is included in AUTN. If they are different, the user sends a user authentication reject back to the CF with an indication of the cause, and the user abandons the procedure. In this case, the CF shall initiate an Authentication Failure Report procedure towards the AuC. The CF may also decide to initiate a new identification and authentication procedure towards the user.

Next the UE verifies that the received sequence number SQN is in the correct range. If the UE considers the sequence number not to be in the correct range, it sends a synchronisation failure back to the CF, including an appropriate parameter, and abandons the procedure.

If the sequence number is considered to be in the correct range, however, the UE computes $\text{RES} = f2_K(\text{RAND})$ and includes this parameter in a user authentication response back to the CF. Finally the UE computes the cipher key $\text{CK} = f3_K(\text{RAND})$ and the integrity key $\text{IK} = f4_K(\text{RAND})$. If this is more efficient, RES, CK and IK could also be computed earlier, at any time after receiving RAND. The UE shall store the original CK and IK until the next successful execution of AKA.

Upon receipt of the user authentication response, the CF compares RES with the expected response XRES from the selected authentication vector. If XRES equals RES, then the authentication of the user has passed. The CF also selects the appropriate cipher key CK and integrity key IK from the selected authentication vector. If XRES and RES are different, the CF shall initiate an Authentication Failure Report procedure. The CF may also decide to initiate a new identification and authentication procedure towards the user.

The verification of the SQN by the UE will cause the UE to reject an attempt by the CF to re-use an SQN to establish a particular security context more than once. When the UE receives an authentication request and discovers that a RAND is repeated, it shall re-transmit the response. The UE shall delete the stored values RAND and RES as soon as the connection is aborted.
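
The AKA steps of section 4.2 together with the vector generation and client-side checks of this section, as an added end-to-end example (not code from the original report or from 3GPP). HMAC-SHA256 stands in for f1 to f5, which real networks instantiate with an operator-chosen algorithm set such as MILENAGE; the field sizes, the key, RAND, the AMF value and the SQN acceptance window are assumptions or constructed values.

```python
import hashlib
import hmac

# Field sizes in bytes: the usual 3GPP sizes, assumed here (the page gives none).
SQN_LEN, AMF_LEN, MAC_LEN, AK_LEN, RES_LEN, KEY_LEN = 6, 2, 8, 6, 8, 16


def f(k: bytes, label: bytes, data: bytes, n: int) -> bytes:
    """Stand-in for f1..f5: HMAC-SHA256 keyed with K, truncated to n bytes."""
    return hmac.new(k, label + data, hashlib.sha256).digest()[:n]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def generate_av(k: bytes, sqn: int, rand: bytes, amf: bytes = b"\x80\x00") -> dict:
    """AuC side: build AV = RAND || XRES || CK || IK || AUTN for one authentication."""
    sqn_b = sqn.to_bytes(SQN_LEN, "big")
    mac = f(k, b"f1", sqn_b + rand + amf, MAC_LEN)
    ak = f(k, b"f5", rand, AK_LEN)
    return {
        "RAND": rand,
        "XRES": f(k, b"f2", rand, RES_LEN),
        "CK": f(k, b"f3", rand, KEY_LEN),
        "IK": f(k, b"f4", rand, KEY_LEN),
        "AUTN": xor(sqn_b, ak) + amf + mac,  # (SQN xor AK) || AMF || MAC
    }


def ue_respond(k: bytes, rand: bytes, autn: bytes, highest_sqn: int, window: int = 32):
    """UE side: authenticate the network first, then answer.

    Returns (status, result). highest_sqn is the highest SQN accepted so far;
    accepting only highest_sqn < SQN <= highest_sqn + window is an assumed
    policy standing in for "SQN is in the correct range".
    """
    if len(autn) != SQN_LEN + AMF_LEN + MAC_LEN:
        return "auth_reject", None
    concealed = autn[:SQN_LEN]
    amf = autn[SQN_LEN:SQN_LEN + AMF_LEN]
    mac = autn[-MAC_LEN:]
    ak = f(k, b"f5", rand, AK_LEN)
    sqn_b = xor(concealed, ak)                         # SQN = (SQN xor AK) xor AK
    xmac = f(k, b"f1", sqn_b + rand + amf, MAC_LEN)
    if not hmac.compare_digest(mac, xmac):             # MAC != XMAC: reject
        return "auth_reject", None
    sqn = int.from_bytes(sqn_b, "big")
    if not highest_sqn < sqn <= highest_sqn + window:  # replayed or stale SQN
        return "sync_failure", None
    return "ok", {
        "RES": f(k, b"f2", rand, RES_LEN),
        "CK": f(k, b"f3", rand, KEY_LEN),
        "IK": f(k, b"f4", rand, KEY_LEN),
        "SQN": sqn,
    }


def cf_check(av: dict, res: bytes) -> bool:
    """CF side: constant-time comparison of RES with XRES from the selected AV."""
    return hmac.compare_digest(av["XRES"], res)


if __name__ == "__main__":
    K = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed shared secret
    RAND = bytes(range(16))  # constructed; a real RAND must be unpredictable
    av = generate_av(K, sqn=41, rand=RAND)
    status, out = ue_respond(K, RAND, av["AUTN"], highest_sqn=40)
    print(status, cf_check(av, out["RES"]))
    print(ue_respond(K, RAND, av["AUTN"], highest_sqn=41)[0])  # same challenge replayed
    forged = av["AUTN"][:-1] + bytes([av["AUTN"][-1] ^ 1])
    print(ue_respond(K, RAND, forged, highest_sqn=40)[0])      # tampered MAC
```
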

6. SECURING AGAINST EAVESDROPPING

These are some of the ways adopted to avoid eavesdropping.

1) Anonymity Key AK - In case SQN exposes identity and location of the user.
2) Verifying the freshness of sequence number in the client.
3) Integrity Key IK - Provides the integrity check for all the messages.

The Anonymity Key AK is combined with the SQN when it is transmitted. This is because the database stores 32 SQNs, which are transmitted one after another for registration of that particular client. If such an SQN is intercepted, it can reveal the location of the user, because the AuC of that particular area will hold those SQNs. This is a security threat. To avoid it, the SQN is not sent directly but combined with a randomly generated AK, which changes every time, and hence the SQN that is transmitted cannot be known.

Secondly, when the client gets the SQN from the server, it also checks whether this is the same SQN that it received in any of the last 32 authentication processes. If it is, the client knows that somebody has intercepted the message and is replaying it, so it must not respond to that message (since the server sends 32 different SQNs before repeating).

The integrity key is applied to all the responses after authentication, so that the client knows whether a message has been tampered with. This is possible because the integrity key is applied in such a way that, if the message is tampered with, the client or server will find out by doing the integrity check.


7. FUTURE SCOPE


As IMS aims to deliver a great range of services across different networks, it is opening up the networks to malicious attacks as never before. With the incorporation of the AKA key-generating technique into the Digest authentication scheme, an attempt is being made to overcome part of the user authentication problem. But as IMS expands, maintaining message integrity will be a big challenge. The next step towards that is making the use of HTTP Digest for authentication possible with application servers, which, by use of the AKA keys, will help enhance message integrity in the network.

8. CONCLUSION

IMS offers the potential to deliver a great range of innovative services to a range of different networks. In doing so it offers an attractive target for fraud and disruption. The basic authentication schemes used for HTTP, or even the digest authentication schemes, cannot be sufficient for providing the required level of security. HTTP Digest was vulnerable to the man-in-the-middle attack. The attacker may initiate a session with a server, and when the server challenges the attacker with HTTP Digest, the attacker masquerades as the server to the victim. If the victim responds to the challenge, the attacker is able to use this response towards the server in HTTP Digest. To avoid this, it was necessary that the client be able to demonstrate that, in addition to the AKA response, it possesses the AKA session keys. This was made possible by the use of the AKA-generated session keys to protect the authentication responses.


9. REFERENCES

1) RFC 3310
2) 3GPP TS 33.102 v 4.4.0 (2006)
3) An Illustrated Guide to Cryptographic Hashes - Steve Friedl
4) Building Converged networks with IMS technology - David Geer
5) IETF RFC 4169: Hypertext Transfer Protocol (HTTP) Digest Authentication Using Authentication and Key Agreement (AKA).
6) 3GPP TS 23.228: IP Multimedia Subsystem; Stage 2.


CONTENTS

1. INTRODUCTION
2. CONVERGED NETWORKS
2.1 WHAT IS CONVERGENCE?
2.2 IMPLEMENTING WITH THE REAL NETWORKS
3. IP MULTIMEDIA SUBSYSTEM
3.1 BASIC PRINCIPLES
3.2 VOICE OVER IP
4. AUTHENTICATION SCHEMES
4.1 BASIC AUTHENTICATION SCHEME
4.2 DIGEST AUTHENTICATION
4.3 PROVIDING MESSAGE INTEGRITY
4.4 MESSAGE FLOW
5. GENERATION OF AUTHENTICATION VECTORS
6. SECURING AGAINST EAVESDROPPING
7. FUTURE SCOPE
8. CONCLUSION
9. REFERENCES
