Re: [Mip4] dynamic keys
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Mip4] dynamic keys

Jeremy,

I'd like to clarify a few things:

1) The MN-AAA shared secret is used more than once
2) It is periodically refreshed
3) It is configured per mobile and is not shared by other mobiles
4) aaa-keys does not say how the key is periodically refreshed.

I've acted as the editor, addressing security review comments and other comments from IETF and 3GPP2 folks. Summary: (1) The MN-AAA secret had to be refreshed periodically. That was added to the text. (2) The term "security association" was overloaded; "mobility security association", etc., were added to the text. There was an IANA assignment that did not match earlier text in the draft, and other editorial nits. Those were fixed.


- Tom

PS In an earlier email, I provided a link to an MN-AAA shared secret provisioning 3GPP2 specification that uses https. A problem with provisioning in cdma2000 is that the mobile may not have an IP address at the time the provisioning server wishes to refresh the shared secret or other data, the phone may have just been purchased, etc., so there are radio network specific scenarios to be specified.


Jeremy A. Greene wrote:

I was referring to the offline attacks. Where does it say in the mip-key or diameter-aaa drafts that username/pw would only be used once?


From section 5 of the mip-key draft:


1. Using the Key Generation Nonce from the extension, the mobile

node calculates


key = HMAC-MD5 (AAA-key, {Key Generation Nonce || home

address})

...

The secret key used within the HMAC-MD5 computation is indicated by

the AAA Security Association indexed by the AAA SPI, which has been

previously configured as the basis for the AAA Security Association

between the mobile node and the AAA server creating the key material.


If I understand what you’re suggesting, the aaa-key above would be generated from a username/password on the MN (and HA, somehow). But the text above seems to imply it will be used every time the aaah sends a new nonce to create new ‘session’ keys.


And I still think there’s a practical issue of using passwords to create a hash on the MN since the HA won’t be able to verify it without the password clear-text to run through the same hash.


Sorry if I’m being slow on this, but everything with security is way too confusing!


Jeremy


-----Original Message-----
From: Henrik Levkowetz [mailto:henrik@levkowetz.com]
Sent: Wednesday, February 11, 2004 2:56 PM
To: Jeremy A. Greene
Cc: mip4@ietf.org; aaa-wg@merit.edu
Subject: Re: [Mip4] dynamic keys


Jeremy,


Wednesday 11 February 2004, Jeremy A. Greene wrote:

 But, more importantly, there's a concern in the 802.11, wpa area that



 touches on this:





 http://wifinetnews.com/archives/002452.html




 


No, there's no real similarity here.  The concern in this article is



that it uses a broken procedure to generate a temporary session key,



resulting in eavesdropping being possible, and goes on to discusses



offline attacks on the passphrase.  Offline attacks on an authenticating



password/username combination is not that relevant in a bootstrap



scenario where you only use a specific username/password combination



once, and any repeated use will be blocked.



 


      Henrik





--
Mip4 mailing list
Mip4@ietf.org
https://www.ietf.org/mailman/listinfo/mip4

























Note:  Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.