A hash-based authentication scheme for SIP against off-line password guessing attacks

Yen-Ching Lin1, Tzong-Chen Wu2,3, and Wei-Hua He4

1 Networked Communications Program Office (NCPO), National Taiwan University, #1, Sec. 4, Roosevelt Rd., Taipei, 106, Taiwan, R.O.C.
2 Department of Information Management, National Taiwan University of Science and Technology (NTUST), #43, Sec. 4, Keelung Rd., Taipei, 106, Taiwan, R.O.C.
3 Taiwan Information Security Center at NTUST (TWISC@NTUST)
4 Department of Computer Science and Information Management, ShooChow University, #70, Linhsi Rd., Shihlin, Taipei, 104, Taiwan, R.O.C.

Abstract. The Session Initiation Protocol (SIP) is a signaling protocol widely used for multimedia services on both wired and wireless networks. SIP authentication is inherited from the HTTP Digest Authentication scheme, which is a password-based authentication protocol. However, the HTTP Digest Authentication scheme is vulnerable to off-line password guessing attacks and server spoofing attacks. Recently, some hash-based HTTP Digest Authentication schemes for SIP have been proposed, but those schemes cannot resist off-line password guessing attacks. In this paper, we propose a simple and efficient authentication scheme for SIP that resists password guessing attacks, server spoofing attacks, stolen-verifier attacks, and replay attacks. In addition, our proposed scheme is suitable for power- and computation-constrained SIP signaling applications, and requires only one-way hash functions and XOR operations.

Keywords: Session Initiation Protocol, HTTP Digest Authentication scheme, off-line password guessing attacks, server spoofing attacks

1 Introduction

The Session Initiation Protocol (SIP) is an application-layer signaling protocol for creating, modifying, and terminating multimedia sessions with one or more participants. SIP is rapidly becoming the dominant signaling protocol for calls over the Internet, and it has quickly made large inroads into the Voice over IP (VoIP) market. Regarding security, the SIP specification in Internet Engineering Task Force (IETF) RFC 3261 [1] does not include any specific security mechanisms. Instead, it suggests the use of other well-known Internet security mechanisms, such as HTTP Digest Authentication (HTTP DA) [2], Transport Layer Security (TLS), IP Security (IPSec), and Secure MIME (S/MIME). When a user wants to access a SIP service, he/she has to perform an authentication process in order to get services from the remote server. Therefore, user identity authentication is one of the most important issues for SIP.

SIP authentication is inherited from HTTP DA [2], which is a password-based authentication protocol. However, the HTTP DA [2] scheme is vulnerable to off-line password guessing attacks and server spoofing attacks. Because of those problems, Yang et al. [3], Durlanik et al. [4], Wu et al. [5], Yoon et al. [6], and Arshad and Ikram [7] each proposed variant SIP authentication and key exchange schemes. Those schemes resist off-line password guessing attacks by relying on the Discrete Logarithm Problem (DLP) [8] or the Elliptic Curve Discrete Logarithm Problem (ECDLP) [9]. Hence, those schemes are not lightweight for SIP signaling and are not suitable for the VoIP environment. To solve the above problems, Guillet et al. [10] and Tsai [11] each proposed SIP mutual authentication protocols using a one-way hash function. However, their schemes do not resist off-line password guessing attacks and stolen-verifier attacks.

In this paper, we propose a hash-based mutual authentication scheme for SIP. Our proposed scheme resists password guessing attacks, server spoofing attacks, stolen-verifier attacks, and replay attacks. In addition, our proposed scheme is suitable for power- and computation-constrained SIP signaling applications, and requires only one-way hash functions and XOR operations.

2 Paper Preparation

Based on HTTP DA, the proposed scheme uses a Client-Server architecture. There is a SIP service server that handles Client registration when the Client joins the SIP service system and Client authentication when the Client logs in to the system. The Client has a SIP service device, which is used for storing the secret information, generating nonces, and computing XOR and the one-way hash function. The proposed scheme can be divided into two phases, namely the registration phase and the authentication phase. For the rest of the paper, the notations used are as follows:

ni      The nonce generated by Client for the ith session
si      The nonce generated by Server for the ith session
ID      The Client’s identity, including username, IP address, etc.
realm   The Server’s domain realm
p       The pre-shared password between Client and Server
wi      The one-time password used at the ith session
x       The Server’s system master secret key
k       The pre-shared secret key between Client and Server
        The expected valid time interval for transmission delay
H       The cryptographic one-way hash function

2.1 Registration phase

When Client wants to register with the SIP service server, he/she selects an identity ID and password p, and then sends {ID, H(p)} to Server over a secure channel. Upon receiving {ID, H(p)}, Server generates the shared secret key k and saves k in the Client’s SIP service device. To protect the Client’s password and the shared secret key, Server computes v1 = H(p)⊕H(ID, x) and v2 = k⊕H(ID, x), and then saves ID, v1, and v2 in the verification table.

2.2 Authentication phase

If a legal user wants to log in to the SIP service server, he/she keys in ID and password p. Then he/she performs the following steps to log in at the ith session.

Step 1. Client first inputs his/her ID and password p and then computes the one-time sub-password wi = H(k, ti)⊕H(p) and the authentication information Qi = H(ID, wi, ti), where ti is the current date and time. Finally, Client sends {ID, ti, Qi} to Server.

Step 2. Upon receiving {ID, ti, Qi} at the time t’i, Server authenticates Client with the following steps:
(2.1) Verify the validity of the time interval between ti and t’i. If ti - t’i > , Server rejects the login request.
(2.2) Compute the one-time sub-password w’i = H(k, ti)⊕H(p), and then compute Q’i = H(ID, w’i, ti). If Q’i = Qi, Server accepts the login request.
(2.3) Generate a nonce si, and then compute zi = si⊕w’i and Ci = H(zi, si, realm, ID, w’i). Finally, Server sends {zi, realm, ID, Ci} to Client.

Step 3. Upon receiving {zi, realm, ID, Ci}, Client authenticates Server with the following steps:
(3.1) Compute s’i = zi⊕wi and C’i = H(zi, s’i, realm, ID, wi). If C’i = Ci, Client accepts Server’s proof of identity.
(3.2) Generate a nonce ni, and then compute Ri = H(si, ni, ID, realm). Finally, Client sends {ni, ID, realm, Ri} to Server.

Step 4. Upon receiving {ni, ID, realm, Ri}, Server computes R’i = H(si, ni, ID, realm). If R’i = Ri, Server accepts Client’s proof of identity.
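The registration phase and the four authentication steps above, with both sides' computations, as an added example that is not the authors' code. It assumes SHA-256 for H with length-prefixed fields, integer timestamps, a 5-second window checked as an absolute difference, and hypothetical class and method names.

```python
import hashlib, hmac, os

def H(*parts):
    """H over several fields (assumption: SHA-256, length-prefixed fields)."""
    h = hashlib.sha256()
    for p in parts:
        b = p if isinstance(p, bytes) else str(p).encode()
        h.update(len(b).to_bytes(4, "big") + b)
    return h.digest()

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

class Server:
    def __init__(self, realm, window=5):
        self.x, self.realm, self.window = os.urandom(32), realm, window
        self.table, self.pending = {}, {}   # verification table; nonce si per ID
    def register(self, ID, hp):             # registration: receives {ID, H(p)}
        k, mask = os.urandom(32), H(ID, self.x)
        self.table[ID] = (xor(hp, mask), xor(k, mask))   # v1, v2
        return k                            # saved in the Client's device
    def step2(self, ID, t, Q, now):
        # (2.1) freshness; the absolute difference is an assumption of this sketch
        if ID not in self.table or abs(now - t) > self.window:
            return None
        (v1, v2), mask = self.table[ID], H(ID, self.x)
        w = xor(H(xor(v2, mask), t), xor(v1, mask))   # (2.2) w'i = H(k, ti) xor H(p)
        if not hmac.compare_digest(H(ID, w, t), Q):
            return None
        self.pending[ID] = s = os.urandom(32)         # (2.3) nonce si
        z = xor(s, w)
        return z, self.realm, ID, H(z, s, self.realm, ID, w)
    def step4(self, n, ID, realm, R):
        s = self.pending.pop(ID, None)      # si is single-use, so Ri cannot be replayed
        return s is not None and hmac.compare_digest(H(s, n, ID, realm), R)

class Client:
    def __init__(self, ID, p, k):
        self.ID, self.hp, self.k = ID, H(p), k
    def step1(self, t):
        self.w = xor(H(self.k, t), self.hp)           # wi = H(k, ti) xor H(p)
        return self.ID, t, H(self.ID, self.w, t)      # {ID, ti, Qi}
    def step3(self, z, realm, ID, C):
        s = xor(z, self.w)                            # s'i = zi xor wi
        if not hmac.compare_digest(H(z, s, realm, ID, self.w), C):
            return None                               # Server not authenticated
        n = os.urandom(16)
        return n, ID, realm, H(s, n, ID, realm)       # {ni, ID, realm, Ri}
```

The Server never stores k or H(p) directly; it unmasks v1 and v2 with H(ID, x) on each login, which is what the stolen-verifier argument in the security analysis relies on.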

3 Security Analysis

We now analyze the security of our proposed scheme. Assume that the hash function H is a secure, collision-free, one-way hash function (SHF), and that the Server’s secret key x and the Client’s shared key k are under strict protection. In the following, we briefly show that our proposed scheme is resistant to the following known attacks.

(1) Off-line password guessing attacks: An attacker can try to find a weak password by repeatedly guessing possible passwords and verifying the correctness of the guesses based on information obtained in an off-line manner. If an attacker intercepts {ID, ti, Qi}, {zi, realm, ID, Ci} and {ni, ID, realm, Ri} in the ith session, he/she cannot recover the password p by off-line guessing attacks, because the SHF is computationally infeasible to invert.

(2) Server spoofing attacks: The proposed scheme uses the shared value k and password p to provide mutual authentication between Server and Client. In the authentication phase, the attacker cannot masquerade as the Server to send {zi, realm, ID, Ci} to the Client, because the attacker cannot compute Ci without knowing the pre-shared secret key k and password p.

(3) Stolen-verifier attacks: An attacker may acquire v1 = H(p)⊕H(ID, x) and v2 = k⊕H(ID, x) stored in Server. However, without knowing the system master secret key x, the attacker cannot obtain the pre-shared secret key k and the hashed password H(p), and therefore cannot forge a valid {ID, ti, Qi} and {ni, ID, realm, Ri}. Therefore, the proposed scheme can resist stolen-verifier attacks.

(4) Replay attacks: A replay attack occurs when an attacker tries to impersonate Client to log in to the server by resending a message transmitted between Client and Server. Our proposed scheme uses the one-time password property, the verification of the valid time interval for transmission delay, and a one-time nonce to prevent this type of attack.

4 Conclusions

In this paper, we propose a simple and efficient authentication scheme for SIP that resists password guessing attacks, server spoofing attacks, stolen-verifier attacks, and replay attacks. In addition, our proposed scheme is suitable for power- and computation-constrained SIP signaling applications, and requires only one-way hash functions and XOR operations.

Acknowledgments. This paper was partially supported by National Science Council, ROC, under the grant numbers NSC 100-3113-P-002-002-PO (Networked Communications Program, NCP), NSC 98-2221-E-011-073-MY3, NSC 99-2218-E011-011, and NSC 100-2219-E-011-002.

References

[1] Rosenberg, J., Schulzrinne, H., Camarillo, G., Johnston, A., Peterson, J., and Sparks, R.: SIP: Session Initiation Protocol. IETF RFC-3261 (2002)
[2] Franks, J., Hallam-Baker, P., Hostetler, J., Lawrence, S., Leach, P., and Luotonen, A.: HTTP authentication: basic and digest access authentication. IETF RFC-2617 (1999)
[3] Yang, C.C., Wang, R.C., and Liu, W.T.: Secure authentication scheme for session initiation protocol. Comput. & Secur., 24, (5), pp. 381--386 (2005)
[4] Durlanik, A., and Sogukpinar, I.: SIP authentication scheme using ECDH. World Academy of Science, Engineering and Technology, 8, pp. 350--353 (2005)
[5] Wu, L., Zhang, Y., and Wang, F.: A new provably secure authentication and key agreement protocol for SIP using ECC. ACM SIGARCH Comput. Architecture News, 32, (3), pp. 286--291 (2009)
[6] Yoon, E.J., Yoo, K.Y., Kim, C., Hong, Y.S., Jo, M., and Chen, H.H.: A secure and efficient SIP authentication scheme for converged VoIP networks. Comput. Commun., 33, (14), pp. 1674--1681 (2010)
[7] Arshad, R., and Ikram, N.: A novel mutual authentication scheme for session initiation protocol based on elliptic curve cryptography. Proc. Int. Conf. on Advanced Commun. Tech. 2011, Seoul, pp. 705--710 (2011)
[8] Diffie, W., and Hellman, M.E.: New directions in cryptography. IEEE Trans. Inf. Theory, IT-22, pp. 644--654 (1976)
[9] Koblitz, N.: Elliptic curve cryptosystem. Mathematics of Computation, 48, pp. 203--209 (1987)
[10] Guillet, T., Serhrouchni, A., and Badra, M.: Mutual authentication for SIP: a semantic meaning for the SIP opaque values. Proc. Int. Conf. on New Technologies, Mobility and Security, Tangier, pp. 1--6 (2008)
[11] Tsai, J.L.: Efficient nonce-based authentication scheme for session initiation protocol. Int. J. of Net. Secur., 9, (1), pp. 12--16 (2009)
