Network Working Group                                           A. Niemi
Request for Comments: 3310                                         Nokia
Category: Informational                                         J. Arkko
                                                             V. Torvinen
                                                                Ericsson
                                                          September 2002
Hypertext Transfer Protocol (HTTP) Digest Authentication
Using Authentication and Key Agreement (AKA)
Status of this Memo
This memo provides information for the Internet community. It does
not specify an Internet standard of any kind. Distribution of this
memo is unlimited.
Copyright Notice
Copyright (C) The Internet Society (2002). All Rights Reserved.
Abstract
This memo specifies an Authentication and Key Agreement (AKA) based
one-time password generation mechanism for Hypertext Transfer
Protocol (HTTP) Digest access authentication. The HTTP
Authentication Framework includes two authentication schemes: Basic
and Digest. Both schemes employ a shared secret based mechanism for
access authentication. The AKA mechanism performs user
authentication and session key distribution in Universal Mobile
Telecommunications System (UMTS) networks. AKA is a challenge-
response based mechanism that uses symmetric cryptography.
Niemi, et. al. Informational [Page 1]
RFC 3310 HTTP Digest Authentication Using AKA September 2002
Table of Contents
1. Introduction and Motivation . . . . . . . . . . . . . . . . . 2
1.1 Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 3
1.2 Conventions . . . . . . . . . . . . . . . . . . . . . . . . . 4
2. AKA Mechanism Overview . . . . . . . . . . . . . . . . . . . . 4
3. Specification of Digest AKA . . . . . . . . . . . . . . . . . 5
3.1 Algorithm Directive . . . . . . . . . . . . . . . . . . . . . 5
3.2 Creating a Challenge . . . . . . . . . . . . . . . . . . . . . 6
3.3 Client Authentication . . . . . . . . . . . . . . . . . . . . 7
3.4 Synchronization Failure . . . . . . . . . . . . . . . . . . . 7
3.5 Server Authentication . . . . . . . . . . . . . . . . . . . . 8
4. Example Digest AKA Operation . . . . . . . . . . . . . . . . . 8
5. Security Considerations . . . . . . . . . . . . . . . . . . . 12
5.1 Authentication of Clients using Digest AKA . . . . . . . . . . 13
5.2 Limited Use of Nonce Values . . . . . . . . . . . . . . . . . 13
5.3 Multiple Authentication Schemes and Algorithms . . . . . . . . 14
5.4 Online Dictionary Attacks . . . . . . . . . . . . . . . . . . 14
5.5 Session Protection . . . . . . . . . . . . . . . . . . . . . . 14
5.6 Replay Protection . . . . . . . . . . . . . . . . . . . . . . 15
5.7 Improvements to AKA Security . . . . . . . . . . . . . . . . . 15
6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 15
6.1 Registration Template . . . . . . . . . . . . . . . . . . . . 16
Normative References . . . . . . . . . . . . . . . . . . . . . 16
Informative References . . . . . . . . . . . . . . . . . . . . 16
A. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 17
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . 17
Full Copyright Statement . . . . . . . . . . . . . . . . . . . 18
1. Introduction and Motivation
The Hypertext Transfer Protocol (HTTP) Authentication Framework,
described in RFC 2617 [2], includes two authentication schemes: Basic
and Digest. Both schemes employ a shared secret based mechanism for
access authentication. The Basic scheme is inherently insecure in
that it transmits user credentials in plain text. The Digest scheme
improves security by hiding user credentials with cryptographic
hashes, and additionally by providing limited message integrity.
The Authentication and Key Agreement (AKA) [6] mechanism performs
authentication and session key distribution in Universal Mobile
Telecommunications System (UMTS) networks. AKA is a challenge-
response based mechanism that uses symmetric cryptography. AKA is
typically run in a UMTS IM Services Identity Module (ISIM), which
resides on a smart-card-like device that also provides tamper-resistant
storage of shared secrets.
This document specifies a mapping of AKA parameters onto HTTP Digest
authentication. In essence, this mapping enables the usage of AKA as