established during registration. The procedures in TS 24.229, clause 5.2.6.3 apply in the P-CSCF without changes. A minor change of the local S-CSCF behaviour is required when the mechanism is used in conjunction with SIP Digest proxy-authentication, cf. next paragraph.

- SIP Digest proxy-authentication: This case is different from the previous cases in that proxy-authentication is transparent to the P-CSCF. The P-CSCF therefore cannot assert any identity to the S-CSCF. However, the S-CSCF has now secure knowledge of the user’s private identity. The P-CSCF-related procedures in TS 24.229, clause 5.2.6.3 therefore can remain the same only when they are used in conjunction with the IP address check. In order to cover a potential error condition of a mismatch in the S-CSCF between the identity asserted by the P-CSCF by means of IP address check and the identity verified by the S-CSCF by means of Digest proxy-authentication, the rule is added that the latter shall take precedence as Digest proxy-authentication is the stronger of the two mechanisms, cf. below.

Q.3 Strengths and boundary conditions for the use of authentication mechanisms for non-registration messages

- TLS: During the set-up phase SIP Digest with TLS is somewhat weaker than IMS AKA with IPsec because the client end of the TLS tunnel is authenticated by means of the password-based Digest mechanism, and not the UICC-based AKA mechanism, and because the session keys are cryptographically tied to authentication with IMS AKA, which is not the case for SIP Digest with TLS. But once the TLS tunnel has been set up securely, the strengths of TLS and IPsec are comparable, and no attacks, except attacks on the security of endpoint platforms, seem feasible. TLS requires TCP and does not work for UDP.

- SIP Digest proxy-authentication: This mechanism is weaker than TLS or IPsec because the message origin authentication relies on a message authentication code (the Digest response in the Proxy-Authorization header), which is not cryptographically tied to the body nor to the header of the SIP message. (Note that qop = auth-int, which would at least provide a cryptographic tie with the message body, cannot be used in the IMS context.) Therefore, certain man-in-the-middle attacks are theoretically conceivable where an attacker could “steal” a Digest response from one message and append it to another. These attacks may, however, be impractical in many deployment scenarios so that the SIP Digest proxy-authentication provides sufficient security in these scenarios. An attacker being only able to spoof source IP address and port would not be able to break SIP Digest proxy-authentication.

3GPP TS 33.203 V12.67.0 (2014-0609) 96 Release 12
There would be no technical problem in using SIP Digest proxy-authentication together with TLS, but the only security advantage would be increased home control, in case the P-CSCF is in a visited network.
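
The statement above that the Digest response is not tied to the body or the header of the SIP message follows from the RFC 2617 computation, which only takes in the method, the Request-URI and, for qop = auth-int, a hash of the body. The following is an added example, not part of TS 33.203; the credentials, nonce values and messages are constructed, and the function names are assumptions of this sketch.

```python
import hashlib

def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode("utf-8")).hexdigest()

def digest_response(cred, msg, nonce, nc, cnonce, qop):
    """RFC 2617 request-digest (algorithm=MD5) for qop 'auth' or 'auth-int'."""
    ha1 = md5_hex(f"{cred['user']}:{cred['realm']}:{cred['password']}")
    a2 = f"{msg['method']}:{msg['uri']}"      # the only message fields covered by 'auth'
    if qop == "auth-int":
        a2 += ":" + md5_hex(msg["body"])      # auth-int additionally covers the body
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{md5_hex(a2)}")

# Constructed sample values (not taken from TS 33.203 or TS 24.229).
CRED = {"user": "alice_private@home.example", "realm": "home.example",
        "password": "constructed-password"}
NONCE, NC, CNONCE = "c0ffee0123456789", "00000001", "0a4f113b"

MSG_A = {"method": "MESSAGE", "uri": "sip:bob@home.example",
         "headers": {"Subject": "lunch"}, "body": "See you at noon"}
# Same method and Request-URI as MSG_A, different header and body.
MSG_B = {"method": "MESSAGE", "uri": "sip:bob@home.example",
         "headers": {"Subject": "other"}, "body": "Different text"}
# Same as MSG_A except for one header value.
MSG_C = dict(MSG_A, headers={"Subject": "changed"})
# Same as MSG_A except for the method.
MSG_D = dict(MSG_A, method="INVITE")

def same_response(m1, m2, qop):
    """True when both messages yield the same Proxy-Authorization response."""
    return (digest_response(CRED, m1, NONCE, NC, CNONCE, qop)
            == digest_response(CRED, m2, NONCE, NC, CNONCE, qop))

if __name__ == "__main__":
    for qop in ("auth", "auth-int"):
        print(qop, "header and body differ ->", same_response(MSG_A, MSG_B, qop))
        print(qop, "header differs only    ->", same_response(MSG_A, MSG_C, qop))
        print(qop, "method differs         ->", same_response(MSG_A, MSG_D, qop))
```

With qop = auth the response is identical for any two requests that share method, Request-URI and nonce parameters; auth-int would detect a changed body but still not a changed header, which is why the annex rates TLS and IPsec as stronger.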