Hi

I'm trying to implement support for handling challenges with algorithm 
"AKAv1-MD5". Somehow I don't seem to get the correct calculated response, and 
at the same time RFC3310 seems pretty straightforward.

AKAv1-MD5 consists of two steps, first calculate the RES using OperatorKey, 
SecretKey and RAND (using Milenage.f2). I have verified that this RES is the 
same as XRES sent to CSCF from HSS (I have a capture of Diameter traffic 
between those elements and can find XRES in an AVP of MAA).

The next step according to RFC3310 is to simply use the RES as 'password' in 
HTTP Digest (RFC 2617). Pretty easy, right?
The WWW-Authenticate header in 401 looks like this:
WWW-Authenticate:
Digest algorithm=AKAv1-MD5,
realm="realm",
nonce="CtLuNvjh254Q3Yx10PkGF8BMFlC+pwAALFEEq+ZPox8=",
ik="3c558bac29cad7d7377c52e30b71383e",
ck="c83d7447d360313b22eb8ed062e4898c"

Using secretKey, operatorKey and RAND I get RES= 36575d09db3173bd

Since there is no qop, I follow RFC2617 to get the response:
MD5(H(A1):nonce:H(A2))
Where
A1 = myUser:realm:36575d09db3173bd
A2 = REGISTER:sip:myRegistrar.org

This gives the input to the final calculation
MD5(f51c402fe89c57b68d103bd497ab1cbd:CtLuNvjh254Q3Yx10PkGF8BMFlC+pwAALFEEq+ZPox8=:9fe1f02246207cb97c55b9236d76bf13)
which in turn gives the response f0977e849015b918f21e645f24dd4847, which gets 
rejected by the CSCF.

Is it obvious where I have made a mistake? The only thing I can think of is 
that the password should maybe not be the HEX string, but instead some other 
format. But I have tested other formats with the same result: the response 
isn't accepted. Or should I do something else before using RES as password? 
Isn't it correct to simply use the RES (which has been verified to be the same 
as XRES from the Diameter capture)?

Does anyone know of a good example on the Internet where I can find call flows and 
the keys needed to do my own calculation? I have seen plenty of call flows, but 
haven't found one that also says which secretKey and operatorKey are used.

Regards,
// Andreas
_______________________________________________
Sip-implementors mailing list
Sip-implementors@lists.cs.columbia.edu
https://lists.cs.columbia.edu/mailman/listinfo/sip-implementors
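
An added example, not part of the original message: it computes the RFC 2617 no-qop response from the values quoted above, once with RES passed as hex text and once as its 8 raw octets, and splits the nonce into RAND and AUTN as RFC 3310 defines it. The function names are chosen for this sketch.

```python
import base64
import hashlib
import hmac

def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()

def digest_response(user, realm, password: bytes, nonce, method, uri) -> str:
    """RFC 2617 response without qop: MD5(H(A1):nonce:H(A2))."""
    # A1 is built as bytes so a binary password survives unchanged.
    a1 = f"{user}:{realm}:".encode() + password
    a2 = f"{method}:{uri}".encode()
    return md5_hex(f"{md5_hex(a1)}:{nonce}:{md5_hex(a2)}".encode())

def candidate_responses(user, realm, res_hex, nonce, method, uri) -> dict:
    """One response per way RES could be supplied as the 'password'."""
    passwords = {
        "hex-text": res_hex.encode("ascii"),   # 16 ASCII characters
        "raw-octets": bytes.fromhex(res_hex),  # 8 binary octets
    }
    return {name: digest_response(user, realm, pw, nonce, method, uri)
            for name, pw in passwords.items()}

def split_nonce(nonce: str):
    """RFC 3310: nonce = base64(RAND || AUTN || optional server data)."""
    raw = base64.b64decode(nonce, validate=True)
    if len(raw) < 32:
        raise ValueError("nonce too short to hold RAND and AUTN")
    return raw[:16], raw[16:32], raw[32:]

def response_matches(expected: str, received: str) -> bool:
    """Constant-time comparison, as a verifier should do it."""
    return hmac.compare_digest(expected.lower(), received.lower())

# Values quoted in the message above.
NONCE = "CtLuNvjh254Q3Yx10PkGF8BMFlC+pwAALFEEq+ZPox8="
RES_HEX = "36575d09db3173bd"

if __name__ == "__main__":
    rand, autn, extra = split_nonce(NONCE)
    print("RAND", rand.hex(), "AUTN", autn.hex(), "extra", extra.hex())
    for name, resp in candidate_responses(
            "myUser", "realm", RES_HEX, NONCE,
            "REGISTER", "sip:myRegistrar.org").items():
        print(f"{name:10} response={resp}")
```

Comparing both outputs with the response a registrar accepts in a capture shows which password encoding that registrar expects.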