[sip-comm-dev] a question about SIP digest


#1

Hi, dear all,
In SIP digest, which element starts a new challenge for the credential in
practice, SIP UA or proxy? Technically, cnonce and nonce, which one is
always changing and triggering a new credential negotiation?
In HTTP digest, it is SP's job to generate a new credential periodically by
feeding a new nonce to produce a challenge. This process happens after a
certain time, depending on local policy.
What is the situation in SIP digest? I was told every request (i.e. every
transaction) is challenged by proxy to prevent credential hijack and replay
attack, but in all openSER or SER configuration examples that I saw it is per
dialog. Credential negotiation happens upon receiving a new INVITE at the
proxy side. There is no such valid duration security policy in SIP proxy
like website in HTTP domain, as far as I know.

This issue is important to figure out a right policy to cache Authorization
header (or Authentication header), when hacking into sip-comm. If SIP digest
is in passive mode, i.e. proxy starts challenging, then the security cache
could be used as long as it is not challenged. In this case, nc and cnonce
only change when a new nonce is received.

BR

niepin

TML@HUT, Helsinki, Finland


#2

Hello Niepin,

According to RFC3261 it is up to the proxy to decide whether or not to
challenge a request.

I can't find the precise place in the RFC but I do believe that you are
supposed to cache credentials for a dialog (though you are not supposed
to do so across dialogs).

Cheers
Emil

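As an added example (not part of the thread and not SIP Communicator code), the following Python shows a UA-side credential cache for the per-dialog policy discussed above: a cached nonce is reused until the proxy sends a new challenge, and per RFC 2617 `nc` increments on every request that reuses that nonce. The `DigestCache` class, its (Call-ID, realm) key, the MD5 `qop=auth` choice and all sample values are assumptions made for illustration.

```python
import hashlib
import secrets


def md5_hex(text):
    return hashlib.md5(text.encode()).hexdigest()


class DigestCache:
    """Hypothetical UA-side cache of digest challenges, keyed by (Call-ID, realm)."""

    def __init__(self, username, password):
        self.username, self.password = username, password
        self.entries = {}  # (call_id, realm) -> {"nonce": str, "nc": int}

    def on_challenge(self, call_id, realm, nonce):
        # A 401/407 with a new nonce replaces the cached one and restarts nc.
        self.entries[(call_id, realm)] = {"nonce": nonce, "nc": 0}

    def authorize(self, call_id, realm, method, uri, cnonce=None):
        entry = self.entries.get((call_id, realm))
        if entry is None:
            return None  # no challenge seen in this dialog: send without credentials
        entry["nc"] += 1  # nc counts the requests sent with this nonce
        nc = format(entry["nc"], "08x")
        cnonce = cnonce or secrets.token_hex(8)
        ha1 = md5_hex(f"{self.username}:{realm}:{self.password}")
        ha2 = md5_hex(f"{method}:{uri}")
        response = md5_hex(f"{ha1}:{entry['nonce']}:{nc}:{cnonce}:auth:{ha2}")
        return {"username": self.username, "realm": realm, "nonce": entry["nonce"],
                "uri": uri, "qop": "auth", "nc": nc, "cnonce": cnonce,
                "response": response}


if __name__ == "__main__":
    # Constructed sample values, not taken from the thread.
    cache = DigestCache("alice", "constructed-password")
    cache.on_challenge("call-1", "example.invalid", "nonce-A")
    for method in ("INVITE", "BYE"):
        print(cache.authorize("call-1", "example.invalid", method, "sip:bob@example.invalid"))
    print(cache.authorize("call-2", "example.invalid", "INVITE", "sip:bob@example.invalid"))
```
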