Hi, dear all,
In SIP digest, which element starts a new challenge for the credential in
practice, the SIP UA or the proxy? Technically, cnonce and nonce, which one is
always changing and triggering a new credential negotiation?
In HTTP digest, it is the SP's job to generate a new credential periodically by
feeding a new nonce to produce a challenge. This process happens after a
certain time, depending on local policy.
What is the situation in SIP digest? I was told every request (i.e. every
transaction) is challenged by the proxy to prevent credential hijacking and replay
attacks, but in all the openSER or SER configuration examples that I saw it is per
dialog. Credential negotiation happens upon receiving a new INVITE at the
proxy side. There is no such valid-duration security policy in a SIP proxy
like a website in the HTTP domain, as far as I know.
This issue is important to figure out a right policy to cache the Authorization
header (or Authentication header) when hacking into sip-comm. If SIP digest
is in passive mode, i.e. the proxy starts challenging, then the security cache
could be used as long as it is not challenged. In this case, nc and cnonce
only change when a new nonce is received.
TML@HUT, Helsinki, Finland
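Added example (not from this post, nor from SER/openSER or sip-comm): the RFC 2617 qop=auth response as a SIP UA computes it, next to a proxy-side check that lets the UA reuse a cached nonce across requests as long as nc keeps increasing, and flags a replayed request or an unknown nonce. Realm, user, password and the cnonce are constructed values.

```python
import hashlib
import os


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def digest_response(user, realm, password, method, uri, nonce, nc, cnonce, qop="auth"):
    """UA side: RFC 2617 response with qop=auth; nc is the 8-digit hex request counter."""
    ha1 = md5_hex(f"{user}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{nc:08x}:{cnonce}:{qop}:{ha2}")


class DigestVerifier:
    """Proxy side: a nonce it issued may be reused, but nc must strictly increase per nonce."""

    def __init__(self, realm, users):
        self.realm = realm
        self.users = users      # user -> password (constructed sample store)
        self.issued = {}        # nonce -> highest nc accepted so far

    def challenge(self):
        nonce = os.urandom(8).hex()  # fresh nonce sent in the 401/407 challenge
        self.issued[nonce] = 0
        return nonce

    def verify(self, user, method, uri, nonce, nc, cnonce, response):
        if nonce not in self.issued:
            return "stale"           # unknown or expired nonce: re-challenge
        if nc <= self.issued[nonce]:
            return "replay"          # nc repeated or went backwards: replayed request
        pwd = self.users.get(user, "")
        if digest_response(user, self.realm, pwd, method, uri, nonce, nc, cnonce) != response:
            return "bad-credentials"
        self.issued[nonce] = nc
        return "ok"


def scenario():
    """INVITE answered with nc=1, cached nonce reused for BYE with nc=2, then a replay."""
    proxy = DigestVerifier("example.com", {"alice": "s3cret"})
    nonce = proxy.challenge()
    cnonce, uri = "0a4f113b", "sip:bob@example.com"   # constructed client nonce
    r1 = digest_response("alice", "example.com", "s3cret", "INVITE", uri, nonce, 1, cnonce)
    r2 = digest_response("alice", "example.com", "s3cret", "BYE", uri, nonce, 2, cnonce)
    return [
        proxy.verify("alice", "INVITE", uri, nonce, 1, cnonce, r1),
        proxy.verify("alice", "BYE", uri, nonce, 2, cnonce, r2),
        proxy.verify("alice", "INVITE", uri, nonce, 1, cnonce, r1),   # captured copy replayed
        proxy.verify("alice", "BYE", uri, "deadbeef", 3, cnonce, r2),  # nonce never issued
    ]
```

Whether the proxy re-challenges per transaction or per dialog is then a local choice of nonce lifetime; the nc check is what makes reuse of a cached Authorization header safe in between.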