
Re: [Sip] Request header integrity in HTTP Digest
Corey Gates wrote:

> Jonathan,
>
> I believe you left out the "private-key" in the nonce computation in
> draft-rosenberg-sip-http-pnonce-00.txt.  The nonce should be:
>
> nonce = H(source-IP:<canonicalization of headers to be
> protected>:round-time:private-key)
>
> Without this the nonce could be generated.

I fail to see what you've gained by hashing the password into the nonce; the nonce is only really there so the server can be sure the client's messages aren't just being replayed. The client will hash in the password to provide authentication. (Obviously this explanation is very simplistic.)

James Undery
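The nonce formula quoted above, worked through as an added example that is not part of this thread or of the draft it discusses. It builds the nonce as H(source-IP:canonical-headers:round-time:private-key) and then verifies it server-side within a small window of rounds. SHA-256 as H, the header canonicalization, the 60-second round length and the one-round acceptance window are all my assumptions; the IP address, header values and server key are constructed sample data.

```python
import hashlib
import hmac
from typing import Dict, Optional

# Constructed sample values; nothing here comes from the draft or the thread.
SERVER_PRIVATE_KEY = b"example-server-secret-do-not-reuse"
ROUND_SECONDS = 60  # assumed length of one "round-time" window


def canonicalize_headers(headers: Dict[str, str]) -> str:
    """Assumed canonical form for the protected headers: lower-case names,
    whitespace-stripped values, sorted by name, joined with ';'."""
    items = sorted(headers.items(), key=lambda kv: kv[0].lower())
    return ";".join(f"{name.lower()}:{value.strip()}" for name, value in items)


def round_time(now: float) -> int:
    """Coarse time counter so a nonce stays valid for a whole round."""
    return int(now) // ROUND_SECONDS


def compute_nonce(source_ip: str, headers: Dict[str, str], rt: int,
                  private_key: Optional[bytes]) -> str:
    """H(source-IP:canonical-headers:round-time[:private-key]).
    private_key=None models the keyless construction under discussion."""
    msg = ":".join([source_ip, canonicalize_headers(headers), str(rt)]).encode()
    if private_key is not None:
        msg += b":" + private_key
    return hashlib.sha256(msg).hexdigest()


def verify_nonce(nonce: str, source_ip: str, headers: Dict[str, str], now: float,
                 private_key: bytes, max_age_rounds: int = 1) -> bool:
    """Recompute the nonce for the current round and the previous
    max_age_rounds rounds; accept only on a constant-time match.
    Rebinding the nonce to the headers means a tampered header fails here."""
    rt = round_time(now)
    for r in range(rt, rt - max_age_rounds - 1, -1):
        expected = compute_nonce(source_ip, headers, r, private_key)
        if hmac.compare_digest(nonce, expected):
            return True
    return False


def demo() -> Dict[str, bool]:
    """Exercise the construction; returns the outcomes as a dict."""
    headers = {"Via": " SIP/2.0/UDP client.example.com", "From": "sip:alice@example.com"}
    ip = "192.0.2.10"
    now = 1_700_000_000.0
    issued = compute_nonce(ip, headers, round_time(now), SERVER_PRIVATE_KEY)

    tampered = dict(headers, From="sip:mallory@example.com")
    rt = round_time(now)
    return {
        # Genuine request within the window verifies.
        "valid": verify_nonce(issued, ip, headers, now, SERVER_PRIVATE_KEY),
        # Same nonce, one round later: still inside the one-round grace window.
        "valid_next_round": verify_nonce(issued, ip, headers, now + ROUND_SECONDS, SERVER_PRIVATE_KEY),
        # Two rounds later the nonce has aged out.
        "expired": verify_nonce(issued, ip, headers, now + 2 * ROUND_SECONDS, SERVER_PRIVATE_KEY),
        # A protected header was changed, so the recomputed nonce differs.
        "tampered_header": verify_nonce(issued, ip, tampered, now, SERVER_PRIVATE_KEY),
        # Keyless form: every input is public, so any party computes the same value.
        "keyless_reproducible": compute_nonce(ip, headers, rt, None) == compute_nonce(ip, headers, rt, None),
        # Keyed form: without the server key the value cannot be reproduced.
        "keyed_wrong_key_matches": compute_nonce(ip, headers, rt, b"guess") == issued,
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The `keyless_reproducible` and `keyed_wrong_key_matches` entries are the contrast Corey raises: with no server-held secret the nonce is a pure function of observable inputs, while the keyed form ties acceptance to something only the server holds; the `tampered_header` entry shows the header-integrity property the nonce binding is meant to provide.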


_______________________________________________
Sip mailing list
Sip@ietf.org
http://www.ietf.org/mailman/listinfo/sip