
RE: [Sip] Request header integrity in HTTP Digest



Hi,

> Corey Gates wrote:
> 
> > Jonathan,
> >
> > I believe you left out the "private-key" in the nonce computation in
> > draft-rosenberg-sip-http-pnonce-00.txt.  The nonce should be:
> >
> > nonce = H(source-IP:<canonicalization of headers to be
> > protected>:round-time:private-key)
> >
> > Without this the nonce could be generated.
> 
> I fail to see what you've gained by hashing the password into the nonce.
> The nonce is only really there so the server can be sure the client's
> messages aren't just being replayed; the client will hash in the password
> to provide authentication. (Obviously this explanation is very simplistic.)

As in RFC 2617, I think what was meant here was that the private-key is
just some data known only to the server, and not the shared secret
(password).

I think this would also make sense for pnonce, since otherwise all
information contained in the hash can readily be found from the message
itself.

Br,
Aki
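An added illustration of the point above (example code written for this thread, not from the draft or RFC 2617): the nonce binds the source IP, the protected headers and the time round, and the server-only private key is what keeps anyone without it from recomputing a matching nonce. The header set, the canonicalization rule and the 60-second round are assumptions; HMAC-SHA256 is used in place of the draft's plain hash concatenation.

```python
import hashlib
import hmac

# Constructed example values: a server-only secret and a 60-second round.
PRIVATE_KEY = b"example-server-private-key"   # never leaves the server
ROUND_SECONDS = 60


def canonicalize(headers):
    """Assumed canonical form: names lower-cased, whitespace collapsed, sorted by name."""
    items = sorted((k.lower(), " ".join(v.split())) for k, v in headers.items())
    return ",".join(f"{k}={v}" for k, v in items)


def round_time(now):
    """Round the clock down to the start of the current nonce round."""
    return int(now) // ROUND_SECONDS * ROUND_SECONDS


def make_nonce(source_ip, headers, now, private_key=PRIVATE_KEY):
    """nonce = H(source-IP : canonical headers : round-time : private-key).

    The private key is applied as an HMAC key instead of being concatenated,
    so the nonce cannot be recomputed by anyone who lacks the key, even
    though every other input is visible in the message.
    """
    material = f"{source_ip}:{canonicalize(headers)}:{round_time(now)}".encode()
    return hmac.new(private_key, material, hashlib.sha256).hexdigest()


def nonce_is_valid(nonce, source_ip, headers, now, private_key=PRIVATE_KEY):
    """Server-side check: recompute for the current and the previous round.

    A tampered protected header, a different source IP, a stale nonce or a
    nonce made under the wrong key all fail to match.
    """
    for t in (now, now - ROUND_SECONDS):
        expected = make_nonce(source_ip, headers, t, private_key)
        if hmac.compare_digest(nonce, expected):
            return True
    return False
```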

_______________________________________________
Sip mailing list
Sip@ietf.org
http://www.ietf.org/mailman/listinfo/sip