Re: [Sip] Request header integrity in HTTP Digest





aki.niemi@nokia.com wrote:

> Hi,
>
> > Corey Gates wrote:
> >
> > > Jonathan,
> > >
> > > I believe you left out the "private-key" in the nonce computation in
> > > draft-rosenberg-sip-http-pnonce-00.txt.  The nonce should be:
> > >
> > > nonce = H(source-IP:<canonicalization of headers to be
> > > protected>:round-time:private-key)
> > >
> > > Without this the nonce could be generated.
> >
> > I fail to see what you've gained by hashing the password into the
> > nonce. The nonce is only really there so the server can be sure the
> > client's messages aren't just being replayed; the client will hash in
> > the password to provide authentication. (Obviously this explanation is
> > very simplistic.)
>
> As in RFC 2617, I think what was meant here was that the private-key is
> just some data only known to the server and not the shared secret
> (password).
>
> I think this would also make sense for pnonce, since otherwise all
> information contained in the hash can readily be found from the message
> itself.

True, although it is only a suggestion for nonce generation, and digest
authentication is quite weak.  The real problem with this draft is it is
just plain broken. To my mind it is also unfixable until backwards
compatibility is lost, i.e. the client explicitly includes the required
headers in the credentials along with the server-provided time stamp. Unless
this is done a MITM attack will always be possible. (Then again I could be
wrong about the fixability, as security is a hard problem, not suited to the
amateur I am.)

James Undery
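
Added example (not part of the thread and not code from draft-rosenberg-sip-http-pnonce-00): the nonce formula quoted above in Python, comparing a server that hashes in a private-key with one that does not. SHA-256 as H, the canonicalization, the 30-second round-time window and all sample values are assumptions.

```python
import hashlib
import hmac

ROUND_SECONDS = 30  # assumed width of the "round-time" window

def canonicalize(headers, protected):
    # Assumed canonical form: lower-cased name, trimmed value, sorted by name.
    return "\n".join(f"{n.lower()}:{headers[n].strip()}"
                     for n in sorted(protected, key=str.lower))

def pnonce(source_ip, headers, protected, now, private_key=None):
    # nonce = H(source-IP:<canonical headers>:round-time[:private-key])
    parts = [source_ip, canonicalize(headers, protected),
             str(int(now) // ROUND_SECONDS)]
    if private_key is not None:
        parts.append(private_key)
    return hashlib.sha256(":".join(parts).encode()).hexdigest()

def server_accepts(nonce, source_ip, headers, protected, now, private_key=None):
    # Recompute for the current and the previous window and compare.
    return any(
        hmac.compare_digest(nonce, pnonce(source_ip, headers, protected, t, private_key))
        for t in (now, now - ROUND_SECONDS))

# Constructed sample request (documentation addresses, not real traffic).
IP = "192.0.2.10"
PROTECTED = ["To", "From", "Contact"]
HEADERS = {"To": "sip:bob@example.com", "From": "sip:alice@example.com",
           "Contact": "sip:alice@192.0.2.10"}
ALTERED = dict(HEADERS, Contact="sip:other@198.51.100.7")
KEY = "server-only-secret"  # constructed value, known only to the server
T0 = 1_000_000_000

def compare_variants():
    # A nonce computed from message fields alone, over altered headers.
    computed = pnonce(IP, ALTERED, PROTECTED, T0)
    genuine = pnonce(IP, HEADERS, PROTECTED, T0, KEY)
    return {
        "keyless_accepts_computed": server_accepts(computed, IP, ALTERED, PROTECTED, T0),
        "keyed_accepts_computed": server_accepts(computed, IP, ALTERED, PROTECTED, T0, KEY),
        "keyed_accepts_genuine": server_accepts(genuine, IP, HEADERS, PROTECTED, T0 + 20, KEY),
        "keyed_accepts_altered": server_accepts(genuine, IP, ALTERED, PROTECTED, T0 + 20, KEY),
        "keyed_accepts_stale": server_accepts(genuine, IP, HEADERS, PROTECTED, T0 + 90, KEY),
    }

if __name__ == "__main__":
    for name, result in compare_variants().items():
        print(f"{name}: {result}")
```

This only covers the private-key point raised in the quoted messages; it does not show whether the draft as a whole resists the MITM concern in the reply.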

