
RE: [Sip] Request header integrity in HTTP Digest

James Undery wrote:

> 
> aki.niemi@nokia.com wrote:
> 
> > Hi,
> >
> > > Corey Gates wrote:
> > >
> > > > Jonathan,
> > > >
> > > > I believe you left out the "private-key" in the nonce computation in
> > > > draft-rosenberg-sip-http-pnonce-00.txt.  The nonce should be:
> > > >
> > > > nonce = H(source-IP:<canonicalization of headers to be
> > > > protected>:round-time:private-key)
> > > >
> > > > Without this the nonce could be generated.
> > >
> > > I fail to see what you've gained by hashing the password into
> > > the nonce. The nonce is only really there so the server can be sure
> > > the client's messages aren't just being replayed; the client will
> > > hash in the password to provide authentication. (Obviously this
> > > explanation is very simplistic.)
> >
> > As in RFC 2617, I think what was meant here was, that the private-key is
> > just some data only known to the server and not the shared secret
> > (password).
> >
> > I think this would also make sense for pnonce, since otherwise all
> > information contained in the hash can readily be found from the message
> > itself.
> 
> True, although it is only a suggestion for nonce generation, and digest
> authentication is quite weak.  The real problem with this draft is it is
> just plain broken. To my mind it is also unfixable until backwards
> compatibility is lost, i.e. the client explicitly includes the required
> headers in the credentials along with the server provided time stamp.
> Unless this is done a MITM attack will always be possible. (Then again I
> could be wrong about the fixability as security is a hard problem, not
> suited to the amateur I am.)
> 
> James Undery

I agree that the draft is broken with respect to MITM attacks.  But without
the private-key known only to the server, the nonce generation is also
broken such that an attacker can get a client to generate credentials for
nonces that can be used later, even when the client is offline and the
attacker is no longer in the "middle"!

Again, I agree that Man-in-the-Middle attacks are not addressed in the
draft.  I just don't want someone to go off and implement a nonce generation
scheme that is less secure than RFC 2617...

Corey Gates
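As an added illustration (not part of this thread, the draft, or RFC 2617), here is a Python sketch of the nonce construction Corey describes and of the server-side check that goes with it. It assumes SHA-256 as H, a 60-second round, and a stand-in canonicalization of the protected headers; the server secret and request fields are constructed sample values. The last function shows the point of the private-key input: a nonce recomputed from message-visible fields alone is only accepted when the server itself uses no private key.

```python
import hashlib
import hmac

# Constructed values for this example; a real server uses a random secret
# that never leaves the server.
SERVER_PRIVATE_KEY = b"constructed-server-secret"
ROUND_SECONDS = 60  # assumed round length; the draft does not fix one here


def canonicalize(headers):
    """Assumed canonicalization of the protected headers: lower-case names,
    collapsed whitespace in values, sorted by name, one "name:value" per line.
    (A stand-in; the draft's own rules are not reproduced.)"""
    items = sorted((name.lower(), " ".join(value.split()))
                   for name, value in headers.items())
    return "\n".join(f"{name}:{value}" for name, value in items)


def round_time(now, round_seconds=ROUND_SECONDS):
    """Start of the round containing `now` (integer seconds)."""
    return int(now) // round_seconds * round_seconds


def make_nonce(source_ip, headers, now, private_key):
    """nonce = H(source-IP:<canonical headers>:round-time:private-key).
    Passing private_key=b"" gives the key-less form Corey objects to."""
    material = b":".join([
        source_ip.encode(),
        canonicalize(headers).encode(),
        str(round_time(now)).encode(),
        private_key,
    ])
    return hashlib.sha256(material).hexdigest()


def verify_nonce(nonce, source_ip, headers, now, private_key):
    """Server-side check: recompute for the current round and the previous
    one (so a request straddling a round boundary is still accepted) and
    compare in constant time. A changed protected header, a different
    source IP or an older round makes the recomputation differ."""
    for candidate_time in (now, now - ROUND_SECONDS):
        expected = make_nonce(source_ip, headers, candidate_time, private_key)
        if hmac.compare_digest(expected, nonce):
            return True
    return False


def outsider_nonce_accepted(source_ip, headers, now, server_key):
    """Does a nonce computed from message-visible fields alone (no server
    key) pass the server's check? True only when the server uses no private
    key, which is the weakness the message above points out."""
    guessed = make_nonce(source_ip, headers, now, b"")
    return verify_nonce(guessed, source_ip, headers, now, server_key)


if __name__ == "__main__":
    # Constructed sample request fields.
    ip = "192.0.2.10"
    protected = {"From": "<sip:alice@example.com>",
                 "To": "<sip:bob@example.com>",
                 "Call-ID": "constructed-call-id@example.com"}
    t = 1_000_020
    print("keyed server, outsider nonce accepted:",
          outsider_nonce_accepted(ip, protected, t, SERVER_PRIVATE_KEY))
    print("key-less server, outsider nonce accepted:",
          outsider_nonce_accepted(ip, protected, t, b""))
```

The one-round grace in `verify_nonce` is a design choice for the example: it keeps a request sent just before a round boundary valid, at the cost of a window up to two rounds long; tighten it if the deployment can tolerate a retry on boundary misses.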

_______________________________________________
Sip mailing list
Sip@ietf.org
http://www.ietf.org/mailman/listinfo/sip