[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: [Sip] Request header integrity in HTTP Digest

To: "'aki.niemi@nokia.com'" <aki.niemi@nokia.com>, jundery@ubiquity.net
Subject: RE: [Sip] Request header integrity in HTTP Digest
From: Jonathan Rosenberg <jdrosen@dynamicsoft.com>
Date: Tue, 26 Jun 2001 18:18:40 -0400
Cc: sip@ietf.org
List-Id: Session Initiation Protocol <sip.ietf.org>
Sender: sip-admin@ietf.org



 

> -----Original Message-----
> From: aki.niemi@nokia.com [mailto:aki.niemi@nokia.com]
> Sent: Tuesday, June 26, 2001 10:48 AM
> To: jundery@ubiquity.net; jdrosen@dynamicsoft.com
> Cc: sip@ietf.org
> Subject: RE: [Sip] Request header integrity in HTTP Digest
> 
> 
> Hi,
> 
> May have missed some points in this thread. But let's not 
> totally trash this
> idea, creative usage of nonce values does indeed increase 
> security. I think
> this is stated in 2617, and this draft is exactly that, a 
> creative usage of
> nonce values.
> 
> But I have to agree with James on the fact, that ultimatelly, the same
> threats present with digest are still present with pnonce. 
> Hence, it doesn't
> deliver the goods it promises, which is integrity of headers.

I will back down on the statement that it provides header integrity, because
of the MITM attack that I agree is still possible.

However, it prevents against replay attacks which modify protected header
fields. These attacks can also be prevented with one time nonces. I will
agree that the approach cannot prevent any attacks that are prevented by
one-time nonces in rfc2617. But as the draft points out, one time nonces
require state in the server between the original request, and the new
request with credentials. As a result of this, the server becomes amenable
to DoS attacks since it stores state for unauthenticated requests. The
proposed mechanism, which is well within the spirit of rfc2617, which allows
for creative nonces as Aki has pointed out, provides the same benefits as
one time nonces without the cost of state.

In any case, its a local choice at the server, and need not be standardized.
If you think it won't help you, don't do it.

-Jonathan R.



---
Jonathan D. Rosenberg, Ph.D.                72 Eagle Rock Ave.
Chief Scientist                             First Floor
dynamicsoft                                 East Hanover, NJ 07936
jdrosen@dynamicsoft.com                     FAX:   (973) 952-5050
http://www.jdrosen.net                      PHONE: (973) 952-5000
http://www.dynamicsoft.com


_______________________________________________
Sip mailing list  http://www.ietf.org/mailman/listinfo/sip
This list is for NEW development of the core SIP Protocol
Use sip-implementors@cs.columbia.edu for questions on current sip
Use sipping@ietf.org for new developments on the application of sip

Prev by Date: RE: [SIP] Congestion control
Next by Date: RE: [Sip] [Sip-implementors] another problem related to multiple call l egs at UAC
Previous by thread: Re: [Sip] Request header integrity in HTTP Digest
Next by thread: Re: [Sip] Request header integrity in HTTP Digest
Index(es):
- Date
- Thread