
Re: [Sip] Implementing SHA digest auth (new topic)



On Fri, 2009-01-02 at 17:45 +0100, Johansson Olle E wrote:
> So in that case, the implementation guideline for a UA set for both
> methods would be to first try with the strongest algorithm, then upon
> reception of a 401/407 to that one, test with the next one in list until it is
> out of algorithms in which case the 401/407 means that the password is indeed
> wrong.

I don't see why you'd want to have a multiple-try algorithm -- if you're
willing to send the MD5 hash at all, you should send it the first time.
Otherwise you're just adding round-trips before you send the MD5 hash.

> The UA could also, as you point out, send all headers at once to make it
> a quicker round-trip, but doing it that way would also expose the  
> weaker MD5 hash which we want to avoid.

We actually haven't resolved the question whether using MD5 *exposes*
your key.  As far as I can tell, what's been shown is that *trusting* an
MD5 is not a good idea.  But I'm not a crypto expert.

Dale


_______________________________________________
Sip mailing list  https://www.ietf.org/mailman/listinfo/sip
This list is for NEW development of the core SIP Protocol
Use sip-implementors at cs.columbia.edu for questions on current sip
Use sipping at ietf.org for new developments on the application of sip
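
The two UA policies debated in this message (answer only the strongest offered algorithm, or answer every challenge in one request), as an added example that is not code from the thread or from any SIP stack. It assumes the RFC 2617 response calculation without qop, an algorithm token of "SHA-256", and constructed realm, nonce and credential values; all function names are hypothetical.

```python
import hashlib

# Strongest first. The "SHA-256" token is an assumption for this sketch;
# the thread itself only speaks of "SHA digest auth".
PREFERENCE = ["SHA-256", "MD5"]
HASHES = {"SHA-256": hashlib.sha256, "MD5": hashlib.md5}


def digest_response(algorithm, user, realm, password, method, uri, nonce):
    """RFC 2617 response without qop: H(H(A1) ":" nonce ":" H(A2))."""
    def h(text):
        return HASHES[algorithm](text.encode()).hexdigest()
    ha1 = h(f"{user}:{realm}:{password}")
    ha2 = h(f"{method}:{uri}")
    return h(f"{ha1}:{nonce}:{ha2}")


def answer_challenges(challenges, creds, method, uri, policy):
    """Return the credentials the UA would send for one request.

    policy "strongest": answer only the most preferred algorithm offered,
                        so no MD5-derived value leaves the UA unless MD5
                        is the only algorithm the server offered.
    policy "all":       answer every supported challenge at once, saving
                        round-trips but sending the MD5 response as well.
    """
    supported = [c for c in challenges if c["algorithm"] in HASHES]
    supported.sort(key=lambda c: PREFERENCE.index(c["algorithm"]))
    chosen = supported[:1] if policy == "strongest" else supported
    return [
        {"algorithm": c["algorithm"], "realm": c["realm"], "nonce": c["nonce"],
         "response": digest_response(c["algorithm"], creds["user"], c["realm"],
                                     creds["password"], method, uri, c["nonce"])}
        for c in chosen
    ]


# Constructed sample data: two challenges from one 401, one per algorithm.
CHALLENGES = [
    {"algorithm": "MD5", "realm": "example.invalid", "nonce": "n-md5-0001"},
    {"algorithm": "SHA-256", "realm": "example.invalid", "nonce": "n-sha-0001"},
]
CREDS = {"user": "alice", "password": "constructed-password"}

if __name__ == "__main__":
    for policy in ("strongest", "all"):
        for a in answer_challenges(CHALLENGES, CREDS, "REGISTER", "sip:example.invalid", policy):
            print(policy, a["algorithm"], a["response"])
```

The sequential-retry guideline quoted above corresponds to calling the "strongest" policy again with the rejected algorithm removed from the challenge list.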