On Thu, 2005-07-21 at 18:55 +0200, The Rev wrote:
> Does anyone know what the effect on the overall security of SIP sessions
> is if we send the "nextnonce" in the Auth-Info of the 200 OK to a
> REGISTER or INVITE?
>
> I'm a little bit afraid to implement it because I may open a security hole
> towards hackers, since the hacker then has e.g. 60 min to calculate a
> response. I'm not a security expert, unfortunately :-(
Providing a nextnonce does not, I think, create any new vulnerability. It just allows the server to indicate that the current nonce may not be valid for some future request and that the new nonce should be used. This saves a round trip when you invalidate a nonce and would otherwise have to re-challenge. Having the current nonce does not help an attacker unless they also have the password, and if they have that they don't need extra time.

-- 
Scott Lawrence, Consulting Engineer
Pingtel Corp. http://www.pingtel.com/
+1.781.938.5306 x162 or sip:[EMAIL PROTECTED]

_______________________________________________
Sip-implementors mailing list
[email protected]
http://lists.cs.columbia.edu/mailman/listinfo/sip-implementors
