Hi,

On Thursday 21 July 2005 18:55, The Rev wrote:
> Is there somebody who knows what is the effect on the overall security of
> SIP sessions if we send the "nextnonce" in the Auth-Info of 200OK of
> Register or INVITE.
>
> I'm a little bit afraid to implement because I may open a security hole
> towards hackers since the hacker has e.g. 60 min time to calculate a
> response. I'm not a security expert unfortunately:-(

If you do not use qop, which you should, it tells the eavesdropper how long he can use the last reply for replay attacks. If you use qop it should not matter.

Regards
Nils Ohlmeier

--
gpg-key: http://www.ohlmeier.org/public_key.asc
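
The difference between the two cases in the reply above, as an added example that is not part of the original thread: it computes the RFC 2617 digest response with and without qop and runs a server-side check that tracks the nonce-count. The `Registrar` class, the `client_request` helper, the user, realm, password and nonce values are all constructed for illustration.

```python
import hashlib
import hmac

def h(s):
    return hashlib.md5(s.encode()).hexdigest()

def digest_response(user, realm, password, method, uri, nonce,
                    qop=None, nc=None, cnonce=None):
    """RFC 2617 request-digest; legacy form when qop is absent."""
    ha1 = h(f"{user}:{realm}:{password}")
    ha2 = h(f"{method}:{uri}")
    if qop is None:
        return h(f"{ha1}:{nonce}:{ha2}")
    return h(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")

class Registrar:
    """Hypothetical server-side check for a single still-valid nonce."""
    def __init__(self, password, nonce, use_qop):
        self.password, self.nonce, self.use_qop = password, nonce, use_qop
        self.last_nc = 0  # highest nonce-count accepted for this nonce

    def accept(self, req):
        qop = "auth" if self.use_qop else None
        if req["nonce"] != self.nonce or req.get("qop") != qop:
            return False
        if qop and int(req["nc"], 16) <= self.last_nc:
            return False  # nonce-count not increasing: replayed request
        expected = digest_response(req["user"], req["realm"], self.password,
                                   req["method"], req["uri"], self.nonce,
                                   qop, req.get("nc"), req.get("cnonce"))
        if not hmac.compare_digest(expected, req["response"]):
            return False
        if qop:
            self.last_nc = int(req["nc"], 16)
        return True

def client_request(password, nonce, qop=None, nc=None, cnonce=None):
    # Constructed sample identity and URI, not taken from the thread.
    req = {"user": "alice", "realm": "example.invalid", "method": "REGISTER",
           "uri": "sip:example.invalid", "nonce": nonce}
    if qop:
        req.update(qop=qop, nc=nc, cnonce=cnonce)
    req["response"] = digest_response(req["user"], req["realm"], password,
                                      req["method"], req["uri"], nonce, qop, nc, cnonce)
    return req

def demo():
    pw, nonce = "constructed-secret", "constructed-nonce-1"
    legacy, modern = Registrar(pw, nonce, False), Registrar(pw, nonce, True)
    r1 = client_request(pw, nonce)
    r2 = client_request(pw, nonce, "auth", "00000001", "c1")
    r3 = client_request(pw, nonce, "auth", "00000002", "c2")
    return (legacy.accept(r1), legacy.accept(dict(r1)),
            modern.accept(r2), modern.accept(dict(r2)), modern.accept(r3))
```

`demo()` returns, in order, the verdicts for a first request and its identical copy without qop, then a first request, its identical copy, and a follow-up with an incremented nonce-count under qop=auth.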
