On Wednesday 27 July 2005 13:18, Pasztor Andras wrote:
> But if I don't allow the reusing of the "nonce" then we don't need qop.
> Am I right?

Yes, principally that is right. But then you also do not need nextnonce (your
original question).
I fear there are implementations which re-use the nonce without using qop. In
this case nextnonce would be a nice hint for all attackers. Simply avoid that by
using qop always if it is supported.

  Nils

> br
> Andras
>
> Nils Ohlmeier <[EMAIL PROTECTED]> wrote:
> > Hi,
> >
> > On Thursday 21 July 2005 18:55, The Rev wrote:
> > > Is there somebody who knows what is the effect on the overall security of
> > > SIP sessions if we send the "nextnonce" in the Auth-Info of 200OK of
> > > Register or INVITE.
> > >
> > > I'm a little bit afraid to implement because I may open a security hole
> > > towards hackers since the hacker has e.g. 60 min time to calculate a
> > > response. I'm not a security expert unfortunately:-(
> >
> > if you do not use qop, which you should, it tells the eavesdropper how long
> > he can use the last reply for replay attacks. If you use qop it should not
> > matter.
> >
> > Regards
> > Nils Ohlmeier
> > --
> > gpg-key: http://www.ohlmeier.org/public_key.asc
> > _______________________________________________
> > Sip-implementors mailing list
> > [email protected]
> > http://lists.cs.columbia.edu/mailman/listinfo/sip-implementors
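
Added example, not part of the original thread or of any participant's code: a server-side check showing why a reused nonce is replayable without qop and why the nonce-count (nc) under qop=auth closes that gap, using the RFC 2617 request-digest formulas. The NonceVerifier class, the demo() helper and all credentials, URIs and nonce values are constructed for illustration.

```python
import hashlib
import hmac

def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode()).hexdigest()

def digest_response(user, realm, password, method, uri, nonce,
                    qop=None, nc=None, cnonce=None):
    """RFC 2617 request-digest. qop=None selects the legacy form without nc/cnonce."""
    ha1 = md5_hex(f"{user}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    if qop is None:
        return md5_hex(f"{ha1}:{nonce}:{ha2}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")

class NonceVerifier:
    """Hypothetical server check: the nonce stays valid, nc is enforced under qop."""
    def __init__(self, user, realm, password):
        self.cred = (user, realm, password)
        self.last_nc = {}  # nonce -> highest nonce-count accepted so far

    def verify(self, method, uri, nonce, response, qop=None, nc=None, cnonce=None):
        expected = digest_response(*self.cred, method, uri, nonce, qop, nc, cnonce)
        if not hmac.compare_digest(expected, response):
            return False
        if qop is None:
            return True  # no field in the request tells a replay from the original
        count = int(nc, 16)
        if count <= self.last_nc.get(nonce, 0):
            return False  # nonce-count not increasing: replayed request
        self.last_nc[nonce] = count
        return True

def demo():
    # Constructed sample values, not taken from the thread.
    cred = ("alice", "example.test", "secret")
    uri, nonce = "sip:example.test", "84a4cc6f3082121f32b42a2187831a9e"
    srv = NonceVerifier(*cred)
    legacy = digest_response(*cred, "REGISTER", uri, nonce)
    q1 = digest_response(*cred, "REGISTER", uri, nonce, "auth", "00000001", "0a4f113b")
    q2 = digest_response(*cred, "REGISTER", uri, nonce, "auth", "00000002", "0a4f113b")
    return {
        "no_qop_first": srv.verify("REGISTER", uri, nonce, legacy),
        "no_qop_replay": srv.verify("REGISTER", uri, nonce, legacy),
        "qop_first": srv.verify("REGISTER", uri, nonce, q1, "auth", "00000001", "0a4f113b"),
        "qop_replay": srv.verify("REGISTER", uri, nonce, q1, "auth", "00000001", "0a4f113b"),
        "qop_next": srv.verify("REGISTER", uri, nonce, q2, "auth", "00000002", "0a4f113b"),
    }

if __name__ == "__main__":
    print(demo())
```

Without qop the only server-side defence is to make every nonce single-use, which is the case discussed at the top of this message.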
