Hi,
OK.
I think using nextnonce is very useful for decreasing the load of the
network element since there is no need for an extra round with 401. If I have
to handle 1M calls per hour then using nextnonce can give a significant load
decrease.
br
Andras
From: Nils Ohlmeier <[EMAIL PROTECTED]>
To: Pasztor Andras <[EMAIL PROTECTED]>
CC: [email protected], The Rev <[EMAIL PROTECTED]>
Subject: Re: [Sip-implementors] Security aspects of nextnonce in AuthenticationInfo header
Date: Wed, 27 Jul 2005 14:51:20 +0200
On Wednesday 27 July 2005 13:18, Pasztor Andras wrote:
> But if I don't allow the reusing of the "nonce" then we don't need qop.
> Am I right?
Yes, principally that is right. But then you also do not need nextnonce (your
original question).
I fear there are implementations which re-use the nonce without using qop. In
this case nextnonce would be a nice hint for all attackers. Simply avoid that by
using qop always if it is supported.
Nils
> br
> Andras
>
> Nils Ohlmeier <[EMAIL PROTECTED]> wrote:
> > Hi,
> >
> > On Thursday 21 July 2005 18:55, The Rev wrote:
> > > Is there somebody who knows what is the effect on the overall security of
> > > SIP sessions if we send the "nextnonce" in the Auth-Info of 200OK of
> > > Register or INVITE.
> > >
> > > I'm a little bit afraid to implement because I may open a security hole
> > > towards hackers since the hacker has e.g. 60 min time to calculate a
> > > response. I'm not a security expert unfortunately:-(
> >
> > if you do not use qop, which you should, it tells the eavesdropper how long
> > he can use the last reply for replay attacks. If you use qop it should not
> > matter.
> >
> > Regards
> > Nils Ohlmeier
> > --
> > gpg-key: http://www.ohlmeier.org/public_key.asc
> > _______________________________________________
> > Sip-implementors mailing list
> > [email protected]
> > http://lists.cs.columbia.edu/mailman/listinfo/sip-implementors
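
The replay point discussed in this thread, as an added example that is not part of the original messages: with a reused nonce, a digest response computed without qop verifies again unchanged, while with qop=auth the server can reject a repeated nonce count. It assumes MD5 digest authentication as defined in RFC 2617; `NonceVerifier`, `demo`, the credentials and the strictly increasing nc policy are hypothetical choices for illustration.

```python
import hashlib
import hmac

def _h(text):
    return hashlib.md5(text.encode()).hexdigest()

def digest_response(user, realm, password, method, uri, nonce,
                    qop=None, nc=None, cnonce=None):
    """RFC 2617 request-digest; qop=None gives the legacy RFC 2069 form."""
    ha1 = _h(f"{user}:{realm}:{password}")
    ha2 = _h(f"{method}:{uri}")
    if qop is None:
        return _h(f"{ha1}:{nonce}:{ha2}")
    return _h(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")

class NonceVerifier:
    """Server-side check for one nonce the server keeps accepting (hypothetical)."""
    def __init__(self, user, realm, password, nonce):
        self.cred = (user, realm, password)
        self.nonce = nonce
        self.last_nc = 0  # highest nonce count accepted so far

    def check(self, method, uri, response, qop=None, nc=None, cnonce=None):
        want = digest_response(*self.cred, method, uri, self.nonce, qop, nc, cnonce)
        if not hmac.compare_digest(want, response):
            return False
        if qop is None:
            return True  # nothing in the request distinguishes a replay
        count = int(nc, 16)
        if count <= self.last_nc:
            return False  # nc already used with this nonce: replay
        self.last_nc = count
        return True

def demo():
    # Constructed sample values, not taken from the thread.
    cred = ("alice", "example.invalid", "constructed-password")
    req, nonce = ("REGISTER", "sip:example.invalid"), "constructed-nonce"
    legacy, strict = NonceVerifier(*cred, nonce), NonceVerifier(*cred, nonce)
    r = digest_response(*cred, *req, nonce)
    out = {"no_qop_first": legacy.check(*req, r)}
    out["no_qop_replay"] = legacy.check(*req, r)
    args = dict(qop="auth", nc="00000001", cnonce="constructed-cnonce")
    r = digest_response(*cred, *req, nonce, **args)
    out["qop_first"] = strict.check(*req, r, **args)
    out["qop_replay"] = strict.check(*req, r, **args)
    args["nc"] = "00000002"  # same captured response, only nc bumped
    out["qop_bumped_nc"] = strict.check(*req, r, **args)
    return out
```

Because nc is an input to the hash, changing it on a captured request invalidates the response, which is why the last check fails as well.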