On Wed, 2005-07-27 at 14:51 +0200, Nils Ohlmeier wrote:
> On Wednesday 27 July 2005 13:18, Pasztor Andras wrote:
> > But if I don't allow the reusing of the "nonce" then we don't need qop.
> > Am I right?

There are other reasons to use the 2617 version of the authentication handshake (using qop). It adds cnonce, which provides mutual authentication and prevents server-side dictionary attacks (I precompute lots of passwords for a fixed nonce and then pretend to be your server and give you the nonce - since you add nothing new to the hash except your password, the response is an index into my dictionary. If you add a cnonce then I can't precompute the response values).

The use of the 'nc' parameter allows the server to prevent replay attacks (it should not accept two requests using the same nonce/nc pair).

--
Scott Lawrence, Consulting Engineer
Pingtel Corp. http://www.pingtel.com/
+1.781.938.5306 x162 or sip:[EMAIL PROTECTED]
_______________________________________________
Sip-implementors mailing list
[email protected]
http://lists.cs.columbia.edu/mailman/listinfo/sip-implementors
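Added example, not part of the message above or of any SIP stack: the two digest response computations side by side, plus a server-side check that refuses a repeated nonce/nc pair. The `DigestVerifier` class, the user, password and nonce values are constructed for illustration.

```python
import hashlib
import hmac

def md5_hex(text):
    return hashlib.md5(text.encode()).hexdigest()

def response_legacy(user, realm, password, method, uri, nonce):
    # No qop: MD5(HA1:nonce:HA2). Every input except the password is
    # either public or chosen by whoever issues the challenge.
    ha1 = md5_hex(f"{user}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{ha2}")

def response_qop_auth(user, realm, password, method, uri, nonce, nc, cnonce):
    # RFC 2617 qop=auth: MD5(HA1:nonce:nc:cnonce:qop:HA2). The client-chosen
    # cnonce and the request counter nc are mixed into the hash.
    ha1 = md5_hex(f"{user}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:auth:{ha2}")

class DigestVerifier:
    """Server-side check that refuses a second request with the same nonce/nc."""
    def __init__(self, realm, passwords):
        self.realm = realm
        self.passwords = passwords      # constructed user -> password store
        self.seen = set()               # (nonce, nc) pairs already accepted

    def verify(self, user, method, uri, nonce, nc, cnonce, response):
        if (nonce, nc) in self.seen:
            return "replay"
        password = self.passwords.get(user)
        if password is None:
            return "bad-response"
        expected = response_qop_auth(user, self.realm, password, method, uri, nonce, nc, cnonce)
        if not hmac.compare_digest(expected, response):
            return "bad-response"
        self.seen.add((nonce, nc))      # only accepted requests consume the pair
        return "ok"

if __name__ == "__main__":
    # Constructed SIP values, for illustration only.
    args = ("alice", "example.com", "s3cret", "REGISTER", "sip:example.com")
    nonce = "f84f1cec41e6cbe5aea9c8e88d359"
    print("no qop:          ", response_legacy(*args, nonce))
    print("qop, cnonce=aaaa:", response_qop_auth(*args, nonce, "00000001", "aaaa"))
    print("qop, cnonce=bbbb:", response_qop_auth(*args, nonce, "00000001", "bbbb"))
    server = DigestVerifier("example.com", {"alice": "s3cret"})
    req = ("alice", "REGISTER", "sip:example.com", nonce, "00000001", "aaaa")
    resp = response_qop_auth(*args, nonce, "00000001", "aaaa")
    print(server.verify(*req, resp), server.verify(*req, resp))
```

For a fixed nonce the no-qop response has a single value per password, while the qop=auth response changes with each cnonce, and the second identical request is rejected as a replay.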
