But if I don't allow the reusing of the "nonce" then we don't need qop. Am I right?
br
Andras

Nils Ohlmeier <[EMAIL PROTECTED]> wrote:
> Hi,
>
> On Thursday 21 July 2005 18:55, The Rev wrote:
> > Is there somebody who knows what is the effect on the overall security of
> > SIP sessions if we send the "nextnonce" in the Auth-Info of 200OK of
> > Register or INVITE.
> >
> > I'm a little bit afraid to implement because I may open a security hole
> > towards hackers since the hacker has e.g. 60 min time to calculate a
> > response. I'm not a security expert unfortunately :-(
>
> if you do not use qop, which you should, it tells the eavesdropper how long
> he can use the last reply for replay attacks. If you use qop it should not
> matter.
>
> Regards
> Nils Ohlmeier
> --
> gpg-key: http://www.ohlmeier.org/public_key.asc
> _______________________________________________
> Sip-implementors mailing list
> [email protected]
> http://lists.cs.columbia.edu/mailman/listinfo/sip-implementors
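
Added example (not part of the original thread): the RFC 2617 digest computation that SIP uses, with a toy server-side verifier, illustrating the point in Nils's reply. Without qop a captured response verifies again for as long as the server accepts the nonce; with qop=auth the nonce-count (nc) is hashed in and a repeated nc is rejected. The credentials, nonce and cnonce are constructed values, and `Verifier` and `demo` are hypothetical names.

```python
import hashlib
import hmac

def h(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()

def digest_response(user, realm, password, method, uri, nonce,
                    qop=None, nc=None, cnonce=None) -> str:
    """RFC 2617 request-digest (MD5, qop absent or qop=auth)."""
    ha1 = h(f"{user}:{realm}:{password}")
    ha2 = h(f"{method}:{uri}")
    if qop is None:
        # Legacy form: only the nonce varies between requests.
        return h(f"{ha1}:{nonce}:{ha2}")
    # qop form: nonce-count and client nonce are bound into the hash.
    return h(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")

class Verifier:
    """Toy server side (assumption): one credential, nonce lifetime not modelled."""
    def __init__(self, user, realm, password):
        self.cred = (user, realm, password)
        self.last_nc = {}  # nonce -> highest nonce-count accepted so far

    def check(self, method, uri, nonce, response,
              qop=None, nc=None, cnonce=None) -> bool:
        expected = digest_response(*self.cred, method, uri, nonce, qop, nc, cnonce)
        if not hmac.compare_digest(expected, response):
            return False
        if qop is None:
            return True  # nothing in the request distinguishes a replay
        count = int(nc, 16)
        if count <= self.last_nc.get(nonce, 0):
            return False  # nc did not increase: replayed request
        self.last_nc[nonce] = count
        return True

def demo():
    cred = ("alice", "example.invalid", "s3cret")      # constructed values
    uri, nonce = "sip:example.invalid", "constructed-nonce-0001"
    v = Verifier(*cred)
    r = digest_response(*cred, "REGISTER", uri, nonce)
    no_qop = [v.check("REGISTER", uri, nonce, r) for _ in range(2)]
    args = ("auth", "00000001", "0a4f113b")
    r2 = digest_response(*cred, "REGISTER", uri, nonce, *args)
    with_qop = [v.check("REGISTER", uri, nonce, r2, *args) for _ in range(2)]
    return no_qop, with_qop

if __name__ == "__main__":
    print(demo())
```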
