Hi Israel,
The phrase "cryptographically random" doesn't mean that the tag (or, in the
case of a hash, the inputs to the hash) is secret. What the phrase means is
that the way you generate those tags has to be (almost) unguessable. For
instance, starting with the tag "1" and generating successors of the
previously generated tags - "2", "3", "4", and so on - is not sufficient.
Neither would be using Delphi's Rand() function to generate (pseudo-)random
numbers since Delphi's random number generator is (as far as I know) not
very random at all.
Look at section 8.1.1.4 of RFC 3261, where they talk about generating
Call-IDs:
Using cryptographically random identifiers provides some
protection against session hijacking and reduces the likelihood of
unintentional Call-ID collisions.
Since tag-params form part of a dialog identifier, what counts for Call-ID
generation counts for To and From tag generation.
frank
"Israel Mor" <[EMAIL PROTECTED]> wrote:
> Hello ABN,
>
> thanks a lot for your reply!
>
> I was wondering that there is no real reason for the tag field to be
> encrypted (secret) as all other fields in the SIP message are clear text so
> it is possible to check all addresses and messages using a simple sniffer,
> but I would like to confirm that to avoid any problem in interoperation in
> the network.
>
> So following RFC 3261 I believe I can use the tag with "." and include UA
> own IP address like in Call-ID field, but adding some random characters.
>
> Regards,
>
> Israel
>
>
> >From: "Nataraju A B" <[EMAIL PROTECTED]>
> >To: "'Israel Mor'" <[EMAIL PROTECTED]>,
> ><[email protected]>
> >Subject: RE: [Sip-implementors] Doubts about tag-param in to and from
> >headerfields
> >Date: Wed, 14 Jun 2006 11:24:38 +0530
> >
> >Comments inline...
> >
> >Thanks & Regards,
> >Nataraju A.B.
> > > -----Original Message-----
> > > From: [EMAIL PROTECTED]
> >[mailto:sip-implementors-
> > > [EMAIL PROTECTED] On Behalf Of Israel Mor
> > > Sent: Tuesday, June 13, 2006 8:47 PM
> > > To: [email protected]
> > > Subject: [Sip-implementors] Doubts about tag-param in to and from
> >headerfields
> > >
> > > Hello,
> > >
> > > I have some doubts about tag-param in to and from header fields:
> > >
> > > 1- In RFC 3261 section 19.3 page 159 it says the tag must be
> > > cryptographically random with at least 32 bits of randomness. Does it
> >means
> > > the tag must be encrypted (secret)? Can it include the UA own IP
> >address
> > > like in Call-ID (section 8.1.1.4 - pg. 38)?
> > >
> >[ABN] here cryptographically random means that the tag must be at least
> >a 32-bit random number, which must not be directly decipherable or
> >understood by analysis. I don't think there is any special meaning for
> >the word "cryptographically" in this context...
> >
> >Other than this you can apply any logic to generate the tag, for example
> >a cryptographic hash of IP_address, port, date, time etc.
> >
> >The ground requirement behind cryptographic randomness is that one
> >should not be able to learn how I am generating the tags in my UA.
> >
> > > 2- Can the character dot (".") be included in the tag field of to and
> >from
> > > headers (section 25.1 - pages 221, 230, 231)?
> > >
> >[ABN] yes, you can use it without any issues... you can see the
> >definition for "token"
> > > 3- What is the meaning of "The word construct is used in Call-ID to
> >allow
> > > most separators to be used." (section 25.1 - pg. 221)?
> > >
> >[ABN] you can see the definition of "word" in
> >
> > word = 1*(alphanum / "-" / "." / "!" / "%" / "*" /
> > "_" / "+" / "`" / "'" / "~" /
> > "(" / ")" / "<" / ">" /
> > ":" / "\" / DQUOTE /
> > "/" / "[" / "]" / "?" /
> > "{" / "}" )
> >
> > > This is an example of the tag I am generating in my UA (183-Session
> >Progress
> > > message, for example) and I would like to know if this is a valid To
> >field
> > > or not:
> > >
> > > To: <sip:[EMAIL PROTECTED];user=phone>;tag=sIr3.0854o.000192.168.0.101192.168.0.101
> > >
> >[ABN] it's a valid to-tag, what's the problem?
> > > Thanks,
> > >
> > > Israel Mor
> > >
> > > =============================================================
> > > RFC 3261
> > >
> > > 19.3 - pg. 159
> > > When a tag is generated by a UA for insertion into a request or
> >response, it
> > > MUST be globally unique and cryptographically random with at least 32
> >bits
> > > of randomness.
> > > Besides the requirement for global uniqueness, the algorithm for
> >generating
> > > a tag is implementation-specific.
> > >
> > > 8.1.1.4 - pg. 38
> > > Use of cryptographically random identifiers (RFC 1750 [12]) in the
> > > generation of Call-IDs is RECOMMENDED. Implementations MAY use the
> >form
> > > "[EMAIL PROTECTED]".
> > >
> > >
> > > 25.1 - pg. 221
> > > Many SIP header field values consist of words separated by LWS or
> >special
> > > characters. Unless otherwise stated, tokens are caseinsensitive. These
> > > special characters MUST be in a quoted string to be used within a
> >parameter
> > > value. The word construct is used in Call-ID to allow most separators
> >to be
> > > used.
> > > token = 1*(alphanum / "-" / "." / "!" / "%" / "*" / "_" / "+" / "`" /
> > > "'" / "~" )
> > >
> > > 25.1 - pg. 230
> > > From = ( "From" / "f" ) HCOLON from-spec
> > > from-spec = ( name-addr / addr-spec )*( SEMI from-param )
> > > from-param = tag-param / generic-param
> > > tag-param = "tag" EQUAL token
> > >
> > > 25.1 - pg. 231
> > > To = ( "To" / "t" ) HCOLON ( name-addr/ addr-spec ) *( SEMI to-param )
> > > to-param = tag-param / generic-param
> > >
> >
> >
_______________________________________________
Sip-implementors mailing list
[email protected]
https://lists.cs.columbia.edu/cucslists/listinfo/sip-implementors
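An added example, written for this page and not code from frank, Israel or Nataraju, showing what "cryptographically random with at least 32 bits of randomness" looks like in practice: tags drawn from the OS CSPRNG via Python's secrets module, limited to the RFC 3261 token alphabet so that "." and friends never need quoting, a grammar check for tag-param and for the callid = word [ "@" word ] form, and, beside them, the sequential-counter scheme frank's reply warns against. The function names, the 64-bit default and the sample tag taken from Israel's To header are my own choices for illustration.

```python
"""Generating and validating RFC 3261 tag-param and Call-ID values.

Added example for the thread above; assumptions are marked in comments.
"""
import math
import re
import secrets
import string

# RFC 3261 section 25.1 "token" alphabet: alphanum / - . ! % * _ + ` ' ~
TOKEN_RE = re.compile(r"[A-Za-z0-9\-.!%*_+`'~]+")
# "word" alphabet (what Call-ID is built from) additionally allows
# ( ) < > : \ " / [ ] ? { }
WORD_RE = re.compile(r"""[A-Za-z0-9\-.!%*_+`'~()<>:\\"/\[\]?{}]+""")

# Assumed encoding alphabet: 36 symbols, every one of them token-safe.
TAG_ALPHABET = string.ascii_lowercase + string.digits


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Bits of randomness in `length` symbols chosen independently and
    uniformly from an alphabet of `alphabet_size` symbols."""
    return length * math.log2(alphabet_size)


def generate_tag(min_bits: int = 64) -> str:
    """Tag-param value with at least `min_bits` of entropy from the OS CSPRNG.

    RFC 3261 section 19.3 demands at least 32 bits; the 64-bit default is an
    assumption that leaves a margin against collisions across many dialogs.
    The value is not secret (it travels in clear text); what matters is that
    nobody can guess the next one.
    """
    if min_bits < 32:
        raise ValueError("RFC 3261 section 19.3 requires at least 32 bits")
    symbols = math.ceil(min_bits / math.log2(len(TAG_ALPHABET)))
    return "".join(secrets.choice(TAG_ALPHABET) for _ in range(symbols))


def generate_call_id(host: str, min_bits: int = 64) -> str:
    """Call-ID in the section 8.1.1.4 'localid@host' form.

    The host part may carry the UA's own address, as Israel proposed; it is
    not secret. The randomness lives in the localid part.
    """
    return f"{generate_tag(min_bits)}@{host}"


def is_valid_tag(value: str) -> bool:
    """tag-param = "tag" EQUAL token; this checks the token part."""
    return TOKEN_RE.fullmatch(value) is not None


def is_valid_call_id(value: str) -> bool:
    """callid = word [ "@" word ]"""
    parts = value.split("@")
    return 1 <= len(parts) <= 2 and all(WORD_RE.fullmatch(p) for p in parts)


def counter_tag(previous: str) -> str:
    """The scheme frank's reply rejects: the successor of the previous tag.

    Every value is a syntactically valid token, yet an observer who sees one
    tag knows the next one with certainty, i.e. zero bits of unpredictability.
    """
    return str(int(previous) + 1)


if __name__ == "__main__":
    tag = generate_tag()
    print("tag:", tag, "valid:", is_valid_tag(tag),
          "bits:", round(entropy_bits(len(TAG_ALPHABET), len(tag)), 1))
    print("call-id:", generate_call_id("192.168.0.101"))
    print("counter scheme, next after '41':", counter_tag("41"))
```

With the 36-symbol alphabet, 32 bits needs 7 symbols and the 64-bit default needs 13; the check on the token grammar is what lets Israel's dotted tag pass while a value containing a space or a double quote is rejected.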