Rizwan Hisham
2007-Aug-15 10:36 UTC
[asterisk-users] why is nonce="584760da" used in sip packets?
Hi all,

There is a parameter called "nonce" included in every register request that a UA sends to asterisk. I have read sip debug a lot and only found out that the "nonce" parameter value which is used in register request was generated by asterisk server in a previous sip response. As you can see in the sip debug (labeled in red).

<--- Transmitting (NAT) to 208.120.167.146:80 --->
SIP/2.0 401 Unauthorized
Via: SIP/2.0/UDP 208.120.167.146:80;branch=z9hG4bK03891485;received208.120.167.146
From: <sip:bernart48 at magnum.axvoice.com>;tag=as65460c44
To: <sip:bernart48 at magnum.axvoice.com>;tag=as3a5cc850
Call-ID: 48f3a8b426c375a161dc1f4479bba956 at 127.0.0.1
CSeq: 19680 REGISTER
User-Agent: Asterisk PBX
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY
Supported: replaces
WWW-Authenticate: Digest algorithm=MD5, realm="asterisk", nonce="584760da"
Content-Length: 0

<------------>
Scheduling destruction of SIP dialog ' 48f3a8b426c375a161dc1f4479bba956 at 127.0.0.1' in 32000 ms (Method: REGISTER)
magnum*CLI>
<--- SIP read from 208.120.167.146:80 --->
REGISTER sip:magnum.axvoice.com SIP/2.0
Via: SIP/2.0/UDP 208.120.167.146:80;branch=z9hG4bK0c6c6f53
From: <sip:bernart48 at magnum.axvoice.com>;tag=as65460c44
To: <sip:bernart48 at magnum.axvoice.com>;tag=as3a5cc850
Call-ID: 48f3a8b426c375a161dc1f4479bba956 at 127.0.0.1
CSeq: 19681 REGISTER
User-Agent: Asterisk PBX
Authorization: Digest username="bernart48", realm="asterisk", algorithm=MD5, uri="sip:bernart48 at 64.182.161.2:9060", nonce="584760da", response="948d3923bf2df47eca17c572713af2c7", opaque=""
Expires: 120
Contact: <sip:16474764942 at 208.120.167.146:80>
Event: registration
Content-Length: 0

What I don't know, and would very much like to know, is what is the purpose of this parameter in sip packets?

--
Best Regards
Rizwan Hisham
Software Engineer
Axvoice Inc.
www.axvoice.com
Stanisław Pitucha
2007-Aug-15 10:58 UTC
[asterisk-users] why is nonce="584760da" used in sip packets?
----- "Rizwan Hisham" <rizwanhasham at gmail.com> wrote:
> WWW-Authenticate: Digest algorithm=MD5, realm="asterisk", nonce="584760da"
> Authorization: Digest username="bernart48", realm="asterisk", algorithm=MD5, uri="sip:bernart48 at 64.182.161.2:9060", nonce="584760da", response="948d3923bf2df47eca17c572713af2c7", opaque=""
> What I don't know, and would very much like to know, is what is the
> purpose of this parameter in sip packets?

It's a kind of challenge algorithm. What you see in "response" is not MD5(password), but MD5('password', 'realm', ..., 'nonce'). Nonce is generated by server so that you don't get the same hash for every authorization by that user. It prevents someone who can see only one-way communication from breaking your sip session + makes breaking the hash a little bit harder. Nonce should be unique per authorization. If nonce wasn't used you could reuse the same response in next connection even if you don't know the real password.