23 Oct
2003
23 Oct
'03
4:50 p.m.
On 23-10 15:29, Jan Janak wrote:
To prevent replay attacks, the hash would have to be
calculated also
over To tag. The hash should contain To tag because it is generated by
remote party and thus the possible "attacker" can't predict it's
value.
This also means we would have to update the Record-Route header
field when processing 200 OK, which complicates things a bit.
If we don't add To tag, then it would be really easy to use same hash
for other requests as well provided that you use the same From tag.
I am silly, this is, of course, not going to work because callee would
receive hash without to tag.
Jan.