hello,
Is it possible to do source IP authentication in addition to the normal www_authorize() for every user account? This, as I understand it, should prevent someone from intercepting credentials and later faking a SIP message to bypass www_authorization. Or maybe there are some other countermeasures against such fraud?
Does src_ip come directly from the IP layer? If so, I could probably use it to check against some external database (i.e. the ser subscriber table)?
Antanas NTT
zolia@z1sys.com wrote:
hello,
Is it possible to do source IP authentication in addition to the normal www_authorize() for every user account? This, as I understand it, should prevent someone from intercepting credentials and later faking a SIP message to bypass www_authorization.
This doesn't work. For each authentication challenge, ser generates a nonce that is kept in memory for a short period of time. So this kind of exploit is very limited: only if somebody tries to do it in real time, and in a very narrow time window. IP checking doesn't help you; they can also be spoofed. Plus, against what address do you check when the user registers for the first time? Or if the user uses multiple clients at the same time? bogdan
Serusers mailing list serusers@lists.iptel.org http://lists.iptel.org/mailman/listinfo/serusers
Hi all,
Still on this subject: is it possible to do IP accounting with the acc module, by introducing something like another parameter of log_fmt for the Contact header field (if applicable) in the INVITE and BYE methods?
Thanks in advance.
Franz ----- Original Message ----- From: "Bogdan-Andrei IANCU" iancu@fokus.fraunhofer.de To: zolia@z1sys.com Cc: serusers@lists.iptel.org Sent: Wednesday, July 28, 2004 2:12 PM Subject: Re: [Serusers] account + IP binding
Francesco Bottà wrote:
Hi all,
Still on this subject: is it possible to do IP accounting with the acc module, by introducing something like another parameter of log_fmt for the Contact header field (if applicable) in the INVITE and BYE methods?
I see no immediate purpose in logging the Contact. Or...? bogdan
On Wed, 28 Jul 2004, Bogdan-Andrei IANCU wrote:
zolia@z1sys.com wrote:
hello,
Is it possible to do source IP authentication in addition to the normal www_authorize() for every user account? This, as I understand it, should prevent someone from intercepting credentials and later faking a SIP message to bypass www_authorization.
This doesn't work. For each authentication challenge, ser generates a nonce that is kept in memory for a short period of time. So this kind of exploit is very limited: only if somebody tries to do it in real time, and in a very narrow time window.
Yes, probably. It would work only in real time, i.e. by writing some small proxy which rewrites the Authorization header, putting in the sniffed encrypted password in parallel. It's a bit harder.
IP checking doesn't help you; they can also be spoofed. Plus, against what address do you check when the user registers for the first time? Or if
What do you mean by "first time"? If there is only one IP from which the UA's requests MUST originate, then it should be possible to check it.
the user uses multiple clients at the same time?
This would not be possible in our scenario.
Antanas
No, but I have this on my todo list. Currently it is possible for user agent B to re-use credentials generated by user agent A, provided that it can sniff the SIP messages and is fast enough to send another message including the sniffed credentials. The credentials have a limited lifetime (1 minute by default), so after 1 minute they cannot be re-used in other SIP messages.
If you have two user agents connected to the same hub (so that they can see each other's SIP messages), then you can modify one of them to steal the calls to the other user agent using the sniffed digest credentials.
I am thinking about including the source IP address of the SIP message and some other header fields (Contact) in the nonce to eliminate this weakness.
Jan.
On 28-07 15:00, zolia@z1sys.com wrote:
hi,
As I understand it, it would be virtually impossible to replay with the proper timestamp for a certain request and with the required IP, but nevertheless it would be possible to fake the required source IP, and in that case my patch (posted earlier on this list) wouldn't help either. Adding the source IP to the nonce would remove the additional administrative burden, wouldn't it? Probably the only advantage of authorization by entering IP addresses separately would be independence from any other encryption or authorization mechanisms which could be used with SIP.
Antanas
On Sun, 1 Aug 2004, Jan Janak wrote:
Yes, that's right. We could also include the value of the Contact header field in the nonce. That way it won't be possible to reuse the same nonce with another Contact header field.
The nonce string will be generated for Contact: A; another user agent trying to reuse the digest credentials with Contact: B to steal incoming calls will fail, because the Contact in the nonce and the Contact in the SIP message will not match.
Jan.
On 02-08 11:03, Antanas Masevicius wrote:
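Jan's proposal above (binding the source IP and the Contact header into the nonce), together with Antanas' original question about checking the source IP per account, as an added example that is not SER's own code: a small Python model of SIP digest authentication (RFC 2617 response without qop) in which the server's nonce is a timestamp plus an HMAC over timestamp, source IP and Contact. The server secret, realm, subscriber table, addresses and the Authorization header are all constructed for the example. The scenario runs a legitimate REGISTER, a replay of the sniffed header from another IP, a replay with another Contact, an expired replay, a tampered response, and the residual case Antanas raised: an attacker on the same hub who spoofs both IP and Contact inside the window still gets through.

```python
import hashlib
import hmac
import re

# Assumptions for the example (not SER configuration): a per-server nonce secret,
# a realm, a 1-minute nonce lifetime (the thread's default) and a tiny subscriber table.
SECRET = b"constructed-nonce-secret"
REALM = "example.com"
NONCE_LIFETIME = 60  # seconds
SUBSCRIBERS = {"alice": "alice-pass"}  # constructed stand-in for the "subscriber" table


def md5hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def make_nonce(src_ip: str, contact: str, now: int) -> str:
    """Nonce = '<timestamp>.<HMAC(secret, timestamp|src_ip|contact)>'.
    A replay from another source IP or with another Contact cannot match."""
    ts = str(now)
    mac = hmac.new(SECRET, f"{ts}|{src_ip}|{contact}".encode(), hashlib.sha256).hexdigest()[:32]
    return f"{ts}.{mac}"


def nonce_valid(nonce: str, src_ip: str, contact: str, now: int) -> bool:
    """Reject malformed, expired, or differently-bound nonces; recompute the MAC."""
    ts_str, _, _ = nonce.partition(".")
    if not ts_str.isdigit():
        return False
    ts = int(ts_str)
    if not 0 <= now - ts <= NONCE_LIFETIME:
        return False
    return hmac.compare_digest(make_nonce(src_ip, contact, ts), nonce)


def digest_response(username: str, password: str, method: str, uri: str, nonce: str) -> str:
    """RFC 2617 digest without qop: MD5(HA1:nonce:HA2)."""
    ha1 = md5hex(f"{username}:{REALM}:{password}")
    ha2 = md5hex(f"{method}:{uri}")
    return md5hex(f"{ha1}:{nonce}:{ha2}")


_PARAM = re.compile(r'(\w+)="([^"]*)"')


def parse_authorization(header: str) -> dict:
    """Parse 'Authorization: Digest k="v", ...' into a dict (quoted params only)."""
    _, _, body = header.partition("Digest ")
    return dict(_PARAM.findall(body))


def build_authorization(username: str, password: str, method: str, uri: str, nonce: str) -> str:
    """What a legitimate UA sends after being challenged with this nonce."""
    resp = digest_response(username, password, method, uri, nonce)
    return (f'Authorization: Digest username="{username}", realm="{REALM}", '
            f'nonce="{nonce}", uri="{uri}", response="{resp}"')


def www_authorize(header: str, method: str, src_ip: str, contact: str, now: int) -> bool:
    """Server check: nonce must be bound to this src_ip/Contact and unexpired,
    and the response must match the subscriber's stored password."""
    c = parse_authorization(header)
    pw = SUBSCRIBERS.get(c.get("username", ""))
    if pw is None or c.get("realm") != REALM:
        return False
    if not nonce_valid(c.get("nonce", ""), src_ip, contact, now):
        return False
    expected = digest_response(c["username"], pw, method, c.get("uri", ""), c["nonce"])
    return hmac.compare_digest(expected, c.get("response", ""))


def scenario() -> dict:
    """UA A registers; UA B on the same hub sniffs A's Authorization header and replays it."""
    t0 = 1_000_000  # constructed clock
    ua_a = ("10.0.0.5", "<sip:alice@10.0.0.5>")
    ua_b = ("10.0.0.9", "<sip:alice@10.0.0.9>")
    nonce = make_nonce(*ua_a, t0)  # challenge issued to A, bound to A's IP and Contact
    hdr = build_authorization("alice", "alice-pass", "REGISTER", "sip:example.com", nonce)
    return {
        "legit": www_authorize(hdr, "REGISTER", *ua_a, t0 + 5),
        "replay_other_ip": www_authorize(hdr, "REGISTER", ua_b[0], ua_a[1], t0 + 5),
        "replay_other_contact": www_authorize(hdr, "REGISTER", ua_a[0], ua_b[1], t0 + 5),
        "replay_expired": www_authorize(hdr, "REGISTER", *ua_a, t0 + NONCE_LIFETIME + 1),
        "tampered_response": www_authorize(hdr.replace('response="', 'response="0'),
                                           "REGISTER", *ua_a, t0 + 5),
        # Residual risk: B spoofs A's IP and copies A's Contact inside the window.
        "replay_full_spoof": www_authorize(hdr, "REGISTER", *ua_a, t0 + 5),
    }


if __name__ == "__main__":
    for name, ok in scenario().items():
        print(f"{name:22s} {'accepted' if ok else 'rejected'}")
```

The binding narrows the attack to an adversary who can both spoof the source address and reproduce the Contact within the nonce lifetime, which is what the "replay_full_spoof" case shows still succeeds; closing that case too needs a one-time nonce (tracking nonces already used, as the RFC 2617 nonce-count mechanism does), not more fields in the nonce.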