[Users] dbtext, password encryption (MD5) and authentication - how it works? CHAP?

Istvan Hubay Cebrian ihc.www at gmail.com
Thu Mar 16 17:12:33 CET 2006


Hi,

Regarding my previous e-mails, please disregard them since I have fixed the
problem. It was simply a misconfiguration on my part; thanks to everyone
who helped! I do however have another question regarding the same topic.

Currently I am using 'dbtext' for authentication and MD5 hash strings for
password encryption. Everything is working correctly; however, I don't
understand how authentication is working.

The subscribers file contains two MD5 hash strings, HA1 (username only) and
HA1B (username and realm) and the password is not being stored as text. When
I consult the SIP messages from my UA I notice the username and realm are
being sent:

Authorization: Digest username="qaz",realm="my.domain.com",nonce="387925b86f0cb610949dcea9079a30421020169f",response="d0f5e24cb8c022667aff65889b883155",uri="sip:my.domain.com"

However, the password isn't being sent. So how does authentication work? What
are 'nonce' (above) and 'response'?

Is authentication based on CHAP? Thus:
- UA sends username and realm (identifying user)
- UA receives random unique challenge (response???)
- UA sends challenge and password hash string
- Authorization successful or not.

If CHAP is what is being used, I still can't figure out how the password is
being extracted since MD5 hash strings can't be reverted. And the password
is being sent together with the challenge, thus there's nothing to compare
with.

I simply can't get my head around this.

Any help will be much appreciated.

Thanks,
Istvan

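The exchange in the header above is RFC 2617 HTTP Digest as used by SIP (no qop, so the older response formula applies): the server sends a random nonce, the UA computes response = MD5(HA1:nonce:MD5(method:uri)) where HA1 = MD5(username:realm:password), and the server recomputes the same value from the HA1 it has stored and compares. The following is an added illustration, not code from the original post or from SER; the password and REGISTER method are constructed, and the ha1b formula (username@domain in place of username) is an assumption about SER's dbtext convention.

```python
import hashlib
import secrets

# Constructed sample values; the real password behind the post's header is unknown.
USERNAME = "qaz"
REALM = "my.domain.com"
PASSWORD = "example-secret"   # constructed, not from the post
METHOD = "REGISTER"           # assumed request method
URI = "sip:my.domain.com"


def md5hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def ha1(username: str, realm: str, password: str) -> str:
    # What the dbtext 'ha1' column stores: the clear-text password never appears.
    return md5hex(f"{username}:{realm}:{password}")


def ha1b(username: str, domain: str, realm: str, password: str) -> str:
    # Assumed SER convention for the 'ha1b' column: same hash, but for user@domain.
    return md5hex(f"{username}@{domain}:{realm}:{password}")


def digest_response(ha1_value: str, nonce: str, method: str, uri: str) -> str:
    # RFC 2617 without qop: response = MD5(HA1:nonce:HA2), HA2 = MD5(method:uri).
    ha2 = md5hex(f"{method}:{uri}")
    return md5hex(f"{ha1_value}:{nonce}:{ha2}")


def client_response(username: str, realm: str, password: str,
                    nonce: str, method: str, uri: str) -> str:
    # The UA knows the password, so it derives HA1 itself; only the response is sent.
    return digest_response(ha1(username, realm, password), nonce, method, uri)


def server_verify(stored_ha1: str, nonce: str, method: str, uri: str,
                  response: str) -> bool:
    # The server needs only HA1: it recomputes the response and compares in constant time.
    expected = digest_response(stored_ha1, nonce, method, uri)
    return secrets.compare_digest(expected, response)


def demo() -> bool:
    # Full round trip: fresh nonce from the server, response from the UA, check at the server.
    nonce = secrets.token_hex(16)
    stored = ha1(USERNAME, REALM, PASSWORD)
    resp = client_response(USERNAME, REALM, PASSWORD, nonce, METHOD, URI)
    return server_verify(stored, nonce, METHOD, URI, resp)
```

Because a fresh nonce is issued per challenge, a captured response is only valid for that nonce, which is why the server must not accept stale or repeated nonces.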