[OpenSER-Users] Authentication with LDAP database
Daniel-Constantin Mierla
miconda at gmail.com
Mon May 19 21:26:26 CEST 2008
Hello,
I had a quick look at the code and the module should work with HA1 in
the PV and calculate_ha1=0. Can you set debug=5 and send me the log for
such a case (number 3 in your list)? It will help to troubleshoot quickly.
Cheers,
Daniel
On 05/19/08 15:05, Ahmed Huraimel wrote:
> Hello,
>
> I have successfully integrated an openLDAP server with my openSER SIP
> proxy server. However, I am facing a security problem. Let me explain
> it briefly.
>
> **** Successful Registration with password saved as clear text in openLDAP
> DB ****
>
> # Configuration #
> - the password was stored in clear text in the openSER database
> - modparam("auth", "calculate_ha1", 1), which means the server will
> assume that the "password_spec" pseudo-variable contains plaintext
> passwords and it will calculate HA1 strings on the fly.
>
> # Scenario #
> - after the UAC receives the Authentication request, it will build the
> response = MD5(username + MD5(password) + realm + nonce)
> - then the server will build the challenge by searching for the user
> in the database and retrieving the password in clear text, then hashing the
> password with MD5 and building the challenge such that challenge = MD5(username
> + MD5(password) + realm + nonce).
> - by comparing the response with the challenge, the user will
> be authenticated.
> - it works
>
>
> **** Successful Registration with password saved as MD5 in openLDAP DB ****
>
> # Configuration #
> - the password was stored as MD5 in the openSER database
> - modparam("auth", "calculate_ha1", 0), which means the server assumes
> the pseudo-variable contains the HA1 strings directly and will not
> calculate them.
>
> # Scenario #
> - after the UAC receives the Authentication request, it will build the
> response = MD5(username + MD5(password) + realm + nonce)
> - then the server will build the challenge by searching for the user
> in the database and retrieving the password as MD5, then building the challenge such
> that challenge = MD5(username + MD5(password) + realm + nonce).
> - by comparing the response with the challenge, the user will
> be authenticated.
> - 401 unauthorized !!!!
>
> **** CONCLUSION ****
>
> Therefore, the possible scenarios are:
> 1- password clear + calculate_ha1=0 ==> 401 unauthorized !!!!
> 2- password clear + calculate_ha1=1 ==> Authorized
> 3- password MD5 + calculate_ha1=0 ==> 401 unauthorized !!!!
> 4- password MD5 + calculate_ha1=1 ==> 401 unauthorized !!!!
>
> -----------------------------------------------------------------------------------------
>
> Assumptions:
>
> 1- the password might not be hashed. If so, then why is modparam("auth",
> "calculate_ha1", ) used? Does it mean that the password might be
> received hashed or not?
> 2- in scenario (2) the SIP server hashes the password by setting
> calculate_ha1=1. If the password is already hashed in the database,
> then scenario (3) should work unless there is a conflict with the hash.
> Might this be related to the hash type or size? Or something else that
> I do not know!!!
>
> Questions:
>
> 1- Why does scenario (3) not work? Where might the problem be?
> 2- What should I do if I want to change the hash algorithm used? For example,
> I need to use SSH1 instead of MD5 because nowadays MD5 has been proven to be a
> weak algorithm.
>
> regards,
> Ahmed ALALI
>
>
--
http://www.asipto.com