[SR-Users] Meddling with password during authentication

Olli Heiskanen ohjelmistoarkkitehti at gmail.com
Sat Dec 27 11:02:05 CET 2014


Thanks for your input, I thought about working with pv_auth_check, but the
problem is I can't decrypt the passwords from the database, they will be
either md5 hashes or some other hashes that can't be decrypted. Also I
can't access the password the user is sending in order to encrypt it, so this
way of solving my problem seems to be impossible as I suspected.

I'll have to solve the problem some other way, but thanks very much for
your excellent response.

Thanks



2014-12-27 8:48 GMT+02:00 Muhammad Shahzad <shaheryarkh at gmail.com>:

> I am not sure if i understand your question correctly, but if you want to
> use any authentication source or encryption algorithm (for back-end
> storage, e.g. for compliance with PCI DSS v2.0 and above) other than
> standard db and ha1 hash then you may consider using pv_auth_check,
>
>
> http://kamailio.org/docs/modules/4.2.x/modules/auth.html#auth.f.pv_auth_check
>
> just query whatever subscriber back-end you have, fetch the password
> (decrypt according to your architecture requirements) and supply it to this
> method through AVP. I recommend never to use plain text passwords, even in
> this scenario (you should make an ha1 hash before encrypting it specific to
> your back-end requirements, so that when the kamailio script decrypts it at run
> time, it would get the ha1 hash, rather than plaintext, thus keeping it somewhat
> safe even against memory exploits from remote hackers).
>
> Regarding the digest response hash sent by client, no it is not possible
> to decrypt it (at least under normal circumstance). You may find ways to
> modify the response hash, but it would be most likely pointless (since you
> do not know what was actually entered by the user as password).
>
> Thank you.
>
>
>
> On Fri, Dec 26, 2014 at 7:33 PM, Olli Heiskanen <
> ohjelmistoarkkitehti at gmail.com> wrote:
>
>>
>> Hello all,
>>
>> During authentication, is there any way to affect the password the user is
>> sending? I do suspect not as it is a clear security matter, but it won't hurt
>> to ask. I use the auth_db module with the calculate_ha1 parameter set to 1. For
>> reasons in integrating Kamailio into my system architecture there is a need
>> to store a password in some other format than for example
>> md5('555:domain.com:password') while not allowing any passwords to be
>> stored as plaintext.
>>
>> For example: md5('555:domain.com:md5('password')') but this would
>> require me to hash the password before authentication, in Kamailio script
>> as I can't do it in the clients.
>>
>> Reason for this question is to have my users in a separate database, and
>> these users could have 0-n sip peers assigned to them, and have users
>> authenticate to my software and the sip peers using the same password.
>>
>> cheers,
>> Olli
>>
>> _______________________________________________
>> SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list
>> sr-users at lists.sip-router.org
>> http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
>>
>>
>
>
>
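Worked example, added to this archive page and not code from the thread or from Kamailio: it models the RFC 2617 digest check that auth_db / pv_auth_check perform on the proxy side, to make the point of the exchange concrete. The client hashes whatever password it was configured with into HA1 = md5(user:realm:password) and sends only a response hash; the proxy never sees the password, so it cannot re-hash it, and a stored value of the form md5(user:realm:md5(password)) only matches if the client itself was provisioned with md5(password) as its SIP password. The user, realm, password, nonce and header values below are constructed, and the server-side function takes a stored HA1, not a plaintext password, as the reply recommends.

```python
"""Digest authentication as the proxy sees it (constructed data, added example)."""
import hashlib
import hmac
import re

# Constructed sample values; nothing here comes from the thread's deployment.
USER, REALM, PASSWORD = "555", "domain.com", "s3cret"
NONCE = "dcd98b7102dd2f0e8b11d0f600bfb0c093"   # server nonce from the 401 challenge
CNONCE, NC, QOP = "0a4f113b", "00000001", "auth"
METHOD, URI = "REGISTER", "sip:domain.com"


def md5hex(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def ha1(user: str, realm: str, password: str) -> str:
    """RFC 2617 HA1. With calculate_ha1=1 auth_db derives this from the plaintext column."""
    return md5hex(f"{user}:{realm}:{password}")


def ha2(method: str, uri: str) -> str:
    return md5hex(f"{method}:{uri}")


def digest_response(h1: str, nonce: str, nc: str, cnonce: str, qop: str, h2: str) -> str:
    """qop=auth form: response = md5(HA1:nonce:nc:cnonce:qop:HA2)."""
    return md5hex(f"{h1}:{nonce}:{nc}:{cnonce}:{qop}:{h2}")


def build_authorization(user, realm, password, method, uri, nonce, nc, cnonce, qop) -> str:
    """Client side: the UA hashes the password it was configured with and sends the digest."""
    resp = digest_response(ha1(user, realm, password), nonce, nc, cnonce, qop, ha2(method, uri))
    return (f'Digest username="{user}", realm="{realm}", nonce="{nonce}", uri="{uri}", '
            f'response="{resp}", qop={qop}, nc={nc}, cnonce="{cnonce}", algorithm=MD5')


_PARAM = re.compile(r'(\w+)=(?:"([^"]*)"|([^\s,]+))')


def parse_authorization(header: str) -> dict:
    """Minimal parser for the Digest credential parameters (quoted or bare values)."""
    if not header.startswith("Digest "):
        raise ValueError("not a Digest credential")
    return {k: (q or u) for k, q, u in _PARAM.findall(header[len("Digest "):])}


def verify_with_stored_ha1(stored_ha1: str, method: str, header: str, expected_nonce: str) -> bool:
    """Server side, like pv_auth_check fed an HA1 value: no plaintext password is needed.

    The proxy recomputes the response from the stored HA1 and the request's own
    method/uri/nonce; there is no step at which the client's password is available.
    """
    c = parse_authorization(header)
    if c.get("nonce") != expected_nonce or c.get("qop") != "auth":
        return False
    expected = digest_response(stored_ha1, c["nonce"], c["nc"], c["cnonce"], c["qop"],
                               ha2(method, c["uri"]))
    return hmac.compare_digest(expected, c["response"])


def demo() -> dict:
    """Compare the standard HA1 storage with the nested scheme asked about in the thread."""
    header = build_authorization(USER, REALM, PASSWORD, METHOD, URI, NONCE, NC, CNONCE, QOP)
    standard = ha1(USER, REALM, PASSWORD)            # md5(user:realm:password)
    nested = ha1(USER, REALM, md5hex(PASSWORD))      # md5(user:realm:md5(password))
    # Same nested value, but the client was provisioned with md5(password) as its SIP password.
    header_md5pw = build_authorization(USER, REALM, md5hex(PASSWORD), METHOD, URI,
                                       NONCE, NC, CNONCE, QOP)
    return {
        "standard_ha1_accepts": verify_with_stored_ha1(standard, METHOD, header, NONCE),
        "nested_ha1_accepts": verify_with_stored_ha1(nested, METHOD, header, NONCE),
        "nested_ha1_accepts_if_client_uses_md5pw":
            verify_with_stored_ha1(nested, METHOD, header_md5pw, NONCE),
        "wrong_method_accepts": verify_with_stored_ha1(standard, "INVITE", header, NONCE),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The second and third results are the whole story of the thread: the proxy can store and verify any value it likes as HA1, but that value has to equal what the client computes, and the client computes md5(user:realm:&lt;the password it was given&gt;). A derived password therefore has to be derived where the credential is provisioned, not in the Kamailio script. In Kamailio the server-side function corresponds to pv_auth_check with the AVP holding the HA1 value and the flag that marks the supplied value as HA1 rather than plaintext; confirm the exact flag bit against the module documentation linked above for the version in use.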

