[SR-Users] MD5 and SHA-256 instead of MD5 or SHA-256...

Olle E. Johansson oej at edvina.net
Thu Jun 18 10:42:55 CEST 2020



> On 17 Jun 2020, at 17:22, Maxim Sobolev <sobomax at sippysoft.com> wrote:
> 
> Whoever works on this needs to consider two things I think:
> 
> - ability to select algorithms when challenging UAC (MD5-only, SHA256-only, SHA-512/256-only, all permutations). The RFC allows UAS to include multiple HFs(*).  MD5-only should probably be the default. I suspect there might be a significantly non-trivial population of UACs that would get confused receiving multiple digests. Plus enabling challenges for all protocols would expand the size of 401s messages.
Agree, multiple challenges will break stuff. I’m not sure that implementations actually bother with parsing the algorithm parameter.
> 
> - ability to accept response in either of supported hashing methods or any combination of thereof. The reasonable default here is probably MD5-only for now, again to prevent the possibility of foul play when we only request MD5, while for some reason getting say SHA-256 back.
If you challenge with SHA512 only, you should not accept anything else.

> 
> -Max
> *) Example:
> 401 Unauthorized
> [..]
> WWW-Authenticate: Digest
>        realm="http-auth at example.org",
>        qop="auth, auth-int",
>        algorithm=SHA-256,
>        nonce="7ypf/xlj9XXwfDPEoM4URrv/xwf94BcCAzFZH4GiTo0v",
>        opaque="FQhe/qaU925kfnzjCev0ciny7QMkPqMAFRtzCUYo5tdS"
> WWW-Authenticate: Digest
>        realm="http-auth at example.org",
>        qop="auth, auth-int",
>        algorithm=MD5,
>        nonce="7ypf/xlj9XXwfDPEoM4URrv/xwf94BcCAzFZH4GiTo0v",
>        opaque="FQhe/qaU925kfnzjCev0ciny7QMkPqMAFRtzCUYo5tdS"

So the question is how to migrate. I don’t believe migrating within the same UA base will ever work smoothly. If you have a provisioning system
it is easy to set up a SIP subdomain, let’s say “strong.example.com”, and use that either for the OB proxy or the SIP domain, depending on your setup.
By doing that, you can have a zone with devices/clients that can handle stronger auth and *only* use that. For the old ones, keep them
running until you reasonably can upgrade them.

Of course you can do this with realms too, but that requires a strong realm implementation in the UAs, something that SNOM had in
the beginning but removed (maybe it was too hard to explain).

Cheers,
/O
> 
> 
> On Tue., Jun. 16, 2020, 12:13 p.m. Aymeric Moizard, <amoizard at gmail.com> wrote:
> 
> On Tue., Jun. 16, 2020 at 20:42, Henning Westerholt <hw at skalatan.de> wrote:
> Hello,
> 
> 
> take a look to this parameter, you can switch between MD5 and SHA256, but only use once at a time:
> 
> 
> https://www.kamailio.org/docs/modules/5.3.x/modules/auth.html#auth.p.algorithm
> 
> About planned features – I am not aware of major extensions in this module. Of course, any contribution is welcome.
> 
> 
> Thanks for your answer.
> If I have some time, I might try to make a PR on being able to select the algorithm at runtime.
> 
> Regards,
> Aymeric
> 
> Cheers,
> 
> 
> Henning
> 
> 
> --
> 
> Henning Westerholt – https://skalatan.de/blog/
> Kamailio services – https://gilawa.com
> 
> From: sr-users <sr-users-bounces at lists.kamailio.org> On Behalf Of Aymeric Moizard
> Sent: Monday, June 15, 2020 10:31 PM
> To: Kamailio (SER) - Users Mailing List <sr-users at lists.kamailio.org>
> Subject: [SR-Users] MD5 and SHA-256 instead of MD5 or SHA-256...
> 
> 
> Hi All,
> 
> 
> I'd like to improve my setup by switching to SHA-256. 
> 
> However, as a first step, I would like to offer both MD5 and SHA-256
> 
> in 2 different WWW-Authenticate header.
> 
> 
> If I'm correct, this is not doable with the latest auth module?
> 
> Is this a planned feature?
> 
> 
> As an alternative, I would like to decide the algorithm in the script
> 
> instead of a module parameter. It looks to me this is also not doable?
> 
> Again, is this a planned feature?
> 
> 
> Thanks to all,
> 
> 
> Regards
> 
> Aymeric
> 
> 
> --
> 
> Antisip - http://www.antisip.com
> _______________________________________________
> Kamailio (SER) - Users Mailing List
> sr-users at lists.kamailio.org
> https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
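The thread makes two points a server-side Digest verifier should enforce: the UAS should challenge with one algorithm at a time (Max), and if it challenged with SHA-256 or SHA-512 only it must not accept a response computed with any other algorithm (Olle), so that a client cannot "downgrade" a SHA-256 challenge into an MD5 response. The following Python is an added example written for this thread; it is not Kamailio's auth module or any code posted by the participants. It parses the SHA-256 challenge from Max's example above, computes the RFC 7616 qop=auth response for MD5 and SHA-256, and verifies a client's Authorization parameters against the challenge. The username, password, URI, nc and cnonce are constructed test values, not from the thread.

```python
import hashlib
import hmac
import re

# Hash constructors for the Digest algorithm labels discussed in the thread.
# Session variants (MD5-sess, SHA-256-sess) are deliberately not handled here.
ALGORITHMS = {"MD5": hashlib.md5, "SHA-256": hashlib.sha256}

# name=value pairs, value either quoted (may contain commas) or a bare token.
_PARAM_RE = re.compile(r'(\w[\w-]*)\s*=\s*(?:"([^"]*)"|([^",\s]+))')


def parse_digest(header_value):
    """Parse one 'Digest ...' WWW-Authenticate / Authorization value into a dict.

    Keys are lower-cased; quoted and unquoted values are both accepted.
    """
    scheme, _, params = header_value.strip().partition(" ")
    if scheme.lower() != "digest":
        raise ValueError("not a Digest header")
    return {name.lower(): quoted or bare for name, quoted, bare in _PARAM_RE.findall(params)}


def digest_response(alg, username, realm, password, method, uri, nonce, nc, cnonce, qop="auth"):
    """Compute the qop=auth 'response' of RFC 7616 section 3.4.1 with the given algorithm."""
    def h(s):
        return ALGORITHMS[alg](s.encode()).hexdigest()
    ha1 = h(f"{username}:{realm}:{password}")
    ha2 = h(f"{method}:{uri}")
    return h(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def verify_authorization(challenge, authorization, password, method):
    """Check a client's Authorization parameters against the challenge the server sent.

    Returns (accepted, reason). The algorithm the client used must be exactly the
    one challenged: a correct digest in a different algorithm is still rejected.
    A missing 'algorithm' parameter means MD5, as in RFC 3261 / RFC 7616.
    """
    challenged_alg = challenge.get("algorithm", "MD5").upper()
    used_alg = authorization.get("algorithm", "MD5").upper()
    if used_alg != challenged_alg:
        return False, f"algorithm mismatch: challenged {challenged_alg}, got {used_alg}"
    if used_alg not in ALGORITHMS:
        return False, f"unsupported algorithm {used_alg}"
    for param in ("realm", "nonce"):
        if authorization.get(param) != challenge.get(param):
            return False, f"{param} does not match the challenge"
    if authorization.get("qop", "auth") != "auth":
        return False, "only qop=auth is handled here"
    try:
        expected = digest_response(
            used_alg, authorization["username"], authorization["realm"], password,
            method, authorization["uri"], authorization["nonce"],
            authorization["nc"], authorization["cnonce"])
    except KeyError as missing:
        return False, f"missing parameter {missing}"
    # Constant-time comparison so the check leaks nothing about the expected digest.
    if not hmac.compare_digest(expected, authorization.get("response", "")):
        return False, "bad credentials"
    return True, "ok"


# Server challenge: the SHA-256-only challenge from the example in the thread.
CHALLENGE = parse_digest(
    'Digest realm="http-auth@example.org", qop="auth, auth-int", algorithm=SHA-256, '
    'nonce="7ypf/xlj9XXwfDPEoM4URrv/xwf94BcCAzFZH4GiTo0v", '
    'opaque="FQhe/qaU925kfnzjCev0ciny7QMkPqMAFRtzCUYo5tdS"')

# Constructed test credentials and request parameters (not from the thread).
USERNAME, PASSWORD = "alice", "correct horse battery staple"
URI, METHOD, NC, CNONCE = "sip:example.org", "REGISTER", "00000001", "0a4f113b"


def client_authorization(alg, password=PASSWORD):
    """Build the Authorization parameters a UAC would send back using algorithm `alg`."""
    return {
        "username": USERNAME, "realm": CHALLENGE["realm"], "nonce": CHALLENGE["nonce"],
        "uri": URI, "qop": "auth", "nc": NC, "cnonce": CNONCE, "algorithm": alg,
        "opaque": CHALLENGE["opaque"],
        "response": digest_response(alg, USERNAME, CHALLENGE["realm"], password,
                                    METHOD, URI, CHALLENGE["nonce"], NC, CNONCE),
    }


if __name__ == "__main__":
    # A SHA-256 response is accepted; a correct MD5 response to the same challenge is not.
    for alg in ("SHA-256", "MD5"):
        print(alg, verify_authorization(CHALLENGE, client_authorization(alg), PASSWORD, METHOD))
```

Running the module verifies the SHA-256 answer and rejects the MD5 answer with an "algorithm mismatch" reason even though its digest is correct for the password, which is the policy Olle states: challenge with one algorithm, accept only that algorithm. To run the migration Olle proposes, the server would pick the challenge algorithm per domain (or realm) and apply the same check against whatever it chose.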
