[OpenSER-Users] Authentication with LDAP databse

Ahmed Huraimel huraimel at gmail.com
Mon May 19 14:05:43 CEST 2008 

Hello,

i am successfully integrated an openLDAP server with my openSER SIP proxy
server. however i am facing a security problem. let me explain it briefly.

**** Successful Registration with password save as clear in openLDAP DB ****

*          # Configration #
- user name was stored in clear in openSER database
- modparam("auth", "calculate_ha1", 1) which means the server will assume
that the "password_spec" pseudo-variable contains plaintext passwords and it
will calculate HA1 strings on the fly.

          # Senario #
- after the UAC receives Authentication request he will build the response =
MD5(username + MD5(passowrd) + realm + nonce)
- then the server will build the challenge by searching the the user in the
database and retrieving the password in clear then hash the password with
MD5 build the challenge such that challenge=MD5(username + MD5(passowrd) +
realm + nonce) . .
- by comparing the the response the with the challenge the user will be
authenticated.
- *it works *


**** Successful Registration with password save as MD5 in openLDAP DB ****

*          # Configration #
- user name was stored in MD5 in openSER database
- modparam("auth", "calculate_ha1", 0) which means the server assumes the
pseudo-variable contains the HA1 strings directly and will not calculate
them.

          # Senario #
- after the UAC receives Authentication request he will build the response =
MD5(username + MD5(password) + realm + nonce)
- then the server will build the challenge by searching the the user in the
database and retrieving the password in MD5 then challenge such that
challenge=MD5(username + MD5(password) + realm + nonce) .
- by comparing the the response the with the challenge the user will be
authenticated.
- *401 unauthorized !!!!

***** CONCLUSION ****

*there for possible scenarios:
1- password clear + calculate_ha1= 0 ==> 401 unauthorized !!!!
2- password clear + calculate_ha1= 1 ==> Authorized
3- password MD5  + calculate_ha1= 0 ==> 401 unauthorized !!!!
4- password MD5  + calculate_ha1= 1 ==> 401 unauthorized !!!!
*
*
-----------------------------------------------------------------------------------------
*
asuumptions:

*1- the password might be not hashed. if so then why  modparam("auth",
"calculate_ha1", ) used? does it mean that the password might be received
hashed or not?
*2- in scenario(2) the sip server hash the password by setting
calculate_ha1= 1. if the password is already hashed in the database then
scenario(3) should work unless there is a conflict with the hash. is this
might be related to hash type or size?* or something else that i do not
know!!!

*question*:

1- why scenario(3) does not work? where might be the problem?
2- what to do if i want to change the hash algorithm used? for example i
need to SSH1 instead of MD5 because nowadays MD5  is proved to be weak
algorithm

regards,
Ahmed ALALI
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.kamailio.org/pipermail/users/attachments/20080519/9454f07a/attachment.htm

More information about the Users mailing list