> -----Original Message-----
> From: Attila Sipos [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, March 07, 2001 11:38 AM
> To: '[EMAIL PROTECTED]'
> Subject: [Sip-implementors] MD5 Authorization: URI and CNonce fields
> 
> 
> 
> In a SIP 401 Unauthorized message from a proxy,
> you will get a "WWW-Authenticate" field like this:
> 
>       WWW-Authenticate: Digest realm="AnyCom",
>       nonce="e519c3d7920e9d0b13aefd1abb5b15868e7d6fab26",
>       opaque="1234567890abcedef",
>       stale=false,
>       algorithm=MD5,
>       qop="auth, auth-int"
> 
> And in a response, you'd get something like this:
> 
>       Authorization: Digest username="user1",
>       realm="AnyCom",
>       nonce="e519c3d7920e9d0b13aefd1abb5b15868e7d6fab26",
>       uri="can_this_be_anything?",
>       qop=auth-int,
>       nc=00000001,
>       cnonce="can_this_also_be_anything?",
>       response="a_calculated_response",
>       opaque="1234567890abcedef"
> 
> 
> I realise that the "response" value has to be calculated exactly.
> And I realise the user agent has to use the URI and the CNonce
> to calculate the "response" value.
> 
> But my questions are:
> 
> Does a proxy care what quoted string you use in the URI field?

Yes. Quoting from rfc2617 directly:

   The authenticating server must assure that the resource designated by
   the "uri" directive is the same as the resource specified in the
   Request-Line; if they are not, the server SHOULD return a 400 Bad
   Request error. (Since this may be a symptom of an attack, server
   implementers may want to consider logging such errors.) The purpose
   of duplicating information from the request URL in this field is to
   deal with the possibility that an intermediate proxy may alter the
   client's Request-Line. This altered (but presumably semantically
   equivalent) request would not result in the same digest as that
   calculated by the client.

> Does a proxy care what quoted string you use in cnonce?

No. The whole idea is that it's a client-specified nonce.

-Jonathan R.

---
Jonathan D. Rosenberg                       72 Eagle Rock Ave.
Chief Scientist                             First Floor
dynamicsoft                                 East Hanover, NJ 07936
[EMAIL PROTECTED]                     FAX:   (973) 952-5050
http://www.cs.columbia.edu/~jdrosen         PHONE: (973) 952-5000
http://www.dynamicsoft.com
_______________________________________________
Sip-implementors mailing list
[EMAIL PROTECTED]
http://lists.cs.columbia.edu/mailman/listinfo/sip-implementors
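As an added worked example (not from the original thread or from either poster), the following Python shows both sides of the exchange discussed above: the client computes the RFC 2617 MD5 "response" for qop=auth-int, and the server performs the two checks Jonathan describes, rejecting a uri directive that does not match the Request-Line with a 400 while accepting any cnonce the client chose. The realm, nonce and opaque values are taken from the quoted message; the username's password, the SIP request URI, the SDP body and the password table are constructed placeholders.

```python
import hashlib
import hmac
import re
import secrets

# --- Client side: RFC 2617 Digest (MD5) response computation -----------------

def _md5(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def digest_response(username, realm, password, method, uri, nonce, nc, cnonce, qop, body=b""):
    """Return the hex 'response' value per RFC 2617 for qop=auth or auth-int."""
    ha1 = _md5(f"{username}:{realm}:{password}")
    if qop == "auth-int":
        # auth-int also binds the entity body, so a modified SDP changes the digest
        ha2 = _md5(f"{method}:{uri}:{hashlib.md5(body).hexdigest()}")
    elif qop == "auth":
        ha2 = _md5(f"{method}:{uri}")
    else:
        raise ValueError(f"unsupported qop: {qop}")
    return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def build_authorization(username, realm, password, method, uri, nonce, opaque,
                        qop, body=b"", nc="00000001", cnonce=None):
    """Build the Authorization header value a UA would send after a 401."""
    # cnonce is chosen by the client; the server never validates its content,
    # it only feeds it into the same hash computation.
    cnonce = cnonce or secrets.token_hex(8)
    resp = digest_response(username, realm, password, method, uri, nonce, nc, cnonce, qop, body)
    return (f'Digest username="{username}", realm="{realm}", nonce="{nonce}", '
            f'uri="{uri}", qop={qop}, nc={nc}, cnonce="{cnonce}", '
            f'response="{resp}", opaque="{opaque}"')


# --- Server side: parse the header and verify it against the request --------

_PARAM = re.compile(r'(\w+)=(?:"([^"]*)"|([^\s,]+))')


def parse_authorization(header: str) -> dict:
    """Minimal parser for 'Digest k="v", k=v, ...' (quoted or bare values)."""
    scheme, _, params = header.strip().partition(" ")
    if scheme.lower() != "digest":
        raise ValueError("not a Digest header")
    return {k: (q or u) for k, q, u in _PARAM.findall(params)}


def verify_request(method, request_uri, body, auth_header, passwords, expected_nonce):
    """Return the SIP status a server should answer: 200, 400 or 401."""
    p = parse_authorization(auth_header)
    # RFC 2617: the "uri" directive must designate the Request-Line resource;
    # a mismatch is answered with 400 Bad Request (and is worth logging).
    if p.get("uri") != request_uri:
        return 400
    password = passwords.get(p.get("username", ""))
    if password is None or p.get("nonce") != expected_nonce:
        return 401
    try:
        expected = digest_response(p["username"], p["realm"], password, method,
                                   p["uri"], p["nonce"], p["nc"], p["cnonce"],
                                   p["qop"], body)
    except (KeyError, ValueError):
        return 401
    # constant-time comparison of the hex digests
    return 200 if hmac.compare_digest(expected, p.get("response", "")) else 401


# Constructed sample values (realm/nonce/opaque are from the quoted message).
REALM = "AnyCom"
NONCE = "e519c3d7920e9d0b13aefd1abb5b15868e7d6fab26"
OPAQUE = "1234567890abcedef"
REQUEST_URI = "sip:bob@anycom.example"          # placeholder Request-URI
SDP_BODY = b"v=0\r\no=user1 1 1 IN IP4 192.0.2.10\r\n"  # placeholder body
PASSWORDS = {"user1": "placeholder-password"}   # placeholder credential store


if __name__ == "__main__":
    hdr = build_authorization("user1", REALM, PASSWORDS["user1"], "INVITE",
                              REQUEST_URI, NONCE, OPAQUE, "auth-int", SDP_BODY)
    print(hdr)
    print("same URI      ->", verify_request("INVITE", REQUEST_URI, SDP_BODY, hdr, PASSWORDS, NONCE))
    print("different URI ->", verify_request("INVITE", "sip:alice@anycom.example", SDP_BODY, hdr, PASSWORDS, NONCE))
```

Running the script prints the client's Authorization header, then 200 for a request whose Request-Line matches the uri directive and 400 when they differ. Because the server recomputes the hash with whatever cnonce the client sent, two requests that differ only in cnonce both verify, which is exactly why the proxy does not care what string the client puts there; a changed body under auth-int, on the other hand, fails with 401.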
