I think that yes, the qop parameter must be supplied to the client in the
Challenge if Algo is "MD5-Sess". Anyway, quoting RFC2617, section 3.2.1:
"This directive is optional, but is made so only for backward compatibility
with RFC 2069 [6]; it SHOULD be used by all implementations compliant with
this version of the Digest scheme."
and section 3.2.2:
"This directive [the qop directive] is optional in order to preserve
backward compatibility with a minimal implementation of RFC 2069 [6], but
SHOULD be used if the server indicated that qop is supported by providing a
qop directive in the WWW-Authenticate header field."
And since RFC 2069 doesn't mention "MD5-sess", you SHOULD never end up with
a challenge without qop but with "MD5-sess" as an Algo. And if you do, I
think you can just ignore it as it is just plain wrong.
Hope that helps.
AlexC
-----Original Message-----
From: Sanjay Dhand [mailto:[EMAIL PROTECTED]]
Sent: Thursday, September 06, 2001 12:07 AM
To: Sipimp
Subject: [Sip-implementors] Authentication: qop/cnonce issue
Hi All,
I have a query regarding "qop" and "cnonce" fields in Digest Authentication
procedure. Looks like some gap in the specs. Please provide your input.
The problem is that if qop parameter does not arrive in the Challenge
(401/407) and the algo for the session is "MD5-sess" then Hash Key A1 is
built with "cnonce-value" at the client, but "cnonce-value" is not sent to
the Server in the subsequent Requests.
Then How will the Server decode the response without the "cnonce-value"?
Does it mean that if Algo is "MD5-Sess", then qop parameter MUST be supplied
to the client in the Challenge?
Quoted from RFC 2617, Sec 3.2.2:
"If qop (Quality of Protection) is not sent to the Client then cnonce
value and nonce-count value MUST NOT be specified in the subsequent
requests."
AND (construction of the Hash Key A1)
If Algo is "MD5-sess" then A1 is calculated as
A1 = H(unq(username-value) ":" unq(realm-value) ":" passwd) ":"
unq(nonce-value) ":" unq(cnonce-value)
where A1 is the Session Key for authentication of subsequent requests and
responses.
A1 is used to calculate the response-digest along with the second hash
Key A2.
Best regards,
Sanjay Dhand
Software Engineer
ipDialog India Pvt Ltd
453, Udyog Vihar phase 5,
Gurgaon INDIA.
ph: (91) (120) 6399051, 6399657/58
cell: 9810309914
_______________________________________________
Sip-implementors mailing list
[EMAIL PROTECTED]
http://lists.cs.columbia.edu/mailman/listinfo/sip-implementors
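The gap the thread discusses, worked through in code as an added example (not code from either poster or from the list): RFC 2617 Digest response computation for MD5 and MD5-sess, with and without qop, on both the client and the server side. All credentials, nonces and the SIP URI are constructed sample values. Helper names (a1, request_digest, client_authorization, server_verify, challenge_is_sane) are this example's own, not names from the RFC.

```python
import hashlib
import hmac

# Constructed sample credentials and challenge values (not from the thread).
USERNAME, REALM, PASSWORD = "alice", "example.com", "s3cret"
NONCE = "dcd98b7102dd2f0e8b11d0f600bfb0c093"
METHOD, URI = "INVITE", "sip:bob@example.com"


def H(data: str) -> str:
    """RFC 2617 H(): lowercase hex MD5 of the string."""
    return hashlib.md5(data.encode()).hexdigest()


def KD(secret: str, data: str) -> str:
    """RFC 2617 KD(secret, data) = H(secret ":" data)."""
    return H(f"{secret}:{data}")


def a1(username, realm, password, algorithm, nonce=None, cnonce=None):
    """A1 per RFC 2617 3.2.2.2. MD5-sess folds nonce and cnonce into the session key."""
    base = f"{username}:{realm}:{password}"
    if algorithm.lower() == "md5":
        return base
    if algorithm.lower() == "md5-sess":
        if cnonce is None:
            raise ValueError("MD5-sess needs cnonce to build A1")
        return f"{H(base)}:{nonce}:{cnonce}"
    raise ValueError(f"unsupported algorithm {algorithm!r}")


def request_digest(ha1, nonce, a2, qop=None, nc=None, cnonce=None):
    """request-digest per RFC 2617 3.2.2.1, for qop=auth and for the no-qop (RFC 2069) form."""
    if qop is None:
        return KD(ha1, f"{nonce}:{H(a2)}")
    return KD(ha1, f"{nonce}:{nc}:{cnonce}:{qop}:{H(a2)}")


def client_authorization(challenge, username, password, method, uri, cnonce, nc="00000001"):
    """Build the Authorization parameters a client sends for the given challenge."""
    alg = challenge.get("algorithm", "MD5")
    qop = challenge.get("qop")
    nonce, realm = challenge["nonce"], challenge["realm"]
    ha1 = H(a1(username, realm, password, alg, nonce, cnonce))
    a2 = f"{method}:{uri}"  # qop=auth / no-qop A2 is just method:digest-uri
    params = {"username": username, "realm": realm, "nonce": nonce,
              "uri": uri, "algorithm": alg}
    if qop is None:
        # RFC 2617 3.2.2: without qop the client MUST NOT send cnonce or nc,
        # even though MD5-sess has just consumed cnonce to build A1.
        params["response"] = request_digest(ha1, nonce, a2)
    else:
        params.update(qop=qop, nc=nc, cnonce=cnonce)
        params["response"] = request_digest(ha1, nonce, a2, qop, nc, cnonce)
    return params


def server_verify(params, password, method) -> str:
    """Recompute the response from what the server actually received on the wire."""
    try:
        ha1 = H(a1(params["username"], params["realm"], password,
                   params.get("algorithm", "MD5"), params["nonce"], params.get("cnonce")))
    except ValueError as exc:
        return f"unverifiable: {exc}"
    a2 = f"{method}:{params['uri']}"
    expected = request_digest(ha1, params["nonce"], a2, params.get("qop"),
                              params.get("nc"), params.get("cnonce"))
    return "ok" if hmac.compare_digest(expected, params["response"]) else "mismatch"


def challenge_is_sane(challenge) -> bool:
    """AlexC's rule: an MD5-sess challenge that omits qop cannot be answered verifiably."""
    return not (challenge.get("algorithm", "MD5").lower() == "md5-sess"
                and "qop" not in challenge)


if __name__ == "__main__":
    good = {"realm": REALM, "nonce": NONCE, "algorithm": "MD5-sess", "qop": "auth"}
    broken = {"realm": REALM, "nonce": NONCE, "algorithm": "MD5-sess"}
    for ch in (good, broken):
        p = client_authorization(ch, USERNAME, PASSWORD, METHOD, URI, cnonce="0a4f113b")
        print(challenge_is_sane(ch), "cnonce" in p, server_verify(p, PASSWORD, METHOD))
```

Running it shows the failure mode from the original question: with the qop-less MD5-sess challenge the client builds A1 from a cnonce it never transmits, so the server has nothing to recompute against and the request is unverifiable rather than merely mismatched. The defensive fix on the server side is what the reply recommends: never issue an MD5-sess challenge without qop (RFC 7616, which obsoletes RFC 2617, later made the qop parameter mandatory).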