nonce is supposed to be time sensitive.
Storing HA1 creates the possibility of a replay attack.

-Deepak




"Arunachalam Venkatraman" <[EMAIL PROTECTED]>@cs.columbia.edu on 11/04/2002 11:08:11 AM

Sent by:  [EMAIL PROTECTED]


To:   "Avshalom Houri" <[EMAIL PROTECTED]>,
      <[EMAIL PROTECTED]>
cc:   "Ran Bar-Lavie" <[EMAIL PROTECTED]>
Subject:  RE: [Sip-implementors] LDAP servers and SIP Authentication


How about storing H(A1), instead of the password, in the LDAP server?

This is actually discussed in RFC2617 in section 3.2.2.1

  -----Original Message-----
  From: [EMAIL PROTECTED] [mailto:sip-implementors-admin@;cs.columbia.edu] On Behalf Of Avshalom Houri
  Sent: Monday, November 04, 2002 10:00 AM
  To: [EMAIL PROTECTED]
  Cc: Ran Bar-Lavie
  Subject: [Sip-implementors] LDAP servers and SIP Authentication



  Since basic authentication has been deprecated from SIP and LDAP servers do not
  support a uniform way for querying passwords, it seems that there is a problem with
  using SIP with an LDAP server as a directory.

  For example, some LDAP servers return the user's password hashed (using MD5 or SHA
  or something else) but we cannot compare this with the hashed password from the client,
  even if the same hashing algorithm was used, because LDAP returns only the password
  hashed, while the client-supplied hash includes more info in the digest. The only way we
  can do this is by getting the password cleartext from LDAP and doing our own digest, but most
  LDAP servers do not allow that, not even for the directory admin.

  Any ideas?

  Thanks
  Avshalom


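As an added illustration, not code from anyone in this thread: a server that stores only H(A1) = MD5(username:realm:password), as suggested above, can still verify an RFC 2617 Digest response, and a time-bound nonce lets it reject stale responses. The user "alice", realm "example.com", the HMAC-bound "timestamp:tag" nonce format and the 300-second window are assumptions for the example.

```python
import hashlib
import hmac
import time


def md5hex(s):
    return hashlib.md5(s.encode()).hexdigest()


def make_ha1(username, realm, password):
    # H(A1) per RFC 2617 section 3.2.2.2; this is all the directory needs to hold.
    return md5hex(f"{username}:{realm}:{password}")


def make_nonce(server_key, now=None):
    # Constructed nonce format (assumption): "<unix-ts>:<hmac-tag>", so the server
    # can check both age and that it issued the nonce, without storing nonces.
    ts = str(int(now if now is not None else time.time()))
    tag = hmac.new(server_key, ts.encode(), hashlib.sha256).hexdigest()[:16]
    return f"{ts}:{tag}"


def nonce_is_fresh(server_key, nonce, max_age=300, now=None):
    try:
        ts, tag = nonce.split(":")
        issued = int(ts)
    except ValueError:
        return False
    expected = hmac.new(server_key, ts.encode(), hashlib.sha256).hexdigest()[:16]
    if not hmac.compare_digest(tag, expected):
        return False
    now = now if now is not None else time.time()
    return 0 <= now - issued <= max_age


def digest_response(ha1, method, uri, nonce, qop=None, nc=None, cnonce=None):
    # RFC 2617 section 3.2.2.1: H(A2) = MD5(method:uri); the response is built
    # from H(A1), so the server never needs the cleartext password.
    ha2 = md5hex(f"{method}:{uri}")
    if qop == "auth":
        return md5hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")
    return md5hex(f"{ha1}:{nonce}:{ha2}")


def verify(stored_ha1, method, uri, nonce, response, server_key,
           qop=None, nc=None, cnonce=None, now=None):
    # Reject expired or forged nonces first, then compare digests in constant time.
    if not nonce_is_fresh(server_key, nonce, now=now):
        return False
    expected = digest_response(stored_ha1, method, uri, nonce, qop, nc, cnonce)
    return hmac.compare_digest(expected, response)
```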