SIP RFC3261 refers to RFC 2617 for HTTP authentication
and I have a question regarding nonce.

(For your reference the RFC2617 section on nonce is at the end of this e-mail)

Specifically, it mentions an algorithm which incorporates a timestamp:

        time-stamp H(time-stamp ":" ETag ":" private-key)

Then when a nonce arrives with a timestamp that is too old, the request
will be rejected as "stale".

My question is...
For a proxy, what is a typical lifetime for a nonce?


Incidentally, RFC3261 also says:
      4.  The example procedure for choosing a nonce based on Etag does
          not work for SIP.

So, what would be a recommended algorithm?



Regards,

Attila



===================================================================
RFC2617 extract

   nonce
     A server-specified data string which should be uniquely generated
     each time a 401 response is made. It is recommended that this
     string be base64 or hexadecimal data. Specifically, since the
     string is passed in the header lines as a quoted string, the
     double-quote character is not allowed.

     The contents of the nonce are implementation dependent. The quality
     of the implementation depends on a good choice. A nonce might, for
     example, be constructed as the base 64 encoding of

        time-stamp H(time-stamp ":" ETag ":" private-key)

     where time-stamp is a server-generated time or other non-repeating
     value, ETag is the value of the HTTP ETag header associated with
     the requested entity, and private-key is data known only to the
     server.  With a nonce of this form a server would recalculate the
     hash portion after receiving the client authentication header and
     reject the request if it did not match the nonce from that header
     or if the time-stamp value is not recent enough. In this way the
     server can limit the time of the nonce's validity. The inclusion of
     the ETag prevents a replay request for an updated version of the
     resource.  (Note: including the IP address of the client in the
     nonce would appear to offer the server the ability to limit the
     reuse of the nonce to the same client that originally got it.
     However, that would break proxy farms, where requests from a single
     user often go through different proxies in the farm. Also, IP
     address spoofing is not that hard.)
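The RFC2617 construction quoted above, worked through as an added example (this is not code from the list post or from any SIP stack): a server mints a nonce of the form time-stamp H(time-stamp ":" ETag ":" private-key), base64-encoded, and on the way back recomputes the hash and checks the time-stamp against a lifetime. H being SHA-256 and the 300-second lifetime are assumptions made for the example; the ETag is kept as a parameter so the shape matches the RFC text exactly.

```python
import base64
import hashlib
import hmac

# Assumed for this example (not stated in the RFC or the e-mail):
# H is SHA-256 and a nonce is accepted for 300 seconds.
NONCE_LIFETIME_SECONDS = 300


def make_nonce(private_key: bytes, etag: str, now: int) -> str:
    """Mint base64( time-stamp " " H(time-stamp ":" ETag ":" private-key) )."""
    ts = str(now)
    digest = hashlib.sha256(f"{ts}:{etag}:".encode() + private_key).hexdigest()
    # base64 output never contains a double-quote, so it is safe in a quoted-string.
    return base64.b64encode(f"{ts} {digest}".encode()).decode()


def check_nonce(nonce: str, private_key: bytes, etag: str, now: int,
                lifetime: int = NONCE_LIFETIME_SECONDS) -> str:
    """Return 'ok', 'stale' or 'invalid' for a nonce echoed back by a client.

    'invalid': hash mismatch (tampered nonce, wrong ETag, or not our key),
               so the server should reject outright.
    'stale':   hash is genuine but the time-stamp is outside the lifetime,
               so the server answers 401 with stale=true and a fresh nonce.
    """
    try:
        ts, digest = base64.b64decode(nonce, validate=True).decode().split(" ", 1)
        ts_int = int(ts)
    except ValueError:  # binascii.Error and UnicodeDecodeError are ValueErrors
        return "invalid"
    expected = hashlib.sha256(f"{ts}:{etag}:".encode() + private_key).hexdigest()
    # Constant-time comparison: the digest is the only secret-derived part.
    if not hmac.compare_digest(expected, digest):
        return "invalid"
    # Reject both too-old and future-dated time-stamps (clock skew or replay).
    if now - ts_int > lifetime or ts_int > now:
        return "stale"
    return "ok"


if __name__ == "__main__":
    key = b"constructed-secret-known-only-to-server"  # constructed sample key
    nonce = make_nonce(key, "etag-1", now=1_000_000)
    print(nonce, check_nonce(nonce, key, "etag-1", now=1_000_100))   # ok
    print(check_nonce(nonce, key, "etag-1", now=1_000_000 + 301))     # stale
```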


_______________________________________________
Sip-implementors mailing list
https://lists.cs.columbia.edu/cucslists/listinfo/sip-implementors