On Saturday, 19 July 2008, Iñaki Baz Castillo wrote:
> On Saturday, 19 July 2008, Scott Lawrence wrote:
> > A 'request replay' is an attempt by an attacker to use the
> > authentication from one (legitimate) authenticated request to
> > authenticate some other (forged) request.
>
> Thanks for the explanation.
> And how can "nonce count" help here? If the original request has
> "nc=000001" and the attacker then sets "nc=000002", how can "nc" help here?

Ok, I understand. "nc" is useful since the Digest "response" is computed with it. So, an attacker couldn't use the same authorization, since "nc" should be greater (if not, the server will reject it), and since the "attacker" doesn't know the clear password, it cannot compute it with a new "nc".

:)

-- 
Iñaki Baz Castillo
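The check described in the message above, as an added example that is not part of the original post: a server-side Digest verifier using the RFC 2617 `qop=auth` formula, run against a legitimate request, a verbatim replay, and a replay with only `nc` incremented. The names `Server`, `digest_response` and `demo` are hypothetical, all credentials and nonces are constructed, and `nc` is written as 8 hex digits as RFC 2617 specifies.

```python
import hashlib
import hmac

def md5_hex(s):
    return hashlib.md5(s.encode()).hexdigest()

def digest_response(user, realm, password, method, uri, nonce, nc, cnonce, qop="auth"):
    # RFC 2617 with qop=auth: nc is hashed into the response together with HA1,
    # which only someone who knows the password can produce.
    ha1 = md5_hex(f"{user}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")

class Server:
    """Hypothetical verifier; assumes the nonce was issued by this server."""
    def __init__(self, realm, users):
        self.realm, self.users = realm, users
        self.last_nc = {}  # nonce -> highest nc accepted so far

    def check(self, method, auth):
        password = self.users.get(auth["username"])
        if password is None:
            return "reject: unknown user"
        nc = int(auth["nc"], 16)
        if nc <= self.last_nc.get(auth["nonce"], 0):
            return "reject: nc not greater"
        expected = digest_response(auth["username"], self.realm, password, method,
                                   auth["uri"], auth["nonce"], auth["nc"], auth["cnonce"])
        if not hmac.compare_digest(expected, auth["response"]):
            return "reject: bad response"
        self.last_nc[auth["nonce"]] = nc  # advance only after a valid response
        return "accept"

def demo():
    realm, pw = "example.invalid", "constructed-password"      # constructed values
    nonce, cnonce, uri = "constructed-nonce", "constructed-cnonce", "sip:bob@example.invalid"
    server = Server(realm, {"alice": pw})
    def header(nc):  # what a client that knows the password would send
        return {"username": "alice", "uri": uri, "nonce": nonce, "nc": nc, "cnonce": cnonce,
                "response": digest_response("alice", realm, pw, "INVITE", uri, nonce, nc, cnonce)}
    captured = header("00000001")
    return [
        server.check("INVITE", captured),                       # legitimate request
        server.check("INVITE", dict(captured)),                 # verbatim replay
        server.check("INVITE", dict(captured, nc="00000002")),  # nc bumped, old response
        server.check("INVITE", header("00000002")),             # legitimate next request
    ]

if __name__ == "__main__":
    print(demo())
```

The server stores the highest `nc` only after the response verifies, so a forged header with a large `nc` cannot lock out the legitimate client's next request.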
