[asterisk-dev] SIP authentication with SHA
Olle E Johansson
oej at edvina.net
Sat Feb 11 06:27:06 MST 2006
Tzafrir Cohen wrote:
> On Fri, Feb 10, 2006 at 02:56:59PM +0100, Michael Prochaska wrote:
>
>>Olle E. Johansson wrote:
>>
>>>...write an RFC :-)
>>>
>>
>>I don't think that this is necessary :-)
>>
>>
>>>The MD5 is in the SIP RFC, and I've never seen anyone using SHA.
>>
>>No, MD5 is NOT in the SIP RFC. HTTP digest authentication is not
>>automatically MD5
>>
>>and in the HTTP digest RFC there is MD5 as an example but SHA could also be
>>used.
>>
>>I think if Asterisk would support HTTP digest with SHA it would be easy
>>to extend the UAs to support it too.
>
>
> If SHA1 is practically not in use, then what you suggest is a new
> extension. If so: why SHA1 and not a different digest algorithm?
>
> See, e.g.
> http://www.schneier.com/blog/archives/2005/02/cryptanalysis_o.html
>
...and checking with Apache, HTTP basic digest seems to be MD5 only
in the HTTP world, if supported.
I am not saying that we should not add other hash algorithms, just
trying to find more information about the use of other digest mechanisms
in HTTP digest auth.
/O
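
The digest computation discussed in this thread, with the hash function as a parameter; this is an added example, not part of the original message and not Asterisk code. The sample values are the worked example from RFC 2617 section 3.5, and the "SHA-1" algorithm token and all function names are assumptions made for illustration.

```python
import hashlib
import hmac

# Algorithm token -> hash constructor. "MD5" is the RFC 2617 default;
# the "SHA-1" token is an assumption for this example, not a registered value.
ALGORITHMS = {"MD5": hashlib.md5, "SHA-1": hashlib.sha1}


def _h(algorithm, data):
    """Hex digest of data under the named algorithm; unknown tokens are refused."""
    try:
        ctor = ALGORITHMS[algorithm]
    except KeyError:
        raise ValueError("unsupported digest algorithm: %r" % (algorithm,))
    return ctor(data.encode("utf-8")).hexdigest()


def digest_response(algorithm, username, realm, password, method, uri,
                    nonce, nc=None, cnonce=None, qop=None):
    """Compute the request-digest as laid out in RFC 2617 section 3.2.2."""
    ha1 = _h(algorithm, ":".join((username, realm, password)))
    ha2 = _h(algorithm, ":".join((method, uri)))
    if qop is None:  # RFC 2069 compatible form, no qop directive
        return _h(algorithm, ":".join((ha1, nonce, ha2)))
    return _h(algorithm, ":".join((ha1, nonce, nc, cnonce, qop, ha2)))


def verify(challenge_algorithm, received, **fields):
    """Server side: recompute with the algorithm the server itself put in the
    challenge, never one chosen by the client, and compare in constant time."""
    expected = digest_response(challenge_algorithm, **fields)
    return hmac.compare_digest(expected, received)


# Sample request fields: the worked example from RFC 2617 section 3.5.
RFC2617_SAMPLE = dict(
    username="Mufasa", realm="testrealm@host.com", password="Circle Of Life",
    method="GET", uri="/dir/index.html",
    nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093",
    nc="00000001", cnonce="0a4f113b", qop="auth",
)

if __name__ == "__main__":
    for alg in ALGORITHMS:
        print(alg, digest_response(alg, **RFC2617_SAMPLE))
```

The same inputs give a 32-character response under MD5 and a 40-character one under SHA-1, so both ends have to agree on the algorithm before a response can be checked.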