[Asterisk-Users] What does the error "stale nonce' mean?

trixter http://www.0xdecafbad.com trixter at 0xdecafbad.com
Mon Oct 3 13:49:00 MST 2005


A stale nonce is more of a warning than an error.  In SIP your
authorization credentials are encoded in the SIP headers.  To prevent
people from capturing that data and using it later to make calls on your
account a nonce is used.

A nonce is a disposable number that is added to the string a hash
algorithm will hash.  This makes hashing algorithms (like md5) have
different output.  This is a common cryptography technique.

The SIP RFC requires that the nonce randomly change periodically.  If
the client uses a nonce that has expired it is considered a 'stale
nonce'.  The client should then get the current nonce and use that
instead.  This message lets you know that the client tried to use a
stale nonce, which can indicate someone trying a replay attack (using
captured data from a previous session) or a client that isn't properly
getting the new nonce, or even just timing issues as follows:

Client gets a nonce.
Client goes to register/reregister using that nonce.
At the same time the client is preparing the message to
     register/reregister, the server chooses a new nonce.
Client sends the message with the now old nonce.

Then again it could be something else entirely :)


On Mon, 2005-10-03 at 22:35 +0200, Morten Isaksen wrote:
> 
> On 10/3/05, Olle E. Johansson <oej at edvina.net> wrote:
> > > Does anyone know what "stale nonce" is?
> > I've answered this question many times, so you should be able
> > to find the answer...
> >
> > A stale nonce is when a device tries to re-authenticate with a
> > nonce that is no longer valid. We are telling them that the nonce
> > they used is invalid, and re-issue a new challenge and a fresh
> > nonce. It's just an informative message, that I probably should
> > move away to a debug level of some kind.
>  
>  
> I get this error when I use an Audiocodes MP-124 against Asterisk
> 1.2beta1 and asterisk refuses the call. When I
> use CVS-D2005.02.12.14.37.11-04/13/05-16:14:03 it works fine.
>  
> I do not have access to the debug and log file now, but I will send
> them tomorrow.
>  
> /Morten
>  
-- 
Trixter http://www.0xdecafbad.com     Bret McDanel
UK +44 870 340 4605   Germany +49 801 777 555 3402
US +1 360 207 0479 or +1 516 687 5200
FreeWorldDialup: 635378
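The challenge/response and the timing race described above, as an added example that is not code from the original thread or from Asterisk: a toy Python registrar that verifies the RFC 2617 Digest response, rotates its nonce, and answers a correct response computed over an old nonce with 401 and stale=true, walking through a normal registration, the race from the post, the client's retry, nonce expiry, and a replayed capture. The realm, secret, request URI and 30-second lifetime are constructed values.

```python
import hashlib
import hmac
import secrets

REALM = "asterisk"                          # constructed realm
USER, PASSWORD = "1001", "example-secret"   # constructed peer secret
METHOD, URI = "REGISTER", "sip:pbx.example" # constructed request
NONCE_LIFETIME = 30                         # seconds; constructed policy

def md5hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()

def digest_response(user, password, realm, method, uri, nonce):
    """RFC 2617 Digest response without qop, as SIP clients compute it."""
    ha1 = md5hex(f"{user}:{realm}:{password}")
    ha2 = md5hex(f"{method}:{uri}")
    return md5hex(f"{ha1}:{nonce}:{ha2}")

class DigestServer:
    def __init__(self, clock):
        self.clock = clock
        self.new_nonce()

    def new_nonce(self):
        self.nonce, self.issued = secrets.token_hex(16), self.clock()

    def authenticate(self, user, nonce, response):
        # Verify the digest against the nonce the client used first: per
        # RFC 2617, stale=true means "right password, old nonce".
        expected = digest_response(user, PASSWORD, REALM, METHOD, URI, nonce)
        if not hmac.compare_digest(expected, response):
            return 403, "Forbidden (bad credentials)"
        if nonce != self.nonce or self.clock() - self.issued > NONCE_LIFETIME:
            self.new_nonce()   # re-challenge with a fresh nonce
            return 401, f'Digest realm="{REALM}", nonce="{self.nonce}", stale=true'
        return 200, "OK"

def walk_through():
    now = [1000.0]                 # fake clock so expiry is reproducible
    srv = DigestServer(clock=lambda: now[0])
    sign = lambda n: digest_response(USER, PASSWORD, REALM, METHOD, URI, n)
    auth = lambda n, r: srv.authenticate(USER, n, r)[0]
    n1, r1 = srv.nonce, sign(srv.nonce)
    ok = auth(n1, r1)              # 200: current nonce, right credentials
    srv.new_nonce()                # server rotates while the client is sending
    race = auth(n1, r1)            # 401 stale=true: the race from the post
    retry = auth(srv.nonce, sign(srv.nonce))    # 200: re-signed with the new nonce
    now[0] += NONCE_LIFETIME + 1   # the nonce outlives its configured lifetime
    expired = auth(srv.nonce, sign(srv.nonce))  # 401 stale=true: too old
    replay = auth(n1, r1)          # 401 stale=true: a captured pair is useless
    return ok, race, retry, expired, replay
```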