[asterisk-users] why is nonce="584760da" used in sip packets?
Stanisław Pitucha
stanis at zimbra-1.gradwell.net
Wed Aug 15 05:58:06 CDT 2007
----- "Rizwan Hisham" <rizwanhasham at gmail.com> wrote:
> WWW-Authenticate: Digest algorithm=MD5, realm="asterisk", nonce="584760da"
> Authorization: Digest username="bernart48", realm="asterisk", algorithm=MD5, uri="sip:bernart48 at 64.182.161.2:9060", nonce="584760da", response="948d3923bf2df47eca17c572713af2c7", opaque=""
> What I don't know, and would very much like to know, is what is the
> purpose of this parameter in sip packets?
It's a kind of challenge algorithm. What you see in "response" is not MD5(password), but MD5('password', 'realm', ..., 'nonce'). The nonce is generated by the server so that you don't get the same hash for every authorization by that user. It prevents someone who can see only one-way communication from breaking your sip session + makes breaking the hash a little bit harder.
The nonce should be unique per authorization.
If the nonce wasn't used you could reuse the same response in the next connection even if you don't know the real password.
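Added example (not from the thread or from Asterisk): the RFC 2617 Digest computation behind the "response" value above, plus a minimal hypothetical registrar that issues a fresh nonce per challenge and accepts each nonce only once, so a captured response cannot be replayed. The Authorization line is the one quoted above with "@" restored; the password "s3cret" is constructed, since the real one is not on the page.

```python
import hashlib
import re
import secrets

# Constructed sample: the Authorization line quoted in the thread, with "@" restored in the URI.
AUTH_HEADER = ('Authorization: Digest username="bernart48", realm="asterisk", algorithm=MD5, '
               'uri="sip:bernart48@64.182.161.2:9060", nonce="584760da", '
               'response="948d3923bf2df47eca17c572713af2c7", opaque=""')

def parse_digest_params(header: str) -> dict:
    """Split a 'Digest k=v, k="v"' header value into a dict, dropping the surrounding quotes."""
    _, _, params = header.partition("Digest ")
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|[^,\s]*)', params)}

def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()

def digest_response(username, realm, password, method, uri, nonce) -> str:
    """RFC 2617 response without qop: MD5(HA1 ':' nonce ':' HA2)."""
    ha1 = md5_hex(f"{username}:{realm}:{password}")   # the secret itself never goes on the wire
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{ha2}")

def build_authorization(username, realm, password, method, uri, nonce) -> str:
    """Client side: answer a challenge with the same header layout as in the thread."""
    resp = digest_response(username, realm, password, method, uri, nonce)
    return (f'Authorization: Digest username="{username}", realm="{realm}", algorithm=MD5, '
            f'uri="{uri}", nonce="{nonce}", response="{resp}", opaque=""')

class SipRegistrar:
    """Hypothetical server side: fresh nonce per challenge, each nonce accepted once."""
    def __init__(self, realm: str, passwords: dict):
        self.realm = realm
        self.passwords = passwords        # constructed: username -> plaintext password
        self.outstanding = set()          # nonces issued but not yet consumed

    def challenge(self) -> str:
        nonce = secrets.token_hex(4)      # 8 hex chars, the same shape as "584760da"
        self.outstanding.add(nonce)
        return f'WWW-Authenticate: Digest algorithm=MD5, realm="{self.realm}", nonce="{nonce}"'

    def verify(self, method: str, auth_header: str) -> bool:
        p = parse_digest_params(auth_header)
        nonce = p.get("nonce")
        if nonce not in self.outstanding or p.get("realm") != self.realm:
            return False                  # unknown, already used, or forged nonce: reject
        self.outstanding.discard(nonce)   # single use: a replayed response fails here
        password = self.passwords.get(p.get("username"))
        if password is None:
            return False
        expected = digest_response(p["username"], self.realm, password, method, p.get("uri", ""), nonce)
        return secrets.compare_digest(expected, p.get("response", ""))
```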