[asterisk-users] why is nonce="584760da" used in sip packets?

Rizwan Hisham rizwanhasham at gmail.com
Wed Aug 15 06:52:25 CDT 2007


Thanks for the reply. What I have understood from your reply and from googling
is that for every authorization there is a unique nonce (or new nonce), and
the previous nonce has expired. But I have seen in the SIP debug on my Asterisk CLI
that:

For the first REGISTER request, the server sends an Unauthorized response
with a new nonce, like below:

REGISTER sip:magnum.axvoice.com SIP/2.0
Via: SIP/2.0/UDP 208.120.167.146:80;branch=z9hG4bK722c974c
From: <sip:bernart48 at magnum.axvoice.com>;tag=as1acc7245
To: <sip:bernart48 at magnum.axvoice.com>
Call-ID: 48f3a8b426c375a161dc1f4479bba956 at 127.0.0.1
CSeq: 19710 REGISTER
User-Agent: Asterisk PBX
Authorization: Digest username="bernart48", realm="asterisk", algorithm=MD5,
uri="sip:magnum.axvoice.com", nonce="325611ed",
response="8105b402d3b955cb65bd9aa8e498cbc8", opaque=""
Expires: 120
Contact: <sip:16474764942 at 208.120.167.146:80>
Event: registration
Content-Length: 0

<--- Transmitting (NAT) to 208.120.167.146:80 --->
SIP/2.0 401 Unauthorized
Via: SIP/2.0/UDP 208.120.167.146:80;branch=z9hG4bK722c974c;received=
208.120.167.146
From: <sip:bernart48 at magnum.axvoice.com>;tag=as1acc7245
To: <sip:bernart48 at magnum.axvoice.com>;tag=as1d329593
Call-ID: 48f3a8b426c375a161dc1f4479bba956 at 127.0.0.1
CSeq: 19710 REGISTER
User-Agent: Asterisk PBX
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY
Supported: replaces
WWW-Authenticate: Digest algorithm=MD5, realm="asterisk", nonce="1312f4b5"
Content-Length: 0

Now in the second REGISTER request, the nonce which should be used is the
one found in the latest Unauthorized response received from the server, but in
this case the nonce used is from the previous Unauthorized response, as shown
below.

<--- SIP read from 208.120.167.146:80 --->
REGISTER sip:magnum.axvoice.com SIP/2.0
Via: SIP/2.0/UDP 208.120.167.146:80;branch=z9hG4bK722c974c
From: <sip:bernart48 at magnum.axvoice.com>;tag=as1acc7245
To: <sip:bernart48 at magnum.axvoice.com>
Call-ID: 48f3a8b426c375a161dc1f4479bba956 at 127.0.0.1
CSeq: 19710 REGISTER
User-Agent: Asterisk PBX
Authorization: Digest username="bernart48", realm="asterisk", algorithm=MD5,
uri="sip:magnum.axvoice.com", nonce="325611ed",
response="8105b402d3b955cb65bd9aa8e498cbc8", opaque=""
Expires: 120
Contact: <sip:16474764942 at 208.120.167.146:80>
Event: registration
Content-Length: 0

This causes the Asterisk server to send another Unauthorized response
with an additional parameter, stale, in the WWW-Authenticate header, as shown
below:

<--- Transmitting (NAT) to 208.120.167.146:80 --->
SIP/2.0 401 Unauthorized
Via: SIP/2.0/UDP 208.120.167.146:80;branch=z9hG4bK722c974c;received=
208.120.167.146
From: <sip:bernart48 at magnum.axvoice.com>;tag=as1acc7245
To: <sip:bernart48 at magnum.axvoice.com>;tag=as1d329593
Call-ID: 48f3a8b426c375a161dc1f4479bba956 at 127.0.0.1
CSeq: 19710 REGISTER
User-Agent: Asterisk PBX
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY
Supported: replaces
WWW-Authenticate: Digest algorithm=MD5, realm="asterisk", nonce="4f90fab4",
stale=true
Content-Length: 0

This stale=true field causes the Asterisk server to display the following
NOTICE on the CLI:

NOTICE[8380]: chan_sip.c:8151 check_auth: Correct auth, but based on stale
nonce received from '<sip:bernart48 at magnum.axvoice.com>'

And this will keep happening unless the next REGISTER request uses the
nonce received in the latest Unauthorized response from the server, and
until then the user agent will not be able to register with the server.
This will cause problems in our services.

I hope you understand the problem. Sorry for this very long reply. If you know
how to deal with this problem then please share your solution. I have been facing
this problem for 2 weeks now, and up till now I have only found out the reason
for this problem. Now it is time to search for the solution.

Hope to hear from you soon.


On 8/15/07, Stanisław Pitucha <stanis at zimbra-1.gradwell.net> wrote:
>
> ----- "Rizwan Hisham" <rizwanhasham at gmail.com> wrote:
> > WWW-Authenticate: Digest algorithm=MD5, realm="asterisk",
> nonce="584760da"
>
> > Authorization: Digest username="bernart48", realm="asterisk",
> algorithm=MD5, uri="sip:bernart48 at 64.182.161.2:9060", nonce="584760da",
> response="948d3923bf2df47eca17c572713af2c7", opaque=""
>
> > What i dont know, and would very much like to know, is what is the
> > purpose of this parameter in sip packets?
>
> It's a kind of challenge algorithm. What you see in "response" is not
> MD5(password), but MD5('password', 'realm', ..., 'nonce'). The nonce is
> generated by the server so that you don't get the same hash for every
> authorization by that user. It prevents someone who can see only one-way
> communication from breaking your SIP session, and makes breaking the hash a
> little bit harder.
> The nonce should be unique per authorization.
> If the nonce wasn't used you could reuse the same response in the next connection
> even if you don't know the real password.
>



-- 
Best Regards
Rizwan Hisham
Software Engineer
Axvoice Inc.
www.axvoice.com
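Added example, not code from the original thread or from Asterisk: a small Python model of the Digest exchange described above, covering both the reply's point (the response is MD5 over username, realm, password, method, URI and the server nonce, so it changes with every nonce and cannot be replayed) and the stale-nonce behaviour in the trace (correct credentials presented with an old nonce get a 401 with stale=true and a fresh nonce, and only a request carrying the latest nonce registers). The realm, username and request URI are taken from the trace; the password, the user table, the nonce generator and the single-nonce server state are constructed for the example and are not how chan_sip stores things.

```python
"""Model of SIP Digest (RFC 2617, algorithm=MD5, no qop) nonce handling.
Constructed example: password, user table and server state are made up."""
import hashlib
import hmac
import re
import secrets


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def digest_response(username, realm, password, method, uri, nonce):
    """HA1 = MD5(user:realm:password); HA2 = MD5(method:uri);
    response = MD5(HA1:nonce:HA2). The nonce binds the hash to one challenge."""
    ha1 = md5_hex(f"{username}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{ha2}")


def parse_digest(header: str) -> dict:
    """'Digest k=v, k="v", ...' -> {k: v} with surrounding quotes removed."""
    scheme, _, params = header.partition(" ")
    if scheme != "Digest":
        raise ValueError("not a Digest header")
    return {k: v.strip('"')
            for k, v in re.findall(r'(\w+)=("[^"]*"|[^,\s]*)', params)}


def build_authorization(username, realm, password, method, uri, nonce):
    """Client side: the Authorization header a UA sends for a given challenge."""
    resp = digest_response(username, realm, password, method, uri, nonce)
    return (f'Digest username="{username}", realm="{realm}", algorithm=MD5, '
            f'uri="{uri}", nonce="{nonce}", response="{resp}", opaque=""')


class DigestServer:
    """Registrar keeping a single current nonce (simplification, not Asterisk's
    per-peer state). users maps username -> password (constructed)."""

    def __init__(self, realm, users):
        self.realm = realm
        self.users = users
        self.nonce = None

    def challenge(self, stale=False):
        """Issue a WWW-Authenticate value with a fresh 8-hex-digit nonce."""
        self.nonce = secrets.token_hex(4)
        hdr = f'Digest algorithm=MD5, realm="{self.realm}", nonce="{self.nonce}"'
        return hdr + (", stale=true" if stale else "")

    def check_auth(self, method, authorization):
        """'ok' = accept; 'stale' = right password, old nonce (answer with
        stale=true); 'bad' = wrong user/realm/password."""
        p = parse_digest(authorization)
        pw = self.users.get(p.get("username"))
        if pw is None or p.get("realm") != self.realm:
            return "bad"
        expected = digest_response(p["username"], self.realm, pw, method,
                                   p.get("uri", ""), p.get("nonce", ""))
        if not hmac.compare_digest(expected, p.get("response", "")):
            return "bad"
        if p.get("nonce") != self.nonce:
            return "stale"
        return "ok"


def simulate_register(reuse_old_nonce_times=2):
    """Replay the thread's scenario: the UA keeps answering with a nonce from an
    earlier 401 and only registers once it uses the newest one. Returns the
    list of server verdicts, e.g. ['stale', 'stale', 'ok']."""
    server = DigestServer("asterisk", {"bernart48": "constructed-password"})
    user, realm, uri = "bernart48", "asterisk", "sip:magnum.axvoice.com"
    pw = server.users[user]
    old_nonce = parse_digest(server.challenge())["nonce"]   # earlier 401
    latest = server.challenge()    # server has since issued a newer nonce
    verdicts = []
    for _ in range(reuse_old_nonce_times):
        auth = build_authorization(user, realm, pw, "REGISTER", uri, old_nonce)
        verdict = server.check_auth("REGISTER", auth)
        verdicts.append(verdict)
        if verdict == "stale":
            latest = server.challenge(stale=True)   # 401 ... stale=true
    fresh_nonce = parse_digest(latest)["nonce"]
    auth = build_authorization(user, realm, pw, "REGISTER", uri, fresh_nonce)
    verdicts.append(server.check_auth("REGISTER", auth))
    return verdicts


if __name__ == "__main__":
    print(simulate_register())
```

The client fix the thread is after is visible in `simulate_register`: the UA must take the nonce from the most recent WWW-Authenticate it received (including one that carries stale=true) rather than from a cached earlier challenge; a server that answers a correct-but-stale response with stale=true is telling the client exactly that, and is not rejecting the password.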