<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=Windows-1252">
</head>
<body dir="auto">
<div>The authentication response is calculated as follows:</div>
<div><br>
</div>
<div><dd style="margin-left: 1.6em; margin-bottom: 0.1em; margin-right: 0px;"><span class="texhtml" style="-webkit-font-feature-settings: 'lnum' 1, 'tnum' 1; background-color: rgba(255, 255, 255, 0);">HA1=<a href="http://en.wikipedia.org/wiki/MD5" title="MD5" style="text-decoration: none; background-image: none;">MD5</a>(username:<a href="http://en.wikipedia.org/wiki/Hypertext_Transfer_Protocol#Authentication_Realms" title="Hypertext Transfer Protocol" style="text-decoration: none; background-image: none;">realm</a>:password)</span></dd><dd style="margin-left: 1.6em; margin-bottom: 0.1em; margin-right: 0px;"><span class="texhtml" style="-webkit-font-feature-settings: 'lnum' 1, 'tnum' 1; background-color: rgba(255, 255, 255, 0);">HA2=<a href="http://en.wikipedia.org/wiki/MD5" title="MD5" style="text-decoration: none; background-image: none;">MD5</a>(method:digestURI)</span></dd><dd style="margin-left: 1.6em; margin-bottom: 0.1em; margin-right: 0px;"><span class="texhtml" style="-webkit-font-feature-settings: 'lnum' 1, 'tnum' 1; background-color: rgba(255, 255, 255, 0);">response=<a href="http://en.wikipedia.org/wiki/MD5" title="MD5" style="text-decoration: none; background-image: none;">MD5</a>(HA1:nonce:HA2)</span></dd></div>
<div><br>
</div>
<div>Assume HA1 is known. HA2 is based on the initial request, let's assume method=INVITE and digestURI=sip:<a href="mailto:123456789@sipwise.com">123456789@sipwise.com</a>, so you can just invoke MD5 with those 2 values and you will have HA2.</div>
<div>For the response you will need the nonce provided by NGCP in SIP 407 Proxy Authentication Required.</div>
<div>All you need to do is invoke MD5 with HA1, the nonce received from NGCP and HA2.</div>
<div><br>
</div>
<div>So where do I need the plain password? Remember that HA1 is known by the attacker in this scenario.</div>
<div><br>
</div>
<div>As additional information, some software like Asterisk allows you to provide HA1 instead of the clear text password for inbound and outbound authentication, so you don't even have to write a specific exploit kit.</div>
<div><br>
</div>
<div>Regards,</div>
<div><br>
</div>
<div>Marc</div>
<div><br>
</div>
<div><br>
On 1 May 2015, at 08:28, Daniel Grotti <<a href="mailto:dgrotti@sipwise.com">dgrotti@sipwise.com</a>> wrote:<br>
<br>
</div>
<blockquote type="cite">
<div><span>Hi Marc,</span><br>
<span>Basically the ha1 is stored in the db and you can tell kamailio to use the ha1 password to compare against the authentication values provided in the sip header.</span><br>
<span>You still need though to insert the plain text password in your client if you want to authenticate and not the ha1 stored in the db. So since the ha1 is irreversible (based on md5) you cannot practically spoof the password like you can in plain text.
This is what Raul is trying to say.</span><br>
<span></span><br>
<span>Raul, the reason why we store plain text is basically because we won't be able to provision phones with ha1.
</span><br>
<span></span><br>
<span>Daniel</span><br>
<span>On May 1, 2015 7:55 AM, Raúl Alexis Betancor Santana <<a href="mailto:rabs@dimension-virtual.com">rabs@dimension-virtual.com</a>> wrote:</span><br>
<blockquote type="cite"><span></span><br>
</blockquote>
<blockquote type="cite"><span>HOW do you generate a correct authentication with the HASH values? ... it's mathematically impossible, it's a HASH result, could not be reversed.</span><br>
</blockquote>
<blockquote type="cite"><span></span><br>
</blockquote>
<blockquote type="cite"><span>If you have the HA_1 and HA1_2 values AND you know the realm and the user URI, the most dangerous thing you could do ... is try a brute-force attack, having the HASH values, you could do it locally, without sending AUTH attempts
against the SPCE, so not being banned, but that's all</span><br>
</blockquote>
<blockquote type="cite"><span></span><br>
</blockquote>
<blockquote type="cite"><span>The HASH values could not be reversed, on the other hand ... if someone has access to your DB, your minor problem is them getting the hash values.</span><br>
</blockquote>
<blockquote type="cite"><span></span><br>
</blockquote>
<blockquote type="cite"><span>________________________________</span><br>
</blockquote>
<blockquote type="cite">
<blockquote type="cite"><span></span><br>
</blockquote>
</blockquote>
<blockquote type="cite">
<blockquote type="cite"><span>From: "Marc Storck" <<a href="mailto:mstorck@voipgate.com">mstorck@voipgate.com</a>></span><br>
</blockquote>
</blockquote>
<blockquote type="cite">
<blockquote type="cite"><span>To: <a href="mailto:spce-user@lists.sipwise.com">
spce-user@lists.sipwise.com</a></span><br>
</blockquote>
</blockquote>
<blockquote type="cite">
<blockquote type="cite"><span>Sent: Thursday, 30 April 2015 22:30:32</span><br>
</blockquote>
</blockquote>
<blockquote type="cite">
<blockquote type="cite"><span>Subject: Re: [Spce-user] Hide customer password in Kamailio DB</span><br>
</blockquote>
</blockquote>
<blockquote type="cite">
<blockquote type="cite"><span></span><br>
</blockquote>
</blockquote>
<blockquote type="cite">
<blockquote type="cite"><span>Unfortunately that's not completely correct.</span><br>
</blockquote>
</blockquote>
<blockquote type="cite">
<blockquote type="cite"><span></span><br>
</blockquote>
</blockquote>
<blockquote type="cite">
<blockquote type="cite"><span>You can not only check but also generate a correct authentication with the unencrypted HASH values.</span><br>
</blockquote>
</blockquote>
<blockquote type="cite">
<blockquote type="cite"><span></span><br>
</blockquote>
</blockquote>
<blockquote type="cite">
<blockquote type="cite"><span>So storing HA1 and HA1_2 in the DB is no better than storing the password in DB. The only difference is that HA1 and HA1_2 don't reveal the underlying password.</span><br>
</blockquote>
</blockquote>
<blockquote type="cite">
<blockquote type="cite"><span></span><br>
</blockquote>
</blockquote>
<blockquote type="cite">
<blockquote type="cite"><span>If someone has access to your DB that someone can use the HA1 and HA1_2 values to authenticate correctly against your system and make fraudulent calls.</span><br>
</blockquote>
</blockquote>
<blockquote type="cite">
<blockquote type="cite"><span></span><br>
</blockquote>
</blockquote>
<blockquote type="cite">
<blockquote type="cite"><span>Which is why I also call the HASH values "unencrypted".</span><br>
</blockquote>
</blockquote>
<blockquote type="cite">
<blockquote type="cite"><span></span><br>
</blockquote>
</blockquote>
<blockquote type="cite">
<blockquote type="cite"><span>Regards,</span><br>
</blockquote>
</blockquote>
<blockquote type="cite">
<blockquote type="cite"><span></span><br>
</blockquote>
</blockquote>
<blockquote type="cite">
<blockquote type="cite"><span>Marc</span><br>
</blockquote>
</blockquote>
<blockquote type="cite">
<blockquote type="cite"><span>________________________________</span><br>
</blockquote>
</blockquote>
<blockquote type="cite">
<blockquote type="cite"><span>From: Spce-user [<a href="mailto:spce-user-bounces@lists.sipwise.com">spce-user-bounces@lists.sipwise.com</a>] on behalf of Raúl Alexis Betancor Santana [<a href="mailto:rabs@dimension-virtual.com">rabs@dimension-virtual.com</a>]</span><br>
</blockquote>
</blockquote>
<blockquote type="cite">
<blockquote type="cite"><span>Sent: Thursday, April 30, 2015 18:11</span><br>
</blockquote>
</blockquote>
<blockquote type="cite">
<blockquote type="cite"><span>To: <<a href="mailto:spce-user@lists.sipwise.com">spce-user@lists.sipwise.com</a>></span><br>
</blockquote>
</blockquote>
<blockquote type="cite">
<blockquote type="cite"><span>Subject: Re: [Spce-user] Hide customer password in Kamailio DB</span><br>
</blockquote>
</blockquote>
<blockquote type="cite">
<blockquote type="cite"><span></span><br>
</blockquote>
</blockquote>
<blockquote type="cite">
<blockquote type="cite"><span>Marc,</span><br>
</blockquote>
</blockquote>
<blockquote type="cite">
<blockquote type="cite"><span></span><br>
</blockquote>
</blockquote>
<blockquote type="cite">
<blockquote type="cite"><span>HA1 and HA1_2 are not 'unencrypted' text ... they are HASH values, generated from the user URI, the REALM and the PASSWORD ... you could not use the HA1 and HA1_2 values for anything other than 'check' if the sent (by the SIP UA)
credentials are Ok, you could not use them to 'know' the unencrypted password.</span><br>
</blockquote>
</blockquote>
<blockquote type="cite">
<blockquote type="cite"><span></span><br>
</blockquote>
</blockquote>
<blockquote type="cite">
<blockquote type="cite"><span>Best regards</span><br>
</blockquote>
</blockquote>
<blockquote type="cite">
<blockquote type="cite"><span></span><br>
</blockquote>
</blockquote>
<blockquote type="cite">
<blockquote type="cite"><span>________________________________</span><br>
</blockquote>
</blockquote>
<blockquote type="cite">
<blockquote type="cite">
<blockquote type="cite"><span></span><br>
</blockquote>
</blockquote>
</blockquote>
<blockquote type="cite">
<blockquote type="cite">
<blockquote type="cite"><span>From: "Marc Storck" <<a href="mailto:mstorck@voipgate.com">mstorck@voipgate.com</a>></span><br>
</blockquote>
</blockquote>
</blockquote>
<blockquote type="cite">
<blockquote type="cite">
<blockquote type="cite"><span>To: "<<a href="mailto:spce-user@lists.sipwise.com">spce-user@lists.sipwise.com</a>>" <<a href="mailto:spce-user@lists.sipwise.com">spce-user@lists.sipwise.com</a>></span><br>
</blockquote>
</blockquote>
</blockquote>
<blockquote type="cite">
<blockquote type="cite">
<blockquote type="cite"><span>Sent: Thursday, 30 April 2015 12:57:35</span><br>
</blockquote>
</blockquote>
</blockquote>
<blockquote type="cite">
<blockquote type="cite">
<blockquote type="cite"><span>Subject: Re: [Spce-user] Hide customer password in Kamailio DB</span><br>
</blockquote>
</blockquote>
</blockquote>
<blockquote type="cite">
<blockquote type="cite">
<blockquote type="cite"><span></span><br>
</blockquote>
</blockquote>
</blockquote>
<blockquote type="cite">
<blockquote type="cite">
<blockquote type="cite"><span>What is the difference from reading the plain text (unencrypted) password or reading the plain text (unencrypted) HA1 and HA1_2 values from DB?</span><br>
</blockquote>
</blockquote>
</blockquote>
<blockquote type="cite">
<blockquote type="cite">
<blockquote type="cite"><span></span><br>
</blockquote>
</blockquote>
</blockquote>
<blockquote type="cite">
<blockquote type="cite">
<blockquote type="cite"><span>AFAIK, an attacker, who was able to read either of them from your DB, can use those values to correctly authenticate to the SPCE in any case.</span><br>
</blockquote>
</blockquote>
</blockquote>
<blockquote type="cite">
<blockquote type="cite">
<blockquote type="cite"><span> </span><br>
</blockquote>
</blockquote>
</blockquote>
<blockquote type="cite">
<blockquote type="cite">
<blockquote type="cite">
<blockquote type="cite"><span></span><br>
</blockquote>
</blockquote>
</blockquote>
</blockquote>
<blockquote type="cite">
<blockquote type="cite">
<blockquote type="cite">
<blockquote type="cite"><span>On 30 Apr 2015, at 13:45, Mathys Frédéric <<a href="mailto:frederic.mathys@nagra.com">frederic.mathys@nagra.com</a>> wrote:</span><br>
</blockquote>
</blockquote>
</blockquote>
</blockquote>
<blockquote type="cite">
<blockquote type="cite">
<blockquote type="cite">
<blockquote type="cite"><span>Hello,</span><br>
</blockquote>
</blockquote>
</blockquote>
</blockquote>
<blockquote type="cite">
<blockquote type="cite">
<blockquote type="cite">
<blockquote type="cite"><span> </span><br>
</blockquote>
</blockquote>
</blockquote>
</blockquote>
<blockquote type="cite">
<blockquote type="cite">
<blockquote type="cite">
<blockquote type="cite"><span>When creating a new user, by default the password is saved in plaintext in the DB, column “password”. For obvious security reasons, I’d like to remove the password in this column and use only ha1 and ha1b values. To do that, I
modified the “auth_db” module configuration :</span><br>
</blockquote>
</blockquote>
</blockquote>
</blockquote>
<blockquote type="cite">
<blockquote type="cite">
<blockquote type="cite">
<blockquote type="cite"><span> </span><br>
</blockquote>
</blockquote>
</blockquote>
</blockquote>
<blockquote type="cite">
<blockquote type="cite">
<blockquote type="cite">
<blockquote type="cite"><span>/etc/kamailio/proxy/kamailio.cfg</span><br>
</blockquote>
</blockquote>
</blockquote>
</blockquote>
<blockquote type="cite">
<blockquote type="cite">
<blockquote type="cite">
<blockquote type="cite"><span>modparam("auth_db", "use_domain", 1)</span><br>
</blockquote>
</blockquote>
</blockquote>
</blockquote>
<blockquote type="cite">
<blockquote type="cite">
<blockquote type="cite">
<blockquote type="cite"><span>modparam("auth_db", "calculate_ha1", 0)</span><br>
</blockquote>
</blockquote>
</blockquote>
</blockquote>
<blockquote type="cite">
<blockquote type="cite">
<blockquote type="cite">
<blockquote type="cite"><span>modparam("auth_db", "password_column", "ha1")</span><br>
</blockquote>
</blockquote>
</blockquote>
</blockquote>
<blockquote type="cite">
<blockquote type="cite">
<blockquote type="cite">
<blockquote type="cite"><span>modparam("auth_db", "password_column_2", "ha1_2")</span><br>
</blockquote>
</blockquote>
</blockquote>
</blockquote>
<blockquote type="cite">
<blockquote type="cite">
<blockquote type="cite">
<blockquote type="cite"><span> </span><br>
</blockquote>
</blockquote>
</blockquote>
</blockquote>
<blockquote type="cite">
<blockquote type="cite">
<blockquote type="cite">
<blockquote type="cite"><span>Then, I removed the password for all users in the DB, and everyone seems able to connect with this configuration. My problem is now when I create a new user, the password is automatically saved in plaintext and I don’t want that.
So I tried to modify “kamctlrc” by adding the following line :</span><br>
</blockquote>
</blockquote>
</blockquote>
</blockquote>
<blockquote type="cite">
<blockquote type="cite">
<blockquote type="cite">
<blockquote type="cite"><span> </span><br>
</blockquote>
</blockquote>
</blockquote>
</blockquote>
<blockquote type="cite">
<blockquote type="cite">
<blockquote type="cite">
<blockquote type="cite"><span>/etc/kamailio/proxy/kamctlrc and /etc/kamailio/lb/kamctlrc</span><br>
</blockquote>
</blockquote>
</blockquote>
</blockquote>
<blockquote type="cite">
<blockquote type="cite">
<blockquote type="cite">
<blockquote type="cite"><span>STORE_PLAINTEXT_PW=0</span><br>
</blockquote>
</blockquote>
</blockquote>
</blockquote>
<blockquote type="cite">
<blockquote type="cite">
<blockquote type="cite">
<blockquote type="cite"><span> </span><br>
</blockquote>
</blockquote>
</blockquote>
</blockquote>
<blockquote type="cite">
<blockquote type="cite">
<blockquote type="cite">
<blockquote type="cite"><span>This has no effect, what should I do to disable that?</span><br>
</blockquote>
</blockquote>
</blockquote>
</blockquote>
<blockquote type="cite">
<blockquote type="cite">
<blockquote type="cite">
<blockquote type="cite"><span> </span><br>
</blockquote>
</blockquote>
</blockquote>
</blockquote>
<blockquote type="cite">
<blockquote type="cite">
<blockquote type="cite">
<blockquote type="cite"><span>Thank you</span><br>
</blockquote>
</blockquote>
</blockquote>
</blockquote>
<blockquote type="cite">
<blockquote type="cite">
<blockquote type="cite">
<blockquote type="cite"><span> </span><br>
</blockquote>
</blockquote>
</blockquote>
</blockquote>
<blockquote type="cite">
<blockquote type="cite">
<blockquote type="cite">
<blockquote type="cite"><span>Frederic Mathys</span><br>
</blockquote>
</blockquote>
</blockquote>
</blockquote>
<blockquote type="cite">
<blockquote type="cite">
<blockquote type="cite">
<blockquote type="cite"><span>System Integration & Validation Engineer</span><br>
</blockquote>
</blockquote>
</blockquote>
</blockquote>
<blockquote type="cite">
<blockquote type="cite">
<blockquote type="cite">
<blockquote type="cite"><span> </span><br>
</blockquote>
</blockquote>
</blockquote>
</blockquote>
<blockquote type="cite">
<blockquote type="cite">
<blockquote type="cite">
<blockquote type="cite"><span>_______________________________________________</span><br>
</blockquote>
</blockquote>
</blockquote>
</blockquote>
<blockquote type="cite">
<blockquote type="cite">
<blockquote type="cite">
<blockquote type="cite"><span>Spce-user mailing list</span><br>
</blockquote>
</blockquote>
</blockquote>
</blockquote>
<blockquote type="cite">
<blockquote type="cite">
<blockquote type="cite">
<blockquote type="cite"><span><a href="mailto:Spce-user@lists.sipwise.com">Spce-user@lists.sipwise.com</a></span><br>
</blockquote>
</blockquote>
</blockquote>
</blockquote>
<blockquote type="cite">
<blockquote type="cite">
<blockquote type="cite">
<blockquote type="cite"><span><a href="https://lists.sipwise.com/listinfo/spce-user">https://lists.sipwise.com/listinfo/spce-user</a></span><br>
</blockquote>
</blockquote>
</blockquote>
</blockquote>
</div>
</blockquote>
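<div>Added example, not part of the original e-mails and not NGCP or Kamailio code: the calculation from the top message in Python, using the three formulas exactly as given there. The username, realm, password and nonce are constructed sample values (assumptions); it checks that a verifier holding only the stored ha1 accepts a response built from that same ha1, so the ha1 column needs the same protection as a password column, while an ha1 computed for another realm is rejected.</div>
<pre>
```python
import hashlib
import hmac


def md5_hex(text):
    """Lower-case hex MD5 of a string, as used by HTTP/SIP digest."""
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def ha1_from_password(username, realm, password):
    # HA1 = MD5(username:realm:password)
    return md5_hex(f"{username}:{realm}:{password}")


def digest_response(ha1, nonce, method, digest_uri):
    # HA2 = MD5(method:digestURI); response = MD5(HA1:nonce:HA2)
    ha2 = md5_hex(f"{method}:{digest_uri}")
    return md5_hex(f"{ha1}:{nonce}:{ha2}")


def server_verify(stored_ha1, nonce, method, digest_uri, received):
    """Verifier that reads only the stored ha1, never the password."""
    expected = digest_response(stored_ha1, nonce, method, digest_uri)
    return hmac.compare_digest(expected, received)


# Constructed sample values; only METHOD and URI come from the message.
USERNAME = "123456789"
REALM = "sipwise.com"              # assumed realm
PASSWORD = "constructed-sample-password"
NONCE = "constructed-sample-nonce"  # stands in for the nonce in the 407
METHOD = "INVITE"
URI = "sip:123456789@sipwise.com"


def demo():
    # Value as it would sit in the ha1 column.
    stored_ha1 = ha1_from_password(USERNAME, REALM, PASSWORD)

    # A phone provisioned with the clear text password.
    from_password = digest_response(
        ha1_from_password(USERNAME, REALM, PASSWORD), NONCE, METHOD, URI)

    # A party that holds nothing but the ha1 column value.
    from_ha1_only = digest_response(stored_ha1, NONCE, METHOD, URI)

    # The same password hashed for another realm gives a different ha1.
    other_ha1 = ha1_from_password(USERNAME, "other.example", PASSWORD)
    from_other = digest_response(other_ha1, NONCE, METHOD, URI)

    return {
        "identical": from_password == from_ha1_only,
        "accepted_with_ha1_only": server_verify(
            stored_ha1, NONCE, METHOD, URI, from_ha1_only),
        "other_realm_accepted": server_verify(
            stored_ha1, NONCE, METHOD, URI, from_other),
    }


if __name__ == "__main__":
    print(demo())
```
</pre>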
</body>
</html>