[Spce-user] Hide customer password in Kamailio DB

Raúl Alexis Betancor Santana rabs at dimension-virtual.com
Fri May 1 01:55:30 EDT 2015


HOW do you generate a correct authentication with the HASH values? ... it's mathematically impossible, it's a HASH result, it cannot be reversed.

If you have the HA1 and HA1_2 values AND you know the realm and the user URI, the most dangerous thing you could do ... is try a brute-force attack. Having the HASH values, you could do it locally, without sending AUTH attempts against the SPCE, so not being banned, but that's all.

The HASH values cannot be reversed; on the other hand ... if someone has access to your DB, your minor problem is that they get the hash values.

> From: "Marc Storck" <mstorck at voipgate.com>
> To: spce-user at lists.sipwise.com
> Sent: Thursday, 30 April 2015 22:30:32
> Subject: Re: [Spce-user] Hide customer password in Kamailio DB

> Unfortunately that's not completely correct.

> You can not only check but also generate a correct authentication with the
> unencrypted HASH values.

> So storing HA1 and HA1_2 in the DB is no better than storing the password in
> the DB. The only difference is that HA1 and HA1_2 don't reveal the underlying
> password.

> If someone has access to your DB that someone can use the HA1 and HA1_2 values
> to authenticate correctly against your system and make fraudulent calls.

> Which is why I also call the HASH values "unencrypted".

> Regards,

> Marc

> From: Spce-user [spce-user-bounces at lists.sipwise.com] on behalf of Raúl Alexis
> Betancor Santana [rabs at dimension-virtual.com]
> Sent: Thursday, April 30, 2015 18:11
> To: <spce-user at lists.sipwise.com>
> Subject: Re: [Spce-user] Hide customer password in Kamailio DB

> Marc,

> HA1 and HA1_2 are not 'unencrypted' text ... they are HASH values, generated
> from the user URI, the REALM and the PASSWORD ... you could not use the HA1
> and HA1_2 values for anything other than 'checking' if the credentials sent (by
> the SIP UA) are OK; you could not use them to 'know' the unencrypted password.

> Best regards

>> From: "Marc Storck" <mstorck at voipgate.com>
>> To: "<spce-user at lists.sipwise.com>" <spce-user at lists.sipwise.com>
>> Sent: Thursday, 30 April 2015 12:57:35
>> Subject: Re: [Spce-user] Hide customer password in Kamailio DB

>> What is the difference from reading the plain text (unencrypted) password or
>> reading the plain text (unencrypted) HA1 and HA1_2 values from DB?

>> AFAIK, an attacker, who was able to read either of them from your DB, can use
>> those values to correctly authenticate to the SPCE in any case.

>>> On 30 Apr 2015, at 13:45, Mathys Frédéric <frederic.mathys at nagra.com> wrote:
>>> Hello,
>>> When creating a new user, by default the password is saved in plaintext in the
>>> DB, column “password”. For obvious security reasons, I’d like to remove the
>>> password in this column and use only ha1 and ha1b values. To do that, I
>>> modified the “auth_db” module configuration:
>>> /etc/kamailio/proxy/kamailio.cfg
>>> modparam("auth_db", "use_domain", 1)
>>> modparam("auth_db", "calculate_ha1", 0)
>>> modparam("auth_db", "password_column", "ha1")
>>> modparam("auth_db", "password_column_2", "ha1_2")
>>> Then, I removed the password for all users in the DB, and everyone seems able to
>>> connect with this configuration. My problem is now that when I create a new user,
>>> the password is automatically saved in plaintext and I don’t want that. So I
>>> tried to modify “kamctlrc” by adding the following line:
>>> /etc/kamailio/proxy/kamctlrc and /etc/kamailio/lb/kamctlrc
>>> STORE_PLAINTEXT_PW=0
>>> This has no effect, what should I do to disable that?
>>> Thank you
>>> Frederic Mathys
>>> System Integration & Validation Engineer
>>> _______________________________________________
>>> Spce-user mailing list
>>> Spce-user at lists.sipwise.com
>>> https://lists.sipwise.com/listinfo/spce-user



