[Spce-user] Hide customer password in Kamailio DB

Raúl Alexis Betancor Santana rabs at dimension-virtual.com
Fri May 1 05:33:43 EDT 2015


I know Daniel, I know ... I was just asking him to tell me HOW it would authenticate against Kamailio, knowing only the HA values ... that's not possible.

I think he misunderstood how Kamailio uses the HA and HA1 values.


----- Original message -----
> From: "Daniel Grotti" <dgrotti at sipwise.com>
> To: "Raúl Alexis Betancor Santana" <rabs at dimension-virtual.com>
> CC: spce-user at lists.sipwise.com
> Sent: Friday, 1 May 2015 7:27:22
> Subject: Re: [Spce-user] Hide customer password in Kamailio DB

> Hi Marc,
> Basically the ha1 is stored in the db and you can tell kamailio to use the ha1
> password to compare against to the authentication values provided in the sip
> header.
> You still need though to insert the plain text password in your client if
> you want to authenticate and not the ha1 stored in the db. So since the ha1 is
> irreversible (based on md5) you cannot practically spoof the password like you
> can in plain text. This is what Raul is trying to say.
> 
> Raul, the reason why we store plain text is basically because we won't be able to
> provision phones with ha1.
> 
> Daniel
> On May 1, 2015 7:55 AM, Raúl Alexis Betancor Santana
> <rabs at dimension-virtual.com> wrote:
>>
>> HOW do you generate a correct authentication with the HASH values? ... it's
>> mathematically impossible, it's a HASH result, it could not be reversed.
>>
>> If you have the HA_1 and HA1_2 values AND you know the realm and the user URI,
>> the most dangerous thing you could do ... is try a brute-force attack; having
>> the HASH values, you could do it locally, without sending AUTH attempts against
>> the SPCE, so not being banned, but that's all
>>
>> The HASH values could not be reversed; on the other hand ... if someone has
>> access to your DB, your minor problem is them getting the hash values.
>>
>> ________________________________
>>>
>>> From: "Marc Storck" <mstorck at voipgate.com>
>>> To: spce-user at lists.sipwise.com
>>> Sent: Thursday, 30 April 2015 22:30:32
>>> Subject: Re: [Spce-user] Hide customer password in Kamailio DB
>>>
>>> Unfortunately that's not completely correct.
>>>
>>> You can not only check but also generate a correct authentication with the
>>> unencrypted HASH values.
>>>
>>> So storing HA1 and HA1_2 in the DB is no better than storing the password in
>>> the DB. The only difference is that HA1 and HA1_2 don't reveal the underlying
>>> password.
>>>
>>> If someone has access to your DB that someone can use the HA1 and HA1_2 values
>>> to authenticate correctly against your system and make fraudulent calls.
>>>
>>> Which is why I also call the HASH values "unencrypted".
>>>
>>> Regards,
>>>
>>> Marc
>>> ________________________________
>>> From: Spce-user [spce-user-bounces at lists.sipwise.com] on behalf of Raúl Alexis
>>> Betancor Santana [rabs at dimension-virtual.com]
>>> Sent: Thursday, April 30, 2015 18:11
>>> To: <spce-user at lists.sipwise.com>
>>> Subject: Re: [Spce-user] Hide customer password in Kamailio DB
>>>
>>> Marc,
>>>
>>> HA1 and HA1_2 are not 'unencrypted' text ... they are HASH values, generated
>>> from the user URI, the REALM and the PASSWORD ... you could not use the HA1
>>> and HA1_2 values for anything other than 'checking' if the credentials sent
>>> (by the SIP UA) are OK; you could not use them to 'know' the unencrypted password.
>>>
>>> Best regards
>>>
>>> ________________________________
>>>>
>>>> From: "Marc Storck" <mstorck at voipgate.com>
>>>> To: "<spce-user at lists.sipwise.com>" <spce-user at lists.sipwise.com>
>>>> Sent: Thursday, 30 April 2015 12:57:35
>>>> Subject: Re: [Spce-user] Hide customer password in Kamailio DB
>>>>
>>>> What is the difference from reading the plain text (unencrypted) password or
>>>> reading the plain text (unencrypted) HA1 and HA1_2 values from DB?
>>>>
>>>> AFAIK, an attacker, who was able to read either of them from your DB, can use
>>>> those values to correctly authenticate to the SPCE in any case.
>>>>  
>>>>>
>>>>> On 30 Apr 2015, at 13:45, Mathys Frédéric <frederic.mathys at nagra.com> wrote:
>>>>> Hello,
>>>>>  
>>>>> When creating a new user, by default the password is saved in plaintext in the
>>>>> DB, column “password”. For obvious security reasons, I’d like to remove the
>>>>> password in this column and use only ha1 and ha1b values. To do that, I
>>>>> modified the “auth_db” module configuration:
>>>>>  
>>>>> /etc/kamailio/proxy/kamailio.cfg
>>>>> modparam("auth_db", "use_domain", 1)
>>>>> modparam("auth_db", "calculate_ha1", 0)
>>>>> modparam("auth_db", "password_column", "ha1")
>>>>> modparam("auth_db", "password_column_2", "ha1_2")
>>>>>  
>>>>> Then, I removed the password for all users in the DB, and everyone seems able to
>>>>> connect with this configuration. My problem is now when I create a new user,
>>>>> the password is automatically saved in plaintext and I don’t want that. So I
>>>>> tried to modify “kamctlrc” by adding the following line:
>>>>>  
>>>>> /etc/kamailio/proxy/kamctlrc and /etc/kamailio/lb/kamctlrc
>>>>> STORE_PLAINTEXT_PW=0
>>>>>  
>>>>> This has no effect. What should I do to disable that?
>>>>>  
>>>>> Thank you
>>>>>  
>>>>> Frederic Mathys
>>>>> System Integration & Validation Engineer
>>>>> Please consider the environment - do you really need to print this email?
>>>>>  
>>>>> _______________________________________________
>>>>> Spce-user mailing list
>>>>> Spce-user at lists.sipwise.com
>>>>> https://lists.sipwise.com/listinfo/spce-user
>>>>
>>>

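The disagreement in the thread about whether HA1 is "unencrypted" comes down to the RFC 2617 digest arithmetic, shown here as an added example (not code from the thread, from Kamailio or from the SPCE; the user, realm, nonce and password values are constructed, and the ha1b form is assumed to be Kamailio's user@domain variant). The proxy verifies a response using only the stored HA1, so a response computed from the DB column is byte-for-byte the one a UA computes from its password: the column does not reveal the password, but it must be protected like one.

```python
import hashlib
import hmac

# Constructed sample values for the demo; not taken from the thread.
USER, DOMAIN, REALM, PASSWORD = "alice", "sip.example.com", "sip.example.com", "s3cret"
NONCE, METHOD, URI = "3f1a9c0e", "REGISTER", "sip:sip.example.com"
QOP, NC, CNONCE = "auth", "00000001", "7b2d9e4a"


def md5hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()

def ha1_from_password(user: str, realm: str, password: str) -> str:
    # RFC 2617 HA1: what auth_db reads from password_column when calculate_ha1=0
    return md5hex(f"{user}:{realm}:{password}")

def ha1b_from_password(user: str, domain: str, realm: str, password: str) -> str:
    # Assumed Kamailio ha1b / password_column_2 form: same, with user@domain as username
    return md5hex(f"{user}@{domain}:{realm}:{password}")

def digest_response(ha1: str, method: str, uri: str, nonce: str,
                    qop: str = None, nc: str = None, cnonce: str = None) -> str:
    # The value a UA puts in the Authorization "response=" field.
    # Inputs are HA1 plus challenge data only; the password never appears here.
    ha2 = md5hex(f"{method}:{uri}")
    if qop:
        return md5hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")
    return md5hex(f"{ha1}:{nonce}:{ha2}")

def server_verify(stored_ha1: str, method: str, uri: str, nonce: str, response: str,
                  qop: str = None, nc: str = None, cnonce: str = None) -> bool:
    # What the proxy does with the DB column: recompute and compare in constant time
    expected = digest_response(stored_ha1, method, uri, nonce, qop, nc, cnonce)
    return hmac.compare_digest(expected, response)

def demo() -> dict:
    stored = ha1_from_password(USER, REALM, PASSWORD)   # DB row, password column cleared
    # Legitimate UA: derives HA1 from its configured password and answers the challenge
    ua_resp = digest_response(ha1_from_password(USER, REALM, PASSWORD), METHOD, URI, NONCE, QOP, NC, CNONCE)
    # The same challenge answered from the stored column alone, without the password
    row_resp = digest_response(stored, METHOD, URI, NONCE, QOP, NC, CNONCE)
    bad_resp = digest_response(ha1_from_password(USER, REALM, "wrong"), METHOD, URI, NONCE, QOP, NC, CNONCE)
    return {
        "ua_accepted": server_verify(stored, METHOD, URI, NONCE, ua_resp, QOP, NC, CNONCE),
        "row_equals_ua": row_resp == ua_resp,   # HA1 alone reproduces the UA's response
        "wrong_pw_rejected": not server_verify(stored, METHOD, URI, NONCE, bad_resp, QOP, NC, CNONCE),
        "ha1b": ha1b_from_password(USER, DOMAIN, REALM, PASSWORD),
    }
```

Because HA1 is bound to user and realm, a leaked column is password-equivalent only for that realm; it still needs the same access control and audit logging as a plaintext column.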

