[Spce-user] Hide customer password in Kamailio DB

Raúl Alexis Betancor Santana rabs at dimension-virtual.com
Sat May 2 04:41:26 EDT 2015


So ... again ... if an attacker gains access to your DB ... your minor problem is that they know the HA1 values. 
Moreover, this is a problem for the kamailio list, I think ... not here. 

If you want to have the passwords encrypted in the DB, you will need to modify the kamailio auth_db module for that ... and now you have another problem ... how to encrypt the text strings ... and how to safely store the key for decrypting them. 

> From: "Marc Storck" <mstorck at voipgate.com>
> To: spce-user at lists.sipwise.com
> Sent: Friday, 1 May 2015 22:25:55
> Subject: Re: [Spce-user] Hide customer password in Kamailio DB

> The authentication response is calculated as follows:

> HA1 = MD5(username:realm:password)
> HA2 = MD5(method:digestURI)
> response = MD5(HA1:nonce:HA2)

> Assume HA1 is known. HA2 is based on the initial request, let's assume
> method=INVITE and digestURI=sip:123456789@sipwise.com, so you can just invoke
> MD5 with those 2 values and you will have HA2.
> For the response you will need the nonce provided by NGCP in SIP 407 Proxy
> Authentication Required.
> All you need to do is invoke MD5 with HA1, the nonce received from NGCP and HA2.

> So where do I need the plain password? Remember that HA1 is known by the
> attacker in this scenario.

> As an additional information, some software like Asterisk allows you to provide
> HA1 instead of clear text password for inbound and outbound authentication, so
> you don't even have to write a specific exploit kit.

> Regards,

> Marc

> On 1 May 2015, at 08:28, Daniel Grotti < dgrotti at sipwise.com > wrote:

>> Hi Marc,
>> Basically the ha1 is stored in the db and you can tell kamailio to use the ha1
>> password to compare against the authentication values provided in the sip
>> header.
>> You still need, though, to insert the plain text password in your client if
>> you want to authenticate, and not the ha1 stored in the db. So since the ha1 is
>> irreversible (based on md5) you cannot practically spoof the password like you
>> can in plain text. This is what Raul is trying to say.

>> Raul, the reason why we store plain text is basically because we won't be able to
>> provision phones with ha1.

>> Daniel
>> On May 1, 2015 7:55 AM, Raúl Alexis Betancor Santana <
>> rabs at dimension-virtual.com > wrote:

>>> HOW do you generate a correct authentication with the HASH values? ... it's
>>> mathematically impossible, it's a HASH result, it cannot be reversed.

>>> If you have the HA1 and HA1_2 values AND you know the realm and the user URI,
>>> the most dangerous thing you could do ... is try a brute-force attack; having
>>> the HASH values, you could do it locally, without sending AUTH attempts against
>>> the SPCE, so not being banned, but that's all

>>> The HASH values cannot be reversed; on the other hand ... if someone has
>>> access to your DB, your minor problem is that they get the hash values.

>>> ________________________________

>>>> From: "Marc Storck" < mstorck at voipgate.com >
>>>> To: spce-user at lists.sipwise.com
>>>> Sent: Thursday, 30 April 2015 22:30:32
>>>> Subject: Re: [Spce-user] Hide customer password in Kamailio DB

>>>> Unfortunately that's not completely correct.

>>>> You can not only check but also generate a correct authentication with the
>>>> unencrypted HASH values.

>>>> So storing HA1 and HA1_2 in the DB is no better than storing the password in
>>>> the DB. The only difference is that HA1 and HA1_2 don't reveal the underlying
>>>> password.

>>>> If someone has access to your DB, that someone can use the HA1 and HA1_2 values
>>>> to authenticate correctly against your system and make fraudulent calls.

>>>> Which is why I also call the HASH values "unencrypted".

>>>> Regards,

>>>> Marc

>>>> ________________________________

>>>> From: Spce-user [ spce-user-bounces at lists.sipwise.com ] on behalf of Raúl Alexis
>>>> Betancor Santana [ rabs at dimension-virtual.com ]

>>>> Sent: Thursday, April 30, 2015 18:11

>>>> To: < spce-user at lists.sipwise.com >

>>>> Subject: Re: [Spce-user] Hide customer password in Kamailio DB

>>>> Marc,

>>>> HA1 and HA1_2 are not 'unencrypted' text ... they are HASH values, generated
>>>> from the user URI, the REALM and the PASSWORD ... you could not use the HA1
>>>> and HA1_2 values for anything other than 'checking' if the credentials sent (by
>>>> the SIP UA) are OK; you could not use them to 'know' the unencrypted password.

>>>> Best regards

>>>> ________________________________

>>>>> From: "Marc Storck" < mstorck at voipgate.com >
>>>>> To: "< spce-user at lists.sipwise.com >" < spce-user at lists.sipwise.com >
>>>>> Sent: Thursday, 30 April 2015 12:57:35
>>>>> Subject: Re: [Spce-user] Hide customer password in Kamailio DB

>>>>> What is the difference from reading the plain text (unencrypted) password or
>>>>> reading the plain text (unencrypted) HA1 and HA1_2 values from DB?

>>>>> AFAIK, an attacker, who was able to read either of them from your DB, can use
>>>>> those values to correctly authenticate to the SPCE in any case.

>>>>>> On 30 Apr 2015, at 13:45, Mathys Frédéric < frederic.mathys at nagra.com > wrote:

>>>>>> Hello,

>>>>>> When creating a new user, by default the password is saved in plaintext in the
>>>>>> DB, column "password". For obvious security reasons, I'd like to remove the
>>>>>> password in this column and use only the ha1 and ha1b values. To do that, I
>>>>>> modified the "auth_db" module configuration:

>>>>>> /etc/kamailio/proxy/kamailio.cfg

>>>>>> modparam("auth_db", "use_domain", 1)

>>>>>> modparam("auth_db", "calculate_ha1", 0)

>>>>>> modparam("auth_db", "password_column", "ha1")

>>>>>> modparam("auth_db", "password_column_2", "ha1_2")

>>>>>> Then, I removed the password for all users in the DB, and everyone seems able to
>>>>>> connect with this configuration. My problem now is that when I create a new user,
>>>>>> the password is automatically saved in plaintext and I don't want that. So I
>>>>>> tried to modify "kamctlrc" by adding the following line:

>>>>>> /etc/kamailio/proxy/kamctlrc and /etc/kamailio/lb/kamctlrc

>>>>>> STORE_PLAINTEXT_PW=0

>>>>>> This has no effect; what should I do to disable that?

>>>>>> Thank you

>>>>>> Frederic Mathys

>>>>>> System Integration & Validation Engineer


>>>>>> _______________________________________________

>>>>>> Spce-user mailing list

>>>>>> Spce-user at lists.sipwise.com

>>>>>> https://lists.sipwise.com/listinfo/spce-user




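The digest calculation Marc walks through above (HA1, HA2, response), worked in Python as an added example that is not part of the thread: the server-side verifier needs only the stored HA1 to both check a response and reproduce it, which is why a subscriber table holding ha1/ha1_2 must be guarded as strictly as one holding passwords. Usernames, password, nonce and the ha1b layout (user@domain as the digest username, which is my understanding of Kamailio's convention) are constructed assumptions.

```python
import hashlib
import hmac


def md5_hex(data: str) -> str:
    """Hex MD5 of a UTF-8 string, the RFC 2617 digest primitive."""
    return hashlib.md5(data.encode("utf-8")).hexdigest()


def compute_ha1(username: str, realm: str, password: str) -> str:
    """HA1 = MD5(username:realm:password); this is the DB 'ha1' column."""
    return md5_hex(f"{username}:{realm}:{password}")


def compute_ha1b(username: str, domain: str, realm: str, password: str) -> str:
    """ha1b / ha1_2: same recipe with user@domain as the digest username (assumed layout)."""
    return md5_hex(f"{username}@{domain}:{realm}:{password}")


def compute_ha2(method: str, digest_uri: str) -> str:
    """HA2 = MD5(method:digestURI), derived from the request, not from any secret."""
    return md5_hex(f"{method}:{digest_uri}")


def compute_response(ha1: str, nonce: str, ha2: str) -> str:
    """response = MD5(HA1:nonce:HA2), the no-qop form used in the thread."""
    return md5_hex(f"{ha1}:{nonce}:{ha2}")


def client_response(username, realm, password, method, digest_uri, nonce):
    """What a SIP UA sends: it starts from the plain password and derives HA1 itself."""
    return compute_response(compute_ha1(username, realm, password), nonce,
                            compute_ha2(method, digest_uri))


def verify_with_stored_ha1(stored_ha1, method, digest_uri, nonce, response):
    """Server check (calculate_ha1=0 style): only the DB value is needed, never the password."""
    expected = compute_response(stored_ha1, nonce, compute_ha2(method, digest_uri))
    return hmac.compare_digest(expected, response)


# Constructed sample values, not taken from the thread.
USER, REALM, PASSWORD = "123456789", "sipwise.com", "constructed-pass"
METHOD, URI, NONCE = "INVITE", "sip:123456789@sipwise.com", "constructed-nonce-0001"


def demo():
    stored = compute_ha1(USER, REALM, PASSWORD)            # what sits in the DB
    resp = client_response(USER, REALM, PASSWORD, METHOD, URI, NONCE)
    ok = verify_with_stored_ha1(stored, METHOD, URI, NONCE, resp)
    # The same bytes fall out of the stored HA1 alone: HA1 is password-equivalent
    # for authentication, so DB access control, not hashing, is the real control.
    from_ha1_only = compute_response(stored, NONCE, compute_ha2(METHOD, URI))
    return stored, resp, ok, from_ha1_only == resp
```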