jain-sip Wrong Nonce Count handling in Digest authentication

Wrong Nonce Count handling in Digest authentication

Open kashiro opened this issue 6 years ago • 0 comments

RFC 2617 stated that the nonce data string should be uniquely generated (§3.2.1) But to detect/prevent replay attack the server side could reuse the same nonce (§4.3,§4.4,§4.5)

the nonce count is hard coded so when receiving the same nonce again the nonce count is still 1 and the server detect a replay attack thus refusing the registration.

1st registration works ok REGISTER --> <-- 401 unauthorized nonce ="12345678" REGISTER --> nonce="12345678", nonce count="00000001" <-- 200 OK

2nd registration REGISTER --> <-- 401 unauthorized nonce ="12345678" REGISTER --> nonce="12345678", nonce count="00000001" <-- 403 FORBIDDEN Warning: Digest replay attack detected

May 18 '18 08:05 kashiro

jain-sip jain-sip copied to clipboard

Wrong Nonce Count handling in Digest authentication

jain-sip
jain-sip copied to clipboard