< Previous by Date Date Index Next by Date >
< Previous in Thread Thread Index Next in Thread >

Re: [reSIProcate] Helper::advancedAuthenticateRequest() and old nonces


Hi

I believe that code below will allow any server to recognize nonces
between restarts.

BasicNonceHelper* myNonceHelper = new BasicNonceHelper();
myNonceHelper->setPrivateKey( Data( "yourServerPrivateKey" ) );
Helper::setNonceHelper( myNonceHelper );


With best regards
Alexander Altshuler
http://xeepe.com

-----Original Message-----
From: resiprocate-devel-bounces@xxxxxxxxxxxxxxx
[mailto:resiprocate-devel-bounces@xxxxxxxxxxxxxxx] On Behalf Of Byron
Campen
Sent: Tuesday, March 11, 2008 7:57 PM
To: resiprocate-devel
Subject: [reSIProcate] Helper::advancedAuthenticateRequest() and old
nonces

        The code in Helper::advancedAuthenticateRequest() will return
Failed  
if it sees a nonce it doesn't recognize as its own. Unfortunately,  
this is based on random bits generated at startup, meaning that if a  
resip-based server is restarted, it will cease to recognize the  
nonces it has issued, and will start 403ing every time one of them  
comes in. This is less-than-desirable behavior. Would it be sane to  
just treat this as an expired nonce, and issue a new challenge? This  
wouldn't give a malicious endpoint anything it couldn't have gotten  
already. Getting a 401 vs a 403 tells the endpoint nothing new about  
the nonce it just used (in fact, it gives _less_ information), and it  
could have just sent a request with no credentials if it wanted to  
see what nonce we would generate.

        Any thoughts?

Best regards,
Byron Campen