SIP password auth mechanism

SIP password auth mechanism

Abdul Basit
Hi,

I have a scenario where I will create a password HASH = SALT + STRING and save only the SALT and the resulting HASH in the DB.

I will transport the random STRING value to my custom SIP application as the password.

Digest authentication does not comply with this requirement.

Is there any supported authentication mechanism that can fulfill this requirement?
Or is there any more appropriate authentication mechanism by OpenSIPS/Kamailio?

One of the objectives is that, in case the DB is compromised, users' passwords will not be available, because the random STRING will not be stored in the DB.

Looking forward to suggestions and comments.

--
regards,

abdul basit

_______________________________________________
Users mailing list
[hidden email]
http://lists.opensips.org/cgi-bin/mailman/listinfo/users
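
Added example, not part of the original post or of OpenSIPS: why a DB that holds only SALT and HASH cannot check a Digest response, while a DB that holds HA1 can. It uses the RFC 2617 response without qop; the user, realm, URI, secret and the choice of SHA-256 for the poster's HASH are constructed assumptions.

```python
import hashlib
import hmac
import os

def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()

def ha1_from_password(user: str, realm: str, password: str) -> str:
    # Digest's stored credential: MD5(user:realm:password)
    return md5_hex(f"{user}:{realm}:{password}")

def digest_response(ha1: str, method: str, uri: str, nonce: str) -> str:
    # RFC 2617 without qop: MD5(HA1:nonce:MD5(method:uri))
    return md5_hex(f"{ha1}:{nonce}:{md5_hex(f'{method}:{uri}')}")

def salted_hash(salt: bytes, string: str) -> str:
    # The poster's scheme, HASH over SALT + STRING (SHA-256 is an assumption)
    return hashlib.sha256(salt + string.encode()).hexdigest()

def verify_digest(stored: str, method: str, uri: str, nonce: str, resp: str) -> bool:
    # The server recomputes the response from whatever it has stored
    return hmac.compare_digest(digest_response(stored, method, uri, nonce), resp)

def verify_salted(salt: bytes, stored_hash: str, presented: str) -> bool:
    # Only possible when the client presents STRING itself
    return hmac.compare_digest(salted_hash(salt, presented), stored_hash)

def demo():
    # Constructed sample values
    user, realm, secret = "alice", "sip.example.test", "random-STRING-value"
    method, uri, nonce = "REGISTER", "sip:sip.example.test", os.urandom(8).hex()

    # UAC: knows the secret, sends only the digest response
    resp = digest_response(ha1_from_password(user, realm, secret), method, uri, nonce)

    # Server A stores HA1: the challenge can be verified
    ok_ha1 = verify_digest(ha1_from_password(user, realm, secret), method, uri, nonce, resp)

    # Server B stores only SALT and HASH: HA1 cannot be derived from them,
    # so the expected response cannot be recomputed
    salt = os.urandom(16)
    stored = salted_hash(salt, secret)
    ok_salted_as_ha1 = verify_digest(stored, method, uri, nonce, resp)

    # Server B can verify only if STRING itself crosses the wire,
    # which Digest never sends and which needs a protected transport
    ok_string_sent = verify_salted(salt, stored, secret)
    return ok_ha1, ok_salted_as_ha1, ok_string_sent

if __name__ == "__main__":
    print(demo())
```
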

Re: SIP password auth mechanism

Bogdan-Andrei Iancu-2
Hi Abdul,

Besides the digest auth, there is no other standard auth mechanism for SIP, AFAIK.

If you have control over the SIP UAC, of course, you could try to build your own auth mechanism - OpenSIPS offers enough flexibility in terms of both header manipulation and data computing.

Regards,
Bogdan-Andrei Iancu
  OpenSIPS Founder and Developer
  http://www.opensips-solutions.com

OpenSIPS Summit May 2017 Amsterdam
  http://www.opensips.org/events/Summit-2017Amsterdam.html
On 03/07/2017 10:26 AM, Abdul Basit wrote:
Hi,

I have a scenario where I will create a password HASH = SALT + STRING and save only the SALT and the resulting HASH in the DB.

I will transport the random STRING value to my custom SIP application as the password.

Digest authentication does not comply with this requirement.

Is there any supported authentication mechanism that can fulfill this requirement?
Or is there any more appropriate authentication mechanism by OpenSIPS/Kamailio?

One of the objectives is that, in case the DB is compromised, users' passwords will not be available, because the random STRING will not be stored in the DB.

Looking forward to suggestions and comments.

--
regards,

abdul basit



Re: SIP password auth mechanism

Abdul Basit
Hi Bogdan,

I am using PJSIP as UAC and OpenSIPS as UAS, with RADIUS for AAA.
I wanted to avoid getting into the code, but let me check the flexibility.

Thank you for your reply :)

--
regards,

abdul basit

On Wed, Mar 8, 2017 at 1:34 AM, Bogdan-Andrei Iancu <[hidden email]> wrote:
Hi Abdul,

Besides the digest auth, there is no other standard auth mechanism for SIP, AFAIK.

If you have control over the SIP UAC, of course, you could try to build your own auth mechanism - OpenSIPS offers enough flexibility in terms of both header manipulation and data computing.

Regards,
Bogdan-Andrei Iancu
  OpenSIPS Founder and Developer
  http://www.opensips-solutions.com

OpenSIPS Summit May 2017 Amsterdam
  http://www.opensips.org/events/Summit-2017Amsterdam.html

Re: SIP password auth mechanism

Abdul Basit
Hi Geeks,

While exploring further, I found a draft explaining elliptic curve secure remote protocol (EC-SRP) for SIP authentication:
https://tools.ietf.org/html/draft-liu-sipcore-ec-srp5-03

This explanation seems to align with my requirement of not storing the password in the database.
UAC and UAS both should support EC-SRP.

Do we have any road-map for OpenSIPS implementing EC-SRP or a similar authentication mechanism?
I will check the same with PJSIP, because I couldn't find any traces on their forum as well.

--
regards,

abdul basit


On Wed, Mar 8, 2017 at 9:53 PM, Abdul Basit <[hidden email]> wrote:
Hi Bogdan,

I am using PJSIP as UAC and OpenSIPS as UAS, with RADIUS for AAA.
I wanted to avoid getting into the code, but let me check the flexibility.

Thank you for your reply :)

--
regards,

abdul basit


Re: SIP password auth mechanism

Bogdan-Andrei Iancu-2
Hi Abdul,

I see that's a draft, so it's hard to judge how far it will get. And something like this is not on our roadmap, maybe because of its very, very low priority in terms of needs. Do you have any idea if anyone actually implemented this?

Regards,
Bogdan-Andrei Iancu
  OpenSIPS Founder and Developer
  http://www.opensips-solutions.com

OpenSIPS Summit May 2017 Amsterdam
  http://www.opensips.org/events/Summit-2017Amsterdam.html
On 03/09/2017 12:37 PM, Abdul Basit wrote:
Hi Geeks,

While exploring further, I found a draft explaining elliptic curve secure remote protocol (EC-SRP) for SIP authentication:
https://tools.ietf.org/html/draft-liu-sipcore-ec-srp5-03

This explanation seems to align with my requirement of not storing the password in the database.
UAC and UAS both should support EC-SRP.

Do we have any road-map for OpenSIPS implementing EC-SRP or a similar authentication mechanism?
I will check the same with PJSIP, because I couldn't find any traces on their forum as well.

--
regards,

abdul basit

