pcunite
join:2010-04-10

Member

SIP username/password credentials and encryption

While I don't expect the voice packets themselves to be encrypted, are the SIP username/password secret encrypted?

Trev
AcroVoice & DryVoIP Official Rep
Premium Member
join:2009-06-29
Victoria, BC

With your usual SIP provider, your username will be transmitted in the clear but your password is never sent along the wire. Instead, it's used to generate a response to a challenge sent by the server.
MartinM
VoIP.ms
Premium Member
join:2008-07-21

to pcunite
Your device will not send the password in its clear text form; it will be clear text but hashed, as mentioned in the previous reply.

For example, with VoIP, when you register:

1. Linksys Registration request to VoIP.ms
2. VoIP.ms -> Send us that back with MD5 password please
3. Linksys sends back registration including password in MD5 checksum (for example, "hello" in md5 is 5d41402abc4b2a76b9719d911017c592)
4. VoIP.ms server will compare md5 local password to your md5 hash

Actual SIP Dialog Example of a registration:

 
Example with Zoiper Softphone:
192.168.0.1 = Your IP Address
SERVER_IP_ADDRESS = IP Address of server
 
Client to server: Softphone sends the registration attempt
 
REGISTER sip:SERVER_IP_ADDRESS;transport=UDP SIP/2.0
Via: SIP/2.0/UDP 192.168.0.1:59733;branch=z9hG4bK-d8754z-e4223b781332f14e-1---d8754z-
Max-Forwards: 70
Contact: <sip:MY_USERNAME@192.168.0.1:59733;rinstance=d80a6e5927037b98;transport=UDP>
To: "Martin M"<sip:MY_USERNAME@SERVER_IP_ADDRESS;transport=UDP>
From: "Martin M"<sip:MY_USERNAME@SERVER_IP_ADDRESS;transport=UDP>;tag=3017ec58
Call-ID: YWZlMDQ5NGY1ZDRkODUzYjIwM2VjN2IxYzRkNTUwZjg.
CSeq: 1 REGISTER
Expires: 3600
Allow: INVITE, ACK, CANCEL, BYE, NOTIFY, REFER, MESSAGE, OPTIONS, INFO, SUBSCRIBE
User-Agent: Zoiper rev.6751
Allow-Events: presence
Content-Length: 0
 
Server to Client: Server replies it's trying
 
SIP/2.0 100 Trying
Via: SIP/2.0/UDP 192.168.0.1:59733;branch=z9hG4bK-d8754z-e4223b781332f14e-1---d8754z-;received=192.168.0.1
From: "Martin M"<sip:MY_USERNAME@SERVER_IP_ADDRESS;transport=UDP>;tag=3017ec58
To: "Martin M"<sip:MY_USERNAME@SERVER_IP_ADDRESS;transport=UDP>
Call-ID: YWZlMDQ5NGY1ZDRkODUzYjIwM2VjN2IxYzRkNTUwZjg.
CSeq: 1 REGISTER
User-Agent: VoIPMS/SERAST
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY
Supported: replaces
Contact: <sip:MY_USERNAME@SERVER_IP_ADDRESS>
Content-Length: 0
 
Server to Client: Server replies, Unauthorized, it wants its password challenge
 
SIP/2.0 401 Unauthorized
Via: SIP/2.0/UDP 192.168.0.1:59733;branch=z9hG4bK-d8754z-e4223b781332f14e-1---d8754z-;received=192.168.0.1
From: "Martin M"<sip:MY_USERNAME@SERVER_IP_ADDRESS;transport=UDP>;tag=3017ec58
To: "Martin M"<sip:MY_USERNAME@SERVER_IP_ADDRESS;transport=UDP>;tag=as68355ca6
Call-ID: YWZlMDQ5NGY1ZDRkODUzYjIwM2VjN2IxYzRkNTUwZjg.
CSeq: 1 REGISTER
User-Agent: VoIPMS/SERAST
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY
Supported: replaces
WWW-Authenticate: Digest algorithm=MD5, realm="sip.ca2.voip.ms", nonce="5e954418"
Content-Length: 0
 
Client to server: Softphone resends registration, this time with password in md5 located in the "response=" field
 
REGISTER sip:SERVER_IP_ADDRESS;transport=UDP SIP/2.0
Via: SIP/2.0/UDP 192.168.0.1:59733;branch=z9hG4bK-d8754z-30e2cd9136938a0f-1---d8754z-
Max-Forwards: 70
Contact: <sip:MY_USERNAME@192.168.0.1:59733;rinstance=d80a6e5927037b98;transport=UDP>
To: "Martin M"<sip:MY_USERNAME@SERVER_IP_ADDRESS;transport=UDP>
From: "Martin M"<sip:MY_USERNAME@SERVER_IP_ADDRESS;transport=UDP>;tag=3017ec58
Call-ID: YWZlMDQ5NGY1ZDRkODUzYjIwM2VjN2IxYzRkNTUwZjg.
CSeq: 2 REGISTER
Expires: 3600
Allow: INVITE, ACK, CANCEL, BYE, NOTIFY, REFER, MESSAGE, OPTIONS, INFO, SUBSCRIBE
User-Agent: Zoiper rev.6751
Authorization: Digest username="MY_USERNAME",realm="sip.ca2.voip.ms",nonce="5e954418",uri="sip:SERVER_IP_ADDRESS;transport=UDP",response="d7fb6af2a3b75e1f91b8f65ef8ea8156",algorithm=MD5
Allow-Events: presence
Content-Length: 0
 
Server to client: We're trying
 
SIP/2.0 100 Trying
Via: SIP/2.0/UDP 192.168.0.1:59733;branch=z9hG4bK-d8754z-30e2cd9136938a0f-1---d8754z-;received=192.168.0.1
From: "Martin M"<sip:MY_USERNAME@SERVER_IP_ADDRESS;transport=UDP>;tag=3017ec58
To: "Martin M"<sip:MY_USERNAME@SERVER_IP_ADDRESS;transport=UDP>
Call-ID: YWZlMDQ5NGY1ZDRkODUzYjIwM2VjN2IxYzRkNTUwZjg.
CSeq: 2 REGISTER
User-Agent: VoIPMS/SERAST
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY
Supported: replaces
Contact: <sip:MY_USERNAME@SERVER_IP_ADDRESS>
Content-Length: 0
 
Server to client: Server is happy with that, sending the softphone the OK
 
SIP/2.0 200 OK
Via: SIP/2.0/UDP 192.168.0.1:59733;branch=z9hG4bK-d8754z-30e2cd9136938a0f-1---d8754z-;received=192.168.0.1
From: "Martin M"<sip:MY_USERNAME@SERVER_IP_ADDRESS;transport=UDP>;tag=3017ec58
To: "Martin M"<sip:MY_USERNAME@SERVER_IP_ADDRESS;transport=UDP>;tag=as68355ca6
Call-ID: YWZlMDQ5NGY1ZDRkODUzYjIwM2VjN2IxYzRkNTUwZjg.
CSeq: 2 REGISTER
User-Agent: VoIPMS/SERAST
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY
Supported: replaces
Expires: 3600
Contact: <sip:MY_USERNAME@192.168.0.1:59733;rinstance=d80a6e5927037b98;transport=UDP>;expires=3600
Date: Wed, 14 Apr 2010 22:04:34 GMT
Content-Length: 0
 
pcunite
join:2010-04-10

Member

MartinM,
Thanks!
paul248
join:2001-09-04

Member

Your password is hashed along with a random "nonce" value that the server sends. If it weren't for that nonce value, then the hash would always be the same, and anyone could log in just by replaying your message.

That said, if someone captures your packets, they can use the nonce and hash to perform an offline dictionary attack, so the system is only secure if you use a strong password.

»en.wikipedia.org/wiki/Di ··· tication
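
The exchange discussed in this thread, as an added example that is not part of any post above: a registrar-side check of the `Authorization: Digest` header using the RFC 2617 calculation without qop (MD5 over username, realm and password, then combined with the server's nonce and the method and URI), showing why a replayed copy of the same message is rejected. The password is constructed, the function names are illustrative, and single-use nonces are this example's policy rather than a description of any particular server.

```python
import hashlib
import hmac
import re

def md5_hex(text):
    return hashlib.md5(text.encode()).hexdigest()

def digest_response(username, realm, password, method, uri, nonce):
    # RFC 2617 digest without qop, matching the 401 challenge in the thread
    # (algorithm=MD5 with only realm and nonce).
    ha1 = md5_hex(f"{username}:{realm}:{password}")   # secret part
    ha2 = md5_hex(f"{method}:{uri}")                  # request part
    return md5_hex(f"{ha1}:{nonce}:{ha2}")

def parse_digest(header_value):
    # 'Digest k="v",k2=v2' -> {"k": "v", "k2": "v2"}
    params = header_value.split(None, 1)[1]
    pairs = re.findall(r'(\w+)=(?:"([^"]*)"|([^,\s]+))', params)
    return {key: quoted or bare for key, quoted, bare in pairs}

def verify_register(header_value, method, issued_nonces, lookup_password):
    # Registrar-side check. Single-use nonces are this example's policy.
    p = parse_digest(header_value)
    if any(k not in p for k in ("username", "realm", "nonce", "uri", "response")):
        return False
    if p["nonce"] not in issued_nonces:
        return False                  # unknown or already-used nonce: replay
    issued_nonces.discard(p["nonce"])
    password = lookup_password(p["username"], p["realm"])
    if password is None:
        return False
    expected = digest_response(p["username"], p["realm"], password,
                               method, p["uri"], p["nonce"])
    return hmac.compare_digest(expected.encode(), p["response"].encode())

# Constructed sample data: the password is made up, the rest mirrors the dialog.
USER, REALM = "MY_USERNAME", "sip.ca2.voip.ms"
URI = "sip:SERVER_IP_ADDRESS;transport=UDP"
PASSWORD = "constructed-example-password"

def client_header(nonce, password=PASSWORD):
    resp = digest_response(USER, REALM, password, "REGISTER", URI, nonce)
    return (f'Digest username="{USER}",realm="{REALM}",nonce="{nonce}",'
            f'uri="{URI}",response="{resp}",algorithm=MD5')

if __name__ == "__main__":
    nonces = {"5e954418"}
    lookup = lambda u, r: PASSWORD if (u, r) == (USER, REALM) else None
    hdr = client_header("5e954418")
    print("first attempt:", verify_register(hdr, "REGISTER", nonces, lookup))
    print("replayed copy:", verify_register(hdr, "REGISTER", nonces, lookup))
```
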