[OpenSIPS-Users] SIP password auth mechanism

Abdul Basit basit.engg at gmail.com
Mon Jul 31 11:37:48 EDT 2017


Hi Bogdan,

Sorry for the very late reply. I couldn't find any implementation of *EC-SRP* yet.

However, ejabberd implemented the Salted Challenge Response Authentication
Mechanism (*SCRAM*):
<https://en.wikipedia.org/wiki/Salted_Challenge_Response_Authentication_Mechanism>

This is an interesting model and can be adopted for SIP-based services as
well.

--
regards,

abdul basit | p: +92 32 1416 4196 | o: +92 30 0841 1445

On Fri, Mar 10, 2017 at 8:29 PM, Bogdan-Andrei Iancu <bogdan at opensips.org>
wrote:

> Hi Abdul,
>
> I see that's a draft, so hard to judge on how far it will get. And
> something like this is not on our roadmap, maybe because of its very, very
> low priority in terms of needs. Do you have any idea if anyone actually
> implemented this?
>
> Regards,
>
> Bogdan-Andrei Iancu
>   OpenSIPS Founder and Developer
>   http://www.opensips-solutions.com
>
> OpenSIPS Summit May 2017 Amsterdam
>   http://www.opensips.org/events/Summit-2017Amsterdam.html
>
> On 03/09/2017 12:37 PM, Abdul Basit wrote:
>
> Hi Geeks,
>
> While exploring further I found a draft explaining elliptic curve secure
> remote protocol (*EC-SRP*) for SIP authentication
> https://tools.ietf.org/html/draft-liu-sipcore-ec-srp5-03
>
> This explanation seems to align with my requirement of not storing the
> password in the database.
> UAC and UAS both should support EC-SRP.
>
> Do we have any roadmap for OpenSIPS implementing EC-SRP or a similar
> authentication mechanism?
> I will check the same with PJSIP because I couldn't find any traces on
> their forum as well.
>
> --
> regards,
>
> abdul basit
>
>
> On Wed, Mar 8, 2017 at 9:53 PM, Abdul Basit <basit.engg at gmail.com> wrote:
>
>> Hi Bogdan,
>>
>> I am using PJSIP as UAC and Opensips as UAS with radius for AAA.
>> I wanted to avoid getting into the code but let me check the flexibility.
>>
>> Thank you for your reply :)
>>
>> --
>> regards,
>>
>> abdul basit
>>
>> On Wed, Mar 8, 2017 at 1:34 AM, Bogdan-Andrei Iancu <bogdan at opensips.org> wrote:
>>
>>> Hi Abdul,
>>>
>>> Besides the digest auth, there is no other standard auth mechanism for
>>> SIP, AFAIK.
>>>
>>> If you have control over the SIP UAC, of course, you could try to build
>>> your own auth mechanism - OpenSIPS offers enough flexibility in terms of
>>> both header manipulation and data computing.
>>>
>>> Regards,
>>>
>>> Bogdan-Andrei Iancu
>>>   OpenSIPS Founder and Developer
>>>   http://www.opensips-solutions.com
>>>
>>> OpenSIPS Summit May 2017 Amsterdam
>>>   http://www.opensips.org/events/Summit-2017Amsterdam.html
>>>
>>> On 03/07/2017 10:26 AM, Abdul Basit wrote:
>>>
>>> Hi,
>>> I have a scenario where I will create a password HASH = SALT + STRING and
>>> save only the SALT and the resulting HASH in the DB. I will transport the
>>> random STRING value to my custom SIP application as the password.
>>> Digest authentication does not comply with this requirement. Is there any
>>> supported authentication mechanism that can fulfill this requirement,
>>> or is there any more appropriate authentication mechanism in
>>> opensips/kamailio?
>>> One of the objectives is that in case the DB is compromised, users'
>>> passwords will not be available, because the random STRING will not be
>>> stored in the DB.
>>> Looking forward to suggestions and comments.
>>> --
>>> regards,
>>> abdul basit
>>>
>>>