<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<meta name="Generator" content="Microsoft Word 14 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:Helvetica;
panose-1:2 11 6 4 2 2 2 2 2 4;}
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
@font-face
{font-family:Consolas;
panose-1:2 11 6 9 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri","sans-serif";
color:black;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
p
{mso-style-priority:99;
mso-margin-top-alt:auto;
margin-right:0cm;
mso-margin-bottom-alt:auto;
margin-left:0cm;
font-size:12.0pt;
font-family:"Times New Roman","serif";
color:black;}
pre
{mso-style-priority:99;
mso-style-link:"HTML Preformatted Char";
margin:0cm;
margin-bottom:.0001pt;
font-size:10.0pt;
font-family:"Courier New";
color:black;}
p.MsoAcetate, li.MsoAcetate, div.MsoAcetate
{mso-style-priority:99;
mso-style-link:"Balloon Text Char";
margin:0cm;
margin-bottom:.0001pt;
font-size:8.0pt;
font-family:"Tahoma","sans-serif";
color:black;}
span.HTMLPreformattedChar
{mso-style-name:"HTML Preformatted Char";
mso-style-priority:99;
mso-style-link:"HTML Preformatted";
font-family:Consolas;
color:black;}
span.EmailStyle20
{mso-style-type:personal;
font-family:"Calibri","sans-serif";
color:windowtext;}
span.EmailStyle21
{mso-style-type:personal;
font-family:"Calibri","sans-serif";
color:#1F497D;}
span.EmailStyle22
{mso-style-type:personal-reply;
font-family:"Calibri","sans-serif";
color:#1F497D;}
span.BalloonTextChar
{mso-style-name:"Balloon Text Char";
mso-style-priority:99;
mso-style-link:"Balloon Text";
font-family:"Tahoma","sans-serif";
color:black;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:612.0pt 792.0pt;
margin:70.85pt 70.85pt 70.85pt 70.85pt;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body bgcolor="white" lang="EN-NZ" link="blue" vlink="purple">
<div class="WordSection1">
<p class="MsoNormal"><span style="color:#1F497D">Another approach is to modify a Radius auth module in freeRadius or maybe it can be done via freeRadius configuration.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">We have used Kamailio Radius integration successfully and the HA1 is stored in the Radius database. You would simply compute that as an SHA1 instead. HA2 is of course calculated dynamically by the Radius server
– it might be that this can be configured to use SHA instead – might be worth a look.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">Cheers<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">Shane<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<div style="border:none;border-left:solid blue 1.5pt;padding:0cm 0cm 0cm 4.0pt">
<div>
<div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal"><b><span lang="EN-US" style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:windowtext">From:</span></b><span lang="EN-US" style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:windowtext"> sr-users [mailto:sr-users-bounces@lists.sip-router.org]
<b>On Behalf Of </b>Mathys Frédéric<br>
<b>Sent:</b> Friday, 8 May 2015 1:38 a.m.<br>
<b>To:</b> miconda@gmail.com; Kamailio (SER) - Users Mailing List<br>
<b>Subject:</b> Re: [SR-Users] Kamailio authentication method<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><span lang="EN-US" style="color:#1F497D">Still on the subject, we are exploring the possibilities and one of them would be to use the diameter module. As stated in the documentation :<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:9.0pt;font-family:"Helvetica","sans-serif";background:white">“NOTE: diameter support was developed for DISC (DIameter Server Client project at
<a href="http://developer.berlios.de/projects/disc/">http://developer.berlios.de/projects/disc/</a>). This project seems to be no longer maintained and DIAMETER specifications were updated in the meantime. Thus, the module is obsolete and needs rework to be
usable with opendiameter or other DIAMETER servers.”<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="color:#1F497D">Is it planned to update this module on your side on not?<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="color:#1F497D">One other solution would be to write our own module to connect to another server (which contains the users/passwords and calculate the HA1 and HA2 values), tcp layer would still be done by auth module.
To do that, is there a spec on how to communicate with auth module? And any documentation on custom module development and deployment? The principle would be more or less the same as diameter, but maybe our server would not use radius nor diameter protocols.<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="color:#1F497D">By doing it, we try to reach two goals : use SHA instead of MD5 and increase the security of the user management by hosting it in a different way as Kamailio does.<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="color:#1F497D">Thank you,<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="color:#1F497D">Frederic<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="color:#1F497D"><o:p> </o:p></span></p>
<div>
<div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal"><b><span lang="EN-US" style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:windowtext">From:</span></b><span lang="EN-US" style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:windowtext"> sr-users [<a href="mailto:sr-users-bounces@lists.sip-router.org">mailto:sr-users-bounces@lists.sip-router.org</a>]
<b>On Behalf Of </b>Daniel-Constantin Mierla<br>
<b>Sent:</b> Wednesday 6 May 2015 16:44<br>
<b>To:</b> Kamailio (SER) - Users Mailing List<br>
<b>Subject:</b> Re: [SR-Users] Kamailio authentication method<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">Hello,<br>
<br>
to understand properly, do you need to have:<o:p></o:p></span></p>
<p style="mso-margin-top-alt:0cm;margin-right:0cm;margin-bottom:1.0pt;margin-left:0cm">
<span lang="EN-US" style="font-family:"Calibri","sans-serif"">HA1=SHA(username:realm:password)<br>
HA2=SHA(method:digestURI)</span><span lang="EN-US"><br>
</span><span lang="EN-US" style="font-family:"Calibri","sans-serif"">response=SHA(HA1:nonce:HA2)</span><span lang="EN-US"><o:p></o:p></span></p>
<p style="mso-margin-top-alt:0cm;margin-right:0cm;margin-bottom:1.0pt;margin-left:0cm">
<span lang="EN-US">Perhaps it can be done with config file scripting, if you are familiar with transformations and header manipulation. But I think it will be simpler to extend auth module to support different hashing algorithm.<o:p></o:p></span></p>
<p style="mso-margin-top-alt:0cm;margin-right:0cm;margin-bottom:1.0pt;margin-left:0cm">
<span lang="EN-US">The code for computing shaX is already in kamailio (used for shaX transformations), so the change in auth should be about advertising and detecting when the new algorithm has to be used.<o:p></o:p></span></p>
<p style="mso-margin-top-alt:0cm;margin-right:0cm;margin-bottom:1.0pt;margin-left:0cm">
<span lang="EN-US">Cheers,<br>
Daniel<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
<div>
<p class="MsoNormal"><span lang="EN-US">On 06/05/15 16:28, Mathys Frédéric wrote:<o:p></o:p></span></p>
</div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<p class="MsoNormal"><span lang="EN-US">Hello,<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"> <o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">In my scenario with a Kamailio server, I have a VOIP client connecting to the server which, for some reasons, cannot calculate MD5 hashes but only SHA. In this situation, would it be possible to change the authentication
algorithm by either modifying Kamailio scripts or writing an external module to do that?<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"> <o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">As far as I know, the authentication response is calculated as follow (standard HTTP Digest authentication) :<o:p></o:p></span></p>
<p style="mso-margin-top-alt:0cm;margin-right:0cm;margin-bottom:1.0pt;margin-left:0cm">
<span lang="EN-US" style="font-family:"Calibri","sans-serif"">HA1=MD5(username:realm:password)</span><span lang="EN-US"><o:p></o:p></span></p>
<p style="mso-margin-top-alt:0cm;margin-right:0cm;margin-bottom:1.0pt;margin-left:0cm">
<span lang="EN-US" style="font-family:"Calibri","sans-serif"">HA2=MD5(method:digestURI)</span><span lang="EN-US"><o:p></o:p></span></p>
<p style="mso-margin-top-alt:0cm;margin-right:0cm;margin-bottom:1.0pt;margin-left:0cm">
<span lang="EN-US" style="font-family:"Calibri","sans-serif"">response=MD5(HA1:nonce:HA2)</span><span lang="EN-US"><o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"> <o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">For that, I have to save ha1 and ha1b values in the DB with the SHA function directly (with a trigger for example), and then change the authentication method too.<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">What is the best solution to do that? Does a module already exists?<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"> <o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">Thank you!<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"> <o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span lang="EN-US" style="font-size:10.0pt">Frederic Mathys</span><span lang="EN-US"><o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span lang="EN-US" style="font-size:10.0pt">System Integration & Validation</span><span lang="EN-US"><o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"> <o:p></o:p></span></p>
<p class="MsoNormal" style="margin-bottom:12.0pt"><span lang="EN-US" style="font-size:12.0pt;font-family:"Times New Roman","serif""><br>
<br>
<o:p></o:p></span></p>
<pre><span lang="EN-US">_______________________________________________<o:p></o:p></span></pre>
<pre><span lang="EN-US">SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list<o:p></o:p></span></pre>
<pre><span lang="EN-US"><a href="mailto:sr-users@lists.sip-router.org">sr-users@lists.sip-router.org</a><o:p></o:p></span></pre>
<pre><span lang="EN-US"><a href="http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users">http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users</a><o:p></o:p></span></pre>
</blockquote>
<p class="MsoNormal" style="margin-bottom:12.0pt"><span lang="EN-US" style="font-size:12.0pt;font-family:"Times New Roman","serif""><o:p> </o:p></span></p>
<pre><span lang="EN-US">-- <o:p></o:p></span></pre>
<pre><span lang="EN-US">Daniel-Constantin Mierla<o:p></o:p></span></pre>
<pre><span lang="EN-US"><a href="http://twitter.com/#!/miconda">http://twitter.com/#!/miconda</a> - <a href="http://www.linkedin.com/in/miconda">http://www.linkedin.com/in/miconda</a><o:p></o:p></span></pre>
<pre><span lang="EN-US">Kamailio World Conference, May 27-29, 2015<o:p></o:p></span></pre>
<pre><span lang="EN-US">Berlin, Germany - <a href="http://www.kamailioworld.com">http://www.kamailioworld.com</a><o:p></o:p></span></pre>
</div>
</div>
</body>
</html>