using bcrypt passwd hashing


using bcrypt passwd hashing

Walter Martín Villalba
Hello,

I did some searches online and talked to some colleagues and it seems Kamailio only supports the traditional HTTP digest authentication, which uses MD5. I would like to know if any of you has been successful in using bcrypt/scrypt/pbkdf2 passwd hashing, instead of MD5, which has been deemed as obsolete and insecure a long time ago. Perhaps you've written your own auth module, or just modified the config script to call some other credential checking routine using a custom python/perl script (I'm thinking of doing the latter, if nothing better is available).

If any of you have done something like this, using bcrypt or any other current and secure hashing algorithm, I would appreciate some guidance. If you haven't, aren't you concerned about storing MD5 password hashes in your database?

Note: if I can't find a good answer using this list, I will try the developer's list next.

Thanks in advance,

Martín.



_______________________________________________
Kamailio (SER) - Users Mailing List
[hidden email]
https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users

Re: using bcrypt passwd hashing

Daniel-Constantin Mierla-6

Hello,

The latest Kamailio versions also support the SHA-256 algorithm:

  - https://www.kamailio.org/docs/modules/stable/modules/auth.html#idp36720604

However, the main blocker in using a different hashing algorithm is the SIP client devices (mainly hardphones), which implement only MD5. If you implement your own client app, then you can extend Kamailio to support whatever hashing you do in the client.

Then, of course, you can use client-side TLS certificates for authentication, which should be better than any hashing algorithm.

Cheers,
Daniel


On 11.11.17 01:11, Walter Martín Villalba wrote:

-- 
Daniel-Constantin Mierla
www.twitter.com/miconda -- www.linkedin.com/in/miconda
Kamailio Advanced Training, Nov 13-15, 2017, in Berlin - www.asipto.com
Kamailio World Conference - www.kamailioworld.com

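Why the stored hash cannot simply be swapped for bcrypt follows from the digest computation itself, and the added Python example below (written for this page, not Kamailio code and not from any poster in the thread) walks through it. The server never sees the password, only the client's response, so it must hold HA1 = H(username:realm:password) (Kamailio's subscriber table keeps this in its ha1 column) and recompute the response from that; a bcrypt hash of the password gives it nothing it can compare against. Both the MD5 and the SHA-256 form follow RFC 7616 with qop=auth. The same code also shows why moving from MD5 to SHA-256 helps less than one might hope: an attacker who captures one exchange still needs only two fast, unsalted hashes per password guess. The username, realm, nonce, cnonce and password are constructed sample values, not captured traffic.

```python
"""Digest authentication as used by SIP (RFC 3261 / RFC 7616): the server
verifies the client's response from a stored HA1, never from a bcrypt hash.
Added example with constructed sample values; not Kamailio's own code."""
import hashlib
import re
import secrets
from typing import Dict, Iterable, Optional

# Hash functions allowed by RFC 7616. Hardphones almost universally send MD5.
ALGORITHMS = {"MD5": hashlib.md5, "SHA-256": hashlib.sha256}


def _h(algorithm: str, data: str) -> str:
    return ALGORITHMS[algorithm](data.encode("utf-8")).hexdigest()


def ha1(username: str, realm: str, password: str, algorithm: str = "MD5") -> str:
    """The only credential the server needs to keep (subscriber.ha1 in Kamailio for MD5).
    It is password-equivalent for this realm: whoever has it can answer any challenge."""
    return _h(algorithm, f"{username}:{realm}:{password}")


def digest_response(h1: str, method: str, uri: str, nonce: str, nc: str,
                    cnonce: str, qop: str = "auth", algorithm: str = "MD5") -> str:
    """RFC 7616 response for qop=auth, computed from HA1 only (no password needed)."""
    ha2 = _h(algorithm, f"{method}:{uri}")
    return _h(algorithm, f"{h1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def build_authorization(username: str, realm: str, password: str, method: str,
                        uri: str, nonce: str, algorithm: str = "MD5") -> str:
    """Client side: what a phone does with the user's password on a 401 challenge.
    cnonce and nc are fixed here so the example is reproducible; a real client randomises cnonce."""
    cnonce, nc = "0a4f113b", "00000001"
    h1 = ha1(username, realm, password, algorithm)
    resp = digest_response(h1, method, uri, nonce, nc, cnonce, "auth", algorithm)
    return (f'Digest username="{username}", realm="{realm}", nonce="{nonce}", '
            f'uri="{uri}", response="{resp}", cnonce="{cnonce}", nc={nc}, '
            f'qop=auth, algorithm={algorithm}')


def parse_authorization(header: str) -> Dict[str, str]:
    """Parse the key=value pairs of a 'Digest ...' credentials header (quoted or bare values)."""
    body = header.strip()
    if not body.startswith("Digest "):
        raise ValueError("not a Digest credentials header")
    pairs = re.findall(r'(\w+)=("([^"]*)"|([^,\s]+))', body[len("Digest "):])
    return {key: (quoted if quoted else bare) for key, _, quoted, bare in pairs}


def verify_from_stored_ha1(stored_ha1: str, method: str, header: str,
                           expected_nonce: str) -> bool:
    """Server side: accept iff the response matches what the stored HA1 predicts."""
    creds = parse_authorization(header)
    if creds.get("nonce") != expected_nonce:
        return False  # stale or forged nonce: reject before doing any hashing
    algorithm = creds.get("algorithm", "MD5")
    expected = digest_response(stored_ha1, method, creds["uri"], creds["nonce"],
                               creds["nc"], creds["cnonce"], creds.get("qop", "auth"),
                               algorithm)
    return secrets.compare_digest(expected, creds["response"])  # constant-time compare


def offline_guess(candidates: Iterable[str], username: str, realm: str,
                  method: str, header: str) -> Optional[str]:
    """Attacker side: one captured exchange costs two unsalted hashes per guess,
    for SHA-256 just as for MD5. This is the cost a slow KDF would raise, and the
    reason the digest protocol cannot accommodate one on the server."""
    creds = parse_authorization(header)
    algorithm = creds.get("algorithm", "MD5")
    for password in candidates:
        h1 = ha1(username, realm, password, algorithm)
        attempt = digest_response(h1, method, creds["uri"], creds["nonce"], creds["nc"],
                                  creds["cnonce"], creds.get("qop", "auth"), algorithm)
        if attempt == creds["response"]:
            return password
    return None


def demo(algorithm: str = "MD5"):
    """Constructed REGISTER exchange: returns (server accepted?, password recovered offline)."""
    user, realm, password = "alice", "example.com", "s3cret"
    method, uri, nonce = "REGISTER", "sip:example.com", "dcd98b7102dd2f0e8b11d0f600bfb0c093"
    stored = ha1(user, realm, password, algorithm)  # all the server ever holds
    header = build_authorization(user, realm, password, method, uri, nonce, algorithm)
    accepted = verify_from_stored_ha1(stored, method, header, nonce)
    recovered = offline_guess(["password", "123456", "s3cret"], user, realm, method, header)
    return accepted, recovered


if __name__ == "__main__":
    for alg in ALGORITHMS:
        print(alg, demo(alg))
```

Run as a script it shows both algorithms verifying and both being guessed from a short wordlist. The nonce check runs before any hashing so a replayed header is rejected cheaply, and secrets.compare_digest keeps the response comparison constant-time. If the server ever stores plaintext passwords instead of HA1, nothing in the protocol changes, so HA1 is the strictly better choice even though it remains a password-equivalent secret.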

Re: using bcrypt passwd hashing

Alex Balashov
In reply to this post by Walter Martín Villalba
Do you know of any mainstream SIP UACs which support anything other than standard MD5 digest auth?

On November 10, 2017 7:11:26 PM EST, "Walter Martín Villalba" <[hidden email]> wrote:

-- Alex

--
Sent via mobile, please forgive typos and brevity.


Re: using bcrypt passwd hashing

Yuriy Gorlichenko
You can implement any auth method yourself and include it via the config file, via KEMI in Lua, or by adding a module.

For example, I added SSO auth without any trouble instead of basic MD5 for some projects.

2017-11-11 18:49 GMT+03:00 Alex Balashov <[hidden email]>:

Re: using bcrypt passwd hashing

Daniel-Constantin Mierla-6



On 12.11.17 10:33, Yuriy Gorlichenko wrote:
Out of curiosity, what do you refer to by SSO?

Cheers,
Daniel


-- 
Daniel-Constantin Mierla
www.twitter.com/miconda -- www.linkedin.com/in/miconda
Kamailio Advanced Training, Nov 13-15, 2017, in Berlin - www.asipto.com
Kamailio World Conference - www.kamailioworld.com


Re: using bcrypt passwd hashing

Yuriy Gorlichenko
Hi Daniel

Some Single Sign-On system.

For example, a system that has multiple services, but all of them work via one auth service, with a token for example.
So in this case I changed the standard SIP auth scheme to a token-based auth scheme.

Of course it is not for mainstream client software.


2017-11-13 11:22 GMT+03:00 Daniel-Constantin Mierla <[hidden email]>: