[VOIPSEC] VoIP and Fraud

Christopher A. Martin chris at sip1.com
Fri Feb 18 21:59:38 CST 2005


-----Original Message-----
From: Voipsec-bounces at voipsa.org [mailto:Voipsec-bounces at voipsa.org] On
Behalf Of Geoffrey
Sent: Friday, February 18, 2005 6:23 AM
To: Voipsec at voipsa.org
Subject: Re: [VOIPSEC] VoIP and Fraud

Christopher A. Martin wrote:
> You could only easily capture usable data if the carrier is not implementing
> SIP Digest authentication which uses MD5 hash combined with a fresh random
> number provided during authentication (although not all methods are
> authenticated depending on the carrier).

>> So, how does one determine this?  That is, outside of taking the 
>> vendor's word for it.

I would begin by defining my requirements and make the vendor respond to my
requirements. Then I test to those very requirements. 

Example for the scenario above... the requirement was to verify that fresh
nonces are implemented. 

The test is to attempt a replay of a previous session (packet for packet);
remember these are UDP packets.

In my test I generated packets from my workstation by spoofing the original
IP address of the SIP phone (it was actually a hard client). I then took the
packets that were part of the original call setup of a call previously made
and transmitted the first packet and manually sent each one as quickly as I
felt would provide time for a response from the proxy...

The test failed by the proof that the called party began to ring. 

Had the called phone not rung, or the packet capture which was also running
not captured any valid responses to the replay packets, the test would have
passed due to non-responsiveness. The proxy would have provided clues also
to the fact that the nonce was illegal and reissued a challenge with a fresh
nonce also, since the replay nonce should no longer exist for the
registration session timeframe... something to look for.

Chris
-- 
Until later, Geoffrey
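
The pass/fail condition described in the message above, seen from the proxy side, as an added example that is not part of the original post or any vendor's code. The Proxy class, the user "alice", the password, the example.test names and the single-use nonce policy are assumptions made for illustration; the digest formula is the RFC 2617 form without qop.

```python
import hashlib, secrets, time

def md5_hex(s):
    return hashlib.md5(s.encode()).hexdigest()

def digest_response(user, realm, password, method, uri, nonce):
    # RFC 2617 digest without qop: MD5(HA1 ":" nonce ":" HA2)
    ha1 = md5_hex(f"{user}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{ha2}")

class Proxy:
    """Hypothetical proxy auth check; fresh_nonces=False models the failing case."""
    def __init__(self, realm, users, fresh_nonces=True, ttl=30.0):
        self.realm, self.users = realm, users
        self.fresh_nonces, self.ttl = fresh_nonces, ttl
        self.live = {}  # nonce -> expiry time, entry removed on first use

    def challenge(self, now=None):
        if not self.fresh_nonces:
            return "0000"  # constructed value: the same nonce on every challenge
        nonce = secrets.token_hex(16)
        self.live[nonce] = (time.time() if now is None else now) + self.ttl
        return nonce

    def verify(self, req, now=None):
        """Return 'OK', 'STALE' (re-challenge with a fresh nonce) or 'DENY'."""
        now = time.time() if now is None else now
        if self.fresh_nonces:
            expiry = self.live.pop(req["nonce"], None)  # one use only
            if expiry is None or expiry < now:
                return "STALE"
        password = self.users.get(req["username"])
        if password is None:
            return "DENY"
        expected = digest_response(req["username"], self.realm, password,
                                   req["method"], req["uri"], req["nonce"])
        return "OK" if secrets.compare_digest(expected, req["response"]) else "DENY"

def replay_test(proxy, user="alice", password="s3cret", uri="sip:bob@example.test"):
    """Authenticate one INVITE, then present the identical request again."""
    nonce = proxy.challenge()
    req = {"username": user, "method": "INVITE", "uri": uri, "nonce": nonce,
           "response": digest_response(user, proxy.realm, password, "INVITE", uri, nonce)}
    return proxy.verify(req), proxy.verify(dict(req))
```

A proxy that tracks nonces answers the second, identical request with STALE and a new challenge; one that does not accepts it, which corresponds to the called party ringing in the test above.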
