How to avoid plaintext passwords ?

creating-secure-passwordsOffering protection and privacy to your SIP subscriber is something you must not overlook. The user passwords for SIP authentication are shared secrets that must be secured on the SIP platforms, in order to protect your subscriber against any data leaking.

Usually, when you start building a platform, the subscriber passwords are kept in plain-text format – it is simpler and easier to troubleshot. But it is not secure.

So, how to secure them ? Well, OpenSIPS allows you to keep the passwords in an
hashed format (pre-computed), known also as HA1 format (according to RFC2617):

HA1 = MD5( username ":" realm ":" password )

So, instead of storing the plain-text passwords, you can keep the the HA1 hash – besides offering user privacy, the HA1 passwords are also more secure – as they are not reversible, you cannot extract the plain-text password from it).

How to generate the HA1 passwords ?

First we need to understand how the password is stored in the subscriber table, as there are several fields involved in this:

  • password – this holds the plain text password, if used.
  • ha1 – this holds the HA1 password
  • ha1b – similar to HA1, but the username value also contain a domain part

Both the “opensipsctl” and OpenSIPS Control Panel provisioning tools automatically add the ha1 and ha1b fields when a new SIP subscriber is created (or password changed).

Nevertheless, if you are in the situation to migrate your OpenSIPS platform from plain-text passwords to HA1 passwords, you can manually compute the ha1 and ha1b fields, directly in the database:

UPDATE subscriber SET
 ha1 = MD5(CONCAT(username, ':', domain, ':', password)),
 ha1b = MD5(CONCAT(username, '@', domain ':', domain, ':', password)) ;

How to use HA1 passwords  from OpenSIPS script ?

In the auth_db module there are several parameters that control the password:

  1. password_column – which DB fields should be used for loading the password
  2. calculate_ha1 – if the loaded password is plain-text or not.

If you want to use plain-text passwords, you should do:

modparam("auth_db", "password_column", "password")
modparam("auth_db", "calculate_ha1", 1)

Be sure the password column in subscriber table holds plain text passwords !!

If you want to use HA1 passwords, you should do:

modparam("auth_db", "password_column", "ha1")
modparam("auth_db", "calculate_ha1", 0)

All the time you must be careful and keep the settings for these twp module parameters in a consistent way, otherwise the authentication result will be broken.

But how to troubleshoot authentication issues may be the subject of a future post 🙂

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s