Disclaimer: This repository is a git-svn mirror of the project found at http://java.net/projects/jsip whose original repository is developed collaboratively by the Advanced Networking Technologies Division at the National Institute of Standards and Technology (NIST) - an agency of the United States Department of Commerce and by a community of individual and enterprise contributors. TeleStax, Inc. will perform some productization work, new features experimentation branches, etc for its TelScale jSIP product that doesn't concern the community from the main repository hence this git repository.
RFC 2617 states that the nonce data string should be uniquely generated (§3.2.1), but to detect/prevent replay attacks the server side could reuse the same nonce (§4.3, §4.4, §4.5).
The nonce count is hard-coded, so when the same nonce is received again the nonce count is still 1 and the server detects a replay attack, thus refusing the registration.
1st registration works ok
REGISTER -->
<-- 401 unauthorized nonce ="12345678"
REGISTER --> nonce="12345678", nonce count="00000001"
<-- 200 OK
2nd registration
REGISTER -->
<-- 401 unauthorized nonce ="12345678"
REGISTER --> nonce="12345678", nonce count="00000001"
<-- 403 FORBIDDEN Warning: Digest replay attack detected
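The trace above, reproduced as an added example (not code from the report or from jSIP): a Digest client that keeps a per-nonce counter versus one that hard-codes nc=00000001, against a server that reuses its nonce and checks that nc strictly increases. Credentials, URI and cnonce values are constructed; only the nonce "12345678" comes from the report.

```python
import hashlib
from collections import defaultdict

# Constructed sample credentials; "12345678" is the reused nonce from the report's trace.
USER, REALM, PASSWORD = "alice", "example.com", "secret"
METHOD, URI, NONCE = "REGISTER", "sip:example.com", "12345678"

def md5(s):
    return hashlib.md5(s.encode()).hexdigest()

def digest_response(nonce, nc, cnonce, qop="auth"):
    """RFC 2617 response for qop=auth: H(H(A1):nonce:nc:cnonce:qop:H(A2))."""
    ha1 = md5(f"{USER}:{REALM}:{PASSWORD}")
    ha2 = md5(f"{METHOD}:{URI}")
    return md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")

class Client:
    """Keeps a per-nonce counter instead of hard-coding nc=00000001."""
    def __init__(self, hard_coded_nc=False):
        self.hard_coded_nc = hard_coded_nc  # True reproduces the reported bug
        self._nc = defaultdict(int)

    def authorize(self, nonce, cnonce):
        self._nc[nonce] += 1
        nc = "00000001" if self.hard_coded_nc else f"{self._nc[nonce]:08x}"
        return {"nonce": nonce, "nc": nc, "cnonce": cnonce,
                "response": digest_response(nonce, nc, cnonce)}

class Server:
    """Reuses one nonce and requires a strictly increasing nc per nonce (RFC 2617 §4.3)."""
    def __init__(self):
        self._last_nc = {}

    def check(self, auth):
        if auth["response"] != digest_response(auth["nonce"], auth["nc"], auth["cnonce"]):
            return 401
        nc = int(auth["nc"], 16)
        if nc <= self._last_nc.get(auth["nonce"], 0):
            return 403  # nc did not advance: "Digest replay attack detected"
        self._last_nc[auth["nonce"]] = nc
        return 200

def register_twice(hard_coded_nc):
    """Two REGISTERs both challenged with NONCE; returns the two final status codes."""
    client, server = Client(hard_coded_nc), Server()
    return [server.check(client.authorize(NONCE, c)) for c in ("cnonce1", "cnonce2")]
```

register_twice(True) gives [200, 403] as in the trace; register_twice(False) gives [200, 200] because the second request carries nc=00000002.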