On 23-10 15:29, Jan Janak wrote:
To prevent replay attacks, the hash would also have to be calculated over the To tag. The hash should contain the To tag because it is generated by the remote party and thus the possible "attacker" can't predict its value.
This also means we would have to update the Record-Route header field when processing 200 OK, which complicates things a bit.
If we don't add the To tag, then it would be really easy to use the same hash for other requests as well, provided that you use the same From tag.
I am silly, this is, of course, not going to work because the callee would receive the hash without the To tag.
Jan.
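
The reasoning in this message, worked through as an added example that is not code from the thread or from the project. The message does not say how the hash is built, so the HMAC-SHA256 construction, the key, the tag values and the function names below are all assumptions made for illustration.

```python
import hashlib
import hmac

PROXY_KEY = b"constructed-demo-key"  # assumption: secret held only by the proxy

def rr_hash(caller_tag, callee_tag=None):
    """Assumed construction: HMAC-SHA256 over the dialog tags available so far."""
    tags = [caller_tag] if callee_tag is None else [caller_tag, callee_tag]
    return hmac.new(PROXY_KEY, "\x00".join(tags).encode(), hashlib.sha256).hexdigest()

def proxy_accepts(route_hash, caller_tag, callee_tag, bind_to_tag):
    """Proxy-side check of the hash carried back in the Route header."""
    expected = rr_hash(caller_tag, callee_tag if bind_to_tag else None)
    return hmac.compare_digest(route_hash, expected)

def run_scenarios():
    caller_tag, callee_tag = "from-a1", "to-b1"   # constructed tag values
    other_callee_tag = "to-zz9"                   # a different dialog, same From tag

    # INVITE passes the proxy before any To tag exists; the callee stores this hash.
    hash_in_invite = rr_hash(caller_tag)
    # 200 OK passes the proxy with the To tag; the proxy rewrites Record-Route,
    # so the caller stores a hash that covers both tags.
    hash_in_200 = rr_hash(caller_tag, callee_tag)

    return {
        # Hash over From tag only: reusable for another request with the same From tag.
        "reuse_without_to_tag": proxy_accepts(hash_in_invite, caller_tag, other_callee_tag, False),
        # Hash over both tags: valid for this dialog, rejected for another one.
        "caller_in_dialog": proxy_accepts(hash_in_200, caller_tag, callee_tag, True),
        "reuse_with_to_tag": proxy_accepts(hash_in_200, caller_tag, other_callee_tag, True),
        # The callee only ever saw the INVITE hash, so its own in-dialog
        # requests fail the To-tag-bound check.
        "callee_in_dialog": proxy_accepts(hash_in_invite, caller_tag, callee_tag, True),
    }

if __name__ == "__main__":
    for name, accepted in run_scenarios().items():
        print(f"{name}: {'accepted' if accepted else 'rejected'}")
```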