
SIP Password Security - How much is yours worth?

An analysis of SIP's MD5 digest mechanism and password strength recommendations.

Overview

SIP uses a challenge-response mechanism to authenticate certain types of requests, in particular REGISTER and INVITE requests. The SIP standard does call for other request types such as ACKs, BYEs and CANCELs to be authenticated as well, but SIP servers will often overlook that requirement.

Assuming the SIP request is one that gets authenticated, the typical procedure is that the SIP client sends a request without credentials and the server responds with an authentication challenge. The simplest authentication challenge a SIP server can send contains just a realm and a nonce.

WWW-Authenticate: Digest realm="sipsorcery.com",nonce="16409782311597338199"

The client combines the realm and nonce with the username, password, request type and request URI to construct an MD5 hash that is then sent back to the server. In the example below the response field contains the 128-bit MD5 hash.

Authorization: Digest username="someuser",realm="sipsorcery.com",nonce="16409782311597338199", uri="sip:sipsorcery.com",response="4bafec8d920b26740681dd286b316f85",algorithm=MD5

The server then performs the same process to arrive at its own MD5 hash, and if it's the same as the one supplied by the client it can have a degree of confidence that the client knows the password.
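As an added example (not part of the original article or of the SIPSorcery code), here is the digest computation the paragraphs above describe, using the header values from the example; the password is a constructed sample since the article never states it, and the server side compares in constant time.

```python
import hashlib
import hmac

# Field values copied from the WWW-Authenticate / Authorization headers above.
REALM = "sipsorcery.com"
NONCE = "16409782311597338199"
USERNAME = "someuser"
METHOD = "REGISTER"
URI = "sip:sipsorcery.com"
# Constructed sample password; the article never reveals the real one.
PASSWORD = "Jh53%aq()d"


def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def digest_response(username, realm, password, method, uri, nonce):
    """Digest response for a challenge without qop (as in the example headers).

    HA1 = MD5(username:realm:password)   the only input that involves the secret
    HA2 = MD5(method:uri)
    response = MD5(HA1:nonce:HA2)
    """
    ha1 = md5_hex(f"{username}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{ha2}")


def authorization_header(username, realm, password, method, uri, nonce):
    """What the client sends back; the password itself never leaves the client."""
    response = digest_response(username, realm, password, method, uri, nonce)
    return (f'Authorization: Digest username="{username}",realm="{realm}",'
            f'nonce="{nonce}",uri="{uri}",response="{response}",algorithm=MD5')


def server_verify(stored_password, method, auth):
    """Server side: recompute the response from its own copy of the password and
    compare in constant time, so a mismatch leaks nothing about where it differed."""
    expected = digest_response(auth["username"], auth["realm"], stored_password,
                               method, auth["uri"], auth["nonce"])
    return hmac.compare_digest(expected, auth["response"])


if __name__ == "__main__":
    print(authorization_header(USERNAME, REALM, PASSWORD, METHOD, URI, NONCE))
```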

MD5 Algorithm

The server can’t be certain the client knows the password: for example, the client could be a malicious party that managed to get hold of a previous request from a genuine client and has resent it without ever knowing the password. That’s where the nonce comes in; it’s how the server protects against replay attacks. This means the server must have a good policy regarding how it generates and accepts nonces in authorisation headers. A typical approach is for a server to encode a timestamp in the nonce and only accept the header if the nonce contains a timestamp within a short amount of time of the current time.
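An added example, not from the article or SIPSorcery, of the timestamp-in-nonce policy just described: the server mints nonces it can later recognise and rejects any it did not issue or that fall outside an assumed 60-second window.

```python
import hashlib
import hmac
import os
import time

# Per-server secret that binds nonces to this server; generated fresh for the example.
NONCE_KEY = os.urandom(32)
# Assumed acceptance window; the article only says "a short amount of time".
NONCE_MAX_AGE = 60


def _tag(key, ts, rand):
    return hmac.new(key, f"{ts}-{rand}".encode(), hashlib.sha256).hexdigest()[:16]


def make_nonce(now=None, key=NONCE_KEY):
    """Nonce = <unix timestamp>-<random>-<HMAC tag>.
    The timestamp lets the server expire the challenge; the HMAC means a client
    cannot mint a nonce of its own choosing and have it accepted."""
    ts = int(time.time() if now is None else now)
    rand = os.urandom(8).hex()
    return f"{ts}-{rand}-{_tag(key, ts, rand)}"


def nonce_is_acceptable(nonce, now=None, key=NONCE_KEY, max_age=NONCE_MAX_AGE):
    """Accept only nonces this server issued, and only within max_age seconds.
    A stricter server would additionally remember nonces it has already honoured."""
    parts = nonce.split("-")
    if len(parts) != 3 or not parts[0].isdigit():
        return False                 # opaque or foreign nonce: not ours
    ts, rand, tag = parts
    if not hmac.compare_digest(_tag(key, int(ts), rand), tag):
        return False                 # tampered timestamp or forged nonce
    age = (time.time() if now is None else now) - int(ts)
    return 0 <= age <= max_age       # also reject nonces dated in the future


if __name__ == "__main__":
    challenge = make_nonce()
    print(f'WWW-Authenticate: Digest realm="sipsorcery.com",nonce="{challenge}"')
    print("accepted now:", nonce_is_acceptable(challenge))
```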

Replay and other attacks aside, the protection offered by the SIP digest authentication approach comes down to the cryptographic strength of the MD5 hash and the length of the password supplied to the hash; a short or common password means an attacker can quickly use a brute force or dictionary attack to try lots of different password values until they generate the same hash, at which point they know the password.

Assuming a strong password is being used, the strength of the MD5 algorithm is the next point of vulnerability. The algorithm was invented in 1991 and since that time it has been subject to extensive scrutiny, and a number of weaknesses have been found with it, such that in December 2008 the United States Computer Emergency Readiness Team (US-CERT) issued a vulnerability notice for the MD5 algorithm that contained the paragraph below.

Do not use the MD5 algorithm

Software developers, Certification Authorities, website owners, and users should avoid using the MD5 algorithm in any capacity. As previous research has demonstrated, it should be considered cryptographically broken and unsuitable for further use.

The US-CERT security advisory uses the example of attackers generating an SSL certificate to impersonate a trusted Certificate Authority (CA). For a Certificate Authority a compromise of their certificate is a very serious issue: their whole business model of selling SSL certificates relies on people trusting their signed certificates, so if an attacker were able to forge their signature it would potentially put many millions of dollars in revenue at risk.

Brute Forcing SIP MD5 hashes

But what does it mean for SIP? How easy is it for an attacker to use an MD5 hash they have obtained from a digest in a SIP authentication header to acquire the original password? How much does it cost to simply brute force an MD5 hash?

Now I’m not a cryptanalyst, so exploiting the flaws identified in the MD5 algorithm is beyond me. Also, from my limited understanding, the flaws revolve around generating a hash collision, where two plain text values produce the same MD5 hash. That’s a big problem for someone like a Certificate Authority who is relying on their hashes for a period measured in years. For SIP, where the nonce can be rotated in periods of minutes or seconds, it means that even if a fake SIP request could be generated that produced the same MD5 hash as a genuine request, it’s only going to be useful for a short period of time, and even then the customisations that would have to be made to the SIP request to cause the collision would probably make it an invalid request and stop it even getting to the authentication stage.

That leaves dictionary and brute force attacks. Dictionary attacks aren’t that interesting since it’s a certainty that if plain words, or even permutations such as replacing vowels with numbers, are used the password behind the MD5 hash can be found in minutes if not seconds by applying extensive word list files.

What I’m interested in is random passwords made up of a pseudo-random combination of the 95 printable ASCII characters, for example something like Jh53%aq()d. What length of password is likely to be required to make it prohibitively expensive for an attacker to bother with? Before answering that question a value needs to be attached to a SIP password. That value is going to be somewhat arbitrary, but $100 is likely to be more than the credit available in most SIP accounts. It’s also likely to be around the level at which fraud detection algorithms are triggered for anomalous call patterns, and therefore around the amount an attacker may be able to extract from a compromised account before they are detected and blocked.

To answer my question I needed to run a brute force attack against MD5 hashes of different sized passwords and determine how much the computing power for that attack cost. An easy way to attach a value to the computing power was to run the brute force attack on Amazon’s EC2 infrastructure, which charges by the hour. After a bit of trial and error testing I decided on a certain instance size and image and then located some easily accessible testing tools.

Cracking MD5s with John the Ripper, SIPCrack and Amazon's EC2

Of course the intention of this guide isn't to make it easier for bad people to compromise people's SIP passwords. Instead it's to educate people as to exactly what's involved for an attacker wanting to crack their password and thereby hopefully make them use SIP passwords of an adequate strength.

  1. Launch an EC2 Hi-CPU Extra Large (c1.large) instance of a publicly available CentOS Linux image (ami-0129cc68). The per hour cost for the instance at the time of the test was $0.68/hour.
  2. I ended up using that particular image because it already had most of the developer tools installed (I was too lazy to build my own image from scratch). The openssl development package is missing and needs to be installed using:

    yum install openssl-devel
  3. The tool I used to brute force the SIP digest was called SIPCrack. It’s always good to be careful when using security tools like this, and I did a quick review of the source code just to make sure there were no obvious backdoors or the like being installed. In addition, since I was doing the test on an EC2 image which I was going to terminate once the test had completed, there was very limited risk.

    wget http://www.codito.de/prog/SIPCrack-0.3pre.tar.gz
    tar -zxf SIPCrack-0.3pre.tar.gz
    cd SIPCrack-0.3pre
    make
  4. As well as the brute force tool a way to generate password attempts is needed. To do that I used another accessible tool, dramatically named John the Ripper. Despite the gruesome name I used it solely to generate the brute force password attempts to supply to SIPCrack.

    wget http://www.openwall.com/john/g/john-1.7.9.tar.gz
    tar -zxf john-1.7.9.tar.gz
    cd john-1.7.9/src
    make clean linux-x86-64
  5. Now the tools are all set and the next thing is to get a SIP authentication digest for SIPCrack to actually crack. There is another tool in the SIPCrack package that can extract digests from a Wireshark packet capture, however the format of the file SIPCrack requires is very simple so I just created it manually rather than do a capture. As an example, the text below pasted into a file called digest.txt is all SIPCrack needs.

    10.1.1.2"69.59.142.213"someuser"sipsorcery.com"REGISTER"sip:sipsorcery.com"15624921921188954060 """"MD5"4bafec8d920b26740681dd286b316f85
  6. Running a brute force attempt involves two steps that run in parallel. The first step is to use John the Ripper to generate the password attempts and put them into an in-memory file (an in-memory file is better than writing the file to disk given the size of file it would take). The second step is to get SIPCrack to read the passwords from the in-memory file and apply them to the SIP digest. The test commands below use a lower case character set and passwords up to 6 characters in length, and take approximately 5 and a half minutes to execute.

    mkfifo myfifofile
    ./john-1.7.9/run/john --incremental=alpha --stdout=6 > myfifofile &
    ./SIPCrack-0.3/sipcrack -p 10000000 -w myfifofile digest.txt

SIP MD5 Brute Force Test Results

The test methodology was to increment the maximum size of the password and also to use different character sets to get an approximation of how long it would be likely to take an attacker to brute force a password of a certain length using a certain character set. From the results obtained it would then be possible to extrapolate for larger password sizes.

Character Set                                        Password Length   Passwords Attempted                                       Time (s)   Time (s)/Password
Lower case alphabetic                                6                 321,272,406                                               251        7.81e-7
Lower case alphabetic                                7                 2,548,193,457 (test stopped early when password found)    1987       7.79e-7
Alpha numeric and ! $%~-._#@/?'^(+;,)=[]:><"\{`|}    5                 1,587,031,810                                             1261       7.74e-7
All 95 printable ASCII characters                    4                 82,317,121                                                64         7.77e-7

As was to be expected, the brute force attempts resulted in a consistent time per password attempt. I did some quick tests on other Amazon instance types to get an idea of whether any would offer a more cost effective option.

Instance Type   Cores          Cost         Time (s)/Password   Cost ($)/Password
m1.large        2 (4 ECUs)     $0.34/hour   1.01e-6             9.54e-11
c1.large        8 (20 ECUs)    $0.68/hour   7.77e-7             1.47e-10
m2.4xlarge      8 (26 ECUs)    $2/hour      6.07e-7             3.37e-10

The m1.large EC2 instance is the most cost effective for the brute force attempt, with each password check costing $0.0000000000954, or put another way approximately $1 of compute resources will be enough to brute force each item in the list below.

  • A 7 character password that only uses lower case alphabetic characters,
  • A 6 character password that only uses alphabetic, numeric and a select few other ASCII characters,
  • A 5 character password that uses all printable ASCII characters.

How much is a SIP password worth?

Using the assumption that an attacker will be interested in brute forcing a SIP digest for anything under $100 the minimum lengths for a SIP password are listed below.

  • For a password that only uses lower case alphabetic characters a length of 9 characters is required,
  • For a password that uses alphabetic, numeric and a select few other ASCII characters a length of 7 characters is required,
  • For a password that uses characters that cover the printable ASCII range a length of 6 characters is required.
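The extrapolation behind both lists (the $1 list above and this $100 list), as an added example rather than the article's own calculation: it sums the keyspace an incremental search walks through, prices it at the m1.large figure from the table, and finds the first length whose exhaustive search exceeds the budget.

```python
# Cost model behind the $1 and $100 lists; the figures are the article's table values.
LOWER_CASE = 26             # a-z
PRINTABLE_ASCII = 95        # all printable ASCII characters
COST_PER_GUESS = 9.54e-11   # $ per password on the m1.large instance
ACCOUNT_VALUE = 100.0       # the article's assumed worth of a SIP account


def candidates(charset_size, max_length):
    """Passwords an incremental search tries up to max_length: it walks every
    shorter length first, so those are included in the count."""
    return sum(charset_size ** n for n in range(1, max_length + 1))


def exhaustive_cost(charset_size, max_length, cost_per_guess=COST_PER_GUESS):
    """Dollars to try every candidate; on average the hit comes at about half this."""
    return candidates(charset_size, max_length) * cost_per_guess


def min_length_over_budget(charset_size, budget=ACCOUNT_VALUE,
                           cost_per_guess=COST_PER_GUESS):
    """Shortest length whose full search costs more than the attacker's budget."""
    length = 1
    while exhaustive_cost(charset_size, length, cost_per_guess) <= budget:
        length += 1
    return length


if __name__ == "__main__":
    for name, size in (("lower case", LOWER_CASE), ("printable ASCII", PRINTABLE_ASCII)):
        for length in range(4, 11):
            print(f"{name:16} {length:2} chars  ${exhaustive_cost(size, length):>14,.2f}")
        print(f"{name}: {min_length_over_budget(size)} chars needed to exceed "
              f"${ACCOUNT_VALUE:.0f}")
    # Cheaper compute shifts the table: rerun at the $0.08/hour m1.large price
    # the article mentions instead of the $0.34/hour on-demand price.
    cheap = COST_PER_GUESS * 0.08 / 0.34
    print("lower case at $0.08/hour:",
          min_length_over_budget(LOWER_CASE, cost_per_guess=cheap), "chars")
```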

The guidelines above rely on the price per password for Amazon EC2 on demand instances. Prices can come down a lot; for example, the m1.large instance can get down from $0.34 to $0.08 per hour. In addition, Amazon hardware isn’t renowned for being the cheapest way to buy compute power, and a hosted dedicated server or even an attacker’s own hardware sitting in their bedroom is likely to be a cheaper approach for them. Computer hardware is also improving all the time, so a password that is hard to brute force today may not be so next year.

In conclusion, it’s recommended that the minimum requirements for a password that gets used in a SIP digest are that it be at least 8 characters long, preferably 10 characters, and include characters that meet all of the requirements in the list below.

  • Lower case alphabetic,
  • Upper case alphabetic,
  • A number,
  • A non-alphabetic, non-numeric ASCII character.