20.3.1 SIP Message Authentication Example
The device supports basic and digest (MD5) authentication types, according to the SIP RFC
3261 standard. A proxy server might require authentication before forwarding an INVITE
message. A Registrar/Proxy server may also require authentication for client registration. A
proxy replies to an unauthenticated INVITE with a 407 Proxy Authorization Required
response, containing a Proxy-Authenticate header with the form of the challenge. After
sending an ACK for the 407, the user agent can then re-send the INVITE with a
Proxy-Authorization header containing the credentials.
User agents and Redirect or Registrar servers typically challenge authentication with the
SIP 401 Unauthorized response, which contains a WWW-Authenticate header, and expect
the re-INVITE to contain an Authorization header.
The following example shows the Digest Authentication procedure, including computation
of user agent credentials:
1. The REGISTER request is sent to a Registrar/Proxy server for registration:
REGISTER sip:10.2.2.222 SIP/2.0
Via: SIP/2.0/UDP 10.1.1.200
From: <sip: 122@10.1.1.200>;tag=1c17940
To: <sip: 122@10.1.1.200>
Call-ID: 634293194@10.1.1.200
User-Agent: Sip-Gateway/Mediant 800 MSBR/v.6.60.010.006
CSeq: 1 REGISTER
Contact: sip:122@10.1.1.200:
Expires:3600
2. Upon receipt of this request, the Registrar/Proxy returns a 401 Unauthorized
response:
SIP/2.0 401 Unauthorized
Via: SIP/2.0/UDP 10.2.1.200
From: <sip:122@10.2.2.222 >;tag=1c17940
To: <sip:122@10.2.2.222 >
Call-ID: 634293194@10.1.1.200
Cseq: 1 REGISTER
Date: Mon, 30 Jul 2012 15:33:54 GMT
Server: Columbia-SIP-Server/1.17
Content-Length: 0
WWW-Authenticate: Digest realm="audiocodes.com",
nonce="11432d6bce58ddf02e3b5e1c77c010d2",
stale=FALSE,
algorithm=MD5
3. According to the sub-header present in the WWW-Authenticate header, the correct
REGISTER request is created.
4. Since the algorithm is MD5:
• The username is equal to the endpoint phone number "122".
• The realm returned by the proxy is "audiocodes.com".
• The password from the ini file is "AudioCodes".
• The equation to be evaluated is "122:audiocodes.com:AudioCodes". According to
the RFC, this part is called A1.
• The MD5 algorithm is run on this equation and stored for future usage.
• The result is "a8f17d4b41ab8dab6c95d3c14e34a9e1".
5. The part called A2 needs to be evaluated:
• The method type is "REGISTER".
• Using SIP protocol "sip".
• Proxy IP from ini file is "10.2.2.222".
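The computation in steps 4 and 5, carried through to the response value that goes into the Authorization header and to the check a registrar performs on it, as an added example (not part of the original manual and not the device's own code). It assumes the RFC 2617 formula for a challenge without qop, response = MD5(MD5(A1):nonce:MD5(A2)), which matches the challenge shown in step 2; the function names are illustrative.

```python
import hashlib
import hmac
import re

# Challenge from step 2 above, with the header folding kept as printed.
CHALLENGE = ('Digest realm="audiocodes.com",\n'
             'nonce="11432d6bce58ddf02e3b5e1c77c010d2",\n'
             'stale=FALSE,\n'
             'algorithm=MD5')

def md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()

def parse_params(header_value):
    """Parse 'Digest k="v", k2=v2' (quoted or bare values) into a dict."""
    scheme, _, params = header_value.strip().partition(" ")
    if scheme.lower() != "digest":
        raise ValueError("not a Digest header value")
    pairs = re.findall(r'(\w+)\s*=\s*(?:"([^"]*)"|([^,\s]+))', params)
    return {k.lower(): q or b for k, q, b in pairs}

def digest_response(username, password, p, method, uri):
    """A1 = user:realm:password, A2 = method:uri (no qop in the challenge)."""
    if p.get("algorithm", "MD5").upper() != "MD5" or "qop" in p:
        raise ValueError("only algorithm=MD5 without qop is handled here")
    ha1 = md5_hex(f"{username}:{p['realm']}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{p['nonce']}:{ha2}")

def authorization_header(username, password, chal, method, uri):
    resp = digest_response(username, password, chal, method, uri)
    return (f'Digest username="{username}", realm="{chal["realm"]}", '
            f'nonce="{chal["nonce"]}", uri="{uri}", response="{resp}", algorithm=MD5')

def verify(auth_value, password, method, expected_nonce):
    """Registrar side: recompute the response and compare in constant time."""
    p = parse_params(auth_value)
    if p.get("nonce") != expected_nonce:
        return False  # nonce was not the one issued in the challenge
    want = digest_response(p.get("username", ""), password, p, method, p.get("uri", ""))
    return hmac.compare_digest(want.encode(), p.get("response", "").encode())

if __name__ == "__main__":
    chal = parse_params(CHALLENGE)
    hdr = authorization_header("122", "AudioCodes", chal, "REGISTER", "sip:10.2.2.222")
    print("Authorization:", hdr)
    print("accepted:", verify(hdr, "AudioCodes", "REGISTER", chal["nonce"]))
```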