Understanding SIP Authentication
Take a look at the first six messages of the trace and you will see authentication in action. In this case, my
telephone is the UAC and Session Manager is the server that challenges it. For the INVITE it challenges as a proxy, which is why the first response below is a 407 rather than a 401.
To kick things off, my telephone sends the following INVITE.
Upon receiving the INVITE, Session Manager responds with a 407 Proxy Authentication Required response.
As you may already know, SIP borrowed heavily from other Internet protocols, and the Proxy-Authenticate header was lifted straight from HTTP Digest authentication. This header carries the challenge (a realm, a nonce, the algorithm and, optionally, a qop value) that the UAC must feed into a hash of its credentials. The password itself is never sent, encrypted or otherwise; what travels back is an MD5 digest computed over the username, realm, password, nonce, request method and Request-URI. In this case, the telephone hashes the user's telephone password.
If you insist on learning more about Proxy-Authenticate, see RFC 2617 (since obsoleted for HTTP by RFC 7616) and section 22 of RFC 3261, which describes how SIP applies it. RFC 8760 later added SHA-256 and SHA-512/256 as alternatives to MD5 for SIP, but MD5 is still what you will find on most phones, including this one.
Take a look at the Proxy-Authenticate header and you will see a nonce parameter. Nonce is short for "number used once": an arbitrary value that the server generates for a single challenge. The UAC mixes the nonce into the digest it computes over its credentials, so the response it sends back is valid only for that nonce. If someone were to sniff the LAN and capture the digest, replaying it would not get them far: a server that tracks its nonces accepts each one only once, and when a phone presents an expired nonce the server simply re-challenges it with a fresh one (flagged stale=true, which tells the phone its password was fine but the nonce was not). What the nonce does not prevent is offline guessing. With the captured challenge and response in hand, an attacker can hash candidate passwords until one matches, so Digest over an unencrypted LAN is only as strong as the user's password.
This particular header instructs the client to compute an MD5 digest over the user's telephone password, the given nonce and the other challenge parameters.
After the digest has been computed, the UAC creates a new INVITE (not a re-INVITE; it is a fresh request with an incremented CSeq) and places that digest in the response parameter of a Proxy-Authorization header. Note the names: the challenge arrives in Proxy-Authenticate and the answer goes back in Proxy-Authorization.
Here is the new INVITE as sent by my telephone. Notice how Proxy-Authorization repeats much of what was in Proxy-Authenticate (realm, nonce, algorithm and qop) and adds the username, the Request-URI and the response.
A Slight Shift of Gears
I mentioned that there are two 4xx challenge responses. RFC 2617 states the following about them:
The 401 (Unauthorized) response message is used by an origin server to challenge the authorization of a user
agent. This response MUST include a WWW-Authenticate header field containing at least one challenge
applicable to the requested resource. The 407 (Proxy Authentication Required) response message is used by a
proxy to challenge the authorization of a client and MUST include a Proxy-Authenticate header field containing
at least one challenge applicable to the proxy for the requested resource.
Generally, I see 407 responses for requests that Session Manager is merely proxying toward another endpoint and 401 responses for requests that it terminates itself. That means that requests like INVITE and BYE will receive 407 responses, while REGISTER and SUBSCRIBE, which are addressed to the registrar and the event server acting as a UAS, will receive 401 responses.
I captured the boot cycle of my phone to see the REGISTER and SUBSCRIBE messages it sends.
Here is a REGISTER message followed by a 401 response. Notice how the headers differ from a 407 (WWW-Authenticate in the challenge, Authorization in the retried REGISTER), but the end result is the same: a challenge that solicits a digest of my telephone's password, computed with the same MD5 recipe.
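Both exchanges described above, the INVITE challenged with a 407/Proxy-Authenticate and answered with Proxy-Authorization, and the REGISTER challenged with a 401/WWW-Authenticate and answered with Authorization, worked through in Python as an added example. This is not code from the original post or from Session Manager. The realm, user, password, nonces and URIs are constructed; the digest arithmetic follows RFC 2617 section 3.2.2 (verified against the RFC's own Mufasa example in the block's tests). The server side also enforces the one-use nonce rule, and the last function shows what a LAN sniffer can still do with a captured header: test password guesses offline, which the nonce does not prevent.

```python
"""Constructed SIP Digest exchange, UAC and server side (RFC 2617 / RFC 3261 s.22).
Not a Session Manager capture: realm, user, password and nonces are made up."""
import hashlib
import hmac
import re
import secrets

# The credentials header that answers each challenge header.
CREDENTIALS_HEADER = {
    "Proxy-Authenticate": "Proxy-Authorization",  # 407 from a proxy
    "WWW-Authenticate": "Authorization",          # 401 from a UAS / registrar
}


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def parse_digest(value: str) -> dict:
    """Turn 'Digest realm="x", nonce="y", algorithm=MD5' into a dict."""
    scheme, _, params = value.partition(" ")
    if scheme.lower() != "digest":
        raise ValueError("only the Digest scheme is handled")
    return {k: v.strip().strip('"')
            for k, v in re.findall(r'(\w+)=("[^"]*"|[^,]+)', params)}


def digest_response(username, realm, password, nonce, method, uri,
                    qop=None, nc=None, cnonce=None) -> str:
    """The 'response' parameter: a hash over the credentials, not an encryption."""
    ha1 = md5_hex(f"{username}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")            # the method is bound in, so a
    if qop == "auth":                            # captured INVITE digest is no
        return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")  # good for BYE
    return md5_hex(f"{ha1}:{nonce}:{ha2}")      # older no-qop (RFC 2069) form


def answer_challenge(challenge_header, challenge_value, method, uri,
                     username, password, cnonce=None):
    """UAC side: build the credentials header for the retried request."""
    chal = parse_digest(challenge_value)
    qop = "auth" if "auth" in chal.get("qop", "").split(",") else None
    nc = "00000001" if qop else None
    if qop and cnonce is None:
        cnonce = secrets.token_hex(8)
    resp = digest_response(username, chal["realm"], password, chal["nonce"],
                           method, uri, qop, nc, cnonce)
    params = [f'username="{username}"', f'realm="{chal["realm"]}"',
              f'nonce="{chal["nonce"]}"', f'uri="{uri}"',
              f'response="{resp}"', "algorithm=MD5"]
    if qop:
        params += [f"qop={qop}", f"nc={nc}", f'cnonce="{cnonce}"']
    return CREDENTIALS_HEADER[challenge_header], "Digest " + ", ".join(params)


class DigestServer:
    """Proxy/UAS side: hand out nonces, check responses, refuse nonce reuse."""

    def __init__(self, realm, users, qop="auth"):
        self.realm, self.users, self.qop = realm, users, qop
        self.unused_nonces = set()

    def challenge(self, challenge_header, nonce=None):
        nonce = nonce or secrets.token_hex(16)
        self.unused_nonces.add(nonce)
        status = ("407 Proxy Authentication Required"
                  if challenge_header == "Proxy-Authenticate" else "401 Unauthorized")
        value = f'Digest realm="{self.realm}", nonce="{nonce}", algorithm=MD5'
        if self.qop:
            value += f', qop="{self.qop}"'
        return status, challenge_header, value

    def verify(self, method, credentials_value) -> bool:
        c = parse_digest(credentials_value)
        if c.get("nonce") not in self.unused_nonces or c.get("realm") != self.realm:
            return False  # unknown, spent or foreign nonce: treat it as a replay
        password = self.users.get(c.get("username"))
        if password is None:
            return False
        expected = digest_response(c["username"], self.realm, password, c["nonce"],
                                   method, c.get("uri", ""), c.get("qop"),
                                   c.get("nc"), c.get("cnonce"))
        ok = hmac.compare_digest(expected, c.get("response", ""))
        if ok:
            self.unused_nonces.discard(c["nonce"])  # a nonce is good for one use
        return ok


def guess_password(method, credentials_value, candidates):
    """What a LAN sniffer can do with a captured digest: test guesses offline."""
    c = parse_digest(credentials_value)
    for pw in candidates:
        if digest_response(c["username"], c["realm"], pw, c["nonce"], method,
                           c.get("uri", ""), c.get("qop"), c.get("nc"),
                           c.get("cnonce")) == c.get("response"):
            return pw
    return None


if __name__ == "__main__":
    sm = DigestServer("avaya.example", {"5551234": "correct horse"})
    status, hdr, chal = sm.challenge("Proxy-Authenticate")        # INVITE -> 407
    cred_hdr, cred = answer_challenge(hdr, chal, "INVITE",
                                      "sip:5559876@avaya.example", "5551234", "correct horse")
    print(status, "\n" + hdr + ": " + chal, "\n" + cred_hdr + ": " + cred)
    print("new INVITE accepted:", sm.verify("INVITE", cred),
          "/ replayed:", sm.verify("INVITE", cred))
    status, hdr, chal = sm.challenge("WWW-Authenticate")          # REGISTER -> 401
    cred_hdr, cred = answer_challenge(hdr, chal, "REGISTER", "sip:avaya.example",
                                      "5551234", "correct horse")
    print(status, cred_hdr, sm.verify("REGISTER", cred))
    print("sniffer's dictionary hit:",
          guess_password("REGISTER", cred, ["123456", "correct horse"]))
```

Run it and you get the 407 challenge, the Proxy-Authorization answer, an accepted first INVITE and a rejected replay of the same header, then the 401/Authorization pair for REGISTER. The final line is the part the nonce does not help with: the captured Authorization header plus a short word list recovers the password without ever talking to the server.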
Mischief Managed
At this point, I think I have said enough about SIP authentication. As you can see, it adds a layer of
security that neither TLS nor SRTP provides: TLS protects the signaling in transit and SRTP protects the media, but only Digest proves that the user behind the phone knows the password. The reverse is also true. Digest on its own leaves the challenge and response visible to anyone on the LAN, so run it over TLS if you want the password to survive an offline guessing attack.