Security Mechanisms
This section discusses the security mechanisms that can be used to counter
a number of threats.
Authentication
SIP can use a number of Internet authentication mechanisms. HTTP Digest
authentication, defined in RFC 2617 [3] and described for SIP in Section 22 of
RFC 3261, provides a simple way for a server or UA to challenge another UA
to produce a shared secret such as a username and password. The use of the
Message Digest 5 (MD5) hash algorithm means that the credential (password)
is never sent in the clear. Also, if each SIP request is challenged with a unique
nonce (a one-time string used in the MD5 hash calculation), Digest responses
cannot be cut from one request and pasted into another request. As such,
Digest is a lightweight mechanism that can be used without encryption or
confidentiality. An example HTTP Digest exchange is shown in Figure 9.1.
Figure 9.1 Authentication using HTTP Digest
[Figure: message sequence between SIP User Agent, Proxy Server, and SIP User Agent. Caller is challenged by Proxy Server and Called User Agent. Relies on "shared secret" (username and password) exchange.]
Messages in numbered order: 1 INVITE; 2 407 Proxy Authentication Required; 3 ACK; 4 INVITE Proxy-Auth:1; 5 100 Trying; 6 INVITE; 7 401 Unauthorized; 8 401 Unauthorized; 9 ACK; 10 ACK; 11 INVITE Proxy-Auth:1, WWW-Auth:2; 12 INVITE WWW-Auth:2; 13 100 Trying; 14 180 Ringing; 15 180 Ringing; 16 200 OK; 17 200 OK; 18 ACK; 19 ACK; Authenticated Media Session.
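The Digest calculation and the one-time nonce check described above, as an added example that is not from the original text. It uses the RFC 2617 response form without qop; the Challenger class, the realm, the URI and the credentials are constructed for illustration.

```python
import hashlib
import hmac
import secrets

def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode()).hexdigest()

def digest_response(username, realm, password, method, uri, nonce):
    """RFC 2617 response without qop: MD5(HA1:nonce:HA2)."""
    ha1 = md5_hex(f"{username}:{realm}:{password}")  # binds the shared secret
    ha2 = md5_hex(f"{method}:{uri}")                 # binds the request itself
    return md5_hex(f"{ha1}:{nonce}:{ha2}")           # binds the challenge

class Challenger:
    """Hypothetical server/UA side: issues one-time nonces, checks responses."""
    def __init__(self, realm, passwords):
        self.realm = realm
        self.passwords = passwords   # username -> shared secret (constructed)
        self.outstanding = set()     # nonces issued and not yet consumed

    def challenge(self):
        nonce = secrets.token_hex(16)
        self.outstanding.add(nonce)
        return nonce                 # carried in the 401/407 challenge

    def verify(self, username, method, uri, nonce, response):
        if nonce not in self.outstanding:
            return False             # unknown or already-used nonce
        self.outstanding.discard(nonce)  # one use only, pass or fail
        password = self.passwords.get(username)
        if password is None:
            return False
        expected = digest_response(username, self.realm, password,
                                   method, uri, nonce)
        return hmac.compare_digest(expected, response)

def demo():
    realm, uri = "example.com", "sip:bob@example.com"  # constructed values
    proxy = Challenger(realm, {"alice": "constructed-secret"})
    nonce = proxy.challenge()
    resp = digest_response("alice", realm, "constructed-secret",
                           "INVITE", uri, nonce)
    first = proxy.verify("alice", "INVITE", uri, nonce, resp)   # genuine
    replay = proxy.verify("alice", "INVITE", uri, nonce, resp)  # nonce reused
    fresh = proxy.challenge()
    pasted = proxy.verify("alice", "INVITE", uri, fresh, resp)  # old response
    return first, replay, pasted

if __name__ == "__main__":
    print(demo())
```

Only the 32-character hex response crosses the wire, never the password, and a response captured from one request fails against any later nonce.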