Internet Communications Using SIP: Delivering VoIP and Multimedia Services with Session Initiation Protocol (2nd Ed.)

(Steven Felgate) #1

Security Mechanisms


This section discusses the security mechanisms that can be used to counter
a number of threats.

Authentication


SIP can use a number of Internet authentication mechanisms. HTTP Digest
authentication, defined in RFC 2617 [3] and described for SIP in Section 22 of
RFC 3261, provides a simple way for a server or UA to challenge another UA
to produce a shared secret such as a username and password. The use of the
Message Digest 5 (MD5) hash algorithm means that the credential (password)
is never sent in the clear. Also, if each SIP request is challenged with a unique
nonce (a one-time string used in the MD5 hash calculation), Digest responses
cannot be cut from one request and pasted into another request. As such,
Digest is a lightweight mechanism that can be used without encryption or
confidentiality. An example HTTP Digest exchange is shown in Figure 9.1.

Figure 9.1 Authentication using HTTP Digest

[Figure: call flow between SIP User Agent, Proxy Server, and SIP User Agent. Caller is challenged by Proxy Server and Called User Agent. Relies on “shared secret” (username and password) exchange. Messages in numbered order:]

1 INVITE
2 407 Proxy Authentication Required
3 ACK
4 INVITE Proxy-Auth:1
5 100 Trying
6 INVITE
7 401 Unauthorized
8 401 Unauthorized
9 ACK
10 ACK
11 INVITE Proxy-Auth:1, WWW-Auth:2
12 INVITE WWW-Auth:2
13 100 Trying
14 180 Ringing
15 180 Ringing
16 200 OK
17 200 OK
18 ACK
19 ACK
Authenticated Media Session
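
The Digest calculation and the one-time nonce described above can be sketched as follows. This is an added example, not code from the book: the Challenger class, the realm example.com, the user alice and the password are constructed for illustration. It computes the RFC 2617 response (with and without the qop=auth parameters) and shows a server refusing a response that is replayed or pasted against a different nonce.

```python
import hashlib
import hmac
import secrets


def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode()).hexdigest()


def digest_response(user, realm, password, method, uri, nonce,
                    nc=None, cnonce=None, qop=None):
    """Digest 'response' value as defined in RFC 2617, section 3.2.2."""
    ha1 = md5_hex(f"{user}:{realm}:{password}")   # shared secret, hashed
    ha2 = md5_hex(f"{method}:{uri}")              # binds method and Request-URI
    if qop == "auth":
        return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")
    return md5_hex(f"{ha1}:{nonce}:{ha2}")        # form used when no qop is sent


class Challenger:
    """Hypothetical server side: one fresh nonce per challenged request."""
    def __init__(self, realm, passwords):
        self.realm = realm
        self.passwords = passwords   # constructed user -> password table
        self.outstanding = set()     # nonces issued and not yet consumed

    def challenge(self) -> str:
        nonce = secrets.token_hex(16)
        self.outstanding.add(nonce)
        return nonce

    def verify(self, user, method, uri, nonce, response) -> bool:
        if nonce not in self.outstanding or user not in self.passwords:
            return False                  # unknown or already-used nonce
        self.outstanding.discard(nonce)   # one-time: consume on first use
        expected = digest_response(user, self.realm, self.passwords[user],
                                   method, uri, nonce)
        return hmac.compare_digest(expected, response)


def demo():
    proxy = Challenger("example.com", {"alice": "constructed-pw"})
    uri = "sip:bob@example.com"
    n1 = proxy.challenge()                                 # sent in the 407
    r1 = digest_response("alice", "example.com", "constructed-pw", "INVITE", uri, n1)
    first = proxy.verify("alice", "INVITE", uri, n1, r1)   # genuine retry
    replay = proxy.verify("alice", "INVITE", uri, n1, r1)  # same header again
    n2 = proxy.challenge()                                 # a later challenge
    pasted = proxy.verify("alice", "INVITE", uri, n2, r1)  # old response, new nonce
    return first, replay, pasted
```

Calling demo() returns (True, False, False): only the first use of a response against its own nonce is accepted.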
