SIP Digest Authentication

Built upon HTTP’s challenge/response mechanism

Challenges:

  • 401 Authentication Required or
  • 407 Proxy Authorization Required

Header fields:

  • Digest
    the scheme name
  • username="A"
    the user name as specified in the credentials
  • realm="sip:proxy.com"
    realm - copied from the challenge; indicates the domain for the authentication
  • nonce="e288df84f1cec4341ade6e5a359"
    nonce - copied from the challenge; a unique string, typically generated from a timestamp (and possibly a seed), then encrypted with the user's private key
  • opaque="63632f41"
    opaque string which should be returned unchanged to be matched against the challenge (allows for a stateless system)
  • uri="sip:UserB@there.com"
    URI from the Request-URI
  • response="1d19580cd833064324a787ecc"
    message digest computed using the user's credentials and the nonce
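The challenge/response exchange the slide describes, as an added example that is not part of the original slides: the client answers the challenge with an Authorization header built from the slide's sample values, and the proxy recomputes the digest, checks it in constant time, and refuses a nonce it did not issue or has already accepted. The INVITE method, the password `s3cret` and the RFC 2617 MD5 formula without qop are assumptions.

```python
import hashlib
import hmac
import re

CHALLENGE = {"realm": "sip:proxy.com",  # sample values from the slide
             "nonce": "e288df84f1cec4341ade6e5a359", "opaque": "63632f41"}

def _md5(text):
    return hashlib.md5(text.encode()).hexdigest()

def digest_response(username, realm, password, method, uri, nonce):
    """RFC 2617 digest without qop: MD5(HA1 ":" nonce ":" HA2)."""
    ha1 = _md5(f"{username}:{realm}:{password}")  # credentials bound to realm
    ha2 = _md5(f"{method}:{uri}")                  # request line
    return _md5(f"{ha1}:{nonce}:{ha2}")

def build_authorization(username, password, method, uri, challenge):
    """Client side: answer the 401/407 challenge with an Authorization header."""
    resp = digest_response(username, challenge["realm"], password,
                           method, uri, challenge["nonce"])
    return (f'Digest username="{username}", realm="{challenge["realm"]}", '
            f'nonce="{challenge["nonce"]}", opaque="{challenge["opaque"]}", '
            f'uri="{uri}", response="{resp}"')

def parse_authorization(header):
    scheme, _, params = header.partition(" ")
    if scheme != "Digest":
        raise ValueError("unsupported scheme: " + scheme)
    return dict(re.findall(r'(\w+)="([^"]*)"', params))

class ProxyVerifier:  # server side: recompute the digest, enforce single-use nonces
    def __init__(self, credentials, issued_nonces):
        self.credentials = credentials    # username -> password (assumed store)
        self.issued = set(issued_nonces)  # nonces this proxy handed out

    def verify(self, method, header):
        f = parse_authorization(header)
        if not {"username", "realm", "nonce", "uri", "response"}.issubset(f):
            return False
        if f["nonce"] not in self.issued:  # unknown, expired or replayed nonce
            return False
        password = self.credentials.get(f["username"])
        if password is None:
            return False
        expected = digest_response(f["username"], f["realm"], password,
                                   method, f["uri"], f["nonce"])
        ok = hmac.compare_digest(expected, f["response"])
        if ok:
            self.issued.discard(f["nonce"])  # a nonce answers one request only
        return ok
```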


Transcript

[slide356] We also saw yesterday the basic approach that was used was taken directly from HTTP to be able to do authentication. So you basically did a challenge, either with the proxy or with the user agent, and the approach was you generated a nonce. And that way the person had to do the calculation with a value that they couldn't predict in advance, so they couldn't pre-compute it. They had to actually compute it then, and then they would send a digest response, which was calculated based on the nonce and their secret, etc. Very straightforward.