authentication
... security services,
which include denial-of-service prevention, authentication (both user
to user and proxy to user), integrity protection ...
... role in authorizing
outgoing requests. Authorization and authentication are handled in
SIP either on a request-by-request basis with a challenge/response
mechanism ...
... semantics of the message, by appending each subsequent
field-value to the first, each separated by a comma. The exceptions
to this rule are the WWW-Authenticate, Authorization, Proxy-
...
... are described in Section 26. Specifically, mechanisms exist for the
UAS and UAC to mutually authenticate. A limited set of privacy
features are also supported through encryption ...
... URI corresponding to the identity of the profiled user.
Recipients of requests can authenticate the originator of a request
in order to ascertain that they are who their From header field
claims they are (see Section 22 for more on authentication).
The From field MUST contain a new "tag ...
...
failure responses that solicit an amendment to a request (for
example, a challenge for authentication), these retried requests are
not considered new requests, and therefore do not need new Call-ID
...
... UASs SHOULD process the requests in the order of the steps that
follow in this section (that is, starting with authentication, then
inspecting the method, the header fields ...
...
Once a request is authenticated (or authentication is skipped), the
UAS MUST inspect the method ...
... values as described for UASs in Section 8.2.2.
3. A registrar SHOULD authenticate the UAC. Mechanisms for the
authentication of SIP user agents are described in Section 22.
Registration behavior in no way overrides the generic
authentication framework for SIP. If no authentication
mechanism is available, the registrar MAY take the From address
as the asserted identity of the originator of the request.
4. The registrar SHOULD determine if the authenticated user is
authorized to modify registrations for this address-of-record ...
... authorization to modify bindings. If
the authenticated user is not authorized to modify bindings,
the registrar MUST return a 403 (Forbidden) and skip the
...
... 12) with the exception of the CSeq and the header fields related to
authentication. The sequence number of the CSeq header field MUST be
...
... received 503, 407, 501, and 404 responses, it may choose to
forward the 407 (Proxy Authentication Required) response.
1xx and 2xx responses may be involved in the establishment of
...
... happens, for instance, when combining 401 (Unauthorized) and
407 (Proxy Authentication Required) challenges, or combining
Contact values from unencrypted and unauthenticated 3xx
responses.
...
... If the selected response is a 401 (Unauthorized) or 407 (Proxy
Authentication Required), the proxy MUST collect any WWW-
Authenticate and Proxy-Authenticate header field values from
all other 401 (Unauthorized) and 407 (Proxy Authentication
Required) responses received so far in this response context
and add them to this response without modification before
forwarding. The resulting 401 (Unauthorized) or 407 (Proxy
Authentication Required) response could have several WWW-
Authenticate AND Proxy-Authenticate header field ...
... SIPS URI syntax allows this field to be present, its use is NOT
RECOMMENDED, because the passing of authentication information
in clear text (such as URIs) has proven to be a security risk ...
... Allow r - o - o o o
Allow 405 - m - m m m
Authentication-Info 2xx - o - o o o
Authorization R o o o o o o
...
... Via rc dr m m m m m m
Warning r - o o o o o
WWW-Authenticate 401 ar - m - m m m
WWW-Authenticate 407 ar - o - o o o
Table 3: Summary of header fields ...
... Authentication-Info ...
... The Authentication-Info header field provides for mutual
authentication with HTTP Digest. A UAS MAY include this header field
in a 2xx response to a request that was successfully authenticated
using digest based on the Authorization header field ...
... Example:
Authentication-Info: nextnonce="47364c23432d2e131a5fb210812c"
...
... header
field, and Section 22.4 describes the syntax and semantics when used
with HTTP authentication.
This header field ...
... disposition-type" that renders content to the
user should only be processed when a message has been properly
authenticated.
The handling parameter, handling-param, describes how the UAS ...
... filter calls, so that only return calls for calls they
originated will be accepted. This field is not a substitute for
request authentication.
Example:
...
... Proxy-Authenticate ...
... client to identify
itself (or its user) to a proxy that requires authentication. A
Proxy-Authorization field value consists of credentials containing
the authentication information of the user agent for the proxy and/or
...
...
... WWW-Authenticate ...
... A WWW-Authenticate header field value contains an authentication
challenge. See Section 22.2 for further details on its usage.
...
... Example:
WWW-Authenticate: Digest realm="atlanta.com",
domain="sip:boxesbybob.com", qop="auth",
...
...
The request requires user authentication. This response is issued by
UASs and registrars, while 407 (Proxy Authentication Required) is
used by proxy servers.
...
... 407 Proxy Authentication Required ...
... This code is similar to 401 (Unauthorized), but indicates that the
client MUST first authenticate itself with the proxy. SIP access
authentication is explained in Sections 26 and 22.3.
This status code ...
... communication channel (for example, a telephony gateway) rather than
the callee requires authentication.
...
... Usage of HTTP Authentication ...
... SIP provides a stateless, challenge-based mechanism for
authentication that is based on authentication in HTTP. Any time
that a proxy server ...
... authorization systems are recommended or discussed in this document.
The "Digest" authentication mechanism described in this section
provides message authentication and replay protection only, without
message integrity ...
... Note that due to its weak security, the usage of "Basic"
authentication has been deprecated. Servers MUST NOT accept
credentials using the "Basic" authorization ...
... UAC. Additionally, registrars and redirect servers MAY make use of
401 (Unauthorized) responses for authentication, but proxies MUST
NOT, and instead MAY use the 407 (Proxy Authentication Required)
response. The requirements ...
... Proxy-Authorization, WWW-Authenticate, and Authorization in the
various messages are identical to those described in RFC 2617 ...
... Operators of user agents or proxy servers that will authenticate
received requests MUST adhere to the following guidelines for
creation of a realm string for their server:
...
...
Generally, SIP authentication is meaningful for a specific realm, a
protection domain. Thus, for Digest authentication, each such
protection domain has its own set of usernames and passwords. If a
server does not require authentication for a particular request, it
MAY accept a default username, "anonymous", which has no password ...
... SIP requests, there
are two requests defined by this document that require special
handling for authentication: ACK and CANCEL.
Under an authentication scheme that uses responses to carry values
used to compute nonces (such as Digest), some problems come up for
...
...
... UAC receives a challenge, it SHOULD render to the user the
contents of the "realm" parameter in the challenge (which appears in
either a WWW-Authenticate header field or Proxy-Authenticate header
field) if the UAC device does not already know of a credential ...
... User-to-User Authentication ...
... UAS receives a request from a UAC, the UAS MAY authenticate
the originator before the request is processed. If no credentials
...
... status code.
The WWW-Authenticate response-header field MUST be included in 401
(Unauthorized) response messages. The field value consists of at
least one challenge that indicates the authentication scheme(s) and
parameters applicable to the realm.
An example of the WWW-Authenticate header field in a 401 challenge
is:
WWW-Authenticate: Digest
realm="biloxi.com",
qop="auth,auth-int",
...
...
... The UAC may require input from the originating user before
proceeding. Once authentication credentials have been supplied
(either directly by the user ...
... credentials have been located, any UA that wishes to
authenticate itself with a UAS or registrar -- usually, but not
necessarily, after receiving ...
... Authorization field value consists of credentials containing the
authentication information of the UA for the realm of the resource
being requested as well as parameters required in support of
authentication and replay protection.
...
... receiving a
401 (Unauthorized) or 407 (Proxy Authentication Required) response,
it MUST increment the CSeq header field value as it would normally
...
... Proxy-to-User Authentication ...
... UAC sends a request to a proxy server, the proxy
server MAY authenticate the originator before the request is
processed. If no credentials (in the Proxy ...
... credentials by rejecting the request with a 407
(Proxy Authentication Required) status code. The proxy MUST populate
the 407 (Proxy Authentication Required) message with a Proxy-
Authenticate header field value applicable to the proxy for the
...
...
... header field. All 407 (Proxy
Authentication Required) responses MUST be forwarded upstream toward
the UAC ...
... When the originating UAC receives the 407 (Proxy Authentication
Required) it SHOULD, if it is able, re-originate the request with the
proper credentials. It should follow the same procedures for the
...
... If a UA receives a Proxy-Authenticate header field value in a 401/407
response to a request with a particular Call-ID ...
...
Any UA that wishes to authenticate itself to a proxy server --
usually, but not necessarily, after receiving a 407 (Proxy
Authentication Required) response -- MAY do so by including a Proxy-
Authorization ...
... client to identify
itself (or its user) to a proxy that requires authentication. The
Proxy-Authorization header field value consists of credentials
containing the authentication information of the UA for the proxy
...
...
... whose realm is identified in the "realm" parameter (this proxy may
previously have demanded authentication using the Proxy-Authenticate
field). When multiple proxies are used in a chain, a Proxy ...
... value.
Note that if an authentication scheme that does not support realms is
used in the Proxy-Authorization ...
... networks, proxy servers SHOULD use an
authentication scheme that supports realms in the Proxy-Authorization
...
... forking proxy server is responsible for aggregating these challenges
into a single response. Each WWW-Authenticate and Proxy-Authenticate
value received in responses to the forked request MUST be placed into
the single response that is sent by the forking proxy ...
... proxy may forward a
request simultaneously to multiple proxy servers that require
authentication, each of which in turn will not forward the request
until the originating UAC has authenticated itself in their
respective realm. If the UAC does not provide credentials ...
... When resubmitting its request in response to a 401 (Unauthorized) or
407 (Proxy Authentication Required) that contains multiple
challenges, a UAC MAY include an Authorization value for each WWW-
Authenticate value and a Proxy-Authorization value for each Proxy-
Authenticate value for which the UAC wishes to supply a credential.
...
... It is possible for multiple challenges associated with the same realm
to appear in the same 401 (Unauthorized) or 407 (Proxy Authentication
Required). This can occur, for example, when multiple proxies within
the same administrative domain ...
... The Digest Authentication Scheme ...
... This section describes the modifications and clarifications required
to apply the HTTP Digest authentication scheme to SIP. The SIP
...
... 2617. Note, however, that SIP
servers MUST NOT accept or request Basic authentication.
The rules for Digest authentication follow those defined in [17],
with "HTTP/1.1 ...
... Authorization header field for HTTP Digest
authentication is not enclosed in quotation marks. (The
example in Section 3.5 of RFC 2617 is correct.) For SIP ...
... 7. As a clarification to the calculation of the A2 value for
message integrity assurance in the Digest authentication
scheme, implementers should assume, when the entity ...
... remain optional for clients and servers to receive. However,
servers MUST always send a "qop" parameter in WWW-Authenticate
and Proxy-Authenticate ...
...
RFC 2543 did not allow usage of the Authentication-Info header field
(it effectively used RFC 2069 ...
... header field, since it provides integrity checks over the bodies and
provides mutual authentication. RFC 2617 [17] defines mechanisms for
...
...
As a means of providing some degree of end-to-end authentication,
integrity or confidentiality ...
... Language, Alert-Info, Error-Info,
Authentication-Info, Expires, In-Reply-To, Require, Supported,
Unsupported, Retry-After ...
... Authorization, Priority, and WWW-
Authenticate. This category also includes those header fields that
can be changed by proxy servers ...
... Call-ID, CSeq), then a
signed MIME body can provide limited authentication. At the very
least, if the certificate used to sign the body is unknown to the
...
... start-up. The message flow is shown in Figure 9.
Note that the authentication usually required for registration is not
shown for simplicity.
...
... protocol elements.
Some elements (authentication) force hex alphas to be lower case.
LHEX = DIGIT ...
... / "406" ; Not Acceptable
/ "407" ; Proxy Authentication Required
/ "408" ; Request Timeout
/ "410" ; Gone
...
...
Authentication-Info = "Authentication-Info" HCOLON ainfo
*(COMMA ainfo)
ainfo = nextnonce / message-qop
...
... Proxy-Authenticate = "Proxy-Authenticate" HCOLON challenge
challenge = ("Digest" LWS digest-cln *(COMMA digest-cln))
/ other-challenge
...
... Prevention of this threat requires a means by which UAs can
authenticate the servers to whom they send requests.
...
... route requests through trusted proxy
servers. Regardless of how that trust is established (authentication
of proxies is discussed elsewhere in this section), a UA ...
... confidentiality, integrity, and
authentication. These end-to-end services should be independent of
...
...
The most effective countermeasure to this threat is the
authentication of the sender of the BYE. In this instance, the
recipient needs only know that the BYE came from the same party with
...
... denial-of-service attacks open up if REGISTER requests
are not properly authenticated and authorized by registrars.
Attackers could de-register ...
... replay attacks
or message spoofing, providing for the authentication and privacy of
the participants in a session ...
... security
services of confidentiality, integrity, and authentication.
Rather than defining new security mechanisms ...
... proxy server, that identity should in some way be
verifiable. A cryptographic authentication mechanism is provided in
SIP to address ...
... SIP message bodies supplies an
alternative means of end-to-end mutual authentication, as well as
providing a limit on the degree to which user agents must trust ...
... security, and these certificates can also be used to provide a means
of authentication in many architectures.
...
...
The use of SIPS in particular entails that mutual TLS authentication
SHOULD be employed, as SHOULD the ciphersuite
...
... SHA. Certificates received in the
authentication process SHOULD be validated with root certificates ...
... HTTP Authentication ...
...
SIP provides a challenge capability, based on HTTP authentication,
that relies on the 401 and 407 response codes as well as header
fields ...
... credentials. Without significant
modification, the reuse of the HTTP Digest authentication scheme in
SIP allows for replay protection and one-way authentication.
The usage of Digest authentication in SIP is detailed in Section 22.
...
... confidentiality and integrity for
message bodies, as well as mutual authentication. It is also
possible to use S/MIME to provide a form of integrity ...
... redirect servers, and registrars MUST implement TLS,
and MUST support both mutual and one-way authentication. It is
strongly RECOMMENDED that UAs be capable of initiating TLS ...
... UAs MAY have
certificates of their own for mutual authentication with TLS, but no
provisions are set forth in this document for their use. All SIP
elements ...
... security models to some degree. At a high
level, UAs authenticate themselves to servers (proxy servers,
redirect servers ...
... username and
password; servers authenticate themselves to UAs one hop away, or to
another server one hop away (and vice versa), with a site certificate ...
... UAs trust the network to authenticate one
another ordinarily; however, S/MIME can also be used to provide
direct authentication when the network does not, or if the network
...
...
... TLS connection, the registrar SHOULD challenge the request with a 401
(Proxy Authentication Required) response. The "realm" parameter
within the Proxy-Authenticate header field of the response SHOULD
correspond to the domain ...
...
Since the registrar requires the user agent to authenticate
itself, it would be difficult for an attacker to forge REGISTER ...
...
Because the UA has already authenticated the server on the other
side of the TLS connection, all requests that come over this
...
... TLS connection Alex had established with the
registrar when he registered. Since Alex would receive this
request over his authenticated channel, he would be assured that
Alice's request had been authorized by the proxy server ...
... are servers that possess site certificates, mutual TLS authentication
SHOULD occur. Each side of the connection SHOULD verify and inspect
...
... domain it ascribes to itself; it does not allow biloxi.com to
ascertain how atlanta.com authenticated Alice. Only if biloxi.com
has some other way of knowing atlanta.com's authentication policies
could it possibly ascertain how Alice proved her identity.
...
... requests that come from domains that are not known administratively
to share a common authentication policy with biloxi.com.
Once the INVITE ...
... to Bob. Since the request is received over a TLS connection that had
previously been authenticated as the biloxi proxy, Bob knows that the
From header field ...
...
The biloxi proxy has a policy for Bob that all non-authenticated
requests should be redirected to the appropriate contact address
...
... proxy servers SHOULD challenge questionable requests with
only a single 401 (Unauthorized) or 407 (Proxy Authentication
Required), forgoing the normal response retransmission algorithm, and
thus behaving statelessly towards unauthenticated requests.
...
...
Retransmitting the 401 (Unauthorized) or 407 (Proxy Authentication
Required) status response amplifies the problem of an attacker
using a falsified header field ...
... third party.
In summary, the mutual authentication of proxy servers through
mechanisms such as TLS ...
... Another limitation of HTTP Digest is the scope of realms. Digest is
valuable when a user wants to authenticate themselves to a resource
with which they have a pre-existing association, like a service
provider ...
... certificates are often globally verifiable, so that the UA can
authenticate the server with no pre-existing association.
...
... TLS only allows SIP entities to authenticate servers to which they
are adjacent; TLS offers strictly hop-by-hop security ...
... nor any other mechanism specified in this document, allows clients to
authenticate proxy servers to whom they cannot form a direct TCP
connection.
...
... target domain is somewhat complex. It is possible that
cryptographically authenticated proxy servers along the way that are
non-compliant or compromised may choose to disregard the forwarding
...
... 2543 defined, but did not sufficiently specify, a mechanism for
UA authentication of a server. That has been removed. Instead,
the mutual authentication procedures of RFC 2617 are allowed.
...
... unicast. The limitations as a result of that are documented.
o Basic authentication has been removed entirely and its usage
forbidden.
...
... Franks, J., Hallam-Baker, P., Hostetler, J., Lawrence, S., Leach, P., Luotonen, A. and L. Stewart, "HTTP Authentication: Basic and Digest Access Authentication", RFC 2617, June 1999. ...
... Franks, J., Hallam-Baker, P., Hostetler, J., Leach, P., Luotonen, A., Sink, E. and L. Stewart, "An Extension to HTTP: Digest Access Authentication", RFC 2069, January 1997. ...
