[asterisk-users] Misunderstood thing
Alex Balashov
abalashov at evaristesys.com
Wed Jul 29 03:32:23 CDT 2009
So, there are two kinds of authentication that routinely go on in the SIP
client/server world:
1) REGISTER authentication -- this is the 401 Unauthorized challenge to
an initial REGISTER request that causes it to be resent with
WWW-Authorize headers containing various authentication credentials,
including an encrypted nonce.
Client Server
--------- REGISTER #1 ---------->
<------ 401 Unauthorized --------
--- REGISTER #2 + creds -------->
<---------- 200 OK --------------
This authentication is for *registration* *only*. It does *not*
authorise you to place outbound calls. It only provides a mechanism for
authenticating your request to secure a contact binding to a certain AOR
(address of record) on the SIP server side, in order to receive calls at
that AOR.
Allowing calls to be placed on the basis that the originator is merely
registered is not sufficiently secure. I could place calls as you by
spoofing your username (AOR) as long as you are registered from
somewhere else.
2) INVITE authentication -- the 407 Proxy Authorization Required challenge.
The mechanism is very similar in its anatomy to the registration
challenge, but is applied to an INVITE you originate toward the server
instead.
Client Server
---------- INVITE #1 -------->
<--- 407 proxy challenge -----
---- INVITE #2 + creds ------>
<-------- 100 Trying ---------
<----- other prov. msgs etc --
<---------- 200 OK -----------
...
Anyway, this deals with registration authentication (scenario #1):
[general]
register => user:pass@server:5060
And this deals with INVITE request authentication (scenario #2):
username=user
secret=pass
Does that help?
-- Alex
--
Alex Balashov
Evariste Systems
Web : http://www.evaristesys.com/
Tel : (+1) (678) 954-0670
Direct : (+1) (678) 954-0671
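The following is an added example, not code from the original post or from Asterisk: it walks through both flows above (REGISTER challenged with 401, INVITE challenged with 407) using the RFC 2617-style digest that SIP (RFC 3261) applies to both. The realm, user, secret and nonces are constructed; the qop/cnonce variant, nonce expiry and the other parameters a real registrar sends are left out so the shape of the exchange stays visible. The last call in the usage section shows the point of scenario #2: a request carrying a registered user's name but not their secret does not get past the 407.

```python
"""Added example (not from the original post or from Asterisk).
SIP digest auth for scenarios #1 (REGISTER/401) and #2 (INVITE/407).
All names, credentials and nonces here are constructed."""
import hashlib
import re
import secrets


def _md5(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def digest_response(username: str, realm: str, password: str,
                    method: str, uri: str, nonce: str) -> str:
    """Client side, challenge without qop: MD5(HA1 ':' nonce ':' HA2)."""
    ha1 = _md5(f"{username}:{realm}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{ha2}")


def parse_digest_params(value: str) -> dict:
    """Parse 'Digest k="v", k2="v2"' (quoted values only) into a dict."""
    if not value.startswith("Digest "):
        raise ValueError("not a Digest challenge/credential")
    return dict(re.findall(r'(\w+)="([^"]*)"', value[len("Digest "):]))


# Status code and header names per request type (RFC 3261).
CHALLENGE = {
    "REGISTER": (401, "WWW-Authenticate", "Authorization"),
    "INVITE":   (407, "Proxy-Authenticate", "Proxy-Authorization"),
}


class SipServer:
    """Stand-in for the registrar/proxy: holds each user's secret
    (the 'secret=' line of scenario #2), hands out single-use nonces,
    and checks the digest on the retried request."""

    def __init__(self, realm: str, users: dict):
        self.realm = realm
        self.users = users           # username -> secret (constructed)
        self.issued_nonces = set()   # nonces we issued and not yet consumed

    def challenge(self, method: str):
        status, hdr, _ = CHALLENGE[method]
        nonce = secrets.token_hex(16)
        self.issued_nonces.add(nonce)
        return status, f'{hdr}: Digest realm="{self.realm}", nonce="{nonce}"'

    def verify(self, method: str, uri: str, auth_line: str) -> bool:
        """True only for a nonce we issued (used once) and a matching digest."""
        _, _, value = auth_line.partition(": ")
        p = parse_digest_params(value)
        if p.get("realm") != self.realm or p.get("uri") != uri:
            return False
        if p.get("nonce") not in self.issued_nonces:
            return False
        self.issued_nonces.discard(p["nonce"])   # same nonce cannot be replayed
        password = self.users.get(p.get("username"))
        if password is None:
            return False
        expected = digest_response(p["username"], self.realm, password,
                                   method, uri, p["nonce"])
        return secrets.compare_digest(expected, p.get("response", ""))


def client_auth_header(method: str, uri: str, challenge_line: str,
                       username: str, password: str) -> str:
    """Client side: build the Authorization / Proxy-Authorization line
    for request #2 from the challenge received on request #1."""
    _, _, auth_hdr = CHALLENGE[method]
    _, _, value = challenge_line.partition(": ")
    p = parse_digest_params(value)
    resp = digest_response(username, p["realm"], password, method, uri, p["nonce"])
    return (f'{auth_hdr}: Digest username="{username}", realm="{p["realm"]}", '
            f'nonce="{p["nonce"]}", uri="{uri}", response="{resp}"')


def run_flow(server: SipServer, method: str, uri: str,
             username: str, password: str) -> int:
    """Request #1 -> 401/407, request #2 with credentials -> 200 or the
    same challenge status again. Returns the final status code."""
    status, challenge_line = server.challenge(method)
    retry = client_auth_header(method, uri, challenge_line, username, password)
    return 200 if server.verify(method, uri, retry) else status


if __name__ == "__main__":
    srv = SipServer("example.invalid", {"alice": "s3cret"})   # constructed
    print(run_flow(srv, "REGISTER", "sip:example.invalid", "alice", "s3cret"))    # 200
    print(run_flow(srv, "INVITE", "sip:bob@example.invalid", "alice", "s3cret"))  # 200
    # alice's username without alice's secret: the 407 check does not pass
    print(run_flow(srv, "INVITE", "sip:bob@example.invalid", "alice", "wrong"))   # 407
```

The server keeps no state from the REGISTER flow that the INVITE flow could rely on; each INVITE is challenged and checked against the secret on its own, which is what makes "merely registered" insufficient as a basis for placing calls.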