[asterisk-users] Misunderstood thing

Alex Balashov abalashov at evaristesys.com
Wed Jul 29 03:32:23 CDT 2009


So, there are two kinds of authentication that routinely go on in the SIP 
client/server world:

1) REGISTER authentication -- this is the 401 Unauthorized challenge to 
an initial REGISTER request that causes it to be resent with 
WWW-Authorize headers containing various authentication credentials, 
including an encrypted nonce.

    Client                        Server

    --------- REGISTER #1 ---------->
    <------ 401 Unauthorized --------
    --- REGISTER #2 + creds -------->
    <---------- 200 OK --------------

This authentication is for *registration* *only*.  It does *not* 
authorise you to place outbound calls.  It only provides a mechanism for 
authenticating your request to secure a contact binding to a certain AOR 
(address of record) on the SIP server side, in order to receive calls at 
that AOR.

Allowing calls to be placed on the basis that the originator is merely 
registered is not sufficiently secure.  I could place calls as you by 
spoofing your username (AOR) as long as you are registered from 
somewhere else.

2) INVITE authentication -- the 407 Proxy Authorization Required challenge.

The mechanism is very similar in its anatomy to the registration 
challenge, but is applied to an INVITE you originate toward the server 
instead.

     Client                    Server

     ---------- INVITE #1 -------->
     <--- 407 proxy challenge -----
     ---- INVITE #2 + creds ------>
     <-------- 100 Trying ---------
     <----- other prov. msgs etc --
     <---------- 200 OK -----------

...

Anyway, this deals with registration authentication (scenario #1):

    [general]

    register => user:pass@server:5060

And this deals with INVITE request authentication (scenario #2):

    username=user
    secret=pass

Does that help?

-- Alex

-- 
Alex Balashov
Evariste Systems
Web     : http://www.evaristesys.com/
Tel     : (+1) (678) 954-0670
Direct  : (+1) (678) 954-0671
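As an added illustration of the two exchanges above (not code from Alex's post or from Asterisk itself), a small Python model of SIP digest challenge and response: the server answers a REGISTER with 401/WWW-Authenticate and an INVITE with 407/Proxy-Authenticate, the client computes the RFC 2617 digest, and the server checks it. The realm, user, password and nonce values are constructed, and the single-use nonce handling is an assumption of this model, not a description of Asterisk's behaviour.

```python
import hashlib
import secrets


def _md5(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def digest_response(username, realm, password, method, uri, nonce,
                    qop=None, nc="00000001", cnonce=""):
    """Digest 'response' value (RFC 2617) a SIP UA puts in its retried request."""
    ha1 = _md5(f"{username}:{realm}:{password}")
    ha2 = _md5(f"{method}:{uri}")          # the request method is bound into the digest
    if qop == "auth":
        return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")
    return _md5(f"{ha1}:{nonce}:{ha2}")


class SipAuthServer:
    """Toy server: challenges REGISTER with 401 and INVITE with 407, then verifies."""

    def __init__(self, realm, users):
        self.realm = realm
        self.users = users            # username -> password (constructed sample data)
        self.nonces = set()           # outstanding, single-use nonces (model assumption)

    def challenge(self, method, nonce=None):
        nonce = nonce or secrets.token_hex(8)
        self.nonces.add(nonce)
        hdr = "WWW-Authenticate" if method == "REGISTER" else "Proxy-Authenticate"
        code = 401 if method == "REGISTER" else 407
        return code, hdr, f'Digest realm="{self.realm}", nonce="{nonce}"'

    def verify(self, method, uri, creds):
        """creds: fields taken from the Authorization / Proxy-Authorization header."""
        if creds["nonce"] not in self.nonces:     # unknown or already used -> reject
            return False
        password = self.users.get(creds["username"])
        if password is None:
            return False
        expected = digest_response(creds["username"], self.realm, password,
                                   method, uri, creds["nonce"])
        ok = secrets.compare_digest(expected, creds["response"])
        if ok:
            self.nonces.discard(creds["nonce"])   # consume the nonce on success
        return ok


if __name__ == "__main__":
    srv = SipAuthServer("asterisk", {"user": "pass"})     # constructed realm and account
    code, hdr, _ = srv.challenge("REGISTER", nonce="n1")
    resp = digest_response("user", "asterisk", "pass", "REGISTER", "sip:server", "n1")
    print(code, hdr, srv.verify("REGISTER", "sip:server",
                                {"username": "user", "nonce": "n1", "response": resp}))
```

Because the request method is hashed into HA2, a response computed for the REGISTER challenge does not verify against an INVITE, which is why the two exchanges in the post are separate.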
