Digest authentication is based on RFC 2617, HTTP Authentication: Basic and Digest Access Authentication. Our objective in this chapter is to show the basics of a system with Digest authentication. It is not an answer to all the possible security problems with SIP, but it is certainly a good method to protect names and passwords traversing the network. The following figure shows how digest authentication works:
The Digest scheme is a simple challenge-response mechanism. It challenges the UA with a nonce value. A valid response includes a checksum computed over all the parameters, so the password itself is never transmitted in clear text.
If a server receives a REGISTER or an INVITE request without a valid Authorization header field, it replies 401 Unauthorized with a WWW-Authenticate header field. This header contains a realm and a nonce.
The client is expected to try again, now passing the Authorization header field. It contains the username, realm, nonce (passed...
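The exchange described above, as an added Python example that is not from the book: the server's 401 challenge values, the client's RFC 2617 response computation (MD5 over HA1, the nonce and HA2, without qop), the Authorization header the UA sends back, and the server-side check. The username, realm, password, method and URI are constructed sample values, and the in-memory nonce store is a stand-in for whatever a real SIP server uses.

```python
import hashlib
import hmac
import secrets

# Constructed sample credentials and request values; not taken from the page.
USERNAME, REALM, PASSWORD = "alice", "example.com", "s3cret"
METHOD, URI = "REGISTER", "sip:example.com"

# Nonces this (hypothetical) server has issued and not yet seen used.
ISSUED_NONCES = set()


def md5_hex(data: str) -> str:
    """Hex MD5 of a UTF-8 string, the hash RFC 2617 Digest is defined with."""
    return hashlib.md5(data.encode("utf-8")).hexdigest()


def make_challenge(realm: str) -> dict:
    """Server: the values carried in the WWW-Authenticate header of the 401."""
    nonce = secrets.token_hex(16)
    ISSUED_NONCES.add(nonce)
    return {"realm": realm, "nonce": nonce}


def digest_response(username, realm, password, method, uri, nonce) -> str:
    """Client: RFC 2617 response without qop. The password only feeds the hash:
    HA1 = MD5(user:realm:pass), HA2 = MD5(method:uri), resp = MD5(HA1:nonce:HA2)."""
    ha1 = md5_hex(f"{username}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{ha2}")


def authorization_header(username, realm, nonce, uri, response) -> str:
    """Client: the Authorization header field sent on the retried request."""
    return (f'Authorization: Digest username="{username}", realm="{realm}", '
            f'nonce="{nonce}", uri="{uri}", response="{response}"')


def verify(stored_password, username, realm, method, uri, nonce, response) -> bool:
    """Server: accept only a nonce it issued, consume it, recompute the checksum
    from the stored password and compare in constant time."""
    if nonce not in ISSUED_NONCES:
        return False
    ISSUED_NONCES.discard(nonce)  # single use: a captured header cannot be replayed
    expected = digest_response(username, realm, stored_password, method, uri, nonce)
    return hmac.compare_digest(expected, response)
```

Note that the header sent over the network carries only the 32-hex-digit response, never the password, which is what the chapter's "protect names and passwords traversing the network" refers to.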