Dialogic 05-2239-009 IP Phone User Manual


 
286
Dialogic Corporation
standard type of SIP authentication is called “digest authentication”, which refers to the encryption
method used for secure transmission of the user’s secret password in the message, and is
documented in IETF RFC 2617.
To be able to respond automatically to authentication challenges, a UAC typically registers
one or more triplets containing {realm, username, password}, where realm identifies the protected
domain and the username and password identify the specific user. When a UAC receives a 401 or
407 response, it searches the triplets for a realm string that matches the one contained in the
WWW-Authenticate or Proxy-Authenticate header field in the response. If it finds a matching
realm string, it calculates a digest of the corresponding username and password strings and
includes that result in the Authorization header field of the request it re-sends to the UAS.
The Global Call implementation of digest authorization extends this model to use quadruplets of
{realm, identity, username, password}, where the identity represents the user’s URI in the realm.
This extension allows applications to either register a single username and password for a given
realm, or multiple username/password pairs that are each associated with a different identity URI.
For quadruplets that have an empty string as the identity element, the Dialogic® Global Call API
library matching process uses the realm element only, exactly as if it were using a conventional
authentication triplet instead of a quadruplet. If the identity element is a non-empty string, the
library compares the identity string against the URI in the From header field of the 401/407
response. When the identity is non-empty, the library re-sends the request with the
username/password digest only if both the realm and identity match the appropriate fields in the
response message.
As an example, if the following header fields are received in a 401 Unauthorized response:
From: <sip:bob@example.com>;tag=0-13c4-4129f5f4-3bf3065a-7fc2
...
WWW-Authenticate: Digest realm="atlanta.com", domain="sip:ss1.carrier.com", qop="auth",
nonce="f84f1cec41e6cbe5aea9c8e88d359", opaque="", stale=FALSE, algorithm=MD5
both of the following quadruplets would be considered to be matches:
{"atlanta.com", "sip:bob@example.com", "bob", "password1"}
{"atlanta.com", "", "anonymous", ""}
Applications that require multiple identities per realm set multiple quadruplets with different,
non-empty identity strings. Such applications may also set a default username and password by
setting a quadruplet with an empty identity string. This default username/password is only used
when a 401/407 response does not match the identity in any of the quadruplets for the given realm,
and may be an anonymous authentication as shown in the preceding example.
Applications that require only a single username/password pair per realm set only a single
quadruplet with an empty identity string. In this case the application would not set any quadruplets
that include non-empty identity strings.
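The following Python model of the quadruplet matching rules described above is an added illustration, not Dialogic's code (the Global Call library's own selection logic is not shown here). It uses the sample 401 header fields from this page, a constructed set of quadruplets, and the RFC 2617 response computation for qop=auth; the nc and cnonce values are constructed.

```python
import hashlib
import re
# Relevant header fields of a 401 Unauthorized response (the sample from this page).
RESPONSE_401 = {
    "From": "<sip:bob@example.com>;tag=0-13c4-4129f5f4-3bf3065a-7fc2",
    "WWW-Authenticate": 'Digest realm="atlanta.com", domain="sip:ss1.carrier.com", '
                        'qop="auth", nonce="f84f1cec41e6cbe5aea9c8e88d359", '
                        'opaque="", stale=FALSE, algorithm=MD5',
}

# Constructed {realm, identity, username, password} quadruplets registered by the application.
QUADRUPLETS = [
    ("atlanta.com", "sip:bob@example.com", "bob", "password1"),
    ("atlanta.com", "sip:alice@example.com", "alice", "password2"),
    ("atlanta.com", "", "anonymous", ""),          # realm default, like a classic triplet
    ("biloxi.com", "", "carol", "password3"),
]

def parse_challenge(value):
    """Parse Digest challenge parameters (quoted or bare values) into a dict."""
    params = {}
    for m in re.finditer(r'(\w+)=(?:"([^"]*)"|([^,\s]+))', value):
        key, quoted, bare = m.groups()
        params[key] = quoted if quoted is not None else bare
    return params

def from_uri(value):
    """Return the bare URI of a From header field value, without <> or parameters."""
    m = re.search(r"<([^>]+)>", value)
    return m.group(1) if m else value.split(";")[0].strip()

def matching_quadruplets(quadruplets, response):
    """Realm must equal the challenge realm; a non-empty identity must also equal the From URI."""
    realm = parse_challenge(response["WWW-Authenticate"]).get("realm")
    identity = from_uri(response["From"])
    return [q for q in quadruplets if q[0] == realm and q[1] in ("", identity)]

def select_credentials(quadruplets, response):
    """Prefer an identity-specific match; use the realm default only if no identity matched."""
    matches = matching_quadruplets(quadruplets, response)
    specific = [q for q in matches if q[1]]
    chosen = specific or matches
    return (chosen[0][2], chosen[0][3]) if chosen else None

def digest_response(username, password, challenge, method, uri, nc="00000001", cnonce="0a4f113b"):
    """RFC 2617 'response' value for qop=auth / algorithm=MD5 (nc and cnonce are constructed)."""
    md5 = lambda s: hashlib.md5(s.encode()).hexdigest()
    ha1 = md5(f"{username}:{challenge['realm']}:{password}")
    ha2 = md5(f"{method}:{uri}")
    return md5(f"{ha1}:{challenge['nonce']}:{nc}:{cnonce}:{challenge['qop']}:{ha2}")
```

With the sample response, both the bob-specific quadruplet and the realm default match, and bob's credentials are selected; a From URI with no registered identity falls back to the anonymous default, and an unknown realm yields no credentials at all.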
Applications that wish to use the authentication mechanism should configure the desired
authentication quadruplets before calling any function that may send a SIP request. Any 401 or 407
response that is received for a request that was sent before authentication quadruplets were
configured causes the call/request to be terminated and not re-sent by Global Call even if an