https://www.vocal.com/sip-2/sip-user-authentication/

https://tools.ietf.org/html/rfc3261

SIP User Authentication

There are two forms of authentication in SIP – authentication of a user agent (UA) by a proxy, redirect, or registration server and authentication of one UA by another. With Transport Layer Security (TLS), mutual authentication of proxies or a proxy and UA is accomplished using certificates. Authentication is used to allow only authorized access to a service or feature and prevent malicious or unauthorized use by other applications.

Digest Authentication

Digest authentication is a simple challenge/response method based on HTTP. For RFC 2069, it employs a MD5 hash algorithm to encode the username, realm, password, digest URI, and server generated nonce as follows:

  • H1 = MD5(username : realm : password)
  • H2 = MD5(method : digestURI)
  • Response = MD5(H1 : nonce : H2)

RFC 2617 added a client generated nonce and quality of protection (QoP) to improve security as follows:

  • Response = MD5(H1 : nonce : nonceCount : nonceClient : QoP : H2)

SIP Proxy and User Authentication

As depicted in the figure, the message flow for both proxy and user agent authentication is illustrated. The initial INVITE is challenged with a 407 Proxy authorization required. The UA responds with an ACK and then reissues the INVITE containing the authentication credentials. The next proxy server or end UA responds with a 401 Unauthorized message back to the source UA to again reissue the INVITE with the proper authentication credentials and complete the authentication process.

说明:

sip的认证算法真的是采用的这个算法:

  • H1 = MD5(username : realm : password)
  • H2 = MD5(method : digestURI)
  • Response = MD5(H1 : nonce : H2)

其中,

realm 为事先就确定好的,realm及nonce 为服务器在告诉UA需要认证时给UA的;

method 为服务器给UA一些Digest算法选项,然后由UA选一种。

digestURI 为UA需要到达的目的地;示例如下(这是设备192.168.23.113上的2004拨打2007的invite信令):

Via: SIP/2.0/UDP 192.168.23.113:;branch=z9hG4bK.rxkOqoU6K;rport
From: "sabresd" <sip:@192.168.23.100>;tag=i-ljgBYGN
To: sip:@192.168.23.100
CSeq: INVITE
Call-ID: c2kQFPZtPJ
Max-Forwards:
Supported: replaces, outbound
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, NOTIFY, MESSAGE, SUBSCRIBE, INFO, UPDATE
Content-Type: application/sdp
Content-Length:
Contact: <sip:@192.168.23.113;transport=udp>;+sip.instance="<urn:uuid:b13bc5f4-aefc-412f-b586-7a409b46e058>"
User-Agent: LinphoneAndroid/ (belle-sip/1.5.)
Authorization: Digest realm="asterisk", nonce="1007a06b", algorithm=MD5, username="", uri="sip:2007@192.168.23.100", response="45316d80ffca2b4094333af2631d0c9f" v=
o= IN IP4 192.168.23.113
s=Talk
c=IN IP4 192.168.23.113
b=AS:
t=
a=rtcp-xr:rcvr-rtt=all: stat-summary=loss,dup,jitt,TTL voip-metrics
m=audio RTP/AVP
a=rtpmap: opus//
a=fmtp: useinbandfec=
a=rtpmap: SILK/
a=rtpmap: speex/
a=fmtp: vbr=on
a=rtpmap: speex/
a=fmtp: vbr=on
a=rtpmap: telephone-event/
a=rtpmap: telephone-event/
a=rtpmap: telephone-event/
m=video RTP/AVP
a=rtpmap: H264/
a=fmtp: profile-level-id=42801F
a=rtcp-fb: nack pli
a=rtcp-fb: ccm fir

从上可以看出,此处的invite信令是要邀请sip:2007@192.168.23.100,因此digestURI即为"sip:2007@192.168.23.100"。

其中,Via的结构是 sip协议/sip版本/UDP,Via里的 192.168.23.113:5060 表示此信息从哪里发送的,此信息的responce应该带上此信息,服务器回复此信息的时候其Via里也需要带其收到的该信息,不需要改动,由此来表明此信息的目的地,因此非目的地设备收到此信息时可以忽略该信息。

sip user Authentication and 401的更多相关文章

  1. [原]openstack-kilo--issue(十三)Unauthorized: The request you have made requires authentication. (HTTP 401) (Request

    在运行nova-list 的时候发现报错401:如下面 ========>>>>>>>>> 正常显示 [root@controller ~]# n ...

  2. 在安装Openstack的keystone认证服务时,出现The request you have made requires authentication. (HTTP 401) (Request-ID: req-f94bebba-f0c5-4a92-85问题的处理

      创建openstack的keystone认证服务器报错: The request you have made requires authentication. (HTTP 401) (Reques ...

  3. devstack 使用openstack命令报错 The request you have made requires authentication. (HTTP 401) Missing value auth-url required for auth plugin password

    关联错误: The request you have made requires authentication. (HTTP 401) (Request-ID: req-88ad2cba-0f2d-4 ...

  4. sip 注册流程

    基本注册流程示意图: 注册流程描述如下: 1.         SIP代理向SIP服务器发送REGISTER请求: 2.         SIP服务器向SIP代理发送响应401,并在响应的消息头WWW ...

  5. node.js实现国标GB28181设备接入的sip服务器解决方案

    方案背景 在介绍GB28181接入服务器的方案前,咱们先大概给大家介绍一下为什么我们选择了用nodejs开发国标GB28181的服务,我大概给很多人介绍过这个方案,大部分都为之虎躯一震,nodejs在 ...

  6. RFC3261--sip

    本文转载自 http://www.ietf.org/rfc/rfc3261.txt 中文翻译可参考 http://wenku.baidu.com/view/3e59517b1711cc7931b716 ...

  7. http-code 未译

    1xx Informational Request received, continuing process. This class of status code indicates a provis ...

  8. Fiddler实战深入研究(二)

    Fiddler实战深入研究(二) 阅读目录 Fiddler不能捕获chrome的session的设置 理解数据包统计 请求重定向(AutoResponder) Composer选项卡 Filters选 ...

  9. 就是这么简单!使用Rest-assured 测试Restful Web Services

    使用 Rest-assured 测试 Restful Web Services 转载注明出处: http://www.cnblogs.com/wade-xu/p/4298819.html 这里向大家介 ...

随机推荐

  1. jQuery-使页面回到顶部

    <!DOCTYPE html> <html lang="en"> <head> <meta charset="UTF-8&quo ...

  2. 【Excel】【Salesforce】函数拓展

    1.if 2.vlookup

  3. C#与.net 入门

    C# 语言和 .NET Framework 介绍 https://docs.microsoft.com/zh-cn/dotnet/csharp/getting-started/introduction ...

  4. IDEA 导入Module,多个Module在同一个Project 下显示

    之前导入过,隔断时间就忘记了,干脆记下来,免得后续找的麻烦 此文章转载自: https://blog.csdn.net/yyym520/article/details/77527976 1.打开IDE ...

  5. PHP实现微信对账单处理

    最近要做支付对账,即检查第三方支付与数据库中账单是否一一对应,涉及到微信对账单的处理,成功时,微信账单接口返回数据以文本表格的方式返回,第一行为表头,后面各行为对应的字段内容,字段内容跟查询订单或退款 ...

  6. ElasticSearch(十二):Spring Data ElasticSearch 的使用(二)

    在前一篇博文中,创建了Spring Data Elasticsearch工程,并且进行了简单的测试,此处对Spring Data Elasticsearch进行增删改查的操作. 1.增加 在之前工程的 ...

  7. Linux服务-rsync

    目录 1. rsync简介 2. rsync特性 3. rsync的ssh认证协议 4. rsync命令 5. rsync+inotify Linux服务-rsync 1. rsync简介 rsync ...

  8. mysql where 1

    where后跟各种查询条件,当条件为真时即可查询出记录.在这里where 1,1为真,也就是where后的条件为真,查询表中所有内容. SELECT * FROM `sdb_pam_members` ...

  9. beta版本——第三次冲刺

    第三次冲刺 (1)SCRUM部分☁️ 成员描述: 姓名 李星晨 完成了哪个任务 认证学校那一栏增加检测机制的ui设计 花了多少时间 1h 还剩余多少时间 1h 遇到什么困难 没有困难 这两天解决的进度 ...

  10. Linux的rwx