sip user Authentication and 401
https://www.vocal.com/sip-2/sip-user-authentication/
https://tools.ietf.org/html/rfc3261
SIP User Authentication
There are two forms of authentication in SIP – authentication of a user agent (UA) by a proxy, redirect, or registration server and authentication of one UA by another. With Transport Layer Security (TLS), mutual authentication of proxies or a proxy and UA is accomplished using certificates. Authentication is used to allow only authorized access to a service or feature and prevent malicious or unauthorized use by other applications.
Digest Authentication
Digest authentication is a simple challenge/response method based on HTTP. For RFC 2069, it employs a MD5 hash algorithm to encode the username, realm, password, digest URI, and server generated nonce as follows:
- H1 = MD5(username : realm : password)
- H2 = MD5(method : digestURI)
- Response = MD5(H1 : nonce : H2)
RFC 2617 added a client generated nonce and quality of protection (QoP) to improve security as follows:
- Response = MD5(H1 : nonce : nonceCount : nonceClient : QoP : H2)
SIP Proxy and User Authentication
As depicted in the figure, the message flow for both proxy and user agent authentication is illustrated. The initial INVITE is challenged with a 407 Proxy authorization required. The UA responds with an ACK and then reissues the INVITE containing the authentication credentials. The next proxy server or end UA responds with a 401 Unauthorized message back to the source UA to again reissue the INVITE with the proper authentication credentials and complete the authentication process.
说明:
sip的认证算法真的是采用的这个算法:
- H1 = MD5(username : realm : password)
- H2 = MD5(method : digestURI)
- Response = MD5(H1 : nonce : H2)
其中,
realm 为事先就确定好的,realm及nonce 为服务器在告诉UA需要认证时给UA的;
method 为服务器给UA一些Digest算法选项,然后由UA选一种。
digestURI 为UA需要到达的目的地;示例如下(这是设备192.168.23.113上的2004拨打2007的invite信令):
Via: SIP/2.0/UDP 192.168.23.113:;branch=z9hG4bK.rxkOqoU6K;rport
From: "sabresd" <sip:@192.168.23.100>;tag=i-ljgBYGN
To: sip:@192.168.23.100
CSeq: INVITE
Call-ID: c2kQFPZtPJ
Max-Forwards:
Supported: replaces, outbound
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, NOTIFY, MESSAGE, SUBSCRIBE, INFO, UPDATE
Content-Type: application/sdp
Content-Length:
Contact: <sip:@192.168.23.113;transport=udp>;+sip.instance="<urn:uuid:b13bc5f4-aefc-412f-b586-7a409b46e058>"
User-Agent: LinphoneAndroid/ (belle-sip/1.5.)
Authorization: Digest realm="asterisk", nonce="1007a06b", algorithm=MD5, username="", uri="sip:2007@192.168.23.100", response="45316d80ffca2b4094333af2631d0c9f" v=
o= IN IP4 192.168.23.113
s=Talk
c=IN IP4 192.168.23.113
b=AS:
t=
a=rtcp-xr:rcvr-rtt=all: stat-summary=loss,dup,jitt,TTL voip-metrics
m=audio RTP/AVP
a=rtpmap: opus//
a=fmtp: useinbandfec=
a=rtpmap: SILK/
a=rtpmap: speex/
a=fmtp: vbr=on
a=rtpmap: speex/
a=fmtp: vbr=on
a=rtpmap: telephone-event/
a=rtpmap: telephone-event/
a=rtpmap: telephone-event/
m=video RTP/AVP
a=rtpmap: H264/
a=fmtp: profile-level-id=42801F
a=rtcp-fb: nack pli
a=rtcp-fb: ccm fir
从上可以看出,此处的invite信令是要邀请sip:2007@192.168.23.100,因此digestURI即为"sip:2007@192.168.23.100"。
其中,Via的结构是 sip协议/sip版本/UDP,Via里的 192.168.23.113:5060 表示此信息从哪里发送的,此信息的responce应该带上此信息,服务器回复此信息的时候其Via里也需要带其收到的该信息,不需要改动,由此来表明此信息的目的地,因此非目的地设备收到此信息时可以忽略该信息。
sip user Authentication and 401的更多相关文章
- [原]openstack-kilo--issue(十三)Unauthorized: The request you have made requires authentication. (HTTP 401) (Request
在运行nova-list 的时候发现报错401:如下面 ========>>>>>>>>> 正常显示 [root@controller ~]# n ...
- 在安装Openstack的keystone认证服务时,出现The request you have made requires authentication. (HTTP 401) (Request-ID: req-f94bebba-f0c5-4a92-85问题的处理
创建openstack的keystone认证服务器报错: The request you have made requires authentication. (HTTP 401) (Reques ...
- devstack 使用openstack命令报错 The request you have made requires authentication. (HTTP 401) Missing value auth-url required for auth plugin password
关联错误: The request you have made requires authentication. (HTTP 401) (Request-ID: req-88ad2cba-0f2d-4 ...
- sip 注册流程
基本注册流程示意图: 注册流程描述如下: 1. SIP代理向SIP服务器发送REGISTER请求: 2. SIP服务器向SIP代理发送响应401,并在响应的消息头WWW ...
- node.js实现国标GB28181设备接入的sip服务器解决方案
方案背景 在介绍GB28181接入服务器的方案前,咱们先大概给大家介绍一下为什么我们选择了用nodejs开发国标GB28181的服务,我大概给很多人介绍过这个方案,大部分都为之虎躯一震,nodejs在 ...
- RFC3261--sip
本文转载自 http://www.ietf.org/rfc/rfc3261.txt 中文翻译可参考 http://wenku.baidu.com/view/3e59517b1711cc7931b716 ...
- http-code 未译
1xx Informational Request received, continuing process. This class of status code indicates a provis ...
- Fiddler实战深入研究(二)
Fiddler实战深入研究(二) 阅读目录 Fiddler不能捕获chrome的session的设置 理解数据包统计 请求重定向(AutoResponder) Composer选项卡 Filters选 ...
- 就是这么简单!使用Rest-assured 测试Restful Web Services
使用 Rest-assured 测试 Restful Web Services 转载注明出处: http://www.cnblogs.com/wade-xu/p/4298819.html 这里向大家介 ...
随机推荐
- MySQL MHA候选主库选择
MHA在选择新主库时,会将所有存活的从库分为下面几类: 存活从库数组:挑选所有存活的从库 最新从库数组: 挑选Master_Log_File+Read_Master_Log_Pos最高的从库 优选从库 ...
- unittest管理接口用例(数据分离-读取excel)
1.简单读取 #coding=utf-8 #调用封装好的excel读取公共方法 from python_API.common.ReadExcel import ReadExcel import req ...
- Web开发之跨域问题
最近在工作上遇到了跨域方面的问题,借此温习巩固. 跨域是受到浏览器的同源策略引起的,为了防止某些文档或脚本加载别的域下的未知内容造成泄露隐私,破坏系统等安全行为. 那什么是同源的呢? 同源是指:应用协 ...
- SHELL脚本编程-字符串处理
SHELL脚本编程-字符串处理 作者:尹正杰 版权声明:原创作品,谢绝转载!否则将追究法律责任. 一.字符串切片 [root@node101.yinzhengjie.org.cn ~]# echo { ...
- MySQL安装-glibc方式安装
MySQL安装-glibc方式安装 版本说明:这里安装版本为MySQL-5.7系列的 mysql-5.7.27-linux-glibc2.12-x86_64.tar.gz 步骤 下载软件包 官网下载 ...
- Jquery的$(document).click() 在iphone手机上失效的问题
click事件和 touchstart事件共存 安卓IOS手机都适用 $(document).on("click touchstart", ".demo", f ...
- Alpha冲刺(10/10)——追光的人
1.队友信息 队员学号 队员博客 221600219 小墨 https://www.cnblogs.com/hengyumo/ 221600240 真·大能猫 https://www.cnblogs. ...
- SQL中的trim函数
Oracle TRIM函数是很常见的函数,下面对Oracle TRIM函数的语法作了详尽的阐述说明,希望可以让您对Oracle TRIM函数有更深的认识. 如果提到Oracle TRIM函数,最简单的 ...
- django-mysql事务
django文档:https://yiyibooks.cn/xx/django_182/topics/db/transactions.html mysql事务 1) 事务概念 一组mysql语句,要么 ...
- 36氪首发 | 掘金RPA百亿新蓝海,弘玑Cyclone获DCM、源码千万美元A轮融资
https://36kr.com/p/5213638?ktm_source=feed 在“没风口”的2019年,RPA算是一个“小风口”了. 36氪了解到,近日国内数家RPA公司已完成或即将完成融资, ...