Digest Authentication with SIP

Digest authentication for Session Initiation Protocol (SIP) is a type of security feature on the Oracle® Enterprise Session Border Controller that provides a minimum level of security for basic Transport Control Protocol (TCP) and User Datagram Protocol (UDP) connections. Digest authentication verifies that both parties on a connection (host and endpoint client) know a shared secret (a password). This verification can be done without sending the password in the clear.

Digest authentication is disabled by default on the Oracle® Enterprise Session Border Controller. When digest authentication is enabled, the Oracle® Enterprise Session Border Controller (host) responds to authentication challenges from SIP trunking Service Providers (endpoint client). The Oracle® Enterprise Session Border Controller performs authentication for each IP-PBX initiating the call. However, the authentication challenge process takes place between the host and the client only since the IP-PBX cannot handle authentication challenges. The following illustration shows the digest authentication process.

The digest authentication scheme is based on a simple challenge-response paradigm. A valid response contains a checksum (by default, the MD5 checksum) of the “username” and password. In this way, the password is never sent in the clear.

By default, the Oracle® Enterprise Session Border Controller uses cached credentials for all requests within the same dialog, once the authentication session is established with a 200OK from the authenticating SIP element. If the in-dialog-methods attribute contains a value, it specifies the requests that have challenge-responses inserted within a dialog.

In digest authentication with SIP, the following can happen:

  • More than one authenticating SIP element (IP-PBX) may be the destination of requests.
  • More than one authentication challenge can occur in a SIP message. This can occur when there are additional authenticating SIP elements behind the first authenticating SIP element.
  • The Oracle® Enterprise Session Border Controller distinguishes whether the IP-PBX is capable of handling the challenge. If Digest Authentication is disabled (no auth-attributes configured) on the Session Agent, the challenge is passed back to the IP-PBX.

    Note:

    If there are multiple challenges in the request, and if the Oracle® Enterprise Session Border Controller has only some of the cached credentials configured, the Oracle® Enterprise Session Border Controller adds challenge-responses for the requests it can handle, and does not pass the challenge back to the IP-PBX.
Previous
Previous 		Next
Next
Go To Table Of Contents
Contents