Digest Authentication with SIP

Digest authentication for Session Initiation Protocol (SIP) is a type of security feature on the Oracle Communications Session Border Controller that provides a minimum level of security for basic Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) connections. Digest authentication verifies that both parties on a connection (host and endpoint client) know a shared secret (a password). This verification can be done without sending the password in the clear.

Digest authentication is disabled by default on the Oracle Communications Session Border Controller. When digest authentication is enabled, the Oracle Communications Session Border Controller (host) responds to authentication challenges from SIP trunking Service Providers (endpoint client). The Oracle Communications Session Border Controller performs authentication for each IP-PBX initiating the call. However, the authentication challenge process takes place between the host and the client only since the IP-PBX cannot handle authentication challenges. The following illustration shows the digest authentication process.

[Figure: call flow of the SIP digest authentication process]

The digest authentication scheme is based on a simple challenge-response paradigm. A valid response contains a checksum (by default, the MD5 checksum) of the “username” and password. In this way, the password is never sent in the clear.

By default, the Oracle Communications Session Border Controller uses cached credentials for all requests within the same dialog once the authentication session is established with a 200 OK from the authenticating SIP element. If the in-dialog-methods attribute contains a value, it specifies the requests that have challenge-responses inserted within a dialog.

In digest authentication with SIP, the following can happen:

  • More than one authenticating SIP element (IP-PBX) may be the destination of requests.
  • More than one authentication challenge can occur in a SIP message. This can occur when there are additional authenticating SIP elements behind the first authenticating SIP element.
  • The Oracle Communications Session Border Controller distinguishes whether the IP-PBX is capable of handling the challenge. If Digest Authentication is disabled (no auth-attributes configured) on the Session Agent, the challenge is passed back to the IP-PBX.

    Note:

    If there are multiple challenges in the request, and if the Oracle Communications Session Border Controller has only some of the cached credentials configured, the Oracle Communications Session Border Controller adds challenge-responses for the requests it can handle, and does not pass the challenge back to the IP-PBX.
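The challenge-response computation and the multiple-challenge case described above, as an added example (not Oracle's code and not part of the original page). It follows the RFC 2617 MD5 digest calculation that SIP uses; the realms, nonces, user name, password and the `answer_challenges` helper are constructed for illustration.

```python
import hashlib
import re
import secrets

def md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()

def parse_challenge(value):
    """Parse the value of a WWW-Authenticate or Proxy-Authenticate header."""
    scheme, _, params = value.strip().partition(" ")
    if scheme.lower() != "digest":
        raise ValueError("not a Digest challenge")
    pairs = re.findall(r'(\w+)\s*=\s*(?:"([^"]*)"|([^\s,]+))', params)
    return {key.lower(): quoted or bare for key, quoted, bare in pairs}

def digest_response(ch, username, password, method, uri, cnonce, nc="00000001"):
    """RFC 2617 response value: only hashes derived from the password are returned."""
    if ch.get("algorithm", "MD5").upper() != "MD5":
        raise ValueError("only algorithm=MD5 is handled in this example")
    ha1 = md5_hex(f"{username}:{ch['realm']}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    qops = [q.strip() for q in ch.get("qop", "").split(",") if q.strip()]
    if "auth" in qops:
        return md5_hex(f"{ha1}:{ch['nonce']}:{nc}:{cnonce}:auth:{ha2}")
    if qops:
        raise ValueError("challenge offers no qop this example supports")
    return md5_hex(f"{ha1}:{ch['nonce']}:{ha2}")  # form used when no qop is offered

def answer_challenges(header_values, credentials, method, uri, cnonce=None):
    """Answer each challenge whose realm has stored credentials; list the rest."""
    cnonce = cnonce or secrets.token_hex(8)
    answered, unanswered = {}, []
    for value in header_values:
        ch = parse_challenge(value)
        if ch["realm"] in credentials:
            user, pw = credentials[ch["realm"]]
            answered[ch["realm"]] = digest_response(ch, user, pw, method, uri, cnonce)
        else:
            unanswered.append(ch["realm"])
    return answered, unanswered

# Constructed sample: two challenges in one response, credentials for only one realm.
CHALLENGES = [
    'Digest realm="sp.example.net", nonce="f84f1cec41e6cbe5aea9c8e88d359", qop="auth", algorithm=MD5',
    'Digest realm="core.example.org", nonce="3bd76584a1c0e2b7"',
]
CREDENTIALS = {"sp.example.net": ("trunk-user", "constructed-secret")}

if __name__ == "__main__":
    print(answer_challenges(CHALLENGES, CREDENTIALS, "INVITE", "sip:+15550100@sp.example.net"))
```

Because the response depends on the server's nonce, the method and the request URI, a captured response cannot be reused for a different challenge or request.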