Transcript SIP Authentication and H.350 Presented at the Internet2 Spring

SIP Authentication and H.350
Presented at the Internet2 Spring 2005
Member Meeting
Larry Amiot
Northwestern University
What You Need
• A SIP client with a UID and password
• A SIP Proxy Server with which to register
(authenticate)
• Unless the SIP Proxy Server has an
internal database, a server that holds the
authentication information
• Systems that all understand the same
method of authentication
Some methods of authentication
•
•
•
•
Digest
Kerberos
NTLM
Basic
Problem- Not all clients and SIP Proxy Servers
understand and use the same methods of
authentication although the SIP standard does
specify “Digest” as the method of choice! Basic
is specifically not allowed.
An Example from Northwestern
University
• IPTEL SER SIP Server (Linux)
– SER uses digest for authentication
– Has internal SQL database, but we “catch” failures
and use NU written Perl code to authenticate against
H.350
• Wave3 or Windows Messenger client
• H.350 server with SIPIdentity defined for user
• Wrote Perl code to store UserID/Passwd in
H.350 as well as other SIPIdentity parameters
SIPIdentity
• SIPIdentityUserName
• SIPIdentityPassword
• SIPIdentityProxyAddress
• SIPIdentityRegistrarAddress
• SIPIdentityAddress
• SIPIdentitySIPURI
SIP Client
SER Proxy
H.350 Server
Registration Request
Authentication Challenge
with nounce
MD5(nounce,MD5(passwd))
Request Password
MD5(password)
Compare calculated and received
MD5(nounce, MD5(passwd))
Authenticated (or not)
What’s Next
• Phase 1- Implement SSL for transmitting
UserID/Passwds from H.350 to SIP Proxy
Server
• Phase 2
– Use Northwestern NetID/Passwds
– Transmit NetID/Passwds to H.350 using
SNAP/Keberos
– Transmit NetID/Passwds from H.350 to SIP
Proxy Server using Kerberos