Extending SIP authentication to exploit user credentials stored in existing authentication databases

The SIP protocol provides authentication and authorization of SIP requests through a challenge-response authentication scheme inherited by the HTTP protocol and named HTTP Digest Authentication. The current specification defines a particular algorithm for calculating the challenge response that uses the MD5 hash of a combination of user name, realm, and password. Unfortunately, a lot of authentication systems maintain the user credentials protected with a one-way function (usually a hash) in a way that is incompatible with the information required by the current HTTP Digest Authentication. Some examples are given by the mechanisms used for storing passwords by the Unix OS, LDAP servers, or other applications. In this paper, we propose to extends the original HTTP Digest Authentication by adding a new and flexible scheme that uses an arbitrary hash function and an arbitrary combination of various information such as user name, realm, password, salt, and/or other data. The proposed authentication scheme has been implemented within two testbeds in which a SIP UA authenticates itself with a remote proxy server (acting as authenticator) that uses respectively a LDAP server or a userspsila password file of a Joomla Content Management System.