Proving it with SIP Authentication

My name is Andrew Prokop and I live in Saint Paul, Minnesota.  I have brown hair and green eyes.  I grew up in Arizona and still think of the Sonoran desert as my second home.

I could go on and on with these so-called “facts” about me, but how do you know what’s true and what’s not?  Unless you know me in real life, the chances are that you don’t.  I could tell you anything I wanted to and unless you did some investigation you would have no idea if it was true or not.

All of which leads me to SIP.  This is a SIP blog, after all.  I could send you a SIP Invite asking you to join in a voice conversation, but how would you know that I, the real Andrew Prokop, was sending that message and not someone pretending to be me?   I suppose you could answer the call and listen to my voice to make your determination, but how many of you know what I sound like?  A video call wouldn’t help all that much either unless you knew me well enough to pick me out of a lineup.

The creators of SIP recognized that problem and built in a method to verify that the sender of a SIP message was in fact the real deal.  It goes like this.   Let’s say that my SIP phone sends an Invite message with a “To” of and a “From” of   Rather than bwilson simply accepting that I am aprokop, SIP makes me prove it.

That prove it comes in the form of a “407 Proxy Authentication Required” SIP response message.  Inside that 407 message will be a “WWW-Authenticate” header which contains everything that the alleged aprokop needs to encrypt his credentials (which might be an Active Directory password) and return them in another Invite.   At that point bwilson (or rather the SIP Proxy acting on behalf of bwilson) will check the returned credentials against aprokop’s actual credentials (e.g. do a password lookup) and either accept or reject the new Invite.

You might be thinking to yourself, “What would prevent someone from sniffing the LAN, grabbing aprokop’s credentials, and using them in a subsequent spoofed Invite?”  Actually, nothing.  Unless the message itself was encrypted, anyone can use something like Wireshark to acquire the encrypted credentials and attempt to use them.  The problem is that those credentials are only good for that single transaction.

The WWW-Authenticate contains something called a Nonce (Number Once) that can only be used one time.  Every 407 challenge will contain a unique Nonce which means any data encrypted with it as only good for a single transaction.   Those encrypted credentials become completely worthless after a single use.

Don’t Stop Now

Now, after spending all that effort to ensure that aprokop is really aprokop, isn’t just as important to guarantee that bwilson is in reality bwilson?  Absolutely and SIP allows for that, too.  In order for bwilson to be accessible he needs to register his client with a SIP Register message.  Like that Invite, the Register message can be challenged and bwilson will have to prove who he is before a proxy will route calls to him.

This extends to all SIP messages.  Every request can and should be challenged.  You don’t want people writing malicious software that goes around hanging up calls by sending out phony Bye messages.  Your SIP system needs to challenge them.

The same goes for the Message request which is used for instant message and the Refer message which is used to transfer sessions.  Challenge everything and you can be assured that Andrew Prokop really is Andrew Prokop no matter what he is trying to do.

However, this still doesn’t prove that I have green eyes.  Of course, I am an honest man and you can definitely trust me.  Honest.  Really.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: