SIP Authentication and H.350 Presented at the Internet2 Spring 2005 Member Meeting

1. SIP Authentication and H.350Presented at the Internet2 Spring 2005 Member Meeting Larry Amiot Northwestern University

2. What You Need • A SIP client with a UID and password • A SIP Proxy Server with which to register (authenticate) • Unless the SIP Proxy Server has an internal database, a server that holds the authentication information • Systems that all understand the same method of authentication

3. Some methods of authentication • Digest • Kerberos • NTLM • Basic Problem- Not all clients and SIP Proxy Servers understand and use the same methods of authentication although the SIP standard does specify “Digest” as the method of choice! Basic is specifically not allowed.

4. An Example from Northwestern University • IPTEL SER SIP Server (Linux) • SER uses digest for authentication • Has internal SQL database, but we “catch” failures and use NU written Perl code to authenticate against H.350 • Wave3 or Windows Messenger client • H.350 server with SIPIdentity defined for user • Wrote Perl code to store UserID/Passwd in H.350 as well as other SIPIdentity parameters

5. SIPIdentity • SIPIdentityUserName • SIPIdentityPassword • SIPIdentityProxyAddress • SIPIdentityRegistrarAddress • SIPIdentityAddress • SIPIdentitySIPURI

6. Compare calculated and received MD5(nounce, MD5(passwd)) SIP Client SER Proxy H.350 Server Registration Request Authentication Challenge with nounce MD5(nounce,MD5(passwd)) Request Password MD5(password) Authenticated (or not)

7. What’s Next • Phase 1- Implement SSL for transmitting UserID/Passwds from H.350 to SIP Proxy Server • Phase 2 • Use Northwestern NetID/Passwds • Transmit NetID/Passwds to H.350 using SNAP/Keberos • Transmit NetID/Passwds from H.350 to SIP Proxy Server using Kerberos