Extending SIP Authentication to exploit user credentials stored in existing authentication Databases

Stefano Salsano (1), Andrea Polidoro (1), Luca Veltri (2)
(1) DIE, University of Rome “Tor Vergata” - Italy
(2) Dpt. Information Engineering, University of Parma - Italy
E-mail: stefano.salsano@uniroma2.it, andrea.polidoro@uniroma2.it, luca.veltri@unipr.it

Abstract: The SIP protocol provides authentication and authorization of SIP requests through a challenge-response authentication scheme inherited from the HTTP protocol and named HTTP Digest Authentication. The current specification defines a particular algorithm for calculating the challenge response that uses the MD5 hash of a combination of user name, realm, and password. Unfortunately, many authentication systems keep the user credentials protected with a one-way function (usually a hash) in a way that is incompatible with the information required by the current HTTP Digest Authentication. Examples are the mechanisms used for storing passwords by the Unix OS, LDAP servers, or other applications. In this paper, we propose to extend the original HTTP Digest Authentication by adding a new and flexible scheme that uses an arbitrary hash function and an arbitrary combination of various information such as user name, realm, password, salt, and/or other data. The proposed authentication scheme has been implemented within two testbeds in which a SIP UA authenticates itself with a remote proxy server (acting as authenticator) that uses respectively an LDAP server or the users' password file of a Joomla Content Management System.

1. INTRODUCTION

The SIP (Session Initiation Protocol) [1] is the IETF standard for setting up, maintaining, and tearing down peer-to-peer sessions between two or more user agents (UAs).
SIP is currently used as the standard signaling protocol for VoIP (Voice-over-IP), Instant Messaging (IM), and conferencing applications, and has been adopted by the 3GPP (Third Generation Partnership Project) as the standard signaling protocol for real-time applications within the IP Multimedia Subsystem (IMS) of third generation mobile networks (UMTS) [3]. As specified in RFC 3261 [1], SIP uses the HTTP Digest Authentication mechanism for authenticating and authorizing users. The SIP servers that perform authentication/authorization usually access a database holding the users' credentials. This credential database can store either the clear-text password (rarely done, because of the security risk) or a non-revertible hash of the password computed in a way coherent with that used by HTTP Digest Authentication. The problem is that other user authentication/authorization mechanisms use different and incompatible ways to store non-revertible hashes of the password. This prevents reusing an existing database of user credentials to offer SIP-based services. Examples of password storage mechanisms that are not compatible with SIP Digest Authentication are those used by: i) LDAP servers, ii) UNIX with the shadow/password file, iii) Apache (and other systems) with the htpasswd file, iv) SQL databases. Therefore, at the current state of the art, if someone wants to offer SIP services to a community of users that is authenticated using one of the four mechanisms listed above, a separate SIP-specific database of credentials needs to be created. This may pose some logistic problems and create user discomfort. For this reason, in this paper we propose a set of authentication mechanisms for SIP that extend the one specified in RFC 3261 [1].
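The incompatibility described above, and the shape of the proposed fix, as an added illustration that is not the paper's code: a server holding only an LDAP-style salted SHA-1 entry cannot rebuild the MD5(user:realm:password) value that standard Digest needs, whereas letting the store's own hash over password and salt take the place of HA1 lets the same server verify the UA's response. The realm, salt, nonce and the way the challenge carries the algorithm name and salt are assumptions of this example.

```python
import hashlib

# Added illustration, not the paper's code. Realm, salt, nonce and the way the
# extended challenge carries "alg" and "salt" are assumptions for this example.

def ha1_rfc3261(user, realm, password):
    """Standard Digest HA1 = MD5(user:realm:password) (RFC 3261 / RFC 2617)."""
    return hashlib.md5(f"{user}:{realm}:{password}".encode()).hexdigest()

def digest_response(ha1, method, uri, nonce):
    """Digest response without qop: MD5(HA1:nonce:HA2), HA2 = MD5(method:uri)."""
    ha2 = hashlib.md5(f"{method}:{uri}".encode()).hexdigest()
    return hashlib.md5(f"{ha1}:{nonce}:{ha2}".encode()).hexdigest()

def ssha_store_entry(password, salt):
    """LDAP-style salted SHA-1: the store keeps only SHA1(password||salt) and salt."""
    return {"alg": "sha1", "salt": salt,
            "hash": hashlib.sha1(password.encode() + salt).hexdigest()}

def verify_standard(entry, method, uri, nonce, response):
    """Standard Digest needs HA1 = MD5(user:realm:password); an SSHA entry holds
    neither the password nor HA1, so the server cannot check the response (None)."""
    if "ha1" not in entry:
        return None
    return digest_response(entry["ha1"], method, uri, nonce) == response

def extended_ha1(challenge, password):
    """Extended scheme (assumed form): HA1 is replaced by the store's own one-way
    function, computed with the hash algorithm and salt named in the challenge."""
    h = hashlib.new(challenge["alg"])
    h.update(password.encode() + challenge["salt"])
    return h.hexdigest()

def client_response_extended(challenge, password, method, uri, nonce):
    """UA side: only the UA knows the password; the challenge supplies alg and salt."""
    return digest_response(extended_ha1(challenge, password), method, uri, nonce)

def verify_extended(entry, method, uri, nonce, response):
    """Server side: the stored hash plays the role of HA1, so the server verifies
    the response without ever holding the clear-text password."""
    return digest_response(entry["hash"], method, uri, nonce) == response

if __name__ == "__main__":
    entry = ssha_store_entry("s3cret", b"constructed-salt")  # real stores use a random salt
    method, uri, nonce = "REGISTER", "sip:alice@example.org", "constructed-nonce"
    challenge = {"alg": entry["alg"], "salt": entry["salt"]}
    resp = client_response_extended(challenge, "s3cret", method, uri, nonce)
    print("standard Digest against SSHA store:", verify_standard(entry, method, uri, nonce, resp))
    print("extended scheme:", verify_extended(entry, method, uri, nonce, resp))
```

Note that in this form the stored hash itself becomes the long-term secret the server compares against, exactly as HA1 is in standard Digest, so the credential store deserves the same protection in both cases.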
These algorithms use specific hash algorithms and a combination of various data such as user name, realm, password, salt, and/or other information, in order to interoperate with the storage of credentials in existing authentication/authorization mechanisms. This work was driven by two specific application scenarios that we had to face. The first scenario was a wireless VoIP application, to be realized on top of an already deployed WiFi authentication infrastructure. The WiFi authentication infrastructure relied on LDAP servers for storing the passwords, and a set of users was already in the LDAP database. The advantage of reusing the same authentication is evident. The second scenario relates to a research project named “Simple Mobile Services” (funded by the EC) [2]. In this project we have developed a communication middleware based on SIP [10] to exchange messages among a set of mobile terminals and servers. In order to provide web-based interaction, a web portal is realized using the open source Content Management System (CMS) Joomla. Each user needs to be authenticated and authorized to access services on the Joomla web portal. At the same time, the user’s mobile terminal uses a SIP UA that needs to be authenticated in order to use the middleware facilities and be able to send/receive messages. It was again natural to desire a single, integrated handling of user credentials, and in particular to re-

This work has been partially supported by the Italian Ministry for University and Research (MIUR) within the project PROFILES under the PRIN 2006 research program.

Authorized licensed use limited to: Universita degli Studi di Roma. Downloaded on June 4, 2009 at 17:40 from IEEE Xplore. Restrictions apply.