一、回顧SIP Register的認證過程
- Client(通常是話機)向REG Server(一般是OpenSIPS或Freeswitch)發起REGISTER注冊請求(注:此時發送的請求里,只有一些用戶名、客戶端類型之類的普通信息)
- REG Server收到請求后,發現里面沒有Digest等安全相關的摘要信息,直接返回401(未授權),同時會附加額外的安全信息(比如:realm/nonce/algorithm/qop)
- Client收到401拒絕返回后,根據服務端返回的realm/nonce/algorithm/qop信息,結合自己的password,計算出一個最終的response digiest(注:是一個md5值),重新發起第2次REGISTER,並附帶上response digest等認證相關信息。
- REG Server根據Client發過來的Authorization認證信息進行校驗,如果校驗通過,則返回200 OK,認證通過
二、認證過程中的SIP信令(報文)
這里介紹二種查看REGISTER過程SIP信令的方法:
2.1 打開FreeSwitch的SIP trace功能
sofia profile internal siptrace on|off
在FreeSwitch控制台中,輸入上面的命令行(on為打開,off為關閉),然后用Client(比如:免費開源軟電話MicroSIP)注冊,此時FreeSwitch中會輸出4段SIP報文,分別對應認證過程中的4個階段,類似下面這樣:
第1段 REGISTER(Client → FreeSwitch)
recv 647 bytes from tcp/[10.32.26.25]:51696 at 02:14:58.914917: ------------------------------------------------------------------------ REGISTER sip:10.32.26.25:5070;transport=tcp SIP/2.0 Via: SIP/2.0/TCP 10.32.26.25:51696;rport;branch=z9hG4bKPj8d4db68b24754f539dbf3b563a44fe55;alias Max-Forwards: 70 From: <sip:1000@10.32.26.25>;tag=89aefb1f3fc0413283a453eda5407f60 To: <sip:1000@10.32.26.25> Call-ID: 1e7af0e67a5044658fc7f6716d329642 CSeq: 36850 REGISTER User-Agent: MicroSIP/3.20.3 Supported: outbound, path Contact: <sip:1000@10.32.26.25:51696;transport=TCP;ob>;reg-id=1;+sip.instance="<urn:uuid:00000000-0000-0000-0000-000011058e7e>" Expires: 300 Allow: PRACK, INVITE, ACK, BYE, CANCEL, UPDATE, INFO, SUBSCRIBE, NOTIFY, REFER, MESSAGE, OPTIONS Content-Length: 0
第2段 401 Unauthorized(FreeSwitch → Client)
send 670 bytes to tcp/[10.32.26.25]:51696 at 02:14:58.918913: ------------------------------------------------------------------------ SIP/2.0 401 Unauthorized Via: SIP/2.0/TCP 10.32.26.25:51696;rport=51696;branch=z9hG4bKPj8d4db68b24754f539dbf3b563a44fe55;alias From: <sip:1000@10.32.26.25>;tag=89aefb1f3fc0413283a453eda5407f60 To: <sip:1000@10.32.26.25>;tag=Q0m1g96BS3vpa Call-ID: 1e7af0e67a5044658fc7f6716d329642 CSeq: 36850 REGISTER User-Agent: FreeSWITCH-mod_sofia/1.6.18+git~20170612T211449Z~6e79667c0a~64bit Allow: INVITE, ACK, BYE, CANCEL, OPTIONS, MESSAGE, INFO, UPDATE, REGISTER, REFER, NOTIFY, PUBLISH, SUBSCRIBE Supported: timer, path, replaces WWW-Authenticate: Digest realm="10.32.26.25", nonce="bee3366b-cf59-476e-bc5e-334e0d65b386", algorithm=MD5, qop="auth" Content-Length: 0
第3段 REGISTER (第2次 Client → FreeSwitch)
recv 921 bytes from tcp/[10.32.26.25]:51696 at 02:14:58.925916: ------------------------------------------------------------------------ REGISTER sip:10.32.26.25:5070;transport=tcp SIP/2.0 Via: SIP/2.0/TCP 10.32.26.25:51696;rport;branch=z9hG4bKPj414de93b6fd34f21a9c453d81117fee2;alias Max-Forwards: 70 From: <sip:1000@10.32.26.25>;tag=89aefb1f3fc0413283a453eda5407f60 To: <sip:1000@10.32.26.25> Call-ID: 1e7af0e67a5044658fc7f6716d329642 CSeq: 36851 REGISTER User-Agent: MicroSIP/3.20.3 Supported: outbound, path Contact: <sip:1000@10.32.26.25:51696;transport=TCP;ob>;reg-id=1;+sip.instance="<urn:uuid:00000000-0000-0000-0000-000011058e7e>" Expires: 300 Allow: PRACK, INVITE, ACK, BYE, CANCEL, UPDATE, INFO, SUBSCRIBE, NOTIFY, REFER, MESSAGE, OPTIONS Authorization: Digest username="1000", realm="10.32.26.25", nonce="bee3366b-cf59-476e-bc5e-334e0d65b386", uri="sip:10.32.26.25:5070;transport=tcp", response="7a8049557b2e77602625fa9ee7d8f088", algorithm=MD5, cnonce="c3606b3f70544096a7e17fcdb4670795", qop=auth, nc=00000001 Content-Length: 0
第4段 200 Ok(FreeSwitch → Client)
send 646 bytes to tcp/[10.32.26.25]:51696 at 02:14:58.933914: ------------------------------------------------------------------------ SIP/2.0 200 OK Via: SIP/2.0/TCP 10.32.26.25:51696;rport=51696;branch=z9hG4bKPj414de93b6fd34f21a9c453d81117fee2;alias From: <sip:1000@10.32.26.25>;tag=89aefb1f3fc0413283a453eda5407f60 To: <sip:1000@10.32.26.25>;tag=r9Dtj4QFpcK9N Call-ID: 1e7af0e67a5044658fc7f6716d329642 CSeq: 36851 REGISTER Contact: <sip:1000@10.32.26.25:51696;transport=TCP;ob>;expires=300 Date: Mon, 06 Sep 2021 02:14:58 GMT User-Agent: FreeSWITCH-mod_sofia/1.6.18+git~20170612T211449Z~6e79667c0a~64bit Allow: INVITE, ACK, BYE, CANCEL, OPTIONS, MESSAGE, INFO, UPDATE, REGISTER, REFER, NOTIFY, PUBLISH, SUBSCRIBE Supported: timer, path, replaces Content-Length: 0
2.2 采用WireShark抓包
參考上圖,啟動WireShark,指定網卡以及抓包的協議為sip后,本機用Client注冊登錄1次,就能抓到這4個階段的SIP信令(注:上圖的REG Server是OpenSIPS),跟FreeSwith做為REG Server對比,可以發現OpenSIPS第3階段,返回的Authorization里,少了cnounce、 qop、nc這3個值,這一點要注意一下。
三、Response Digest的計算過程
通過觀察SIP報文發現,整個注冊過程中Client始終沒有發送過任何password的明文,相對還是很安全的。Client第2次發起REGISTER時,附帶的Response值是關鍵!REG Server將校驗這個值的正確性,校驗通過才會注冊成功。
整個計算過程,分成三步:
3.1 計算HA1
規則如下:
|
algorithm
|
HA1
|
|---|---|
| MD5(或未指定) |
MD5(username:realm:password) |
| MD5-sess |
MD5(MD5(username:realm:password):nonce:cnonce) |
-
注:MD5計算出來的值為32位小寫,password為密碼,只有Client自己知道。
例1(FreeSwitch充當REG Server):
Client第2次提交的REGISTER請求中,Authorization信息為:
Authorization: Digest username="1000", realm="10.32.26.25", nonce="bee3366b-cf59-476e-bc5e-334e0d65b386", uri="sip:10.32.26.25:5070;transport=tcp", response="7a8049557b2e77602625fa9ee7d8f088", algorithm=MD5, cnonce="c3606b3f70544096a7e17fcdb4670795", qop=auth, nc=00000001
則HA1 = MD5("1000:10.32.26.25:1234") = 6a5e40ec8a6cbac75b9914b271516a47 (假設password為1234)
例2(OpenSIPS充當REG Server):
第2階段,FreeSwitch返回的Authorization如下:
Authorization: Digest username="440444", realm="10.2.60.171", nonce="6135e48401ea0109021093850f9c5db2bf101786", uri="sip:10.2.60.171:5060", response="885f45ae2179c9d8ce2bc1cbd8e4bb9f"
則HA1 = MD5("440444:10.2.60.171:440444") = 109cf921db79c57e146cd8d46429312d (假設password與username相同,都為440444)
3.2 計算HA2
規則如下:
|
qop
|
HA2
|
|---|---|
| auth(或未指定) |
MD5(method:digestURI) |
| auth-int |
MD5(method:digestURI:MD5(entityBody)) |
注:digestURI為SIP信令Authorization節點中的uri值,對於注冊來說,method即為固定值REGISTER
例1(FreeSwitch充當REG Server):
Client第2次提交的REGISTER請求中,Authorization信息為:
Authorization: Digest username="1000", realm="10.32.26.25", nonce="bee3366b-cf59-476e-bc5e-334e0d65b386", uri="sip:10.32.26.25:5070;transport=tcp", response="7a8049557b2e77602625fa9ee7d8f088", algorithm=MD5, cnonce="c3606b3f70544096a7e17fcdb4670795", qop=auth, nc=00000001
則HA2 = MD5("REGISTER:sip:10.32.26.25:5070;transport=tcp") = c0a1637fb943febd38e69c2087d58fe9
例2(OpenSIPS充當REG Server):
第2階段,FreeSwitch返回的Authorization如下:
Authorization: Digest username="440444", realm="10.2.60.171", nonce="6135e48401ea0109021093850f9c5db2bf101786", uri="sip:10.2.60.171:5060", response="885f45ae2179c9d8ce2bc1cbd8e4bb9f"
則HA2 = MD5("REGISTER:sip:10.2.60.171:5060") = 9f5c90dad45f8b57a9de5ad977027d7b
3.3 計算Response
根據前2步計算出來的HA1及HA2,計算response值,規則如下:
|
qop
|
response
|
|---|---|
| 未指定 | MD5(HA1:nonce:HA2) |
| auth或auth-int | MD5(HA1:nonce:nonceCount:cnonce:qop:HA2) |
計算結果如下:
|
|
例1(FreeSwitch充當REG Server)
|
例2(OpenSIPS充當REG Server)
|
|---|---|---|
| response | MD5("6a5e40ec8a6cbac75b9914b271516a47:bee3366b-cf59-476e-bc5e-334e0d65b386:00000001:c3606b3f70544096a7e17fcdb4670795:auth:c0a1637fb943febd38e69c2087d58fe9") =7a8049557b2e77602625fa9ee7d8f088 |
MD5("109cf921db79c57e146cd8d46429312d:6135e48401ea0109021093850f9c5db2bf101786:9f5c90dad45f8b57a9de5ad977027d7b") =885f45ae2179c9d8ce2bc1cbd8e4bb9f |
| qop | auth | 無 |
| nonceCount | 00000001 | 無 |
| nonce | bee3366b-cf59-476e-bc5e-334e0d65b386 | 6135e48401ea0109021093850f9c5db2bf101786 |
| HA2 | c0a1637fb943febd38e69c2087d58fe9 | 9f5c90dad45f8b57a9de5ad977027d7b |
| HA1 | 6a5e40ec8a6cbac75b9914b271516a47 | 109cf921db79c57e146cd8d46429312d |
| cnonce | c3606b3f70544096a7e17fcdb4670795 | 無 |
附1:話機注銷過程,其中跟注冊過程幾乎完全一樣,只是Expires值會設置為 0,交互報文如下:
recv 547 bytes from tcp/[10.32.26.25]:61932 at 09:21:34.274829: ------------------------------------------------------------------------ REGISTER sip:10.32.26.25:5070;transport=tcp SIP/2.0 Via: SIP/2.0/TCP 10.32.26.25:61932;rport;branch=z9hG4bKPj909d767a192f4db1ad491cb466fe9b99;alias Max-Forwards: 70 From: <sip:1099@10.32.26.25>;tag=c40977782b0d4b87912ff9636fdce333 To: <sip:1099@10.32.26.25> Call-ID: a08b443e427044e8815ed2e3f1dd51d0 CSeq: 23519 REGISTER User-Agent: MicroSIP/3.20.3 Supported: outbound, path Contact: <sip:1099@10.32.26.25:61932;transport=TCP;ob>;reg-id=1;+sip.instance="<urn:uuid:00000000-0000-0000-0000-000011058e7e>" Expires: 0 Content-Length: 0 ------------------------------------------------------------------------ send 670 bytes to tcp/[10.32.26.25]:61932 at 09:21:34.279829: ------------------------------------------------------------------------ SIP/2.0 401 Unauthorized Via: SIP/2.0/TCP 10.32.26.25:61932;rport=61932;branch=z9hG4bKPj909d767a192f4db1ad491cb466fe9b99;alias From: <sip:1099@10.32.26.25>;tag=c40977782b0d4b87912ff9636fdce333 To: <sip:1099@10.32.26.25>;tag=6e3DjUDX76p3N Call-ID: a08b443e427044e8815ed2e3f1dd51d0 CSeq: 23519 REGISTER User-Agent: FreeSWITCH-mod_sofia/1.6.18+git~20170612T211449Z~6e79667c0a~64bit Allow: INVITE, ACK, BYE, CANCEL, OPTIONS, MESSAGE, INFO, UPDATE, REGISTER, REFER, NOTIFY, PUBLISH, SUBSCRIBE Supported: timer, path, replaces WWW-Authenticate: Digest realm="10.32.26.25", nonce="7ff40180-f465-465c-8ca1-44c77d2107f4", algorithm=MD5, qop="auth" Content-Length: 0 ------------------------------------------------------------------------ recv 821 bytes from tcp/[10.32.26.25]:61932 at 09:21:34.279829: ------------------------------------------------------------------------ REGISTER sip:10.32.26.25:5070;transport=tcp SIP/2.0 Via: SIP/2.0/TCP 10.32.26.25:61932;rport;branch=z9hG4bKPj793d3c194cd6461589e44c864e031e52;alias Max-Forwards: 70 From: <sip:1099@10.32.26.25>;tag=c40977782b0d4b87912ff9636fdce333 To: <sip:1099@10.32.26.25> Call-ID: a08b443e427044e8815ed2e3f1dd51d0 CSeq: 23520 REGISTER User-Agent: MicroSIP/3.20.3 Supported: outbound, path Contact: <sip:1099@10.32.26.25:61932;transport=TCP;ob>;reg-id=1;+sip.instance="<urn:uuid:00000000-0000-0000-0000-000011058e7e>" Expires: 0 Authorization: Digest username="1099", realm="10.32.26.25", nonce="7ff40180-f465-465c-8ca1-44c77d2107f4", uri="sip:10.32.26.25:5070;transport=tcp", response="92e6ae0a0f23e04d21b0866a7746decd", algorithm=MD5, cnonce="85b6265e67b949aa9c2c7bcc26cad2c9", qop=auth, nc=00000001 Content-Length: 0 ------------------------------------------------------------------------ send 578 bytes to tcp/[10.32.26.25]:61932 at 09:21:34.286827: ------------------------------------------------------------------------ SIP/2.0 200 OK Via: SIP/2.0/TCP 10.32.26.25:61932;rport=61932;branch=z9hG4bKPj793d3c194cd6461589e44c864e031e52;alias From: <sip:1099@10.32.26.25>;tag=c40977782b0d4b87912ff9636fdce333 To: <sip:1099@10.32.26.25>;tag=7Qv6Kpy04FDpH Call-ID: a08b443e427044e8815ed2e3f1dd51d0 CSeq: 23520 REGISTER Date: Thu, 23 Sep 2021 09:21:34 GMT User-Agent: FreeSWITCH-mod_sofia/1.6.18+git~20170612T211449Z~6e79667c0a~64bit Allow: INVITE, ACK, BYE, CANCEL, OPTIONS, MESSAGE, INFO, UPDATE, REGISTER, REFER, NOTIFY, PUBLISH, SUBSCRIBE Supported: timer, path, replaces Content-Length: 0 ------------------------------------------------------------------------
附2:如果注冊過程中,digest校驗失敗,SIP會返回403,報文如下
recv 647 bytes from tcp/[10.32.26.25]:63125 at 09:26:04.493306: ------------------------------------------------------------------------ REGISTER sip:10.32.26.25:5070;transport=tcp SIP/2.0 Via: SIP/2.0/TCP 10.32.26.25:63125;rport;branch=z9hG4bKPj258fc605159e449ea95e1fdd55b4c16d;alias Max-Forwards: 70 From: <sip:1099@10.32.26.25>;tag=69516ebac8224d94a7225271fec56f87 To: <sip:1099@10.32.26.25> Call-ID: 514ac58ec6dd4d8295a62d8f04648c52 CSeq: 25348 REGISTER User-Agent: MicroSIP/3.20.3 Supported: outbound, path Contact: <sip:1099@10.32.26.25:63125;transport=TCP;ob>;reg-id=1;+sip.instance="<urn:uuid:00000000-0000-0000-0000-000011058e7e>" Expires: 300 Allow: PRACK, INVITE, ACK, BYE, CANCEL, UPDATE, INFO, SUBSCRIBE, NOTIFY, REFER, MESSAGE, OPTIONS Content-Length: 0 ------------------------------------------------------------------------ send 670 bytes to tcp/[10.32.26.25]:63125 at 09:26:04.496305: ------------------------------------------------------------------------ SIP/2.0 401 Unauthorized Via: SIP/2.0/TCP 10.32.26.25:63125;rport=63125;branch=z9hG4bKPj258fc605159e449ea95e1fdd55b4c16d;alias From: <sip:1099@10.32.26.25>;tag=69516ebac8224d94a7225271fec56f87 To: <sip:1099@10.32.26.25>;tag=DemUyr3NK5j6p Call-ID: 514ac58ec6dd4d8295a62d8f04648c52 CSeq: 25348 REGISTER User-Agent: FreeSWITCH-mod_sofia/1.6.18+git~20170612T211449Z~6e79667c0a~64bit Allow: INVITE, ACK, BYE, CANCEL, OPTIONS, MESSAGE, INFO, UPDATE, REGISTER, REFER, NOTIFY, PUBLISH, SUBSCRIBE Supported: timer, path, replaces WWW-Authenticate: Digest realm="10.32.26.25", nonce="7180f42a-1d76-4a6f-a846-6f9b34f7db4e", algorithm=MD5, qop="auth" Content-Length: 0 ------------------------------------------------------------------------ recv 921 bytes from tcp/[10.32.26.25]:63125 at 09:26:04.496305: ------------------------------------------------------------------------ REGISTER sip:10.32.26.25:5070;transport=tcp SIP/2.0 Via: SIP/2.0/TCP 10.32.26.25:63125;rport;branch=z9hG4bKPj6727ace0eb4d406cadf969591438a644;alias Max-Forwards: 70 From: <sip:1099@10.32.26.25>;tag=69516ebac8224d94a7225271fec56f87 To: <sip:1099@10.32.26.25> Call-ID: 514ac58ec6dd4d8295a62d8f04648c52 CSeq: 25349 REGISTER User-Agent: MicroSIP/3.20.3 Supported: outbound, path Contact: <sip:1099@10.32.26.25:63125;transport=TCP;ob>;reg-id=1;+sip.instance="<urn:uuid:00000000-0000-0000-0000-000011058e7e>" Expires: 300 Allow: PRACK, INVITE, ACK, BYE, CANCEL, UPDATE, INFO, SUBSCRIBE, NOTIFY, REFER, MESSAGE, OPTIONS Authorization: Digest username="1099", realm="10.32.26.25", nonce="7180f42a-1d76-4a6f-a846-6f9b34f7db4e", uri="sip:10.32.26.25:5070;transport=tcp", response="ba8664d44668c11d030a9436800338e7", algorithm=MD5, cnonce="4c02d90a0bf94ae28a1ecd8cf30b126e", qop=auth, nc=00000001 Content-Length: 0 ------------------------------------------------------------------------ send 548 bytes to tcp/[10.32.26.25]:63125 at 09:26:04.499309: ------------------------------------------------------------------------ SIP/2.0 403 Forbidden Via: SIP/2.0/TCP 10.32.26.25:63125;rport=63125;branch=z9hG4bKPj6727ace0eb4d406cadf969591438a644;alias From: <sip:1099@10.32.26.25>;tag=69516ebac8224d94a7225271fec56f87 To: <sip:1099@10.32.26.25>;tag=eQDm0KmSge9rj Call-ID: 514ac58ec6dd4d8295a62d8f04648c52 CSeq: 25349 REGISTER User-Agent: FreeSWITCH-mod_sofia/1.6.18+git~20170612T211449Z~6e79667c0a~64bit Allow: INVITE, ACK, BYE, CANCEL, OPTIONS, MESSAGE, INFO, UPDATE, REGISTER, REFER, NOTIFY, PUBLISH, SUBSCRIBE Supported: timer, path, replaces Content-Length: 0 ------------------------------------------------------------------------
參考文章:
https://en.wikipedia.org/wiki/Digest_access_authentication