This tool allows you to calculate an authorization header for a SIP
request. It requires a SIP request packet, challenge header
cnonce values can optionally be
supplied. This can be useful if you want to compare the output challenge
response with the value created from another system to confirm the correct
credentials were used.
This is HTTP digest auth applied to SIP. Digest auth verifies that both send/receive ends both know a shared secret, the SIP password. Typicaly a SIP packet is sent without an auth header, the receiving end will then challenge for auth (via a 401/407 response), the original SIP packet is then sent with a reply to this challenge.
The challenge response is made up by using the MD5 hash algortihm on several values in a particular order, including the secret password. Here is it in psuedo code (the colon character ':' is literal):
HA1=MD5(username:realm:password) HA2=MD5(method:digestURI) response=MD5(HA1:nonce:nc:cnonce:auth:HA2)
In HA1, the username is the SIP authusername if supplied, otherwise normal username/identifier. Some SIP setups use a completely different username for auth compared to calling. The realm is part of what's returned by the 40x response. If we have multiple credential sets to choose from this is one way to narrow down the selection for the specific endpoint.
For HA2, the method is just the full name, e.g. INVITE or REGISTER.
The digestURI is the request URI, e.g. for a full opening line of an INVITE
INVITE sip:+firstname.lastname@example.org SIP/2.0 it would be
The updated request packet's new auth header has some values beyond just the
response hash, these include:
This tool is limited to only md5 (not md5-sess or other types). Want more options? Get in touch!