VoIP Toolbox - SIP Utilities & DNS Tools

Auth Header Calculator

This tool allows you to calculate an authorization header for a SIP request. It requires a SIP request packet, challenge header (WWW-Authenticate or Proxy-Authenticate) plus credentials.

The nc and cnonce values can optionally be supplied. This can be useful if you want to compare the output challenge response with the value created from another system to confirm the correct credentials were used.

Input

SIP Request

Challenge Auth Header Name

Challenge Auth Header Value

Username

Password

Optional Values

You don't have to supply either of these values, although if you're trying to replicate a specific Auth header generation for comparison you'll need to fill these in to avoid having random values used instead.

NC Value

cnonce Value

Output

Awaiting submission...

How does SIP auth work?

This is HTTP digest auth applied to SIP. Digest auth verifies that both send/receive ends both know a shared secret, the SIP password. Typicaly a SIP packet is sent without an auth header, the receiving end will then challenge for auth (via a 401/407 response), the original SIP packet is then sent with a reply to this challenge.

The challenge response is made up by using the MD5 hash algortihm on several values in a particular order, including the secret password. Here is it in psuedo code (the colon character ':' is literal):

HA1=MD5(username:realm:password)
HA2=MD5(method:digestURI)
response=MD5(HA1:nonce:nc:cnonce:auth:HA2)

In HA1, the username is the SIP authusername if supplied, otherwise normal username/identifier. Some SIP setups use a completely different username for auth compared to calling. The realm is part of what's returned by the 40x response. If we have multiple credential sets to choose from this is one way to narrow down the selection for the specific endpoint.

For HA2, the method is just the full name, e.g. INVITE or REGISTER. The digestURI is the request URI, e.g. for a full opening line of an INVITE packet, INVITE sip:+123@test.com SIP/2.0 it would be sip:+123@test.com.

The updated request packet's new auth header has some values beyond just the response hash, these include:

nonce, this is a one time number supplied in the 401/407 response
nc, this is our own count of requests we've sent with the supplied nonce.
cnonce, a one time number/string generated by us (the SIP point creating the request), "...avoid chosen plaintext attacks, to provide mutual authentication, and to provide some message integrity protection." (RFC 2617 3.2.2).
auth, allows for extensions but for our purpose this is typically the literal string "auth".

Limits

This tool is limited to only md5 (not md5-sess or other types). Want more options? Get in touch!