1 Internet Engineering Task Force B. Sterman
2 AAA Working Group D. Sadolevsky
3 Internet Draft D. Schwartz
4 draft-sterman-aaa-sip-00.txt deltathree, Inc.
5 Nov 12, 2001 D. Williams
6 Expires: Apr 12 2002 Cisco Systems
9 RADIUS Extension for Digest Authentication
13 This document is an Internet-Draft and is in full conformance
14 with all provisions of Section 10 of RFC2026.
16 Internet-Drafts are working documents of the Internet Engií
17 neering Task Force (IETF), its areas, and its working groups.
18 Note that other groups may also distribute working documents
21 Internet-Drafts are draft documents valid for a maximum of six
22 months and may be updated, replaced, or obsoleted by other
23 documents at any time. It is inappropriate to use Internet-
24 Drafts as reference material or to cite them other than as
27 The list of current Internet-Drafts can be accessed at
28 http://www.ietf.org/ietf/1id-abstracts.txt
30 To view the list Internet-Draft Shadow Directories, see
31 http://www.ietf.org/shadow.html.
35 Basic and Digest authentication schemes (RFC2617 [1]) are
36 widely used in protocols such as SIP (RFC2543 [2]) and HTTP
37 (RFC2616 [3]). RADIUS (RFC2865 [4]) is a protocol for back end
38 authentication. RADIUS supports Basic authentication natively,
39 as well as several other authentication schemes, such as CHAP,
40 but does not support Digest authentication scheme. This docuí
41 ment describes an extension to RADIUS for Digest authenticaí
42 tion and provides a scenario of Digest user authentication.
50 In this document, the key words "MUST", "MUST NOT", "REí
51 QUIRED", "SHALL", "SHALLNOT", "SHOULD", "SHOULD NOT", "RECOMí
52 MENDED", "MAY", and "OPTIONAL" are to be interpreted as deí
57 Figure 1 depicts the scenario that is relevant for this docuí
58 ment. It shows a generic case where entities A and B communií
59 cate in the front-end using protocols such as HTTP/SIP, while
60 entities B and C communicate in the back-end using RADIUS.
65 +-----+ (1) +-----+ +-----+
77 +-----+ +-----+ +-----+
82 Figure 1: Scenario relevant to document
85 The roles played by the entities in this scenario are as folí
88 A: HTTP client / SIP UA
90 B: {HTTP server / HTTP proxy server / SIP proxy server / SIP
91 UAS} acting also as a RADIUS NAS
95 The relevant order of messages sent in this scenario is as
98 A sends B an HTTP/SIP request without authorization header
99 (step 1). B challenges A sending an HTTP/SIP "(Proxy) Authoí
100 rization required" response containing a locally generated
101 nonce (step 2). A sends B an HTTP/SIP request with authorizaí
102 tion header (step 3). B sends C a RADIUS Access-Request with
103 attributes described in this document (step 4). C responds to
104 B with a RADIUS Access-Accept/Access-Reject response (step 5).
105 If credentials were accepted B receives an Access-Accept reí
106 sponse and the message sent from A is considered authentic. If
107 B receives an Access-Reject response, however, B then responds
108 to A with a "(Proxy) Authorization required" response (step
114 Basic and Digest authentication are used within protocols such
115 as HTTP and SIP. Recently, there have been efforts towards the
116 use of an Extensible Authentication Protocol (EAP) within proí
117 tocols such as HTTP and SIP. [5] is one such effort. The adí
118 vantage here is that, new authentication schemes may be used
119 without any modification to the SIP/HTTP protocol itself. This
120 is because the EAP packet for the particular authentication
121 scheme is carried transparently by the SIP/HTTP protocol.
123 However, the use of Basic and Digest authentication is likely
124 to continue to be used directly within protocols such as
125 SIP/HTTP in the near future, and hence their interoperability
126 with a back-end authentication protocol such as RADIUS is
129 There is also an ongoing effort to accomplish the same thing
130 as this document does in relation to DIAMETER [6], but DIAMEí
131 TER itself has not reached the RFC status as of the time of
132 writing this. When it happens and when [6] reaches the RFC
133 status too, implementers are encouraged to switch to [6].
137 The approach taken here is to extend RADIUS to support Digest
138 authentication by mimicking its native support for CHAP auí
139 thentication. According to [4], the RADIUS server distinguishí
140 es between different authentication schemes by looking at the
141 presence of an attribute specific for that scheme. For the
142 three natively supported authentication schemes, these atí
143 tributes are: User-Password for PAP (or any other clear-text
144 password scheme), CHAP-Password for CHAP, and State + User-
145 Password for challenge-response scheme. This document adds aní
146 other attribute to be used in this role: Digest-Response. Alí
147 so according to [4], "An Access-Request packet MUST contain
148 either a User-Password or a CHAP-Password or a State. It MUST
149 NOT contain both a User-Password and a CHAP-Password. If fuí
150 ture extensions allow other kinds of authentication informaí
151 tion to be conveyed, the attribute for that can be used iní
152 stead of User-Password or CHAP-Password." The Digest-Response
153 introduced here therefore can be used instead of User-Password
156 The HTTP Authentication parameters found in the Proxy-Authoí
157 rization or Authorization request header are mapped into two
158 newly defined experimental RADIUS attributes. The Digest-Reí
159 sponse attribute and the Digest-Attributes attribute carrying
160 multiple HTTP Digest parameters as subattributes. These 2 new
161 RADIUS attributes are defined in the document together with
162 some other information required for calculating the correct
163 digest response on the RADIUS server with exception of the
164 password, which the RADIUS server is assumed to be able to reí
165 trieve from a data store given the username. The structure of
166 Digest-Response, the structure of Digest-Attributes and the
167 mapping/meaning of its subattributes are described in the next
172 2 New RADIUS attributes
174 2.1 Digest-Response attribute
178 This attribute contains the request-digest response value
179 contained in a Digest (Proxy)Authorization header. It is
180 only used in Access-Request packets. If this attribute is
181 present, the RADIUS server SHOULD view the Access-Request
184 A summary of the Digest-Attributes attribute format is shown
185 below. The fields are transmitted from left to right.
188 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0
189 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
190 | Type | Length | String...
191 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
195 206(Experimental) for Digest-Response.
202 String which proves the user knows a password. The String
203 field is 32 octets long and contains hexadecimal represení
204 tation of 16 octet digest value as it was calculated by the
205 authenticated client. The String field SHOULD be copied
206 from request-digest of digest-response ([1]).
209 2.2 Digest-Attributes attribute
213 This attribute contains subattributes which indicate the
214 values contained in a Digest (Proxy)Authorization header
215 together with other information necessary to calculate the
216 correct digest response value. It is only used in Access-
217 Request packets. There can be multiple Digest-Attributes
218 attributes contained in one Access-Request packet. In this
219 case RADIUS server MUST interpret a concatenation of their
220 values as if it came in one attribute.
222 A summary of the Digest-Attributes attribute format is shown
223 below. The fields are transmitted from left to right.
226 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3
227 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
228 | Type | Length | String...
229 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
233 207(Experimental) for Digest-Attributes.
241 The String field is 3 or more octets and contains one or
242 more subattributes. Format of a subattribute is shown beí
243 low. The fields are transmitted from left to right.
246 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2
247 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
248 | Sub-Type | Sub-Length | Sub-Value...
249 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
253 Subattribute type. Meanings of the following defined
254 types can be found in section 2.3
273 Subattribute-specific value
287 String, copied from realm-value of digest-response ([1])
301 String, copied from nonce-value of digest-response ([1])
315 String, copied from digest-response. Method is taken from
316 request-URI of message ([2/3])
330 String, copied from digest-uri-value of digest-response
345 String, copied from qop-value of digest-response ([1])
359 String, "MD5" | "MD5-sess" | token, copied from algorithm
360 of digest-response ([1])
375 String, hexadecimal representation of a digest calculated
376 over entity-body of HTTP/SIP request ([1/2]). Computed by
377 entity B in figure 1. This attribute is not part of the
378 HTTP Digest response.
392 String copied from cnonce-value of digest-response ([1])
406 String, 8LHEX, copied from nc-value of digest-response
421 String copied from username-value of digest-response ([1])
422 the RADIUS server SHOULD NOT use this value for password
423 finding, but only for digest calculation purpose. In order
424 to find the user record containing password, the RADIUS
425 server SHOULD use the value of the User-Name _attribute_
429 This is an example sniffed from the traffic between HearMe
430 softphone (A), Cisco Systems Proxy Server (B) and deltathree
431 RADIUS server (C) (The communication between Cisco Systems
432 Proxy Server and a SIP PSTN gateway is omitted for brevity):
436 INVITE sip:97226491335@213.137.69.38 SIP/2.0
437 Via: SIP/2.0/UDP 213.137.67.67:5061
438 From: <sip:12345678@213.137.67.67>;tag=216ae97f
439 To: sip:97226491335@213.137.69.38
440 Contact: sip:12345678@213.137.67.67:5061
441 Call-ID: da591c98-f056-4803-a751-0bd296170875@213.137.67.67
444 Content-Type: application/sdp
445 User-Agent: HearMe SoftPHONE
448 o=HearMe 2544265 2544265 IN IP4 213.137.67.67
450 c=IN IP4 213.137.67.67
452 m=audio 8000 RTP/AVP 0 4
459 Via: SIP/2.0/UDP 213.137.67.67:5061
460 Call-ID: da591c98-f056-4803-a751-0bd296170875@213.137.67.67
461 From: <sip:12345678@213.137.67.67>;tag=216ae97f
462 To: sip:97226491335@213.137.69.38
468 SIP/2.0 407 Proxy Authentication Required
469 Via: SIP/2.0/UDP 213.137.67.67:5061
470 Call-ID: da591c98-f056-4803-a751-0bd296170875@213.137.67.67
471 From: <sip:12345678@213.137.67.67>;tag=216ae97f
472 To: sip:97226491335@213.137.69.38;tag=3f5611de-22a007dc
474 Proxy-Authenticate: DIGEST realm="deltathree", nonce="3bada1a0", algorithm="md5"
479 ACK sip:97226491335@213.137.69.38 SIP/2.0
480 Via: SIP/2.0/UDP 213.137.67.67:5061
481 From: <sip:12345678@213.137.67.67>;tag=216ae97f
482 To: sip:97226491335@213.137.69.38;tag=3f5611de-22a007dc
483 Call-ID: da591c98-f056-4803-a751-0bd296170875@213.137.67.67
489 INVITE sip:97226491335@213.137.69.38 SIP/2.0
490 Via: SIP/2.0/UDP 213.137.67.67:5061
491 From: <sip:12345678@213.137.67.67>;tag=29e97f
492 To: sip:97226491335@213.137.69.38
493 Contact: sip:12345678@213.137.67.67:5061
494 Call-ID: b0f487c9-04a0-4108-a5a3-580ecbaf0e24@213.137.67.67
497 Content-Type: application/sdp
498 User-Agent: HearMe SoftPHONE
499 Proxy-Authorization: DIGEST algorithm="md5",nonce="3bada1a0",opaque=""
500 ,realm="deltathree",response="2ae133421cda65d67dc50d13ba0eb9bc"
501 ,uri="sip:97226491335@213.137.69.38",username="12345678"
504 o=HearMe 2544265 2544265 IN IP4 213.137.67.67
506 c=IN IP4 213.137.67.67
508 m=audio 8000 RTP/AVP 0 4
515 Via: SIP/2.0/UDP 213.137.67.67:5061
516 Call-ID: b0f487c9-04a0-4108-a5a3-580ecbaf0e24@213.137.67.67
517 From: <sip:12345678@213.137.67.67>;tag=29e97f
518 To: sip:97226491335@213.137.69.38
524 Code = 1 (Access-Request)
527 Authenticator = 56 7b e6 9a 8e 43 cf b6 fb a6 c0 f0 9a 92 6f 0e
529 NAS-IP-Address = d5 89 45 26 (213.137.69.38)
530 NAS-Port-Type = 5 (Virtual)
531 User-Name = "12345678"
532 Digest-Response (206) = "2ae133421cda65d67dc50d13ba0eb9bc"
533 Digest-Attributes (207) = [Realm (1) = "deltathree"]
534 Digest-Attributes (207) = [Nonce (2) = "3bada1a0"]
535 Digest-Attributes (207) = [Method (3) = "INVITE"]
536 Digest-Attributes (207) = [URI (4) = "sip:97226491335@213.137.69.38"]
537 Digest-Attributes (207) = [Algorithm (5) = "md5"]
538 Digest-Attributes (207) = [User-Name (10) = "12345678"]
542 Code = 2 (Access-Accept)
545 Authenticator = 6d 76 53 ce aa 07 9a f7 ac b4 b0 e2 96 2f c4 0d
550 Via: SIP/2.0/UDP 213.137.67.67:5061
551 From: <sip:12345678@213.137.67.67>;tag=29e97f
552 To: sip:97226491335@213.137.69.38;tag=7BF5248C-177E
553 Date: Tue, 25 Jan 2000 03:41:00 gmt
554 Call-ID: b0f487c9-04a0-4108-a5a3-580ecbaf0e24@213.137.67.67
555 Server: Cisco-SIPGateway/IOS-12.x
556 Record-Route: <sip:97226491335@213.137.69.38:5060;maddr=213.137.69.38>
563 Via: SIP/2.0/UDP 213.137.67.67:5061
564 From: <sip:12345678@213.137.67.67>;tag=29e97f
565 To: sip:97226491335@213.137.69.38;tag=7BF5248C-177E
566 Date: Tue, 25 Jan 2000 03:41:00 gmt
567 Call-ID: b0f487c9-04a0-4108-a5a3-580ecbaf0e24@213.137.67.67
568 Server: Cisco-SIPGateway/IOS-12.x
569 Record-Route: <sip:97226491335@213.137.69.38:5060;maddr=213.137.69.38>
571 Contact: <sip:97226491335@213.137.69.36:5060;user=phone>
572 Content-Type: application/sdp
576 o=CiscoSystemsSIP-GW-UserAgent 1901 5895 IN IP4 213.137.69.36
578 c=IN IP4 213.137.69.36
580 m=audio 17724 RTP/AVP 0
585 ACK sip:97226491335@213.137.69.38:5060 SIP/2.0
586 Via: SIP/2.0/UDP 213.137.67.67:5061
587 From: <sip:12345678@213.137.67.67>;tag=29e97f
588 To: sip:97226491335@213.137.69.38;tag=7BF5248C-177E
589 Call-ID: b0f487c9-04a0-4108-a5a3-580ecbaf0e24@213.137.67.67
592 Route: <sip:97226491335@213.137.69.36:5060;user=phone>
597 [1] J. Franks, P. Hallam-Baker, J. Hostetler, S. Lawrence,
598 P. Leach, A. Luotonen, L. Stewart, "HTTP Authentication:
599 Basic and Digest Access Authentication", RFC 2617, June
602 [2] M. Handley, H. Schulzrinne, E. Schooler, J. Rosenberg,
603 "SIP: Session Initiation Protocol",
604 draft-ietf-sip-rfc2543bis-03.txt, IETF work in progress,
607 [3] R. Fielding, J. Gettys, J. Mogul, H. Frystyk,
608 L. Masinter, P. Leach, T. Berners-Lee, "Hypertext
609 Transfer Protocol -- HTTP/1.1", RFC 2616, June 1999.
611 [4] C. Rigney, S. Willens, Livingston, A. Rubens, Merit,
612 W. Simpson, Daydreamer, "Remote Authentication Dial In
613 User Service (RADIUS)", RFC 2865, June 2000
615 [5] J. Arkko, V. Torvinen, A. Niemi, "HTTP Authentication
616 with EAP", draft-http-eap-basic-04.txt, IETF work in
619 [6] Srinivas, Chan, Sengodan, Costa-Requena, "Mapping of
620 Basic and Digest Authentication to DIAMETER AAA
621 Messages", draft-srinivas-aaa-basic-digest-00.txt,
622 IETF work in progress, July 2001
627 We would like to acknowledge Kevin Mcdermott (Cisco Systems)
628 for providing comments and experimental implementation.
637 Jerusalem Technology Park
639 Jerusalem 91481 Israel
640 {baruch,daniels,davids}@deltathree.com
646 Research Triangle Park, NC 27709
648 Email: dwilli@cisco.com