Last week I was given the task of coding a SIP terminal client. The first thing I did, as most people do, was google the SIP RFC and start reading it, and within a day or so I was coding a simple SIP client that just sends a registration request to the SIP server/proxy. The good thing about SIP is that it is a mixture of the HTTP and SMTP protocols; truthfully, sometimes I feel I'm coding for HTTP, not for SIP.
SIP uses the HTTP Digest method to authenticate the client, and that was the most confusing part at the start, as I was unable to find an exact RFC for it; most SIP documents referred me to HTTP Digest, which is more complex than what SIP uses. Although the procedure is exactly the same, the way the RFCs explain it sucks. The simple explanation of all the stuff that took some time to code is this.
The newer SIP RFC only recommends the Digest method as the authentication mechanism. In Digest, the server sends a challenge string, the "nonce", which should be hashed (with MD5) together with our username, password, URI, realm and request method, and sent back to the server. All this is achievable using a simple three-step formula.
1. H1 = MD5(username:realm:password)
2. H2 = MD5(METHOD:URI)
3. response = MD5(H1:nonce:H2)
When authentication is needed, the server responds with 401 (Unauthorized) along with the realm and nonce. As we are registering with the server, METHOD should be "REGISTER" and URI the address of the server we want to access, e.g. sip:192.168.1.20.
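The three-step formula above, worked through in Python as an added example (not code from the original post): it parses a constructed 401 challenge, computes the response, builds the Authorization header for the retried REGISTER, and also shows the server-side check, which only needs the stored H1 and never the clear password. The username, password, realm and nonce values are constructed for the example; the qop=auth branch goes beyond the post and is the extended RFC 2617 form most current servers offer.

```python
import hashlib
import hmac
import re


def md5_hex(data: str) -> str:
    return hashlib.md5(data.encode("utf-8")).hexdigest()


def parse_challenge(header: str) -> dict:
    """Split the parameters of a 'WWW-Authenticate: Digest ...' line into a dict."""
    params = header.split("Digest", 1)[1]
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|[^,\s]+)', params)}


def digest_response(username, realm, password, method, uri, nonce,
                    qop=None, nc=None, cnonce=None) -> str:
    """The post's three steps (RFC 2617 without qop); qop=auth is the extended form."""
    h1 = md5_hex(f"{username}:{realm}:{password}")   # step 1
    h2 = md5_hex(f"{method}:{uri}")                  # step 2
    if qop is None:
        return md5_hex(f"{h1}:{nonce}:{h2}")         # step 3
    return md5_hex(f"{h1}:{nonce}:{nc}:{cnonce}:{qop}:{h2}")


def build_authorization(username, password, method, uri, challenge: dict) -> str:
    """Authorization header the client adds when it resends REGISTER after the 401."""
    response = digest_response(username, challenge["realm"], password,
                               method, uri, challenge["nonce"])
    return ('Authorization: Digest username="%s", realm="%s", nonce="%s", '
            'uri="%s", response="%s", algorithm=MD5'
            % (username, challenge["realm"], challenge["nonce"], uri, response))


def verify_response(stored_h1, method, uri, nonce, received_response) -> bool:
    """Server side: recompute from stored H1 and compare in constant time."""
    h2 = md5_hex(f"{method}:{uri}")
    expected = md5_hex(f"{stored_h1}:{nonce}:{h2}")
    return hmac.compare_digest(expected, received_response)


# Constructed sample 401 challenge line (not captured from a real server).
CHALLENGE_401 = ('WWW-Authenticate: Digest realm="sip.example.com", '
                 'nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093", algorithm=MD5')

if __name__ == "__main__":
    ch = parse_challenge(CHALLENGE_401)
    print(build_authorization("alice", "secret", "REGISTER", "sip:192.168.1.20", ch))
```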