Mutual Authentication for SIP: A Semantic Meaning for the SIP Opaque Values
Authors: Thomas Guillet, A. Serhrouchni, M. Badra
Published in: 2008 New Technologies, Mobility and Security, 2008-11-25
DOI: https://doi.org/10.1109/NTMS.2008.ECP.69
The Session Initiation Protocol (SIP) is rapidly becoming the dominant signalling protocol for calls over the Internet. It has quickly made large inroads into the voice over IP (VoIP) market. SIP is an application-layer control protocol that operates on top of a transport protocol and allows sessions with one or more participants to be created, modified, and terminated. From a security standpoint, these operations require authentication of the participating end-points, confidentiality, data integrity, and protection against internal and external attacks. For authentication, SIP relies on HTTP Digest by default; the client is authenticated to the SIP proxy server. To obtain mutual authentication between client and server, SIP could be implemented over TLS (Transport Layer Security) when TCP is supported by the SIP network architecture. In this paper, we propose a mutual authentication mechanism within HTTP Digest, since the latter is implemented by default in all SIP environments. It consists of giving meaning and semantics to some of the parameter values generated by the participating end-points during SIP session establishment, especially the "nonce" values. Our solution is backward-compatible with today's implementations. Without being in opposition to security protocols like TLS, this approach helps reduce DoS (denial of service) attacks, detects server identity spoofing, and ensures basic mutual authentication in comparison to HTTP Digest.