Ticket #396 (closed enhancement: fixed)

Opened 10 years ago

Last modified 10 years ago

Support for 3GPP/IMS digest AKA (AKAv1-MD5) SIP authentication

Reported by: bennylp
Owned by: bennylp
Priority: normal
Milestone: release-0.8.0
Component: pjsip
Version: trunk
Keywords:
Cc:
Backport to 1.x milestone:
Backported:

Description (last modified by bennylp)

Digest AKA is utilized by 3GPP/IMS, and is specified in RFC 3310: Hypertext Transfer Protocol (HTTP) Digest Authentication Using Authentication and Key Agreement (AKA).

Change History

comment:1 Changed 10 years ago by bennylp

  • Status changed from new to assigned
  • Description modified
  • Summary changed from Support for digest AKA (AKAv1-MD5) SIP authentication to Support for 3GPP/IMS digest AKA (AKAv1-MD5) SIP authentication

In r1488:

Initial support for AKA framework in r:

  • added a new library, libmilenage, under the third_party directory for the Milenage algorithms. This was taken directly from the 3GPP spec.
  • the SIP credential structure (pjsip_cred_info) has been improved to support specifying a non-MD5 credential and a callback to compute the response digest, and new information specific to AKA authentication has been added to it.
  • added sip_auth_aka.[h|c] for the implementation of AKA response calculation.
  • added base64 encoding and decoding in PJLIB-UTIL

This implementation adds support for AKA authentication without adding footprint overhead to the stack.

To support AKA authentication, the application just needs to specify a new type of credential that uses a callback function to calculate the response. Below is a snippet showing how this should be used:

 pjsip_cred_info cred;

 // Always bzero as a good practice
 pj_bzero(&cred, sizeof(cred));

 cred.realm = pj_str("*");
 cred.scheme = pj_str("digest");
 cred.username = pj_str("THE_USER");
 cred.data_type = PJSIP_CRED_DATA_PLAIN_PASSWD | PJSIP_CRED_DATA_EXT_AKA;  // <-- NEW !!!
 cred.data = .. the password ..;  // <-- For MD5 authentication

 // AKA specific info
 cred.ext.aka.k = ...;   // permanent key
 cred.ext.aka.op = ...;  // operator variant key
 cred.ext.aka.amf = ...; // authentication management field.
 cred.ext.aka.cb = &pjsip_auth_create_akav1;

The PJSIP_CRED_DATA_EXT_AKA flag indicates that digest computation will be performed by the callback function in ext.aka.cb rather than the built-in MD5.

A new pjsip_auth_create_akav1() function is provided in the library to compute the AKAv1 digest. When the algorithm in the challenge is "AKAv1-MD5" (case-insensitive), this function will parse the nonce in the challenge to get the RAND and AUTN values and compute the AKAv1-MD5 response digest according to the AKA keys specified in the credential.

The pjsip_auth_create_akav1() function also supports falling back to normal MD5 authentication if the challenge specifies "MD5" as the algorithm. In this case, it assumes that the data field contains the password of the credential, either in plain text if the PJSIP_CRED_DATA_PLAIN_PASSWD flag is specified, or as a hashed password if the PJSIP_CRED_DATA_DIGEST flag is specified.

Alternatively, the application may create and use a response calculation function other than pjsip_auth_create_akav1(), for example to support AKAv2 authentication.
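The nonce parsing step described in comment:1, as an added example that is not PJSIP's own code: it base64-decodes the challenge nonce and rejects anything too short to hold RAND and AUTN before copying them out. The names aka_parse_nonce, aka_challenge and b64_val are hypothetical, and the layout (base64 of RAND followed by AUTN and optional server data, 16 bytes each) is assumed from RFC 3310.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define AKA_RAND_LEN 16   /* RFC 3310: RAND is 128 bits */
#define AKA_AUTN_LEN 16   /* RFC 3310: AUTN is 128 bits */

/* Hypothetical holder for the decoded challenge fields. */
typedef struct {
    uint8_t rand[AKA_RAND_LEN];
    uint8_t autn[AKA_AUTN_LEN];  /* (SQN xor AK) 6 | AMF 2 | MAC 8 bytes */
} aka_challenge;

/* Map one base64 character to its 6-bit value, or -1 if invalid. */
static int b64_val(char c)
{
    if (c >= 'A' && c <= 'Z') return c - 'A';
    if (c >= 'a' && c <= 'z') return c - 'a' + 26;
    if (c >= '0' && c <= '9') return c - '0' + 52;
    if (c == '+') return 62;
    if (c == '/') return 63;
    return -1;
}

/* Decode a base64 AKA nonce and split off RAND and AUTN.
 * Returns 0 on success, -1 on malformed, oversized or too-short input. */
int aka_parse_nonce(const char *nonce, aka_challenge *out)
{
    uint8_t buf[256];
    size_t len = strlen(nonce), n = 0, i;
    uint32_t acc = 0;
    int bits = 0;

    while (len > 0 && nonce[len - 1] == '=') len--;   /* strip padding */
    for (i = 0; i < len; i++) {
        int v = b64_val(nonce[i]);
        if (v < 0 || n == sizeof(buf)) return -1;     /* bad char or buffer full */
        acc = (acc << 6) | (uint32_t)v;
        bits += 6;
        if (bits >= 8) {
            bits -= 8;
            buf[n++] = (uint8_t)(acc >> bits);
        }
    }
    if (n < AKA_RAND_LEN + AKA_AUTN_LEN) return -1;   /* too short for RAND+AUTN */
    memcpy(out->rand, buf, AKA_RAND_LEN);
    memcpy(out->autn, buf + AKA_RAND_LEN, AKA_AUTN_LEN);
    return 0;
}
```

The nonce comes from the network, so the length check before the two memcpy calls is the part that matters: a challenge that advertises AKAv1-MD5 but carries a short nonce must fail cleanly instead of feeding stale stack bytes to Milenage.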

comment:2 Changed 10 years ago by bennylp

r1489 added PJSIP_HAS_DIGEST_AKAv1_AUTH configuration to enable AKA support. Default is disabled for now.

comment:3 Changed 10 years ago by bennylp

Fixed compilation warnings in r1490 and r1492.

comment:4 Changed 10 years ago by bennylp

Updated Symbian DEF file in r1494

comment:5 Changed 10 years ago by bennylp

  • Status changed from assigned to closed
  • Resolution set to fixed

In r1500:

  • tested AKAv1 authentication (and it worked!)
  • implemented AKAv2
  • updated pjsua to create an AKA credential when AKA is enabled
  • fixed miscellaneous authentication stuff to support AKA, including support for sending an empty Authorization header to force the proxy server to use an MD5 challenge.

comment:6 Changed 10 years ago by bennylp

Updated documentation. Please see: PJSIP Digest AKAv1 and AKAv2 Authentication API on how to enable and use AKA authentication.

comment:7 Changed 10 years ago by bennylp

Updated VS2005 and eVC projects in r1505

comment:8 Changed 10 years ago by bennylp

r1511: Updated the libmilenage Visual Studio project with the option to use /MD instead of /MT
