The authentication framework for the Session Initiation Protocol (SIP, RFC 3261) closely parallels that of the Hypertext Transfer Protocol (HTTP) Digest Access Authentication (RFC 2617). RFC 2617 was obsoleted by RFC 7616, which introduces more secure digest algorithms (e.g., SHA-256 and SHA-512-256). This document updates the authentication scheme used by SIP to add support for these more secure algorithms that are listed in the "Hash Algorithms for HTTP Digest Authentication" registry created by RFC 7616. Although the MD5 algorithm is considered cryptographically broken, it is still supported for backward compatibility.
Working Group Summary
Work on this topic (initially as draft-yusef-sipcore-digest-scheme) started in January 2014, somewhat in parallel with the HTTP Digest Access Authentication work [RFC7616]. The SIPCORE participants who voiced an opinion thought it was a good idea and provided careful reviews. The draft went through multiple iterations as feedback was incorporated. There was no pushback against the concept on-list; however, at the London IETF 89 SIPCORE WG session, the point was raised that SIP authentication in general needed an overhaul, not just the digest scheme. While some work went into that effort, both that new work and draft-yusef-sipcore-digest-scheme expired about six months later. In 2017 the author resurrected the draft, which again received support and feedback but expired later in the year. It was resurrected again in spring 2019 and adopted as a WG item.
The content of this document has been implemented and deployed in mobile IMS networks. Several reviewers provided substantial feedback and they have been thanked in the Acknowledgments section. The content of the document does not require expert review.
Document Shepherd: Jean Mahoney
Responsible Area Director: Adam Roach