
wg-pic - [Larry Amiot] Digest Authentication with IPTEL SER and H.350

Subject: Presence and IntComm WG


[Larry Amiot] Digest Authentication with IPTEL SER and H.350


  • From: Ben Teitelbaum <>
  • To: Larry Amiot <>, wg-pic <>
  • Cc: Tyler Johnson <>, "Jill B. Gemmill" <>, Nadim Elkhoury <>
  • Subject: [Larry Amiot] Digest Authentication with IPTEL SER and H.350
  • Date: Thu, 10 Jun 2004 04:47:54 -0400

Larry,

This is very interesting and, by way of this note, I am forwarding to
the PIC working group. H.350-enabled single-sign-on (WiFi and SIP) is
among the goals that the PIC WG has set for the Austin, TX rich
presence trial.

We have not yet identified who is going to lead the back-end
integration with the meeting WiFi authentication system. Interested?

-- ben

--- Begin Message ---
  • From: Larry Amiot <>
  • To: "'VidMid-VC'" <>, videnet-testbed mailing list <>
  • Cc: (Jim Lindsay)
  • Subject: Digest Authentication with IPTEL SER and H.350
  • Date: Wed, 09 Jun 2004 14:38:34 -0500
  • List-archive: <https://mail.internet2.edu/wws/arc/vidmid-vc>
  • List-id: <vidmid-vc.internet2.edu>
  • Xref: curvaceous mail.inbox:55195
Jim Lindsay and I have been doing some work here at Northwestern University with SIP that I thought might interest you. We have put up a version of the IPTEL SER SIP server and are using it to register Windows Messenger, Wave3 Sessions, and French Telcom eCONF SIP clients.

What I think is of interest is that we have modified the SER SIP server so that all of the clients authenticate with SER using Digest and our H.350 LDAP server in a testbed environment.

First, we wrote a Perl program that allows users to create SIPIdentity records on the H.350 server. They input their SIP URL, their domain, user name, and their password using a Web form to build the SIPIdentity records on the H.350 server. The Perl script creates an MD5 encryption of the domain, user name, and password, and that is what is stored as the password in the SIPIdentity record.

When a SIP client tries to register with the SER server, the server challenges the client to authenticate using Digest and sends the client a nonce. The client forms an MD5 first of the domain, user name, and password and then another MD5 of the previous MD5 and the nonce. This is sent to the SER server. The server tries to authenticate the MD5 against its internal SQL database, and fails. We added code to the SER server that catches the failure. It picks up the MD5, nonce, and username from the SER code, searches the H.350 server for a record that has that user name, and gets the previously computed MD5 from that SIPIdentity record on the H.350 server. It does an MD5 of the nonce and the MD5 it got from the H.350 server and compares the result to the MD5 sent by the client. If they match, the client is authenticated. If they do not match, the SER tells the client that it is not authenticated.

We still have a little work to do to use ssh on some of the links. Also, I don't want to give the impression that we have interoperability between the clients I mentioned above or even that we have succeeded in getting Windows Messenger clients to do point to point video using the SER: Sessions to Sessions and eCONF to eCONF does work. The real success, however, is that all three clients can register and authenticate through SER using Digest and the H.350 server. ......Larry

***********************************************************************************     
                            Larry Amiot                 
Northwestern University         Argonne National Laboratory
NU Library 2 EAST                       Building 208
1970 Campus Drive                       9700 South Cass Ave.
Evanston, Illinois 60208-2323           Argonne, Illinois 60439
Video: 0011169 176885           Video: 0011169 125432
Phone: 847 467 6885                     Phone: 630 252 5432     
FAX 847 491 4132                        
Email:    Email:     
                                
***********************************************************************************        
--- End Message ---
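The server-side check described in the forwarded message, written out as an added example; it is not code from the thread or from the Northwestern SER modification. It follows the RFC 2617 Digest form without qop, which also hashes the SIP method and request URI into the response (a detail the message leaves out). The `DIRECTORY` dict standing in for the H.350 SIPIdentity lookup, the user `alice`, the realm `example.edu` and the single-use nonce set are assumptions made for illustration.

```python
import hashlib
import hmac


def md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def make_ha1(username, realm, password):
    """Computed once at enrolment; this is what the directory record stores."""
    return md5_hex(f"{username}:{realm}:{password}")


def digest_response(ha1, nonce, method, uri):
    """RFC 2617 response without qop: MD5(HA1:nonce:MD5(method:uri))."""
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{ha2}")


# Constructed stand-in for the H.350 lookup (hypothetical user and realm).
DIRECTORY = {"alice": make_ha1("alice", "example.edu", "constructed-password")}


def verify_register(username, nonce, uri, client_response, issued_nonces,
                    directory=DIRECTORY):
    """Return True only if the response matches the stored HA1 for this nonce."""
    # Accept only nonces this server handed out, and only once each,
    # so a captured response cannot be replayed.
    if nonce not in issued_nonces:
        return False
    issued_nonces.discard(nonce)

    ha1 = directory.get(username)
    if ha1 is None:
        return False

    expected = digest_response(ha1, nonce, "REGISTER", uri)
    # Constant-time comparison; bytes so that odd client input cannot raise.
    return hmac.compare_digest(expected.encode(),
                               client_response.lower().encode())


if __name__ == "__main__":
    nonces = {"constructed-nonce-1"}
    uri = "sip:example.edu"
    # The client derives the same HA1 from the password the user typed.
    client_ha1 = make_ha1("alice", "example.edu", "constructed-password")
    resp = digest_response(client_ha1, "constructed-nonce-1", "REGISTER", uri)
    print(verify_register("alice", "constructed-nonce-1", uri, resp, nonces))
```

The server never sees the cleartext password, but the stored HA1 is sufficient on its own to compute a valid response for that realm, so the directory attribute holding it needs the same access control and transport protection as a password.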



