Hi All,
I have a query regarding "qop" and "cnonce" fields in Digest Authentication procedure. Looks like some gap in the specs. Please provide your input.
 
The problem is that if the qop parameter does not arrive in the Challenge
(401/407) and the algo for the session is "MD5-sess", then Hash Key A1 is built with "cnonce-value" at the client, but "cnonce-value" is not sent to the Server in the subsequent Requests.

Then how will the Server decode the response without the "cnonce-value"?

Does it mean that if Algo is "MD5-Sess", then qop parameter MUST be supplied to the client in the Challenge?
 
Quoted from RFC 2617, Sec 3.2.2:

"If qop (Quality of Protection) is not sent to the Client then cnonce
value and nonce-count value MUST NOT be specified in the subsequent
requests."

AND
(construction of the Hash Key A1)

If Algo is "MD5-sess" then A1 is calculated as
A1 = H(unq(username-value) ":" unq(realm-value) ":" passwd) ":"
unq(nonce-value) ":" unq(cnonce-value)

where A1 is the Session Key for authentication of subsequent requests and
responses.

A1 is used to calculate the response-digest along with the second hash
Key A2.

Best regards,

Sanjay Dhand
 
Software Engineer
ipDialog India Pvt Ltd
453, Udyog Vihar phase 5,
Gurgaon INDIA.
 
ph: (91) (120) 6399051, 6399657/58
cell: 9810309914
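
The situation the post describes, worked through in code. This is an added example, not part of the original message or of any ipDialog software: it implements the RFC 2617 H(), KD(), A1, A2 and request-digest constructions, a client that follows the quoted rule (cnonce and nc are sent only when the challenge carried qop), and a server that tries to recompute the digest from nothing but the directives it actually received. The function names and the use of the RFC 2617 section 3.5 sample credentials ("Mufasa", realm "testrealm@host.com", password "Circle Of Life") are choices made for this example.

```python
import hashlib
import hmac

# Added example (not from the original post): RFC 2617 Digest computations,
# written to show the gap the question describes. With algorithm=MD5-sess and
# no qop in the challenge, the client folds a cnonce into A1 but, per the rule
# the post quotes, never transmits it, so the server cannot rebuild A1.


def H(data: str) -> str:
    """RFC 2617 H(): lowercase hex MD5 of the string."""
    return hashlib.md5(data.encode("utf-8")).hexdigest()


def KD(secret: str, data: str) -> str:
    """RFC 2617 KD(secret, data) = H(secret ":" data)."""
    return H(f"{secret}:{data}")


def build_a1(username, realm, password, algorithm="MD5", nonce=None, cnonce=None):
    """A1 per RFC 2617 3.2.2.2. The MD5-sess form needs both nonce and cnonce."""
    base = f"{username}:{realm}:{password}"
    if algorithm.lower() == "md5-sess":
        if nonce is None or cnonce is None:
            raise ValueError("MD5-sess: A1 cannot be built without nonce and cnonce")
        return f"{H(base)}:{nonce}:{cnonce}"
    return base


def build_a2(method, uri, qop=None, entity_body=""):
    """A2 per RFC 2617 3.2.2.3; auth-int additionally covers the entity body."""
    if qop == "auth-int":
        return f"{method}:{uri}:{H(entity_body)}"
    return f"{method}:{uri}"


def digest_response(username, realm, password, method, uri, nonce,
                    algorithm="MD5", qop=None, cnonce=None, nc=None, entity_body=""):
    """request-digest: RFC 2617 3.2.2.1 form when qop is present,
    RFC 2069-compatible form when the challenge carried no qop."""
    a1 = build_a1(username, realm, password, algorithm, nonce, cnonce)
    a2 = build_a2(method, uri, qop, entity_body)
    if qop in ("auth", "auth-int"):
        return KD(H(a1), f"{nonce}:{nc}:{cnonce}:{qop}:{H(a2)}")
    return KD(H(a1), f"{nonce}:{H(a2)}")


def client_authorization(username, realm, password, method, uri, nonce,
                         algorithm="MD5", qop=None, cnonce=None, nc="00000001"):
    """Directives a client places in the Authorization header.

    cnonce and nc are sent only when the challenge carried qop (the rule the
    post quotes). For MD5-sess the locally generated cnonce is still used
    inside A1 even when it cannot be sent, which is exactly the problem.
    """
    response = digest_response(username, realm, password, method, uri, nonce,
                               algorithm, qop, cnonce, nc if qop else None)
    directives = {"username": username, "realm": realm, "nonce": nonce,
                  "uri": uri, "response": response, "algorithm": algorithm}
    if qop:
        directives.update({"qop": qop, "cnonce": cnonce, "nc": nc})
    return directives


def server_verify(password, method, directives, entity_body=""):
    """Recompute the digest from only what the client actually sent.

    Returns True/False for a checkable request, or None when the request is
    unverifiable: MD5-sess was used but no cnonce ever reached the server.
    """
    algorithm = directives.get("algorithm", "MD5")
    cnonce = directives.get("cnonce")
    if algorithm.lower() == "md5-sess" and cnonce is None:
        return None  # A1 depends on a value that exists only on the client
    expected = digest_response(
        directives["username"], directives["realm"], password, method,
        directives["uri"], directives["nonce"], algorithm,
        directives.get("qop"), cnonce, directives.get("nc"), entity_body)
    return hmac.compare_digest(expected, directives["response"])
```

Running `client_authorization(...)` with `algorithm="MD5-sess"` and `qop=None` produces an Authorization set without a cnonce directive, and `server_verify` on that set returns None rather than True or False: there is no value the server could plug into A1. The same call with `qop="auth"` carries the cnonce and verifies normally, which is the practical answer to the question: a server that offers MD5-sess should also offer qop, and a server that receives MD5-sess without a cnonce should treat the request as unverifiable rather than try to guess.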
