The Session Initiation Protocol (SIP) is a signaling protocol that provides a mechanism for a computing device to locate another device it wants to communicate with over a computer network and to establish a communication session therewith. In this context, the first device is typically referred to as the “caller,” the second device as the “callee,” and both are “SIP clients.” SIP is a versatile protocol and has been used for establishing communication sessions in many different scenarios. For instance, SIP is used for Internet conferencing, telephony, presence, event notification, and instant messaging. An important strength of SIP is its support of personal mobility by providing the ability to reach a called party (user) under a single location-independent address even when the called party has moved to a different computer.
One common mode of session initiation under SIP is the “proxy mode.” In this mode, the caller sends an INVITE message identifying the intended callee by an e-mail-like address. This INVITE message is typically first sent to an outbound SIP proxy of the caller's SIP client. The outbound SIP proxy then forwards the INVITE message, often through other intermediate SIP proxies, to a SIP proxy with which the callee has registered, which then sends the INVITE to the callee. The acceptance message (“200 OK”) of the callee is returned through the signaling chain to the caller, which can then communicate with the callee through a media channel that is typically different from the signaling channel. Because of the important role of the SIP proxies in the session initiation operations, several client-server authentication mechanisms have been proposed for use with SIP for authentication between SIP clients and SIP proxies.
One existing problem with SIP is that it has a two-tier routing system that requires both a Directory Naming Service (DNS) and a registration database to provide routing information. This two-tier system makes it difficult for the end users to authenticate each other. Traditional authentication schemes proposed for use with SIP for client-server authentication do not effectively address this problem. For instance, the DIGEST and NTLM mechanisms require the use of user passwords, which is not suitable for user-to-user authentication. The Kerberos scheme, another proposed client-server authentication mechanism for SIP, typically employs domain-based ticket-granting agents and is difficult to deploy in cross-domain communications. Currently, there is no standards-based mechanism that allows authentication between end users communicating under the SIP protocol.
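The proxy-mode exchange and the two-tier routing described above can be made concrete with a small simulation. The following Python model is an added example, not code from the original text: the domain names, proxy host names, registration records and Call-ID are constructed for illustration, and the lookups stand in for the DNS query and registration-database query that real proxies perform. It shows the INVITE being forwarded by the caller's outbound proxy (which resolves the callee's domain) and then by the callee's domain proxy (which resolves the registered contact), with each proxy stacking a Via header, and the 200 OK walking that Via stack back to the caller. Note that every routing decision is taken by a proxy, not by either end user, which is why the authentication mechanisms that fit this design naturally bind a client to a proxy rather than one user to another.

```python
"""Toy model of SIP proxy-mode routing: INVITE out through the proxy chain,
200 OK back along the Via headers. Added example; all names are constructed."""
from dataclasses import dataclass, field

# Tier one (stands in for DNS): SIP domain -> host of the proxy serving it.
DNS = {
    "example.com": "proxy.example.com",
    "example.net": "proxy.example.net",
}

# Tier two (stands in for the registration database): address-of-record ->
# the contact where that user is currently registered. Constructed data.
REGISTRATIONS = {
    "sip:bob@example.net": "sip:bob@laptop.example.net",
}


class RoutingError(Exception):
    """Raised when either routing tier cannot resolve the callee."""


@dataclass
class SipMessage:
    start_line: str
    headers: dict = field(default_factory=dict)
    vias: list = field(default_factory=list)  # topmost Via first, as on the wire

    def render(self) -> str:
        lines = [self.start_line]
        lines += [f"Via: SIP/2.0/UDP {v}" for v in self.vias]
        lines += [f"{k}: {v}" for k, v in self.headers.items()]
        return "\r\n".join(lines) + "\r\n\r\n"


def hostpart_of(sip_uri: str) -> str:
    """'sip:bob@example.net;transport=udp' -> 'example.net'."""
    return sip_uri.split("@", 1)[1].split(";", 1)[0]


def route_invite(caller_uri: str, callee_aor: str, outbound_proxy: str):
    """Forward an INVITE from the caller to the callee's registered contact.

    Returns (hops, invite): the proxies traversed in order, and the INVITE as
    it arrives at the callee. Each proxy pushes its own Via so the response
    can retrace the path without any proxy keeping per-call state.
    """
    invite = SipMessage(
        start_line=f"INVITE {callee_aor} SIP/2.0",
        headers={"From": f"<{caller_uri}>", "To": f"<{callee_aor}>",
                 "Call-ID": "constructed-call-id-1"},
        vias=[hostpart_of(caller_uri)],  # the caller's own Via
    )
    hops = []

    # Hop 1: the caller's outbound proxy uses tier one to find the proxy
    # responsible for the callee's domain.
    hops.append(outbound_proxy)
    invite.vias.insert(0, outbound_proxy)
    callee_domain = hostpart_of(callee_aor)
    inbound_proxy = DNS.get(callee_domain)
    if inbound_proxy is None:
        raise RoutingError(f"no DNS record for domain {callee_domain}")

    # Hop 2: the callee's domain proxy uses tier two to find where the
    # callee is registered right now, then rewrites the Request-URI to it.
    # The To header keeps the callee's address-of-record.
    hops.append(inbound_proxy)
    invite.vias.insert(0, inbound_proxy)
    contact = REGISTRATIONS.get(callee_aor)
    if contact is None:
        raise RoutingError(f"{callee_aor} is not registered")
    invite.start_line = f"INVITE {contact} SIP/2.0"
    return hops, invite


def route_response(invite: SipMessage):
    """Return a 200 OK along the reverse of the Via chain.

    The callee sends to the topmost Via; each proxy strips the Via it added
    and forwards to the new top, until only the caller's Via remains.
    Returns (path, response): the proxies traversed and the final message.
    """
    ok = SipMessage(start_line="SIP/2.0 200 OK",
                    headers=dict(invite.headers), vias=list(invite.vias))
    path = []
    while len(ok.vias) > 1:
        path.append(ok.vias.pop(0))
    return path, ok


if __name__ == "__main__":
    hops, inv = route_invite("sip:alice@pc1.example.com",
                             "sip:bob@example.net", "proxy.example.com")
    print("INVITE via", " -> ".join(hops))
    print(inv.render())
    back, ok = route_response(inv)
    print("200 OK via", " -> ".join(back))
    print(ok.render())
```

Running the module prints the INVITE as the callee receives it (two proxy Vias above the caller's) and the 200 OK as the caller receives it (only the caller's Via left). Unresolvable domains and unregistered users raise `RoutingError` at the tier that failed, which is also where a real deployment would see a 404 or 480 response generated.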