23.4.2 Tunneling Integrity and Authentication

Tunneling SIP messages within S/MIME bodies can provide integrity for SIP header fields if the header fields that the sender wishes to secure are replicated in a "message/sip" MIME body signed with a CMS detached signature.

Provided that the "message/sip" body contains at least the fundamental dialog identifiers (To, From, Call-ID, CSeq), then a signed MIME body can provide limited authentication. At the very least, if the certificate used to sign the body is unknown to the recipient and cannot be verified, the signature can be used to ascertain that a later request in a dialog was transmitted by the same certificate-holder that initiated the dialog. If the recipient of the signed MIME body has some stronger incentive to trust the certificate (they were able to validate it, they acquired it from a trusted repository, or they have used it frequently), then the signature can be taken as a stronger assertion of the identity of the subject of the certificate.

In order to eliminate possible confusion about the addition or subtraction of entire header fields, senders SHOULD replicate all header fields from the request within the signed body. Any message bodies that require integrity protection MUST be attached to the "inner" message.

If a Date header is present in a message with a signed body, the recipient SHOULD compare the header field value with its own internal clock, if applicable. If a significant time discrepancy is detected (on the order of an hour or more), the user agent SHOULD alert the user to the anomaly, and note that it is a potential security breach.

If an integrity violation in a message is detected by its recipient, the message MAY be rejected with a 403 (Forbidden) response if it is a request, or any existing dialog MAY be terminated. UAs SHOULD notify users of this circumstance and request explicit guidance on how to proceed.

The following is an example of the use of a tunneled "message/sip" body:

   INVITE sip:bob@biloxi.com SIP/2.0
   Via: SIP/2.0/UDP pc33.atlanta.com;branch=z9hG4bKnashds8
   To: Bob <sip:bob@biloxi.com>
   From: Alice <sip:alice@atlanta.com>;tag=1928301774
   Call-ID: a84b4c76e66710
   CSeq: 314159 INVITE
   Max-Forwards: 70
   Date: Thu, 21 Feb 2002 13:02:03 GMT
   Contact: <sip:alice@pc33.atlanta.com>
   Content-Type: multipart/signed;
     protocol="application/pkcs7-signature";
     micalg=sha1; boundary=boundary42
   Content-Length: 568

   --boundary42
   Content-Type: message/sip

   INVITE sip:bob@biloxi.com SIP/2.0
   Via: SIP/2.0/UDP pc33.atlanta.com;branch=z9hG4bKnashds8
   To: Bob <bob@biloxi.com>
   From: Alice <alice@atlanta.com>;tag=1928301774
   Call-ID: a84b4c76e66710
   CSeq: 314159 INVITE
   Max-Forwards: 70
   Date: Thu, 21 Feb 2002 13:02:03 GMT
   Contact: <sip:alice@pc33.atlanta.com>
   Content-Type: application/sdp
   Content-Length: 147

   v=0
   o=UserA 2890844526 2890844526 IN IP4 here.com
   s=Session SDP
   c=IN IP4 pc33.atlanta.com
   t=0 0
   m=audio 49172 RTP/AVP 0
   a=rtpmap:0 PCMU/8000

   --boundary42
   Content-Type: application/pkcs7-signature; name=smime.p7s
   Content-Transfer-Encoding: base64
   Content-Disposition: attachment; filename=smime.p7s;
      handling=required

   ghyHhHUujhJhjH77n8HHGTrfvbnj756tbB9HG4VQpfyF467GhIGfHfYT6
   4VQpfyF467GhIGfHfYT6jH77n8HHGghyHhHUujhJh756tbB9HGTrfvbnj
   n8HHGTrfvhJhjH776tbB9HG4VQbnj7567GhIGfHfYT6ghyHhHUujpfyF4
   7GhIGfHfYT64VQbnj756

   --boundary42--
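The recipient-side procedure this section describes (verify the signature over the "message/sip" part, require the fundamental dialog identifiers in it, compare the replicated header fields with the outer request, check the Date against the local clock, and answer an integrity violation with 403) is shown below as an added example; it is not code from RFC 3261 or any SIP implementation. The CMS detached signature that a real S/MIME stack would produce and verify is replaced by a labelled stand-in (HMAC-SHA256 over the inner message bytes under a constructed key) so the example runs with the Python standard library alone; the sample INVITE is constructed from the header values of the message above, and the key, clock value and the `NOT_COMPARED` list of proxy-rewritten fields are the example's own assumptions.

```python
"""Recipient-side checks for a tunneled "message/sip" body (RFC 3261 23.4.2).
Added example, not RFC 3261 code: the CMS detached signature a real S/MIME stack
produces is replaced by an HMAC-SHA256 stand-in so this runs with the stdlib."""
import hashlib
import hmac
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

CRLF = "\r\n"
DIALOG_IDENTIFIERS = ("to", "from", "call-id", "cseq")  # required in the inner body
# Fields a proxy legitimately rewrites, or that describe the outer/inner bodies (assumption).
NOT_COMPARED = ("via", "max-forwards", "content-type", "content-length")
MAX_DATE_SKEW = timedelta(hours=1)          # "on the order of an hour or more"
KEY = b"constructed-demo-key"               # constructed stand-in for the signer's key

def parse_sip(raw):
    """Split a SIP message into (start line, {lower-case name: [values]}, body)."""
    head, _, body = raw.partition(CRLF + CRLF)
    lines = head.split(CRLF)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0], headers, body

def sign_inner(inner_raw, key):
    """Stand-in for the CMS detached signature over the "message/sip" part."""
    return hmac.new(key, inner_raw.encode(), hashlib.sha256).hexdigest()

def split_multipart(body, boundary):
    """Return [(part headers, part body)] for a two-part multipart/signed body."""
    parts = []
    for chunk in body.split("--" + boundary)[1:]:
        if chunk.startswith("--"):
            break                                   # closing delimiter reached
        head, _, pbody = chunk.removeprefix(CRLF).partition(CRLF + CRLF)
        pheaders = {k.strip().lower(): v.strip()
                    for k, v in (line.split(":", 1) for line in head.split(CRLF))}
        parts.append((pheaders, pbody.removesuffix(CRLF)))  # CRLF belongs to boundary
    return parts

def check_tunneled_request(outer_raw, key, now):
    """Return ("accept" | "403 Forbidden", [notes the UA should show the user])."""
    _, outer, body = parse_sip(outer_raw)
    ctype = outer.get("content-type", [""])[0]
    params = dict(p.strip().split("=", 1) for p in ctype.split(";")[1:])
    (ihdrs, inner_raw), (_, sig) = split_multipart(body, params["boundary"].strip('"'))
    if ihdrs.get("content-type") != "message/sip":
        return "403 Forbidden", ["first part is not message/sip"]
    if not hmac.compare_digest(sig, sign_inner(inner_raw, key)):
        return "403 Forbidden", ["signature over inner message does not verify"]
    _, inner, _ = parse_sip(inner_raw)
    for name in DIALOG_IDENTIFIERS:                 # limited authentication needs these
        if name not in inner:
            return "403 Forbidden", [f"inner message lacks {name}"]
    for name, values in inner.items():              # replicated fields must agree
        if name not in NOT_COMPARED and outer.get(name) != values:
            return "403 Forbidden", [f"{name} differs between outer and signed inner message"]
    notes = []
    date = inner.get("date") or outer.get("date")
    if date:                                        # Date vs. local clock: alert only
        skew = abs(now - parsedate_to_datetime(date[0]))
        if skew > MAX_DATE_SKEW:
            notes.append(f"Date is {skew} from local clock: potential security breach")
    return "accept", notes

# Constructed sample reusing the header values of the section's example message.
START = "INVITE sip:bob@biloxi.com SIP/2.0"
COMMON = [("Via", "SIP/2.0/UDP pc33.atlanta.com;branch=z9hG4bKnashds8"),
          ("To", "Bob <sip:bob@biloxi.com>"),
          ("From", "Alice <sip:alice@atlanta.com>;tag=1928301774"),
          ("Call-ID", "a84b4c76e66710"), ("CSeq", "314159 INVITE"),
          ("Max-Forwards", "70"), ("Date", "Thu, 21 Feb 2002 13:02:03 GMT"),
          ("Contact", "<sip:alice@pc33.atlanta.com>")]
SDP = CRLF.join(["v=0", "o=UserA 2890844526 2890844526 IN IP4 here.com", "s=Session SDP",
                 "c=IN IP4 pc33.atlanta.com", "t=0 0", "m=audio 49172 RTP/AVP 0",
                 "a=rtpmap:0 PCMU/8000"]) + CRLF
NOW = datetime(2002, 2, 21, 13, 5, tzinfo=timezone.utc)   # recipient's clock (constructed)

def sip_message(start, headers, body):
    return CRLF.join([start] + [f"{n}: {v}" for n, v in headers]) + CRLF + CRLF + body

def build_tunneled(common, sdp, key, boundary="boundary42"):
    """Sender side: replicate every header field into the signed inner message."""
    inner = sip_message(START, common + [("Content-Type", "application/sdp"),
                                         ("Content-Length", str(len(sdp)))], sdp)
    body = (f"--{boundary}{CRLF}Content-Type: message/sip{CRLF}{CRLF}{inner}{CRLF}"
            f"--{boundary}{CRLF}Content-Type: application/pkcs7-signature; name=smime.p7s"
            f"{CRLF}Content-Disposition: attachment; filename=smime.p7s; handling=required"
            f"{CRLF}{CRLF}{sign_inner(inner, key)}{CRLF}--{boundary}--{CRLF}")
    ctype = ('multipart/signed; protocol="application/pkcs7-signature"; '
             f"micalg=sha256; boundary={boundary}")
    return sip_message(START, common + [("Content-Type", ctype),
                                        ("Content-Length", str(len(body)))], body)

GOOD = build_tunneled(COMMON, SDP, KEY)
```

`check_tunneled_request(GOOD, KEY, NOW)` accepts the untouched request. Rewriting the outer, unsigned Contact (the first occurrence in `GOOD`) leaves the signature valid but makes the replicated field disagree, which is the integrity violation the section maps to 403; rewriting the Contact inside the signed part fails the signature check instead, and a Date an hour or more away from `NOW` is accepted with the user-facing note rather than rejected. Via and Max-Forwards are excluded from the comparison only because proxies rewrite them in transit; a deployment that wants them checked should compare the bottom-most Via instead of skipping the field.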