Can't Explain RTSP Authentication (Basic and Digest)


Certain camera manufacturers do not support Basic auth. Axis, for example, has eliminated support for it in recent releases.

Author: Tek Tengu

Technologist, security operative, and seeker.

Updated on June 28, 2022

Comments

  • Tek Tengu
    Tek Tengu almost 2 years

    I apologize up front for the long post. Looking for any insight and help...

    So I was trying to write a simple RTSP authentication grinder in Python. I ran across an RTSP port on a (camera) in a test and when I accessed it I got back:

    Received, 'RTSP/1.0 401 Unauthorized\r\n
    CSeq: 1\r\n
    Session:        645252166;timeout=60\r\n
    WWW-Authenticate: Digest realm="4419b63f5e51", nonce="8b84a3b789283a8bea8da7fa7d41f08b", stale="FALSE"\r\n
    WWW-Authenticate: Basic realm="4419b63f5e51"\r\nDate:  Sat, Aug 16 2014 02:22:28 GMT\r\n\r\n',
    

    As you can see, the response seems to indicate that the connection supports both Basic and Digest authentication. So I tried Basic first. I built the following message and sent it:

    SETUP rtsp://192.168.201.113 RTSP/1.0
    CSeq: 1
    Transport: RTP/AVP;unicast;client_port 4588-4589
    Authorization: Basic YWRtaW46NDQxOWI2M2Y1ZTUxOjEyMzQ=
    User-Agent: VLC media player (LIVE555 Streaming Media v2010.02.10)
    

    Where I base64 encoded the "user:password" and came up with "YWRtaW46NDQxOWI2M2Y1ZTUxOjEyMzQ=".

    Again this kicks back the 401 Unauthorized error.

    So I whip out VLC and attempt to connect, just to make sure that the creds actually work, and in the VLC connection string I enter:

    rtsp://user:pass@:554

    Works like a charm!

    So I fire up Wireshark to see what it is doing and watch the traffic. Under the hood, instead of basic authentication, VLC is using digest authentication.

    So first question is, does basic authentication work with RTSP or is it lying to me? If it is supposed to, what am I missing to get it working?

    To what I know works. So I try to build something with Digest based authentication. First thing I need to figure out, after reading several sites on digest authentication, are the parameters it is using. From the 401 response all I have is:

    1. realm
    2. nonce

    I don't have any qop, nor do I see in the outbound VLC message a cnonce. I assume we are using the basic form of Digest authentication where:

    H(A1) = MD5(user:realm:pass)
    H(A2) = MD5(method:digestURI)
    response = MD5(H(A1):nonce:H(A2))
    

    My specific values are:

    H(A1) = MD5(admin:4419b63f5e51:1234) = d43b7f7d7f627da1aded72517f2a3c6c
    H(A2) = MD5(DESCRIBE:rtsp://192.168.201.113) = a7c212739387f1550970752dc7a17fa2
    response = MD5(d43b7f7d7f627da1aded72517f2a3c6c:57fa10a142d6c1f9e3dfabccc3ba045d:a7c212739387f1550970752dc7a17fa2) = 33477d22629eb37a6fc2d3435f03eb81
    

    The specific response that VLC is sending is:

    0bde767876cbe8e6a6dfbba3c62c6db1

    != 33477d22629eb37a6fc2d3435f03eb81

    They don't match!! ??

    There is not the proper information present to do the other form of Digest Auth, so what is going on here?

  • Tek Tengu
    Tek Tengu almost 10 years
    That is the correct user/pass combo; if you look down where I state the specific values, I state it is admin/1234.
  • Tek Tengu
    Tek Tengu almost 10 years
    Basic auth does not work. I tried several variations online and none of them worked. Nor did VLC use basic auth. That 4419b63f5e51 string is the realm value provided by the device I am connecting to.
  • pragnesh
    pragnesh almost 10 years
    In the case of basic authentication, the realm string is not required at all. You just need to use username and password. So your correct SETUP request should contain the following Authentication header "Authorization: Basic YWRtaW46MTIzNA=="
  • Tek Tengu
    Tek Tengu almost 10 years
    I did not use the realm for basic auth. I know how to do it, it didn't work. I have read that document and dozens of others. Trust me.
  • pragnesh
    pragnesh almost 10 years
    SETUP rtsp://192.168.201.113 RTSP/1.0
    CSeq: 1
    Transport: RTP/AVP;unicast;client_port 4588-4589
    Authorization: Basic YWRtaW46NDQxOWI2M2Y1ZTUxOjEyMzQ=
    User-Agent: VLC media player (LIVE555 Streaming Media v2010.02.10)

    The Base64 string in your request is wrong if the user name and password are admin and 1234 respectively.
  • waqaslam
    waqaslam over 7 years
    Do you know what type of Authorization Axis uses?
  • ThiefMaster
    ThiefMaster almost 6 years
    They use HTTP digest auth
  • MSalters
    MSalters over 4 years
    While this is a valid remark, it's not an answer. Axis cameras do not reply with "WWW-Authenticate: Basic realm=...".
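
The header construction discussed in this thread, as an added example that is not part of the original post or comments: it parses the two `WWW-Authenticate` challenges from the quoted 401, builds the Basic and no-qop Digest (RFC 2617) `Authorization` values, and decodes a Basic token to show what it carries. The function names are hypothetical; the realm, nonce, URI and admin/1234 values are the ones quoted in the question.

```python
import base64
import hashlib
import re

# Constructed input: the challenge headers of the 401 quoted in the question.
CHALLENGE_401 = (
    "RTSP/1.0 401 Unauthorized\r\nCSeq: 1\r\n"
    'WWW-Authenticate: Digest realm="4419b63f5e51", '
    'nonce="8b84a3b789283a8bea8da7fa7d41f08b", stale="FALSE"\r\n'
    'WWW-Authenticate: Basic realm="4419b63f5e51"\r\n\r\n'
)

def parse_challenges(response: str) -> dict:
    """Map each offered scheme (lowercased) to its quoted parameters."""
    offers = {}
    for line in response.split("\r\n"):
        name, _, value = line.partition(":")
        if name.strip().lower() != "www-authenticate":
            continue
        scheme, _, params = value.strip().partition(" ")
        offers[scheme.lower()] = dict(re.findall(r'(\w+)="([^"]*)"', params))
    return offers

def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode()).hexdigest()

def digest_response(user, password, realm, nonce, method, uri) -> str:
    """RFC 2617 response for a challenge without qop (no cnonce, no nc)."""
    ha1 = md5_hex(f"{user}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")   # uri must equal the uri= value sent
    return md5_hex(f"{ha1}:{nonce}:{ha2}")

def digest_authorization(user, password, offer, method, uri) -> str:
    """Authorization header value answering a parsed Digest challenge."""
    resp = digest_response(user, password, offer["realm"], offer["nonce"], method, uri)
    return (f'Digest username="{user}", realm="{offer["realm"]}", '
            f'nonce="{offer["nonce"]}", uri="{uri}", response="{resp}"')

def basic_authorization(user, password) -> str:
    """Basic carries base64("user:password"); the realm is not part of it."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

def decode_basic(header_value: str) -> str:
    """Recover the cleartext a Basic token carries, for debugging a 401."""
    return base64.b64decode(header_value.split()[-1]).decode()

if __name__ == "__main__":
    offers = parse_challenges(CHALLENGE_401)
    print(digest_authorization("admin", "1234", offers["digest"], "DESCRIBE", "rtsp://192.168.201.113"))
    print(decode_basic("Basic YWRtaW46NDQxOWI2M2Y1ZTUxOjEyMzQ="))
```

Decoding the Basic token from the question's SETUP request yields `admin:4419b63f5e51:1234`, and a Digest response only matches when the nonce and URI string fed to the hash are the ones the server issued and the client sends in `uri=`.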