How does md5-auth (pjsip with md5_cred) work?

I am using pjsip with md5 auth for my phones.
example with random values:

type = auth
username = alice
auth_type = md5
md5_cred = 700d85bf1a3cc76ee39e04d633575b9a

I create the hashes with md5(USERNAME:REALM:PASSWORD).
works perfect, no problems at all.

But today I noticed that I would like to understand how this works (and I am sorry if this is stupid question).
How can asterisk verify that? I mean, for my understanding asterisk has to do also something like md5(USERNAME:REALM:PASSWORD) to verify if the hash fits the registration submitted by a phone. But how can asterisk do that? As far as I know asterisk never sees the plaintext password because in typical registration dialogs it always comes combined with a nonce.

Thank you so much for any information about that.

That’s not the end md5 hash. Multiple md5 hashes occur, and the value of md5_cred is just part of it and fed into another.

Thank you, I apreciate your fast reply.
I know that the md5_cred that I provide in my config is not the end hash. Still I don’t understand how this is done.
Phone sends a register, asterisk sends an “Unauthorized” with a nonce in the Authenticate header. Client responds with a “response” that contains the credentials (multiple) hashed together with the nonce. So everything that asterisk now has is the nonce, the response and the md5_cred. And since no one can get the password out of the response, I really would like to understand how asterisk now can tell that this is valid or not.

If the locally produced hash matches the one from the remote side, then they match and it is correct. So to be more specific, it’s not checking that the password alone is correct. It’s checking that everything involved in creation of the hash is correct - realm, username, password, SIP method used, URI

Yes. But how can asterisk build a local hash without having the password?

Ah, I think now I am beginning to understand. The client builds the response something like this (inspired by SIP authentication response with nonce in SIP header - Ask Admin ):

$a1 = md5_hex(“$authid:$realm:$pwd”);
$a2 = md5_hex(“$method:$uri”);
print md5_hex(“$a1:$nonce:$a2”), “\n”;

So since $a1 is already the same as our md5_cred, asterisk can do the same.

I understand now, sorry to bother so long. Thank you!