[asterisk-users] SIP password encryption

2009-02-09 Thread Chris Rowson
A really, really quick question here!

Am I right in thinking that all passwords sent across the network in
Asterisk are MD5 encrypted without me having to specifically set anything up
to make it happen?

Thanks so much!

Chris
___
-- Bandwidth and Colocation Provided by http://www.api-digital.com --

asterisk-users mailing list
To UNSUBSCRIBE or update options visit:
   http://lists.digium.com/mailman/listinfo/asterisk-users

Re: [asterisk-users] SIP password encryption

2009-02-09 Thread Chris Rowson

> A really, really quick question here!
>
> Am I right in thinking that all passwords sent across the network in
> Asterisk are MD5 encrypted without me having to specifically set anything up
> to make it happen?
>
> Thanks so much!
>
> Chris


Sorry, I forgot to add when using the SIP protocol

Re: [asterisk-users] SIP password encryption

2009-02-09 Thread Kevin P. Fleming
Chris Rowson wrote:

> Am I right in thinking that all passwords sent across the network in
> Asterisk are MD5 encrypted without me having to specifically set
> anything up to make it happen?

The simple answer is 'yes', the correct answer is 'no' :-)

MD5 is not encryption, it is a digest (hash) function.

What happens in SIP (and HTTP basic auth) is that the shared secret (the
password) is run through a supposedly secure digest function (MD5),
along with a shared non-secret value (the nonce). The result of this
digest function is then sent to the other party, which does the same
calculation and compares the result. If the result matches, then the
shared secret must have been the same.

So, since your goal is to avoid the secret being sent unprotected, that
is the case; the password is *never* sent across the wire, even when
encryption is in use (SIP over TLS, for example).

-- 
Kevin P. Fleming
Digium, Inc. | Director of Software Technologies
445 Jan Davis Drive NW - Huntsville, AL 35806 - USA
skype: kpfleming | jabber: kpflem...@digium.com
Check us out at www.digium.com  www.asterisk.org
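
The exchange described in the reply above, as an added example that is not part of the original thread: both sides of the RFC 2617 digest calculation that SIP authentication uses, with the server repeating the client's computation over its own nonce. The extension number, realm, secret and URI are constructed values.

```python
import hashlib
import hmac
import secrets


def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def ha1(username: str, realm: str, password: str) -> str:
    """Digest of the shared secret; a server can store this instead of the password."""
    return md5_hex(f"{username}:{realm}:{password}")


def digest_response(ha1_hex, method, uri, nonce, qop=None, nc=None, cnonce=None):
    """RFC 2617 response value; without qop it is MD5(HA1:nonce:HA2)."""
    ha2 = md5_hex(f"{method}:{uri}")
    if qop == "auth":
        return md5_hex(f"{ha1_hex}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")
    return md5_hex(f"{ha1_hex}:{nonce}:{ha2}")


def server_verify(stored_ha1, issued_nonce, method, uri, received, **qop_fields):
    """Server side: redo the calculation with the nonce it issued and compare."""
    expected = digest_response(stored_ha1, method, uri, issued_nonce, **qop_fields)
    return hmac.compare_digest(expected, received)  # constant-time comparison


def demo():
    # Constructed values, not taken from the thread.
    user, realm, secret = "6001", "asterisk", "constructed-example-secret"
    uri = "sip:pbx.example.invalid"
    stored = ha1(user, realm, secret)        # what the server keeps on file
    nonce = secrets.token_hex(8)             # sent to the client in the 401 challenge
    # Client side: only this hex string travels in the Authorization header.
    response = digest_response(ha1(user, realm, secret), "REGISTER", uri, nonce)
    accepted = server_verify(stored, nonce, "REGISTER", uri, response)
    # The same response presented against a fresh nonce is rejected.
    replayed = server_verify(stored, secrets.token_hex(8), "REGISTER", uri, response)
    return accepted, replayed, secret in response


if __name__ == "__main__":
    print(demo())
```

The response only proves knowledge of the secret for one nonce, so the server must issue a fresh nonce per challenge for the replay check to hold.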



Re: [asterisk-users] SIP password encryption

2009-02-09 Thread Chris Rowson
On Mon, Feb 9, 2009 at 9:28 PM, Kevin P. Fleming kpflem...@digium.com wrote:

> Chris Rowson wrote:
>
> > Am I right in thinking that all passwords sent across the network in
> > Asterisk are MD5 encrypted without me having to specifically set
> > anything up to make it happen?
>
> The simple answer is 'yes', the correct answer is 'no' :-)
>
> MD5 is not encryption, it is a digest (hash) function.
>
> What happens in SIP (and HTTP basic auth) is that the shared secret (the
> password) is run through a supposedly secure digest function (MD5),
> along with a shared non-secret value (the nonce). The result of this
> digest function is then sent to the other party, which does the same
> calculation and compares the result. If the result matches, then the
> shared secret must have been the same.
>
> So, since your goal is to avoid the secret being sent unprotected, that
> is the case; the password is *never* sent across the wire, even when
> encryption is in use (SIP over TLS, for example).
>
> --
> Kevin P. Fleming
> Digium, Inc. | Director of Software Technologies
> 445 Jan Davis Drive NW - Huntsville, AL 35806 - USA
> skype: kpfleming | jabber: kpflem...@digium.com
> Check us out at www.digium.com  www.asterisk.org

Thanks for taking the time to write such a comprehensive answer, Kevin!

Cheers

Chris