Re: [asterisk-users] Asterisk encrypted authentication for clients

2015-11-02 Thread Motty

Thank you very much Dave,

_Motty

On 10/31/2015 10:47 AM, Dave Platt wrote:

Thanks Jeff, just to confirm, passwords are not sent in plain text? I
want to safeguard against man in the middle attacks, sniffing traffic of
clients.

That's correct.

The way it works is:

-  Both the client, and Asterisk, know what the password is.

-  The client sends a SIP message which would require authorization
(a register or invite, for example).  It provides the username
in the message.

-  The server generates a random "nonce" (basically a big random
number) and sends it back to the client... basically saying
"Use this nonce, and your password, to prove who you are."

-  The client combines the nonce, and the password, and uses the
combined data as input into a hashing function (I can't recall
whether MD-5, SHA-1, or something more modern is used).  I
*think* some of the other details of the original message are
also included in the hash but don't recall for certain.

-  The client re-sends the original message, and includes its
username, the nonce, and the hash.  It does not send the
password at all.

-  The server makes sure that the nonce is the most recent
one it sent, and that this is the first time the client has
sent back that particular nonce.  Once that's certain, the
server uses the nonce and its copy of the password to
compute the hash, and compares this with the hash the client
sent.

-  If the hashes match, the server "knows" that the client knows
the correct password (to a very high degree of certainty) and
it allows the command to proceed.  If they don't match, the
client doesn't know the password, and the command is rejected.

The hash functions that are used, are ones which would make it
extremely difficult (months or years of computing time) to
figure out what the password is, by breaking the hash algorithm.

Of course, if a "weak" (short, guessable) password is used, it
can be broken by a dictionary attack or brute force - the hash
technique can't defend against this.






--
_
-- Bandwidth and Colocation Provided by http://www.api-digital.com --
New to Asterisk? Join us for a live introductory webinar every Thurs:
  http://www.asterisk.org/hello

asterisk-users mailing list
To UNSUBSCRIBE or update options visit:
  http://lists.digium.com/mailman/listinfo/asterisk-users


Re: [asterisk-users] Asterisk encrypted authentication for clients

2015-10-31 Thread Dave Platt

> Thanks Jeff, just to confirm, passwords are not sent in plain text? I 
> want to safeguard against man in the middle attacks, sniffing traffic of 
> clients.

That's correct.

The way it works is:

-  Both the client, and Asterisk, know what the password is.

-  The client sends a SIP message which would require authorization
   (a register or invite, for example).  It provides the username
   in the message.

-  The server generates a random "nonce" (basically a big random
   number) and sends it back to the client... basically saying
   "Use this nonce, and your password, to prove who you are."

-  The client combines the nonce, and the password, and uses the
   combined data as input into a hashing function (I can't recall
   whether MD-5, SHA-1, or something more modern is used).  I
   *think* some of the other details of the original message are
   also included in the hash but don't recall for certain.

-  The client re-sends the original message, and includes its
   username, the nonce, and the hash.  It does not send the
   password at all.

-  The server makes sure that the nonce is the most recent
   one it sent, and that this is the first time the client has
   sent back that particular nonce.  Once that's certain, the
   server uses the nonce and its copy of the password to
   compute the hash, and compares this with the hash the client
   sent.

-  If the hashes match, the server "knows" that the client knows
   the correct password (to a very high degree of certainty) and
   it allows the command to proceed.  If they don't match, the
   client doesn't know the password, and the command is rejected.

The hash functions that are used, are ones which would make it
extremely difficult (months or years of computing time) to
figure out what the password is, by breaking the hash algorithm.

Of course, if a "weak" (short, guessable) password is used, it
can be broken by a dictionary attack or brute force - the hash
technique can't defend against this.



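Dave's outline above as a runnable model, added here as an example rather than code from the thread or from Asterisk itself. The details he was unsure of are the ones RFC 3261 inherits from RFC 2617 digest authentication: the hash is MD5, the realm is mixed into the password hash (HA1), and the request method and URI are hashed too (HA2), so a captured response cannot be reused for a different request. The sample extension, realm, password, registrar URI and the 60-second nonce lifetime are constructed values, and the server class is a deliberately small stand-in for a registrar; it shows the four-message REGISTER exchange, confirms the password never appears on the wire, and rejects a replayed or stale nonce the way the last bullets describe.

```python
import hashlib
import re
import secrets
import time

# Constructed sample credentials (hypothetical, not from the thread): the
# shared secret that both the phone and the Asterisk peer entry hold.
USERNAME = "6001"
REALM = "asterisk"
PASSWORD = "correct horse battery staple"
REGISTRAR_URI = "sip:pbx.example.invalid"


def md5_hex(data: str) -> str:
    """H() from RFC 2617: lowercase hex MD5 of the string."""
    return hashlib.md5(data.encode("utf-8")).hexdigest()


def digest_response(username, realm, password, method, uri, nonce):
    """Client-side computation for SIP digest auth (RFC 2617 without qop).
    The password enters only through HA1; HA2 binds the method and URI."""
    ha1 = md5_hex(f"{username}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{ha2}")


class DigestServer:
    """Registrar side (toy model): hands out nonces, verifies responses, and
    refuses a nonce that is unknown, stale, or already consumed (replay)."""

    def __init__(self, realm, credentials, nonce_ttl=60.0):
        self.realm = realm
        self.credentials = credentials  # username -> password
        self.nonce_ttl = nonce_ttl      # seconds a challenge stays valid
        self.outstanding = {}           # nonce -> time it was issued
        self.used = set()               # nonces that may never be accepted again

    def challenge(self, now=None):
        """Build the WWW-Authenticate value for a 401 with a fresh nonce."""
        nonce = secrets.token_hex(16)   # 128 random bits
        self.outstanding[nonce] = time.time() if now is None else now
        return f'Digest realm="{self.realm}", nonce="{nonce}", algorithm=MD5'

    def verify(self, auth, now=None):
        """auth: parsed Authorization fields. Returns (accepted, reason)."""
        now = time.time() if now is None else now
        nonce = auth["nonce"]
        if nonce in self.used:
            return False, "nonce already used"
        issued = self.outstanding.pop(nonce, None)
        if issued is None:
            return False, "unknown nonce"
        self.used.add(nonce)            # single use, whatever the outcome
        if now - issued > self.nonce_ttl:
            return False, "stale nonce"
        password = self.credentials.get(auth["username"])
        if password is None:
            return False, "unknown user"
        expected = digest_response(auth["username"], self.realm, password,
                                   auth["method"], auth["uri"], nonce)
        # Constant-time comparison of the client's response with ours.
        if not secrets.compare_digest(expected, auth["response"]):
            return False, "bad credentials"
        return True, "ok"


def register_exchange(server, username, password, now=0.0):
    """Run the four-message REGISTER exchange and return
    (accepted, authorization_fields, wire_messages)."""
    method = "REGISTER"
    wire = [f"{method} {REGISTRAR_URI} SIP/2.0 (no credentials)"]
    www_auth = server.challenge(now)
    wire.append(f"401 Unauthorized WWW-Authenticate: {www_auth}")
    nonce = re.search(r'nonce="([0-9a-f]+)"', www_auth).group(1)
    auth = {"username": username, "realm": server.realm, "nonce": nonce,
            "method": method, "uri": REGISTRAR_URI,
            "response": digest_response(username, server.realm, password,
                                        method, REGISTRAR_URI, nonce)}
    wire.append(f'{method} {REGISTRAR_URI} SIP/2.0 Authorization: Digest '
                f'username="{username}", realm="{server.realm}", nonce="{nonce}", '
                f'uri="{REGISTRAR_URI}", response="{auth["response"]}"')
    accepted, reason = server.verify(auth, now)
    wire.append("200 OK" if accepted else f"401 Unauthorized ({reason})")
    return accepted, auth, wire


if __name__ == "__main__":
    pbx = DigestServer(REALM, {USERNAME: PASSWORD})
    ok, auth, wire = register_exchange(pbx, USERNAME, PASSWORD)
    print("\n".join(wire))
    print("accepted:", ok, "| password on the wire:", any(PASSWORD in m for m in wire))
    print("replay of the same Authorization header:", pbx.verify(auth))
```

What the wire messages make visible is the trade-off the rest of the thread turns on: the username, realm, URI and nonce all travel in the clear, and the response is a plain MD5 over the password and those values, so anyone sniffing the exchange can test password guesses offline against it. That is why the nonce protects the password only as well as the password resists guessing, and why SIP over TLS is the answer when the signalling itself must be hidden.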


Re: [asterisk-users] Asterisk encrypted authentication for clients

2015-10-30 Thread Jeff LaCoursiere

On 10/29/2015 04:01 PM, Motty wrote:



On 10/29/2015 01:11 PM, Jeff LaCoursiere wrote:

On 10/28/2015 06:37 PM, Pete Mundy wrote:

Hi Motty,

Isn't the whole point of the nonce in a SIP registration to ensure 
the secret doesn't go on the wire in plain-text? Is this not enough, 
or are you looking to hide the username too?


(if so, fair 'nuf, just wondering why :)

Pete

Ps, if so then I think TLS is the missing part of your equation.

On 29/10/2015, at 11:54 AM, Motty wrote:


Hello,
I am searching for a solution to encrypt authentication from 
Asterisk server to clients. Searching srtp seems to encrypt traffic, 
I just want client authentication with encryption. Can someone 
point to the right direction? Has anybody used ZRTP? Experience 
with ZRTP?


Thanks,
_motty





You want SIP over TLS.  That encrypts the signalling.  SRTP and ZRTP 
encrypt the actual voice traffic.


Cheers,

j





Thanks Jeff,
I don't want SIP over TLS. I would like to encrypt password only, I 
suppose over TLS.


Thanks,
_motty


The password isn't sent - SIP auth involves a challenge/response with 
hashing (digest authentication).  If that's all you are interested in, 
you are already there.


Cheers,

j


Re: [asterisk-users] Asterisk encrypted authentication for clients

2015-10-30 Thread Motty
Thanks Jeff, just to confirm, passwords are not sent in plain text? I 
want to safeguard against man in the middle attacks, sniffing traffic of 
clients.


Thanks,
_motty

On 10/30/2015 07:37 AM, Jeff LaCoursiere wrote:

On 10/29/2015 04:01 PM, Motty wrote:



On 10/29/2015 01:11 PM, Jeff LaCoursiere wrote:

On 10/28/2015 06:37 PM, Pete Mundy wrote:

Hi Motty,

Isn't the whole point of the nonce in a SIP registration to ensure 
the secret doesn't go on the wire in plain-text? Is this not 
enough, or are you looking to hide the username too?


(if so, fair 'nuf, just wondering why :)

Pete

Ps, if so then I think TLS is the missing part of your equation.

On 29/10/2015, at 11:54 AM, Motty wrote:


Hello,
I am searching for a solution to encrypt authentication from 
Asterisk server to clients. Searching srtp seems to encrypt 
traffic, I just want client authentication with encryption. Can 
someone point to the right direction? Has anybody used ZRTP? 
Experience with ZRTP?


Thanks,
_motty





You want SIP over TLS.  That encrypts the signalling.  SRTP and ZRTP 
encrypt the actual voice traffic.


Cheers,

j





Thanks Jeff,
I don't want SIP over TLS. I would like to encrypt password only, I 
suppose over TLS.


Thanks,
_motty


The password isn't sent - SIP auth involves a challenge/response with 
hashing (digest authentication).  If that's all you are interested in, 
you are already there.


Cheers,

j






Re: [asterisk-users] Asterisk encrypted authentication for clients

2015-10-29 Thread Jeff LaCoursiere

On 10/28/2015 06:37 PM, Pete Mundy wrote:

Hi Motty,

Isn't the whole point of the nonce in a SIP registration to ensure the 
secret doesn't go on the wire in plain-text? Is this not enough, or 
are you looking to hide the username too?


(if so, fair 'nuf, just wondering why :)

Pete

Ps, if so then I think TLS is the missing part of your equation.

On 29/10/2015, at 11:54 AM, Motty wrote:



Hello,
I am searching for a solution to encrypt authentication from Asterisk 
server to clients. Searching srtp seems to encrypt traffic, I just 
want client authentication with encryption. Can someone point to the 
right direction? Has anybody used ZRTP? Experience with ZRTP?


Thanks,
_motty





You want SIP over TLS.  That encrypts the signalling.  SRTP and ZRTP 
encrypt the actual voice traffic.


Cheers,

j

Re: [asterisk-users] Asterisk encrypted authentication for clients

2015-10-29 Thread Motty

Thanks Jeff,
I don't want SIP over TLS. I would like to encrypt password only, I 
suppose over TLS.


Thanks,
_motty

On 10/29/2015 01:11 PM, Jeff LaCoursiere wrote:

On 10/28/2015 06:37 PM, Pete Mundy wrote:

Hi Motty,

Isn't the whole point of the nonce in a SIP registration to ensure 
the secret doesn't go on the wire in plain-text? Is this not enough, 
or are you looking to hide the username too?


(if so, fair 'nuf, just wondering why :)

Pete

Ps, if so then I think TLS is the missing part of your equation.

On 29/10/2015, at 11:54 AM, Motty wrote:



Hello,
I am searching for a solution to encrypt authentication from 
Asterisk server to clients. Searching srtp seems to encrypt traffic, 
I just want client authentication with encryption. Can someone point 
to the right direction? Has anybody used ZRTP? Experience with ZRTP?


Thanks,
_motty





You want SIP over TLS.  That encrypts the signalling.  SRTP and ZRTP 
encrypt the actual voice traffic.


Cheers,

j





Re: [asterisk-users] Asterisk encrypted authentication for clients

2015-10-29 Thread Ishfaq Malik
On 28 October 2015 at 22:54, Motty wrote:

> Hello,
> I am searching for a solution to encrypt authentication from Asterisk
> server to clients. Searching srtp seems to encrypt traffic, I just want
> client authentication with encryption. Can someone point to the right
> direction? Has anybody used ZRTP? Experience with ZRTP?
>
> Thanks,
> _motty
>
> --
> _
> -- Bandwidth and Colocation Provided by http://www.api-digital.com --
> New to Asterisk? Join us for a live introductory webinar every Thurs:
>   http://www.asterisk.org/hello
>
> asterisk-users mailing list
> To UNSUBSCRIBE or update options visit:
>   http://lists.digium.com/mailman/listinfo/asterisk-users
>

https://wiki.asterisk.org/wiki/display/AST/SIP+TLS+Transport

-- 

Ishfaq Malik
Department: VOIP Support
Company: Packnet Limited
t: +44 (0)161 660 2350
f: +44 (0)161 660 9825
e: i...@pack-net.co.uk
w: http://www.pack-net.co.uk

Registered Address: PACKNET LIMITED, Duplex 2, Ducie House
37 Ducie Street
Manchester, M1 2JW
COMPANY REG NO. 04920552

Re: [asterisk-users] Asterisk encrypted authentication for clients

2015-10-29 Thread jrees
Hello,

Thank you for your email. I am currently out of the office and will return on Tuesday 3rd November 2015.

Whilst I will periodically be checking my emails, your email has been forwarded to i...@gmlnt.com. If your query is urgent then please contact 01255 851 999 and press option 2 to speak to one of my colleagues.

Regards,

Jamie Rees
GML Networking Technologies




Re: [asterisk-users] Asterisk encrypted authentication for clients

2015-10-29 Thread Pete Mundy
Motty,

Isn't this why digest authentication (ie the nonce[1]) is part of the standard 
SIP auth handshake?

Ie, why do you think the password is not already encrypted?

Pete

[1] 
https://andrewjprokop.wordpress.com/2015/01/27/understanding-sip-authentication/
(paragraph starting 'Take a look at the Proxy-Authenticate header and you will 
see a Nonce parameter')


On 30/10/2015, at 10:01 AM, Motty wrote:

> Thanks Jeff, 
> I don't want SIP over TLS. I would like to encrypt password only, I suppose 
> over TLS.
> 
> On 10/29/2015 01:11 PM, Jeff LaCoursiere wrote:
>> You want SIP over TLS.  That encrypts the signalling.  SRTP and ZRTP encrypt 
>> the actual voice traffic.



[asterisk-users] Asterisk encrypted authentication for clients

2015-10-28 Thread Motty

Hello,
I am searching for a solution to encrypt authentication from Asterisk 
server to clients. Searching srtp seems to encrypt traffic, I just want 
client authentication with encryption. Can someone point to the right 
direction? Has anybody used ZRTP? Experience with ZRTP?


Thanks,
_motty



Re: [asterisk-users] Asterisk encrypted authentication for clients

2015-10-28 Thread Pete Mundy
Hi Motty,

Isn't the whole point of the nonce in a SIP registration to ensure the secret 
doesn't go on the wire in plain-text? Is this not enough, or are you looking to 
hide the username too?

(if so, fair 'nuf, just wondering why :)

Pete

Ps, if so then I think TLS is the missing part of your equation.

On 29/10/2015, at 11:54 AM, Motty wrote:

> Hello,
> I am searching for a solution to encrypt authentication from Asterisk server 
> to clients. Searching srtp seems to encrypt traffic, I just want client 
> authentication with encryption. Can someone point to the right direction? Has 
> anybody used ZRTP? Experience with ZRTP?
> 
> Thanks,
> _motty