On Wed, 2009-03-11 at 15:13 -0400, Andrew M. Lauppe wrote:
> > Despite all the arguments on other things we could do, why not increase
> > the level of security in Asterisk if there is a possibility to do so?
>
> Bottom line here, I think, is that the security holes aren't just in
> Asterisk, they're in SIP, and Asterisk has to support SIP. It is SIP
> that passes the usernames/passwords in plaintext. If SIP supported a
> more secure authentication scheme, Asterisk would support it.
>
SIP does do more secure auth, TLS, but it's not supported in Asterisk because it requires TCP (the RFC requires TCP support anyway, yet Asterisk does not officially do that either). And passwords are NOT in plaintext. The username, nonce, and what you are doing (REGISTER for example) are all cleartext, but the password is not. The nonce is a short-duration disposable number to prevent replay attacks.

You can generate the hashes on the command line if you have md5sum installed:

    echo -n "username:sip.proxy.com:password" | md5sum    [H1]
    echo -n "REGISTER:sip:sip.proxy.com" | md5sum         [H2]
    410af6915afa5485f59c31f118a90440e16f9f92             [nonce]

    [H1:nonce:H2]
    echo -n 02d0a5e971ca6406d490ab960f26acb7:410af6915afa5485f59c31f118a90440e16f9f92:a498bb31fc00ac6243518fbc4d749a64 | md5sum

    hash that is sent: 871117dbfca535464e3efd76fbc94e81

It works just as well for INVITE or other things that require auth.

> Of course, that said, SIPS exists... I do believe Digium is working on
> SIPS support, no?

There have been TLS forks for a while; getting them merged into trunk seems to be where the hold-up is.

-- 
Trixter http://www.0xdecafbad.com
Bret McDanel
pgp key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x8AE5C721
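The three md5sum steps above are the client side of SIP digest authentication (RFC 2617 style, no qop). The following is an added example, not code from the thread or from Asterisk: it recomputes the same H1 / H2 / response chain in Python so the output can be compared with the md5sum pipeline, and pairs it with a hypothetical registrar-side verifier that stores H1 instead of the cleartext password, issues random single-use nonces with a lifetime, and rejects a replayed or expired nonce. The realm, username and the nonce value are taken from the thread; the `DigestVerifier` class, the 30-second lifetime and the fixed clock values are assumptions for the demonstration.

```python
import hashlib
import hmac
import secrets

# Values from the thread's md5sum walkthrough; the nonce is reused here as a sample.
REALM = "sip.proxy.com"
NONCE_FROM_THREAD = "410af6915afa5485f59c31f118a90440e16f9f92"


def md5_hex(s: str) -> str:
    """Hex MD5 of a string, the same thing `echo -n ... | md5sum` prints."""
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def digest_response(username, realm, password, method, uri, nonce):
    """Client-side digest response, matching the thread's three md5sum steps."""
    h1 = md5_hex(f"{username}:{realm}:{password}")  # H1 = MD5(user:realm:password)
    h2 = md5_hex(f"{method}:{uri}")                 # H2 = MD5(method:uri)
    return md5_hex(f"{h1}:{nonce}:{h2}")            # response = MD5(H1:nonce:H2)


class DigestVerifier:
    """Hypothetical registrar-side check (assumption: not Asterisk's own code).

    Keeps only H1 per user, so the cleartext password never sits on the server,
    and treats every nonce as single-use with a lifetime, which is what makes a
    captured REGISTER useless for replay.
    """

    def __init__(self, realm, nonce_ttl_seconds=30):
        self.realm = realm
        self.nonce_ttl = nonce_ttl_seconds
        self._h1_by_user = {}  # username -> H1
        self._nonces = {}      # nonce -> time issued (seconds)

    def add_user(self, username, password):
        self._h1_by_user[username] = md5_hex(f"{username}:{self.realm}:{password}")

    def issue_nonce(self, now):
        nonce = secrets.token_hex(16)
        self._nonces[nonce] = now
        return nonce

    def verify(self, username, method, uri, nonce, response, now):
        # Consume the nonce whether or not the response checks out: a failed
        # attempt gets a fresh challenge, never a second try on the same nonce.
        issued_at = self._nonces.pop(nonce, None)
        if issued_at is None or now - issued_at > self.nonce_ttl:
            return False
        h1 = self._h1_by_user.get(username)
        if h1 is None:
            return False
        h2 = md5_hex(f"{method}:{uri}")
        expected = md5_hex(f"{h1}:{nonce}:{h2}")
        return hmac.compare_digest(expected, response)


def thread_example():
    """Recomputes (H1, H2, response) for the thread's REGISTER example."""
    h1 = md5_hex("username:sip.proxy.com:password")
    h2 = md5_hex("REGISTER:sip:sip.proxy.com")
    resp = digest_response("username", REALM, "password", "REGISTER",
                           "sip:sip.proxy.com", NONCE_FROM_THREAD)
    return h1, h2, resp


def replay_demo():
    """One valid REGISTER, then a replay, a wrong password and an expired nonce.

    Returns (first_ok, replay_ok, wrong_password_ok, expired_ok).
    """
    v = DigestVerifier(REALM, nonce_ttl_seconds=30)
    v.add_user("username", "password")
    uri = "sip:" + REALM

    nonce = v.issue_nonce(now=1000)
    resp = digest_response("username", REALM, "password", "REGISTER", uri, nonce)
    first = v.verify("username", "REGISTER", uri, nonce, resp, now=1005)
    replay = v.verify("username", "REGISTER", uri, nonce, resp, now=1006)

    nonce2 = v.issue_nonce(now=1000)
    bad = digest_response("username", REALM, "wrong", "REGISTER", uri, nonce2)
    wrong_pw = v.verify("username", "REGISTER", uri, nonce2, bad, now=1005)

    nonce3 = v.issue_nonce(now=1000)
    resp3 = digest_response("username", REALM, "password", "REGISTER", uri, nonce3)
    expired = v.verify("username", "REGISTER", uri, nonce3, resp3, now=1031)

    return first, replay, wrong_pw, expired


if __name__ == "__main__":
    h1, h2, resp = thread_example()
    print("H1:", h1)
    print("H2:", h2)
    print("hash that is sent:", resp)
    print("valid, replay, wrong password, expired:", replay_demo())
```

Running the script prints the same three values the md5sum commands produce for the thread's inputs, followed by `(True, False, False, False)`: the first REGISTER is accepted, the byte-for-byte replay of it is refused because its nonce has been consumed, a wrong password fails, and a response arriving after the nonce lifetime is rejected even though it was computed correctly. Storing H1 rather than the password is the usual trade-off with digest: the server never needs the cleartext, but H1 is realm-bound and must be protected like a password equivalent.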
asterisk-biz mailing list: http://lists.digium.com/mailman/listinfo/asterisk-biz