Chris Rowson wrote:
> Am I right in thinking that all passwords sent across the network in
> Asterisk are MD5 encrypted without me having to specifically set
> anything up to make it happen?

The simple answer is 'yes', the correct answer is 'no' :-)

MD5 is not encryption, it is a digest (hash) function. What happens in SIP (and HTTP basic auth) is that the shared secret (the password) is run through a supposedly secure digest function (MD5), along with a shared non-secret value (the nonce). The result of this digest function is then sent to the other party, which does the same calculation and compares the result. If the result matches, then the shared secret must have been the same.

So, since your goal is to avoid the secret being sent unprotected, that is the case; the password is *never* sent across the wire, even when encryption is in use (SIP over TLS, for example).

--
Kevin P. Fleming
Digium, Inc. | Director of Software Technologies
445 Jan Davis Drive NW - Huntsville, AL 35806 - USA
skype: kpfleming | jabber: kpflem...@digium.com
Check us out at www.digium.com & www.asterisk.org
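
The challenge/response calculation described in the reply above, as an added example that is not part of the original thread and is not Asterisk's code. It uses the RFC 2617 digest response without the optional qop parameter; the function names are hypothetical, and the extension, realm, secret and URI are constructed sample values.

```python
import hashlib
import hmac
import secrets


def md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def digest_response(username, realm, password, method, uri, nonce):
    """RFC 2617 response (no qop): MD5(HA1:nonce:HA2)."""
    ha1 = md5_hex(f"{username}:{realm}:{password}")  # covers the shared secret
    ha2 = md5_hex(f"{method}:{uri}")                 # covers the request itself
    return md5_hex(f"{ha1}:{nonce}:{ha2}")


def server_challenge(realm):
    """Server side: issue a fresh, non-secret nonce with the 401 challenge."""
    return {"realm": realm, "nonce": secrets.token_hex(16)}


def client_answer(challenge, username, password, method, uri):
    """Client side: the fields that go on the wire. No password among them."""
    return {
        "username": username,
        "realm": challenge["realm"],
        "nonce": challenge["nonce"],
        "uri": uri,
        "response": digest_response(username, challenge["realm"], password,
                                    method, uri, challenge["nonce"]),
    }


def server_verify(challenge, answer, secrets_db, method):
    """Server side: repeat the calculation with the stored secret and compare."""
    if answer["nonce"] != challenge["nonce"]:
        return False  # response was computed for a different challenge
    stored = secrets_db.get(answer["username"])
    if stored is None:
        return False
    expected = digest_response(answer["username"], challenge["realm"], stored,
                               method, answer["uri"], challenge["nonce"])
    return hmac.compare_digest(expected, answer["response"])


if __name__ == "__main__":
    db = {"6001": "s3cret-constructed"}  # constructed sample credentials
    ch = server_challenge("asterisk")
    ans = client_answer(ch, "6001", "s3cret-constructed", "REGISTER",
                        "sip:pbx.example.com")
    print(ans)
    print("accepted:", server_verify(ch, ans, db, "REGISTER"))
```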