On Mon, Feb 9, 2009 at 9:28 PM, Kevin P. Fleming <kpflem...@digium.com> wrote:

> Chris Rowson wrote:
>
> > Am I right in thinking that all passwords sent across the network in
> > Asterisk are MD5 encrypted without me having to specifically set
> > anything up to make it happen?
>
> The simple answer is 'yes', the correct answer is 'no' :-)
>
> MD5 is not encryption, it is a digest (hash) function.
>
> What happens in SIP (and HTTP basic auth) is that the shared secret (the
> password) is run through a supposedly secure digest function (MD5),
> along with a shared non-secret value (the nonce). The result of this
> digest function is then sent to the other party, which does the same
> calculation and compares the result. If the result matches, then the
> shared secret must have been the same.
>
> So, since your goal is to avoid the secret being sent unprotected, that
> is the case; the password is *never* sent across the wire, even when
> encryption is in use (SIP over TLS, for example).
>
> --
> Kevin P. Fleming
> Digium, Inc. | Director of Software Technologies
> 445 Jan Davis Drive NW - Huntsville, AL 35806 - USA
> skype: kpfleming | jabber: kpflem...@digium.com
> Check us out at www.digium.com & www.asterisk.org
>

Thanks for taking the time to write such a comprehensive answer Kevin!

Cheers

Chris
asterisk-users mailing list
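The challenge/response calculation described in the quoted reply, written out for both sides as an added example (not part of the thread and not Asterisk's code). It assumes the RFC 2617 digest form without `qop`; the `Registrar` class, its single-use nonce policy and all sample values are constructed for illustration.

```python
import hashlib
import hmac
import secrets


def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def digest_response(user, realm, password, method, uri, nonce):
    """RFC 2617 response without qop: MD5(HA1:nonce:HA2)."""
    ha1 = md5_hex(f"{user}:{realm}:{password}")  # built from the secret, never transmitted
    ha2 = md5_hex(f"{method}:{uri}")             # built from public request fields
    return md5_hex(f"{ha1}:{nonce}:{ha2}")


class Registrar:
    """Hypothetical server side: issues nonces and checks responses."""

    def __init__(self, realm, secrets_by_user):
        self.realm = realm
        self.secrets_by_user = secrets_by_user
        self.outstanding = set()

    def challenge(self):
        nonce = secrets.token_hex(16)            # unpredictable, non-secret value
        self.outstanding.add(nonce)
        return nonce

    def verify(self, user, method, uri, nonce, response):
        if nonce not in self.outstanding or user not in self.secrets_by_user:
            return False
        self.outstanding.discard(nonce)          # assumption: single use, so a replay fails
        expected = digest_response(user, self.realm, self.secrets_by_user[user],
                                   method, uri, nonce)
        return hmac.compare_digest(expected, response)  # constant-time comparison


def demo():
    # Constructed sample account and URI, not taken from the thread.
    server = Registrar("asterisk", {"chris": "s3cret-example"})
    uri = "sip:pbx.example.org"
    nonce = server.challenge()
    resp = digest_response("chris", "asterisk", "s3cret-example", "REGISTER", uri, nonce)
    wire = (f'Authorization: Digest username="chris", realm="asterisk", '
            f'nonce="{nonce}", uri="{uri}", response="{resp}"')
    first = server.verify("chris", "REGISTER", uri, nonce, resp)
    replay = server.verify("chris", "REGISTER", uri, nonce, resp)
    return wire, first, replay
```

`demo()` returns the header that would cross the network plus the two verification results: the first check succeeds, and the same response replayed against the spent nonce is rejected.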