[asterisk-biz] PBX got Hacked
Olle E. Johansson
oej at edvina.net
Thu Mar 12 03:38:39 CDT 2009
On 11 Mar 2009, at 20:31, Trixter aka Bret McDanel wrote:
> On Wed, 2009-03-11 at 15:13 -0400, Andrew M. Lauppe wrote:
>>> Despite all the arguments on other things we could do, why not
>>> increase
>>> the level of security in Asterisk if there is a possibility to do
>>> so?
>>>
>> Bottom line here, I think, is that the security holes aren't just in
>> Asterisk, they're in SIP, and Asterisk has to support SIP. It is SIP
>> that passes the usernames/passwords in plaintext. If SIP supported a
>> more secure authentication scheme, Asterisk would support it.
>>
>
> sip does do more secure auth, TLS, but it's not supported in asterisk
> because it requires TCP (RFC requires tcp support anyway, yet asterisk
> does not officially do that either).
>
> And passwords are NOT in plaintext.
>
> The username, nonce, and what you are doing (REGISTER for example) are
> all cleartext, but the password is not. The nonce is a short duration
> disposable number to prevent replay attacks.
To clarify: The password is never sent over the wire. It's a
challenge-response authentication mechanism that sends an MD5 digest of
a combination of data sent in clear text and a shared secret that is
not sent at all ("password").
I see two other alternatives:
- TLS authentication. This requires a lot of certificate/key pair
management.
- Stronger challenge-response by moving away from MD5 to SHAxxx.
/O
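The challenge-response scheme described in the message above, worked through as an added example (this is not code from the thread or from Asterisk): the client hashes username, realm and the shared secret into HA1, then hashes that together with the server's nonce and the method/URI into the response that actually travels in the Authorization header. The credentials, realm and URI are constructed sample values; the registrar class and its one-shot nonce tracking are an assumption added to show why the nonce matters for replay, and the `algo` parameter lets the same computation run with SHA-256 (the direction the message points to; RFC 8760 adds SHA-256 to SIP digest) instead of MD5.

```python
import hashlib
import secrets

# Constructed sample values for the demonstration (not real accounts or hosts).
USERNAME = "1001"
REALM = "asterisk"
PASSWORD = "example-secret"
METHOD = "REGISTER"
URI = "sip:pbx.example.invalid"


def _h(algo, data):
    """Hex digest of a string under the chosen hash (md5 per RFC 2617, sha-256 per RFC 8760)."""
    return hashlib.new(algo, data.encode()).hexdigest()


def ha1(username, realm, password, algo="md5"):
    """H(username:realm:password). This is the only secret-derived value the
    server needs to store; Asterisk's sip.conf md5secret is this MD5 form."""
    return _h(algo, f"{username}:{realm}:{password}")


def digest_response(ha1_value, method, uri, nonce, algo="md5"):
    """response = H(HA1 : nonce : H(method:uri)), the RFC 2617 form without qop.
    Everything except HA1 is sent in clear text; the password itself never is."""
    ha2 = _h(algo, f"{method}:{uri}")
    return _h(algo, f"{ha1_value}:{nonce}:{ha2}")


class DigestServer:
    """Toy registrar side (assumed design): issues one-shot nonces and verifies responses."""

    def __init__(self, algo="md5"):
        self.algo = algo
        self.ha1_by_user = {}
        self.live_nonces = set()

    def add_user(self, username, realm, password):
        # Store HA1 rather than the password, as md5secret does.
        self.ha1_by_user[username] = ha1(username, realm, password, self.algo)

    def challenge(self):
        # Fresh random nonce, carried to the client in the 401 WWW-Authenticate header.
        nonce = secrets.token_hex(16)
        self.live_nonces.add(nonce)
        return nonce

    def verify(self, username, method, uri, nonce, response):
        if nonce not in self.live_nonces:
            return False  # unknown or already consumed nonce: treat as replay
        self.live_nonces.discard(nonce)  # each nonce is accepted once
        stored = self.ha1_by_user.get(username)
        if stored is None:
            return False
        expected = digest_response(stored, method, uri, nonce, self.algo)
        return secrets.compare_digest(expected, response)


def demo(algo="md5", password=PASSWORD):
    """One REGISTER exchange followed by a replay of the identical response.
    Returns (first_accepted, replay_accepted, authorization_header_on_the_wire)."""
    server = DigestServer(algo)
    server.add_user(USERNAME, REALM, PASSWORD)
    nonce = server.challenge()
    client_ha1 = ha1(USERNAME, REALM, password, algo)  # client side uses its own copy of the secret
    response = digest_response(client_ha1, METHOD, URI, nonce, algo)
    wire = (f'Authorization: Digest username="{USERNAME}", realm="{REALM}", '
            f'nonce="{nonce}", uri="{URI}", response="{response}"')
    first = server.verify(USERNAME, METHOD, URI, nonce, response)
    replay = server.verify(USERNAME, METHOD, URI, nonce, response)
    return first, replay, wire


if __name__ == "__main__":
    ok, replayed, header = demo()
    print(header)
    print("accepted:", ok, "| replay accepted:", replayed)
```

Running `demo()` shows the password string is absent from the header while the nonce and username are visible, and that the same response is rejected the second time because the nonce was consumed. Switching `algo="sha256"` changes only the hash; the protocol shape stays the same, which is why the move to SHA-2 is a small change for implementations. The scheme still depends on the secret's strength: HA1 is a fixed function of username, realm and password, so a weak password remains the weak point even though it is never transmitted.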