[Asterisk-Dev] AES voice encryption for IAX2
Duane
digium at aus-biz.com
Mon Apr 19 17:02:49 MST 2004
Adam Hart wrote:
> And how exactly is asterisk meant to know which user it should
> authenticating against? My model solves the problem of not using public
> key cryptography by exploiting the fact that both parties already have a
> secret.. the password. If you don't know the username, you won't know
> the password.
You can also skip the password bit and use ADH (I think that's the right
acronym, way too many TLAs), it makes it possible to have encryption
without PKI and without passwords, obviously increases the risk to MitM
attacks but this is all a matter of perspectives. If you are calling
your neighbour to come over for a BBQ, you don't care if someone listens
in really but having the comms channel encrypted in this simplistic
manner prevents passive packet sniffing.
Passwords aren't very secure and people write them on their monitors...
PKI solution is obviously better security, but to simplify things, what
if the situation was dealt with similar to that of HTTPS, where the
server requires the certificate but the clients don't... More than
likely there will still be a need for client authentication, although
with a PKI solution you could use client certificates to authenticate
instead of passwords as is the current practice...
> Of course, we should be using public key crypto when possible, but we
> also need to cater for situations without.
This goes without saying, but in the cases that aren't deemed to need
PKI, are passwords really the better option?
--
Best regards,
Duane
http://www.cacert.org - Free Security Certificates
http://www.nodedb.com - Think globally, network locally
http://www.sydneywireless.com - Telecommunications Freedom
http://happysnapper.com.au - Sell your photos over the net!
http://e164.org - Using Enum.164 to interconnect asterisk servers
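
The trade-off discussed in this message, as an added example that is not part of the original post or of Asterisk/IAX2: an unauthenticated Diffie-Hellman exchange (the ADH idea) gives both ends a key that a passive sniffer cannot derive from the public values, but an active relay can substitute its own value, and a MAC keyed with the password both ends already hold exposes that substitution. The toy group, the function names and the transcript-MAC construction are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Toy group, an assumption for illustration: p = 2**255 - 19 is prime, g = 2.
# Real deployments use a standardized DH group or ECDH.
P = 2**255 - 19
G = 2

def keypair():
    priv = secrets.randbelow(P - 3) + 2      # private exponent in [2, P-2]
    return priv, pow(G, priv, P)

def session_key(priv, peer_pub):
    shared = pow(peer_pub, priv, P)
    return hashlib.sha256(shared.to_bytes(32, "big")).digest()

def transcript_tag(password, caller_pub, callee_pub):
    # HMAC over the public values a side believes were exchanged, keyed by the
    # password both ends already hold. Sketch only: a tag like this can be
    # guessed against offline, which a real PAKE avoids.
    msg = caller_pub.to_bytes(32, "big") + callee_pub.to_bytes(32, "big")
    return hmac.new(password, msg, hashlib.sha256).digest()

def exchange(password, interposer=False):
    """Simulate one call setup; returns (keys_match, tags_match, relay_knows_key)."""
    a_priv, a_pub = keypair()                # caller
    b_priv, b_pub = keypair()                # callee
    seen_by_b, seen_by_a = a_pub, b_pub      # honest network: values arrive intact
    relay_knows_key = False
    if interposer:
        m_priv, m_pub = keypair()            # active relay swaps in its own value
        seen_by_b = seen_by_a = m_pub
        relay_knows_key = session_key(m_priv, a_pub) == session_key(a_priv, m_pub)
    k_a = session_key(a_priv, seen_by_a)
    k_b = session_key(b_priv, seen_by_b)
    tag_a = transcript_tag(password, a_pub, seen_by_a)
    tag_b = transcript_tag(password, seen_by_b, b_pub)
    return k_a == k_b, hmac.compare_digest(tag_a, tag_b), relay_knows_key
```

Without the tag comparison, neither end in the interposed case has any signal that its key is shared with the relay rather than with the other party.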