[Asterisk-Dev] Wish List / Brain Storm from AstriCon
Michael Sandee
ms at zeelandnet.nl
Thu Sep 30 14:20:47 MST 2004
Replay attack?
A (pseudo) random challenge is generated (supposedly), so that should
remove the possibility for a replay attack (assuming the same challenge
will not be generated again in any feasible time period, but that is not
really convenient).
The easiest way to "circumvent" this protection is either hijacking the
connection after a successful authentication by another party, which is
common for all clear text (unencrypted) protocols. Or to do an offline
crack of the password... (assuming you were able to obtain both the
challenge and the response)... which can be done quite efficiently, and
even more efficiently with the recently found flaws (in theory).
Jeremy McNamara wrote:
> Benjamin on Asterisk Mailing Lists wrote:
>
>> On Tue, 28 Sep 2004 13:56:11 -0500, Steven Sokol
>> <ssokol at sokol-associates.com> wrote:
>>
>>> == Managing Asterisk - Manager API, XML Web Services, Etc. ==
>>>
>>
>>
>> What about MD5 authentication for Manager logins on port 5038 ???
>>
>> This is something that has been raised many times before.
>
> You can use an md5 challenge on manager. still subject to the replay
> attack, but still a bit more secure than plain text.
>
>
> Jeremy McNamara
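The replay point discussed above, as an added example that is not code from this thread or from Asterisk: a minimal model of the manager's MD5 challenge/response login, showing that a key captured from one session only logs a second session in when the server hands out the same challenge again. It assumes Asterisk's key derivation (hex MD5 of the challenge followed by the secret); the secret, session ids and challenge format are constructed for the example.

```python
import hashlib
import hmac
import secrets

# Constructed example secret; not a value from the thread.
MANAGER_SECRET = "example-secret"


def manager_key(challenge: str, secret: str) -> str:
    """Manager 'AuthType: MD5' key: hex MD5 of the challenge followed by the secret."""
    return hashlib.md5((challenge + secret).encode()).hexdigest()


class ManagerAuth:
    """Server side of the challenge/response login, reduced to the replay-relevant parts."""

    def __init__(self, secret: str, reuse_challenges: bool = False):
        self.secret = secret
        self.reuse_challenges = reuse_challenges  # weak mode: re-issue an old challenge
        self.pending = {}                         # session id -> challenge awaiting Login
        self.issued = []                          # every challenge handed out so far

    def challenge(self, session: str) -> str:
        """Action: Challenge. A fresh random challenge makes any captured key single-use."""
        if self.reuse_challenges and self.issued:
            chal = self.issued[0]
        else:
            chal = secrets.token_hex(16)  # challenge format is an assumption
            self.issued.append(chal)
        self.pending[session] = chal
        return chal

    def login(self, session: str, key: str) -> bool:
        """Action: Login. The pending challenge is consumed whether or not the key is valid."""
        chal = self.pending.pop(session, None)
        if chal is None:
            return False
        return hmac.compare_digest(key, manager_key(chal, self.secret))


def replay_succeeds(reuse_challenges: bool) -> bool:
    """Does a key observed in one clear-text session authenticate a second session?"""
    server = ManagerAuth(MANAGER_SECRET, reuse_challenges)
    # Legitimate client: both the challenge and the key cross the wire unencrypted.
    captured_chal = server.challenge("client")
    captured_key = manager_key(captured_chal, MANAGER_SECRET)
    assert server.login("client", captured_key)
    # Second session presents the captured key against whatever challenge it receives.
    server.challenge("replayer")
    return server.login("replayer", captured_key)
```

With fresh challenges the captured key is useless to the second session; the remaining exposure is the clear-text secret in an offline guess against the captured pair, which a challenge cannot prevent.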