[Asterisk-Users] Q. on key sniffing/spoofing
Matt Lawson
matt at 1control.com
Fri Sep 12 06:56:09 MST 2003
Hi everyone,

I'd like to set up the RSA keys for the IAX registration, but have a
couple of Q's. I have the manual and can follow the instructions, but I
want to understand the limitations.

First, understand there will be a central Asterisk (which has the
private key?) and several remote Asterisks (which are as automated as
possible, and each have the same public key?). We don't want the remote
Asterisks to be able to spoof each other.

1. Do I have to type in the same "PEM passphrase" on both the central
(at our office) and the remote Asterisk? Or can the remote one just do
"init keys" or "asterisk -i" without needing anything else? I
understand the key has to be copied over there.

2. What's to stop someone from sniffing and spoofing the data coming
from a remote Asterisk just as easily as a plaintext password? Could
Joe Blow set up an Asterisk at his house, and give it the same public
key, and it would register as whichever one he wanted (assuming he could
guess an installation name)?

3. What information is actually contained in the encrypted message from
the remote Asterisk?

Is the solution to create a separate key pair for each remote system, so
that no two systems have the same public key? I'm assuming Asterisk can
handle different keys from each one.

Thanks,
Matt