[asterisk-users] SIP password encryption

Kevin P. Fleming kpfleming at digium.com
Mon Feb 9 15:28:46 CST 2009


Chris Rowson wrote:

> Am I right in thinking that all passwords sent across the network in
> Asterisk are MD5 encrypted without me having to specifically set
> anything up to make it happen?

The simple answer is 'yes', the correct answer is 'no' :-)

MD5 is not encryption, it is a digest (hash) function.

What happens in SIP (and HTTP basic auth) is that the shared secret (the
password) is run through a supposedly secure digest function (MD5),
along with a shared non-secret value (the nonce). The result of this
digest function is then sent to the other party, which does the same
calculation and compares the result. If the result matches, then the
shared secret must have been the same.

So, since your goal is to avoid the secret being sent unprotected, that
is the case; the password is *never* sent across the wire, even when
encryption is in use (SIP over TLS, for example).

-- 
Kevin P. Fleming
Digium, Inc. | Director of Software Technologies
445 Jan Davis Drive NW - Huntsville, AL 35806 - USA
skype: kpfleming | jabber: kpfleming at digium.com
Check us out at www.digium.com & www.asterisk.org
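
The challenge/response calculation described above, as an added example that is not part of the original post and is not Asterisk's own code. It follows the RFC 2617 digest form without qop; the function names, user, realm, secret and URI are constructed for illustration.

```python
import hashlib
import hmac
import secrets


def md5_hex(text):
    return hashlib.md5(text.encode()).hexdigest()


def digest_response(user, realm, password, method, uri, nonce):
    """RFC 2617 response without qop: MD5(HA1:nonce:HA2)."""
    ha1 = md5_hex(f"{user}:{realm}:{password}")  # depends on the shared secret
    ha2 = md5_hex(f"{method}:{uri}")             # binds the request method and URI
    return md5_hex(f"{ha1}:{nonce}:{ha2}")


def new_challenge(realm):
    """Server side: a fresh, unpredictable nonce for each challenge."""
    return {"realm": realm, "nonce": secrets.token_hex(16)}


def client_authorization(user, password, method, uri, challenge):
    """Client side: these fields are what actually cross the wire."""
    realm, nonce = challenge["realm"], challenge["nonce"]
    return {
        "username": user, "realm": realm, "nonce": nonce, "uri": uri,
        "response": digest_response(user, realm, password, method, uri, nonce),
    }


def server_verify(auth, method, issued_nonce, secrets_by_user):
    """Server side: repeat the calculation and compare in constant time."""
    password = secrets_by_user.get(auth["username"])
    if password is None or auth["nonce"] != issued_nonce:
        return False  # unknown user, or a response built for another challenge
    expected = digest_response(auth["username"], auth["realm"], password,
                               method, auth["uri"], auth["nonce"])
    return hmac.compare_digest(expected, auth["response"])


# Constructed sample account, not taken from any real configuration.
USERS = {"1001": "s3cret-constructed"}

if __name__ == "__main__":
    ch = new_challenge("asterisk")
    auth = client_authorization("1001", USERS["1001"], "REGISTER",
                                "sip:pbx.example.com", ch)
    print(auth)  # the secret itself does not appear in any field
    print(server_verify(auth, "REGISTER", ch["nonce"], USERS))
```

Because the nonce is part of the digest, a response captured from one challenge does not verify against a later one. The secret's strength still matters, since everything except the secret is visible on the wire.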


