[asterisk-users] SIP password encryption

Chris Rowson christopherrowson at gmail.com
Mon Feb 9 15:46:04 CST 2009


On Mon, Feb 9, 2009 at 9:28 PM, Kevin P. Fleming <kpfleming at digium.com> wrote:

> Chris Rowson wrote:
>
> > Am I right in thinking that all passwords sent across the network in
> > Asterisk are MD5 encrypted without me having to specifically set
> > anything up to make it happen?
>
> The simple answer is 'yes', the correct answer is 'no' :-)
>
> MD5 is not encryption, it is a digest (hash) function.
>
> What happens in SIP (and HTTP basic auth) is that the shared secret (the
> password) is run through a supposedly secure digest function (MD5),
> along with a shared non-secret value (the nonce). The result of this
> digest function is then sent to the other party, which does the same
> calculation and compares the result. If the result matches, then the
> shared secret must have been the same.
>
> So, since your goal is to avoid the secret being sent unprotected, that
> is the case; the password is *never* sent across the wire, even when
> encryption is in use (SIP over TLS, for example).
>
> --
> Kevin P. Fleming
> Digium, Inc. | Director of Software Technologies
> 445 Jan Davis Drive NW - Huntsville, AL 35806 - USA
> skype: kpfleming | jabber: kpfleming at digium.com
> Check us out at www.digium.com & www.asterisk.org
>
Thanks for taking the time to write such a comprehensive answer, Kevin!

Cheers

Chris
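
The challenge-response exchange described in the quoted reply, as an added example that is not part of the original thread or Asterisk's own code. It follows the RFC 2617 digest calculation without qop; the realm, extension, password, URI and function names are constructed for illustration.

```python
import hashlib
import hmac
import re
import secrets

REALM = "asterisk"  # constructed sample realm (assumption, not from the thread)

def md5_hex(text):
    return hashlib.md5(text.encode()).hexdigest()

def digest_response(user, realm, password, method, uri, nonce):
    # RFC 2617 without qop: response = MD5(HA1:nonce:HA2)
    ha1 = md5_hex(f"{user}:{realm}:{password}")  # the shared secret only enters here
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{ha2}")

def parse_digest(header):
    # Turn 'Digest k="v", k2=v2' into a dict of parameters.
    scheme, _, params = header.partition(" ")
    if scheme.lower() != "digest":
        raise ValueError("not a Digest header")
    pairs = re.findall(r'(\w+)=("[^"]*"|[^,\s]+)', params)
    return {key: value.strip('"') for key, value in pairs}

def new_challenge():
    # Server side: a fresh, unpredictable nonce for each challenge.
    nonce = secrets.token_hex(16)
    return nonce, f'Digest realm="{REALM}", nonce="{nonce}"'

def client_authorization(user, password, method, uri, challenge):
    # Client side: only the digest goes into the header, never the password.
    c = parse_digest(challenge)
    resp = digest_response(user, c["realm"], password, method, uri, c["nonce"])
    return (f'Digest username="{user}", realm="{c["realm"]}", '
            f'nonce="{c["nonce"]}", uri="{uri}", response="{resp}"')

def server_verify(authorization, method, secrets_db, issued_nonce):
    # Server side: repeat the calculation with its own copy of the secret.
    a = parse_digest(authorization)
    password = secrets_db.get(a.get("username"))
    if password is None or a.get("nonce") != issued_nonce:
        return False  # unknown user, or a nonce this server did not issue
    if a.get("realm") != REALM or "uri" not in a or "response" not in a:
        return False
    expected = digest_response(a["username"], REALM, password,
                               method, a["uri"], issued_nonce)
    # Constant-time comparison of the two digests.
    return hmac.compare_digest(expected.encode(), a["response"].encode())
```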