[asterisk-users] SIP security: username and password

Sherwood McGowan sherwood.mcgowan at gmail.com
Thu May 5 07:19:32 CDT 2011


Thanks Alex for clearing up the bit about the NONCE, that's what I was
trying to remember when I said CallID :)

Good explanation by the way! :)

On Thu, May 5, 2011 at 7:17 AM, Alex Balashov <abalashov at evaristesys.com>wrote:

> Bilal,
>
>
> On 05/05/2011 08:08 AM, bilal ghayyad wrote:
>
>> When the endpoint registers on Asterisk or initiates a call, they
>> exchange the SIP username and password. What is the possibility that
>> this will be captured by a hacker, and how to avoid this problem?
>>
>
> Strictly speaking, there is no inherent connection between either
> registration or call initiation on the one hand, and authentication. Both of
> those scenarios can be performed in an authentication-free fashion.  In
> fact, in most cases the SIP UAC will first attempt to send both a REGISTER
> and an INVITE request without any authentication credentials.
>
> However, it is typical of a SIP UAS providing retail services to the public
> at large to reply to those requests with a 401 or 407 proxy challenge
> requesting authentication.  The UAC then resends the request with digest
> authentication headers, including a password encrypted via a cryptographic
> one-way hash function.  The entire mechanism was borrowed from HTTP digest
> authentication.
>
> The authorisation username can absolutely be intercepted, as it is
> transmitted in plain text.  But this is not news.  The password is
> encrypted, and while the encrypted version can be intercepted, it is
> encrypted using a one-time "nonce" value that is part of the 401 or 407
> challenge sent by the UAS.  Nonce values typically have fairly stringent
> expiration times, at least on good implementations, but nonce replay attacks
> are possible in principle.
>
> This mechanism is reasonably secure, as a compromise with the
> interoperability requirements of providing SIP service across the public
> Internet.  In high-stakes situations, however, it may not be sufficient, and
> may call for SIP over a TLS transport, or encrypted tunnels.
>
> --
> Alex Balashov - Principal
> Evariste Systems LLC
> 260 Peachtree Street NW
> Suite 2200
> Atlanta, GA 30303
> Tel: +1-678-954-0670
> Fax: +1-404-961-1892
> Web: http://www.evaristesys.com/
>
>



-- 
Sherwood McGowan
Telecommunications and VOIP Consultant
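The exchange Alex describes (401 challenge with a nonce, UAC resends with a digest, UAS checks it) as an added worked example. This is not code from this thread, from Alex, or from Asterisk; it models the RFC 3261 use of RFC 2617 MD5 digest without qop. The realm "asterisk", account 1001 and its password, the URI sip:pbx.example, the 30 s nonce lifetime and the wordlist are all constructed for the demo. It also shows the two caveats a practitioner wants next to "the password is encrypted": a replayed Authorization header is accepted unless the UAS tracks nonce use, and one sniffed header is enough to guess a weak password offline.

```python
# Added example: SIP digest authentication round trip, not the thread's or
# Asterisk's own code. Names, realm, account, URI and wordlist are constructed.
import hashlib
import hmac
import os
import re


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def digest_response(username, realm, password, method, uri, nonce):
    """UAC side of RFC 2617 as SIP uses it (RFC 3261 s.22), no qop:
    HA1 = MD5(user:realm:password), HA2 = MD5(method:uri),
    response = MD5(HA1:nonce:HA2). The password itself never leaves the UAC."""
    ha1 = md5_hex(f"{username}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{ha2}")


def parse_digest(header: str) -> dict:
    """Parse the key=value / key="value" list that follows 'Digest'."""
    body = header.split("Digest", 1)[1]
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in re.finditer(r'(\w+)=(?:"([^"]*)"|([^,\s]+))', body)}


def uac_authorize(username, password, method, uri, challenge):
    """Resend the request with an Authorization header answering the challenge."""
    c = parse_digest(challenge)
    resp = digest_response(username, c["realm"], password, method, uri, c["nonce"])
    return (f'Authorization: Digest username="{username}", realm="{c["realm"]}", '
            f'nonce="{c["nonce"]}", uri="{uri}", response="{resp}", algorithm=MD5')


class DigestUAS:
    """Minimal registrar: nonces carry a TTL and, if single_use, are burned on success."""

    def __init__(self, users, realm, nonce_ttl=30.0, single_use=True):
        self.users, self.realm = users, realm          # users: username -> password
        self.nonce_ttl, self.single_use = nonce_ttl, single_use
        self.issued = {}                                # nonce -> time it was issued
        self.used = set()

    def challenge(self, now):
        nonce = os.urandom(16).hex()
        self.issued[nonce] = now
        return f'WWW-Authenticate: Digest realm="{self.realm}", nonce="{nonce}", algorithm=MD5'

    def verify(self, method, uri, auth_header, now):
        p = parse_digest(auth_header)
        nonce = p.get("nonce", "")
        if nonce not in self.issued or now - self.issued[nonce] > self.nonce_ttl:
            return "401 stale nonce"
        if self.single_use and nonce in self.used:
            return "401 nonce already used"
        if p.get("uri") != uri:                         # digest must cover this request
            return "400 uri mismatch"
        pw = self.users.get(p.get("username", ""))
        expected = "" if pw is None else digest_response(
            p["username"], self.realm, pw, method, uri, nonce)
        if pw is None or not hmac.compare_digest(expected, p.get("response", "")):
            return "403 bad credentials"
        self.used.add(nonce)
        return "200 OK"


def offline_guess(auth_header, method, wordlist):
    """What a sniffer can do with ONE captured Authorization header: every field
    needed to recompute the response is in it, so candidate passwords are tested
    offline without ever touching the server. Weak passwords fall quickly."""
    p = parse_digest(auth_header)
    for cand in wordlist:
        if digest_response(p["username"], p["realm"], cand,
                           method, p["uri"], p["nonce"]) == p["response"]:
            return cand
    return None


def demo():
    users = {"1001": "correct horse battery"}   # constructed sample account
    method, uri, t0 = "REGISTER", "sip:pbx.example", 1000.0
    strict = DigestUAS(users, "asterisk", nonce_ttl=30.0, single_use=True)
    lax = DigestUAS(users, "asterisk", nonce_ttl=30.0, single_use=False)

    auth = uac_authorize("1001", users["1001"], method, uri, strict.challenge(t0))
    first = strict.verify(method, uri, auth, t0 + 1)    # legitimate UAC
    replay = strict.verify(method, uri, auth, t0 + 2)   # sniffer replays the same header

    lax_auth = uac_authorize("1001", users["1001"], method, uri, lax.challenge(t0))
    lax.verify(method, uri, lax_auth, t0 + 1)
    lax_replay = lax.verify(method, uri, lax_auth, t0 + 2)  # accepted: nonce use not tracked

    late_auth = uac_authorize("1001", users["1001"], method, uri, strict.challenge(t0))
    late = strict.verify(method, uri, late_auth, t0 + 60)   # past the 30 s TTL

    guessed = offline_guess(auth, method, ["123456", "1001", "correct horse battery"])
    return {"first": first, "replay": replay, "lax_replay": lax_replay,
            "late": late, "guessed": guessed}


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:11s} {v}")
```

The point of the two servers is the sentence "nonce replay attacks are possible in principle": the digest binds the password to the nonce, not to the sender, so whether a captured header can be resent depends entirely on how the UAS tracks nonces. The offline_guess step is why a short nonce lifetime does not, by itself, protect a weak SIP secret, which is the case for TLS transport or a tunnel that Alex mentions.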