[asterisk-users] Asterisk encrypted authentication for clients
Motty
motty.cruz at gmail.com
Fri Oct 30 16:02:04 CDT 2015
Thanks Jeff, just to confirm, password are not sent in plain text? I
want to safeguard against man in the middle attacks, sniffing traffic of
clients.
Thanks,
_motty
On 10/30/2015 07:37 AM, Jeff LaCoursiere wrote:
> On 10/29/2015 04:01 PM, Motty wrote:
>>
>>
>> On 10/29/2015 01:11 PM, Jeff LaCoursiere wrote:
>>> On 10/28/2015 06:37 PM, Pete Mundy wrote:
>>>> Hi Motty,
>>>>
>>>> Isn't the whole point of the nonce in a SIP registration to ensure
>>>> the secret doesn't go on the wire in plain-text? Is this not
>>>> enough, or are you looking to hide the username too?
>>>>
>>>> (if so, fair 'nuf, just wondering why :)
>>>>
>>>> Pete
>>>>
>>>> Ps, if so then I think TLS is the missing part of your equation.
>>>>
>>>> On 29/10/2015, at 11:54 AM, Motty <motty.cruz at gmail.com> wrote:
>>>>
>>>>> Hello,
>>>>> I am searching for a solution to encrypt authentication from
>>>>> Asterisk server to clients. Searching srtp seem to encrypt
>>>>> traffic, I just want client authentication with encryption. Can
>>>>> someone point to the right direction? has anybody used ZRTP?
>>>>> experience with ZRTP?
>>>>>
>>>>> Thanks,
>>>>> _motty
>>>>
>>>>
>>>
>>> You want SIP over TLS. That encrypts the signalling. SRTP and ZRTP
>>> encrypt the actual voice traffic.
>>>
>>> Cheers,
>>>
>>> j
>>>
>>>
>>
>>
>> Thanks Jeff,
>> I don't want SIP over TLS. I would like to encrypt password only, I
>> suppose over TLS.
>>
>> Thanks,
>> _motty
>
> The password isn't sent - SIP auth involves a challenge/response with
> hashing (digest authentication). If that's all you are interested in,
> you are already there.
>
> Cheers,
>
> j
>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.digium.com/pipermail/asterisk-users/attachments/20151030/db487650/attachment.html>
More information about the asterisk-users
mailing list