<br><br><div class="gmail_quote">On Mon, Feb 9, 2009 at 9:28 PM, Kevin P. Fleming <span dir="ltr"><<a href="mailto:kpfleming@digium.com">kpfleming@digium.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
<div class="Ih2E3d">Chris Rowson wrote:<br>
<br>
> Am I right in thinking that all passwords sent across the network in<br>
> Asterisk are MD5 encrypted without me having to specifically set<br>
> anything up to make it happen?<br>
<br>
</div>The simple answer is 'yes', the correct answer is 'no' :-)<br>
<br>
MD5 is not encryption, it is a digest (hash) function.<br>
<br>
What happens in SIP (and HTTP basic auth) is that the shared secret (the<br>
password) is run through a supposedly secure digest function (MD5),<br>
along with a shared non-secret value (the nonce). The result of this<br>
digest function is then sent to the other party, which does the same<br>
calculation and compares the result. If the result matches, then the<br>
shared secret must have been the same.<br>
<br>
So, since your goal is to avoid the secret being sent unprotected, that<br>
is the case; the password is *never* sent across the wire, even when<br>
encryption is in use (SIP over TLS, for example).<br>
<br>
--<br>
Kevin P. Fleming<br>
Digium, Inc. | Director of Software Technologies<br>
445 Jan Davis Drive NW - Huntsville, AL 35806 - USA<br>
skype: kpfleming | jabber: <a href="mailto:kpfleming@digium.com">kpfleming@digium.com</a><br>
Check us out at <a href="http://www.digium.com" target="_blank">www.digium.com</a> & <a href="http://www.asterisk.org" target="_blank">www.asterisk.org</a><br>
<br>
</blockquote><div>Thank for taking the time to write such a comprehensive answer Kevin!<br><br>Cheers<br><br>Chris <br></div></div><br>