[Asterisk-Users] asterisk@home scary log
Bruno Hertz
brrhtz at yahoo.de
Thu Feb 10 10:40:57 MST 2005
On Thu, 2005-02-10 at 09:57 -0700, Colin Anderson wrote:
> 5. Use key-based auth mechanism rather than password. It's my understanding
> that the key is never sent, only a hash of the key. The target system
> compares the hash against it's hash of the key, and if it matches, cool.
Not exactly, for the sake of completeness. Public/private key
authentication usually is based on the fact that messages encrypted by a
public key can only be decrypted by the private key. So your public key,
which is stored on the server, can be used by the server to send an
encrypted challenge. If you are able to decrypt that challenge, via the
private key stored on your desktop system, you've proven that you have
the private key and hence are the identity you said you are.
So, whoever has access to the private key, and to the (optional but
vital!) passphrase with which the key is encrypted for storage, can
authorize against the corresponding public key. That's why the private
key and it's passphrase must be kept secret.
On the other hand, all that travels the net are arbitrary one time
challenges, and no critical information is exposed.
Regards, Bruno.
More information about the asterisk-users
mailing list