[Asterisk-Users] RE: IAX Incoming/Outgoing
Tim Panton
tim at mexuar.com
Sun Mar 26 03:38:52 MST 2006
On 25 Mar 2006, at 19:15, Douglas Garstang wrote:
> Why do I need a username at all if I am doing rsa authentication?
> Why doesn't it match against the key?
So you want the receiving asterisk to take an incoming key and
speculatively see if it
matches _any_ of the keys mentioned in it's iax.conf? Not only is
that a bit expensive
computationally, but it also allows an attacker to test 10 (say) keys
for the price of one.
Keys are for authentication not identification.
Tim.
Tim Panton
tim at mexuar.com
More information about the asterisk-users
mailing list