[asterisk-users] Asterisk encrypted authentication for clients

Motty motty.cruz at gmail.com
Mon Nov 2 09:47:05 CST 2015 

Thank you very much Dave,

_Motty

On 10/31/2015 10:47 AM, Dave Platt wrote:
>> Thanks Jeff, just to confirm, password are not sent in plain text? I
>> want to safeguard against man in the middle attacks, sniffing traffic of
>> clients.
> That's correct.
>
> The way it works is:
>
> -  Both the client, and Asterisk, know what the password is.
>
> -  The client sends a SIP message which would require authorization
>     (a register or invite, for example).  It provides the username
>     in the message.
>
> -  The server generates a random "nonce" (basically a big random
>     number) and sends it back to the client... basically saying
>     "Use this nonce, and your password, to prove who you are."
>
> -  The client combines the nonce, and the password, and uses the
>     combined data as input into a hashing function (I can't recall
>     whether MD-5, SHA-1, or something more modern is used).  I
>     *think* some of the other details of the original message are
>     also included in the hash but don't recall for certain.
>
> -  The client re-sends the original message, and includes its
>     username, the nonce, and the hash.  It does not send the
>     password at all.
>
> -  The server makes sure that the nonce is is the most recent
>     one it sent, and that this is the first time the client has
>     sent back that particular nonce.  Once that's certain, the
>     server uses the nonce and its copy of the password to
>     compute the hash, and compares this with the hash the client
>     sent.
>
> -  If the hashes match, the server "knows" that the client knows
>     the correct password (to a very high degree of certainty) and
>     it allows the command to proceed.  If they don't match, the
>     client doesn't know the password, and the command is rejected.
>
> The hash functions that are used, are ones which would make it
> extremely difficult (months or years of computing time) to
> figure out what the password is, by breaking the hash algorithm.
>
> Of course, if a "weak" (short, guessable) password is used, it
> can be broken by a dictionary attack or brute force - the hash
> technique can't defend against this.
>
>
>

More information about the asterisk-users mailing list