Sponsor: VoiceMeUp - Corporate & Wholesale VoIP Services

VoIP Mailing List Archives
Mailing list archives for the VoIP community
 SearchSearch 

[asterisk-users] Asterisk encrypted authentication for clients


 
Post new topic   Reply to topic    VoIP Mailing List Archives Forum Index -> Asterisk Users
View previous topic :: View next topic  
Author Message
pete at fiberphone.co.nz
Guest
PostPosted: Wed Oct 28, 2015 6:37 pm    Post subject: [asterisk-users] Asterisk encrypted authentication for clien Reply with quote
Hi Motty,


Isn't the whole point of the nonce in a SIP registration to ensure the secret doesn't go on the wire in plain-text? Is this not enough, or are you looking to hide the username too?

(if so, fair 'nuf, just wondering why Smile

Pete


Ps, if so then I think TLS is the missing part of your equation.


On 29/10/2015, at 11:54 AM, Motty <motty.cruz@gmail.com (motty.cruz@gmail.com)> wrote:
Quote:
Hello,
I am searching for a solution to encrypt authentication from Asterisk server to clients. Searching srtp seem to encrypt traffic, I just want client authentication with encryption. Can someone point to the right direction? has anybody used ZRTP? experience with ZRTP?

Thanks,
_motty
Back to top
ish at pack-net.co.uk
Guest
PostPosted: Thu Oct 29, 2015 5:18 am    Post subject: [asterisk-users] Asterisk encrypted authentication for clien Reply with quote
On 28 October 2015 at 22:54, Motty <motty.cruz@gmail.com (motty.cruz@gmail.com)> wrote:
Quote:
Hello,
I am searching for a solution to encrypt authentication from Asterisk server to clients. Searching srtp seem to encrypt traffic, I just want client authentication with encryption. Can someone point to the right direction? has anybody used ZRTP? experience with ZRTP?

Thanks,
_motty

--
_____________________________________________________________________
-- Bandwidth and Colocation Provided by http://www.api-digital.com --
New to Asterisk? Join us for a live introductory webinar every Thurs:
              http://www.asterisk.org/hello

asterisk-users mailing list
To UNSUBSCRIBE or update options visit:
  http://lists.digium.com/mailman/listinfo/asterisk-users


https://wiki.asterisk.org/wiki/display/AST/SIP+TLS+Transport

--
Quote:
Ishfaq Malik
Department: VOIP Support
Company: Packnet Limited
t: +44 (0)161 660 2350
f: +44 (0)161 660 9825
e: ish@pack-net.co.uk (ish@pack-net.co.uk)
w: http://www.pack-net.co.uk

Registered Address: PACKNET LIMITED, Duplex 2, Ducie House
37 Ducie Street
Manchester, M1 2JW
COMPANY REG NO. 04920552
Back to top
jeff at jeff.net
Guest
PostPosted: Thu Oct 29, 2015 3:11 pm    Post subject: [asterisk-users] Asterisk encrypted authentication for clien Reply with quote
On 10/28/2015 06:37 PM, Pete Mundy wrote:

Quote:
Hi Motty,


Isn't the whole point of the nonce in a SIP registration to ensure the secret doesn't go on the wire in plain-text? Is this not enough, or are you looking to hide the username too?

(if so, fair 'nuf, just wondering why Smile

Pete


Ps, if so then I think TLS is the missing part of your equation.


On 29/10/2015, at 11:54 AM, Motty <motty.cruz@gmail.com (motty.cruz@gmail.com)> wrote:
Quote:
Hello,
I am searching for a solution to encrypt authentication from Asterisk server to clients. Searching srtp seem to encrypt traffic, I just want client authentication with encryption. Can someone point to the right direction? has anybody used ZRTP? experience with ZRTP?

Thanks,
_motty






You want SIP over TLS.  That encrypts the signalling.  SRTP and ZRTP encrypt the actual voice traffic.

Cheers,

j
Back to top
motty.cruz at gmail.com
Guest
PostPosted: Thu Oct 29, 2015 4:02 pm    Post subject: [asterisk-users] Asterisk encrypted authentication for clien Reply with quote
Thanks Jeff,
I don't want SIP over TLS. I would like to encrypt password only, I suppose over TLS.

Thanks,
_motty

On 10/29/2015 01:11 PM, Jeff LaCoursiere wrote:

Quote:
On 10/28/2015 06:37 PM, Pete Mundy wrote:

Quote:
Hi Motty,


Isn't the whole point of the nonce in a SIP registration to ensure the secret doesn't go on the wire in plain-text? Is this not enough, or are you looking to hide the username too?

(if so, fair 'nuf, just wondering why Smile

Pete


Ps, if so then I think TLS is the missing part of your equation.


On 29/10/2015, at 11:54 AM, Motty <[url=mailto:motty.cruz@gmail.com]motty.cruz@gmail.com (motty.cruz@gmail.com)[/url]> wrote:
Quote:
Hello,
I am searching for a solution to encrypt authentication from Asterisk server to clients. Searching srtp seem to encrypt traffic, I just want client authentication with encryption. Can someone point to the right direction? has anybody used ZRTP? experience with ZRTP?

Thanks,
_motty






You want SIP over TLS.  That encrypts the signalling.  SRTP and ZRTP encrypt the actual voice traffic.

Cheers,

j


Back to top
pete at fiberphone.co.nz
Guest
PostPosted: Thu Oct 29, 2015 11:20 pm    Post subject: [asterisk-users] Asterisk encrypted authentication for clien Reply with quote
Motty,


Isn't this why digest authentication (ie the nonce[1]) is part of the standard SIP auth handshake?

Ie, why do you think the password is not already encrypted?




Pete


[1] https://andrewjprokop.wordpress.com/2015/01/27/understanding-sip-authentication/
(paragraph starting 'Take a look at the Proxy-Authenticate header and you will see a Nonce parameter')






On 30/10/2015, at 10:01 AM, Motty <motty.cruz@gmail.com (motty.cruz@gmail.com)> wrote:
Quote:
Thanks Jeff,
I don't want SIP over TLS. I would like to encrypt password only, I suppose over TLS.

On 10/29/2015 01:11 PM, Jeff LaCoursiere wrote:

Quote:
You want SIP over TLS. That encrypts the signalling. SRTP and ZRTP encrypt the actual voice traffic.

Back to top
jrees at gmlnt.com
Guest
PostPosted: Thu Oct 29, 2015 11:20 pm    Post subject: [asterisk-users] Asterisk encrypted authentication for clien Reply with quote
Hello, Thank you for your email. I am currently out of the office and will return on Tuesday 3rd November 2015. Whilst I will periodically be checking my emails, your email has been forwarded to info@gmlnt.com. If your query is urgent then please contact 01255 851 999 and press option 2 to speak to one of my colleagues. Regards, Jamie Rees GML Networking Technologies
Back to top
jeff at jeff.net
Guest
PostPosted: Fri Oct 30, 2015 9:38 am    Post subject: [asterisk-users] Asterisk encrypted authentication for clien Reply with quote
On 10/29/2015 04:01 PM, Motty wrote:

Quote:


On 10/29/2015 01:11 PM, Jeff LaCoursiere wrote:

Quote:
On 10/28/2015 06:37 PM, Pete Mundy wrote:

Quote:
Hi Motty,


Isn't the whole point of the nonce in a SIP registration to ensure the secret doesn't go on the wire in plain-text? Is this not enough, or are you looking to hide the username too?

(if so, fair 'nuf, just wondering why Smile

Pete


Ps, if so then I think TLS is the missing part of your equation.


On 29/10/2015, at 11:54 AM, Motty <motty.cruz@gmail.com (motty.cruz@gmail.com)> wrote:
Quote:
Hello,
I am searching for a solution to encrypt authentication from Asterisk server to clients. Searching srtp seem to encrypt traffic, I just want client authentication with encryption. Can someone point to the right direction? has anybody used ZRTP? experience with ZRTP?

Thanks,
_motty






You want SIP over TLS.  That encrypts the signalling.  SRTP and ZRTP encrypt the actual voice traffic.

Cheers,

j




Thanks Jeff,
I don't want SIP over TLS. I would like to encrypt password only, I suppose over TLS.

Thanks,
_motty

The password isn't sent - SIP auth involves a challenge/response with hashing (digest authentication).  If that's all you are interested in, you are already there.

Cheers,

j
Back to top
motty.cruz at gmail.com
Guest
PostPosted: Fri Oct 30, 2015 4:02 pm    Post subject: [asterisk-users] Asterisk encrypted authentication for clien Reply with quote
Thanks Jeff, just to confirm, password are not sent in plain text? I want to safeguard against man in the middle attacks, sniffing traffic of clients.

Thanks,
_motty

On 10/30/2015 07:37 AM, Jeff LaCoursiere wrote:

Quote:
On 10/29/2015 04:01 PM, Motty wrote:

Quote:


On 10/29/2015 01:11 PM, Jeff LaCoursiere wrote:

Quote:
On 10/28/2015 06:37 PM, Pete Mundy wrote:

Quote:
Hi Motty,


Isn't the whole point of the nonce in a SIP registration to ensure the secret doesn't go on the wire in plain-text? Is this not enough, or are you looking to hide the username too?

(if so, fair 'nuf, just wondering why Smile

Pete


Ps, if so then I think TLS is the missing part of your equation.


On 29/10/2015, at 11:54 AM, Motty <[url=mailto:motty.cruz@gmail.com]motty.cruz@gmail.com (motty.cruz@gmail.com)[/url]> wrote:
Quote:
Hello,
I am searching for a solution to encrypt authentication from Asterisk server to clients. Searching srtp seem to encrypt traffic, I just want client authentication with encryption. Can someone point to the right direction? has anybody used ZRTP? experience with ZRTP?

Thanks,
_motty






You want SIP over TLS.  That encrypts the signalling.  SRTP and ZRTP encrypt the actual voice traffic.

Cheers,

j




Thanks Jeff,
I don't want SIP over TLS. I would like to encrypt password only, I suppose over TLS.

Thanks,
_motty

The password isn't sent - SIP auth involves a challenge/response with hashing (digest authentication).  If that's all you are interested in, you are already there.

Cheers,

j



Back to top
dplatt at radagast.org
Guest
PostPosted: Sat Oct 31, 2015 12:48 pm    Post subject: [asterisk-users] Asterisk encrypted authentication for clien Reply with quote
Quote:
Thanks Jeff, just to confirm, password are not sent in plain text? I
want to safeguard against man in the middle attacks, sniffing traffic of
clients.

That's correct.

The way it works is:

- Both the client, and Asterisk, know what the password is.

- The client sends a SIP message which would require authorization
(a register or invite, for example). It provides the username
in the message.

- The server generates a random "nonce" (basically a big random
number) and sends it back to the client... basically saying
"Use this nonce, and your password, to prove who you are."

- The client combines the nonce, and the password, and uses the
combined data as input into a hashing function (I can't recall
whether MD-5, SHA-1, or something more modern is used). I
*think* some of the other details of the original message are
also included in the hash but don't recall for certain.

- The client re-sends the original message, and includes its
username, the nonce, and the hash. It does not send the
password at all.

- The server makes sure that the nonce is is the most recent
one it sent, and that this is the first time the client has
sent back that particular nonce. Once that's certain, the
server uses the nonce and its copy of the password to
compute the hash, and compares this with the hash the client
sent.

- If the hashes match, the server "knows" that the client knows
the correct password (to a very high degree of certainty) and
it allows the command to proceed. If they don't match, the
client doesn't know the password, and the command is rejected.

The hash functions that are used, are ones which would make it
extremely difficult (months or years of computing time) to
figure out what the password is, by breaking the hash algorithm.

Of course, if a "weak" (short, guessable) password is used, it
can be broken by a dictionary attack or brute force - the hash
technique can't defend against this.



--
_____________________________________________________________________
-- Bandwidth and Colocation Provided by http://www.api-digital.com --
New to Asterisk? Join us for a live introductory webinar every Thurs:
http://www.asterisk.org/hello

asterisk-users mailing list
To UNSUBSCRIBE or update options visit:
http://lists.digium.com/mailman/listinfo/asterisk-users
Back to top
motty.cruz at gmail.com
Guest
PostPosted: Mon Nov 02, 2015 10:47 am    Post subject: [asterisk-users] Asterisk encrypted authentication for clien Reply with quote
Thank you very much Dave,

_Motty

On 10/31/2015 10:47 AM, Dave Platt wrote:
Quote:
Quote:
Thanks Jeff, just to confirm, password are not sent in plain text? I
want to safeguard against man in the middle attacks, sniffing traffic of
clients.
That's correct.

The way it works is:

- Both the client, and Asterisk, know what the password is.

- The client sends a SIP message which would require authorization
(a register or invite, for example). It provides the username
in the message.

- The server generates a random "nonce" (basically a big random
number) and sends it back to the client... basically saying
"Use this nonce, and your password, to prove who you are."

- The client combines the nonce, and the password, and uses the
combined data as input into a hashing function (I can't recall
whether MD-5, SHA-1, or something more modern is used). I
*think* some of the other details of the original message are
also included in the hash but don't recall for certain.

- The client re-sends the original message, and includes its
username, the nonce, and the hash. It does not send the
password at all.

- The server makes sure that the nonce is is the most recent
one it sent, and that this is the first time the client has
sent back that particular nonce. Once that's certain, the
server uses the nonce and its copy of the password to
compute the hash, and compares this with the hash the client
sent.

- If the hashes match, the server "knows" that the client knows
the correct password (to a very high degree of certainty) and
it allows the command to proceed. If they don't match, the
client doesn't know the password, and the command is rejected.

The hash functions that are used, are ones which would make it
extremely difficult (months or years of computing time) to
figure out what the password is, by breaking the hash algorithm.

Of course, if a "weak" (short, guessable) password is used, it
can be broken by a dictionary attack or brute force - the hash
technique can't defend against this.





--
_____________________________________________________________________
-- Bandwidth and Colocation Provided by http://www.api-digital.com --
New to Asterisk? Join us for a live introductory webinar every Thurs:
http://www.asterisk.org/hello

asterisk-users mailing list
To UNSUBSCRIBE or update options visit:
http://lists.digium.com/mailman/listinfo/asterisk-users
Back to top
Display posts from previous:   
Post new topic   Reply to topic    VoIP Mailing List Archives Forum Index -> Asterisk Users All times are GMT - 5 Hours
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum


Powered by phpBB © 2001, 2005 phpBB Group

VoiceMeUp - Corporate & Wholesale VoIP Services