Thanks Alex for clearing up the bit about the NONCE, that's what I was trying to remember when I said CallID :)
Good explanation by the way! :)

On Thu, May 5, 2011 at 7:17 AM, Alex Balashov <[email protected]> wrote:

> Bilal,
>
> On 05/05/2011 08:08 AM, bilal ghayyad wrote:
>
>> When the endpoint registers on Asterisk or initiates a call, they
>> exchange the SIP username and password. What is the possibility that
>> this will be captured by the hacker and how to avoid this problem?
>
> Strictly speaking, there is no inherent connection between either
> registration or call initiation on the one hand, and authentication. Both of
> those scenarios can be performed in an authentication-free fashion. In
> fact, in most cases the SIP UAC will first attempt to send both a REGISTER
> and an INVITE request without any authentication credentials.
>
> However, it is typical of a SIP UAS providing retail services to the public
> at large to reply to those requests with a 401 or 407 proxy challenge
> requesting authentication. The UAC then resends the request with digest
> authentication headers, including a password encrypted via a cryptographic
> one-way hash function. The entire mechanism was borrowed from HTTP digest
> authentication.
>
> The authorisation username can absolutely be intercepted, as it is
> transmitted in plain text. But this is not news. The password is
> encrypted, and while the encrypted version can be intercepted, it is
> encrypted using a one-time "nonce" value that is part of the 401 or 407
> challenge sent by the UAS. Nonce values typically have fairly stringent
> expiration times, at least on good implementations, but nonce replay attacks
> are possible in principle.
>
> This mechanism is reasonably secure, as a compromise with the
> interoperability requirements of providing SIP service across the public
> Internet. In high-stakes situations, however, it may not be sufficient, and
> may call for SIP over a TLS transport, or encrypted tunnels.
>
> --
> Alex Balashov - Principal
> Evariste Systems LLC
> 260 Peachtree Street NW
> Suite 2200
> Atlanta, GA 30303
> Tel: +1-678-954-0670
> Fax: +1-404-961-1892
> Web: http://www.evaristesys.com/
>
> --
> _____________________________________________________________________
> -- Bandwidth and Colocation Provided by http://www.api-digital.com --
> New to Asterisk? Join us for a live introductory webinar every Thurs:
> http://www.asterisk.org/hello
>
> asterisk-users mailing list
> To UNSUBSCRIBE or update options visit:
> http://lists.digium.com/mailman/listinfo/asterisk-users

--
Sherwood McGowan
Telecommunications and VOIP Consultant
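The digest exchange Alex describes, as an added example that is not part of this thread or of Asterisk: the UAC-side response computation (RFC 2617 digest without qop, as SIP commonly uses it) next to a UAS-side verifier that treats each nonce as random, single-use and time-limited, so a captured Authorization header does not verify a second time. Realm, extension, URI and password are constructed placeholders.

```python
import hashlib
import hmac
import secrets
import time

def _md5(text: str) -> str:
    return hashlib.md5(text.encode()).hexdigest()

def digest_response(username, realm, password, method, uri, nonce):
    """RFC 2617 digest without qop, the form a SIP UA sends after a 401/407.
    Only this hash crosses the wire; the password itself never does."""
    ha1 = _md5(f"{username}:{realm}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{ha2}")

class DigestVerifier:
    """UAS-side check: every nonce is random, single-use and time-limited,
    so a captured Authorization header cannot be replayed later."""

    def __init__(self, realm, credentials, nonce_ttl=30.0, clock=time.monotonic):
        self.realm = realm
        self.credentials = credentials  # username -> password (demo only)
        self.nonce_ttl = nonce_ttl
        self._clock = clock
        self._nonces = {}  # nonce -> time it was issued in a challenge

    def challenge(self):
        nonce = secrets.token_hex(16)
        self._nonces[nonce] = self._clock()
        return nonce

    def verify(self, username, method, uri, nonce, response):
        issued = self._nonces.pop(nonce, None)  # pop: a nonce verifies once
        if issued is None or self._clock() - issued > self.nonce_ttl:
            return False  # unknown, already used, or expired nonce
        password = self.credentials.get(username)
        if password is None:
            return False
        expected = digest_response(username, self.realm, password, method, uri, nonce)
        return hmac.compare_digest(expected, response)

def demo(now=1000.0):
    """Constructed REGISTER exchange: returns (first attempt ok, replay ok)."""
    v = DigestVerifier("asterisk", {"1001": "demo-secret"}, clock=lambda: now)
    nonce = v.challenge()
    resp = digest_response("1001", "asterisk", "demo-secret", "REGISTER", "sip:pbx.example", nonce)
    first = v.verify("1001", "REGISTER", "sip:pbx.example", nonce, resp)
    return first, v.verify("1001", "REGISTER", "sip:pbx.example", nonce, resp)
```

`demo()` returns `(True, False)`: the same response that authenticated once is rejected when presented again, which is the property a nonce cache with expiry buys you.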
