Dave Platt
2009-Mar-26 20:41 UTC
[asterisk-users] Is there a public blacklist of hackers' IP addresses?
> SIP was written in such a way that the hashes it sends for passwords
> could, with only a trivial rewrite of the server code, be SHA1 instead
> of MD5 -- which would increase security to the level that, currently, it
> would be far more trouble than it's worth to even bother to attempt to
> crack.

I strongly doubt that the known weaknesses in the MD5 hash are
the "weak point" in SIP account security.

Weak passwords are almost certainly much more of a problem. Performing
a dictionary attack is going to be a lot faster than attempting
a brute-force mathematical attack against MD5... and switching from
MD5 to SHA-1 provides no significant defense against dictionary
attacks.

The only good way to keep passwords secure against dictionary attacks
is to make sure that the passwords aren't guessable by that means...
no common words, no names, no simple permutations or birthdates or
anything like that. Use a decent random-number generator and
number-to-character conversion algorithm to generate SIP passwords
that are sufficiently long and very DTR8FBWF_==F?Z@\.-+!N$ and you'll
be well defended.
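The point above, shown in working code (an added example, not code from the list or from Asterisk): a SIP client proves its password with the RFC 2617 Digest computation MD5(MD5(user:realm:pass):nonce:MD5(method:uri)), and every input except the password travels in the clear in the REGISTER request. An attacker who captures one exchange therefore recomputes the digest offline for each candidate password; the hash function's collision weaknesses never come into play. The challenge fields, the weak password and the wordlist below are constructed for the example, and the secret generator uses the OS CSPRNG as the "decent random-number generator" the post asks for.

```python
import hashlib
import math
import secrets
import string

# Constructed sample of a SIP REGISTER challenge (assumptions, not a real capture).
USERNAME = "1001"
REALM = "asterisk"
METHOD = "REGISTER"
URI = "sip:pbx.example.com"
NONCE = "4c5a2f9e"          # server-supplied nonce from the 401 challenge
WEAK_PASSWORD = "1001"      # a secret that equals the extension number

# Constructed wordlist; a real attack feeds millions of entries through the same loop.
WORDLIST = ["123456", "password", "letmein", "1001", "asterisk", "qwerty"]

# Character set for generated secrets (an assumption; keep it to characters your
# phones and sip.conf parser accept).
ALPHABET = string.ascii_letters + string.digits + "_-!$@"


def digest_response(username, realm, password, method, uri, nonce):
    """RFC 2617 Digest response without qop (the form chan_sip used at the time):
    MD5(HA1 ":" nonce ":" HA2), HA1 = MD5(user:realm:pass), HA2 = MD5(method:uri)."""
    ha1 = hashlib.md5(f"{username}:{realm}:{password}".encode()).hexdigest()
    ha2 = hashlib.md5(f"{method}:{uri}".encode()).hexdigest()
    return hashlib.md5(f"{ha1}:{nonce}:{ha2}".encode()).hexdigest()


def dictionary_attack(observed_response, username, realm, method, uri, nonce, wordlist):
    """Offline guessing: recompute the digest per candidate until one matches.
    Only the password is unknown; every other input was sniffed from the REGISTER."""
    for candidate in wordlist:
        if digest_response(username, realm, candidate, method, uri, nonce) == observed_response:
            return candidate
    return None


def generate_sip_password(length=24, alphabet=ALPHABET):
    """Random SIP secret from the OS CSPRNG. secrets.choice picks each character
    uniformly (it rejection-samples internally), so the number-to-character step
    adds no bias. random.choice is not acceptable here: Mersenne Twister output
    is predictable from a handful of observed values."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length, alphabet=ALPHABET):
    """Guessing work for a uniformly random password: log2(|alphabet| ** length)."""
    return length * math.log2(len(alphabet))


def crack_weak_account():
    """Digest seen on the wire for the weak account; the wordlist recovers it."""
    observed = digest_response(USERNAME, REALM, WEAK_PASSWORD, METHOD, URI, NONCE)
    return dictionary_attack(observed, USERNAME, REALM, METHOD, URI, NONCE, WORDLIST)


def random_account_survives(wordlist=WORDLIST):
    """Same attack against a freshly generated secret: no wordlist entry matches."""
    strong = generate_sip_password()
    observed = digest_response(USERNAME, REALM, strong, METHOD, URI, NONCE)
    return dictionary_attack(observed, USERNAME, REALM, METHOD, URI, NONCE, wordlist) is None


if __name__ == "__main__":
    print("weak account cracked, password:", crack_weak_account())
    print("random account resists wordlist:", random_account_survives())
    pw = generate_sip_password()
    print(f"generated secret: {pw} ({entropy_bits(len(pw)):.0f} bits)")
```

Swapping hashlib.md5 for hashlib.sha1 in digest_response changes nothing about the loop in dictionary_attack; what stops it is the roughly 145 bits of entropy in a 24-character secret drawn from the 67-symbol alphabet, which no wordlist or brute-force search will reach.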
SIP
2009-Mar-26 21:19 UTC
[asterisk-users] Is there a public blacklist of hackers' IP addresses?
Dave Platt wrote:
>> SIP was written in such a way that the hashes it sends for passwords
>> could, with only a trivial rewrite of the server code, be SHA1 instead
>> of MD5 -- which would increase security to the level that, currently, it
>> would be far more trouble than it's worth to even bother to attempt to
>> crack.
>>
>
> I strongly doubt that the known weaknesses in the MD5 hash are
> the "weak point" in SIP account security.
>
> Weak passwords are almost certainly much more of a problem. Performing
> a dictionary attack is going to be a lot faster than attempting
> a brute-force mathematical attack against MD5... and switching from
> MD5 to SHA-1 provides no significant defense against dictionary
> attacks.
>
> The only good way to keep passwords secure against dictionary attacks
> is to make sure that the passwords aren't guessable by that means...
> no common words, no names, no simple permutations or birthdates or
> anything like that. Use a decent random-number generator and
> number-to-character conversion algorithm to generate SIP passwords
> that are sufficiently long and very DTR8FBWF_==F?Z@\.-+!N$ and you'll
> be well defended.
>

I'm referring to the weak link in the SIP protocol, not in Asterisk's SIP accounts. The question was whether or not SIP itself was secure.

--
Neil Fusillo
CEO
Infinideas, inc.
http://www.ideasip.com