Hi All;

When the endpoints register on Asterisk or initiate a call, they exchange the SIP username and password. What is the possibility that this will be captured by a hacker, and how do we avoid this problem?

Regards
Bilal
Olle E. Johansson
2011-May-05 12:16 UTC
[asterisk-users] SIP security: username and password
On 5 May 2011 at 14.08, bilal ghayyad wrote:
> Hi All;
>
> When the endpoint register on Asterisk or initiate a call, so they exchange the sip username and password. What is the possibility that this will be capture by the hacker and how to avoid this problem?

We never exchange passwords in clear text in SIP 2.0. SIP uses HTTP digest authentication with MD5. There are many articles about that on the web, so that you can find out how it works and what the risks are.

Cheers,
/O
Sherwood McGowan
2011-May-05 12:17 UTC
[asterisk-users] SIP security: username and password
Little to none... SIP is set up so that the packet contains identifiable data (the username), but the authentication is performed with a digest of the username, password, [domain] and [Call-ID] (I think I got that right).

On Thu, May 5, 2011 at 7:08 AM, bilal ghayyad <bilmar_gh at yahoo.com> wrote:
> Hi All;
>
> When the endpoint register on Asterisk or initiate a call, so they exchange
> the sip username and password. What is the possibility that this will be
> capture by the hacker and how to avoid this problem?
>
> Regards
> Bilal

--
Sherwood McGowan
Telecommunications and VOIP Consultant
Bilal,

On 05/05/2011 08:08 AM, bilal ghayyad wrote:
> When the endpoint register on Asterisk or initiate a call, so they
> exchange the sip username and password. What is the possibility that
> this will be capture by the hacker and how to avoid this problem?

Strictly speaking, there is no inherent connection between either registration or call initiation on the one hand, and authentication on the other. Both of those scenarios can be performed in an authentication-free fashion. In fact, in most cases the SIP UAC will first attempt to send both a REGISTER and an INVITE request without any authentication credentials.

However, it is typical of a SIP UAS providing retail services to the public at large to reply to those requests with a 401 or 407 proxy challenge requesting authentication. The UAC then resends the request with digest authentication headers, including a password encrypted via a cryptographic one-way hash function. The entire mechanism was borrowed from HTTP digest authentication.

The authorisation username can absolutely be intercepted, as it is transmitted in plain text. But this is not news. The password is encrypted, and while the encrypted version can be intercepted, it is encrypted using a one-time "nonce" value that is part of the 401 or 407 challenge sent by the UAS. Nonce values typically have fairly stringent expiration times, at least on good implementations, but nonce replay attacks are possible in principle.

This mechanism is reasonably secure, as a compromise with the interoperability requirements of providing SIP service across the public Internet. In high-stakes situations, however, it may not be sufficient, and may call for SIP over a TLS transport, or encrypted tunnels.

--
Alex Balashov - Principal
Evariste Systems LLC
260 Peachtree Street NW
Suite 2200
Atlanta, GA 30303
Tel: +1-678-954-0670
Fax: +1-404-961-1892
Web: http://www.evaristesys.com/
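The challenge/response round trip that Alex describes above, written out as an added example (not code from the thread or from Asterisk). It uses the classic RFC 2617 digest form without qop, which is an assumption about the configuration; the credentials, realm and URI are constructed sample values. The registrar side also shows the two checks that decide whether a captured digest is worth anything to an eavesdropper: a nonce is accepted once and only within its lifetime.

```python
import hashlib
import secrets
import time

# Constructed sample values for the example; not taken from the thread.
USERNAME, REALM, PASSWORD = "1001", "asterisk", "correct horse battery"
METHOD, URI = "REGISTER", "sip:pbx.example.invalid"


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def digest_response(username, realm, password, method, uri, nonce) -> str:
    """RFC 2617 digest without qop: MD5(HA1:nonce:HA2), HA1 = MD5(user:realm:pass)."""
    ha1 = md5_hex(f"{username}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{ha2}")


class Registrar:
    """Minimal UAS side: hands out a nonce with the 401 and checks the retried request."""

    def __init__(self, nonce_ttl=30.0):
        self.nonce_ttl = nonce_ttl
        self.issued = {}  # nonce -> time issued; removed on first use

    def challenge(self, now=None):
        nonce = secrets.token_hex(16)  # unpredictable per-challenge value
        self.issued[nonce] = time.time() if now is None else now
        return nonce

    def verify(self, auth, stored_password, now=None):
        now = time.time() if now is None else now
        issued = self.issued.pop(auth["nonce"], None)  # pop: a replayed nonce fails
        if issued is None or now - issued > self.nonce_ttl:
            return False  # unknown, already used, or expired nonce
        expected = digest_response(auth["username"], auth["realm"], stored_password,
                                   auth["method"], auth["uri"], auth["nonce"])
        return secrets.compare_digest(expected, auth["response"])


def register(registrar, password=PASSWORD, now=None):
    """One REGISTER: 401 challenge, then the retry carrying the Authorization fields."""
    nonce = registrar.challenge(now)
    # Everything an eavesdropper sees: username and realm in clear, nonce, URI
    # (method comes from the request line) and the 32-hex-digit response.
    auth = {"username": USERNAME, "realm": REALM, "nonce": nonce, "uri": URI,
            "method": METHOD,
            "response": digest_response(USERNAME, REALM, password, METHOD, URI, nonce)}
    return registrar.verify(auth, PASSWORD, now), auth
```

Running `register(Registrar())` returns `(True, auth)`; feeding the same `auth` to `verify` a second time, or after the nonce lifetime, returns `False`.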
On Thursday 05 May 2011, bilal ghayyad wrote:
> Hi All;
>
> When the endpoint register on Asterisk or initiate a call, so they exchange
> the sip username and password. What is the possibility that this will be
> capture by the hacker and how to avoid this problem?

If the two devices are connected by Ethernet cables and are on 192.168.x.x or 10.x.x.x addresses, then nothing goes further than the router where your Internet connection comes in. And we're presuming anyone within your bounds is trustworthy.

If one of the devices is connected wirelessly, then the passwords will be broadcast over the air (although they will be encrypted). In fact, if there is a wireless access point anywhere on the network, then it may *potentially* broadcast data and credentials even if the calls are not going through it, until it has built up a routing table. Wi-fi doesn't travel very far, but someone in your car park who has your WPA2 key may be able to sniff packets.

If the phone call is going over the public Internet, then it really should be tunnelled through a secure VPN. Otherwise, make sure the password is of as little use as possible to anyone who discovers it; for instance, put the offending extension into a context which can only make internal calls, or calls to carefully-selected external numbers.

--
AJS
Answers come *after* questions.