Jeff LaCoursiere
2015-Oct-29 20:11 UTC
[asterisk-users] Asterisk encrypted authentication for clients
On 10/28/2015 06:37 PM, Pete Mundy wrote:
> Hi Motty,
>
> Isn't the whole point of the nonce in a SIP registration to ensure the
> secret doesn't go on the wire in plain-text? Is this not enough, or
> are you looking to hide the username too?
>
> (if so, fair 'nuf, just wondering why :)
>
> Pete
>
> Ps, if so then I think TLS is the missing part of your equation.
>
> On 29/10/2015, at 11:54 AM, Motty <motty.cruz at gmail.com> wrote:
>
>> Hello,
>> I am searching for a solution to encrypt authentication from Asterisk
>> server to clients. Searching srtp seem to encrypt traffic, I just
>> want client authentication with encryption. Can someone point to the
>> right direction? has anybody used ZRTP? experience with ZRTP?
>>
>> Thanks,
>> _motty

You want SIP over TLS. That encrypts the signalling. SRTP and ZRTP encrypt the actual voice traffic.

Cheers,

j
Motty
2015-Oct-29 21:01 UTC
[asterisk-users] Asterisk encrypted authentication for clients
Thanks Jeff,
I don't want SIP over TLS. I would like to encrypt password only, I suppose over TLS.

Thanks,
_motty

On 10/29/2015 01:11 PM, Jeff LaCoursiere wrote:
> On 10/28/2015 06:37 PM, Pete Mundy wrote:
>> Hi Motty,
>>
>> Isn't the whole point of the nonce in a SIP registration to ensure
>> the secret doesn't go on the wire in plain-text? Is this not enough,
>> or are you looking to hide the username too?
>>
>> (if so, fair 'nuf, just wondering why :)
>>
>> Pete
>>
>> Ps, if so then I think TLS is the missing part of your equation.
>>
>> On 29/10/2015, at 11:54 AM, Motty <motty.cruz at gmail.com> wrote:
>>
>>> Hello,
>>> I am searching for a solution to encrypt authentication from
>>> Asterisk server to clients. Searching srtp seem to encrypt traffic,
>>> I just want client authentication with encryption. Can someone point
>>> to the right direction? has anybody used ZRTP? experience with ZRTP?
>>>
>>> Thanks,
>>> _motty
>
> You want SIP over TLS. That encrypts the signalling. SRTP and ZRTP
> encrypt the actual voice traffic.
>
> Cheers,
>
> j
Pete Mundy
2015-Oct-30 04:18 UTC
[asterisk-users] Asterisk encrypted authentication for clients
Motty,

Isn't this why digest authentication (ie the nonce[1]) is part of the standard SIP auth handshake? Ie, why do you think the password is not already encrypted?

Pete

[1] https://andrewjprokop.wordpress.com/2015/01/27/understanding-sip-authentication/ (paragraph starting 'Take a look at the Proxy-Authenticate header and you will see a Nonce parameter')

On 30/10/2015, at 10:01 AM, Motty <motty.cruz at gmail.com> wrote:
> Thanks Jeff,
> I don't want SIP over TLS. I would like to encrypt password only, I suppose over TLS.
>
> On 10/29/2015 01:11 PM, Jeff LaCoursiere wrote:
>> You want SIP over TLS. That encrypts the signalling. SRTP and ZRTP encrypt the actual voice traffic.
Jeff LaCoursiere
2015-Oct-30 14:37 UTC
[asterisk-users] Asterisk encrypted authentication for clients
On 10/29/2015 04:01 PM, Motty wrote:
> On 10/29/2015 01:11 PM, Jeff LaCoursiere wrote:
>> On 10/28/2015 06:37 PM, Pete Mundy wrote:
>>> Hi Motty,
>>>
>>> Isn't the whole point of the nonce in a SIP registration to ensure
>>> the secret doesn't go on the wire in plain-text? Is this not enough,
>>> or are you looking to hide the username too?
>>>
>>> (if so, fair 'nuf, just wondering why :)
>>>
>>> Pete
>>>
>>> Ps, if so then I think TLS is the missing part of your equation.
>>>
>>> On 29/10/2015, at 11:54 AM, Motty <motty.cruz at gmail.com> wrote:
>>>
>>>> Hello,
>>>> I am searching for a solution to encrypt authentication from
>>>> Asterisk server to clients. Searching srtp seem to encrypt traffic,
>>>> I just want client authentication with encryption. Can someone
>>>> point to the right direction? has anybody used ZRTP? experience
>>>> with ZRTP?
>>>>
>>>> Thanks,
>>>> _motty
>>
>> You want SIP over TLS. That encrypts the signalling. SRTP and ZRTP
>> encrypt the actual voice traffic.
>>
>> Cheers,
>>
>> j
>
> Thanks Jeff,
> I don't want SIP over TLS. I would like to encrypt password only, I
> suppose over TLS.
>
> Thanks,
> _motty

The password isn't sent - SIP auth involves a challenge/response with hashing (digest authentication). If that's all you are interested in, you are already there.

Cheers,

j
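
The challenge/response discussed in this thread, as an added example that is not part of the original posts and not Asterisk's own code: it builds the Authorization value a client sends for a REGISTER and verifies it server-side with the RFC 2617 MD5 digest that SIP reuses. The function names, extension 6001, realm, secret, URI and nonce are constructed assumptions; the header shows that the username, realm, nonce and URI travel in the clear, which is the part only SIP over TLS hides.

```python
import hashlib
import hmac
import re

def md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()

def digest_response(user, realm, password, method, uri, nonce,
                    qop=None, nc=None, cnonce=None):
    """RFC 2617 MD5 digest response, the scheme SIP (RFC 3261) reuses."""
    ha1 = md5_hex(f"{user}:{realm}:{password}")   # the secret enters only here
    ha2 = md5_hex(f"{method}:{uri}")
    if qop == "auth":
        return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")
    return md5_hex(f"{ha1}:{nonce}:{ha2}")

def build_authorization(user, realm, password, method, uri, nonce):
    """Client side: header value sent in answer to a 401 challenge."""
    resp = digest_response(user, realm, password, method, uri, nonce)
    return (f'Digest username="{user}", realm="{realm}", nonce="{nonce}", '
            f'uri="{uri}", response="{resp}", algorithm=MD5')

def parse_digest(value):
    """Split 'Digest k="v", k2=v2' into a dict of parameters."""
    scheme, _, params = value.partition(" ")
    if scheme.lower() != "digest":
        raise ValueError("not a Digest header")
    pairs = re.findall(r'(\w+)=(?:"([^"]*)"|([^,\s]+))', params)
    return {k.lower(): quoted or bare for k, quoted, bare in pairs}

def verify(header, method, issued_nonce, secrets):
    """Server side: recompute the response from the stored secret."""
    f = parse_digest(header)
    if f.get("nonce") != issued_nonce:        # answer to some other challenge
        return False
    password = secrets.get((f.get("username"), f.get("realm")))
    if password is None:
        return False
    expected = digest_response(f["username"], f["realm"], password, method,
                               f.get("uri", ""), f["nonce"],
                               f.get("qop"), f.get("nc"), f.get("cnonce"))
    return hmac.compare_digest(expected, f.get("response", ""))

# Constructed sample values, not taken from the thread.
SECRETS = {("6001", "asterisk"): "constructed-Secret-1"}
HEADER = build_authorization("6001", "asterisk", "constructed-Secret-1",
                             "REGISTER", "sip:pbx.example.test", "4f2a9c1e")
```
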