voip-info.org

Asterisk iax rsa auth

How to use secure RSA authentication with the Asterisk IAX2 channel

The IAX2 protocol supports strong authentication with asymmetric encryption keys, using RSA. This enables you to authenticate a user (someone that places calls in to your PBX) and authenticate your PBX to a peer when calling out to the peer.

Quote from res_crypto.c:

Asterisk uses RSA keys with SHA-1 message digests for its digital signatures. The choice of RSA is due to its higher throughput on verification, and the choice of SHA-1 based on the recently discovered collisions in MD5's compression algorithm and recommendations of avoiding MD5 in new schemes from various industry experts.

We use OpenSSL to provide our crypto routines, although we never actually use full-up SSL.


Creating keys

RSA encryption keys can be generated with the astgenkey utility included in the Asterisk asterisk/contrib/scripts directory. The script will generate the files {name}.pub and {name}.key in the script's working directory which are the public and private keys, respectively. By default, Asterisk will look for these files in the /var/lib/asterisk/keys directory, so copy them there and make sure only the asterisk user id can read the keys and that no one can write over them.

Protect the private key strongly; never distribute it to other computers or make it accessible to users of the Linux system.

The astgenkey utility by default creates keys protected by a passphrase, a password you have to enter each time they are used (or once at startup, if you start Asterisk with the -i option). To avoid needing the passphrase, which otherwise prevents unattended restarts and reboots of your PBX, run astgenkey with the -n switch, which creates keys without a passphrase.

Note - The -n switch is a newer addition. With older versions of astgenkey you can remove the passphrase by changing this line in astgenkey:
 openssl genrsa -out ${KEY}.key -des3 1024
to this (remove the -des3 part):
 openssl genrsa -out ${KEY}.key 1024


WARNING: If you do not use a passphrase, the key file itself must be protected carefully. Disabling the key password makes life easier for you, but it makes life equally easy for anyone who gets hold of the key file.
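As an added illustration (my own shell, not the astgenkey script or any Asterisk code), the following generates a passphrase-less key pair the way astgenkey -n does and then audits the private key's ownership and mode. The directory and owner are parameters: here it runs against a scratch directory owned by the current user; on a real PBX they would be /var/lib/asterisk/keys and the asterisk user.

```shell
#!/bin/sh
# Added example (not the astgenkey script itself): create an IAX2 RSA key pair
# without a passphrase, as 'astgenkey -n' does, then verify that the private key
# is owned by the right account and not readable by anyone else. Directory and
# owner are passed in; on a real PBX they would be /var/lib/asterisk/keys and
# the asterisk user.

# gen_iax_key NAME DIR
#   Writes DIR/NAME.key (private) and DIR/NAME.pub (public). 1024 bits matches the
#   astgenkey line quoted on this page; -des3 is left out, so the key has no
#   passphrase and Asterisk can load it on an unattended restart.
gen_iax_key() {
    name=$1; dir=$2
    # umask in a subshell: the private key file is owner-only from its first byte
    ( umask 077 && openssl genrsa -out "$dir/$name.key" 1024 2>/dev/null ) || return 1
    openssl rsa -in "$dir/$name.key" -pubout -out "$dir/$name.pub" 2>/dev/null || return 1
    chmod 0600 "$dir/$name.key" && chmod 0644 "$dir/$name.pub"
}

# check_key_perms FILE OWNER
#   Returns 0 only if FILE exists, is owned by OWNER, and has no group/other
#   permission bits set (the "only the asterisk user can read it" condition).
check_key_perms() {
    file=$1; owner=$2
    [ -f "$file" ] || return 1
    # ls -ld prints e.g. "-rw------- 1 asterisk asterisk 887 Jul  5 02:59 mypbx.key"
    set -- $(ls -ld "$file")
    mode=$1; fowner=$3
    [ "$fowner" = "$owner" ] || return 1
    case $mode in
        ????------*) return 0 ;;   # chars 5-10 (group + other) are all '-'
        *)           return 1 ;;
    esac
}

# audit_keydir DIR OWNER
#   Runs check_key_perms over every *.key in DIR, prints offenders and returns 1
#   if any private key is exposed. Public keys (.pub) are meant to be shared and
#   are not checked.
audit_keydir() {
    dir=$1; owner=$2; rc=0
    for k in "$dir"/*.key; do
        [ -e "$k" ] || continue          # no keys at all: the glob stays literal
        if ! check_key_perms "$k" "$owner"; then
            echo "INSECURE private key: $k (mode/owner: $(ls -ld "$k" | awk '{print $1, $3}'))"
            rc=1
        fi
    done
    return $rc
}

# Demonstration on a scratch directory; constructed for this example.
if command -v openssl >/dev/null 2>&1; then
    demo=$(mktemp -d)
    gen_iax_key mypbx "$demo"
    chmod 0644 "$demo/mypbx.key"               # deliberately loosen it ...
    audit_keydir "$demo" "$(id -un)" || echo "audit flagged the exposed key"
    chmod 0600 "$demo/mypbx.key"               # ... then fix it
    audit_keydir "$demo" "$(id -un)" && echo "audit clean; $demo/mypbx.pub is the half to hand to the peer"
    rm -rf "$demo"
fi
```

The audit is worth running from cron or a config-management check after every key rotation, because a key copied into place with cp as root typically lands as root-owned and world-readable, which is exactly the state the page warns against.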

CLI commands

  • Add the '-i' flag to the asterisk command line if you want to initialize the crypto keys (and be prompted for their passphrases) at launch.
  • init keys: Initializes the RSA keys and prompts for passphrases if needed
  • show keys: Displays RSA key information


Dialing syntax

With RSA keys
  IAX2/[<user>:[name-of-key]@]<peer>[:<portno>][/<exten>[@<context>][/<options>]]

The square brackets around the key name are literal; they must be typed. The key name is the name of the key files minus the extension (.key and .pub).
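The dial string grammar above can be checked mechanically. The added shell below (my own, not Asterisk code) splits an IAX2 dial string into its components and distinguishes a bracketed RSA key name from a plain secret in the same slot (Asterisk also accepts IAX2/user:secret@peer; the brackets are what mark the token as a key name), so a dial plan can be audited for secrets embedded in Dial() lines. The audit_dial_plan function, the dial_field helper and the sample extensions.conf lines are constructed for this example.

```shell
#!/bin/sh
# Added example (not Asterisk code): split an IAX2 dial string into its parts and
# tell a bracketed RSA key name apart from a plaintext secret in the same slot.
# Grammar from this page:
#   IAX2/[<user>:[name-of-key]@]<peer>[:<portno>][/<exten>[@<context>][/<options>]]
# Without the brackets, Asterisk takes the token after ':' as the user's secret.

# parse_iax2_dial STRING
#   Prints one "field=value" line per component (user, auth, key, secret, host,
#   port, exten, context, options). Returns 1 if STRING is not an IAX2 dial string.
parse_iax2_dial() {
    s=$1
    case $s in IAX2/*) s=${s#IAX2/} ;; *) return 1 ;; esac

    # Everything before the first '/' addresses the peer; the rest is exten/context/options.
    case $s in
        */*) hostpart=${s%%/*}; rest=${s#*/} ;;
        *)   hostpart=$s;       rest="" ;;
    esac

    user=""; auth=none; key=""; secret=""
    case $hostpart in
        *@*)
            userpart=${hostpart%%@*}; hostpart=${hostpart#*@}
            case $userpart in
                *:*)
                    user=${userpart%%:*}; cred=${userpart#*:}
                    case $cred in
                        \[*\]) auth=rsa; key=${cred#\[}; key=${key%\]} ;;   # [name-of-key]
                        *)     auth=plaintext; secret=$cred ;;
                    esac ;;
                *) user=$userpart ;;
            esac ;;
    esac

    case $hostpart in
        *:*) host=${hostpart%%:*}; port=${hostpart#*:} ;;
        *)   host=$hostpart;       port="" ;;
    esac
    [ -n "$host" ] || return 1

    exten=""; context=""; options=""
    if [ -n "$rest" ]; then
        case $rest in
            */*) extpart=${rest%%/*}; options=${rest#*/} ;;
            *)   extpart=$rest ;;
        esac
        case $extpart in
            *@*) exten=${extpart%%@*}; context=${extpart#*@} ;;
            *)   exten=$extpart ;;
        esac
    fi

    printf 'user=%s\nauth=%s\nkey=%s\nsecret=%s\nhost=%s\nport=%s\nexten=%s\ncontext=%s\noptions=%s\n' \
        "$user" "$auth" "$key" "$secret" "$host" "$port" "$exten" "$context" "$options"
}

# dial_field STRING FIELD: print a single component of STRING.
dial_field() {
    parse_iax2_dial "$1" | sed -n "s/^$2=//p"
}

# audit_dial_plan FILE
#   Finds every Dial(IAX2/...) in an extensions.conf-style FILE and reports the
#   ones that embed a plaintext secret instead of an RSA key name (secret masked).
#   Returns 1 if any were found.
audit_dial_plan() {
    rc=0
    set -f                          # the key name's brackets must not act as a glob
    for d in $(sed -n 's/.*Dial(\(IAX2\/[^,)]*\).*/\1/p' "$1"); do
        if [ "$(dial_field "$d" auth)" = plaintext ]; then
            echo "plaintext secret in dial string: ${d%%:*}:***@${d#*@}"; rc=1
        fi
    done
    set +f
    return $rc
}

# Demonstration with constructed dial plan lines.
plan=$(mktemp)
cat > "$plan" <<'EOF'
exten => 1,1,Dial(IAX2/alice:[mypbx]@pbx.example.net:4569/100@incoming/r)
exten => 2,1,Dial(IAX2/bob:s3cret@10.0.0.5/200,30)
EOF
parse_iax2_dial 'IAX2/alice:[mypbx]@pbx.example.net:4569/100@incoming/r'
audit_dial_plan "$plan" || echo "move that peer to auth=rsa with outkey/inkeys instead of a shared secret"
rm -f "$plan"
```

The parser only needs POSIX parameter expansion, so it runs under dash as well as bash; the audit masks the secret in its report so that the finding itself does not leak it into logs.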

Assigning key sets in iax.conf

For each IAX client, you may designate a key pair for authentication.

Declaration of IAX2 user with RSA key authentication

A peer receives calls. The following is needed in iax.conf on the peer machine to verify (authenticate) the identity of the user before allowing calls from that user. This is done using the user's public key.

[username]
 type=user
 auth=rsa
 inkeys=name-of-the-public-key
 context=iax2users


Declaration of IAX2 peer with RSA key authentication

A user makes calls. The following is needed in iax.conf on the user machine for it to identify (authenticate) itself to the peer before the peer will take the call. This is done with the user's private key. The user must give the peer a copy of the user's public key (.pub). The user's private key (.key) is never sent to anyone; it stays in the user's Asterisk key directory.

[peername]
 type=peer
 host=hostname.domain.tld
 auth=rsa
 outkey=name_of_your_key_set             ; redundant if already embedded in Dial string
 username=username-at-the-host            ; redundant if already embedded in Dial string
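The usual failure with these two declarations is an auth=rsa section whose inkeys or outkey names a key file that was never copied into the keys directory, which only shows up when the first call is refused. The following is an added pre-flight checker in shell (mine, not part of Asterisk; the check_iax_rsa function, the sample iax.conf and the key names are constructed for this example). It takes inkeys as a ':'-separated list of public key names and treats type=friend as both user and peer, as iax.conf does.

```shell
#!/bin/sh
# Added example (not an Asterisk tool): pre-flight check of the RSA sections in
# iax.conf. For each section with auth=rsa it verifies that a type=user (or
# friend) entry names public keys in 'inkeys' that exist under KEYDIR, and that
# a type=peer (or friend) entry names an existing private key in 'outkey'.

# check_iax_rsa CONF KEYDIR
#   Prints one OK/MISSING/NOTE line per finding; returns 1 if any key file is
#   missing. inkeys may hold several names separated by ':'.
check_iax_rsa() {
    conf=$1; keydir=$2; rc=0
    flat=$(mktemp)
    # Flatten the ini file to "section|type|auth|inkeys|outkey" lines. ';' starts a
    # comment, also after a value (as in the page's outkey/username lines).
    awk '
        function flush() { if (sec != "") printf "%s|%s|%s|%s|%s\n", sec, t, a, ik, ok }
        /^[ \t]*;/ || /^[ \t]*$/ { next }
        /^[ \t]*\[/ { flush(); sec = $0; sub(/^[ \t]*\[/, "", sec); sub(/].*$/, "", sec)
                      t = a = ik = ok = ""; next }
        {
            i = index($0, "="); if (i == 0) next
            k = substr($0, 1, i - 1); v = substr($0, i + 1)
            sub(/;.*/, "", v)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == "type") t = v; else if (k == "auth") a = v
            else if (k == "inkeys") ik = v; else if (k == "outkey") ok = v
        }
        END { flush() }
    ' "$conf" > "$flat"

    while IFS='|' read -r sec type auth inkeys outkey; do
        case $auth in *rsa*) ;; *) continue ;; esac     # md5/plaintext sections are out of scope here
        case $type in
            user|friend)
                [ -n "$inkeys" ] || { echo "MISSING [$sec]: auth=rsa but no inkeys"; rc=1; }
                for k in $(printf '%s\n' "$inkeys" | tr ':' ' '); do
                    if [ -r "$keydir/$k.pub" ]; then echo "OK [$sec]: inkeys $k.pub found"
                    else echo "MISSING [$sec]: inkeys $k.pub not in $keydir"; rc=1; fi
                done ;;
        esac
        case $type in
            peer|friend)
                if [ -z "$outkey" ]; then
                    echo "NOTE [$sec]: auth=rsa peer without outkey; the key name must then be in the Dial string"
                elif [ -r "$keydir/$outkey.key" ]; then echo "OK [$sec]: outkey $outkey.key found"
                else echo "MISSING [$sec]: outkey $outkey.key not in $keydir"; rc=1; fi ;;
        esac
    done < "$flat"
    rm -f "$flat"
    return $rc
}

# Demonstration with a constructed iax.conf and scratch key directory.
demo=$(mktemp -d)
touch "$demo/partnerpbx.pub" "$demo/mypbx.key"     # stand-ins for real key files
cat > "$demo/iax.conf" <<'EOF'
[partner]
 type=user
 auth=rsa
 inkeys=partnerpbx:otherkey    ; otherkey.pub was never installed
 context=iax2users

[upstream]
 type=peer
 host=pbx.example.net
 auth=rsa
 outkey=mypbx                  ; redundant if already embedded in Dial string
 username=ourname
EOF
check_iax_rsa "$demo/iax.conf" "$demo" || echo "fix the MISSING entries before reloading chan_iax2"
rm -rf "$demo"
```

Run it against /etc/asterisk/iax.conf and /var/lib/asterisk/keys as the asterisk user, since the -r test then answers the question that matters: whether the key is readable by the account Asterisk actually runs as.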
 

Further reading on this topic



Created by oej, Last modification by JustRumours on Wed 14 of Dec, 2005 [14:26 UTC]


init keys

by Gabor Balogh on Saturday 25 of February, 2006 [09:50:24 UTC]
Dunno whether I made a mistake or the problem is with my Asterisk, but the init keys command entered at the CLI did not load the newly generated key files for me. What solved this problem was to reload the whole res_crypto module by typing 'reload res_crypto.so' at the CLI. Thought this little piece of information could be useful.

great page

by Jason SJOBECK on Friday 19 of November, 2004 [10:16:52 UTC]
Thanks to whoever wrote this page ... great page. I hope RSA auth becomes commonplace & used everywhere: simple, easy, secure, makes sense.

