IAX and RSA authentication 
IAX is the preferred solution when interconnecting two Asterisk servers. In addition to voice encryption (see “IAX trunk and voice ciphering“) and secret-based authentication, it can be worthwhile to raise the authentication to a higher level: RSA key verification.
The purpose of this article is to explain how to set up RSA authentication on an IAX trunk, and also how to obtain the RSA keys from X.509 certificates.
Introduction
RSA is a key algorithm that supports both encryption and signing operations. An X.509 certificate is a key component of a PKI and also carries a public key, which may be an RSA one.
An RSA key is composed of two parts: a public one and a private one. The public part can be exposed publicly, sent by email or put on a web server. The private part must be kept securely. The two main operations performed with these keys are encryption and signing. Anything encrypted with the public key can only be decrypted with the private one. A file is signed with the private key, and the signature is verified with the public one.
In the context of an Asterisk IAX trunk, the private key is used at the calling end of the trunk and the public one at the called end. For example, when using the FWD service, you validate incoming calls with FWD's public RSA key; this key ships with the Asterisk distribution, while the private key is not available and is used only on the FWD side.
Configuring the IAX trunk with RSA authentication
Even though we do not have a key yet (see below), we start with the Asterisk configuration, which is very easy and straightforward. First we need the public and private parts of the RSA key in two separate files. Then we modify the IAX trunk configuration we already have to include the authentication part. Here we have a trunk between Paris and London, and calls from Paris must be authenticated by the London Asterisk. The two configurations look like this:
Paris (calling side, iax.conf):

    [Trunk-London]
    type=peer
    username=TRUNK-London
    host=asterisk-london
    trunk=yes
    qualify=50
    disallow=all
    allow=alaw
    auth=rsa
    outkey=Paris

London (called side, iax.conf):

    [TRUNK-London]
    type=user
    host=dynamic
    context=internal
    username=TRUNK-London
    trunk=yes
    auth=rsa
    inkeys=Paris
The new part of the configuration is the last two lines of each stanza: auth=rsa, together with outkey=Paris on the calling side and inkeys=Paris on the called side. Both refer to a key named Paris; this is the name of the key file located in the /var/lib/asterisk/keys/ directory on each server. On the Paris server the file must be named Paris.key, with a .key extension, since it is the private key (getting this naming wrong is a common mistake when the private key comes from another tool). On the London server the key file holds the public key, uses a .pub extension (Paris.pub) and is located in the same directory.
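As an added example, not taken from the article, the following POSIX shell script creates the key pair in the layout Asterisk expects (Paris.key on the calling server, Paris.pub on the called server) and checks that the two installed halves belong together and that the private half is readable by its owner alone. It assumes openssl is installed; the KEYDIR override and the function names are this example's own, and the 1024-bit size is what Asterisk's res_crypto module expects for IAX signatures.

```shell
#!/bin/sh
# Added example, not from the article: create an RSA key pair in the layout
# Asterisk expects for IAX RSA authentication and check the installed files.
# Assumes openssl is installed. The key name "Paris" and the key directory come
# from the article; KEYDIR and the function names are this example's own.
set -eu

KEYDIR="${KEYDIR:-/var/lib/asterisk/keys}"

# gen_iax_key NAME [DIR]: write NAME.key (private half, installed on the
# calling server) and NAME.pub (public half, installed on the called server).
# 1024 bits is what Asterisk's res_crypto expects for IAX signatures.
gen_iax_key() {
    name="$1"; dir="${2:-$KEYDIR}"
    mkdir -p "$dir"
    # umask in a subshell so only the private file is created with mode 600
    ( umask 077; openssl genrsa -out "$dir/$name.key" 1024 2>/dev/null )
    openssl rsa -in "$dir/$name.key" -pubout -out "$dir/$name.pub" 2>/dev/null
    chmod 644 "$dir/$name.pub"
}

# check_iax_key NAME [DIR]: succeed only if NAME.key parses as a private key,
# NAME.pub as a public key, the two belong together, and the private file is
# readable by its owner alone (a .pub that does not match the .key, or a
# private key readable by everyone, both fail here).
check_iax_key() {
    name="$1"; dir="${2:-$KEYDIR}"
    priv="$dir/$name.key"; pub="$dir/$name.pub"
    openssl rsa -in "$priv" -check -noout >/dev/null 2>&1 || return 1
    openssl rsa -pubin -in "$pub" -noout >/dev/null 2>&1 || return 1
    # the public key derived from the private half must equal the .pub file
    derived=$(openssl rsa -in "$priv" -pubout 2>/dev/null)
    [ "$derived" = "$(cat "$pub")" ] || return 1
    # group and other permission bits of the private key must all be off
    case $(ls -l "$priv" | cut -c5-10) in
        ------) return 0 ;;
        *) return 1 ;;
    esac
}
```

Run gen_iax_key on the Paris server, copy only Paris.pub to London, and run check_iax_key on Paris to confirm the installed pair before enabling auth=rsa on the trunk.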
Posted by: Alexandre Chauvin-Hameau, on 08/27/2007, tagged asterisk, IAX and security