JWT token

[bp2468]

what's the solution to overcome the security issue in using plain text password? Is it a better option to use short lived JWT token? How to?

[bp2468]

??

[InnovateAsterisk]

You would need to generate a Json Web Token on the server (with your private key), parse it down to the client (browser-phone), and then parse it back to yourself in the REGISTER or INVITE, and then validate it (with the same key). It's nothing more than simple encryption, and decription.

Asterisk does not support this.

Also, the risk is the same as pain text. Since a JWT is a bearer token, if someone else intercepts the process, they will have your JWT and can present it with the REGISTER or the INVITE and gain access. The only thing a JWT prevents is that the content of the token cannot be changed. So for as long as the validity of the token, another user will be able to use the same token. This could be hours or days, it will depend on how you made the token.

The same goes for pre-hashed passwords... although you now don't store the actual password, if you present a pre-hashed password from the client to the server, again the same applies. If someone else "gets" the password hash and presents it as pre-hashed auth details, the REGISTER or INVITE will parse. This only overcomes the problem that as a provider you can save the hash, and not the actual password - meaning the customer would only "know the password", they hash it, and present it. You as the provider would only know if their hash matches your hash.