[prev in list] [next in list] [prev in thread] [next in thread]
List: asterisk-users
Subject: Re: [asterisk-users] Is there a way to encrypt passwords stored in
From: Igor Hernandez <emistz () gmail ! com>
Date: 2008-08-20 19:34:28
Message-ID: 48AC71C4.40203 () gmail ! com
[Download RAW message or body]
Hey SIP,
I understand what you're saying but keeping the key in memory
permanently doesn't protect you for very long, it just makes the
attacker waste a bit more time scanning the memory to get at the key.
In other words, if the key is available to asterisk it will be available
to anyone else in the system with sufficient privileges.
--
Igor Hernandez
Escape Communications
http://www.escapetel.com
SIP wrote:
> Igor Hernandez wrote:
>> I was thinking the same thing I believe Tzafrir just alluded to. If the
>> passwords are encrypted in the DB with a public key then...asterisk
>> needs to have the private key stored somewhere to be able to decrypt the
>> values to authenticate the user. In this way there is nothing preventing
>> whoever intrudes your boxes from getting that key and decrypting the
>> values himself.
>>
>> I might be missing something though and if thats the case chime in, I'm
>> interested in this issue.
>>
>> Regards,
>>
>>
> Absolutely. But if you can work it so that you have to key in the key
> manually on startup, or store it on a removable flash drive and it
> remains in memory during runtime, then you've achieved what you need.
> Again... this is considerable complexity in the code -- not a simple
> dialplan hack. BUT... it would add security.
>
> I'm just tossing out ideas here.
>
>
> N.
>
> _______________________________________________
> -- Bandwidth and Colocation Provided by http://www.api-digital.com --
>
> AstriCon 2008 - September 22 - 25 Phoenix, Arizona
> Register Now: http://www.astricon.net
>
> asterisk-users mailing list
> To UNSUBSCRIBE or update options visit:
> http://lists.digium.com/mailman/listinfo/asterisk-users
>
_______________________________________________
-- Bandwidth and Colocation Provided by http://www.api-digital.com --
AstriCon 2008 - September 22 - 25 Phoenix, Arizona
Register Now: http://www.astricon.net
asterisk-users mailing list
To UNSUBSCRIBE or update options visit:
http://lists.digium.com/mailman/listinfo/asterisk-users
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic