[asterisk-users] Encrypted password for voicemail

jezzzz . jezonthenet at yahoo.com
Tue Nov 28 09:52:22 MST 2006


I was wondering if we could protect against both.
Sending a password encrypted would protect against
eavesdropping. Once the password has been received,
the hash of it is taken and compared with the hash of
the password saved, so it also takes care of a local
attacker.

I could certainly use SSL/TLS, but that still doesn't
take care of a local attack to obtain the passwords of
the users.

Thanks

Jez

--- Tzafrir Cohen <tzafrir.cohen at xorcom.com> wrote:

> On Mon, Nov 27, 2006 at 05:12:19PM -0800, jezzzz . wrote:
> > Thanks for the response Tzafrir. I meant
> > voicemail.conf for the passwords of course - my
> > mistake. Trying to ensure that if voicemail.conf is
> > opened by an attacker that all the passwords are not
> > readily available. By hashing them or encrypting them
> > in a DB it's going to be much harder for an attacker
> > to obtain access to the passwords.
> >
> > The only way to encrypt the sending of passwords to
> > the voicemail is by using SIP-TLS?
>
> Those are two conflicting goals. If you only save a hash of the
> password, as in /etc/shadow, you cannot reproduce the original password
> from it in order to calculate "similar" hashes for challenge-and-response
> authentication.
>
> So do you want to protect from an eavesdropper or from a local attacker?
> Anyway, at the current state of affairs, you get basically nothing.
>
> > (which is not yet
> > in production stage?).
>
> If we leave development issues aside and look at things you can use now:
> use stunnel to provide SSL/TLS support for it?
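
The trade-off discussed in this thread, as an added example that is not part of the original messages and is not Asterisk code: a salted hash on disk is enough to check a password that arrives over an encrypted channel, but not to check a challenge-response answer. The function names, the PBKDF2 parameters and the PIN `4921` are assumptions constructed for the illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 50_000  # assumed work factor for the illustration

def slow_hash(password: bytes, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password, salt, ITERATIONS)

def store(password: bytes) -> dict:
    """What the server keeps on disk: salt and salted hash, never the plaintext."""
    salt = os.urandom(16)
    return {"salt": salt, "hash": slow_hash(password, salt)}

def verify_received(record: dict, password: bytes) -> bool:
    """Password arrives over TLS; the server hashes it and compares with the stored hash."""
    return hmac.compare_digest(slow_hash(password, record["salt"]), record["hash"])

def cr_response(secret: bytes, nonce: bytes) -> bytes:
    """Challenge-response: prove knowledge of `secret` without sending it."""
    return hmac.new(secret, nonce, hashlib.sha256).digest()

def demo() -> dict:
    pin = b"4921"                      # constructed sample PIN
    record = store(pin)
    nonce = os.urandom(16)             # server's challenge
    out = {}
    # Hash-and-compare needs only the stored hash.
    out["tls_correct_pin"] = verify_received(record, pin)
    out["tls_wrong_pin"] = verify_received(record, b"0000")
    # The client answers the challenge keyed with the PIN itself.
    answer = cr_response(pin, nonce)
    # A server holding only the hash cannot recompute that answer.
    out["cr_server_has_hash_only"] = hmac.compare_digest(
        answer, cr_response(record["hash"], nonce))
    # A server holding the plaintext can, but then the file exposes every PIN.
    out["cr_server_has_plaintext"] = hmac.compare_digest(
        answer, cr_response(pin, nonce))
    # Workaround: the client keys the response with the same salted hash.
    # The stored hash is then password-equivalent: whoever reads the file
    # can answer challenges without ever learning the PIN.
    client = cr_response(slow_hash(pin, record["salt"]), nonce)
    file_reader = cr_response(record["hash"], nonce)
    out["cr_stolen_hash_accepted"] = hmac.compare_digest(client, file_reader)
    return out

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```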
