[asterisk-users] Encrypted password for voicemail
Tzafrir Cohen
tzafrir.cohen at xorcom.com
Tue Nov 28 11:51:10 MST 2006
On Tue, Nov 28, 2006 at 08:52:22AM -0800, jezzzz . wrote:
> I was wondering if we could protect against both.
> Sending a password encrypted would protect against
> eavesdropping. Once the password has been received,
> the hash of it is taken and compared with the hash of
> the password saved, so it also takes care of a local
> attacker.
Send an encypted password? Encrypted how, exactly? One common mistake is
to suggest to simply send the hash, as it is encrypted. But this merely
makes the hash a "password equivalent": An evesdroper can use the hash
to authenticate without knowing the password.
>
> I could certainly use SSL/TLS, but that still doesn't
> take care of a local attack to obtain the passwords of
> the users.
--
Tzafrir Cohen
icq#16849755 jabber:tzafrir at jabber.org
+972-50-7952406 mailto:tzafrir.cohen at xorcom.com
http://www.xorcom.com iax:guest at local.xorcom.com/tzafrir
More information about the asterisk-users
mailing list