[asterisk-users] Encrypted password for voicemail
jezzzz .
jezonthenet at yahoo.com
Tue Nov 28 22:12:19 MST 2006
Encrypt voicemail password with Asterisk public key.
Asterisk then decrypts the password and takes the hash
of it and compares it with the hash stored in
voicemail.conf. This way the real password is never
stored in voicemail.conf and there is no way to know
what the password is just by looking at the file.
--- Tzafrir Cohen <tzafrir.cohen at xorcom.com> wrote:
> On Tue, Nov 28, 2006 at 08:52:22AM -0800, jezzzz .
> wrote:
> > I was wondering if we could protect against both.
> > Sending a password encrypted would protect against
> > eavesdropping. Once the password has been
> received,
> > the hash of it is taken and compared with the hash
> of
> > the password saved, so it also takes care of a
> local
> > attacker.
>
> Send an encypted password? Encrypted how, exactly?
> One common mistake is
> to suggest to simply send the hash, as it is
> encrypted. But this merely
> makes the hash a "password equivalent": An
> evesdroper can use the hash
> to authenticate without knowing the password.
>
> >
> > I could certainly use SSL/TLS, but that still
> doesn't
> > take care of a local attack to obtain the
> passwords of
> > the users.
>
> --
> Tzafrir Cohen
____________________________________________________________________________________
Do you Yahoo!?
Everyone is raving about the all-new Yahoo! Mail beta.
http://new.mail.yahoo.com
More information about the asterisk-users
mailing list