[asterisk-users] Is there a way to encrypt passwords stored in the realtime database?

Igor Hernandez emistz at gmail.com
Wed Aug 20 13:32:28 CDT 2008 

I was thinking the same thing I believe Tzafrir just alluded to. If the
passwords are encrypted in the DB with a public key then...asterisk
needs to have the private key stored somewhere to be able to decrypt the
values to authenticate the user. In this way there is nothing preventing
whoever intrudes your boxes from getting that key and decrypting the
values himself.

I might be missing something though and if thats the case chime in, I'm
interested in this issue.

Regards,

-- 
Igor Hernandez
Escape Communications
http://www.escapetel.com

SIP wrote:
> Tzafrir Cohen wrote:
>> On Wed, Aug 20, 2008 at 10:00:55AM -0700, Eric Chamberlain wrote:
>>   
>>> We are exploring using Asterisk for a project and we are looking for a  
>>> way to encrypt/decrypt the peer passwords stored in the realtime  
>>> database (postrges).
>>>
>>> Ideally, we want to use a public key to encrypt the passwords before  
>>> they go into the database and have Asterisk use a private key to  
>>> decrypt the password as part of the call out process.
>>>
>>> Has anyone developed something like this?
>>>     
>> What is the point in that? What threats does it help you to mitigate?
>>
>>   
> It helps you mitigate an incredible amount of headache if someone hacks 
> in and gains access to your DB. The user accounts are still rather 
> secure -- at least long enough to inform your users to change their 
> passwords.
> 
> And yes... you could just say, "Don't let that happen. Use better 
> security on the system."   However, that's not 100% effective, and most 
> hacks are done by disgruntled former employees who had legitimate access 
> to the system in the first place. As long as it CAN be done without 
> drastically affecting performance and/or user experience, any extra 
> security is a Good Thing.
> 
> N.
> 
> _______________________________________________
> -- Bandwidth and Colocation Provided by http://www.api-digital.com --
> 
> AstriCon 2008 - September 22 - 25 Phoenix, Arizona
> Register Now: http://www.astricon.net
> 
> asterisk-users mailing list
> To UNSUBSCRIBE or update options visit:
>    http://lists.digium.com/mailman/listinfo/asterisk-users
>

More information about the asterisk-users mailing list