[asterisk-users] Is there a way to encrypt passwords stored in the realtime database?

Philippe Sultan philippe.sultan at gmail.com
Wed Aug 20 18:16:24 CDT 2008


Well, if someone steals the md5secret (HA1) for a given username and
realm, he can use it to authenticate to the SIP proxy or B2BUA that
serves the target user.

On both sides (SIP client and proxy or B2BUA), the values to be
compared are the computed results of MD5(HA1:nonce:HA2), where:
HA1 = MD5(username:realm:password) and HA2 = MD5(Method:Request-URI)

The nonce string is generated by the SIP server, as well as the realm
value. So, even without knowing the user's password, you can still get
access to his SIP account.


On Wed, Aug 20, 2008 at 10:17 PM, BJ Weschke <bweschke at gmail.com> wrote:
> Igor Hernandez wrote:
>> I was thinking the same thing I believe Tzafrir just alluded to. If the
>> passwords are encrypted in the DB with a public key then...asterisk
>> needs to have the private key stored somewhere to be able to decrypt the
>> values to authenticate the user. In this way there is nothing preventing
>> whoever intrudes your boxes from getting that key and decrypting the
>> values himself.
>>
>> I might be missing something though and if that's the case chime in, I'm
>> interested in this issue.
>>
>> Regards,
>>
>>
>
> You are. md5secret simply stores the crypt hash. When it receives the
> password attempt, it too, is crypted using MD5 algorithm and then the
> two hashes are compared. Using MD5 crypt hash, there is no way to
> "decrypt" the hash. It's a "brute force" methodology to get the password
> back if you've lost it.
>
> --
> --
> Bird's The Word Technologies, Inc.
> http://www.btwtech.com/
>
>
>
>



-- 
Philippe Sultan
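To make the point above concrete, here is the digest computation carried through in Python. This is an added example, not code from the thread or from Asterisk itself; the username, realm, password, nonce and request URI are constructed values. It shows that a server holding only HA1 (what md5secret stores) accepts a response computed from HA1 alone, and also that HA1 is tied to the realm it was derived for, so a copy of md5secret is only a credential for that realm.

```python
import hashlib
import hmac


def md5_hex(data: str) -> str:
    """Hex MD5 of a colon-joined digest string, as in RFC 2617."""
    return hashlib.md5(data.encode("utf-8")).hexdigest()


def compute_ha1(username: str, realm: str, password: str) -> str:
    """HA1 = MD5(username:realm:password); this is the value md5secret holds."""
    return md5_hex(f"{username}:{realm}:{password}")


def compute_response(ha1: str, nonce: str, method: str, uri: str) -> str:
    """response = MD5(HA1:nonce:HA2) with HA2 = MD5(Method:Request-URI)."""
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{ha2}")


def server_verify(stored_ha1: str, nonce: str, method: str, uri: str, response: str) -> bool:
    """Server side: recompute the expected response from the stored HA1 only."""
    expected = compute_response(stored_ha1, nonce, method, uri)
    return hmac.compare_digest(expected, response)  # constant-time comparison


# Constructed sample values (assumptions, not taken from the thread).
USERNAME, REALM, PASSWORD = "alice", "pbx.example.net", "s3cret-passw0rd"
NONCE, METHOD, URI = "1a2b3c4d5e6f", "REGISTER", "sip:pbx.example.net"


def password_client_accepted() -> bool:
    """A normal client derives HA1 from the password, then the response."""
    stored = compute_ha1(USERNAME, REALM, PASSWORD)
    resp = compute_response(compute_ha1(USERNAME, REALM, PASSWORD), NONCE, METHOD, URI)
    return server_verify(stored, NONCE, METHOD, URI, resp)


def ha1_only_client_accepted() -> bool:
    """Holding only the stored HA1 yields the same accepted response; no password needed."""
    stored = compute_ha1(USERNAME, REALM, PASSWORD)
    resp = compute_response(stored, NONCE, METHOD, URI)
    return server_verify(stored, NONCE, METHOD, URI, resp)


def ha1_rejected_in_other_realm() -> bool:
    """HA1 embeds the realm, so it does not verify against a server using another realm."""
    copied_ha1 = compute_ha1(USERNAME, REALM, PASSWORD)
    other_realm_ha1 = compute_ha1(USERNAME, "other.example.org", PASSWORD)
    resp = compute_response(copied_ha1, NONCE, METHOD, URI)
    return not server_verify(other_realm_ha1, NONCE, METHOD, URI, resp)
```

The practical consequence is that md5secret must be protected exactly like a cleartext password for its realm; hashing does not remove the need for database access control.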