[asterisk-users] Is there a way to encrypt passwords stored in the realtime database?
Tzafrir Cohen
tzafrir.cohen at xorcom.com
Wed Aug 20 23:37:31 CDT 2008
On Wed, Aug 20, 2008 at 02:10:02PM -0700, Eric Chamberlain wrote:
>
> On Aug 20, 2008, at 10:19 AM, Tzafrir Cohen wrote:
>
> > On Wed, Aug 20, 2008 at 10:00:55AM -0700, Eric Chamberlain wrote:
> >> We are exploring using Asterisk for a project and we are looking
> >> for a
> >> way to encrypt/decrypt the peer passwords stored in the realtime
> >> database (postrges).
> >>
> >> Ideally, we want to use a public key to encrypt the passwords before
> >> they go into the database and have Asterisk use a private key to
> >> decrypt the password as part of the call out process.
> >>
> >> Has anyone developed something like this?
> >
> > What is the point in that? What threats does it help you to mitigate?
> >
>
> Passwords are added/changed on a web front-end and stored in a database.
>
> We want to limit exposure to the Asterisk boxes, we don't want
> compromises of the web front-end or database to result in revealing
> passwords.
>
> These passwords are used to authenticate with other SIP systems, so
> storing a MD5 hash wouldn't work, hence the need to encrypt and decrypt.
Are those passwords used to authenticate to other SIP systems with the
same realm name? The SIP checksumed string includes a realm.
--
Tzafrir Cohen
icq#16849755 jabber:tzafrir.cohen at xorcom.com
+972-50-7952406 mailto:tzafrir.cohen at xorcom.com
http://www.xorcom.com iax:guest at local.xorcom.com/tzafrir
More information about the asterisk-users
mailing list