[asterisk-users] Hide the plain text password

Kevin P. Fleming kpfleming at digium.com
Tue Feb 15 06:48:23 CST 2011 

On 02/15/2011 06:18 AM, Richard Kenner wrote:
>> Anyway, the answer is: No, it's mathematically impossible to do
>> that.  Even if the passwords were stored encrypted, Asterisk itself
>> has to be able to get the plaintext passwords to send to the remote
>> server; so the code to decrypt them must necessarily be located on
>> the machine.  And the Source Code to Asterisk is readily available,
>> which is how come you were able to benefit from it, so it would be
>> trivial to extract the passwords in any case.
>
> But there IS a way to improve things, and it's what Cisco routers do.
> You can have all password stored in config file encrypted with a
> single master key.  That key is stored in a special file, containing
> just that key.  THAT file must then be heavily-protected, but all
> OTHER config files can now be placed into CM or anywhere else they
> might be needed.

How does that improve things? The reason that works with Cisco routers 
is because the code that reads that special key file and uses it to 
decrypt the other files is closed-source; nobody can see how it works.

As another poster said, that's not true for Asterisk. If Asterisk had 
such a facility, the method used to decrypt the protected passwords 
would be publicly available, as would the decryption key (in the special 
key file). Anyone who wanted to decrypt the passwords from the config 
files would have an only slightly more complex route to do so... it 
would still be straightforward.

And before anyone proposes modifying the installed copy of Asterisk to 
use a 'secret' method of decrypting the passwords... keep in mind that 
it is highly likely that everyone involved here is using Asterisk under 
the GPLv2 license, so distributing such a modified copy of Asterisk 
would necessarily including also distributing the modified source code, 
and thus the same problem arises.

"Security through obscurity" does not work with open source software.

-- 
Kevin P. Fleming
Digium, Inc. | Director of Software Technologies
445 Jan Davis Drive NW - Huntsville, AL 35806 - USA
skype: kpfleming | jabber: kfleming at digium.com
Check us out at www.digium.com & www.asterisk.org

More information about the asterisk-users mailing list