[asterisk-users] Register => plain text password

José Pablo Méndez Soto auxcri at gmail.com
Thu Jan 23 08:14:47 CST 2014

Thanks A. J.

*José Pablo Méndez*

On Wed, Jan 22, 2014 at 3:22 AM, A J Stiles
<asterisk_list at earthshod.co.uk> wrote:

> On Wednesday 22 January 2014, José Pablo Méndez Soto wrote:
> > Hello,
> >
> > Is there any way to encrypt or scramble a bit the secret used to register
> > with a provider? I'm talking about the
> >
> > register => fromuser@fromdomain:secret@host
> >
> > directive in sip.conf
> > <http://www.voip-info.org/wiki/view/Asterisk+config+sip.conf>
>
> No.
>
> Well.  You *could* scramble it for storage; but that would only lull you
> into a false sense of security, because ultimately it would have to be
> able to be unscrambled by a program that was already right there on the
> machine, somewhere under /usr/src/ where any competent programmer can
> look at it.
>
> The client *has* to know the password in plaintext  (or at least, how to
> decrypt the stored, encrypted password),  in order to be able to send it
> to the server.
>
>
> The way things stand, the configuration file with the password in it
> need only be readable by the root user.  And you know it has a password
> in it, so you take care with it.
>
>
> Here is an explanation from the developers of the Pidgin IM client, as
> to why they store passwords in plaintext in their configuration file:
>
> https://developer.pidgin.im/wiki/PlainTextPasswords
>
> > This clever dude modified the code back in 1.4:
> >
> > http://www.oneharding.com/voip/asterisk_md5_register.html
>
> Unfortunately, that doesn't work.  It just elevates a stolen hash to the
> same level of usefulness as a stolen password  (and she even says so
> much, in the linked article).
>
> > I imagine that so many years later, and now with the implementation of
> > pjsip this secret could be better protected?
>
> No, because the underlying problem -- that decrypting a stored password
> also requires the decryption key; but if the decryption key and
> encrypted password are stored on the same machine, then anyone with
> access to the machine is able to decrypt the password -- is a limitation
> of the universe, *not* a limitation of present-day technology.  There is
> simply nothing that anybody could invent that would get around this.
>
> > It is very unsafe to keep the
> > account's password right out there. Any ideas?
>
> It's hidden behind another password, and that's about as secure as it's
> mathematically possible ever to make it.  And if someone else has root
> access to your machine, then I humbly suggest that a SIP password might
> not be the driest lentil you have to soak.
>
>
> --
> AJS
>
> Answers come *after* questions.
>
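The practical takeaway from A J's reply is that the register secret stays in plaintext and the protection is the file's ownership and mode. The following audit script is an added example, not code from the thread or from Asterisk: it reports `register =>` lines that embed a secret (without echoing the secret) and flags a sip.conf that is readable by group or other or not owned by root. The sample config and its secrets are constructed, and `parse_register`, `audit_sip_conf` and `demo` are hypothetical names.

```python
import os, re, stat, tempfile

# Classic chan_sip register syntax (hypothetical helper, not Asterisk code):
#   register => fromuser[@fromdomain]:secret[:authuser]@host[:port][/extension]
REGISTER_RE = re.compile(r"^\s*register\s*=>\s*(?P<spec>\S+)")

def parse_register(line):
    """Return (fromuser, host) when the line registers with an inline secret,
    else None. The secret is never returned, so findings can be logged."""
    m = REGISTER_RE.match(line)
    if not m:
        return None
    userpart, sep, hostpart = m.group("spec").rpartition("@")
    if not sep or ":" not in userpart:
        return None
    return userpart.split(":", 1)[0].split("@", 1)[0], hostpart

def audit_sip_conf(path):
    """Findings as (kind, detail): 'mode' if group/other can reach the file,
    'owner' if it is not root-owned, 'secret' per register line with a password."""
    findings = []
    st = os.stat(path)
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(("mode", "%04o allows group/other access" % stat.S_IMODE(st.st_mode)))
    if st.st_uid != 0:
        findings.append(("owner", "uid %d is not root" % st.st_uid))
    with open(path) as fh:
        for lineno, line in enumerate(fh, 1):
            parsed = parse_register(line)
            if parsed:
                findings.append(("secret", "line %d: %s@%s" % (lineno, parsed[0], parsed[1])))
    return findings

# Constructed sample config; the secrets are made up.
SAMPLE = """[general]
register => 1001@sip.example.net:s3cret@sip.example.net
register => 2002:hunter2:auth2002@provider.example.org:5060/2002
"""

def demo():
    """Audit the sample at the weak mode (0644) and at the corrected one (0600)."""
    with tempfile.NamedTemporaryFile("w", suffix=".conf", delete=False) as fh:
        fh.write(SAMPLE)
        path = fh.name
    os.chmod(path, 0o644)
    weak = audit_sip_conf(path)
    os.chmod(path, 0o600)
    fixed = audit_sip_conf(path)
    os.unlink(path)
    return weak, fixed
```

Run `demo()` to see the same file reported once at 0644 and once at 0600; an `owner` finding appears whenever the script is not run as root, which mirrors the thread's advice that the file belong to root.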