[asterisk-users] Is there a way to encrypt passwords stored in the realtime database?

Igor Hernandez emistz at gmail.com
Wed Aug 20 14:34:28 CDT 2008


Hey SIP,

I understand what you're saying but keeping the key in memory
permanently doesn't protect you for very long, it just makes the
attacker waste a bit more time scanning the memory to get at the key.

In other words, if the key is available to asterisk it will be available
to anyone else in the system with sufficient privileges.

-- 
Igor Hernandez
Escape Communications
http://www.escapetel.com


SIP wrote:
> Igor Hernandez wrote:
>> I was thinking the same thing I believe Tzafrir just alluded to. If the
>> passwords are encrypted in the DB with a public key then...asterisk
>> needs to have the private key stored somewhere to be able to decrypt the
>> values to authenticate the user. In this way there is nothing preventing
>> whoever intrudes your boxes from getting that key and decrypting the
>> values himself.
>>
>> I might be missing something though and if thats the case chime in, I'm
>> interested in this issue.
>>
>> Regards,
>>
>>   
> Absolutely. But if you can work it so that you have to key in the key 
> manually on startup, or store it on a removable flash drive and it 
> remains in memory during runtime, then you've achieved what you need. 
> Again... this is considerable complexity in the code -- not a simple 
> dialplan hack. BUT... it would add security.
> 
> I'm just tossing out ideas here.
> 
> 
> N.
> 
> _______________________________________________
> -- Bandwidth and Colocation Provided by http://www.api-digital.com --
> 
> AstriCon 2008 - September 22 - 25 Phoenix, Arizona
> Register Now: http://www.astricon.net
> 
> asterisk-users mailing list
> To UNSUBSCRIBE or update options visit:
>    http://lists.digium.com/mailman/listinfo/asterisk-users
> 





More information about the asterisk-users mailing list