[asterisk-users] Is there a way to encrypt passwords stored in the realtime database?

Igor Hernandez emistz at gmail.com
Wed Aug 20 15:36:44 CDT 2008


I understand the advantage of md5 hashing, it's been the standard for
years for day to day user auths. What we were discussing was the merits
of the proposed public key scheme for this application, where the
private key would always need to be available therefore not giving any
real security.

Regards,

-- 
Igor Hernandez
Escape Communications
http://www.escapetel.com

BJ Weschke wrote:
> Igor Hernandez wrote:
>> I was thinking the same thing I believe Tzafrir just alluded to. If the
>> passwords are encrypted in the DB with a public key then...asterisk
>> needs to have the private key stored somewhere to be able to decrypt the
>> values to authenticate the user. In this way there is nothing preventing
>> whoever intrudes your boxes from getting that key and decrypting the
>> values himself.
>>
>> I might be missing something though and if that's the case chime in, I'm
>> interested in this issue.
>>
>> Regards,
>>
>>   
> 
>  You are. md5secret simply stores the crypt hash. When it receives the 
> password attempt, it too, is crypted using MD5 algorithm and then the 
> two hashes are compared. Using MD5 crypt hash, there is no way to 
> "decrypt" the hash. It's a "brute force" methodology to get the password 
> back if you've lost it.
> 
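
The hash-and-compare check described in the quoted reply, as an added example that is not part of the original thread or Asterisk's own code. It assumes the stored md5secret value is the RFC 2617 HA1, MD5(username:realm:password), and uses the digest response form without qop; the user, realm, password, nonce and URI are constructed sample values.

```python
import hashlib
import hmac

def md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()

def make_md5secret(username, realm, password):
    # HA1 from RFC 2617; assumed here to be the value stored as md5secret.
    return md5_hex(f"{username}:{realm}:{password}")

def digest_response(ha1, nonce, method, uri):
    # Response without qop: MD5(HA1:nonce:MD5(method:uri)).
    return md5_hex(f"{ha1}:{nonce}:{md5_hex(f'{method}:{uri}')}")

def client_answer(username, realm, password, nonce, method, uri):
    # The phone knows the plaintext password and derives HA1 on the fly.
    ha1 = make_md5secret(username, realm, password)
    return digest_response(ha1, nonce, method, uri)

def server_verify(stored_md5secret, nonce, method, uri, received):
    # The server recomputes from the stored hash only; there is no
    # decryption key to keep on the box, unlike the public-key proposal.
    expected = digest_response(stored_md5secret, nonce, method, uri)
    return hmac.compare_digest(expected, received.lower())

# Constructed sample values, not taken from the thread.
USER, REALM, PASSWORD = "1001", "asterisk", "s3cret-example"
NONCE, METHOD, URI = "4f1c2a9b", "REGISTER", "sip:pbx.example.invalid"

def demo():
    row = make_md5secret(USER, REALM, PASSWORD)  # what the database holds
    good = client_answer(USER, REALM, PASSWORD, NONCE, METHOD, URI)
    bad = client_answer(USER, REALM, "wrong-guess", NONCE, METHOD, URI)
    return (row,
            server_verify(row, NONCE, METHOD, URI, good),
            server_verify(row, NONCE, METHOD, URI, bad))

if __name__ == "__main__":
    print(demo())
```

The stored value is bound to one username and realm, and it is the input the server uses to validate every challenge, so read access to that column should stay as restricted as it would be for the plaintext.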




