[asterisk-users] Hide the plain text password
Tzafrir Cohen
tzafrir.cohen at xorcom.com
Wed Feb 16 06:13:01 CST 2011
On Tue, Feb 15, 2011 at 11:51:26PM +0100, Hans Witvliet wrote:
> On Tue, 2011-02-15 at 07:18 -0500, Richard Kenner wrote:
> > > Anyway, the answer is: No, it's mathematically impossible to do
> > > that. Even if the passwords were stored encrypted, Asterisk itself
> > > has to be able to get the plaintext passwords to send to the remote
> > > server; so the code to decrypt them must necessarily be located on
> > > the machine. And the Source Code to Asterisk is readily available,
> > > which is how come you were able to benefit from it, so it would be
> > > trivial to extract the passwords in any case.
> >
> > But there IS a way to improve things, and it's what Cisco routers do.
> > You can have all password stored in config file encrypted with a
> > single master key. That key is stored in a special file, containing
> > just that key. THAT file must then be heavily-protected, but all
> > OTHER config files can now be placed into CM or anywhere else they
> > might be needed.
> >
> >
> > --
>
> sounds like asymetric cryptography ....
Well, it does not have to be. As I mentioned, this can already be
implemented today, with #exec. And technically there's no requirement
for it to use asymetric cryptography.
(Now, what happens if you ever have to replace the key? The old content
from the version control becomes unusable. And of course you can't keep
the key in version-control)
--
Tzafrir Cohen
icq#16849755 jabber:tzafrir.cohen at xorcom.com
+972-50-7952406 mailto:tzafrir.cohen at xorcom.com
http://www.xorcom.com iax:guest at local.xorcom.com/tzafrir
More information about the asterisk-users
mailing list