<div dir="ltr">Thanks A. J.<br><br><br><div><div class="gmail_extra"><br clear="all"><div> <b style="color:rgb(153,153,153)"><span style="color:rgb(153,153,153)"><font><font><span style="font-family:verdana,sans-serif"><span style="font-family:trebuchet ms,sans-serif"><span style="font-family:verdana,sans-serif">José Pablo Méndez</span></span></span></font><br>
</font></span></b><b style="color:rgb(153,153,153)"><span style="color:rgb(153,153,153)"></span></b><b style="color:rgb(153,153,153)"><span style="color:rgb(153,153,153)"></span></b><b style="color:rgb(153,153,153)"><span style="color:rgb(153,153,153)"></span></b><b style="color:rgb(153,153,153)"><span style="color:rgb(153,153,153)"></span></b></div>
<br><br><div class="gmail_quote">On Wed, Jan 22, 2014 at 3:22 AM, A J Stiles <span dir="ltr"><<a href="mailto:asterisk_list@earthshod.co.uk" target="_blank">asterisk_list@earthshod.co.uk</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div class="im">On Wednesday 22 January 2014, José Pablo Méndez Soto wrote:<br>
> Hello,<br>
><br>
> Is there anyway to encrypt or scramble a bit the secret used to register<br>
> with a provider? Im talking about the<br>
><br>
> register => fromuser@fromdomain:secret@host<br>
><br>
> directive in<br>
</div>> sip.conf<<a href="http://www.voip-info.org/wiki/view/Asterisk+config+sip.conf" target="_blank">http://www.voip-info.org/wiki/view/Asterisk+config+sip.conf</a>><br>
<br>
No.<br>
<br>
Well. You *could* scramble it for storage; but that would only lull you into<br>
a false sense of security, because ultimately it would have to be able to be<br>
unscrambled by a program that was already right there on the machine,<br>
somewhere under /usr/src/ where any competent programmer can look at it.<br>
<br>
The client *has* to know the password in plaintext (or at least, how to<br>
decrypt the stored, encrypted password), in order to be able to send it to<br>
the server.<br>
<br>
<br>
The way things stand, the configuration file with the password in it need only<br>
be readable by the root user. And you know it has a password in it, so you<br>
take care with it.<br>
<br>
<br>
Here is an explanation from the developers of the Pidgin IM client, as to why<br>
they store passwords in plaintext in their configuration file:<br>
<br>
<a href="https://developer.pidgin.im/wiki/PlainTextPasswords" target="_blank">https://developer.pidgin.im/wiki/PlainTextPasswords</a><br>
<div class="im"><br>
> This clever dude modified the code back in 1.4:<br>
><br>
> <a href="http://www.oneharding.com/voip/asterisk_md5_register.html" target="_blank">http://www.oneharding.com/voip/asterisk_md5_register.html</a><br>
<br>
</div>Unfortunately, that doesn't work. It just elevates a stolen hash to the same<br>
level of usefulness as a stolen password (and she even says so much, in the<br>
linked article).<br>
<div class="im"><br>
> I imagine that so many years later, and now with the implementation of<br>
> pjsip this secret could be better protected?<br>
<br>
</div>No, because the underlying problem -- that decrypting a stored password also<br>
requires the decryption key; but if the decryption key and encrypted password<br>
are stored on the same machine, then anyone with access to the machine is able<br>
to decrypt the password -- is a limitation of the universe, *not* a limitation<br>
of present-day technology. There is simply nothing that anybody could invent<br>
that would get around this.<br>
<div class="im"><br>
> It is very unsafe to keep the<br>
> accounts password right out there. Any ideas?<br>
<br>
</div>It's hidden behind another password, and that's about as secure as it's<br>
mathematically possible ever to make it. And if someone else has root access<br>
to your machine, then I humbly suggest that a SIP password might not be the<br>
driest lentil you have to soak.<br>
<span class="HOEnZb"><font color="#888888"><br>
<br>
--<br>
AJS<br>
<br>
Answers come *after* questions.<br>
<br>
--<br>
_____________________________________________________________________<br>
-- Bandwidth and Colocation Provided by <a href="http://www.api-digital.com" target="_blank">http://www.api-digital.com</a> --<br>
New to Asterisk? Join us for a live introductory webinar every Thurs:<br>
<a href="http://www.asterisk.org/hello" target="_blank">http://www.asterisk.org/hello</a><br>
<br>
asterisk-users mailing list<br>
To UNSUBSCRIBE or update options visit:<br>
<a href="http://lists.digium.com/mailman/listinfo/asterisk-users" target="_blank">http://lists.digium.com/mailman/listinfo/asterisk-users</a><br>
</font></span></blockquote></div><br></div></div></div>