On Wed, Aug 20, 2008 at 02:10:02PM -0700, Eric Chamberlain wrote:
> 
> On Aug 20, 2008, at 10:19 AM, Tzafrir Cohen wrote:
> 
> > On Wed, Aug 20, 2008 at 10:00:55AM -0700, Eric Chamberlain wrote:
> >> We are exploring using Asterisk for a project and we are looking for a
> >> way to encrypt/decrypt the peer passwords stored in the realtime
> >> database (postgres).
> >>
> >> Ideally, we want to use a public key to encrypt the passwords before
> >> they go into the database and have Asterisk use a private key to
> >> decrypt the password as part of the call out process.
> >>
> >> Has anyone developed something like this?
> >
> > What is the point in that? What threats does it help you to mitigate?
> >
> 
> Passwords are added/changed on a web front-end and stored in a database.
> 
> We want to limit exposure to the Asterisk boxes, we don't want  
> compromises of the web front-end or database to result in revealing  
> passwords.
> 
> These passwords are used to authenticate with other SIP systems, so
> storing an MD5 hash wouldn't work, hence the need to encrypt and decrypt.

Are those passwords used to authenticate to other SIP systems with the
same realm name? The SIP checksummed string includes a realm.

-- 
               Tzafrir Cohen
icq#16849755              jabber:[EMAIL PROTECTED]
+972-50-7952406           mailto:[EMAIL PROTECTED]
http://www.xorcom.com  iax:[EMAIL PROTECTED]/tzafrir
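
The realm question above matters because SIP Digest authentication (RFC 2617 style, MD5) hashes `username:realm:password` first, so a client can answer a challenge from that stored hash alone, but only for the realm it was computed for. The sketch below is an added example, not part of the original thread and not Asterisk code; the function names, the `stored` record layout and the sample values are assumptions made for illustration.

```python
import hashlib
import re

def md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()

def make_ha1(username, realm, password):
    # Realm-bound hash the provisioning side could store instead of the password.
    return md5_hex(f"{username}:{realm}:{password}")

def parse_challenge(header_value):
    # Parse 'Digest realm="...", nonce="...", qop="auth"' into a dict.
    scheme, _, params = header_value.partition(" ")
    if scheme.lower() != "digest":
        raise ValueError("not a Digest challenge")
    pairs = re.findall(r'(\w+)=(?:"([^"]*)"|([^\s,]+))', params)
    return {key.lower(): (quoted or bare) for key, quoted, bare in pairs}

def answer_challenge(stored, challenge, method, uri, cnonce="", nc="00000001"):
    # Compute the Digest response from the stored HA1; no plaintext is needed.
    if challenge.get("algorithm", "MD5").upper() != "MD5":
        raise ValueError("stored HA1 only covers algorithm=MD5")
    if challenge["realm"] != stored["realm"]:
        # HA1 was computed over a different realm string, so it cannot be reused.
        raise ValueError("realm mismatch: stored HA1 does not apply to this peer")
    ha2 = md5_hex(f"{method}:{uri}")
    offered = [q.strip() for q in challenge.get("qop", "").split(",") if q.strip()]
    if "auth" in offered:
        return md5_hex(f"{stored['ha1']}:{challenge['nonce']}:{nc}:{cnonce}:auth:{ha2}")
    if offered:
        raise ValueError("only qop=auth is handled in this sketch")
    return md5_hex(f"{stored['ha1']}:{challenge['nonce']}:{ha2}")  # no-qop form

if __name__ == "__main__":
    # Constructed sample values (not taken from the thread).
    stored = {"realm": "sip.example.net",
              "ha1": make_ha1("alice", "sip.example.net", "constructed-secret")}
    header = 'Digest realm="sip.example.net", nonce="abc123", algorithm=MD5'
    print(answer_challenge(stored, parse_challenge(header),
                           "REGISTER", "sip:sip.example.net"))
    other = parse_challenge('Digest realm="other.example.org", nonce="abc123"')
    try:
        answer_challenge(stored, other, "REGISTER", "sip:other.example.org")
    except ValueError as err:
        print(err)
```

A stored HA1 keeps the plaintext out of the database, but anyone who reads it can still authenticate as that user within the same realm, so it needs the same access controls as a password.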

_______________________________________________
asterisk-users mailing list