On 02/15/2011 06:18 AM, Richard Kenner wrote:
> Anyway, the answer is: No, it's mathematically impossible to do
> that.  Even if the passwords were stored encrypted, Asterisk itself
> has to be able to get the plaintext passwords to send to the remote
> server; so the code to decrypt them must necessarily be located on
> the machine.  And the Source Code to Asterisk is readily available,
> which is how come you were able to benefit from it, so it would be
> trivial to extract the passwords in any case.
>
> But there IS a way to improve things, and it's what Cisco routers do.
> You can have all passwords stored in config files encrypted with a
> single master key.  That key is stored in a special file, containing
> just that key.  THAT file must then be heavily-protected, but all
> OTHER config files can now be placed into CM or anywhere else they
> might be needed.

How does that improve things? The reason that works with Cisco routers is because the code that reads that special key file and uses it to decrypt the other files is closed-source; nobody can see how it works.

As another poster said, that's not true for Asterisk. If Asterisk had such a facility, the method used to decrypt the protected passwords would be publicly available, as would the decryption key (in the special key file). Anyone who wanted to decrypt the passwords from the config files would have an only slightly more complex route to do so... it would still be straightforward.

And before anyone proposes modifying the installed copy of Asterisk to use a 'secret' method of decrypting the passwords... keep in mind that it is highly likely that everyone involved here is using Asterisk under the GPLv2 license, so distributing such a modified copy of Asterisk would necessarily include also distributing the modified source code, and thus the same problem arises.

"Security through obscurity" does not work with open source software.

--
Kevin P. Fleming
Digium, Inc. | Director of Software Technologies
445 Jan Davis Drive NW - Huntsville, AL 35806 - USA
skype: kpfleming | jabber: kflem...@digium.com
Check us out at www.digium.com & www.asterisk.org
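The master-key scheme the quoted message describes (one key in its own tightly protected file, every other config file holding only ciphertext), written out as an added example so the trade-off both posters discuss is concrete. This is not Asterisk code and not how Asterisk stores secrets; the config layout, the `secret=` key name and the password value are constructed, and the cipher is an HMAC-SHA256 keystream with an HMAC tag (encrypt-then-MAC), an illustrative standard-library-only construction rather than a recommendation. As the thread says, the decryption routine is public and needs nothing beyond the key file, so protection of the config tree reduces entirely to protection of that one file.

```python
"""Master-key protection for passwords in a config file (added example)."""
import base64
import hashlib
import hmac
import os
import re
import tempfile

PREFIX = "enc:"        # marks a config value that has been protected
NONCE_LEN = 16
TAG_LEN = 32

# Constructed sample in an Asterisk-like INI layout; the value is made up.
SAMPLE_CONFIG = """[1001]
type=friend
secret=constructed-sample-password
host=dynamic
"""


def load_master_key(path: str) -> bytes:
    """Read the master key (hex, one line) from its own file.
    This file, not the rest of the config tree, is what must stay secret."""
    with open(path) as f:
        return bytes.fromhex(f.read().strip())


def _subkeys(master: bytes):
    # Derive independent encryption and MAC keys from the single master key.
    enc = hmac.new(master, b"config-encryption", hashlib.sha256).digest()
    mac = hmac.new(master, b"config-authentication", hashlib.sha256).digest()
    return enc, mac


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # Counter-mode keystream: HMAC(enc_key, nonce || counter), block by block.
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"),
                        hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt_secret(master: bytes, plaintext: str) -> str:
    enc_key, mac_key = _subkeys(master)
    nonce = os.urandom(NONCE_LEN)
    data = plaintext.encode()
    ct = bytes(a ^ b for a, b in zip(data, _keystream(enc_key, nonce, len(data))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return PREFIX + base64.b64encode(nonce + ct + tag).decode()


def decrypt_secret(master: bytes, token: str) -> str:
    if not token.startswith(PREFIX):
        raise ValueError("value is not a protected secret")
    blob = base64.b64decode(token[len(PREFIX):])
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    enc_key, mac_key = _subkeys(master)
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    # A wrong master key and a modified config value both fail here.
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or tampered value")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct)))).decode()


SECRET_LINE = re.compile(r"^(\s*secret\s*=\s*)(.*?)\s*$")


def protect_config(master: bytes, text: str) -> str:
    """Replace every plaintext 'secret=' value with ciphertext, so the file
    can be checked into configuration management."""
    out = []
    for line in text.splitlines():
        m = SECRET_LINE.match(line)
        if m and not m.group(2).startswith(PREFIX):
            line = m.group(1) + encrypt_secret(master, m.group(2))
        out.append(line)
    return "\n".join(out) + "\n"


def reveal_config(master: bytes, text: str) -> str:
    """What the daemon does at load time: the same public code, the same
    key file, and the plaintext is back."""
    out = []
    for line in text.splitlines():
        m = SECRET_LINE.match(line)
        if m and m.group(2).startswith(PREFIX):
            line = m.group(1) + decrypt_secret(master, m.group(2))
        out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    # Constructed key file in a temp directory, standing in for the one
    # heavily-protected file the scheme depends on.
    with tempfile.TemporaryDirectory() as d:
        key_path = os.path.join(d, "master.key")
        with open(key_path, "w") as f:
            f.write(os.urandom(32).hex())
        master = load_master_key(key_path)
        protected = protect_config(master, SAMPLE_CONFIG)
        print(protected)                       # safe to store elsewhere
        assert reveal_config(master, protected) == SAMPLE_CONFIG
```

Running it prints the config with the `secret=` line replaced by an `enc:` token; `reveal_config` with the same key file restores it, and `decrypt_secret` with any other key, or over an edited token, raises instead of returning garbage.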

asterisk-users mailing list