Thanks A. J.
*José Pablo Méndez*

On Wed, Jan 22, 2014 at 3:22 AM, A J Stiles <[email protected]> wrote:

> On Wednesday 22 January 2014, José Pablo Méndez Soto wrote:
> > Hello,
> >
> > Is there any way to encrypt or scramble a bit the secret used to register
> > with a provider? I'm talking about the
> >
> > register => fromuser@fromdomain:secret@host
> >
> > directive in
> > sip.conf <http://www.voip-info.org/wiki/view/Asterisk+config+sip.conf>
>
> No.
>
> Well. You *could* scramble it for storage; but that would only lull you into
> a false sense of security, because ultimately it would have to be able to be
> unscrambled by a program that was already right there on the machine,
> somewhere under /usr/src/ where any competent programmer can look at it.
>
> The client *has* to know the password in plaintext (or at least, how to
> decrypt the stored, encrypted password), in order to be able to send it to
> the server.
>
> The way things stand, the configuration file with the password in it need
> only be readable by the root user. And you know it has a password in it, so
> you take care with it.
>
> Here is an explanation from the developers of the Pidgin IM client, as to
> why they store passwords in plaintext in their configuration file:
>
> https://developer.pidgin.im/wiki/PlainTextPasswords
>
> > This clever dude modified the code back in 1.4:
> >
> > http://www.oneharding.com/voip/asterisk_md5_register.html
>
> Unfortunately, that doesn't work. It just elevates a stolen hash to the
> same level of usefulness as a stolen password (and she even says so much,
> in the linked article).
>
> > I imagine that so many years later, and now with the implementation of
> > pjsip this secret could be better protected?
>
> No, because the underlying problem -- that decrypting a stored password
> also requires the decryption key; but if the decryption key and encrypted
> password are stored on the same machine, then anyone with access to the
> machine is able to decrypt the password -- is a limitation of the universe,
> *not* a limitation of present-day technology. There is simply nothing that
> anybody could invent that would get around this.
>
> > It is very unsafe to keep the
> > account's password right out there. Any ideas?
>
> It's hidden behind another password, and that's about as secure as it's
> mathematically possible ever to make it. And if someone else has root
> access to your machine, then I humbly suggest that a SIP password might not
> be the driest lentil you have to soak.
>
> --
> AJS
>
> Answers come *after* questions.
>
> --
> _____________________________________________________________________
> -- Bandwidth and Colocation Provided by http://www.api-digital.com --
> New to Asterisk? Join us for a live introductory webinar every Thurs:
> http://www.asterisk.org/hello
>
> asterisk-users mailing list
> To UNSUBSCRIBE or update options visit:
> http://lists.digium.com/mailman/listinfo/asterisk-users
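The two points AJS makes above can be shown concretely: a stored MD5 hash of the secret is as useful as the secret itself for SIP digest authentication, and the control that actually matters is who can read the file. The following is an added example written for this thread, not code from the list, from Asterisk or from the linked article. It implements the RFC 2617 digest computation that SIP uses, and assumes (as the `md5secret` style of storing `MD5(user:realm:secret)` suggests) that an "md5 register" patch stores exactly that HA1 value. All credentials, the realm, the URI and the nonce are constructed sample values.

```python
import hashlib
import hmac

# Constructed sample values (not from the thread): one SIP account and the
# nonce a registrar would issue in its 401 challenge to a REGISTER.
USER = "1001"
REALM = "asterisk"
PASSWORD = "constructed-example-secret"
NONCE = "1a2b3c4d5e6f"
METHOD = "REGISTER"
URI = "sip:pbx.example.invalid"


def md5_hex(s: str) -> str:
    """MD5 as lowercase hex, the digest that RFC 2617 / SIP digest auth uses."""
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def ha1(user: str, realm: str, password: str) -> str:
    """HA1 = MD5(user:realm:password).

    Assumption for this example: this is the value an 'md5 register' patch
    would keep in sip.conf in place of the plaintext secret.
    """
    return md5_hex(f"{user}:{realm}:{password}")


def response_from_ha1(ha1_hex: str, method: str, uri: str, nonce: str) -> str:
    """Digest response a client can compute knowing only HA1 (no qop)."""
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1_hex}:{nonce}:{ha2}")


def response_from_password(user: str, realm: str, password: str,
                           method: str, uri: str, nonce: str) -> str:
    """Digest response a client computes from the plaintext secret."""
    return response_from_ha1(ha1(user, realm, password), method, uri, nonce)


def registrar_accepts(stored_ha1: str, method: str, uri: str, nonce: str,
                      presented_response: str) -> bool:
    """What the registrar does: recompute from its stored HA1 and compare
    in constant time."""
    expected = response_from_ha1(stored_ha1, method, uri, nonce)
    return hmac.compare_digest(expected, presented_response)


def hash_is_password_equivalent() -> bool:
    """The thread's point: a client holding only the stored HA1 produces the
    same response, and is accepted, exactly as one holding the password."""
    stored = ha1(USER, REALM, PASSWORD)
    from_pw = response_from_password(USER, REALM, PASSWORD, METHOD, URI, NONCE)
    from_hash = response_from_ha1(stored, METHOD, URI, NONCE)
    return from_pw == from_hash and registrar_accepts(
        stored, METHOD, URI, NONCE, from_hash)


def config_mode_is_private(mode: int) -> bool:
    """The control the thread actually recommends: the file holding the
    secret (or the HA1) carries no group/other permission bits, so only its
    owner (root, for sip.conf) can read it."""
    return (mode & 0o077) == 0


if __name__ == "__main__":
    print("stored HA1 is password-equivalent for this realm:",
          hash_is_password_equivalent())
    print("0600 private:", config_mode_is_private(0o600),
          "| 0644 private:", config_mode_is_private(0o644))
```

The hash is scoped to one realm, so it is not a password reuse problem across providers, but for the provider it belongs to it is a credential, and the file holding it deserves the same root-only permissions the plaintext secret would.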
