Re: [asterisk-users] Is there a way to encrypt passwords stored in the realtime database?

2008-08-22 Thread Benny Amorsen
Philippe Sultan [EMAIL PROTECTED] writes: Well, if someone steals the md5secret (HA1) for a given username and realm, he can use it to authenticate to the SIP proxy or B2BUA that serves the target user. This is unavoidable with password-based systems. Either you transfer the password

Re: [asterisk-users] Is there a way to encrypt passwords stored in the realtime database?

2008-08-21 Thread Tim Panton
On 20 Aug 2008, at 18:00, Eric Chamberlain wrote: We are exploring using Asterisk for a project and we are looking for a way to encrypt/decrypt the peer passwords stored in the realtime database (postgres). Ideally, we want to use a public key to encrypt the passwords before they go into

[asterisk-users] Is there a way to encrypt passwords stored in the realtime database?

2008-08-20 Thread Eric Chamberlain
We are exploring using Asterisk for a project and we are looking for a way to encrypt/decrypt the peer passwords stored in the realtime database (postgres). Ideally, we want to use a public key to encrypt the passwords before they go into the database and have Asterisk use a private key to

Re: [asterisk-users] Is there a way to encrypt passwords stored in the realtime database?

2008-08-20 Thread Tzafrir Cohen
On Wed, Aug 20, 2008 at 10:00:55AM -0700, Eric Chamberlain wrote: We are exploring using Asterisk for a project and we are looking for a way to encrypt/decrypt the peer passwords stored in the realtime database (postgres). Ideally, we want to use a public key to encrypt the passwords

Re: [asterisk-users] Is there a way to encrypt passwords stored in the realtime database?

2008-08-20 Thread SIP
Tzafrir Cohen wrote: On Wed, Aug 20, 2008 at 10:00:55AM -0700, Eric Chamberlain wrote: We are exploring using Asterisk for a project and we are looking for a way to encrypt/decrypt the peer passwords stored in the realtime database (postgres). Ideally, we want to use a public key to

Re: [asterisk-users] Is there a way to encrypt passwords stored in the realtime database?

2008-08-20 Thread Igor Hernandez
I was thinking the same thing I believe Tzafrir just alluded to. If the passwords are encrypted in the DB with a public key then...asterisk needs to have the private key stored somewhere to be able to decrypt the values to authenticate the user. In this way there is nothing preventing whoever

Re: [asterisk-users] Is there a way to encrypt passwords stored in the realtime database?

2008-08-20 Thread Tzafrir Cohen
On Wed, Aug 20, 2008 at 02:20:50PM -0400, SIP wrote: Tzafrir Cohen wrote: On Wed, Aug 20, 2008 at 10:00:55AM -0700, Eric Chamberlain wrote: We are exploring using Asterisk for a project and we are looking for a way to encrypt/decrypt the peer passwords stored in the realtime

Re: [asterisk-users] Is there a way to encrypt passwords stored in the realtime database?

2008-08-20 Thread SIP
Igor Hernandez wrote: I was thinking the same thing I believe Tzafrir just alluded to. If the passwords are encrypted in the DB with a public key then...asterisk needs to have the private key stored somewhere to be able to decrypt the values to authenticate the user. In this way there is

Re: [asterisk-users] Is there a way to encrypt passwords stored in the realtime database?

2008-08-20 Thread Roderick A. Anderson
Igor Hernandez wrote: I was thinking the same thing I believe Tzafrir just alluded to. If the passwords are encrypted in the DB with a public key then...asterisk needs to have the private key stored somewhere to be able to decrypt the values to authenticate the user. In this way there is

Re: [asterisk-users] Is there a way to encrypt passwords stored in the realtime database?

2008-08-20 Thread Igor Hernandez
Hey SIP, I understand what you're saying but keeping the key in memory permanently doesn't protect you for very long, it just makes the attacker waste a bit more time scanning the memory to get at the key. In other words, if the key is available to asterisk it will be available to anyone else in

Re: [asterisk-users] Is there a way to encrypt passwords stored in the realtime database?

2008-08-20 Thread Nicholas Blasgen
I've never used it, but check out the md5 one-way encryption of passwords: http://www.voip-info.org/wiki/index.php?page=Asterisk+sip+md5secret

Re: [asterisk-users] Is there a way to encrypt passwords stored in the realtime database?

2008-08-20 Thread BJ Weschke
Igor Hernandez wrote: I was thinking the same thing I believe Tzafrir just alluded to. If the passwords are encrypted in the DB with a public key then...asterisk needs to have the private key stored somewhere to be able to decrypt the values to authenticate the user. In this way there is

Re: [asterisk-users] Is there a way to encrypt passwords stored in the realtime database?

2008-08-20 Thread Igor Hernandez
I understand the advantage of md5 hashing, it's been the standard for years for day to day user auths. What we were discussing was the merits of the proposed public key scheme for this application, where the private key would always need to be available therefore not giving any real security.

Re: [asterisk-users] Is there a way to encrypt passwords stored in the realtime database?

2008-08-20 Thread Eric Chamberlain
On Aug 20, 2008, at 10:19 AM, Tzafrir Cohen wrote: On Wed, Aug 20, 2008 at 10:00:55AM -0700, Eric Chamberlain wrote: We are exploring using Asterisk for a project and we are looking for a way to encrypt/decrypt the peer passwords stored in the realtime database (postgres). Ideally, we

Re: [asterisk-users] Is there a way to encrypt passwords stored in the realtime database?

2008-08-20 Thread Eric Chamberlain
On Aug 20, 2008, at 12:34 PM, Igor Hernandez wrote: Hey SIP, I understand what you're saying but keeping the key in memory permanently doesn't protect you for very long, it just makes the attacker waste a bit more time scanning the memory to get at the key. In other words, if the key is

Re: [asterisk-users] Is there a way to encrypt passwords stored in the realtime database?

2008-08-20 Thread Igor Hernandez
Hey Eric, That I really have no experience with. Never really played with security modules. Although someone more experienced should be able to chime in. Eric Chamberlain wrote: On Aug 20, 2008, at 12:34 PM, Igor Hernandez wrote: Hey SIP, I understand what you're saying but keeping the key

Re: [asterisk-users] Is there a way to encrypt passwords stored in the realtime database?

2008-08-20 Thread Philippe Sultan
Well, if someone steals the md5secret (HA1) for a given username and realm, he can use it to authenticate to the SIP proxy or B2BUA that serves the target user. On both sides (SIP client and proxy or B2BUA), the values to be compared are the computed results of MD5(HA1:nonce:HA2), where: HA1 =

Re: [asterisk-users] Is there a way to encrypt passwords stored in the realtime database?

2008-08-20 Thread Tzafrir Cohen
On Wed, Aug 20, 2008 at 02:10:02PM -0700, Eric Chamberlain wrote: On Aug 20, 2008, at 10:19 AM, Tzafrir Cohen wrote: On Wed, Aug 20, 2008 at 10:00:55AM -0700, Eric Chamberlain wrote: We are exploring using Asterisk for a project and we are looking for a way to encrypt/decrypt the