Our Information Security office has some questions about sipX security that I'm hoping this list can answer:

Can you ask the SIPX developers how passwords are stored in the database and how authentication occurs in detail? From the description of the admin interface, it sounds like the passwords are stored in a reversible encryption rather than a one-way hash. Is this accurate? If so, is the use of a one-way hash an option? What encryption algorithm is used for the passwords and how is the key stored/managed? When authentication occurs, is a hash of the password compared to the stored hash, or is the password in the application database decrypted and the clear-text passwords compared?

--
Jiann-Ming Su
"I have to decide between two equally frightening options. If I wanted to do that, I'd vote." --Duckman
"The system's broke, Hank. The election baby has peed in the bath water. You got to throw 'em both out." --Dale Gribble
"Those who vote decide nothing. Those who count the votes decide everything." --Joseph Stalin

_______________________________________________
sipx-dev mailing list
List Archive: http://list.sipfoundry.org/archive/sipx-dev
sipXecs IP PBX -- http://www.sipfoundry.org/
