PIN numbers are stored in MD5 which is not reversible, but due to the numeric-only attributes of PIN numbers they can be brute-forced as shown here: http://wiki.sipfoundry.org/display/xecsuser/PIN+retrieval+tool
The SIP passwords (not used by users) are stored in plaintext in the DB. This has to be done because the SIP password value must be viewable to the administrator in cases of manual registration of devices. By default the PostgreSQL installation included with sipX has user and host permissions set to where no user outside of the server can connect to the database. If you have an HA setup, all PostgreSQL traffic is sent through an SSL encrypted tunnel (stunnel) so DB info isn't sent in plaintext over the wire. All XML-RPC and other communications between servers are generally sent SSL encrypted as well.

Josh Patten
Assistant Network Administrator
Brazos County IT Dept.
(979) 361-4676

On 6/14/2010 11:06 PM, Jiann-Ming Su wrote:
> Our Information Security office has some questions about sipX security
> that I'm hoping this list can answer:
>
> Can you ask the SIPX developers how passwords are stored in the
> database and how authentication occurs in detail. From the
> description of the admin interface, it sounds like the passwords are
> stored in a reversible encryption rather than a one-way hash. Is this
> accurate? If so, is the use of a one-way hash an option? What
> encryption algorithm is used for the passwords and how is the key
> stored/managed? When authentication occurs, is a hash of the password
> compared to the stored hash, or is the password in the application
> database decrypted and clear-text passwords are compared?

_______________________________________________
sipx-dev mailing list
List Archive: http://list.sipfoundry.org/archive/sipx-dev
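Added example (Python; not code from sipX or from either poster) illustrating the two points raised above: why an unsalted MD5 of a numeric-only PIN is recoverable by plain enumeration, and a salted slow-hash replacement with a timing estimate showing that the small PIN space still needs account lockout or rate limiting. The sample PIN, salt size and iteration count are constructed assumptions.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Constructed sample: a 4-digit voicemail PIN stored as an unsalted MD5 hex digest,
# the storage scheme the message describes.
PIN_LENGTH = 4
SAMPLE_MD5 = hashlib.md5(b"4817").hexdigest()


def recover_pin_from_md5(digest: str, length: int) -> Optional[str]:
    """Enumerate every numeric PIN of the given length. With no salt and a fast
    hash there are at most 10**length candidates, so this finishes instantly."""
    for candidate in range(10 ** length):
        pin = f"{candidate:0{length}d}"
        if hashlib.md5(pin.encode()).hexdigest() == digest:
            return pin
    return None


# Hardened storage (hypothetical replacement, not sipX code): a random per-user
# salt defeats precomputed tables, and a slow KDF raises the cost of each guess.
KDF_ITERATIONS = 100_000


def store_pin(pin: str) -> tuple:
    salt = secrets.token_bytes(16)
    return salt, hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, KDF_ITERATIONS)


def verify_pin(pin: str, salt: bytes, stored: bytes) -> bool:
    derived = hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, KDF_ITERATIONS)
    return hmac.compare_digest(derived, stored)  # constant-time comparison


def enumeration_cost_seconds(length: int, salt: bytes, stored: bytes,
                             samples: int = 5) -> float:
    """Time a few guesses against the slow hash and scale to the full 10**length
    space. The caveat: a short numeric PIN stays enumerable offline, so the KDF
    buys minutes, not safety, and must be paired with lockout or rate limiting."""
    start = time.perf_counter()
    for c in range(samples):
        verify_pin(f"{c:0{length}d}", salt, stored)
    return (time.perf_counter() - start) / samples * 10 ** length


if __name__ == "__main__":
    salt, stored = store_pin("4817")
    print(recover_pin_from_md5(SAMPLE_MD5, PIN_LENGTH), verify_pin("4817", salt, stored),
          round(enumeration_cost_seconds(PIN_LENGTH, salt, stored), 1))
```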
