Re: [asterisk-users] Is there a way to encrypt passwords stored in the realtime database?

2008-08-22 Thread Benny Amorsen
Philippe Sultan [EMAIL PROTECTED] writes:

 Well, if someone steals the md5secret (HA1) for a given username and
 realm, he can use it to authenticate to the SIP proxy or B2BUA that
 serves the target user.

This is unavoidable with password-based systems.

Either you transfer the password unencrypted on the network (or
e.g. hashed with MD5, but that just means that the hash is the actual
password), and then you can store the password as a hash on the
server.

Or you use a secure protocol, e.g. a nonce-based one, to prove that
the other end has the same password as you -- but then the server
needs to have the unhashed password available for comparison.

SIP tries to do both, but effectively it picks the second choice:
Trust the server, not the network.

To do better you need public key cryptography. Alas, no one has
invented a way to create a private key from a password, so that means
you don't get to pick your own private key. Still, I think that would
have been a vastly better choice for SIP and for anything else where
humans aren't expected to regularly type their password. Either way,
SIP can't do it.

You can also go the whole way with client certificates and SIP/TLS,
and then you can hire a few people to keep your PKI running and secure
-- and I'm not sure that Asterisk can do it yet.


/Benny


___
-- Bandwidth and Colocation Provided by http://www.api-digital.com --

AstriCon 2008 - September 22 - 25 Phoenix, Arizona
Register Now: http://www.astricon.net

asterisk-users mailing list
To UNSUBSCRIBE or update options visit:
   http://lists.digium.com/mailman/listinfo/asterisk-users


Re: [asterisk-users] Is there a way to encrypt passwords stored in the realtime database?

2008-08-21 Thread Tim Panton

On 20 Aug 2008, at 18:00, Eric Chamberlain wrote:

 We are exploring using Asterisk for a project and we are looking for a
 way to encrypt/decrypt the peer passwords stored in the realtime
 database (postgres).

 Ideally, we want to use a public key to encrypt the passwords before
 they go into the database and have Asterisk use a private key to
 decrypt the password as part of the call out process.

 Has anyone developed something like this?

I haven't done this in asterisk, but we did do a selective
encryption layer for a database on a non-voip project.

First - understand what you are protecting against:
We wanted to be sure that if the backup/server/tapes/disk were
stolen then the personal data in the database would not be
accessible without the private key.

The way this worked was a bit Oracle-specific, but
the same concepts are available in Postgres.

Basically you have a base table containing the encrypted fields,
this is what is stored on the disk. You then layer on a view (with
appropriate triggers/stored procedures) and the application
(asterisk realtime in your case) uses this view.

The view takes the encrypted fields from the base table and decrypts
them before returning the data to the application.

The trick is that the key is stored in the user's login session (ie in
memory) and is initialized at startup (either by typing or from somewhere
that isn't the disk - think of a flash drive superglued to the wall :-)
with asterisk I'd be tempted to have it call me and I have to dtmf the
key in!



[asterisk-users] Is there a way to encrypt passwords stored in the realtime database?

2008-08-20 Thread Eric Chamberlain
We are exploring using Asterisk for a project and we are looking for a  
way to encrypt/decrypt the peer passwords stored in the realtime  
database (postgres).

Ideally, we want to use a public key to encrypt the passwords before  
they go into the database and have Asterisk use a private key to  
decrypt the password as part of the call out process.

Has anyone developed something like this?

--
Eric Chamberlain
Founder
RF.com
http://RF.com/









Re: [asterisk-users] Is there a way to encrypt passwords stored in the realtime database?

2008-08-20 Thread Tzafrir Cohen
On Wed, Aug 20, 2008 at 10:00:55AM -0700, Eric Chamberlain wrote:
 We are exploring using Asterisk for a project and we are looking for a  
 way to encrypt/decrypt the peer passwords stored in the realtime  
 database (postgres).
 
 Ideally, we want to use a public key to encrypt the passwords before  
 they go into the database and have Asterisk use a private key to  
 decrypt the password as part of the call out process.
 
 Has anyone developed something like this?

What is the point in that? What threats does it help you to mitigate?

-- 
   Tzafrir Cohen
icq#16849755  jabber:[EMAIL PROTECTED]
+972-50-7952406   mailto:[EMAIL PROTECTED]
http://www.xorcom.com  iax:[EMAIL PROTECTED]/tzafrir



Re: [asterisk-users] Is there a way to encrypt passwords stored in the realtime database?

2008-08-20 Thread SIP
Tzafrir Cohen wrote:
 On Wed, Aug 20, 2008 at 10:00:55AM -0700, Eric Chamberlain wrote:
   
 We are exploring using Asterisk for a project and we are looking for a  
 way to encrypt/decrypt the peer passwords stored in the realtime  
 database (postgres).

 Ideally, we want to use a public key to encrypt the passwords before  
 they go into the database and have Asterisk use a private key to  
 decrypt the password as part of the call out process.

 Has anyone developed something like this?
 

 What is the point in that? What threats does it help you to mitigate?

   
It helps you mitigate an incredible amount of headache if someone hacks 
in and gains access to your DB. The user accounts are still rather 
secure -- at least long enough to inform your users to change their 
passwords.

And yes... you could just say, Don't let that happen. Use better 
security on the system. However, that's not 100% effective, and most 
hacks are done by disgruntled former employees who had legitimate access 
to the system in the first place. As long as it CAN be done without 
drastically affecting performance and/or user experience, any extra 
security is a Good Thing.

N.



Re: [asterisk-users] Is there a way to encrypt passwords stored in the realtime database?

2008-08-20 Thread Igor Hernandez
I was thinking the same thing I believe Tzafrir just alluded to. If the
passwords are encrypted in the DB with a public key then...asterisk
needs to have the private key stored somewhere to be able to decrypt the
values to authenticate the user. In this way there is nothing preventing
whoever intrudes your boxes from getting that key and decrypting the
values himself.

I might be missing something though and if that's the case chime in, I'm
interested in this issue.

Regards,

-- 
Igor Hernandez
Escape Communications
http://www.escapetel.com

SIP wrote:
 Tzafrir Cohen wrote:
 On Wed, Aug 20, 2008 at 10:00:55AM -0700, Eric Chamberlain wrote:
   
 We are exploring using Asterisk for a project and we are looking for a  
 way to encrypt/decrypt the peer passwords stored in the realtime  
 database (postgres).

 Ideally, we want to use a public key to encrypt the passwords before  
 they go into the database and have Asterisk use a private key to  
 decrypt the password as part of the call out process.

 Has anyone developed something like this?
 
 What is the point in that? What threats does it help you to mitigate?

   
 It helps you mitigate an incredible amount of headache if someone hacks 
 in and gains access to your DB. The user accounts are still rather 
 secure -- at least long enough to inform your users to change their 
 passwords.
 
 And yes... you could just say, Don't let that happen. Use better 
 security on the system. However, that's not 100% effective, and most 
 hacks are done by disgruntled former employees who had legitimate access 
 to the system in the first place. As long as it CAN be done without 
 drastically affecting performance and/or user experience, any extra 
 security is a Good Thing.
 
 N.
 


Re: [asterisk-users] Is there a way to encrypt passwords stored in the realtime database?

2008-08-20 Thread Tzafrir Cohen
On Wed, Aug 20, 2008 at 02:20:50PM -0400, SIP wrote:
 Tzafrir Cohen wrote:
  On Wed, Aug 20, 2008 at 10:00:55AM -0700, Eric Chamberlain wrote:

  We are exploring using Asterisk for a project and we are looking for a  
  way to encrypt/decrypt the peer passwords stored in the realtime  
  database (postgres).
 
  Ideally, we want to use a public key to encrypt the passwords before  
  they go into the database and have Asterisk use a private key to  
  decrypt the password as part of the call out process.
 
  Has anyone developed something like this?
  
 
  What is the point in that? What threats does it help you to mitigate?
 

 It helps you mitigate an incredible amount of headache if someone hacks 
 in and gains access to your DB. The user accounts are still rather 
 secure -- at least long enough to inform your users to change their 
 passwords.

So those passwords are used elsewhere?

In that case, look into md5secret. That is: store a digest of the
password (and a few more bits) on the DB.

-- 
   Tzafrir Cohen
icq#16849755  jabber:[EMAIL PROTECTED]
+972-50-7952406   mailto:[EMAIL PROTECTED]
http://www.xorcom.com  iax:[EMAIL PROTECTED]/tzafrir



Re: [asterisk-users] Is there a way to encrypt passwords stored in the realtime database?

2008-08-20 Thread SIP
Igor Hernandez wrote:
 I was thinking the same thing I believe Tzafrir just alluded to. If the
 passwords are encrypted in the DB with a public key then...asterisk
 needs to have the private key stored somewhere to be able to decrypt the
 values to authenticate the user. In this way there is nothing preventing
 whoever intrudes your boxes from getting that key and decrypting the
 values himself.

 I might be missing something though and if that's the case chime in, I'm
 interested in this issue.

 Regards,

   
Absolutely. But if you can work it so that you have to key in the key 
manually on startup, or store it on a removable flash drive and it 
remains in memory during runtime, then you've achieved what you need. 
Again... this is considerable complexity in the code -- not a simple 
dialplan hack. BUT... it would add security.

I'm just tossing out ideas here.


N.



Re: [asterisk-users] Is there a way to encrypt passwords stored in the realtime database?

2008-08-20 Thread Roderick A. Anderson
Igor Hernandez wrote:
 I was thinking the same thing I believe Tzafrir just alluded to. If the
 passwords are encrypted in the DB with a public key then...asterisk
 needs to have the private key stored somewhere to be able to decrypt the
 values to authenticate the user. In this way there is nothing preventing
 whoever intrudes your boxes from getting that key and decrypting the
 values himself.
 
 I might be missing something though and if that's the case chime in, I'm
 interested in this issue.

Some of us place databases on separate systems so the cracker would have 
to break into two systems -- the database box and the Asterisk box.


Rod
-- 
 
 Regards,
 




Re: [asterisk-users] Is there a way to encrypt passwords stored in the realtime database?

2008-08-20 Thread Igor Hernandez
Hey SIP,

I understand what you're saying but keeping the key in memory
permanently doesn't protect you for very long, it just makes the
attacker waste a bit more time scanning the memory to get at the key.

In other words, if the key is available to asterisk it will be available
to anyone else in the system with sufficient privileges.

-- 
Igor Hernandez
Escape Communications
http://www.escapetel.com


SIP wrote:
 Igor Hernandez wrote:
 I was thinking the same thing I believe Tzafrir just alluded to. If the
 passwords are encrypted in the DB with a public key then...asterisk
 needs to have the private key stored somewhere to be able to decrypt the
 values to authenticate the user. In this way there is nothing preventing
 whoever intrudes your boxes from getting that key and decrypting the
 values himself.

 I might be missing something though and if that's the case chime in, I'm
 interested in this issue.

 Regards,

   
 Absolutely. But if you can work it so that you have to key in the key 
 manually on startup, or store it on a removable flash drive and it 
 remains in memory during runtime, then you've achieved what you need. 
 Again... this is considerable complexity in the code -- not a simple 
 dialplan hack. BUT... it would add security.
 
 I'm just tossing out ideas here.
 
 
 N.
 


Re: [asterisk-users] Is there a way to encrypt passwords stored in the realtime database?

2008-08-20 Thread Nicholas Blasgen
I've never used it, but check out the md5 one-way encryption of passwords:

http://www.voip-info.org/wiki/index.php?page=Asterisk+sip+md5secret

http://books.google.com/books?id=vAT8Mfvp8GsC&pg=PA225&lpg=PA225&dq=asterisk+md5+secret&source=web&ots=1mUADiyRkP&sig=FJSBgcWMY3K0zoilVvgNvibJE4A&hl=en&sa=X&oi=book_result&resnum=6&ct=result


On Wed, Aug 20, 2008 at 10:00 AM, Eric Chamberlain [EMAIL PROTECTED] wrote:

 We are exploring using Asterisk for a project and we are looking for a
 way to encrypt/decrypt the peer passwords stored in the realtime
 database (postgres).

 Ideally, we want to use a public key to encrypt the passwords before
 they go into the database and have Asterisk use a private key to
 decrypt the password as part of the call out process.

 Has anyone developed something like this?

 --
 Eric Chamberlain
 Founder
 RF.com
 http://RF.com/











-- 
Nicholas Blasgen
[EMAIL PROTECTED]
408.497.9796 (c)

Re: [asterisk-users] Is there a way to encrypt passwords stored in the realtime database?

2008-08-20 Thread BJ Weschke
Igor Hernandez wrote:
 I was thinking the same thing I believe Tzafrir just alluded to. If the
 passwords are encrypted in the DB with a public key then...asterisk
 needs to have the private key stored somewhere to be able to decrypt the
 values to authenticate the user. In this way there is nothing preventing
 whoever intrudes your boxes from getting that key and decrypting the
 values himself.

 I might be missing something though and if that's the case chime in, I'm
 interested in this issue.

 Regards,

   

 You are. md5secret simply stores the crypt hash. When it receives the 
password attempt, it too, is crypted using MD5 algorithm and then the 
two hashes are compared. Using MD5 crypt hash, there is no way to 
decrypt the hash. It's a brute force methodology to get the password 
back if you've lost it.

-- 
--
Bird's The Word Technologies, Inc.
http://www.btwtech.com/






Re: [asterisk-users] Is there a way to encrypt passwords stored in the realtime database?

2008-08-20 Thread Igor Hernandez
I understand the advantage of md5 hashing, it's been the standard for
years for day to day user auths. What we were discussing was the merits
of the proposed public key scheme for this application, where the
private key would always need to be available therefore not giving any
real security.

Regards,

-- 
Igor Hernandez
Escape Communications
http://www.escapetel.com

BJ Weschke wrote:
 Igor Hernandez wrote:
 I was thinking the same thing I believe Tzafrir just alluded to. If the
 passwords are encrypted in the DB with a public key then...asterisk
 needs to have the private key stored somewhere to be able to decrypt the
 values to authenticate the user. In this way there is nothing preventing
 whoever intrudes your boxes from getting that key and decrypting the
 values himself.

 I might be missing something though and if that's the case chime in, I'm
 interested in this issue.

 Regards,

   
 
  You are. md5secret simply stores the crypt hash. When it receives the 
 password attempt, it too, is crypted using MD5 algorithm and then the 
 two hashes are compared. Using MD5 crypt hash, there is no way to 
 decrypt the hash. It's a brute force methodology to get the password 
 back if you've lost it.
 





Re: [asterisk-users] Is there a way to encrypt passwords stored in the realtime database?

2008-08-20 Thread Eric Chamberlain

On Aug 20, 2008, at 10:19 AM, Tzafrir Cohen wrote:

 On Wed, Aug 20, 2008 at 10:00:55AM -0700, Eric Chamberlain wrote:
 We are exploring using Asterisk for a project and we are looking for a
 way to encrypt/decrypt the peer passwords stored in the realtime
 database (postgres).

 Ideally, we want to use a public key to encrypt the passwords before
 they go into the database and have Asterisk use a private key to
 decrypt the password as part of the call out process.

 Has anyone developed something like this?

 What is the point in that? What threats does it help you to mitigate?


Passwords are added/changed on a web front-end and stored in a database.

We want to limit exposure to the Asterisk boxes, we don't want  
compromises of the web front-end or database to result in revealing  
passwords.

These passwords are used to authenticate with other SIP systems, so  
storing an MD5 hash wouldn't work, hence the need to encrypt and decrypt.

--
Eric Chamberlain
Founder
RF.com
http://RF.com/









Re: [asterisk-users] Is there a way to encrypt passwords stored in the realtime database?

2008-08-20 Thread Eric Chamberlain

On Aug 20, 2008, at 12:34 PM, Igor Hernandez wrote:

 Hey SIP,

 I understand what you're saying but keeping the key in memory
 permanently doesn't protect you for very long, it just makes the
 attacker waste a bit more time scanning the memory to get at the key.

 In other words, if the key is available to asterisk it will be available
 to anyone else in the system with sufficient privileges.


Assume I'm using a FIPS 140-2 Level 4 HSM, now, how can I protect my  
passwords when they are in the database?

--
Eric Chamberlain
Founder
RF.com
http://RF.com/









Re: [asterisk-users] Is there a way to encrypt passwords stored in the realtime database?

2008-08-20 Thread Igor Hernandez
Hey Eric,

That I really have no experience with. Never really played with security
modules. Although someone more experienced should be able to chime in.

Eric Chamberlain wrote:
 On Aug 20, 2008, at 12:34 PM, Igor Hernandez wrote:
 
 Hey SIP,

 I understand what you're saying but keeping the key in memory
 permanently doesn't protect you for very long, it just makes the
 attacker waste a bit more time scanning the memory to get at the key.

 In other words, if the key is available to asterisk it will be available
 to anyone else in the system with sufficient privileges.

 
 Assume I'm using a FIPS 140-2 Level 4 HSM, now, how can I protect my  
 passwords when they are in the database?
 
 --
 Eric Chamberlain
 Founder
 RF.com
 http://RF.com/
 
 
 
 
 
 
 
 


-- 
Igor Hernandez
Escape Communications
http://www.escapetel.com



Re: [asterisk-users] Is there a way to encrypt passwords stored in the realtime database?

2008-08-20 Thread Philippe Sultan
Well, if someone steals the md5secret (HA1) for a given username and
realm, he can use it to authenticate to the SIP proxy or B2BUA that
serves the target user.

On both sides (SIP client and proxy or B2BUA), the values to be
compared are the computed results of MD5(HA1:nonce:HA2), where:
HA1 = MD5(username:realm:password) and HA2 = MD5(Method:Request-URI)

The nonce string is generated by the SIP server, as well as the realm
value. So, even without knowing the user's password, you can still get
access to his SIP account.


On Wed, Aug 20, 2008 at 10:17 PM, BJ Weschke [EMAIL PROTECTED] wrote:
 Igor Hernandez wrote:
 I was thinking the same thing I believe Tzafrir just alluded to. If the
 passwords are encrypted in the DB with a public key then...asterisk
 needs to have the private key stored somewhere to be able to decrypt the
 values to authenticate the user. In this way there is nothing preventing
 whoever intrudes your boxes from getting that key and decrypting the
 values himself.

 I might be missing something though and if that's the case chime in, I'm
 interested in this issue.

 Regards,



  You are. md5secret simply stores the crypt hash. When it receives the
 password attempt, it too, is crypted using MD5 algorithm and then the
 two hashes are compared. Using MD5 crypt hash, there is no way to
 decrypt the hash. It's a brute force methodology to get the password
 back if you've lost it.

 --
 --
 Bird's The Word Technologies, Inc.
 http://www.btwtech.com/








-- 
Philippe Sultan



Re: [asterisk-users] Is there a way to encrypt passwords stored in the realtime database?

2008-08-20 Thread Tzafrir Cohen
On Wed, Aug 20, 2008 at 02:10:02PM -0700, Eric Chamberlain wrote:
 
 On Aug 20, 2008, at 10:19 AM, Tzafrir Cohen wrote:
 
  On Wed, Aug 20, 2008 at 10:00:55AM -0700, Eric Chamberlain wrote:
  We are exploring using Asterisk for a project and we are looking for a
  way to encrypt/decrypt the peer passwords stored in the realtime
  database (postgres).
 
  Ideally, we want to use a public key to encrypt the passwords before
  they go into the database and have Asterisk use a private key to
  decrypt the password as part of the call out process.
 
  Has anyone developed something like this?
 
  What is the point in that? What threats does it help you to mitigate?
 
 
 Passwords are added/changed on a web front-end and stored in a database.
 
 We want to limit exposure to the Asterisk boxes, we don't want  
 compromises of the web front-end or database to result in revealing  
 passwords.
 
 These passwords are used to authenticate with other SIP systems, so  
 storing an MD5 hash wouldn't work, hence the need to encrypt and decrypt.

Are those passwords used to authenticate to other SIP systems with the
same realm name? The SIP checksummed string includes a realm.

-- 
   Tzafrir Cohen
icq#16849755  jabber:[EMAIL PROTECTED]
+972-50-7952406   mailto:[EMAIL PROTECTED]
http://www.xorcom.com  iax:[EMAIL PROTECTED]/tzafrir
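
The digest computation Philippe Sultan describes earlier in the thread, together with the realm question Tzafrir Cohen raises above, as an added Python example (not code from any poster or from Asterisk). It uses the MD5(HA1:nonce:HA2) form given in the thread; the user, password, realms, nonces and URI are constructed sample values.

```python
import hashlib
import hmac


def md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def ha1(username, realm, password):
    # HA1 = MD5(username:realm:password): the value an md5secret column holds.
    return md5_hex(f"{username}:{realm}:{password}")


def ha2(method, request_uri):
    # HA2 = MD5(Method:Request-URI)
    return md5_hex(f"{method}:{request_uri}")


def digest_response(ha1_hex, nonce, method, request_uri):
    # response = MD5(HA1:nonce:HA2); the password itself is never an input.
    return md5_hex(f"{ha1_hex}:{nonce}:{ha2(method, request_uri)}")


def server_accepts(stored_ha1, nonce, method, request_uri, response):
    # The verifier needs only its stored HA1 and the nonce it issued.
    expected = digest_response(stored_ha1, nonce, method, request_uri)
    return hmac.compare_digest(expected, response)


# Constructed sample values (assumptions, not taken from the thread).
USER = "alice"
PASSWORD = "constructed-sample-password"
LOCAL_REALM = "asterisk"            # realm of the local server
REMOTE_REALM = "provider.example"   # realm of another SIP system
METHOD, URI = "REGISTER", "sip:pbx.example"
NONCE, NEXT_NONCE = "5f2a9c1e", "c07d4b88"


def run_scenarios():
    stored_local = ha1(USER, LOCAL_REALM, PASSWORD)    # database row, local realm
    stored_remote = ha1(USER, REMOTE_REALM, PASSWORD)  # what the other system holds

    # A phone that knows the password derives HA1 itself and answers.
    from_password = digest_response(
        ha1(USER, LOCAL_REALM, PASSWORD), NONCE, METHOD, URI)
    # The same answer computed from the database value alone.
    from_stored = digest_response(stored_local, NONCE, METHOD, URI)

    return {
        # Normal login against a server that stores only HA1.
        "password_holder_accepted":
            server_accepts(stored_local, NONCE, METHOD, URI, from_password),
        # Within its realm the stored HA1 is equivalent to the password.
        "stored_ha1_gives_same_response": from_stored == from_password,
        # The nonce protects the network path, not the database.
        "old_response_rejected_for_new_nonce":
            not server_accepts(stored_local, NEXT_NONCE, METHOD, URI, from_password),
        # HA1 is bound to its realm: the local value fails elsewhere.
        "local_ha1_rejected_by_other_realm":
            not server_accepts(stored_remote, NONCE, METHOD, URI, from_stored),
        # An HA1 precomputed for the other realm does work there.
        "per_realm_ha1_accepted_by_other_realm":
            server_accepts(stored_remote, NONCE, METHOD, URI,
                           digest_response(stored_remote, NONCE, METHOD, URI)),
    }


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name}: {result}")
```

Every scenario evaluates to True: an md5secret value needs the same protection as the password within its realm, and authenticating to a system with a different realm needs either the plaintext password or an HA1 computed for that realm.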
