On 06.06.2013 16:35, Daniel-Constantin Mierla wrote:
Hello,
On 6/6/13 11:05 AM, Daniel Pocock wrote:
I was just looking over:
http://kb.asipto.com/asterisk:realtime:kamailio-3.3.x-asterisk-10.7.0-astdb
A couple of things I noticed:
- Kamailio is using a column sippasswd which is not hashed. Asterisk
doesn't use that column at all. Is there any reason this can't be done
with the H(A1) and H(A1b) columns? The INSERT example shows a
non-encrypted password.
You can store a hashed value there. In Kamailio it is just a matter of a config
parameter/function parameter to say whether the loaded value is plain
text or ha1.
Just a comment: it does not give you any additional security to store
the passwords in hashed form - as also the hashed password can be used
to calculate a proper authentication response.
The only benefit of using the hashed form is if the same password is used
in other systems too - then leaking the subscriber table does not
compromise the other systems (for approximately 4 hours with today's MD5
hacking performance), but only the SIP system.
regards
Klaus
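
The point made in the reply above, as an added example that is not part of the original thread or of the tutorial: an RFC 2617 digest check on the server needs only the stored HA1, and the same response can be produced from HA1 without the password. The user, realm, password and nonce are constructed sample values; the `ha1`/`ha1b` formulas follow the usual definition of Kamailio's subscriber columns.

```python
import hashlib
import hmac


def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def ha1(username: str, realm: str, password: str) -> str:
    # Value for the ha1 column: MD5(username:realm:password)
    return md5_hex(f"{username}:{realm}:{password}")


def ha1b(username: str, domain: str, realm: str, password: str) -> str:
    # Value for the ha1b column: the username part is "username@domain"
    return md5_hex(f"{username}@{domain}:{realm}:{password}")


def digest_response(ha1_hex, method, uri, nonce, qop=None, nc=None, cnonce=None):
    # RFC 2617 request-digest. The password itself never appears here:
    # HA1 is the only secret input.
    ha2 = md5_hex(f"{method}:{uri}")
    if qop == "auth":
        return md5_hex(f"{ha1_hex}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")
    return md5_hex(f"{ha1_hex}:{nonce}:{ha2}")


def verify(stored_ha1, received, method, uri, nonce, **qop_fields):
    # Server-side check using only the stored hash (constant-time compare).
    expected = digest_response(stored_ha1, method, uri, nonce, **qop_fields)
    return hmac.compare_digest(expected, received)


def demo():
    # Constructed sample values, not taken from the tutorial or the thread.
    user, realm, password = "alice", "sip.example.org", "constructed-password"
    nonce, method, uri = "constructed-nonce-0001", "REGISTER", "sip:sip.example.org"
    stored = ha1(user, realm, password)  # what the subscriber row holds
    from_phone = digest_response(ha1(user, realm, password), method, uri, nonce)
    from_row = digest_response(stored, method, uri, nonce)  # no password needed
    return verify(stored, from_phone, method, uri, nonce), from_phone == from_row


if __name__ == "__main__":
    print(demo())
```

Because the two responses are identical, the `ha1` and `ha1b` columns need the same access controls and backup handling as a plaintext password column.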