Title: Web Services Security
Web Services Security
- Web services security is not particularly difficult to implement.
- Inability to gain consensus on an approach is the gating factor.
- IBM, Microsoft, and VeriSign have joined to establish web service security standards called WS-Security.
Web Services Security
- WS-Security is an OASIS-approved standard.
- WS-Security leverages the W3C's XML Encryption, XML Signature, and Canonical XML standards.
- Microsoft created the Web Services Enhancements (WSE) add-on package for .NET.
- WSE provides a foundation for building applications based on Web services.
- Specifications published by Microsoft and industry partners include
  - WS-Security,
  - WS-Policy,
  - WS-SecurityPolicy,
  - WS-Trust,
  - WS-SecureConversation, and
  - WS-Addressing.
Digital Signatures in Web Services
W3C / IETF Web Services Security Initiatives
- The World Wide Web Consortium and the Internet Engineering Task Force are working on
  - XML digital signature and encryption recommendations that will define the processing rules, and
  - syntax for securing XML data structures.
- These structures can be applied to information in any form, not just XML.
- The signed material can be attached to the signature or located remotely through a uniform resource identifier (URI).
- At the same time, this standard will enable the scope of the signature to be matched to the hierarchical structure of XML documents.
Password Security
- Passwords provide the last line of defense with regard to authentication.
- Hacker's goal: obtain superuser status.
- Normal strategy: exploit
  - badly installed software,
  - bugs in (system) software, or
  - human errors.
- When someone attempts to hack into a computer,
  - the first thing needed is a user account, which is usually easy to get;
  - then the hacker needs a password.
Password Security (continued)
- It is of utmost importance that all (!) users on a system choose a password that is not easy to guess.
- The security of each individual user is closely related to the security of the whole system.
- Users often have no idea how a multi-user system works and don't realize that, by choosing an easy-to-remember password, they indirectly make it possible for an outsider to manipulate the entire system.
- It is therefore also important to notify users of the security guidelines.
Password Security: How to find passwords on a Unix System
- In most cases, the passwords are stored encrypted in the file /etc/passwd, or on the server in a client/server scenario.
- In the latter case, one can get the password file by giving the command ypcat passwd.
- A line from the password file looks like this:
  - account:coded password data:uid:gid:GCOS-field:homedir:shell
- A user with account gigawalt, crypted password fURfuu4.4hY0U, userid 129 (a user with userid 0, of which there can be more than one, is superuser), groupid 129, information (GCOS) Walter Belgers, home directory /home/gigawalt and shell /bin/csh will have an entry in /etc/passwd like this:
  - gigawalt:fURfuu4.4hY0U:129:129:Walter Belgers:/home/gigawalt:/bin/csh
- Passwords are crypted using DES.
- UNIX password encryption uses the DES algorithm 25 times in a row.
- The first DES round uses 64 0-bits as input and encrypts them with the password the user inputs as the key, with a permutation taking place during the encryption process.
- The chosen permutation is coded into two bytes called the 'salt'.
Password Security: How to find passwords on a Unix System (continued)
- The salt is stored in the password file.
- The output is used as input for the next DES round, which uses the same key and permutation.
- The process repeats until there is a final output from the 25th DES round.
- This method of encryption is almost irreversible:
  - it is easy to encrypt a string;
  - it is impossible to find the original of a string encrypted as described above.
- It is possible to find the original of a string encrypted using single DES.
- How can a user log in?
  - The user inputs his or her password, which is used as the key to crypt 64 0-bits,
  - using the salt found in the password file for that user.
  - If the output corresponds to the eleven bytes that represent the crypted password in the password file, the password is considered valid and the user is permitted to access the system.
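The login check on the last two slides (25 DES rounds over 64 zero bits under the password-derived key, salt taken from the first two characters of the stored field, result compared with the stored field) can be followed in code. The following Go program is an added example written for these notes; it is not code from the slides or from any Unix. It assumes crypt(3)'s 64-character output alphabet and key derivation (low seven bits of each of the first eight characters), and it deliberately omits the salt-driven perturbation of DES's expansion table, so its output matches real crypt(3) only for the salt ".." (all salt bits zero); for any other salt the two characters are validated and prefixed but do not change the rounds. The password "wombat42" and the sample password-file line are constructed.

```go
package main

import (
	"crypto/des"
	"crypto/subtle"
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// crypt(3) alphabet: 0 '.', 1 '/', 2-11 digits, 12-37 'A'-'Z', 38-63 'a'-'z'.
const cryptAlphabet = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

// desKeyFromPassword: low 7 bits of each of the first eight characters, shifted
// left by one (the low bit of a DES key byte is parity and is ignored).
// Characters past the eighth are dropped, as in crypt(3).
func desKeyFromPassword(password string) []byte {
	key := make([]byte, 8)
	for i := 0; i < 8 && i < len(password); i++ {
		key[i] = (password[i] & 0x7f) << 1
	}
	return key
}

// encode64Bits renders the final DES block as 11 characters: 6-bit groups,
// most-significant bit first; the last group is 4 data bits plus 2 zero bits.
func encode64Bits(block []byte) string {
	var acc uint64
	for _, b := range block {
		acc = acc<<8 | uint64(b)
	}
	var out strings.Builder
	for i := 0; i < 10; i++ {
		out.WriteByte(cryptAlphabet[(acc>>uint(58-6*i))&63])
	}
	out.WriteByte(cryptAlphabet[(acc<<2)&63]) // last group: 4 data bits + 2 zero bits
	return out.String()
}

// zeroSaltCrypt: 64 zero bits DES-encrypted under the password key, output fed
// back as input, 25 rounds, then salt + 11 characters. Assumption/caveat: real
// crypt(3) also swaps expansion-table entries according to the 12 salt bits;
// that step is not implemented, so results match real crypt(3) only for the
// salt "..". Other salts are validated and prefixed but do not alter the rounds.
func zeroSaltCrypt(password, salt string) (string, error) {
	if len(salt) != 2 || strings.IndexByte(cryptAlphabet, salt[0]) < 0 ||
		strings.IndexByte(cryptAlphabet, salt[1]) < 0 {
		return "", errors.New("salt must be two crypt-alphabet characters")
	}
	c, err := des.NewCipher(desKeyFromPassword(password))
	if err != nil {
		return "", err
	}
	block := make([]byte, 8) // the 64 zero bits fed into round 1
	for round := 0; round < 25; round++ {
		c.Encrypt(block, block) // each round's output is the next round's input
	}
	return salt + encode64Bits(block), nil
}

// passwdEntry: account:coded password:uid:gid:GCOS-field:homedir:shell.
type passwdEntry struct {
	Account, Hash, GCOS, Home, Shell string
	UID, GID                         int
}

func parsePasswdLine(line string) (passwdEntry, error) {
	f := strings.Split(line, ":")
	if len(f) != 7 {
		return passwdEntry{}, fmt.Errorf("expected 7 fields, got %d", len(f))
	}
	uid, err1 := strconv.Atoi(f[2])
	gid, err2 := strconv.Atoi(f[3])
	if err1 != nil || err2 != nil {
		return passwdEntry{}, fmt.Errorf("non-numeric uid/gid in %q", line)
	}
	return passwdEntry{Account: f[0], Hash: f[1], UID: uid, GID: gid,
		GCOS: f[4], Home: f[5], Shell: f[6]}, nil
}

// checkLogin is the login check from the slides: salt = first two characters
// of the stored field, crypt the candidate with it, compare in constant time.
func checkLogin(e passwdEntry, candidate string) bool {
	if len(e.Hash) != 13 {
		return false // malformed, locked ("*") or non-DES field: never accept
	}
	got, err := zeroSaltCrypt(candidate, e.Hash[:2])
	return err == nil && subtle.ConstantTimeCompare([]byte(got), []byte(e.Hash)) == 1
}

func main() {
	// Constructed sample: the slides' gigawalt fields with a hash made here
	// from the made-up password "wombat42" and the salt "..".
	hash, _ := zeroSaltCrypt("wombat42", "..")
	line := "gigawalt:" + hash + ":129:129:Walter Belgers:/home/gigawalt:/bin/csh"
	e, err := parsePasswdLine(line)
	if err != nil {
		panic(err)
	}
	fmt.Println(line)
	fmt.Println("correct accepted:", checkLogin(e, "wombat42"), "wrong accepted:", checkLogin(e, "wombat43"))
}
```

Two details carry over to any password scheme: the stored field is never decrypted, only recomputed and compared, and the comparison should be constant-time so that a rejected guess reveals nothing about how many characters matched.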
Password Security: How to find passwords on a Unix System (continued)
- Although decryption is nearly impossible, it is possible to encrypt 64 0-bits with some words and see if the result 'incidentally' is the password.
- Once this is accomplished, the account is hacked.
- One could speculate on the capability to check all possible passwords this way.
  - It would take the fastest computer longer than the time the universe has existed.
- Alternatively, trying out only passwords consisting of six lowercase characters makes it possible to try out all combinations in a reasonable time.
- Using an extremely powerful computer, the latest record for password decryption (passwords consisting of six lowercase characters) stands at one hour per user.
- Passwords of accounts that are attractive to hackers should therefore never consist solely of lowercase characters!
Password Examples
Common passwords (source: Egg survey, 2003):
- 23% child's name
- 19% partner's name
- 12% birthdays
- 9% football team
- 9% celebrities and bands
- 9% favorite places
- 8% own name
- 8% pet's name
Egg is an online financial services provider based in England.
Password Hacking Example
- A password guessing program was used on the password file of a system in operation.
- The program used was Crack v4.1 with ufcrypt (ultra-fast crypt, a fast implementation of the DES algorithm) on a network of SUN ELC computers.
- The performance of these computers (20 MIPS) is comparable to that of a modern PC.
- The program was stopped before it was finished, after almost 60 hours. All passwords that were found were found within the first 25 hours.
- Results
  - Type of machines: 11x SUN ELC
  - Total number of accounts: 521
  - Number of hacked accounts: 58 (11.1%) (with interactive shell: 56 (10.7%))
  - Total time: 59:13 (real time, not CPU time)
  - Passwords found, by dictionary category:
    - 1 lists: 42 (7.2%)
    - 2 common names: 1 (0.2%)
    - 3 user/account name: 5 (0.9%)
    - 4 phrases and patterns: 3 (0.5%)
    - 5 women's names: 2 (0.3%)
    - 6 men's names: 4 (0.7%)
    - 7 cities: 1 (0.2%)
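The previous two password slides give a defender two concrete checks: a password must not fall into one of the dictionary categories that Crack found (word lists, names, the account name itself, phrases and patterns), and its search space must be larger than the six-lowercase-letter space (26^6) that the slides report as searchable in about an hour. The Go program below is an added example written for these notes, not code from the slides or from Crack. Its word list is a small constructed stand-in for Crack's dictionaries, the 26^6 baseline is taken from the slides, and the character-class sizes (26 lowercase, 26 uppercase, 10 digits, 33 other printable ASCII) are this example's assumption.

```go
package main

import (
	"fmt"
	"math/big"
	"strings"
	"unicode"
)

// Constructed stand-in for the kinds of lists the slides' categories name
// (word lists, common/women's/men's names, cities, phrases and patterns).
// An assumption of this example, not a list from the slides or from Crack.
var constructedWordList = map[string]bool{
	"password": true, "secret": true, "qwerty": true, "123456": true,
	"walter": true, "amsterdam": true, "letmein": true,
}

// sixLowercaseKeyspace is 26^6, the search the slides report as finished in
// about one hour per user.
var sixLowercaseKeyspace = big.NewInt(308915776)

// keyspace estimates how many candidates an exhaustive search restricted to the
// password's own character classes needs: (alphabet size)^length, with
// lowercase 26, uppercase 26, digits 10, other printable ASCII 33 (assumed).
// big.Int keeps the value exact for long passwords.
func keyspace(pw string) *big.Int {
	var lower, upper, digit, other bool
	for _, r := range pw {
		switch {
		case unicode.IsLower(r):
			lower = true
		case unicode.IsUpper(r):
			upper = true
		case unicode.IsDigit(r):
			digit = true
		default:
			other = true
		}
	}
	alphabet := int64(0)
	if lower {
		alphabet += 26
	}
	if upper {
		alphabet += 26
	}
	if digit {
		alphabet += 10
	}
	if other {
		alphabet += 33
	}
	length := int64(len([]rune(pw)))
	return new(big.Int).Exp(big.NewInt(alphabet), big.NewInt(length), nil)
}

// allLowercase reports whether every character is a lowercase letter.
func allLowercase(pw string) bool {
	if pw == "" {
		return false
	}
	for _, r := range pw {
		if !unicode.IsLower(r) {
			return false
		}
	}
	return true
}

// assessPassword lists the reasons a password would fall to the guessing the
// slides describe; an empty result means none of these checks fired.
func assessPassword(account, pw string) []string {
	var reasons []string
	lp := strings.ToLower(pw)
	if la := strings.ToLower(account); la != "" && strings.Contains(lp, la) {
		reasons = append(reasons, "contains the account name (Crack category 3)")
	}
	if constructedWordList[lp] {
		reasons = append(reasons, "appears in a word list (Crack category 1)")
	}
	if allLowercase(pw) {
		reasons = append(reasons, "consists solely of lowercase characters")
	}
	if keyspace(pw).Cmp(sixLowercaseKeyspace) <= 0 {
		reasons = append(reasons, "search space no larger than six lowercase letters (26^6)")
	}
	return reasons
}

func main() {
	// Constructed candidates for the slides' gigawalt account.
	for _, pw := range []string{"gigawalt1", "secret", "abcdefg", "Tr0ub4dor&3"} {
		fmt.Printf("%-12s keyspace=%s reasons=%v\n", pw, keyspace(pw), assessPassword("gigawalt", pw))
	}
}
```

The keyspace figure is an upper bound on an attacker's effort, not a measure of strength: "secret" has the full 26^6 space yet falls to the word list first, which is why the dictionary checks run before the arithmetic.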
Hacking
- Digital terrorism versus true hacking.
- The word "hacker" was first applied to people who pushed the limits of technology.
  - Stemmed from practical jokers violating the phone network.
  - Radio was where the term was first applied.
  - Later applied to computers.
- The word was long used to describe elaborate college pranks, particularly at MIT.
- The hackers' golden age, marked by the quest for knowledge, ended around the early 90s.
- Best hack of all time:
  - Two employees derived an open set of rules to run machines.
  - The net result was Unix, created by Dennis Ritchie and Ken Thompson.
Hacking (continued): Hacker Profile
- Four types of hackers
  - Old School Hackers
    - 60s-style computer programmers.
    - Focus on lines of code.
    - Hacking is a badge of honor.
  - Script Kiddies, or Cyber-Punks
    - Between 12 and 30 years old.
    - Predominantly white and male.
    - Avg. of 12th grade education.
  - Professional Criminals, or Crackers
    - Hacking as a way of living.
    - Break in and sell the info.
  - Coders and Virus Writers
    - Elite status.
    - Extensive programming background.
    - Networking and hacking communities or clubs.
Hacking (continued): Famous Hoaxes
- Jdbgmgr.exe Hoax (2002): an email instructs users to delete the file Jdbgmgr.exe (teddy bear icon) because it is a destructive virus spread through MSN Messenger.
  - Truth: the file is actually a vital system file for Windows.
- WTC Survivor (2001): an email advises users to delete any message with the subject line "WTC Survivor" or else a virus will delete their entire C: drive.
  - This massive chain-letter hoax played on people's emotions following the Sept. 11, 2001 tragedy.
- Kournikova (2001): in February, an email with an attached JPEG image of tennis star Anna Kournikova propagates in cyberspace.
  - The "JPEG" was a relatively harmless virus, easily detected by anti-virus software. Thus, many companies were unwilling to admit whether it had affected their systems, resulting in a light sentence for the author of the virus.
Next Session Highlights