
Web security attacks September 26, 2007

Posted by Coolguy in IT Security.

Man in the middle attack: Attacker puts up a fake website and entices the user to log on.

Directory harvest: Spammers guess the addresses till they get it right. E-mail servers work at full capacity meanwhile.


Building secure webservices August 11, 2005

Posted by Coolguy in IT Security, Web Services.

Broadly speaking, web services might have five security requirements:

  1. Confidentiality: Ensuring that information is accessible only to those authorized to have access.
  2. Authorization: The authorization process is used to decide if person, program or device X is allowed to have access to data, functionality or service Y.
  3. Data integrity: Ensures that data is unchanged from its source and has not been accidentally or maliciously modified, altered, or destroyed.
  4. Message origin authentication
  5. Non-repudiation: Non-repudiation means ensuring that a transferred message has been sent and received by the parties claiming to have sent and received the message. Non-repudiation is a way to guarantee that the sender of a message cannot later deny having sent the message and that the recipient cannot deny having received the message.

The first three of these can be safely managed by using transport layer security mechanisms such as SSL. Using SSL, the channel over which two parties communicate can be kept confidential: data is encrypted by the sender and decrypted by the recipient. With server-side SSL the client obtains a copy of the Web server's certificate, allowing it to authenticate the server and establish an encrypted channel. Client-side SSL enables two-way authentication, enabling clients to authenticate service providers and service providers to authenticate clients. However, it requires that digital certificates be distributed to all users, which results in significant administrative problems. It would still work if we have a service used by clients whom we know. It is obviously more secure than just server-side SSL and works well in reassuring clients of the security of our services. These should be pretty straightforward to implement.

Typical steps are likely to be:

  1. Approach any CA to issue a digital certificate for your company.
  2. Use OpenSSL and mod_ssl to secure the web servers.
  3. Give certificates to all clients who will access the system, and it would work straight away.

But SSL does not address the need for accountability (if it's needed). It is difficult to even prove that an SSL session existed once it has been closed. Keyed-hashing such as HMAC, using a secret key shared in an authenticated way, is sufficient for message origin authentication, but not sufficient for non-repudiation. Non-repudiation requires a digital signature algorithm such as RSA or DSA. In effect you need to go for SOAP layer security if:

  1. You use a variety of transport protocols such as HTTP and SMTP, which could make transport layer security a bit flaky. Even though SOAP can use any transport layer, the most widely used is HTTP.
  2. There are intermediaries which handle the message before it even reaches your servers, in which case relying on SSL would fail.

So you might as well make do with transport layer security as long as you don't need accountability, which might vary from application to application. If you do need accountability, you could employ XML signatures.
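The difference between HMAC and a digital signature described above, as an added example that is not code from the original post. The messages, class name and key sizes are constructed for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

public class OriginVsNonRepudiation {
    static byte[] hmac(byte[] key, String msg) throws GeneralSecurityException {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(key, "HmacSHA256"));
        return mac.doFinal(msg.getBytes(StandardCharsets.UTF_8));
    }

    static byte[] sign(PrivateKey key, String msg) throws GeneralSecurityException {
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initSign(key);
        s.update(msg.getBytes(StandardCharsets.UTF_8));
        return s.sign();
    }

    static boolean verify(PublicKey key, String msg, byte[] sig) throws GeneralSecurityException {
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initVerify(key);
        s.update(msg.getBytes(StandardCharsets.UTF_8));
        return s.verify(sig);
    }

    public static void main(String[] args) throws GeneralSecurityException {
        // Constructed sample messages (not from the original post).
        String sent = "<transfer><to>ACC-1</to><amount>100</amount></transfer>";
        String disputed = "<transfer><to>ACC-1</to><amount>9999</amount></transfer>";

        // HMAC: client and service share one secret key.
        byte[] shared = new byte[32];
        new SecureRandom().nextBytes(shared);
        byte[] clientTag = hmac(shared, sent);
        // The service authenticates the origin with a constant-time comparison.
        System.out.println("HMAC origin check:      " + MessageDigest.isEqual(clientTag, hmac(shared, sent)));
        // The service holds the same key, so it can tag a message the client never sent.
        // An arbiter given the key sees a valid tag and cannot tell which key holder made it.
        byte[] serviceTag = hmac(shared, disputed);
        System.out.println("Service-made tag valid: " + MessageDigest.isEqual(serviceTag, hmac(shared, disputed)));

        // RSA signature: only the client holds the private key, anyone can verify.
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair client = kpg.generateKeyPair();
        byte[] sig = sign(client.getPrivate(), sent);
        System.out.println("Signature on sent msg:  " + verify(client.getPublic(), sent, sig));
        System.out.println("Same sig on other msg:  " + verify(client.getPublic(), disputed, sig));
    }
}
```

Both HMAC lines print true, which is the problem for accountability: a valid tag proves only that one of the two key holders produced it. The signature verifies for the sent message only.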

SSL fails to protect Web services from more traditional forms of attacks. For example, a hacker could stage a buffer overflow attack by sending through parameters that are longer than the Web service expects. Validating the content of messages before routing to the Web service and keeping account of Web service usage can counteract this type of attack. SSL does not identify harmful message content or provide records of usage that would enable these attacks to be detected. To ensure that no malicious data is sent to a Web Service that would cause that service to fail, the content of a message can be verified against an XML Schema. This ensures that the structure of the message is correct and may also involve checking that the values of parameters meet those outlined in the XML Schema.
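One way to check message content against an XML Schema before it reaches the service, as an added example that is not code from the original post. The `getQuote` operation, its schema and the sample payloads are hypothetical and constructed; the example validates the payload carried in the SOAP body rather than the whole envelope, and needs Java 11 or later.

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.transform.stream.StreamSource;
import javax.xml.validation.*;

public class SoapBodyValidator {
    // Constructed schema for a hypothetical getQuote operation: bounded string, bounded integer.
    static final String XSD =
          "<xs:schema xmlns:xs='http://www.w3.org/2001/XMLSchema'>"
        + "<xs:element name='getQuote'><xs:complexType><xs:sequence>"
        + "<xs:element name='symbol'><xs:simpleType><xs:restriction base='xs:string'>"
        + "<xs:maxLength value='8'/><xs:pattern value='[A-Z]+'/>"
        + "</xs:restriction></xs:simpleType></xs:element>"
        + "<xs:element name='quantity'><xs:simpleType><xs:restriction base='xs:int'>"
        + "<xs:minInclusive value='1'/><xs:maxInclusive value='1000'/>"
        + "</xs:restriction></xs:simpleType></xs:element>"
        + "</xs:sequence></xs:complexType></xs:element></xs:schema>";

    static Schema loadSchema() throws Exception {
        SchemaFactory f = SchemaFactory.newInstance(XMLConstants.W3C_XML_SCHEMA_NS_URI);
        // Do not let schema loading fetch external DTDs or schemas.
        f.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        f.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        return f.newSchema(new StreamSource(new StringReader(XSD)));
    }

    // Returns null when the payload conforms, otherwise the validator's reason for rejecting it.
    static String reject(Schema schema, String payload) {
        try {
            Validator v = schema.newValidator();
            v.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");
            v.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
            v.validate(new StreamSource(new StringReader(payload)));
            return null;
        } catch (Exception e) { return e.getMessage(); }
    }

    public static void main(String[] args) throws Exception {
        Schema schema = loadSchema();
        String[] payloads = {   // constructed inputs: valid, overlong parameter, unexpected element
            "<getQuote><symbol>ACME</symbol><quantity>10</quantity></getQuote>",
            "<getQuote><symbol>" + "A".repeat(5000) + "</symbol><quantity>10</quantity></getQuote>",
            "<getQuote><symbol>ACME</symbol><quantity>10</quantity><debug>1</debug></getQuote>",
        };
        for (String p : payloads) {
            String why = reject(schema, p);
            System.out.println(why == null ? "forward to service" : "drop and log: " + why);
        }
    }
}
```

The rejection reason is what goes into the usage record, so oversized or malformed requests leave a trace even though the transport was encrypted.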

Implementation details specific to Java:

JSSE, which is now a part of the JDK, could be used to establish a connection with an SSL server. The javax.net.ssl.*, javax.security.cert.X509Certificate and java.security.KeyStore packages will help in establishing a connection with a secure server. You give a key file, password and URL to the clients, who will then use this info and the above classes to write clients which talk to the secure server. Typically a client would:

  • Load the certificate
  • Check it's still valid
  • Create an SSLSocket to the URL provided on the port provided (443 on live and 444 for testing?)
  • Write the SOAP message to the socket
  • Wait for server to acknowledge the message
  • Close and go away
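The client steps above as a JSSE sketch, added here as an example and not code from the original post. It assumes the key file is a PKCS#12 store with a single entry, uses `java.security.cert.X509Certificate` (the `javax.security.cert` variant is deprecated), and the `/service` path and `ping` body are hypothetical.

```java
import java.io.*;
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import javax.net.ssl.*;

public class SoapTlsClient {
    // Arguments (supplied by the service operator): <keyfile.p12> <password> <host> <port>
    public static void main(String[] args) throws Exception {
        char[] password = args[1].toCharArray();
        String host = args[2];
        int port = Integer.parseInt(args[3]);

        // 1. Load the client certificate and private key from the key file.
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (InputStream in = new FileInputStream(args[0])) { ks.load(in, password); }

        // 2. Check it is still valid; throws if expired or not yet valid.
        String alias = ks.aliases().nextElement();   // assumption: one entry in the store
        ((X509Certificate) ks.getCertificate(alias)).checkValidity();

        // 3. Client-side SSL: present our key; the server is checked against the default trust store.
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, password);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), null, null);
        try (SSLSocket s = (SSLSocket) ctx.getSocketFactory().createSocket(host, port)) {
            // A raw SSLSocket does not match the certificate to the host name unless asked to.
            SSLParameters p = s.getSSLParameters();
            p.setEndpointIdentificationAlgorithm("HTTPS");
            s.setSSLParameters(p);
            s.startHandshake();

            // 4. Write the SOAP message (hypothetical body and path) as an HTTP POST.
            byte[] body = ("<soap:Envelope xmlns:soap=\"http://schemas.xmlsoap.org/soap/envelope/\">"
                + "<soap:Body><ping/></soap:Body></soap:Envelope>").getBytes(StandardCharsets.UTF_8);
            String head = "POST /service HTTP/1.1\r\nHost: " + host + "\r\n"
                + "Content-Type: text/xml; charset=utf-8\r\nSOAPAction: \"\"\r\n"
                + "Content-Length: " + body.length + "\r\nConnection: close\r\n\r\n";
            OutputStream out = s.getOutputStream();
            out.write(head.getBytes(StandardCharsets.US_ASCII));
            out.write(body);
            out.flush();

            // 5. Wait for the server to acknowledge: read the HTTP status line.
            BufferedReader r = new BufferedReader(new InputStreamReader(s.getInputStream(), StandardCharsets.UTF_8));
            System.out.println("Server replied: " + r.readLine());
        } // 6. try-with-resources closes the socket.
    }
}
```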

Protecting Passwords February 23, 2005

Posted by Coolguy in IT Security.

Protecting Passwords

Password Encryption: Rationale and Java Example February 23, 2005

Posted by Coolguy in IT Security.

Password Encryption: Rationale and Java Example