Web Services Security - PowerPoint PPT Presentation

Slides: 16
Provided by: ellise

Transcript and Presenter's Notes
1
Web Services Security
  • Web services security is not particularly difficult
    to implement.
  • The inability to gain consensus on an approach has
    been the gating factor.
  • IBM, Microsoft, and Verisign joined to establish a
    web service security standard called WS-Security.

2
Web Services Security
  • WS-Security is an OASIS-approved standard.
  • WS-Security leverages the W3C's XML Encryption,
    XML Signature, and Canonical XML standards.
  • Microsoft created the Web Services Enhancements
    (WSE) add-on package for .NET.
  • WSE provides a foundation for building
    applications based on Web services.
  • Specifications published by Microsoft and
    industry partners include
    • WS-Security,
    • WS-Policy,
    • WS-SecurityPolicy,
    • WS-Trust,
    • WS-SecureConversation, and
    • WS-Addressing.

3
Digital Signatures Web Services
4
W3C / IETF Web Services Security Initiatives
  • The World Wide Web Consortium and the Internet
    Engineering Task Force are working on XML digital
    signature and encryption recommendations that define
    • the processing rules, and
    • the syntax for securing XML data structures.
  • These signatures can be applied to information in
    any form, not just XML.
  • The signed material can be attached to the
    signature or located remotely and referenced through
    a uniform resource identifier.
  • At the same time, the standard lets the scope of
    the signature be matched to the hierarchical
    structure of XML documents, so that a single element
    or subtree can be signed rather than the whole
    document.
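The following is an added example, not code from the presentation, showing what the two previous slides describe: a WS-Security header carrying an XML-DSig style signature whose scope is matched to one subtree (the soap:Body) via a wsu:Id reference, and the receiver re-deriving the digest to detect tampering. Two simplifications are assumed rather than taken from the page: the signature method is HMAC-SHA256 under a shared key instead of an RSA key pair, and canonicalization is the Python standard library's C14N 2.0 rather than the Exclusive C14N 1.0 that WS-Security deployments normally use. The namespace URIs are the real SOAP, WSS and XML-DSig ones; the payload and key are constructed for the example.

```python
"""WS-Security-style signature over one SOAP element (added example)."""
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
DS = "http://www.w3.org/2000/09/xmldsig#"
HMAC_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#hmac-sha256"
SHA256 = "http://www.w3.org/2001/04/xmlenc#sha256"

for prefix, uri in (("soap", SOAP), ("wsse", WSSE), ("wsu", WSU), ("ds", DS)):
    ET.register_namespace(prefix, uri)


def q(ns, local):
    return "{%s}%s" % (ns, local)


def canonical(element):
    """Canonical form of one subtree. Signer and verifier must canonicalize
    identically, otherwise harmless differences (attribute order, whitespace)
    change the digest. C14N 2.0 from the stdlib is an assumption of this example."""
    return ET.canonicalize(ET.tostring(element, encoding="unicode"), strip_text=True)


def digest(element):
    return hashlib.sha256(canonical(element).encode("utf-8")).digest()


def build_envelope(payload_xml):
    env = ET.Element(q(SOAP, "Envelope"))
    ET.SubElement(env, q(SOAP, "Header"))
    body = ET.SubElement(env, q(SOAP, "Body"))
    body.set(q(WSU, "Id"), "Body")            # the ds:Reference below points at this Id
    body.append(ET.fromstring(payload_xml))
    return env


def sign(env, key):
    """Add <wsse:Security><ds:Signature> whose single Reference covers the Body."""
    body = env.find(q(SOAP, "Body"))
    security = ET.SubElement(env.find(q(SOAP, "Header")), q(WSSE, "Security"))
    sig = ET.SubElement(security, q(DS, "Signature"))
    info = ET.SubElement(sig, q(DS, "SignedInfo"))
    ET.SubElement(info, q(DS, "SignatureMethod"), Algorithm=HMAC_SHA256)
    ref = ET.SubElement(info, q(DS, "Reference"), URI="#" + body.get(q(WSU, "Id")))
    ET.SubElement(ref, q(DS, "DigestMethod"), Algorithm=SHA256)
    ET.SubElement(ref, q(DS, "DigestValue")).text = base64.b64encode(digest(body)).decode()
    # The MAC covers SignedInfo (which carries the Body digest), not the Body itself.
    mac = hmac.new(key, canonical(info).encode("utf-8"), hashlib.sha256).digest()
    ET.SubElement(sig, q(DS, "SignatureValue")).text = base64.b64encode(mac).decode()
    return env


def verify(env, key):
    """True only if SignatureValue matches SignedInfo and every Reference's
    digest matches exactly one element carrying the referenced wsu:Id."""
    sig = env.find(".//" + q(DS, "Signature"))
    if sig is None:
        return False
    info = sig.find(q(DS, "SignedInfo"))
    expected = hmac.new(key, canonical(info).encode("utf-8"), hashlib.sha256).digest()
    stored_mac = base64.b64decode(sig.findtext(q(DS, "SignatureValue"), ""))
    if not hmac.compare_digest(expected, stored_mac):
        return False
    for ref in info.findall(q(DS, "Reference")):
        target_id = ref.get("URI", "")[1:]
        targets = [el for el in env.iter() if el.get(q(WSU, "Id")) == target_id]
        if len(targets) != 1:          # an absent or duplicated Id is rejected, never guessed at
            return False
        stored_digest = base64.b64decode(ref.findtext(q(DS, "DigestValue"), ""))
        if not hmac.compare_digest(digest(targets[0]), stored_digest):
            return False
    return True


def on_the_wire(env):
    """Serialize and re-parse, as the receiving service would see the message."""
    return ET.fromstring(ET.tostring(env))


def demo(key=b"shared-secret-for-the-example"):
    """Returns (verifies untouched, verifies after the Body was altered in transit)."""
    env = sign(build_envelope("<Transfer><Amount>10</Amount></Transfer>"), key)
    received = on_the_wire(env)
    untouched = verify(received, key)
    received.find(".//Amount").text = "10000"   # tamper with the signed subtree
    return untouched, verify(received, key)


if __name__ == "__main__":
    print(demo())   # (True, False)
```

The verifier refuses a Reference whose wsu:Id matches zero or more than one element; resolving an ambiguous Id to "whichever comes first" is how signed-but-wrong-element mistakes creep into WS-Security handlers.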

5
Password Security
  • Passwords provide the last line of defense with
    regard to authentication.
  • The hacker's goal is to obtain superuser status.
  • Normal strategy: exploit
    • badly installed software,
    • bugs in (system) software, or
    • human errors.
  • When someone attempts to hack into a computer,
    • the first thing needed is a user account, which is
      usually easy to get;
    • next the hacker needs a password.

6
Password Security (continued)
  • It is of utmost importance that all (!) users on
    a system choose a password that is not easy to
    guess.
  • The security of each individual user is closely
    tied to the security of the whole system.
  • Users often have no idea how a multi-user system
    works and don't realize that, by choosing an
    easy-to-remember password, they indirectly make it
    possible for an outsider to manipulate the entire
    system.
  • It is therefore important to make users aware of
    the security guidelines.

7
Password Security: How to find passwords on a
Unix System
  • In most cases, the passwords are stored in one-way
    encrypted (hashed) form in the file /etc/passwd, or
    on the server in a client/server (NIS) scenario.
    (Modern systems keep the hashes in /etc/shadow,
    readable only by root; the attack below assumes the
    hashes can be read.)
  • In the latter case, the password file can be
    obtained with the command ypcat passwd.
  • A line from the password file looks like this:
  • account:coded password:uid:gid:GCOS-field:homedir:shell
  • A user with account gigawalt, crypted password
    fURfuu4.4hY0U, userid 129 (a user with userid 0 is
    superuser; there may be more than one such user),
    groupid 129, information (GCOS) Walter Belgers,
    home directory /home/gigawalt and shell /bin/csh
    will have an entry in /etc/passwd like this:
  • gigawalt:fURfuu4.4hY0U:129:129:Walter Belgers:/home/gigawalt:/bin/csh
  • Passwords are crypted using DES.
  • UNIX password encryption uses the DES algorithm
    25 times in a row.
  • The first DES round uses 64 0-bits as input and
    encrypts them with the password the user inputs as
    the key (only the first 8 characters are used),
    with a permutation taking place during the
    encryption process.
  • The chosen permutation is coded into two characters
    called the 'salt'.

8
Password Security: How to find passwords on a
Unix System (continued)
  • The salt is stored in the password file, as the
    first two characters of the coded password field.
  • The output is used as input for the next DES
    round, which uses the same key and permutation.
  • The process repeats until there is a final output
    from the 25th DES round.
  • This method of encryption is practically
    irreversible:
    • it is easy to encrypt a string;
    • it is infeasible to find the original of a string
      encrypted as described above, because the password
      is the key, not the plaintext: nothing is ever
      decrypted.
  • It is possible to find the key of a string encrypted
    with a single DES operation by exhaustive search; the
    25-fold iteration and the salt are there to make that
    search correspondingly more expensive.
  • How can a user log in?
    • The user inputs his or her password, which is
      used as the key to crypt 64 0-bits,
    • using the salt found in the password file for
      that user.
    • If the output corresponds to the eleven characters
      that represent the crypted password in the password
      file (the part after the two salt characters), the
      password is considered valid and the user is
      permitted to access the system.

9
Password Security: How to find passwords on a
Unix System (continued)
  • Although decryption is practically impossible, it is
    possible to encrypt 64 0-bits with some candidate
    words and see whether the result 'incidentally'
    equals the stored password.
  • Once that succeeds, the account is hacked.
  • One could speculate about the capability to check all
    possible passwords this way.
  • It would take the fastest computer longer than the
    time the universe has existed.
  • Alternatively, trying only passwords consisting of
    six lowercase characters (26^6 = 308,915,776
    combinations) makes it possible to try all
    combinations in a reasonable time.
  • Using an extremely powerful computer, the latest
    record for cracking such passwords (six lowercase
    characters) stands at one hour per user.
  • Passwords of accounts that are attractive to
    hackers should therefore never consist solely of
    lowercase characters!
  • Caveat: these timings belong to the era of 20-MIPS
    workstations (see the Crack experiment on a later
    slide). On current GPU hardware the entire
    8-character DES crypt(3) keyspace is within reach, so
    the lesson carries over as: use a modern, deliberately
    slow password hash and long passphrases, not merely
    mixed case.
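The three preceding slides (password-file format, the 25-round salted one-way transformation, the login check, and the guess-and-compare attack) are brought together in the following added example. It is not the presentation's code, nor the original Crack program. One substitution is assumed: Python 3.13 removed the standard library's crypt module, so the DES encryption in each of the 25 rounds is replaced by HMAC-SHA256 truncated to 64 bits; everything else mirrors crypt(3) (64 zero bits as the starting block, the first 8 characters of the password as the key, a 2-character salt from the crypt alphabet, 11 output characters). The sample password file, the passwords behind its hashes, and the word list are constructed for the example; the account gigawalt is the one from the slide, with a password chosen here.

```python
"""Salted one-way password hashing, the login check, and a dictionary attack
over a /etc/passwd-style file (added example; the round function stands in
for DES, see the lead-in)."""
import hashlib
import hmac

ALPHABET = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
ROUNDS = 25


def toy_crypt(password, salt):
    """salt (2 chars) + 11 chars encoding the 64-bit result of 25 keyed rounds."""
    if len(salt) != 2 or any(c not in ALPHABET for c in salt):
        raise ValueError("salt must be two characters from the crypt alphabet")
    key = password[:8].encode()      # crypt(3) ignores everything past 8 characters
    state = bytes(8)                 # the 64 zero bits
    for _ in range(ROUNDS):          # each round keyed by the password, perturbed by the salt
        state = hmac.new(key, state + salt.encode(), hashlib.sha256).digest()[:8]
    n = int.from_bytes(state, "big") << 2          # 64 bits padded to 66 = 11 x 6 bits
    return salt + "".join(ALPHABET[(n >> (6 * i)) & 63] for i in range(10, -1, -1))


def check_password(stored, password):
    """The login check: re-run the hash with the stored salt and compare."""
    return hmac.compare_digest(toy_crypt(password, stored[:2]), stored)


def parse_passwd(text):
    """Split colon-separated password-file lines into dicts."""
    users = []
    for line in text.splitlines():
        if not line.strip():
            continue
        name, hashed, uid, gid, gecos, home, shell = line.split(":")
        users.append({"name": name, "hash": hashed, "uid": int(uid),
                      "gecos": gecos, "home": home, "shell": shell})
    return users


def candidates(user, wordlist):
    """Guess generator in the spirit of Crack's rules: the account name, words
    from the GCOS field and a word list, each also lower-cased, capitalized,
    reversed and with a common suffix appended."""
    seen = set()
    for word in [user["name"], *user["gecos"].split(), *wordlist]:
        for variant in (word, word.lower(), word.capitalize(), word[::-1]):
            for suffix in ("", "1", "2", "123"):
                guess = variant + suffix
                if guess not in seen:
                    seen.add(guess)
                    yield guess


def crack(passwd_text, wordlist):
    """Return {account: password} for every stored hash some guess reproduces."""
    found = {}
    for user in parse_passwd(passwd_text):
        if len(user["hash"]) != 13:      # '*', 'x' (shadowed) or empty: nothing to attack
            continue
        for guess in candidates(user, wordlist):
            if check_password(user["hash"], guess):
                found[user["name"]] = guess
                break
    return found


def keyspace(alphabet_size, length):
    return alphabet_size ** length


def hours_to_exhaust(alphabet_size, length, guesses_per_second):
    """The slide's arithmetic: six lowercase letters is 26**6 = 308,915,776
    guesses; at roughly 85,800 guesses per second that is the quoted hour."""
    return keyspace(alphabet_size, length) / guesses_per_second / 3600


def make_passwd():
    """Constructed sample file; hashes are generated here from the passwords
    in the table, they are not real system data. 'guest' is a locked account."""
    rows = [("gigawalt", "Walter1", "fU", 129, "Walter Belgers", "/home/gigawalt", "/bin/csh"),
            ("root", "q7$Zk!pW", "Ab", 0, "superuser", "/", "/bin/sh"),
            ("jdoe", "secret", "xy", 130, "John Doe", "/home/jdoe", "/bin/sh")]
    lines = [f"{n}:{toy_crypt(p, s)}:{u}:{u}:{g}:{h}:{sh}" for n, p, s, u, g, h, sh in rows]
    lines.append("guest:*:200:200:Guest account:/tmp:/bin/false")
    return "\n".join(lines)


SAMPLE_PASSWD = make_passwd()
WORDLIST = ["password", "secret", "tennis", "summer"]

if __name__ == "__main__":
    print(crack(SAMPLE_PASSWD, WORDLIST))   # {'gigawalt': 'Walter1', 'jdoe': 'secret'}
    print(f"{hours_to_exhaust(26, 6, 85_800):.2f} hours for six lowercase letters")
```

Note what the attack never does: it never inverts anything. The GCOS field gives away "Walter", one rule appends a digit, and the stored hash simply confirms the guess; root's password survives only because no rule produces it, which is the whole argument of the slides for keeping hashes unreadable and passwords unguessable.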

10
Password Examples
Common passwords (Egg survey, 2003):

  Share (%)   Password based on
  23          child's name
  19          partner's name
  12          birthdays
   9          football team
   9          celebrities and bands
   9          favorite places
   8          own name
   8          pet's name

Source: Egg survey 2003. Egg is an online financial
services provider based in England.
11
Password Hacking Example
  • A password guessing program was run on the password
    file of a system in operation.
  • The program used was Crack v4.1 with ufcrypt
    (ultra-fast crypt, a fast implementation of the
    DES algorithm) on a network of SUN ELC computers.
  • The performance of these computers (20 MIPS) was
    comparable to that of a PC of the same era.
  • The program was stopped before it had finished,
    after almost 60 hours. All passwords that were found
    had been found within the first 25 hours.
  • Results:
    • Type of machines: 11x SUN ELC
    • Total number of accounts: 521
    • Number of hacked accounts: 58 (11.1%) (with
      interactive shell: 56 (10.7%))
    • Total time: 59:13 hours (real time, not CPU time)
    • Cracked accounts by the dictionary that produced
      the guess:
      1. lists 42 (7.2%)
      2. common names 1 (0.2%)
      3. user/account name 5 (0.9%)
      4. phrases and patterns 3 (0.5%)
      5. women's names 2 (0.3%)
      6. men's names 4 (0.7%)
      7. cities 1 (0.2%)

12
Hacking
  • Digital terrorism versus true hacking.
  • The word hacker was first applied to people who
    pushed the limits of technology.
  • It stemmed from practical jokers manipulating the
    phone network; radio was where the term was first
    applied, and it was later applied to computers.
  • The word was long used to describe elaborate college
    pranks, particularly at MIT.
  • The hackers' golden age, marked by the quest for
    knowledge, ended around the early 90s.
  • Best hack of all time:
    • two Bell Labs employees derived an open set of rules
      to run machines;
    • the net result was Unix, created by Dennis Ritchie
      and Ken Thompson.


13
Hacking (continued): Hacker Profile
  • Four types of hackers:
  • Old School Hackers
    • 60s-style computer programmers.
    • Focus on lines of code.
    • Hacking is a badge of honor.
  • Script Kiddies, or Cyber-Punks
    • Between 12 and 30 years old.
    • Predominantly white and male.
    • Average of a 12th-grade education.
  • Professional Criminals, or Crackers
    • Hacking as a way of living.
    • Break in and sell the info.
  • Coders and Virus Writers
    • Elite status.
    • Extensive programming background.
    • Networking and hacking communities or clubs.

14
Hacking (continued): Famous Hoaxes
  • Jdbgmgr.exe Hoax (2002): an email instructs
    users to delete the file Jdbgmgr.exe (teddy
    bear icon) because it is supposedly a destructive
    virus spread through MSN Messenger.
  • Truth: the file is a legitimate Windows component
    (Microsoft's Debugger Registrar for Java), not a
    virus.
  • WTC Survivor (2001): an email advises users to
    delete any message with the subject line "WTC
    Survivor" or else a virus will delete their
    entire C drive.
  • This massive chain-letter hoax played on people's
    emotions following the Sept. 11, 2001 tragedy.
  • Kournikova (2001): In February, an email with an
    attachment posing as a JPEG image of tennis star
    Anna Kournikova propagates in cyberspace.
  • The "JPEG" was in fact a VBScript worm, relatively
    harmless and easily detected by anti-virus software.
    Many companies were therefore unwilling to admit
    whether it had affected their systems, which resulted
    in a light sentence for the author of the virus.

15
Next Session Highlights
  • Final Exam