Web Services Security

1
Web Services Security

• Web services security not particularly difficult
  to implement.
  
• Inability to gain consensus on an approach is the
  gating factor.
  
• IBM, Microsoft, and Verisign have joined to
  establish web service security standards called
  WS-Security.

2
Web Services Security

• WS-Security is an OASIS-approved standard.
• WS-Security leverages the W3Cs XML Encryption,
  Signature, and Canonical standards.
  
• Microsoft created the Web Service Enhancements
  (WSE) add-on package for .NET.
  
• WSE provides a foundation for building
  applications based on Web services
  
• Specifications published by Microsoft and
  industry partners include
  
• WS-Security,
• WS-Policy,
• WSSecurityPolicy,
• WS-Trust,
• WS-SecureConversation, and
• WS-Addressing.

3
Digital Signatures Web Services
4
W3C IETF Web Services Security Initiatives

• The World Wide Web Consortium and the Internet
  Engineering Task Force working on
  
• XML digital signatures and encryption
  recommendations that will define the processing
  rule, and
  
• Syntax for securing XML data structures.
• These structures can be applied to information in
  any form, not just XML.
  
• The signed material can be attached to the
  signature or located remotely through a uniform
  resource identifier.
  
• At the same time, this standard will enable the
  scope of the signature to be matched to the
  hierarchical structure of XML documents.

5
Password Security

• Security providing a last line of defense with
  regards to authentication.
  
• Hacker goal obtain superuser status.
• Normal strategy
• badly installed software.
• bugs in (system)software.
• human errors.
• When someone attempts to hack into a computer,
• the first thing needed is a user account, usually
  easy to get.
  
• now the hacker needs a password.

6
Password Security (continued)

• It is of utmost importance that all (!) users on
  a system choose a password that is not easy to
  guess.
  
• The security of each individual user is closely
  related to the security of the whole system.
  
• Users often have no idea how a multi-user system
  works and don't realize that they, by choosing an
  easy to remember password, indirectly make it
  possible for an outsider to manipulate the entire
  system.
• It also says that it is important to notify the
  users of the security guidelines.

7
Password Security How to find passwords on a
Unix System

• In most cases, the passwords are stored
  encrypted in the file /etc/passwd or on the
  server in a c/s scenario.
  
• In the latter, can get the passwordfile by
  giving the command ypcat passwd.
  
• A line from the passwordfile looks like this
• accountcoded password datauidgidGCOS-fieldho
  medirshell
  
• A user with account gigawalt, crypted password
  fURfuu4.4hY0U, userid 129 (a user with userid 0,
  when there are more than one) is superuser),
  groupid 129, information (GCOS) Walter Belgers,
  homedirectory /home/gigawalt and shell /bin/csh
  will have an entry in /etc/passwd like this
• gigawaltfURfuu4.4hY0U129129Walter
  Belgers/home/gigawalt/bin/csh
  
• Passwords are crypted using DES.
• UNIX password encryption uses the DES algorithm
  25 times in a row.
  
• The first DES round uses 64 0-bits as input and
  encrypts them with the password the user inputs,
  with a permutation taking place during the
  encryption process.
• The chosen permutation is coded into two bytes
  called 'salt'.

8
Password Security How to find passwords on a
Unix System (continued)

• The salt is stored in the passwordfile.
• The output is used as input for the next DES
  round, which uses the same key and permutation.
  
• Process repeats until there is a final output
  from the 25th DES round.
  
• This method of encryption is almost
  irreversible.
  
• easy to encrypt a string.
• impossible to find the original of a string
  encrypted as described above.
  
• It is possible to find the original string
  encrypted using single DES.
  
• How can a user log in?
• the user inputs his or her password which is
  used as key to crypt 64 0-bits.
  
• using the salt found in the passwordfile for
  that user.
  
• If the output corresponds to the eleven bytes
  that represent the crypted password in the
  passwordfile the password is considered valid and
  the user will be permitted to access the system.

9
Password Security How to find passwords on a
Unix System (continued)

• Although decryption nearly impossible, it is
  possible to encrypt 64 0-bits with some words and
  see if the result 'incidentally' is the password.
  
• Once accomplished, then the account is hacked.
• Could speculate on capability to check all
  possible passwords this way.
  
• Would take the fastest computer longer than the
  time the universe exists.
  
• Alternatively, trying out only passwords
  consisting of six lowercase characters enahnces
  the possibility to try out all combinations in
  reasonable time.
• Using an extremely powerful computer, latest
  record for passwords decryption (consisting of
  six lowercase characters) stands at one hour per
  user.
• Passwords of accounts that are attractive to
  hackers should therefore never consist solely of
  lowercase characters!
  

10
Password Examples
Common passwords 23 child's name 19 partner'
s name 12 birthdays 9 football team 9 cel
ebrities and bands 9 favorite places 8 own n
ame 8 pet's name Source Egg survey 2003
Egg is an online financial services provider
based in England
11
Password Hacking Example

• Password guessing program used on a passwordfile
  of a system in operation.
  
• Program used was Crack v4.1 with ufcrypt
  (ultra-fast crypt, a fast implementation of the
  DES algorithm) on a network of SUN ELC computers.
  
• The performance of these computers (20 MIPS) is
  comparable to that of a modern PC.
  
• The program was stopped before it was finished
  after almost 60 hours. The passwords that were
  found were found within the first 25 hours.
  
• Results
• Type of machines 11x SUN ELC
• Total number of accounts 521
• Number of hacked accounts 58 (11.1) (with
  interactive shell 56 (10.7))
  
• Total time 5913 (real time, not CPU time)
• 1 lists 42 (7.2)
• 2 common names 1 (0.2)
• 3 user/account name 5 (0.9)
• 4 phrases and patterns 3 (0.5)
• 5 women's names 2 (0.3)
• 6 men's names 4 (0.7)
• 7 cities 1 (0.2)

12
Hacking

• Digital terrorism versus true hacking.
• Word hacker first applied to people who pushed
  the limits of technology.
  
• Stemmed from practical jokers violating phone
  network.
  
• Radio was where the term was first applied.
• Applied to computers.
• Word long used to describe the elaborate college
  pranks, particularly at MIT.
  
• Hackers golden age marked by quest knowledge
  ended around early 90s.
  
• Best hack of all time.
• Two employees derived open set of rules to run
  machines.
  
• Net result was Unix created by Dennis Ritchie and
  Ken Thompson.
  

13
Hacking (continued) Hacker Profile

• Four types of hackers
• Old School Hackers.
• 60s style computer programmers.
• Lines of code focus.
• Hacking is badge of honor.
• Script Kiddies, or Cyber-Punk.
• Between 12 30 years.
• Predominately white and male.
• Avg. of 12 grade education.
• Professional Criminals, or Crackers.
• Hacking as a way of living.
• Break-in and sell the info.
• Coders and Virus Writers.
• Elite status.
• Extensive programming background.
• Networking and hacking communities or clubs.

14
Hacking (continued) Famous Hoaxes

• Jdbgmgr.exe Hoax (2002) an email instructs
  users to delete the file Jdbgmgr.exe (teddy
  bear icon) because it is a destructive virus
  spread through MSN Messenger.
• Truth file is actually vital system file for
  Windows.
  
• WTC Survivor (2001) email advises users to
  delete any message with the subject line WTC
  Survivor or else a virus will delete their
  entire Cdrive.
• This massive chain-letter hoax played on peoples
  emotions following the Sept. 11, 2001 tragedy.
  
• Kournikova (2001) In February, an email with an
  attached JPEG image of tennis star Anna
  Kournikova propagates in cyberspace.
  
• The JPEG was a relatively harmless virus easily
  detected by anti-virus easily detected by
  anti-virus software. Thus, many companies were
  unwilling to admit whether it had affected their
  systems, resulting in a light sentence for the
  author of the virus.

15
Next Session Highlights

• Final Exam