axis-java-dev mailing list archives

From "Brian Reinhold" <brianreinh...@lampreynetworks.com>
Subject RE: Rampart STS Username service not returning password in callback *Update to change algo to SHA*
Date Wed, 16 Jan 2013 13:32:03 GMT
We should invoke something. I just said MD5 as an example. The password
digest approach uses SHA-1.

 

If I can find the location in the source code where the password callback is
set I will simply add the observed password.

 

 

I would look at it this way. Add support for getSentPassword() in the
callback. It will be the actual password sent in the Username Token. If the
password was sent ‘in the clear’ (but using TLS) then I would use the
getSentPassword() routine to get the password sent. If I stored my passwords
as a SHA-1 digest, I would take that password, compute the SHA-1 digest, and
if it matched my stored password, I would call the setPassword() method
indicating that the password was okay. This, as I see it, would be
consistent with the WS-Trust standard and the current implementation and
would be fully backward compatible.

 

Brian

 

From: Martin Gainty [mailto:mgainty@hotmail.com] 
Sent: Tuesday, January 15, 2013 9:07 PM
To: java-dev@axis.apache.org
Subject: RE: Rampart STS Username service not returning password in callback *Update to change algo to SHA*

 

Update: Apparently the Chinese have broken MD5 with collision attacks
...perhaps we should consider implementing the SHA-1 algorithm
http://en.wikipedia.org/wiki/MD5#Simple_Implementation
 
 


From: mgainty@hotmail.com
To: java-dev@axis.apache.org
Subject: RE: Rampart STS Username service not returning password in callback
Date: Tue, 15 Jan 2013 20:03:39 -0500

 

Martin,

 

I looked in the code and it stated that the callback must provide the
password. 

MG> yep.. the next snippet of code that I sent you.. the next line is
setPassword(password)

 

This is not good for a service that does not store the password but only a
password digest (for security reasons). 
MG>agreed

That means the service does not know the user’s password and a hacker cannot
obtain it by hacking into the service’s database.
MG> agreed.. I'm a bit surprised I haven't seen this on a CVE yet

The hacker might be able to obtain a single user's password hidden in TLS
(unlikely)
MG>if there is no encryption or decryption at transport layer..


but that would be only one. The idea would be to get the password, perform
the digest and if it matches the stored digest, it is okay. Set the
password, otherwise err.

MG>so the idea is when rampart puts a password on the wire the only thing
the sniffer sees is the MD5
MG> can we fit MD5 into UsernameTokenType?

 
<xsd:complexType name="UsernameTokenType">
  <xsd:annotation>
    <xsd:documentation>This type represents a username token per Section 4.1</xsd:documentation>
  </xsd:annotation>
  <xsd:sequence>
    <xsd:element type="wsse:AttributedString" name="Username"/>
    <xsd:any processContents="lax" maxOccurs="unbounded" minOccurs="0"/>
  </xsd:sequence>
  <xsd:attribute ref="wsu:Id"/>
  <xsd:anyAttribute namespace="##other" processContents="lax"/>
</xsd:complexType>

MG>the second child element of UTT is a lax unbounded element ..can we toss
the MD5 in there?


http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd

MG>What do others think?
MG>This is a great idea for tightening Rampart Security Brian... I think we
should push for a patch!

MG

 

 

From: Martin Gainty [mailto:mgainty@hotmail.com] 
Sent: Tuesday, January 15, 2013 4:26 PM
To: java-dev@axis.apache.org
Subject: RE: Rampart STS Username service not returning password in callback

 

Hi Brian
 
assuming rampart implements this configuration:
 
 <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
     <soapenv:Header xmlns:wsa="http://www.w3.org/2005/08/addressing">
        <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" soapenv:mustUnderstand="1">
           <wsu:Timestamp xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="Timestamp-12468716">
              <wsu:Created>2008-06-23T13:17:13.841Z</wsu:Created>
              <wsu:Expires>2008-06-23T13:22:13.841Z</wsu:Expires>
           </wsu:Timestamp>
           <wsse:UsernameToken xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="UsernameToken-31571602">
              <wsse:Username>alice</wsse:Username>
              <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">bobPW</wsse:Password>
           </wsse:UsernameToken>
        </wsse:Security>
        <wsa:To>http://localhost:8081/axis2/services/sample01</wsa:To>
        <wsa:MessageID>urn:uuid:AEDBA74A8D1FC94B631214227032877</wsa:MessageID>
        <wsa:Action>urn:echo</wsa:Action>
     </soapenv:Header>
     <soapenv:Body>
        <ns1:echo xmlns:ns1="http://sample01.policy.samples.rampart.apache.org">
           <param0>Hello world</param0>
        </ns1:echo>
     </soapenv:Body>
  </soapenv:Envelope>
 
import java.io.IOException;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import org.apache.ws.security.WSPasswordCallback;

public class PWCBHandler implements CallbackHandler {

    public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {

        for (int i = 0; i < callbacks.length; i++) {

            // When the server side needs to authenticate the user
            WSPasswordCallback pwcb = (WSPasswordCallback) callbacks[i];

            if (pwcb.getUsage() == WSPasswordCallback.USERNAME_TOKEN_UNKNOWN) {

                // Plain-text token: the sent password is in getPassword() and the handler accepts or rejects it
                if (pwcb.getIdentifier().equals("bob") && pwcb.getPassword().equals("bobPW")) {
                    return;
                } else {
                    throw new UnsupportedCallbackException(callbacks[i], "check failed");
                }
            }
        }
    }
}
 
http://wso2.org/library/3733

HTH,

Martin Gainty 



 

> From: brianreinhold@lampreynetworks.com
> To: java-dev@axis.apache.org
> Subject: Rampart STS Username service not returning password in callback
> Date: Tue, 15 Jan 2013 15:00:53 -0500
> 
> Has anyone else had this problem? I have a simple STS Username token request
> for a SAML token where the username token is as follows:
> 
> <wsse:UsernameToken wsu:Id="UsernameToken-ID">
>   <wsse:Username>myName</wsse:Username>
>   <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">myPassword</wsse:Password>
> </wsse:UsernameToken>
> 
> 
> On the receive side there is a callback to verify the username token
> 
> public void handle(Callback[] callbacks) throws IOException,
>         UnsupportedCallbackException
> {
>     for (Callback callback : callbacks)
>     {
>         WSPasswordCallback cb = (WSPasswordCallback) callback;
>         int callbackType = cb.getUsage();
>         switch (callbackType)
>         {
>             case WSPasswordCallback.USERNAME_TOKEN:
>                 try
>                 {
>                     if (cb.getType().equals(WSConstants.PASSWORD_TEXT))
>                     {
>                         String myPassword = cb.getPassword();
>                         ...
> 
> The returned 'myPassword' is null. Any ideas why?
> 
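Brian's proposal at the top of the thread (digest the password sent as PasswordText, compare it with the stored SHA-1, then accept or reject) and the SHA-1 PasswordDigest computation the thread refers to, worked through as an added example. This is not code from the thread or from Rampart/WSS4J: the token and store dictionaries stand in for the WSPasswordCallback API, and the sample values are constructed from the SOAP message quoted above.

```python
import base64
import hashlib
import hmac

UT_PROFILE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0"
PASSWORD_TEXT = UT_PROFILE + "#PasswordText"
PASSWORD_DIGEST = UT_PROFILE + "#PasswordDigest"


def wss_password_digest(nonce: bytes, created: str, password: str) -> str:
    """PasswordDigest per the Username Token Profile 1.0:
    Base64(SHA-1(nonce + created + password))."""
    raw = nonce + created.encode("utf-8") + password.encode("utf-8")
    return base64.b64encode(hashlib.sha1(raw).digest()).decode("ascii")


def stored_sha1(password: str) -> str:
    """Digest-only store from Brian's scenario (unsalted SHA-1 mirrors the
    thread; a production store would use a salted, slow password hash)."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def verify_username_token(token: dict, store: dict) -> bool:
    """token: wsse:UsernameToken fields; store: username -> ("sha1", hex) for a
    digest-only service, or ("plain", password) for one holding plaintext."""
    entry = store.get(token["Username"])
    if entry is None:
        return False
    kind, secret = entry
    if token["Type"] == PASSWORD_TEXT:
        # Password sent in the clear (under TLS): digest what was sent and
        # compare with the stored digest, as Brian proposes.
        sent = token["Password"]
        if kind == "sha1":
            return hmac.compare_digest(stored_sha1(sent), secret)
        return hmac.compare_digest(sent, secret)
    if token["Type"] == PASSWORD_DIGEST:
        if kind != "plain":
            return False  # recomputing the digest needs the plaintext
        expected = wss_password_digest(base64.b64decode(token["Nonce"]),
                                       token["Created"], secret)
        return hmac.compare_digest(token["Password"], expected)
    return False


# Constructed sample values, taken from the SOAP message quoted in the thread.
CREATED = "2008-06-23T13:17:13.841Z"
TEXT_TOKEN = {"Username": "alice", "Type": PASSWORD_TEXT, "Password": "bobPW"}
DIGEST_STORE = {"alice": ("sha1", stored_sha1("bobPW"))}
PLAIN_STORE = {"alice": ("plain", "bobPW")}
```

The digest-only store can verify a PasswordText token but not a PasswordDigest one, which is exactly the trade-off the thread is discussing.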
