Tuesday, November 30, 2010

Simulating a Smurf attack with Scapy

Wikipedia says..
The Smurf attack is a way of generating significant computer network traffic on a victim network. This is a type of denial-of-service attack that floods a target system via spoofed broadcast ping messages.

This attack relies on a perpetrator sending a large amount of ICMP echo request (ping) traffic to IP broadcast addresses, all of which have a spoofed source IP address of the intended victim.

If the routing device delivering traffic to those broadcast addresses delivers the IP broadcast to all hosts, most hosts on that IP network will take the ICMP echo request and reply to it with an echo reply, multiplying the traffic by the number of hosts responding.

To simulate a Smurf attack we need to do the following..

1. Install Scapy

On Mac this is how you do it..

On Ubuntu : sudo apt-get install python-scapy

2. Send a large number of ICMP echo requests to the broadcast address of the victim network (the directed broadcast address).

3. Source IP of the attacker must be spoofed.

As per [2], when we send an ICMP request with the source IP spoofed to the broadcast IP of the network, the server will broadcast the ICMP response to the entire network.

In the following example with Scapy, we are not using a broadcast IP; instead we use the IP address of a different machine in the network.

Target machine IP : 192.168.2.11
Server machine IP : 192.168.2.10

From the attacker's machine, I start Scapy:

$ sudo scapy

Then type the following; you can see the source IP being spoofed to the target machine's IP.

>>> send(IP(src="192.168.2.11", dst="192.168.2.10")/ICMP())

That's it. Since we want to confirm that the response from the server, 192.168.2.10, goes to 192.168.2.11, I am also running Scapy there:

$ sudo scapy

>>> a=sniff(filter="icmp and src 192.168.2.11")

The above will capture the ICMP traffic matching the filter (source 192.168.2.11). After some time press Ctrl+C and type the following on the target machine:

>>> a.nsummary()
0000 Ether / IP / ICMP 192.168.2.11 > 192.168.2.10 echo-request 0

Smurf attacks can be prevented by:

1. Configuring the individual hosts and routers not to respond to ping requests.
2. Configuring routers not to forward packets directed to broadcast addresses.
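The two mitigations above are configuration. On the monitoring side, the traffic pattern itself is easy to recognise. The following Python snippet is an added example, not part of the original post: it runs over a constructed list of ICMP packet records (the kind of tuples you could pull out of Scapy's sniff() result or out of a pcap) and flags echo-requests addressed to the directed broadcast address, as well as bursts of echo-replies from many distinct hosts to a single destination, which is what the victim side of a Smurf attack looks like. The record layout, the window and the threshold are assumptions chosen for the example.

```python
import ipaddress
from collections import defaultdict

# Constructed sample ICMP records: (timestamp_seconds, src, dst, icmp_type).
# icmp_type 8 = echo-request, 0 = echo-reply. Not real capture data.
SAMPLE_PACKETS = [
    (0.00, "192.168.2.11", "192.168.2.255", 8),  # request to the directed broadcast address
    (0.01, "192.168.2.10", "192.168.2.11", 0),   # replies from many hosts to one destination
    (0.01, "192.168.2.12", "192.168.2.11", 0),
    (0.02, "192.168.2.13", "192.168.2.11", 0),
    (0.02, "192.168.2.14", "192.168.2.11", 0),
    (0.03, "192.168.2.15", "192.168.2.11", 0),
    (5.00, "192.168.2.20", "192.168.2.10", 8),   # an ordinary unicast ping and its reply
    (5.01, "192.168.2.10", "192.168.2.20", 0),
]


def broadcast_requests(packets, network):
    """Echo-requests addressed to the directed broadcast address of `network`."""
    bcast = ipaddress.ip_network(network).broadcast_address
    return [p for p in packets if p[3] == 8 and ipaddress.ip_address(p[2]) == bcast]


def amplified_targets(packets, window=1.0, min_responders=4):
    """Return {destination: max distinct responders} for destinations that received
    echo-replies from at least `min_responders` different hosts within `window` seconds."""
    by_dst = defaultdict(list)
    for ts, src, dst, icmp_type in sorted(packets, key=lambda p: p[0]):
        if icmp_type == 0:
            by_dst[dst].append((ts, src))
    flagged = {}
    for dst, events in by_dst.items():
        start = 0
        for end in range(len(events)):
            # slide the window start forward until the span fits in `window`
            while events[end][0] - events[start][0] > window:
                start += 1
            distinct = {src for _, src in events[start:end + 1]}
            if len(distinct) >= min_responders:
                flagged[dst] = max(flagged.get(dst, 0), len(distinct))
    return flagged


if __name__ == "__main__":
    print("broadcast requests:", broadcast_requests(SAMPLE_PACKETS, "192.168.2.0/24"))
    print("amplified targets:", amplified_targets(SAMPLE_PACKETS))
```

The first check is what a router with directed broadcasts disabled should make impossible; the second is the symptom the victim sees regardless of where the request originated, so it is the one worth alerting on at the victim's network edge.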

Monday, November 29, 2010

WSO2 @ University of Peradeniya Job Fair


Sunday, November 28, 2010

Installing Scapy on Mac OS X

I wouldn't have written this blog post if everything had gone well for me while doing the $subject.

I was trying with MacPorts - it gave me the following error..

:error:configure db46 requires the Java for Mac OS X development headers.
:error:configure Download the Java Developer Package from:
:error:configure Target org.macports.configure returned: missing Java headers
:debug:configure Backtrace: missing Java headers while executing
"$pre $targetname"

By going through some of the MacPorts tickets, I found out that we need to have the Java for Mac OS X 10.6 Update 3 Developer Package installed first, which you can get from here.

Once that is done, only the following is needed:

$ sudo port install scapy

Thursday, November 25, 2010

Kerberos Debugging Tips

I worked on adding Kerberos support to Apache Rampart and WSS4J during the last few weeks, along with interop testing with WCF.

The following lists some useful debugging tips I came across.

1. How to list all the Kerberos tickets issued to the logged in client principal in Windows
c:\Program Files (x86)\Resource Kit>klist

Current LogonId is 0:0x29a6f

Cached Tickets: (2)

#0>     Client: administrator @ WSO2.COM
        Server: krbtgt/WSO2.COM @ WSO2.COM
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Ticket Flags 0x40e00000 -> forwardable renewable initial pre_authent
        Start Time: 11/25/2010 13:19:58 (local)
        End Time:   11/25/2010 23:19:58 (local)
        Renew Time: 12/2/2010 13:19:58 (local)
        Session Key Type: AES-256-CTS-HMAC-SHA1-96


#1>     Client: administrator @ WSO2.COM
        Server: service/myserver @ WSO2.COM
        KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
        Ticket Flags 0x40a40000 -> forwardable renewable pre_authent ok_as_delegate
        Start Time: 11/25/2010 13:19:58 (local)
        End Time:   11/25/2010 23:19:58 (local)
        Renew Time: 12/2/2010 13:19:58 (local)
        Session Key Type: RSADSI RC4-HMAC(NT)
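Reading this output by eye is fine for two tickets; when checking many clients it helps to parse it. The following Python snippet is an added example, not from the original post: it parses text in the layout klist prints above (the sample is constructed, with a made-up realm) into ticket records and pulls out two things worth knowing during Kerberos interop work: which tickets still carry the legacy RC4-HMAC (or single DES) encryption type, and which service tickets carry the ok_as_delegate flag, meaning the service account is trusted for delegation.

```python
import re
from dataclasses import dataclass, field

# Constructed sample in the layout of Windows `klist` output (not a real session;
# realm and principal names are made up).
SAMPLE_KLIST = """Current LogonId is 0:0x29a6f

Cached Tickets: (2)

#0>     Client: administrator @ EXAMPLE.COM
        Server: krbtgt/EXAMPLE.COM @ EXAMPLE.COM
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Ticket Flags 0x40e00000 -> forwardable renewable initial pre_authent
        Start Time: 11/25/2010 13:19:58 (local)
        End Time:   11/25/2010 23:19:58 (local)
        Renew Time: 12/2/2010 13:19:58 (local)
        Session Key Type: AES-256-CTS-HMAC-SHA1-96

#1>     Client: administrator @ EXAMPLE.COM
        Server: service/myserver @ EXAMPLE.COM
        KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
        Ticket Flags 0x40a40000 -> forwardable renewable pre_authent ok_as_delegate
        Start Time: 11/25/2010 13:19:58 (local)
        End Time:   11/25/2010 23:19:58 (local)
        Renew Time: 12/2/2010 13:19:58 (local)
        Session Key Type: RSADSI RC4-HMAC(NT)
"""


@dataclass
class Ticket:
    index: int
    client: str
    server: str = ""
    etype: str = ""
    flags: list = field(default_factory=list)


def parse_klist(text):
    """Turn klist output into Ticket records; each '#n>' line starts a new ticket."""
    tickets, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"#(\d+)>\s+Client:\s+(.*)", line)
        if m:
            current = Ticket(int(m.group(1)), m.group(2).strip())
            tickets.append(current)
        elif current is None:
            continue
        elif line.startswith("Server:"):
            current.server = line.split(":", 1)[1].strip()
        elif line.startswith("KerbTicket Encryption Type:"):
            current.etype = line.split(":", 1)[1].strip()
        elif line.startswith("Ticket Flags") and "->" in line:
            current.flags = line.split("->", 1)[1].split()
    return tickets


def weak_etype_tickets(tickets):
    """Tickets still issued with RC4-HMAC or single DES, both legacy encryption types."""
    return [t for t in tickets if re.search(r"RC4|\bDES\b", t.etype)]


def delegation_tickets(tickets):
    """Service tickets flagged ok_as_delegate: the service is trusted for delegation."""
    return [t for t in tickets if "ok_as_delegate" in t.flags]


if __name__ == "__main__":
    parsed = parse_klist(SAMPLE_KLIST)
    for t in weak_etype_tickets(parsed):
        print(f"legacy etype: #{t.index} {t.server} ({t.etype})")
    for t in delegation_tickets(parsed):
        print(f"ok_as_delegate: #{t.index} {t.server}")
```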

2. How to remove cached Kerberos tickets in Windows
c:\Program Files (x86)\Resource Kit>klist purge

Current LogonId is 0:0x29a6f
        Deleting all tickets:
        Ticket(s) purged!

3. How to publish Kerberos error logs into the Event Viewer in Windows

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters
The Parameters subkey stores configuration options for the Kerberos V5 authentication protocol in Windows Server 2003/2008.

LogValue
Registry path
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters

This entry does not exist in the registry by default. The default value is false; to publish Kerberos events to the Event Viewer, set it to 1.

The following are some more registry entries related to Kerberos.

AllowTgtSessionKey
Registry path
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters

This entry controls whether session keys are exported with initial or cross-realm TGTs. This entry does not exist in the registry by default. The default value is false due to security concerns.

CacheS4UTickets
Registry path
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters

This entry enables and disables Service-for-User (S4U) caching. This entry does not exist in the registry by default. The default value is true.

ClientIpAddresses
Registry path
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters

This entry controls adding IP addresses in KRB_AS_REQ, thus forcing the Caddr field to contain IP addresses in all tickets. This entry does not exist in the registry by default. The default value is false, due to potential DHCP client and network address translation (NAT) issues.

DefaultEncryptionType
Registry path
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters

This entry controls the default encryption type for PreAuth. This entry does not exist in the registry by default. The default value is KERB_ETYPE_RC4_HMAC_NT.

FarKdcTimeout
Registry path
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters

This entry controls the time-out interval, in minutes, that is used to invalidate a domain controller from a different site in the domain controller cache. This entry does not exist in the registry by default. The default value is 10 minutes.

KdcBackoffTime
Registry path
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters

This entry specifies a time value, in seconds, between successive calls to the Key Distribution Center (KDC) if the previous call failed. This entry does not exist in the registry by default. The default value is 5 seconds.

KdcSendRetries
Registry path
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters

This entry controls the number of retry attempts that a client makes in order to contact a KDC. This entry does not exist in the registry by default. The default value is 3.

KdcWaitTime
Registry path
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters

This entry specifies a time value, in seconds, that is used to time out the Winsock calls. This entry does not exist in the registry by default. The default value is 5 seconds.

KerbDebugLevel
Registry path
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters

4. How to set a Service Principal Name [SPN] for a user in AD - in Windows
c:\Program Files (x86)\Resource Kit>setspn -A test/wso2 prabath
Registering ServicePrincipalNames for CN=prabath,CN=Users,DC=wso2,DC=com
        test/wso2
Updated object

5. How to list all the SPNs of a given user in AD - Windows
c:\Program Files (x86)\Resource Kit>setspn -L prabath
Registered ServicePrincipalNames for CN=prabath,CN=Users,DC=wso2,DC=com:
        test/wso2
        service/myserver

6. How to make Java clients work with IWA

By default, Windows does not allow the session key of a TGT to be accessed. Add the following registry key on the client side so that the session key for the TGT is accessible and Java can use it to acquire additional service tickets.

For Windows XP and Windows 2000, the registry key and value should be:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos
Value Name: allowtgtsessionkey
Value Type: REG_DWORD
Value: 0x01

For Windows 2003 and Windows Vista, the registry key and value should be:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos\Parameters

Value Name: allowtgtsessionkey
Value Type: REG_DWORD
Value: 0x01

Tuesday, November 23, 2010

FOSDEM Tech Talks

Secure communications with Jabber



AMQP



MySQL High Availability Solutions

Mac OS X 10.6 terminal takes so long to load

This is something I faced after using the MacBook Pro for a month.

The following is the solution:

sudo rm -f /private/var/log/asl/*

Make sure you have backed up any logs you require before executing the above.

Monday, November 22, 2010

Capturing via tcpdump to view in Wireshark

$sudo tcpdump -i en1 -s0 -w captured.pcap

-i Listening interface

-s Snarf snaplen bytes of data from each packet rather than the default of 64K bytes. Packets truncated because of a limited snapshot are indicated in the output with "[|proto]", where proto is the name of the protocol level at which the truncation has occurred. Note that taking larger snapshots both increases the amount of time it takes to process packets and, effectively, decreases the amount of packet buffering. This may cause packets to be lost. You should limit snaplen to the smallest number that will capture the protocol information you're interested in. Setting snaplen to 0 means use the required length to catch whole packets.
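The snaplen caveat in the man page text above is visible in the capture file itself: every pcap record carries both the captured length and the original on-the-wire length, and they differ when -s cut the packet short. The following Python snippet is an added example, not from the original post: it builds a small classic-pcap byte string from constructed frames (standing in for a real capture), reads the per-record headers back, and reports which records were truncated. Note that tcpdump's -s0 means "capture whole packets" and writes its own maximum snaplen into the file header, so the helper here takes the actual byte limit rather than 0.

```python
import struct

PCAP_MAGIC = 0xA1B2C3D4   # classic libpcap magic, written little-endian here
GLOBAL_HDR = "<IHHiIII"   # magic, major, minor, thiszone, sigfigs, snaplen, linktype
RECORD_HDR = "<IIII"      # ts_sec, ts_usec, incl_len (captured), orig_len (on the wire)

# Constructed frames: a 60-byte minimum Ethernet frame and a 1500-byte one.
SAMPLE_FRAMES = [bytes(60), bytes(range(256)) * 5 + bytes(220)]


def build_pcap(frames, snaplen):
    """Construct a pcap file in memory, truncating each frame to `snaplen`
    the way a capture tool with a limited snapshot length would."""
    out = [struct.pack(GLOBAL_HDR, PCAP_MAGIC, 2, 4, 0, 0, snaplen, 1)]  # linktype 1 = Ethernet
    for i, frame in enumerate(frames):
        captured = frame[:snaplen]
        out.append(struct.pack(RECORD_HDR, i, 0, len(captured), len(frame)))
        out.append(captured)
    return b"".join(out)


def read_pcap(data):
    """Return (header snaplen, [(incl_len, orig_len, payload), ...])."""
    magic, _maj, _min, _tz, _sig, snaplen, _link = struct.unpack_from(GLOBAL_HDR, data, 0)
    if magic != PCAP_MAGIC:
        raise ValueError("not a little-endian classic pcap file")
    off, records = struct.calcsize(GLOBAL_HDR), []
    while off + struct.calcsize(RECORD_HDR) <= len(data):
        _ts, _us, incl, orig = struct.unpack_from(RECORD_HDR, data, off)
        off += struct.calcsize(RECORD_HDR)
        records.append((incl, orig, data[off:off + incl]))
        off += incl
    return snaplen, records


def truncated_records(data):
    """Indices of records cut short by the snapshot length (incl_len < orig_len)."""
    _snaplen, records = read_pcap(data)
    return [i for i, (incl, orig, _payload) in enumerate(records) if incl < orig]


if __name__ == "__main__":
    short = build_pcap(SAMPLE_FRAMES, 96)
    print("truncated with -s 96:", truncated_records(short))
    print("truncated with a full snaplen:", truncated_records(build_pcap(SAMPLE_FRAMES, 262144)))
```

Wireshark shows the same condition as "Packet size limited during capture", which is the reason for the -s0 in the command above.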

Setting up WSO2 P2 Repo Locally

Currently WSO2 doesn't host the P2 repository as a single distribution to download - so whenever you want to add a new Feature, you need to point your Carbon instance to the online p2 repo hosted at http://dist.wso2.org/p2/carbon/releases/3.0.0/

This is how you can download the entire repository and set it up locally:

$ pwd

/Users/prabath/p2_repo

$ wget -r -l inf http://dist.wso2.org/p2/carbon/releases/3.0.0/

The above will download the entire P2 repo to the local machine.

Once that is done, go to the running Carbon instance, Configure --> Features --> Settings --> Add Repository --> select Location as Local and set it to /Users/prabath/p2_repo/dist.wso2.org/p2/carbon/releases/3.0.0, and that's it.

Sunday, November 21, 2010

Building and installing MacPorts on Mac OS X 10.6 from source

The MacPorts project is an open-source community initiative to design an easy-to-use system for compiling, installing, and upgrading either command-line, X11 or Aqua based open-source software on the Mac OS X operating system.

1. svn co http://svn.macports.org/repository/macports/trunk/base/ macports

2. cd macports

3. ./configure

4. make

5. sudo make install

6. sudo /opt/local/bin/port -v selfupdate

To test the setup, let's try to install MySQL via MacPorts:

1. export PATH=/Developer/usr/bin:/Developer/usr/sbin:/opt/local/bin:/opt/local/sbin:$PATH

2. sudo port install mysql5-server

Thursday, November 18, 2010

SSL Debugging - Part - II - Intercepting traffic between WSO2 Carbon FE and BE

All WSO2 products are based on WSO2 Carbon, which sits as the core for all of them.

We do have a clear Front-End [FE], Back-End [BE] separation, where the FE web application talks to the BE via web service calls.

This benefits the end user, who gains the flexibility of developing his own client for the corresponding back-end functionality in a language-independent manner.

All UI components you see in the default distribution talk to the BE services via SOAP over HTTPS.

When digging into an issue, since this is over HTTPS, it's hard to intercept the communication channel and figure out exactly what messages are being passed from FE to BE.

This is how you can do it - to intercept messages flowing over SSL.

Prerequisites:
1. ssldump
2. The private key of WSO2 Carbon, in PEM format - you can download it from here.

Run the following command from where you have the private key, and start any WSO2 Carbon based product - say on HTTPS port 9443

:\> sudo ssldump -Ad -k wso2carbon.pem -p wso2carbon -i lo0 host localhost and port 9443

Make sure to set the correct interface for your system [-i lo0], and start ssldump before you start the server.

Now you can track all the messages between FE and BE in clear text.
1 8 0.0621 (0.0007) C>SV3.1(203) application_data
---------------------------------------------------------------
POST /services/AuthenticationAdmin HTTP/1.1
Content-Type: application/soap+xml; charset=UTF-8; action="urn:login"
User-Agent: Axis2
Host: localhost:9443
Transfer-Encoding: chunked

---------------------------------------------------------------
1 9 0.0626 (0.0005) C>SV3.1(399) application_data
---------------------------------------------------------------
173
    <?xml version='1.0' encoding='UTF-8'?>
<soapenv:Envelope xmlns:soapenv="http://www.w3.org/2003/05/soap-envelope">
 <soapenv:Body>
  <ns1:login xmlns:ns1="http://authentication.services.core.carbon.wso2.org">
   <ns1:username>admin</ns1:username>
   <ns1:password>admin</ns1:password>
   <ns1:remoteAddress>0:0:0:0:0:0:0:1%0</ns1:remoteAddress>
  </ns1:login>
 </soapenv:Body>
</soapenv:Envelope>
0

---------------------------------------------------------------
1 10 0.2071 (0.1445) S>CV3.1(544) application_data
---------------------------------------------------------------
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=37FC902E5E7C6C0D081E28B4DF067A76; Path=/; Secure
Content-Type: application/soap+xml;charset=UTF-8
Transfer-Encoding: chunked
Date: Fri, 19 Nov 2010 02:44:26 GMT

11f
    <?xml version='1.0' encoding='UTF-8'?>
<soapenv:Envelope xmlns:soapenv="http://www.w3.org/2003/05/soap-envelope">
 <soapenv:Body>
  <ns:loginResponse
   xmlns:ns="http://authentication.services.core.carbon.wso2.org">
   <ns:return>true</ns:return>
  </ns:loginResponse>
 </soapenv:Body>
</soapenv:Envelope>
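Once the traffic is in the clear, the decrypted records are worth more than a read-through. The following Python snippet is an added example, not from the original post: it parses text in the layout ssldump -Ad prints above (the sample is constructed; the cookie value is made up and the password is replaced by a placeholder) into records and pulls out what a reviewer of this exchange would check: which SOAP actions the FE invoked, whether the BE's Set-Cookie headers carry the Secure and HttpOnly attributes, and whether credentials are readable in the request bodies. One caveat on the method itself: decrypting with the server's private key only works when the handshake used RSA key exchange (the Part I post's trace shows the server picking suite 0x2f, TLS_RSA_WITH_AES_128_CBC_SHA); with DHE or ECDHE suites the server key alone does not recover the session key.

```python
import re

# Constructed excerpt in the layout of `ssldump -Ad` output (not a real capture;
# the cookie value is made up and the password is replaced by a placeholder).
SAMPLE_SSLDUMP = """1 8 0.0621 (0.0007) C>SV3.1(203) application_data
---------------------------------------------------------------
POST /services/AuthenticationAdmin HTTP/1.1
Content-Type: application/soap+xml; charset=UTF-8; action="urn:login"
User-Agent: Axis2
Host: localhost:9443
Transfer-Encoding: chunked

---------------------------------------------------------------
1 9 0.0626 (0.0005) C>SV3.1(399) application_data
---------------------------------------------------------------
173
<?xml version='1.0' encoding='UTF-8'?>
<soapenv:Envelope xmlns:soapenv="http://www.w3.org/2003/05/soap-envelope">
 <soapenv:Body>
  <ns1:login xmlns:ns1="http://authentication.services.core.carbon.wso2.org">
   <ns1:username>admin</ns1:username>
   <ns1:password>REDACTED</ns1:password>
  </ns1:login>
 </soapenv:Body>
</soapenv:Envelope>
0

---------------------------------------------------------------
1 10 0.2071 (0.1445) S>CV3.1(544) application_data
---------------------------------------------------------------
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=0123456789ABCDEF0123456789ABCDEF; Path=/; Secure
Content-Type: application/soap+xml;charset=UTF-8
Transfer-Encoding: chunked
"""

# "<conn> <rec> <time> (<delta>) C>SV3.1(<len>) <record type>"
RECORD_RE = re.compile(r"^(\d+) (\d+) ([\d.]+) \(([\d.]+)\) (C>S|S>C)V([\d.]+)\((\d+)\) (\w+)$")


def parse_records(text):
    """Split the trace into records: {'dir': 'C>S' or 'S>C', 'type': ..., 'payload': str}."""
    records, current = [], None
    for line in text.splitlines():
        m = RECORD_RE.match(line)
        if m:
            current = {"dir": m.group(5), "type": m.group(8), "lines": []}
            records.append(current)
        elif current is not None and not line.startswith("-----"):
            current["lines"].append(line)
    for r in records:
        r["payload"] = "\n".join(r.pop("lines")).strip()
    return records


def soap_actions(records):
    """WS-Addressing actions the FE invoked, read from the SOAP Content-Type header."""
    return [a for r in records if r["dir"] == "C>S"
            for a in re.findall(r'action="([^"]+)"', r["payload"])]


def cookie_findings(records, required=("Secure", "HttpOnly")):
    """Set-Cookie headers from the BE that lack any of the required attributes."""
    findings = {}
    for r in records:
        if r["dir"] != "S>C":
            continue
        for m in re.finditer(r"^Set-Cookie:\s*([^=]+)=[^;\n]*(.*)$", r["payload"], re.M):
            present = {a.strip().split("=")[0].lower() for a in m.group(2).split(";") if a.strip()}
            missing = [a for a in required if a.lower() not in present]
            if missing:
                findings[m.group(1)] = missing
    return findings


def plaintext_password_fields(records):
    """Password elements readable in the decrypted request bodies."""
    return [p for r in records if r["dir"] == "C>S"
            for p in re.findall(r"<(?:\w+:)?password>([^<]*)</", r["payload"])]


if __name__ == "__main__":
    recs = parse_records(SAMPLE_SSLDUMP)
    print("actions:", soap_actions(recs))
    print("cookie attributes missing:", cookie_findings(recs))
    print("passwords visible:", len(plaintext_password_fields(recs)))
```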

Installing Wget on Mac OS X

1. Download from http://ftp.gnu.org/pub/gnu/wget/wget-1.9.1.tar.gz

2. cd ~/Downloads/wget-1.9.1

3. ./configure

4. make

5. sudo make install

6. wget http://dist.wso2.org/products/esb/java/3.0.1/wso2esb-3.0.1.zip

Wednesday, November 17, 2010

SSL Debugging - Part - I

We've been involved in many cases solving issues related to SSL.

The latest one I came across was at a customer site, where WSO2 ESB wanted to communicate with an SSL endpoint (WCF) hosted on IIS 7.

The only thing we have to do here is import the CA certificate of the WCF endpoint into the ESB's client-truststore.jks [which is under ESB_HOME\resources\security].

This worked well at the start, but on one machine it started to fail, with no clue at all.

This is where we need some handy SSL debugging tools, and the easiest one is setting the system property javax.net.debug=all. For example, you need to start the WSO2 ESB as:

:\> sh wso2server.sh -Djavax.net.debug=all

Once you set this, it will print the entire SSL handshake.

By going through the logs, we could figure out the issue: by mistake, on this particular machine, in IIS, for this endpoint, 'Require SSL' had been set to Accept instead of Ignore.

What does that mean, and why did that fail?

When we set the above parameter to Accept, the server validates the client certificate only if the client sends one in the request.

In our case, at the ESB end, we set the following two system properties:

System.setProperty("javax.net.ssl.keyStore", "keyStorePath");
System.setProperty("javax.net.ssl.keyStorePassword", "password");


When you set these two, the client will automatically attach the client certificate to the SSL handshake. In our case it failed because we were not expecting mutual authentication, so IIS didn't trust the ESB as a client.

Another tool that comes in handy while debugging SSL is openssl s_client.

There was a case where WSO2 ESB was talking to an SSL endpoint behind an Apache server. None of the configuration options we provided worked, so the option left was to test the SSL setup of the Apache server independently, and that proved the Apache server had issues in its SSL setup. There we used openssl s_client. For example, if you want to verify the SSL handshake with the endpoint localhost:9443, you can use the following command.

:\>openssl s_client -connect localhost:9443 -state -nbio 2>&1 | grep "^SSL"

The above will result in the following output.
SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
SSL_connect:error in SSLv2/v3 read server hello A
SSL_connect:SSLv3 read server hello A
SSL_connect:SSLv3 read server certificate A
SSL_connect:SSLv3 read server key exchange A
SSL_connect:SSLv3 read server done A
SSL_connect:SSLv3 write client key exchange A
SSL_connect:SSLv3 write change cipher spec A
SSL_connect:SSLv3 write finished A
SSL_connect:SSLv3 flush data
SSL_connect:SSLv3 read finished A
SSL handshake has read 1149 bytes and written 293 bytes
SSL-Session:
To see all the options available with s_client, type the following,

:\>openssl s_client --help

Let's finish off the first part of the SSL debugging series with ssldump.

ssldump is an SSL/TLS network protocol analyzer. It identifies TCP connections on the chosen network interface and attempts to interpret them as SSL/TLS traffic. When it identifies SSL/TLS traffic, it decodes the records and displays them in a textual form to stdout.

:\>sudo ssldump -i en1 port 443

The above prints the following [only a part displayed] when I visit https://cloud.wso2.com.
New TCP connection #1: 192.168.1.3(49986) <-> ec2-184-73-175-181.compute-1.amazonaws.com(443)
1 1  0.3614 (0.3614)  C>S  Handshake
      ClientHello
        Version 3.1 
        cipher suites
        Unknown value 0xc00a
        Unknown value 0xc009
        Unknown value 0xc007
        Unknown value 0xc008
        Unknown value 0xc013
        Unknown value 0xc014
        Unknown value 0xc011
        Unknown value 0xc012
        Unknown value 0xc004
        Unknown value 0xc005
        Unknown value 0xc002
        Unknown value 0xc003
        Unknown value 0xc00e
        Unknown value 0xc00f
        Unknown value 0xc00c
        Unknown value 0xc00d
        Unknown value 0x2f
        TLS_RSA_WITH_RC4_128_SHA
        TLS_RSA_WITH_RC4_128_MD5
        Unknown value 0x35
        TLS_RSA_WITH_3DES_EDE_CBC_SHA
        TLS_RSA_WITH_DES_CBC_SHA
        TLS_RSA_EXPORT_WITH_RC4_40_MD5
        TLS_RSA_EXPORT_WITH_DES40_CBC_SHA
        TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5
        Unknown value 0x32
        Unknown value 0x33
        Unknown value 0x38
        Unknown value 0x39
        TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
        TLS_DHE_RSA_WITH_DES_CBC_SHA
        TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
        TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
        TLS_DHE_DSS_WITH_DES_CBC_SHA
        TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
        compression methods
                  NULL
1 2  0.7638 (0.4023)  S>C  Handshake
      ServerHello
        Version 3.1 
        session_id[32]=
          22 24 f7 6c 43 84 ba 39 6f b9 02 5c 4d 76 cf 97 
          ad b4 39 1b 82 fe c1 cf d7 5b 14 41 87 bd 6a 81 
        cipherSuite         Unknown value 0x2f
        compressionMethod                   NULL
1 3  1.1691 (0.4053)  S>C  Handshake
      Certificate
1 4  1.1691 (0.0000)  S>C  Handshake
      ServerHelloDone
1 5  1.1749 (0.0058)  C>S  Handshake
      ClientKeyExchange
1 6  1.1749 (0.0000)  C>S  ChangeCipherSpec
1 7  1.1750 (0.0000)  C>S  Handshake
1 8  1.5787 (0.4037)  S>C  ChangeCipherSpec
1 9  1.5787 (0.0000)  S>C  Handshake
1 10 1.5794 (0.0006)  C>S  application_data
1 11 2.1889 (0.6095)  S>C  application_data
1 12 2.1889 (0.0000)  S>C  application_data
1 13 2.1889 (0.0000)  S>C  application_data
1 14 2.1889 (0.0000)  S>C  application_data
1 15 2.1889 (0.0000)  S>C  application_data
1 16 2.1889 (0.0000)  S>C  application_data
1 17 2.1889 (0.0000)  S>C  application_data
1 18 2.1889 (0.0000)  S>C  application_data
1 19 2.1896 (0.0007)  C>S  Alert
1    2.1902 (0.0005)  C>S  TCP FIN
New TCP connection #2: 192.168.1.3(49987) <-> ec2-184-73-175-181.compute-1.amazonaws.com(443)
2 1  0.3662 (0.3662)  C>S  Handshake
      ClientHello
        Version 3.1 
        resume [32]=
          22 24 f7 6c 43 84 ba 39 6f b9 02 5c 4d 76 cf 97 
          ad b4 39 1b 82 fe c1 cf d7 5b 14 41 87 bd 6a 81 
        cipher suites
        Unknown value 0xc00a
        Unknown value 0xc009
        Unknown value 0xc007
        Unknown value 0xc008
        Unknown value 0xc013
        Unknown value 0xc014
        Unknown value 0xc011
        Unknown value 0xc012
        Unknown value 0xc004
        Unknown value 0xc005
        Unknown value 0xc002
        Unknown value 0xc003
        Unknown value 0xc00e
        Unknown value 0xc00f
        Unknown value 0xc00c
        Unknown value 0xc00d
        Unknown value 0x2f
        TLS_RSA_WITH_RC4_128_SHA
        TLS_RSA_WITH_RC4_128_MD5
        Unknown value 0x35
        TLS_RSA_WITH_3DES_EDE_CBC_SHA
        TLS_RSA_WITH_DES_CBC_SHA
        TLS_RSA_EXPORT_WITH_RC4_40_MD5
        TLS_RSA_EXPORT_WITH_DES40_CBC_SHA
        TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5
        Unknown value 0x32
        Unknown value 0x33
        Unknown value 0x38
        Unknown value 0x39
        TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
        TLS_DHE_RSA_WITH_DES_CBC_SHA
        TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
        TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
        TLS_DHE_DSS_WITH_DES_CBC_SHA
        TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
        compression methods
                  NULL
2 2  0.9732 (0.6070)  S>C  Handshake
      ServerHello
        Version 3.1 
        session_id[32]=
          22 24 f7 6c 43 84 ba 39 6f b9 02 5c 4d 76 cf 97 
          ad b4 39 1b 82 fe c1 cf d7 5b 14 41 87 bd 6a 81 
        cipherSuite         Unknown value 0x2f
        compressionMethod                   NULL
2 3  0.9732 (0.0000)  S>C  ChangeCipherSpec
2 4  0.9732 (0.0000)  S>C  Handshake
2 5  0.9735 (0.0003)  C>S  ChangeCipherSpec
2 6  0.9736 (0.0000)  C>S  Handshake
2 7  0.9737 (0.0001)  C>S  application_data
2 8  1.6900 (0.7162)  S>C  application_data
2 9  1.6900 (0.0000)  S>C  application_data
2 10 1.6900 (0.0000)  S>C  application_data
2 11 1.6900 (0.0000)  S>C  application_data
2 12 1.6900 (0.0000)  S>C  application_data
2 13 1.6900 (0.0000)  S>C  application_data
2 14 1.6900 (0.0000)  S>C  application_data
2 15 1.6900 (0.0000)  S>C  application_data
2 16 1.6903 (0.0002)  C>S  Alert
2    1.6909 (0.0006)  C>S  TCP FIN
New TCP connection #3: 192.168.1.3(49988) <-> ec2-184-73-175-181.compute-1.amazonaws.com(443)
3 1  0.3674 (0.3674)  C>S  Handshake
      ClientHello
        Version 3.1 
        resume [32]=
          22 24 f7 6c 43 84 ba 39 6f b9 02 5c 4d 76 cf 97 
          ad b4 39 1b 82 fe c1 cf d7 5b 14 41 87 bd 6a 81 
        cipher suites
        Unknown value 0xc00a
        Unknown value 0xc009
        Unknown value 0xc007
        Unknown value 0xc008
        Unknown value 0xc013
        Unknown value 0xc014
        Unknown value 0xc011
        Unknown value 0xc012
        Unknown value 0xc004
        Unknown value 0xc005
        Unknown value 0xc002
        Unknown value 0xc003
        Unknown value 0xc00e
        Unknown value 0xc00f
        Unknown value 0xc00c
        Unknown value 0xc00d
        Unknown value 0x2f
        TLS_RSA_WITH_RC4_128_SHA
        TLS_RSA_WITH_RC4_128_MD5
        Unknown value 0x35
        TLS_RSA_WITH_3DES_EDE_CBC_SHA
        TLS_RSA_WITH_DES_CBC_SHA
        TLS_RSA_EXPORT_WITH_RC4_40_MD5
        TLS_RSA_EXPORT_WITH_DES40_CBC_SHA
        TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5
        Unknown value 0x32
        Unknown value 0x33
        Unknown value 0x38
        Unknown value 0x39
        TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
        TLS_DHE_RSA_WITH_DES_CBC_SHA
        TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
        TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
        TLS_DHE_DSS_WITH_DES_CBC_SHA
        TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
        compression methods
                  NULL
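A trace like the one above is easier to reason about with a little tooling. The following Python snippet is an added example, not from the original post: it parses text in the layout ssldump prints above (the sample is constructed and shortened) and summarises each TCP connection: whether the ClientHello carried a session id and the server accepted the resumption (no Certificate/ServerHelloDone, as in connections #2 and #3 above), the negotiated cipher suite, whether a client Certificate was sent (the mutual-authentication question from the IIS case earlier in the post), and which weak suites (EXPORT, single DES, RC4, NULL) the client offered. The name map translates a few of the "Unknown value" suite ids using their IANA registry names; it is partial and is this example's addition, not ssldump's.

```python
import re

# Partial map of IANA cipher-suite ids that this ssldump build prints as "Unknown value".
CIPHER_NAMES = {
    0x2f: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x35: "TLS_RSA_WITH_AES_256_CBC_SHA",
    0xc013: "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
}

# Constructed, shortened excerpt in the layout of ssldump's handshake trace (not a real capture).
SAMPLE_TRACE = """New TCP connection #1: 192.168.1.3(49986) <-> server.example(443)
1 1  0.3614 (0.3614)  C>S  Handshake
      ClientHello
        cipher suites
        Unknown value 0xc013
        Unknown value 0x2f
        TLS_RSA_WITH_RC4_128_SHA
        TLS_RSA_EXPORT_WITH_RC4_40_MD5
        compression methods
                  NULL
1 2  0.7638 (0.4023)  S>C  Handshake
      ServerHello
        cipherSuite         Unknown value 0x2f
        compressionMethod                   NULL
1 3  1.1691 (0.4053)  S>C  Handshake
      Certificate
1 4  1.1691 (0.0000)  S>C  Handshake
      ServerHelloDone
1 5  1.1749 (0.0058)  C>S  Handshake
      ClientKeyExchange
1 6  1.1749 (0.0000)  C>S  ChangeCipherSpec
New TCP connection #2: 192.168.1.3(49987) <-> server.example(443)
2 1  0.3662 (0.3662)  C>S  Handshake
      ClientHello
        resume [32]=
          22 24 f7 6c 43 84 ba 39 6f b9 02 5c 4d 76 cf 97
        cipher suites
        Unknown value 0x2f
        compression methods
                  NULL
2 2  0.9732 (0.6070)  S>C  Handshake
      ServerHello
        cipherSuite         Unknown value 0x2f
2 3  0.9732 (0.0000)  S>C  ChangeCipherSpec
2 4  0.9732 (0.0000)  S>C  Handshake
"""

CONN_RE = re.compile(r"^New TCP connection #(\d+):")
REC_RE = re.compile(r"^\d+\s+\d+\s+[\d.]+\s+\([\d.]+\)\s+(C>S|S>C)\s+(\w+)")


def suite_name(token):
    m = re.match(r"Unknown value (0x[0-9a-fA-F]+)", token)
    return CIPHER_NAMES.get(int(m.group(1), 16), token) if m else token


def parse_trace(text):
    """Summarise each connection: offered/negotiated suites, certificates, resumption."""
    conns, conn, direction, msg, in_suites = {}, None, None, None, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := CONN_RE.match(line):
            conn = conns.setdefault(int(m.group(1)), {"resume_attempted": False, "offered": [],
                    "cipher": None, "server_cert": False, "client_cert": False, "hello_done": False})
            msg = None
        elif m := REC_RE.match(line):
            direction, msg = m.group(1), "pending" if m.group(2) == "Handshake" else None
            in_suites = False
        elif conn is None or msg is None:
            continue
        elif msg == "pending":            # first body line names the handshake message
            msg = line
            if msg == "Certificate":
                conn["server_cert" if direction == "S>C" else "client_cert"] = True
            elif msg == "ServerHelloDone":
                conn["hello_done"] = True
        elif msg == "ClientHello":
            if line.startswith("resume ["):
                conn["resume_attempted"] = True
            elif line == "cipher suites":
                in_suites = True
            elif line == "compression methods":
                in_suites = False
            elif in_suites:
                conn["offered"].append(suite_name(line))
        elif msg == "ServerHello" and line.startswith("cipherSuite"):
            conn["cipher"] = suite_name(line[len("cipherSuite"):].strip())
    for c in conns.values():
        # resumption: client offered a session id and the server skipped Certificate/ServerHelloDone
        c["resumed"] = c["resume_attempted"] and not c["hello_done"]
        c["weak_offered"] = [s for s in c["offered"] if re.search(r"EXPORT|_DES_|RC4|NULL", s)]
    return conns


if __name__ == "__main__":
    for n, c in parse_trace(SAMPLE_TRACE).items():
        print(n, c["cipher"], "resumed" if c["resumed"] else "full handshake",
              "client cert" if c["client_cert"] else "no client cert", c["weak_offered"])
```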

Saturday, November 13, 2010

Forgot My Password

Almost all online services provide a way to recover your password, in case you forget it.



And this is the first thing a hacker will look into to gain control of your account, so this is something we need to design carefully.

Let's look at the different ways this feature is implemented by major online service providers.

Secret Questions with Yahoo

- You need to set your Secret Questions at the time you sign up, and you can change them later if you wish
- But you need to make sure you set strong secret questions the first time; if you set weak ones, your account can be compromised at any time, even if you change them later
- Make sure the answers to your secret questions cannot be found via any of your social networking profiles
- What if somebody gains control of your account via the secret questions and later changes the original secret questions to a different set?
- Yahoo still lets you regain control
- You can go through the 'Forgot Password' flow and ask for your original secret questions [not the ones the attacker set]
- Then you can regain access to your account, but you will never be able to change the original secret questions, so if the attacker knows the originals, he can come back at any time and take control of your account once again
- A captcha is used

Password reset link to the email with Google

- You need to have a secondary email address registered
- The secondary email address is not shown to the user during the password recovery process
- A password reset link is sent to the secondary email address, and that link is valid only for a limited time frame
- Even though the password recovery link has been sent, the user can still log in with the original password if the reset has not been done
- No temporary passwords are generated
- Once the password reset is initiated, a mail is also sent to the original email address, so if an attacker is doing this, the actual owner of the email account gets to know something is going on
- A captcha is used

Password reset code with Facebook

- You need to have either an email address or a mobile number registered with your account
- Once you initiate the password reset process, a code will be sent to you
- You need to confirm receipt of the confirmation code to reset the password
- Until you reset the password, you can use the original password to log in
- No captcha is used

Password reset link to the email with Twitter

- Need to have an email address registered
- A password reset link is sent to the email address, and that link is valid only for a limited time frame
- Even though the password recovery link has been sent, the user can still log in with the original password if the reset has not been done
- No temporary passwords are generated
- No captcha is used

Original password sent back to the email

- Forget them, they store your passwords in clear text

Generate a temporary password and send back to the email

- This is better than the previous one
- Since the original password is replaced by the temporary one, if this is initiated by an attacker, the true owner won't be able to log in until he resets again or checks his email
- Should be protected with a captcha
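The reset-link design described under Google and Twitter above, as an added example that is not part of the original post: a random, single-use, time-limited token that is stored only as a hash, no temporary password, the current password staying valid until the reset completes, and a notice to the primary address whenever a reset is requested. Names, the 15-minute lifetime, the in-memory stores and the outbox standing in for mail delivery are all this example's assumptions; the password hashing is deliberately simplified and marked as such.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60   # example choice; the post only says "a limited time frame"


class PasswordResetService:
    """Reset-link flow: random single-use token, stored hashed, time-limited;
    the current password keeps working until the reset actually completes."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.users = {}      # username -> {password_hash, primary_email, secondary_email}
        self.pending = {}    # sha256(token) -> {username, expires}
        self.outbox = []     # (recipient, message): stands in for real mail delivery

    @staticmethod
    def _hash_password(password):
        # Illustration only; a real system uses a slow, salted KDF (scrypt, argon2, bcrypt).
        return hashlib.sha256(password.encode()).hexdigest()

    @staticmethod
    def _hash_token(token):
        # Only the hash is stored, so a leaked table does not yield usable reset links.
        return hashlib.sha256(token.encode()).hexdigest()

    def add_user(self, username, password, primary_email, secondary_email):
        self.users[username] = {"password_hash": self._hash_password(password),
                                "primary_email": primary_email, "secondary_email": secondary_email}

    def login(self, username, password):
        user = self.users.get(username)
        return user is not None and hmac.compare_digest(user["password_hash"],
                                                        self._hash_password(password))

    def request_reset(self, username):
        """Mail a reset link to the secondary address and a notice to the primary one.
        Returns nothing either way, so the caller cannot tell whether the account exists."""
        user = self.users.get(username)
        if user is None:
            return
        token = secrets.token_urlsafe(32)
        self.pending[self._hash_token(token)] = {"username": username,
                                                 "expires": self.clock() + TOKEN_TTL_SECONDS}
        self.outbox.append((user["secondary_email"], f"reset-link token={token}"))
        self.outbox.append((user["primary_email"], "A password reset was requested for your account."))

    def complete_reset(self, token, new_password):
        """Consume the token; rejected if unknown, already used, or expired."""
        entry = self.pending.pop(self._hash_token(token), None)
        if entry is None or self.clock() > entry["expires"]:
            return False
        self.users[entry["username"]]["password_hash"] = self._hash_password(new_password)
        return True


def demo():
    """Walk through the flow with a controllable clock and return the observations."""
    now = [1_000.0]
    svc = PasswordResetService(clock=lambda: now[0])
    svc.add_user("alice", "old-pw", "alice@example.com", "alice.backup@example.com")
    svc.request_reset("alice")
    token = svc.outbox[0][1].split("token=", 1)[1]
    result = {
        "link_to": svc.outbox[0][0],
        "notice_to": svc.outbox[1][0],
        "old_pw_still_works": svc.login("alice", "old-pw"),   # nothing changed yet
        "bogus_token": svc.complete_reset("not-a-token", "x"),
        "reset_ok": svc.complete_reset(token, "new-pw"),
        "replay": svc.complete_reset(token, "again"),          # single use
        "new_pw_works": svc.login("alice", "new-pw"),
        "old_pw_after": svc.login("alice", "old-pw"),
    }
    svc.request_reset("alice")
    token2 = svc.outbox[-2][1].split("token=", 1)[1]
    now[0] += TOKEN_TTL_SECONDS + 1                            # let the link expire
    result["expired"] = svc.complete_reset(token2, "late")
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```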

Thursday, November 11, 2010

.NET Client / Web App - Authorization with WSO2 Identity Server, XACML Engine

1. Download the WSO2 Identity Server 3.0.1 from http://wso2.com/products/identity-server/

2. Start the Identity Server and go to https://localhost:9443/carbon - then go to Policies --> Entitlement and add a new XACML Policy - then replace the default one with the one below.

The XACML policy below addresses the following authorization requirements.

- The operations getVersion1 and getVersion2 in the service /services/Customers can be accessed by any user

- Any other service or operation should be accessible only to users belonging to the group admin_emps or admin, or both
<?xml version="1.0" encoding="UTF-8"?>
<Policy PolicyId="urn:sample:xacml:2.0:samplepolicy"
  RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable" xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os">
  <Description>Sample XACML Authorization Policy</Description>
  <Target>
    <Subjects>
      <AnySubject/>
    </Subjects>
    <Actions>
      <AnyAction/>
    </Actions>
    <Resources>
      <AnyResource/>
    </Resources>
  </Target>
  <Rule Effect="Permit" RuleId="primary-resource-rule">
    <Target>
      <Subjects>
        <AnySubject/>
      </Subjects>
      <Resources>
        <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of">
          <ResourceAttributeDesignator
            AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
          <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">/services/Customers/getVersion1</AttributeValue>
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">/services/Customers/getVersion2</AttributeValue>
          </Apply>
        </ResourceMatch>
      </Resources>
      <Actions>
        <AnyAction/>
      </Actions>
    </Target>
    <Condition>
      <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of">
        <ResourceAttributeDesignator
          AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
        <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">/services/Customers/getVersion1</AttributeValue>
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">/services/Customers/getVersion2</AttributeValue>
        </Apply>
      </Apply>
    </Condition>
  </Rule>
  <Rule Effect="Permit" RuleId="primary-group-emps-rule">
    <Target>
      <Subjects>
        <AnySubject/>
      </Subjects>
      <Resources>
        <Resource>
          <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-regexp-match">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">/services/Customers/</AttributeValue>
            <ResourceAttributeDesignator
              AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
          </ResourceMatch>
        </Resource>
      </Resources>
      <Actions>
        <Action>
          <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">read</AttributeValue>
            <ActionAttributeDesignator
              AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
          </ActionMatch>
        </Action>
      </Actions>
    </Target>
    <Condition>
      <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of">
        <SubjectAttributeDesignator AttributeId="group" DataType="http://www.w3.org/2001/XMLSchema#string"/>
        <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">admin_emps</AttributeValue>
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">admin</AttributeValue>
        </Apply>
      </Apply>
    </Condition>
  </Rule>
  <Rule Effect="Deny" RuleId="deny-rule"/>
</Policy>

3. Download the .NET client from here - unzip it - edit the app.config to point to the correct EPRs where your Identity Server [XACML engine] is running.

4. You can parse the XML response returned from the XACML engine to get the decision.

Wednesday, November 10, 2010

Guide to write XACML policies in WSO2 Identity Server - Part - 7

This blog post is a follow up to the Guide to write XACML policies in WSO2 Identity Server - Part - 6.

This post addresses the following authorization requirements.

1. The operations getVersion1 and getVersion2 in the service http://localhost:8280/services/Customers should be accessible to any user

2. Any other service or operation should only be accessed by users belonging to the group admin_emps or admin (or both)
<Policy PolicyId="urn:sample:xacml:2.0:samplepolicy"
  RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable" xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os">
  <Description>Sample XACML Authorization Policy</Description>
  <Target>
    <Subjects>
      <AnySubject/>
    </Subjects>
    <Actions>
      <AnyAction/>
    </Actions>
    <Resources>
      <AnyResource/>
    </Resources>
  </Target>
  <Rule Effect="Permit" RuleId="primary-resource-rule">
    <Target>
      <Subjects>
        <AnySubject/>
      </Subjects>
      <Resources>
        <!-- A ResourceMatch may only compare one AttributeValue with a designator, so the
             check that resource-id is getVersion1 or getVersion2 is made in the Condition below. -->
        <AnyResource/>
      </Resources>
      <Actions>
        <AnyAction/>
      </Actions>
    </Target>
    <Condition>
      <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of">
        <ResourceAttributeDesignator
          AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
        <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">http://localhost:8280/services/Customers/getVersion1</AttributeValue>
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">http://localhost:8280/services/Customers/getVersion2</AttributeValue>
        </Apply>
      </Apply>
    </Condition>
  </Rule>
  <Rule Effect="Permit" RuleId="primary-group-emps-rule">
    <Target>
      <Subjects>
        <AnySubject/>
      </Subjects>
      <Resources>
        <AnyResource/>
      </Resources>
      <Actions>
        <Action>
          <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">read</AttributeValue>
            <ActionAttributeDesignator
              AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
          </ActionMatch>
        </Action>
      </Actions>
    </Target>
    <Condition>
      <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of">
        <SubjectAttributeDesignator AttributeId="group" DataType="http://www.w3.org/2001/XMLSchema#string"/>
        <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">admin_emps</AttributeValue>
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">admin</AttributeValue>
        </Apply>
      </Apply>
    </Condition>
  </Rule>
  <Rule Effect="Deny" RuleId="deny-rule"/>
</Policy>

Guide to write XACML policies in WSO2 Identity Server - Part - 6

This blog post is a follow up to the Guide to write XACML policies in WSO2 Identity Server - Part - 5.

This post addresses the following authorization requirements.

1. The operation getEmployees in the service http://localhost:8280/services/Customers should only be accessed by users belonging to the group admin_emps or admin (or both)

2. Request to any other service or operation should fail

3. But the users admin1 and admin2 should be able to access any resource irrespective of their role
<?xml version="1.0" encoding="UTF-8"?>
<Policy PolicyId="urn:sample:xacml:2.0:samplepolicy"
  RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable" xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os">
  <Description>Sample XACML Authorization Policy</Description>
  <Target>
    <Subjects>
      <AnySubject/>
    </Subjects>
    <Actions>
      <AnyAction/>
    </Actions>
    <Resources>
      <AnyResource/>
    </Resources>
  </Target>
  <Rule Effect="Permit" RuleId="primary-user-rule">
    <Target>
      <Subjects>
        <!-- A SubjectMatch may only compare one AttributeValue with a designator, so the
             check that subject-id is admin1 or admin2 is made in the Condition below. -->
        <AnySubject/>
      </Subjects>
      <Resources>
        <AnyResource/>
      </Resources>
      <Actions>
        <AnyAction/>
      </Actions>
    </Target>
    <Condition>
      <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of">
        <SubjectAttributeDesignator
          AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
        <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">admin1</AttributeValue>
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">admin2</AttributeValue>
        </Apply>
      </Apply>
    </Condition>
  </Rule>
  <Rule Effect="Permit" RuleId="primary-group-emps-rule">
    <Target>
      <Subjects>
        <AnySubject/>
      </Subjects>
      <Resources>
        <Resource>
          <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-regexp-match">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">http://localhost:8280/services/Customers/getEmployees</AttributeValue>
            <ResourceAttributeDesignator
              AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
          </ResourceMatch>
        </Resource>
      </Resources>
      <Actions>
        <Action>
          <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">read</AttributeValue>
            <ActionAttributeDesignator
              AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
          </ActionMatch>
        </Action>
      </Actions>
    </Target>
    <Condition>
      <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of">
        <SubjectAttributeDesignator AttributeId="group" DataType="http://www.w3.org/2001/XMLSchema#string"/>
        <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">admin_emps</AttributeValue>
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">admin</AttributeValue>
        </Apply>
      </Apply>
    </Condition>
  </Rule>
  <Rule Effect="Deny" RuleId="deny-rule"/>
</Policy>

Guide to write XACML policies in WSO2 Identity Server - Part - 5

This blog post is a follow up to the Guide to write XACML policies in WSO2 Identity Server - Part - 4.

This post addresses the following authorization requirements.

1. The operation getEmployees in the service http://localhost:8280/services/Customers should only be accessed by users belonging to the group admin_emps or admin (or both)

2. Request to any other service or operation should fail
<?xml version="1.0" encoding="UTF-8"?>
<Policy PolicyId="urn:sample:xacml:2.0:samplepolicy"
  RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable" xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os">
  <Description>Sample XACML Authorization Policy</Description>
  <Target>
    <Subjects>
      <AnySubject/>
    </Subjects>
    <Actions>
      <AnyAction/>
    </Actions>
    <Resources>
      <AnyResource/>
    </Resources>
  </Target>
  <Rule Effect="Permit" RuleId="primary-group-emps-rule">
    <Target>
      <Subjects>
        <AnySubject/>
      </Subjects>
      <Resources>
        <Resource>
          <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-regexp-match">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">http://localhost:8280/services/Customers/getEmployees</AttributeValue>
            <ResourceAttributeDesignator
              AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
          </ResourceMatch>
        </Resource>
      </Resources>
      <Actions>
        <Action>
          <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">read</AttributeValue>
            <ActionAttributeDesignator
              AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
          </ActionMatch>
        </Action>
      </Actions>
    </Target>
    <Condition>
      <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of">
        <SubjectAttributeDesignator AttributeId="group" DataType="http://www.w3.org/2001/XMLSchema#string"/>
        <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">admin_emps</AttributeValue>
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">admin</AttributeValue>
        </Apply>
      </Apply>
    </Condition>
  </Rule>
  <Rule Effect="Deny" RuleId="deny-rule"/>
</Policy>

Guide to write XACML policies in WSO2 Identity Server - Part - 4

This blog post is a follow up to the Guide to write XACML policies in WSO2 Identity Server - Part - 3.

This post addresses the following authorization requirements.

1. The operation getEmployees in the service http://localhost:8280/services/Customers should only be accessed by users belonging to both the groups admin_emps and admin

2. If the user belongs to any group in addition to admin_emps and admin, the request should fail

3. Request to any other service or operation should fail
<?xml version="1.0" encoding="UTF-8"?>
<Policy PolicyId="urn:sample:xacml:2.0:samplepolicy"
  RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable" xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os">
  <Description>Sample XACML Authorization Policy</Description>
  <Target>
    <Subjects>
      <AnySubject/>
    </Subjects>
    <Actions>
      <AnyAction/>
    </Actions>
    <Resources>
      <AnyResource/>
    </Resources>
  </Target>
  <Rule Effect="Permit" RuleId="primary-group-emps-rule">
    <Target>
      <Subjects>
        <AnySubject/>
      </Subjects>
      <Resources>
        <Resource>
          <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-regexp-match">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">http://localhost:8280/services/Customers/getEmployees</AttributeValue>
            <ResourceAttributeDesignator
              AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
          </ResourceMatch>
        </Resource>
      </Resources>
      <Actions>
        <Action>
          <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">read</AttributeValue>
            <ActionAttributeDesignator
              AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
          </ActionMatch>
        </Action>
      </Actions>
    </Target>
    <Condition>
      <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-set-equals">
        <SubjectAttributeDesignator AttributeId="group" DataType="http://www.w3.org/2001/XMLSchema#string"/>
        <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">admin_emps</AttributeValue>
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">admin</AttributeValue>
        </Apply>
      </Apply>
    </Condition>
  </Rule>
  <Rule Effect="Deny" RuleId="deny-rule"/>
</Policy>

Guide to write XACML policies in WSO2 Identity Server - Part - 3

This blog post is a follow up to the Guide to write XACML policies in WSO2 Identity Server - Part - 2.

This post addresses the following authorization requirements.

1. The operation getCustomers in the service http://localhost:8280/services/Customers should only be accessed by users belonging to the group admin_customers

2. The operation getEmployees in the service http://localhost:8280/services/Customers should only be accessed by users belonging to the group admin_emps

3. Request to any other service or operation should fail
<?xml version="1.0" encoding="UTF-8"?>
<Policy PolicyId="urn:sample:xacml:2.0:samplepolicy"
  RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable" xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os">
  <Description>Sample XACML Authorization Policy</Description>
  <Target>
    <Subjects>
      <AnySubject/>
    </Subjects>
    <Actions>
      <AnyAction/>
    </Actions>
    <Resources>
      <AnyResource/>
    </Resources>
  </Target>
  <Rule Effect="Permit" RuleId="primary-group-customer-rule">
    <Target>
      <Subjects>
        <AnySubject/>
      </Subjects>
      <Resources>
        <Resource>
          <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-regexp-match">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">http://localhost:8280/services/Customers/getCustomers</AttributeValue>
            <ResourceAttributeDesignator
              AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
          </ResourceMatch>
        </Resource>
      </Resources>
      <Actions>
        <Action>
          <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">read</AttributeValue>
            <ActionAttributeDesignator
              AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
          </ActionMatch>
        </Action>
      </Actions>
    </Target>
    <Condition>
      <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-subset">
        <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">admin_customers</AttributeValue>
        </Apply>
        <SubjectAttributeDesignator AttributeId="group" DataType="http://www.w3.org/2001/XMLSchema#string"/>
      </Apply>
    </Condition>
  </Rule>
  <Rule Effect="Permit" RuleId="primary-group-emps-rule">
    <Target>
      <Subjects>
        <AnySubject/>
      </Subjects>
      <Resources>
        <Resource>
          <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-regexp-match">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">http://localhost:8280/services/Customers/getEmployees</AttributeValue>
            <ResourceAttributeDesignator
              AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
          </ResourceMatch>
        </Resource>
      </Resources>
      <Actions>
        <Action>
          <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">read</AttributeValue>
            <ActionAttributeDesignator
              AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
          </ActionMatch>
        </Action>
      </Actions>
    </Target>
    <Condition>
      <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-subset">
        <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">admin_emps</AttributeValue>
        </Apply>
        <SubjectAttributeDesignator AttributeId="group" DataType="http://www.w3.org/2001/XMLSchema#string"/>
      </Apply>
    </Condition>
  </Rule>
  <Rule Effect="Deny" RuleId="deny-rule"/>
</Policy>
Following are a few valid requests, each of which results in Permit, Not Applicable or Deny when evaluated against the above policy.

XACML request - 1
Resource : http://localhost:8280/services/Customers/getCustomers
User : "admin" belongs only to "admin_customers" group
Result : Permit
<Request xmlns="urn:oasis:names:tc:xacml:2.0:context:schema:os"
 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
 <Subject>
  <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
   DataType="http://www.w3.org/2001/XMLSchema#string">
   <AttributeValue>admin</AttributeValue>
  </Attribute>
  <Attribute AttributeId="group"
   DataType="http://www.w3.org/2001/XMLSchema#string">
   <AttributeValue>admin_customers</AttributeValue>
  </Attribute>
 </Subject>
 <Resource>
  <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
   DataType="http://www.w3.org/2001/XMLSchema#string">
   <AttributeValue>http://localhost:8280/services/Customers/getCustomers</AttributeValue>
  </Attribute>
 </Resource>
 <Action>
  <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
   DataType="http://www.w3.org/2001/XMLSchema#string">
   <AttributeValue>read</AttributeValue>
  </Attribute>
 </Action>
 <Environment />
</Request> 

XACML request - 2
Resource : http://localhost:8280/services/Customers/getCustomers
User : "admin" belongs only to "admin_emps" group
Result : Deny
<Request xmlns="urn:oasis:names:tc:xacml:2.0:context:schema:os"
 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
 <Subject>
  <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
   DataType="http://www.w3.org/2001/XMLSchema#string">
   <AttributeValue>admin</AttributeValue>
  </Attribute>
  <Attribute AttributeId="group"
   DataType="http://www.w3.org/2001/XMLSchema#string">
   <AttributeValue>admin_emps</AttributeValue>
  </Attribute>
 </Subject>
 <Resource>
  <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
   DataType="http://www.w3.org/2001/XMLSchema#string">
   <AttributeValue>http://localhost:8280/services/Customers/getCustomers</AttributeValue>
  </Attribute>
 </Resource>
 <Action>
  <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
   DataType="http://www.w3.org/2001/XMLSchema#string">
   <AttributeValue>read</AttributeValue>
  </Attribute>
 </Action>
 <Environment />
</Request> 

Guide to write XACML policies in WSO2 Identity Server - Part - 2

This blog post is a follow up to the Guide to write XACML policies in WSO2 Identity Server 2.0 - Part - I; you may also want to go through the following:

- Using XACML Fine Grained Authorization with the WSO2 Product Platform
- Identity Server 2.0 as an XACML engine
- Anatomy of the XACML Request

Here I present a XACML policy which addresses the following requirement.

"A given resource can be accessed only by users belonging to a particular role, and all requests to any resource other than this one should fail"
<Policy PolicyId="urn:sample:xacml:2.0:samplepolicy"
 RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable"
 xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os">
 <Description>Sample XACML Authorization Policy</Description>
 <Target>
  <Subjects>
   <AnySubject />
  </Subjects>
  <Actions>
   <AnyAction />
  </Actions>
  <Resources>
   <AnyResource />
  </Resources>
 </Target>
 <Rule Effect="Permit" RuleId="primary-group-rule">
  <Target>
   <Subjects>
    <AnySubject />
   </Subjects>
   <Resources>
   <Resource>
    <ResourceMatch
     MatchId="urn:oasis:names:tc:xacml:1.0:function:string-regexp-match">
     <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">http://localhost:8280/services/echo/</AttributeValue>
     <ResourceAttributeDesignator
      AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
      DataType="http://www.w3.org/2001/XMLSchema#string" />
    </ResourceMatch>
   </Resource>
   </Resources>
   <Actions>
    <Action>
     <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">read</AttributeValue>
      <ActionAttributeDesignator
       AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
       DataType="http://www.w3.org/2001/XMLSchema#string" />
     </ActionMatch>
    </Action>
   </Actions>
  </Target>
  <Condition>
   <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-subset">
    <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag">
     <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">admin</AttributeValue>
    </Apply>
    <SubjectAttributeDesignator AttributeId="group"
     DataType="http://www.w3.org/2001/XMLSchema#string" />
   </Apply>
  </Condition>
 </Rule>
 <Rule Effect="Deny" RuleId="deny-rule" />
</Policy>
Following are a few valid requests, each of which results in Permit, Not Applicable or Deny when evaluated against the above policy.

XACML request - 1
Resource : http://localhost:8280/services/echo/
User : "admin" belongs only to "admin" group
Result : Permit
<Request xmlns="urn:oasis:names:tc:xacml:2.0:context:schema:os"
 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
 <Subject>
  <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
   DataType="http://www.w3.org/2001/XMLSchema#string">
   <AttributeValue>admin</AttributeValue>
  </Attribute>
  <Attribute AttributeId="group"
   DataType="http://www.w3.org/2001/XMLSchema#string">
   <AttributeValue>admin</AttributeValue>
  </Attribute>
 </Subject>
 <Resource>
  <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
   DataType="http://www.w3.org/2001/XMLSchema#string">
   <AttributeValue>http://localhost:8280/services/echo/</AttributeValue>
  </Attribute>
 </Resource>
 <Action>
  <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
   DataType="http://www.w3.org/2001/XMLSchema#string">
   <AttributeValue>read</AttributeValue>
  </Attribute>
 </Action>
 <Environment />
</Request> 

XACML request - 2
Resource : http://localhost:8280/services/echo/
User : "admin" belongs to "admin" group and "business" group
Result : Permit
<Request xmlns="urn:oasis:names:tc:xacml:2.0:context:schema:os"
 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
 <Subject>
  <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
   DataType="http://www.w3.org/2001/XMLSchema#string">
   <AttributeValue>admin</AttributeValue>
  </Attribute>
  <Attribute AttributeId="group"
   DataType="http://www.w3.org/2001/XMLSchema#string">
   <AttributeValue>admin</AttributeValue>
  </Attribute>
  <Attribute AttributeId="group"
   DataType="http://www.w3.org/2001/XMLSchema#string">
   <AttributeValue>business</AttributeValue>
  </Attribute>
 </Subject>
 <Resource>
  <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
   DataType="http://www.w3.org/2001/XMLSchema#string">
   <AttributeValue>http://localhost:8280/services/echo/</AttributeValue>
  </Attribute>
 </Resource>
 <Action>
  <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
   DataType="http://www.w3.org/2001/XMLSchema#string">
   <AttributeValue>read</AttributeValue>
  </Attribute>
 </Action>
 <Environment />
</Request>

XACML request - 3
Resource : http://localhost:8280/services/test/
User : "admin" belongs to "admin" group
Result : Deny
<Request xmlns="urn:oasis:names:tc:xacml:2.0:context:schema:os"
 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
 <Subject>
  <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
   DataType="http://www.w3.org/2001/XMLSchema#string">
   <AttributeValue>admin</AttributeValue>
  </Attribute>
  <Attribute AttributeId="group"
   DataType="http://www.w3.org/2001/XMLSchema#string">
   <AttributeValue>admin</AttributeValue>
  </Attribute>
 </Subject>
 <Resource>
  <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
   DataType="http://www.w3.org/2001/XMLSchema#string">
   <AttributeValue>http://localhost:8280/services/test/</AttributeValue>
  </Attribute>
 </Resource>
 <Action>
  <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
   DataType="http://www.w3.org/2001/XMLSchema#string">
   <AttributeValue>read</AttributeValue>
  </Attribute>
 </Action>
 <Environment />
</Request>

XACML request - 4
Resource : http://localhost:8280/services/echo/
User : "admin" belongs to "business" group
Result : Deny
<Request xmlns="urn:oasis:names:tc:xacml:2.0:context:schema:os"
 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
 <Subject>
  <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
   DataType="http://www.w3.org/2001/XMLSchema#string">
   <AttributeValue>admin</AttributeValue>
  </Attribute>
  <Attribute AttributeId="group"
   DataType="http://www.w3.org/2001/XMLSchema#string">
   <AttributeValue>business</AttributeValue>
  </Attribute>
 </Subject>
 <Resource>
  <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
   DataType="http://www.w3.org/2001/XMLSchema#string">
   <AttributeValue>http://localhost:8280/services/echo/</AttributeValue>
  </Attribute>
 </Resource>
 <Action>
  <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
   DataType="http://www.w3.org/2001/XMLSchema#string">
   <AttributeValue>read</AttributeValue>
  </Attribute>
 </Action>
 <Environment />
</Request>
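
The policies in Parts 2 to 6 above differ only in the bag function used in the Condition, and the decision for a given user depends on that choice more than on anything else in the policy. The following is an added example, not code from WSO2 Identity Server or its XACML engine: a minimal first-applicable evaluator in which each rule is a dict and the Condition is a Python callable, with the bag functions keeping the argument order the policies use (for string-subset the bag of required groups comes first, then the subject's group bag, so the test reads "required groups are a subset of the user's groups"). Assumptions: string-regexp-match is treated as an unanchored substring match, which is what the page's prefix patterns such as "/services/Customers/" rely on, and the request contexts are constructed from the requests listed above.

```python
"""Minimal first-applicable XACML evaluator for the policies in Parts 2 to 6.

Added example, not WSO2 Identity Server or sun-xacml code: rules are plain
dicts, the Condition is a callable, and only the functions the posts use exist.
"""
import re

PERMIT, DENY, NOT_APPLICABLE = "Permit", "Deny", "NotApplicable"


# --- the XACML functions the policies use (names are the URN suffixes) -----
def string_equal(a, b):
    return a == b

def string_regexp_match(pattern, value):
    # Assumption: unanchored (substring) matching, which the page's prefix
    # patterns such as "/services/Customers/" rely on.
    return re.search(pattern, value) is not None

def string_subset(bag_a, bag_b):
    """True if every value of bag_a is in bag_b (Parts 2 and 3)."""
    return set(bag_a) <= set(bag_b)

def string_at_least_one_member_of(bag_a, bag_b):
    """True if the bags share at least one value (Parts 5 to 7)."""
    return bool(set(bag_a) & set(bag_b))

def string_set_equals(bag_a, bag_b):
    """True if both bags hold exactly the same set of values (Part 4)."""
    return set(bag_a) == set(bag_b)


# --- rule evaluation and the first-applicable combining algorithm ----------
def evaluate_rule(rule, req):
    """Target first (any mismatch is NotApplicable), then the Condition."""
    target = rule.get("target", {})
    if "resource" in target and not string_regexp_match(target["resource"], req["resource-id"]):
        return NOT_APPLICABLE
    if "action" in target and not string_equal(target["action"], req["action-id"]):
        return NOT_APPLICABLE
    condition = rule.get("condition")
    if condition is not None and not condition(req):
        return NOT_APPLICABLE
    return rule["effect"]

def first_applicable(rules, req):
    """The first rule that is not NotApplicable decides, so the trailing
    Deny rule without a Target is the default answer."""
    for rule in rules:
        decision = evaluate_rule(rule, req)
        if decision != NOT_APPLICABLE:
            return decision
    return NOT_APPLICABLE


# --- the policies from the posts, written with the helpers above -----------
CUSTOMERS = "http://localhost:8280/services/Customers/"
GET_EMPLOYEES = CUSTOMERS + "getEmployees"
GET_CUSTOMERS = CUSTOMERS + "getCustomers"
ADMIN_GROUPS = ["admin_emps", "admin"]
DENY_RULE = {"effect": DENY}

def permit_rule(resource, condition):
    return {"effect": PERMIT, "target": {"resource": resource, "action": "read"},
            "condition": condition}

PART2 = [permit_rule("http://localhost:8280/services/echo/",
                     lambda r: string_subset(["admin"], r["group"])), DENY_RULE]
PART3 = [permit_rule(GET_CUSTOMERS, lambda r: string_subset(["admin_customers"], r["group"])),
         permit_rule(GET_EMPLOYEES, lambda r: string_subset(["admin_emps"], r["group"])),
         DENY_RULE]
PART4 = [permit_rule(GET_EMPLOYEES, lambda r: string_set_equals(r["group"], ADMIN_GROUPS)),
         DENY_RULE]
PART5 = [permit_rule(GET_EMPLOYEES, lambda r: string_at_least_one_member_of(r["group"], ADMIN_GROUPS)),
         DENY_RULE]
# Part 6 adds a rule with no Target: admin1 and admin2 may read any resource.
PART6 = [{"effect": PERMIT,
          "condition": lambda r: string_at_least_one_member_of([r["subject-id"]], ["admin1", "admin2"])},
         *PART5]

def request(resource, groups, subject="admin", action="read"):
    """Constructed request context; 'group' is a bag, like the repeated Attribute elements."""
    return {"subject-id": subject, "group": list(groups),
            "resource-id": resource, "action-id": action}

def part2_requests():
    """Decisions for the four requests listed under Part 2, in order."""
    echo, test = "http://localhost:8280/services/echo/", "http://localhost:8280/services/test/"
    return [first_applicable(PART2, request(res, groups)) for res, groups in
            [(echo, ["admin"]), (echo, ["admin", "business"]), (test, ["admin"]), (echo, ["business"])]]

def compare_parts(groups):
    """How Parts 3, 4 and 5 decide a read of getEmployees for the same group bag."""
    req = request(GET_EMPLOYEES, groups)
    return {name: first_applicable(policy, req)
            for name, policy in (("part3", PART3), ("part4", PART4), ("part5", PART5))}
```

Calling compare_parts(["admin_emps"]) shows the practical difference: Part 3 and Part 5 Permit, while Part 4's string-set-equals Denies because the user lacks admin; compare_parts(["admin_emps", "admin", "business"]) Denies under Part 4 for the opposite reason, the extra group. part2_requests() reproduces the Permit, Permit, Deny, Deny results listed above, and a request with action "write" falls through every Target to the Deny rule.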

Monday, November 8, 2010

Get Google search updates right on to iPad Flipboard

Flipboard is one of the best apps for iPad.

It helps you keep up with the overwhelming volume of data and information that grows day by day; getting exactly what you need is the challenge.

Flipboard pulls data from Twitter feeds, so you can add any Twitter account you are interested in.

Say you want all the feeds from the web on "SOA Security" - how do you get them into Flipboard?

1. Go to Google Alerts and create an alert for "SOA Security", set "Deliver To" to Feed, and capture the feed URL

2. Go to Twitter and create a new account - say @soa_security

3. Go to Twitter Feed, create a new account there, set the feed from [1] and set the Twitter account from [2]

4. Now you will get tweets for the search term you set, via Twitter

5. Go to Flipboard on the iPad, add a Section and set the Twitter account created in [2] - now you will get updates from the web on your search term on your iPad

Sunday, November 7, 2010

Making a self-signed certificate trusted - within all domain computers

Have you ever seen the "This Connection is Untrusted" error while visiting a web site in a browser?

The error varies depending on the browser you use, but the root cause is the same: you are trying to enter a web site that has an untrusted certificate.

This can be due to two reasons.

1. The certificate itself is invalid - that is, the CN in the certificate doesn't match the URL [even though it is signed by a trusted CA], or the certificate has expired.

Try visiting http://amazon.com - you will see the "This Connection is Untrusted" error. The reason is that the certificate for Amazon is issued to www.amazon.com, not to amazon.com, so with the above URL the host name doesn't match the CN in the certificate, which makes the browser prompt the error.

2. The certificate is not signed by a trusted CA

In our case, the certificate is not signed by a trusted CA.

Following are the steps to overcome both, in an intranet with an Active Directory setup and self-signed certificates.

To overcome [1], we need to make the CN of our certificate the same as our domain name [say, esb.example.com - just an example]

To overcome [2], we need to make our domain trust our self-signed certificate

All WSO2 products ship with a self-signed certificate, inside the wso2carbon.jks key store. The following explains how to create your own certificate for your domain to use with WSO2 ESB and make that certificate trusted by all the domain computers.

1. Let's do the first one first - we are going to create our own certificate under our domain name.

Make sure you have JAVA_HOME\bin in your PATH system variable.

In any command prompt, type the following:

:\> keytool -genkey -alias wso2carbon -keyalg RSA -keysize 1024 -dname "CN=esb.example.com,O=Example" -keypass wso2carbon -keystore wso2carbon.jks -storepass wso2carbon

The above will produce a file, wso2carbon.jks - copy it to ESB_HOME\resources\security

Note: If you use different values for -keypass and -storepass, you need to update ESB_HOME\repository\conf\carbon.xml accordingly.

2. Now we need to export the public certificate from the key store we just created. Go to the directory where you have wso2carbon.jks and type the following command in the command prompt.

:\> keytool -export -alias wso2carbon -keystore wso2carbon.jks -storepass wso2carbon -file wso2carbon.cer

This will produce a file, wso2carbon.cer, which is our public certificate - keep it ready for the next step.

3. On a domain controller running Windows Server 2008 R2 or Windows Server 2008, click Start, point to Administrative Tools, and then click Group Policy Management.

In the console tree, double-click Group Policy Objects in the forest and domain containing the Default Domain Policy Group Policy object (GPO) that you want to edit.

Right-click the Default Domain Policy GPO, and then click Edit.

In the Group Policy Management Console (GPMC), go to Computer Configuration [earlier it was User Configuration], Windows Settings, Security Settings, and then click Public Key Policies.

Go to Trusted Root Certification Authorities and import the public certificate you exported.

Done - [3] takes effect as soon as users log in again.

In our case with the ESB, you can now access it through https://esb.example.com:9443/carbon without any errors.
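
The two causes above are exactly what a browser checks before it shows the warning, and it helps to see them as separate tests. The following is an added example, not WSO2 code or anything the post ships: a small checker that takes a hand-made certificate record (a dict standing in for parsed X.509 fields) and reports which of the post's two reasons, plus expiry, applies for a given host name. The certificate records, the public CA name, the validity dates and the "today" value are all constructed for the example; ESB_CERT mirrors the -dname used in the keytool command above and, being self-signed, lists its own DN as issuer. One caveat the example encodes: browsers match the host name against the DNS entries of the subjectAlternativeName extension and consult the subject CN only when no such entry exists, so a certificate created with only -dname as above relies on that legacy fallback (newer keytool versions can add the extension with -ext SAN=dns:esb.example.com).

```python
"""Why a browser shows "This Connection is Untrusted": name mismatch,
untrusted issuer, or expiry.  Added example with constructed records; not
WSO2 code.  Each cert is a dict standing in for parsed X.509 data."""
import datetime as dt


def _name_matches(pattern, hostname):
    """RFC 6125 style comparison: case-insensitive, and a wildcard is allowed
    only as the whole left-most label, so *.example.com covers esb.example.com
    but neither example.com nor a.b.example.com."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern == hostname:
        return True
    if not pattern.startswith("*."):
        return False
    labels = hostname.split(".")
    return len(labels) >= 3 and ".".join(labels[1:]) == pattern[2:]


def cert_hostnames(cert):
    """Browsers use the DNS entries of subjectAltName; the subject CN (the only
    name keytool -dname sets) is the fallback when no DNS entry is present."""
    dns_names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    cn = cert["subject"].get("CN")
    return dns_names or ([cn] if cn else [])


def hostname_matches(cert, hostname):
    return any(_name_matches(name, hostname) for name in cert_hostnames(cert))


def untrusted_reasons(cert, hostname, trusted_roots, today):
    """Empty list: the browser would accept the connection without a warning.
    Reason [1] of the post is 'name mismatch' or 'expired', reason [2] is
    'untrusted issuer'."""
    reasons = []
    if not hostname_matches(cert, hostname):
        reasons.append("name mismatch")
    if cert["notAfter"] < today:
        reasons.append("expired")
    if cert["issuer"] not in trusted_roots:
        reasons.append("untrusted issuer")
    return reasons


# Constructed records.  ESB_CERT mirrors the keytool -dname in the post and is
# self-signed, so its issuer is its own subject DN.  Dates are made up.
ESB_DN = "CN=esb.example.com,O=Example"
ESB_CERT = {"subject": {"CN": "esb.example.com"}, "issuer": ESB_DN,
            "notAfter": dt.date(2011, 2, 5)}
AMAZON_CERT = {"subject": {"CN": "www.amazon.com"}, "issuer": "CN=Public CA (constructed)",
               "notAfter": dt.date(2011, 12, 31)}
SAN_CERT = {"subject": {"CN": "esb.example.com"}, "issuer": ESB_DN,
            "subjectAltName": [("DNS", "esb.example.com"), ("DNS", "*.example.com")],
            "notAfter": dt.date(2011, 12, 31)}
PUBLIC_ROOTS = {"CN=Public CA (constructed)"}   # what a domain PC trusts out of the box
TODAY = dt.date(2010, 11, 7)                    # the post's date, used as "now"


def before_and_after_gpo_import(hostname):
    """Reasons for ESB_CERT before and after wso2carbon.cer is pushed to Trusted
    Root Certification Authorities via Group Policy (step 3 of the post)."""
    return (untrusted_reasons(ESB_CERT, hostname, PUBLIC_ROOTS, TODAY),
            untrusted_reasons(ESB_CERT, hostname, PUBLIC_ROOTS | {ESB_DN}, TODAY))
```

before_and_after_gpo_import("esb.example.com") goes from ["untrusted issuer"] to an empty list, which is the whole effect of step 3; the same call with "localhost" still reports a name mismatch afterwards, because trusting the issuer fixes reason [2] only, and the URL must use the CN (or a SAN entry) for reason [1] to go away.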

SOA security patterns - Part - I

It's been some time since I desperately wanted to get started with the $subject - but things got delayed till I got my blog cleaned up, fixing some missing images.

Sri Lanka lost the 3rd ODI today against the Aussies and the match turned out quite boring a few minutes after the start - fixing missing images in the blog was less boring than watching the match..

Here I am ready to blog again :-)

"In software engineering, a design pattern is a general reusable solution to a commonly occurring problem in software design. A design pattern is not a finished design that can be transformed directly into code. It is a description or template for how to solve a problem that can be used in many different situations."

That's Wikipedia for you...

SOA has its own patterns, and in the security space we have plenty too...

Let me list some of them which I will be discussing with further details in upcoming episodes of this series.

1. Direct authentication with user name and password - SOAP
2. Direct authentication with user name and password - REST
3. Direct authentication with certificates - SOAP
4. Direct authentication with certificates [mutual authentication] - REST
5. Indirect authentication with certificates
6. Federated authentication with WS-Trust
7. Indirect authentication with Kerberos
8. Authorization Enforcer pattern - fine grained authorization with XACML
9. REST client authenticating to a SOAP web service with user name and password
10. SOAP client authenticating to a RESTful service with user name and password
11. Securing a service with multiple security policies
12. SSL bridging
13. Trusted Sub System pattern
14. Message Interceptor Gateway pattern
15. Secure Message Router pattern
16. Assertion Builder pattern
17. Credential Tokenizer pattern
18. Secure Service Facade pattern
19. Audit Interceptor pattern
20. Interceptor Validator pattern
21. Secure Pipe pattern

We have implemented all those security patterns with WSO2 products in various client deployments.

In the upcoming sessions of the SOA Security Patterns series I will cover them all with implementation details.