Creating a SOAP type login method 2


1DMF

Programmer
Jan 18, 2005

Hi,

How would I go about creating a script which would allow a SOAP connection?

I need a 3rd party website to log into our system without displaying a QS in the browser.

Basically our system would allow a URL with UserID & Password on the QS and log the user in.

My concern is if you did that the URL shown in the browser would show someone's userid and password.

So how do I write a script that will allow connection from a 3rd party server, log the user in securely and then redirect the browser to the extranet without showing user credentials on the QS.

I'm wondering how you go about creating such a module / script, so I can perform login securely and remotely.

How would you enforce they connect to you via a SOAP type method and not QS or post data to call the script ?

All suggestions welcome.

thanks, 1DMF

"In complete darkness we are all the same, only our knowledge and wisdom separates us, don't let your eyes deceive you."

"If a shortcut was meant to be easy, it wouldn't be a shortcut, it would be the way!"

Google Rank Extractor -> Perl beta with FusionCharts
 
Hi

1DMF said:
I need a 3rd party website to log into our system without displaying a QS in the browser.

Basically our system would allow a URL with UserID & Password on the QS and log the user in.
Better use HTTP authentication instead. See RFC 2617. ( The Basic access authentication and Digest access authentication Wikipedia articles have simple communication examples too. )

Feherke.
 
Thanks Feherke.

So I get there is a Base64 encoding, so where does this encoding take place?

Do they send the encoded string as a QS to my perl script?

How does the perl script then decode it?

This will all be done over https.

Can you give me an example of how you would implement this.

Cheers,
1DMF


 
Hi

1DMF said:
So I get there is a Base64 encoding
HTTP authentication is a process, the encoding is only a minor piece.
1DMF said:
where does this encoding take place?
Client-side. Note that the use of digest HTTP authentication, where no base64 encoding is involved, is highly encouraged.

Please read the RFC. If you ask me, it is not optional.

However, your task should be as simple as configuring your web server to password protect the given script. Or you may find modules like CGI::Authent to do it programmatically.

Feherke.
 
Hi Feherke,

I think that this method is not possible.

I say this because if you mean using windows authentication for users, I understood this requires a user licence per user which the company is not prepared to pay for, with over 200 members @ £25-£50 per CAL, that's 1,000's of pounds.

If this isn't what you mean when you say password protecting the IIS6 web server, then I'm not sure I understand.

I appreciate reading the RFC may not be optional but reading something and understanding it are two different things ;-)

If the method you describe requires server user CALS for each user so I can add them to the group for the protected script, then I think I need a different approach :-(

I was thinking I can process the request they send, log the user in, and use cookies so I can redirect the browser and read the cookie to get current user details.

Do you see this as an option?



 
Hi

1DMF said:
if you mean using windows authentication
Certainly not.
1DMF said:
password protecting the IIS6 web server
I know nothing about IIS, but HTTP authentication is available ( probably ) in every web server. For example in Apache it is configured like this :
Code:
<Files passthesoap.pl>
  AuthName "Customers Only"
  AuthType Basic
  AuthBasicProvider file
  AuthUserFile .htpass
  Require valid-user
</Files>
1DMF said:
I appreciate reading the RFC may not be optional but reading something and understanding it are two different things
Yes, RFC can be quite prosaic. That is why I suggested looking at the communication examples in the Wikipedia articles.

How could I explain it... HTTP authentication is when your browser displays a native browser dialog with two input fields, one for user name and one for password. And if you cancel it, you get a 401 Authorization Required error document.


Feherke.
 
HTTP authentication is when your browser displays a native browser dialog with two input fields, one for user name and one for password. And if you cancel it, you get a 401 Authorization Required error document.
hmm I think we are talking the same thing then, however to authenticate user names and passwords on a windows IIS server in this manner, you have to create a user account on the windows box.


For each account created you need to buy a User CAL (Client Access Licence). The server only comes with 5 CALS out the box.

As I understand it you can use .htaccess file to control usernames and passwords on Apache/*nix boxes, it's not that easy on Windows.

Unless I'm mistaken and our web host has misinformed me, I certainly hope that's the case, so if anyone can confirm this, it's much appreciated.

 
Hi

Ouch. You are right. I found it on MSDN :
IIS Authentication said:
Requires the creation of individual Windows accounts for each user.
I can say just two words : 1) stupid; 2) robbery.

( Why am I surprised ? URL rewriting is similar : free/included in price in most web servers, extra charged in IIS. )
1DMF said:
As I understand it you can use .htaccess file to control usernames and passwords on Apache/*nix boxes, it's not that easy on Windows.
Actually, it is the case of Apache on any operating system. And not only Apache. All web servers I saw/read about so far, used their own account lists, primarily stored in file, optionally in a database.

Sorry for beating this dead horse for so long.

If you will have to send userid and password in the URL, you could implement a challenge :
- client : requests the document without authentication information
- server : sends back a challenge string ( a random ( hopefully unique ) number/string )
- client : requests the document together with userid and password encrypted as md5($challenge.$password)
- server : calculates the encrypted password of the given user and compares it with the received one
As you can see, there is an extra step, because the server has to send the challenge before the client can send the authentication data.

Feherke.
 
No probs, and I agree, it's total daylight robbery of MS to have it work this way, the cost of owning an IIS server and using proper windows user authentication is disgusting!

But I just wanted to be sure it was a dead horse, before I discounted its use, there is no way the company will pay for MS user CALs for nearly 250 members!

I get your concept, but how does the client encrypt with MD5? and how does perl decrypt?

Also how do you tell a perl script to only allow POST method and the url must be SSL (HTTPS)?

I'm thinking if I can enforce POST method and encryption, then they can simply post me the username and password over SSL that way the page URL won't show a query string.

Then I don't have to worry how they manage to post me the data with whatever system they are using (.NET) I believe.

Because I can set the script to only work if it is posted over HTTPS.

Now I know how to set the HTTPS on the IIS box, so I could potentially lock encryption down that way, I just need to know how to use the CGI module and enforce POST data as by standard it accepts both GET/POST data.

Is it done by the Vars method?

my %hash = $cgi->Vars;

I usually use $cgi->param('my_var') but that works on both GET & POST data.

 
Hi

1DMF said:
I get your concept, but how does the client encrypt with MD5?
Who cares ? ;-) You are developing the server-side part. Anyway, if they use Perl, then with Digest::MD5, if they use PHP, then with md5(), and so on...
1DMF said:
and how does perl decrypt?
Sorry for the wrong wording. MD5 is hashing, not encryption, so there is no decryption.

The server will do the same hashing as the client did : it knows the challenge ( yepp, it has to be stored locally until the client replies to the challenge ) and the password ( from its local database ). Then the resulting hash is compared with the one received from the client.
1DMF said:
Also how do you tell a perl script to only allow POST method and the url must be SSL (HTTPS)?
That should be configured in the web server. Programmatically :
Code:
die 'Method Not Allowed' unless $ENV{'REQUEST_METHOD'} eq 'POST';
Code:
use CGI;

my $cgi=CGI->new;

if ($cgi->request_method() ne 'POST') {
  print $cgi->header(-status=>'405 Method Not Allowed');
  exit;
}

Feherke.
 
By using MD5, you only ever send the hash across the wire. The client and the server both know all the plaintext that is used to create the hash, but because only the challenge is ever sent as plaintext it can't be hacked by a listener. MD5 hashing is a one-way operation, and so can't be decrypted.

The client hashes the challenge (a GUID perhaps), his userid and password. The server receives the hash, and then independently performs the same hashing operation as the client. If the resulting hashes match, then the user is authenticated. This is similar but not quite like how Kerberos works - the password is never actually sent across the wire.

Steve

"Every program can be reduced by one instruction, and every program has at least one bug. Therefore, any program can be reduced to one instruction which doesn't work." (Object::perlDesignPatterns)
 
got ya!

Thanks guys.

D'oh, didn't cross my mind to check the $ENV hash!

Is there a shared key that is used in the hashing process , that we both need to know about, or is it simply having a string and telling the server / module to 'MD5' it.

 
Hi

1DMF said:
Is there a shared key that is used in the hashing process
No. MD5 is a checksum, like the CRC used in the old times on DOS. The original content is not preserved. ( The MD5 of the string '1DMF' and the MD5 of War and Peace by Leo Tolstoy are both 32 hex digits long. ) That is why it can not be reversed and it does not need an encryption key.

Feherke.
 
wicked, just what I was looking for.

But I'm curious, if 1DMF (MD5'd) always equals the same 32 hex digit checksum, how is it not able to be reversed?

Also, I assume they MD5 the username/pword string, and pass me the hash, how do I unhash it to know what user they are trying to log in and also check password.

Do I need to run some process which stores a user's credentials in the SQL DB as a MD5 hash, so I can then do a SQL lookup?

 
Hi

1DMF said:
Also, I assume they MD5 the username/pword string, and pass me the hash, how do I unhash it to know what user they are trying to log in and also check password.
The username should not be hashed. That is kind of public information anyway. ( Raise your hand if you do not know what 1DMF's username is on Tek-Tips. )

If you want, you can send that too as MD5 hash, but separately, not concatenated with the password and the challenge.
1DMF said:
Do I need to run some process which stores a user's credentials in the SQL DB as a MD5 hash, so I can then do a SQL lookup?
Yes, if you are sending the username too as MD5 hash, it is better to store it in the database too.

Storing the password only as MD5 hash is the suggested way. ( By security maniacs anyway. ) However this makes things a bit more complicated when a challenge comes into view.

For example having this data :
Code:
use Digest::MD5 qw(md5_hex);

$username='1DMF';
$password='padavan';
$salt=md5_hex(time.$$.rand);
$passsalt=md5_hex("$password $salt");
Code:
 username | passsalt                         | salt
----------+----------------------------------+----------------------------------
 1DMF     | 3e205f67daf9d6d59d1ff9783926f882 | 9959c098f7c14b7ddf93624adac82b6f

- server : thinks of a challenge $challenge=md5_hex(time.$$.rand); # 2a560205dd7718ecc098a0a5e30acf35, stores the challenge locally, sends challenge and credential.salt to client
- client : calculates the password's hash $passhash=md5_hex(md5_hex("$password $salt")." $challenge"); # f5da5e01262b6000ca39037882d8c364 and sends it to the server
- server : calculates the password's hash $passhash=md5_hex($credential{'passsalt'}." $challenge"); # f5da5e01262b6000ca39037882d8c364 and compares it with the one received from the client

This way the $password is neither sent nor stored and the credential.passsalt is not sent over the network.

The above is based on Paul Johnston's removed article, Login System. Which was replaced by the less clear Protecting Passwords.

As you can guess, the problem will be with the subscription. But I suppose that does not affect you in this case.


Feherke.
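The whole exchange Feherke describes (the plain challenge from the earlier post and the salted variant above) as one runnable Perl script. This is an added example, not code from the thread; the credential table and pending-challenge store are plain hashes standing in for the SQL DB, and the username/password pair is constructed sample data.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Digest::MD5 qw(md5_hex);

# "subscription" data: run once when the user registers (constructed sample).
# Only the salt and the salted hash are kept; the password itself is never stored.
my %credential;
sub register_user {
    my ($username, $password) = @_;
    my $salt     = md5_hex(time . $$ . rand);        # permanent, per-user salt
    my $passsalt = md5_hex("$password $salt");        # what the credential table holds
    $credential{$username} = { passsalt => $passsalt, salt => $salt };
    return 1;
}

# server, step 1: think of a challenge, remember it, send challenge + salt to the client.
my %pending;   # one outstanding challenge per user, valid for a single login attempt
sub issue_challenge {
    my ($username) = @_;
    my $cred = $credential{$username} or return;      # unknown user gets no challenge
    my $challenge = md5_hex(time . $$ . rand);
    $pending{$username} = $challenge;
    return ($challenge, $cred->{salt});
}

# client, step 2: hash (password + salt), then hash that together with the challenge.
sub client_response {
    my ($password, $salt, $challenge) = @_;
    return md5_hex( md5_hex("$password $salt") . " $challenge" );
}

# server, step 3: recompute from the stored passsalt and compare. The challenge is
# deleted on use, so replaying a captured response with the same challenge fails.
sub verify_login {
    my ($username, $passhash) = @_;
    my $cred      = $credential{$username}     or return 0;
    my $challenge = delete $pending{$username} or return 0;
    my $expected  = md5_hex( $cred->{passsalt} . " $challenge" );
    return $expected eq $passhash ? 1 : 0;
}

# Walk-through with the constructed user.
register_user('1DMF', 'padavan');
my ($challenge, $salt) = issue_challenge('1DMF');
my $response = client_response('padavan', $salt, $challenge);
print "correct password:  ", verify_login('1DMF', $response), "\n";
print "replayed response: ", verify_login('1DMF', $response), "\n";
($challenge, $salt) = issue_challenge('1DMF');
my $bad = client_response('padawan', $salt, $challenge);
print "wrong password:    ", verify_login('1DMF', $bad), "\n";
```

MD5 is used only because the thread builds on it; the same three steps work unchanged with a proper password-hashing function in place of md5_hex for the stored passsalt.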
 
So I need to accept a call to the script with a User ID requesting a user 'salt' hash. (store this hash in the User table)

I return the MD5 'salt' hash.

Then they resend a login request with a UserID & MD5 hash of the password and 'salt' hash.

The script then looks up the salt hash and does another MD5 hash of the salt hash and password, if it matches what is being passed, log them in.

I think I got it :)

Your help is much appreciated.

 
Hi

1DMF said:
MD5 hash of the password and 'salt' hash.
Actually should be :

MD5 hash of the (MD5 hash of the (password and 'salt' hash) and challenge)

Otherwise the same salted password would be used every time. For the attacker there would be no difference.

In case I was not clear : the salt is permanent, the challenge is valid for a single login attempt.


Feherke.
 
But I thought the salt was a hash of the epoch time using random somehow, I haven't quite got my head round
Code:
$salt=md5_hex(time.$$.rand);

I thought the salt was unique and changed every challenge.

Is that not a good approach?

So 3rd party system requests a random MD5 hash (salt), I store the random salt hash in the DB.

They use that hash in combination with the password to create another hash and pass that back as the login credentials.

I look up the stored salt hash I recorded, create another hash based on that and the password in the DB and see if it matches the hash being supplied as the login credentials.

Is this not right?

 
Hi

1DMF said:
Code:
$salt=md5_hex(time.$$.rand);
(...)
I thought the salt was unique and changed every challenge.
The code you quoted I labeled "subscription data". I mean that code is executed only when registering the user. That data is then stored in the database as in the sample labeled as "credential table".

The authentication's steps are those enumerated in the unordered list.

Feherke.
 
Gotcha,

Should have paid more attention to the label

Thanks,

Feherke

 