how to properly secure a web service

md5 encryption and its pitfalls - rainbow tables and collisions..

Page 1 of 1

10 Replies - 2182 Views - Last Post: 24 August 2010 - 03:44 PM

#1 jeremy-t  Icon User is offline

  • New D.I.C Head

Reputation: 0
  • View blog
  • Posts: 28
  • Joined: 22-August 10

how to properly secure a web service

Posted 22 August 2010 - 05:41 PM

A company I recently worked for had a web service that they were securing with an md5 function. e.g.


 url - http://webservice.com/servicefunction.xml?id=123&msg=Hello&md5=a0dd9f...-the generated md5 function..


The idea is, that each user will be identified and basically 'logged on' to the service via a 16-character key that only they have. This 'security mechanism' works by computing the md5 of the request and the key, e.g.


 md5 = id123msgHelloa0dd9f...



(where it is a build of the request along with the key appended at the end. this is re-built on the server by re-generating the md5 and looking for a hash match)

I realize that this can be brute-forced, much like people are putting together rainbow tables and massive databases for passwords. However, the computational time to do something like this requires some serious processing power. But, the potential list of matches as a result of the brute force are relatively small, and can be tried one-by-one until a successful response is generated by the server.

The other thing is - since you already know everything that went into the md5 hash, including the md5 result, directly in the url, is it possible to create a tunneling program much like the way people are building md5 collision programs, to accomplish the same task of finding the 4-5 unknown blocks that went into the md5? I would expect if that is possible, it should generate a list of possible keys just like standard brute forcing, and also take considerably less processing time... but is that a possibility?

I was suggesting that this web service be protected by public/private key encryption - it needs to be something that is presently implemented in javascript, as calls need to be available strictly by javascript as well.

What are your suggestions? Is it reasonable to suggest that using md5 hashes in this manner to secure a web service is inherently insecure? And, is there a better mechanism as an alternative security option than public/private key encryption in this case?

Thank you all for your input and suggestions...

Is This A Good Question/Topic? 0
  • +

Replies To: how to properly secure a web service

#2 macosxnerd101  Icon User is offline

  • Self-Trained Economist
  • member icon




Reputation: 10183
  • View blog
  • Posts: 37,596
  • Joined: 27-December 08

Re: how to properly secure a web service

Posted 22 August 2010 - 05:42 PM

Moved to Web Development. Also note that Java != Javascript.
Was This Post Helpful? 0
  • +
  • -

#3 jeremy-t  Icon User is offline

  • New D.I.C Head

Reputation: 0
  • View blog
  • Posts: 28
  • Joined: 22-August 10

Re: how to properly secure a web service

Posted 22 August 2010 - 05:51 PM

It's actually both in this case, I would like it to stay in the Java forum - Implementations on the server is done in java, client can be done in java, .net, c++, etc., including javascript - i just mentioned javascript since a potential solution needs to be doable in javascript. Primary implementations are all done completely in java on the client and server...
Was This Post Helpful? 0
  • +
  • -

#4 macosxnerd101  Icon User is offline

  • Self-Trained Economist
  • member icon




Reputation: 10183
  • View blog
  • Posts: 37,596
  • Joined: 27-December 08

Re: how to properly secure a web service

Posted 22 August 2010 - 05:53 PM

Didn't realize that. I'll go ahead and move back to Java then. :)
Was This Post Helpful? 2
  • +
  • -

#5 jeremy-t  Icon User is offline

  • New D.I.C Head

Reputation: 0
  • View blog
  • Posts: 28
  • Joined: 22-August 10

Re: how to properly secure a web service

Posted 22 August 2010 - 05:57 PM

Thanks!
Was This Post Helpful? 0
  • +
  • -

#6 macosxnerd101  Icon User is offline

  • Self-Trained Economist
  • member icon




Reputation: 10183
  • View blog
  • Posts: 37,596
  • Joined: 27-December 08

Re: how to properly secure a web service

Posted 22 August 2010 - 06:21 PM

After talking more with jeremy-t, I am going to move this back to Web Development.
Was This Post Helpful? 0
  • +
  • -

#7 jeremy-t  Icon User is offline

  • New D.I.C Head

Reputation: 0
  • View blog
  • Posts: 28
  • Joined: 22-August 10

Re: how to properly secure a web service

Posted 24 August 2010 - 12:59 PM

*bump*

I did a little more looking into it, my remaining questions are as follows:

1. Would you consider using md5 in this manner an insecure approach either today or in the future
2. Is this mechanism vulnerable to a chosen-prefix collision attack (md5 collision attack)?
3. Using an encryption algorithm instead of hashing would also give the benefit of encrypting the message part - what encryption method would you suggest in this case - i.e. public/private key, aes?

Thanks for any input,
Was This Post Helpful? 0
  • +
  • -

#8 Dormilich  Icon User is offline

  • 痛覚残留
  • member icon

Reputation: 3392
  • View blog
  • Posts: 9,586
  • Joined: 08-June 10

Re: how to properly secure a web service

Posted 24 August 2010 - 01:57 PM

you should use a better hashing algorithm than MD5. SHA256 and above as well as RIPEMD160 and above are pretty good. bear in mind that encryption can be reverted, so the "password" is only secure as long as the encryption keys are secure.
Was This Post Helpful? 2
  • +
  • -

#9 jeremy-t  Icon User is offline

  • New D.I.C Head

Reputation: 0
  • View blog
  • Posts: 28
  • Joined: 22-August 10

Re: how to properly secure a web service

Posted 24 August 2010 - 02:13 PM

In this situation, the signature parameter is a 16-character key composed of lower-case letters and numbers. This is a key that exists somewhere on the client machine and on the server's database for each user.

With encryption, the encryption keys would likely also be stored in the database on the server, and again somewhere on the client's machine.

i.e. for both the current hash-based situation or an encryption-based situation, access of either the client's machine or server's database compromises everything. There's not much of a difference in that part.

Thanks for the input - would you say it would still be good to use a hashing method if a better algorithm is used? And, let's say there is sensitive information in the url that may want to be encrypted - what would be the best way of using an encryption method instead, if that is desired?

Keep it coming, fellas - I welcome any valuable input..
Was This Post Helpful? 0
  • +
  • -

#10 JackOfAllTrades  Icon User is offline

  • Saucy!
  • member icon

Reputation: 5954
  • View blog
  • Posts: 23,217
  • Joined: 23-August 08

Re: how to properly secure a web service

Posted 24 August 2010 - 03:21 PM

As it stands, based on what you said, it's subject to replay attack. I would recommend visiting OWASP for some ideas on this.
Was This Post Helpful? 1
  • +
  • -

#11 jeremy-t  Icon User is offline

  • New D.I.C Head

Reputation: 0
  • View blog
  • Posts: 28
  • Joined: 22-August 10

Re: how to properly secure a web service

Posted 24 August 2010 - 03:44 PM

You are exactly correct about the replay attack..

Making matters worse - currently, their service is transmitted over http. The response even - which contains sensitive information, all available with a simple packet sniffer.

However, even if they use ssl to protect the webservice (it is a web service that needs to be available via just a 'get' request message), they are still vulnerable to a replay attack since ssl doesn't encrypt the url or url parameters, and are then still able to find out the sensitive information in the response immediately..

Good answer - this is leaning me towards aes...
Was This Post Helpful? 0
  • +
  • -

Page 1 of 1