LabVIEW

cancel
Showing results for 
Search instead for 
Did you mean: 

Web services login from python

Jeff,

 

Thank you for expressing your concern regarding this issue.  We appreciate the detailed explanation of the problem and we are looking into the issue further.  

 

Regards,

 

Jacob S.

Applications Engineering

National Instruments

0 Kudos
Message 11 of 27
(2,481 Views)

Thanks so much! FWIW, my research partner is leaving for Beijing Saturday to negotiate with the contract on the implementation of our technology in China, and I'm giving a lecture at a MGH-MIT institute on the technology barriers to implementing distributed medical devices in two weeks. Some clarity would be beneficial.

 

Jeff

0 Kudos
Message 12 of 27
(2,476 Views)

Jeff,

 

I have passed along the issue to another team for a deeper investigation.  If this issue affects a project you are working on and you want to discuss this issue further with NI, feel free to create a service request.  A service request will be the most effective way to clarify how this situation could affect your application.

 

Regards,

 

Jacob S.

Applications Engineering

National Instruments

0 Kudos
Message 13 of 27
(2,459 Views)

Jeff,

 

I would look into HTTPS as a workaround to this issue.

0 Kudos
Message 14 of 27
(2,433 Views)

Hi Jeff,

 

We are trying to figure out how to make security for web services better. Please send me an email if you would like to discuss this further.

 

On a slightly related note, I started a new community group to gather more of a critical mass around LabVIEW web application development. I wrote a series of tutorials to teach n00bs the basics of AJAX with the LabVIEW web server. I would appreciate any help you could provide in "furnishing" the community with some relevant examples - we don't have any related to authentication at this point.

https://decibel.ni.com/content/groups/web-services

 

 

Joey S.
Senior Product Manager, Software
National Instruments
0 Kudos
Message 15 of 27
(2,373 Views)

I did some more digging. Having read the SRP documentation, this seems a likely approach. Here is some Python code:

 

import requests
import srp
import base64

username = 'testuser'
myserver = 'http://127.0.0.1:8080'
r = requests.get(myserver + '/login?username=' + username)
niauthheader = r.headers.get('x-ni-auth-params')
my_fields = niauthheader.split(",")
srpdict = {}
for field in my_fields:
	g = field.partition('=')
	srpdict[g[0]]=base64.b64decode(g[2])

# srpdict now contains s, B, and ss. NI Auth wants us to return a POST containing
# A,M, and ss. We can snoop what the Silverlight plugin returns given the values for
# s, B, the username and password using a MITM attack (ZAP is good for this). If we
# can replicate the calls to SRP, we should get the same values for A & M. Referring
# to the Python srp 1.05 documentation, the easiest thing to try is:
usr      = srp.User( username, 'password' )
uname, A = usr.start_authentication()
M        = usr.process_challenge( s, B )

print 'A=' + base64.b64encode(A)
print 'M=' + base64.b64encode(M)

 This doesn't result in the snooped values for A & M. Two questions:
1) Is NI using something other than default values for the hash_alg or the ng_type?
2) What is ss? It changes on every call, but it doesn't seem to map to anything in srp.

I have much better things to do with my time that to reverse engineer NI Auth. Much
easier to just handle security myself through Apache, but if NI provided a little bit
of documentation on their implementation, this would be nice. Conversely, if NI permitted

passing an external authentication routine to the web server & http client routines, this

would be even nicer.

 

0 Kudos
Message 16 of 27
(2,341 Views)

@jemandel wrote:

I did some more digging. Having read the SRP documentation, this seems a likely approach. Here is some Python code:

 

import requests
import srp
import base64

username = 'testuser'
myserver = 'http://127.0.0.1:8080'
r = requests.get(myserver + '/login?username=' + username)
niauthheader = r.headers.get('x-ni-auth-params')
my_fields = niauthheader.split(",")
srpdict = {}
for field in my_fields:
	g = field.partition('=')
	srpdict[g[0]]=base64.b64decode(g[2])

# srpdict now contains s, B, and ss. NI Auth wants us to return a POST containing
# A,M, and ss. We can snoop what the Silverlight plugin returns given the values for
# s, B, the username and password using a MITM attack (ZAP is good for this). If we
# can replicate the calls to SRP, we should get the same values for A & M. Referring
# to the Python srp 1.05 documentation, the easiest thing to try is:
usr      = srp.User( username, 'password' )
uname, A = usr.start_authentication()
M        = usr.process_challenge( s, B )

print 'A=' + base64.b64encode(A)
print 'M=' + base64.b64encode(M)

 This doesn't result in the snooped values for A & M. Two questions:
1) Is NI using something other than default values for the hash_alg or the ng_type?
2) What is ss? It changes on every call, but it doesn't seem to map to anything in srp.

I have much better things to do with my time that to reverse engineer NI Auth. Much
easier to just handle security myself through Apache, but if NI provided a little bit
of documentation on their implementation, this would be nice. Conversely, if NI permitted

passing an external authentication routine to the web server & http client routines, this

would be even nicer.

 


No one is keeping you from using something else "better" documented.

 

 

0 Kudos
Message 17 of 27
(2,332 Views)

Comments like this are so unhelpful.

0 Kudos
Message 18 of 27
(2,325 Views)

@jemandel wrote:

Comments like this are so unhelpful.


And your complaint about NI is helpful?

 

You made your choice to use Python with NI software.

If there is something better, then you should be using that product.

Common sense.

 

 I never understood when people whine about choices they themselves made.

0 Kudos
Message 19 of 27
(2,316 Views)

I have a legitimate reason for using Python on inexpensive hardware - I'm developing a drug control system to be used in the developing world, and I'm trying to keep the hardware cost low. I have a legitimate reason for using Labview - the pharmacokinetic calculations make heavy use of the Control and Optimization VIs.I have a legitimate reason to have this done securely, partly having to do with regulatory compliance, and partly to prevent the system from being cloned. As a long time customer of NI, it is reasonable for me to request that interfaces be documented, particularly when security is the issue. If you don't ask for features, they rarely appear out of the blue.

 

So again, if you have a contribution to make, I'm quite interested in hearing what you have to say. If you just enjoy flaming people, might I suggest you get a Twitter account. I hear that sort of stuff is quite popular there.

0 Kudos
Message 20 of 27
(2,302 Views)