03-03-2015 05:53 PM
Jeff,
Thank you for expressing your concern regarding this issue. We appreciate the detailed explanation of the problem and we are looking into the issue further.
Regards,
Jacob S.
Applications Engineering
National Instruments
03-03-2015 06:31 PM
Thanks so much! FWIW, my research partner is leaving for Beijing Saturday to negotiate with the contract on the implementation of our technology in China, and I'm giving a lecture at a MGH-MIT institute on the technology barriers to implementing distributed medical devices in two weeks. Some clarity would be beneficial.
Jeff
03-04-2015 01:10 PM
Jeff,
I have passed along the issue to another team for a deeper investigation. If this issue affects a project you are working on and you want to discuss this issue further with NI, feel free to create a service request. A service request will be the most effective way to clarify how this situation could affect your application.
Regards,
Jacob S.
Applications Engineering
National Instruments
03-05-2015 02:53 PM
Jeff,
I would look into HTTPS as a workaround to this issue.
03-21-2015 03:29 PM
Hi Jeff,
We are trying to figure out how to make security for web services better. Please send me an email if you would like to discuss this further.
On a slightly related note, I started a new community group to gather more of a critical mass around LabVIEW web application development. I wrote a series of tutorials to teach n00bs the basics of AJAX with the LabVIEW web server. I would appreciate any help you could provide in "furnishing" the community with some relevant examples - we don't have any related to authentication at this point.
https://decibel.ni.com/content/groups/web-services
03-29-2015 02:05 PM
I did some more digging. Having read the SRP documentation, this seems a likely approach. Here is some Python code:
import requests import srp import base64 username = 'testuser' myserver = 'http://127.0.0.1:8080' r = requests.get(myserver + '/login?username=' + username) niauthheader = r.headers.get('x-ni-auth-params') my_fields = niauthheader.split(",") srpdict = {} for field in my_fields: g = field.partition('=') srpdict[g[0]]=base64.b64decode(g[2]) # srpdict now contains s, B, and ss. NI Auth wants us to return a POST containing # A,M, and ss. We can snoop what the Silverlight plugin returns given the values for # s, B, the username and password using a MITM attack (ZAP is good for this). If we # can replicate the calls to SRP, we should get the same values for A & M. Referring # to the Python srp 1.05 documentation, the easiest thing to try is: usr = srp.User( username, 'password' ) uname, A = usr.start_authentication() M = usr.process_challenge( s, B ) print 'A=' + base64.b64encode(A) print 'M=' + base64.b64encode(M)
This doesn't result in the snooped values for A & M. Two questions:
1) Is NI using something other than default values for the hash_alg or the ng_type?
2) What is ss? It changes on every call, but it doesn't seem to map to anything in srp.
I have much better things to do with my time that to reverse engineer NI Auth. Much
easier to just handle security myself through Apache, but if NI provided a little bit
of documentation on their implementation, this would be nice. Conversely, if NI permitted
passing an external authentication routine to the web server & http client routines, this
would be even nicer.
03-29-2015 03:57 PM
@jemandel wrote:
I did some more digging. Having read the SRP documentation, this seems a likely approach. Here is some Python code:
import requests import srp import base64 username = 'testuser' myserver = 'http://127.0.0.1:8080' r = requests.get(myserver + '/login?username=' + username) niauthheader = r.headers.get('x-ni-auth-params') my_fields = niauthheader.split(",") srpdict = {} for field in my_fields: g = field.partition('=') srpdict[g[0]]=base64.b64decode(g[2]) # srpdict now contains s, B, and ss. NI Auth wants us to return a POST containing # A,M, and ss. We can snoop what the Silverlight plugin returns given the values for # s, B, the username and password using a MITM attack (ZAP is good for this). If we # can replicate the calls to SRP, we should get the same values for A & M. Referring # to the Python srp 1.05 documentation, the easiest thing to try is: usr = srp.User( username, 'password' ) uname, A = usr.start_authentication() M = usr.process_challenge( s, B ) print 'A=' + base64.b64encode(A) print 'M=' + base64.b64encode(M)This doesn't result in the snooped values for A & M. Two questions:
1) Is NI using something other than default values for the hash_alg or the ng_type?
2) What is ss? It changes on every call, but it doesn't seem to map to anything in srp.
I have much better things to do with my time that to reverse engineer NI Auth. Much
easier to just handle security myself through Apache, but if NI provided a little bit
of documentation on their implementation, this would be nice. Conversely, if NI permittedpassing an external authentication routine to the web server & http client routines, this
would be even nicer.
No one is keeping you from using something else "better" documented.
03-29-2015 04:13 PM
Comments like this are so unhelpful.
03-29-2015 05:10 PM - edited 03-29-2015 05:11 PM
@jemandel wrote:
Comments like this are so unhelpful.
And your complaint about NI is helpful?
You made your choice to use Python with NI software.
If there is something better, then you should be using that product.
Common sense.
I never understood when people whine about choices they themselves made.
03-29-2015 07:41 PM
I have a legitimate reason for using Python on inexpensive hardware - I'm developing a drug control system to be used in the developing world, and I'm trying to keep the hardware cost low. I have a legitimate reason for using Labview - the pharmacokinetic calculations make heavy use of the Control and Optimization VIs.I have a legitimate reason to have this done securely, partly having to do with regulatory compliance, and partly to prevent the system from being cloned. As a long time customer of NI, it is reasonable for me to request that interfaces be documented, particularly when security is the issue. If you don't ask for features, they rarely appear out of the blue.
So again, if you have a contribution to make, I'm quite interested in hearing what you have to say. If you just enjoy flaming people, might I suggest you get a Twitter account. I hear that sort of stuff is quite popular there.