[En-Nut-Discussion] Web page security?
Edwin van den Oetelaar
edwin at oetelaar.com
Mon Feb 20 19:39:16 CET 2006
Tim Tait wrote:
>
> I have a couple of questions on security of the ethernut web
> authorization (as shown in the httpd sample app), as I am planning on
> using it for some home automation tasks.
>
> - Are passwords encrypted on the wire?
No, not really. It looks like this on the wire (Ethereal):
HTTP/1.1 401 Authorization Required
Date: Mon, 20 Feb 2006 18:24:40 GMT
Server: Apache/1.3.27 (Unix) mod_perl/1.27 PHP/4.3.6
Set-Cookie: ZDEDebuggerPresent=php,phtml,php3
Set-Cookie: PHPSESSID=f319d122615b46a84c596ff6aa6d2ec8; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0,
pre-check=0
Pragma: no-cache
WWW-Authenticate: Basic realm="Welcome to DreamSolution Kiekie"
Keep-Alive: timeout=15, max=98
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html
19
Error 401 - Access denied
0
-- this generates a login request on the client
-- the client responds with something like this
POST /handlers/formhandler.php HTTP/1.1
Host: Noneofyourbusiness.com
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.0.1)
Gecko/20060124 Firefox/1.5.0.1
Accept:
text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: nl,en-us;q=0.7,en;q=0.3
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: http://removedmyserveraddress.nl/HomePage/edit/1
Cookie: ZDEDebuggerPresent=php,phtml,php3;
ZDEDebuggerPresent=php,phtml,php3;
PHPSESSID=f319d122615b46a84c596ff6aa6d2ec8
Authorization: Basic ZWR3aW46b2V0ZWxhYXI=
Content-Type: multipart/form-data;
boundary=---------------------------8677702311271115801079909650
Content-Length: 3257
Take a look at the BASIC AUTHORIZATION: THIS IS BASE64 (look at auth.c
in the pro directory).
> - If so by what means?
> - Are replay attacks possible?
>
Yes. If you don't want replay attacks, you need a challenge/response
solution, even if passwords were encrypted.
> I read some stuff about TEA (Tiny Encryption Algorithm)
> <http://www.ftp.cl.cam.ac.uk/ftp/papers/djw-rmn/djw-rmn-tea.html>, has
> anybody used it with NutOs/NutNet to secure web pages or telnet?
>
I have not used it.
> Thanks-
>
> Tim
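The two points made in the reply above, shown as an added example that is not part of the original thread and not Ethernut's auth.c: the Authorization header of HTTP Basic is only base64, so decoding it back to user and password is a single library call, and a nonce-based challenge/response (single-use nonce, HMAC over it) is what stops a captured exchange from being replayed. The credentials, header value and the server class are all constructed for this illustration.

```python
import base64
import hashlib
import hmac
import secrets

# Constructed sample header: base64 of "alice:s3cret" (not the value from the capture above).
SAMPLE_AUTHORIZATION = "Basic YWxpY2U6czNjcmV0"


def decode_basic_authorization(header_value: str) -> tuple[str, str]:
    """Return (user, password) from an HTTP Basic Authorization header value.

    Basic auth applies no encryption: the token is base64("user:password"),
    so anyone who sees the request on the wire recovers the password directly.
    """
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic Authorization header")
    decoded = base64.b64decode(token).decode("latin-1")
    user, _, password = decoded.partition(":")
    return user, password


def encode_basic_authorization(user: str, password: str) -> str:
    """Build the header value a client would send (the inverse of the decoder)."""
    token = base64.b64encode(f"{user}:{password}".encode("latin-1")).decode("ascii")
    return f"Basic {token}"


def client_response(secret: str, nonce: str) -> str:
    """What a client proves knowledge of the secret with: HMAC-SHA256(secret, nonce).

    The secret itself never leaves the client; only a nonce-bound MAC does.
    """
    return hmac.new(secret.encode(), nonce.encode(), hashlib.sha256).hexdigest()


class ChallengeResponseServer:
    """Toy server side of a nonce-based challenge/response (hypothetical, not NutOS code).

    Each nonce is handed out once and consumed on first use, so a response
    captured from the wire is useless to a replayer: its nonce is gone.
    """

    def __init__(self, credentials: dict[str, str]):
        self._credentials = credentials      # user -> secret (constructed table)
        self._outstanding: set[str] = set()  # nonces issued but not yet used

    def challenge(self) -> str:
        nonce = secrets.token_hex(16)        # 128 bits of fresh randomness per login
        self._outstanding.add(nonce)
        return nonce

    def verify(self, user: str, nonce: str, response: str) -> bool:
        if nonce not in self._outstanding:
            return False                     # unknown or already-used nonce: replay or forgery
        self._outstanding.discard(nonce)     # single use, consumed even if the MAC is wrong
        secret = self._credentials.get(user)
        if secret is None:
            return False
        expected = client_response(secret, nonce)
        return hmac.compare_digest(expected, response)  # constant-time comparison


def demo_replay() -> tuple[bool, bool]:
    """Run one legitimate login, then replay the identical captured message.

    Returns (first_attempt_accepted, replay_accepted); expected (True, False).
    """
    server = ChallengeResponseServer({"alice": "s3cret"})
    nonce = server.challenge()
    captured = ("alice", nonce, client_response("s3cret", nonce))  # what a sniffer would see
    first = server.verify(*captured)
    replayed = server.verify(*captured)      # same bytes again, as an attacker would resend them
    return first, replayed


if __name__ == "__main__":
    print(decode_basic_authorization(SAMPLE_AUTHORIZATION))
    print(demo_replay())
```

The Basic scheme is only as private as the transport carrying it, which is why the reply says the password is effectively visible; the challenge/response half shows the minimum a scheme needs against replay (fresh, single-use nonce and a keyed MAC), independent of whether the password itself is ever encrypted.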