

16 Dec 2012 (4 years and 10 months ago)


Lon Smith

Aaron Gremmert


What the $#*! Is my password?



Operational Concepts


The system provides a secure means to store usernames, passwords and other sensitive information on the web in a way that is accessible through any internet connection. It would be composed of a database storing encrypted information and a web service interface that makes a user's information available anywhere the user can reach the internet with any browser. A Windows application for more convenient home access and/or a mobile application that makes the user's information available through a web-enabled mobile device could also be implemented if time and resources make these features feasible.


The security of the system and of the user information is the top priority. A username and a picture password would be used to access a user's information from the web. The user's information would be sent in encrypted form from the database across the web and then decrypted and displayed to the user by the website. Decryption must happen in the client (the browser or desktop application) rather than on the web server, so that the server and the database only ever hold ciphertext; the Architecture section below assigns this responsibility to the client.


This system will not store the information locally, and it will not autocomplete online forms for the user. The system will simply provide an easily accessible and secure location to store sensitive user information. It would be used by anyone (almost everyone) who has too many passwords to remember and needs a place to store them that is more secure than a text document on their desktop.



System Requirements


The essential features of the system are a secure information data store, accessible from any internet connection, and a user-friendly interface that allows data access and manipulation.


The security of the information is what makes this system useful; an insecure location for sensitive material defeats its purpose. Security will be provided by encrypting the information in the database and encrypting it again as it travels across the web from the server to the client website. The key used for the transport encryption would ideally be unique to the current login session, providing additional security. The stored data itself should be encrypted under a key held only by the client, so that neither the database nor the web service can read it.


The accessibility of the information is important to make the system as useful as possible to the user. Many systems can store passwords locally on a home machine, but that makes the information useless when using another machine. This system will provide a website interface to make the user's sensitive information available anywhere the user can log onto the internet.


The website interface must be user friendly. The interface must be simple in order to minimize the extra effort required to use the system. Although this extra effort is justifiable to securely store sensitive information, many users will not want to use the system if it is overly complicated to store and retrieve their passwords.



Only the website interface will be visible to the user. A login page that asks the user for their username and password provides the first layer of security. Next, a separate page, reached only after a successful username and password login, displays a picture that the user must click on to gain access to their secure information. When enrolling, the user specifies unique points on the picture that they must later select to verify their identity. Once the user has clicked their points correctly, another web page displays their stored information. Various other web forms will also be necessary to add, delete or change the user's information or login picture.


For example, the picture in the original document (not reproduced here) has five points selected that the user would need to click on to access their secure information. The clicks made at login would also include dummy points, chosen at random by the user, that have no effect but provide an additional safeguard against eavesdropping. Note that dummy points only help against an observer who sees the clicks but cannot tell which ones count; they do nothing against an attacker who obtains the stored verification data, and because extra clicks are accepted the server must still limit the number of login attempts.
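One way to implement the picture password described in the two paragraphs above, as an added example in Go that is not part of the proposal. It assumes, since the proposal does not say, that the enrolled points must be clicked in the order they were chosen, that a click matches when it falls in the same fixed-size grid cell as the enrolled point, and that every other click in the sequence is one of the dummy points and is ignored. The server stores only a random per-user salt and one HMAC tag per enrolled point, never the points themselves. The coordinates in main are constructed.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Point is a click location in image pixel coordinates.
type Point struct{ X, Y int }

// ClickSecret is what the server keeps for one user's picture password:
// a random salt and one tag per enrolled point. The points themselves
// are never stored.
type ClickSecret struct {
	Salt     []byte
	CellSize int      // tolerance: clicks in the same CellSize x CellSize square match
	Tags     [][]byte // HMAC(salt, index || cell) for each enrolled point, in order
}

// cell discretizes a click so that a click a few pixels away from the
// enrolled point maps to the same value (assumption: a fixed grid).
func cell(p Point, size int) (int, int) {
	return p.X / size, p.Y / size
}

// tag binds the point's position in the sequence to its grid cell under a
// per-user salt. HMAC is used here for brevity; a slow KDF would be the
// production choice because the cell space per point is small.
func tag(salt []byte, index, cx, cy int) []byte {
	mac := hmac.New(sha256.New, salt)
	var buf [12]byte
	binary.BigEndian.PutUint32(buf[0:4], uint32(index))
	binary.BigEndian.PutUint32(buf[4:8], uint32(cx))
	binary.BigEndian.PutUint32(buf[8:12], uint32(cy))
	mac.Write(buf[:])
	return mac.Sum(nil)
}

// Enroll records the ordered points the user chose on their picture.
func Enroll(points []Point, cellSize int) (*ClickSecret, error) {
	if len(points) == 0 || cellSize <= 0 {
		return nil, errors.New("need at least one point and a positive cell size")
	}
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		return nil, err
	}
	s := &ClickSecret{Salt: salt, CellSize: cellSize}
	for i, p := range points {
		cx, cy := cell(p, cellSize)
		s.Tags = append(s.Tags, tag(salt, i, cx, cy))
	}
	return s, nil
}

// Verify accepts a login click sequence when the enrolled points appear in
// it, in order, as a subsequence. Every other click is treated as one of
// the dummy points the proposal describes and is ignored.
func (s *ClickSecret) Verify(clicks []Point) bool {
	next := 0
	for _, c := range clicks {
		if next == len(s.Tags) {
			break
		}
		cx, cy := cell(c, s.CellSize)
		if hmac.Equal(tag(s.Salt, next, cx, cy), s.Tags[next]) {
			next++
		}
	}
	return next == len(s.Tags)
}

func main() {
	// Constructed sample: five enrolled points on a 400x400 picture.
	enrolled := []Point{{40, 55}, {210, 90}, {120, 300}, {330, 180}, {260, 240}}
	secret, err := Enroll(enrolled, 20)
	if err != nil {
		panic(err)
	}
	// Login: the same points a few pixels off, with two dummy clicks mixed in.
	login := []Point{{45, 58}, {10, 10}, {205, 95}, {122, 305}, {300, 300}, {335, 185}, {262, 243}}
	fmt.Println("login accepted:", secret.Verify(login))
	fmt.Println("wrong order accepted:", secret.Verify([]Point{{205, 95}, {45, 58}}))
}
```

Two things follow from this design. Because each point has its own tag, an attacker who obtains the database can guess each point separately, and a grid of a few hundred cells leaves only a few hundred candidates per point; in practice the tag function would use a slow key derivation function (plain HMAC is used here only to keep the example short) and the server must limit login attempts. A fixed grid also rejects a click that lands just across a cell boundary from the enrolled point; published click-point schemes use robust discretization to avoid that.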








System and Software Architecture



The key features of the architecture include a database server for storing data, a web service that provides an interface to the database, and a client application that communicates with the web service to decrypt and access stored information. The high-level relationships are captured in the following diagram.




The database could be any of a number of available technologies (MySQL, PostgreSQL, etc.). The best choice would integrate easily with the development platform chosen for the web service and clients.


The web service would provide a secure interface for accessing the stored user information. It would be tightly integrated with the database through a series of stored procedures that access and manipulate the encrypted data. These stored procedures would also be responsible for producing the encrypted XML data that is sent to the client. Since only the client holds the decryption key, the stored procedures handle that XML as opaque ciphertext and never decrypt it.


The client would provide a user-friendly interface to display the information to the user. This interface would allow the user to update and configure their personal account information. The client would also be responsible for decrypting the encrypted XML data received from the web service.


The platform used to implement the web service and client would determine which database technology is used. Based on preliminary research, both the Java and .NET platforms appear to provide robust libraries for integration with existing database resources. Both platforms also support the construction of the proposed system architecture.





[Architecture diagram: Server side: DB Server, Web Service. Client side: Web Site, Desktop App, WEP / Palm.]


Lifecycle Plan


The targeted user for this system is anyone who needs easy access to securely stored information. Most individuals have an online email account, and nearly every website has some kind of username and password interface. However, the extra effort to maintain and access the account may alienate some users who are not technologically inclined.


The project will be implemented by a small group of six to eight people in approximately eight weeks. After defining the interfaces and the general look of the website, the work would be split among three smaller groups. One group would be responsible for the database and the server-side application, while a second group would work on the user interface and client-side web pages. The third group would be responsible for designing and implementing the encryption scheme that secures the communication between the client and server components.


The short timeline requires careful planning of the system's interfaces before any server- or client-side components are implemented. The first step of the project would be to select the development platform, confirm the feasibility of the encryption processes and define the interfaces between the different components. The next step would be to divide the work between the client, server and cryptography groups to start implementing the core functionality of the system. The goal is to have the core functionality working, with any incomplete features well defined, before the beta version is released. Once the beta version is released, any incomplete features would be implemented before releasing the final version.



Feasibility Rationale


There are two assumptions that could make or break the feasibility of the system. The first is that the technology will allow the web interface to communicate with the database server. The second is that encrypting the data will not be an insurmountable challenge in the short time allocated to implement the system. These assumptions are major risks because they both address the core functionality of the system. If the website cannot communicate securely with the database server, the system simply wouldn't be useful to the user.