Securing Large Applications

judgedrunkshipServers

Nov 17, 2013 (3 years and 6 months ago)

82 views

Securing Large Applications

CSCI 5931 Web Security

Rungang Mo,

Yingying Sun


Content


Designing an online banking application;


Setting up the keys and certificates;


Configuring the database;


Building a database access tier;


Developing a web tier;


Constructing a client application;


Looking at areas for improvements.

Online banking


Main features:


Accept credit cards to open accounts;


Allow users to view their own account;


Allow finance agent to view all credit card data.


Web Interface:

Entry

Register

Balance

Network topology

Bank
Customer
Web Server
Middleware
Credit
Card
Viewer
Network connections


Customer to web server:


Most dangerous;


Using SSL with authentication.


Web server to middleware:


RMI over SSL.


Middleware to database:


RMI over SSL.


Credit card viewer to middleware:


Using SSL with authentication.


Application security


Database:


Encrypt credit card numbers by public key;


Run secure JDBC driver on the database.


Middleware (Bank):


Only allow connections from web server and
credit card client.


Credit card client:


Decrypt and view credit cards

Application security (cont.)


Web server:


Block access to most ports with a firewall.


Web browser:


Using client authentication;


The browser protects the private key with
password
-
based encryption;

Setting up the keys


-
Relationship between Components

Component
Trusted Component
Web Browser
Web Server
Web Server (Tomcat)
Web Browser, Middleware
Middleware (Bank
component)
Web Server, Credit Card
Client, Database
Credit Card Client
Middleware
Database (MySQL)
Middleware
Generate the keys


Using default Java keystore to handle trust
and authentication;


Create private and public keys for each
component;


Create truststores for each component that
contain the appropriate public keys;


Get a key from Thawte for web browser;


Using keytool to create the rest of the keys
and certificates for credit card client,
middleware, and database. (Page 366)

Export/ Import the certificates


In order to establish trust, we need to
export all the certificate that need to be
trusted:


c:
\
> keytool
-
export
-
keystore bankKeyStore
-
file bank.cer


Set up trust by creating trust store:


Web Server: need to trust a number of
certificates


Certificate Recognition in Internet Explorer:
Page 367.

The Database


MySQL:


Cross
-

platform and freely available for non
-

commercial use;


Tables:


Accounts: ID, name, balance, certificate serial
number.


Credit_card: account_id, session_key,
cc_number.


The database driver:


secureDriver_config.xml;


SecureDriver.policy.

The Middleware
-

The Bank


Creating an interface for clients to use;


Building data objects to enable items to be
stored in the database;


Creating an RMI object to connect the
interface to the data objects;


Constructing a way of starting the
middleware;


Configuring the middleware.

The Bank Interface


Four methods contained in the Bank class:


register(): register a new account given basic
user information.


getAccount(): find the account for a given client
certificate serial number.


getCreditCardDBO(): fetch the encrypted credit
card information for a given account ID.


getAllCreditCardAccountIDs(): get a list of all
the account Ids in the database.


Data objects


Account class:


Hold information, which is not encrypted;


Contains accountID, balance, customer name,
certificate serial number;


RegistrationInformation class:


Wrap up all of the user
-
entered information;


Contains credit card number, balance, name,
certificate serial number;


CreditCardDBO class:

Data objects (cont.)


DatabaseOperations class:


Class for performing database operations;


Use the JDBC proxy to encrypt the connection
using RMI over SSL;


Store CreditCardDBO object and Account
object in the database separately;


Use the BASE64 encoder and decoder classes;

Bank Implementation


Creating an RMI object: BankImpl to
connect the interface to the data objects;


Extend UnicastRemoteObject so that it can
be used over RMI;


Important methods:


BankImpl ();


register ();


getAccount ();


getAllCreditCardAccountIDs ();


getCreditCardDBO ();

Starting the Bank


The BankInit class:


Construct a BankImpl object with a Properties
object that we read off the file system;


Commond
-
line argument indicates the
properties file to read;


Call Naming.rebind () on it so that it becomes
available for RMI client;


A bug in JSSE v.1.0.2 and earlier.

Configuration


config.properties: define JDBC configuration
and the location of the public key;


BankInit.policy: start up the bank;


Collecting the files:


SecureDriverClient.jar;


Bank.jar;


Associated data: keystore/ truststore/
creditcard.cer


Running the Bank:

The Web Server


Main functions:


Registration;


Account viewing.


Using SSL client authentication to identify
users;


Build the servlets and JSPs for the web tier;


Look at packaging the web application and
deploying to Tomcat;


Run the application;

Servlets and JSPs Diagram





index.html

invalidLogin.html

register.html

alreadyRegistered.html

RegisterServlet

BalanceServlet

balance.jsp

Servlets and JSPs


HTMLs:


Register: sends data to RegisterServlet;


Login: takes users to the BalanceServlet;


Servlets:


RegisterServlet: handles creating account;


BalanceServlet: loads account information, and
sends it to a JSP for display


AbstractEcommerceServlet:


init();


getCertificate();


getRedirectURL();


balance.jsp:

Packaging the web application


Policy file for Tomcat: tomcat.policy


Modifying web.xml;


Build the WAR file;


Copy the WAR file into Tomcat;


Delete other Webapps and Add the
BankApp;


Enable SSL;


Enable policy support;


Add support file


Edit web server startup scripts

Start the application


Start the RMI registry on the database
server;


Start the database driver;


Start the RMI registry on the bank;


Start the bank;


Start the web server.

Credit Card Client


Allows a user to view all of the credit cards
in the database, decrypting them with the
private key;


Modifications on Chapter 10 example:


The GUI for password instead of setting the
keystore password on the command line;


Adding support for RMI: CreditCardClient class:


decryptCreditCardDBO();


main();


getPassword();

Credit Card Client (Cont.)


Credit card client policy file:
CreditCardClient.policy (Page 409);


Packaging the credit card client:


create a JAR file, CreditCardClient.jar;


create a directory for the credit card client;


Running the credit card client:

Possible Modifications


Logging:


Using SSL:


Web browser authentication:


The database:


Encrypting SSL keys:

Reference


Jess Garms, Daniel Somerfield
--

Professional Java Security;


http://www.wrox.com;


http://xml.apache.org/xerces
-
j/index.html;


http://jakarta.apache.org/tomcat/index.html;


http://www.mysql.com


http://www.thawte.com/certs/personal


http://www.bouncycastle.org