Securing Large Applications
CSCI 5931 Web Security
Rungang Mo,
Yingying Sun
Content
– Designing an online banking application;
– Setting up the keys and certificates;
– Configuring the database;
– Building a database access tier;
– Developing a web tier;
– Constructing a client application;
– Looking at areas for improvement.
Online banking
– Main features:
• Accept credit cards to open accounts;
• Allow users to view their own account;
• Allow the finance agent to view all credit card data.
– Web interface (screens): Entry, Register, Balance.
Network topology
(Diagram; nodes: Bank Customer, Web Server, Middleware, Credit Card Viewer.)
Network connections
– Customer to web server:
• Most dangerous;
• Using SSL with authentication.
– Web server to middleware:
• RMI over SSL.
– Middleware to database:
• RMI over SSL.
– Credit card viewer to middleware:
• Using SSL with authentication.
Application security
– Database:
• Encrypt credit card numbers with the public key;
• Run the secure JDBC driver on the database.
– Middleware (Bank):
• Only allow connections from the web server and the credit card client.
– Credit card client:
• Decrypt and view credit cards.
Application security (cont.)
– Web server:
• Block access to most ports with a firewall.
– Web browser:
• Using client authentication;
• The browser protects the private key with password-based encryption.
Setting up the keys - Relationship between components
Component → trusted component(s):
– Web Browser → Web Server
– Web Server (Tomcat) → Web Browser, Middleware
– Middleware (Bank component) → Web Server, Credit Card Client, Database
– Credit Card Client → Middleware
– Database (MySQL) → Middleware
Generate the keys
– Using the default Java keystore to handle trust and authentication;
– Create private and public keys for each component;
– Create truststores for each component that contain the appropriate public keys;
– Get a key from Thawte for the web browser;
– Using keytool to create the rest of the keys and certificates for the credit card client, middleware, and database (page 366).
Export/import the certificates
– In order to establish trust, we need to export all the certificates that need to be trusted:
• c:\> keytool -export -keystore bankKeyStore -file bank.cer
– Set up trust by creating truststores:
• Web server: needs to trust a number of certificates;
• Certificate recognition in Internet Explorer: page 367.
The database
– MySQL:
• Cross-platform and freely available for non-commercial use.
– Tables:
• Accounts: ID, name, balance, certificate serial number;
• Credit_card: account_id, session_key, cc_number.
– The database driver:
• secureDriver_config.xml;
• SecureDriver.policy.
The Middleware - The Bank
– Creating an interface for clients to use;
– Building data objects to enable items to be stored in the database;
– Creating an RMI object to connect the interface to the data objects;
– Constructing a way of starting the middleware;
– Configuring the middleware.
The Bank Interface
– Four methods contained in the Bank class:
• register(): register a new account given basic user information;
• getAccount(): find the account for a given client certificate serial number;
• getCreditCardDBO(): fetch the encrypted credit card information for a given account ID;
• getAllCreditCardAccountIDs(): get a list of all the account IDs in the database.
Data objects
– Account class:
• Holds information that is not encrypted;
• Contains account ID, balance, customer name, certificate serial number.
– RegistrationInformation class:
• Wraps up all of the user-entered information;
• Contains credit card number, balance, name, certificate serial number.
– CreditCardDBO class:
Data objects (cont.)
– DatabaseOperations class:
• Class for performing database operations;
• Uses the JDBC proxy to encrypt the connection using RMI over SSL;
• Stores the CreditCardDBO object and the Account object in the database separately;
• Uses the BASE64 encoder and decoder classes.
Bank Implementation
– Creating an RMI object, BankImpl, to connect the interface to the data objects;
– Extends UnicastRemoteObject so that it can be used over RMI;
– Important methods:
• BankImpl();
• register();
• getAccount();
• getAllCreditCardAccountIDs();
• getCreditCardDBO().
Starting the Bank
– The BankInit class:
• Constructs a BankImpl object with a Properties object that we read off the file system;
• A command-line argument indicates the properties file to read;
• Calls Naming.rebind() on it so that it becomes available to RMI clients;
• A bug in JSSE v1.0.2 and earlier.
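Added example (not the book's BankImpl or BankInit): how the RMI object is exported so that every call to it runs over SSL with client authentication, using the JDK's javax.rmi.ssl factories in place of the book's own JSSE socket factories. The Bank interface is cut down to getAccount(), the Account record and the in-memory account map are constructed stand-ins for the data objects, and the property names are assumed.

```java
import java.io.FileInputStream;
import java.io.Serializable;
import java.rmi.Naming;
import java.rmi.Remote;
import java.rmi.RemoteException;
import java.rmi.server.UnicastRemoteObject;
import java.util.Map;
import java.util.Properties;
import javax.rmi.ssl.SslRMIClientSocketFactory;
import javax.rmi.ssl.SslRMIServerSocketFactory;

// Added example, not the book's code. The book ships its own JSSE socket factories;
// this version uses the JDK's javax.rmi.ssl ones (Java 5+). Bank is cut down to the
// one method the web tier needs, and the account table is a constructed in-memory map.
public interface Bank extends Remote {
    Account getAccount(String certSerial) throws RemoteException;
}

record Account(int id, String name, long balanceCents) implements Serializable {}  // RMI return values must serialize

class BankImpl extends UnicastRemoteObject implements Bank {
    private final Map<String, Account> accounts;         // stands in for DatabaseOperations

    BankImpl(Properties config) throws RemoteException {
        // Port 0: any free port. Every remote call to this object runs over TLS, and
        // needClientAuth=true turns away any peer whose certificate is not in the bank's
        // truststore, which is how "only the web server and credit card client" is enforced.
        super(0, new SslRMIClientSocketFactory(), new SslRMIServerSocketFactory(null, null, true));
        // constructed sample data; "demo.serial" is an assumed property name
        this.accounts = Map.of(config.getProperty("demo.serial", "1234"), new Account(1, "Demo User", 10_00));
    }

    @Override public Account getAccount(String certSerial) { return accounts.get(certSerial); }
}

class BankInit {
    public static void main(String[] args) throws Exception {
        Properties config = new Properties();
        try (FileInputStream in = new FileInputStream(args[0])) { config.load(in); } // properties file from argv
        // TLS identity and trust come from the standard JSSE system properties, e.g.
        //   -Djavax.net.ssl.keyStore=bankKeyStore -Djavax.net.ssl.trustStore=bankTrustStore
        Bank bank = new BankImpl(config);
        // The registry itself speaks plain RMI, so bind only on localhost; the stub it hands
        // out carries the SSL factories, so clients still reach BankImpl only over TLS.
        Naming.rebind("rmi://localhost/Bank", bank);
        System.out.println("Bank bound, waiting for RMI clients");
    }
}
```

Note that the truststore, not the code, decides which peers pass the needClientAuth check: it must hold only the web server's and credit card client's certificates.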
Configuration
– config.properties: defines the JDBC configuration and the location of the public key;
– BankInit.policy: starts up the bank;
– Collecting the files:
• SecureDriverClient.jar;
• Bank.jar;
• Associated data: keystore, truststore, creditcard.cer.
– Running the Bank:
The Web Server
– Main functions:
• Registration;
• Account viewing.
– Using SSL client authentication to identify users;
– Build the servlets and JSPs for the web tier;
– Look at packaging the web application and deploying it to Tomcat;
– Run the application.
Servlets and JSPs diagram
(Diagram of the web tier: index.html, invalidLogin.html, register.html, alreadyRegistered.html, RegisterServlet, BalanceServlet, balance.jsp.)
Servlets and JSPs
– HTML pages:
• Register: sends data to RegisterServlet;
• Login: takes users to the BalanceServlet.
– Servlets:
• RegisterServlet: handles creating the account;
• BalanceServlet: loads account information and sends it to a JSP for display;
• AbstractEcommerceServlet:
– init();
– getCertificate();
– getRedirectURL().
– balance.jsp:
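Added example (not the book's AbstractEcommerceServlet or BalanceServlet) of how init(), getCertificate() and the balance flow fit together when SSL client authentication is the login, written against the javax.servlet API of the Tomcat this deck targets. Bank.getAccount() and Account are the slides' types with assumed signatures; the bankUrl init parameter, the account request attribute and the decimal serial format are names made up for this example.

```java
import java.io.IOException;
import java.rmi.Naming;
import java.rmi.RemoteException;
import java.security.cert.X509Certificate;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Added example, not the book's servlets. Bank (getAccount) and Account are the slides'
// types with assumed signatures; "bankUrl" and the "account" request attribute are
// names made up for this example.
public class BalanceServlet extends HttpServlet {
    private static final String CERT_ATTR = "javax.servlet.request.X509Certificate";
    private Bank bank;

    @Override public void init() throws ServletException {      // init(): one RMI lookup per servlet
        try { bank = (Bank) Naming.lookup(getInitParameter("bankUrl")); }
        catch (Exception e) { throw new ServletException("bank lookup failed", e); }
    }

    /** getCertificate(): the client certificate Tomcat verified in the SSL handshake, or null. */
    protected X509Certificate getCertificate(HttpServletRequest req) {
        Object chain = req.getAttribute(CERT_ATTR);             // present only after client auth
        if (!req.isSecure() || !(chain instanceof X509Certificate[]) || ((X509Certificate[]) chain).length == 0)
            return null;
        return ((X509Certificate[]) chain)[0];                  // [0] is the end-entity certificate
    }

    @Override protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        X509Certificate cert = getCertificate(req);
        if (cert == null) {                                     // no verified client cert: not logged in
            resp.sendRedirect(req.getContextPath() + "/invalidLogin.html"); return;
        }
        // Serial numbers are unique only per issuing CA, so the truststore must hold only the one CA
        // (Thawte, in this design) whose certificates the bank accepts for login.
        Account acct;
        try { acct = bank.getAccount(cert.getSerialNumber().toString()); }
        catch (RemoteException e) { throw new ServletException("bank unavailable", e); }
        if (acct == null) {                                     // valid cert, but nobody registered it
            resp.sendRedirect(req.getContextPath() + "/register.html"); return;
        }
        req.setAttribute("account", acct);                      // balance.jsp reads it; nothing in the URL
        req.getRequestDispatcher("/balance.jsp").forward(req, resp);
    }
}
```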
Packaging the web application
– Policy file for Tomcat: tomcat.policy;
– Modifying web.xml;
– Build the WAR file;
– Copy the WAR file into Tomcat;
– Delete the other webapps and add the BankApp;
– Enable SSL;
– Enable policy support;
– Add support files;
– Edit the web server startup scripts.
Start the application
– Start the RMI registry on the database server;
– Start the database driver;
– Start the RMI registry on the bank;
– Start the bank;
– Start the web server.
Credit Card Client
– Allows a user to view all of the credit cards in the database, decrypting them with the private key;
– Modifications to the Chapter 10 example:
• A GUI prompt for the password instead of setting the keystore password on the command line;
• Adding support for RMI; CreditCardClient class:
– decryptCreditCardDBO();
– main();
– getPassword().
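Added example (not the book's CreditCardDBO or DatabaseOperations code) of the hybrid scheme the Credit_card columns (session_key, cc_number) imply and that decryptCreditCardDBO() reverses: the bank wraps a per-record AES session key under the credit card client's RSA public key and stores both fields BASE64-encoded, and only the client, holding the private key, can unwrap and decrypt. The algorithm choices (AES-GCM, RSA-OAEP) and the Java 16+ record are this example's, not the book's.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.Arrays;
import java.util.Base64;
import javax.crypto.*;
import javax.crypto.spec.GCMParameterSpec;

// Added example, not the book's code. Mirrors the Credit_card table layout
// (account_id, session_key, cc_number): the bank encrypts with the credit card
// client's PUBLIC key only; only the credit card client holds the private key.
public final class CreditCardCrypto {
    private static final String RSA = "RSA/ECB/OAEPWithSHA-256AndMGF1Padding";
    private static final String AES = "AES/GCM/NoPadding";
    private static final int IV_LEN = 12, TAG_BITS = 128;

    /** Stand-in for the book's CreditCardDBO; both strings are BASE64, as stored in MySQL. */
    public record CreditCardDBO(int accountId, String sessionKey, String ccNumber) {}

    /** Bank side: a fresh AES session key per record, wrapped for the credit card client. */
    public static CreditCardDBO encrypt(int accountId, String card, PublicKey ccPublic) throws GeneralSecurityException {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);
        SecretKey session = kg.generateKey();
        byte[] iv = new byte[IV_LEN];
        new SecureRandom().nextBytes(iv);                 // never reuse an IV under the same key
        Cipher aes = Cipher.getInstance(AES);
        aes.init(Cipher.ENCRYPT_MODE, session, new GCMParameterSpec(TAG_BITS, iv));
        byte[] ct = aes.doFinal(card.getBytes(StandardCharsets.UTF_8));
        byte[] ivAndCt = Arrays.copyOf(iv, IV_LEN + ct.length);
        System.arraycopy(ct, 0, ivAndCt, IV_LEN, ct.length);
        Cipher rsa = Cipher.getInstance(RSA);
        rsa.init(Cipher.WRAP_MODE, ccPublic);             // the bank needs only the public key
        Base64.Encoder b64 = Base64.getEncoder();
        return new CreditCardDBO(accountId, b64.encodeToString(rsa.wrap(session)), b64.encodeToString(ivAndCt));
    }

    /** Credit card client side (the work of decryptCreditCardDBO()): unwrap, then decrypt. */
    public static String decrypt(CreditCardDBO dbo, PrivateKey ccPrivate) throws GeneralSecurityException {
        Cipher rsa = Cipher.getInstance(RSA);
        rsa.init(Cipher.UNWRAP_MODE, ccPrivate);
        SecretKey session = (SecretKey) rsa.unwrap(Base64.getDecoder().decode(dbo.sessionKey()), "AES", Cipher.SECRET_KEY);
        byte[] ivAndCt = Base64.getDecoder().decode(dbo.ccNumber());
        Cipher aes = Cipher.getInstance(AES);
        aes.init(Cipher.DECRYPT_MODE, session, new GCMParameterSpec(TAG_BITS, Arrays.copyOf(ivAndCt, IV_LEN)));
        // doFinal throws AEADBadTagException if either column was altered in the database
        return new String(aes.doFinal(ivAndCt, IV_LEN, ivAndCt.length - IV_LEN), StandardCharsets.UTF_8);
    }
}
```

A round trip with a KeyPairGenerator.getInstance("RSA") pair (2048 bits or more) returns the original card number from decrypt(encrypt(...)); the bank process never needs to load the private key at all.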
Credit Card Client (cont.)
– Credit card client policy file: CreditCardClient.policy (page 409);
– Packaging the credit card client:
• Create a JAR file, CreditCardClient.jar;
• Create a directory for the credit card client.
– Running the credit card client:
Possible Modifications
– Logging;
– Using SSL;
– Web browser authentication;
– The database;
– Encrypting SSL keys.
Reference
– Jess Garms, Daniel Somerfield: Professional Java Security;
– http://www.wrox.com
– http://xml.apache.org/xerces-j/index.html
– http://jakarta.apache.org/tomcat/index.html
– http://www.mysql.com
– http://www.thawte.com/certs/personal
– http://www.bouncycastle.org