Securing Large Applications
Transcript of Securing Large Applications
CSCI 5931 Web Security
Rungang Mo, Yingying Sun
Revised by A. Yang
Content
– Designing an online banking application;
– Setting up the keys and certificates;
– Configuring the database;
– Building a database access tier;
– Developing a web tier;
– Constructing a client application;
– Looking at areas for improvement.
Online banking
– Main features:
• Accept credit cards to open accounts;
• Allow users to view their own account;
• Allow the finance agent to view all credit card data.
– Web interface (diagram): Entry, Register, Balance.
Network topology
– Components (diagram): Bank Customer, Web Server, Middleware, Credit Card Viewer.
– Connections:
– Customer to web server:
• Most dangerous;
• Using SSL with mutual authentication.
– Web server to middleware:
• RMI over SSL.
– Middleware to database:
• RMI over SSL.
– Credit card viewer to middleware:
• Using SSL with authentication.
Application security
– Database:
• Encrypt credit card numbers with a public key;
• Run the secure JDBC driver on the database.
– Middleware (Bank):
• Only allow connections from the web server and the credit card client.
– Credit card client:
• Decrypt and view credit cards.
Application security (cont.)
– Web server:
• Block access to most ports with a firewall.
– Web browser:
• Using client authentication;
• The browser protects the private key with password-based encryption.
Setting up the keys - Relationship between components

| Component | Trusted component(s) |
|---|---|
| Web Browser | Web Server |
| Web Server (Tomcat) | Web Browser, Middleware |
| Middleware (Bank component) | Web Server, Credit Card Client, Database |
| Credit Card Client | Middleware |
| Database (MySQL) | Middleware |
Generate the keys
– Using the default Java keystore to handle trust and authentication;
– Create private and public keys for each component;
– Create a truststore for each component that contains the appropriate public keys;
– Get a key from Thawte for the web browser;
– Using keytool to create the rest of the keys and certificates for the credit card client, middleware, and database. (Page 366)
Export/import the certificates
– In order to establish trust, we need to export all the certificates that need to be trusted:
• c:\> keytool -export -keystore bankKeyStore -file bank.cer
– Set up trust by creating truststores:
• Web server: needs to trust a number of certificates;
• Trusted certificates in Internet Explorer.
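The two keytool steps behind this slide (export the bank certificate, import it into the web server's truststore) can also be done with the java.security.KeyStore API, which makes explicit what is actually being moved: the certificate only, never the private key. The class below is an added example written for this transcript, not code from the slides or from the book; the file names bankKeyStore, bank.cer and webTrustStore, the alias "bank" and the JKS store type are assumptions chosen to match the slide's command.

```java
import java.io.ByteArrayInputStream;
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Arrays;

/**
 * Programmatic equivalent of:
 *   keytool -export -keystore bankKeyStore -file bank.cer
 *   keytool -import -keystore webTrustStore -file bank.cer
 * File names, alias and store type are assumptions for this example.
 */
public class TrustSetup {

    /** Load an existing keystore from disk. */
    static KeyStore load(String path, char[] password) throws IOException, GeneralSecurityException {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    /** Export only the certificate (public key + identity), never the private key entry. */
    static byte[] exportCertificate(KeyStore keyStore, String alias) throws GeneralSecurityException {
        Certificate cert = keyStore.getCertificate(alias);
        if (cert == null) {
            throw new IllegalArgumentException("no certificate stored under alias '" + alias + "'");
        }
        return cert.getEncoded();   // DER, the same bytes keytool -export writes
    }

    /** Import DER bytes into a truststore as a trusted-certificate entry, refusing expired certs. */
    static X509Certificate importCertificate(KeyStore trustStore, String alias, byte[] der)
            throws GeneralSecurityException {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        X509Certificate cert = (X509Certificate) cf.generateCertificate(new ByteArrayInputStream(der));
        cert.checkValidity();       // CertificateExpiredException / CertificateNotYetValidException
        trustStore.setCertificateEntry(alias, cert);
        return cert;
    }

    /** Trust check by certificate bytes, not by alias: an alias name proves nothing. */
    static boolean isTrusted(KeyStore trustStore, Certificate cert) throws GeneralSecurityException {
        String alias = trustStore.getCertificateAlias(cert);
        return alias != null && trustStore.isCertificateEntry(alias);
    }

    public static void main(String[] args) throws Exception {
        if (System.console() == null) {
            throw new IllegalStateException("run from a terminal; passwords are prompted, not passed as arguments");
        }
        char[] bankPass = System.console().readPassword("bankKeyStore password: ");
        char[] trustPass = System.console().readPassword("new webTrustStore password: ");

        // Middleware side: export the bank certificate to bank.cer.
        KeyStore bankKeyStore = load("bankKeyStore", bankPass);
        byte[] der = exportCertificate(bankKeyStore, "bank");
        Files.write(Paths.get("bank.cer"), der);

        // Web server side: create an empty truststore and import bank.cer into it.
        KeyStore webTrustStore = KeyStore.getInstance("JKS");
        webTrustStore.load(null, null);
        X509Certificate bankCert =
                importCertificate(webTrustStore, "bank", Files.readAllBytes(Paths.get("bank.cer")));
        try (FileOutputStream out = new FileOutputStream("webTrustStore")) {
            webTrustStore.store(out, trustPass);
        }

        System.out.println("subject: " + bankCert.getSubjectX500Principal());
        System.out.println("trusted by web server: " + isTrusted(webTrustStore, bankCert));
        Arrays.fill(bankPass, '\0');
        Arrays.fill(trustPass, '\0');
    }
}
```

The same routine, run once per row of the trust table on the previous slide, produces each component's truststore. Keeping every truststore limited to exactly the certificates in that table is what later lets the middleware refuse connections from anything but the web server and the credit card client.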
The database
– MySQL:
• Cross-platform and freely available for non-commercial use;
– Tables:
• Accounts: ID, name, balance, certificate serial number.
• Credit_card: account_id, session_key, cc_number.
– The database driver:
• secureDriver_config.xml – configuration info for the secure driver;
• secureDriver.policy – grants permissions to connect, etc.
The Middleware - The Bank
– Creating an interface for clients to use;
– Building data objects to enable items to be stored in the database;
– Creating an RMI object to connect the interface to the data objects;
– Constructing a way of starting the middleware;
– Configuring the middleware.
The Bank Interface
– Four methods contained in the Bank class:
• register(): register a new account given basic user information.
• getAccount(): find the account for a given client certificate serial number.
• getCreditCardDBO(): fetch the encrypted credit card information for a given account ID.
• getAllCreditCardAccountIDs(): get a list of all the account IDs in the database.
Data objects
– Account class:
• Holds information which is not encrypted;
• Contains accountID, balance, customer name, certificate serial number;
– RegistrationInformation class:
• Wraps up all of the user-entered information;
• Contains credit card number, balance, name, certificate serial number;
– CreditCardDBO class:
Data objects (cont.)
– DatabaseOperations class:
• Class for performing database operations;
• Uses the JDBC proxy to encrypt the connection using RMI over SSL;
• Stores the CreditCardDBO object and the Account object in the database separately;
• Uses the BASE64 encoder and decoder classes;
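The Credit_card table's two columns, session_key and cc_number, together with "encrypt credit card numbers with a public key" on the application security slide and the credit card client's decryptCreditCardDBO() later, describe a hybrid scheme: each card is encrypted under a fresh symmetric session key, and only that session key is encrypted with the viewer's public key. The middleware and the database never hold the private key, so a compromise of either exposes only ciphertext. The class below is an added example for this transcript, not the book's CreditCardDBO or DatabaseOperations code; the algorithm choices (AES-GCM for the card, RSA-OAEP for the key), the field layout and the test card number are this example's own. It also shows the failure mode: a modified cc_number is rejected by the GCM tag instead of decrypting to garbage.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Base64;
import javax.crypto.AEADBadTagException;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;

/**
 * Hybrid encryption for a Credit_card row (session_key, cc_number). The middleware holds only
 * the viewer's PUBLIC key; only the credit card client, holding the private key, can decrypt.
 * Algorithm and layout choices are this example's assumptions.
 */
public class CreditCardCrypto {

    private static final String RSA_OAEP = "RSA/ECB/OAEPWithSHA-256AndMGF1Padding";
    private static final String AES_GCM = "AES/GCM/NoPadding";
    private static final int IV_BYTES = 12, TAG_BITS = 128;

    /** What DatabaseOperations would store: two Base64 strings, both opaque to the database. */
    public static final class CreditCardDBO {
        public final String sessionKey;   // RSA-OAEP-wrapped AES key
        public final String ccNumber;     // IV || AES-GCM ciphertext of the card number
        CreditCardDBO(String sessionKey, String ccNumber) { this.sessionKey = sessionKey; this.ccNumber = ccNumber; }
    }

    /** Middleware side (register()): fresh session key per card, wrapped with the viewer's public key. */
    public static CreditCardDBO encrypt(String cardNumber, PublicKey viewerPublicKey) throws GeneralSecurityException {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);
        SecretKey session = kg.generateKey();

        byte[] iv = new byte[IV_BYTES];
        new SecureRandom().nextBytes(iv);               // random IV; never reused with the same key
        Cipher aes = Cipher.getInstance(AES_GCM);
        aes.init(Cipher.ENCRYPT_MODE, session, new GCMParameterSpec(TAG_BITS, iv));
        byte[] ct = aes.doFinal(cardNumber.getBytes(StandardCharsets.UTF_8));
        byte[] ivAndCt = Arrays.copyOf(iv, iv.length + ct.length);
        System.arraycopy(ct, 0, ivAndCt, iv.length, ct.length);

        Cipher rsa = Cipher.getInstance(RSA_OAEP);
        rsa.init(Cipher.WRAP_MODE, viewerPublicKey);
        byte[] wrappedKey = rsa.wrap(session);

        Base64.Encoder b64 = Base64.getEncoder();
        return new CreditCardDBO(b64.encodeToString(wrappedKey), b64.encodeToString(ivAndCt));
    }

    /** Credit card client side (decryptCreditCardDBO()): unwrap the session key, then the card. */
    public static String decrypt(CreditCardDBO row, PrivateKey viewerPrivateKey) throws GeneralSecurityException {
        Base64.Decoder b64 = Base64.getDecoder();
        Cipher rsa = Cipher.getInstance(RSA_OAEP);
        rsa.init(Cipher.UNWRAP_MODE, viewerPrivateKey);
        SecretKey session = (SecretKey) rsa.unwrap(b64.decode(row.sessionKey), "AES", Cipher.SECRET_KEY);

        byte[] ivAndCt = b64.decode(row.ccNumber);
        Cipher aes = Cipher.getInstance(AES_GCM);
        aes.init(Cipher.DECRYPT_MODE, session, new GCMParameterSpec(TAG_BITS, ivAndCt, 0, IV_BYTES));
        byte[] plain = aes.doFinal(ivAndCt, IV_BYTES, ivAndCt.length - IV_BYTES);   // tag verified here
        return new String(plain, StandardCharsets.UTF_8);
    }

    public static void main(String[] args) throws Exception {
        // Constructed stand-in for the credit card client's key pair (normally the keystore entry
        // whose certificate is creditcard.cer).
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(3072);
        KeyPair viewer = kpg.generateKeyPair();

        String testCard = "4111111111111111";             // constructed test number, not a real card
        CreditCardDBO row = encrypt(testCard, viewer.getPublic());
        System.out.println("stored session_key: " + row.sessionKey);
        System.out.println("stored cc_number:   " + row.ccNumber);
        System.out.println("viewer decrypts:    " + decrypt(row, viewer.getPrivate()));

        // A modified cc_number is detected by the GCM tag rather than decrypting to garbage.
        byte[] tampered = Base64.getDecoder().decode(row.ccNumber);
        tampered[tampered.length - 1] ^= 0x01;
        try {
            decrypt(new CreditCardDBO(row.sessionKey, Base64.getEncoder().encodeToString(tampered)),
                    viewer.getPrivate());
        } catch (AEADBadTagException e) {
            System.out.println("tampered row rejected: " + e.getMessage());
        }
    }
}
```

Base64 is used here for the same reason the slide gives for the BASE64 encoder and decoder classes: the database columns hold text, and the stored values must round-trip byte for byte. The per-card session key also means that decrypting one row with the private key reveals nothing about any other row.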
Bank Implementation
– Creating an RMI object, BankImpl, to connect the interface to the data objects;
– Extends UnicastRemoteObject so that it can be used over RMI;
– Important methods:
• BankImpl();
• register();
• getAccount();
• getAllCreditCardAccountIDs();
• getCreditCardDBO();
Starting the Bank
– The BankInit class:
• Constructs a BankImpl object with a Properties object that we read off the file system;
• A command-line argument indicates the properties file to read;
• Calls Naming.rebind() on it so that it becomes available to RMI clients;
• A bug in JSSE v1.0.2 and earlier.
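What the slides call "RMI over SSL" with the middleware accepting only the web server and the credit card client is, in JSSE terms, an RMI export whose server socket factory requires client authentication against the bank's truststore. The sketch below is an added example for this transcript, not the book's BankInit or BankImpl; it uses the javax.rmi.ssl socket factories that ship with Java 5 and later (the book predates them), trims the Bank interface to one method, replaces DatabaseOperations with a constructed list of account IDs, and assumes the file names bankKeyStore and bankTrustStore.

```java
import java.rmi.Remote;
import java.rmi.RemoteException;
import java.rmi.registry.LocateRegistry;
import java.rmi.registry.Registry;
import java.rmi.server.UnicastRemoteObject;
import java.util.Arrays;
import java.util.List;
import javax.rmi.ssl.SslRMIClientSocketFactory;
import javax.rmi.ssl.SslRMIServerSocketFactory;

/** Hypothetical remote interface, reduced to one of the four Bank methods on the slides. */
interface Bank extends Remote {
    List<Long> getAllCreditCardAccountIDs() throws RemoteException;
}

/** Stand-in for BankImpl; the real one delegates to DatabaseOperations. */
class BankImpl implements Bank {
    private final List<Long> accountIds;
    BankImpl(List<Long> accountIds) { this.accountIds = accountIds; }
    @Override public List<Long> getAllCreditCardAccountIDs() { return accountIds; }
}

public class BankInit {
    public static void main(String[] args) throws Exception {
        // JSSE builds the default SSLContext from these standard properties, which the
        // SslRMI*SocketFactory classes use. File names are assumptions; the password is
        // prompted rather than passed on the command line so it never appears in the process list.
        char[] pass = System.console().readPassword("bankKeyStore password: ");
        System.setProperty("javax.net.ssl.keyStore", "bankKeyStore");
        System.setProperty("javax.net.ssl.keyStorePassword", new String(pass));
        Arrays.fill(pass, '\0');
        // Only the web server's and credit card client's certificates live in this truststore.
        System.setProperty("javax.net.ssl.trustStore", "bankTrustStore");

        SslRMIClientSocketFactory csf = new SslRMIClientSocketFactory();
        // needClientAuth = true: a caller without a certificate chaining to bankTrustStore is
        // dropped during the handshake, before any Bank method can be invoked.
        SslRMIServerSocketFactory ssf = new SslRMIServerSocketFactory(null, null, true);

        // Constructed account IDs in place of a database query.
        Bank bank = new BankImpl(Arrays.asList(1001L, 1002L, 1003L));
        // Export with explicit socket factories instead of extending UnicastRemoteObject.
        Bank stub = (Bank) UnicastRemoteObject.exportObject(bank, 0, csf, ssf);

        // Put the registry behind the same SSL factories and bind through the returned
        // Registry object; a Naming.rebind() from this JVM would reach the registry over a
        // plain socket, which the SSL server socket rejects.
        Registry registry = LocateRegistry.createRegistry(1099, csf, ssf);
        registry.rebind("Bank", stub);
        System.out.println("Bank bound; RMI over SSL with client authentication on port 1099");
    }
}
```

Because the SSL handshake happens before the RMI call is dispatched, the authorization decision is taken entirely by the truststore's contents; there is no per-method check in BankImpl to forget. The Bank.jar client (the web server or credit card client) uses the same factories on its side, with its own keystore so that it can present a certificate.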
Configuration
– config.properties: defines the JDBC configuration and the location of the public key;
– BankInit.policy: starts up the bank;
– Collecting the files:
• SecureDriverClient.jar;
• Bank.jar;
• Associated data: keystore, truststore, creditcard.cer.
– Running the Bank:
The Web Server
– Main functions:
• Registration;
• Account viewing.
– Using SSL client authentication to identify users;
– Build the servlets and JSPs for the web tier;
– Look at packaging the web application and deploying to Tomcat;
– Run the application;
Servlets and JSPs diagram
– index.html
– invalidLogin.html
– register.html
– alreadyRegistered.html
– RegisterServlet
– BalanceServlet, balance.jsp
Servlets and JSPs
– HTMLs:
• Register: sends data to RegisterServlet;
• Login: takes users to the BalanceServlet;
– Servlets:
• RegisterServlet: handles creating an account;
• BalanceServlet: loads account information and sends it to a JSP for display;
• AbstractEcommerceServlet:
– init();
– getCertificate();
– getRedirectURL();
– balance.jsp:
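The security-relevant part of AbstractEcommerceServlet is getCertificate(): the web tier identifies the user from the client certificate that Tomcat verified during the SSL handshake, and the Accounts table is keyed on that certificate's serial number. The class below is an added example for this transcript, not the book's servlet; the method names come from the slide, the rest (the attribute constant, the redirect page, the serial-number encoding, the abstract hook for subclasses) is this example's own. It assumes the javax.servlet API (Tomcat 9 and earlier); on Tomcat 10 and later the package is jakarta.servlet.

```java
import java.io.IOException;
import java.security.cert.X509Certificate;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Base servlet for the bank web tier. Identity comes from the client certificate the
 * container verified in the SSL handshake, never from a form field, parameter or cookie.
 * Page names match the servlet diagram; the remaining design is this example's assumption.
 */
public abstract class AbstractEcommerceServlet extends HttpServlet {

    /** Attribute name fixed by the Servlet specification for the verified client chain. */
    static final String CERT_ATTRIBUTE = "javax.servlet.request.X509Certificate";

    /** The authenticated client's own certificate, or null if no client authentication happened. */
    protected X509Certificate getCertificate(HttpServletRequest request) {
        if (!request.isSecure()) {
            return null;                                   // plain HTTP: nothing was authenticated
        }
        Object attr = request.getAttribute(CERT_ATTRIBUTE);
        if (!(attr instanceof X509Certificate[])) {
            return null;                                   // SSL without (or with failed) client auth
        }
        X509Certificate[] chain = (X509Certificate[]) attr;
        return chain.length == 0 ? null : chain[0];        // [0] is the leaf; the rest is its chain
    }

    /**
     * Lookup key for Accounts.certificate_serial_number (hex here; the encoding is a choice).
     * A serial number is unique only per issuer, so the web server's truststore must contain
     * exactly one CA (Thawte in the slides); with several CAs, key on issuer DN + serial instead.
     */
    protected static String serialNumberOf(X509Certificate cert) {
        return cert.getSerialNumber().toString(16);
    }

    /** Redirect target inside this web application, e.g. /BankApp/invalidLogin.html. */
    protected String getRedirectURL(HttpServletRequest request, String page) {
        return request.getContextPath() + "/" + page;
    }

    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        X509Certificate cert = getCertificate(request);
        if (cert == null) {
            response.sendRedirect(getRedirectURL(request, "invalidLogin.html"));
            return;
        }
        handleAuthenticated(request, response, serialNumberOf(cert));
    }

    @Override
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        doGet(request, response);                          // register.html posts; same identity check
    }

    /** BalanceServlet and RegisterServlet receive a serial number that the handshake already verified. */
    protected abstract void handleAuthenticated(HttpServletRequest request, HttpServletResponse response,
                                                String certificateSerialNumber)
            throws ServletException, IOException;
}
```

With this base class, BalanceServlet can only ever call Bank.getAccount() with the serial number of the certificate the browser actually presented, so one customer cannot view another's balance by editing a request; the "view their own account" feature from the first slide follows from the handshake rather than from application logic.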
Packaging the web application
– Policy file for Tomcat: tomcat.policy;
– Modifying web.xml;
– Build the WAR file;
– Copy the WAR file into Tomcat;
– Delete other webapps and add the BankApp;
– Enable SSL;
– Enable policy support;
– Add support files;
– Edit web server startup scripts.
Start the application
– Start the RMI registry on the database server;
– Start the database driver;
– Start the RMI registry on the bank;
– Start the bank;
– Start the web server.
Credit Card Client
– Allows a user to view all of the credit cards in the database, decrypting them with the private key;
– Modifications to the Chapter 10 example:
• A GUI for the password instead of setting the keystore password on the command line;
• Adding support for RMI: CreditCardClient class:
– decryptCreditCardDBO();
– main();
– getPassword();
Credit Card Client (cont.)
– Credit card client policy file: CreditCardClient.policy (Page 409);
– Packaging the credit card client:
• create a JAR file, CreditCardClient.jar;
• create a directory for the credit card client;
– Running the credit card client:
Possible Modifications
– Logging:
– Using SSL:
– Web browser authentication:
– The database:
– Encrypting SSL keys:
Reference
– Jess Garms, Daniel Somerfield, Professional Java Security;
– http://www.wrox.com
– http://xml.apache.org/xerces-j/index.html
– http://jakarta.apache.org/tomcat/index.html
– http://www.mysql.com
– http://www.thawte.com/certs/personal
– http://www.bouncycastle.org