Securing Large Applications CSCI 5931 Web Security Rungang Mo, Yingying Sun

Content –Designing an online banking application; –Setting up the keys and certificates; –Configuring the database; –Building a database access tier; –Developing a web tier; –Constructing a client application; –Looking at areas for improvements.

Online banking –Main features: Accept credit cards to open accounts; Allow users to view their own account; Allow finance agent to view all credit card data. –Web Interface: Entry Register Balance

Network topology

Network connections –Customer to web server: Most dangerous; Using SSL with authentication. –Web server to middleware: RMI over SSL. –Middleware to database: RMI over SSL. –Credit card viewer to middleware: Using SSL with authentication.

Application security –Database: Encrypt credit card numbers by public key; Run secure JDBC driver on the database. –Middleware (Bank): Only allow connections from web server and credit card client. –Credit card client: Decrypt and view credit cards

Application security (cont.) –Web server: Block access to most ports with a firewall. –Web browser: Using client authentication; The browser protects the private key with password-based encryption;

Setting up the keys -Relationship between Components

Generate the keys –Using default Java keystore to handle trust and authentication; –Create private and public keys for each component; –Create truststores for each component that contain the appropriate public keys; –Get a key from Thawte for web browser; –Using keytool to create the rest of the keys and certificates for credit card client, middleware, and database. (Page 366)

Export/ Import the certificates –In order to establish trust, we need to export all the certificate that need to be trusted: c:\> keytool -export -keystore bankKeyStore - file bank.cer –Set up trust by creating trust store: Web Server: need to trust a number of certificates Certificate Recognition in Internet Explorer: Page 367.

The Database –MySQL: Cross- platform and freely available for non- commercial use; –Tables: Accounts: ID, name, balance, certificate serial number. Credit_card: account_id, session_key, cc_number. –The database driver: secureDriver_config.xml; SecureDriver.policy.

The Middleware - The Bank –Creating an interface for clients to use; –Building data objects to enable items to be stored in the database; –Creating an RMI object to connect the interface to the data objects; –Constructing a way of starting the middleware; –Configuring the middleware.

The Bank Interface –Four methods contained in the Bank class: register(): register a new account given basic user information. getAccount(): find the account for a given client certificate serial number. getCreditCardDBO(): fetch the encrypted credit card information for a given account ID. getAllCreditCardAccountIDs(): get a list of all the account Ids in the database.

Data objects –Account class: Hold information, which is not encrypted; Contains accountID, balance, customer name, certificate serial number; –RegistrationInformation class: Wrap up all of the user-entered information; Contains credit card number, balance, name, certificate serial number; –CreditCardDBO class:

Data objects (cont.) –DatabaseOperations class: Class for performing database operations; Use the JDBC proxy to encrypt the connection using RMI over SSL; Store CreditCardDBO object and Account object in the database separately; Use the BASE64 encoder and decoder classes;

Bank Implementation –Creating an RMI object: BankImpl to connect the interface to the data objects; –Extend UnicastRemoteObject so that it can be used over RMI; –Important methods: BankImpl (); register (); getAccount (); getAllCreditCardAccountIDs (); getCreditCardDBO ();

Starting the Bank –The BankInit class: Construct a BankImpl object with a Properties object that we read off the file system; Commond-line argument indicates the properties file to read; Call Naming.rebind () on it so that it becomes available for RMI client; A bug in JSSE v and earlier.

Configuration –config.properties: define JDBC configuration and the location of the public key; –BankInit.policy: start up the bank; –Collecting the files: SecureDriverClient.jar; Bank.jar; Associated data: keystore/ truststore/ creditcard.cer –Running the Bank:

The Web Server –Main functions: Registration; Account viewing. –Using SSL client authentication to identify users; –Build the servlets and JSPs for the web tier; –Look at packaging the web application and deploying to Tomcat; –Run the application;

Servlets and JSPs Diagram index.html invalidLogin.html register.html alreadyRegistered.html RegisterServlet BalanceServlet balance.jsp

Servlets and JSPs –HTMLs: Register: sends data to RegisterServlet; Login: takes users to the BalanceServlet; –Servlets: RegisterServlet: handles creating account; BalanceServlet: loads account information, and sends it to a JSP for display AbstractEcommerceServlet: –init(); –getCertificate(); –getRedirectURL(); –balance.jsp:

Packaging the web application –Policy file for Tomcat: tomcat.policy –Modifying web.xml; –Build the WAR file; –Copy the WAR file into Tomcat; –Delete other Webapps and Add the BankApp; –Enable SSL; –Enable policy support; –Add support file –Edit web server startup scripts

Start the application –Start the RMI registry on the database server; –Start the database driver; –Start the RMI registry on the bank; –Start the bank; –Start the web server.

Credit Card Client –Allows a user to view all of the credit cards in the database, decrypting them with the private key; –Modifications on Chapter 10 example: The GUI for password instead of setting the keystore password on the command line; Adding support for RMI: CreditCardClient class: –decryptCreditCardDBO(); –main(); –getPassword();

Credit Card Client (Cont.) –Credit card client policy file: CreditCardClient.policy (Page 409); –Packaging the credit card client: create a JAR file, CreditCardClient.jar; create a directory for the credit card client; –Running the credit card client:

Possible Modifications –Logging: –Using SSL: –Web browser authentication: –The database: –Encrypting SSL keys:

Reference –Jess Garms, Daniel Somerfield-- Professional Java Security; – – – – – –