Date posted: 21-Dec-2015
Using CryptoWallet
By Zed A. Shaw
Overview
• Learning Objectives
• What is CryptoWallet
• How Is It Designed
Learning Objectives
• Knowledge of CryptoWallet’s Design
• Understanding of how to use CryptoWallet
• How to apply CryptoWallet to different problems
• Introduction to additional security problems with web applications
What Is CryptoWallet?
• An abstract secure object storage layer
• Uses Password Based Encryption (PBE)
• Stores Serializable objects to storage
• Storage can be to disk or to RDBMS (soon).
• Very simple API
How Is It Designed
• Two main classes to deal with
  • WalletManager: Responsible for retrieving wallets from storage and saving wallets to storage.
  • Wallet: A stripped down Map interface that stores its contents encrypted.
• Designed to be as simple as possible
• Not specific to uPortal
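As an added illustration of the idea on these slides (not CryptoWallet's own code, whose cipher and key derivation the slides do not describe), this sketch serializes a map and stores it encrypted under a password-derived key. PBKDF2-HMAC-SHA256, AES-GCM, the iteration count and the class name PbeWalletSketch are assumptions.

```java
import javax.crypto.*;
import javax.crypto.spec.*;
import java.io.*;
import java.security.SecureRandom;
import java.util.*;

public class PbeWalletSketch {
    static final int SALT_LEN = 16, IV_LEN = 12, ITERATIONS = 600_000; // assumed work factor
    // Derive a 256-bit AES key from the password and the wallet's random salt.
    static SecretKeySpec deriveKey(char[] password, byte[] salt) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(password, salt, ITERATIONS, 256);
        SecretKeyFactory kdf = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256");
        return new SecretKeySpec(kdf.generateSecret(spec).getEncoded(), "AES");
    }
    // Serialize the map, encrypt it, and return salt || iv || ciphertext-with-tag.
    static byte[] seal(HashMap<String, Serializable> contents, char[] password) throws Exception {
        ByteArrayOutputStream plain = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(plain)) { out.writeObject(contents); }
        byte[] salt = new byte[SALT_LEN], iv = new byte[IV_LEN];
        SecureRandom rng = new SecureRandom();
        rng.nextBytes(salt); rng.nextBytes(iv);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, deriveKey(password, salt), new GCMParameterSpec(128, iv));
        ByteArrayOutputStream blob = new ByteArrayOutputStream();
        blob.write(salt); blob.write(iv); blob.write(c.doFinal(plain.toByteArray()));
        return blob.toByteArray();
    }
    // Authenticate and decrypt first, deserialize only afterwards. A wrong password
    // or a modified blob fails the GCM tag check with AEADBadTagException.
    @SuppressWarnings("unchecked")
    static HashMap<String, Serializable> open(byte[] blob, char[] password) throws Exception {
        byte[] salt = Arrays.copyOfRange(blob, 0, SALT_LEN);
        byte[] iv = Arrays.copyOfRange(blob, SALT_LEN, SALT_LEN + IV_LEN);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, deriveKey(password, salt), new GCMParameterSpec(128, iv));
        byte[] plain = c.doFinal(blob, SALT_LEN + IV_LEN, blob.length - SALT_LEN - IV_LEN);
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(plain))) {
            return (HashMap<String, Serializable>) in.readObject();
        }
    }
    public static void main(String[] args) throws Exception {
        HashMap<String, Serializable> wallet = new HashMap<>();
        wallet.put("fookey", "constructed sample value");
        byte[] stored = seal(wallet, "constructed-password".toCharArray());
        System.out.println(open(stored, "constructed-password".toCharArray()).get("fookey"));
        try { open(stored, "wrong".toCharArray()); }
        catch (AEADBadTagException e) { System.out.println("wrong password rejected"); }
    }
}
```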
First Steps
• Acquiring Software
• Installing Pre-Reqs
• Compiling Source
• Configuring Test Bed
• Running Unit Tests
Acquiring The Software
• Frequent releases available from the UBC Portal Enhancements site at:
http://ubcpe.sourceforge.net/
• Extensive documentation will also be available
Installing Pre-Reqs
• Install Jakarta Ant 1.4 AND Optionals
• Get the release build from the UBC-PE site
• Unzip the archive to a directory
• Enter the directory to work with CryptoWallet
• Make sure you add all ./lib/*.jar and the build directory to CLASSPATH
Compiling The Source
• Sometimes, Ant is stupid
  • Use provided ant.sh script to run Ant
• Run “ant” to get it to build
  • If there are errors check for the jar files
• If you use MacOSX, make sure Stuffit didn’t truncate file extensions (.class becomes .cla)
Configuring Test Bed
• Extensive unit test through JUnit
• Edit Logger.properties AND cryptowallet.properties
• Make sure they are in your CLASSPATH!!!!
  • CryptoWallet loads the configuration out of the CLASSPATH
• If you have problems, look at the log in logs
Running Unit Tests
• Really easy, just type “ant test”
• Results are written in XML and HTML format to testresults directory
  • Open testresults/index.html in a browser
• ALL tests should run
  • If any do not, then check Logger.properties and cryptowallet.properties
Using It
• Installation
• Verification
Installation
• Package the classes into a jar
  • Probably want to remove everything but the ca.ubc.itservices.portal.cryptowallet.* package
• Place jar file, Logger.properties, cryptowallet.properties into CLASSPATH
• Edit as appropriate for new location
Verification
• There are three things to verify it works:
1. Add JUnit tests to CLASSPATH temporarily and re-run (ant test)
2. Add WalletBrowser.class to CLASSPATH and interactively test it
3. Open wallet store directory and make sure files are there, and they are encrypted
Writing Code
• Accessing Wallets
• Using Wallets
• Saving Wallets
Accessing Wallets
// init the wallet manager, hopefully only once
WalletManager.init();
// get the wallet we want, identified by user id and unlocked with the password
Wallet mywallet = WalletManager.getWallet(uid.getBytes(), pw.getBytes());
Using Wallets
// we should already have the wallet
// get the "thing" we want
Object thing = mywallet.get("thekey");
// store foo into wallet
String foo = new String();
mywallet.put("fookey", foo);
Saving Wallets
// very simple, just put wallet
WalletManager.put(uid.getBytes(), pw.getBytes(), mywallet);
Additional Code Samples
• JUnit Tests in source/under ca/ubc/itservices/portal/cryptowallet/tests/
• WalletBrowser.java in source
• JabberChannel which is coming soon
Security Concerns
• Coding Safety
• Controlling Access
• Testing & Verification
• Storage Medium
Coding Safety
• There are a few additional security problems
1. Controlling Access
2. Testing & Verification
3. Storage Media
4. Other Web Application Security Problems
Controlling Access
• You can use the Security Manager to prevent access
• It involves a complicated configuration
• Many different files with things in many different locations
• Very difficult to set up
• I’ll post a document to the UBC-PE site about this
Testing & Verification
• Unit tests work well for this kind of verification
• New tests should be written for each new storage medium used
• Tests should also try to break things
• See tests already written for samples
Storage Medium
• Only file system storage is available
• RDBMS is coming soon
• File System has the advantage of Security Manager control
  • Can prevent unauthorized code from updating wallet store
• RDBMS can be controlled through SQLPermission class
Other Security Problems
• SQL Injection
• Cross Site Scripting
• Session Hi-jacking
SQL Injection
• You have this:
String SQL = "SELECT * FROM myTable WHERE blah=" + formField;
• I do this:
1. Find form where “formField” comes from
2. Read Oracle/DB2/MSSQL manual to find escape sequences
3. Post form with escape sequences to run “rm -rf /*.*” on SQL server in the “formField”
• Use PreparedStatements to avoid this
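The slide's concatenated query beside its PreparedStatement form, as an added example that is not from the original talk. The class and method names are hypothetical, the sample input is constructed, and main assumes a JDBC URL for an empty scratch database as its first argument, with the driver on the CLASSPATH.

```java
import java.sql.*;

public class PreparedStatementDemo {
    // BEFORE (the slide's pattern): formField is pasted into the SQL text, so a
    // quote character in it changes where the string literal ends.
    static int countUnsafe(Connection conn, String formField) throws SQLException {
        String sql = "SELECT COUNT(*) FROM myTable WHERE blah = '" + formField + "'";
        try (Statement st = conn.createStatement(); ResultSet rs = st.executeQuery(sql)) {
            rs.next();
            return rs.getInt(1);
        }
    }

    // AFTER: the statement text is fixed; formField is bound as a value and is
    // never parsed as SQL.
    static int countSafe(Connection conn, String formField) throws SQLException {
        String sql = "SELECT COUNT(*) FROM myTable WHERE blah = ?";
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, formField);
            try (ResultSet rs = ps.executeQuery()) {
                rs.next();
                return rs.getInt(1);
            }
        }
    }

    // args[0]: JDBC URL of a scratch database (assumption, not part of the slides).
    public static void main(String[] args) throws SQLException {
        try (Connection conn = DriverManager.getConnection(args[0])) {
            try (Statement st = conn.createStatement()) {
                st.executeUpdate("CREATE TABLE myTable (blah VARCHAR(64))");
            }
            String formField = "O'Brien"; // constructed sample input containing a quote
            try (PreparedStatement ins =
                     conn.prepareStatement("INSERT INTO myTable (blah) VALUES (?)")) {
                ins.setString(1, formField);
                ins.executeUpdate();
            }
            System.out.println("bound parameter matches rows: " + countSafe(conn, formField));
            try {
                countUnsafe(conn, formField); // the stray quote is expected to break parsing
            } catch (SQLException e) {
                System.out.println("concatenated query did not parse: " + e.getMessage());
            }
        }
    }
}
```

An ordinary surname is enough to change the structure of the concatenated statement, while the bound version stores and matches it as plain data.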
Cross Site Scripting
• You have a Forum or WebMail setup
• You allow people to write HTML (because you are lazy)
  • Or, you try to escape all “<” “>” sequences
• I figure out what you are filtering
• I use Unicode escapes to write “<script>” in a Unicode set your scanner does not grok
• I send my code to everyone on the forum and hack their computers
Session Hijacking
• You use an application server that picks bad session IDs
• The application server puts these IDs in cookies
• I connect randomly until I find a valid session ID
• I own the session now, no SSL decryption required (yeah!)
Getting More Information
• These, and many other security problems, are available on:
http://www.owasp.org/
• There is a scanner in the works for most of these holes (which I’m working on) called WebScarab at http://www.owasp.org/webscarab/
Conclusion
• Hopefully this helped
• If you are still stuck, visit the UBC-PE site at http://ubcpe.sourceforge.net/ for more documentation
• I’m always available at [email protected] and will help
• Thanks for coming!
Questions?