Using CryptoWallet By Zed A. Shaw
Posted: 21-Dec-2015


Page 1: Using CryptoWallet

By Zed A. Shaw

Page 2: Overview

• Learning Objectives

• What is CryptoWallet

• How Is It Designed

Page 3: Learning Objectives

• Knowledge of CryptoWallet’s Design

• Understanding of how to use CryptoWallet

• How to apply CryptoWallet to different problems

• Introduction to additional security problems with web applications

Page 4: What Is CryptoWallet?

• An abstract secure object storage layer

• Uses Password Based Encryption (PBE)

• Stores Serializable objects to storage

• Storage can be to disk or to RDBMS (soon).

• Very simple API

Page 5: How Is It Designed

• Two main classes to deal with:

WalletManager: responsible for retrieving wallets from storage and saving wallets to storage.

Wallet: a stripped-down Map interface that stores its contents encrypted.

• Designed to be as simple as possible

• Not specific to uPortal

Page 6: First Steps

• Acquiring Software

• Installing Pre-Reqs

• Compiling Source

• Configuring Test Bed

• Running Unit Tests

Page 7: Acquiring The Software

• Frequent releases available from the UBC Portal Enhancements site at:

http://ubcpe.sourceforge.net/

• Extensive documentation will be available also

Page 8: Installing Pre-Reqs

• Install Jakarta Ant 1.4 AND Optionals

• Get the release build from the UBC-PE site

• Unzip the archive to a directory

• Enter the directory to work with CryptoWallet

• Make sure you add all ./lib/*.jar and the build directory to CLASSPATH

Page 9: Compiling The Source

• Sometimes, Ant is stupid: use the provided ant.sh script to run Ant

• Run “ant” to get it to build; if there are errors, check for the jar files

• If you use MacOSX, make sure Stuffit didn’t truncate file extensions (.class becomes .cla)

Page 10: Configuring Test Bed

• Extensive unit tests through JUnit

• Edit Logger.properties AND cryptowallet.properties

• Make sure they are in your CLASSPATH!!!! CryptoWallet loads the configuration out of the CLASSPATH

• If you have problems, look at the log in logs

Page 11: Running Unit Tests

• Really easy, just type “ant test”

• Results are written in XML and HTML format to the testresults directory; open testresults/index.html in a browser

• ALL tests should run; if any do not, then check Logger.properties and cryptowallet.properties

Page 12: Using It

• Installation

• Verification

Page 13: Installation

• Package the classes into a jar; you probably want to remove everything but the ca.ubc.itservices.portal.cryptowallet.* package

• Place jar file, Logger.properties, cryptowallet.properties into CLASSPATH

• Edit as appropriate for new location

Page 14: Verification

• There are three things to verify it works:

1. Add JUnit tests to CLASSPATH temporarily and re-run (ant test)

2. Add WalletBrowser.class to CLASSPATH and interactively test it

3. Open the wallet store directory and make sure the files are there, and that they are encrypted

Page 15: Writing Code

• Accessing Wallets

• Using Wallets

• Saving Wallets

Page 16: Accessing Wallets

// init the wallet manager, hopefully only once
WalletManager.init();

// get the wallet we want; the uid and password bytes select and unlock it
Wallet mywallet = WalletManager.getWallet(uid.getBytes(), pw.getBytes());

Page 17: Using Wallets

// we should already have the wallet
// get the "thing" we want
Object thing = mywallet.get("thekey");

// store foo into wallet (any Serializable object will do)
String foo = new String();
mywallet.put("fookey", foo);

Page 18: Saving Wallets

// very simple, just put the wallet back under the same uid and password
WalletManager.put(uid.getBytes(), pw.getBytes(), mywallet);
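A toy Python wallet store, added here and not CryptoWallet's own code, that walks through the design of Pages 4 and 5, the Page 14 check that the files on disk are really encrypted, and the get/put/save flow of Pages 16 to 18: the key is derived from the uid and password with PBKDF2, the map is serialized, encrypted and MAC-protected on disk, and a wrong password is rejected before anything is decrypted. The HMAC counter-mode keystream is an assumption of this illustration, not CryptoWallet's algorithm.

```python
import hashlib
import hmac
import json
import secrets

# Toy password-based wallet store, added to illustrate CryptoWallet's design (not
# its code): a map is serialized to JSON and written to disk encrypted under a key
# derived from (uid, password). The HMAC-SHA256 counter-mode keystream is an
# illustration only; a production wallet would use a vetted AEAD such as AES-GCM.
# File layout: 16-byte salt | 16-byte nonce | 32-byte MAC tag | ciphertext.

def _derive_keys(uid: bytes, pw: bytes, salt: bytes):
    """PBE: stretch uid+password with PBKDF2 into an encryption key and a MAC key."""
    km = hashlib.pbkdf2_hmac("sha256", uid + b"\x00" + pw, salt, 200_000, dklen=64)
    return km[:32], km[32:]

def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR data with an HMAC-derived keystream; the same call decrypts."""
    out = bytearray()
    for off in range(0, len(data), 32):
        block = hmac.new(key, nonce + off.to_bytes(8, "big"), "sha256").digest()
        out += bytes(a ^ b for a, b in zip(data[off:off + 32], block))
    return bytes(out)

def save_wallet(path: str, uid: bytes, pw: bytes, wallet: dict) -> None:
    """Encrypt-then-MAC the serialized map with a fresh salt and nonce per save."""
    salt, nonce = secrets.token_bytes(16), secrets.token_bytes(16)
    enc_key, mac_key = _derive_keys(uid, pw, salt)
    ct = _keystream_xor(enc_key, nonce, json.dumps(wallet).encode())
    tag = hmac.new(mac_key, salt + nonce + ct, "sha256").digest()
    with open(path, "wb") as f:
        f.write(salt + nonce + tag + ct)

def load_wallet(path: str, uid: bytes, pw: bytes) -> dict:
    """Verify the MAC before decrypting; a wrong password or edited file fails here."""
    with open(path, "rb") as f:
        blob = f.read()
    salt, nonce, tag, ct = blob[:16], blob[16:32], blob[32:64], blob[64:]
    enc_key, mac_key = _derive_keys(uid, pw, salt)
    expected = hmac.new(mac_key, salt + nonce + ct, "sha256").digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong password or tampered wallet file")
    return json.loads(_keystream_xor(enc_key, nonce, ct))

def store_looks_encrypted(path: str, plaintext_value: str) -> bool:
    """The Page 14 check: the stored file must not contain the value in the clear."""
    with open(path, "rb") as f:
        return plaintext_value.encode() not in f.read()
```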

Page 19: Additional Code Samples

• JUnit tests in source, under ca/ubc/itservices/portal/cryptowallet/tests/

• WalletBrowser.java in source

• JabberChannel which is coming soon

Page 20: Security Concerns

• Coding Safety

• Controlling Access

• Testing & Verification

• Storage Medium

Page 21: Coding Safety

• There are a few additional security problems

1. Controlling Access

2. Testing & Verification

3. Storage Media

4. Other Web Application Security Problems

Page 22: Controlling Access

• You can use the Security Manager to prevent access

• It involves a complicated configuration

• Many different files with things in many different locations

• Very difficult to set up

• I’ll post a document to the UBC-PE site about this

Page 23: Testing & Verification

• Unit tests work well for this kind of verification

• New tests should be written for each new storage medium used

• Tests should also try to break things

• See tests already written for samples

Page 24: Storage Medium

• Only file system storage is available

• RDBMS is coming soon

• File System has the advantage of Security Manager control: it can prevent unauthorized code from updating the wallet store

• RDBMS can be controlled through SQLPermission class

Page 25: Other Security Problems

• SQL Injection

• Cross Site Scripting

• Session Hi-jacking

Page 26: SQL Injection

• You have this:

String SQL = "SELECT * FROM myTable WHERE blah=" + formField;

• I do this:

1. Find form where “formField” comes from

2. Read Oracle/DB2/MSSQL manual to find escape sequences

3. Post form with escape sequences to run “rm -rf /*.*” on SQL server in the “formField”

• Use PreparedStatements to avoid this
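The slide's string-built query beside its prepared-statement form, as an added Python example (not code from the deck) against a constructed in-memory SQLite table named myTable with a blah column, so the two can be compared on the same form input and kept as a regression test:

```python
import sqlite3

# Constructed demo: myTable and its rows are sample data for this example only.

def make_db() -> sqlite3.Connection:
    """Build the sample table; blah is the integer key the form is expected to send."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE myTable (blah INTEGER PRIMARY KEY, owner TEXT, secret TEXT)")
    db.executemany("INSERT INTO myTable (owner, secret) VALUES (?, ?)",
                   [("alice", "alice-token"), ("bob", "bob-token")])
    return db

def lookup_concat(db: sqlite3.Connection, form_field: str) -> list:
    """The slide's pattern: formField is pasted into the SQL text, so whatever the
    form submitted is parsed by the database as part of the statement."""
    sql = "SELECT secret FROM myTable WHERE blah=" + form_field
    return [row[0] for row in db.execute(sql)]

def lookup_prepared(db: sqlite3.Connection, form_field: str) -> list:
    """PreparedStatement equivalent: the value is bound as data and never parsed
    as SQL, so a malformed key simply matches no row."""
    sql = "SELECT secret FROM myTable WHERE blah=?"
    return [row[0] for row in db.execute(sql, (form_field,))]
```

The same input that widens the concatenated query to every row returns nothing from the bound query, which is the property a unit test for this code path should assert.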

Page 27: Cross Site Scripting

• You have a Forum or WebMail setup

• You allow people to write HTML (because you are lazy), or you try to escape all “<” “>” sequences

• I figure out what you are filtering

• I use Unicode escapes to write “<script>” in a Unicode set your scanner does not grok

• I send my code to everyone on the forum and hack their computers

Page 28: Session Hijacking

• You use an application server that picks bad session IDs

• The application server puts these IDs in cookies

• I connect randomly until I find a valid session ID

• I own the session now, no SSL decryption required (yeah!)

Page 29: Getting More Information

• These, and many other security problems, are available on:

http://www.owasp.org/

• There is a scanner in the works for most of these holes (which I’m working on) called WebScarab at http://www.owasp.org/webscarab/

Page 30: Conclusion

• Hopefully this helped

• If you are still stuck, visit the UBC-PE site at http://ubcpe.sourceforge.net/ for more documentation

• I’m always available at [email protected] and will help

• Thanks for coming!

Page 31: Questions?