1 / 31

Using CryptoWallet

Using CryptoWallet. By Zed A. Shaw. Overview. Learning Objectives What is CryptoWallet How Is It Designed. Learning Objectives. Knowledge of CryptoWallet’s Design Understanding of how to use CryptoWallet How to apply CryptoWallet to different problems

ranger
Télécharger la présentation

Using CryptoWallet

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Using CryptoWallet By Zed A. Shaw

  2. Overview • Learning Objectives • What is CryptoWallet • How Is It Designed

  3. Learning Objectives • Knowledge of CryptoWallet’s Design • Understanding of how to use CryptoWallet • How to apply CryptoWallet to different problems • Introduction to additional security problems with web applications

  4. What Is CryptoWallet? • An abstract secure object storage layer • Uses Password Based Encryption (PBE) • Stores Serializable objects to storage • Storage can be to disk or to RDBMS (soon). • Very simple API

  5. How Is It Designed • Two main classes to deal with • WalletManager: Responsible for retrieving wallets from storage and saving wallets to storage. • Wallet: A stripped down Map interface that stores its contents encrypted. • Designed to be as simple as possible • Not specific to uPortal

  6. First Steps • Acquiring Software • Installing Pre-Reqs • Compiling Source • Configuring Test Bed • Running Unit Tests

  7. Acquiring The Software • Frequent releases available from the UBC Portal Enhancements site at:http://ubcpe.sourceforge.net/ • Extensive documentation will be available also

  8. Installing Pre-Reqs • Install Jakarta Ant 1.4 AND Optionals • Get the release build from the UBC-PE site • Unzip the archive to a directory • Enter the directory to work with CryptoWallet • Make sure you add all ./lib/*.jar and the build directory to CLASSPATH

  9. Compiling The Source • Sometimes, Ant is stupid • Use provided ant.sh script to run Ant • Run “ant” to get it to build • If there are errors check for the jar files • If you use MacOSX, make sure Stuffit didn’t truncate file extensions (.class becomes .cla)

  10. Configuring Test Bed • Extensive unit test through JUnit • Edit Logger.properties AND cryptowallet.properties • Make sure they are in your CLASSPATH!!!! • CryptoWallet loads the configuration out of the CLASSPATH • If you have problems, look at the log in logs

  11. Running Unit Tests • Really easy, just type “ant test” • Results are written in XML and HTML format to testresults directory • Open testresults/index.html in a browser • ALL tests should run • If any do not, then check Logger.properties and cryptowallet.properties

  12. Using It • Installation • Verification

  13. Installation • Package the classes into a jar • Probably want to remove everything but the ca.ubc.itservices.portal.cryptowallet.* package • Place jar file, Logger.properties, cryptowallet.properties into CLASSPATH • Edit as appropriate for new location

  14. Verification • There are three things to verify it works: • Add JUnit tests to CLASSPATH temporarily and re-run (ant test) • Add WalletBrowser.class to CLASSPATH and interactively test it • Open wallet store directory and make sure files are there, and they are encrypted

  15. Writing Code • Accessing Wallets • Using Wallets • Saving Wallets

  16. Accessing Wallets // init the wallet manager, hopefully only once WalletManager.init(); // get the wallet we want Wallet mywallet = WalletManager.getWallet(uid.getBytes(), pw.getBytes);

  17. Using Wallets // we should already have the wallet // get the “thing” we want Object thing = mywallet.get(“thekey”); // store foo into wallet String foo = new String(); mywallet.put(“fookey”, foo);

  18. Saving Wallets // very simple, just put wallet WalletManager.put(uid.getBytes(), pw.getBytes(), mywallet);

  19. Additional Code Samples • JUnit Tests in source/under ca/ubc/itservices/portal/cryptowallet/tests/ • WalletBrowser.java in source • JabberChannel which is coming soon

  20. Security Concerns • Coding Safety • Controlling Access • Testing & Verification • Storage Medium

  21. Coding Safety • There are a few additional security problems • Controlling Access • Testing & Verification • Storage Media • Other Web Application Security Problems

  22. Controlling Access • You can use the Security Manager to prevent access • It involves a complicated configuration • Many different files with things in many different locations • Very difficult to setup • I’ll post a document to the UBC-PE site about this

  23. Testing & Verification • Unit tests work well for this kind of verification • New tests should be written for each new storage medium used • Tests should also try to break things • See tests already written for samples

  24. Storage Medium • Only file system storage is available • RDBMS is coming soon • File System has the advantage of Security Manager control • Can prevent unauthorized code from updating wallet store • RDBMS can be controlled through SQLPermission class

  25. Other Security Problems • SQL Injection • Cross Site Scripting • Session Hi-jacking

  26. SQL Injection • You have this:String SQL = “SELECT * FROM myTable WHERE blah=“ + formField; • I do this: • Find form where “formField” comes from • Read Oracle/DB2/MSSQL manual to find escape sequences • Post form with escape sequences to run “rm -rf /*.*” on SQL server in the “formField” • Use PreparedStatements to avoid this

  27. Cross Site Scripting • You have a Forum or WebMail setup • You allow people to write HTML (because you are lazy) • Or, you try to escape all “<“ “>” sequences • I figure out what you are filtering • I use Unicode escapes to write “<script>” in a Unicode set your scanner does not grok • I send my code to everyone on the forum and hack their computers

  28. Session Hijacking • You use an application server that picks bad session IDs • The application server puts these IDs in cookies • I connect randomly until I find a valid session ID • I own the session now, no SSL decryption required (yeah!)

  29. Getting More Information • These, and many other security problems, are available on:http://www.owasp.org/ • There is a scanner in the works for most of these holes (which I’m working on) called WebScarab at http://www.owasp.org/webscarab/

  30. Conclusion • Hopefully this helped • If you are still stuck, visit the UBC-PE site at http://ubcpe.sourceforge.net/ for more documentation • I’m always available at zed.shaw@ubc.ca and will help • Thanks for coming!

  31. Questions?

More Related