260 likes | 270 Views
Learn to secure a large web application for online banking, covering key setup, database configuration, and web tiers for optimal protection. Discover main features and relevant security measures.
E N D
Securing Large Applications CSCI 5931 Web Security Rungang Mo, Yingying Sun Revised by A. Yang
Content • Designing an online banking application; • Setting up the keys and certificates; • Configuring the database; • Building a database access tier; • Developing a web tier; • Constructing a client application; • Looking at areas for improvements.
Online banking • Main features: • Accept credit cards to open accounts; • Allow users to view their own account; • Allow finance agent to view all credit card data. • Web Interface: Register Entry Balance
Connections Network topology • Customer to web server: • Most dangerous; • Using SSL with mutualauthentication • Web server to middleware: • RMI over SSL • Middleware to database: • RMI over SSL • Credit card viewer to middleware: • Using SSL with authentication
Application security • Database: • Encrypt credit card numbers by public key; • Run secure JDBC driver on the database. • Middleware (Bank): • Only allow connections from web server and credit card client. • Credit card client: • Decrypt and view credit cards
Application security (cont.) • Web server: • Block access to most ports with a firewall. • Web browser: • Using client authentication; • The browser protects the private key with password-based encryption;
Generate the keys • Using default Java keystore to handle trust and authentication; • Create private and public keys for each component; • Create truststore for each component that contain the appropriate public keys; • Get a key from Thawte for web browser; • Using keytool to create the rest of the keys and certificates for credit card client, middleware, and database. (Page 366)
Export/ Import the certificates • In order to establish trust, we need to export all the certificates that need to be trusted: • c:\> keytool -export -keystore bankKeyStore -file bank.cer • Set up trust by creating trust store: • Web Server: need to trust a number of certificates • Trusted certificates in Internet Explorer
The Database • MySQL: • Cross-platform and freely available for non- commercial use; • Tables: • Accounts: ID, name, balance, certificate serial number. • Credit_card: account_id, session_key, cc_number. • The database driver: • secureDriver_config.xml – config. Info for the secure driver • secureDriver.policy – grant permissions to connect, etc.
The Middleware - The Bank • Creating an interface for clients to use; • Building data objects to enable items to be stored in the database; • Creating an RMI object to connect the interface to the data objects; • Constructing a way of starting the middleware; • Configuring the middleware.
The Bank Interface • Four methods contained in the Bank class: • register(): register a new account given basic user information. • getAccount(): find the account for a given client certificate serial number. • getCreditCardDBO(): fetch the encrypted credit card information for a given account ID. • getAllCreditCardAccountIDs(): get a list of all the account Ids in the database.
Data objects • Account class: • Hold information, which is not encrypted; • Contains accountID, balance, customer name, certificate serial number; • RegistrationInformation class: • Wrap up all of the user-entered information; • Contains credit card number, balance, name, certificate serial number; • CreditCardDBO class:
Data objects (cont.) • DatabaseOperations class: • Class for performing database operations; • Use the JDBC proxy to encrypt the connection using RMI over SSL; • Store CreditCardDBO object and Account object in the database separately; • Use the BASE64 encoder and decoder classes;
Bank Implementation • Creating an RMI object: BankImpl to connect the interface to the data objects; • Extend UnicastRemoteObject so that it can be used over RMI; • Important methods: • BankImpl (); • register (); • getAccount (); • getAllCreditCardAccountIDs (); • getCreditCardDBO ();
Starting the Bank • The BankInit class: • Construct a BankImpl object with a Properties object that we read off the file system; • Commond-line argument indicates the properties file to read; • Call Naming.rebind () on it so that it becomes available for RMI client; • A bug in JSSE v.1.0.2 and earlier.
Configuration • config.properties: define JDBC configuration and the location of the public key; • BankInit.policy: start up the bank; • Collecting the files: • SecureDriverClient.jar; • Bank.jar; • Associated data: keystore/ truststore/ creditcard.cer • Running the Bank:
The Web Server • Main functions: • Registration; • Account viewing. • Using SSL client authentication to identify users; • Build the servlets and JSPs for the web tier; • Look at packaging the web application and deploying to Tomcat; • Run the application;
Servlets and JSPs Diagram index.html balance.jsp BalanceServlet invalidLogin.html register.html RegisterServlet alreadyRegistered.html
Servlets and JSPs • HTMLs: • Register: sends data to RegisterServlet; • Login: takes users to the BalanceServlet; • Servlets: • RegisterServlet: handles creating account; • BalanceServlet: loads account information, and sends it to a JSP for display • AbstractEcommerceServlet: • init(); • getCertificate(); • getRedirectURL(); • balance.jsp:
Packaging the web application • Policy file for Tomcat: tomcat.policy • Modifying web.xml; • Build the WAR file; • Copy the WAR file into Tomcat; • Delete other Webapps and Add the BankApp; • Enable SSL; • Enable policy support; • Add support file • Edit web server startup scripts
Start the application • Start the RMI registry on the database server; • Start the database driver; • Start the RMI registry on the bank; • Start the bank; • Start the web server.
Credit Card Client • Allows a user to view all of the credit cards in the database, decrypting them with the private key; • Modifications on Chapter 10 example: • The GUI for password instead of setting the keystore password on the command line; • Adding support for RMI: CreditCardClient class: • decryptCreditCardDBO(); • main(); • getPassword();
Credit Card Client (Cont.) • Credit card client policy file: CreditCardClient.policy (Page 409); • Packaging the credit card client: • create a JAR file, CreditCardClient.jar; • create a directory for the credit card client; • Running the credit card client:
Possible Modifications • Logging: • Using SSL: • Web browser authentication: • The database: • Encrypting SSL keys:
Reference • Jess Garms, Daniel Somerfield-- Professional Java Security; • http://www.wrox.com; • http://xml.apache.org/xerces-j/index.html; • http://jakarta.apache.org/tomcat/index.html; • http://www.mysql.com • http://www.thawte.com/certs/personal • http://www.bouncycastle.org