What the $#*! IS my password?
Secure Online Password Storage
Lon Smith, Aaron Gremmert
Who Has a Password?
• Who has 10? 50? 100?
• Must be changed every 3 months?
• Can’t use previous 3 passwords?
• And must be:
  • at least 8 chars long
  • include A-Z and a-z and 0-9 and !@#$%^&*...
  • can’t be any part of your username
  • ....
Concept Requirements
• The Big Idea
  • To create an online secure resource for storing and accessing sensitive data.
• Essential Concept Requirements
  • Secure: durable encryption and user identification schemes.
  • Accessible: from any internet connection.
  • User Friendly: intuitive forms for finding and modifying data, and a friendly sign-in process.
System Architecture: Overview
• Server / DB Server: the database stores encrypted information and fulfills web service requests.
• Web Service: works with the DB to provide a uniform secure interface for client applications.
• Clients (Web Site, Desktop App, WEP / Palm Client): allow the user to securely view / modify their account through the common web service interface.
System Architecture: The Server
• The Database
  • Could be one of many available technologies (e.g. mySQL).
  • Adheres to a strict XML schema for modeling the data and relations.
  • Plays nice with its friend, the web service, communicating through a number of stored procedures.
• The Web Service
  • Could be developed with Java/.net platforms.
  • Works with the DB to process validated requests from the client, and to encrypt/decrypt data as needed.
System Architecture: The Client
• The Web Application
  • Could be developed with the Java/.net platform.
  • Provides user-friendly web forms for creating a new account, signing in, and viewing and editing data.
  • Sign-in would include a typical user name / password form, and a second “image based password”, to validate the user’s identity.
• Desktop and Mobile Apps
  • Likely to be beyond the scope of the quarter. But…
  • certainly within range once the web service / DB are in place. Both Java/.net have tools to play with.
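As an added illustration (not code from the slides or the project) of the server-side sign-in and password-policy handling described above: the rules are the ones listed on the “Who Has a Password?” slide (length, character classes, no username fragment, no reuse of the previous 3), and the constants, the 3-character username-fragment rule and PBKDF2 as the hashing scheme are assumptions. Previous passwords are kept only as salted hashes, so the reuse check re-derives the candidate under each stored salt instead of keeping old passwords in clear.

```python
import hashlib
import hmac
import re
import secrets
from typing import List, Optional, Tuple

# Assumed policy constants, following the requirements listed on the slide.
MIN_LENGTH = 8
HISTORY_DEPTH = 3
PBKDF2_ITERATIONS = 100_000
CLASSES = (("uppercase", r"[A-Z]"), ("lowercase", r"[a-z]"),
           ("digit", r"[0-9]"), ("symbol", r"[!@#$%^&*]"))


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). A fresh random salt is drawn unless one is supplied;
    supplying one is only for re-checking a candidate against a stored entry."""
    if salt is None:
        salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def matches(password: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison of a candidate against a stored (salt, digest)."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


def check_policy(username: str, password: str,
                 history: List[Tuple[bytes, bytes]]) -> List[str]:
    """Return the violated rules; an empty list means the password is acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    for name, pattern in CLASSES:
        if not re.search(pattern, password):
            problems.append(f"missing {name}")
    # "Can't be any part of your username": reject any 3+ character fragment of it.
    user, pw = username.lower(), password.lower()
    if any(user[i:i + 3] in pw for i in range(len(user) - 2)):
        problems.append("contains part of the username")
    # Only the last HISTORY_DEPTH entries count; each is checked under its own salt.
    for salt, digest in history[-HISTORY_DEPTH:]:
        if matches(password, salt, digest):
            problems.append(f"matches one of the last {HISTORY_DEPTH} passwords")
            break
    return problems
```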
Feasibility Rationale
• Two key assumptions:
  • Feasibility of encrypted communication between server and client.
  • Technology platform that will support database server and web client interaction.
• Both address the core functionality of the system.
  • Without these, the system isn’t useful.