Presentation is loading. Please wait.

Presentation is loading. Please wait.

Securing Large Applications CSCI 5931 Web Security Rungang Mo, Yingying Sun.

Published byStephany Tucker Modified over 8 years ago

Similar presentations

Presentation on theme: "Securing Large Applications CSCI 5931 Web Security Rungang Mo, Yingying Sun."— Presentation transcript:

1 Securing Large Applications CSCI 5931 Web Security Rungang Mo, Yingying Sun

2 Content –Designing an online banking application; –Setting up the keys and certificates; –Configuring the database; –Building a database access tier; –Developing a web tier; –Constructing a client application; –Looking at areas for improvements.

3 Online banking –Main features: Accept credit cards to open accounts; Allow users to view their own account; Allow finance agent to view all credit card data. –Web Interface: Entry Register Balance

4 Network topology

5 Network connections –Customer to web server: Most dangerous; Using SSL with authentication. –Web server to middleware: RMI over SSL. –Middleware to database: RMI over SSL. –Credit card viewer to middleware: Using SSL with authentication.

6 Application security –Database: Encrypt credit card numbers by public key; Run secure JDBC driver on the database. –Middleware (Bank): Only allow connections from web server and credit card client. –Credit card client: Decrypt and view credit cards

7 Application security (cont.) –Web server: Block access to most ports with a firewall. –Web browser: Using client authentication; The browser protects the private key with password-based encryption;

8 Setting up the keys -Relationship between Components

9 Generate the keys –Using default Java keystore to handle trust and authentication; –Create private and public keys for each component; –Create truststores for each component that contain the appropriate public keys; –Get a key from Thawte for web browser; –Using keytool to create the rest of the keys and certificates for credit card client, middleware, and database. (Page 366)

10 Export/ Import the certificates –In order to establish trust, we need to export all the certificate that need to be trusted: c:\> keytool -export -keystore bankKeyStore - file bank.cer –Set up trust by creating trust store: Web Server: need to trust a number of certificates Certificate Recognition in Internet Explorer: Page 367.

11 The Database –MySQL: Cross- platform and freely available for non- commercial use; –Tables: Accounts: ID, name, balance, certificate serial number. Credit_card: account_id, session_key, cc_number. –The database driver: secureDriver_config.xml; SecureDriver.policy.

12 The Middleware - The Bank –Creating an interface for clients to use; –Building data objects to enable items to be stored in the database; –Creating an RMI object to connect the interface to the data objects; –Constructing a way of starting the middleware; –Configuring the middleware.

13 The Bank Interface –Four methods contained in the Bank class: register(): register a new account given basic user information. getAccount(): find the account for a given client certificate serial number. getCreditCardDBO(): fetch the encrypted credit card information for a given account ID. getAllCreditCardAccountIDs(): get a list of all the account Ids in the database.

14 Data objects –Account class: Hold information, which is not encrypted; Contains accountID, balance, customer name, certificate serial number; –RegistrationInformation class: Wrap up all of the user-entered information; Contains credit card number, balance, name, certificate serial number; –CreditCardDBO class:

15 Data objects (cont.) –DatabaseOperations class: Class for performing database operations; Use the JDBC proxy to encrypt the connection using RMI over SSL; Store CreditCardDBO object and Account object in the database separately; Use the BASE64 encoder and decoder classes;

16 Bank Implementation –Creating an RMI object: BankImpl to connect the interface to the data objects; –Extend UnicastRemoteObject so that it can be used over RMI; –Important methods: BankImpl (); register (); getAccount (); getAllCreditCardAccountIDs (); getCreditCardDBO ();

17 Starting the Bank –The BankInit class: Construct a BankImpl object with a Properties object that we read off the file system; Commond-line argument indicates the properties file to read; Call Naming.rebind () on it so that it becomes available for RMI client; A bug in JSSE v.1.0.2 and earlier.

18 Configuration –config.properties: define JDBC configuration and the location of the public key; –BankInit.policy: start up the bank; –Collecting the files: SecureDriverClient.jar; Bank.jar; Associated data: keystore/ truststore/ creditcard.cer –Running the Bank:

19 The Web Server –Main functions: Registration; Account viewing. –Using SSL client authentication to identify users; –Build the servlets and JSPs for the web tier; –Look at packaging the web application and deploying to Tomcat; –Run the application;

20 Servlets and JSPs Diagram index.html invalidLogin.html register.html alreadyRegistered.html RegisterServlet BalanceServlet balance.jsp

21 Servlets and JSPs –HTMLs: Register: sends data to RegisterServlet; Login: takes users to the BalanceServlet; –Servlets: RegisterServlet: handles creating account; BalanceServlet: loads account information, and sends it to a JSP for display AbstractEcommerceServlet: –init(); –getCertificate(); –getRedirectURL(); –balance.jsp:

22 Packaging the web application –Policy file for Tomcat: tomcat.policy –Modifying web.xml; –Build the WAR file; –Copy the WAR file into Tomcat; –Delete other Webapps and Add the BankApp; –Enable SSL; –Enable policy support; –Add support file –Edit web server startup scripts

23 Start the application –Start the RMI registry on the database server; –Start the database driver; –Start the RMI registry on the bank; –Start the bank; –Start the web server.

24 Credit Card Client –Allows a user to view all of the credit cards in the database, decrypting them with the private key; –Modifications on Chapter 10 example: The GUI for password instead of setting the keystore password on the command line; Adding support for RMI: CreditCardClient class: –decryptCreditCardDBO(); –main(); –getPassword();

25 Credit Card Client (Cont.) –Credit card client policy file: CreditCardClient.policy (Page 409); –Packaging the credit card client: create a JAR file, CreditCardClient.jar; create a directory for the credit card client; –Running the credit card client:

26 Possible Modifications –Logging: –Using SSL: –Web browser authentication: –The database: –Encrypting SSL keys:

27 Reference –Jess Garms, Daniel Somerfield-- Professional Java Security; –http://www.wrox.com; –http://xml.apache.org/xerces-j/index.html; –http://jakarta.apache.org/tomcat/index.html; –http://www.mysql.com –http://www.thawte.com/certs/personal –http://www.bouncycastle.org

Download ppt "Securing Large Applications CSCI 5931 Web Security Rungang Mo, Yingying Sun."

Similar presentations

This course is designed for system managers/administrators to better understand the SAAZ Desktop and Server Management components Students will learn.

This course is designed for system managers/administrators to better understand the SAAZ Desktop and Server Management components Students will learn.
Module 6: Configuring Windows XP Professional to Operate in a Microsoft Network.

Module 6: Configuring Windows XP Professional to Operate in a Microsoft Network.
Ordering Stones on the Senior Sidewalk of Kansas State University Under the guidance of Dr. Daniel Andresen (Major Professor) Dr. Gurdip Singh Dr. Mitchell.

Ordering Stones on the Senior Sidewalk of Kansas State University Under the guidance of Dr. Daniel Andresen (Major Professor) Dr. Gurdip Singh Dr. Mitchell.
Object-Oriented Enterprise Application Development Tomcat 3.2 Configuration Last Updated: 03/30/2001.

Object-Oriented Enterprise Application Development Tomcat 3.2 Configuration Last Updated: 03/30/2001.
Gem Cluster Freelancer Network Sosuke Tokunaga CS491b Fall 2004.

Gem Cluster Freelancer Network Sosuke Tokunaga CS491b Fall 2004.
SSL Man in the Middle Proxy Srinivas Inguva Dan Boneh Ian Baker Stanford University.

SSL Man in the Middle Proxy Srinivas Inguva Dan Boneh Ian Baker Stanford University.
Web Site Security Representation and Management of Data on the Web.

Web Site Security Representation and Management of Data on the Web.
Tomcat Configuration A Very, Very, Very Brief Overview.

Tomcat Configuration A Very, Very, Very Brief Overview.
Julien Thibault / Phil Brewster / Kristina Doing-Harris

Julien Thibault / Phil Brewster / Kristina Doing-Harris
SSL (Secure Socket Layer) and Secure Web Pages Rob Sodders, University of Florida CIS4930 “Advanced Web Design” Spring 2004

SSL (Secure Socket Layer) and Secure Web Pages Rob Sodders, University of Florida CIS4930 “Advanced Web Design” Spring 2004
Understanding and Managing WebSphere V5

Understanding and Managing WebSphere V5
Amazon EC2 Quick Start adapted from EC2_GetStarted.html.

Amazon EC2 Quick Start adapted from EC2_GetStarted.html.
11 SUPPORTING INTERNET EXPLORER IN WINDOWS XP Chapter 11.

11 SUPPORTING INTERNET EXPLORER IN WINDOWS XP Chapter 11.
Course 6421A Module 7: Installing, Configuring, and Troubleshooting the Network Policy Server Role Service Presentation: 60 minutes Lab: 60 minutes Module.

Course 6421A Module 7: Installing, Configuring, and Troubleshooting the Network Policy Server Role Service Presentation: 60 minutes Lab: 60 minutes Module.
8/19/20151 Securing a Database Based on notes by Fei Li and Hong Li.

8/19/20151 Securing a Database Based on notes by Fei Li and Hong Li.
Chapter 10 EJB Concepts of EJB Three Components in Creating an EJB Starting/Stopping J2EE Server and Deployment Tool Installation and Configuration of.

Chapter 10 EJB Concepts of EJB Three Components in Creating an EJB Starting/Stopping J2EE Server and Deployment Tool Installation and Configuration of.
M. Taimoor Khan * Java Server Pages (JSP) is a server-side programming technology that enables the creation of dynamic,

M. Taimoor Khan * Java Server Pages (JSP) is a server-side programming technology that enables the creation of dynamic,
E.halFILE 2.2 New Application Features Session II.

E.halFILE 2.2 New Application Features Session II.
Module 10: Designing an AD RMS Infrastructure in Windows Server 2008.

Module 10: Designing an AD RMS Infrastructure in Windows Server 2008.
CSCI 6962: Server-side Design and Programming Course Introduction and Overview.

CSCI 6962: Server-side Design and Programming Course Introduction and Overview.

Similar presentations

Ads by Google