Using cryptowallet
1 / 31

Using CryptoWallet - PowerPoint PPT Presentation

  • Uploaded on

Using CryptoWallet. By Zed A. Shaw. Overview. Learning Objectives What is CryptoWallet How Is It Designed. Learning Objectives. Knowledge of CryptoWallet’s Design Understanding of how to use CryptoWallet How to apply CryptoWallet to different problems

I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
Download Presentation

PowerPoint Slideshow about ' Using CryptoWallet' - ranger

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
Using cryptowallet

Using CryptoWallet

By Zed A. Shaw


  • Learning Objectives

  • What is CryptoWallet

  • How Is It Designed

Learning objectives
Learning Objectives

  • Knowledge of CryptoWallet’s Design

  • Understanding of how to use CryptoWallet

  • How to apply CryptoWallet to different problems

  • Introduction to additional security problems with web applications

What is cryptowallet
What Is CryptoWallet?

  • An abstract secure object storage layer

  • Uses Password Based Encryption (PBE)

  • Stores Serializable objects to storage

  • Storage can be to disk or to RDBMS (soon).

  • Very simple API

How is it designed
How Is It Designed

  • Two main classes to deal with

    • WalletManager: Responsible for retrieving wallets from storage and saving wallets to storage.

    • Wallet: A stripped down Map interface that stores its contents encrypted.

  • Designed to be as simple as possible

  • Not specific to uPortal

First steps
First Steps

  • Acquiring Software

  • Installing Pre-Reqs

  • Compiling Source

  • Configuring Test Bed

  • Running Unit Tests

Acquiring the software
Acquiring The Software

  • Frequent releases available from the UBC Portal Enhancements site at:

  • Extensive documentation will be available also

Installing pre reqs
Installing Pre-Reqs

  • Install Jakarta Ant 1.4 AND Optionals

  • Get the release build from the UBC-PE site

  • Unzip the archive to a directory

  • Enter the directory to work with CryptoWallet

  • Make sure you add all ./lib/*.jar and the build directory to CLASSPATH

Compiling the source
Compiling The Source

  • Sometimes, Ant is stupid

    • Use provided script to run Ant

  • Run “ant” to get it to build

    • If there are errors check for the jar files

  • If you use MacOSX, make sure Stuffit didn’t truncate file extensions (.class becomes .cla)

Configuring test bed
Configuring Test Bed

  • Extensive unit test through JUnit

  • Edit AND

  • Make sure they are in your CLASSPATH!!!!

    • CryptoWallet loads the configuration out of the CLASSPATH

  • If you have problems, look at the log in logs

Running unit tests
Running Unit Tests

  • Really easy, just type “ant test”

  • Results are written in XML and HTML format to testresults directory

    • Open testresults/index.html in a browser

  • ALL tests should run

    • If any do not, then check and

Using it
Using It

  • Installation

  • Verification


  • Package the classes into a jar

    • Probably want to remove everything but the ca.ubc.itservices.portal.cryptowallet.* package

  • Place jar file,, into CLASSPATH

  • Edit as appropriate for new location


  • There are three things to verify it works:

    • Add JUnit tests to CLASSPATH temporarily and re-run (ant test)

    • Add WalletBrowser.class to CLASSPATH and interactively test it

    • Open wallet store directory and make sure files are there, and they are encrypted

Writing code
Writing Code

  • Accessing Wallets

  • Using Wallets

  • Saving Wallets

Accessing wallets
Accessing Wallets

// init the wallet manager, hopefully only once


// get the wallet we want

Wallet mywallet = WalletManager.getWallet(uid.getBytes(), pw.getBytes);

Using wallets
Using Wallets

// we should already have the wallet

// get the “thing” we want

Object thing = mywallet.get(“thekey”);

// store foo into wallet

String foo = new String();

mywallet.put(“fookey”, foo);

Saving wallets
Saving Wallets

// very simple, just put wallet

WalletManager.put(uid.getBytes(), pw.getBytes(), mywallet);

Additional code samples
Additional Code Samples

  • JUnit Tests in source/under ca/ubc/itservices/portal/cryptowallet/tests/

  • in source

  • JabberChannel which is coming soon

Security concerns
Security Concerns

  • Coding Safety

  • Controlling Access

  • Testing & Verification

  • Storage Medium

Coding safety
Coding Safety

  • There are a few additional security problems

  • Controlling Access

  • Testing & Verification

  • Storage Media

  • Other Web Application Security Problems

Controlling access
Controlling Access

  • You can use the Security Manager to prevent access

  • It involves a complicated configuration

  • Many different files with things in many different locations

  • Very difficult to setup

  • I’ll post a document to the UBC-PE site about this

Testing verification
Testing & Verification

  • Unit tests work well for this kind of verification

  • New tests should be written for each new storage medium used

  • Tests should also try to break things

  • See tests already written for samples

Storage medium
Storage Medium

  • Only file system storage is available

  • RDBMS is coming soon

  • File System has the advantage of Security Manager control

    • Can prevent unauthorized code from updating wallet store

  • RDBMS can be controlled through SQLPermission class

Other security problems
Other Security Problems

  • SQL Injection

  • Cross Site Scripting

  • Session Hi-jacking

Sql injection
SQL Injection

  • You have this:String SQL = “SELECT * FROM myTable WHERE blah=“ + formField;

  • I do this:

    • Find form where “formField” comes from

    • Read Oracle/DB2/MSSQL manual to find escape sequences

    • Post form with escape sequences to run “rm -rf /*.*” on SQL server in the “formField”

  • Use PreparedStatements to avoid this

Cross site scripting
Cross Site Scripting

  • You have a Forum or WebMail setup

  • You allow people to write HTML (because you are lazy)

    • Or, you try to escape all “<“ “>” sequences

  • I figure out what you are filtering

  • I use Unicode escapes to write “<script>” in a Unicode set your scanner does not grok

  • I send my code to everyone on the forum and hack their computers

Session hijacking
Session Hijacking

  • You use an application server that picks bad session IDs

  • The application server puts these IDs in cookies

  • I connect randomly until I find a valid session ID

  • I own the session now, no SSL decryption required (yeah!)

Getting more information
Getting More Information

  • These, and many other security problems, are available on:

  • There is a scanner in the works for most of these holes (which I’m working on) called WebScarab at


  • Hopefully this helped

  • If you are still stuck, visit the UBC-PE site at for more documentation

  • I’m always available at [email protected] and will help

  • Thanks for coming!