Using cryptowallet
This presentation is the property of its rightful owner.
Sponsored Links
1 / 31

Using CryptoWallet PowerPoint PPT Presentation


  • 35 Views
  • Uploaded on
  • Presentation posted in: General

Using CryptoWallet. By Zed A. Shaw. Overview. Learning Objectives What is CryptoWallet How Is It Designed. Learning Objectives. Knowledge of CryptoWallet’s Design Understanding of how to use CryptoWallet How to apply CryptoWallet to different problems

Download Presentation

Using CryptoWallet

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -

Presentation Transcript


Using cryptowallet

Using CryptoWallet

By Zed A. Shaw


Overview

Overview

  • Learning Objectives

  • What is CryptoWallet

  • How Is It Designed


Learning objectives

Learning Objectives

  • Knowledge of CryptoWallet’s Design

  • Understanding of how to use CryptoWallet

  • How to apply CryptoWallet to different problems

  • Introduction to additional security problems with web applications


What is cryptowallet

What Is CryptoWallet?

  • An abstract secure object storage layer

  • Uses Password Based Encryption (PBE)

  • Stores Serializable objects to storage

  • Storage can be to disk or to RDBMS (soon).

  • Very simple API


How is it designed

How Is It Designed

  • Two main classes to deal with

    • WalletManager: Responsible for retrieving wallets from storage and saving wallets to storage.

    • Wallet: A stripped down Map interface that stores its contents encrypted.

  • Designed to be as simple as possible

  • Not specific to uPortal


First steps

First Steps

  • Acquiring Software

  • Installing Pre-Reqs

  • Compiling Source

  • Configuring Test Bed

  • Running Unit Tests


Acquiring the software

Acquiring The Software

  • Frequent releases available from the UBC Portal Enhancements site at:http://ubcpe.sourceforge.net/

  • Extensive documentation will be available also


Installing pre reqs

Installing Pre-Reqs

  • Install Jakarta Ant 1.4 AND Optionals

  • Get the release build from the UBC-PE site

  • Unzip the archive to a directory

  • Enter the directory to work with CryptoWallet

  • Make sure you add all ./lib/*.jar and the build directory to CLASSPATH


Compiling the source

Compiling The Source

  • Sometimes, Ant is stupid

    • Use provided ant.sh script to run Ant

  • Run “ant” to get it to build

    • If there are errors check for the jar files

  • If you use MacOSX, make sure Stuffit didn’t truncate file extensions (.class becomes .cla)


Configuring test bed

Configuring Test Bed

  • Extensive unit test through JUnit

  • Edit Logger.properties AND cryptowallet.properties

  • Make sure they are in your CLASSPATH!!!!

    • CryptoWallet loads the configuration out of the CLASSPATH

  • If you have problems, look at the log in logs


Running unit tests

Running Unit Tests

  • Really easy, just type “ant test”

  • Results are written in XML and HTML format to testresults directory

    • Open testresults/index.html in a browser

  • ALL tests should run

    • If any do not, then check Logger.properties and cryptowallet.properties


Using it

Using It

  • Installation

  • Verification


Installation

Installation

  • Package the classes into a jar

    • Probably want to remove everything but the ca.ubc.itservices.portal.cryptowallet.* package

  • Place jar file, Logger.properties, cryptowallet.properties into CLASSPATH

  • Edit as appropriate for new location


Verification

Verification

  • There are three things to verify it works:

    • Add JUnit tests to CLASSPATH temporarily and re-run (ant test)

    • Add WalletBrowser.class to CLASSPATH and interactively test it

    • Open wallet store directory and make sure files are there, and they are encrypted


Writing code

Writing Code

  • Accessing Wallets

  • Using Wallets

  • Saving Wallets


Accessing wallets

Accessing Wallets

// init the wallet manager, hopefully only once

WalletManager.init();

// get the wallet we want

Wallet mywallet = WalletManager.getWallet(uid.getBytes(), pw.getBytes);


Using wallets

Using Wallets

// we should already have the wallet

// get the “thing” we want

Object thing = mywallet.get(“thekey”);

// store foo into wallet

String foo = new String();

mywallet.put(“fookey”, foo);


Saving wallets

Saving Wallets

// very simple, just put wallet

WalletManager.put(uid.getBytes(), pw.getBytes(), mywallet);


Additional code samples

Additional Code Samples

  • JUnit Tests in source/under ca/ubc/itservices/portal/cryptowallet/tests/

  • WalletBrowser.java in source

  • JabberChannel which is coming soon


Security concerns

Security Concerns

  • Coding Safety

  • Controlling Access

  • Testing & Verification

  • Storage Medium


Coding safety

Coding Safety

  • There are a few additional security problems

  • Controlling Access

  • Testing & Verification

  • Storage Media

  • Other Web Application Security Problems


Controlling access

Controlling Access

  • You can use the Security Manager to prevent access

  • It involves a complicated configuration

  • Many different files with things in many different locations

  • Very difficult to setup

  • I’ll post a document to the UBC-PE site about this


Testing verification

Testing & Verification

  • Unit tests work well for this kind of verification

  • New tests should be written for each new storage medium used

  • Tests should also try to break things

  • See tests already written for samples


Storage medium

Storage Medium

  • Only file system storage is available

  • RDBMS is coming soon

  • File System has the advantage of Security Manager control

    • Can prevent unauthorized code from updating wallet store

  • RDBMS can be controlled through SQLPermission class


Other security problems

Other Security Problems

  • SQL Injection

  • Cross Site Scripting

  • Session Hi-jacking


Sql injection

SQL Injection

  • You have this:String SQL = “SELECT * FROM myTable WHERE blah=“ + formField;

  • I do this:

    • Find form where “formField” comes from

    • Read Oracle/DB2/MSSQL manual to find escape sequences

    • Post form with escape sequences to run “rm -rf /*.*” on SQL server in the “formField”

  • Use PreparedStatements to avoid this


Cross site scripting

Cross Site Scripting

  • You have a Forum or WebMail setup

  • You allow people to write HTML (because you are lazy)

    • Or, you try to escape all “<“ “>” sequences

  • I figure out what you are filtering

  • I use Unicode escapes to write “<script>” in a Unicode set your scanner does not grok

  • I send my code to everyone on the forum and hack their computers


Session hijacking

Session Hijacking

  • You use an application server that picks bad session IDs

  • The application server puts these IDs in cookies

  • I connect randomly until I find a valid session ID

  • I own the session now, no SSL decryption required (yeah!)


Getting more information

Getting More Information

  • These, and many other security problems, are available on:http://www.owasp.org/

  • There is a scanner in the works for most of these holes (which I’m working on) called WebScarab at http://www.owasp.org/webscarab/


Conclusion

Conclusion

  • Hopefully this helped

  • If you are still stuck, visit the UBC-PE site at http://ubcpe.sourceforge.net/ for more documentation

  • I’m always available at [email protected] and will help

  • Thanks for coming!


Questions

Questions?


  • Login