Using cryptowallet
Download
1 / 31

Using CryptoWallet - PowerPoint PPT Presentation


  • 52 Views
  • Uploaded on

Using CryptoWallet. By Zed A. Shaw. Overview. Learning Objectives What is CryptoWallet How Is It Designed. Learning Objectives. Knowledge of CryptoWallet’s Design Understanding of how to use CryptoWallet How to apply CryptoWallet to different problems

loader
I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
capcha
Download Presentation

PowerPoint Slideshow about ' Using CryptoWallet' - ranger


An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
Using cryptowallet

Using CryptoWallet

By Zed A. Shaw


Overview
Overview

  • Learning Objectives

  • What is CryptoWallet

  • How Is It Designed


Learning objectives
Learning Objectives

  • Knowledge of CryptoWallet’s Design

  • Understanding of how to use CryptoWallet

  • How to apply CryptoWallet to different problems

  • Introduction to additional security problems with web applications


What is cryptowallet
What Is CryptoWallet?

  • An abstract secure object storage layer

  • Uses Password Based Encryption (PBE)

  • Stores Serializable objects to storage

  • Storage can be to disk or to RDBMS (soon).

  • Very simple API


How is it designed
How Is It Designed

  • Two main classes to deal with

    • WalletManager: Responsible for retrieving wallets from storage and saving wallets to storage.

    • Wallet: A stripped down Map interface that stores its contents encrypted.

  • Designed to be as simple as possible

  • Not specific to uPortal


First steps
First Steps

  • Acquiring Software

  • Installing Pre-Reqs

  • Compiling Source

  • Configuring Test Bed

  • Running Unit Tests


Acquiring the software
Acquiring The Software

  • Frequent releases available from the UBC Portal Enhancements site at:http://ubcpe.sourceforge.net/

  • Extensive documentation will be available also


Installing pre reqs
Installing Pre-Reqs

  • Install Jakarta Ant 1.4 AND Optionals

  • Get the release build from the UBC-PE site

  • Unzip the archive to a directory

  • Enter the directory to work with CryptoWallet

  • Make sure you add all ./lib/*.jar and the build directory to CLASSPATH


Compiling the source
Compiling The Source

  • Sometimes, Ant is stupid

    • Use provided ant.sh script to run Ant

  • Run “ant” to get it to build

    • If there are errors check for the jar files

  • If you use MacOSX, make sure Stuffit didn’t truncate file extensions (.class becomes .cla)


Configuring test bed
Configuring Test Bed

  • Extensive unit test through JUnit

  • Edit Logger.properties AND cryptowallet.properties

  • Make sure they are in your CLASSPATH!!!!

    • CryptoWallet loads the configuration out of the CLASSPATH

  • If you have problems, look at the log in logs


Running unit tests
Running Unit Tests

  • Really easy, just type “ant test”

  • Results are written in XML and HTML format to testresults directory

    • Open testresults/index.html in a browser

  • ALL tests should run

    • If any do not, then check Logger.properties and cryptowallet.properties


Using it
Using It

  • Installation

  • Verification


Installation
Installation

  • Package the classes into a jar

    • Probably want to remove everything but the ca.ubc.itservices.portal.cryptowallet.* package

  • Place jar file, Logger.properties, cryptowallet.properties into CLASSPATH

  • Edit as appropriate for new location


Verification
Verification

  • There are three things to verify it works:

    • Add JUnit tests to CLASSPATH temporarily and re-run (ant test)

    • Add WalletBrowser.class to CLASSPATH and interactively test it

    • Open wallet store directory and make sure files are there, and they are encrypted


Writing code
Writing Code

  • Accessing Wallets

  • Using Wallets

  • Saving Wallets


Accessing wallets
Accessing Wallets

// init the wallet manager, hopefully only once

WalletManager.init();

// get the wallet we want

Wallet mywallet = WalletManager.getWallet(uid.getBytes(), pw.getBytes);


Using wallets
Using Wallets

// we should already have the wallet

// get the “thing” we want

Object thing = mywallet.get(“thekey”);

// store foo into wallet

String foo = new String();

mywallet.put(“fookey”, foo);


Saving wallets
Saving Wallets

// very simple, just put wallet

WalletManager.put(uid.getBytes(), pw.getBytes(), mywallet);


Additional code samples
Additional Code Samples

  • JUnit Tests in source/under ca/ubc/itservices/portal/cryptowallet/tests/

  • WalletBrowser.java in source

  • JabberChannel which is coming soon


Security concerns
Security Concerns

  • Coding Safety

  • Controlling Access

  • Testing & Verification

  • Storage Medium


Coding safety
Coding Safety

  • There are a few additional security problems

  • Controlling Access

  • Testing & Verification

  • Storage Media

  • Other Web Application Security Problems


Controlling access
Controlling Access

  • You can use the Security Manager to prevent access

  • It involves a complicated configuration

  • Many different files with things in many different locations

  • Very difficult to setup

  • I’ll post a document to the UBC-PE site about this


Testing verification
Testing & Verification

  • Unit tests work well for this kind of verification

  • New tests should be written for each new storage medium used

  • Tests should also try to break things

  • See tests already written for samples


Storage medium
Storage Medium

  • Only file system storage is available

  • RDBMS is coming soon

  • File System has the advantage of Security Manager control

    • Can prevent unauthorized code from updating wallet store

  • RDBMS can be controlled through SQLPermission class


Other security problems
Other Security Problems

  • SQL Injection

  • Cross Site Scripting

  • Session Hi-jacking


Sql injection
SQL Injection

  • You have this:String SQL = “SELECT * FROM myTable WHERE blah=“ + formField;

  • I do this:

    • Find form where “formField” comes from

    • Read Oracle/DB2/MSSQL manual to find escape sequences

    • Post form with escape sequences to run “rm -rf /*.*” on SQL server in the “formField”

  • Use PreparedStatements to avoid this


Cross site scripting
Cross Site Scripting

  • You have a Forum or WebMail setup

  • You allow people to write HTML (because you are lazy)

    • Or, you try to escape all “<“ “>” sequences

  • I figure out what you are filtering

  • I use Unicode escapes to write “<script>” in a Unicode set your scanner does not grok

  • I send my code to everyone on the forum and hack their computers


Session hijacking
Session Hijacking

  • You use an application server that picks bad session IDs

  • The application server puts these IDs in cookies

  • I connect randomly until I find a valid session ID

  • I own the session now, no SSL decryption required (yeah!)


Getting more information
Getting More Information

  • These, and many other security problems, are available on:http://www.owasp.org/

  • There is a scanner in the works for most of these holes (which I’m working on) called WebScarab at http://www.owasp.org/webscarab/


Conclusion
Conclusion

  • Hopefully this helped

  • If you are still stuck, visit the UBC-PE site at http://ubcpe.sourceforge.net/ for more documentation

  • I’m always available at [email protected] and will help

  • Thanks for coming!



ad