using cryptowallet
Skip this Video
Download Presentation
Using CryptoWallet

Loading in 2 Seconds...

play fullscreen
1 / 31

Using CryptoWallet - PowerPoint PPT Presentation

  • Uploaded on

Using CryptoWallet. By Zed A. Shaw. Overview. Learning Objectives What is CryptoWallet How Is It Designed. Learning Objectives. Knowledge of CryptoWallet’s Design Understanding of how to use CryptoWallet How to apply CryptoWallet to different problems

I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
Download Presentation

PowerPoint Slideshow about 'Using CryptoWallet' - ranger

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
using cryptowallet

Using CryptoWallet

By Zed A. Shaw

  • Learning Objectives
  • What is CryptoWallet
  • How Is It Designed
learning objectives
Learning Objectives
  • Knowledge of CryptoWallet’s Design
  • Understanding of how to use CryptoWallet
  • How to apply CryptoWallet to different problems
  • Introduction to additional security problems with web applications
what is cryptowallet
What Is CryptoWallet?
  • An abstract secure object storage layer
  • Uses Password Based Encryption (PBE)
  • Stores Serializable objects to storage
  • Storage can be to disk or to RDBMS (soon).
  • Very simple API
how is it designed
How Is It Designed
  • Two main classes to deal with
    • WalletManager: Responsible for retrieving wallets from storage and saving wallets to storage.
    • Wallet: A stripped down Map interface that stores its contents encrypted.
  • Designed to be as simple as possible
  • Not specific to uPortal
first steps
First Steps
  • Acquiring Software
  • Installing Pre-Reqs
  • Compiling Source
  • Configuring Test Bed
  • Running Unit Tests
acquiring the software
Acquiring The Software
  • Frequent releases available from the UBC Portal Enhancements site at:
  • Extensive documentation will be available also
installing pre reqs
Installing Pre-Reqs
  • Install Jakarta Ant 1.4 AND Optionals
  • Get the release build from the UBC-PE site
  • Unzip the archive to a directory
  • Enter the directory to work with CryptoWallet
  • Make sure you add all ./lib/*.jar and the build directory to CLASSPATH
compiling the source
Compiling The Source
  • Sometimes, Ant is stupid
    • Use provided script to run Ant
  • Run “ant” to get it to build
    • If there are errors check for the jar files
  • If you use MacOSX, make sure Stuffit didn’t truncate file extensions (.class becomes .cla)
configuring test bed
Configuring Test Bed
  • Extensive unit test through JUnit
  • Edit AND
  • Make sure they are in your CLASSPATH!!!!
    • CryptoWallet loads the configuration out of the CLASSPATH
  • If you have problems, look at the log in logs
running unit tests
Running Unit Tests
  • Really easy, just type “ant test”
  • Results are written in XML and HTML format to testresults directory
    • Open testresults/index.html in a browser
  • ALL tests should run
    • If any do not, then check and
using it
Using It
  • Installation
  • Verification
  • Package the classes into a jar
    • Probably want to remove everything but the ca.ubc.itservices.portal.cryptowallet.* package
  • Place jar file,, into CLASSPATH
  • Edit as appropriate for new location
  • There are three things to verify it works:
    • Add JUnit tests to CLASSPATH temporarily and re-run (ant test)
    • Add WalletBrowser.class to CLASSPATH and interactively test it
    • Open wallet store directory and make sure files are there, and they are encrypted
writing code
Writing Code
  • Accessing Wallets
  • Using Wallets
  • Saving Wallets
accessing wallets
Accessing Wallets

// init the wallet manager, hopefully only once


// get the wallet we want

Wallet mywallet = WalletManager.getWallet(uid.getBytes(), pw.getBytes);

using wallets
Using Wallets

// we should already have the wallet

// get the “thing” we want

Object thing = mywallet.get(“thekey”);

// store foo into wallet

String foo = new String();

mywallet.put(“fookey”, foo);

saving wallets
Saving Wallets

// very simple, just put wallet

WalletManager.put(uid.getBytes(), pw.getBytes(), mywallet);

additional code samples
Additional Code Samples
  • JUnit Tests in source/under ca/ubc/itservices/portal/cryptowallet/tests/
  • in source
  • JabberChannel which is coming soon
security concerns
Security Concerns
  • Coding Safety
  • Controlling Access
  • Testing & Verification
  • Storage Medium
coding safety
Coding Safety
  • There are a few additional security problems
  • Controlling Access
  • Testing & Verification
  • Storage Media
  • Other Web Application Security Problems
controlling access
Controlling Access
  • You can use the Security Manager to prevent access
  • It involves a complicated configuration
  • Many different files with things in many different locations
  • Very difficult to setup
  • I’ll post a document to the UBC-PE site about this
testing verification
Testing & Verification
  • Unit tests work well for this kind of verification
  • New tests should be written for each new storage medium used
  • Tests should also try to break things
  • See tests already written for samples
storage medium
Storage Medium
  • Only file system storage is available
  • RDBMS is coming soon
  • File System has the advantage of Security Manager control
    • Can prevent unauthorized code from updating wallet store
  • RDBMS can be controlled through SQLPermission class
other security problems
Other Security Problems
  • SQL Injection
  • Cross Site Scripting
  • Session Hi-jacking
sql injection
SQL Injection
  • You have this:String SQL = “SELECT * FROM myTable WHERE blah=“ + formField;
  • I do this:
    • Find form where “formField” comes from
    • Read Oracle/DB2/MSSQL manual to find escape sequences
    • Post form with escape sequences to run “rm -rf /*.*” on SQL server in the “formField”
  • Use PreparedStatements to avoid this
cross site scripting
Cross Site Scripting
  • You have a Forum or WebMail setup
  • You allow people to write HTML (because you are lazy)
    • Or, you try to escape all “<“ “>” sequences
  • I figure out what you are filtering
  • I use Unicode escapes to write “