Securing and Sharing Files Over The Internet
(Content Server Security)
By Amihay Schwarz
Instructor: Viktor Kulikov
Software System Laboratory, Department of Electrical Engineering
Technion - Israel Institute of Technology
Motivation
The fast rate of growth in information compels us to find ways to store and share our files, sometimes sensitive files, with others.
The most convenient way to share files today is over the Internet. But the Internet conceals many security holes, and one's sensitive information may reach unwanted hands.
The solutions in the project
• One can store his files on a content server.
• One can access his files from anywhere and at any time.
• One can grant permission to others to fetch his files.
• Only permitted persons can fetch one's files.
• The storing and sharing process is secured.
This project also takes the commercial aspect into account and provides solutions suitable for commercial use.
Security
There are a number of overarching principles that apply in the implementation. The following summarizes these principles:
• Adopt the principle of least privilege.
• Use defense in depth.
• Don't trust user input.
• Use secure defaults.
• Don't rely on security by obscurity.
• Check at the gate.
• Assume external systems are insecure.
• Reduce surface area.
• Fail to a secure mode.
• Remember you are only as secure as your weakest link.
• If you don't use it, disable it.
Security
The solution is making use of four key security concepts:
• Authentication. Positively identifying the clients of the application.
• Authorization. Defining what authenticated clients are allowed to see and do.
• Secure Communications. Ensuring that messages remain private and unaltered as they cross networks.
• Gate keepers. Ensuring that the network entities can be accessed only from allowed network elements.
[Figure: the three-layer model. Each layer sits behind its own gatekeeper: Gatekeeper 1 between the Global Internet and the Proxies layer (Web Server, Cell Server); Gatekeeper 2 between the Proxies layer and the Application layer (Application Server); Gatekeeper 3 between the Application layer and the DB layer (Data-Base Server).]
Project High Level Design
The project is divided into 4 entities:
• Web application, which receives requests from the client and forwards them to the "Brain".
• Application Server, which serves as the "Brain" of the solution.
• Mail application, which is responsible for sending mails.
• Data Base.
Interfaces
The 4 entities communicate using the following interfaces:
• FileManageIfc – store file, get files, send file…
• UserProvisioningIfc – Register, login, password recovery…
• ServiceCredentialIfc – serializable class that holds the credentials of the service that performs the request.
• MailingIfc – send mail.
Interface classes (from the class diagram):

MailingIfc : MarshalByRefObject
  Methods: SendMail() : bool

ServiceCredentialsIfc (serializable class)
  Fields: m_id : string, m_password : string, m_url : string
  Properties: ID : string, Password : string, URL : string
  Methods: ServiceCredentialsIfc()

UserProvisioningIfc : MarshalByRefObject
  Methods: DoesUserRegister() : bool, LogIn() : bool, PasswordRecovery() : bool, Register() : bool

FilesManageIfc : MarshalByRefObject
  Methods: DeleteFile() : Result, GetFile() : Result, GetFileByToken() : Result, GetUsersFiles() : Result, SendFile() : Result, StoreFile() : Result
  Nested type ResultEnum: OK, FileNotFound, UserNotFound, UnKnownFailure, Forbidden, Expire

FileDetails : MarshalByRefObject
  Fields: length : long, name : string, uploadedDate : DateTime
  Properties: Length : long, Name : string, UploadDate : DateTime
  Methods: FileDetails()

MarshalByRefObject (abstract base class supplied by the .NET framework)
  Methods: CreateObjRef() : ObjRef, GetLifetimeService() : object, InitializeLifetimeService() : object, MarshalByRefObject(), MemberwiseClone() : MarshalByRefObject
Technologies in use
• Microsoft .Net
• .Net Remoting
• .Net Web application
• .Net Windows application
• SQL-Server 2005
• Active Directory
.Net Remoting
• How does it work?
.NET Remoting gives us an abstraction for RMI (remote method invocation). First we define the remote object we want to invoke; then we register this object with the Remoting infrastructure through the Remoting APIs, and the .NET infrastructure does the rest (proxy generation, marshalling and transport).
• Transport channels
There are several transport channels:
• HttpChannel. This channel is designed to be used when you host a remote object in ASP.NET. It uses the HTTP protocol to send messages between the client and the server.
• TcpChannel. This channel is designed to be used when you host a remote object in a Microsoft Windows service or other executable. It uses raw TCP sockets to send messages between the client and the server.
• Custom channels. A custom transport channel can use any underlying transport protocol to send messages between the client and server; for example, a custom channel may use named pipes or mail slots.
I decided to use the TcpChannel because it is the most reliable and it can easily be secured.
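The registration described above, written out as an added example (this is not the project's own code). It shows the two halves of the Remoting setup: the application server exposing a FilesManageIfc implementation as a well-known singleton on a TcpChannel with the channel's built-in security turned on (SSPI authentication of the peer plus per-message encryption and signing, available since .NET Framework 2.0), and the web front end obtaining a transparent proxy from nothing but the shared contract assembly. Port 8987 comes from the application-server gatekeeper table on this page; the host name, the object URI "FilesManage.rem" and the stub method body are assumptions.

```csharp
using System;
using System.Collections;
using System.Runtime.Remoting;
using System.Runtime.Remoting.Channels;
using System.Runtime.Remoting.Channels.Tcp;

// Shared contract assembly: deployed to both layers, contains no implementation.
// Deriving from MarshalByRefObject makes every call execute on the server.
public abstract class FilesManageIfc : MarshalByRefObject
{
    public enum ResultEnum { OK, FileNotFound, UserNotFound, UnKnownFailure, Forbidden, Expire }
    public abstract ResultEnum GetUsersFiles(ServiceCredentialsIfc cr, string user);
}

// Passed by value in every call, so it must be serializable.
[Serializable]
public class ServiceCredentialsIfc
{
    public string ID;
    public string Password;
    public string URL;
}

// Back-end assembly only: the implementation never leaves the application layer.
public class FilesManageIfcIml : FilesManageIfc
{
    public override ResultEnum GetUsersFiles(ServiceCredentialsIfc cr, string user)
    {
        // Stub (assumption): the real server runs ServiceCredentialsManager.CheckCredentials(cr)
        // here before touching any data; this only marks where that check belongs.
        return (cr != null && cr.ID == "webfe") ? ResultEnum.OK : ResultEnum.Forbidden;
    }

    // A null lease keeps this singleton alive for the lifetime of the process.
    public override object InitializeLifetimeService() { return null; }
}

public static class RemotingSetup
{
    const int Port = 8987;  // the only port the application-server gatekeeper admits

    // Run once in the application server process.
    public static void StartServer()
    {
        IDictionary props = new Hashtable();
        props["port"] = Port;
        props["secure"] = true;                          // Windows (SSPI) authentication of the peer
        props["protectionLevel"] = "EncryptAndSign";     // confidentiality and integrity per message
        TcpChannel channel = new TcpChannel(props, null, null);
        ChannelServices.RegisterChannel(channel, true);  // ensureSecurity: refuse an insecure channel
        RemotingConfiguration.RegisterWellKnownServiceType(
            typeof(FilesManageIfcIml), "FilesManage.rem", WellKnownObjectMode.Singleton);
    }

    // Run once in the web front end process (a separate process, so the channel
    // name "tcp" is not registered twice).
    public static FilesManageIfc Connect(string appServerHost)
    {
        IDictionary props = new Hashtable();
        props["secure"] = true;
        props["protectionLevel"] = "EncryptAndSign";
        props["tokenImpersonationLevel"] = "Identification";  // identify us; do not let the server act as us
        ChannelServices.RegisterChannel(new TcpChannel(props, null, null), true);
        string url = "tcp://" + appServerHost + ":" + Port + "/FilesManage.rem";
        // Returns a transparent proxy; no implementation code is needed on this side.
        return (FilesManageIfc)Activator.GetObject(typeof(FilesManageIfc), url);
    }
}
```

With "secure" set on both ends and `ensureSecurity` passed to `RegisterChannel`, a client that registers a plain TcpChannel is refused, which is what turns the "can easily be secured" of the slide into a property the server enforces rather than one the caller opts into.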
Code securely
– The remote object binaries are located both in the Proxies and in the Application layer.
• In the front ends only the interface declaration binaries are deployed; therefore, even if someone breaks into the front end, he will not obtain the implementation.
• Only in the back ends do the remote object binaries contain the implementation.
Security
• A lot of effort was invested in this project in order to make it secure.
• One of the project goals was to adopt Microsoft's security technology and to work according to its guidelines.
As stated before the solution is making use of four key security concepts:
• Gate keepers. Ensuring that the network entities can be accessed only from allowed network elements.
• Secure Communications. Ensuring that messages remain private and unaltered as they cross networks
• Authentication. Positively identifying the clients of the application.
• Authorization. Defining what authenticated clients are allowed to see and do within the application.
Security - Content Web Site
1. Gate-keeper: only HTTPS transport
           In                  Out
  IP       All                 None
  Port     HTTPS (TCP 443)     None
2. Secure Communications
  TLS transport
  Server certificates
Security - Content Web Site cont`
3. Authentication
ASP.NET authentication modes include Windows, Forms, Passport and None.
• The solution uses Forms authentication as its authentication mode for the following reasons:
  • Using Windows or Passport authentication would force us to provision the user in the AD or in Microsoft Passport respectively. We want the user to be provisioned through the provided service itself.
  • The authentication itself is done against the user's records in the Content Server.
  • The authentication is a plain user-name/password check (comparing the user name and password against the DB).
  • Because we are using TLS, all data sent to the server is encrypted, so sending the credentials in this form is acceptable.
• The user's password is not stored explicitly in the DB. Instead, an MD5 hash of the password is stored there.
• The FE sends the hashed password to the content server, so the plaintext password never reaches the server or the DB, and someone who breaks into the DB does not obtain the users' plaintext passwords. Note, however, that this makes the stored hash itself the credential the server accepts: whoever reads the Users table and can reach the application server can log in by presenting the hash without cracking it, so the hash protects the user's plaintext (and its reuse on other sites), not this service. Unsalted MD5 is also fast to brute-force offline; a per-user salt and a slow hash (PBKDF2 or bcrypt) computed on the server side would be the stronger choice.
• If the user is not active for 5 minutes, his session expires and he is redirected to the login page.
Security - Content Web Site cont`
4. Authorization
• The user is authorized to use the main page for manipulating his files only after he has authenticated.
• In each transaction triggered by the user, the web site takes the encrypted user id from his session cookie and decrypts it; this way we can be sure that the user's real identity is used, rather than a value supplied in the request.
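The login flow of the two sections above (credential check, then an encrypted user id in the session cookie with a 5-minute idle timeout), as an added example that is not the project's code. It keeps the page's unsalted MD5 helper only for comparison and instead verifies on the server with a per-user salt and PBKDF2 (a swapped-in technique, not what the project does), and it uses ASP.NET's FormsAuthentication ticket as the encrypted, MAC-protected cookie. The iteration count, the storage format, the cookie flags and all method names are assumptions.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;
using System.Web;
using System.Web.Security;

public static class LoginSecurity
{
    // What the page stores today: unsalted MD5 hex of the password (Helper.getMd5Hash).
    // Kept only for comparison; it is fast to brute-force and identical for equal passwords.
    public static string Md5Hex(string password)
    {
        using (MD5 md5 = MD5.Create())
        {
            StringBuilder sb = new StringBuilder();
            foreach (byte b in md5.ComputeHash(Encoding.UTF8.GetBytes(password))) sb.Append(b.ToString("x2"));
            return sb.ToString();
        }
    }

    // Swapped-in scheme (assumption, not the project's): random per-user salt + PBKDF2,
    // computed on the server from the plaintext that arrived inside the TLS session.
    // A stolen Users table then yields neither the passwords nor a reusable credential.
    const int Iterations = 100000, SaltBytes = 16, KeyBytes = 32;

    public static string HashForStorage(string password)
    {
        byte[] salt = new byte[SaltBytes];
        new RNGCryptoServiceProvider().GetBytes(salt);
        byte[] key = new Rfc2898DeriveBytes(password, salt, Iterations).GetBytes(KeyBytes);
        return Iterations + "$" + Convert.ToBase64String(salt) + "$" + Convert.ToBase64String(key);
    }

    public static bool VerifyPassword(string password, string stored)
    {
        string[] parts = stored.Split('$');
        if (parts.Length != 3) return false;
        byte[] salt = Convert.FromBase64String(parts[1]);
        byte[] expected = Convert.FromBase64String(parts[2]);
        byte[] actual = new Rfc2898DeriveBytes(password, salt, int.Parse(parts[0])).GetBytes(expected.Length);
        int diff = 0;                                   // compare every byte: no early exit
        for (int i = 0; i < expected.Length; i++) diff |= expected[i] ^ actual[i];
        return diff == 0;
    }

    const int IdleMinutes = 5;   // the page's inactivity timeout

    // After a successful LogIn(): the user id travels only inside an encrypted and
    // MAC-protected FormsAuthentication ticket; the browser can neither read nor forge it.
    public static HttpCookie IssueTicket(string userName)
    {
        FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(
            1, userName, DateTime.Now, DateTime.Now.AddMinutes(IdleMinutes), false, "");
        HttpCookie cookie = new HttpCookie(FormsAuthentication.FormsCookieName, FormsAuthentication.Encrypt(ticket));
        cookie.HttpOnly = true;   // not exposed to page script
        cookie.Secure = true;     // sent only over HTTPS, which is all the gatekeeper allows anyway
        return cookie;
    }

    // On every request to main.aspx: decrypt the ticket, reject an expired or forged one,
    // and slide the expiry ("server updates timestamp for cookie expiry").
    // Returns the user name to use for file operations, or null to redirect to login.aspx.
    public static string ValidateAndRenew(HttpRequest request, HttpResponse response)
    {
        HttpCookie cookie = request.Cookies[FormsAuthentication.FormsCookieName];
        if (cookie == null) return null;
        FormsAuthenticationTicket ticket;
        try { ticket = FormsAuthentication.Decrypt(cookie.Value); }
        catch (Exception) { return null; }   // wrong MAC, wrong key, garbage: not a ticket we issued
        if (ticket == null || ticket.Expired) return null;
        response.Cookies.Add(IssueTicket(ticket.Name));
        return ticket.Name;
    }
}
```

Every later operation (StoreFile, GetFile, DeleteFile, SendFile) should take its owner from the return value of `ValidateAndRenew`, never from a form field, which is the point the "decrypt the user id from the cookie" bullet makes.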
Security - Application server
1. Gate-keeper: only allowed services
           In                  Out
  IP       Front ends list     Mail Server IP
  Port     TCP 8987            8987
2. Secure Communications
The solution uses the .NET Remoting security (the TcpChannel's built-in authentication and message encryption).
Security - Application server
3. Authentication
• At this stage we authenticate the service that performs the action. The client (user) was authenticated in the login phase.
• Each remote method that the Application Server exposes receives a ServiceCredentialsIfc argument, in which the calling service puts its service-id and password.
• The Application Server authenticates the service by checking the service-id and password against the Data Base records.
4. Authorization
• Service authorization
  – Once the service is authenticated, it is authorized to perform actions on the remote interface.
• User authorization
  – The user is only authorized to perform actions on his own files. Authorization to get others' files is checked against invitations from those others.
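The two checks described above, service authentication on every call and per-user authorization on the file, as an added example (not the project's code). It follows the names on this page (ServiceCredentialsIfc, CheckCredentials, the ResultEnum values) but replaces the DB access classes with in-memory lists, omits the MarshalByRefObject base so it compiles without the Remoting setup, and stores service passwords in clear for brevity; the sample users and service secret are constructed.

```csharp
using System;
using System.Collections.Generic;

public enum ResultEnum { OK, FileNotFound, UserNotFound, UnKnownFailure, Forbidden, Expire }

[Serializable]
public class ServiceCredentialsIfc { public string ID; public string Password; public string URL; }

// One row of the Files table: Email (owner), FileName, FileContent, FileDate.
public class FileRecord { public string Owner; public string Name; public byte[] Content; public DateTime Uploaded; }

// In the project this class derives from FilesManageIfc : MarshalByRefObject.
public class FilesManageIfcIml
{
    // Stand-ins for the ServiceCredentials and Files tables (constructed sample data).
    readonly Dictionary<string, string> servicePass =
        new Dictionary<string, string> { { "webfe", "fe-service-secret" } };
    readonly List<FileRecord> files = new List<FileRecord>();

    // (1) Service authentication, repeated on every call: the application server does not
    // trust a caller on port 8987 merely because the gatekeeper let the packet through.
    bool CheckCredentials(ServiceCredentialsIfc cr)
    {
        string expected;
        if (cr == null || cr.ID == null || !servicePass.TryGetValue(cr.ID, out expected)) return false;
        return FixedTimeEquals(expected, cr.Password ?? "");
    }

    static bool FixedTimeEquals(string a, string b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }

    // (2) User authorization: a file is addressed by (owner, name), where owner is the user
    // the web server decrypted from the session cookie, never a client-supplied field.
    // A file that exists but belongs to someone else is therefore simply "not found".
    FileRecord Find(string owner, string name)
    {
        return files.Find(f => f.Owner == owner && f.Name == name);
    }

    public ResultEnum StoreFile(ServiceCredentialsIfc cr, string user, string name, byte[] content)
    {
        if (!CheckCredentials(cr)) return ResultEnum.Forbidden;
        if (Find(user, name) != null) return ResultEnum.UnKnownFailure;   // duplicate name for this user
        files.Add(new FileRecord { Owner = user, Name = name, Content = content, Uploaded = DateTime.UtcNow });
        return ResultEnum.OK;
    }

    public ResultEnum GetFile(ServiceCredentialsIfc cr, string user, string name, out byte[] content)
    {
        content = null;
        if (!CheckCredentials(cr)) return ResultEnum.Forbidden;
        FileRecord f = Find(user, name);
        if (f == null) return ResultEnum.FileNotFound;
        content = f.Content;
        return ResultEnum.OK;
    }

    public ResultEnum DeleteFile(ServiceCredentialsIfc cr, string user, string name)
    {
        if (!CheckCredentials(cr)) return ResultEnum.Forbidden;
        FileRecord f = Find(user, name);
        if (f == null) return ResultEnum.FileNotFound;
        files.Remove(f);
        return ResultEnum.OK;
    }

    public static void Main()
    {
        FilesManageIfcIml server = new FilesManageIfcIml();
        ServiceCredentialsIfc fe = new ServiceCredentialsIfc { ID = "webfe", Password = "fe-service-secret" };
        ServiceCredentialsIfc rogue = new ServiceCredentialsIfc { ID = "webfe", Password = "guess" };
        byte[] data;
        Console.WriteLine(server.StoreFile(fe, "alice@example.com", "cv.pdf", new byte[] { 1, 2, 3 }));
        Console.WriteLine(server.GetFile(rogue, "alice@example.com", "cv.pdf", out data));  // wrong service password
        Console.WriteLine(server.GetFile(fe, "bob@example.com", "cv.pdf", out data));       // bob asking for alice's file
        Console.WriteLine(server.GetFile(fe, "alice@example.com", "cv.pdf", out data));     // the owner
    }
}
```

Running the `Main` shows the ordering that matters: the rogue service is refused with Forbidden before any file logic runs, bob's request for alice's file yields FileNotFound (the owner is part of the key, so there is no separate "is this his file" branch to forget), and only alice's own request returns OK.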
Security – Data Base
1. Gate keeper
           In                   Out
  IP       Application server   none
  Port     TCP 1433             none
2. Secure Communications
• Not needed, because the DB traffic stays on the internal network between the application server and the DB server, and the gatekeeper admits no other source.
Security – Data Base cont`
3. Authentication
• A DB login will be added for the Windows account that runs the application server, so the authentication is done by Windows integrated authentication against Active Directory (no password in the connection string).
4. Authorization
• This login will only be authorized to perform the application's logic actions on the schema.
Application Server Class Diagram
FilesManageIfcIml : FilesManageIfc
  Fields: m_downloads_DA, m_files_DA, m_UserProvisioningIfcImp
  Methods: DeleteFile, FilesManageIfcIml, GetFile, GetFileByToken, GetUsersFiles, SendFile, StoreFile

Helper (class)
  Fields: instance, m_connectionString
  Properties: ConnectionString, Instance
  Methods: getMd5Hash, GetPassword, GetToken, Helper, RandomNumber, RandomString

Program (class)
  Methods: InitClientInterfaces, InitServerInterfaces, Main

ServiceCredentialsManager (class)
  Fields: instance, m_servce_cr
  Properties: Instance
  Methods: CheckCredentials, ServiceCredentialsManager

UserProvisioningIfcImp : UserProvisioningIfc
  Fields: m_users_DA
  Methods: DoesUserRegister, LogIn, PasswordRecovery, Register, UserProvisioningIfcImp

UserProvisioningIfc : MarshalByRefObject
FilesManageIfc : MarshalByRefObject
MarshalByRefObject (abstract class)
DB Tables Relations
Users: UserName, Password
Files: Email, FileName, FileContent, FileDate, FileSize
ServiceCredentials: ServiceID, ServicePass
Downloads: owner, downloader, Token, Expiry, FileName
Use Case Diagrams
1. Client connection negotiation
Participants: client, Web server (IIS).
  1. The client tries to access port 80 (plain HTTP GET).
  2. The gatekeeper admits only TCP 443, so the client receives ICMP destination unreachable.
  3. The client retries with HTTPS GET.
  4. The client and IIS perform the SSL negotiation, after which the request is served.
Diagram of the SSL negotiation taken from http://conferences.codegear.com/article/images/32136/1348c.jpg
2. Client accessing web server
  1. Start: the client accesses the login.aspx page; the server replies with the login form.
  2. The client fills in the login form and submits it.
  3. Client credentials OK? No: the login form is shown again. Yes: the server creates an HttpCookie, stores it in the client session and redirects to main.aspx.
  4. The client accesses the main.aspx page.
  5. ASP.NET checks whether the client has an authenticated cookie in his session. No: the server redirects to login.aspx.
  6. Yes: was the session accessed in the last 5 minutes? No: the server redirects to login.aspx. Yes: the server updates the timestamp for the cookie expiry and sends the main page.
  7. The client continues to work.
3. New Client Registration
Participants: Client, Browser (Global Internet), Web Server (Proxies layer), Application Server (Applications layer), DB (DB layer), Mail Server.
  1. The client fills in the registration form and clicks submit.
  2. The browser validates the fields: on a validation error an error message is shown; when validation is OK the form is POSTed to the web server.
  3. The web server calls UserProvisioningIfc::Register() on the application server.
  4. The application server calls CheckCredentials() (service credentials checked against the DB).
  5. Does the user exist? True: error. False: generate a password and insert the user into the DB.
  6. The application server calls MailingIfc::SendMail(); the mail server sends the mail with the password to the client.
  7. The web server shows a welcome message and redirects to the login page.
4. Uploading files
Participants: Client, Browser (Global Internet), Web Server (Proxies layer), Application Server (Applications layer), DB (DB layer).
  1. The client selects a file to upload and clicks submit; the browser POSTs the form.
  2. The web server gets the encrypted user name from the session cookie and decrypts it.
  3. The web server calls FilesManageIfc::StoreFile() on the application server.
  4. The application server calls CheckCredentials() (service credentials checked against the DB).
  5. The application server inserts (stores) the file into the DB.
5. Deleting files
Participants: Client, Browser (Global Internet), Web Server (Proxies layer), Application Server (Applications layer), DB (DB layer).
  1. The client selects a file to delete and clicks submit; the browser POSTs the form.
  2. The web server gets the encrypted user name from the session cookie and decrypts it.
  3. The web server calls FilesManageIfc::DeleteFile() on the application server.
  4. The application server calls CheckCredentials() (service credentials checked against the DB).
  5. Does the file exist (for this user)? If so, the application server deletes it from the DB.
6. Downloading a file
Participants: Client, Browser (Global Internet), Web Server (Proxies layer), Application Server (Applications layer), DB (DB layer).
  1. The client selects a file to download and clicks submit; the browser POSTs the form.
  2. The web server gets the encrypted user name from the session cookie and decrypts it.
  3. The web server calls FilesManageIfc::GetFile() on the application server.
  4. The application server calls CheckCredentials() (service credentials checked against the DB).
  5. Does the file exist? If so, the application server selects it from the DB and returns the file to the web server.
  6. The web server pushes the file back to the browser in the response.
7. Send file download invitation
Participants: Client, Browser (Global Internet), Web Server (Proxies layer), Application Server (Applications layer), DB (DB layer), Mail Server, Recipient.
  1. The client selects a file to send and clicks submit; the browser POSTs the form.
  2. The web server gets the encrypted user name from the session cookie and decrypts it.
  3. The web server calls FilesManageIfc::SendFile() on the application server.
  4. The application server calls CheckCredentials() (service credentials checked against the DB).
  5. Does the file exist? Is the recipient registered?
  6. The application server generates a download key (token), sets the download expiration time and inserts the invitation into the DB.
  7. The application server prepares the mail and calls MailingIfc::SendMail(); the mail server sends the mail to the recipient.
8. Download a file from a friend
Participants: Client, Browser (Global Internet), Web Server (Proxies layer), Application Server (Applications layer), DB (DB layer).
  1. The client fills in all fields (including the token from the invitation mail) and clicks submit; the browser POSTs the form.
  2. The web server gets the encrypted user name from the session cookie and decrypts it.
  3. The web server calls FilesManageIfc::GetFileByToken() on the application server.
  4. The application server calls CheckCredentials() (service credentials checked against the DB).
  5. Is it before the expiration date? False: an error is returned and the web server shows an error message. True: the application server selects the file from the DB and returns it.
  6. The web server pushes the file back to the browser in the response.
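Use cases 7 and 8 together form the invitation lifecycle: a token is generated and stored with an expiry (use case 7), then redeemed by the invited user before that expiry (use case 8). The following is an added example of that lifecycle, not the project's code, and it assumes the service-credential check of the previous examples has already been done by the caller. It uses the columns of the Downloads table shown on this page; the 24-hour lifetime, the token length and encoding, the in-memory stores, the `fetchFile` delegate standing in for the Files table, and the sample users are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;

public enum ResultEnum { OK, FileNotFound, UserNotFound, UnKnownFailure, Forbidden, Expire }

// One row of the Downloads table: owner, downloader, Token, Expiry, FileName.
public class Download
{
    public string Owner; public string Downloader; public string Token;
    public DateTime Expiry; public string FileName;
}

public class InvitationManager
{
    // Assumption: the page sets an expiration time but does not say how long it is.
    static readonly TimeSpan Lifetime = TimeSpan.FromHours(24);

    readonly HashSet<string> registeredUsers;                    // stand-in for the Users table
    readonly List<Download> downloads = new List<Download>();    // stand-in for the Downloads table
    readonly Func<string, string, byte[]> fetchFile;             // (owner, fileName) -> content, or null

    public InvitationManager(IEnumerable<string> users, Func<string, string, byte[]> fetch)
    {
        registeredUsers = new HashSet<string>(users);
        fetchFile = fetch;
    }

    // 256 bits from the OS CSPRNG, encoded URL-safe so it survives being pasted from a mail.
    // System.Random is predictable from a few observed tokens and must not be used here.
    static string NewToken()
    {
        byte[] raw = new byte[32];
        new RNGCryptoServiceProvider().GetBytes(raw);
        return Convert.ToBase64String(raw).TrimEnd('=').Replace('+', '-').Replace('/', '_');
    }

    // Use case 7: the owner (taken from the decrypted session cookie) invites a registered
    // recipient to fetch one of the owner's files. The caller mails the token to the recipient.
    public ResultEnum SendFile(string owner, string recipient, string fileName, out string token)
    {
        token = null;
        if (fetchFile(owner, fileName) == null) return ResultEnum.FileNotFound;  // also covers "not his file"
        if (!registeredUsers.Contains(recipient)) return ResultEnum.UserNotFound;
        token = NewToken();
        downloads.Add(new Download { Owner = owner, Downloader = recipient, Token = token,
                                     Expiry = DateTime.UtcNow + Lifetime, FileName = fileName });
        return ResultEnum.OK;
    }

    // Use case 8: the recipient, logged in under his own account, redeems the token.
    public ResultEnum GetFileByToken(string downloader, string token, out byte[] content)
    {
        content = null;
        if (string.IsNullOrEmpty(token)) return ResultEnum.Forbidden;
        Download d = downloads.Find(x => x.Token == token);
        // The row binds the token to the invited user, so a forwarded or intercepted mail
        // is not enough on its own: the caller must also be logged in as that user.
        if (d == null || d.Downloader != downloader) return ResultEnum.Forbidden;
        if (DateTime.UtcNow > d.Expiry)
        {
            downloads.Remove(d);          // an expired row can never be redeemed; drop it
            return ResultEnum.Expire;
        }
        content = fetchFile(d.Owner, d.FileName);
        if (content == null) return ResultEnum.FileNotFound;  // the owner deleted it after inviting
        return ResultEnum.OK;
    }

    public static void Main()
    {
        // Constructed sample data: three registered users, one file owned by alice.
        Dictionary<string, byte[]> aliceFiles = new Dictionary<string, byte[]>
            { { "report.pdf", new byte[] { 0x25, 0x50, 0x44, 0x46 } } };
        InvitationManager m = new InvitationManager(
            new[] { "alice@example.com", "bob@example.com", "carol@example.com" },
            (owner, name) => owner == "alice@example.com" && aliceFiles.ContainsKey(name) ? aliceFiles[name] : null);

        string token; byte[] data;
        Console.WriteLine(m.SendFile("alice@example.com", "bob@example.com", "report.pdf", out token));
        Console.WriteLine(m.GetFileByToken("carol@example.com", token, out data));  // a different logged-in user with bob's token
        Console.WriteLine(m.GetFileByToken("bob@example.com", token, out data));    // the invited user
    }
}
```

The `Main` returns OK for the invitation, Forbidden for carol (right token, wrong account) and OK for bob. Two design points carry over to the project's own GetToken helper: the token must come from a cryptographic generator, and the expiry check must compare against the server clock in UTC so that a clock-zone difference between web and application server cannot extend an invitation.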
Thank you.