ContentServerPresentation - Networked Software Systems


Software System Laboratory
Department of Electrical Engineering
Technion - Israel Institute of Technology
Securing and Sharing Files
Over The Internet
(Content Server Security)
By
Amihay Schwarz
Instructor:
Viktor Kulikov
Motivation
The fast rate of growth in information compels us to find ways to store and share our files, sometimes sensitive files, with others.
The most convenient way today to share files is over the Internet. But the Internet conceals a lot of security holes, and one's sensitive information may reach unwanted hands.
The solutions in the project
• One can store his files on a content server.
• One can access his files from anywhere and at any time.
• One can grant permission to others to fetch his files.
• Only permitted persons can fetch one's files.
• The storing and sharing process is secured.
This project also takes the commercial aspect into account and provides commercial solutions.
Security
There are a number of overarching principles that apply in the implementation. The following summarizes these principles:
• Adopt the principle of least privilege.
• Use defense in depth.
• Don't trust user input.
• Use secure defaults.
• Don't rely on security by obscurity.
• Check at the gate.
• Assume external systems are insecure.
• Reduce surface area.
• Fail to a secure mode.
• Remember you are only as secure as your weakest link.
• If you don't use it, disable it.
Security
The solution makes use of four key security concepts:
• Authentication. Positively identifying the clients of the application.
• Authorization. Defining what authenticated clients are allowed to see and do.
• Secure Communications. Ensuring that messages remain private and unaltered as they cross networks.
• Gate keepers. Ensuring that the network entities can be accessed only from allowed network elements.
The three layers model
[Diagram: the Global Internet reaches the Proxies Layer (Web Server, Cell Server) through Gatekeeper 1; the Proxies Layer reaches the Application Layer (Application Server) through Gatekeeper 2; the Application Layer reaches the DB Layer (Data-Base Server) through Gatekeeper 3.]
Project High Level Design
The project is divided into 4 entities:
• Web application, which receives requests from the client and forwards them to the "Brain".
• Application Server, which serves as the "Brain" of the solution.
• Mail application, which is responsible for sending mails.
• Data Base.
Interfaces
The 4 entities communicate using the following interfaces:
• FileManageIfc – store file, get files, send file…
• UserProvisioningIfc – register, login, password recovery…
• ServiceCredentialIfc – a serializable class that holds the credentials of the service that performs the request.
• MailingIfc – send mail.
Technologies in use
• Microsoft .NET
• .NET Remoting
• .NET Web application
• .NET Windows application
• SQL Server 2005
• Active Directory
.NET Remoting
• How does it work?
.NET Remoting gives us an abstraction for RMI (remote method invocation) that we can use: first we define the remote object we want to invoke, then we register this object with the Remoting infrastructure through the Remoting APIs, and the .NET abstraction does all the work. (.NET Remoting is today a legacy technology: it is not available in .NET Core and Microsoft no longer recommends it for new development.)
• Transport channels
There are several transport channels:
• HttpChannel. This channel is designed to be used when you host a remote object in ASP.NET. It uses the HTTP protocol to send messages between the client and the server.
• TcpChannel. This channel is designed to be used when you host a remote object in a Microsoft Windows operating system service or other executable. It uses TCP sockets to send messages between the client and the server.
• Custom channels. A custom transport channel can use any underlying transport protocol to send messages between the client and server. For example, a custom channel may use named pipes or mail slots.
I decided to use the TcpChannel because it's the most reliable and it can be easily secured.
Code securely
• The remote object binaries are located both in the Proxies layer and in the Application layer.
• In the front ends only the interface declaration binaries are deployed, so even if someone breaks into the front end he will not obtain the implementation.
• Only in the back ends do the remote object binaries contain the implementation.
Security
• A lot of effort was invested in this project in order to make it secure.
• One of the project goals was to adopt Microsoft's security technology and work according to its guidelines.
As stated before, the solution makes use of four key security concepts:
• Gate keepers. Ensuring that the network entities can be accessed only from allowed network elements.
• Secure Communications. Ensuring that messages remain private and unaltered as they cross networks.
• Authentication. Positively identifying the clients of the application.
• Authorization. Defining what authenticated clients are allowed to see and do within the application.
Security - Content Web Site
1. Gate-keeper: only HTTPS transport
        IP     Port
   In   All    HTTPS (TCP 443)
   Out  None   None
2. Secure Communications
   TLS transport
   Server certificates
Security - Content Web Site cont.
3. Authentication
ASP.NET authentication modes include Windows, Forms, Passport and None.
• The solution uses Forms authentication as its authentication mode, for the following reasons:
• Using Windows or Passport authentication would force us to provision the user in the AD or in Microsoft Passport respectively. We want the user to be provisioned through the service itself.
• The authentication itself is done against the user's records in the Content Server.
• The credential check is a plain username/password comparison against the DB.
• Because we are using TLS, all the data sent to the server is encrypted, so this plain credential check is acceptable.
• The user's password is not stored explicitly in the DB. Instead an MD5 hash of the password is stored there.
• Even if someone breaks into the DB, he will not be able to use the stolen passwords at the login form, because the FE sends the hashed password to the content server. (Note the limits of this: an unsalted MD5 hash of a password can be recovered offline by dictionary or brute-force search, and anyone who can reach the content server with a stored hash can present it as the credential, so the stored hash must be protected like a password.)
• If the user is not active for 5 min his session expires and he is redirected to the login page.
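The two storage schemes just discussed, side by side, as an added example in Python (the project itself is .NET; this is not its code). `md5_store`/`md5_verify` reproduce the slide's scheme (unsalted MD5 in the DB, the digest itself presented to the server); `pbkdf2_store`/`pbkdf2_verify` show the salted, iterated alternative. The wordlist and all function names are constructed for the example. It demonstrates why the "stolen hashes are useless" claim needs the caveat above: a precomputed table over a wordlist recovers the MD5 of any weak password immediately, while a per-user salt defeats the table (the same password hashes differently for every user) and the iteration count makes each remaining guess expensive.

```python
import hashlib
import hmac
import os
from typing import Dict, Iterable, Optional

# Constructed sample wordlist standing in for a leaked password list (not project data).
WORDLIST = ["123456", "password", "letmein", "technion", "qwerty"]


def md5_store(password: str) -> str:
    """The scheme on the slides: the DB keeps the unsalted MD5 hex digest of the password."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def md5_verify(stored_hex: str, presented_hex: str) -> bool:
    """Server-side check when the front end sends the MD5 digest itself.

    Whoever holds the stored digest can present it, so the digest must be protected
    like a password; compare_digest at least avoids a byte-by-byte timing leak."""
    return hmac.compare_digest(stored_hex, presented_hex)


def precomputed_table(wordlist: Iterable[str]) -> Dict[str, str]:
    """Attacker side: hash a wordlist once, then look up every stolen unsalted digest for free."""
    return {md5_store(word): word for word in wordlist}


def lookup_md5(table: Dict[str, str], stored_hex: str) -> Optional[str]:
    """Recover the password behind a stolen unsalted digest, if it is in the table."""
    return table.get(stored_hex)


ITERATIONS = 100_000  # cost factor; raise as hardware allows


def pbkdf2_store(password: str, salt: Optional[bytes] = None) -> str:
    """Hardened alternative: a random per-user salt plus iterated PBKDF2-HMAC-SHA256.

    The salt makes a precomputed table useless (same password, different digest per user)
    and the iteration count makes each online or offline guess expensive."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def pbkdf2_verify(stored: str, password: str) -> bool:
    """Recompute with the stored salt and iteration count; the client sends the password, not a digest."""
    try:
        algo, iters, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest.hex(), digest_hex)


if __name__ == "__main__":
    leaked = md5_store("technion")                                            # what a DB thief sees
    print("md5 lookup:", lookup_md5(precomputed_table(WORDLIST), leaked))   # technion
    hardened = pbkdf2_store("technion")
    print("pbkdf2 in table:", hardened in precomputed_table(WORDLIST))       # False
    print("pbkdf2 verify:", pbkdf2_verify(hardened, "technion"))            # True
```

The salt does not stop a targeted guess against one user (the attacker can still try the wordlist against that one salt); it stops amortising the work across users and across breaches, and the iteration count is what makes each guess cost. Neither scheme removes the need to keep the DB itself behind the gatekeeper.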
Security - Content Web Site cont.
4. Authorization
• The user is authorized to use the main page for manipulating his files only after he has authenticated.
• In each transaction triggered by the user, the web site takes the encrypted user id from his session cookie and decrypts it; this way we can be sure that the user's real credentials are used.
Security - Application server
1. Gate-keeper: only allowed services.
        IP                Port
   In   Front ends list   TCP 8987
   Out  Mail Server IP    8987
2. Secure Communications
The solution uses the .NET Remoting security.
Security - Application server
3. Authentication
• At this stage we authenticate the service that performs the action. The client authentication was done in his login phase.
• Each remote method that the Application Server exposes receives a ServiceCredentialsIfc argument, in which the service puts its service-id and password.
• The Application Server authenticates the service by a plain id/password check against the Data Base records.
4. Authorization
• Service authorization
  – Once the service is authenticated it is authorized to perform actions on the remote interface.
• User authorization
  – The user is only authorized to perform actions on his own files. Authorization to get others' files is checked against invitations from them.
Security – Data Base
1. Gate keeper
        IP                  Port
   In   Application server  TCP 1433
   Out  none                none
2. Secure Communications
• Not used, because the DB link runs only on the internal network between the application server and the DB server (this is a trust assumption on that network segment).
Security – Data Base cont.
3. Authentication
• A DB user is added. It is the account that runs the application server, so authentication is done through the directory (the Active Directory account, i.e. LDAP).
4. Authorization
• This user is only authorized to perform the application's actions on the schema.
Application Server Class Diagram
DB Tables Relations
ServiceCredentials: ServiceID, ServicePass
Files: Email, FileName, FileContent, FileDate, FileSize
Downloads: owner, downloader, Token, Expiry, FileName
Users: UserName, Email, Password
U.Cs Diagrams
1. Client connection negotiation
Participants: client, Web server (IIS)
«requirement» the client tries to access port 80.
Messages, in order:
  1. client -> Web server: HTTP GET
  2. Web server -> client: ICMP destination unreachable
  3. client -> Web server: HTTPS GET
  4. client <-> Web server: SSL negotiation
1. Client connection negotiation cont.
[SSL negotiation diagram, taken from http://conferences.codegear.com/article/images/32136/1348c.jpg]
2. Client accessing web server
Start: the client accesses the main.aspx page.
ASP checks whether the client has an authenticated cookie in his session.
  No: the server sends a redirect to login.aspx; the client accesses the login.aspx page; the server replies with the login form; the client fills in the login form.
      Client credentials ok? No: back to the login form. Yes: create an HttpCookie, store it in the client session and redirect to main.aspx.
  Yes: was the session accessed in the last 5 min?
      No: the server sends a redirect to login.aspx (as above).
      Yes: the server updates the timestamp for cookie expiry and sends the main page; the client continues to work.
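The session handling in the authorization slide and in the flow above (user id carried in the session cookie, 5-minute idle expiry, timestamp refreshed on every request), as an added example in Python; it is not the project's code. The slides say the cookie carries an encrypted user id; this example instead binds the user id and last-access time with an HMAC under a server-side key, because what actually stops a client from substituting another user's id is that the ticket is authenticated, not that it is secret (ASP.NET's own Forms ticket can be both encrypted and signed, depending on the machineKey protection setting). Key, ticket layout and function names are assumptions made for the example.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

SESSION_IDLE_SECONDS = 5 * 60   # from the slides: 5 minutes of inactivity expires the session
MAC_LEN = hashlib.sha256().digest_size


def _mac(payload: bytes, key: bytes) -> bytes:
    return hmac.new(key, payload, hashlib.sha256).digest()


def issue_ticket(user_id: str, key: bytes, now: Optional[float] = None) -> str:
    """Cookie value created at login: user id + last-access time, bound by an HMAC under a server key."""
    now = time.time() if now is None else now
    payload = json.dumps({"uid": user_id, "last": int(now)}, separators=(",", ":")).encode("utf-8")
    return base64.urlsafe_b64encode(payload + _mac(payload, key)).decode("ascii")


def validate_ticket(ticket: str, key: bytes, now: Optional[float] = None) -> Optional[str]:
    """Return the user id if the ticket is genuine and was used within the idle window, else None.

    The user id is trusted only after the MAC verifies, so a client cannot substitute another
    user's id; a stale ticket is rejected, which is the redirect-to-login branch of the flow."""
    now = time.time() if now is None else now
    try:
        raw = base64.urlsafe_b64decode(ticket.encode("ascii"))
    except (ValueError, UnicodeEncodeError):
        return None
    payload, mac = raw[:-MAC_LEN], raw[-MAC_LEN:]
    if not hmac.compare_digest(mac, _mac(payload, key)):
        return None                                   # forged, altered or signed with another key
    try:
        data = json.loads(payload.decode("utf-8"))
        uid, last = data["uid"], int(data["last"])
    except (ValueError, KeyError, TypeError):
        return None
    if now - last > SESSION_IDLE_SECONDS:
        return None                                   # idle too long: back to login.aspx
    return uid


def refresh_ticket(ticket: str, key: bytes, now: Optional[float] = None) -> Optional[str]:
    """Per-request step from the flow: after validation, re-issue with a fresh timestamp (sliding expiry)."""
    uid = validate_ticket(ticket, key, now)
    return None if uid is None else issue_ticket(uid, key, now)


def tamper_uid(ticket: str, new_uid: str) -> str:
    """What an attacker without the key can try: rewrite the uid and keep the old MAC."""
    raw = base64.urlsafe_b64decode(ticket.encode("ascii"))
    payload, mac = raw[:-MAC_LEN], raw[-MAC_LEN:]
    data = json.loads(payload.decode("utf-8"))
    data["uid"] = new_uid
    forged = json.dumps(data, separators=(",", ":")).encode("utf-8")
    return base64.urlsafe_b64encode(forged + mac).decode("ascii")


if __name__ == "__main__":
    key = b"server-side-secret-key-32-bytes!"      # assumption: kept only on the web server
    t = issue_ticket("alice@example.com", key, now=1000)
    print(validate_ticket(t, key, now=1200))                          # alice@example.com
    print(validate_ticket(t, key, now=1400))                          # None (idle > 5 min)
    print(validate_ticket(tamper_uid(t, "bob@example.com"), key, 1200))  # None (MAC fails)
```

The ticket still has to travel only over TLS and be marked Secure and HttpOnly on the cookie, since an authenticated ticket that is stolen is as good as the login; the idle window bounds how long a stolen ticket stays usable.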
3. New Client Registration
Participants: Client Browser (Global Internet); Web Server (Proxies Layer); Application Server, Mail Server (Applications Layer); DB (DB Layer)
Messages, in order:
  1. fill in registration form
  2. click submit
  3. fields validation (validation error: error message; validation ok: POST form)
  4. UserProvisioningIfc::Register()
  5. CheckCredentials()
  6. does user exist? (true: error; false: generate password)
  7. Insert
  8. CheckCredentials()
  9. Insert
  10. MailingIfc::SendMail()
  11. send mail with password
  12. welcome message
  13. redirect to login page
4. Uploading files
Participants: Client Browser (Global Internet); Web Server (Proxies Layer); Application Server (Applications Layer); DB (DB Layer)
Messages, in order:
  1. select a file to upload
  2. click submit
  3. POST form
  4. get encrypted user name from session cookie
  5. decrypt user name
  6. FilesManageIfc::StoreFile()
  7. CheckCredentials()
  8. Insert
  9. CheckCredentials()
  10. Store
5. Deleting files
Participants: Client Browser (Global Internet); Web Server (Proxies Layer); Application Server (Applications Layer); DB (DB Layer)
Messages, in order:
  1. select a file to delete
  2. click submit
  3. POST form
  4. get encrypted user name from session cookie
  5. decrypt user name
  6. FilesManageIfc::DeleteFile()
  7. CheckCredentials()
  8. does file exist?
  9. Delete
  10. CheckCredentials()
  11. Delete
6. Downloading a file
Participants: Client Browser (Global Internet); Web Server (Proxies Layer); Application Server (Applications Layer); DB (DB Layer)
Messages, in order:
  1. select a file to download
  2. click submit
  3. POST form
  4. get encrypted user name from session cookie
  5. decrypt user name
  6. FilesManageIfc::GetFile()
  7. CheckCredentials()
  8. does file exist?
  9. Select
  10. CheckCredentials()
  11. Select
  12. return file
  13. return file
  14. push back file in response
7. Send file download invitation
Participants: Client Browser (Global Internet); Web Server (Proxies Layer); Application Server, Mail Server (Applications Layer); DB (DB Layer); Recipient
Messages, in order:
  1. select a file to send
  2. click submit
  3. POST form
  4. get encrypted user name from session cookie
  5. decrypt user name
  6. FilesManageIfc::SendFile()
  7. CheckCredentials()
  8. does file exist?
  9. generate download key
  10. set download expiration time
  11. Insert
  12. CheckCredentials()
  13. Insert
  14. is recipient registered?
  15. prepare mail
  16. MailingIfc::SendMail()
  17. send mail to Recipient
8. Download a file from a friend
Participants: Client Browser (Global Internet); Web Server (Proxies Layer); Application Server (Applications Layer); DB (DB Layer)
Messages, in order:
  1. fill in all fields
  2. click submit
  3. POST form
  4. get encrypted user name from session cookie
  5. decrypt user name
  6. FilesManageIfc::GetFileByToken()
  7. CheckCredentials()
  8. is it before the expiration date? (false: return error; error message)
  9. Get
  10. CheckCredentials()
  11. Select
  12. return file
  13. return file
  14. push back file in response
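The application-server checks from the Security slides (service authentication on every remote call, users restricted to their own files, invitations with a download key and an expiry) and use cases 7 and 8 above, as an added example in Python that is not the project's code. The in-memory dictionaries stand in for the ServiceCredentials, Users, Files and Downloads tables of the DB slide, filled with constructed sample rows; `check_credentials`, `get_file`, `send_file` and `get_file_by_token` correspond to CheckCredentials(), FilesManageIfc::GetFile, ::SendFile and ::GetFileByToken, and the `ServiceCredentials` dataclass stands in for the ServiceCredentialsIfc argument. One choice that goes beyond the slides: the Downloads row stores a SHA-256 of the download key rather than the key itself, so that a read of the DB does not yield usable invitations.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Tuple

# In-memory stand-ins for the DB tables on the slides, filled with constructed sample data.
SERVICE_CREDENTIALS: Dict[str, str] = {             # ServiceID -> sha256(ServicePass)
    "web-frontend-1": hashlib.sha256(b"fe1-secret").hexdigest(),
}
USERS = {"alice@example.com", "bob@example.com"}    # Users.Email
FILES: Dict[Tuple[str, str], bytes] = {             # (Files.Email, Files.FileName) -> FileContent
    ("alice@example.com", "report.pdf"): b"%PDF-1.4 constructed sample",
}
DOWNLOADS: Dict[str, dict] = {}                     # sha256(Token) -> owner, downloader, Expiry, FileName


class ServiceAuthError(Exception):
    """The calling service could not be authenticated (CheckCredentials failed)."""


class Forbidden(Exception):
    """The user is not authorized for this file or invitation."""


@dataclass(frozen=True)
class ServiceCredentials:          # stands in for the ServiceCredentialsIfc argument
    service_id: str
    service_pass: str


def check_credentials(cred: ServiceCredentials) -> None:
    """Authenticate the front-end service on every remote call."""
    stored = SERVICE_CREDENTIALS.get(cred.service_id, "0" * 64)   # dummy keeps timing uniform
    presented = hashlib.sha256(cred.service_pass.encode("utf-8")).hexdigest()
    if cred.service_id not in SERVICE_CREDENTIALS or not hmac.compare_digest(stored, presented):
        raise ServiceAuthError(cred.service_id)


def get_file(cred: ServiceCredentials, user: str, filename: str) -> bytes:
    """GetFile: only the caller's own (Email, FileName) row is reachable."""
    check_credentials(cred)
    content = FILES.get((user, filename))
    if content is None:                   # not the owner, or no such file: same answer for both
        raise Forbidden(f"{user} has no file {filename!r}")
    return content


def send_file(cred: ServiceCredentials, owner: str, filename: str, recipient: str,
              now: int, ttl_seconds: int = 24 * 3600) -> str:
    """SendFile: create an invitation (download key + expiry) for a registered recipient."""
    check_credentials(cred)
    if (owner, filename) not in FILES:
        raise Forbidden(f"{owner} has no file {filename!r}")
    if recipient not in USERS:            # "is recipient registered?"
        raise ValueError("recipient is not a registered user")
    token = secrets.token_urlsafe(32)     # the download key that goes out by mail
    DOWNLOADS[hashlib.sha256(token.encode("utf-8")).hexdigest()] = {
        "owner": owner, "downloader": recipient, "Expiry": now + ttl_seconds, "FileName": filename,
    }
    return token


def get_file_by_token(cred: ServiceCredentials, user: str, token: str, now: int) -> bytes:
    """GetFileByToken: the invited user redeems the key before it expires."""
    check_credentials(cred)
    row = DOWNLOADS.get(hashlib.sha256(token.encode("utf-8")).hexdigest())
    if row is None or row["downloader"] != user:
        raise Forbidden("no invitation for this user and key")
    if now >= row["Expiry"]:
        raise Forbidden("invitation expired")
    content = FILES.get((row["owner"], row["FileName"]))
    if content is None:                   # owner deleted the file after inviting
        raise Forbidden("file no longer exists")
    return content


def outcome(fn, *args, **kwargs) -> str:
    """Demo helper: 'ok' or the name of the exception raised."""
    try:
        fn(*args, **kwargs)
        return "ok"
    except Exception as exc:
        return type(exc).__name__


if __name__ == "__main__":
    fe = ServiceCredentials("web-frontend-1", "fe1-secret")
    key = send_file(fe, "alice@example.com", "report.pdf", "bob@example.com", now=1000, ttl_seconds=3600)
    print(outcome(get_file, fe, "bob@example.com", "report.pdf"))              # Forbidden
    print(outcome(get_file_by_token, fe, "bob@example.com", key, 2000))         # ok
    print(outcome(get_file_by_token, fe, "bob@example.com", key, 4600))         # Forbidden (expired)
```

Binding the invitation to the recipient's account as well as to the key means a leaked mail alone is not enough to fetch the file: the downloader must also be logged in as the invited user, which matches the slide's requirement that only permitted persons can fetch one's files.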
Thank you.