Académique Documents
Professionnel Documents
Culture Documents
A Practice School-II Station of BIRLA INSTITUTE OF TECHNOLOGY & SCIENCE ,PILANI (December 2011)
Prepared in partial fulfillment of the Practice School Course No. BITSC412/BITSC413/BITSG639 AT CMC Limited, Mumbai
A Practice School-II Station of BIRLA INSTITUTE OF TECHNOLOGY & SCIENCE ,PILANI (December 2011)
ACKNOWLEDGEMENTS
We would like to acknowledge the support of our Project Manager , Mrs. Nayana Vaidya , who guided us throughout the duration of the project and also for proof reading the report. We would like to thank our PS Faculty Mr . P. Vijay Bhasker Reddy for regularly keeping an update on our work and for providing us with the necessary documents required for completing the mid semester report . We would also like to acknowledge the guidance provided by Mr. R . Mahesh who guided us during our research on Public Key Infrastructure .We would also like to thank all the employees of CMC Ltd. For providing us with all the technical help needed for completing the project . We are also grateful to Mr.Bhagwan Das for mentoring and guiding us while the development of the project . We would like to thank Mr.Gurmeet Singh, Mr JJ Kulkarni and Mr.Deodhar of the Bhabha Atomic Research Centre for giving us the opportunity to visit BARC and understand the PKI implemented there.
Name of expert: Mr. Bhagwan Das Designation : Senior IT Engineer Name of PS Faulty- P. Vijay Bhasker Reddy Keywords PKI , BARC , Security, Shell scripting , SpringRoo , JAVA ,JDBC Project Area(s)- Computer Science/Cryptography
Abstract -This project of BARC undertaken by CMC involves developing web based applications for the Account Management system.This project is currently being developed at the CMC office at World Trade Centre,Cuffe Parade,Mumbai under the supervision of Mrs.Nayana Vaidya. The work includes shell scripting in Spring Roo for the development of the web pages . The PKI part of the project includes understanding of the existing PKI project at BARC and application of the same in the project being developed here. The entire project is to be developed using open source softwares.
Tables of Contents 1. Introduction 1.1 About the Company 1.2 About the Project WebPage Develpoement Using Spring Roo 2.1 Open Source Software Used 2.1.1 Spring Source 2.1.2 Spring Roo 2.1.3 PostGRE SQL 2.2 Steps Involved in Development 2.2.1 Shell Scripting 2.2.2 Creating the project by Running Scripts 2.2.3 Building and Running Project What is PKI? 3.1 How Public and Private Key Cryptography Works 3.2 Who Provides the Infrastructure? 3.3 Pretty Good Privacy 3.4 The PKI certificate (Digital Certificate) 3.5 Controlling Key Usage 3.6 PKI methods for storing Public Keys and Private Keys Application of PKI in the project SSL and TLS Protocols OpenSSL 6.1 Generating a Certificate 6.2 Key Generation Application provided by BARC 7.1 PKI Module Integration 7.2 RPGServer 7.3 RPGPKIAdmin 7.4 RPGWeb and RPGApplet Functionality of the Project Test Spring Source Project Conclusion 6 6
2.
7 7 8 8 9 10 12 12 13 14 15 15 15 17 17 18 19 20 20 23 23 24 25 26 28 30
3.
4. 5. 6.
7.
8. 9. 10.
1.
INTRODUCTION
1.1 About the company CMC Limited is a leading systems engineering and integration company in India, offering application design, development, testing services and asset-based solutions in niche segments through turnkey projects of national importance. A subsidiary of Tata Consultancy Services Limited (TCS Ltd), one of the world's leading information technology consulting, services and business process outsourcing organizations. CMC Limited is an end-to-end IT solutions provider with capabilities straddling the entire information technology spectrum: IT architecture; hardware; software (including systems and application software, development or implementation, maintenance, and frameworks); network consulting; and IT-enabled processing services . CMC was incorporated on December 26, 1975, as the 'Computer Maintenance Corporation Private Limited'. The Government of India held 100 per cent of the equity share capital. On August 19, 1977, it was converted into a public limited company. It was subsequently bought by the TATAs. Guiding CMC's quest for excellence and global expansion is its eminent board of directors, headed by Chairman, Mr S Ramadorai. Its Managing Director, Mr R Ramanan, who is also the Chief Executive Officer, directs CMCs day-to-day operations. CMC has around 7,396 employees. Some of CMCs clients include Bombay Stock Exchange , National Stock Exchange , Bhabha Atomic Research Centre , Indian Railways , Indian Air Force , Parle , PepsiCo. Etc.
2. WEB PAGE DEVELOPMENT USING SPRING ROO 2.1 Open Source Softwares Used 2.1.1 SpringSource
SpringSource provides an application framework in the Java space called Spring. It offers commercial support subscriptions and added value software for the Spring Framework and many other products in the Spring Portfolio.
The Spring Framework and related products are used by a majority of all enterprise Java developers. Companies like JP Morgan, HSBC, Orbitz, Accenture, and Cap Gemini all use Spring to build highly scalable and mission-critical systems.
During the course of the project done so far , Spring Source is used as the main JAVA Development Platform for writing the codes , compiling them , running them and seeing the generated output . Spring Source has an in built sever which is used for hosting web pages when they are created using Spring Source Tool Suite. Spring Source Tool Suite forms the heart and soul of the BARC project undertaken by CMC Ltd.
Use the Spring Framework to develop Java applications Test JAVA-based applications Set up Spring configuration using XML, annotations, and Java configuration Use Hibernate and JDBC with Spring to access relational databases
The main methodology used by Spring Roo includes writing the codes in a Spring Roo Shell. These shells are later developed into web pages containing the JAVA classes ,when the project is build using Spring Source Suite . The JAVA classes get automatically built and the user can later modified the JAVA classes by editing the source code according to his needs.
As the user goes about editing code in a normal way, Roo keeps an eye on your project files and automatically modifies them in response to your actions. Depending on the Roo add-ons you
have running, Roo can help you with different types of files.
The first step involved in developing the required web pages containing the JAVA classes is Scripting. This includes writing the commands in a Roo shell . For the project, the allotted module was the Material Management System (MMS) module . For the MMS modules , scripting for the following was to be done : 1.Master Script 2.Purchase Script 3.Payment Script 4.Disposal Script 5.Inventory Script Spring Roo's main user interface is a command-line shell. The shell provides both a command-line interface and also a mechanism to host plug-ins . The following is an example of the shell roo scripting that was done as a part of the project :
In the above figure , the script when run creates a JAVA class named itemCategory and creates web page having field names as mentioned and connects it to the database used.
2.2.2 Creating the Project and Running the Scripts The next step involves the creation of Roo project in the Spring Source Tool Suite and running the scripts which had been previously written. Upon running the scripts , Spring Roo writes the JAVA code corresponding to the various classes which mentioned in the script . The scripts are run using the following command which builds the Roo project . Roo> persistence setup provider HIBERNATE database PostGRES Here ,Hibernate is the object-relational mapping (ORM)-provider. Hibernate is one of three ORM
providers which Roo currently offers. The command also connects Spring Source with the database, in this case PostGRES.
2.2.3 Building and Running the Project The next step involves building the project and then running it on a server using the internal server provided by the Spring Suite Tool . The step converts the Java Classes into web pages , containing the required fields . Each of these web pages is connected to the database and whatever data is entered into the web page gets stored in the database and can be subsequently viewed.
3. What is PKI?
A PKI (public key infrastructure) enables users of a basically unsecure public network such as the Internet to securely and privately exchange data and money through the use of a public and a private cryptographic key pair that is obtained and shared through a trusted authority. The public key infrastructure provides for a digital certificate that can identify an individual or an organization and directory services that can store and, when necessary, revoke the certificates. Although the components of a PKI are generally understood, a number of different vendor approaches and services are emerging. Meanwhile, an Internet standard for PKI is being worked on.
The public key infrastructure assumes the use of public key cryptography, which is the most common method on the Internet for authenticating a message sender or encrypting a message. Traditional cryptography has usually involved the creation and sharing of a secret key for the encryption and decryption of messages. This secret or private key system has the significant flaw that if the key is discovered or intercepted by someone else, messages can easily be decrypted. For this reason, public key cryptography and the public key infrastructure is the preferred approach on the Internet. (The private key system is sometimes known as symmetric cryptography and the public key system as asymmetric cryptography.) A public key infrastructure consists of: A certificate authority (CA) that issues and verifies digital certificate. A certificate includes the public key or information about the public key A registration authority (RA) that acts as the verifier for the certificate
To do this Send an encrypted message Send an encrypted signature Decrypt an encrypted message Decrypt an encrypted signature
Use whose Use the receiver's Use the sender's Use the receiver's Use the sender's
Kind of key Public key ate key Private key Public key
GTE CyberTrust, which provides a PKI implementation methodology and consultation service that it plans to vend to other companies for a fixed price Xcert, whose Web Sentry product that checks the revocation status of certificates on a server, using the Online Certificate Status Protocol (OCSP) Netscape, whose Directory Server product is said to support 50 million objects and process 5,000 queries a second; Secure E-Commerce, which allows a company or extranet manager to manage digital certificates; and Meta-Directory, which can connect all corporate directories into a single directory for security management
b) The Private Key used for Decryption A private key is used to decrypt information that has been encrypted using its corresponding public key. The person using the private key can be certain that the information it is able to decrypt must have been intended for them, but they cannot be certain who the information is from. Note: In normal practice the private key is used to decrypt the session key, and that key is used to decrypt the actual information rather than the private key decrypting all the information.
c) The Private Key for Signature If the sender wishes to prove to a recipient that they are the source of the information (perhaps they accept legal responsibility for it) they use a private key to digitally sign a message (a digital signature). Unlike the handwritten signature, this digital signature is different every time it is made. A unique mathematical value, determined by the content of the message, is calculated using a 'hashing' or 'message authentication' algorithm, and then this value is encrypted with the private key - creating the digital signature for this specific message. The encrypted value is either attached to the end of the message or is sent as a separate file together with the message. The public key corresponding to this private key may also be sent with the message, either on its own or as part of a certificate.
Note: Anyone receiving information protected simply by a digital signature can check the signature and can read and process the information. Adding a digital signature to information does not provide confidentiality.
d) The Public Key for Signature The receiver of a digitally signed message uses the correct public key to verify the signature by performing the following steps. A non-technical example is given after these steps. 1. The correct public key is used to decrypt the hash value that the sender calculated for the information 2. Using the hashing algorithm (where certificates are in use it will be stated in the public key certificate sent with the message), the hash of the information received is calculated 3. The newly calculated hash value is compared to the hash value that the sender originally calculated. This was found in step 1 above. If the values match, the receiver knows that the person controlling the private key corresponding to the public key sent the information. They also know that the information has not been altered since it was signed 4. If a public key certificate was sent with the information it is then validated with the CA that issued the certificate to ensure that the certificate has not been falsified and therefore the identity of the controller of the private key is genuine 5. Finally, if one is available, the revocation list for the CA is checked to ensure that the certificate has not been revoked, or if it has been revoked, what the date and time of revocation were. e) Signing the Hash Function A hash function H is a transformation that takes a variable-size input m and returns a fixed-size string, which is called the hash value h (that is, h = H(m)). Hash functions with just this property have a variety of general computational uses, but when employed in cryptography the hash functions are usually chosen to have some additional properties. The hash value represents concisely the longer message or document from which it was computed; one can think of a message digest as a "digital fingerprint" of the larger document. Examples of well-known hash functions are MD2 and MD5 and SHA. Perhaps the main role of a cryptographic hash function is in the provision of digital signatures. Since hash functions are generally faster than digital signature algorithms, it is typical to compute the digital signature to some document by computing the signature on the document's hash value, which is small compared to the document itself. Additionally, a digest can be made public without revealing the contents of the document from which it is derived. This is important in digital timestamping where, using hash functions, one can get a document timestamped without revealing its contents to the timestamping service.
3.4
In the section on public and private keys, references were made to certificates. A certificate is information referring to a public key, that has been digitally signed by a Certification Authority (CA). The information normally found in a certificate conforms to the ITU (IETF) standard X.509 v3. Certificates conforming to that standard include information about the published identity of the owner of the corresponding private key, the key length, the algorithm used, and associated
hashing algorithm, dates of validity of the certificate and the actions the key can be used for. A certificate is not essential to operating a PKI, however, some scheme is necessary to locate information about the controller of a private key, and the X.509 certificate is the most commonly implemented scheme.
3.6 PKI methods for storing Public Keys and Private Keys
a) Digital certificates Public keys are stored within digital certificates along with other relevant information (user information, expiration date, usage, who issued the certificate etc.). The CA enters the information contained within the certificate when it is issued and this information cannot be changed. Since the certificate is digitally signed and all the information in it is intended to be publicly available there is no need to prevent access to reading it, although you should prevent other users from corrupting, deleting or replacing it. b) Protection If someone gains access to your computer they could easily gain access to your private key(s). For this reason, access to a private key is generally protected with a password of your choice. Private key passwords should never be given to anyone else and should be long enough so that they are not easily guessed. This is the same as looking after your ATM CARD and its PIN. If someone manages to get hold of your card then the only thing that prevents him or her using it is the PIN (password) protecting it. If someone has your PIN then they can take your money and you can't stop them. Different vendors often use different and sometimes proprietary storage formats for storing keys.For example, Entrust uses the proprietary .epf format, while Verisign, GlobalSign, and Baltimore, to name a few, use the standard .p12 format. signs (stamps) the certificate to prevent modification of the details contained in the certificate.
Having made the project requirement clear,the course of action before visiting BARC has been set to create a set of classes separately and then merging them into an example of a bank transaction which would prove to be our POC. Below are some classes and their outcomes:-
6. OpenSSL
OpenSSL is an open source implementation of the SSL and TLS protocols. The core library implements the basic cryptographic functions and provides various utility functions. Wrappers allowing the use of the OpenSSL library in a variety of computer languages are available. Versions are available for most Unix-like operating systems, OpenVMS and Microsoft Windows. IBM provides a port for the System i (OS/400). OpenSSL is based on SSLeay by Eric A. Young and Tim Hudson, development of which unofficially ended around December 1998, when Young and Hudson both started to work for RSA Security.
Generating a certificate.
2. Key Generation:
In OpenSSL, asymmetric keys can be generated using different algorithms like RSA and DSA.
7.
As a part of the project, cryptography and security of the transactions is vital and the computer division at BARC in its document briefly explaining their needs, as cited the use of PKI. The document from the Computer Division of BARC states that the classes for almost all of the above mentioned processes would be provided and then,as we perceive it, we would be required to merge the below mentioned project into the aaiis and mms project .
certificates that are present in the crypto token and makes it ready for fresh use. For Initialization: 1. Open SafeNet Token Utilities. 2. Go to the token option in the top-left corner, select Initialize token and press OK. The PIN of the token is automatically saved as Password#1 after initialization.
There are 5 Java projects that have been provided by BARC 1.RPGPKIServer 2.RPGPKIAdmin 3.RPGTest 4.RPGWeb 5.RPGApplet
7.2 RPGServer:
By running the RPGServer we establish the connection with PostGRE SQL database. This is called the PKI SERVER. It contains DBConnection.java and PKIServlet.java DBConnection.java : It contains the specifications of the database to which the server is to be connected. The specifications include the name of the schema, defined user and the password of the selected database. To change the server and connect it to another database the getconnection() method in this file has to be edited and the .jar file of the specified database has to be added to the library of the project. PKIServlet.java : It contains all the queries of the methods defined in RPGPKIAdmin. The queries have been made by following PostGRE structure. This is a servlet type java file and takes the inputs given by keyboard and helps in storing them to the specified table in the database. If the database is to be changed, the queries have to be changed according to the specifies DBs syntax. The syntax for PostGRE DB have been taken from the internet.
7.3 RPGPKIAdmin:
The RPGPKIAdmin project is run to access the crypto token and register, update certificates of the defined users. Methods defined as Admin Tasks are: 1. Generate Keypair 2. View Token Certificate 3. Register Employee 4. Update Certificate 5. Get List of Employee 6. View Certificate by EmpNo 7. View Certificate by CertSno Generate Keypair : This method generates an asymmetric keypair and stores them in the crypto token that has been inserted. It generates the Keypair using the RSA Algorithm. These RSA Algorithm methods are
defined in the Java made class file named RSATool.java. The public key in the asymmetric key is derived from the private key generated. As the system being followed by BARC is not approved by any Certifying Authority (CA), the certificate of the generated keypair is also made by including the information of the employee and its expiry date. View Token Certificate: This method helps in viewing the present certificate in the crypto token. The method makes connection with the inserted crypto token, and displays the certificate of the owner of the crypto token.
Register Employee: All the employees who have crytpo tokens have to be first registered to the emp_cert table of the database. The employee name and number are added in the database and all the other fields like Certificate, CertSno, Date of expiry, etc. are left null in the initial stage. The Administrator of the PKI Server has to register the employees before giving them their crypto tokens. After registering he generates the keypair for the given employee and his certificate is generated.
Update Certificate: After Registering the Employee, his certificate is to be stored in the database for reference. This is done by the Update Certificate button of PKI Admin. It asks for your Emp.no and then updates the certificate present in your crypto token as the present certificate in the table emp_cert .The previous certificate is transferred to an other database old_cert and stored there with the serial number so that it can be viewed when required. This is done because the certificate of an old key can be used in the future for verification even after the certificate has been expired. The main reference with which these archived certificates can be viewed is the certificate Serial Number which is unique for all the certificates. The Serial Numbers are matched with the Employee Number of the Token Holder so that there is no mismatch.
Get List of Employee: This Button displays all the employees that have been registered in the PKI Server. The details that are displayed about the registered employees are Employee name, Employee Number, Certificate Serial Number and the Certificate. View Certificate by Employee Number and Cert Sno: These buttons Download the specified certificate from the database using EmployeeNo and CertSno respectively. The certificates viewed by using EmpNo are the current certificates being
used by the employee. By using CertSno we can view both present and archived certificates. When we run the PKI Admin, a Java Applet is created. All the functions that are called in the applet are defined in the PKIServlet.java file present in the source package of the PKI Server project. The queries in all these methods have been changed as per PostGRE SQL instead of MySQL. The .jar file of PostGRE was added too. These changes have already been mentioned.
Use Generate Key and other methods to generate and store the key in Crypto token, and Register Employee and Update Certificate to store the certificate in the database. For Sign-verify and Encrypt-Decrypt: For running the project, run the RPG server first. Then run RPG web. This will open a java applet which will have a text field and various buttons corresponding to various applications. Give the employee ID in the text field and then you can sign or verify. There are two methods viz. signVerifyData and signVerifyFile. To sign the data the method uses getBytes method on a field of database to convert the string into array of bytes and it is fed into the class. To sign a file the method has the path of the file given within the code. This path can be changed as per the file to be signed. The encryption decryption works the same way as the signVerifyFile. The path of the file to be encrypted is given to a function in the code and the path of the encrypted file is given in the decrypt function.
After making the Netbeans IDE project provided by BARC fully functional , a new Maven project was created called pki . An applet called HelloApplet was created ,which contained the SignVerify applet of the project . This project was then exported into the applets of Maven project pki. 2. Running the pki project If signing and verification have to be performed ,then PKIServer has to be run because while signing and verifying database is accessed. Presently , Hypersonic database is being used . It has to be changed to POSTGRE sql . This can be done by making changes in the databaseproperties file in the pki project. 3. Functioning of the pkiproject Upon running the project, a graphic user interface appears , where user enters his employee number, employee name and date of birth. On clicking on the Next button, the data entered by him is redisplayed . Clicking on the Next button ,takes him to a page where he has the option of Digital Signature and Digital Verification On clicking on the Digital Signature ,the data entered by the user gets signed. The parameters stay on the browser .
10. CONCLUSION:
As a part of the PS2, we worked with the team responsible for developing web applications for BARC. During the initial phase of the project, shellscripting was done for creating web pages using Spring Roo.These web pages will be further integrated into the main project where interlinking of different modules will be done. As the project progressed , we worked on an independent project based on the implementation of PKI for approval and dissapproval during transactions .As a part of the PKI project sufficient research was done for the PKI implementation and success was obtained in encrypting, decrypting files and generating certificates using the OpenSSL tool. Two visits were made to BARC to understand the client requirements and study the project which was impelmented there . Non-fucntional PKI based JAVA projects and crypto-tokens were obtained from BARC and succesfully developed into a functioning project which performs the function of signing and verification . This project was in Netbeans and was converted into a Maven project ,consistent with the project being developed by CMC . The project was then handed over to other employees of CMC through a systematic procedure .
from now on will be authenticated (and encrypted, if encryption was negotiated)." The server sends its authenticated and encrypted Finished message. The client performs the same decryption and verification. 4. Application phase: at this point, the "handshake" is complete and the application protocol is enabled, with content type of 23. Application messages exchanged between client and server will also be authenticated and optionally encrypted exactly like in their Finished message. Otherwise, the content type will return 25 and the client will not authenticate. Thus, a secure connection is established between client and server to transfer secure data.
independent entity (VeriSign). d) Verifying certificates The public key certificate is signed by the CA to prevent its modification or falsification. This signature is also used when checking that the public key is still valid. The signature is validated against a list of 'Root CAs' contained within various 'PKI aware' applications (e.g. your browser). Some CA certificates are called 'Root Certificates' as they form the root of all certificate validation. Certificate validation occurs automatically using the appropriate public certificate contained within the root CA list.
REFERENCES
1.www.springsource.com/Documentation 2.www.openssl.org 3.www.madboa.com/geek/openssl 4.Richard E. Smith, "Internet Cryptography",Pearson Publication,1996 5.B. Schneier, Applied Cryptography, Second Edition (John Wiley & Sons, 1996) 6.D.R. Stinson, Cryptography: Theory and Practice (CRC Press, 1995) 7.www.wikipedia.org