Je déteste les CAPTCHA. C’est comme de la mauvaise crypto.

Fondamentalement, le CAPTCHA ne fonctionne pas. La tâche d’analyse (le test de Turing) est complexe juste parce que personne ne s’est encore donné la peine d’écrire le code pour réussir. C’est aussi vrai pour la crypto classique, mais ces mathématiques sont soumises à des études formelles et continues. On sait à quoi s’en tenir : avec de la bonne crypto, on déplace le problème ailleurs (la gestion de clé, souvent). En intelligence artificielle, la segmentation est difficile, mais l’ordre de grandeur d’effort est à la portée des botnets actuels.

Trouver un éléphant ou un burger est faisable. Google ne trouve-t-il pas déjà les visages sur les photos ? La faiblesse de ce CAPTCHA, en particulier, c’est l’apprentissage (en supposant que l’implémentation est bonne). La mémoire d’un ordinateur est infinie. Il est possible d’avoir la base de données complète des images en relativement peu de temps. D’identifier ce qui s’y trouve et automatiser le tout. Bien sûr, il ne faut pas que l’image soit déjà dans l’index Google… Autre faiblesse, on sait toujours d’avance combien il y a de (chat-chien-burger-bébé-éléphant). Ça aide à prendre une décision automatisée.

Les attaques sur les CAPTCHA de Microsoft et Google a montré que l’analyse de CAPTCHA n’a pas un taux de succès de 100 %. Un petit pourcentage, multiplié par un bon botnet, ça fait beaucoup de captcha résolus!

On n’a qu’à ajouter de nouvelles images, non? Oui, mais combien coûtera toute cette mécanique, en développement mais surtout en entretien? Quel est le coût réel d’une utilisation abusive du service? Combien coutera l’analyse préalable des images, le classement en mots clés, etc.? On m’a demandé de compter 3 bébés, mais une image en contenait deux, faut-il filtrer ces images-là aussi?

Mais surtout, l’aspect économique de la sécurité est complètement évacué. Ce CAPTCHA est sur une page qui demande un numéro de carte de crédit, mais pas sur la page qui permet d’utiliser le service une seule fois, gratuitement. Et c’est sans compter qu’une ferme de Turing coute 8 $ pour 4000 CAPTCHA résolus. Combien coûte un client légitime dégoûté par toutes ces précautions?

Ce CAPTCHA est l’œuvre d’amateurs. Et j’ai même pas regardé l’implémentation des cookies, session, etc. En bref, implémenter correctement ce CAPTCHA par image coûte beaucoup trop cher.

Si j’étais forcé d’utiliser un CAPTCHA, j’utiliserais un simple encodage javascript des champs du formulaire, variable dans le temps, peut-être avec un hashcash en javascript aussi, et vraiment accolé au pied du mur, j’essaierais recaptcha. L’idée est de transformer tes utilisateurs en ta propre ferme de Turing. Pas fou!

• Strong cryptography
  Thank TrueCrypt for 256 bits AES in XTS mode. I think 256 bits is overkill, but 128 is not offered. I don’t see any performance hit on my modest, stock Fujitsu E8210 laptop.
• Need to know (reduced data exposure)
  Data is not available in clear text when I don’t need it. In other words, when I work, I have my files, when I play they stay encrypted
• Easy encrypted backup
  My backups are merely a copy to a file server.
• Single sign-on to any encrypted volume
  The pre-boot authentication password (or pass phrase, your call) is the only one you’ll ever have to enter, and yet, that password is never stored anywhere. Not even in encrypted memory. It’s only in your head.
• Supports encrypted USB drive
  USB drives get the same single sign-on, need to know and backup features. Doesn’t matter wheter you use file based or whole volume, although using a file based container allows you to store regular data on any computer, instead of carrying to drives.
• Platform independent
  Works on all platforms that TrueCrypt supports

It does not feature, but could be extended to :

• Plausible deniability
• Two factor authentication to encrypted files (TrueCrypt version 6.1 required)
• Step-up authentication to encrypted files
• Operating system logon integration (stay tuned for that one…)
• Full operating system backup

Here is a simplified view of my setup. A laptop, a usb drive and a simple NAS server (I have a Linksys NAS200, but any remote file share or ftp will do).

1. A keyfile is stored on your encrypted partition.
   I generated a keyfile with cryptographic random noise. Let’s call it Entropy.dat. Your pre-boot password and operating system logon will give you access to that key file. It is used to single sing-on to any container. That keyfile is never backed up, excluded it from all your backups.
2. A volume header of your container (with password authentication) is backed up
   For any file based volume you create, backup a header that has a password authentication, no keyfiles. Write that password behind a picture of yourself with your kids and send it to your mother. It will be on the her fridge if ever you need it.
3. Backup a rescue disk ISO file
   This is regular TrueCrypt procedure for full disk encryption.

To set yourself up like this, follow these steps :

1. Follow TrueCrypt’s guidelines to enable full disk encryption.
2. Create a file based TrueCrypt volume, with a strong password that you will remember or write down.
3. Backup that volume header.
4. Select (or generate) a keyfile.
5. Change the volume password to      (nothing, leave the password field blank)
6. Select the keyfile of step 4 and click Ok

Repeat steps 4-5-6 for each file based container. Copy to that container the files you want to be able on a need to know basis. When you need the files, mount the container. I wrote a batch file that mounts a file based container and shows a popup with my Notifu utility (Windows only).

@echo off
REM Mounts a file based TrueCrypt container and displays a pop-up
"C:\Program Files\TrueCrypt\TrueCrypt.exe" /v C:\users\your_username\Clients.tc /l X /q /k "%USERPROFILE%\entropy.dat" /m ts
start "" notifu /m "TrueCrypt drive X was mounted successfully from file Clients.tc" /p "Secure drive mounted" /d 5000 /i "C:\Program Files\TrueCrypt\TrueCrypt.exe"
start "" /MIN "C:\Program Files\TrueCrypt\TrueCrypt.exe" /q background

The batch is a little different for USB drives.

@echo off
REM Mounts a file based TrueCrypt container located on a USB drive and displays a pop-up
setlocal
REM I use this setup on many machines, and the USB drive is not
REM always given the same letter...
if exist f:\mobile.tc set TCFILE=f:\mobile.tc
if exist e:\mobile.tc set TCFILE=e:\mobile.tc
start "TrueCrypt" /MIN "C:\Program Files\TrueCrypt\TrueCrypt.exe" /v %TCFILE% /k "%USERPROFILE%\entropy.dat" /l U /a /q /m rm /m ts
start "" notifu /m "TrueCrypt drive U was mounted successfully from file %TCFILE%" /p "Secure drive mounted" /d 5000 /i "C:\Program Files\TrueCrypt\TrueCrypt.exe"
start "" /MIN "C:\Program Files\TrueCrypt\TrueCrypt.exe" /q background
endlocal

Feel free to use it and adapt it to your needs !

I found a detailed explanation of the MSCASH format. Here is how you make your own MSCASH hashes to do close to reality benchmarks of your favourite password cracking tool.

The format is MD4(MD4(password) + username). password and username are in Unicode. In the explanation linked above, we have the classical "user" and "password" combination. Using notepad, type your password. Save the file using Unicode format. The first two bytes of the file will be FF and EF, a flag called the byte order mark (BOM). Delete them using an hexadecimal editor. It should look like this :

Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
00000000  70 00 61 00 73 00 73 00 77 00 6F 00 72 00 64 00  p.a.s.s.w.o.r.d.

Now calculate the first hash with openssl, with a binary output :

openssl dgst -md4 -binary password.unicode.txt > md4.password

Type and save your user name in Unicode format, remove the BOM, and concatenate the Unicode user name to the first hash.

copy /b md4.password + user.unicode.txt md4.password.user

The file should look like this (the first 16 bytes is the md4 hash of the password) :

Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
00000000  88 46 F7 EA EE 8F B1 17 AD 06 BD D8 30 B7 58 6C  ˆF÷êî.±...½Ø0·Xl
00000010  75 00 73 00 65 00 72 00                          u.s.e.r.

Now just hash that last file, again with openssl :

openssl dgst -md4 md4.password.user
MD4(md4.password.user)= 2d9f0b052932ad18b87f315641921cda

You can now use that MSCASH hash for your benchmarks. I hope you find it usefull. I might write a program in C to automate this, If I see good traffic on this post. Spread the word !

If you have access to security.xml and need to know the passwords it contains, compile and run this tool. It supports :

• Encoded passwords on the command line (as many as you like)
• Passwords piped in (default if no arguments are passed)
• With or without the leading {xor}
• It builds with Visual C++ and GNU g++ (tested with mingw32 version only)
• A crude but working parsing so you can pipe the result of a grep, like this :
  grep -i password security.xml | waspass

You can get the source from my Subversion server with this command :

svn co http://src.paralint.com/spikes/waspass/trunk waspass

I am also posting the full source inline, just to show off that cool javascript code parser I just installed…

Update:With WebSphere v5, you can acheive the same result with IBM’s own classes

Eric Haszlakiewicz, of SwapSimple.com, found a way to acheive the same result with the server’s own Java classes. Here it is :

cd /opt/WebSphere/AppServer/lib

../java/bin/java -cp securityimpl.jar:iwsorb.jar com.ibm.ws.security.util.PasswordEncoder secret
../java/bin/java -cp securityimpl.jar:iwsorb.jar com.ibm.ws.security.util.PasswordDecoder '{xor}LDo8LTor'

#include <stdio.h>
#include <string.h>

// get those 2 functions from
// http://src.paralint.com/spikes/waspass/trunk/waspass/base64.c
extern "C" int base64_init(void);
extern "C" int base64_decode(char *d, unsigned dlen, const char *s);

int decode_password(char *encoded_password);

//Cass decode_password, reading from the command line or stdin
int main(int argc, char* argv[])
{
	printf("Reverses WebSphere XOR password encoding.\n");
	printf("http://www.paralint.com/\n\n");

	base64_init();

	//Should we parse stdin
	if(argc == 1)
	{
		char line[2048];
		while(!feof(stdin))
		{
			fgets(line, sizeof line, stdin);
			decode_password(line);
		}
	}
	//Or read encoded passwords from the command line ?
	else for(int i=1; i<argc; ++i)
	{
		decode_password(argv[i]);
	}

	return 0;
}

//Takes an encoded password like KzY4Oi0= and outputs the original password
//Supports minimal parsing: a password is the text between } and " (quote)
//either are optionnal and will be replaced by begining or end of line if
//missing
int decode_password(char *encoded_password)
{
	char *p;
	char encoded[1024];

	//naive remove the {xor} flag if present
	p = strchr(encoded_password, '}');
	if(p) ++p; else p = encoded_password;

	//naive truncate of the string
	strtok(p, "\"");

	printf("%s ", p);
	base64_decode(encoded, sizeof encoded, p);
	p = encoded;

	//stop at the trailing quote, allowing a brutal pipe from grep
	while(*p && (*p != '\"'))
	{
		putc(*p++ ^ '_', stdout);
	}

	printf("\n");

	return p - encoded;
}

A friend of mine wanted a special group of users to be able to unlock a workstation without losing any data. Putting those uses in the administrator groups was not a solution, because the default behaviour of Windows was to close or terminate every process and give the administrator a brand new session. Fast user switching added some tricks, but in the end there was no way to recover an open document with modifications in it from a locked Windows workstation.

The project has its own page now. If you are a computer historian, read on for the original first release.

He asked me if I could write a screen saver to do this, but the answer was a little deeper under the hood, and a lot more fun. I wrote a replacement Graphical Identification and Authentication DLL (GINA DLL) that hooks the standard Microsoft Windows Gina DLL of Windows XP and Windows Server 2003. It also supports Terminal services sessions. It allows you grant members of a group (any group) to unlock any user’s session. No need to be an administrator. Any user can unlock now (Aucun).

Microsoft replaced GINA DLLs with credentials providers (ICredentialProvider), somewhat like the Solaris pluggable authentication modules PAM. This Gina DLL will never work in Vista, by design.

Turns out it is pretty easy. You can get the source code and a compiled binary here. I recommend that you don’t trust me with your password and work with the source. Anonymous Subversion access with this command

svn co http://src.paralint.com/aucun/trunk aucun

I started with the Gina Hook sample from the SDK, and added support for terminal services. Then I stripped away all the unnecessary hooks and updated the dialog detection code. A few registry calls later and some basic group membership checking later was all that was needed.

To allow any user from any given group to unlock a Windows session, you have to:

1. Hook every function of the regular Gina, msgina.dll
2. Export every function yourself, forwarding them all to msgina.dll as is except for WlxNegotiate and WlxInitialize
3. In WlxInitialize, hook the Windows provided function WlxDialogBoxParam (so msgina.dll will call your DLL when it creates a dialog box)
4. In your version of WlxDialogBoxParam, let everything go through except requests to create the unlock dialog
5. Hook the DLGPROC and wait for WM_COMMAND with wParam == IDOK
6. Check the user’s password (LogonUser with LOGON32_LOGON_UNLOCK)
   • If it doesn’t match, let the call go through the regular GINA
   • If it matches, and the user is part of the group you want to be able to unlock (CheckTokenMembership), call EndDialog with IDOK
   • It it matches and the user is not in the group you want to be able to unlock, let the regular GINA handle it

That’s about it. The third bullet of item 6 is actually what will happen most of time. The same user that locked its station comes back and enters a password that matches, but that regular user is not part of the unlock group. MSGINA.DLL handles it and unlock the session as usual. (UPDATED january 8th 2008 ->) If you audit logon events, succesfull or failed, they will be logged under the name of the person unlocking the session, not the original user. It is a deterrent measure only, it will not give you non-repudiation of actions made after the session was unlocked.

I insists there is no need for the users to be members of the administrators group for this to work. With my implementation, you merely set a registry key with the name of the group you want to use. Add any user(s) or group(s) to this group.

HKEY_LOCAL_MACHINE\SOFTWARE\Paralint.com\Aucun"GroupName"="paralint.com\DG_SESSION_UNLOCKERS"

I might add a blacklist feature, so that members of the the administrative group can never be unlocked. It is not hard to do. If I see interest in this project, I write it happen.

The code is all plain old, good old C. Function pointers, hooked procedures. All the fun stuff .Net hides from you Remember: Gina were introduced in Windows NT 3.51, some 15 years ago. And yes, I was already a Windows programmer back then…

No mapping between account names and security IDs was done

It would have happened with a Windows Station handle (HWINSTA) also. It turns out there is a sensible and documented reason for that. But since I had to found out the hard (as in fun) way, I am posting it here.

If you are familiar with the ways SID (security identifiers) are handed out when you logon, here is the reason straight up :

The SID associated with desktops and window stations is not the SID of the logged on user, but the logon SID, a SID generated at logon time that identifies exactly and only this logon session. No account name is mapped to this transient SID, hence the error message.

Still confused ? Read on.

Security descriptor crash course

Consider this : you open a remote desktop connection (terminal server) to a server and log in. You have a logon session on that machine. Keeping that session alive, you walk up to the server and log-in again, interactively. You now have 2 logon sessions on that machine. How does windows prevents one session from interfering with the other?

Well, security is always about assigning security descriptor (SECURITY_DESCRIPTOR) to things. A security descriptor is a discretionary access control list (DACL) made up of access control entries. Each ACE is a combination of allowed or denied access rights for a SID. A System Access Control list (SACL) that controls auditing and a few flags are also present, but it doesn’t matter to us now. So each desktop and window station (and any other object for that matter) are assigned something like this :

So we have a security descriptor, what will we use to authenticate against ? Our process or thread token, of course.

You are your logon session (any of them)

A token is like a conceptual pointer to a logon session. That logon session contains a unique logon identifier (LUID), the users SID and another SID, generated on the fly, that uniquely identifies a particular logon session. Here is a schematic view of the logon sessions and their SID:

You can see that the user SID is the same in the two logon sessions, but the Logon SID is different. Only the User SID is mapped to the principal (Alice in this example).

Keith Brown has a tool that lets view and change the security descriptor of the current window station and desktop. Running this tool (in the logon session with logon SID S-1-5-5-0-218443) shows this:

To prevent one window station from interfering with the other, Windows uses the granularity of the security API to its advantage (who wouldn’t?). Processes and threads from each logon have a token pointing back to the logon session they were started from. The desktop and window station are assigned a security descriptor that doesn’t grant or deny any rights to the users SID. Rights are granted to the logon SID.

What about my 0×534 error code?

For a reason I don’t really understand, the logon SID is not granted any name. When you crawl you way from a HDESK or (HWINSTA) handle, using GetUserObjectInformation and LookupAccountName, you will get error 0×534. It says "No mapping between account names and security IDs was done" because there never was a mapping of the logon SID with a name to begin with!

Start by reading the exam blueprint here. All the links below are shown in hyperlink and in full text, so you can study with only a printed version of this page.

This page is probably not enough to pass the test. You won’t get by just by learning everything here by heart. But it will help you get your study started and quickly find the areas you need to focus on.

There are topics I do not cover. It’s not because they are not important, it’s just that I skipped over the stuff I was most familiar with. It doesn’t mean it’s not important !

Good luck …

UPDATE : I passed the exam, I am a certified GIAC Secure Software Programmer for Java ! That means that I have more letters to put after my name than my name contains

Task 1 : Input Handling

1.1.1 Input Validation Principles

That one is easy : trust no one. Any data has to go through some verification before it trusted to move along. The close you get to core, the more check should be applied. It’s better to do a little verification, each adding more trust to the input, all the way down to the core of your application (like the database).

1.1.2 Input Validation Sources

1.1.3 Input Validation Techniques

Regular expressions : http://java.sun.com/docs/books/tutorial/essential/regex/char_classes.html

Quantifiers apply to single characters, character classes (including predefined ones) and capturing groups.

Task 2 : Authentication & Session Management

1.2.1 When to Authenticate

1.2.2 Authentication Protection

1.2.3 Session Protection

1.2.4 Authentication Techniques

JAAS : Try the book Core Security Patterns, from page 197

JAAS Defines a Subject (javax.security.auth.Subject) that is a container for one or more Principals (java.security.Principal). A principal is a name that is bound to a Subject. JAAS handles authentication. It can also handle authorization.

JAAS is three things :

1. Common classes (Subject and Principal),
2. Authentication classes (LoginContext, LoginModule, Configuration and CallbackHandler),
3. Authorization classes (Policy and a few others).

A client will instanciate a LoginContext. That LoginContext will read the configuration and instanciate the required LoginModules (more on that next). Each LoginModule will create a set of callbacks used to interact with the user (through the CallbackHandler). Here is a collaboration diagram that helped me. It shows a configuration with only one username-password logon module.

The method Subject.doAs will associate the Subject and the Action with the current access control context. Subject.doAsPriviledge will associate the Subject and the Action to a specific access control context.

The LoginContext enforces the required, requisite, sufficient and optional flags assigned to each LoginModule in the configuration file. It will process them according to their authentication flags, as describe in this table :

1.2.5 Authentication responsibilities

I wasn’t sure where to put the web.xml stuff. It’s on the exam, since this section talks about maximum session length, it thought this would be the place for it. Here is a hierarchy of the security related tags in web.xml

WEB.XML : http://edocs.bea.com/wls/docs61/webapp/web_xml.html

security-constraint
pattern
method
auth-constraint
role
user-data-constraint
NONE, CONFIDENTIAL or INTEGRAL. (None is nothing, the other two will get you SSL)
login-config
auth-method (BASIC, FORM, CLIENT-CERT)
real-name (optionnal)
form-login-config
security-role (just a name a description)

What’s wrong with BASIC authentication ?

• The password is in the clear (actually, base 64 encoded)
• There is no way to log out !

Even if you did log out the user by destroying its session, it would be recreated at the next call because the browser caches the credentials and sends them with every request.

By default, the session never times out. You need to set it (in seconds) in the session-config/session-timeout tag

Always specify CONFIDENTIAL or INTEGRAL if your auth-method is CLIENT-CERT. The latter will get you HTTPS for authentication only. But if you HTTP server can serve content to/from your application and you forgot to set this, you might get redirected to a regular HTTP session where your session cookie could be stolen.

Task 3 : Access Control (Authorization)

1.3.1 Restricting Access To Resources

1.3.2 Restricting Access To Functions

1.3.3 Declarative Access Control

A full fledge J2EE application will have these configuration files for security : application.xml, web.xml, ejb-jar.xml and ra.xml. An EAR file can contain any number of those, and each can be package on its own. Most (if not all) implementation will have another xml file alongside the standard files to do implementation specific stuff.

1.3.4 Programmatic Access Control

There are two things you can do and to ways to get them depending on the context (web application or enterprise java bean) you are in. This table sums it up :

Remember that when you get to those methods, the Subject has already been authenticated (by whatever means). So get the identity of the caller has nothing to do with authentication. At this point, it’s identification.

1.3.5 JAAS

It’s already covered in section 1.2.4 !

Task 4 : Java types & JVM Management

1.4.1 java.lang.String

String literals : http://www.janeg.ca/scjp/lang/strLiteral.html

1.4.2 Integer and Double overflow

Integer overflows : http://www.phrack.org/archives/60/p60-0x0a.txt
Double overflows : http://www.javacoffeebreak.com/books/extracts/javanotesv3/c9/s1.html (scroll down, its at the bottom)

Integers wrap to negative values if they are signed, or to 0 if they are unsigned. Having an integer wrap around could cause anything from a array out of bounds exception to allowing a runtime access check to succed.

Java Double does not “wrap around” to negative values. Instead, they are represented by special values that have no numerical equivalent. The values Double.POSITIVE_INFINITY and Double.NEGATIVE_INFINITY represent numbers outside the range of legal values

1.4.4 ArrayList vs Vector

I will have to check this one out myself… It boils down to this, but apart from the first item (synchronization), opinions differs.

1. Arraylist is not synchronized while vector is.
2. Arraylist increment it’s size by half the initial capacity, Vector increments by the full capacity each time.
3. Arraylist can be seen directly without any iterator while vector requires an iterator to display all it’s content. (not very sure).
4. Vector works with a 1.1 JVM.

1.4.5 Class security

Accessibility Modifiers : http://java.sun.com/docs/books/tutorial/java/javaOO/accesscontrol.html

That’s rather easy… And its a duplicate of topic 1.9.1 !

Serialization : http://www.onjava.com/pub/a/onjava/excerpt/JavaRMI_10/index.html?page=3, http://java.sun.com/developer/technicalArticles/ALT/serialization/

It has be done properly. It can be abused to get around a Singleton requirement, clone an object that refuses to be cloned or to get to private data inside a class.

Fields with the transient keyword will not be serialized. But you can control what will be serialized with ObjectStreamField. It takes precedence over transient fields.

Cloning : http://java.sun.com/javase/6/docs/api/java/lang/Object.html#clone()

That’s straight from the horse’s mouth, as my mother used to say. Clone does only a shallow copy.

Inner classes : http://www.cs.umd.edu/~pugh/java/SecureInnerClasses.pdf

Inner classes are not supported (or understood if you prefer) by the JVM. It was to allow for a JVM 1.0 to work with code that had inner classes. The problem is that inner classes are given package level visibility. Inner classes are just a compile time trick. If you add a malicious class to the package (see 1.9.2), it can call private methods on your inner class.

1.4.6 Code Privileges

Policy file : http://java.sun.com/j2se/1.4.2/docs/guide/security/PolicyFiles.html#FileSyntax

Before performing a sensitive operation, the SecurityManager determines the operation’s identity and whether it can be performed in its security context.

The SecurityManager is enable by specifying -Djava.security.manager on the JVM command line (it may be buried deep down in your J2EE application server). It is not enabled by default, except for applets or web start applications.

The class loader is responsible for locating and fetching the class file, consulting the security policy, and defining the class object with the appropriate permissions. There is by default a single system-wide policy file, and a single (optional) user policy file. You always get a union of all the policy, unless you specify a policy file with == (instead of =).

Code security is based on protection domains. A protection domain is the combination of classes, grants and permissions. There are two types of protection domains :

• System domain : files, sockets and everything having a foot in the native world
• Application domain : classes and objects (instances of classes)

The ClassLoader puts classes it loads in a protection domain and it stays there. You cannot change protection domains at runtime.

A SecurityManager uses a policy file, that has grant entries based on any combination of codebase, signed by or Principal. If there are multiple principals on a single grant entry, a Subject must have every principal.

Task 5 : Application Faults & Logging

1.5.1 Exception Handling

1.5.2 Logging

1.5.3 Configuration of Error Handling

Error pages : http://edocs.bea.com/wls/docs61/webapp/web_xml.html#1017571

In WEB-INF\web.xml file, you can configure what page is used when an error occurs, like 404 (not found) or 500 (Server Error) or a specific Exception bubbles back up to the web container. The location of the page is relative to the root of your web application.

   <error-page>
      <error-code>404</error-code>
      <location>/404error.html</location>
   </error-page>
   <error-page>
      <error-code>500</error-code>
      <location>/500error.html</location>
   </error-page>
   <error-page>
      <exception-type>javax.servlet.ServletException</exception-type>
      <location>/ExceptionHandler.jsp</location>
   </error-page>

Task 6 : Encryption Services

1.6.1 Communications Encryption

You configure SSL (JSSE) using a keystore. Both the client and the server have their own, independent keystores (assuming their both written in Java). They also have another keystore, called a truststore, that holds the public key certificates of any number of trusted root certificate authorities (root CA). Messing up the truststore will get you the dreaded pop-up saying the certificate cannot be trusted.

A server-side keystore (the end that waits for a SSL connection, like a HTTPS web server would). :

• Has at least one private key, protected by a password
• The password can be in a configuration file or entered at startup (that’s implementation dependent)
• The private key is used to issue a server certificate, from which a certificate signing request is generated and sent to a root CA the client trusts (although you will much likely trust it yourself).
• The CA signs the server certificate and it is installed in the keystore

A client-side keystore is used to hold a private key that could be used to authenticate with a server. It is optional and rarely used for end users. For this to work, you must have :

• In the client keystore a certificate corresponding to the private key you hold.
• That certificate issued by a root CA the server trusts (although you will much likely trust it yourself).
• The password (or other authentication) to decrypt that private key you hold.

About truststores : Java comes with a keystore called cacerts that contains public key certificates of all the major root CA in the world, and then some. So having a client root CA trusted by the server (or vice-versa) is rather easy if you’re willing to spend the money. If not, you can set up your own root CA and add that CA’s certificate to the truststore at both end.

The following table summarize what goes on at both ends of an SSL connection programmatically, with or without a client certificate.

1.6.2 Encryption of Data at Rest

There is two API, because of extensibility and export regulation. Every Java installation has the Java Cryptography Architecture (JCA). Not to be confused with the Java Connector Architecture, also referred to as JCA. The Java Cryptography Architecture contains classes able to do the following :

• Message Digest algorithm (MD5 and SHA-1)
• Key pair generation (for DSA only)
• Key store manipulation (JKS only)
• Digital signature (again, for DSA only)
• Cryptographic strength random number generator

Pretty much everything else is in JCE. You can have has many providers as you like, of any algorithm you like that can perform these cryptographic operations :

• Symmetric key generation
• Symmetric key encryption (from weak like DES to unlimited AES-256 and up)
• Password based encryption (PBE or sometimes PBKDF2)
• Message authentication codes (MAC, a symmetric key signature)
• PKCS11 support (hardware cryptographic device such as smart cards)

The graphic below is taken from the book Core Security Patterns.

You can serialize an object in an encrypted form, you create a CipherOutputStream and use it with a ObjectOutputStream.

Task 7 : Concurrency and Threading

1.7.1 Race Conditions

1.7.2 Singletons & Shared resources

Singleton pattern : http://www.javacoffeebreak.com/articles/designpatterns/index.html

A singleton is any regular class that has these particular implementation features

• It has an empty, private constructor
• It has a public static synchronized method that returns the unique instance of the object (say MyClass.getSingleInstance())
• It creates an instance of itself on the first call to the accessor method (MyClass.getSingleInstance())
• Implements a clone() method that always throw a CloneNotSupportedException

But you can bypass a singleton class by serializing the object to a temporary stream and back to another instance of it. See 1.4.5

Task 8 : Connection Patterns

1.8.1 Parameterized Queries/Prepared Statements

1.8.2 Output Encoding

HTML Output Encoding : http://www.owasp.org/index.php/How_to_perform_HTML_entity_encoding_in_Java

There is no standard way to do HTML output encoding. The characters to watch out for are < > / ‘ &, but OWASP suggest to encode everything that is not a a letter or digit.

Use output encoding when you are sending back data you got from a client, even if you validated it on its way in. There were double decode bugs in the past…

Task 9 : Miscellaneous

1.9.1 Class/Package/Method Access Modifiers

Accessibility Modifiers : http://java.sun.com/docs/books/tutorial/java/javaOO/accesscontrol.html

Here is the duplicate of topic 1.4.5 !

1.9.2 Class File Protection

JAR sealing : http://java.sun.com/developer/JDCTechTips/2001/tt0130.htmlg

JAR sealing prevents classes defined anywhere other than the original JAR to see public methods of that original JAR. Someone could create a class with the same package name as yours and call your public methods and break things.

• Sealing is off by default (packages are not secured by default)
• You can apply RuntimePermissions to a policy file with accessClassInPackage and defineClassInPackage, but default classloaders don’t enforce them !
• In java.security (located in ${JAVA_HOME}/jre/lib/security) you can protect classes with package.access and package.definition
• Class visibility is package by default
• java.* has its seal hardcoded in the classloader.
• You put the Sealed: true directive in the manifest (META-INF/MANIFEST.MF)

1.9.3 JAVA EE Filters

Writing servlet filters : http://javaboutique.internet.com/tutorials/Servlet_Filters/index.html
The essentials of Filters : http://java.sun.com/products/servlet/Filters.html

A J2EE Filter is applied to a servlet, not an Enterprise Java Bean (EJB).

• They are configured in web.xml.
• They can read, modify or block requests and responses to/from a servlet.
• They cannont filter arbiratry request (for example, a request to an image).
• Any number of filters can be applied to any number of servlets
• Security roles do not apply to Filters

But I have an assignment where the client configuration cannot be changed. The client rejects certificates from non-trusted CA and I cannot add Portswigger’s certificate to the trusted roots. I went looking for an open source HTTPS mitm proxy, hoping I could recompile it to use a trusted certificate that I have in hand.

Paros proxy fits the bill. Here is how you can change Paros proxy’s man-in-the-middle certificate for your own using keytool, openssl, and jar.

First of all, Paros certificate is the file ./resource/paroskey. It is a JKS keystore and it’s password is “!@#$%^&*()”, without the quotes (the password is in the source code, I am not revealing any secrets). Extract it with this command :

jar xvf paros.jar resource/paroskey

You can view the certificate using this command (you might have to escape some characters for it to work on your platform) :

keytool -list -v -keystore resource/paroskey -storepass "!@#$%^&*()"

If something goes wrong, you can type that command and compare the original and the new certificate. Run it from after each keytool operations if you want to follow what is going on in there.

To keep it as simple as possible, I will simply replace the paroskey file with my own certificate, using the same alias and password that is hardcoded. It will allow you to do the same without the need to use the java SDK. Ok, maybe just keytool.

Now, you have to get your hand on a certificate. I suggest using your own certificate authority (CA) to start and play with the proxy right away. This page is perfect for this. It even works well on Windows with cygwin. A better setup would be to have a test CA in your company or lab that would sign your certificates. I also packaged the two sample certificate files I refer two in this article in a zip file.

So if you have your CA public key in a file named ca-cert.pem, copy it to the local directory and import it in your brand new keystore with this command :

keytool -import -trustcacerts -alias "my-ca" -file ca-cert.pem -keystore resource/paroskey -noprompt -storepass "!@#$%^&*()"

Now you must choose the hostname of your proxy. It doesn’t have to match any DNS record, but if you want your setup to be warning-free, make them match. I choose mitm.paralint.com, and I delete the old certificate and generate a new private key with those two commands :

keytool -delete -alias paros -keystore resource/paroskey -storepass "!@#$%^&*()"

keytool -genkey -keyalg RSA -alias paros -keystore resource/paroskey -storepass "!@#$%^&*()" -keypass "!@#$%^&*()" -dname "CN=mitm.paralint.com" -validity 720

Adjust the validity period to your needs, but do not change the alias or passwords. Now create a certificate signing request with this command :

keytool -certreq -v -alias paros -keystore resource/paroskey -storepass "!@#$%^&*()" -file mitm.paralint.com.csr

Hand over the mitm.paralint.com.csr file to your CA. If you are using the CA suggested above, initialize it with make init, copy the csr file in that same directory as the makefile and type make sign.

Your CA will send you back a signed certificate (mitm.paralint.com.cert). It must be in DER format to be imported in the JKS keystore. If it is not (like if you are using the CA mentionned above), type this command to convert it :

openssl x509 -in mitm.paralint.com.cert -out mitm.paralint.com.der -outform DER

Now import that DER encoded certificate in a JKS keystore with this keytool command :

keytool -import -v -alias paros -file mitm.paralint.com.der -keystore resource/paroskey -storepass "!@#$%^&*()" -storetype JKS

All this work has got you a certificate with a hostname you selected, in a keystore that can be used as a drop-in replacement for Paros built-in hardcoded keystore. Use your favorite tool for this or keep reading if all you have is the jar utility.

Replace the old keystore with the new one in paros.jar with this command (backup paros.jar before, just in case…) :

jar uvf paros.jar resource\paroskey

That’s all there is to it ! Your Paros proxy will now show mitm.paralint.com as it’s hostname. Remember that to be completely warning free, you must trust the root CA. If it’s not already there, import the root CA public key certificate in your browser.

So I made one. I tested on a Windows Server 2003 with ASP.NET version 2.0. I used wfecth as client to be sure of what was going on. Not every configuration makes sense in real life, but I included it for completeness. HTH !

ps : Actually, NETWORK_SERVICE is the account the application pool is running under.