Core Security Patterns Weblog

In a typical Single Sign-On (SSO)/Federation scenario using SAML, the Service Provider (SP) initiates the user authentication request using SAML AuthnRequest assertion with an Identity Provider (IDP). The IDP authenticates the principal and returns a SAML AuthnStatement assertion response confirming the user authentication. If the user is successfully authenticated, the SP is required to have the subject’s profile attributes of the authenticated principal for making local authorization decisions. To obtain the subject’s profile attributes (ex. organization, email, role), the SP initiates a SAML AttributeQuery request with the target IDP.  The IDP returns a response SAML AttributeStatement assertion listing the name of the attributes and the associated values.  Using the subject’s profile attributes, the SP can perform authorization operations.

Ofcourse, it looks simple…here is the complexity – Last two weeks I spent on building a Proof-of-Concept that conforms to HSPD-12 Back-end Attribute Exchange specifications and SAMLv2 Attribute Sharing Profile for X.509 Authentication based systems (Both specifications are mandated as part of Federal Identity, Credential and Access Management (ICAM) initiative of Federal CIO Council).  I had been experimenting with an Identity Federation scenario that makes use of Smartcard/PKI credentials – Card Authentication Key (CAK)/X.509 Certificate on a PIV card authenticates a PKI provider (using OCSP) and then using its X.509 credential attributes (Subject DN) for looking up off-card user attributes from an IDP (that acts as an Attribute Authority). The IDP provides the user profile attribute information to the requesting SP. In simpler terms, the SP initiated X.509 authentication directly  via OCSP request/response with a Certificate Validation Authority (VA) of a Certificate Authority (CA). Upon successful authentication, the SP  initiates a SAML AttributeQuery to the IDP (which acts as an Attribute Authority), the SAML AttributeQuery uses the SubjectDN of the authenticated principal from the X.509 certificate and requests the IDP to provide the subject’s user profile attributes.

Using Fedlet for SAML X.509 Authentication based Attribute Sharing

SAML Attribute Exchange for X.509 based Authentication

Fedlet is a lightweight SAMLv2 based Service Provider (SP) implementation (currently part of Sun OpenSSO 8.x and sooner to be available in Oracle Identity Federation) for enabling SAMLv2 based Single Sign-On environment. In simpler terms, Fedlet allows an Identity Provider (IDP) to enable an SP that need not have federation implemented. The SP plugs in the Fedlet to a Java/.NET web application and then ready to initiate SAML v2 based SSO authentication, authorization and attribute exchanges.  A Fedlet installed and configured with a SP can set up to use multiple IDPs where select IDPs can acts as Attribute Authorities. In this case, the Fedlet need to update its configuration with the IDP Metadata configuration (such as entity ID, IDP Meta Alias, Attribute Authority Meta Alias – same as IDP ). In addition, the Fedlets are capable of performing XML signature verification and decryption of responses from the IDP must identify the alias of signing and encryption certificates.

Here is the quick documentation, which I referred  for putting together the solution using Fedlets for SAMLv2 Attribute Sharing for X.509 based authentication scenarios. In case, if you want your Service Provider to use OpenSSO for PIV/CAC based certificate authentication, you may refer to my earlier entry on Smartcard/PKI authentication based SSO (Using OpenSSO). Besides that you should be good to test-drive your excercise. Ofcourse, you can use Fedlets for Microsoft .NET service providers but it was’nt in my scope of work !

In case of SP requiring to fetch multiple user profile attributes you may also choose to use SPML based queries (SPML Lookup/Update/Batch Request/Response) to an Identity Manager (acting as Attribute Authority) – assuming it facilitates an SPML implementation). If you are looking for a solution that requires user profile attributes after a single-user X.509 authentication, then SAML Attribute query should help fetching a single user profile of an authenticated principal !

Java EE 6 RI was released few weeks ago….I am bit late to have my first look   Without a doubt, the new Web container security enhancements are very compelling for any budding or experienced Java developer working on Web applications. The Java EE 6 has unveiled several new security features with ease of use and targetted for simplified Web application security deployments. Based on Servlet 3.0 specification, the Java EE 6 Web applications can take advantage of an enriched set of programmatic and declarative security features and Security annotations previously available to EJB 3.x applications. Also, the deployed Web applications/Web Services can use JSR-196 based pluggable authentication/authorization modules (based on SOAP Web Services) that can be configured as part of the Servlet container.

 Java EE 6 : Programmatic Security for Web Applications

The newly introduced Java EE 6 programmatic security features for Web applications are represented by the following methods of HttpServletRequest interface:

1. authenticate()

• This method helps to initiate authentication of the calling user by launching an authentication dialog for acquiring username/password and perform BASIC authentication by the container within an unconstrained request context.

import java.io.*;
import javax.servlet.*;
import javax.servlet.http.*;

public class MyAuthServlet extends HttpServlet {

protected void processRequest(HttpServletRequest request, HttpServletResponse response)

                     throws ServletException, IOException {

            response.setContentType(“text/html;charset=UTF-8″);
            PrintWriter out = response.getWriter();

   try {

     //Launch the BASIC authentication dialog
                request.authenticate(response);
                     out.println(“Authenticate Successful”);

            } finally {

                          out.close();

         }

          public void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {

                   processRequest(request, response);

        }

           public void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {

                processRequest(request, response);

          }

}

2. login() and logout ()

• The login() method allows to programmatically collect with the provided username/password credentials (as an alternative to FORM-based authentication) and perform user authentication.
• The logout() method performs logging out the user and resets the context.

 
import java.io.*;
import javax.servlet.*;
import javax.servlet.http.*;

public class MySecurityServlet extends HttpServlet {

protected void processRequest(HttpServletRequest request, HttpServletResponse response)

                                                   throws ServletException, IOException {

   response.setContentType(“text/html;charset=UTF-8″);
   PrintWriter out = response.getWriter();

   try {

              String myUsername = request.getParameter(“UserName”);
             String myPassword = request.getParameter(“Password”);

           try {

                 request.login(myUsername, myPassword);

                   } catch(ServletException ex) {

                            out.println(“Login Failed” + ex.getMessage());

              return;

     }

    }   catch (Exception e) {

                 throw new ServletException(e);

            } finally {

                request.logout();
              out.close();

             }

     }

      public void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {

             processRequest(request, response);

        }

      public void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {

              processRequest(request, response);

      }

}

The above code assumes the authentication is configured to BASIC by setting the login-config element in web.xml. If the authentication is the successful, the Web application can take advantage of the following methods in the HttpServletRequest interface to identify the remote user, role attributes and to perform business logic decisions.

3. getRemoteUser()

• Determines the authenticate username of the remote user associated with the request. If no authentication occured, it will return a null value.

4. IsUserInRole(..rolename..)

• Determines whether the authenticated user is in a specified security role. If the user is not authenticated, it returns false.

5. getUserPrincipal()

• Determines the principal name that represents the authenticated user entity (name of the remote user) and returns a java.security.Principal object corresponding to the user.

Here is my sample code that I tested it on Glassfish v3 (Developer Sample):

import java.io.*;
import javax.servlet.*;
import javax.servlet.http.*;
import javax.servlet.annotation.WebServlet;
import javax.annotation.security.DeclareRoles;

  //Annotation for defining the Servlet name and its URL pattern
  @WebServlet(name=”MySecurityServlet”, urlPatterns={“/MySecurityServlet”})

  // Annotation for declaring roles
   @DeclareRoles(“securityguy”)

public class MySecurityServlet extends HttpServlet {

              protected void processRequest(HttpServletRequest request, HttpServletResponse response) 

                                   throws ServletException, IOException {

                                     response.setContentType(“text/html;charset=UTF-8″);
                                     PrintWriter out = response.getWriter();

               try {

                                    String myUsername = request.getParameter(“UserName”);
                                    String myPassword = request.getParameter(“Password”);

              try {

                                   request.login(myUsername, myPassword);

                                  }      catch(ServletException ex) {

                                   out.println(“Login Failed” + ex.getMessage());

                                   return;

                   }

                                              out.println(“The authenticated user is in Role: ” + request.isUserInRole(“securityguy”));
                                              out.println(“The authenticated remote username: ” + request.getRemoteUser());
                                             out.println(“The authenticated Principal name: ” + request.getUserPrincipal());
                                             out.println(“The authentication type: ” + request.getAuthType());

                   } catch (Exception e) {

                                  throw new ServletException(e);

                }  finally {

                                request.logout();

                                out.close();

             }

   }

       public void doGet(HttpServletRequest request, HttpServletResponse response)  throws ServletException, IOException {

                    processRequest(request, response);

        }

        public void doPost(HttpServletRequest request, HttpServletResponse response)  throws ServletException, IOException {

                   processRequest(request, response);

      }

}
 

To test the code, it is assumed that you have the Java EE runtime deployment descriptor include the appropriate role mapping that associated the user with the specified role-name.

Security Annotations for the Web Applications

With Servlet 3.0 implementation, we would able to use standard Java annotations for declaring security constraints as equivalent to those defined in a standard Web deployment descriptor (web.xml). With Security annotation you should able to define roles, access control to HTTP methods, transport-layer protection (for enforcing SSL/TLS). To make use of security annotations in Servlets, Servlet 3.0 has introduced @ServletSecurity annotation to support defining security constraints.

Using @ServletSecurity

The @ServletSecurity annotation allows to define the security constraints as its fields:

1. @HttpConstraint  – Used as a field of @ServletSecurity to specify roles to all methods and ensure transport-layer security)
   • ex.  @ServletSecurity(@HttpConstraint(rolesAllowed={“customer”})) - Ensures all HTTP methods (GET, POST, TRACE) are protected and access is allowed to security role “customer”.
   • ex. @ServletSecurity(@HttpConstraint(transportGuarantee=ServletSecurity.TransportGuarantee.CONFIDENTIAL)) – Ensures all methods require SSL transport
2. @HttpMethodConstraint (Applied to define methods ex. GET, POST, TRACE)
   • ex. ServletSecurity(value=@HttpConstraint(httpMethodConstraints={ @HttpMethodConstraint(value=”POST”, transportGuarantee=ServletSecurity.TransportGuarantee.NONE, rolesAllowed={“customer”}) })  – Ensures only authenticated users with security role is allowed to access HTTP POST method and transport-layer security/SSL is supported but not required.
3. @DeclareRoles (Allows to define security roles)
4. @RoleAllowed (Allows to define authorized roles)

Here is a quick usage scenario of @ServletSecurity annotation (Developer Sample):

 import java.io.*;

 import javax.servlet.*;

 import javax.servlet.http.*;

 import javax.annotation.security.*;

 @DeclareRoles("customer","guest")

 @ServletSecurity(@HttpConstraint(rolesAllowed={"customer"}))

 public class MyHelloWorld extends HttpServlet {

     public void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {

    PrintWriter out = response.getWriter();

    out.println("Hello World");

  }

  public void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {

    response.setContentType("text/html");

    PrintWriter out = response.getWriter();

     out.println("Hello World");

     out.close();

  }

}  

Sometimes, it’s the small things that make even complex things much easier. Way to go…Java EE 6 ! 

Here is couple of references, you may consider to explore Java EE 6:

Java EE 6: New Enhancements

Glassfish v3/Java EE 6 Sample Applications

Enjoy

The untold reality is ….when your Web application on the DMZ hits the Internet… the colorful performance graphs/numbers does’nt mean anything !  Unless your performance guru in the lab captured the QoS requirements and realized it proactively and accounted its actual overheads associated with Security, Network bandwidth, High-availability and other mission-critical requirements.  Otherwise…performance is the nagging issue that every datacenter guy gnaws…. when an application bloats up with its cryptograhic shields such as SSL  and WS-Security and then goes into production.   If you are one of them in the datacenter, who is pulling the hair out on Security performance issues and compelled to meet the SLA including IT Security and compliance requirements mandating the use of cryptography for securing the exposed application layers  – transport, data and network – Then this Sun solution blueprint should help you for accelerating the real-world performance of Java EE based Web applications (especially Oracle Weblogic) delivering Security ground-up and all WITHOUT  your performance engineer help   :-)

No magic or surprises – The Sun CMT server features On-chip Cryptography and multi-threaded 10GbE networking out of the box – No kidding! If you are curious to know more or seize the power of your Sun CMT servers for security, take a look at the blueprint and also take a look at my previous post highlighting our presentation at Oracle Open World -  Wire-speed Cryptographic Acceleration for SOA and Java EE Security.

I admit that I am not a SOA expert or pretend to be one !  Lately, I had a chance to explore few security features intended for securing XML Web Services and Java EE applications. With my little knowledge to SOA, I found that XML Web services play a vital role in SOA to enable loosely-coupled services and ensuring interoperability. From a security perspective, the core foundation of securing SOA solutions  builds on XML Web Services Security standards and the underlying Java platform (unless you are using Microsoft .NET) . Last two weeks, Chad Prucha and I were test-driving SOA applications using Oracle Weblogic and Oracle Fusion Middleware on a Sun CMT server (T5440) particularly test driving SSL and WS-Security scenarios using WS-Policy/WS-SecurityPolicy standards.  Our primary aim was to take advantage of On-chip Cryptographic acceleration provided by the UltraSPARC T2 processors of the T5440 server supporting the cryptographic mechanisms/cipher suites used by SSL and WS-SecurityPolicy. Believe it or not, it worked as piece of cake…. and the performance numbers were stunningly amazing. The Sun CMT servers (using its on-chip crypto accelerators) cruised on SSL and WS-Security with its cryptographic performance….RSA, AES, SHA2…too long to list here.  If you consider yourself as a SOA enthusiast and have these following questions – Why should we care about Wire-speed Cryptographic acceleration for SOA or J2EE or XML Web Services performance ?  Why it should even be considered in first place ? Is there is any security benefits ?  If you do have those questions, then you may find this blog entry helpful otherwise please ignore.

Wire-speed Crypto Acceleration for SOA Security

Cryptographic operations plays a critical role in securing SOA application components particularly Java EE (formerly J2EE) applications and XML Web services supporting their transport-layer security (SSL) and message-layer security (WS-Security including XML Encryption, XML Digital Signature, WS-Policy, WS-SecurityPolicy) requirements. Adopting to cryptographic techniques helps IT organizations securing critical application infrastructures and adhere to industry-specific regulatory compliance mandates such as PCI DSS, HIPAA, FISMA and so forth.

But using Crypto for accomplishing SOA Message-level and Transport-level security induces significant performance degradation and taxes your CPU, Memory and Network bandwidth.  SOA security experts often resort to using dedicated XML security appliances for delegating CPU intensive cryptographic operations such as Public-key cryptography (ex.RSA, DSA) based encryption and digital-signature, Symmetric-key based encryption (ex. AES, 3DES) to dedicated hardware-based accelarators – Which helps freeing up the main CPU resources and resulting significant performance gains in overall application throughput.  In simpler terms, cryptographic accelerators and HSMs allows offloading computationally expensive  cryptographic functions to dedicated hardware that supports cryptographic algorithms and handle cryptographic operations. Under the hood, the cryptographic functions are usually pushed through PKCS#11 standard interfaces using Solaris Cryptographic Framework (On Solaris) and OpenCryptoki (On Linux), or CryptoAPI framework (CAPI/CNG) in the case of Microsoft Windows environment.  As a result, cryptographic accelerators proven to demonstrate significant gains in SOA application throughput and scalability by reducing the known CPU bottlenecks and related latency issues caused by cryptographic operations.

Over the past year I have become a big fan of Sun CMT Servers — and more specifically its Cryptographic capabilities, which makes it very compelling for delivering ultra-fast security for security sensitive SOA and Java EE applications.

On-chip Crypto Acceleration using Sun CMT Servers

Sun CMT servers are (Based On UltraSPARC T1/T2/T2Plus processors) based on Chip Multithreading Technology – CMT, which introduced on-chip cryptographic acceleration support through a dedicated cryptographic accelerator implemented on each core of the chip (8 Crypto Accelerators/Chip) – referred to as “Niagara Crypto Provider” (NCP). The introductory UltraSPARC T1 processor included a NCP implementation that facilitated public-key cryptographic mechanisms including RSA and DSA algorithms. The latest UltraSPARC T2 and T2+ processors extended more algorithms support by introducing symmetric-key based encryption/decryption mechanisms such as DES, 3DES, AES-128, AES-192, AES-256, RC4, Hashing operations such as MD5, SHA1, SHA256 and support for ECC algorithms (ECCp-160 and ECCb-163). In addition, the UltraSPARC T2 processors provides an on-chip Random Number Generator (N2RNG) to support random number generation operations intended for cryptographic applications. In practice, NCP makes use of Solaris Cryptographic Framework (SCF) for allowing user-level applications to offload their cryptographic operations and in effect the user applications can take advantage of NCP based on-chip cryptographic acceleration.

You had the gist of the story…now I am rushing out to catch the plane to Boston in an hour…… ! Yes, last three days I was attending  Oracle Open World and co-presented with Chad on topic  ”Wire Speed Cryptography for SOA and Java EE applications” - In our presentation, we put together all the concepts and  tried our best to illustrate the applied crypto mechanisms related to SOA security and the secret sauce configuration/deployment of Sun CMT based cryptographic acceleration for delivering wire-speed security performance for SOA and Java EE applications.  You may find the presentation is tailored to Oracle SOA and Weblogic but frankly speaking it applies well to all Java EE based SOA application deployments.

Click here to download the slides

Enjoy the slides for now ! Feel free to ping for questions………all I can promise now… is sooner you will see a detailed Sun Blueprint on this topic ! So please stay tuned.

Last few weeks, I have been pulled into an interesting gig for demonstrating security for _____  SOA/XML Web Services and Java EE applications…. so I had a chance to play with some untold security features of Solaris 10. KSSL is one of the unsung yet powerful security features of Solaris 10.  As the name identifies, KSSL is a Solaris Kernel Module that helps representing server-side SSL protocol to help offloading operations such as SSL/TLS based communication, SSL/TLS termination and reverse-proxying for enduser applications. KSSL takes advantage of Solaris Cryptographic Framework (SCF), to act as an SSL proxy server performing complete SSL handshake processing in the Solaris Kernel and also using the underlying hardware cryptographic providers (SSL accelerators, PKCS11 Keystores and HSMs) to enable SSL acceleration and supporting secure key storage.

Before I jump into how to use KSSL for offloading SSL operations, here is some compelling aspects you may want to know:

1. Helps non-intrusively introduce an SSL proxy server for Web servers, Java EE application servers and also applications that does’nt implement SSL.
2. KSSL proxy listens to all secured requests on the designated SSL port (ex. HTTPS://:443)  and renders a cleartext traffic via reverse proxy (ex. HTTP://:8080) port for the underlying Web or application server. All SSL operations including the SSL handshake and session state are performed asynchronously in the Solaris Kernel and without the knowledge of the target application server.
3. KSSL automatically uses SCF for offloading operations to underlying hardware cryptographic providers with no extra effort needed.
4. Manages all the SSL certificates independently supporting most standard formats (ex. PKCS12, PEM),  the key artifacts can be stored in a flatfile or a PKCS11 conformant keystore (If you are worried about loosing the private key).
5. Supports the use Solaris zones, where each IP identified zone can be configured with a KSSL proxy
6. Delivers 25% – 35% faster SSL performance in comparison with traditional SSL configurations of most popular Web servers and Java EE application servers.
7. KSSL can be used to delegate Transport-layer security and the applications may choose to implement WS-Security mechanisms for message-layer security.

Those are some compelling aspects of KSSL that are hard to ignore…. if you really understand the pain from performance overheads associated with SSL/TLS   As I verified, KSSL works well with most common Web servers and Java EE applications servers.

Try it yourself

Certainly it is worth a try…and you should able to do it very quickly than configuring SSL for your web sever !

• Obtain your server SSL and CA certificates. If you just want to test-drive KSSL and considering to using a self-signed OpenSSL certificate.. just follow the example commands and make sure that your web server hostname is correct. If you choose to use a flatfile based SSL keystore, KSSL requires to have all your certificate artifacts (including private key and certificates) in a single file.  If you need more OpenSSL help, read my earlier post.

          Ex. To create a self-signed server certificate using OpenSSL (in PEM format).

    openssl req -x509 -nodes  -days 365 -subj

     "/C=US/ST=Massachusetts/L=Burlington/CN=myhostname"

    -newkey rsa:1024  -keyout myServerSSLkey.pem -out mySelfSSLcert.pem

           Ex.  Concatenate the server certificates in a single file.

    cat mySelfSSLcert.pem myServerSSLkey.pem > mySSLCert.pem

• Configure the KSSL proxy service,  assuming the secured requests are forwarded to an SSL port (ex. 443) and the reverse-proxy of your backend Web server listens to a non-SSL port (ex. 8080). Use -f option to identify the certificate fomat, to represent PEM (-f pem) and to represent PKCS12 (-f pk12).  If the certificates are located in a HSM/PKCS11 Keystore, use -f pkcs11 to identify the token directory, -T to identify the token label and -C to identify the certificate_subject.

          Ex. To configure the KSSL proxy service with SSL Port 443 and reverse-proxy port is 8080 using PEM based certificates and the passphrase stored in file (ex. password_file).

           ksslcfg create -f pem -i mySSLCert.pem -x 8080 -p password_file webserver_hostname 443

• Verify the KSSL proxy service under Solaris Service Management Framework (SMF) controls, the KSSL services is identified with FMRI svcs:/network/ssl/proxy.

                    svcs - a | grep "kssl"

•  Assuming your webserver in the backend listens at port 8080, you should able to test the SSL configuration provided by the KSSL proxy.  Open your browser, goto https://webserver_host:443/ you should be prompted by the SSL dialog warning to accept a self-signed certificate.

• More importantly, if your Solaris host is a Sun CMT server (based on UltraSPARC T1/T2 processor), KSSL automatically takes advantage of the cryptographic acceleration and no additional configuration is necessary.

Here is an unofficial benchmark that highlights performance comparisons with KSSL and other SSL options.  The following shows the latency of an Web application running on Oracle Weblogic server using different SSL configurations (Certificate using RSA 1024) on a Sun CMT server (T5440) – To interpret the graph, make a note “Smaller the Latency means Faster”.

Adopting to Sun CMT servers (based on UltraSPARC T1/T2 processors) helps delivering on-chip cryptographic acceleration for supporting SSL/TLS and its cryptographic functions. With KSSL based SSL deployment, you will atleast get an additional 30% performance advantage while comparing with other Web server based SSL deployments. I heard that Intel Nehalem EX processors are expected to provide similar on-chip crypto capabilities, not sure !  Either way, using KSSL is a no brainer and it works.  If you are itching the head to provide transport-layer security for your applications, this could be easiest way to go !  Ofcourse, it can help you score some points in those IT infrastructure security assessment checklists verifying for PCI-DSS, FISMA, HIPPA and/or similar regulatory/industry compliance mandates !  :-)

Java Card technology has been a passion of mine for so long and I always tried my best to keep updated on Smart card technologies…… not just because of my role at Sun, I did get several opportunities to work closely with citizen-scale Java Card deployments with multiple National ID, eID/ICAO, US DoD/CAC, PIV/FIPS-201 cards and related Identity management projects.  It is always been quite adventurous everytime to experience a card issuance architecture and deployment scenario – right from applicant enrollment, demographic data provisioning, Biometrics/PKI credentialing, adjudication/background checks, post-issuance maintenance including card authentication/verification/usage and final retirement/termination.  In the early 2000′s, I even had an opportunity to write couple of Java Card applets for a big 5 financial organization using Java Card 2.x and it is still exists on production (No kidding! one of them may be in your wallet). With all those experiences, I did have my own stumbling issues with programming Smartcards, where I pulled my hair-out on understanding those evil ”Application Protocol Data Units” (APDU) based commands and responses. In my opinion, APDUs are quite complex to understand when you jump in unless you read the docs in-and-out beforehand and then test-driving APDUs are even more hard unless you have the luxury of having a debugging environment –  seriously, you may not want to experience those pains.  Havingsaid, now we can breathe a sigh of relief – I am bit late to experience the newer features of Java Card 3.0 -  It has introduced “network-centric” and “Java/J2EE developer” friendly features that radically changed the way we originally designed, developed, deployed, and integrated Smartcard applications.  Interestingly, there are very compelling aspects about Java Card 3.0 technology -  As I digged with my little experience… here is my observations.  

Understanding Java Card 3.0  

1. A Smartcard can act as a ”Personal Web Application Server”  or an user-centric miniature Java EE application server on a network.  Java Card 3.0 has introduced a Servlet container environment referred to as “Connected Edition” – which allows the smartcard applications can built as Java servlets (Web applications) using Servlet 2.4 APIs and deployed as a “WAR” file to the Web container running on a Java Card 3.0 compliant Smart card. This Servlet based deployment is an addition to existing Java card applet deployment model referred to as Classic Edition (exists with Java card 2.2.x). The Java Card clients access the applications using a Web browser (ex. http://localhost:8019/myJavaCardServlet).   
   

   Java Card Platform - Architecture

2. Java Card 3.0 supports 32-bit processor based Smartcards and handles more memory – upto 128k.
3. Enough with pain of understanding/testing APDUs, now you can readily develop Java Servlet 2.4 API compliant Web applications and deploy them to a Smart card.
4. With Java Card 3.0, we can perform interact with using standards based communication with the card using HTTP/HTTPS and also its supporting XML based protocols such as SOAP, REST etc.
5. Support for Java crypto APIs and additionally you can enable access control with the card similiar to performing container-managed authentication in Java EE – using SSL/TLS mechanisms.     
   

   Java card 3.0 - Communication Protocols

    

    

6. Java Card 3.0 based Web applications can be developed, debugged and deployed using Netbeans 6.7.1 and up.
7. Smart card issuance (for Card holders) and updates using GCF can be done through Web based deployment model (via HTTP, TCP) – using both contact and contactless communication interfaces.
8. Other features include full Java language support (Java 1.6 features) including all data types (except float and double), multi-threading, garbage collection, XML parsing/generation capabilities etc.
9. Allows Java developers to explore Java Card platform easily with strong potential for deploying security applications intended for National ID card schemes, passports and simplifying deployment of  ”Match-to-card Biometrics”, “On-card” credential persistence and secure transaction based applications.

Try it yourself

If you are curious to test drive Java Card 3.0 reference implementation especially using its “Connected Edition” to deploy Java Servlet based application to Smart card - Before you begin, make sure you obtain the list of pre-requistes :

1. Java Card Connected Development Kit 3.0.1
2. Netbeans 6.7.1

and then proceed with the following steps for deploying a “Hello World” Web application – creating Java card applications can’t get easier than this :

1. Install the Java Card 3.0 plugins for Netbeans 6.7.1 – Go to Tools, Plugins and search for card to select plugins for “Java Card Projects” and “Java Card Console”.  

   

   Installing Java Card plugins for Netbeans

    

2.  Go to Netbeans IDE,  Choose Project – “Java Card” and select Projects type “Web Project”. 
   

   Creating a Java Card "Web project"

3.  Assign Project name/location/folder and then select “Manage Platforms” to assign the Java Card 3.0 runtime environment.   

    

    

   

   Assigning Java Card Runtime Info

    

    

4.  To assign the Java Card runtime info, select “Manage Platforms” and choose “Platform type” to Java Card Platform.  
   

   Choosing Java Card as runtime

5.  Select the location of your ”Java Card 3.0 Connected Edition Dev kit” installation. 

     

    

   

   Select "Java Card 3.0" Connected Edition

    

6.  Define the default device (assuming your Smartcard) attributes and press “Finish”: 
   

   Select your "Java Card"

    

7.  As a result, you should see the Netbeans console showing your “Java Card Platform” environment for test-driving your applications.     
8. With above steps complete, now you are ready to develop/debug/deploy your Java Card web applications…. here is my first “Hello World” Java Card Web application excercise.       
9.  Compile the application -  In the Projects window, right-click the project node and choose Build to build the project.     
10. To deploy and run the Web application from your target Smartcard device (in my case the JavaCard RI), In the Projects window, right-click the project node and choose Load/Create Instance or just Run to run the application.  Netbeans will launch the browser, displaying the Hello world application prompting for your name….  and push the button to see – what happens !    

Netbeans does all the magic for you – if something not working, no worries ! Like implementing anyother Web application in IDE,  it is now easy for you to painlessly debug and redeploy the application – I am sure, you’ll find deploying applications on Java Card is nolonger a mystery.

With Billions+ Java Cards already in use and so much demand for the Smartcard technology,  Java Card 3.0 promises beyond citizen IDs and can potentially act as your “Personal Web application server” on your wallet.

Thanks to Anki Nelaturu and Saqib Ahmad who introduced me to Java Card 3 with their JavaOne ’09 sessions. After playing with my first excercise on Java Card 3.0 RI, now I am chasing my friendly Smartcard vendors to loan me couple of Java Card 3.0 cards

Access control exploits, user credential exposures and related security compromises are becoming increasingly common in Web 2.0 world ! Most of these issues pertain to broken or insufficient authentication controls and flawed credential management that allows attackers to compromise vulnerable applications by stealing or manipulating credentials such as passwords, keys, session cookies and/or impersonating another user through forged or guessed credentials.  Any such access control failure leads to unauthorized access and disclosure of underlying application databases, user accounts and stored data.  Most access control related vulnerabilities are due to the inherent application-specific weakness and failure to enforce authentication mechanisms, verify authentication credentials, lack of policy enforcement prior to granting or denying access to the underlying database.

This is my second installment of work exploring MySQL security features to enforce stronger authentication controls and defend against unauthorized disclosure of user account credentials and application-related database tables.  In simpler terms, I will be uncovering a set of MySQL security mechanisms intended for the following:

1. X.509 certificate-based  MySQL authentication
2. Enabling host verification to cease access from untrusted hosts
3. Restricting remote access to MySQL database
4. Disable unauthorized access to local files
5. Securing MySQL user accounts, passwords and access privileges
6. Data encryption using AES

X.509 Certificate based MySQL authentication

Enforcing X.509 v3 Certificate authentication allows clients to authenticate the MySQL database server using X.509 certificates and its attributes. To enable certificate based authentication,  the MySQL  GRANT statement allows to limit user access to request X.509 certificate by specifying a set of options.  To connect the client must specify the certificates using  –ssl-ca  (CA certificate),  –ssl-cert (Client certficate) and -ssl-key (Client key).

a)  The REQUIRE X509  option allows user to provide a valid X.509 certificate, where the signing authority should be verifiable using the CA certificate. 

mysql>  GRANT  ALL PRIVILEGES  ON  test.*  TO ‘ramesh’@'localhost’  IDENTIFIED  BY  ‘password’  REQUIRE  X509;

b) The REQUIRE SUBJECT  ..  AND ISSUER  .. option allows the user to provide a valid X.509 certificate containing the subject information of the user and the certificate issued by a specific CA  as defined in the GRANT statement. The user’s certificate and the specified SUBJECT and ISSUER attributes are verified against the information provided with GRANT statement.

mysql>  GRANT  ALL PRIVILEGES  ON  test.*  TO ‘ramesh’@'localhost’  IDENTIFIED  BY  ‘password’  REQUIRE SUBJECT  ‘/C=US/ST=Massachusetts/L=Burlington/O=Sun Microsystems/CN=Ramesh Nagappan/Email =Ramesh.Nagappan@mysqltest.com’  AND ISSUER ‘/C=US/ST=Massachusetts/L=Burlington/O=Sun Microsystems/CN=SunTest CA’;

c) In addition to SUBJECT and ISSUER, the user’s certificate can be identified with the specific CIPHER .  The REQUIRE CIPHER option allows to specify the required algorithm to grant access to the database.

mysql>  GRANT  ALL PRIVILEGES  ON  test.*  TO ‘ramesh’@'localhost’  IDENTIFIED  BY  ‘password’  REQUIRE SUBJECT  ‘/C=US/ST=Massachusetts/L=Burlington/O=Sun Microsystems/CN=Ramesh Nagappan/Email =Ramesh.Nagappan@mysqltest.com’  AND ISSUER ‘/C=US/ST=Massachusetts/L=Burlington/O=Sun Microsystems/CN=SunTest CA’   AND  CIPHER ”DHE-RSA-AES256-SHA’;

d)  To allow access to user with SSL-enabled connection.

GRANT  ALL PRIVILEGES  ON  test.*  TO ‘ramesh’@'localhost’  IDENTIFIED  BY  ‘password’  REQUIRE SSL;

Trusted Host Verification

Host identification helps to allow the user requests initiated from the specified host only. If the user and hostname doesnot match the specified host the server will deny access to the database.  To enable host verification, the MySQL  CREATE USER and GRANT statements allows to specify the user assigned with a target hostname.

a)  The CREATE USER allows to specify the user assigned to a specific hostname. The user will be allowed access only if the request orginated from the specified hostname.

mysql>   CREATE  USER  ‘ramesh’@'localhost’  IDENTIFIED BY ‘some_password’;

 The above statement creates an user ‘ramesh’ assigned to hostname ‘localhost’.  This means ‘ramesh’@'localhost’ account can be used only when connecting from the localhost. 

b)  The GRANT statement allows to define user privileges on a database table only when the user is accessed from a specified host.  If the user connected from a different host the access will be denied.

mysql>   GRANT SELECT,INSERT,UPDATE  ON  test.*  TO  ‘ramesh’@'east.sun.com’;

Disabling Remote Access from Network 

If the MySQL database is accessed locally by the coexisting appplications, remote access from the network can be disabled.  To disable remote access via network,  you may add skip-networking under the [mysqld] section of my.cnf or start mysqld using the –skip-networking option.  To enable MySQL listen to a specific host IP address, you need to set the following attribute in the [mysqld] section of my.cnf  as follows:

bind-address=Host-IP-address

Disabling unauthorized access to Local files

To disable unauthorized access or reading of local files, particularly to prevent applications access local files using SQL injection attacks – you may add the set-variable=local-infile=0 under the [mysqld] section of my.cnf .

Also, run MySQL as run as an user with minimized privileges so that any potential attacks does not result in damages to the operating system and other processes. 

Securing MySQL User Accounts, Passwords and Privileges

a) To prevent unauthorized and anonymous access to the server,  first remove the test database and all user accounts (with the exception of root account).

mysql> drop database test;
mysql> use mysql;
mysql> delete from db;
mysql> delete from user where not (host=”localhost” and user=”root”);
mysql> flush privileges;

mysql> quit;

b)  Change the MySQL root password and make sure the password is done via mysql> command line.  It is a bad practice, to change passwords via mysqladmin – u root password as the password can be accessed via “ps -aef”  (Solaris) “ps -aux” (Linux) command or by reviewing the Unix command history files. 

c)  Passwords are usually visible as plain text in SQL statements especially while executing CREATE USER, GRANT and SET PASSWORD statements. If the MySQL server is logging the SQL events and action to tables, then make sure those tables are protected from unauthorized users.

d) Change the default administrator account name from ‘root’ to a harder to guess ‘username’.  This would help defend against hackers performing dictionary/brute-force guessing attacks for administrator credentials.

mysql>  update user set user=”mysqlgeek’ where user=”root”;
mysql> flush privileges;

e) MySQL stores user accounts and its passwords in mysql.user table. Disable access to this table for any non-administrator users.

f)  Enforce the ‘principle of least privileges’ by granting minimum privileges for performing the required actions especially for user accounts that connects to the MySQL database from external applications. Do not grant privileges at the database level, MySQL allows to define privileges as required at the Table and Column level.

    grant <privileges> <column> on <database>.<table> to <login-name>@<FQDN-or-IP> identified by <password>;

Data Encryption using AES

MySQL supports data encryption functions by providing support for AES (Advanced Encryption Standard) and DES (Triple-DES) algorithms.  It is important to note, the encryption function return binary strings as BLOBS, so you may need to store the encrypted data in columns of BLOB or VARBINARY data types. MySQL provides AES_ENCRYPT( ) and AES_DECRYPT ( )  to facilitate AES based encryption and decryption  and DES_ENCRYPT( ) and DES_DECRYPT ( )  to facilitate Triple-DES based encryption and decryption  operations.

For example:

mysql>  insert into mytable (username, password)  VALUES (‘nramesh’,  AES_ENCRYPT(‘g01ns@n3′, ‘myaeskey’));

mysql>  select username, AES_DECRYPT(password, ‘myaeskey’) from mytable;

+——–+————————————-+
| username | des_decrypt(password, ‘myaesencryptionkey’)  |
+——–+————————————-+
| nramesh | g01ns@n3 | 
| bobama | s@v3u5a |
+——–+———————————+

It is important to note, the encryption KEY must be provided by the application user to MySQL. It means that MySQL does’nt provide mechanisms for generating the keys. Also it is critical to store the key for supporting further decryption operations.

That’s all folks. I will revisit again on my next MySQL security project …till then let me practice wearing an Oracle shirt