PKI Web Authentication and digital signature without saving the PKCS # 12 file

Each business Web application is faced with determining the identity of the user who wants to work with the application. PKI solution consists of entering a password to unlock the user’s private key that is located in the file that corresponds to the PKCS # 12 standard. We use the key to sign some data. On the server side, the system then validate that signature by using the user certificate.
PKCS # 12 files can be stored on the card, in which case it is not accessible to third parties, but it increases the price of the entire IT solution. In another case, when the file is stored on local disk or USB memory, there is a risk that a third party copy that file and afterwards try to break the password.
Presented solution eliminates the aforementioned shortcomings in the way that files are transferred from server to client memory from which is then used. Upon completion of the signing that memory is erased. The file is smaller than 4 KB, and therefore does not represent a burden on the client / server communication.

The solution is based on client certificates stored on the application server and digitally signed Java applet which transmits a random number generated on the server. Applet on the client system runs the command “whoami”, withdrawing from the server associated PKCS # 12 file and sign to give a random number that is then, together with the name of the user, forwards to the server where it decrypts with corresponding user’s certificate and compares with the generated number. The client is authenticated if the numbers match.
In the case of authentication we sign obtained number, but instead (or with it) we can digitally sign any other information (web forms) that are transfered in the applet by its parameters. Windows Resporce Protection (WRP) prevents overwriting system files that are part of the operating system. None other than Microsoft (even Administrator) may not alter or replace a protected Windows files, which means that the applet can be trusted that “whoami” returns a valid user on the console.
On Linux platforms, we can perform integrity check by calling SHA1SUM command / usr / bin / whoami, and only if the hash is correct to call itself whoami command.

 

clip_image002

1. Authentication JSP page 1 (main.jsp) serves to transfer the applet to the client:

<%@page contentType=”text/html” pageEncoding=”UTF-8″ import=”java.util.*” %>
<% Random generator=new Random();
int rnd=generator.nextInt();
session.setAttribute(“rnd”, rnd); %>
<html><body>
<applet code=”AuthorizationApplet.class” archive=”signed.jar” width=0 height=0>
<param name=”sid” value=”<%=session.getId()%>”/>
<param name=”rnd” value=”<%=rnd%>”/>
</applet>
Please Wait…
</body></html>

2. A digitally signed Java applet 2 (AuthorizationApplet.java) is used to take over the name of active user and for transfering PKCS # 12 in memory:

public class AuthorizationApplet extends Applet {
private String encrypt(String user,String text) throws Exception {
URL url=new URL(getDocumentBase()+”/../getp12.jsp”);
String data = “user=”+user;
HttpURLConnection con=(HttpURLConnection)url.openConnection();
con.setDoOutput(true);
OutputStreamWriter wr = new OutputStreamWriter
(con.getOutputStream());
wr.write(data);
wr.flush();
JPasswordField pwd = new JPasswordField(10);
Object[] obj = {“Please enter the password:\n\n”, pwd};
Object stringArray[] = {“OK”,”Cancel”};
int result=JOptionPane.showOptionDialog(null, obj,
“PKI Authentication”, JOptionPane.YES_NO_OPTION,
JOptionPane.QUESTION_MESSAGE, null, stringArray, obj);
if (result != JOptionPane.YES_OPTION) return “”;
KeyStore ks = KeyStore.getInstance(“pkcs12”);
ks.load((InputStream)con.getContent(), pwd.getPassword());
String alias = (String)ks.aliases().nextElement();
PrivateKey key = (PrivateKey)ks.getKey(alias, pwd.getPassword());
Cipher cipher = Cipher.getInstance(“RSA/ECB/PKCS1Padding”);
cipher.init(Cipher.ENCRYPT_MODE, key);
byte[] encrypted=cipher.doFinal(text.getBytes());
sun.misc.BASE64Encoder encoder = new sun.misc.BASE64Encoder();
String encoded = encoder.encodeBuffer(encrypted);
return encoded;
}

public void start() {
String sid=getParameter(“sid”); String user=””;
ProcessBuilder pb = new ProcessBuilder
(“c:/windows/system32/whoami”);
Process p;
try { p = pb.start();
BufferedReader b=new BufferedReader(
new InputStreamReader(p.getInputStream()));
String line= b.readLine().toLowerCase();
b.close();
user=line.substring(line.indexOf(‘\\’)+1);
String rnd=””; URL link=null;
try {rnd=encrypt(user,getParameter(“rnd”));
} catch(Exception ex)
{ ex.printStackTrace();
link=new URL(getDocumentBase() + “/../invalid.html”);}
if(link==null) link=new URL(getDocumentBase()
+ “/../main1.jsp;jsessionid=”+ sid + “?rnd=”
+ URLEncoder.encode(rnd,”UTF-8″)
+ “&user=”+URLEncoder.encode(user,”UTF-8”));
getAppletContext().showDocument(link, “_top”);
} catch(Exception ex) {ex.printStackTrace();}
}
}

3. JSP page for transfering PKCS # 12 file (getp12.jsp):

<%@page trimDirectiveWhitespaces=”true” import=”java.io.*” %>
<% String user=request.getParameter(“user”);
File file=new File(“C:/Security/”+user+”.p12″);
FileInputStream fis=new FileInputStream(file);
int length=(int)file.length();
response.setHeader(“Content-Type”, “application/octet-stream”);
response.setHeader(“Content-Length”, String.valueOf(length));
byte[] content = new byte[length];
fis.read(content);
fis.close();
OutputStream o = response.getOutputStream();
o.write(content);
o.flush();
o.close();
%>

4. The main application JSP page (main1.jsp):

<%@page contentType=”text/html” pageEncoding=”UTF-8″ import=”java.net.*”%>
<jsp:useBean id=”utils” scope=”application” class=”tmilinovic.hr.UtilsBean” />
<% String requestURL=request.getRequestURL().toString();
String user=request.getParameter(“user”);
try { String rnd=utils.decrypt(“C:/Security/”+user+”.cer”,
request.getParameter(“rnd”));
int rnd_request=Integer.parseInt(rnd);
int rnd_session=((Integer)session.getAttribute(“rnd”)).intValue();
if(user==null || session.isNew() || rnd_request!=rnd_session)
{ URL responseURL=new URL(requestURL+”/../invalid.html”);
response.sendRedirect(responseURL.toExternalForm());
return;
}
} catch(Exception ex)
{ URL responseURL=new URL(requestURL+”/../main.jsp”);
response.sendRedirect(responseURL.toExternalForm());
return;
}
//AUTHENTICATED

%>

Oglasi
Ovaj unos je objavljen u Nekategorizirano. Bookmarkirajte stalnu vezu.

Komentiraj

Popunite niže tražene podatke ili kliknite na neku od ikona za prijavu:

WordPress.com Logo

Ovaj komentar pišete koristeći vaš WordPress.com račun. Odjava / Izmijeni )

Twitter picture

Ovaj komentar pišete koristeći vaš Twitter račun. Odjava / Izmijeni )

Facebook slika

Ovaj komentar pišete koristeći vaš Facebook račun. Odjava / Izmijeni )

Google+ photo

Ovaj komentar pišete koristeći vaš Google+ račun. Odjava / Izmijeni )

Spajanje na %s