applied_sec_lab's Introduction

Applied Security Laboratory - AS19

Certificate Authority

[...] the students will also perform a team project: based on a set of functional and security requirements, they will design and implement a prototypical IT system. In addition, they will conduct a thorough security analysis and devise appropriate security measures for their systems. Finally, they will carry out a technical and conceptual review of another team's system. All project work will be performed in teams and must be properly documented.

ETHZ - Applied Security Lab

The task description can be found under assignment. A description of our design can be found here.

Group Members

Requirements

  • VirtualBox
  • vagrant

Build

Create virtual machines and start them:

make build

Export virtual machines as .ova

make release

Assignment

The (fictional) company iMovies produces independent movies of various kinds but with a focus on investigative reporting. Therefore, information exchanged within the company and with informants must be handled confidentially. To do so, iMovies wants to take its first steps towards PKI-based services. For this reason, a simple certificate authority (CA) should be implemented, with which employees can be provided with digital certificates. These certificates will be used for secure e-mail communication.

Functional Requirements

The entire functionality must be accessible to a remote client (outside the company’s network).

Certificate Issuing Process

The company already maintains a MySQL database in which all employees are listed, along with their personal data as well as a user ID and a password. This database is a legacy system, which cannot be migrated. The CA should verify authorized certificate requests on the basis of this database. The process of granting certificates should be as follows:

  1. The user logs in via a web form by entering his user ID and his password. The user ID and password are verified by consulting the information stored in the database. Alternatively, login using a valid certificate is also possible;
  2. The user is shown the user information stored in the database. If required, the user may correct this information and any changes will be applied to the database;
  3. A certificate is issued based on the (possibly corrected) user information from Step 2;
  4. The user is offered the possibility to download the new certificate, including the corresponding private key, in PKCS#12 format.

Certificate Revocation Process

Employees need the possibility to revoke certificates, for example, when their private key is compromised or lost. The process of revoking a certificate should be as follows:

  1. The affected user authenticates himself to a web application. Authentication can either be certificate-based client authentication over SSL/TLS (if the user still holds the certificate and the corresponding private key) or the user uses his user name and password stored in the database (if the user has lost the certificate or the corresponding private key);
  2. After successful authentication, the certificate in question (or all affected certificates of the affected user) will be revoked. Additionally, a new certificate revocation list will be generated and published on the web server. Make sure that login with revoked certificates is not possible.

CA Administrator Interface

Using a dedicated web interface, CA administrators (not necessarily system administrators!) can consult the CA’s current state. The interface provides at least the following information:

  1. Number of issued certificates;
  2. Number of revoked certificates;
  3. Current serial number.

CA administrators authenticate themselves with their digital certificate.

Key Backup

A copy of all keys and certificates issued must be stored in an archive. The archive is intended to ensure that encrypted data is still accessible even in the case of loss of an employee’s certificate or private key, or even the employee himself.

System Administration and Maintenance

The system should provide appropriate and secure interfaces for remote administration from the internet. In addition, an automated back-up solution must be implemented, which includes configuration and logging information. Note that these interfaces do not need to be especially comfortable or user friendly. It is sufficient to provide suitable and simple interfaces with the help of standard protocols such as SSH and FTP.

Components to Be Provided

  • Web Server: User interfaces, certificate requests, certificate delivery, revocation requests, etc.;
  • Core CA: Management of user certificates, CA configuration, CA certificates and keys, functionality to issue new certificates, etc.;
  • MySQL Database: Legacy database with user data. The database specification can be found in Section 2.4;
  • Backup: Backup of keys and certificates from the Core CA and of configuration and logging information;
  • Client: Sample client system that allows one to test the CA’s functionality from outside the company’s network. The client system should be configured such that all functions can be tested. This includes the configuration of a special certificate to test the administrator interfaces.

Describe exactly how these components are distributed on various computers and exactly what additional components are required to enforce the security measures. The implementation is left up to the project team. All systems must be built using VirtualBox, which defines the “hardware”. The software is freely choosable. However, the operating systems must be Linux variants, and the legacy database requires MySQL.

Security Requirements

The most important security requirements are:

  • Access control with regard to the CA functionality and data, in particular configuration and keys;
  • Secrecy and integrity with respect to the private keys in the key backup. Note that the protection of the private keys on users’ computers is the responsibility of the individual users;
  • Secrecy and integrity with respect to user data;
  • Access control on all components.

Derive the necessary security measures from a risk analysis. Use the methodology provided in the book, and justify your design choices using the security principles. Hint: avoid monolithic designs where many functionalities are clumped together on a single machine (why?).

Backdoors

You must build two backdoors into your system. Both backdoors should allow remote access to the system(s) and compromise its purpose. The reviewers of your system will later have to search for these backdoors. Design and implement a first backdoor so that it will be nontrivial but likely for the reviewers to find it. Give your best effort when it comes to the second backdoor! Try to hide it so well that the reviewers will not find it. Do not forget to hide your traces in the end (e.g., shell history).

applied_sec_lab's People

Contributors

eikendev, keyctl, liblor, miro-h, requestforcoffee

applied_sec_lab's Issues

Add firewalls

On recent Debian distributions, nftables is recommended instead of iptables.

Necessary ports in our system:

  • *
    • 22 TCP (internal)
  • aslans*
    • 22 TCP (external)
  • aslcert*
    • 443 TCP (internal)
  • asldb*
    • 3306 TCP (internal)
    • 4567 TCP, UDP (internal)
    • 4568 TCP (internal)
    • 4444 TCP (internal)
  • aslld*
    • 80 TCP (external)
    • 443 TCP (external)
  • asllog*
    • 10514 TCP (internal)
  • aslweb*
    • 80 TCP (internal)
    • 443 TCP (internal)
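
The port list above can be turned into a default-drop nftables input chain per host. The following Python sketch is an added example, not code from this project; it assumes the internal network is 10.0.0.0/24 (the addresses visible in the Ansible log further down), reads `*` as "every host", and uses constructed host names such as `aslans01` and `aslld01`.

```python
# Added example: the issue's port matrix rendered as a per-host nftables ruleset.
# Assumption: the internal network is 10.0.0.0/24 (addresses seen in the Ansible log).
INTERNAL_NET = "10.0.0.0/24"

# (host-name prefix, port, protocols, scope) as listed in the issue.
PORT_MATRIX = [
    ("", 22, ("tcp",), "internal"),            # "*": applies to every host
    ("aslans", 22, ("tcp",), "external"),
    ("aslcert", 443, ("tcp",), "internal"),
    ("asldb", 3306, ("tcp",), "internal"),
    ("asldb", 4567, ("tcp", "udp"), "internal"),
    ("asldb", 4568, ("tcp",), "internal"),
    ("asldb", 4444, ("tcp",), "internal"),
    ("aslld", 80, ("tcp",), "external"),
    ("aslld", 443, ("tcp",), "external"),
    ("asllog", 10514, ("tcp",), "internal"),
    ("aslweb", 80, ("tcp",), "internal"),
    ("aslweb", 443, ("tcp",), "internal"),
]


def rules_for(host):
    """Return {(proto, scope): sorted ports} for one host.

    If a port is listed as both internal and external, external wins,
    because an externally reachable port is reachable internally as well.
    """
    scope_of = {}
    for prefix, port, protos, scope in PORT_MATRIX:
        if not host.startswith(prefix):
            continue
        for proto in protos:
            if scope == "external" or (proto, port) not in scope_of:
                scope_of[(proto, port)] = scope
    grouped = {}
    for (proto, port), scope in scope_of.items():
        grouped.setdefault((proto, scope), []).append(port)
    return {key: sorted(ports) for key, ports in grouped.items()}


def render_nft(host):
    """Render an nftables ruleset that drops everything not in the matrix."""
    lines = [
        "table inet filter {",
        "  chain input {",
        "    type filter hook input priority 0; policy drop;",
        "    ct state established,related accept",
        '    iif "lo" accept',
    ]
    for (proto, scope), ports in sorted(rules_for(host).items()):
        # Internal services only accept traffic sourced from the internal net.
        src = f"ip saddr {INTERNAL_NET} " if scope == "internal" else ""
        port_set = ", ".join(str(p) for p in ports)
        lines.append(f"    {src}{proto} dport {{ {port_set} }} accept")
    lines += ["  }", "}"]
    return "\n".join(lines)
```

The rendered text for a host can be checked with `nft -c -f <file>` before it is deployed.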

Create admin user

Add another user to the client machine that can access the config server and from there (as a jump host) all other machines.

Do we accept the risk that if the config server is down, the admin has to physically go to the internal network to be able to fix something?

Ansible tasks for running service/system

  • replace certificates
  • update hosts (and reboot if the kernel is updated without downtime)
    ...

Since parts are used in the initial setup anyway we could use tags to limit tasks:
ansible-playbook site.yml -i production --tags update

Hand in system description and risk analysis, box images and source code

The deadline for the hand-in is 21.11.2019. The document must be submitted via e-mail to [email protected].

This issue shall list all important tasks for the final hand-in. For any other concerns, please add a comment below so this list can be updated accordingly.

  • Check if the document exceeds 30 pages
  • Check the log for missing references.
  • Check for duplicated words.
  • Hide the section about intentional backdoors (set showbackdoors to false).
  • Remove the hint about the page limitation.
  • Check the spelling (e.g. using Grammarly).

Can't rerun ansible because of "Transfer certificates to corresponding hosts"

When I rerun ansible I get the following error and ansible stops:

TASK [Transfer certificates to corresponding hosts] ******************************************************************************************************************************************************************************************
fatal: [aslweb01]: FAILED! => {"changed": false, "cmd": "/usr/bin/rsync --delay-updates -F --compress --archive --rsh=/usr/bin/ssh -S none -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null --rsync-path=sudo rsync --out-format=<<CHANGED>>%i %n%L /home/ansible/tls_certs/iMovies_aslweb01_tls.crt aslweb01:/etc/pki/tls/certs/", "msg": "Warning: Permanently added 'aslweb01,10.0.0.31' (ECDSA) to the list of known hosts.\r\nrsync: link_stat \"/home/ansible/tls_certs/iMovies_aslweb01_tls.crt\" failed: No such file or directory (2)\nrsync error: some files/attrs were not transferred (see previous errors) (code 23) at main.c(1207) [sender=3.1.3]\n", "rc": 23}
fatal: [aslcert01]: FAILED! => {"changed": false, "cmd": "/usr/bin/rsync --delay-updates -F --compress --archive --rsh=/usr/bin/ssh -S none -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null --rsync-path=sudo rsync --out-format=<<CHANGED>>%i %n%L /home/ansible/tls_certs/iMovies_aslcert01_tls.crt aslcert01:/etc/pki/tls/certs/", "msg": "Warning: Permanently added 'aslcert01,10.0.0.21' (ECDSA) to the list of known hosts.\r\nrsync: link_stat \"/home/ansible/tls_certs/iMovies_aslcert01_tls.crt\" failed: No such file or directory (2)\nrsync error: some files/attrs were not transferred (see previous errors) (code 23) at main.c(1207) [sender=3.1.3]\n", "rc": 23}
fatal: [asldb01]: FAILED! => {"changed": false, "cmd": "/usr/bin/rsync --delay-updates -F --compress --archive --rsh=/usr/bin/ssh -S none -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null --rsync-path=sudo rsync --out-format=<<CHANGED>>%i %n%L /home/ansible/tls_certs/iMovies_asldb01_tls.crt asldb01:/etc/pki/tls/certs/", "msg": "Warning: Permanently added 'asldb01,10.0.0.23' (ECDSA) to the list of known hosts.\r\nrsync: link_stat \"/home/ansible/tls_certs/iMovies_asldb01_tls.crt\" failed: No such file or directory (2)\nrsync error: some files/attrs were not transferred (see previous errors) (code 23) at main.c(1207) [sender=3.1.3]\n", "rc": 23}
fatal: [asldb02]: FAILED! => {"changed": false, "cmd": "/usr/bin/rsync --delay-updates -F --compress --archive --rsh=/usr/bin/ssh -S none -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null --rsync-path=sudo rsync --out-format=<<CHANGED>>%i %n%L /home/ansible/tls_certs/iMovies_asldb02_tls.crt asldb02:/etc/pki/tls/certs/", "msg": "Warning: Permanently added 'asldb02,10.0.0.24' (ECDSA) to the list of known hosts.\r\nrsync: link_stat \"/home/ansible/tls_certs/iMovies_asldb02_tls.crt\" failed: No such file or directory (2)\nrsync error: some files/attrs were not transferred (see previous errors) (code 23) at main.c(1207) [sender=3.1.3]\n", "rc": 23}
        to retry, use: --limit @/home/ansible/site.retry

High RAM usage

During development, the high RAM usage of our setup always kept me concerned as it monotonically increased. The further we advance in our setup, the more RAM we will need.

We should see if we're able to lower our requirements

  • to make it possible to run more machines during development and
  • to make sure other teams can run our setup.

nginx does not serve content over HTTPS.

We should configure all public nginx servers to serve encrypted content only. For doing so, we should introduce a trusted certificate which has to be installed on the client machine. Also, we should make sure that the TLS configuration of nginx is hardened.

See the documentation of the Ansible nginx role for further information on how to configure the deployment.
See Mozilla's SSL Configuration Generator for hints on how to configure TLS securely.

Enforce password policy

I'd propose we implement a simple password policy

  • checking that no weak passwords are used (checking against the rockyou password list [1])
  • Enforcing a minimal password length

@RequestForCoffee should we share this code between the webserver and the core ca or should I return a special error code if the password doesn't meet the policy?

[1] https://wiki.skullsecurity.org/Passwords
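
A sketch of the proposed policy as one shared function that returns a distinct result code per failure, so both the web server and the core CA could call it or map the code to an error response. This is an added example, not code from this project; the minimum length of 12, the `PolicyResult` names and the sample wordlist are assumptions or constructed for illustration.

```python
import enum
import io

MIN_LENGTH = 12  # assumption: the issue does not fix a minimum length


class PolicyResult(enum.Enum):
    OK = 0
    TOO_SHORT = 1
    IN_BREACH_LIST = 2


def normalize(password):
    # Case-fold so "PASSWORD123456" is caught by a "password123456" entry.
    return password.casefold()


def load_blocklist(lines, min_length=MIN_LENGTH):
    """Build the lookup set from an iterable of wordlist lines.

    Entries shorter than min_length are skipped: the length check already
    rejects them, which keeps the in-memory set much smaller than the list.
    """
    blocked = set()
    for line in lines:
        word = normalize(line.rstrip("\r\n"))
        if len(word) >= min_length:
            blocked.add(word)
    return blocked


def load_blocklist_file(path, min_length=MIN_LENGTH):
    # rockyou.txt is not clean UTF-8, so undecodable bytes are replaced
    # instead of aborting the load.
    with open(path, encoding="utf-8", errors="replace") as fh:
        return load_blocklist(fh, min_length)


def check_password(password, blocked, min_length=MIN_LENGTH):
    """Return the first policy violation, or PolicyResult.OK."""
    if len(password) < min_length:
        return PolicyResult.TOO_SHORT
    if normalize(password) in blocked:
        return PolicyResult.IN_BREACH_LIST
    return PolicyResult.OK


# Constructed sample standing in for the real wordlist file.
SAMPLE_WORDLIST = "123456\npassword\niloveyou1234\nPassword123456\nqwertyuiop123\n"
BLOCKED = load_blocklist(io.StringIO(SAMPLE_WORDLIST))
```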

Incorporate two backdoors into the system.

According to the assignment, two backdoors have to be included in the system for other teams to find them.

You must build two backdoors into your system. Both backdoors should allow remote access to the system(s) and compromise its purpose. The reviewers of your system will later have to search for these backdoors. Design and implement a first backdoor so that it will be nontrivial but likely for the reviewers to find it. Give your best effort when it comes to the second backdoor! Try to hide it so well that the reviewers will not find it. Do not forget to hide your traces in the end (e.g., shell history).

Load Balancing

Current proposal for load balancing:

The client would connect to the load balancer and then be assigned to one of the web servers.

Pro:

  • Simplicity
  • Single failure tolerance (except load balancer)

Con:

  • If one machine per chain fails, we are unavailable
  • The load balancer is a single point of failure (for the improvement, see below)

A more complicated but more robust scheme would use two load balancers and DNS load balancing between the load balancers. This is an optional extension for now.

Open questions:

  • How does the load balancer learn that one chain is down?
    • A simple solution would be that the web server stops accepting traffic when the cert server fails (itself or because the DB is unavailable) and the balancer thus switches when one server is unreachable.
  • How are users with an active session migrated to the other chain?

Add 2FA for login via password.

To improve security, e.g. against brute-force attacks, we could require 2FA when a user wants to log in via password authentication.

The assignment provides us with email addresses, which we could use in our network to implement a scheme like the one used by GitHub.

One thing to consider is how to handle a case where a user lost their certificates. That way, the user is not able to read encrypted emails, but they cannot login to our service as they have neither password nor certificate.

Display revoked certificates of user only

On the website, the list "Revoked Certificates" under "My Certificates" shows all revoked certificates instead of only displaying the revoked certificates of the current user.

Handle unavailable DB

What happens when the DB server becomes unavailable or returns an error for a query?
E.g., if a new certificate is issued and the transaction fails for some reason, does the application crash?

Add backup solution

We need to back up essential data of our system.

Two ready solutions seem "practical".

Also, there exists Burp, which even supports pushing backups.
However, we might not need pushes for backups, if we manage to back up generated private keys separately.

Content of security alert email when new cert is issued

What should the email say? Should it have a link to a form where the employee can report malicious behaviour? Keep in mind that his/her old certificate has been revoked, and the employee can not send a signed & encrypted email to the administrators.

Regularly update hosts

We should install security patches regularly, so admins do not have to check manually. This is common practice on Debian servers.

See the wiki for more information.
