T52 GrooveGalaxy Project Read Me

Team

Number Name User E-mail
99053 André Torres https://github.com/atorrres mailto:[email protected]
99074 Gonçalo Nunes https://github.com/goncaloinunes mailto:[email protected]
99115 Pedro Lobo https://github.com/pedroclobo mailto:[email protected]

Contents

This repository contains documentation and source code for the Network and Computer Security (SIRS) project.

The REPORT document provides a detailed overview of the key technical decisions and various components of the implemented project. It offers insights into the rationale behind these choices, the project's architecture, and the impact of these decisions on the overall functionality and performance of the system.

This document presents installation and demonstration instructions.

Installation

To see the project in action, it is necessary to set up a virtual environment, with 3 networks and 5 machines.

The following diagram shows the networks and machines:

Network diagram

The following table shows the network topology configuration:

Machine       # Interface   IP              Adapter
Database      1             192.168.0.1     eth0
Firewall 1    1             192.168.0.254   eth0
              2             192.168.1.254   eth1
Application   1             192.168.1.1     eth0
Firewall 2    1             192.168.1.253   eth0
              2             192.168.2.254   eth1
Client        1             192.168.2.1     eth0

Prerequisites

All virtual machines are based on: Linux 64-bit, Kali 2023.3

Download and install a virtual machine of Kali Linux 2023.3.

Machine configurations

Base Machine

The base machine will be used as a base for the other machines.

Begin by attaching a Bridged Adapter to Adapter 1.

Boot up the machine and update the apt mirrors:

$ sudo apt update

Use git to obtain a copy of the T52 GrooveGalaxy Project. Note that you have to set up a personal access token in order to clone the repository.

$ git clone https://github.com/tecnico-sec/t52-andre-pedro-goncalo.git

Our repository has the necessary scripts to set up each machine. Note that the setup of the application, database and client machines has to be done in parallel, as these entities have to exchange certificates to set up TLS/HTTPS.

Create linked clones of this VM as needed for the other machines. Don't forget to select the option Generate new MAC addresses for all network adapters, under MAC Address Policy.

Database Server

The setup of the database machine has to be done in parallel with the setup of the application and client machines. Please refer to the application and client configuration sections.

This machine runs the database server (PostgreSQL 16.1).

First Configuration Step

Boot up the machine.

If you cloned this machine from the Base VM, the system already has the project repository.

Start by running the installation script at the root of the project repository:

# Run the installation script
$ cd database
$ chmod +x setup.sh
$ sudo ./setup.sh

Refer to the Database, Application and Client Machines section for the rest of the configuration.

Second Step Configuration

Shut down the machine.

Before booting up the virtual machine again, replace the current Adapter 1 with an Internal Network named sw-1.

Boot up the virtual machine and verify that the configuration was successful by checking the following:

Running hostnamectl | grep 'hostname' should reveal the hostname database.

Running ip a should reveal IP 192.168.0.1 under the eth0 interface.

Running sudo nmap localhost should reveal the following open ports:

PORT     STATE SERVICE
5432/tcp open  postgresql

The following lines should be present in the file /etc/postgresql/16/main/postgresql.conf:

listen_addresses = '*'
port = 5432
ssl = on
ssl_cert_file = '/etc/ssl/certs/database.crt'
ssl_key_file = '/etc/ssl/private/database.key'

A line similar to the following should be present in the file /etc/postgresql/16/main/pg_hba.conf:

hostssl groove postgres 192.168.0.0/24 md5
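
The two file checks above can be scripted. The following is an added example, not part of the project's repository: it reads copies of both files, confirms the TLS settings, and also reports any host or hostnossl record, because PostgreSQL lets a host record match unencrypted connections even when a hostssl record is present. Function names and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit copies of postgresql.conf and pg_hba.conf for TLS-only access.

# Print a postgresql.conf setting, unquoted; the last uncommented assignment wins.
pg_setting() {  # usage: pg_setting <file> <name>
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" |
        sed "s/[[:space:]]*#.*\$//; s/^'//; s/'\$//" | tail -n 1
}

# Print pg_hba.conf records that admit unencrypted TCP clients. "host" matches
# TLS and plaintext connections alike; only "hostssl" insists on TLS.
# Loopback and "reject" records are not reported.
plaintext_hba_rules() {  # usage: plaintext_hba_rules <file>
    awk '($1 == "host" || $1 == "hostnossl") && $5 != "reject" && $6 != "reject" &&
         $4 != "127.0.0.1/32" && $4 != "::1/128"' "$1"
}

# Return 0 only if TLS is on, a hostssl record covers database "groove", and
# no record admits plaintext clients from the network.
audit_database_tls() {  # usage: audit_database_tls <postgresql.conf> <pg_hba.conf>
    case "$(pg_setting "$1" ssl)" in
        on|true|yes|1) ;;
        *) echo "ssl is not enabled"; return 1 ;;
    esac
    for name in ssl_cert_file ssl_key_file; do
        [ -n "$(pg_setting "$1" "$name")" ] || { echo "$name is not set"; return 1; }
    done
    awk '$1 == "hostssl" && $2 == "groove" { ok = 1 } END { exit !ok }' "$2" ||
        { echo "no hostssl record for database groove"; return 1; }
    bad=$(plaintext_hba_rules "$2")
    [ -z "$bad" ] || { printf 'plaintext-capable records:\n%s\n' "$bad"; return 1; }
    echo "TLS-only"
}

# Constructed sample files: the README's lines, plus one stray "host" record.
demo=$(mktemp -d)
printf '%s\n' "ssl = on" "ssl_cert_file = '/etc/ssl/certs/database.crt'" \
    "ssl_key_file = '/etc/ssl/private/database.key'" > "$demo/postgresql.conf"
printf '%s\n' "hostssl groove postgres 192.168.0.0/24 md5" > "$demo/good_hba.conf"
printf '%s\n' "hostssl groove postgres 192.168.0.0/24 md5" \
    "host all all 192.168.0.0/24 md5" > "$demo/bad_hba.conf"
audit_database_tls "$demo/postgresql.conf" "$demo/good_hba.conf"
audit_database_tls "$demo/postgresql.conf" "$demo/bad_hba.conf" || true
```

On the database machine, pass the real paths: /etc/postgresql/16/main/postgresql.conf and /etc/postgresql/16/main/pg_hba.conf.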

Application Server

The setup of the application server has to be done in parallel with the setup of the database and client machines. Please refer to the database and client configuration sections.

This machine runs the application server (Java 17 / Spring Boot 2.4.1).

First Configuration Step

Give this machine at least 2GB of RAM and boot it up.

If you cloned this machine from the base machine, the cloned repository is under the t52-andre-pedro-goncalo folder.

Start by running the installation script at the root of the project repository:

# Run the installation script
$ cd application
$ chmod +x setup.sh
$ sudo ./setup.sh

Refer to the Database, Application and Client Machines section for the rest of the configuration.

Second Step Configuration

After concluding the parallel configuration, the maven dependencies need to be downloaded and installed.

Run the following commands in the root of the project repository:

# Download and install maven dependencies
$ cd crypto
$ mvn install
$ cd ../application
$ mvn clean spring-boot:run

The expected output should include the output from the apt package manager and the output from mvn downloading the required dependencies. The output should terminate with a BUILD FAILURE message, as the backend can't yet connect to the PostgreSQL database server.

Shut down the machine.

Before booting up the virtual machine again, replace the current Adapter 1 with an Internal Network named sw-1.

Boot up the virtual machine and verify that the configuration was successful by checking the following:

Running hostnamectl | grep 'hostname' should reveal the hostname application.

Running ip a should reveal IP 192.168.0.2 under the eth0 interface.

To start the application, run the following command in the application folder of the cloned repository:

$ mvn clean spring-boot:run

Client

The setup of the client machine has to be done in parallel with the setup of the database and application machines. Please refer to the database and application configuration sections.

This machine acts as a client by interacting with the application with a terminal user interface.

First Step Configuration

Boot up the machine.

If you cloned this machine from the Base VM, the system already has the project repository.

Start by running the installation script at the root of the project repository:

# Run the installation script
$ cd client
$ chmod +x setup.sh
$ sudo ./setup.sh

Refer to the Database, Application and Client Machines section for the rest of the configuration.

Second Step Configuration

Run the following commands in the root of the project repository:

$ cd crypto
$ mvn install
$ cd ../client
$ mvn compile exec:java -Dexec.mainClass="pt.tecnico.Client"

The expected output should include the output from the apt package manager and the output from mvn downloading the required dependencies. You should then be greeted with the client's TUI prompt.

Shut down the machine.

Before booting up the virtual machine again, replace the current Adapter 1 with an Internal Network named sw-3.

Boot up the virtual machine and verify that the configuration was successful by checking the following:

Running hostnamectl | grep 'hostname' should reveal the hostname client.

Running ip a should reveal IP 192.168.2.1 under the eth0 interface.

Database, Application and Client Machines

The setup of the database, application and client machines has to be done in parallel, as these entities have to exchange certificates to set up TLS/HTTPS.

Only refer to this section after having completed the first configuration step of the database, application and client machines.

The application and client machines will each prompt you for two passwords: one for the private key and one for the keystore. Choose each password and press Enter after typing it.

For the application to sign the database and client certificates, the certificate signing requests (database.csr and client.csr) need to be copied from the respective machines to the application machine. Each one of the three machines should prompt you to do this. The ssh service has been enabled on the application machine for you to copy them.

Enter the following commands, replacing <user> and <IP> with the username and IP of the application machine, respectively. You can get the IP of the application machine by running ip a.

# Enter this command in the database machine (in the root of the cloned repository)
$ cd database
$ scp database.csr <user>@<IP>:~/t52-andre-pedro-goncalo/application

# Enter this command in the client machine (in the root of the cloned repository)
$ cd client
$ scp client.csr <user>@<IP>:~/t52-andre-pedro-goncalo/application

After successfully executing these commands, press any key to proceed with the installation on all three machines.

After the application machine has signed the database and client certificates, these need to be copied back to the respective machines, along with the application certificate.

Enter the following commands, in the application machine, replacing <user>, <IP-DATABASE> and <IP-CLIENT> by the username, IP of the database machine and IP of the client machine, respectively.

# Enter this command in the application machine (in the root of the cloned repository)
$ cd application
$ scp application.crt database.crt <user>@<IP-DATABASE>:~/t52-andre-pedro-goncalo/database
$ scp application.crt client.crt <user>@<IP-CLIENT>:~/t52-andre-pedro-goncalo/client

After successfully executing the commands, press any key to proceed with the installation on all three machines.

After the application machine has added the client certificate to its trusted keystore, the keystore needs to be copied to the client machine.

Enter the following command, in the application machine, replacing <user> and <IP-CLIENT> with the username and IP of the client machine, respectively.

# Enter this command in the application machine (in the root of the cloned repository)
$ cd application
$ scp application.p12 <user>@<IP-CLIENT>:~/t52-andre-pedro-goncalo/client

After successfully executing the commands, press any key to proceed with the installation in the application and client machines.

Continue now with the Second Step Configuration on the database, application and client machines.
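
The exchange described in this section, reproduced with openssl as an added example (it is not the project's setup.sh): the application key signs a CSR, and the receiving machine accepts the returned certificate only if it chains to application.crt and matches its own private key. RSA-2048 keys, 30-day lifetimes, the subject names and unencrypted private keys are assumptions made so the script runs unattended in a scratch directory.

```shell
#!/bin/sh
# Added example: the CSR round trip with openssl, run in a scratch directory.
# Key type, lifetimes, subject names and unencrypted keys are assumptions.

# Application machine: create the signing key and self-signed certificate.
make_application_ca() {  # usage: make_application_ca <dir>
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=application" \
        -keyout "$1/application.key" -out "$1/application.crt" 2>/dev/null
}

# Database or client machine: create a key pair and a CSR. Only the CSR is copied.
make_csr() {  # usage: make_csr <dir> <name>
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
}

# Application machine: check the CSR's self-signature, then sign it.
sign_csr() {  # usage: sign_csr <dir> <name>
    openssl req -in "$1/$2.csr" -noout -verify 2>&1 | grep -q "verify OK" || return 1
    openssl x509 -req -in "$1/$2.csr" -days 30 -CA "$1/application.crt" \
        -CAkey "$1/application.key" -CAcreateserial -out "$1/$2.crt" 2>/dev/null
}

# Receiving machine: accept the returned certificate only if it chains to
# application.crt and carries the public key of the local private key.
accept_cert() {  # usage: accept_cert <dir> <name>
    openssl verify -CAfile "$1/application.crt" "$1/$2.crt" >/dev/null 2>&1 || return 1
    [ "$(openssl x509 -in "$1/$2.crt" -noout -pubkey)" = \
      "$(openssl pkey -in "$1/$2.key" -pubout)" ]
}

# Walk the exchange once for the database machine.
work=$(mktemp -d)
make_application_ca "$work" && make_csr "$work" database && sign_csr "$work" database
accept_cert "$work" database && echo "database.crt accepted"
```

The private keys never leave the machine that generated them; only the .csr and .crt files correspond to what the scp commands above transfer.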

Firewall 1

This machine acts as a firewall between the internal network and the DMZ, using iptables to manage the firewall rules.

Boot up the machine.

If you cloned this machine from the Base VM, the system already has the project repository.

Run the following commands in the root of the project repository:

$ cd firewall-1
$ chmod +x setup.sh
$ sudo ./setup.sh
$ shutdown now

The script should have no output and exit code 0.

Before booting up the machine, replace the current Adapter 1 with an Internal Network named sw-1.

Add a new Adapter 2 with an Internal Network named sw-2.

Boot up the virtual machine and verify that the configuration was successful by checking the following:

Running hostnamectl | grep 'hostname' should reveal the hostname firewall-1.

Running ip a should reveal IP 192.168.0.254 and IP 192.168.1.254 under the eth0 and eth1 interfaces, respectively.

Firewall 2

This machine acts as a firewall between the DMZ and the external network, using iptables to manage the firewall rules.

Boot up the machine.

If you cloned this machine from the Base VM, the system already has the project repository.

Run the following commands in the root of the project repository:

$ cd firewall-2
$ chmod +x setup.sh
$ sudo ./setup.sh
$ shutdown now

The script should have no output and exit code 0.

Before booting up the machine, replace the current Adapter 1 with an Internal Network named sw-2.

Add a new Adapter 2 with an Internal Network named sw-3.

Boot up the virtual machine and verify that the configuration was successful by checking the following:

Running hostnamectl | grep 'hostname' should reveal the hostname firewall-2.

Running ip a should reveal IP 192.168.1.253 and IP 192.168.2.254 under the eth0 and eth1 interfaces, respectively.

Demonstration

Functionality

Now that all the networks and machines are up and running, this section will go through a short demonstration of the application.

Begin by starting the application. This can be done by running the following commands at the root of the project repository:

$ cd application
$ mvn clean spring-boot:run

After the application has loaded, start the client with the following commands at the root of the repository:

$ cd client
$ mvn compile exec:java

You are now greeted with the client's login screen. Log in with a user of your choice.

After a successful login, you're now welcomed by the main menu of the client application. Here you can select all the available commands.

Now that you're logged in, create and get a key for the user. Select the first option, Create User Key.

The operation should be successful and the user now has a new (temporary) key to decipher the songs. Press Enter to go back to the main menu.

You can now get a song by selecting option 2, Get User Song. You will now be presented with a list of all the songs owned by the user. Choose a song. The lyrics will be printed on the screen and the song is saved to a file under the resources folder, as indicated in the output.

Go back to the main menu.

You can now add a user to the logged-in user's family. Begin by choosing option 4, Add User to Family. You will be shown a list of available users to add to the family. Pick a user other than yourself and go back to the main menu.

You can now see who is part of your family by choosing option 3, Get User Family. Go back to the main menu.

To listen to the same songs as a family, it is necessary to generate and get a family key. This can be done by choosing option 6, Get User Family Key. Go back to the main menu.

If you select option 2, Get User Song, you will not only have your songs to listen to, but also the songs of your family members. Select one of the songs and go back to the main menu.

It is also possible to remove a user from the family, by choosing option 5, Remove user from family. The list of current family members will be shown, and you can pick a user to remove. Select a user other than yourself. Go back to the main menu and generate a new user key.

Selecting option 2, Get User Song, only lists the current user's songs.

This concludes the demonstration.

Security

Due to the implemented secure channel solution, listening to the network with a packet sniffer only allows the attacker to capture encrypted traffic. This happens in the communications between the database and the application, protected by TLS, and between the application and the client, protected by HTTPS.

A port scan on the database and application servers doesn't reveal any open port. The firewall configuration along with the individual firewall rules implemented in each one of the servers makes it hard for the attacker to exploit processes running on any other ports.

Additional Information

Links to Used Tools and Libraries

Versioning

We use SemVer for versioning.

License

This project is licensed under the MIT License - see the LICENSE.txt for details.

