jm4c / sec-file-server Goto Github PK

In fs-server.sec.filesystem.ImplementationBlockServer
line ~140

Currently, this DemoApp doesn't work for smartcards.
It would be nice to add support for these, but it might require some reading into how to safely swap smartcards (so far, every attempt at a solution results in a CKR_DEVICE_REMOVED exception)

I am leaving this as an enhancement, since time is off the essence, and there are more things to solve.

The second functionality will require you to add two new RPCs between the client
and the block/key server. The first RPC (called storePubKey) passes a digital
certificate as an argument and stores it in the key server, returning only an
acknowledgement. The second RPC (called readPubKeys) has no arguments and
returns a list of public keys present in the server.

Test for remote certificate.

eIDlib_PKCS11.isCertificateValid(X509Certificate) in fs-utils must throw ANY exception inside.

Not finding the certificate from the certification authority is acceptable.

Replicate the server, without implementing the algorithm from the book.
This will involve starting N server replicas instead of a single one, and replacing the client
to server communication with a loop that repeats each communication step N times.

Implement the protocol optimizations that reduce the number of replicas
required for content-hash blocks.

Same as in stage 1 of the project, except that the file is identified by a public key

Implement the appropriate replication protocol (from the book).

See TODO in file for more details

Alter FS_init( ) to register the public key certificate of the client (present in its smartcard), as stated in the project guide.

Create a protection against replay attacks.

Ideas: Use a challenge.

overleaf project
Write the final report, of up to 4,000 characters, addressing:

• brief outline of the stage 3 design
• explanation of any modifications to the protocols presented in the book, and the rationale behind those modifications
• careful explanation of the dependability guarantees provided, namely in which way and under which conditions can the final implementation of the file system not work as desired.

AS is, some of the code is a bit messy and knee-jerked.
Before the final delivery, it would be nice to try and improve the quality and cleanliness.

Use the following overleaf project as a base if possible, and add/remove content as needed.
https://www.overleaf.com/4748652kgkdrt

note: You don't need an account to edit the file, but one is always useful to save your projects for future use

The first RPC (called storePubKey) passes a digital certificate as an argument and stores it in the key server

As it stands, we are passing and storing Public Keys.
This should be changed before the second milestone

Needs to be created

Transcript from the FAQ:

Make sure the key was generated by a trusted authority. The information about these authorities can be stored in the blockserver.

https://pki.cartaodecidadao.pt/publico/certificado/cc_ec_cidadao/

You can use the Java Certification Path (JCP) library, which is included in the JSE (but there are many alternative libraries; another popular one is the Certification Path library).

Here you find the documentation of the whole JCP library:

http://docs.oracle.com/javase/7/docs/technotes/guides/security/certpath/CertPathProgGuide.html

The most relevant classes are:

• The CertPath Class

• Certification Path Building Classes

• Certification Path Validation Classes

  Note that, to perform the validation, you should store the certificates of the "Entidade de Certificação do Cartão de Cidadão", which you can find here:

  https://pki.cartaodecidadao.pt/publico/certificado/cc_ec_cidadao/

  There are three certificates, which correspond to different versions of the Cartão de Cidadão.

Here you can find also the Certificate Revocation Lists:

https://pki.cartaodecidadao.pt/publico/lrc/

Some publicly available JAVA code examples:

• http://www.java2s.com/Tutorial/Java/0490__Security/Validatecertificate.htm (using the Java Certification Path library)
• http://www.nakov.com/blog/2009/12/01/x509-certificate-validation-in-java-build-and-verify-chain-and-verify-clr-with-bouncy-castle/ (using the Bouncy Castle library)

Implement the new set of dependability tests.

*This issue should be split up into multiple issues at a later date. *
(once we have a better idea of what tests are needed)

Improve the exception handling by:

• making sure to escalate all exception so that they are caught at the same level
• implement split catch rules for the diff. exceptions
• improve the error messages given to the user