Project 3 - Network Security

Due - Tuesday, December 20, 2005

For this project, you are going secure the communication between the Time/Date Client and Server you implemented for Project 1. To enable this functionality, you will implement a Certification Authority (CA) that will provide certificates to entities that can be authenticated using a password authentication scheme. Both your client and server will contact the CA, provide a password, and receive a certificate (if the password is correct). The certificates will then be used to perform mutual authentication between client and server and enable secure communication using SSL.

Algorithms

Following are the core pieces of the algorithms for the CA, Client, and Server. These fragments are meant to give you a base from which to work. However, they do not include many integral pieces such as the user interface or error checking.

CA Algorithm
  1. Accept secure connections from clients/servers -- do not require client authentication
  2. Authenticate client/server using password -- usernames/passwords can be sent in plaintext and compared against a hard-coded database
  3. Receive public key from client/server
  4. Generate certificate using public key and CA private key
  5. Return certificate to client
Server Algorithm
  1. Connect to trusted CA
  2. Send username/password to CA
  3. Send public key to CA
  4. Receive certificate from CA
  5. Wait for client to open secure connection
  6. Require client authentication
  7. Allow client to request time/date
  8. Send response
Client Algorithm
  1. Connect to trusted CA
  2. Send username/password to CA
  3. Send public key to CA
  4. Receive certificate from CA
  5. Request secure connection to server
  6. Request time/date
  7. Receive/display response
Offline Tasks
  1. Generate public/private keys for CA, Client, and Server
  2. Generate CA certificate and export to file
  3. Import CA certificate into keystore of Client and Server

Implementation Specifics

Following are the core pieces of Java you will need to use to implement this project. The Java API will undoubtedly be very helpful.

Tools Required
  1. BouncyCastle - You will need to download BouncyCastle from http://www.bouncycastle.org/latest_releases.html. Download bcprov-jdk15-130.jar and make sure this jar file is in your classpath.
  2. keytool - A command line tool used to generate keys and certificates and import certificates into keystores. You should use this tool for the offline tasks.
    Key Generation Example - keytool -genkey -alias CAcert -keyalg RSA -keysize 1024 -validity 9999 -keystore keystores/ca.ks
    Certificate Export Example - keytool -export -alias CAcert -keystore keystores/ca.ks -file keystores/exported.crt
    Certificate Import Example - keytool -import -keystore keystores/client.ks -alias CAcert -file keystores/exported.crt
    Note that once you export a certificate into a file (e.g., exported.crt), you can copy that file onto any computer and import it there using the -import flag.
Packages Required
  1. javax.net.ssl - secure socket classes
  2. java.security, java.security.spec, java.security.cert - security framework classes (keys, certificates, etc)
  3. org.bouncycastle.x509, org.bouncycastle.jce, org.bouncycastle.asn1 - implementation of certificate generation
Classes Required (not fully inclusive)
  1. KeyStore - load manually created keystore file into KeyStore object
  2. KeyManagerFactory - factory class initilized with the KeyStore, used to create KeyManagers
  3. KeyManager - manages key material used by sockets to authenticate local host to remote
  4. TrustManagerFactory - factory class initialized with KeyStore, used to create TrustManagers
  5. TrustManager - manages trust material used to decide whether remote host credentials (certificate) is trusted
  6. SSLContext - context initialized with appropriate Key/TrustManagers, used to create socket, use "TLSv1" as protocol
  7. SSLSocketFactory/SSLServerSocketFactory - factory, created from appropriate SSLContext, used to crate SSLSocket/SSLServerSocket
  8. SSLSocket/SSLServerSocket - socket used for secure communication
  9. PublicKey/PrivateKey - can be retrieved from Certificate
  10. Certificate - can be retrieved from KeyStore or generated using CertificateFactory
  11. CertificateFactory - generates a Certificate from an InputStream, use "X.509" as type
  12. X509Certificate - specific implementation
  13. SecureRandom - secure random number generator, use "SHA1PRNG" as algorithm
  14. Security - use addProvider to add the BouncyCastle provider
  15. X509EncodedKeySpec - used when generating PublicKey object from an array of bytes
  16. KeyFactory - used to generate a PublicKey object from an X509EncodedKeySpec, use "RSA" as algorithm
  17. X509V3CertificateGenerator - CA uses this class to create a certificate, example follows:
    //Assumes following variables:
    //name (String): distinguished name (DN) of requester, requester should retrieve DN from certificate and send to CA
    //cacert (X509Certificate): certificate of CA
    //pubkey (PublicKey): requester's public key
    //privkey (PrivateKey): CA's private key
    X509V3CertificateGenerator gen = new X509V3CertificateGenerator();
    gen.setSubjectDN(new X509Name(name));
    gen.setSerialNumber(new java.math.BigInteger("0"));
    gen.setIssuerDN(new X509Name(true, cacert.getIssuerDN().toString()));
    gen.setSignatureAlgorithm("MD5WithRSA");
    java.util.Date date = new java.util.Date();
    gen.setNotBefore(date);
    date.setTime(date.getTime() + 10L *365 *24*60*60*1000);
    gen.setNotAfter(date);
    gen.setPublicKey(pubkey);
    X509Certificate cert = gen.generateX509Certificate(privkey);
Note: setting the subject and issuer DNs is very tricky (especially using the BouncyCastle implementation). It seems to reverse the DN string unexpectedly. Make sure the name you pass in is in the correct order.

Following is an example -- a secure version of the TCPClient/Server from the text. This should get you started.SecureTCPClient.java SecureTCPServer.java readme.txt

Other Details

You may work in groups of 2-3. For full credit, each group must submit a design document and complete code, and will schedule a demonstration on or before December 20, 2005. Your demonstration will be part of your grade.

I recommend that you break this project into several steps. First, start by omitting the CA and focusing on steps 5-8 of the Server and 5-7 for the Client. You can do this by using keytool to manually generate, export, and import keys and certificates for your Client and Server. Once the certificates have been manually imported, sercuring communication should be easy. Once you complete this step, save a backup copy of your project. A project that implements only this functionality will be worth a maximum of 70% credit. For full credit, implement the CA and programmatically generate certificates according to the complete specification.

This material is based upon work supported by the National Science Foundation under Grant No. 0416481. Any opinions, findings and conclusions or recomendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the National Science Foundation (NSF).

Sami Rollins