Skip to content

Implementation

Jump to bottom
David Fialho edited this page Jan 4, 2017 · 18 revisions

What did we use to implement Group Bank and why?

Web Technologies

Group Bank is a web application developed using the Django Web framework. We chose Django for four reasons: first, easy of development, we were already familiar with the framework and we felt very comfortable using it; second, its extensive and detailed documentation; third, it is fast; and fourh, security, Django provides some functions that help developers avoid many common security mistakes, such as SQL injection, cross-site scripting, cross-site request forgery and clickjacking. In part we also chose Django because we wanted to develop with Python and Django is the de facto standard Web framework for Python. Python is a very articulated language that allows for easy development and quick deployment.

Security technologies

Our communication protocol is based on two standard technologies: RSA and TLS. RSA is used to authenticate the users and to sign records such as an Invite or an UOMe. TLS is used to encrypt the communication between each component in the system. Since all communication is made using the HTTP protocol, we may refer to the pair as HTTPS.

TLS/HTTPS

HTTPS is the standard protocol used in every web application.

RSA (Rivest-Shamir-Adleman)

RSA is an asymmetric cryptosystem. It uses two different but mathematically linked keys, one public and one private. The public key can be shared with everyone, whereas the private key must be kept secret. In RSA cryptography, both the public and the private keys can encrypt a message; the opposite key from the one used to encrypt a message is used to decrypt it. This attribute is one reason why RSA has become the most widely used asymmetric algorithm: It provides a method of assuring the confidentiality, integrity, authenticity and non-reputability of electronic communications and data storage. Here we use RSA for two different purposes: authentication and non-repudiation.

RSA signing and verifying

Used cryptographic protocols

  • HTTPS: all the involved communications use HTTPS to encrypt the traffic. In this way, confidentiality of the exchanged information is ensured and man-in-the-middle attacks are prevented. HTTPS provides also protection against replay attacks (TODO: all kind of replay attacks? Should I describe the mechanisms used? Can't find any information)
  • RSA: algorithm used to generate asymmetric key pairs of 2048 bits. Asymmetric keys are used for authenticating messages sent by the involved entities by means of signatures. To protect the integrity of the signatures an hashing algorithm (TODO: SHA2?) is used to hash the signed message.

As mention in the Protocol the communication between the client an both the group and main servers is always secured using HTTPS. section

  • Django
  • Python
    • memory safe
  • RSA
    • cryptographic library
    • how do we sign
  • Desktop application
    • native application
    • removes all security issues relative to javascript and a browser
  • HTTPS
  1. Problem and Solution Concept
  2. Introduction
  3. Usage Scenario
  4. What are groups?
  5. Architecture
  6. Goals and Principals
  7. Keeping Information Private
  8. User Authentication
  9. Non-Repudiation
  10. Protocol
  11. User Registration
  12. Group Server Registration
  13. Managing UOMes
  14. Other Requests
  15. Implementation
  16. Web Technologies
  17. SQL Injection
  18. Security Technologies
  19. TLS/HTTPS
  20. RSA
  21. Client application
  22. Request Formats
  23. Main/Group Server Setup
  24. Proxy Server Setup
Clone this wiki locally