Secured Web Application

Kankan Kumar Roy, 2002

[I became aware of my insecurity with web in May of 2001. I was using an NT server to deploy some  Web Applications for testing. I was unaware of all the security holes IIS http server had. One fine morning, I found none of the web sites were working. One was greeted instead with some silly four letter filths. How could that be done remotely? Analysis of IIS log revealed that this invasion was taking  place for the second time. The first time was in March of 2001. Some one stole ( rather copied) then just developed EDMS. IP belonged to some software company. Our office enquired with them, only to be told that they knew about it. They informed that it was some person who was with them then was responsible and they had already informed FBI. We too posted complaint with NSA.] 

The security hole of IIS is simple, and surely similar security holes are there in each and every web server. All the IIS processes run in WinNT has a default user and is assigned access right to its directories. Some of the Web directories served by IIS may have execute rights. Executable programs may reside in it and be executed by IIS, the output from it sent to requestor as the document. One such directory is CGI-BIN. This directory is finite distance away from MS-DOS shell program which resides in System32, a subdirectory of WinNT. If IIS receives an HTTP request for CGI-BIN to start with but indirectly to MS-DOS shell program in System32, it shall execute the shell program with rest of the http message as its parameter. One can thus write small program remotely to be executed in your machine to change all the access rights of the server, locate TFTP program if any, else write a small script to upload TFTP to CGI-BIN and down load every thing from your WinNT without your knowledge. Further remove all the trace of all the bad deeds. 

[I could trace it because they did not bother to delete the IIS log which they could have done jolly well. Five months later, it was Nimda virus which broke down many sites had the same principle along with others for invading web sites.]  

Can one protect Information in one's Web Server? 

One has no option but must. One has to depend on some web server, some operating system - it so happens that all are distrust worthies. If OS writers wish, they can always down load from my system whenever they want and whatever they want. Any other program vendor also could do the same as long as you use their program and you are wired with internet. One can of course take all the packets going out of one's system through a packet analyzer but what purpose would it serve. Development Computers must not be wired with outside world! Alternatively there should be wrapper around TCP/IP. There should be fixed number of user determined sockets controlled and allocated by the user to its trusted processes. Any process before getting access must show its identity and procure one time use only ticket for the communication ride through a TCP/IP socket. The user should be physically able to monitor TCP/IP usage and log all communication. One learns hard way. It is possible to plug IIS hole. One would like to plug TCP/IP hole. Programs developed by one are one's own property and one may perhaps afford to lose but information one keeps on behalf of others are not one's property and that can not be lost( revealed) while existing in one's system or on its way because of some security holes in OS, TCP/IP, Web Server or DBMS. 

[The driver used for security and encryption function in Windows (95, 98, NT, 2000, ME, XP) is ADVAPI.DLL. This is plagued with controversies. CNN report. Techweb report. One may live in pseudo comfort of open system - the security of which may be breached by any device driver or program. Any program can download( or upload) any thing from an internet source (or the host machine) and execute without anyone's knowledge.]

I intended to develop algorithm for secured communication for web applications which do not involve any authority or certification. Algorithms and programs presented here are developed without using any known SDKs - PGP, CryptoApi, JSAFE or JCE. This should be Free (not necessarily without a price tag) development environment without any overseeing authority. This must offer digital security to all. I have developed some document management systems - distributed and otherwise and I wish to extend digital vault security in them. Individuals whoever be him, should be able to keep his document or money (for banks to implement ) secured which no one can ever steal. I wish to extend the technology to live audio video transmission which can be sent all over the world in real time and which no one can interpret except for those who are authorized by the transmitter. A free world society without any overseeing authority. Society as a whole so advanced that individual privacy is impossible to trespass. 

As long as factoring a number is computationally difficult task, asymmetric key encryption devised by Rivet, Shamir and Adelman shall remain popular. This gives independent ability to create asymmetric key by each communicating peer. Servers may store asymmetric key pairs of its clients; one key is encrypted by the client himself which he alone can access. The other key is shared with the Server and others selected by the client. Two un-trust-worthies may communicate via a go between (server perhaps) whom both mutually trust to share their revealed keys. The owner of an asymmetric key pair may reveal one of its keys to another (such as server) with whom he may like to communicate. But this second person does not share this revealed (not public) key with any other. That is a revealed key has to be revealed by its owner alone.

Protocol for safe server-client (rather peer to peer) communication in the absence of Certification from any authority is needed. In other words, a protocol which is not https. Both have their asymmetric key pairs (private, revealed); both generate the symmetric keys for receiving encrypted messages during a session. All the keys remain in server yet not compromised. Passwords are never remembered in any digital store and never travel but remain with its owners physical possession. Session keys remain in Peers' machines during the session. The communication heavily depend on hashing for authentication. Message Hashed and encrypted with asymmetric private key of the message owner is the ownership acknowledgement of the message owner. Hashing algorithm developed may be extended at 32 bits increment whenever required. The hashing algorithm is one way function. This can be used with password to encrypt private key safe storage in server. It was also required to develop a good pseudo random generator which can be used any time and any where. Similarly, a good stream cipher, that can be used in any place and any where, was required to be developed. Symmetric key can be of any size but for no good reason it is not allowed to be greater than half the number of bits in asymmetric key in this test module. One would see later that even one byte symmetric key produces undecipherable message unless one is told before hand the size of the key. In this atmosphere, Bank and its customer are both peer. All this is to create One Free World of equals with freedom of expression, communication and privacy. No one can be exploited; one only gets paid what one deserves; one is allowed to steal but it is impossible to steal. Hopefully, there will be one central distributing agency for this technology. The technology will have distributable components which can run on most browser such as Internet Explorer, Netscape or Opera. Any one interested may license it from the Central agency and be independent there after. 

[Here is one stray thought, why browsers are not written to provide quarantine virtual machine for a session with limited resources (limited volatile memory, limited storage, limited CPU time) for distributable embedded component to execute in it. Component developers can then develop components in any language and translate them for different machines - Intel, Motorola, Alpha etc. Browser running in different machines get distributed component for that machine. Output from the component is the part of the document. The component is activated when the browser comes across it. Advantage is worth noting, it shall not have the disadvantage of slow execution and enormous resource requirement of a Java applet, nor shall it have the complexity of ActiveX COM object development, testing and deployment.]

World Wide Web is not limited by geographical territory. Any application written for World Wide Web can’t be dependent on authorities to provide certification since they necessarily belong to a geographical territory. Nor can that application be dependent on the browser to provide them with adequate security which application demands. The responsibility squarely lies with the application developer to ensure that there are no security holes. All applications developed for Internet today is full of security holes since they depend on browser and server to provide security. Security is demanded by both parties – providers as well as users, client as well as server. Application user would like to store private information and documents which he should be able to access from any where in the world and be assured that no other has access to them. He would like to send messages that no other but the person for whom it is meant can read. Application can be a World Wide Bank, Where users can keep money, withdraw money, transfer money and invest money. Bank would not know the user but the user alone can operate his account any time from any where in the world. The advantage is so over whelming that every bank that has geographical location would like to have World Wide Web Branch that has no location.

Currently, Web applications are designed where the user alone can lose. Hence so much distrust. Credit card details are so often stolen that having a credit card is a liability. There should be scheme where no information can ever be stolen. Secured Information travel within www as a triplet – encrypted information, certified by the owner, decipherable by a unique individual (owner or person identified by the owner). Before any secured information begins journey, the software to make this triplet should arrive at the information owner's site from the receiver (server). This software should be able to run in a browser. There after it can be used for secured communication for a session. Each of this security software should be application specific. Central provider generates this application specific security software for the application developer at his site.

There are two kinds of possible development activity - Security system and Secured application.

One may test out correctness of my algorithms. The result is produced in the next screen. Hash constructed is 160 bits. I may in future devise the algorithm to construct arbitrary number of bits length of Hash. Right now I have an algorithmic scheme to create hash of 32 bits increment. 

The first three metrics are length of message, length of zipped message and length of zipped encrypted message. Compression is done by PKZIP. The length of zipped encrypted message is about 50% higher than the size of zipped message. For the same message and same key length zipped encrypted message length varies about 20%. Increased key size does not necessarily give higher length of zipped encrypted message. Although I try with 189 other prime numbers before selecting 257 ( hex 101), I have not been successful in generating an 'e' of any revealed (public) asymmetric key which is not 257! In case Symmetric key length is 0, the message is encrypted and decrypted without a key!! Any application system can thus have its unique symmetric key encryption algorithm!!!

Please enter the following form