##A33 Smart Home System Security Project
- 85720 - Robert-Octavian Popescu
- 85884 - Torben Lammers
- 85885 - Mathias Meuleman
###Acronyms:
- SHS - Smart Home System
- SHD - Smart Home Device
- GW - Gateway (contains a web server)
###Platform and tools used:
- Java 8
- Intellij IDEA Ultimate Edition
- Apache Tomcat 9
- Oracle Virtual Box
- Windows
- CentOS
- fwbuilder
###Security components (src/pt.ulisboa.ist.sirs.project.securesmarthome/): Check + Explain better ! ! !
- AESSecretKeyFactory - provides AES-128b key
- Cryptography - encrypt/decrypt with AES-128b in CBC/ECB mode
- DHKeyAgreement - Diffie-Hellman key exchange algorithm
- SecurityManager - check timestamp for freshness
- GatewaySecurity - authenticate SHD and send IV (encrypted with AES-128b in ECB mode) for CBC encrypt/decrypt
- SHDSecurity - authenticate GW
- Web Application + Authentication + SSL\TLS with Self-signed Certificate (in webserver/)
###GW (src/pt.ulisboa.ist.sirs.project.securesmarthome.gateway/):
- GW will act as server, which will open a socket and wait for a connection
- Setup: Run > Edit configurations > (+)Add new configuration > Application > Main class:
pt.ulisboa.ist.sirs.project.securesmarthome.gateway.GatewayMain
Set -> Program arguments: ABCDEFGHIJKLMNOP
Rename it -> Name: GW
###SHD (src/pt.ulisboa.ist.sirs.project.securesmarthome.smarthomedevice/):
- SHD will act as client, which will connect to the GW socket start communication
- Setup: Run > Edit configurations > (+)Add new configuration > Application > Main class:
pt.ulisboa.ist.sirs.project.securesmarthome.gateway.SHDMain
Set -> Program arguments: lightBulb
Rename it -> Name: SHD
###TEST GW <-> SHD in Intellij IDEA (having done the above setup for both the GW and SHD):
- Run GW application (this will wait for a client - SHD to connect to it)
- Run SHD application (will connect to the socket open by the gateway) as a light bulb (configure arguments properly)
- The key agreement and authentication should be done before data is transmitted over the channel
###TEST GW <-> SHD using the jars (CMD - Windows machine):
- Run GW.jar with apriori key of the light bulb:
java -jar GW.jar ABCDEFGHIJKLMNOP
- Run SHD.jar simulating a light bulb:
java -jar SHD.jar lightBulb
###Web Application Module (webserver/):
- Install apache server
- I got this one: 32-bit/64-bit Windows Service Installer
- After install add it to Intellij: Settings > Application Servers (choose path where installed)
- Run > Edit configurations > (+)Add new configuration > Tomcat Server > Local
- Fix artifacts: In the same window go to Deployment > (+)Press Add > Artifact...
- In Server window in On "Update" action > Update classes and resources
###TEST User <-> GW <-> SHD:
- At the moment this feature is not implemented (time consuming to implement the connection)
- Main idea of the implementation would be that:
-> User inputs and adds on web interface SHD's name (lightBulb) and apriori key ('ABCDEFGHIJKLMNOP')
-> JavaScript will invoke a method from the Gateway jar with SHD's apriori key
-> JavaScript will invoke a method from the SHD jar with SHD's name
-> The incoming data from SHD to the GW will be displayed on the web interface -> User can interact with the SHD through the GW
###Authentication on Web Application:
- Check authentication servlet class: AuthServlet
- Configure\Copy tomcat-users.xml in:
C:\Program Files\Apache Software Foundation\Tomcat 9.0\tomcat-users.xml - Configure web.xml to invoke servlet (Already in project, no need to copy in tomcat path)
- Run the server: You will be prompted for user and password (use one in tomcat-users.xml)
###SSL/TLS with Self-Signed Certificate:
- Generated a self-sign certificate using java keytool (generated .keystore)
- Copy .keystore in your user home path:
C:\Users\YourUserName - Configure\Copy server.xml in:
C:\Program Files\Apache Software Foundation\Tomcat 9.0\server.xml - Configure the server before running:
Run > Edit configurations > Tomcat Server > Tomcat Server > Server:
-> Open browser: https://localhost:8443/
-> HTTPs port: 8443 - Run the server: Because it is a self-signed certificate it will say that is not secure. Problem will be solved if the certificate is signed by a certified authority.
###Firewall (firewall/):
- group33-firewall.fwb has been created using fwbuilder in CentOS.
- Contains rules for resolving DoS attacks such as: TCP SYN flooding, TCP "Christmass Tree" packets, IP Fragments packets.
- Moreover, it has rules regarding remote access to the GW and SHDs.
- The firewall is intended to be installed on the router in our SHS, meaning that it has not been tested.
###Conclusion: The security components developed in this project cover several aspects of the course. Some components specified in the proposal (e.g. NIDS) may not have been implemented. Additionally, some of the components have been implemented and tested on virtual machines in Oracle Virtual Box, but not included in this submission.