| Number | Name | User | |
|---|---|---|---|
| 99276 | Marta Félix | https://github.com/martafelix13 | marta.felix@tecnico.ulisboa.pt |
| 110859 | Luis Marques | https://github.com/oCaramelo | luis.caramelo.marques@tecnico.ulisboa.pt |
| 99221 | Francisco Gil Mata | https://github.com/franciscogmata | francisco.gil.mata@tecnico.ulisboa.pt |
*
This repository contains documentation and source code for the Network and Computer Security (SIRS) project.
The REPORT document provides a detailed overview of the key technical decisions and various components of the implemented project. It offers insights into the rationale behind these choices, the project's architecture, and the impact of these decisions on the overall functionality and performance of the system.
This document presents installation and demonstration instructions.
To see the project in action, it is necessary to setup a virtual environment, with 2 networks and 4 machines.
The following diagram shows the networks and machines:
All the virtual machines are based on: Linux 64-bit, Kali 2023.3
- Download VirtualBox at Virtual Box official website;
- Install VirtualBox following instructions from the manual;
- Create a new Virtual Machine following the Kali inside VirtualBox tutorial;
- Install Kali Linux inside the VM, following the Kali Setup tutorial.
Clone the base machine to create the other machines.
- Make sure that the machine about to be cloned is powered off
- Select the machine with the right button of your mouse and click Clone
- Select the name you want to give to the new machine (we suggest using the names gives above to simplify the experience)
- MAC Adress Policy: Generate new MAC addresses for all network adapters
- Select Linked Clone
| # Interface | Subnet | Adapter | Adapter name | Gateway | |
|---|---|---|---|---|---|
| API | |||||
| 1 | 192.168.0.100 | eth0 | sw-0 | 192.168.0.10 | |
| 2 | 192.168.1.100 | eth1 | sw-1 | - | |
| DMZ | |||||
| 1 | 192.168.0.10 | eth0 | sw-0 | - | |
| 2 | 192.168.2.10 | eth1 | sw-2 | - | |
| 3 | 192.168.3.10 | eth2 | sw-3 | - | |
| 4 | INTERNET | eth3 | - | - | |
| DB: | |||||
| 1 | 192.168.1.101 | eth0 | sw-1 | - | |
| 2 | 192.168.3.101 | eth1 | sw-3 | 192.168.3.10 | |
| Client: | |||||
| 1 | 192.168.2.11 | eth0 | sw-2 | - |
The promiscuous mode of the internal networks should be changed to 'Allow VMs'.
Note: The DB machine has a default gateway only for bootstrap purposes.
For each machine, there is an initialization script located within the folder named 'setup'. The script is named with the machine's name, prefixed with 'set_' and suffixed with '.sh'. This script installs all the necessary packages and performs all required configurations on a clean machine.
To the VMs where it is necessary to define firewall rules, there is a file inside the 'setup' folder named 'set_firewall.sh'.
Inside each machine, use Git to obtain a copy of all the scripts and code.
As the 'DB' machine does not have internet access by default, it is necessary to copy the repository into this machine. To install its dependencies, the default gateway for this machine is set as the DMZ machine, which has a NAT adapter. Once the dependencies are installed, we remove the gateway with '$ sudo route del default'.
Some machines need the DMZ machine to access the internet, so it should be the first one to be configured.
Since adding firewall rules may result in some VMs losing internet access, it is suggested to perform the setup on all machines first and only then run the 'set_firewall.sh' file.
$ git clone https://github.com/tecnico-sec/a34-francisco-marta-luis.gitBefore running remember to install the SecureDocument library
$ mvn clean installNext we have custom instructions for each machine.
The Database Machine serves as the host for the SQLite database and operates a Java program with a socket that listens for incoming requests from the API Machine. The Java program processes these requests, interacts with the SQLite database, and sends formatted responses back through the same socket channel.
To setup the machine:
Navigate to the root of the project
$ cd a34-francisco-marta-luisAccess the 'setup' folder
$ cd setupGrant permission for the .sh files to be executed
$ chmod +x set_db.sh$ chmod +x set_firewall.shExecute the setup file
$ sudo ./set_db.sh meditrack.sql$ sudo ./set_firewall.shCopy the database to the source (root)
$ cp setup/meditrack.db src/main/java/pt/tecnico/meditrack/Start the Database (root)
$ mvn clean install$ cd Database$ mvn compile exec: javaThe server machine is central to processing client requests, converting them into database queries, ensuring secure communication via client-side secure sockets, and managing HTTPS interactions with the Client, through the DMZ. It handles decryption of incoming client requests, encrypts responses, and employs RSA-based authentication. The software stack includes secure sockets, HTTPS communication, request decryption, response encryption, and robust authentication.
To setup the machine:
Navigate to the root of the project
$ cd a34-francisco-marta-luisAccess the 'setup' folder
$ cd setupGrant permission for the .sh files to be executed
$ chmod +x set_api.sh$ chmod +x set_firewall.shExecute the setup file
$ sudo ./set_api.sh$ sudo ./set_firewall.shStart the Api (root)
$ mvn clean install$ cd ApiMeditrack$ mvn compile exec: javaNote: In the API VM, activating firewall rules restrict communication with the DB. Therefore, it is recommended not to execute the "setup_firewall.sh" file for the API.
To setup the machine:
Navigate to the root of the project
$ cd a34-francisco-marta-luisAccess the 'setup' folder
$ cd setupGrant permission for the .sh files to be executed
$ chmod +x set_dmz.sh$ chmod +x set_firewall.shExecute the setup file
$ sudo ./set_dmz.sh$ sudo ./set_firewall.shThe client machine initiates requests to the server and processes encrypted responses. Its software encompasses a client-side application responsible for sending requests, decrypting received data, and providing users with an interactive experience for request processing and authentication. This introduces an abstraction and a security layer to enhance the project.
To setup the machine:
Navigate to the root of the project
$ cd a34-francisco-marta-luisAccess the 'setup' folder
$ cd setupGrant permission for the .sh files to be executed
$ chmod +x set_client.shExecute the setup file
$ sudo ./set_client.shStart the Client (root)
$ mvn clean install$ cd Client$ mvn compile exec: javaThis is list of usernames in the database for testing functionalities. Note: The input is case-sensitive
-
Patients
- Bob
- Alice
- Charlie
-
Doctors
- Dr.Smith
- Dr.Martins
- Dr.Johnson
- Dr.White
- Dr.Davis
- Dr.Brown
- Dr.Lee
Now that all the networks and machines are up and running, let's go through that main features of the MediTrack Platform
1- First exectute the java script on each machine (Database, Api and Client)
$ mvn compile exec: java2- On the Client Machine you should see this Menu
3- Select what type of Client are you (Patient or Doctor)
4- Enter the name of your Client and the authentication process begins:
-4.1 The Api send the Client and encrypted challenge, with the Client's Public Key
-4.2 The Client recive the and decrypts it with his Private Key
-4.3 The Api check if the challenge was corrected decrypted and authenticates the Client
5- Select and option on the Client Menu and see the results pulled from the database
6- All the communications are protected and unprotected using the Secure Documents Library
This concludes the demonstration.
We use SemVer for versioning.
This project is licensed under the MIT License - see the LICENSE.txt for details.
END OF README