Secure Login example

The Secure Login example demonstrates the use of the Information Obscurity pattern: it shows how critical system information can be transmitted through an untrusted environment.

Example architecture

The untrusted environment in this example is a web server that serves requests from users of an IoT device. Practical experience has shown that this kind of web server is easy to detect and frequently attacked successfully because IoT devices do not have built-in tools for protection against intrusion and other attacks. Obviously, encryption algorithms must be used in this type of untrusted environment to protect data from being compromised.

In terms of the architecture in these systems, the following objects can be distinguished:

To employ cryptographic protection, the following steps must be completed:

  1. Generate a shared secret between the data source and the information processing subsystem.
  2. Use this secret to encrypt information on the data source side and to decrypt the information on the information processing subsystem side.

Naturally, information protected in this way cannot be compromised at the point of communication.

The Secure Login example contains two entities:

The user authentication process occurs as follows:

  1. The user opens the page localhost:1106 in their web browser.
  2. The Civetweb web server running in the WebServer entity displays the index.html page containing an authentication prompt.
  3. The user clicks the Log in button.
  4. The WebServer entity calls the AuthService entity via IPC to get the page containing the user name and password input form.
  5. The AuthService entity does the following:
    • Uses the Diffie-Hellman protocol to create encryption keys.
    • Creates the auth.html page containing the user name and password input form, and the public encryption key.
    • Transfers the generated page to the WebServer entity via IPC.
  6. The Civetweb web server running in the WebServer entity displays the auth.html page containing the user name and password input form.
  7. The user completes the form and clicks the Submit button.
  8. The code in the auth.html page is executed on the browser side and encrypts data using the XOR cipher.
  9. The WebServer entity calls the AuthService entity via IPC to get the page containing the authentication result by transferring the encrypted data.
  10. The AuthService entity decrypts the data and returns either the result_err.html page or the result_ok.html page depending on the authentication result.

This way, confidential data is transmitted only in encrypted form through the web server. Data transfer occurs through IPC interactions controlled by the Kaspersky Security Module.
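
The exchange in steps 5 to 10, built on the two cryptographic steps listed earlier, as an added example that is not taken from the KasperskyOS example sources. The page states only that Diffie-Hellman and an XOR cipher are used; the group parameters, function names, key derivation (low 512 bits of the shared secret) and sample form string are assumptions made for illustration.

```javascript
// Toy group constructed for this example, not a vetted one: P = 2^521 - 1 (prime), G = 3.
const P = (1n << 521n) - 1n;
const G = 3n;
// Square-and-multiply modular exponentiation on BigInt.
function modPow(base, exp, mod) {
  let result = 1n;
  for (base %= mod; exp > 0n; exp >>= 1n) {
    if (exp & 1n) result = (result * base) % mod;
    base = (base * base) % mod;
  }
  return result;
}
const publicOf = (priv) => modPow(G, priv, P);

// Reject degenerate peer values (<= 1, >= P - 1) before deriving a key from them.
function checkPublic(pub) {
  if (pub <= 1n || pub >= P - 1n) throw new RangeError("bad DH public value");
  return pub;
}

// Shared secret -> 64 key bytes (its low 512 bits, big-endian).
function deriveKey(peerPub, ownPriv) {
  const hex = modPow(checkPublic(peerPub), ownPriv, P).toString(16).padStart(132, "0");
  return Uint8Array.from(hex.slice(4).match(/../g), (h) => parseInt(h, 16));
}

// XOR cipher; refuses input longer than the key so no key byte is used twice.
function xorCipher(data, key) {
  if (data.length > key.length) throw new RangeError("message longer than key");
  return data.map((b, i) => b ^ key[i]);
}

// Step 8, browser: encrypt the form using the public value delivered in auth.html.
function browserEncrypt(serverPub, browserPriv, form) {
  const data = xorCipher(new TextEncoder().encode(form), deriveKey(serverPub, browserPriv));
  return { browserPub: publicOf(browserPriv), data };
}

// Step 10, AuthService: derive the same key and recover the form.
function authServiceDecrypt(browserPub, serverPriv, data) {
  return new TextDecoder().decode(xorCipher(data, deriveKey(browserPub, serverPriv)));
}

// Demo with constructed private values; real ones come from a CSPRNG, fresh per login.
function demo(form = "user=alice&password=s3cret") {
  const [a, b] = [0x1d4f8a2c9e6b3750c1a8f3e7b2d69054n, 0x7c3b9e1f5a2d8046e9b1c4f7a3d5826bn];
  const sent = browserEncrypt(publicOf(a), b, form);
  return authServiceDecrypt(sent.browserPub, a, sent.data) === form;
}
console.log(demo());
```

Only `browserPub` and `data` cross the WebServer entity. Diffie-Hellman on its own does not authenticate the peer, so the public value embedded in auth.html needs integrity protection if the relay is assumed able to alter pages rather than only read them.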

Building the example

The example is built using the CMake build system that is included in KasperskyOS Community Edition.

Files containing the code of the example and build scripts are available at the following path:

/opt/KasperskyOS-Community-Edition-<version>/examples/secure_login

To build and run the example, run the following script:

/opt/KasperskyOS-Community-Edition-<version>/examples/secure_login/cross-build.sh

In this section

Description files in the Secure Login example

Header files of the AuthService entity in the Secure Login example

Implementation of the AuthService entity in the Secure Login example

Header files of the WebServer entity in the Secure Login example

Implementation of the WebServer entity in the Secure Login example

Common header files in the Secure Login example
