/passwords.briansimoni.com

Golang web application for password management

Primary LanguageJavaScript

CMSC 413 Final Project

Simoni Passwords

Simoni Passwords is a web application designed for secure storage of secret information, specifically passwords. At the time of this writing, the project is deployed to https://passwords.briansimoni.com/

Design Overview and architecture Diagram

architecture

Operating System

The application is cross platform ready, but the current production build is deployed on an Ubuntu 16 Linux instance on Amazon Web services Elastic Compute Cloud. Amazon is configured to block all traffic except for ports 443, 80, and 22. (http later is force upgraded to https). The application files themselves are protected with basic Linux file system permissions. The master key has a permissions of 400 and is owned by the “Jenkins” user.

Database

The database choice is MySQL and follows a fairly basic security setup. Remote connections are not allowed, and users have only the necessary permissions. Application code utilizes prepared statements to prevent SQL Injection

Web Server

Apache2 is used as the public facing web server. It will handle all of the connections to ports 80 and 443, and then act as a reverse proxy to the application running on port 8888. Apache also enforces https by automatically redirecting connections to port 80 to port 443.

Server Side Application Code

The application itself is written in Go (https://golang.org/) - an upcoming language created by Google. Go is a compiled, strongly typed language ideal for web, distributed, and concurrent applications. It is additionally garbage collected and safe from buffer overflow attacks since it performs bounds checking. When a user signs up for the application, the bcrypt library is utilized to hash the password with a random salt and add additional computational overhead to prevent viable computation of things like rainbow tables. When users try to authenticate, it will simply hash the provided password and compare the hash to the one stored in the database. Encryption is done with AES-256. Both the user’s application names and secrets are encrypted. At no point in time are secrets ever stored in plaintext on persistent storage. Sessions are also encrypted with the same algorithm.

Continuous Integration

To speed up the development process, the Jenkins continuous integration server is utilized for automatic deployments. Whenever a developer makes a code commit to the Github master branch, a new build is triggered. Jenkins will automatically fetch the latest code, compile, and run the application.

End user security and experience

The web application provides a sleek design that is responsive to both desktop and mobile phone screen sizes. Since it is on the public internet, it is always at a convenient location for users on any device. On the client side, there is basic form validation to prevent the user from submitting bad requests. It also enforces a strong password, and provides helpful messages when appropriate. All connections made are https to prevent eavesdropping attacks. When adding new passwords, users also have an option to automatically generate a strong password.

Local Application Setup

Requirements

  • Golang installed
  • MySQL installed locally o MySQL database created with the name SimoniPasswords and appropriate tables
  • Add a master password file

Once you have met the requirements, you can compile with either go build or go install

Recommendation for Grading

Since this project uses non-standard technologies and it may be difficult to compile and run locally, you can always access the source code at

https://github.com/briansimoni/passwords.briansimoni.com

and the application is

https://passwords.briansimoni.com/

You can email any questions to me at simonibc@vcu.edu