Security Basics mailing list archives

Re: Security for grades stored online


From: Aarón Mizrachi <unmanarc () gmail com>
Date: Fri, 11 Dec 2009 00:41:10 -0430

On Wednesday 09 December 2009 11:57:58 Eitan Adler wrote:
> I will be coding a system for a university in which teachers will be
> able to enter grades into a web based form. The grades will then be
> stored in a database and used by the university to supply the final
> transcript.
> This system is obviously a target for people wishing to change their
> grades. While I intend on coding securely and keeping the servers
> secure (no access from the internet and such) I (and the university)
> would like a security guarantee that is similar to that of teachers
> manually handing in grades. My thought was to create a hash of the
> names & grades which the teacher could print out and hand in to the
> main office. This hash (one per class) could be verified against the
> hash that is generated when the grades are viewed by the
> administration. This reduces the amount of work required to verify
> that the grades have not been changed and (I think) without reducing
> the security of the grades.
>
> Is this true? Can you find any flaws or implementation "gotchas" that
> I should be aware of?

Hi Eitan.

I think that is a good idea, but one of the main problems with hashes is
the generation and comparison. A hacker could carry out some types of attacks:

- Generation: Changing the source code that usually makes the hash so that it
prints an invalid hash when inserting scores.
- Comparison: Changing the source code that generates the hash so that it
produces the pre-printed hash, but with a different grade.

This can be done in two ways:
- Man in the middle attack (network access required)
- Modifying the source code (requires access to the operating system)

Additionally, another factor to consider is the possibility that a hacker
destroys the data.

-----------------

Preventing data modification between the server and the teacher's eyes is a very
difficult task.

-----------------------------------------------

PKI could be the solution.

For example, you could install one digital certificate per teacher and write
an application resident on the teacher's computer to digitally sign the grades.

This application sends the grades to a web service and saves them with their
digital signature in a database.

Validation may occur at the end point (think of FireGPG ;-) or similar), and
if someone changes something (hash or data) in the network or in the
database, the digital signature will not be OK.

Furthermore, you can improve it with:

- Save data on non-rewritable media, in addition to the database (e.g. a
multisession DVD and/or a printer attached to the server)
- Security hardening of the operating system and the source code
- Security hardening of teacher computers... (very important). For extreme
security you can deploy an encrypted live CD per teacher with the teacher's
certificate and application, in order to prevent certificate stealing and/or
application hacking.
- Declaring web-related files (php, asp, jsp, whatever) immutable and
read-only.
- Securing web service connections with SSL... SSL must have valid digital
certificates for the server and the clients.

------------------

I understand that live CDs do not get automatic updates of the operating
system, but most attacks will be prevented with a minimalistic OS
installation, strong security policies, and periodic updates each time a
serious security vulnerability affects libraries involved in data communication
(e.g. libssl vulns, kernel TCP stack vulns, ...).




-- 
Ing. Aaron G. Mizrachi P.    

http://www.unmanarc.com
T: + 58 416-6143543
BBPIN: 0x 247066C1
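The per-teacher signing scheme the reply proposes, as an added example that is not part of the original thread or of any project mentioned in it: a Go program that renders a grade sheet into a canonical byte string, signs it on the teacher's side with the teacher's private key, and verifies it at the registrar with the enrolled public key, so that a grade or signature altered on the network or in the database fails verification. The `GradeSheet` layout, the student and teacher identifiers, and the use of raw Ed25519 keys in place of X.509 certificates are assumptions made for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
	"sort"
	"strings"
)

// GradeSheet is one class's grades as entered by a teacher (hypothetical layout).
type GradeSheet struct {
	Course, Teacher string
	Grades          map[string]string // student id -> grade
}
// canonical renders the sheet as deterministic bytes (fixed field order, students
// sorted) so equal data always yields the same signed message. Course and teacher
// are bound in so a signed sheet cannot be replayed for another class or signer.
func canonical(s GradeSheet) []byte {
	ids := make([]string, 0, len(s.Grades))
	for id := range s.Grades {
		ids = append(ids, id)
	}
	sort.Strings(ids)
	var b strings.Builder
	fmt.Fprintf(&b, "course=%s\nteacher=%s\n", s.Course, s.Teacher)
	for _, id := range ids {
		fmt.Fprintf(&b, "grade:%s=%s\n", id, s.Grades[id])
	}
	return []byte(b.String())
}

// Sign runs on the teacher's machine with the teacher's private key.
func Sign(priv ed25519.PrivateKey, s GradeSheet) []byte {
	return ed25519.Sign(priv, canonical(s))
}

// Verify runs at the registrar with the teacher's enrolled public key; any change
// to the stored grades or to the stored signature makes it return false.
func Verify(pub ed25519.PublicKey, s GradeSheet, sig []byte) bool {
	return ed25519.Verify(pub, canonical(s), sig)
}
func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // constructed per-teacher key pair
	sheet := GradeSheet{Course: "CS101", Teacher: "t-0042", // constructed sample data
		Grades: map[string]string{"s-1001": "B", "s-1002": "A"}}
	sig := Sign(priv, sheet)
	fmt.Println("stored sheet verifies:", Verify(pub, sheet, sig))
	sheet.Grades["s-1001"] = "A" // grade altered in the database after signing
	fmt.Println("altered sheet verifies:", Verify(pub, sheet, sig))
}
```

The signature is computed over the canonical bytes, not over the hash the teacher would print, so the registrar never has to trust the server-side code that generates or compares hashes.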
