Miguelat.epacios-ii

Full System Architecture

This project intends to develop a content distribution platform and an application that gives the user easy access to that content. The information provided by the system will be contextual to the user's location and will sometimes need to be distributed urgently. This fits scenarios such as airports, train stations and bus interchanges.

The system has been planned as a beacon deployment. These beacons make extensive use of wireless connectivity and can be controlled from a central system (aka a web server). The technology used to communicate with the server will be GPRS, which makes the beacons easy to deploy because they do not depend on a WiFi or Ethernet connection to the Internet.

The beacons, strategically placed around the location to cover the full area, will be responsible for relaying the contents from the centralized web server to the final users, most commonly to their mobile phones and PDAs. This last hop uses Bluetooth, which is free for the user and a widely adopted standard.

To make it easy to find these beacons and retrieve the data they provide, a simple and user-friendly Java application for mobile devices will be developed to handle the full process automatically.



System Specs

Beacons

  • Bluetooth File Server
    • Multiple Bluetooth connections simultaneously. (Optional, depending on the underlying hardware)
    • Maximize bandwidth.
  • Logs for connections and users.
  • Periodic contents updates.
  • Firmware Updates
  • Hour sync.
  • Security.
    • Internal file system encryption.
    • Secure wireless connections.

Client Application

  • Bluetooth file Client
    • Maximize bandwidth.
  • Interface.
    • User Friendly
    • Fast, Responsive and Seamless.

Web Server

  • Beacon Monitor
    • Dynamic beacon configuration.
    • Dynamic beacon contents.
    • Firmware updates
    • Beacon groups synchronized with the same contents/configuration.
    • Logs
      • Beacons: Connections, downloads, updates...
      • Users: Statistics, downloads...
  • Security
    • User sessions.
    • Beacon connections.

Technology

Beacons

GSM/GPRS Modem MTX-65
  • Matrix Electronics GSM/GPRS Modem MTX65, using the Siemens TC65 module.
    • 3.0 firmware revision.
    • 1.7M Flash memory.
    • 400K RAM Memory.
    • Embedded Java applications.
    • Connectivity: GSM, GPRS, 2 serial ports, 1 USB, SPI, I2C, 1 DAC, 2 ADC, 4 GPIO
EZURIO BISM-II Bluetooth Module
  • Laird Bluetooth Intelligent Serial Module - BISM II
    • Bluetooth 2.0
    • Up to 250m in open space.
    • Up to 300kbps bandwidth.
    • Low consumption, maximum at 65mA
    • SPP, OBEX FTP and OBEX PUSH Bluetooth profiles over serial interface.
    • Medical Device.
    • No PCB requirements.

Client Application

Web Server

Security

Beacons

Secure Data Transfer

  • Mode 1.
    • No examination of the server certificate takes place when setting up the connection. The authenticity of the server certificate is not verified.
Mode 1: Customer Root Certificate does not exist.
  • Mode 2.
    • Customer Root Certificate is inside of the module.
    • Command: Switch on Certificate Verification for HTTPS Connections was sent.
    • The server certificate is examined when setting up a connection. Two configurations are valid: the server certificate is identical to the certificate in the module (both certificates are self-signed root certificates), or the server certificate forms a chain with the certificate of the module. The authenticity of the server certificate can thus be verified with the help of the certificate in the module.

Mode 2.1 - Server Certificate and Certificate into module are identical
Mode 2.2 - Server Certificate and Certificate into module are identical

Execution Control

The Java environment on the module supports two modes:

  • Insecure Mode.
    • The device runs any Java application (MIDlet).
  • Secure Mode.
    • Requires a certificate to be present inside the module.
    • The module only runs applications signed by the owner of the certificate it holds.
    • The module only accepts Java Security commands if they are accompanied by the owner's signature. The module checks each command against the public key contained in the certificate.
    • An untrusted mode is enabled to run unsigned applications, but with limited access to the Java API.
How to activate secure mode

Data and Application Protection

In addition to the features provided by the Java security environment, it is possible to prevent use of the File Exchange Module (MES) and so block access to the file system. This requires an X.509 certificate to be present in the module. MES is enabled by default, and a Java Security command must be executed to disable it.

NOTE: The central element of Java Security is the private key. If Java Security is activated and this key is lost, the module becomes unusable, and there is no way to deactivate the security environment, load new MIDlets or run Java Security operations. To prevent problems, it is strongly recommended to secure the private key.

Step-by-Step Creation of a Secure Data Transmission Environment

The steps described here use the tools provided by the Java JDK and the openssl toolkit. For Windows users, using Cygwin for the openssl part is a perfectly valid option.

1.1) Create a Certificate Authority certificate (ourselves, in this case).

  • Certificates with a SHA1 signature are required, since it is the only algorithm supported by Java Security. The "-sha1" parameter must therefore be added to the command in the "Making CA certificate ..." section of the CA.pl file (/usr/ssl/misc/CA.pl). CA.pl with the modification.
  • Open a shell.
  • Run the command:
>perl CA.pl -newca

1.2) Convert the certificate from PEM to DER:

>openssl x509 -in ./demoCA/cacert.pem \
              -inform PEM \
              -out ./demoCA/cacert.der \
              -outform DER

1.3) Do the same for the private key:

>openssl pkcs8 -in ./demoCA/private/cakey.pem \
               -inform PEM \
               -out ./demoCA/private/cakey.der \
               -outform DER \
               -nocrypt \
               -topk8

2) Create the server certificate and the Java Keystore:

>keytool -genkey \
         -alias server \
         -keypass keypass \
         -keystore ./demoCA/customer.ks \
         -storepass keystorepass \
         -sigalg SHA1withRSA \
         -keyalg RSA

NOTE: The "name" field of the certificate is the domain name or the IP address of the server.

3) Create the certificate request for the server certificate:

>keytool -certreq \
         -alias server \
         -file ./demoCA/server.csr \
         -keypass keypass \
         -keystore ./demoCA/customer.ks \
         -storepass keystorepass

4.1) Have the Certificate Authority sign the certificate request:

>openssl ca -in ./demoCA/server.csr \
            -out ./demoCA/server.pem

4.2) Convert the file format from PEM to DER:

>openssl x509 -in ./demoCA/server.pem \
              -inform PEM \
              -out ./demoCA/server.der \
              -outform DER

5) Import the CA certificate and the CA private key into a Java Keystore.

>java -jar setprivatekey.jar -alias dummyca \
                             -storepass keystorepass \
                             -keystore ./demoCA/customer.ks \
                             -keypass cakeypass \
                             -keyfile ./demoCA/private/cakey.der \
                             -certfile ./demoCA/cacert.der

6) Export the private key of the server certificate, which is needed to configure HTTPS on the server:

>java -jar getprivatekey.jar -alias server \
                             -keystore ./demoCA/customer.ks \
                             -storepass keystorepass \
                             -keypass keypass \
                             -keyfile ./demoCA/server_privkey.der

7) Change the format of the server private key to PEM.

>openssl pkcs8 -in ./demoCA/server_privkey.der \
               -inform DER \
               -out ./demoCA/server_privkey.pem \
               -outform PEM \
               -nocrypt
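
The Mode 2 rule from the Secure Data Transfer section, applied to the DER files this procedure produces, as an added example (not part of the original page or of the module's firmware). It uses the workstation's openssl to report whether a server certificate is identical to the module's root, chains to it, or neither; the function names and the demo PKI are constructed for illustration, and the module's own verifier may apply further checks.

```shell
#!/bin/sh
# Added example: classify a server certificate the way Mode 2 describes.
# Usage: classify_server_cert <module_root.der> <server.der>
# Prints identical | chained | rejected; exit status is non-zero for rejected.
classify_server_cert() {
    root_der=$1; server_der=$2
    tmp=$(mktemp -d) || return 2
    # Convert DER to PEM so `openssl verify` can read both files.
    openssl x509 -inform DER -in "$root_der" -out "$tmp/root.pem" 2>/dev/null &&
    openssl x509 -inform DER -in "$server_der" -out "$tmp/server.pem" 2>/dev/null ||
        { rm -rf "$tmp"; echo rejected; return 1; }
    root_fp=$(openssl x509 -in "$tmp/root.pem" -noout -fingerprint -sha256)
    server_fp=$(openssl x509 -in "$tmp/server.pem" -noout -fingerprint -sha256)
    if [ "$root_fp" = "$server_fp" ]; then
        result=identical   # same self-signed root on both sides
    elif openssl verify -no-CApath -CAfile "$tmp/root.pem" \
            "$tmp/server.pem" >/dev/null 2>&1; then
        result=chained     # server certificate is signed by the module's root
    else
        result=rejected    # neither: a module in Mode 2 should refuse this server
    fi
    rm -rf "$tmp"
    echo "$result"
    [ "$result" != rejected ]
}

# Constructed sample input (hypothetical names): a throwaway root, a server
# certificate it signs, and an unrelated root, all written as DER into $1.
make_demo_pki() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo Root" \
        -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=beacons.example" \
        -keyout "$d/server.key" -out "$d/server.csr" 2>/dev/null
    openssl x509 -req -in "$d/server.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
        -CAcreateserial -days 1 -out "$d/server.pem" 2>/dev/null
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Other Root" \
        -keyout "$d/other.key" -out "$d/other.pem" 2>/dev/null
    for n in root server other; do
        openssl x509 -in "$d/$n.pem" -outform DER -out "$d/$n.der"
    done
}
```

Against the files from steps 1.2 and 4.2 the call is `classify_server_cert ./demoCA/cacert.der ./demoCA/server.der`. The check covers the signature chain only; it does not compare the certificate's name field with the server's address.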


Signed MIDlets

Use the tool “jadtool.jar” to sign a Java MIDlet. This program is in the folder “wkt\bin”.

java -jar jadtool.jar \
              -addjarsig \
              -jarfile helloworld.jar \
              -inputjad helloworld.jad \
              -outputjad helloworld.jad \
              -alias keyname \
              -storepass keystorepassword \
              -keypass keypassword -keystore customer.ks \
              -encoding UTF-8
Signing MIDlets
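
A way to confirm on the workstation that the signing step took effect before loading the MIDlet onto a module in Secure Mode, as an added example (not part of the original page or of jadtool). It assumes jadtool writes the standard MIDP 2.0 `MIDlet-Jar-RSA-SHA1` attribute (a base64 RSA/SHA-1 signature over the JAR) and that a PEM copy of the signing certificate is available; the function names and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: check that the MIDlet-Jar-RSA-SHA1 attribute in a JAD is a
# valid RSA/SHA-1 signature over the JAR, made with the key in the given cert.
# Usage: verify_jad_signature <app.jad> <app.jar> <signer_cert.pem>
# Prints valid | invalid | unsigned; exit status is zero only for valid.
verify_jad_signature() {
    jad=$1; jar=$2; cert=$3
    tmp=$(mktemp -d) || return 2
    # JAD attributes are "Name: value" lines; drop CR in case of CRLF endings.
    sig_b64=$(sed -n 's/^MIDlet-Jar-RSA-SHA1:[[:space:]]*//p' "$jad" | tr -d '\r\n')
    if [ -z "$sig_b64" ]; then
        rm -rf "$tmp"; echo unsigned; return 1
    fi
    printf '%s\n' "$sig_b64" | openssl base64 -d -A -out "$tmp/sig.bin"
    openssl x509 -in "$cert" -noout -pubkey > "$tmp/pub.pem"
    if openssl dgst -sha1 -verify "$tmp/pub.pem" -signature "$tmp/sig.bin" \
            "$jar" >/dev/null 2>&1; then
        result=valid
    else
        result=invalid     # JAR changed after signing, or a different key signed it
    fi
    rm -rf "$tmp"
    echo "$result"
    [ "$result" = valid ]
}

# Constructed sample input: a dummy JAR, a throwaway signer certificate and a
# JAD carrying the signature attribute, all written into directory $1.
make_demo_midlet() {
    d=$1
    printf 'constructed stand-in for helloworld.jar\n' > "$d/helloworld.jar"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo Signer" \
        -keyout "$d/signer.key" -out "$d/signer.pem" 2>/dev/null
    sig=$(openssl dgst -sha1 -sign "$d/signer.key" "$d/helloworld.jar" | openssl base64 -A)
    printf 'MIDlet-Name: HelloWorld\nMIDlet-Jar-URL: helloworld.jar\nMIDlet-Jar-RSA-SHA1: %s\n' \
        "$sig" > "$d/helloworld.jad"
}
```

An `invalid` result after a rebuild usually means the JAR was repackaged without re-running the signing command, since the signature covers the exact bytes of the JAR.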

Mobile Application

The application must not make use of any restricted resource such as the file system, external GPRS connections, etc. The only external connections will be Bluetooth-based and transparent to the user, without prompting for passphrases or PIN numbers.

Web Server

The web server will use secure SSL/TLS connections for data transfers with the beacons, so a proper certificate must be created for this communications environment.

In addition, all sessions in the system must be tracked correctly, with the authorization and authentication process properly managed. For this, the mechanisms provided by the ASP.Net environment will be used, which simplifies the work.

Developing Process Quality

Tools

SVN Version Control

MediaWiki Collaborative Documentation

TRAC Bugs and Issue Tracking

Product Quality

Tools

Software

Beacon MTX-65

V0.0.1

svn co http://jde.gsyc.es/users/miguelat/pfc-ii/software/BeaconMTX/tags/V0.0.1/
  • Java driver for EZURIO BISM
  • Bluetooth spam engine implementation.

V0.1

svn co http://jde.gsyc.es/users/miguelat/pfc-ii/software/BeaconMTX/tags/V0.1/
  • XML Configuration files.
  • Web server synchronization.
  • Spammer with statistics.

V0.2

svn co http://jde.gsyc.es/users/miguelat/pfc-ii/software/BeaconMTX/tags/V0.2/
  • Fully compatible with Server V0.2
  • Fully implemented spammer.
  • Software architecture improved.
  • Idle beacon mode implemented.
  • Dynamic friendly name.
  • Dynamic bluetooth engine.

Prototype

svn co http://jde.gsyc.es/users/miguelat/pfc-ii/software/BeaconMTX/trunk
  • File Server.
  • Hot Sites engine.
  • Bluetooth Stats.

DisAids Java App

Prototype

svn co http://jde.gsyc.es/users/miguelat/pfc-ii/software/DisAidsJava/trunk

Working on release 0.1

DisAids Windows CE App

Prototype

svn co http://jde.gsyc.es/users/miguelat/pfc-ii/software/DisAidsCE/trunk

Not started yet.

Museums Java App

Prototype

svn co http://jde.gsyc.es/users/miguelat/pfc-ii/software/MuseumsJava/trunk

Working on release 0.1

Museums Windows CE App

V0.1

svn co http://jde.gsyc.es/users/miguelat/pfc-ii/software/MuseumsCE/tags/V0.1
  • Uses the InTheHand 32Feet.Net bluetooth library.
  • Scans for beacons and shows some text, image and media attached whenever a system beacon is found.

Prototype

svn co http://jde.gsyc.es/users/miguelat/pfc-ii/software/MuseumsCE/trunk

Stopped

Web Server

V0.1

svn co http://jde.gsyc.es/users/miguelat/pfc-ii/software/WebServer/tags/V0.1/
  • Site's Master Page.
  • ASP.Net user database over MySQL.
  • Secure sessions.
  • Contents downloads.
  • Firmware Downloads.
  • Configuration sync with beacons.
    • XML parsing and building.

V0.2

svn co http://jde.gsyc.es/users/miguelat/pfc-ii/software/WebServer/tags/V0.2/
  • Fully compatible with Beacons V0.2
  • Major interface implementation for basic tasks.
  • BUG: The first file upload attempt doesn't work because of bad AJAX usage in ASP.Net. After that, everything goes fine.

Prototype

svn co http://jde.gsyc.es/users/miguelat/pfc-ii/software/WebServer/trunk/
  • Redesign database to add statistics.
  • Add Hot Sites support.

Reference

MTX65 GSM/GPRS Modem

Laird BISM-II Bluetooth Module

Java / JSP

C# / ASP

Additional Software

Articles
