Abstract
The Easy-Learning platform is an online education system developed as an original product of the Department of Applied Electronics and Information Engineering at the University Politehnica of Bucharest. The platform has undergone many changes over the years, growing from a simple project into a complex and efficient virtual learning environment. At this time, the platform has reached a high degree of maturity, obtained by using the Symfony framework, which simplifies many repetitive tasks, enables automatic generation of entities and integrates with other technologies currently in use. To design and implement version 2.0 of the Easy-Learning platform, the following technologies were used: PHP5, JavaScript, HTML5, CSS3, the MariaDB database management system (replacing MySQL from previous versions), RESTful Web services, Android, Apache (as Web server) and methodologies for securing the communication between an application server and a client application. Because of the technology and security issues that arise in older versions of any framework, it was decided to rewrite the platform's PHP code so as to use the Symfony 2 framework. Access to the administrator, tutor and student interfaces is secured with a user name and password, so that unauthenticated users are not admitted. On a server running MariaDB, multiple users may be defined. For security reasons, the root user should be used only for administrative purposes. Each user of the system must have an individual account, consisting of a user name and password. These user names and passwords should not be identical to those used outside the MariaDB system (for example, UNIX and NT user names and passwords). Like MySQL, MariaDB has a complex system of privileges. A privilege is the right to perform a particular action on an object and is associated with a particular user; the concept is very similar to permissions on files.
When users are created in MariaDB, they are assigned a set of privileges that specifies the actions they can perform in the system. JavaScript scripts are limited by severe restrictions imposed by web browsers: for security reasons, JavaScript cannot read, write, create or delete files on the hard disk. In terms of security, PHP provides developers with a flexible and efficient set of safety measures. The open-source development of PHP led to its rapid adaptation to the needs of the Web and to efficient and secure code. PHP 5.5 (2013) and 5.6 (2014) are stable versions that include fixes for security issues. Twig is a templating system for PHP. Among the advantages of using it is its security function: Twig has a sandbox mode used to evaluate code, so it can be used as a templating language where users are allowed to perform design actions. Among the recent improvements made to the Easy-Learning platform are rewriting the PHP code so that the Symfony 2 framework structure can be used, and securing the authentication forms and private sections with an SSL certificate. Symfony 2 allows passwords to be encrypted using different algorithms, such as MD5, SHA1, SHA512 and bcrypt. The bcrypt algorithm is a key derivation function for passwords based on the Blowfish cipher. Besides using a salt to protect against precomputed dictionary attacks (rainbow tables), it is an adaptive function: over time, the number of iterations can be increased to make recovering the password more difficult. The bcrypt encryption algorithm used for passwords in Symfony 2 is presented. Because the platform works with personal data, this data must be sent to the server through a secure protocol to prevent attacks such as Man in the Middle or data theft. To demonstrate the implementation of this requirement, SSL (Secure Sockets Layer) certificates generated on the development server were used.
This means that, when accessing the Easy-Learning platform, the browser displays a warning indicating that the SSL certificate was not issued by a certificate authority. Porting the new version of the platform to the production server introduced a valid certificate. The sections for which introducing the HTTPS protocol was considered appropriate are: the login page, the admin interface, the tutor interface and the student interface. Communication via HTTPS relies on a (public key, private key) pair: the data entered in the form is encrypted using the public key and sent to the server, and the server, using the private key, can decrypt and extract the contents of the data sent. The procedures for securing a specific page in Symfony 2 and the entire admin interface are presented. In order to test the platform for vulnerabilities, Acunetix Web Vulnerability Scanner 8 was used. With this tool, the following vulnerability classes were tested: SQL Injection, XSS, Trojan Script, Week_Password_Basic_Auth, CRLF Injection, PHP Code Injection and CSRF. The results obtained by running this tool are presented. The recent contributions to the Easy-Learning platform include the creation of a RESTful web service that external applications can use to access public and private information, based on a token generated for each student by its authentication service. In the future, it is intended to add an external caching system such as Varnish.
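To illustrate the bcrypt properties described above (a random salt embedded in each hash and an adaptive cost that can be raised over time), here is an added example in plain PHP 5.5+; it is not code from the paper or the Easy-Learning platform, and the cost values 10 and 12 are assumed rather than the platform's configuration.

```php
<?php
// Added example (not from the paper or the Easy-Learning code base): bcrypt via
// PHP >= 5.5 password_hash()/password_verify(), the primitives Symfony 2's bcrypt
// encoder builds on. Cost values 10 and 12 are assumed, not the platform's config.

// password_hash() draws a random salt and embeds salt + cost in the result.
function hash_password($plain, $cost)
{
    return password_hash($plain, PASSWORD_BCRYPT, array('cost' => $cost));
}

// Salt and cost are parsed back from the stored string during verification.
function verify_password($plain, $stored)
{
    return password_verify($plain, $stored);
}

// Adaptive part: when the configured cost is raised, an existing hash is
// upgraded on the next successful login; returns [ok, hash to persist].
function login_and_upgrade($plain, $stored, $current_cost)
{
    if (!password_verify($plain, $stored)) {
        return array(false, $stored);
    }
    $opts = array('cost' => $current_cost);
    if (password_needs_rehash($stored, PASSWORD_BCRYPT, $opts)) {
        $stored = password_hash($plain, PASSWORD_BCRYPT, $opts);
    }
    return array(true, $stored);
}

// Each +1 on the cost doubles the work for attacker and server alike.
function hash_seconds($plain, $cost)
{
    $t = microtime(true);
    hash_password($plain, $cost);
    return microtime(true) - $t;
}

$pw = 'correct horse battery staple'; // constructed sample password
$h1 = hash_password($pw, 10);
$h2 = hash_password($pw, 10);
printf("salted (same password, different hashes): %s\n", $h1 !== $h2 ? 'yes' : 'no');
printf("stored prefix (algorithm and cost): %s\n", substr($h1, 0, 7));
printf("verify correct: %d, verify wrong: %d\n", verify_password($pw, $h1), verify_password('guess', $h1));
list($ok, $h3) = login_and_upgrade($pw, $h1, 12);
printf("login ok: %d, cost after upgrade: %s\n", $ok, substr($h3, 4, 2));
printf("cost 10: %.3fs, cost 12: %.3fs\n", hash_seconds($pw, 10), hash_seconds($pw, 12));
```

In a real deployment the re-hashed value returned by login_and_upgrade() must be written back to the users table, which this example omits.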