A Secure Online Course Registration System


Group Member:

Steve Liu
Columbia University
New York, NY 10027 USA
sl387@columbia.edu

Abstract

This secure online registration system is implemented by integrating the Apache httpd server (Apache 1.2b10) with Eric Young's SSLeay (a free implementation of Netscape's Secure Sockets Layer, the software encryption protocol behind the Netscape Secure Server and the Netscape Navigator browser; see the SSLeay and SSLapps FAQ for details), the Netscape browser and a Sybase SQL database. Electronic signatures of instructors, etc. are used to replace the current handwritten approval signatures.

The system is based on a Sybase database that checks student authorization for specific courses, tracks the number of credits taken and the number of students enrolled in a course, and checks for time conflicts. Instructors are presented with a list of students that require approval, with the ability to see the courses they have taken so far. The instructor is told by email that students await his/her approval. Instructors should also be able to check enrollment.

The system can be accessed by students and instructors via the WWW and used to replace the current registration system. The system has the following functionality:

For student:

For instructor:

The instructor is told by email that students await his/her approval. The email gives the instructor the prerequisite course information if the student has not taken the prerequisite courses. Instructors are able to check the list of students that require registration approval and to track student course information, such as the other courses the student has registered for in the current term, possible time conflicts, and the number of students enrolled in his/her course. Students are informed by email about the status of their registration requests.

The application specifications are as follows:

  1. Intranet level access;
  2. Query and transaction combination;
  3. Processing on both client and server side;
  4. Security: passwords, permission, encryption.

Introduction:

Digital IDs use public key encryption techniques that use two related keys, a public key and a private key.

In public key encryption, the public key is made available to anyone who wants to correspond with the owner of the key pair. The public key can be used to verify a message signed with the private key or encrypt messages that can only be decrypted using the private key. The security of messages encrypted this way relies on the security of the private key, which must be protected against unauthorized use.

In a Digital ID, a key pair is bound to a user's name and other identifying information. When installed in a web browser, a Digital ID functions as electronic credentials that sites can check. This enables Digital IDs to be used in place of password dialogs for information or services that require membership or restrict access to particular users.

See the following flow graph:

Tools

Sybase SQL Server, Apache httpd 1.2b10 server, Netscape browser (3.0 or higher), SSLeay_0.6.6 (the latest version), C.

Platform

The system was built to run on Solaris.

The Design Architecture

 HTTPS                     HTTPS                      DB
Client                     Server                    Server
------                     ------                    ------
|    |                     |    |                    |    |
|    |                     |    |                    |    |
|    | <-CGI-><- Network ->|    | <-CGI-> <-Network->|    |
|    |                     |    |                    |    |
|    |                     |    |                    |    |
|    |                     |    |                    |    |
------                     ------                    ------


This diagram assumes the HTTPS client and server are on different machines and that the user is accessing the database from the client machine. Database queries travel across the network and are submitted to the database server by calling the Sybase Open Client API; the results are retrieved, returned across the network, and handed to the CGI program for return to the HTTP client. The network in this case is a TCP/IP network between UNIX boxes and an Internet connection. The HTTP server must be configured to allow CGI access.

Implementation

  1. Designed the forms needed for the interface according to the application specification and the database design
  2. Designed the database, which should be consistent with the interface forms
  3. There are four tables in this system. They are as follows:
    
    CREATE TABLE STUDENT (
        SName   VARCHAR(26) NOT NULL,
        SID     CHAR(9)     NOT NULL,
        Passwd  VARCHAR(11) NOT NULL,
        Dept    CHAR(2),
        Email   VARCHAR(30),
        PRIMARY KEY (SID)
    )

    CREATE TABLE PROFESSOR (
        PName   VARCHAR(26) NOT NULL,
        PID     CHAR(9)     NOT NULL,
        Passwd  VARCHAR(11) NOT NULL,
        Dept    CHAR(2),
        Email   VARCHAR(30),
        PRIMARY KEY (PID)
    )

    CREATE TABLE COURSE (
        CName   VARCHAR(30) NOT NULL,
        CNo     CHAR(11)    NOT NULL,
        Pre_Req VARCHAR(42),
        Pts     CHAR(3),
        Time    VARCHAR(15),
        Profs   CHAR(9),
        PRIMARY KEY (CNo),
        FOREIGN KEY (Profs) REFERENCES PROFESSOR(PID)
    )

    CREATE TABLE SCourse (
        SID     CHAR(9)     NOT NULL,
        CNo     CHAR(11)    NOT NULL,
        CName   VARCHAR(30) NOT NULL,
        Pts     CHAR(3),
        Grade   CHAR(2),
        PRIMARY KEY (SID, CNo),
        FOREIGN KEY (SID) REFERENCES STUDENT(SID)
    )
    

  4. Designed the gateway that connects the web application to the Sybase SQL server
  5. Patched SSLeay into the Apache HTTP server and built the SSL web server, which is running on sherman.cs.columbia.edu:3456.
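
A sketch of the input check a CGI gateway like the one in step 4 needs before form values are placed in a database query, sized to the STUDENT.SID and COURSE.CNo columns above. This is an added example, not the project's code; the function names and the accepted formats (nine-digit SID, CNo made of letters, digits and spaces) are assumptions.

```c
#include <ctype.h>
#include <stdlib.h>
#include <string.h>

/* Decode '+' and %XX from one form value. Returns -1 on a malformed escape,
   an encoded NUL byte, or a value too long for the column-sized buffer. */
int url_decode(const char *in, char *out, size_t outsz)
{
    size_t n = 0;
    while (*in) {
        unsigned char c = (unsigned char)*in++;
        if (c == '+') {
            c = ' ';
        } else if (c == '%') {
            char hex[3] = { 0, 0, 0 };
            if (!isxdigit((unsigned char)in[0]) || !isxdigit((unsigned char)in[1]))
                return -1;
            memcpy(hex, in, 2);
            c = (unsigned char)strtol(hex, NULL, 16);
            in += 2;
            if (c == 0) return -1;
        }
        if (n + 1 >= outsz) return -1;
        out[n++] = (char)c;
    }
    out[n] = '\0';
    return 0;
}

/* Allowlist check: digits always allowed; letters and space only if alpha != 0. */
int valid_field(const char *s, size_t min, size_t max, int alpha)
{
    size_t len = strlen(s);
    if (len < min || len > max) return 0;
    for (; *s; s++) {
        unsigned char c = (unsigned char)*s;
        if (!isdigit(c) && !(alpha && (isalpha(c) || c == ' '))) return 0;
    }
    return 1;
}

/* Assumed formats: SID = exactly 9 digits (CHAR(9)); CNo = 1..11 letters, digits
   or spaces (CHAR(11)). Returns 0 only if both pass; on -1 discard sid and cno. */
int accept_request(const char *raw_sid, const char *raw_cno, char sid[10], char cno[12])
{
    if (url_decode(raw_sid, sid, 10) != 0 || !valid_field(sid, 9, 9, 0)) return -1;
    if (url_decode(raw_cno, cno, 12) != 0 || !valid_field(cno, 1, 11, 1)) return -1;
    return 0;
}
```

Validation happens after decoding, so an encoded quote such as `%27` is rejected the same way as a literal one, and any field that fails causes the whole request to be refused rather than repaired.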

Related Work:

WDB: A Web interface to SQL database.

Reference:

Sybase Open Client-Server manual.

A tutorial of CGI security
CGI Security [NCSA]
CGI Security [Paul Phillips]
Accessing a Database Server via the World Wide Web

SSL Related

Apache-SSL
Thawte Consulting Home Page
Ready encrypted (Main Page)
Download Netscape Server Software
Netscape SSLRef 2.0
Pointers to Cryptographic Software
SSLeay: SSLeay and SSLapps FAQ
Yahoo! - Computers and Internet:Internet:World Wide Web:Security:Secure Sockets Layer (SSL) Protocol:SSL Challenge
Introduction to Digital IDs for Web and E-mail Clients
Welcome to VeriSign's Website
Apache HTTP Server Project
The Neverending Saga of Deploying a Free SSL Compliant Web Server
Does Sybase support any other SSL applications?