Computer Networks Study

Xavier ecler cq FI 05

Computer Networks Study How to improve fencing using wireless networks, PDA and web technologies

US Fencing Association Colorado Springs, CO

From December the 6th to February the 13th 2004

USFA Supervisor: Michael Massik, Executive Director

ENIC Tutor: Ghislain Rocheteau

My project

I. Current situation, lacks and expectations
   Fencing explanation
   Needs and improvements
II. My Technical Solution
   Main Choices
   Architecture
   802.11 definitions
   WiFi features
   PHP: Hypertext PreProcessor
   MySQL databases
   The client

Code and Improvement

I. Current Code and Interface
   The pool sheet
   The pool management page
   Other implemented features
II. Improvements before first version
   What needs to be done
III. Next versions improvement
   Validation
   Online features
   Databases
IV. Maintaining state with PHP4 sessions
   The concept
   Session ID propagation
   The php.ini file
   Schema
   Security enhancement
V. Wireless security: How to set up the WLAN
   Security Policy
   Network configuration
   Access Point Configuration
   PDA Configuration
   Set up before the event
   During the event
   Update

MY PROJECT

I. Current situation, lacks and expectations…

Fencing explanation

My main project during this placement dealt with improving the way fencing competitions are run. Two programs can be used to manage fencing events. The main one is French and called EnGarde; it is used for a lot of major events. The other one is American and is mostly used in the continent. These two programs work in the same way. To run an event, a bout committee is needed to perform and complete some activities. First of all it has to check the fencers present in the event. The software generates a list of the people present and creates the pools. After this step you are ready to launch the first round of pools. A paper sheet is given to the referees to keep track of the results.

A Pool Sheet

So each referee is in charge of a pool: he has to write the result on the paper at the end of the bout. When the pool ends the referee brings the paper back to the committee. Then someone has to input the data into the software, and the program does the ranking and selects fencers for the next step. Most of the time a second round of pools is done in the same way before the direct elimination: after the pools, the fencers who advance go into an elimination table like in other sports (table of 128, 64…). So once more the bouts are printed on paper and given to the referees. They write the score and bring it back when it’s done. Again someone has to input the data into the software before the next table, and so on until the end of the table.

16 People Elimination Table

Needs and improvements

So, what can be done to improve the running of events? The key to a new architecture is getting the results quicker and storing them in an easily accessible database.

If this objective is attained, it makes it possible to:
> Inform the fencers by projecting an accurate ranking. This could also be performed during the pools if we are able to get the results in real time. This feature would make fencing more interesting for non-fencers: currently, if you arrive at a fencing event during the pool round, you are not able to know who is winning because no information is displayed. The only way to get information is to ask the referee in charge of a pool to see the results.
> Put the information immediately online and send automatic emails to the fencers’ family, coach, and friends… Since the results are available in a database, it’s fairly easy to use them to keep other people informed.
> Run the competition faster: no more time would be wasted inputting data. If the process could be automatic, it would be more reliable and avoid the time wasted due to human errors.
> Give more information to the bout committee running the event by providing a complete overview of the progress of the competition. If real time results are available, the state of each bout (in a pool or during the direct elimination) is known.

II. My Technical Solution

By providing a PDA for each referee, we would have the results safely stored in a computer and avoid the manual input into the “main” software. These handheld devices would be linked by a wireless network (type 802.11), which lets them communicate with a central server recording the data. So once the referee has input data, it is stored on the server and accessible by the bout committee at any time.

Main Choices

Language Type: Classic (C, C++, Java, Corba) or Web (PHP, ASP, Perl)
> Web languages are easier to use if you interact with web, mail or ftp servers. Connections with other computers are in general easier, so there is no need to use sockets or to manage the connections in general.

Web Languages: PHP, ASP, JSP, CGI
> PHP is a free, C-derived web language used in a lot of online shops. It is reliable and trustworthy (it has to deal with credit card information). It can also handle all types of databases.

Databases: Access, MSSQL, PostgreSQL, MySQL, Oracle
> MySQL is the most used database online because handling MySQL is really easy. It’s also free and very reliable because it’s maintained by a lot of contributors.

Handheld Devices: PalmPowered, PocketPC or Linux powered
> No concern about the OS: because it’s a web interface, the client only needs a web browser.

Wireless Network: 802.11x or Bluetooth
> The latest devices have an embedded network card compatible with 802.11b. But new technologies are coming, such as secure 802.11i or Ultra WideBand.

Architecture

The best architecture for the project, given the choices made, would be:

[Figure: Network architecture during a fencing event]

802.11 definitions

Wireless LANs are based on the IEEE 802.11 standard, which the IEEE first developed in 1997. The IEEE designed 802.11 to support medium-range, higher data rate applications, such as Ethernet networks, and to address mobile and portable stations. 802.11 is the original WLAN standard, designed for 1 Mbps to 2 Mbps wireless transmissions. It was followed in 1999 by 802.11a, which established a high-speed WLAN standard for the 5 GHz band and supported 54 Mbps. Also completed in 1999 was the 802.11b standard, which operates in the 2.4 - 2.48 GHz band and supports 11 Mbps. The most widespread standard is 802.11b. It is also known as WiFi, for Wireless Fidelity. This standard has spread widely and is now integrated in many devices like the Intel Centrino chip or the handheld devices (i.e. Pocket PC or Palm powered devices). Because the 802.11b standard has been so widely adopted, the security weaknesses in the standard have been exposed.

Key Characteristics of 802.11 WLAN

Physical Layer: Direct Sequence Spread Spectrum (DSSS), Frequency Hopping Spread Spectrum (FHSS), Orthogonal Frequency Division Multiplexing (OFDM), infrared (IR).
Frequency Band: 2.4 GHz (ISM band) and 5 GHz.
Data Rates: 1 Mbps, 2 Mbps, 5.5 Mbps (11b), 11 Mbps (11b), 54 Mbps (11a), 108 Mbps (Netgear only).
Data and Network Security: RC4-based stream encryption algorithm for confidentiality, authentication, and integrity. Limited key management. (AES is being considered for 802.11i.)
Operating Range: Up to 150 feet indoor and 1500 feet outdoors.
Positive Aspects: Ethernet speeds without wires; many different products from many different companies. Wireless client cards and access point costs are decreasing.
Negative Aspects: Poor security in native mode; throughput decrease with distance and load.

WiFi features

Privacy and Security: First of all there is the SSID that identifies the Access Point (AP). It can be broadcast over the air but it’s not secure. In any case, it can be read in connection packets (called beacon packets). Another way to secure a WiFi network is to use a list of MAC addresses authorized on the network, but these are broadcast and can be spoofed. There is also an encryption key called WEP. If this feature is off, the traffic is transmitted in clear text, so no security is provided. Otherwise a WEP key of 64/128 bits can be shared between the AP and the clients.

WEP: Wired Equivalent Privacy definitions

This is a shared key 40 or 104 bits long, with a 24-bit Initialization Vector (IV) generated for each emitted packet. The RC4 algorithm is applied to these 64/128 bits to generate stream 1. A CRC32 is added to the clear text packet to obtain stream 2. The Initialization Vector (IV) is emitted, followed by (stream 1 XOR stream 2). The receiver generates stream 1 on its own and recovers the clear text packet by applying XOR between the encrypted stream and stream 1.

WEP: vulnerabilities and possible attacks

The weakness of IV: The IV space is very small: 2^24 possibilities, so there is a 50% chance of collision after only 4823 packets and 99% collision after 12,430 packets. This is only 3 seconds in 11 Mbps traffic. It means that after only a few hours of observation, you can recover all 2^24 key streams. Some software available online, such as Kismet, Airsnort and NetStumbler, detects and cracks the key for you.

Denial of Service Attacks: DoS attacks can lead to disconnections between client and AP. A fake AP well placed with a higher emission power than the legitimate one can also create a DoS.

[Figure: Taxonomy of WiFi Attacks. Wireless attacks divide into passive attacks (eavesdropping, traffic analysis) and active attacks (man in the middle, replay, message modification, denial of service).]
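The WEP encapsulation described above and the effect of an IV collision, as an added example in current PHP (not code from the report). The shared key, the IV and the two messages are constructed sample values, and the function names are assumptions.

```php
<?php
// Added illustration, not code from the report. Key, IV and messages are constructed.

// RC4: key scheduling followed by $len bytes of key stream ("stream 1" in the text).
function rc4_keystream(string $key, int $len): string
{
    $s = range(0, 255);
    $klen = strlen($key);
    for ($i = 0, $j = 0; $i < 256; $i++) {
        $j = ($j + $s[$i] + ord($key[$i % $klen])) & 0xFF;
        [$s[$i], $s[$j]] = [$s[$j], $s[$i]];
    }
    $out = '';
    for ($n = 0, $i = 0, $j = 0; $n < $len; $n++) {
        $i = ($i + 1) & 0xFF;
        $j = ($j + $s[$i]) & 0xFF;
        [$s[$i], $s[$j]] = [$s[$j], $s[$i]];
        $out .= chr($s[($s[$i] + $s[$j]) & 0xFF]);
    }
    return $out;
}

// Sender: stream 2 = clear text + CRC32; the frame is the IV, then stream 1 XOR stream 2.
function wep_encrypt(string $iv, string $sharedKey, string $clear): string
{
    $stream2 = $clear . pack('V', crc32($clear));
    $stream1 = rc4_keystream($iv . $sharedKey, strlen($stream2));
    return $iv . ($stream1 ^ $stream2);
}

// Receiver: rebuild stream 1 from the IV in the frame, XOR, then verify the CRC32.
function wep_decrypt(string $sharedKey, string $frame): ?string
{
    $iv = substr($frame, 0, 3);
    $body = substr($frame, 3);
    $stream2 = rc4_keystream($iv . $sharedKey, strlen($body)) ^ $body;
    $clear = substr($stream2, 0, -4);
    return substr($stream2, -4) === pack('V', crc32($clear)) ? $clear : null;
}

// Birthday approximation: chance that at least two of $packets random IVs are equal.
function iv_collision_probability(int $packets, int $ivBits = 24): float
{
    return 1.0 - exp(-$packets * ($packets - 1) / (2 * 2 ** $ivBits));
}

$key = "\x01\x23\x45\x67\x89";                    // constructed 40-bit shared key
$iv  = "\x00\x00\x2A";                            // the same 24-bit IV used for two frames
$msgA = 'pool 1 bout 5-3 score 5:2';              // constructed clear texts, 25 bytes each
$msgB = 'pool 2 bout 1-4 score 3:5';
$a = wep_encrypt($iv, $key, $msgA);
$b = wep_encrypt($iv, $key, $msgB);

var_dump(wep_decrypt($key, $a) === $msgA);        // receiver side of the exchange

// Same IV and key give the same stream 1, so XORing the two encrypted bodies
// cancels the key stream and leaves the XOR of the two clear texts.
$leak = substr($a, 3) ^ substr($b, 3);
var_dump(substr($leak, 0, strlen($msgA)) === ($msgA ^ $msgB));

printf("P(IV collision) after  4823 packets: %.3f\n", iv_collision_probability(4823));
printf("P(IV collision) after 12430 packets: %.3f\n", iv_collision_probability(12430));
```

The last two lines evaluate the birthday approximation at the packet counts quoted in the text, so the 50% and 99% figures can be checked directly.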


PHP: Hypertext PreProcessor

The PHP language was created in 1994 by Rasmus Lerdorf in order to create some home pages and manage his resume. At that time PHP meant "Personal Home Page". The HTML code is easily embedded in the PHP file. This language was interpreted (PHP3) and is now compiled (PHP4) on the server side. It is a derivative of the C and Perl languages. Its biggest advantage is its extensibility thanks to a lot of modules, and the source code is also open. Because it’s a native web language and it’s free, its popularity has grown quickly. Since 1997 it has become a collective project and has also changed its name to Hypertext PreProcessor.

[Figure: request flow between client, web server and parser. Labels: "The client asks for a web page"; "The web server relays the query"; "If needed the parser interact"; "The parser sends HTML code back"; "The server sends the PHP-generated HTML code back".]

MySQL databases

MySQL is a very fast and reliable Relational Database Management System. It stores the data in separate tables rather than putting all the data in one area. These tables are linked by defined relations, making it possible to combine data from several tables upon request. It uses SQL, which stands for "Structured Query Language", the most common standardized language used to access databases. It is also Open Source and therefore freely accessible. MySQL is used to access databases on the Internet due to its connectivity, speed and security.

The client

This is the main interesting part of the project: updating the results of the competition in real time using handheld devices, also called Personal Digital Assistants. The interface used in these devices should be easy to use and reliable because the referees who are going to use it are not supposed to know how it works. I have chosen a lightweight interface in order to make this project portable on different handheld platforms. The architecture of the project requires using a web browser and that’s all. That means we can use any PDA from any supplier using any operating system. The only concerns we have are the (online) web browser, and not a browser for offline pages such as AvantGo. We also need a PDA with a wireless network card compatible with the WLAN standards.

This portability is a major advantage because when the project is ready to be run for an official tournament we will be in a very interesting commercial position: asking the main PDA manufacturer to sponsor the event (and also become an Olympian sponsor) by supplying the PDAs.

The main current PDAs suitable with the project: Acer, Asustek, Dell, Fujitsu Siemens, Handspring, HP/Compaq, Mitac, Nec, Packard Bell, Palm, Qtek, Sony, Toshiba, Viewsonic.

Screenshots from Palm Devices powered with PalmOS

The configurations of current Pocket PCs are very interesting. They use processors clocked at 400MHz. They integrate 802.11b wireless technology, 128MB of RAM and also 64MB of ROM. The display is a 3.5" QVGA TFT, 16-bit color, touch sensitive, with a resolution of 320*240. These handheld devices also integrate Secure Digital / SDIO / Multi Media Card slots to provide expansion for peripherals or memory. They run the Windows Mobile operating system, which includes the online web browser. It also includes Messenger, the famous software to chat online. It’s very interesting because we can use this software to communicate with the referees during the event without using a microphone… (this software can be configured to run only in a closed area and nowhere outside, i.e. the Internet).

Screenshots of Pocket Internet Explorer on Pocket PC

CODE AND IMPROVEMENT

I. Current Code and Interface

The pool sheet

This page will be shown to the referees on the handheld device. The most interesting feature of this page is the way it is loaded, using the address bar: you can switch from pool to pool just by changing the parameter pool_load_id. On the one hand it’s the best system because one page fits all the referees/pools. On the other hand, more security should be applied to the system. To do that, some code should be added to this page to verify that the referee is really in charge of the pool he is asking for before granting access.

The title of the page is generated: there is also some information in it. The page is loaded through a database: to generate the other pools you just need to change the value of pool_load_id in the address bar.

This table is generated with the corresponding data table: all the information comes from it (pool_1).

This is the bouts order: the last done was 1 against 4 and the current one is 5 against 3. So the 5th box on the 3rd line and the 3rd box on the 5th line will receive the next data.

These are the entry boxes: they are just fields, as part of a web form.

This is the submit button: it sends the data put in the fields to the web server to be stored in the database.

The pool management page

This page is one of the main interesting features in the project because it enables one to see what’s happening during a round of pools. This page should be accessible only by the bout committee.

The interesting features on this page are:
› All the basic information is available in one page: the strip (the place where fencing takes place), number of fencers by pool, the round, creation, start and end time are also available.
› One user-friendly interface is also present on this page. It enables one to assign a referee and a strip to the pool. This interface can also be used to change a referee or a strip if needed. (The list of free ref/strip is built dynamically when the page loads.)
› The most interesting feature is the advancement: in real time, the bout committee is able to know the percentage of bouts done in each pool. That means that if a pool is too slow, there is probably an issue, and it can be decided to assign a second referee and also a second strip to this pool to accelerate the process.

Other implemented features

› Management of the online registration (this requires conversion of the old AS400 databases into an SQL database and also implementing encryption for credit card numbers using https).
› Manage the checking just before the competition.
› Create automatically the pools with 4, 5, 6, 7 or 8 fencers in.
› Generate live ranking even if the round of pools isn’t done.
› Manage a Direct Elimination bout TOUCH by TOUCH.
› Validate the DE bout and advance the winner to the next bout.
› Show the DE table on screen.

II. Improvements before first version

What needs to be done

› Manage several events at one time.
› Move fencers between pools to avoid people from the same club.
› Create some output files automatically (html + pdf).
› Mail the results to the fencers and to the people they want (“send to a friend” field with the online registration).
› Upload the results live to the website using ftp functions in PHP.
› Manage the assignment of pool/DE bout to the referee and secure it (see next part: maintaining state with PHP).
› Find a technical sponsor (Dell would be very interesting because it can supply all the technical equipment from PDA to network equipment and server…).
› Update the results straight at the end of the competition, so there is no need anymore to wait a week to get the results.

III. Next versions improvements

Validation

Find the best way to validate the results, because the fencers currently sign the paper at the end of the pool or the DE bout. It could be a personal code given during the online registration or during checking (easy to implement but not really user friendly because people won’t remember it after fencing). Fingerprint recognition can also be a solution: some handheld devices such as the Hewlett-Packard iPAQ Pocket PC h5550 have an embedded fingerprint recognition module. Another solution would be to record a digital signature and upload it to the server.

Online features

There is a lack of online information during major events such as the world cup, for example. The idea is to develop and improve some online features including, obviously, live results. Then the project can use Voice over IP to bring the referee comments live to the web. Technically it doesn’t require a lot of equipment (the microphone is always embedded in the handheld device), just a streaming server to send the multimedia flow (using real player for example). That could be really fun because it would enable people to be at home and to listen to the referee explanations about the bout.

Databases

There is not a real database with the results and the background of each fencer. So with this software, it could be interesting to build a massive database, which would record everything about each competition in order to then build statistics and follow the top athletes automatically. This can also be put online for media information.

IV. Maintaining state with PHP4 sessions

A fundamental characteristic of the http protocol is the stateless interaction between browsers and web servers. For example, a web server sends out a page to someone ordering from an online shop, and then forgets all about it. A few seconds later, the same person sends another request, ordering another item. As far as the web server is concerned, it could be an entirely different person. So to secure the interface between the users and the web server, and to ensure that the right person is working on the right bout, we need to maintain the state. The best way to do it is using the built-in PHP functions available since version 4.

The concept

For security, the system needs to know which user (referee) is making specific requests. It has to ensure that a referee is not updating a result on a bout which he is not in charge of. This feature also simplifies the use of the handheld device: the referees will have to log in and then they will load a default page such as “mybout.php” (the same for everyone) and, thanks to the session, the web server will be able to personalize the page sent (pool 1 for referee x, pool 2 for referee y…). So once users have logged in, they won’t get lost amongst pages and links.

PHP4 session management method

1. When a referee signs in to the website using his handheld device, a unique key is given to him: it’s called the Session ID and looks like "d08c33e1f1050c3913e38f86a9b" (md5 algorithm can be used).
2. At the same time, a file with the same name as the session ID (prefixed by "sess_") is created in a temporary folder not accessible by the browser.
3. As long as the referee is connected, we are able to save some information about him in this file. Since the Session ID is sent with the HTTP request, the variables stored in the temporary file are directly accessible in the pages.
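One way to implement the check the pool sheet section asks for (that the referee is really in charge of the pool he requests) on top of the session described above, as an added example in current PHP rather than the project's code. Apart from pool_load_id and mybout.php, every name and the shape of $assignments are assumptions.

```php
<?php
// Added example, not the project's code. $assignments stands in for the MySQL
// table that links referees to pools (referee id => list of pool ids); its
// shape and all function names are assumptions.

// Call only after the referee's login has been verified.
function login_referee(int $refereeId): void
{
    session_start();
    session_regenerate_id(true);            // new session ID once authenticated
    $_SESSION['referee_id'] = $refereeId;   // kept server-side in the sess_ file
}

// Decide which pool a request may load: returns [HTTP status, pool id or null].
function resolve_pool(array $session, array $query, array $assignments): array
{
    if (!isset($session['referee_id'])) {
        return [401, null];                 // no session: send to the login page
    }
    $mine = $assignments[$session['referee_id']] ?? [];
    if (!array_key_exists('pool_load_id', $query)) {
        // mybout.php case: no parameter, the pool comes from the session alone
        return $mine ? [200, $mine[0]] : [404, null];
    }
    $raw = $query['pool_load_id'];
    if (!is_string($raw) || !ctype_digit($raw)) {
        return [400, null];                 // only plain decimal ids are accepted
    }
    $poolId = (int) $raw;
    // The address bar can name any pool; only an assigned one is served.
    return in_array($poolId, $mine, true) ? [200, $poolId] : [403, null];
}

// Constructed sample data: referee 7 is in charge of pool 1, referee 8 of pool 2.
$assignments = [7 => [1], 8 => [2]];
$session = ['referee_id' => 7];             // what $_SESSION holds after login_referee(7)
$requests = [
    [],                                     // default page, no parameter
    ['pool_load_id' => '1'],                // own pool
    ['pool_load_id' => '2'],                // another referee's pool
    ['pool_load_id' => '1 OR 1=1'],         // malformed value
];
foreach ($requests as $query) {
    [$status, $pool] = resolve_pool($session, $query, $assignments);
    printf("%-30s -> %d %s\n", json_encode($query), $status, $pool ?? '-');
}
```

In a real page the call would be resolve_pool($_SESSION, $_GET, $assignments) after session_start(), with the assignments read from the database and the validated integer used in the query.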

Session ID propagation

The session ID should be included in each link that the user can find. There is a short word to include the session id in the link:

like: