This portfolio page serves to document my contributions during the development of SecureIT, a desktop application to enhance data security.

About the project

I, together with 4 other software engineering students, was tasked to enhance an existing command-line-based desktop addressbook application for our Software Engineering project. We decided to morph it into a confidential information management system called SecureIT. It enables employees to safely keep their confidential data, including passwords, files, cards, and notes, at their workplaces.

My role was to design and implement general data encryption and the file management feature. This is what the file management mode looks like:

FileManagerOverview

The following sections illustrate my contributions, including the documentation I have added in the user and developer guides.

Note the following symbols and formatting used in this document:

tip

This symbol indicates some useful tips that help you understand the features.

warning

This symbol indicates important information that you have to take note of.

encrypt

Monospaced font indicates that this is a command that can be inputted into the command box and executed.

EncryptedFile

Bolded monospaced font indicates a component, class or object in this application.

Summary of Contributions

This section shows a summary of my coding, documentation, and other helpful contributions to the team project.

Enhancement added: I added the ability to encrypt data with a master password and to manage encrypted files

  • What it does: The master password converts the app’s data into an encrypted format which is not readable by others. The app can also encrypt external files and manage them.

  • Justification: The data of small-to-medium enterprises are often stored as files and are vulnerable to cyberattacks. Hence, a mechanism has to be in place to protect the data.

  • Highlights: The encryption works seamlessly with existing and future commands. The file manager allows users to preview encrypted files without decrypting them in the file system. It can be expanded in future to allow editing of encrypted files.

  • Credits: The encryption relies on Java’s built-in Cipher class, so no encryption algorithm had to be implemented by hand. Preview of PDF and Word documents relies on third-party libraries, Apache PDFBox and Apache POI, respectively.

Code Contributed: Please click the link to see a sample of my code: [Code on RepoSense]

Other Contributions:

  • Project management:

    • Managed release versions 1.1, 1.2.1, and 1.3 (3 releases) on GitHub.

  • Other enhancements:

    • Added goto command which allows users to switch between different modes: #39

    • Designed and implemented the dialogs which allow users to create and validate their master passwords: #36 #171

  • Documentation:

    • Designed the initial UI mock-up: #5

    • Updated the README page: #11

    • Updated the UML diagram for Storage to include newly added components: #55

  • Community:

    • Reported bugs and offered suggestions for other team members: #81 #83 #86

  • Tools:

    • Integrated third-party libraries to the project: #180

Contributions to the User Guide

The following excerpt from our User Guide shows the usage of the file manager. Please note that not all commands are shown. Refer to the User Guide for a complete list.

File Manager

SecureIT has a file manager which helps you keep confidential files that you do not wish others to see. Using your master password, SecureIT converts your files into an encrypted format which cannot be read by other applications.

To access the file manager, simply type goto file in the command box and press Enter.

GotoFile

Encrypting a file : encrypt

You can encrypt a local file using its file path. You may also tag the file at the same time for easy reference later on.

Format: encrypt FILEPATH [t/TAG]…​

Example:
Let’s say that you have been tasked to keep your company’s reports. With every detail about the company’s operation, the reports are highly confidential and you wish to prevent information leaks. Here is how you can protect your data!

  1. Type encrypt in the command box, followed by a space. Do not press Enter yet.

    EncryptSpace
  2. Drag and drop the file that you wish to encrypt into the command box.

    DragAndDrop
  3. The file path should appear in the command box. Press Enter to execute the command.

    EncryptFilePath
  4. The result box displays the message "File encrypted: …​" You can see that the information of the encrypted file appears in the list.

    FileEncrypted
  5. Encrypted files have the prefix [LOCKED] in their file names. You can verify that the file has been encrypted.

    CannotOpenFile
Tip

  • The app does not support encryption of files larger than 2GB.

  • If you are using Windows, please close the file before encryption.

Warning

  • The app may freeze for some time if the file to be encrypted is large. Please do not force exit the app during encryption.

  • The encrypt command keeps your information confidential, but other users or malware can still modify or delete the encrypted file. If you wish to prevent malicious alteration or deletion, set up additional access rights in your file system.

Decrypting a file : decrypt

You can decrypt a local file using its displayed index number.

Format: decrypt INDEX

Example:
Let’s say that your colleague requests a copy of one of the reports kept by you. Before sending them the report, you need to decrypt it first. Here is how you can do it.

  1. Type decrypt in the command box, followed by a space and the index number of the file that you wish to decrypt. Press Enter.

    DecryptFour
  2. The result box displays the message "File decrypted…​" and the file record is gone from the list.

    FileDecrypted
Tip

  • If you notice that the file decryption fails, it may be because you have renamed or moved the file without using SecureIT (for example, in your operating system).

  • In that case, use the remove command to remove the file from the list first, and then use the add command to add the renamed/moved file. Please refer to the remove and add commands for detailed instructions.

Contributions to the Developer Guide

The following section shows my contributions to the Developer Guide.

General Data Encryption

Initialization and Validation

We encrypt all the data files of SecureIT with a master password set by the user. The initialization and validation of the master password are handled by TestStorage.

The following diagram shows how the master password is initialized when the user uses the app for the first time and validated for subsequent uses of the app.

InitPasswordActivityDiagram

Note that to protect users' data, the main components of the app (Storage, Ui, Logic, Model) can only be initialised with a correct master password.

Also, the app does not store the master password itself. Instead, during initialization, it encrypts a fixed magic word with the password and stores the resulting ciphertext in the file system. For validation, it decrypts the stored ciphertext with the password entered and accepts the password only if the original magic word is recovered.

Encryption Method

The following sequence diagram explains how the EncryptionUtil class encrypts an input byte array using a password.

EncryptionUtilSequenceDiagram

The process of encrypting a byte array is outlined as follows:

Step 1. A key (SecretKey key) is generated from the password string (pwd) and the specified encryption method (PBEWithMD5AndTripleDES) via a utility class (SecretKeyFactory).

Step 2. A parameter specification (PBEParameterSpec paramSpec) is created from hardcoded parameters (SALT, ITERATION). Fixing these parameters ensures that the same password always derives the same key, so it can be correctly validated at any later time.

Step 3. A Cipher instance is obtained for the same encryption method specified above (PBEWithMD5AndTripleDES) and initialised with the key and the parameter specification.

Step 4. The doFinal method performs the actual encryption on the input array and returns the encrypted byte array.

The decryption process is similar to the encryption process, except that the ENCRYPT_MODE is changed to DECRYPT_MODE. The same password is necessary to decrypt an encrypted byte array to its original content.
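The four steps above and the magic-word validation from the Initialization and Validation section, written out as an added example (not SecureIT’s own EncryptionUtil). The class name, the salt bytes, the iteration count and the magic word are constructed for this example, since the page names SALT and ITERATION but does not give their values.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.PBEParameterSpec;

public final class PbeExample {
    private static final String ALGORITHM = "PBEWithMD5AndTripleDES";
    // Constructed sample values: the page says SALT and ITERATION are hardcoded but
    // does not give them. SunJCE requires an 8-byte salt for this PBES1 scheme.
    private static final byte[] SALT = {
        (byte) 0xA9, (byte) 0x9B, (byte) 0xC8, (byte) 0x32,
        (byte) 0x56, (byte) 0x35, (byte) 0xE3, (byte) 0x03};
    private static final int ITERATION = 65536;
    private static final byte[] MAGIC = "SecureIT".getBytes(StandardCharsets.UTF_8);

    // Steps 1 to 3: derive the key, build the parameter spec, initialise the cipher.
    private static Cipher cipherFor(int mode, String pwd) throws GeneralSecurityException {
        SecretKey key = SecretKeyFactory.getInstance(ALGORITHM)
                .generateSecret(new PBEKeySpec(pwd.toCharArray()));
        PBEParameterSpec paramSpec = new PBEParameterSpec(SALT, ITERATION);
        Cipher cipher = Cipher.getInstance(ALGORITHM);
        cipher.init(mode, key, paramSpec);
        return cipher;
    }

    // Step 4: doFinal performs the actual transformation; decryption differs only in mode.
    public static byte[] encrypt(byte[] input, String pwd) throws GeneralSecurityException {
        return cipherFor(Cipher.ENCRYPT_MODE, pwd).doFinal(input);
    }

    public static byte[] decrypt(byte[] input, String pwd) throws GeneralSecurityException {
        return cipherFor(Cipher.DECRYPT_MODE, pwd).doFinal(input);
    }

    // Initialization: only the encrypted magic word is persisted, never the password.
    public static byte[] initMasterPassword(String pwd) throws GeneralSecurityException {
        return encrypt(MAGIC, pwd);
    }

    // Validation: a wrong password yields a padding error or a different plaintext;
    // both are treated as failure.
    public static boolean validate(byte[] storedMagic, String pwd) {
        try {
            return Arrays.equals(decrypt(storedMagic, pwd), MAGIC);
        } catch (GeneralSecurityException e) {
            return false;
        }
    }
}
```

PBEWithMD5AndTripleDES is a legacy PBES1 scheme, and a fixed salt means the same password derives the same key on every installation; the example keeps both to match the design the page describes rather than substituting a modern KDF.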

File Management

SecureIT does not store users' encrypted files directly. Instead, it reads a file’s data, carries out the encryption, and replaces the original file with the encrypted one in the user’s file system. Meanwhile, it also maintains a record of each file it encrypts, represented by the EncryptedFile class, in an internal data structure, FileBook.

The following diagram illustrates how the record of an encrypted file is represented internally.

Diagram

The FileBook, managed by the app’s ModelManager, keeps a UniqueFileList. The list encapsulates an internal mechanism to prevent file duplication. Each entry in the list represents a record of an encrypted file.

An EncryptedFile must have the following attributes: a FileName, a FilePath, and a FileStatus. While the first two attributes allow the app to locate the file, the file status provides users with an indication of the current state of the file. It defaults to ACTIVE for newly encrypted/added files.

Two timestamps, EncryptedAt and ModifiedAt, provide users with more details about the file. These two attributes may not always be available. For example, encrypted files added with the add command do not contain this information.

Lastly, a ViewableFile holds the file’s content for preview. It is a generic class that can be extended to accommodate more file types in future. The FilePreviewPanel, which is a UI component, depends on ViewableFile to render the preview.

Logic

The user can perform the following operations: encrypt, decrypt, add, remove, move, rename, and preview. There are two differences between the commands of the file manager and those of the address book. First, some file commands require a password for execution. Second, most file commands involve interaction with the external file system.

The solution to the first difference is a FileCommandParser class which is similar to the Parser class, but it packages the password within the commands during parsing. It is illustrated in the class diagram below:

FileCommandParserClassDiagram

To address the second difference, we separate the access to the file system from the parser. For example, during encryption, at the parsing stage, an EncryptedFile toAdd is created without the knowledge of the actual file. Both the validation and encryption are carried out only at the execution stage. This is illustrated in the following sequence diagram:

EncryptSequenceDiagram

Design Considerations

Below is a summary of my considerations and analysis while developing the file manager:

  1. When to do file validation with the file system

    Alternative 1: When a command is parsed
    Pros: There is no need to construct EncryptedFile objects for invalid files.
    Cons: Both the command parsing and execution require interaction with the file system. Parser violates the single responsibility principle.

    Alternative 2: When a command is executed
    Pros: Interaction with the file system only occurs during execution. Easier to debug.
    Cons: Need to construct EncryptedFile when file information is not yet available. Cannot initialise ModifiedAt in the constructor.

    We choose alternative 2 because, according to the single responsibility principle, Parser should only convert user input into the correct command format, without any knowledge of files.

  2. How to implement the file preview feature

    Alternative 1: UI components read file content
    Pros: There is no need to create extra classes in Model, such as ViewableFile.
    Cons: UI components have to interact directly with the file system.

    Alternative 2: Read file content during command execution
    Pros: File system access is limited to command execution time only.
    Cons: Need to pass the file content to the UI components via CommandResult.

    We choose alternative 2 because it is better to keep all access to file system in one place.
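The execute-stage half of the encrypt command, as an added example of design consideration 1 and of the file replacement described under File Management (not SecureIT’s own code). The class and field names mirror the page’s EncryptedFile attributes but are hypothetical; the encryption itself is passed in as a function so that this block stands alone.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.time.Instant;
import java.util.function.UnaryOperator;

public final class EncryptFileCommand {
    static final String LOCKED_PREFIX = "[LOCKED]";
    // Largest byte[] a JVM can hold; this is what the User Guide's 2GB limit reflects.
    static final long MAX_SIZE = Integer.MAX_VALUE - 8;

    // Parse-stage record: only the user-supplied path is known, so the
    // timestamps cannot be set in the constructor (alternative 2 above).
    public static final class EncryptedFile {
        public final Path filePath;
        public Instant encryptedAt;
        public Instant modifiedAt;
        public EncryptedFile(Path filePath) { this.filePath = filePath; }
    }

    // Execute stage: every file-system check lives here, not in the parser.
    // 'encrypt' is the password-bound byte[] -> byte[] function of EncryptionUtil.
    public static EncryptedFile execute(EncryptedFile toAdd, UnaryOperator<byte[]> encrypt)
            throws IOException {
        Path src = toAdd.filePath.toAbsolutePath();
        if (!Files.isRegularFile(src)) {
            throw new IOException("Not a regular file: " + src);
        }
        if (src.getFileName().toString().startsWith(LOCKED_PREFIX)) {
            throw new IOException("Already encrypted: " + src);
        }
        if (Files.size(src) > MAX_SIZE) {
            throw new IOException("Larger than 2GB: " + src);
        }
        Instant modifiedAt = Files.getLastModifiedTime(src).toInstant();
        byte[] cipherText = encrypt.apply(Files.readAllBytes(src));
        Path locked = src.resolveSibling(LOCKED_PREFIX + src.getFileName());
        // Write the [LOCKED] copy before deleting the original, so an interrupted
        // command (the User Guide warns the app may freeze) never loses both copies.
        Files.write(locked, cipherText);
        Files.delete(src);
        EncryptedFile record = new EncryptedFile(locked);
        record.encryptedAt = Instant.now();
        record.modifiedAt = modifiedAt;
        return record;
    }
}
```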