Security in .NET: Course Objectives

• To introduce the participants to the security architecture in .NET
• To explain authentication and authorization
• To explain cryptography and XML encryption
• To explain how to write secure code
• To discuss partial trust development
• To introduce Windows CardSpace

ER/CORP/CRS/NE-PRBRIDGE-ED92/003

Agenda

• IIS and ASP.NET Security
• Authentication
• Implementing Authorization
• Cryptography
• XML Encryption
• Secure Coding
• Code Access Security
• Windows CardSpace

IIS and ASP.NET Security: ASP.NET Security Architecture

• IIS is the gateway to ASP.NET
• ASP.NET runs under the ASPNET account, which has minimal privileges

[Diagram: Web clients -> IIS -> ASP.NET applications -> .NET Framework -> Windows Server 2003 family operating systems]


All Web clients communicate with ASP.NET applications through Internet Information Services (IIS). IIS authenticates the request if required and then locates the requested resource (such as an ASP.NET application). If the client is authorized, the resource is made available. ASP.NET security settings are configured in the Machine.config and Web.config files. As with other configuration information, base settings and default settings are established in the Machine.config file in the Config subdirectory of the current .NET Framework installation.

Authentication Mechanisms with IIS & ASP.NET

• IIS Authentication:
  - Anonymous login
  - Guest login
  - Basic authentication
  - Digest authentication
  - Integrated Windows authentication
  - Certificate-based authentication

• ASP.NET Authentication:
  - Windows
  - Forms
  - Passport
  - None

IIS Authentication - Anonymous

• Enables access to the public areas of a Web site without prompting users for a user name or password
• No end-user authentication occurs in either IIS or ASP.NET
• By default, the IUSR_computername account is used to allow anonymous access
• Works with all browsers
• Gives the highest performance, but the lowest security
• Pros
  - Offers the best performance
  - Does not require management of individual user accounts
  - No browser restrictions
• Cons
  - Does not authenticate clients on an individual basis; least secure


With Anonymous authentication, the server does not request the client to send user credentials. It is a good choice when your site or service is publicly available and you do not need to know the identity of the caller. Additionally, there are typically no browser restrictions, which stem from incompatibilities with supported authentication mechanisms. When a site is configured for Anonymous authentication, all users are allowed access. It is important to note that although you may have IIS configured for Anonymous authentication, you may be authenticating at the ASP.NET layer, which is not true Anonymous authentication. This section assumes that both IIS and the application do not require a logon.

Pros:
• Offers the best performance
• Does not require management of individual user accounts
• No browser restrictions

Cons:
• Does not authenticate clients on an individual basis; least secure

Usage:
• Good choice for publicly available web sites that do not require the identity of the caller
• The account used for Anonymous authentication can be changed at the Web site, virtual directory or file level

IIS Authentication - Integrated Windows

• Uses either NTLM challenge/response or Kerberos to authenticate users with a Windows NT Domain or Active Directory account
• A hash of the credentials is sent; the password is not sent across the network
• Delegation is not possible with NTLM challenge/response

• Pros
  - Best suited for intranets
  - More secure, since the password is not sent across the network
  - Works out of the box
  - Provides automatic logon (no logon dialog box)

• Cons
  - Cannot be used on the Internet
  - Delegation is possible only with Kerberos
  - Enterprise only: does not work through proxy servers (a keep-alive connection is required)
  - Configured to be compatible with older clients


Integrated Windows authentication (using either NTLM challenge/response or Kerberos) involves authenticating a user with a Windows NT Domain or Active Directory account. Unlike Basic and Digest authentication, the encrypted password is not sent across the network, which makes this method very secure. If Active Directory Services is installed on the server and the browser is compatible with the Kerberos V5 authentication protocol, both the Kerberos V5 protocol and the challenge/response protocol are used; otherwise only the challenge/response protocol is used. It is best suited for an intranet environment, where both user and Web server computers are in the same domain and where administrators can ensure that every computer is running Microsoft Internet Explorer version 3.01 or later.

IIS Authentication - Basic Authentication

When IIS is configured for Basic authentication, it instructs the browser to send the user's credentials over HTTP. Passwords and user names are encoded using Base64 encoding. Although the password is encoded, it is considered insecure because it can be deciphered relatively easily. The browser prompts the user with a dialog box, and then reissues the original anonymous request with the supplied credentials, including the user name and password. A pop-up logon dialog box may or may not be appropriate, depending on your user interface design requirements. Most Internet browsers support Basic authentication.

Base64 encoding is the scheme used to transmit binary data. Base64 processes data as 24-bit groups, mapping each group to four encoded characters, which is why Base64 encoding is sometimes referred to as 3-to-4 encoding. Each 6 bits of the 24-bit group is used as an index into a mapping table (the Base64 alphabet) to obtain a character for the encoded data. The encoded data has line lengths that are limited to 76 characters.

In the Default domain box, either type the domain name you want to use, or click Select to browse to a new default logon domain. If the Default domain box is filled in, the name is used as the default domain. If the Default domain box is left empty, IIS uses the domain of the computer that is running IIS as the default domain. However, the domain specified by DefaultLogonDomain is used only when a client does not specify a domain in the logon dialog box that appears on the client computer. Optionally, you can enter a value in the Realm box, which configures the value of the Realm metabase property. If the Realm property is set, its value appears in the client's logon dialog box when Basic authentication is used. The value of Realm is sent to the client for informational purposes only, and is not used to authenticate clients using Basic authentication.
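The following C# code is an added example, not part of the course material. It parses an Authorization header the way a server-side component would and shows that the Base64 step is reversed with a single library call, which is exactly why the notes above insist on SSL/TLS for Basic authentication. The BasicAuthHeader class and the sample credential are constructed for this example.

```csharp
// Added example (not course code): Basic authentication credentials are
// Base64-encoded, not encrypted. Anyone who can read the HTTP request can
// recover them, so the channel itself must be protected (SSL/TLS).
using System;
using System.Text;

public static class BasicAuthHeader
{
    // Parses "Basic <base64>" and returns the user name and password.
    // Returns false when the value is not a well-formed Basic credential.
    public static bool TryParse(string headerValue, out string userName, out string password)
    {
        userName = null;
        password = null;
        const string scheme = "Basic ";
        if (headerValue == null ||
            !headerValue.StartsWith(scheme, StringComparison.OrdinalIgnoreCase))
            return false;

        byte[] raw;
        try
        {
            raw = Convert.FromBase64String(headerValue.Substring(scheme.Length).Trim());
        }
        catch (FormatException)
        {
            return false;
        }

        // The decoded form is "user:password". Only the first colon separates
        // the two, because the password itself may contain colons.
        string decoded = Encoding.GetEncoding("ISO-8859-1").GetString(raw);
        int colon = decoded.IndexOf(':');
        if (colon < 0) return false;

        userName = decoded.Substring(0, colon);
        password = decoded.Substring(colon + 1);
        return true;
    }

    // Shows the 3-to-4 expansion the notes describe: every 24-bit group of the
    // "user:password" bytes becomes four characters of the Base64 alphabet,
    // padded with '=' when the input is not a multiple of three bytes.
    public static string Encode(string userName, string password)
    {
        byte[] raw = Encoding.GetEncoding("ISO-8859-1").GetBytes(userName + ":" + password);
        return "Basic " + Convert.ToBase64String(raw);
    }

    public static void Main()
    {
        // Constructed sample credential for the demonstration.
        string header = Encode("alice", "S3cret:pass");
        Console.WriteLine("On the wire: " + header);

        string user, pass;
        if (TryParse(header, out user, out pass))
            Console.WriteLine("Recovered by the receiver: user={0} password={1}", user, pass);
    }
}
```

Because TryParse needs nothing but the header text, the same recovery is available to any intermediary on an unencrypted connection; a server that accepts Basic credentials should therefore reject requests that did not arrive over SSL/TLS.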


IIS Authentication - Basic Authentication: authentication process
• IIS instructs the browser to send the user's credentials over HTTP
• The browser prompts the user with a dialog box
• The user name and password entered by the user are Base64 encoded (which is NOT secure)
• Most browsers support Basic authentication, as it is part of the HTTP 1.0 specification
• Delegation is possible using Basic authentication
• Combine Basic authentication with SSL to prevent passwords from being deciphered

Pros:
• Least common denominator: all HTTP clients support Basic authentication
• Makes it possible to track individual users
• Delegation of security credentials is possible
• If IIS does not control the password, the application can access network resources

Cons:
• Inherently insecure unless using SSL/TLS, which impacts performance
• Clear text password (Base64 encoded) over the wire and on the server; needs to be protected via SSL


Usage: consider Basic authentication when you require:
• Users to have Windows NT Domain or Active Directory accounts
• Support for multiple browsers
• Support for authentication over the Internet
• Access to the clear text password in your application code
• Delegation

Do not use Basic authentication when you require:
• Secure logon while not using a secure channel, such as Secure Sockets Layer (SSL)
• Storage of information in a custom database
• A customized form presented to the user as a logon page

IIS Authentication - Digest Authentication
• New to Windows 2000 and IIS 5.0 (HTTP 1.1 specification)
• Digest authentication sends credentials across the network as a Message Digest 5 (MD5) hash. The actual password is never sent.
• Platform requirements for Digest authentication:
  - Clients: Internet Explorer 5.x (or later)
  - Server: running Active Directory with user accounts configured for Digest authentication


• The password needs to be stored in clear text on a separate server, which is the biggest constraint
• Digest authentication is more secure than Basic authentication alone

Pros:
• More secure, since the password is not sent on the network
• Does not require SSL/TLS for the sake of password protection
• Works through proxies
• The password is not known to IIS

Cons:
• Cannot delegate security credentials
• Only supported by Internet Explorer 5.0 and later
• Passwords have to be stored in Active Directory using reversible encryption, so the Domain Controller has to be secured
• Medium security: subject to replay attacks unless you use SSL/TLS

Usage:
• Can be used as an alternative to Basic authentication when SSL/TLS cannot be used to protect data traveling over the wire

IIS Authentication Mechanisms - Comparison

Authentication method (security level) | How passwords are sent | Client requirements | Server requirements | Crosses proxy servers and firewalls | Comments
Anonymous authentication (None) | N/A | Any browser | IUSR_computername account | Yes | Used for public areas of Internet web sites
Basic authentication (Low) | Base64-encoded clear text | HTTP 1.0 compliant browsers | Valid domain accounts | Yes, but sending passwords across a proxy server or firewall in clear text is a security risk because Base64-encoded clear text is not encrypted | Clear text password; use only with SSL
Digest authentication (High) | Hashed | Internet Explorer 5 or later | Reversible encryption in AD | Yes | 
Integrated Windows authentication (High) | Hashed when NTLM is used; Kerberos ticket when Kerberos is used | Internet Explorer 2.0 or later for NTLM; Windows 2000 or later with Internet Explorer 5 or later for Kerberos | Valid domain accounts | No, unless used over a PPTP connection | Used mainly for intranets

Authentication Mechanisms in ASP.NET

• Windows authentication (via IIS)
  - Basic, Digest, NTLM/Kerberos, IIS certificate support
• Forms-based (cookie) authentication
  - Application credential verification
• Microsoft Passport authentication

• To enable a specified authentication provider for an ASP.NET application, create an entry in the application's configuration file as follows:

// web.config file


ASP.NET provides a number of declarative and programmatic authorization mechanisms that can be used in conjunction with a variety of authentication schemes. This allows you to develop an in depth authorization strategy and one that can be configured to provide varying degrees of granularity; for example, per-user or per-user group (role-based).

ASP.NET Authentication - Windows

• The Windows authentication provider relies upon IIS to perform the required authentication of a client
  - After IIS authenticates a client, it passes a security token to ASP.NET
  - Based on the security token that it receives from IIS, ASP.NET then constructs and attaches an object to the application context
• Pros
  - Authenticates using Windows accounts, so you do not need to write any custom authentication code
• Cons
  - May require the use and management of individual Windows user accounts

ASP.NET Authentication - Forms

• To configure Forms authentication:
  - Set the authentication mode in Web.config to Forms
  - Create a Web form to collect logon information
  - Create a file or database to store user names and passwords
  - Write code to add new users to the user file or database
  - Write code to authenticate users against the user file or database


Forms authentication generally refers to a system in which unauthenticated requests are redirected to an HTML form, using HTTP client-side redirection. Forms authentication is a good choice if your application needs to collect its own user credentials at logon time through HTML forms. The user provides credentials and submits the form. If the application authenticates the request, the system issues a cookie that contains the credentials or a key for reacquiring the identity. Subsequent requests are issued with the cookie in the request headers. The requests are authenticated and authorized by an ASP.NET event handler using whatever validation method the application specifies. Note that forms authentication is often used for personalization, where content is customized for a known user. In some of these cases, identification is the issue rather than authentication, so it is enough merely to store the user name in a durable cookie and use that cookie to access the user’s personalization information.

Forms Authentication - Configuration

The following list highlights the key steps that you must perform to implement Forms authentication:
1. Configure IIS for anonymous access.
2. Configure ASP.NET for Forms authentication.
3. Create a logon Web form and validate the supplied credentials.
4. Retrieve a role list from the custom data store.
5. Create a Forms authentication ticket (store roles in the ticket).
6. Create an IPrincipal object.
7. Put the IPrincipal object into the current HTTP context.
8. Authorize the user based on user name/role membership.
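The following C# code is an added example of steps 2 through 8 above; it is not code from the course. It assumes that web.config sets the authentication mode to Forms with Login.aspx as the login page, that IIS permits anonymous access (step 1), and that the Login page markup defines UserNameTextBox, PasswordTextBox and ErrorLabel. UserStore is a constructed in-memory stand-in for the application's own user database, and the role name "Manager" is made up for the example.

```csharp
// Added example (not course code): Forms authentication end to end.
// Assumes <authentication mode="Forms"> with loginUrl="Login.aspx" in web.config.
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Security.Principal;
using System.Web;
using System.Web.Security;

// Constructed stand-in for the application's user store (step 3/4 data).
// Passwords are kept as salted PBKDF2 hashes, never in clear text.
public static class UserStore
{
    private class Record
    {
        public byte[] Salt; public byte[] Hash; public string[] Roles;
        public Record(byte[] salt, byte[] hash, string[] roles) { Salt = salt; Hash = hash; Roles = roles; }
    }
    private static readonly Dictionary<string, Record> Users =
        new Dictionary<string, Record>(StringComparer.OrdinalIgnoreCase);

    public static void AddUser(string name, string password, params string[] roles)
    {
        byte[] salt = new byte[16];
        new RNGCryptoServiceProvider().GetBytes(salt);
        Users[name] = new Record(salt, Derive(password, salt), roles);
    }

    public static bool ValidateUser(string name, string password)
    {
        Record r;
        if (!Users.TryGetValue(name, out r)) return false;
        byte[] h = Derive(password, r.Salt);
        int diff = 0;                                   // constant-time comparison
        for (int i = 0; i < h.Length; i++) diff |= h[i] ^ r.Hash[i];
        return diff == 0;
    }

    public static string[] GetRolesForUser(string name)
    {
        Record r;
        return Users.TryGetValue(name, out r) ? r.Roles : new string[0];
    }

    private static byte[] Derive(string password, byte[] salt)
    {
        return new Rfc2898DeriveBytes(password, salt, 10000).GetBytes(32);
    }
}

// Login.aspx code-behind: steps 3, 4 and 5.
public partial class Login : System.Web.UI.Page
{
    protected void LoginButton_Click(object sender, EventArgs e)
    {
        string user = UserNameTextBox.Text;
        if (!UserStore.ValidateUser(user, PasswordTextBox.Text))
        {
            ErrorLabel.Text = "Invalid user name or password."; // same text for both failures
            return;
        }
        string[] roles = UserStore.GetRolesForUser(user);

        // Roles travel in UserData; Encrypt applies the protection="All" setting
        // (encryption plus validation MAC), so the client cannot edit the roles.
        FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(
            1, user, DateTime.Now, DateTime.Now.AddMinutes(30), false,
            string.Join(",", roles), FormsAuthentication.FormsCookiePath);
        HttpCookie cookie = new HttpCookie(FormsAuthentication.FormsCookieName,
                                           FormsAuthentication.Encrypt(ticket));
        cookie.HttpOnly = true;                          // keep script away from the ticket
        cookie.Secure = FormsAuthentication.RequireSSL;
        Response.Cookies.Add(cookie);
        Response.Redirect(FormsAuthentication.GetRedirectUrl(user, false));
    }
}

// Global.asax: steps 6 and 7, executed for every request.
public class Global : HttpApplication
{
    protected void Application_AuthenticateRequest(object sender, EventArgs e)
    {
        HttpCookie cookie = Request.Cookies[FormsAuthentication.FormsCookieName];
        if (cookie == null) return;
        FormsAuthenticationTicket ticket;
        try { ticket = FormsAuthentication.Decrypt(cookie.Value); }
        catch (Exception) { return; }                    // tampered or foreign cookie: stay anonymous
        if (ticket == null || ticket.Expired) return;

        string[] roles = ticket.UserData.Split(new char[] { ',' }, StringSplitOptions.RemoveEmptyEntries);
        Context.User = new GenericPrincipal(new FormsIdentity(ticket), roles);
    }
}

// Any protected page: step 8.
public partial class Reports : System.Web.UI.Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        if (!User.Identity.IsAuthenticated || !User.IsInRole("Manager"))
        {
            Response.StatusCode = 403;
            Response.End();
        }
    }
}
```

The principal is rebuilt from the ticket on every request, so the server never stores session state for the roles; the ticket's integrity, and therefore the roles, rests entirely on the machineKey that FormsAuthentication.Encrypt and Decrypt use.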


Attributes of the forms element:

protection: Specifies the type of encryption, if any, to use for cookies.
  - All: Specifies that the application uses both data validation and encryption to help protect the cookie. This option uses the configured data validation algorithm (based on the element). Triple-DES (3DES) is used for encryption, if available and if the key is long enough (48 bytes or more). All is the default (and recommended) value.

timeout: Specifies the amount of time, in integer minutes, after which the cookie expires. The default value is 30. If the SlidingExpiration attribute is true, the timeout attribute is a sliding value, expiring at the specified number of minutes after the time the last request was received. To prevent compromised performance, and to avoid multiple browser warnings for users that have cookie warnings turned on, the cookie is updated when more than half the specified time has elapsed. This might result in a loss of precision. Persistent cookies do not time out.

path: Specifies the path for cookies issued by the application. The default value is a slash (/), because most browsers are case-sensitive and will not send cookies back if there is a path case mismatch.

If a browser that does not support cookies accesses the site, forms authentication packages the authentication ticket on the URL. This feature is controlled by the cookieless attribute of the forms element, which takes one of four values:
  - UseUri: Forces the authentication ticket to be stored in the URL.
  - UseCookies: Forces the authentication ticket to be stored in the cookie (same as ASP.NET 1.0 behavior).
  - AutoDetect: Automatically detects whether the browser/device does or does not support cookies.
  - UseDeviceProfile: Chooses whether to use cookies based on the device profile settings from machine.config.

Forms Authentication - Custom Validation

• Users are configured in the database (or other Data Source)


ASP.NET Membership: ASP.NET 2.0 includes a new feature, Membership, which facilitates the creation and management of users. The Membership feature works in conjunction with another new feature called Role Manager. Role Manager provides the infrastructure for creating roles and assigning users to roles. When the Membership and Role Manager features are used in conjunction with Forms authentication, ASP.NET 2.0 provides end-to-end support for creating, authenticating and authorizing users.

In ASP.NET 2.0 Microsoft included a membership provider along with other providers such as profile and roles. Web developers no longer need to write and re-write the code to store and validate credentials. Instead, ASP.NET 2.0 provides membership and role providers as secure and extensible implementations for managing roles and membership in web applications. Membership providers provide the interface between ASP.NET's membership service and membership data sources.

Login Controls introduced in ASP.NET 2.0

· Provide a standard set of controls that are well built, secure and easily reusable

Control name | Description
Login | Provides the functionality for a user to log in to and log out of the application
LoginView | Automatically detects a user's authentication status
CreateUserWizard | Provides the standard registration page for a new user to register
PasswordRecovery | Provides a highly configurable control to perform a set of actions when the user forgets his password
ChangePassword | Provides a way for users to change their passwords
LoginName | Provides the authenticated user's registered name, which can be displayed back to the user in the application
LoginStatus | Determines the authentication status of the user and can accordingly display the login or the logout link


• Login: Provides the functionality for a user to log in to and log out of the application.
• CreateUserWizard: Provides the standard registration page for a new user to register. The functionality can be easily extended; for instance, a registration email with the necessary information can be sent after the registration is completed.
• PasswordRecovery: Provides a highly configurable control to perform a set of actions when the user forgets his password. The actions performed range from emailing a password reminder to sending the existing password itself in clear text.
• ChangePassword: Provides a way for users to change their passwords. The MailDefinition property will notify the user once the password has been updated.
• LoginName: Provides the authenticated user's registered name, which can be displayed back to the user in the application.
• LoginStatus: Determines the authentication status of the user and can accordingly display the login or the logout link.
• LoginView: Manages the view of the user depending on the role and privilege of the current user.

Configuration File Encryption

• In the .NET Framework 2.0, developers can encrypt sensitive parts of the web.config file using the aspnet_regiis utility
• The decryption is done transparently
• The DPAPI protected configuration provider supports machine-level and user-level stores for key storage

    aspnet_regiis.exe -pef "connectionStrings" C:\VirtualDirectory\Path


In the .NET Framework 2.0, developers will be able to encrypt sensitive parts of the web.config file (if containing password or keys, for instance) using the aspnet_regiis utility. The decryption is done transparently. The DPAPI protected configuration provider supports machine-level and user-level stores for key storage. The choice of store depends largely on whether or not the application shares state with other applications and whether or not sensitive data must be kept private for each application. If the application is deployed in the Web farm scenario, developers should use RSAProtectedConfigurationProvider to leverage the ease with which RSA keys can be exported on multiple systems. It uses RSA public key cryptography to provide data confidentiality.
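The following C# block is an added example, not course code, of doing from code what aspnet_regiis -pef does from the command line, using the .NET 2.0 protected-configuration API. The provider names are the ones registered in machine.config for the DPAPI and RSA providers; appPath and the section name are supplied by the caller, and ConfigProtector is a name chosen for this example.

```csharp
// Added example (not course code): encrypting a web.config section from code.
// Run once at deployment time; afterwards the application reads the section
// through the normal configuration API and decryption happens transparently.
using System;
using System.Configuration;
using System.Web.Configuration;

public static class ConfigProtector
{
    // DPAPI: key is bound to this machine (or user); suitable for one server.
    public const string DpapiProvider = "DataProtectionConfigurationProvider";
    // RSA: the key container can be exported to and imported on every member
    // of a Web farm, which is why the notes recommend it for that scenario.
    public const string RsaProvider = "RsaProtectedConfigurationProvider";

    // appPath is the application's virtual path, for example "/MyApp".
    public static void Protect(string appPath, string sectionName, string provider)
    {
        Configuration config = WebConfigurationManager.OpenWebConfiguration(appPath);
        ConfigurationSection section = config.GetSection(sectionName);
        if (section == null)
            throw new ArgumentException("No such section: " + sectionName);
        if (section.SectionInformation.IsProtected)
            return;                                   // already encrypted; nothing to do
        section.SectionInformation.ProtectSection(provider);
        config.Save();                                // needs write access to web.config
    }

    // Counterpart of aspnet_regiis -pdf: restore the clear-text section.
    public static void Unprotect(string appPath, string sectionName)
    {
        Configuration config = WebConfigurationManager.OpenWebConfiguration(appPath);
        ConfigurationSection section = config.GetSection(sectionName);
        if (section != null && section.SectionInformation.IsProtected)
        {
            section.SectionInformation.UnprotectSection();
            config.Save();
        }
    }

    // Application code needs no change: the value comes back decrypted.
    public static string GetConnectionString(string name)
    {
        ConnectionStringSettings s = WebConfigurationManager.ConnectionStrings[name];
        return s == null ? null : s.ConnectionString;
    }

    public static void Main()
    {
        Protect("/MyApp", "connectionStrings", DpapiProvider);
        Console.WriteLine(GetConnectionString("Main") != null
            ? "connection string readable after encryption"
            : "no connection string named Main");
    }
}
```

With the DPAPI provider the encrypted file is readable only on the machine (or under the account) whose key encrypted it, so copying web.config to a second server yields a section that cannot be decrypted there; that is the property the RSA provider is chosen to avoid in a farm.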

DPAPI - Data Protection Application Programming Interface

The DPAPI is a pretty well thought-out mechanism to allow any application to do simple and yet powerful encryption for its data. It has good recovery methods.

Web Site Administration Tool

• The ASP.NET Web Site Administration Tool allows you to view and manage Web site configuration through a simple Web interface.
• The Web Site Administration Tool can be used to create new users and roles and to control access to folders and individual pages of the Web application.
• The aspnet_regiis tool can be used to control access to the Web Site Administration Tool.


Web Site Administration Tool—The ASP.NET Web Site Administration Tool allows you to view and manage your Web site configuration through a simple Web interface. The Web Site Administration tool can be used to create new users and roles and control access to folders and individual pages of the Web application. The aspnet_regiis tool can be used to control access to the Web site administration tool. One instance would be to only allow access to the administration tool on the local machine.

Factors in Choosing an Authentication Method

• Server and client operating systems
• Client browser type
• Number of users, and location and type of the user name and password database
• Deployment considerations (Internet vs. intranet, and firewalls)
• Application type (interactive Web site or non-interactive Web service)
• Sensitivity of the data being protected
• Performance and scalability factors
• Application authorization requirements (all users, or restricted areas)


You should consider some or all of the following factors when choosing an authentication method:
• Server and client operating systems
• The client browser type
• The number of users, and the location and type of the user name and password database
• Deployment considerations, such as whether your application is Internet or intranet based and whether it is located behind a firewall
• The application type; for example, is it an interactive Web site or a non-interactive Web service
• Sensitivity of the data you are protecting
• Performance and scalability factors
• Application authorization requirements; for example, you may want your application to be available to all users, or you may need to restrict certain areas to registered users and other areas to administrators only

Implementing Authorization

• What is authorization?
  - Defining what authenticated clients are allowed to see and do within the application.

• A few important concepts:
  - Identities and principals: the .NET Framework uses identity and principal objects to represent users; they provide the backbone of .NET role-based authorization.
  - Impersonation and delegation: techniques used by the server application to access resources on behalf of the client.


Authorization - Defining what authenticated clients are allowed to see and do within the application.

The .NET Framework uses identity and principal objects to represent users when .NET code is running and together they provide the backbone of .NET role-based authorization.

Identities and Principals

.NET security is based on IPrincipal and IIdentity objects.

Identities:
• An identity represents a certain user
• Identity is established through authentication
• Processes run code under an identity
• Use the following code to get the user name of the current user:

    Response.Write(User.Identity.Name);

Principals:
• A principal describes a user and its roles
• Two types:
  - WindowsPrincipal (has UID and role info)
  - GenericPrincipal (has UID and role info)


Principal: describes a user and its roles. Two types:
• GenericPrincipal (has UID and role info)
  - Wraps a GenericIdentity (has UID info only)
  - Allows extensibility to non-Windows platforms and scenarios (e.g. database-centric credentials)
• WindowsPrincipal (has UID and role info)
  - Wraps a WindowsIdentity (has UID info only)

.NET Framework Classes

• Use FCL classes or create a custom implementation

Identity class | Principal class
WindowsIdentity | WindowsPrincipal
GenericIdentity | GenericPrincipal
PassportIdentity | 
FormsIdentity | 

• Custom implementations should implement the IIdentity and IPrincipal interfaces in the System.Security.Principal namespace
• Principal objects can be acquired in the following ways:
  - WindowsIdentity.GetCurrent() method, then create a WindowsPrincipal
  - Thread.CurrentPrincipal property
  - ASP.NET only: HttpContext.Current.User

Identities and Principals

The IPrincipal interface allows you to test role membership through an IsInRole method and also provides access to an associated IIdentity object. The IIdentity interface provides additional authentication details such as the name and authentication type.

    public interface IPrincipal
    {
        bool IsInRole(string role);
        IIdentity Identity { get; }
    }

    public interface IIdentity
    {
        string AuthenticationType { get; }
        bool IsAuthenticated { get; }
        string Name { get; }
    }

PrincipalPermission

• Allows a check against the active principal using the language constructs defined for both declarative and imperative security actions
• Since the active principal describes both identity and role information, we can demand either or both
• Demands on PrincipalPermission can be made declaratively or imperatively

Declarative demand:

    [PrincipalPermission(SecurityAction.Demand, Role = @"BUILTIN\Administrators")]

Imperative demand:

    PrincipalPermission p = new PrincipalPermission(null, @"BUILTIN\Administrators");
    p.Demand();


Unlike most other permission objects, PrincipalPermission does not extend CodeAccessPermission. It does, however, implement the IPermission interface. This is because PrincipalPermission is not a code access permission, that is, it does not protect or control access to any system resource. Instead, it allows code to perform actions (Demand, Union, Intersect, and so on) against the current user identity in a manner consistent with the way those actions are performed for code access and code identity permissions.

Manual role checks. For fine-grained authorization, you can call the IPrincipal.IsInRole method to authorize access to specific code blocks based on the role membership of the caller. Both AND and OR logic can be used when checking role membership.

Declarative role checks (gates to your methods). You can annotate methods with the PrincipalPermissionAttribute class (which can be shortened to PrincipalPermission) to declaratively demand role membership. These support OR logic only. For example, you can demand that a caller is in at least one specific role (for example, the caller must be a teller or a manager). You cannot specify that a caller must be a manager and a teller using declarative checks.

Imperative role checks (checks within your methods). You can call PrincipalPermission.Demand within code to perform fine-grained authorization logic. Logical AND and OR operations are supported.
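The following C# code is an added example of the three role-check styles just described, together with the ways of acquiring a principal listed under ".NET Framework Classes"; it is not course code. The role names Teller, Manager and Auditor, the user name and the class name RoleChecks are constructed for the example.

```csharp
// Added example (not course code): manual, declarative and imperative role
// checks against a GenericPrincipal that the example itself installs.
using System;
using System.Security;
using System.Security.Permissions;
using System.Security.Principal;
using System.Threading;

public static class RoleChecks
{
    // Manual check: IsInRole composes freely, so AND is available here.
    public static bool CanApproveLargeWithdrawal(IPrincipal user)
    {
        return user.IsInRole("Manager") && user.IsInRole("Teller");
    }

    // Declarative check: several attributes on one method are OR'd. The runtime
    // evaluates them against Thread.CurrentPrincipal before the body runs and
    // throws SecurityException if neither role is held.
    [PrincipalPermission(SecurityAction.Demand, Role = "Teller")]
    [PrincipalPermission(SecurityAction.Demand, Role = "Manager")]
    public static string ViewAccountBalance()
    {
        return "balance";
    }

    // Imperative check: Union builds an OR permission; a second Demand is AND.
    public static void AuditAccount()
    {
        PrincipalPermission teller = new PrincipalPermission(null, "Teller");
        PrincipalPermission manager = new PrincipalPermission(null, "Manager");
        ((PrincipalPermission)teller.Union(manager)).Demand();   // Teller OR Manager
        new PrincipalPermission(null, "Auditor").Demand();       // AND Auditor
    }

    public static void Main()
    {
        // Demands read Thread.CurrentPrincipal. In ASP.NET the authentication
        // module sets it from HttpContext.Current.User; outside ASP.NET you can
        // wrap the process identity instead:
        //   Thread.CurrentPrincipal = new WindowsPrincipal(WindowsIdentity.GetCurrent());
        GenericIdentity id = new GenericIdentity("alice", "Constructed");
        Thread.CurrentPrincipal = new GenericPrincipal(id, new string[] { "Teller" });

        Console.WriteLine("manual AND: " + CanApproveLargeWithdrawal(Thread.CurrentPrincipal));
        Console.WriteLine("declarative OR: " + ViewAccountBalance());
        try
        {
            AuditAccount();
            Console.WriteLine("imperative: granted");
        }
        catch (SecurityException)
        {
            Console.WriteLine("imperative: denied, caller is not an Auditor");
        }
    }
}
```

Because the imperative form throws rather than returning false, wrap it where a denial is an expected outcome and let it propagate where a denial is a bug; the declarative form always throws, which is what makes it a gate on the method rather than a branch inside it.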

Impersonation

• Impersonation allows ASP.NET applications to execute with a client's identity
• By enabling impersonation, ASP.NET receives the security token to impersonate from IIS
• Impersonation is configured in the Web.config file. There are three options for this setting:
  1. Impersonation is disabled
  2. Impersonation is enabled
  3. Impersonation is enabled and a specific impersonation identity is specified


With impersonation, ASP.NET applications can optionally execute with the identity of the client on whose behalf they're operating. Impersonation is usually performed for resource access control. You should carefully consider whether or not impersonation is required, because it consumes additional server resources. Delegation is a more powerful form of impersonation and allows remote resources to be accessed by the server process while acting as the client. If impersonation is enabled, ASP.NET will receive the token to impersonate from IIS. You have more granular control of impersonation in a Web application when using ASP.NET in comparison to traditional Active Server Pages (ASP). This is controlled by specifying a value in the application's Web.config file. You have the following three options when specifying the required impersonation setting:

• Impersonation enabled. In this instance, ASP.NET will impersonate the token passed to it by IIS, which will be either an authenticated user or the anonymous Internet user account.
• Impersonation enabled, with a specific impersonation identity specified. In this instance, ASP.NET will impersonate the token generated using the configured identity. In this case the client token, if applicable, is not used.
• Impersonation disabled. This is the default setting, for backward compatibility with ASP. In this instance, the ASP.NET thread will run using the process token of the application worker process, which by default is the IIS system account, regardless of which combination of IIS and ASP.NET authentication has been used.

If the application resides on a UNC share, ASP.NET will always impersonate the IIS UNC token to access that share unless a configured account is used. If an explicitly configured account is provided, ASP.NET will use that account in preference to the IIS UNC token.

Delegation

• In the impersonation/delegation model the service or component impersonates the client's identity before it accesses the next downstream service.
• If the next service in line is on the same computer, impersonation is sufficient. Delegation is required if the downstream service is located on a remote computer.

[Diagram: App Server on Computer 1 (impersonating) -> Impersonation -> Delegation -> Computer 2]

Impersonation and Delegation

The table below shows the various IIS authentication types and indicates whether the security context of the authenticated caller can be delegated.

Auth. type | Can delegate | Comment
Anonymous | Yes | Use either domain accounts or mirrored local accounts
Basic | Yes | Use either domain accounts or mirrored local accounts
Integrated (NTLM) | No | 
Integrated (Kerberos) | Yes | Both the user account and the server account must be configured for delegation
Client certificates | Depends | Can be delegated if used with IIS certificate mapping


Kerberos delegation under Windows 2000 is unconstrained. A user may be able to make multiple network hops across multiple remote computers. To close this potential security risk, limit the scope of the domain account’s reach by removing the account from the Domain Users group and allow the account to be used only to log on to specific computers.

Authorization Strategies

• Role based
  - Users are partitioned into application-defined, logical roles
  - Members of a particular role share the same privileges within the application
  - Access to operations (typically expressed by method calls) is authorized based on the role membership of the caller
  - Resources are accessed using fixed identities
  - E.g. using .NET roles, URL-based authorization

• Resource based
  - Individual resources are secured using Windows ACLs
  - The application impersonates the caller prior to accessing resources, which allows the operating system to perform standard access checks
  - Resources are accessed using the original caller's identity (using impersonation)
  - E.g. file authorization
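The following C# code is an added example contrasting the two strategies above; it is not course code. The role name ReportReaders and the file path are constructed, and the resource-based method assumes the caller was authenticated by IIS with a Windows scheme (Basic, Digest or Integrated) so that the request's identity is a WindowsIdentity.

```csharp
// Added example (not course code): role-based versus resource-based access to
// the same file. Both methods take the current HttpContext and a file path.
using System;
using System.IO;
using System.Security.Principal;
using System.Web;

public static class ReportAccess
{
    // Role-based: the application makes the decision, then reads the file as its
    // own fixed process identity. The file's ACL only has to admit the worker
    // process, and the check lives entirely in application code.
    public static string ReadAsApplication(HttpContext context, string path)
    {
        if (!context.User.IsInRole("ReportReaders"))
            throw new UnauthorizedAccessException("Caller is not in ReportReaders.");
        return File.ReadAllText(path);
    }

    // Resource-based: impersonate the original caller for the duration of the
    // read only, so the operating system enforces the file's ACL against the
    // caller's own identity. No role logic is needed in the application.
    public static string ReadAsCaller(HttpContext context, string path)
    {
        WindowsIdentity caller = context.User.Identity as WindowsIdentity;
        if (caller == null || !caller.IsAuthenticated)
            throw new UnauthorizedAccessException("Windows-authenticated caller required.");

        // 'using' guarantees Undo() even if the read throws, so the worker thread
        // never keeps the caller's token beyond this block.
        using (WindowsImpersonationContext ctx = caller.Impersonate())
        {
            // If the ACL denies the caller, this throws UnauthorizedAccessException;
            // the original process identity is restored when the block exits.
            return File.ReadAllText(path);
        }
    }
}
```

If path points at a share on another computer, ReadAsCaller succeeds only in the cases the delegation table that follows marks as delegable (for instance Kerberos with both accounts configured for delegation); with NTLM the impersonated token cannot make the second hop and the remote read fails even though the caller's ACL entry is correct.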

Using URL Authorization

• Example: allow “Admins” or “WebServiceUsers” and deny all others

• Example: deny anonymous users

In the .NET Framework 2.0, this has been extended to non-ASP.NET file types as well, for instance .jpg or .html.


URL Authorization is an authorization mechanism configured by settings within the machine and application configuration files. It allows you to restrict access to specific files and folders within your application's Uniform Resource Identifier (URI) namespace. For example, you can selectively deny or allow access to specific files or folders (addressed by means of a URL) to nominated users. You can also restrict access based on the user's role membership and the type of HTTP verb used to issue a request (GET, POST, and so on). URL Authorization requires an authenticated identity, which can be obtained by a Windows or ticket-based authentication scheme.

The <allow> and <deny> elements take the following attributes:
  ± roles: Identifies a targeted role for this element. The associated IPrincipal object for the request determines the role membership. You can attach arbitrary IPrincipal objects to the context for a given request and they can determine role membership in whatever way you like. For example, the default WindowsPrincipal class uses Microsoft Windows NT groups to determine role membership.
  ± users: Identifies the targeted identities for this element.
  ± verbs: Defines the HTTP verbs to which the action applies, such as GET, HEAD, and POST.

To establish the conditions for access to a particular directory, you must place a configuration file that contains an <authorization> section in that directory. The conditions set for that directory also apply to its subdirectories, unless configuration files in a subdirectory override them. The general syntax for this section is as follows.

At run time, the authorization module iterates through the <allow> and <deny> tags until it finds the first access rule that fits a particular user. It then grants or denies access to a URL resource depending on whether the first access rule found is an <allow> or a <deny> rule. The default authorization rule in the Machine.config file is an allow-all rule, so, by default, access is allowed unless configured otherwise.
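As an added example (not from the course material), the following C# models the first-match rule walk just described, run over two constructed web.config fragments matching the slide's examples; in ASP.NET the real evaluation is done by UrlAuthorizationModule, and the class and method names here are the example's own.

```csharp
using System;
using System.Linq;
using System.Xml.Linq;

// Added example, not course material: a small model of how the ASP.NET authorization
// module walks <allow>/<deny> rules. The first matching rule decides; if nothing
// matches, the Machine.config default (allow everyone) applies. As in web.config,
// users="*" means all users and users="?" means anonymous users.
static class UrlAuthorizationDemo
{
    // Constructed web.config fragments matching the two slide examples.
    public const string AllowAdminsDenyOthers =
        "<authorization>" +
        "  <allow roles=\"Admins,WebServiceUsers\" />" +
        "  <deny users=\"*\" />" +
        "</authorization>";
    public const string DenyAnonymous =
        "<authorization><deny users=\"?\" /></authorization>";
    // user == null models an unauthenticated (anonymous) request.
    public static bool IsAllowed(string configXml, string user, string[] roles, string verb)
    {
        foreach (var rule in XElement.Parse(configXml).Elements())
            if (Matches(rule, user, roles, verb))
                return rule.Name.LocalName == "allow";   // first match decides
        return true;                                     // default rule: allow
    }
    static bool Matches(XElement rule, string user, string[] roles, string verb)
    {
        var verbs = Split(rule.Attribute("verbs"));      // no verbs attribute = all verbs
        if (verbs.Length > 0 && !verbs.Contains(verb, StringComparer.OrdinalIgnoreCase))
            return false;
        bool userHit = Split(rule.Attribute("users")).Any(u =>
            u == "*" || (u == "?" && user == null) ||
            (user != null && u.Equals(user, StringComparison.OrdinalIgnoreCase)));
        bool roleHit = Split(rule.Attribute("roles"))
            .Any(r => roles.Contains(r, StringComparer.OrdinalIgnoreCase));
        return userHit || roleHit;
    }
    static string[] Split(XAttribute a) => a == null ? new string[0]
        : a.Value.Split(',').Select(s => s.Trim()).Where(s => s.Length > 0).ToArray();

    static void Main()
    {
        Console.WriteLine("alice in Admins: " + IsAllowed(AllowAdminsDenyOthers, "alice", new[] { "Admins" }, "GET"));
        Console.WriteLine("bob in Users:    " + IsAllowed(AllowAdminsDenyOthers, "bob", new[] { "Users" }, "GET"));
        Console.WriteLine("anonymous:       " + IsAllowed(DenyAnonymous, null, new string[0], "GET"));
        Console.WriteLine("carol, no roles: " + IsAllowed(DenyAnonymous, "carol", new string[0], "GET"));
    }
}
```

Swapping the order of the two rules in AllowAdminsDenyOthers locks everyone out, which is the ordering mistake the first-match behaviour makes easy to introduce.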

35 .Net Roles - Role based Authorization

· .Net Roles are a typical use of role-based authorization

· Revolve around IPrincipal objects that contain the list of roles that an authenticated identity belongs to.

· Ways to perform authorization using .Net roles
  ± declaratively, using PrincipalPermission demands
  ± programmatically, using imperative PrincipalPermission demands or the IPrincipal.IsInRole method

· .Net Roles can be used with
  ± Windows authentication
  ± Non-Windows authentication


.Net Roles with Windows Authentication: ASP.NET automatically constructs a WindowsPrincipal that is attached to the context of the current Web request (using HttpContext.User). After the authentication process is complete and ASP.NET has attached the object to the current request, it is used for all subsequent .NET role-based authorization.

.Net Roles with Non-Windows authentication: write code to create a GenericPrincipal object (or a custom IPrincipal object) and populate it with a set of roles obtained from a custom authentication data store such as a SQL Server database. Once the custom IPrincipal object (containing roles obtained from the custom data store) is attached to the current request context (using HttpContext.User), basic role-checking functionality is available.

36 .Net Roles

· Using Windows Authentication

± ASP.NET constructs a WindowsPrincipal object and the Windows group membership of the user determines the associated role set.

· Using Non-Windows Authentication
  ± Capture the user's credentials.
  ± Validate the user's credentials against a custom data store such as a SQL Server database.
  ± Retrieve a role list, construct a GenericPrincipal object and associate it with the current Web request.
  ± Replace HttpContext.User with the custom IPrincipal or GenericPrincipal.


Using Windows Authentication: ASP.NET constructs a WindowsPrincipal object, and the Windows group membership of the user determines the associated role set.

Using Non-Windows Authentication:
  ± Capture the user's credentials.
  ± Validate the user's credentials against a custom data store such as a SQL Server database.
  ± Retrieve a role list, construct a GenericPrincipal object and associate it with the current Web request.
  ± Replace HttpContext.User with the custom IPrincipal or GenericPrincipal.

The Principal object (Windows or Generic) which represents the authenticated user can be used for subsequent .Net Role checks:
  ± Manual role checks, by calling the IPrincipal.IsInRole method
  ± Declarative role checks, using PrincipalPermission demands
  ± Imperative role checks, using PrincipalPermission demands
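An added example, not from the course material, of the non-Windows steps above in C#: a constructed in-memory credential table stands in for the SQL Server store, and the three check styles (IsInRole, declarative and imperative PrincipalPermission) run against the resulting GenericPrincipal. It targets the .NET Framework (declarative PrincipalPermission demands are not supported on .NET Core), and the class and method names are the example's own.

```csharp
using System;
using System.Security;
using System.Security.Permissions;
using System.Security.Principal;
using System.Threading;

// Added example, not course material: the non-Windows path from the slide. A
// constructed in-memory table stands in for the SQL Server store; the principal is
// assigned to Thread.CurrentPrincipal because a console program has no HttpContext
// (in ASP.NET assign HttpContext.Current.User). Declarative PrincipalPermission
// demands need the .NET Framework; they are not supported on .NET Core.
static class NetRolesDemo
{
    // Constructed stand-in for the custom authentication data store: user, password, roles.
    static readonly string[][] Store = {
        new[] { "alice", "s3cret", "Admins,Users" },
        new[] { "bob",   "pa55",   "Users" },
    };

    // Capture and validate credentials, retrieve the role list, build the principal.
    public static IPrincipal Authenticate(string user, string password)
    {
        foreach (var row in Store)
            if (row[0] == user && row[1] == password)
                return new GenericPrincipal(new GenericIdentity(user, "Custom"), row[2].Split(','));
        return null;   // validation failed: caller stays unauthenticated
    }
    // Declarative check: the demand runs before the method body executes.
    [PrincipalPermission(SecurityAction.Demand, Role = "Admins")]
    public static string DeleteAllOrders() => "orders deleted";
    // Imperative check: the same permission, demanded explicitly in code.
    public static string ViewOrders()
    {
        new PrincipalPermission(null, "Users").Demand();
        return "orders listed";
    }

    static void Main()
    {
        foreach (var login in new[] { new[] { "alice", "s3cret" }, new[] { "bob", "pa55" } })
        {
            IPrincipal p = Authenticate(login[0], login[1]);
            Thread.CurrentPrincipal = p;            // ASP.NET: HttpContext.Current.User = p;
            Console.WriteLine("{0} IsInRole(Admins): {1}", p.Identity.Name, p.IsInRole("Admins"));
            Console.WriteLine(ViewOrders());        // both users hold the Users role
            try { Console.WriteLine(DeleteAllOrders()); }
            catch (SecurityException) { Console.WriteLine(login[0] + ": denied by declarative demand"); }
        }
    }
}
```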

37 Cryptography

Cryptography helps protect data from being viewed or modified and helps provide a secure means of communication over otherwise insecure channels

Cryptography is used to provide the following:
· Confidentiality
· Data integrity
· Authentication


Cryptography helps protect data from being viewed or modified and helps provide a secure means of communication over otherwise insecure channels. Cryptography is used to provide the following:
· Confidentiality: to ensure data remains private. Confidentiality is usually achieved using encryption.
· Data integrity: to ensure data is protected from accidental or deliberate (malicious) modification. Integrity is usually provided by hashes.
· Authentication: to assure that data originates from a particular party. Digital certificates are used to provide authentication.

The System.Security.Cryptography namespace in .Net provides cryptographic services, including secure encoding and decoding of data, hashing, random number generation, and message authentication.

38 Cryptography (Contd)

· This slide is left blank for notes continued from previous page


Encryption: the process of transforming information so that it is unintelligible to anyone but the intended recipient.
Decryption: the process of transforming encrypted information so that it is intelligible again.
Cipher text: encrypted messages are called cipher text.
Cryptographic algorithm: also called a cipher, a mathematical function used for encryption or decryption, such as RSA.
Symmetric key encryption: the same key is used to encrypt and decrypt.
Asymmetric key encryption: two keys are used, one for encryption and the other for decryption. Either one can be used to encrypt or decrypt; if one encrypts, only the other key can decrypt.
Hashing algorithm: a mathematical function which, when applied to a text (message), produces a hash that is supposed to be unique.
IV (used as salt): takes the input block size and generates a SHA-1 hashed value from the system time and a randomly selected number (the random number makes it a little harder to find out when the IV was generated). A plain random number doesn't contain letters, so a hash is preferred as a pseudorandom generator. Output: returns as many chars as the block size.

39 Symmetric Cryptography Overview

· Same key used to encrypt and decrypt data
· Problem: exchanging keys

[Diagram: Encryption: Your Data → Encode → Binary "plaintext" (byte array/stream) → Encrypt with Key → Binary "ciphertext" (byte array/stream). Decryption: Binary "ciphertext" (byte array/stream) → Decrypt with Key → Binary "plaintext" (byte array/stream) → Decode → Your Data]


System.Security.Cryptography namespace provides classes for the following symmetric algorithm implementations:

· DES (Data Encryption Standard): System.Security.Cryptography.DES
· Triple DES (aka "3DES"): System.Security.Cryptography.TripleDES. Modified DES with 3x key size (key size = 56 bits).
· RC2 ("Ron's Code 2", Ron Rivest of RSA): System.Security.Cryptography.RC2. Intended as a replacement for DES.
· Rijndael ("rhine doll"): System.Security.Cryptography.Rijndael. Official (in US) successor to DES. Reportedly around 3 times faster than 3DES.
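An added example, not from the course material, of the encode/encrypt and decrypt/decode steps in the diagram above, written in C# with the Aes class (the standardised Rijndael). The key is generated locally and the key-exchange problem the slide names is left unsolved; the class and method names are the example's own.

```csharp
using System;
using System.IO;
using System.Security.Cryptography;
using System.Text;

// Added example, not course material. Aes is the standardised Rijndael named on the
// slide. A fresh IV is generated per message and prepended to the ciphertext: the
// receiver needs it, and it need not be secret, only never reused with the same key.
static class SymmetricDemo
{
    public static byte[] Encrypt(byte[] key, string plaintext)
    {
        using (var aes = Aes.Create())
        using (var ms = new MemoryStream())
        {
            aes.Key = key;
            aes.GenerateIV();
            ms.Write(aes.IV, 0, aes.IV.Length);        // IV travels in the clear, ahead of the data
            using (var cs = new CryptoStream(ms, aes.CreateEncryptor(), CryptoStreamMode.Write))
            {
                byte[] data = Encoding.UTF8.GetBytes(plaintext);   // "Encode": text -> bytes
                cs.Write(data, 0, data.Length);
            }                                          // disposing flushes the final padded block
            return ms.ToArray();                       // ToArray still works on the closed stream
        }
    }
    public static string Decrypt(byte[] key, byte[] blob)
    {
        using (var aes = Aes.Create())
        {
            byte[] iv = new byte[aes.BlockSize / 8];   // 16 bytes for AES
            Array.Copy(blob, 0, iv, 0, iv.Length);
            aes.Key = key;
            aes.IV = iv;
            using (var ms = new MemoryStream(blob, iv.Length, blob.Length - iv.Length))
            using (var cs = new CryptoStream(ms, aes.CreateDecryptor(), CryptoStreamMode.Read))
            using (var reader = new StreamReader(cs, Encoding.UTF8))
                return reader.ReadToEnd();             // "Decode": bytes -> text
        }
    }

    static void Main()
    {
        byte[] key = new byte[32];                     // 256-bit key, held by both parties
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(key);
        byte[] blob = Encrypt(key, "Constructed sample message");
        Console.WriteLine(Convert.ToBase64String(blob));
        Console.WriteLine(Decrypt(key, blob));
    }
}
```

Note that this block gives confidentiality only; the integrity goal from the Cryptography slide needs a hash or MAC over the ciphertext in addition.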

40 Asymmetric Cryptography Overview

· Key pair: one key used to encrypt, the other to decrypt
· Solves the key exchange problem
· Can be used for both encryption and digital signatures

[Diagram: Encryption: Your Data → Encode → Binary "plaintext" (byte array/stream) → Encrypt with Public Key → Binary "ciphertext" (byte array/stream). Decryption: Binary "ciphertext" (byte array/stream) → Decrypt with Private Key → Binary "plaintext" (byte array/stream) → Decode → Your Data]


System.Security.Cryptography namespace provides classes for the following asymmetric algorithm implementations:

· RSA (signature and encryption): System.Security.Cryptography.RSA
· DSA (signature only): System.Security.Cryptography.DSA
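An added example, not from the course material, of the digital-signature use listed above, in C# (.NET Framework 4.6 or later, or .NET Core): the private key signs, the public parameters alone verify, and a one-bit change to the data fails verification. Class and method names are the example's own.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example, not course material: RSA as a signature algorithm. The signer's
// private key produces the signature; anyone holding only the public parameters can
// verify it, and any change to the data invalidates it. Keys are generated in memory
// for the demo; real systems keep the private key in a key container or certificate store.
static class SignatureDemo
{
    public static byte[] Sign(RSAParameters signerPrivate, byte[] data)
    {
        using (var rsa = RSA.Create())
        {
            rsa.ImportParameters(signerPrivate);
            return rsa.SignData(data, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        }
    }

    public static bool Verify(RSAParameters signerPublic, byte[] data, byte[] signature)
    {
        using (var rsa = RSA.Create())
        {
            rsa.ImportParameters(signerPublic);          // public key only: no secret needed to verify
            return rsa.VerifyData(data, signature, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        }
    }

    static void Main()
    {
        RSAParameters priv, pub;
        using (var keyPair = RSA.Create())
        {
            priv = keyPair.ExportParameters(true);      // includes D, P, Q: keep secret
            pub = keyPair.ExportParameters(false);      // modulus and exponent only
        }
        byte[] message = Encoding.UTF8.GetBytes("Constructed sample message");   // constructed input
        byte[] sig = Sign(priv, message);

        Console.WriteLine("signature bytes: " + sig.Length);
        Console.WriteLine("valid on original: " + Verify(pub, message, sig));

        message[0] ^= 0x01;                              // flip one bit of the signed data
        Console.WriteLine("valid after tamper: " + Verify(pub, message, sig));
    }
}
```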

41 XML Encryption in .Net

· XML Encryption allows you to encrypt arbitrary data

· This feature is driven through the new EncryptedXml class.

· There are three approaches to Xml Encryption
  ± Encrypt the xml using symmetric encryption only
  ± Encrypt the xml using a combination of asymmetric and symmetric encryption
  ± Encrypt the xml using an X.509 Certificate


One of the new features being introduced with the Whidbey version of the .Net framework is XML encryption. XML Encryption allows you to encrypt arbitrary data, and have the result be an XML element. Much as XML digital signatures are driven through the SignedXml class, this feature is driven through the new EncryptedXml class. In order to allow this feature to work well with XML digital signatures, there is a special transform included with the framework, that allows the digital signature engine to decrypt the encryption document, and compute the signature over only that portion. There are three approaches to Xml Encryption.

1. Encrypt the xml using symmetric encryption only

Only one session key is used, and the same key that encrypts the xml is used to decrypt it. The key is not stored with the encrypted xml, so it needs to be loaded during the process and protected when stored.

2. Encrypt the xml using a combination of asymmetric and symmetric encryption

The dual approach requires a symmetric session key to encrypt the data and an asymmetric key to protect the session key. Both the encrypted session key and the encrypted data are stored together in the xml document. The public asymmetric key is used to encrypt the session key while the private asymmetric key is used to decrypt the key.

3. Encrypt the xml using an X.509 Certificate

This approach uses an X.509 certificate as the symmetrical key. X.509 certificates are provided by a third-party vendor such as VeriSign.
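An added example, not from the course material, of approach 2 above with the EncryptedXml class in C#: the element content is encrypted with an AES session key, the session key is RSA-encrypted and carried in the document under the key name "session", and decryption reverses both steps. The document, element name and key name are constructed; System.Security.Cryptography.Xml ships with the .NET Framework (a NuGet package on .NET Core), and the class and method names are the example's own.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.Xml;
using System.Xml;

// Added example, not course material. An AES session key encrypts the element, the
// recipient's RSA public key wraps that session key, and both are carried in the
// document inside <EncryptedData>, so only the RSA private key can recover the text.
static class XmlEncryptionDemo
{
    const string SampleXml =                                    // constructed sample document
        "<article><title>XPath Queries on XmlDocument objects</title>" +
        "<body>This article covers the basics.</body></article>";
    public static void EncryptElement(XmlDocument doc, string elementName, RSA recipientKey, string keyName)
    {
        var target = (XmlElement)doc.GetElementsByTagName(elementName)[0];
        using (var session = Aes.Create())                      // one-off symmetric session key
        {
            byte[] cipher = new EncryptedXml().EncryptData(target, session, false);
            var encKey = new EncryptedKey();                    // session key, wrapped with RSA
            encKey.EncryptionMethod = new EncryptionMethod(EncryptedXml.XmlEncRSA15Url);
            encKey.CipherData = new CipherData(EncryptedXml.EncryptKey(session.Key, recipientKey, false));
            encKey.KeyInfo.AddClause(new KeyInfoName(keyName)); // tells the receiver which RSA key to use
            var encData = new EncryptedData { Type = EncryptedXml.XmlEncElementUrl };
            encData.EncryptionMethod = new EncryptionMethod(EncryptedXml.XmlEncAES256Url);
            encData.KeyInfo.AddClause(new KeyInfoEncryptedKey(encKey));
            encData.CipherData.CipherValue = cipher;
            EncryptedXml.ReplaceElement(target, encData, false); // <body> becomes <EncryptedData>
        }
    }
    public static void DecryptDocument(XmlDocument doc, RSA recipientKey, string keyName)
    {
        var exml = new EncryptedXml(doc);
        exml.AddKeyNameMapping(keyName, recipientKey);          // <KeyName> -> RSA private key
        exml.DecryptDocument();                                 // unwraps session key, restores element
    }

    static void Main()
    {
        var doc = new XmlDocument { PreserveWhitespace = true };
        doc.LoadXml(SampleXml);
        using (var rsa = RSA.Create())                          // recipient's key pair, in memory
        {
            EncryptElement(doc, "body", rsa, "session");
            Console.WriteLine(doc.OuterXml);
            DecryptDocument(doc, rsa, "session");
            Console.WriteLine(doc.OuterXml);
        }
    }
}
```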

42 XML Encryption in .Net

//The XML Document

[Sample XML document; markup lost in extraction. Recoverable content: title "XPath Queries on XmlDocument objects", body "This article covers the basics", author Mr. George James, e-mail address redacted]



43 XML Encryption in .Net

//The XML Document after encryption

[Encrypted sample document; markup lost in extraction. Recoverable content: title "XPath Queries on XmlDocument objects", text "This article covers the basics. This article does not cover.", an EncryptedKey named "session" with a truncated CipherValue, and the truncated CipherValue of the encrypted data]



44 Secure Coding Security Attacks and Vulnerabilities

• Buffer Overruns
  – The most common and dangerous security risk, primarily a C/C++ issue
  – Occurs when data exceeds the expected size and overwrites other values
  – Use managed code, and use the /GS compile option in Visual C++® .NET with existing C and C++ code
• Cross-Site Scripting
  – Cross-site scripting allows hackers to execute arbitrary script in a client's Web browser
  – Any Web site that renders dynamic HTML based on content that users submit is susceptible
  – Hackers can steal Web session information and modify what is displayed on the user's screen


1. During normal execution, when a procedure is called, a return address that marks the location of the calling code is placed on the stack. As a result, when the procedure finishes executing, control returns to the original location.
2. With buffer overruns, there is not a strict limit on the amount of data that can be placed in the buffer. Hackers can overwrite nearly anything on the stack. To make matters worse, the hacker can control the values that are placed on the stack, like the return address.
3. This is very dangerous, because if the return address is overwritten with the address of a malicious procedure, that procedure executes with the same privileges as the original program.

· Cross-site scripting involves Web applications that dynamically generate HTML pages. If these applications embed user input in the pages they generate, hackers can manipulate them to include content in the pages that allows malicious script to be executed in client browsers.
· This is not a vendor-specific issue. It affects every Web server and browser currently on the market. There is no single patch to fix it.
· Scripting tags that can be embedded in this way include