DOCSLIB.ORG

Storing Secrets

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Storing Secrets C04623317.fm Page 71 Friday, August 25, 2006 3:37 PM Chapter 4 Storing Secrets In this chapter: Identifying Attacks and Attackers . .71 Cryptography to the Rescue?. .72 Hashing Data . .73 Storing Passwords . .75 Encrypting Data . .78 Using the Windows Data Protection API . .107 Protecting Configuration Data . .109 Protecting ViewState. .116 Summary . .119 In most applications, you have to deal with sensitive data. This often involves personal data (for example, postal addresses, telephone numbers, medical records, payroll data, and credit card or social security number information), intellectual property, passwords, or configuration data (for example, connection strings). These “secrets” are stored in various formats (for example, database entries or data or configuration files) and are transmitted by using several protocols (for example, HTTP, TDS, and LDAP). This chapter covers the various primitives of cryptography that enable you to secure sensitive data and shows the design and security implications of these approaches. It also covers the built-in protection mechanisms of the Microsoft .NET Framework such as the Data Protection API and the protected configuration feature. This chapter cannot give you a “proper” introduction to cryptography because that would be a book on its own. Nevertheless, I want to show you which technique to choose in which situation and the “gotchas” you can run into. For those who want to extend their crypto- knowledge beyond what’s presented in this chapter, I highly recommend Practical Cryptography by Niels Ferguson and Bruce Schneier (Wiley Publishing, Inc., 2003). Identifying Attacks and Attackers Data is probably the most precious asset that your company and your application deals with. There are various threats to this asset: ■ Disclosure Some data is highly confidential, such as credit card numbers and medical records, and should be viewable/editable only by authorized people. Data can be 71 C04623317.fm Page 72 Friday, August 25, 2006 3:37 PM 72 Developing More-Secure Microsoft ASP.NET 2.0 Applications disclosed in various ways. Code defects such as SQL injection and directory traversal can enable attackers to access data stored on hard disks or in databases. Data that is transmitted unprotected (for example, plain HTTP or nonsecure database connections) can be disclosed by eavesdropping. ■ Tampering Data tampering is often considered even more harmful than disclosure. If an attacker manages to sniff your five-book order at Amazon.com, it might be bad. But it is much worse if the attacker can modify this order to 50 books without someone noticing the manipulation. Sensitive data should always be stored in a way that only authorized persons or processes are allowed to modify. Furthermore, you should have a clear understanding of which types of attackers you want to protect your data against: ■ External attackers These attackers come from outside your firewall and exploit flaws in the application and network/operating system security configuration. Such flaws can be mitigated by writing robust code, doing proper input validation, and implementing a hardened operating system and network infrastructure. ■ Insiders These are people who work behind your firewall and who might have legitimate access to application files and data (for example, employees such as administrators or developers; contractors; or external consultants). It is especially hard to guard against this type of attacker because they can operate from parts of your network that are often considered trusted. And even if they don’t actively try to compromise your application, data such as payroll information in human resources systems should not be visible to anyone besides authorized personnel. Effectively securing such scenarios always involves introducing paper-security policies in addition to technical countermeasures. For example, the admin of a key store shouldn’t also be the admin of the store where encrypted data using that key is stored (this is called the segregation of duties principle). Cryptography to the Rescue? Cryptography is a technology based on mathematics that can help add the following “features” to data: ■ Confidentiality Data can be read only by the intended people or processes. ■ Integrity Data cannot be modified without notice. ■ Authenticity Who created or changed the data can be verified. It is very important to notice that most of the time, encryption does not eliminate your secrets, but it can reduce the problem of protecting big secrets, such as a data file, to one of protecting a small secret called a key. Your job is to securely generate, store, and transmit those keys. Insecure key management is far more often the weak spot in an application than cryptography is. C04623317.fm Page 73 Friday, August 25, 2006 3:37 PM Chapter 4 Storing Secrets 73 Furthermore, cryptography uses two independent primitives to achieve its goals: hashing and encryption. Hashing is used for integrity, encryption for confidentiality—for authenticity, you have to use a combination of the two. Throughout this chapter, I describe various applications of cryptography to secure data, starting with the basic APIs for hashing and encryption and working through to higher level crypto- graphic application services such as the protected configuration feature of Microsoft .NET Framework version 2.0. Hashing Data Hashing is a deterministic mathematical one-way function used to create a cryptographically secure fingerprint of data. The properties of a hashing algorithm are the following: ■ Fixed-length output Hashing algorithms produce a fixed-length output regardless of the size of the input data. The output length differs with the algorithm used. ■ One-way function Hashes are easy to compute, but difficult to revert. The fixed-length output implies that data is lost during the hashing process (at least when the input data is bigger than the fixed-length output is). Of course, other attacks such as brute force or dictionary attacks recover the plain text. Depending on the probability distribution of the plain text, this is most likely infeasible. ■ Deterministic The hash output is always the same for a given input. ■ Collision free (almost) No feasible way to produce the same hash by using different input values should exist. Good hashing algorithms produce radically different output even if the input is changed only slightly. Hashing is often used to create fingerprints of data; for example, you can store the hash of data and later check whether the data was modified by comparing the stored hash to the current one. Hashing can also be used to provide a secret equivalent. For example, if someone has to prove knowledge of a secret, such as a password, you need only store the hash, not the actual secret. This is discussed in more detail in the section titled “Storing Passwords” later in this chapter. Hashing Algorithms Several hashing algorithms are out there; the most well-known probably are MD5 and SHA1. If you want an easy introduction to how they work internally, have a look at Practical Cryptography. All .NET classes that implement hashing algorithms are derived from HashAlgorithm and can be found in the System.Security.Cryptography namespace (see Figure 4-1). Weaknesses have been found in MD5, RIPEMD, and SHA1; if possible (for example, when building a new system that need not be compatible with other applications that use these algorithms), you should avoid using them. The currently recommended algorithms are SHA256–SHA512. (SHA384 does not really give you anything—most implementations C04623317.fm Page 74 Friday, August 25, 2006 3:37 PM 74 Developing More-Secure Microsoft ASP.NET 2.0 Applications internally create a SHA512 and throw away the unneeded bits.) The algorithms also differ in the output length: SHA1 produces 160 bits output, whereas SHA256 and SHA512 produce 256 and 512 bits, respectively. You can read more about recommended cryptography algorithms on the NSA home page (http://www.nsa.gov/ia/industry/crypto_suite_b.cfm). HashAlgorithm MD5 MD5CryptoServiceProvider RIPEMD160 RIPEMD160Managed SHA1 SHA1Managed SHA1CryptoServiceProvider SHA256 SHA256Managed SHA384 SHA384Managed SHA512 SHA512Managed Figure 4-1 Hashing algorithms in .NET More Info Class names that end with CryptoServiceProvider indicate that they are a wrapper around the native Microsoft Windows Crypto API, whereas those that end with Managed mean that the implementation is done in managed code. To avoid platform dependencies, choose the managed implementations. (The native ones are considerably faster, though.) Hashing in .NET Creating a hash is very straightforward. Create an instance of a class that implements the hashing algorithm and call the ComputeHash() method. The hash classes work on byte arrays as inputs and outputs. If you have to deal with string data, first you have to encode the string to a byte array. Classes in the System.Text namespace help you do that. Depending on the input character set, you should encode the string by using either UTF-8 or Unicode. string simpleHash(string data) { // Encode data to a byte array. byte[] dataBytes = Encoding.UTF8.GetBytes(data); // Create the hash. SHA256Managed sha = new SHA256Managed(); byte[] hashBytes = sha.ComputeHash(dataBytes); // Return base64-encoded string. return Convert.ToBase64String(hashBytes); } C04623317.fm Page 75 Friday, August 25, 2006 3:37 PM Chapter 4 Storing Secrets 75 This code example produces the following hash for the string hello: LPJNul+wow4m6DsqxbninhsWHlwfp0JecwQzYpOLmCQ=
Load more

Recommended publications
  • Security Target
    Acronis SCS Acronis Cyber Backup 12.5 SCS Hardened Edition Server v12.5 Security Target Document Version: 0.14 Prepared for: Prepared by: Acronis SCS Corsec Security, Inc. 6370 E. Thomas Road, Suite 250 13921 Park Center Road, Suite 460 Scottsdale, AZ 85251 Herndon, VA 20171 United States of America United States of America Phone: +1 781 782 9000 Phone: +1 703 267 6050 www.acronisscs.com www.corsec.com Security Target, Version 0.14 August 19, 2020 Table of Contents 1. Introduction .......................................................................................................................................................4 1.1 Purpose .....................................................................................................................................................4 1.2 Security Target and TOE References .........................................................................................................4 1.3 Product Overview ......................................................................................................................................5 1.3.1 Product Components........................................................................................................................5 1.4 TOE Overview ............................................................................................................................................6 1.4.1 TOE Environment..............................................................................................................................7 1.5
    [Show full text]
  • Microsoft Windows Common Criteria Evaluation Security Target
    Microsoft Common Criteria Security Target Microsoft Windows Common Criteria Evaluation Microsoft Windows 10 version 1809 (October 2018 Update) Microsoft Windows Server 2019 (October 2018 Update) Security Target Document Information Version Number 0.05 Updated On June 18, 2019 Microsoft © 2019 Page 1 of 126 Microsoft Common Criteria Security Target Version History Version Date Summary of changes 0.01 June 27, 2018 Initial draft 0.02 December 21, 2018 Updates from security target evaluation 0.03 February 21, 2019 Updates from evaluation 0.04 May 6, 2019 Updates from GPOS PP v4.2.1 0.05 June 18, 2019 Public version Microsoft © 2019 Page 2 of 126 Microsoft Common Criteria Security Target This is a preliminary document and may be changed substantially prior to final commercial release of the software described herein. The information contained in this document represents the current view of Microsoft Corporation on the issues discussed as of the date of publication. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of publication. This document is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, AS TO THE INFORMATION IN THIS DOCUMENT. Complying with all applicable copyright laws is the responsibility of the user. This work is licensed under the Creative Commons Attribution-NoDerivs- NonCommercial License (which allows redistribution of the work). To view a copy of this license, visit http://creativecommons.org/licenses/by-nd-nc/1.0/ or send a letter to Creative Commons, 559 Nathan Abbott Way, Stanford, California 94305, USA.
    [Show full text]
  • Microsoft Windows Vista and Windows Server 2008 EAL1 Security Target
    Microsoft Windows Vista and Windows Server 2008 EAL1 Security Target Version 1.0 August 14, 2008 Prepared For: Microsoft Corporation Corporate Headquarters One Microsoft Way Redmond, WA 98052-6399 Prepared By: Science Applications International Corporation Common Criteria Testing Laboratory 7125 Gateway Drive Columbia, MD 21046-2554 Version 1.0, 8/14/2008 This is a preliminary document and may be changed substantially prior to final commercial release of the software described herein. The information contained in this document represents the current view of Microsoft Corporation on the issues discussed as of the date of publication. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of publication. This document is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, AS TO THE INFORMATION IN THIS DOCUMENT. Complying with all applicable copyright laws is the responsibility of the user. This work is licensed under the Creative Commons Attribution-NoDerivs-NonCommercial License (which allows redistribution of the work). To view a copy of this license, visit http://creativecommons.org/licenses/by-nd- nc/1.0/ or send a letter to Creative Commons, 559 Nathan Abbott Way, Stanford, California 94305, USA. Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.
    [Show full text]
  • Ways to a Better Password Management
    St at e of IT Changes Survey Result s + Infographic Tips for a Bet t er Passw ord Securit y Policy Dat a Governance: The Key t o Com pliance Basic Rules How -t o: Ways t o a Bet t er Det ect ing Passw ord Changes in Act ive oPf aWsisnwdoowrds Server Direct ory SMecaunriatygem ent Contents Nine St eps t o a Bet t er Passw ord Managem ent 3 by Richard Muniz Why You Need t o Ensure Adm inist rat ors 5 Change Passw ords Regularly by Orin Thomas How t o St ore and Ret rieve Passw ords Securely 7 w it h Pow erShell by Adam Bertram 3 Ways t o Prot ect t he Keys t o Your Kingdom - 11 Dom ain Adm inist rat or Credent ials by Russell Smith June 2015 SysAdmin Magazine St at e of IT Changes Survey 2015: 13 Docum ent ing and Audit ing Dat a Governanm e: The Key t o Com pliance 16 by Deb Shinder Internet Usage Policy against Inappropriate 18 Content by Richard Muniz How to Detect Password Changes 20 in Active Directory June 2015 SysAdmin Magazine Nine Steps to a Better Passw ord Managem ent by Richard Muniz 20+ years in IT industry, a practicing systems administrator and a teacher Passwords remind me a bit of the Coyote. Not Monde and right on the background, taped to the one that chases the Road Runner, but the the wall, is a list of passwords (and you thought one that lives in my native South-West and howls you had it rough with people taping them under at the moon.
    [Show full text]
  • Encryption Enterprise Advanced Installation Guide V10.0 Notes, Cautions, and Warnings
    Dell Encryption Enterprise Advanced Installation Guide v10.0 Notes, cautions, and warnings NOTE: A NOTE indicates important information that helps you make better use of your product. CAUTION: A CAUTION indicates either potential damage to hardware or loss of data and tells you how to avoid the problem. WARNING: A WARNING indicates a potential for property damage, personal injury, or death. © 2012-2018 Dell Inc. All rights reserved. Dell, EMC, and other trademarks are trademarks of Dell Inc. or its subsidiaries. Other trademarks may be trademarks of their respective owners.Registered trademarks and trademarks used in the Dell Encryption, Endpoint Security Suite Enterprise, and Data Guardian suite of documents: Dell™ and the Dell logo, Dell Precision™, OptiPlex™, ControlVault™, Latitude™, XPS®, and KACE™ are trademarks of Dell Inc. Cylance®, CylancePROTECT, and the Cylance logo are registered trademarks of Cylance, Inc. in the U.S. and other countries. McAfee® and the McAfee logo are trademarks or registered trademarks of McAfee, Inc. in the US and other countries. Intel®, Pentium®, Intel Core Inside Duo®, Itanium®, and Xeon® are registered trademarks of Intel Corporation in the U.S. and other countries. Adobe®, Acrobat®, and Flash® are registered trademarks of Adobe Systems Incorporated. Authen tec® and Eikon® are registered trademarks of Authen tec. AMD® is a registered trademark of Advanced Micro Devices, Inc. Microsoft®, Windows®, and Windows Server®, Internet Explorer®, Windows Vista®, Windows 7®, Windows 10®, Active Directory®, Access®, BitLocker®, BitLocker To Go®, Excel®, Hyper-V®, Outlook®, PowerPoint®, Word®, OneDrive®, SQL Server®, and Visual C++® are either trademarks or registered trademarks of Microsoft Corporation in the United States and/or other countries.
    [Show full text]
  • Security Best Practices for Developing Windows Azure Applications
    Security Best Practices For Developing Windows Azure Applications Authors Andrew Marshall (Senior Security Program Manager, Security Engineering) Michael Howard (Principal Security Program Manager, Security Engineering) Grant Bugher (Lead Security Program Manager, OSSC) Brian Harden (Security Architect, OSSC) Contributors Charlie Kaufman (Principal Architect) Martin Rues (Director, OSSC) Vittorio Bertocci (Senior Technical Evangelist, Developer and Platform Evangelism) June 2010 (REVISION 2) The information contained in this document represents the current view of Microsoft Corporation on the issues discussed as of the date of publication. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of publication. This White Paper is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS DOCUMENT. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation. Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights
    [Show full text]
  • Smarx OS Compendium 2020 for the CRYPTO-BOX
    2020 EDITION Smarx® Compendium d s p . ) r e v o C _ n a M x r a m S ( a s 2 1 v o N 7 2 - www.marx.com 0 2 We highly appreciate and value your comments and suggestions! Suggestions for improvements will be honored with: • Free Business Support for 6 months • Enrollment in our BE !" ester program Software security is a growing challenge and requires constant improving " be part of the process! $lease send sugestions and error report to: • $$%& software/hardware in general and documentation (including this Compendium*: support@mar,.com • WEB and online ordering system related: webmaster+mar,.com Smar, .S )ompendium November 2020 )opyright 1 2002, 2020 2!345 )ryptoTech 6$ 7 Table of Contents 8. What is this Compendium !bout?--------------------------------------------------------------------------------: 8-8. ;ntroduction--------------------------------------------------------------------------------------------------------: 8.2. What is /ew9-------------------------------------------------------------------------------------------------------: 8-7. What to Find Where in this )ompendium--------------------------------------------------------------< 8-=. $rofessional Software $rotection Secures 3evenue----------------------------------------------< 8->. he )3?$ ."BO45@ardware-----------------------------------------------------------------------------88 8->-8. )3?$ ."BOX 2odels--------------------------------------------------------------------------------88 8->.2. echnical Features of the )3?$ ."BO45----------------------------------------------------88
    [Show full text]
  • Invisimole: the Hidden Part of the Story Unearthing Invisimole’S Espionage Toolset and Strategic Cooperations
    ESET Research white papers TLP: WHITE INVISIMOLE: THE HIDDEN PART OF THE STORY UNEARTHING INVISIMOLE’S ESPIONAGE TOOLSET AND STRATEGIC COOPERATIONS Authors: Zuzana Hromcová Anton Cherepanov TLP: WHITE 2 InvisiMole: The hidden part of the story CONTENTS 1 EXECUTIVE SUMMARY � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � 4 2 ATTACKS AND INVESTIGATION � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � 4 2.1 InvisiMole’s toolset ������������������������������������������������������������������������������������������������������������������������ 5 2.2 Cooperation between InvisiMole and Gamaredon . 5 3 BUILDING BLOCKS � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � 6 3.1 Structure ������������������������������������������������������������������������������������������������������������������������������������������6 3.1.1 InvisiMole blobs . 6 3.1.2 Execution guardrails with DPAPI ���������������������������������������������������������������������������������7 3.2 Payload ��������������������������������������������������������������������������������������������������������������������������������������������8 3.2.1 TCP downloader ��������������������������������������������������������������������������������������������������������������9 3.2.2 DNS downloader . 9 3.2.3 RC2CL backdoor �������������������������������������������������������������������������������������������������������������13
    [Show full text]
  • Dell Data Protection | Encryption Enterprise Edition Advanced Installation Guide V8.13 Notes, Cautions, and Warnings
    Dell Data Protection | Encryption Enterprise Edition Advanced Installation Guide v8.13 Notes, cautions, and warnings NOTE: A NOTE indicates important information that helps you make better use of your product. CAUTION: A CAUTION indicates either potential damage to hardware or loss of data and tells you how to avoid the problem. WARNING: A WARNING indicates a potential for property damage, personal injury, or death. © 2017 Dell Inc. All rights reserved.Dell, EMC, and other trademarks are trademarks of Dell Inc. or its subsidiaries. Other trademarks may be trademarks of their respective owners. Registered trademarks and trademarks used in the Dell Data Protection Encryption, Endpoint Security Suite, Endpoint Security Suite Enterprise, and Dell Data Guardian suite of documents: DellTM and the Dell logo, Dell PrecisionTM, OptiPlexTM, ControlVaultTM, LatitudeTM, XPS®, and KACETM are trademarks of Dell Inc. Cylance®, CylancePROTECT, and the Cylance logo are registered trademarks of Cylance, Inc. in the U.S. and other countries. McAfee® and the McAfee logo are trademarks or registered trademarks of McAfee, Inc. in the US and other countries. Intel®, Pentium®, Intel Core Inside Duo®, Itanium®, and Xeon® are registered trademarks of Intel Corporation in the U.S. and other countries. Adobe®, Acrobat®, and Flash® are registered trademarks of Adobe Systems Incorporated. Authen Tec® and Eikon® are registered trademarks of Authen Tec. AMD® is a registered trademark of Advanced Micro Devices, Inc. Microsoft®, Windows®, and Windows Server®, Internet Explorer®, MS-DOS®, Windows Vista®, MSN®, ActiveX®, Active Directory®, Access®, ActiveSync®, BitLocker®, BitLocker To Go®, Excel®, Hyper-V®, Silverlight®, Outlook®, PowerPoint®, OneDrive®, SQL Server®, and Visual C++® are either trademarks or registered trademarks of Microsoft Corporation in the United States and/or other countries.
    [Show full text]
  • Sari Haj Hussein Master's Thesis
    Double SSO – A Prudent and Lightweight SSO Scheme Master of Science Thesis in the Programme Secure and Dependable Computer Systems SARI HAJ HUSSEIN Chalmers University of Technology University of Gothenburg Department of Computer Science and Engineering Göteborg, Sweden, November 2010 The Author grants to Chalmers University of Technology and University of Gothenburg the non-exclusive right to publish the Work electronically and in a non-commercial purpose make it accessible on the Internet. The Author warrants that he/she is the author to the Work, and warrants that the Work does not contain text, pictures or other material that violates copyright law. The Author shall, when transferring the rights of the Work to a third party (for example a publisher or a company), acknowledge the third party about this agreement. If the Author has signed a copyright agreement with a third party regarding the Work, the Author warrants hereby that he/she has obtained any necessary permission from this third party to let Chalmers University of Technology and University of Gothenburg store the Work electronically and make it accessible on the Internet. Double SSO – A Prudent and Lightweight SSO Scheme SARI HAJ HUSSEIN © SARI HAJ HUSSEIN, November 2010. Examiner: DAVID SANDS Chalmers University of Technology University of Gothenburg Department of Computer Science and Engineering SE-412 96 Göteborg Sweden Telephone + 46 (0)31-772 1000 Cover: Stage A of Double SSO, see Chapter 5 Department of Computer Science and Engineering Göteborg, Sweden November 2010 Abstract User authentication means the verification of a user identity in a computer system. In a typical scenario, users in an organization have access to several independent services, each of them requires separate credentials (e.g., user name and password) for user authentication.
    [Show full text]
  • Notes on Cloud Computing Syllabus
    Notes on Cloud Computing Syllabus Understanding Cloud Computing: Introduction to cloud computing, are you Chapter 1 ready for cloud computing? Surveying the Role of Cloud Computing, developing the cloud services. Understanding Windows Azure Platform Architecture: The Windows Azure Developer Portal, Creating and running Projects in the Azure Development Platform, Chapter 2 Using Azure Application Templates for Visual Studio 2008, Taking advantage of Auxiliary Cloud Services, Deploying Application and Services to the Azure Cloud. Analyzing the Windows Azure Operating System: The Lifecycle, Securing Chapter 3 and Isolating Services and Data, Assuring Fabric Controller Availability, Virtualizing Windows Server for Azure. Scaling Azure Table and Blob Storage: Creating Storage Accounts, Using or Chapter 4 Wrapping the Azure Storage Services’ REST APIs, Understanding Azure Table Storage, Storing and retrieving Blobs Minimizing Risk When Moving to the Azure Cloud Service: Bypassing the Barrier to Cloud Computing, Implementing the Secure Sockets Layers Chapter 5 Transmission, Encryption for Web Roles, Encrypting Personal Information in Azure Storage Services, Auditing Conformance to Regulatory and Industry Standards. Authenticating and Authorizing Service User: Taking Advantage of ASP.NET Membership Services, Adapting ASP.NET Authentication and Role Management to Windows Azure Web Role, Analyzing the AspProviders Chapter 6 Library’s Classes, Moving the AspProvidersDemo’s Data Source to the Cloud, Integrating Membership Services with an Azure Service, Authenticating users with Windows Live ID. Optimizing the Scalability and Performance of Azure Tables: Assigning Primary Key Values to Entities, Handling Associated Entities, Taking Advantage Chapter 7 of Entity Group Transactions, Uploading the table data, Displaying the Data from Heterogeneous Tables in Grids. Massaging with Azure Queues: Creating and Processing Azure Queues and Chapter 8 Messages, Enhancing the Thumbnails.sin Sample Solution.
    [Show full text]
  • Security Policy for FIPS 140-2 Validation
    Enhanced Cryptographic Provider Security Policy for FIPS 140‐2 Validation Microsoft Windows 8 Microsoft Windows Server 2012 Microsoft Windows RT Microsoft Surface Windows RT Microsoft Surface Windows 8 Pro Microsoft Windows Phone 8 Microsoft Windows Storage Server 2012 Enhanced Cryptographic Provider (RSAENH.DLL) DOCUMENT INFORMATION Version Number 1.2 Updated On December 17, 2014 © 2014 Microsoft. All Rights Reserved Page 1 of 25 This Security Policy is non‐proprietary and may be reproduced only in its original entirety (without revision). Enhanced Cryptographic Provider The information contained in this document represents the current view of Microsoft Corporation on the issues discussed as of the date of publication. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of publication. This document is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, AS TO THE INFORMATION IN THIS DOCUMENT. Complying with all applicable copyright laws is the responsibility of the user. This work is licensed under the Creative Commons Attribution-NoDerivs- NonCommercial License (which allows redistribution of the work). To view a copy of this license, visit http://creativecommons.org/licenses/by-nd-nc/1.0/ or send a letter to Creative Commons, 559 Nathan Abbott Way, Stanford, California 94305, USA. Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.
    [Show full text]