Asp.Net Security
Jim Fawcett
CSE686 – Internet Programming, Summer 2005

Security Model
  - Authentication
      Who do you say you are? (user id)
      Do you have proof? (password)
  - Authorization
      Do you have the privileges to do a requested action?

Asp.Net Authentication
  Asp.Net directly supports three models:
  - Authentication mode = None
      Application-supplied security
  - Authentication mode = Windows
      Based on Windows accounts
      Suitable only for a local network
  - Authentication mode = Forms
      Managed by the application, with support for redirection and for accessing identities provided by Asp.Net
  - Authentication mode = Passport
      Authentication credentials stored on a Microsoft server; sites license the service

No Asp-Supplied Authentication
  - Asp.Net allows all users access to all asp pages.
  - It is up to the application to provide authentication and authorization.
  - Authentication and role-based access are provided by user control(s).
  - The application uses session to tell if a user is logged in.
  - The user signs in and is assigned roles from the database by the user control.
  - Access to pages is based on roles. No help from Windows doing this.

No Authentication
  - Virtual directory allows anonymous access.
  - Web.Config file specifies:
      <authentication mode="None"/>
      <authorization>
        <allow users="*"/>
      </authorization>
  - It's up to the application to provide authentication.
  - CSE686 labs have encouraged you to build an authenticating control and provide your own redirections.

Security Settings for None

Windows Authentication
  - Uses custom socket ports as well as port 80, so it won't go through firewalls.
  - Requires all users to have Windows accounts on the server.
  - Suitable only for a site serving a local network.
  - Remote access requires operation in a domain or Active Directory with Kerberos:
      http://support.microsoft.com/default.aspx?scid=kb;en-us;324276
      http://support.microsoft.com/default.aspx?scid=kb;en-us;810572
  - The major advantage of Windows Integrated Authentication is that you can use all of the Windows role-based security mechanisms.
  - It's easy to restrict access to a page to one or more roles, and roles can be configured with specific permissions.

Security Settings for IWA

Forms Authentication
  - Application provides a login page.
  - Asp.Net takes care of redirections.
  - Application provides id and password storage and retrieval.
  - Almost no help with role-based access.
  - Can configure directories, using web.config files, to accept or deny non-authenticated users:
      <deny users="?"/>    <!-- anonymous users -->
      <allow users="*"/>   <!-- allow all others -->

Forms Authentication (continued)
  - Virtual directory allows anonymous access.
  - Web.Config file specifies:
      <authentication mode="Forms">
        <forms loginUrl="login.aspx">
          <credentials … />
        </forms>
      </authentication>
      <authorization>
        <deny users="?"/>
      </authorization>
  - Application provides login.aspx, which uses System.Web.Security.FormsAuthentication to redirect after authentication.
  - Application uses a database to store and retrieve user ids and passwords.
  - Can log out using FormsAuthentication.SignOut();
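A login.aspx code-behind for the web.config above, as an added example that is not from the slides. UserStore is a hypothetical application class wrapping the site's database: Validate(id, password) returns true for a correct pair and RolesFor(id) returns the user's role names as a string[].

```csharp
// login.aspx.cs: code-behind for the page named by loginUrl in web.config.
// UserStore is a hypothetical application class wrapping the site's database:
// Validate(id, password) returns true for a correct pair; RolesFor(id) returns
// the user's role names as a string[].
using System;
using System.Web.Security;
using System.Web.UI;
using System.Web.UI.WebControls;

public class LoginPage : Page
{
    protected TextBox UserId;
    protected TextBox Password;
    protected Label Message;

    // Wired to the Login button's Click event in login.aspx.
    protected void LoginButton_Click(object sender, EventArgs e)
    {
        string id = UserId.Text.Trim();
        if (id.Length == 0 || !UserStore.Validate(id, Password.Text))
        {
            // One generic message: do not tell the caller which half was wrong.
            Message.Text = "Invalid user id or password.";
            return;
        }
        // Cache the user's roles for the role check performed on each page.
        Session["roles"] = UserStore.RolesFor(id);

        // Issues the forms-authentication cookie for this id, then redirects to
        // the page the user originally asked for (ReturnUrl) or default.aspx.
        // false = session cookie only; no persistent "remember me" cookie.
        FormsAuthentication.RedirectFromLoginPage(id, false);
    }

    // Wired to a Logout link: drops the authentication cookie so the next
    // request is anonymous again and <deny users="?"/> sends it to login.aspx.
    protected void LogoutLink_Click(object sender, EventArgs e)
    {
        FormsAuthentication.SignOut();
        Session.Abandon();      // discard the cached roles as well
        Response.Redirect("login.aspx");
    }
}
```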
Security Settings for Forms

Passport Authentication
  - Fee-based service provided by Microsoft.
  - Won't be discussed further.

Role-Based Security without Windows
  - Public web sites will almost certainly use application-supplied or Forms-based authentication.
  - Clients will not have a user account on the server, so Windows role-based security is no help.
  - The site may need to define at least simple roles: New user, Registered user, Premium member.

Role-Based Authorization
  So how do you provide role-based access?
  - At login, retrieve the user's roles from the db and store them in session.
  - Provide a control on each page that specifies the allowed roles.
  - On page load, check the user's roles from session against the allowed roles from the control.
  - Probably easiest to do this with custom authentication, but workable with Forms Auth.
  - It would help to have an administrator's page to add users and define roles and role membership.
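The per-page role check from the steps above as an added user control (example code, not from the slides). It assumes the login page stored the user's roles in Session["roles"] as a string[]; the uc tag prefix in the markup comment is assumed.

```csharp
// RoleCheck.ascx.cs: a user control dropped on each page that lists the roles
// allowed to view that page. Assumes login.aspx stored the user's roles in
// Session["roles"] as a string[].
using System;
using System.Web;
using System.Web.UI;

public class RoleCheck : UserControl
{
    // Set in the page markup (uc prefix assumed), e.g.
    // <uc:RoleCheck runat="server" AllowedRoles="Registered user,Premium member" />
    private string allowedRoles = "";
    public string AllowedRoles
    {
        get { return allowedRoles; }
        set { allowedRoles = value; }
    }

    // Runs during page load, before anything is rendered; the redirect ends the
    // response so an unauthorized user never sees the page's content.
    protected override void OnLoad(EventArgs e)
    {
        base.OnLoad(e);
        string[] userRoles = Session["roles"] as string[];
        if (userRoles == null || !HasAllowedRole(userRoles, AllowedRoles))
        {
            // Back to the login page, preserving the requested URL.
            Response.Redirect("login.aspx?ReturnUrl=" +
                HttpUtility.UrlEncode(Request.RawUrl), true);
        }
    }

    // True if any role the user holds appears in the control's allowed list.
    // Comparison ignores case and surrounding whitespace.
    public static bool HasAllowedRole(string[] userRoles, string allowedList)
    {
        foreach (string allowed in allowedList.Split(','))
        {
            string a = allowed.Trim();
            if (a.Length == 0) continue;
            foreach (string held in userRoles)
                if (string.Compare(held.Trim(), a, true) == 0)
                    return true;
        }
        return false;   // deny by default: an empty allowed list admits nobody
    }
}
```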
Security Issues
  - Authentication √  Who are you?
  - Authorization √  What are you allowed to access?
  - Confidentiality  Hiding content in a volatile environment
  - Integrity  Detecting modification

Encrypted Channel with SSL
  - Secure Sockets Layer provides an encrypted channel for transmitting sensitive data.
  - Recognized by most browsers.
  - Used by all the major sites: Amazon, …
  - Uses 128-bit encryption.

Secure Sockets Layer (SSL)
  - Requires a third-party certificate.
  - You generate a certificate request file using the web server certificate wizard.
  - Send it to a certificate authority, Verisign, … along with a check for $349 (renewed each year for $249).
  - Wait for about three weeks.
  - Install the certificate using the web server certificate wizard.
  - You can generate certificates used only for development.

Requiring SSL
  - SSL is invoked whenever the url prefix is https.
  - You can force users to use SSL by setting directory properties.
  - The virtual directory properties page allows you to require SSL if you have installed a certificate.

Using .Net Encryption
  - You may need to encrypt password files or other sensitive information stored on your site.
  - System.Security.Cryptography
      Public key (asymmetric) algorithms:
        DSA – DSACryptoServiceProvider
        RSA – RSACryptoServiceProvider
      Private key (symmetric) algorithms:
        DES – DESCryptoServiceProvider
        Triple DES, RC2, Rijndael

Using .Net Hashing
  - You may need to ensure that messages or files have not been tampered with.
  - System.Security.Cryptography
      128-bit hash: MD5 – MD5CryptoServiceProvider class
      160-bit hash: SHA1 – SHA1CryptoServiceProvider
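The two uses named on these slides, detecting modification of a file with SHA-1 and encrypting a password file with DES, as an added example that is not from the slides. The file path and its contents are constructed for the demonstration.

```csharp
// Added example, not from the slides. Integrity check of a file with SHA-1 and
// DES encryption of a small secret, using the System.Security.Cryptography
// classes listed above. The file path and contents below are constructed.
using System;
using System.IO;
using System.Security.Cryptography;
using System.Text;
public class CryptoDemo
{
    // Hex-encoded SHA-1 digest of a file. Record it somewhere the web application
    // itself cannot overwrite, then recompute and compare to detect modification.
    public static string HashFile(string path)
    {
        using (FileStream fs = File.OpenRead(path))
        using (SHA1CryptoServiceProvider sha = new SHA1CryptoServiceProvider())
            return BitConverter.ToString(sha.ComputeHash(fs)).Replace("-", "");
    }

    public static bool FileUnchanged(string path, string recordedHex)
    {
        return string.Compare(HashFile(path), recordedHex, true) == 0;
    }

    // Runs input through a DES encryptor or decryptor. Disposing the CryptoStream
    // applies the final padding block and flushes it into the MemoryStream.
    public static byte[] DesTransform(byte[] input, ICryptoTransform transform)
    {
        MemoryStream ms = new MemoryStream();
        using (CryptoStream cs = new CryptoStream(ms, transform, CryptoStreamMode.Write))
            cs.Write(input, 0, input.Length);
        return ms.ToArray();
    }

    public static void Main()
    {
        string path = Path.Combine(Path.GetTempPath(), "passwords.txt");  // constructed
        File.WriteAllText(path, "alice:Registered user\nbob:Premium member\n");
        string digest = HashFile(path);
        File.AppendAllText(path, "mallory:Premium member\n");   // simulate tampering
        Console.WriteLine("file unchanged: " + FileUnchanged(path, digest));

        // A new provider gets a random 8-byte Key and IV. The IV may be stored beside
        // the ciphertext; the key must live outside the web root and source control.
        DESCryptoServiceProvider des = new DESCryptoServiceProvider();
        byte[] plain = Encoding.UTF8.GetBytes(File.ReadAllText(path));
        byte[] cipher = DesTransform(plain, des.CreateEncryptor(des.Key, des.IV));
        byte[] back = DesTransform(cipher, des.CreateDecryptor(des.Key, des.IV));
        Console.WriteLine("round trip ok: " + (Encoding.UTF8.GetString(back) == File.ReadAllText(path)));
    }
}
```

DES, MD5 and SHA-1 were the stock choices when these slides were written but are weak by today's standards; the Rijndael (AES) class listed above and the SHA-2 classes in the same namespace are the current choices, and stored passwords should be hashed with a salt rather than encrypted.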
References
  - Asp Applications & Authentication: Programming .Net, Jeff Prosise, Microsoft Press, 2002
  - Applications, Authentication, SSL: ASP.NET Unleashed, Second Edition, Stephen Walther, SAMS, 2004