Security for Developers: Protecting Application Data
Steven Borg & Richard Hundhausen, Accentient, Inc
Agenda
- Overview
- Storing Private Data: User Passwords, Connection Strings, Local Resources, Isolated Storage
- Database Security: SQL Server 2005 Security
- Wrap Up
Protect Secrets & Offline Data
- One-way hash functions: easy to compute, practically impossible to reverse. You cannot recover the source data from just its hash value! Best for: storing user passwords or other data where comparing hash values is sufficient.
- Strong encryption algorithms: ciphertext can be decrypted only if you know the encryption key. Best for: protecting stored or transmitted data.
Which Technique Should I Use?

I want to: store a user password securely
  Recommendation: Salt + SHA1 (one-way hash). Prepend a random salt to the password before hashing.
  Advantages: no keys to manage.
  Limitations: identical input yields identical hash values; must store the salt.

I want to: protect local user data
  Recommendation: DPAPI (encryption using keys derived from user credentials).
  Advantages: DPAPI manages keys on behalf of the application.
  Limitations: data can't be decrypted by other users, or on other machines.

I want to: encrypt data that will need to be decrypted later
  Recommendation: symmetric encryption algorithms (e.g. Rijndael).
  Advantages: flexible; data can be decrypted by other apps / machines.
  Limitations: application must manage keys and transmit them securely.
Securing Data: User Passwords
Goal: keep user passwords safe, but usable.
Recommendation: Hash(Salt + Password)
Storing a password:
1. Create a unique "salt" for the user
2. Prepend the salt to the password string
3. Hash using SHA1 / MD5
4. Store both the salt and the hash value
To verify, re-hash the salt and password and compare with the stored hash.
Storing Login Passwords
Format: plaintext passwords. Comments: exposes the entire application if the database is compromised.
Format: encrypted passwords. Comments: better than plaintext, but still vulnerable if the decryption key is compromised.
Format: 1-way password hashes. Comments: better than encrypted passwords, but still vulnerable to dictionary attacks.
Format: salted password hashes. Comments: less vulnerable to dictionary attacks.
- Don't store passwords in login databases
- Store password hashes for added security
- Salt hashes to impede dictionary attacks
Generating Password Hashes
Generate a hash using FormsAuthentication:

string hash = FormsAuthentication.HashPasswordForStoringInConfigFile(password, "SHA1");

NO! Use SHA-256 for more security:

// create a stronger hash for more security
byte[] myHash = new SHA256Managed().ComputeHash(data);
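The four storage steps and the verification step above, carried out with SHA-256 as the deck recommends. This is an added example, not code from the deck; the PasswordRecord type and the method names are assumptions, and only .NET Framework 2.0 classes are used.

```csharp
// Added example (not from the deck): salted SHA-256 password storage and
// verification following the deck's four steps. PasswordRecord and the
// method names are assumptions.
using System;
using System.Security.Cryptography;
using System.Text;

public sealed class PasswordRecord
{
    public string Salt;   // base64, stored next to the hash
    public string Hash;   // base64 SHA-256 of (salt bytes + UTF-8 password)
}

public static class PasswordStore
{
    // Step 1: a unique, random salt per user (16 bytes from the CSPRNG).
    private static byte[] NewSalt()
    {
        byte[] salt = new byte[16];
        new RNGCryptoServiceProvider().GetBytes(salt);
        return salt;
    }

    // Steps 2 and 3: prepend the salt to the password, then hash with SHA-256
    // (the deck's "use SHA-256 instead of SHA1 / MD5" advice).
    private static byte[] HashWithSalt(byte[] salt, string password)
    {
        byte[] pwd = Encoding.UTF8.GetBytes(password);
        byte[] input = new byte[salt.Length + pwd.Length];
        Buffer.BlockCopy(salt, 0, input, 0, salt.Length);
        Buffer.BlockCopy(pwd, 0, input, salt.Length, pwd.Length);
        return new SHA256Managed().ComputeHash(input);
    }

    // Step 4: return both salt and hash for storage in the login table.
    public static PasswordRecord Create(string password)
    {
        byte[] salt = NewSalt();
        PasswordRecord rec = new PasswordRecord();
        rec.Salt = Convert.ToBase64String(salt);
        rec.Hash = Convert.ToBase64String(HashWithSalt(salt, password));
        return rec;
    }

    // Verify: re-hash the candidate with the stored salt and compare.
    public static bool Verify(PasswordRecord rec, string candidate)
    {
        byte[] salt = Convert.FromBase64String(rec.Salt);
        byte[] expected = Convert.FromBase64String(rec.Hash);
        byte[] actual = HashWithSalt(salt, candidate);
        // Compare every byte regardless of where the first mismatch is, so
        // the comparison time does not reveal how many leading bytes matched.
        int diff = expected.Length ^ actual.Length;
        for (int i = 0; i < expected.Length && i < actual.Length; i++)
            diff |= expected[i] ^ actual[i];
        return diff == 0;
    }
}
```

Call PasswordStore.Create when the user registers and persist both fields; at login call PasswordStore.Verify with the stored record and the submitted password.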
Securing Data: Connection Strings
- Storing plaintext database connection strings in Web.config is risky: vulnerable to file disclosure attacks
- Storing encrypted database connection strings increases security
- Encrypting connection strings is easy (System.Security.Cryptography classes)
- Key management is not: where do you store the decryption key?
Data Protection API (DPAPI)
- Extends CryptoAPI
- Key is derived from current user credentials
- Uses TripleDES encryption
- Supports entropy: an additional secret used to secure the data to a single application
- Best for: protecting offline data; protecting user-specific configuration data
Diagram: the application (DataProtection.vb) calls DPAPI through CryptoAPI (Crypt32.dll); DPAPI makes local RPC calls into the Local Security Authority (LSA) in the operating system. Plaintext data ("Now is the time for all good...") goes in and ciphertext ("qANQR1DBAsUHIsQEA...") comes out.
Data Protection API (DPAPI)
- Present in Windows 2000 and higher
- Provides strong encryption, automatic key generation, and secure key storage
- Triple-DES encryption
- PKCS #5 key generation
- Two "stores": user store (per-user keys based on profiles) and machine store (per-machine keys with optional entropy values)
Building a DPAPI Library
- .NET FCL 1.x doesn't wrap DPAPI
- See "How to Create a DPAPI Library" for instructions on creating your own library
- Or download from http://blog.accentient.com
- Managed wrapper around DPAPI; handles interop and marshaling for you
- Features a DataProtector class with simple methods named Encrypt and Decrypt
- Supports machine store and user stores
Securing Connection Strings
Description: store encrypted connection strings in Web.config; store the key in an ACLed registry entry. Security: Good
Description: store encrypted connection strings in Web.config; let DPAPI perform key management. Security: Better
Description: store encrypted connection strings in an ACLed registry key; let DPAPI perform key management. Security: Better
Description: store encrypted connection strings in an ACLed registry key; let DPAPI perform key management; use entropy values to harden DPAPI encryption; store the entropy values in an ACLed registry key. Security: Best
Encrypting Connection Strings
Web.config:

<configuration>
  <appSettings>
    <add key="ConnectionString" value="AQNCMnd8BFdERjHoAwE/Cl+sBAAAA..." />
  </appSettings>
</configuration>

Page:

// DPAPI machine store: keys are per-machine, so entropy plus an ACL (see the table above) is what keeps other code on the box out
DataProtector dp = new DataProtector(DataProtector.Store.USE_MACHINE_STORE);
// base64 ciphertext from Web.config
string val = ConfigurationSettings.AppSettings["ConnectionString"];
byte[] data = Convert.FromBase64String(val);
// decrypt with no entropy and recover the plaintext connection string
string connect = Encoding.ASCII.GetString(dp.Decrypt(data, null));
Encrypting and ACLing Connection Strings
Page:

DataProtector dp = new DataProtector(DataProtector.Store.USE_MACHINE_STORE);
// read the base64 ciphertext from the ACLed registry key instead of Web.config
RegistryKey key = Registry.LocalMachine.OpenSubKey("SOFTWARE\\MyWebApp");
string val = (string) key.GetValue("ConnectionString");
byte[] data = Convert.FromBase64String(val);
string connect = Encoding.ASCII.GetString(dp.Decrypt(data, null));

Registry key ACL: Admins: Full; SYSTEM: Full; ASP.NET: Read
Securing a Connection String
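The "Best" row of the table above (ciphertext and entropy in an ACLed registry key, DPAPI machine store) as an added example that is not from the deck. It uses the .NET 2.0 ProtectedData wrapper rather than the deck's DataProtector class; the registry path, value names and the ASP.NET account name passed in are assumptions.

```csharp
// Added example (not from the deck): DPAPI machine store + entropy, with
// ciphertext and entropy kept under an ACLed registry key. KeyPath, the value
// names and the aspNetAccount argument are assumptions.
using System;
using System.Security.AccessControl;
using System.Security.Cryptography;
using System.Text;
using Microsoft.Win32;

public static class ConnectionStringVault
{
    const string KeyPath = @"SOFTWARE\MyWebApp";   // assumed location

    // Install-time (run as an administrator): encrypt with the machine store
    // plus a random entropy value, store both under an ACLed registry key.
    public static void Store(string connectionString, string aspNetAccount)
    {
        byte[] entropy = new byte[32];
        new RNGCryptoServiceProvider().GetBytes(entropy);
        byte[] cipher = ProtectedData.Protect(
            Encoding.UTF8.GetBytes(connectionString), entropy,
            DataProtectionScope.LocalMachine);

        using (RegistryKey key = Registry.LocalMachine.CreateSubKey(KeyPath))
        {
            key.SetValue("ConnectionString", Convert.ToBase64String(cipher));
            key.SetValue("Entropy", Convert.ToBase64String(entropy));

            // ACL from the deck: Administrators and SYSTEM full control,
            // the ASP.NET process account read only; inherited rules dropped.
            RegistrySecurity acl = new RegistrySecurity();
            acl.SetAccessRuleProtection(true, false);
            acl.AddAccessRule(new RegistryAccessRule("BUILTIN\\Administrators",
                RegistryRights.FullControl, AccessControlType.Allow));
            acl.AddAccessRule(new RegistryAccessRule("NT AUTHORITY\\SYSTEM",
                RegistryRights.FullControl, AccessControlType.Allow));
            acl.AddAccessRule(new RegistryAccessRule(aspNetAccount,
                RegistryRights.ReadKey, AccessControlType.Allow));
            key.SetAccessControl(acl);
        }
    }

    // Run-time (page or data layer): read and decrypt. Decryption fails on
    // another machine or with a different entropy value, which is the point.
    public static string Load()
    {
        using (RegistryKey key = Registry.LocalMachine.OpenSubKey(KeyPath))
        {
            if (key == null)
                throw new InvalidOperationException("connection string not installed");
            byte[] cipher = Convert.FromBase64String((string)key.GetValue("ConnectionString"));
            byte[] entropy = Convert.FromBase64String((string)key.GetValue("Entropy"));
            byte[] plain = ProtectedData.Unprotect(cipher, entropy,
                DataProtectionScope.LocalMachine);
            return Encoding.UTF8.GetString(plain);
        }
    }
}
```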
Securing Data: Local Resources
What is a local resource?
- Files and file system
- Registry information
- User interface elements
- Clipboard
- Network access (e.g. Web, sockets)
- Performance counters, event logs
- Printing, and more
Windows controls access using ACLs; .NET controls access with Code Access Security.

Code Access Security
- Provides fine-grained access control to resources
- Applications can run with "just enough" permissions. For example: applications which don't perform any file IO run without File IO Permission
- Grants access to resources based on the identity of the code, not the user
- Uses evidence to determine code identity
- Uses policy to evaluate the evidence to determine which permissions will be granted to the application
- Evidence + Policy = Permissions
Flowchart: load assembly -> gather evidence (hash, strong name, publisher, zone, URL) -> evaluate policy at the Enterprise, Machine, User and AppDomain levels -> grant permission sets (yielding permissions). When the assembly performs a privileged operation it demands the permission: if granted, continue with the privileged operation (or access the resource); if not, throw a SecurityException.
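The demand-and-SecurityException path in the flowchart, shown from the code's side as an added example (not from the deck). PermitOnly narrows the current frame to a permission set without FileIOPermission, so the framework's own demand during the file open fails; the file path is an assumption.

```csharp
// Added example (not from the deck): running with "just enough" permissions.
// PermitOnly restricts this frame to the permission set given, so the
// FileIOPermission demand made by FileStream fails with SecurityException.
// The settings path is an assumption.
using System;
using System.IO;
using System.Security;
using System.Security.Permissions;

public static class LeastPrivilegeDemo
{
    // Returns true if CAS blocked the read, false if the read went through.
    public static bool ReadIsBlockedWithoutFileIOPermission(string path)
    {
        // Permission set containing only the right to execute code,
        // no FileIOPermission at all.
        PermissionSet justEnough = new PermissionSet(PermissionState.None);
        justEnough.AddPermission(
            new SecurityPermission(SecurityPermissionFlag.Execution));

        // From here on any Demand not covered by justEnough fails, even
        // though the assembly itself may have been granted FullTrust.
        justEnough.PermitOnly();
        try
        {
            File.ReadAllText(path);   // FileStream demands FileIOPermission
            return false;
        }
        catch (SecurityException)
        {
            return true;
        }
        finally
        {
            CodeAccessPermission.RevertPermitOnly();
        }
    }

    // Declarative form: the CLR demands read access to the path before the
    // method body runs; if the demand fails the file is never opened.
    [FileIOPermission(SecurityAction.Demand, Read = @"C:\MyApp\settings.xml")]
    public static string ReadSettings()
    {
        return File.ReadAllText(@"C:\MyApp\settings.xml");
    }
}
```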
Isolated Storage
- Provides a virtual file system
- Allows quotas
- Implements file system isolation based on application identity and user identity

IsolatedStorageFile isoStore = IsolatedStorageFile.GetUserStoreForAssembly();
Isolated Storage
- Apps often need to write some data locally, and, perhaps, even leave it there
- What should we use? Registry? No. File system? Maybe for documents. Isolated storage? Yes!
- Isolated Storage allows a trusted assembly to store data on a client machine
- Standard file IO operations are not used
- Permission to access the local file system is not required
Isolated Storage
- A virtual file system: may have its own folder structure; files may have data of almost any kind
- Data is kept in a "Store"
- Stores are isolated by scope: can be by assembly, domain, user...
- Size may be limited by setting a quota
- Physical location is managed by the system and depends on the OS, but typically the Documents and Settings or Profiles etc. folders
- If you have roaming profiles, Isolated Storage will roam with the user to each computer they access
Isolated Storage Practices
Use isolated storage to store:
- User settings
- Data caches
- Queued information waiting for a connection to submit to a web service
Do not use isolated storage for:
- User documents that they may need to find with Windows Explorer
- Secret information. Isolated storage is not encrypted, so don't store plaintext passwords.

Isolated Storage
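One of the recommended uses above, a queue of records waiting for a web service, written against the user+assembly store so no FileIOPermission is needed. This is an added example, not code from the deck; the folder and file naming are assumptions, and nothing secret goes into the store.

```csharp
// Added example (not from the deck): an outbox queue in isolated storage.
// The store is scoped to user + assembly, so no FileIOPermission is needed.
// Folder and file naming are assumptions; records hold no secrets.
using System;
using System.Collections.Generic;
using System.IO;
using System.IO.IsolatedStorage;

public static class OutboxQueue
{
    const string Folder = "outbox";

    // Append one record as its own file; the name sorts by creation time.
    public static string Enqueue(string record)
    {
        using (IsolatedStorageFile store = IsolatedStorageFile.GetUserStoreForAssembly())
        {
            store.CreateDirectory(Folder);
            string name = Folder + "/" + DateTime.UtcNow.Ticks.ToString("D19") + ".txt";
            using (IsolatedStorageFileStream fs = new IsolatedStorageFileStream(
                name, FileMode.CreateNew, FileAccess.Write, store))
            using (StreamWriter w = new StreamWriter(fs))
            {
                w.Write(record);
            }
            return name;
        }
    }

    // Everything still waiting, oldest first, left in place: the caller
    // removes a record only after the web service has accepted it.
    public static List<KeyValuePair<string, string>> Pending()
    {
        List<KeyValuePair<string, string>> items = new List<KeyValuePair<string, string>>();
        using (IsolatedStorageFile store = IsolatedStorageFile.GetUserStoreForAssembly())
        {
            string[] names = store.GetFileNames(Folder + "/*.txt");
            Array.Sort(names);
            foreach (string n in names)
            {
                string path = Folder + "/" + n;
                using (IsolatedStorageFileStream fs = new IsolatedStorageFileStream(
                    path, FileMode.Open, FileAccess.Read, store))
                using (StreamReader r = new StreamReader(fs))
                {
                    items.Add(new KeyValuePair<string, string>(path, r.ReadToEnd()));
                }
            }
        }
        return items;
    }

    public static void Remove(string path)
    {
        using (IsolatedStorageFile store = IsolatedStorageFile.GetUserStoreForAssembly())
        {
            store.DeleteFile(path);
        }
    }
}
```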
Secure the Database
- Use the least-privileged account possible to connect to the database
- Limit access privileges to stored procedures only
- If stored procedures can't be used, use type-safe parameters to construct commands
- Protect connection strings as secrets
- Encrypt sensitive data to be retrieved from the database using strong symmetric encryption. Then, encrypt the symmetric encryption keys with DPAPI, and store these in a restricted registry key
Tip: Different Logins by Task
- "sa" (or equivalent domain account): database server administrator; used to create the database only
- "dbo": owner (dbo) of the application database; used for application development only (modify schema, create stored procedures)
- "IVUser": locked-down account used by middle-tier components to access the stored procedures
SQL Server 2005 Security
Many security improvements:
- User passwords
- Key management
- Encryption / decryption
- Schemas
User Passwords
- User passwords can be forced to abide by the Active Directory password strength rules

Key Management
- Encryption keys can be stored in the database: symmetric keys and asymmetric keys
- Encryption keys are used for data encryption (symmetric keys) and for validation of unsafe assemblies (asymmetric keys)
- A MASTER KEY must be defined before symmetric keys; it is used to encrypt other symmetric keys
Encryption and Decryption
- SQL Server 2005 improves encryption and decryption: can encrypt by certificate, by key, or by pass phrase
- Encryption can be used to secure column values, e.g. credit card numbers
Schemas
- SQL Server 2005 allows multiple schemas in a database; schemas exist independent of users
- The schema name can be substituted for the user name in object names, which eases database management when personnel change
- Objects in a schema cannot be "inventoried" by public: names are secure, preventing a typical step in a compromise
Create Schema With Name
- CREATE SCHEMA name creates a schema whose name is stored in sys.schemas
- Like other DDL, permission is required to use it
- Example: Research.Scientist
- Like other objects, a schema has an owner (AUTHORIZATION); the owner can be a user, role, or approle
SQL Server Permissions
- Users that are not the schema owner must have permissions; permissions are granted to a user, role, or approle with the GRANT, REVOKE, DENY DDL verbs
- Permission can be granted to use DDL: CREATE, GRANT with GRANT option
- Permissions can be granted on objects directly: SELECT, INSERT, UPDATE, DELETE
- Permissions can be granted to code that accesses objects

SQL Server 2005 Security
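The "Secure the Database" advice and the SQL Server 2005 features above (schema with an owner, master key, certificate, symmetric key, EncryptByKey on a column) driven from ADO.NET, as an added example that is not from the deck. The dbo connection runs the one-time setup; the locked-down IVUser login from the tip above can only execute the procedure, through type-safe parameters. Object names, the master key password and how the two connections are obtained are assumptions.

```csharp
// Added example (not from the deck): SQL Server 2005 column encryption and
// schema/permission setup run from C#. Object names and the master key
// password are assumptions; IVUser is the deck's locked-down login.
using System;
using System.Data;
using System.Data.SqlClient;

public static class CardStore
{
    // Each statement is its own batch: CREATE SCHEMA and CREATE PROCEDURE
    // must each be alone in a batch.
    static readonly string[] Setup = {
        "CREATE SCHEMA Billing AUTHORIZATION dbo",
        "CREATE MASTER KEY ENCRYPTION BY PASSWORD = 'Str0ng-pass-from-installer!'",
        "CREATE CERTIFICATE CardCert WITH SUBJECT = 'Billing card numbers'",
        "CREATE SYMMETRIC KEY CardKey WITH ALGORITHM = AES_256 " +
            "ENCRYPTION BY CERTIFICATE CardCert",
        "CREATE TABLE Billing.Card (CustomerId int PRIMARY KEY, CardNumber varbinary(256))",
        // EXECUTE AS OWNER: opening the key needs permissions on the key and
        // certificate that ownership chaining does not cover, and IVUser is
        // never granted them directly.
        "CREATE PROCEDURE Billing.StoreCard @CustomerId int, @Card nvarchar(20) " +
            "WITH EXECUTE AS OWNER AS " +
            "OPEN SYMMETRIC KEY CardKey DECRYPTION BY CERTIFICATE CardCert; " +
            "INSERT INTO Billing.Card (CustomerId, CardNumber) " +
            "VALUES (@CustomerId, EncryptByKey(Key_GUID('CardKey'), @Card)); " +
            "CLOSE SYMMETRIC KEY CardKey;",
        // The middle tier sees only the procedure, never the table.
        "GRANT EXECUTE ON Billing.StoreCard TO IVUser"
    };

    // One-time setup, run over a connection opened as dbo.
    public static void RunSetup(SqlConnection dboConnection)
    {
        foreach (string sql in Setup)
            using (SqlCommand cmd = new SqlCommand(sql, dboConnection))
                cmd.ExecuteNonQuery();
    }

    // Called by the middle tier over a connection opened as IVUser:
    // type-safe parameters, so the card string is never spliced into SQL text.
    public static int StoreCard(SqlConnection ivUserConnection, int customerId, string card)
    {
        using (SqlCommand cmd = new SqlCommand("Billing.StoreCard", ivUserConnection))
        {
            cmd.CommandType = CommandType.StoredProcedure;
            cmd.Parameters.Add("@CustomerId", SqlDbType.Int).Value = customerId;
            cmd.Parameters.Add("@Card", SqlDbType.NVarChar, 20).Value = card;
            return cmd.ExecuteNonQuery();
        }
    }
}
```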
Wrap Up
- Hash passwords for storage
- Don't be afraid of DPAPI (NCrypto from SourceForge)
- Use ACLs to control access to local resources
- Use Isolated Storage for partially trusted code (i.e., Web) and for user convenience and light security
- Use database security best practices
Resources
Steve’s Blog: http://blog.accentient.com
Rich’s Blog: http://blog.hundhausen.com
Security Book / Wiki: http://www.winsecguide.net
DPAPI: http://sourceforge.net/projects/ncrypto/
SQL Server 2005: http://www.microsoft.com/sql/2005/default.asp
© 2005 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.