Remotely authenticating against the Service Framework.

Slides:

Advertisements

Similar presentations

AUTHENTICATION AND KEY DISTRIBUTION

Advertisements

Kerberos 1 Public domain image of Heracles and Cerberus. From an Attic bilingual amphora, 530–520 BC. From Italy (?).

Building web applications on top of encrypted data using Mylar Presented by Tenglu Liang Tai Liu.

Kerberized Credential Translation Olga Kornievskaia Peter Honeyman Bill Doster Kevin Coffman Center for Information Technology Integration University of.

Socket Layer Security. In this Presentation: need for web security SSL/TLS transport layer security protocols HTTPS secure shell (SSH)

Topic 8: Secure communication in mobile devices. Choice of secure communication protocols, leveraging SSL for remote authentication and using HTTPS for.

Digital Signatures and Hash Functions. Digital Signatures.

CMPE208 Presentation Terminal Access Controller Access Control System Plus (TACACS+) By MARVEL (Libing, Bhavana, Ramya, Maggie, Nitin)

Environmental Council of States Network Authentication and Authorization Services The Shared Security Component February 28, 2005.

Core Web Service Security Patterns

 Key exchange o Kerberos o Digital certificates  Certificate authority structure o PGP, hierarchical model  Recovery from exposed keys o Revocation.

It’s always better live. MSDN Events Security Best Practices Part 2 of 2 Reducing Vulnerabilities using Visual Studio 2008.

WEB2P security Java web application security Dr Jim Briggs.

ASP.NET 2.0 Chapter 6 Securing the ASP.NET Application.

TrustPort Public Key Infrastructure. Keep It Secure Table of contents  Security of electronic communications  Using asymmetric cryptography.

Cookies COEN 351 E-commerce Security. Client / Session Identification HTTP does not maintain state. State Information can be passed using: HTTP Headers.

CRYPTOGRAPHIC DATA INTEGRITY ALGORITHMS

Chapter 8.  Cryptography is the science of keeping information secure in terms of confidentiality and integrity.  Cryptography is also referred to as.

Alexander Potapov.  Authentication definition  Protocol architectures  Cryptographic properties  Freshness  Types of attack on protocols  Two-way.

CSCI 6962: Server-side Design and Programming

Chapter 31 Network Security

Ins and Outs of Authenticating Users Requests to IIS 6.0 and ASP.NET Chris Adams Program Manager IIS Product Unit Microsoft Corporation.

.Net Security and Performance -has security slowed down the application By Krishnan Ganesh Madras.

Session 11: Security with ASP.NET

Lecture 14 – Web Security SFDV3011 – Advanced Web Development 1.

SSL and https for Secure Web Communication CSCI 5857: Encoding and Encryption.

SSL / TLS in ITDS Arun Vishwanathan 23 rd Dec 2003.

©2008 Gotham Digital Science Secure Parameter Filter (SPF) (AKA Protecting Vulnerable Applications with IIS7) Justin Clarke, Andrew Carey Nairn.

Behzad Akbari Spring 2012 (These slides are based on lecture slides by Lawrie Brown)

© FPT SOFTWARE – TRAINING MATERIAL – Internal use 04e-BM/NS/HDCV/FSOFT v2/3 Securing a Microsoft ASP.NET Web Application.

Protecting Internet Communications: Encryption  Encryption: Process of transforming plain text or data into cipher text that cannot be read by anyone.

Security Protocols and E-commerce University of Palestine Eng. Wisam Zaqoot April 2010 ITSS 4201 Internet Insurance and Information Hiding.

BetterAuth: Web Authentication Revisited Martin Johns, Sebastian Lekies, Bastian Braun, Benjamin Flesch In ACSAC /01/08 A.C. ADL.

Chapter 21 Distributed System Security Copyright © 2008.

1 Securing Data and Communication. 2 Module - Securing Data and Communication ♦ Overview Data and communication over public networks like Internet can.

SEC835 Runtime authentication Secure session management Secure use of cryptomaterials.

Strong Security for Distributed File Systems Group A3 Ka Hou Wong Jahanzeb Faizan Jonathan Sippel.

Department of Computer Science & Engineering San Jose State University

Middleware for Secure Environments Presented by Kemal Altıntaş Hümeyra Topcu-Altıntaş Osman Şen.

Csci5233 computer security & integrity 1 Cryptography: an overview.

1 Robust Defenses for Cross-Site Request Forgery Adam Barth, Collin Jackson, John C. Mitchell Stanford University 15th ACM CCS.

Ins and Outs of Authenticating Users Requests to IIS 6.0 and ASP.NET Chris Adams Program Manager IIS Product Unit Microsoft Corporation.

CS 4244: Internet Programming Security 1.0. Introduction Client identification and cookies Basic Authentication Digest Authentication Secure HTTP.

Authentication Issues and Solutions CSCI 5857: Encoding and Encryption.

31.1 Chapter 31 Network Security Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display.

MEMBERSHIP AND IDENTITY Active server pages (ASP.NET) 1 Chapter-4.

Securing Passwords Against Dictionary Attacks Presented By Chad Frommeyer.

By Sandeep Gadi 12/20/  Design choices for securing a system affect performance, scalability and usability. There is usually a tradeoff between.

Web2.0 Secure Development Practice Bruce Xia

Securing Angular Apps Brian Noyes

Esri UC 2014 | Demo Theater | Using ArcGIS Online App Logins in Node.js James Tedrick.

© Copyright 2009 SSLPost 01. © Copyright 2009 SSLPost 02 a recipient is sent an encrypted that contains data specific to that recipient the data.

Dos and Don’ts of Client Authentication on the Web Kevin Fu, Emil Sit, Kendra Smith, Nick Feamster Presented: Jesus F. Morales.

COEN 350: Network Security E-Commerce Issues. Table of Content HTTP Authentication Cookies.

WEB-API & MVC5 - Identity & Security Mait Poska & Andres Käver, IT Kolledž 2014.

9.2 SECURE CHANNELS JEJI RAMCHAND VEDULLAPALLI. Content Introduction Authentication Message Integrity and Confidentiality Secure Group Communications.

 Encryption provides confidentiality  Information is unreadable to anyone without knowledge of the key  Hashing provides integrity  Verify the integrity.

Secure Instant Messenger in Android Name: Shamik Roy Chowdhury.

#SummitNow Consuming OAuth Services in Alfresco Share Alfresco Summit 2013 Will Abson

Cryptography CSS 329 Lecture 13:SSL.

CRYPTOGRAPHY Cryptography is art or science of transforming intelligible message to unintelligible and again transforming that message back to the original.

Web Applications Security Cryptography 1

Phil Hunt, Hannes Tschofenig

Secure Sockets Layer (SSL)

WEB-API & MVC5 - Identity & Security

An Introduction to Web Application Security

Office 365 Development.

CS5220 Advanced Topics in Web Programming Secure REST API

Presentation transcript:

Remotely authenticating against the Service Framework

Cathal Connolly Senior Engineer DNN Corporation Head of the security team Asp.net MVP

What’s available today? DNN offer authentication via MessageHandlers

What’s a message handler? A message handler is a class that receives an HTTP request and returns an HTTP response. Message handlers derive from the abstract HttpMessageHandler class. Typically, a series of message handlers are chained together. The first handler receives an HTTP request, does some processing, and gives the request to the next handler. At some point, the response is created and goes back up the chain. This pattern is called a delegating handler.

Authentication Handlers Immediately after the context is determined the various authentication message handlers run. If the request is already authenticated the subsequent handlers each short circuit and do nothing. If a valid web forms cookie is present in the request then ASP.Net will have already authenticated the request before any of the WebAPI handlers runs. The order of the handlers is not particularly important as long as the WebFormsAuthMessageHandler always runs last. (this handler does a MembershipModule.AuthenticateRequest which completes the authentication within the DNN framework. There is no short circuit for this handler and it will always run.

Basic Authentication

Basic - How it works? HTTP Basic authentication implementation is the simplest technique for enforcing access controls to web resources because it doesn't require cookies, session identifier or login pages. HTTP Basic authentication uses static, standard HTTP headers which means that no handshakes have to be done in anticipation. There are some browser extensions to invalidate requests – but not reliable.

Basic Authentication DEMO

Basic - Pro’s and Con’s Pro’s Simple to implement Works with anything that “talks” HTTP Con’s Requires username and password in calling application Unprotected unless under TLS

Digest Authentication

Digest - How it works? Digest authentication is an application of MD5 cryptographic hashing with usage of nonce values to prevent replay attacks. Designed to be stronger than Basic as it doesn’t send the password in plain text, but rather a hash that is compared on the server end Sent as a customer authentication header, the values are parsed and verified and if valid the user is logged on.

Digest- Pro’s and Con’s Pro’s Better than basic as only a password digest is passed Simple to invoke from client script as javascript can generate MD5 Con’s Requires retrievable passwords so wont work in default DNN (unless passwordFormat changed) Wont work in FIPS environment MD5 is easily crackable Username is still clear Really needs TLS to be viable

WebForms Authentication The standard forms authentication cookie based authentication. Also act’s to correctly “login” authenticated principles Note: remote client’s can utilise this by storing cookies in a container and “scraping” the relevant page to ensure event validation is in place.

What’s coming in now uses WebAPI 2.1 which allows us to utilise Authentication Attributes will ship with two new ones HMAC OAUTH 2.0 An easy extension point for new authentication methods. As authentication happens before authorization, it can reuse existing authorization attributes (where applicable to auth scheme)

HMAC Authentication

HMAC- How it works? Mechanism for calculating a MAC using a hash function with a shared “secret” key. In cryptography, a keyed-hash message authentication code (HMAC) is a specific construction for calculating a message authentication code (MAC) involving a cryptographic hash function in combination with a secret cryptographic key. As with any MAC, it may be used to simultaneously verify both the data integrity and the authentication of a message.

HMAC –integrity & authenticity An altered message can cause the message recipient to behave in an unintended and undesired way. The message recipient should verify that the incoming message has not been tampered with. An attacker could pose as a legitimate sender and send falsified messages. The message recipient should verify that incoming messages originated from a legitimate sender. Due to requests being verifiable there is no need to worry about cross-site request forgery.

HMAC- How it works? We use a symmetric signature i.e. a single shared “secret” key, rather than an asymmetric signature (which would require a public/private key pair)

HMAC- How it works? Add a custom authorization header that contains the AppID, message signature, nonce and timestamp. The nonce is a unique value and specifically to stop replay attacks (unlike digest where it may be a simple timestamp). DNN will cache this nonce value for 5 minutes and any attempt to replay a request with a previously used nonce will fail. The timestamp is a unix timestamp is generated and used as part of the key. The server evaluates when it is processing it that it is within a predetermined timeframe. The AppId will be used to look up the AppSecret associated with that account and attempt to parse/validate the signature.

HMAC- Pro’s and Con’s Pro’s No requirement for TLS No sensitive data is viewable Mechanism also verifies integrity as well as authentication. Choice of hashing algorithm (MD5, SHA1, SHA256) – DNN’s implementation is SHA256 to maximise security and allow it to work in a FIPS environment Con’s Requires AppId and AppSecret to be generated and added to the remote application

HMAC Authentication DEMO

OAUTH Authentication Not OAUTH Client support – this already exists and is leveraged by a number of authentication providers will be adding OAUTH Server support.

Authorization Code Grant flow The authorization code grant type is the most commonly used because it is optimized for server-side applications, where source code is not publicly exposed, and Client Secret confidentiality can be maintained. This is a redirection-based flow, which means that the application must be capable of interacting with the user-agent (i.e. the user's web browser) and receiving API authorization codes that are routed through the user-agent.

Implicit Grant flow The implicit grant type is used for mobile apps and web applications (i.e. applications that run in a web browser), where the client secret confidentiality is not guaranteed. The implicit grant type is also a redirection-based flow but the access token is given to the user-agent to forward to the application, so it may be exposed to the user and other applications on the user's device. Also, this flow does not authenticate the identity of the application, and relies on the redirect URI (that was registered with the service) to serve this purpose

OAUTH Authentication NO DEMO – hopefully CTP3

Questions?