Configure authentication

  • Authenticating users

    • IIS authentication

      • Anonymous
      • ASP.net impersonation
      • Basic

        transmits the username/password between client and server Base64-encoded but not encrypted.
      • Digest

        the username/password are encrypted rather than sent in clear text
      • Forms

        1: does not use the built-in Windows security system

        2: use FormsAuthentication.SetAuthCookie to make the authentication token available for the rest of the session.
      • Windows

        supported only in Microsoft browsers

        uses NTLM/Kerberos

        straightforward and easy to implement, especially on an intranet.
      • ASP.net impersonation authentication

        independent of the authentication mode configured in the Web.config file
    • System.Security.Principal.IPrincipal / System.Security.Principal.IIdentity

    • WindowsIdentity/WindowsPrincipal
    • FormsIdentity/GenericPrincipal
    • GenericIdentity/GenericPrincipal

    use the AuthorizeAttribute to enforce authentication

    • Form authentication + SimpleMembership + WebSecurity

      Windows authentication

      • use Active Directory to manage users
      • all users are members of your domain
      • requires users to use IE or another Microsoft browser

      Form authentication

      • use the standard ASP.net membership provider db schema or your own

      Custom authentication

      • create a custom provider by implementing IIdentity or IPrincipal to interact with the underlying authentication mechanism
  • Manage user session by cookies

FormsAuthenticationTicket authTicket = new FormsAuthenticationTicket(
    1,                              // ticket version
    userName,
    DateTime.Now,                   // issue date
    DateTime.Now.AddDays(90),       // expiration
    createPersistentCookie,         // a Boolean indicating whether a cookie
                                    // should be created on the user's machine
    String.Join(";", rolesArr));    // user's roles, carried in the ticket's UserData
// encrypt and MAC the ticket, then add the cookie to the response stream
string encTicket = FormsAuthentication.Encrypt(authTicket);
System.Web.HttpCookie authCookie = new System.Web.HttpCookie(FormsAuthentication.FormsCookieName, encTicket);
System.Web.HttpContext.Current.Response.Cookies.Add(authCookie);
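The other half of the cookie-based session above, added here as an example that is not part of the original notes: a Global.asax handler that decrypts the forms-authentication cookie on each request and rebuilds the IPrincipal (FormsIdentity + GenericPrincipal) with the roles stored in the ticket's UserData, so that User.IsInRole and [Authorize(Roles = "...")] see them. The class name MvcApplication and the ";"-separated role format are assumed to match the code above.

```csharp
using System;
using System.Security.Principal;
using System.Threading;
using System.Web;
using System.Web.Security;

public class MvcApplication : HttpApplication
{
    // Runs after FormsAuthenticationModule has set a principal that carries no roles
    protected void Application_PostAuthenticateRequest(object sender, EventArgs e)
    {
        HttpCookie authCookie = Request.Cookies[FormsAuthentication.FormsCookieName];
        if (authCookie == null || string.IsNullOrEmpty(authCookie.Value))
        {
            return; // anonymous request: keep the default unauthenticated principal
        }

        FormsAuthenticationTicket ticket;
        try
        {
            // Decrypt also checks the ticket's MAC, so a tampered cookie is rejected here
            ticket = FormsAuthentication.Decrypt(authCookie.Value);
        }
        catch (ArgumentException) { return; } // malformed cookie value: treat as anonymous
        catch (HttpException) { return; }     // MAC validation failed: treat as anonymous

        if (ticket == null || ticket.Expired)
        {
            return;
        }

        // Roles were stored as "role1;role2" in UserData when the ticket was issued (assumed format)
        string[] roles = ticket.UserData.Split(new[] { ';' }, StringSplitOptions.RemoveEmptyEntries);

        // FormsIdentity + GenericPrincipal is what User.IsInRole and [Authorize(Roles = "...")] consult
        var principal = new GenericPrincipal(new FormsIdentity(ticket), roles);
        HttpContext.Current.User = principal;
        Thread.CurrentPrincipal = principal;
    }
}
```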
  • Configuring membership providers

    • use the SimpleMembershipProvider/WebSecurity helper classes
  • Creating custom membership providers

    • ActiveDirectoryProvider for apps that use Windows authentication
    • SqlMembershipProvider for forms authentication

Configure and apply authorization

  • create roles
  • configure roles

    configure a SQL membership role provider in the Web.config file

    use InitializeDatabaseConnection(...) for the SimpleMembershipProvider with SimpleRole.
  • Authorizing roles programmatically
    • applying Authorize attribute
    • check in code via the following:

      • RoleProvider.GetRolesForUser, RoleProvider.IsUserInRole, HttpContext.User.IsInRole
      • WebSecurity.RequireRoles(...)
  • creating custom role providers
  • Implementing WCF service authorization

Design and implement claims-based authentication across federated identity stores

  • Implementing federated authentication by using Windows Azure Access Control Service (ACS)

    ACS features include:

    • integrates with Windows Identity Foundation (WIF)
    • supports well-known identity providers such as Facebook, Microsoft account, Yahoo and Google
    • supports Active Directory Federation Services (ADFS) 2.0
    • supports the OAuth 2.0, WS-Trust and WS-Federation protocols
    • supports various token formats, including JSON Web Token (JWT), Security Assertion Markup Language (SAML) and Simple Web Token (SWT)
    • provides a web-based management portal

  • Creating a custom security token by using WIF
  • Handling token formats for SAML and SWT tokens

Manage data integrity

  • encryption terminology

    • Encryption: DES, AES
    • Hashing: MD5, SHA
    • Salting
  • Applying encryption to application data

    • Symmetric: AES, DES, RC2, Rijndael, TripleDES
    • Asymmetric: DSA, ECDiffieHellman, ECDsa, RSA
// encrypt: assumes that the key and initialization vector are already configured
using (RijndaelManaged rijndaelManaged = new RijndaelManaged())
using (CryptoStream cryptoStream = new CryptoStream(myManagedStream, rijndaelManaged.CreateEncryptor(), CryptoStreamMode.Write))
{
    // plaintext written to cryptoStream comes out of myManagedStream as ciphertext
}

// decrypt: the same key and IV must be configured on this side
using (RijndaelManaged rijndaelManaged = new RijndaelManaged())
using (CryptoStream cryptoStream = new CryptoStream(myManagedStream, rijndaelManaged.CreateDecryptor(), CryptoStreamMode.Read))
{
    // ciphertext read from myManagedStream comes out of cryptoStream as plaintext
}
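The snippet above leaves the key and IV "already configured"; as an added example that is not part of the original notes, here is a complete round trip with Aes.Create() (the same AES/Rijndael algorithm) that takes the key from the caller, generates a fresh random IV per message and prepends it to the ciphertext so the decryptor can read it back. The class and method names are assumed for illustration.

```csharp
using System;
using System.IO;
using System.Security.Cryptography;
using System.Text;

public static class SymmetricProtector
{
    public static byte[] Encrypt(byte[] key, string plaintext)
    {
        using (Aes aes = Aes.Create())
        using (MemoryStream output = new MemoryStream())
        {
            aes.Key = key;                           // 16, 24 or 32 bytes, from a key store, never hard-coded
            aes.GenerateIV();                        // fresh random IV per message; never reuse one with the same key
            output.Write(aes.IV, 0, aes.IV.Length);  // the IV is not secret, so it can travel with the ciphertext

            using (ICryptoTransform encryptor = aes.CreateEncryptor())
            using (CryptoStream cryptoStream = new CryptoStream(output, encryptor, CryptoStreamMode.Write))
            {
                byte[] data = Encoding.UTF8.GetBytes(plaintext);
                cryptoStream.Write(data, 0, data.Length);
                cryptoStream.FlushFinalBlock();      // emits the last, padded block
            }
            return output.ToArray();                 // ToArray still works after the stream is closed
        }
    }

    // Reverse of Encrypt: read the IV back from the front, then decrypt the rest
    public static string Decrypt(byte[] key, byte[] ivAndCiphertext)
    {
        using (Aes aes = Aes.Create())
        {
            int ivLength = aes.BlockSize / 8;        // 16 bytes for AES
            byte[] iv = new byte[ivLength];
            Array.Copy(ivAndCiphertext, 0, iv, 0, ivLength);
            aes.Key = key;
            aes.IV = iv;
            using (ICryptoTransform decryptor = aes.CreateDecryptor())
            using (MemoryStream input = new MemoryStream(ivAndCiphertext, ivLength, ivAndCiphertext.Length - ivLength))
            using (CryptoStream cryptoStream = new CryptoStream(input, decryptor, CryptoStreamMode.Read))
            using (StreamReader reader = new StreamReader(cryptoStream, Encoding.UTF8))
            {
                // A wrong key or damaged ciphertext normally surfaces as a CryptographicException on the
                // final block; CBC alone gives no tamper detection, so pair it with an HMAC for integrity
                return reader.ReadToEnd();
            }
        }
    }
}
```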
  • Applying encryption to the configuration sections of an application

    • DPAPIProtectedConfigurationProvider
    • RsaProtectedConfigurationProvider: allows export/import of the keys used for encryption/decryption
    • use aspnet_regiis to encrypt/decrypt sections of the Web.config file.
  • Signing application data to prevent tampering

// sign: create the hash code of the text to sign, then sign the hash with the DSA private key
SHA1 sha = SHA1.Create();
byte[] hashcode = sha.ComputeHash(TextToConvert);
DSA dsa = DSA.Create(); // generates a new key pair; its public part must reach the verifier
byte[] signature = dsa.CreateSignature(hashcode);

// verify: create the hash code of the text to verify and check the signature with the signer's public key
byte[] hashToVerify = sha.ComputeHash(TextToVerify);
// a second bare DSA.Create() would hold an unrelated key and always fail verification,
// so the verifier imports the signer's public parameters (false = no private parameters)
DSA verifier = DSA.Create();
verifier.ImportParameters(dsa.ExportParameters(false));
bool isSignatureValid = verifier.VerifySignature(hashToVerify, signature);

Implement a secure site with ASP.NET

  • Securing communication by applying SSL/TLS certificates

    set up the site with a certificate and HTTPS

  • Salt and hash passwords for storage

  • Using HTML encoding to prevent cross-site scripting attacks (AntiXSS Library)

    • use @Html.Encode()
    • encode the data before saving it to the db
    • use the AntiXSS library from NuGet
  • Implementing deferred validation and handling unvalidated requests

  • Preventing SQL injection attacks by parameterizing queries
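
The parameterization the bullet above recommends, as an added example that is not part of the original notes: the same lookup written with string concatenation (the defect) and with a typed SqlParameter (the fix). The Users table, UserName column and class name are assumed for illustration.

```csharp
using System.Data;
using System.Data.SqlClient;

public static class UserRepository
{
    // Defective: the user-controlled value becomes part of the SQL text, so a quote
    // character in userName changes the statement instead of being matched as data
    public static bool UserExistsUnsafe(SqlConnection conn, string userName)
    {
        string sql = "SELECT COUNT(*) FROM Users WHERE UserName = '" + userName + "'";
        using (var cmd = new SqlCommand(sql, conn))
        {
            return (int)cmd.ExecuteScalar() > 0;
        }
    }

    // Fixed: the SQL text is constant and the value is bound as a typed parameter,
    // so whatever userName contains is compared as data and never parsed as SQL
    public static bool UserExists(SqlConnection conn, string userName)
    {
        const string sql = "SELECT COUNT(*) FROM Users WHERE UserName = @userName";
        using (var cmd = new SqlCommand(sql, conn))
        {
            cmd.Parameters.Add("@userName", SqlDbType.NVarChar, 256).Value = userName;
            return (int)cmd.ExecuteScalar() > 0;
        }
    }
}
```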

  • Preventing cross-site request forgeries (XSRFs)

[RequireSession]                // custom attribute from the notes' own project
[AcceptVerbs(HttpVerbs.Post)]   // equivalent to [HttpPost]; one of the two is enough
[HttpPost]
[ValidateAntiForgeryToken]      // rejects the POST unless the hidden token matches the anti-forgery cookie
public ActionResult Login(string username, string password, string remember, string deviceToken, string apid)
{
    // ... authenticate the user and redirect ...
    return View();
}
@using (Html.BeginForm("Login", "Authorize"))
{
    @Html.AntiForgeryToken()    // emits the hidden __RequestVerificationToken field and sets the cookie
}

Internally, the token in the hidden form field is validated against a matching token stored in a cookie, so a forged cross-site request that lacks the field fails the check.
