Asp.Net SecurityAsp.Net SecurityJim FawcettJim FawcettCSE686 – Internet ProgrammingCSE686 – Internet ProgrammingSummer 2005Summer 2005

Security ModelSecurity Model AuthenticationAuthentication

Who do you say you are?Who do you say you are? User id User id Do you have proof?Do you have proof? Password Password

AuthorizationAuthorization Do you have the priviledges to do a Do you have the priviledges to do a

requested action?requested action?

Asp.Net AuthenticationAsp.Net Authentication Asp.Net directly supports three models:Asp.Net directly supports three models:

Authentication mode = NoneAuthentication mode = None Application supplied securityApplication supplied security

Authentication mode = WindowsAuthentication mode = Windows Based on Windows AccountsBased on Windows Accounts Suitable only for local networkSuitable only for local network

Authentication mode = FormsAuthentication mode = Forms Manged by application with support for redirection Manged by application with support for redirection

and accessing identities provided by Asp.Netand accessing identities provided by Asp.Net Authentication mode = PassPortAuthentication mode = PassPort

Authentication credentials stored on Microsoft serverAuthentication credentials stored on Microsoft server Sites license the serviceSites license the service

No Asp Supplied No Asp Supplied AuthenticationAuthentication

Asp.Net allows all users access to all asp Asp.Net allows all users access to all asp pagespages

It is up to the application to provide It is up to the application to provide authentication and authorizationauthentication and authorization

Authentication and Role-based access Authentication and Role-based access provided by user control(s).provided by user control(s). Application uses session to tell if user is logged Application uses session to tell if user is logged

in.in. User signs in and is assigned roles from User signs in and is assigned roles from

database by user control.database by user control. Access to pages based on roles.Access to pages based on roles. No help from Windows doing this.No help from Windows doing this.

No AuthenticationNo Authentication Virtual directory allows anonymous accessVirtual directory allows anonymous access Web.Config file specifies:Web.Config file specifies:

<authentication mode=“None”/><authentication mode=“None”/> <authorization><authorization>

<allow users=“*”/> <allow users=“*”/></authorization></authorization>

Its up to application to provide Its up to application to provide authenticationauthentication

CSE686 Labs have encouraged you to CSE686 Labs have encouraged you to build authenticating control and provide build authenticating control and provide your own redirections.your own redirections.

Security Settings for Security Settings for NoneNone

Windows AuthenticationWindows Authentication Uses custom socket ports, as well as port Uses custom socket ports, as well as port

80, so won’t go through firewalls.80, so won’t go through firewalls. Requires all users to have Windows Requires all users to have Windows

accounts on server.accounts on server. Suitable only for site serving a local Suitable only for site serving a local

network.network. Remote access requires operation in a Remote access requires operation in a

domain or Active Directory with Kerberos:domain or Active Directory with Kerberos:http://support.microsoft.com/default.aspx?scid=kb;en-us;324276http://support.microsoft.com/default.aspx?scid=kb;en-us;324276http://support.microsoft.com/default.aspx?scid=kb;en-us;810572http://support.microsoft.com/default.aspx?scid=kb;en-us;810572

Windows AuthenticationWindows Authentication The major advantage of Windows The major advantage of Windows

Integrated Authentication is that you Integrated Authentication is that you can use all of the Windows role-based can use all of the Windows role-based security mechanisms.security mechanisms.

It’s easy to restrict access to a page It’s easy to restrict access to a page to one or more roles and roles can be to one or more roles and roles can be configured with specific permissions.configured with specific permissions.

Security Settings for IWASecurity Settings for IWA

Forms AuthenticationForms Authentication Application provides login page.Application provides login page. Asp.Net takes care of redirections.Asp.Net takes care of redirections. Application provides id and password Application provides id and password

storage and retrieval.storage and retrieval. Almost no help with role-based access.Almost no help with role-based access. Can configure directories, using web.config Can configure directories, using web.config

files to accept or deny non-authenticated files to accept or deny non-authenticated users:users: <deny users=‘?’/> // anonymous users<deny users=‘?’/> // anonymous users <allow users=‘*’/> // allow all others<allow users=‘*’/> // allow all others

Forms AuthenticationForms Authentication Virtual directory allows anonymous accessVirtual directory allows anonymous access Web.Config file specifies:Web.Config file specifies:

<authentication mode=“Forms”/><authentication mode=“Forms”/> <forms loginUrl=“login.aspx”> <forms loginUrl=“login.aspx”> <credentials … /> <credentials … /> </forms> </forms></authentication></authentication>

<authorization><authorization> <deny users=“?”/> <deny users=“?”/></authorization></authorization>

Application provides login.aspx which uses Application provides login.aspx which uses System.Web.Security.FormsAuthentication to System.Web.Security.FormsAuthentication to redirect after authentication. redirect after authentication.

Application uses database to store and retreive Application uses database to store and retreive user ids and passwords.user ids and passwords.

Can logout using FormsAuthentication.SignOut();Can logout using FormsAuthentication.SignOut();

Security Settings for Security Settings for FormsForms

Passport AuthenticationPassport Authentication Fee-based service provided by Fee-based service provided by

MicrosoftMicrosoft Won’t be discussed furtherWon’t be discussed further

Role-Based Security without Role-Based Security without WindowsWindows

Public web sites will almost certainly use Public web sites will almost certainly use Application supplied or Forms based Application supplied or Forms based authentication.authentication.

Clients will not have a user account on the Clients will not have a user account on the server, so Windows role-based security is server, so Windows role-based security is no help.no help.

The site may need to define at least simple The site may need to define at least simple roles:roles: New userNew user Registered userRegistered user Premium memberPremium member

Role-Based AuthorizationRole-Based Authorization So how do So how do youyou provide role-base access? provide role-base access?

At login, retrieve user’s roles from db and store At login, retrieve user’s roles from db and store in session.in session.

Provide control on each page that specifies Provide control on each page that specifies allowed roles.allowed roles.

OnPageLoad, check user roles from session OnPageLoad, check user roles from session against allowed roles from control.against allowed roles from control.

Probably easiest to do this with custom Probably easiest to do this with custom authentication but workable with Forms Auth.authentication but workable with Forms Auth.

Would help to have an administrator’s page to Would help to have an administrator’s page to add users and define roles and role membership.add users and define roles and role membership.

Security IssuesSecurity Issues AuthenticationAuthentication √√

Who are you?Who are you? AuthorizationAuthorization√√

What are you allowed to access?What are you allowed to access? ConfidentialityConfidentiality

Hiding content in volatile environmentHiding content in volatile environment IntegrityIntegrity

Detecting modificationDetecting modification

Encrypted Channel with Encrypted Channel with SSLSSL

Secure Sockets Layer provides an Secure Sockets Layer provides an encrypted channel for transmitting encrypted channel for transmitting sensitive data.sensitive data. Recognized by most browsers.Recognized by most browsers. Used by all the major sites: Amazon, …Used by all the major sites: Amazon, … Uses 128 bit encryption.Uses 128 bit encryption.

Secure Sockets Layer Secure Sockets Layer (SSL)(SSL)

Requires third party certificateRequires third party certificate You generate a certificate request file using You generate a certificate request file using

web server certificate wizard.web server certificate wizard. Send to certificate authority, Verisign, … along Send to certificate authority, Verisign, … along

with a check for $349 (renewed each year for with a check for $349 (renewed each year for $249).$249).

Wait for about three weeks.Wait for about three weeks. Install the certificate using the web server Install the certificate using the web server

certificate wizard.certificate wizard. You can generate certificates used only for You can generate certificates used only for

development.development.

Requiring SSLRequiring SSL SSL is invoked SSL is invoked

whenever the whenever the url prefix is url prefix is https.https.

You can force You can force users to use SSL users to use SSL by setting by setting directory directory properties.properties.

Virtual directory properties page allows you to require SSL if you have installed a certificate.

Using .Net EncryptionUsing .Net Encryption You may need to encrypt password You may need to encrypt password

files or other sensitive information files or other sensitive information stored on your site.stored on your site.

System.Security.CryptographySystem.Security.Cryptography Public Key (asymmetric) algorithmsPublic Key (asymmetric) algorithms

DSA – DSACryptoServiceProviderDSA – DSACryptoServiceProvider RSA – RSACryptoServiceProviderRSA – RSACryptoServiceProvider

Private Key (symmetric) algorithmsPrivate Key (symmetric) algorithms DES – DESCryptoServideProviderDES – DESCryptoServideProvider Triple DES, RC2, RijndaelTriple DES, RC2, Rijndael

Using .Net HashingUsing .Net Hashing You may need to ensure that You may need to ensure that

messages or files have not been messages or files have not been tampered with.tampered with.

System.Security.CryptographySystem.Security.Cryptography 128 Bit Hash128 Bit Hash

MD5 – MD5CryptoServiceProvider class.MD5 – MD5CryptoServiceProvider class. 160 Bit Hash160 Bit Hash

SHA1 – SHA1CryptoServiceProviderSHA1 – SHA1CryptoServiceProvider

ReferencesReferences Asp Applications & AuthenticationAsp Applications & Authentication

Programming .Net, Jeff Prosise, Microsoft Programming .Net, Jeff Prosise, Microsoft Press, 2002Press, 2002

Applications, Authentication, SSLApplications, Authentication, SSL ASP.NET Unleased, Second Edition, ASP.NET Unleased, Second Edition,

Stephen Walther, SAMS, 2004Stephen Walther, SAMS, 2004