MEMBERSHIPREBOOT & THINKTECTURE:

THE PARADIGMS TO AUTHENTICATION & AUTHORIZATION

NUR FATIHAH BINTI MAT ALI

BACHELOR OF COMPUTER SCIENCE

(COMPUTER NETWORK SECURITY) WITH HONOURS

UNIVERSITI SULTAN ZAINAL ABIDIN

2019

MEMBERSHIPREBOOT & THINKTECTURE:

THE PARADIGMS TO AUTHENTICATION & AUTHORIZATION

NUR FATIHAH BINTI MAT ALI

BACHELOR OF COMPUTER SCIENCE

(COMPUTER NETWORK SECURITY) WITH HONOURS

FACULTY OF INFORMATICS AND COMPUTING

UNIVERSITI SULTAN ZAINAL ABIDIN

2019

DECLARATION

I hereby declare that this report is based on my original work except for quotations and

citations, which have been duly acknowledged. I also declare that it has not been previously

or concurrently submitted for any other degree at Universiti Sultan Zainal Abidin or other

institutions.

Name : NUR FATIHAH BINTI MAT ALI

Date : ……………………………………..

CONFIRMATION

This is to confirm that:

The research conducted and the writing of this report was under my supervision.

Name : DR.AHMAD FAISAL AMRI BIN

ABIDIN @ BHARUN

Date : ………………………………………

DEDICATION

Praise to Allah, the Most Gracious and the Most Merciful. Alhamdulillah, for blessing

me and giving me the opportunity to undergo and complete this final year project entitled

MembershipReboot & Thinktecture: The Paradigms Of Authentication & Authorization.

Foremost, my greatest appreciation to my loving family especially my beloved mother

that always giving me fully support as well encouragement throughout this project

Here, I would like to take this opportunity to express my heartiest appreciation and

gratitude to my versatile supervisor, Dr. Ahmad Faisal Amri Bin Abidin @ Bharun for the

encouragement, guidance, critics, motivation and also support. Without his continuing

support, this project would not have been the same as presented here. Thank you.

In addition, I would like to thank the panels during my final year project, Dr. Wan

Nor Syuhadah Binti Wan Nikband Dr. Nor Aida Binti Mahiddin for all supportive words,

guidance, advice as well as suggestion in order to make my project a better one. Thank you.

To Faculty of Informatics and Computing, and all lecturers in this faculty, I also

would like to thank you for the chance to expose and explore as a degree student with this

project Last but not least, I would take this chance to thank you to my fellow friends for

everything.

ABSTRACT

Overall, authentication and authorization are two closely related concepts, which are

used to build security mechanism in systems and applications. MembershipReboot is an

identity management library, which performs a large number of authentication-related

functions. As for the Thinktecture, I will use Thinktecture.IdentityModel which is a helper

library for identity and access control which suit the authorization. Its part is including

claims-based authorization which is an approach where the authorization decision to grant or

deny access is based on arbitrary logic that uses data available in claims to make the decision.

For MembershipReboot, an attacker will eventually compromise the database and that we

need to store passwords in a way to make it very hard for attackers to then extract the stored

passwords. For Thinktecture, while historically the solution to that problem has been either

Windows authentication or username/password, this might not hold true anymore. In the

distributed and mobile application landscape, passwords have become an anti-pattern, and

single sign-on, security token services and federation are the prevalent technologies to

achieve a seamless security experience for the users. A simulation on how

MembershipReboot and Thinktecture can be a help in authentication and authorization will

be shown throughout my project. By the end of my project, I will be able to validate and test

the authentication and give out permission right between the user and the service server

involved in a virtual environment.

ABSTRAK

Keseluruhannya, pengesahan dan pengesahan adalah dua konsep yang berkait rapat,

yang digunakan untuk membina mekanisme keselamatan dalam sistem dan aplikasi.

KeahlianReboot adalah perpustakaan pengurusan identiti, yang melakukan sejumlah besar

fungsi berkaitan pengesahan. Bagi Thinktecture, saya akan menggunakan

Thinktecture.IdentityModel yang merupakan perpustakaan pembantu untuk kawalan identiti

dan akses yang sesuai dengan kebenaran. Bahagiannya termasuk kebenaran berasaskan

tuntutan yang merupakan pendekatan di mana keputusan kebenaran memberikan atau

menafikan akses adalah berdasarkan logik sewenang-wenang yang menggunakan data yang

ada dalam tuntutan untuk membuat keputusan. Untuk MembershipReboot, penyerang

akhirnya akan berkompromi pangkalan data dan kami perlu menyimpan kata laluan dengan

cara untuk menjadikannya sangat sukar bagi penyerang untuk kemudian mengekstrak kata

laluan tersimpan. Untuk Thinktecture, sementara sejarah penyelesaian untuk masalah itu

sama ada Windows pengesahan atau nama pengguna / kata laluan, ini mungkin tidak berlaku

lagi. Dalam landskap aplikasi yang diedarkan dan mudah alih, kata laluan telah menjadi

anti-corak, dan satu tanda tangan, perkhidmatan token keselamatan dan persekutuan adalah

teknologi lazim untuk mencapai pengalaman keselamatan yang lancar untuk pengguna. Satu

simulasi bagaimana KeahlianReboot dan Thinktecture dapat membantu dalam pengesahan

dan kebenaran akan ditunjukkan sepanjang projek saya. Menjelang akhir projek saya, saya

akan dapat mengesahkan dan menguji pengesahan dan memberikan hak kebenaran antara

pengguna dan pelayan perkhidmatan yang terlibat dalam persekitaran maya.

CONTENTS

Page

DECLARATION i

CONFIRMATION ii

DEDICATION iii

ABSTRACT iv

ABSTRAK v

CONTENTS vi

LIST OF TABLES vii

LIST OF FIGURES x

LIST OF ABBREVIATION xii

LIST OF APPENDICES xiii

CHAPTER I INTRODUCTION

1.1 Project Background 1

1.2 Problem Statement 2

1.3 Objectives 3

1.4 Scopes of Project 3

1.5 Activities and Milestones 5

1.6 Report Structure 6

CHAPTER II LITERATURE REVIEW

2.1 Introduction 7

2.2 Related Project on Authentication 8

2.2.1 URRSA (proxy-based) 9

2.2.2 LastPass (Password Manager) 10

2.2.3 Kerberos 12

2.2.4 Java 2 Platform Enterprise Edition (J2EE) 12

2.3 Related Project on Authorization 13

2.3.1 Virtual Organization Membership Service (VOMS) 15

2.3.2 Access Control List (ACL) 15

2.3.3 Kerberos 16

2.4 Expected Result 17

2.5 Summary 17

CHAPTER III METHODOLOGY

3.1 Introduction 19

3.2 Analysis Study of Process Model 19

3.3 Methodology Review 20

3.4 Requirement Analysis 23

3.4.1 Software Requirement 23

3.4.2 Hardware Requirement 24

3.5 System Design 24

3.5.1 Architecture of the MembershipReboot 24

And Thinktecture

3.5.2 Framework of the MembershipReboot 25

And Thinktecture

3.5.3 Data Model 27

3.5.4 Proof of Concept 30

3.6 Summary 33

REFERENCES 34

LIST OF TABLES

TABLE TITLE PAGE

2.1 Concern of each Authentication Technique 8

2.2 Concern of each Authorization Technique 13

LIST OF FIGURES

FIGURE TITLE PAGE

3.1 Flow of the Research (MembershipReboot) 20

3.2 Flow of the Research (Thinktecture) 22

3.3 Architecture of MembershipReboot and Thinktecture 25

3.4 Framework of how MembershipReboot and Thinktecture work 26

3.5 Data Model of Entities Involve 28

3.6 Sequence diagram of the authentication of MembershipReboot and the 29

authorization of Thinktecture

3.7 Create a new project in Visual Studio 30

3.8 Setup a NuGet to bring down MembershipReboot 30

3.9 SQL script to create our database (tables) 31

3.10 Hyperlink to navigate to Create New User 31

3.11 Action method 32

3.12 Override method CheckAccess 32

LIST OF ABBREVIATIONS/ TERMS/ SYMBOLS

ACL Access Control List

DLL Dynamic Link Library

J2EE Java 2Enterprise Edition

MVC Model View Controller

RP Resource Provider

SS Service Server

URL Uniform Resource Locator

VO Virtual Organization

VOMS Virtual Organization Membership Service

LIST OF APPENDICES

APPENDIX TITLE PAGE

1.1 Gantt chart: Activities and Milestone FYP 1 5

CHAPTER I

INTRODUCTION

1.1 Project Background

Computer network have been the target of malicious. And thus, the key of computer

networks for security is lying within its network design. It is vital for us to ensure that the

network design can secure the transmission of the data from being intercept and the data may

be compromise [27]. Based on the title of my Final Year Project, authentication and

authorization are two closely related concepts, which are used to build security mechanism in

systems and applications. Authentication is a concept to verify who you say you are? On the

other hand, authorization is to determine or decide whether you have any permission to

access the resources or not.

MembershipReboot is an identity management library, which performs a large

number of authentication-related functions. One of the main features is to manage, store and

validate passwords for user accounts. It also manages other account related data such as

username, email, mobile phone number, claims, certificates, and external identity providers

(such as Google and Facebook). MembershipReboot has a decoupled design of the security

code from the persistence of the account data. Hence, application developers can either use an

existing database implementation or build their own [7].

As for the Thinktecture, I will use Thinktecture.IdentityModel which is the successor

to the very popular Thinktecture.IdentityModel.45 repository. The new IdentityModel is a

helper library for identity and access control which suit the authorization. Its part is including

claims-based authorization which is an approach where the authorization decision to grant or

deny access is based on arbitrary logic that uses data available in claims to make the decision

[12].

1.2 Problem Statement

Most of the techniques used in authentication and authorization system will be able to

secure the data of the users very securely with many other functions that will surely enable

the users to manage their account with what they want. Thus, on the finding, most methods

used are unable to fulfil these requirements. Hence, this inability will be filling with as

follows:

MembershipReboot

i. An attacker will eventually compromise the database and that we need to store

passwords in a way to make it very hard for attackers to then extract the stored

passwords.

Thinktecture

i. While historically the solution to that problem has been either Windows

authentication or username/password, this might not hold true anymore. In the

distributed and mobile application landscape, passwords have become an anti-pattern,

and single sign-on, security token services and federation are the prevalent

technologies to achieve a seamless security experience for the users.

ii. User’s access rights/privileges to resources based on the authorization level.

1.3 Objectives

There are three objectives that need to be achieved in this project. The objectives are

as follows:

a) To study on MembershipReboot and Thinktecture as a paradigms of security in

authentication and authorization domains.

b) To configure and implement MembershipReboot as well as Thinktecture

IdentityModel accordingly in order to secure user’s data and connection.

c) To test the functionality of MembershipReboot and Thinktecture in computer system

settings.

1.4 Scopes pf Project

This project will focus more on configuring and implementing the network

authentication and authorization by using MembershipReboot and

Thinktecture.IdentityModel techniques. First, in the preliminary step for authentication, I will

be using Forms authentication. Thus, get started with MembershipReboot using ASP.NET

MVC 4 Web Application in the Visual Studio 2017. As MembershipReboot has a Nuget

package, use Nuget to bring down the MembershipReboot DLL. Besides, I will choose a

SQL Server 2014 database [19].

Next, to get started authorization with the Thinktecture.IdentityModel, I will bring

down it with the Nuget too [19]. For all of these, a strong wireless network or data

connectivity is needed in order to download all the requirement package installers into the

servers involved. After the implementation of the MembershipReboot and Thinktecture, the

authentication and the authorization will then be tested by using a sniffing tool such as

Wireshark and the result will be shown in order to achieve the objectives of the project.

i. Modify and implement MembershipReboot and Thinktecture techniques based on

computer system drafting.

ii. Integrating Membership Reboot and Thinktecture to function as the first defence

against a data breach.

iii. Develop a computer system such as a web application system which has integral part

of Thinktecture & Membership.

iv. To test the techniques by using hacking tools in live hacking demo.

1.5 Activities and Milestone

ACTIVITY/WEEK 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15

Topic Discussion &

Determination

Project Title

Proposal

Introduction

Literature Review

Presentation

Methodology

Draft Report

Submit Draft

Report

Seminar

Presentation &

Evaluation

Final Report FYP

Gantt chart 1.1: Activities and Milestones FYP 1

1.6 Project Structure

This thesis consists of five chapters. The first chapter focuses on the project

background, problem statements, objectives, scopes of project and activities and milestones.

Chapter two is a review of all related study regarding to this project. In chapter three, the

methodology will be discussed including the methods and techniques used for the developing

this application. In this chapter also will discuss the expected results through the data model

and design. In chapter four, will be explained about implementation and testing process that

has been run in this project. The last chapter is conclusion and results are presented.

CHAPTER II

LITERATURE REVIEW

2.1 Introduction

In the literature review, I will explore the current and past landscape of user

authentication and authorization on the web. I begin by considering the needs of key

stakeholders involved (such as users and service providers) as well as the attackers’

capabilities and the threat model they create. I demonstrate how providing usable and

practical authentication and authorization for users and service providers creates non-trivial

challenges in the face of trying to build security against attackers. I then analyse the merits

and shortcomings of a number of previous approaches for providing usable, practical, and

secure user authentication and authorization.

2.2 Related Project on Authentication

Table 2.1 shows the concern of different authentication techniques that already exists.

Technique Remarks Concern

URRSA (proxy-

based) [4] by Alexei Czeskis

- At registration time, the user prints out a

sheet of one-time-codes. The codes are the

passwords encrypted under the n different

keys.

- To authenticate to the proxy and to

indicate to which site the user wants to

authenticate, the user chooses the next

unused code off their sheet in the

appropriate group.

- If the proxy is

compromised, then

security for multiple

sites could be

compromised.

- If the proxy

becomes

unavailable, the

user is prevented

from accessing any

of his accounts.

LastPass (Password

Manager) [4] by Alexei

Czeskis

- Offers advanced options such as using

two-factor authentication mechanisms

(e.g., hardware tokens). –

- The ability to auto-generate passwords

during account creation on websites.

- Users are still

vulnerable to

phishing as

attackers can ask

users to copy paste

the password into a

web form. (user can

view password)

- master password

Java 2 Platform Enterprise

Edition (J2EE) [3] by Richard A.

Backhouse

− Asynchronous Java

Script and XML

(AJAX).

- Form-based authentication.

- To functionally execute the necessary

steps for redirecting an AJAX client

request to an authentication required

servlet, issuing an AJAX response to

the client, authenticate the user security

credentials, and process the client

request for secure data.

Kerberos [1] by S. P. Miller et al - To prevent fraudulent connection

requests.

- To support both one-way and mutual

authentication of principals to the

granularity of at least an individual

user and specific service instance.

-

Table 2.1: Concern of each Authentication Technique

2.2.1 URRSA (proxy-based)

With URRSA, each of the user’s passwords is stored n times, encrypted with n

different keys. At registration time, the user prints out a sheet of one-time-codes. The

codes are the passwords encrypted under the n different keys. The codes are organized

into groups — each group represents a username / password combination that the user

originally registered. In order to authenticate to the proxy and to indicate to which site

the user wants to authenticate, the user chooses the next unused code off their sheet in

the appropriate group. The proxy decrypts the code and then forwards the password to

the appropriate site

Analysis: This proxy-based approach does a good job of protecting users against

authenticating from untrusted devices. The proxy-based approach allows users to type

their passwords less often. However, with URRSA, users end up typing one-time

codes instead. Furthermore, if the proxy is compromised, then security for multiple

sites could be compromised. Since passwords are still used under the hood by the

proxy to authenticate to web services, this approach is still vulnerable to a man-in-the-

middle attacker between the proxy and the web service. This approach also creates a

single point of failure — if the proxy becomes unavailable, the user is prevented from

accessing any of his accounts. Furthermore, this approach changes the user experience

during the authentication flow. To our knowledge, neither proxy-based approach is

deployed on the general internet.

2.2.2 LastPass (Password Manager)

Password Managers help users overcome this usability barrier by (as their

name implies) storing and managing users’ passwords. Most major browsers (such as

Mozilla Firefox, Google Chrome, and Microsoft Internet Explorer) offer to remember

and auto-complete user generated passwords [20, 21, 22]. Some browsers (e.g.,

Chrome and Firefox) support syncing password data across different computers,

allowing users to freely move between different devices without fear of losing access

to their passwords. The syncing is done through the service provider’s servers and

requires users to provide a “master” password. Additionally, browser-based password

managers allow users to view their stored passwords — a really useful feature as users

can forget their passwords since users no longer have to type them.

Besides in-browser password managers, several third-party password

managing applications exist — of which LastPass [23] is currently the most

prominent. LastPass supports installation on the top five browsers, across the three

most popular operating systems, and on all of the popular mobile phone platforms.

Like the in-browser password managers, LastPass records, auto-completes, and syncs

users’ passwords across devices. LastPass also offers advanced options such as using

two-factor authentication mechanisms (e.g., hardware tokens) and the ability to auto-

generate passwords during account creation on websites.

Analysis: Password managers help users with keeping track of all their passwords.

With the recent advances in cross-platform password syncing and storing passwords

in the cloud, users are no longer “locked out” of their accounts as they move from

device to device. Since password managers don’t change the low level way in which

users authenticate to web services (with passwords), they require no server-side

changes — making password managers very deployable.

However, user studies have shown that users are uncomfortable with

relinquishing control over their passwords [28]. Furthermore, since most password

managers allow users to view their passwords, users are still vulnerable to phishing as

attackers can ask users to copy paste the password into a web form. Password

managers that sync passwords through the cloud are secured using a master password.

If this password leaks, so do all of the users’ other passwords. Finally, password

managers do nothing to stop man-in-the-middle attacks.

2.2.3 Kerberos

The basic approach for Kerberos authentication is the following: to use a

service, a client must supply a ticket previously obtained from Kerberos. A ticket for a

service is a string of bits with the property that it has been enciphered using the

private key for that service. That private key is known only to the service itself and to

Kerberos. As a result of that property, the service can be confident that any

information found inside the ticket originated from Kerberos. As will be seen,

Kerberos will have placed the identity of the client inside the ticket, so the service that

receives a ticket has a Kerberos-authenticated opinion of the identity of the client. To

help ensure that one user does not steal and reuse another user’s tickets, the client

accompanies the ticket with an authenticator, explained later. (In addition, tickets

expire after a specified lifetime, which is usually on the order of several hours.)

The client obtains a ticket by sending a message to Kerberos naming the

principal identifier of the desired service, the principal identifier of the (alleged)

client, and mentioning the current time of day. Anyone could send such a message or

intercept its response; that response, however, is usable only to the client named in the

original request, because Kerberos seals the response by enciphering it in the private

key of that client. The response contains three parts: the ticket (which itself is further

sealed in the private key of the service), a newly-minted key for use in this client-

server session, and a timestamp issued by the Kerberos server.

2.2.4 Java 2 Platform Enterprise Edition (J2EE)

The apparatus for AJAX form-based authentication using J2EE is provided

with a plurality of modules configured to functionally execute the necessary steps for

redirecting an AJAX client request, issuing an AJAX response to the client,

authenticating the user security credentials, and processing the client request. These

modules in the described embodiments include a redirection module, a response

module, an authentication module, and a processing module.

The redirection module, in one embodiment, redirects an AJAX client request

to an authentication required servlet in response to detecting a client request for

secure data. Also, the response module may issue an AJAX response to the client, the

AJAX response directing the client to obtain user security credentials. In addition, the

client may prompt a user for the user security credentials independent of a server-

based security credential form. Also, the authentication module may authenticate the

user security credentials using a web container authentication service, the user

security credentials received by way of an AJAX form-based authentication request.

Finally, the processing module may process the client request for secure data in

response to a positive authentication of the user security credentials.

2.3 Related Project on Authorization

Table 2.2 shows the concern of different authorization techniques that already exists.

Technique Remarks Concern

Virtual Organization

Membership Service

(VOMS) [5] Alfieri R. et al

- Virtual Organization (VO): abstract

entity grouping Users, Institutions

and Resources (if any) in a same

administrative domain

- Resource Provider (RP): facility

- main difficulty is to

clearly separate these two

roles

offering resources (e.g. CPU,

network, storage) to other parties

(e.g. VO’s), according to specific

“Memorandum of Understanding”

Access Control List

(ACL) [2] Chate A. B et al

- To supervise all packets of

incoming and outgoing packets.

- May possibly permit users with

larger access control lists to still

make use of such devices

- size of access control lists

has developed noticeably

due to an augment in

Internet applications in

addition to an enhance in

identified vulnerabilities

and attacks

Kerberos [1] by S. P. Miller

et al

- To allow different services to

implement different authorization

models

- To allow those authorization models

to assume that authentication of user

identities is reliable.

Table 2.2: Concern of each Authorization Technique

2.3.1 Virtual Organization Membership Service (VOMS)

– Virtual Organization (VO): abstract entity grouping Users, Institutions and

Resources (if any) in a same administrative domain;

– Resource Provider (RP): facility offering resources (e.g. CPU, network, storage)

to other parties (e.g. VO’s), according to specific “Memorandum of

Understanding”.

From the authorization point of view, a grid is established by enforcing

agreements between RP’s and VO’s, where, in general, resource access is controlled

by both parties with different roles, and indeed the main difficulty is to clearly

separate these two roles. To solve this apparent dualism, we can classify the

authorization information into two categories:

i. General information regarding the relationship of the user with his VO: groups he

belongs to, roles he is allowed to cover and capabilities he should present to RP’s

for special processing needs;

ii. Information regarding what the user is allowed to do at a RP, owing to his

membership of a particular VO.

2.3.2 Access Control List (ACL)

Access control lists are organized at every points of entry connecting a

concealed network and the outside Internet to supervise all packets of incoming and

outgoing packets. A packet can be imagined as a tuple with a limited number of fields

for instance IP addresses and port numbers of source/destination, and the type of

protocol. In an access control list, each rule has a predicate over header fields of

several packets and a decision to be carried out upon the packets that equivalent the

predicate. A rule that scrutinizes fields of d-dimensional can be analyzed as a d-

dimensional entity. Real-life access control list are naturally four dimensional over

fields of four packets such as: IP address of source, destination, port number of

destination and type of protocol [26].

Several network products have solid constraints on the rules that they

hold up. Because access control lists are measured confidential due to concerns of

security, it is tricky to obtain an outsized sample of real-life access control lists [24].

Compression of access control lists may possibly permit users with larger access

control lists to still make use of such devices and this may turn out to be an

increasingly vital concern intended for many users as size of access control lists has

developed noticeably due to an augment in Internet applications in addition to an

enhance in identified vulnerabilities and attacks [25].

2.3.3 Kerberos

Authentication can imply a coarse-grained authorization—for instance; some

services may allow anyone who can be reliably authenticated by the local Kerberos to

use the service. In cases where more selective authorization is needed, the goal of

Kerberos is to allow different services to implement different authorization models,

and to allow those authorization models to assume that authentication of user

identities is reliable.

The Kerberos authentication model provides only a certification of the identity

of a requesting client; by itself it provides no information as to whether or not that

client is actually authorized to use the service. There are three forms in which

authorization could be integrated with the Kerberos authentication model:

i. The Kerberos database could also contain authorization information for each

service, and issue service tickets only to authorized users of each service.

ii. A separate authorization service could maintain authorization information by

keeping access lists for each service and allowing the client to obtain sealed

certification of list membership. The client would present that certification, rather

than a Kerberos ticket, to the ultimate service.

iii. Each service could maintain its own authorization information, with the optional

help of a service that stores shared public lists and provides certification of public

list membership.

2.4 Expected Result

i. The user’s credential is more secure (secure connection)

ii. The principle (user) will only get on resources based on what type of authorization he/she

have. (avoid data leaks)

2.5 Summary

Based on my reading towards some researches on the authentication and authorization

techniques, it can be said that a pragmatic way to secure the password authentication and data

authorization between entities involved is by using the MembershipReboot for authentication

and Thinktecture.IdentityModel for authorization. It is because MembershipReboot and

Thinktecture provide more advantages respectively, besides having the least drawbacks. To

summarize, the MembershipReboot and Thinktecture acts as two difference medium that

integrate together where both of this techniques provides the two factor authentication and

determine the authorization level of each user based on the claims.

CHAPTER III

METHODOLOGY

3.1 Introduction

This chapter covers the detail explanations on the methodology used in this project.

The methodology being used to ensure that the implementation of this project can fulfil the

objectives and thus make sure that the systems or techniques can be developed successfully.

Therefore, after considering pros and cons of several different system model or techniques

available, the iterative and incremental flow chart model have been choosing. The details

about this iterative model will be explained in this chapter.

3.2 Analysis Study of Process Model

The development and testing processes of the iterative methodology will be

completed on each stage. This model is less costly when it comes to changing the scopes and

requirements. By using this method, it will be easier to test and debug during small iterations.

3.3 Methodology Review

Figure 3.1: Flow of the Research (MembershipReboot)

Figure 3.1 shows roughly step-by-step to complete the authentication part, in this

mean part of the MembershipReboot. Firstly, installation of Microsoft Visual Studio 2017

and Microsoft SQL Server Database is a must as I will do the background work on both this

software. I need to make sure that both of this software is compatible with the device (laptop)

that I will be using.

After that, I will create a new project in Visual Studio 2017, using the project

template for an ASP.NET MVC 4 Web Application. As MembershipReboot has a Nuget

package, I will use it to bring down the MembershipReboot DLL, (.dll) file which contains a

library of functions and other information that can be accessed by a Windows program. When

Start

Installation of Microsoft Visual Studio 2017 and Microsoft SQL

Server 2014 databse

Create a new project in Visual Studio 2017, using the project template for an

ASP.NET MVC 4 Web Application

Use Nuget package to bring down the

MembershipReboot DLL.

Create tables in the Microsoft SQL

Server 2014 database by running the SQL

scripts in it.

Create a user using SQL stetements in front-end (perform the proper hashing

for password)

Configuring Web.config for

MembershipReboot

Set up the Session Authentication

Module (SAM) and add it into

Web.config

Continue to Thinktecture

a program is launched, links to the necessary .dll files are created. Then, have it referenced in

my project.

As I already install the Microsoft SQL Server database as my data store, I will create

tables in it as part of the database. To create those tables is by run the SQL scripts that then

will create two tables which are UserAccounts and UserClaims. Now, I need to add a user to

the database. To make sure that the user’s password is hashed properly, we need to create a

user using SQL statements in front-end. With a quick tour, I will complete the form to add

the user.

Now, I have create a SQL Server database and created an ASP.NET MVC 4 project

with the MembershipReboot library added to the solution via NuGet. Next, I need

configuring Web.config for MembershipReboot. So I need to configure the application to use

Form Authentication for authentication and configure MembershipReboot. First, remove the

default membership provider in the Web.config file. Second, I adding the ConnectingString

for the database to connect to the database I have created, to store the authentication

information. This configuring going until I configure the behaviour of the

MembershipReboot which has long list including allowAccountDeletion and

emailIsUsername.

Then, set up the Session Authentication Module (SAM) and add it into Web.config.

SAM enables us to persist the authentication credentials across http requests. After finishing

the authentication part, I will continue to authorization part with Thinktecture.

Figure 3.2: Flow of the Research (Thinktecture)

Figure 3.2 shows roughly step-by-step to complete the Thinktecture part for

authorization. Firstly, I need to bring down Thinktecture.IdentityModel using NuGet

package. Then, to demonstrate how I can externalise the authorization logic, I need to write a

class which inherits from ClaimsAuthorizationManager, which lives in the

System.Security.Claims namespace. There is a method called CheckAccess which need to

override. The advantage of this approach to authorization is that I can perform any kind of

checks I want. I can go to data store for data that determines the permission rights or access

control for a scenario.

After that, I will create a Messenger constant in a class called CustomClaimTypes

which has the following value: “http://dave.com/ws/identity/claims/messenger “. Just as i

making up the claim, I can make up URL. That is all the ClaimTypes constant resolve to

Continue from MembershipReboot

Use Nuget package to bring down the

Thinktecture.IdentityModel

Externalise the authorization logic: Write a class and override method

CheckAccess (in Web.config)

Create a Messenger constant in a class

CustomClaimTypes

Add that claim to the UserClaims tables in

the database.

Testing and evaluation of MembershipReboot and

Thinktecture will be done in the real world setting

End

(URL strings). So, now I need to that claim to the UserClaims table in the database created

earlier.

Lastly, the testing and evaluation of the MembershipReboot and Thinktecture will be

done in the real world settings. The testing will be done by using sniffing tool such as

Wireshark to try to intercept the transmission and gain the password.

3.4 Requirement Analysis

In making the development and implementation of my project become successful,

project analysis needs a few requirements. There are two main elements that are used in this

project which is software and hardware requirements.

3.4.1 Software Requirement

For this project, software requirements are as follows:

i. Microsoft Word 2010

ii. Microsoft Office PowerPoint 2010

iii. Windows 10

iv. Microsoft Visual Studio 2017

v. Microsoft SQL Server 2014 database

vi. NuGet package (MembershipReboot, Thinktecture.IdentityModel)

vii. Wireshark Window-64 bits version 2.2.5

3.4.2 Hardware Requirement

For this project, hardware requirements are as follows:

i. Laptop (Hewlett-Packard, 4GB RAM, CPU 1.60GHz, x64-based processor)

ii. Mouse

iii. Printer

3.5 System Design

In system design, all the process that defines the architecture and proof of concept for

the project development is explained to specify specified requirement. The framework of the

overall project is designed and defines them in specific model by using data model.

3.5.1 Architecture of the MembershipReboot and Thinktecture

The architecture of the MembershipReboot and Thinktecture below shown

that there are a few components that related to each other which were the Client

(User), MembershipReboot, Thinktecture, Databases and Service Server. Each of the

components has its own function.

Generally, the User is the client that needs to use the service for example the

File Server as the service server. The File server will act as the server that provides

services. For authentication phase, the MembershipReboot will authenticate the user

based on the information from Web.config, SQL Server Database and Windows

directory. Then, user will be authenticated. As for the authorization phase, the system

will create the cookie after user authenticated, and in the cookie itself will contain the

Claim Type, which consists of permission right or access control of the authenticated

user. The claim is made based on the information in the database. After that, the user

can now request for the service from the File server.

Figure 3.3: Architecture of MembershipReboot and Thinktecture

MembershipReboot

Web.config, SQL Server Database & Windows directory

Thinktecture File Server Client

3.5.2 Framework of the MembershipReboot and Thinktecture

Figure 3.4: Framework of how MembershipReboot and Thinktecture works

There are a few things to remember which are five parties will be involved in

this process overall. The five parties are the Client, MembershipReboot, Thinktecture,

databases and service server. By means, Client is the user who wants to access or

request the service, the MembershipReboot which used for the authentication, the

Thinktecture which used for the authorization, database which consists of

Web.config, SQL Server Database and Windows directory while the Service server is

the actual resource which we want to access,

10. Give service

9. Request Service

3. Confirm validation

2. Get validation 1. Get authentication

4. Client Authenticated

8. Access Control determined

6. Get Claim Type

5. Get Access Control

Client

Membership-Reboot

Thinktecture

Web.config

Windows Dir.

SQL Server Db

Service Server

7. Claim Type

On how the MembershipReboot and Thinktecture work, the Client will

be the first one to start the initiation. The Client wants to access the Service server in

the network, but he or she is not an authenticated user at first. Client will get or

request authentication by the MembershipReboot, by entering the username and

password. To authenticate the Client, Membership will validate the user credentials

based on UserAccounts in the databases. After MembershipReboot confirm the

validation, it will authenticate the Client.

The client then gets the access control or permission right from the

Thinktecture to do things after authenticated. Next the Thinktecture will get the Claim

Type for that client based on the table UserClaims in the database. After get the Claim

Type of the Client, Thinktecture will determine the access control of the Client. After

the Client gets both authentication and authorization, the Client then will request

service from the Service server and service server in return will grant the request.

3.5.3 Data Model

Sequence diagram is used to show the sequence overall of the project. The

process starts from the Client (User) which will be authenticated by the

MembershipReboot and will be authorized by the Thinktecture.IdentityModel based

on the information and claims from Web.config, SQL Server Database and Windows

directory before the transmission process to Service Server (SS). Figure 3.5 roughly

show the data model of entities involves besides the MembershipReboot and

Thinktecture while Figure 3.6 shows the sequence diagram of the MembershipReboot

and Thinktecture.

Figure 3.5: Data Model of Entities Involve

User enters userID

and password

Create a ticket User enters userID

and password

Web.config

Windows directory

SQL Server Database

Yes

1. Permission right determined

Validate user from:

No

MembershipReboot

Thinktecture

Service

Server

Is the user Valid?

Figure 3.6: Sequence diagram of the authentication of MembershipReboot and the

authorization of Thinktecture

Client MembershipReboot Thinktecture

SS

Web.config, SQL Server Database & Windows directory

Authenticate

Get Validation based

Confirm Validation Get

authenticated

Get Permission right Get Claim Type

Permission right determined

Service request

Service

Phase 1

Phase 2

Claim Type

3.5.4 Proof of Concept

Figure 3.7 shows the MVC (Model-View-Controller) architecture that I use in ASP.NET

Web Application to create a new project for MembershipReboot.

Figure 3.7: Create a new project in Visual Studio

Figure 3.8 shows the Web API to start setup NuGet to bring down the MembershipReboot as

I will not using the Membership provider provides in ASP.NET itself.

Figure 3.8: Setup a NuGet to bring down MembershipReboot

Figure 3.9 shows the first step in creating two tables which are UserAccounts and

UserClaims after installing the SQL Server Database.

Figure 3.9: SQL script to create our database (tables)

Figure 3.10 shows the codes to build URL which will navigate to Create New User after I run

it.

Figure 3.10: Hyperlink to navigate to Create New User

Figure 3.11 shows the codes in Action Method in ClaimsAspMvc that inherit from class in

MembershipReboot, where I will incorporate claims-aware authorization

Figure 3.11: Action method

Figure 3.12 shows the method called CheckAccess which I need to override so that I can

perform any kinds of checks I want.

Figure 3.12: Override method CheckAccess

3.6 Summary

In this chapter, the methodology of this project is explained. The flow of this project

is being shown in the framework and detailed view of how the whole system works is display

on the data model. Therefore, the requirements of the project are being shown in perfect order

and can carry out the minimum error.

REFERENCES

1. Kerberos Authentication and Authorization System (1988) by S. P. Miller , B. C.

Neuman , J. I. Schiller , J. H. Saltzer

2. Access Control List Provides Security in Network by Chate A. B , Chirchi V. R

3. Asynchronous java script and XML (AJAX) form-based authentication using java 2

platform enterprise edition (J2EE) by Richard A. Backhouse, Apex, NC (US)

4. Practical, Usable, and Secure Authentication and Authorization on the Web by Alexei

Czeskis, University of Washington (2013)

5. Alfieri R. et al. (2004) VOMS, an Authorization System for Virtual Organizations. In:

Fernández Rivera F., Bubak M., Gómez Tato A., Doallo R. (eds) Grid Computing.

AxGrids 2003. Lecture Notes in Computer Science, vol 2970. Springer, Berlin,

Heidelberg

6. Limitations of the Kerberos Authentication System S.M. Bellovin * smb@ulysses.att.

corn M. Merrit t mischu@allegra. att. corn AT&T Bell Laboratories Murray Hill,

New Jersey 07974

7. (https://github.com/brockallen/BrockAllen.MembershipReboot/wiki/General-Design)

Brock Allen, 2013.

8. (https://github.com/IdentityServer/IdentityServer3.MembershipReboot) Brock Allen,

2015.

9. Peter Mbanugo, 2016, https://www.pluralsight.com/guides/implementing-simple-

oauth-server-with-katana-and-membershipreboot

10. (https://cedric-dumont.com/tutorials/identityserver-v3-membershipreboot-angularjs

webapi-2-and-mvc-mix-it-introduction/identityserver-v3-membershipreboot-

angularjs-webapi-2-and-mvc-mix-it-part-1/) Cedric Dumont.

11. (https://www.techopedia.com/definition/342/authentication)

12. (https://github.com/IdentityModel/Thinktecture.IdentityModel) Dominick Baier, 2016

13. M. Reiter and S. Stubblebine. Authentication metric analysis and design. Trans. on

Inf. and Syst. Sec., 2(2), May 1999.

14. D.W. Davies and W.L. Price, Security for Computer Networks, John Wiley & Sons

(1989). Second Edition.

15. D. Davis and R. Swick, Workstation Services and Kerberos Authentication at Project

Athena, MIT Laboratory for Computer Science Technical Memorandum 424

(February 1990).

16. J. Kohl, B. Clifford Neuman, and J. Steiner, The Kerberos Network Authentication

Service, MIT Project Athena (November 6, 1989). Version 5, Draft 2

17. J. Steiner, C. Neuman, and J.I. Schiller, "Kerberos: An Authentication Service for

Open Network Systems, " in Proc. Winter USENIX Conference, Dallas (1988).

18. Andrew Bortz, Adam Barth, and Alexei Czeskis. Origin Cookies: Session integrity for

web applications. In Web 2.0 Security and Privacy (W2SP), 2011.

19. David Rogers Dev. 2013,Claim-Based Authentication and Authorization

20. Google Chrome. Manager your website passwords, 2013.

http://support.google.com/chrome/bin/answer.py?hl=en&answer=95606.

21. Microsoft Corporation. Fill in website forms and passwords automatically, 2013.

http://windows.microsoft.com/en-us/windows7/fill-in-websiteforms-and-passwords-

automatically

22. Mozilla Support. Password manager - remember, delete and change saved passwords

in Firefox, 2013. http://support.mozilla.org/en-US/kb/password-managerremember-

delete-change-passwords.

23. Last Pass. LastPass password manager homepage, 2013. https://lastpass.com.

24. Y.-W.E. Sung, X. Sun, S.G. Rao, G.G. Xie, and D. A. Maltz, “Towards Systematic

Design of Enterprise Networks,” IEEE Trans. Networking, vol. 19, no. 3, pp.695-708,

June 2011.

25. A.X. Liu and M.G. Gouda, “Complete Redundancy Detection in Firewalls,” Proc.

19th Ann. IFIP Conf. Data and Applications Security, pp. 196-209, Aug. 2005

26. A.X. Liu, Y. Zhou, and C.R. Meiners, “All-Match Based Complete Redundancy

Removal for Packet Classifiers in TCAMs,” Proc. IEEE INFOCOM, Apr. 2008.

27. M. W. Youssef et al. (March 2012), Securing Authentication of TCP/IP Layer Two

By Modifying Challenge-Handshake Authentication Protocol, Advanced Computing:

An International Journal (ACIJ), Vol 2 (2)