SECURING YOUR AZURE WEB APP WITH ASP.NET CORE DATA PROTECTION
MICHAEL MELUSKY - @MRJAVASCRIPTOCTOBER 22, 2016 – PHILLY.NET 2016.2
AGENDA
• Discussing Windows encryption standards before ASP.NET core• Build a basic ASP.NET core MVC application• Introduce encryption using the new Data Protector framework• Obtain a free SSL certificate from Lets Encrypt!
ABOUT THE SPEAKER
• Michael Melusky • Software developer at Audacious Inquiry in Baltimore, MD• Adjunct instructor at Penn State University and Franklin and Marshall
College
CRYPTOGRAPHY PRIOR TO ASP.NET CORE
• Used machine key generation• For instance in web.config (system > configuration)• <machineKey validationKey="F5FBC9F875CF84173728F23325083E3D97CF9D17FCCA672AD310BE069361BD4C55C4627F0B6725322AB63EAA8F01D7DF72DE85DBC603567848EAF124D5C16BC7"decryptionKey="6F1070AC50E4EAA432120A4DA023BE64EB6BB450BDF6ECEEA9E59E40BA26475E" validation="SHA1" decryption="AES" />
PURPOSE OF MACHINE KEY
• Configures the algorithms and keys used for:• Encryption and decryption• Validation of forms-authentication data and view-state data• And also out of process session-state information
CONFIGURING MACHINE KEYS IN IIS7
CONFIGURING MACHINE KEYS IN IIS7
HOW DOES THIS RELATE TO MODERN APPLICATIONS TODAY?• Microsoft introduced the Data Protector framework with ASP.NET Core
1.0• Web applications need to store sensitive data• Windows provides DPAPI for desktop applications but it unsuitable for web
applications• The ASP.NET Core Data Protection stack provides an easy-to-use API
developers can use to protect data• Includes key management and rotation
ASP.NET CORE DATA PROTECTION
• *** DEMO: Build a basic ASP.NET Core MVC web application ***
ASP.NET DATA PROTECTION IN A NUTSHELL
• Create a data protector from a data protection provider• Call the Protect method to protect the data you want to protect• Call the Unprotect method on the data you want to turn back into
plaintext
ASP.NET CORE DATA PROTECTION
• *** DEMO: secure the sample ASP.NET web application ***
DATA PROTECTION PURPOSE STRINGS
• The purposes parameter is inherent to the security of the data protection system, as it provides isolation between cryptographic consumers, even if the root cryptographic keys are the same.
• When a consumer specifies a purpose, the purpose string is used along with the root cryptographic keys to derive cryptographic subkeys unique to that consumer
• This isolates the consumer from all other cryptographic consumers in the application: no other component can read its payloads, and it cannot read any other component’s payloads
• This isolation also renders infeasible entire categories of attack against the component
DATA PROTECTION PURPOSE STRINGS
DATA PROTECTION PURPOSE STRINGS
OTHER FEATURES OF ASP.NET CORE DATA PROTECTION• New libraries for password hashing:• using System.Security.Cryptography;
• using Microsoft.AspNetCore.Cryptography.KeyDerivation;
• // derive a 256-bit subkey (use HMACSHA1 with 10,000 iterations)
• string hashed = Convert.ToBase64String(KeyDerivation.Pbkdf2(
• password: password,
• salt: salt,
• prf: KeyDerivationPrf.HMACSHA1,
• iterationCount: 10000,
• numBytesRequested: 256 / 8));
• Console.WriteLine($"Hashed: {hashed}");
OTHER FEATURES OF ASP.NET CORE DATA PROTECTION• Timed Data Protector:
• developer wants to create a protected payload that expires after a set period of time
• Not recommended to use this for data which requires long-term or indefinite persistence
POTENTIAL SHORTCOMINGS
• Deployment to a server farm:• Want to synchronize:
• The application discriminator. This is a unique identifier for the application• The master encryption key. This is the closest thing to machine key in the new system• The encrypted set of session keys. This is a set of XML files that contain the valid session key(s)
that can be used to encrypt/decrypt state data
• Azure Web Apps is easier!• All applications are installed to the same location, so the application discriminator lines up.• Keys aren’t encrypted at rest, so there is no master encryption key.• The session keys are put in a special folder location that is “magically” synchronized across all
instances of the Azure Web App
ASP.NET CORE DATA PROTECTION - KEY MANAGEMENT• The system tries to detect its operational environment and provide good zero-configuration
behavioral defaults. The heuristic used is as follows.• If the system is being hosted in Azure Web Sites, keys are persisted to the “%HOME%\ASP.NET\
DataProtection-Keys” folder. This folder is backed by network storage and is synchronized across all machines hosting the application. Keys are not protected at rest.
• If the user profile is available, keys are persisted to the “%LOCALAPPDATA%\ASP.NET\DataProtection-Keys” folder. Additionally, if the operating system is Windows, they’ll be encrypted at rest using DPAPI.
• If the application is hosted in IIS, keys are persisted to the HKLM registry in a special registry key that is ACLed only to the worker process account. Keys are encrypted at rest using DPAPI.
• If none of these conditions matches, keys are not persisted outside of the current process. When the process shuts down, all generated keys will be lost.
ASP.NET CORE DATA PROTECTION - KEY LIFETIME• Keys by default have a 90-day lifetime. • When a key expires, the system will automatically generate a new key
and set the new key as the active key. • As long as retired keys remain on the system you will still be able to
decrypt any data protected with them.
ASP.NET CORE DATA PROTECTION - DEFAULT ALGORITHMS• The default payload protection algorithm used is AES-256-CBC for
confidentiality and HMACSHA256 for authenticity. • A 512-bit master key, rolled every 90 days, is used to derive the two
sub-keys used for these algorithms on a per-payload basis
CONFIGURING DATA PROTECTION
• public void ConfigureServices(IServiceCollection services)
• {
• services.ConfigureDataProtection(dp =>
• {
• dp.PersistKeysToFileSystem(new DirectoryInfo(@"c:\keys"));
• dp.SetDefaultKeyLifetime(TimeSpan.FromDays(14));
• });
DEPLOYMENT TO AZURE
• *** DEMO: deploy app to Azure ***
WHAT’S LEFT?
• SSL Certificate for the web site• Let’s Encrypt! - free, automated, and open certificate authority
brought to you by the non-profit Internet Security Research Group (ISRG).
LET’S ENCRYPT
• *** DEMO Let’s Encrypt on Azure ***
QUESTIONS?
• Thank you for coming• Michael Melusky - @mrjavascript
Top Related