
Enterprise Library Cryptography Application Block

Enterprise Library Cryptography Application Block. Scott Densmore Software Design Engineer Ron Jacobs Product Manager Microsoft Corporation. D. A. D. I. A. D. I. patterns & practices Architecture Guidance for the Enterprise. Proven Based on field experience





Presentation Transcript


  1. Enterprise Library Cryptography Application Block
     Scott Densmore, Software Design Engineer; Ron Jacobs, Product Manager; Microsoft Corporation

  2. patterns & practices: Architecture Guidance for the Enterprise
     • Proven: based on field experience
     • Authoritative: offer the best advice available
     • Accurate: technically validated and tested
     • Actionable: provide the steps to success
     • Relevant: address real-world problems based on customer scenarios
     Available online: www.microsoft.com/practices. Books available: www.amazon.com/practices
     • Patterns: atomic solutions to recurring problems
     • Application Blocks: sub-system-level guidance for common services
     • Reference Architectures: system-level guidance for common customer scenarios
     • Guides: guidance for broad horizontal topics such as security, performance, deployment and operations

  3. Agenda
     • Overview
     • What you must know to use the application block
       • Defining your configuration
       • Creating an instance of the security provider objects
       • Executing the methods
     • Getting beyond the surface
       • Selecting the right options for security
       • For really advanced users
       • Key extensibility points

  4. Sound Familiar?
     • The need for developers to write application code specific to the security mechanisms of the deployment environment
     • Having to change application code to test in a simplified security environment

  5. Security Needs
     • A simple way of authenticating a user
     • The ability to determine what roles a user is in, and whether the user is authorized to perform a task
     • The ability to read and write profile information for a user
     • The ability to write the same application code for different security providers
     • An easy way to adjust and validate the security configuration settings

  6. Security Application Block
     • Provides a consistent way to implement common security scenarios for authentication, authorization, roles and profiles, irrespective of the underlying security mechanism
     • Provider model makes it adaptable to specific platform or security infrastructure systems
     • Supports the Configuration Console, allowing easy configuration modifications and validation

  7. Enterprise Library v1 (block diagram)
     • Blocks: Caching, Exceptions, Security, Data Access, Logging, Crypto, Configuration, Config Tool
     • Legend: Dependency, Plug-in

  8. What you must know ...in 3 easy steps

  9. Step 1: Define your configuration
     • You will need an app.config (or web.config) file for your application
     • Use the Enterprise Library Configuration tool to create the configuration for the Security Application Block
     • Use a post-build step to copy config files to the runtime directory
     • See http://www.ronjacobs.com/TipPostBuild.htm

  10. Step 2: Create an Instance of Security Provider
     • Enterprise Library Security Application Block uses the Plugin [Fowler] pattern to create providers.
     • Allows us to support AD, Database, AzMan and other providers
       ' Create the default authentication provider instance
       Dim authProvider As IAuthenticationProvider = AuthenticationFactory.GetAuthenticationProvider()
       ' Or, use a named instance to map to configuration
       Dim authProvider As IAuthenticationProvider = AuthenticationFactory.GetAuthenticationProvider("Authentication Provider")

  11. Step 3: Executing Security Provider Commands
     • Authentication: authenticate, cache identity, expire a session
     • Authorization: determine if user is authorized to perform a task
     • Roles: determine what roles a user is in
     • Profiles: read and write profile information
       NamePasswordCredential credentials = new NamePasswordCredential(username, password);
       bool authenticated = authProvider.Authenticate(credentials, out identity);

  12. Demonstration of Security Block (live View/Application Share)

  13. Going deeper... ...this is where it gets interesting

  14. Authentication
     • Authentication is the process of determining caller identity. There are three aspects to consider:
       • Identify where authentication is required in your application. It is generally required whenever a trust boundary is crossed. Trust boundaries usually include assemblies, processes, and hosts.
       • Validate who the caller is. Users typically authenticate themselves with user names and passwords.
       • Identify the user on subsequent requests. This requires some form of authentication token.

  15. Strong Account Management Policies
     • Does your application enforce strong passwords?
     • Do you restrict the number of failed login attempts?
     • Do you reveal too much information in the event of failure?
     • Do you enforce a periodic change of passwords?
     • Can you quickly disable accounts in the event of compromise?
     • Does your application record login attempts?
     Source: Improving Web Application Security: Threats and Countermeasures, Chapter 4 – Design Guidelines for Secure Web Applications, http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/ThreatCounter.asp
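Three of the checklist items above (limiting failed attempts, not revealing why a login failed, and recording attempts) can be layered on top of the block without touching the provider itself. The following C# class is an added example written for this transcript; it is not code from the deck or from Enterprise Library. It assumes the `Microsoft.Practices.EnterpriseLibrary.Security` namespace for the block's types, uses only the `IAuthenticationProvider.Authenticate(credentials, out identity)` and `NamePasswordCredential(name, password)` calls shown on the other slides, and keeps its counters in in-memory dictionaries that are constructed for the example.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Principal;
using Microsoft.Practices.EnterpriseLibrary.Security;  // assumed namespace for the v1 Security block types

// Wraps the block's authentication provider with the controls from the checklist:
// bounded failed attempts, a lockout window, quick disable, and a record of every attempt.
// The in-memory dictionaries are constructed for this example; a deployment would persist them.
public class GuardedAuthenticator
{
    private readonly IAuthenticationProvider inner;
    private readonly int maxFailures;
    private readonly TimeSpan lockoutWindow;
    private readonly Dictionary<string, int> failures =
        new Dictionary<string, int>(StringComparer.OrdinalIgnoreCase);
    private readonly Dictionary<string, DateTime> lockedUntil =
        new Dictionary<string, DateTime>(StringComparer.OrdinalIgnoreCase);

    public GuardedAuthenticator(IAuthenticationProvider inner, int maxFailures, TimeSpan lockoutWindow)
    {
        this.inner = inner;
        this.maxFailures = maxFailures;
        this.lockoutWindow = lockoutWindow;
    }

    public bool Authenticate(string username, string password, out IIdentity identity)
    {
        identity = null;
        if (string.IsNullOrEmpty(username)) return false;
        DateTime now = DateTime.UtcNow;
        DateTime until;
        if (lockedUntil.TryGetValue(username, out until) && until > now)
        {
            Audit(username, "rejected, account locked");
            return false;  // same answer as a wrong password: the lock is not disclosed to the caller
        }

        bool ok = inner.Authenticate(new NamePasswordCredential(username, password), out identity);
        if (ok)
        {
            failures.Remove(username);
            lockedUntil.Remove(username);
            Audit(username, "success");
            return true;
        }

        int count;
        failures.TryGetValue(username, out count);
        failures[username] = ++count;
        Audit(username, "failure " + count + " of " + maxFailures);
        if (count >= maxFailures)
        {
            lockedUntil[username] = now + lockoutWindow;
            failures.Remove(username);
            Audit(username, "locked until " + lockedUntil[username].ToString("u"));
        }
        return false;
    }

    // "Can you quickly disable accounts in the event of compromise?"
    public void Disable(string username)
    {
        lockedUntil[username] = DateTime.MaxValue;
        Audit(username, "disabled by operator");
    }

    public bool IsLocked(string username)
    {
        DateTime until;
        return lockedUntil.TryGetValue(username, out until) && until > DateTime.UtcNow;
    }

    // Audit sink for "does your application record login attempts?"; in practice route this to the Logging block.
    private static void Audit(string username, string outcome)
    {
        Console.WriteLine("{0:u} login {1}: {2}", DateTime.UtcNow, username, outcome);
    }
}
```

Usage: `new GuardedAuthenticator(AuthenticationFactory.GetAuthenticationProvider("Authentication Provider"), 5, TimeSpan.FromMinutes(15))`, then call `Authenticate` in place of the provider's own method. The lockout is a time window rather than a permanent lock so that someone who deliberately fails logins against another user's name can only delay that user, not lock them out for good; `Disable` is the operator's explicit, permanent switch.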

  16. Authentication Database Provider
     • Uses Data Access Application Block for database access
     • SQL script included for required schema
     • Uses Cryptography Application Block for hashing passwords
     • Required if using supplied profile or roles database provider

  17. Configuring the Authentication Database Provider Using the Configuration Console (screenshot: configured database instance, configured hash provider)

  18. Authenticating the User
     • Create authentication provider
       IAuthenticationProvider authenticationProvider = AuthenticationFactory.GetAuthenticationProvider("MyProvider");
     • Create NamePasswordCredential
       NamePasswordCredential credentials = new NamePasswordCredential("JohnS", "MyPassword");
     • Call Authenticate
       IIdentity identity;
       bool authenticated = authenticationProvider.Authenticate(credentials, out identity);

  19. Authorization
     • Authorization determines what the authenticated identity can do and the resources that can be accessed. Improper or weak authorization leads to information disclosure and data tampering.
     • Defense in depth is the key security principle to apply to your application’s authorization strategy.

  20. Authorizing End Users
     • Do you use a defense in depth strategy?
     • Which gatekeepers are used?
     • Do you use a role-based approach?
     • Do your roles provide adequate privilege separation?
     Source: Improving Web Application Security: Threats and Countermeasures, Chapter 5 – Architecture and Design Review for Security, http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/ThreatCounter.asp

  21. Authorization Providers
     • AzMan (Authorization Manager)
       • Requires Microsoft® Windows® 2000™ Server with Service Pack 4, Microsoft Windows Server 2003, or Windows XP SP1 with Windows Server 2003 Administration Tools Pack
     • Authorization Rule
       • Allows you to create simple rules that are evaluated at runtime
       • Configuration Console provides a rule expression editor
       • Rules are named and stored in the configuration file

  22. Authorization Rules
     • Identities
       • Specific (for example, “Bob”)
       • Anonymous (?)
       • Any (*)
     • Roles
       • Specific (for example, “Managers”)
       • Any (*)
     • Operators
       • AND, OR, NOT and ()

  23. Authorization Rules
     • I:Bob
       Only a user with the identity Bob is authorized
     • ((R:HumanResources OR R:GeneralManagers) AND (NOT R:HRSpecialist))
       Only users that are in either the HumanResources or GeneralManagers role and not in the HRSpecialist role are authorized
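To show how the rule grammar on slides 22 and 23 is actually evaluated, here is a small recursive-descent evaluator in C#. It is an added example for this transcript, not code from the deck or from the Enterprise Library source: the `Caller` class, the `RuleEvaluator` class and the exact meaning given to `I:*`, `I:?` and `R:*` are assumptions made for the example, while the real Authorization Rule provider evaluates its rules against an `IPrincipal` with its own parser. The block's `NOT` binds tighter than `AND`, which binds tighter than `OR`, and parentheses override that, which is the usual reading of such expressions.

```csharp
using System;
using System.Collections.Generic;

// Toy caller model, constructed for this example. The real block evaluates rules
// against an IPrincipal; this class only carries the facts the grammar refers to.
public sealed class Caller
{
    public string Name;
    public bool IsAuthenticated;
    public HashSet<string> Roles;

    public Caller(string name, bool isAuthenticated, params string[] roles)
    {
        Name = name;
        IsAuthenticated = isAuthenticated;
        Roles = new HashSet<string>(roles, StringComparer.OrdinalIgnoreCase);
    }
}

// Recursive-descent evaluator for the rule grammar on slides 22 and 23.
// Precedence: NOT binds tightest, then AND, then OR; parentheses override.
public sealed class RuleEvaluator
{
    private readonly string[] tokens;
    private int pos;

    private RuleEvaluator(string expression)
    {
        // Parentheses become their own tokens; everything else splits on whitespace.
        tokens = expression.Replace("(", " ( ").Replace(")", " ) ")
                           .Split(new char[0], StringSplitOptions.RemoveEmptyEntries);
    }

    public static bool Evaluate(string expression, Caller caller)
    {
        RuleEvaluator e = new RuleEvaluator(expression);
        bool result = e.ParseOr(caller);
        if (e.pos != e.tokens.Length)
            throw new FormatException("Unexpected token: " + e.tokens[e.pos]);
        return result;
    }

    private bool PeekIs(string s) { return pos < tokens.Length && string.Equals(tokens[pos], s, StringComparison.OrdinalIgnoreCase); }
    private string Next() { if (pos >= tokens.Length) throw new FormatException("Unexpected end of expression"); return tokens[pos++]; }

    private bool ParseOr(Caller c) { bool v = ParseAnd(c); while (PeekIs("OR")) { Next(); v |= ParseAnd(c); } return v; }
    private bool ParseAnd(Caller c) { bool v = ParseNot(c); while (PeekIs("AND")) { Next(); v &= ParseNot(c); } return v; }

    private bool ParseNot(Caller caller)
    {
        if (PeekIs("NOT")) { Next(); return !ParseNot(caller); }
        if (PeekIs("("))
        {
            Next();
            bool inner = ParseOr(caller);
            if (Next() != ")") throw new FormatException("Missing ')'");
            return inner;
        }
        return EvaluateAtom(Next(), caller);
    }

    // Atom semantics assumed for this example: I:name, I:* (any authenticated caller),
    // I:? (anonymous caller), R:name, R:* (caller holds at least one role).
    private static bool EvaluateAtom(string token, Caller caller)
    {
        if (token.StartsWith("I:"))
        {
            string name = token.Substring(2);
            if (name == "*") return caller.IsAuthenticated;
            if (name == "?") return !caller.IsAuthenticated;
            return caller.IsAuthenticated && string.Equals(caller.Name, name, StringComparison.OrdinalIgnoreCase);
        }
        if (token.StartsWith("R:"))
        {
            string role = token.Substring(2);
            return role == "*" ? caller.Roles.Count > 0 : caller.Roles.Contains(role);
        }
        throw new FormatException("Unknown atom: " + token);
    }
}

public static class Demo
{
    public static void Main()
    {
        // The second rule from slide 23, applied to two constructed callers.
        string rule = "((R:HumanResources OR R:GeneralManagers) AND (NOT R:HRSpecialist))";
        Caller bob = new Caller("Bob", true, "HumanResources");
        Caller sue = new Caller("Sue", true, "HumanResources", "HRSpecialist");
        Console.WriteLine("Bob may act: " + RuleEvaluator.Evaluate(rule, bob));
        Console.WriteLine("Sue may act: " + RuleEvaluator.Evaluate(rule, sue));
        Console.WriteLine("Sue passes I:Bob: " + RuleEvaluator.Evaluate("I:Bob", sue));
    }
}
```

Walking the second rule by hand for Bob (HumanResources only) gives true, and for Sue (HumanResources and HRSpecialist) false, because the `NOT R:HRSpecialist` branch fails for her. The evaluator rejects leftover or missing tokens with a `FormatException` rather than silently returning a result, which is the behaviour you want from anything that decides access: a malformed rule should fail closed and be noticed at configuration time, not grant access by accident.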

  24. Configuring the Authorization Rule Provider Using the Configuration Console (screenshot: rule name, rule expression)

  25. Demonstration of Rule Expression Editor (live View/Application Share)

  26. Authorizing the User
     • Create authorization provider
       IAuthorizationProvider ruleProvider = AuthorizationFactory.GetAuthorizationProvider("RuleProvider");
     • Call Authorize
       • Accepts an IPrincipal and a rule name
       bool authorized = this.ruleProvider.Authorize(principal, "Hire Employee");

  27. Roles
     • The two basic authorization strategies are:
       • Role based. Access to operations (typically methods) is secured based on the role membership of the caller. Roles are used to partition your application’s user base into sets of users who share the same security privileges within the application.
       • Resource based. Individual resources are secured using Windows ACLs. The application impersonates the caller prior to accessing resources, which allows the operating system to perform standard access checks.

  28. Roles
     • In the vast majority of .NET Web applications where scalability is essential, a role-based approach to authorization represents the best choice. For certain smaller scale intranet applications that serve per-user content from resources (such as files) that can be secured with Windows ACLs against individual users, a resource-based approach may be appropriate.
     Source: Building Secure Microsoft ASP.NET Applications, Chapter 3 – Authentication and Authorization, http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/secnetlpMSDN.asp

  29. Roles Providers
     • Active Directory®
     • Database
       • Uses Data Access Application Block for database access
       • SQL script included for required schema
       • Out-of-box requires using supplied authentication database provider (roles are tied to a userid in the Users table)

  30. Configuring the Roles Database Provider Using the Configuration Console (screenshot: configured database instance)

  31. Determining the Roles a User Is In
     • Create roles provider
       IRolesProvider rolesProvider = RolesFactory.GetRolesProvider("Roles Provider");
     • Get the Principal
       IPrincipal principal = rolesProvider.GetRoles(this.identity);
     • Call IsInRole
       bool isManager = principal.IsInRole("Manager");

  32. Profiles
     • A profile is a flexible application-defined container for associating application-specific information with a user identity. A profile can be any or all of the following:
       • A simple string or primitive type
       • A serializable object
       • A dictionary of primitives and serializable objects (all values are stored as strings in the database)

  33. Configuring the Profile Database Provider Using the Configuration Console (screenshot: configured database instance)

  34. Writing Profile Information
     • Create profile provider
       IProfileProvider profileProvider = ProfileFactory.GetProfileProvider();
     • Call SetProfile
       • Pass IIdentity of existing user
       • Pass object with profile information (e.g., serializable class)
       profileProvider.SetProfile(identity, profile);

  35. Reading Profile Information
     • Call GetProfile
       • Pass IIdentity of existing user
       • Returns object with profile information
       ProfileInformation userProfile = profileProvider.GetProfile(identity) as ProfileInformation;

  36. The Security Cache
     • The application block allows you to cache the security-related information
     • The cached information is identified by a token (you can specify it, or the block will generate it)
     • An example of when you might want to obtain a temporary token for an authenticated user is when you want to improve the performance of your application by passing the token instead of repeatedly authenticating the same user during a single user session

  37. Configuring the Security Cache Using the Configuration Console (screenshot: configured cache manager)

  38. Obtaining a Temporary Token
     • Create security cache
       ISecurityCacheProvider cache = SecurityCacheFactory.GetSecurityCacheProvider("MyCacheProvider");
     • Call SaveIdentity
       • Pass IIdentity of existing user
       • Returns a token
       IToken token = cache.SaveIdentity(this.identity);

  39. Authenticating using a Token
     • Call GetIdentity
       • Pass token returned by SaveIdentity
       • Returns IIdentity or null
       IIdentity savedIdentity = cache.GetIdentity(token);
       if (savedIdentity != null)
       {
           // user is authenticated
       }
       else
       {
           // user not authenticated
       }

  40. Expiring a Token
     • Call ExpireIdentity
       • Pass token returned by SaveIdentity
       cache.ExpireIdentity(token);
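The snippets on slides 18, 26, 31, 34, 35 and 38 to 40 are fragments of one session lifecycle: authenticate once, hold a cache token instead of the password, resolve the token on later requests to check roles, rules and profile data, and expire it at logout. The C# below puts them together as an added example for this transcript; it is not code from the deck or from Enterprise Library. It assumes the `Microsoft.Practices.EnterpriseLibrary.Security` namespace for the block's types, uses only the factory and provider calls shown on those slides, and treats the provider names and the `ProfileInformation` class as placeholders that must match whatever the application's configuration and profile schema actually define.

```csharp
using System;
using System.Security.Principal;
using Microsoft.Practices.EnterpriseLibrary.Security;  // assumed: namespace of the v1 Security block types

// Hypothetical profile class; any serializable object can be stored through SetProfile.
[Serializable]
public class ProfileInformation
{
    public string Department;
    public string PreferredLanguage;
}

public static class SecuritySession
{
    // Provider names are placeholders and must match the instances defined in app.config.
    private const string AuthProvider = "Authentication Provider";
    private const string RolesProvider = "Roles Provider";
    private const string RuleProvider = "RuleProvider";
    private const string CacheProvider = "MyCacheProvider";

    // Login: verify the password once, then hand back a token so the password never travels again.
    public static IToken Login(string username, string password)
    {
        IAuthenticationProvider authProvider = AuthenticationFactory.GetAuthenticationProvider(AuthProvider);
        NamePasswordCredential credentials = new NamePasswordCredential(username, password);
        IIdentity identity;
        if (!authProvider.Authenticate(credentials, out identity))
        {
            return null;  // one generic failure result; the reason is not exposed to the caller (slide 15)
        }
        ISecurityCacheProvider cache = SecurityCacheFactory.GetSecurityCacheProvider(CacheProvider);
        return cache.SaveIdentity(identity);
    }

    // Later request: resolve the token to an identity, expand roles, then evaluate the named rule.
    public static bool CanHireEmployee(IToken token)
    {
        ISecurityCacheProvider cache = SecurityCacheFactory.GetSecurityCacheProvider(CacheProvider);
        IIdentity identity = cache.GetIdentity(token);
        if (identity == null)
        {
            return false;  // expired, unknown or forged token: treated exactly like an unauthenticated caller
        }
        IRolesProvider rolesProvider = RolesFactory.GetRolesProvider(RolesProvider);
        IPrincipal principal = rolesProvider.GetRoles(identity);
        IAuthorizationProvider ruleProvider = AuthorizationFactory.GetAuthorizationProvider(RuleProvider);
        return ruleProvider.Authorize(principal, "Hire Employee");
    }

    // Profile round trip for the identity behind a token (slides 34 and 35).
    public static ProfileInformation UpdateDepartment(IToken token, string department)
    {
        ISecurityCacheProvider cache = SecurityCacheFactory.GetSecurityCacheProvider(CacheProvider);
        IIdentity identity = cache.GetIdentity(token);
        if (identity == null) return null;
        IProfileProvider profileProvider = ProfileFactory.GetProfileProvider();
        ProfileInformation profile = profileProvider.GetProfile(identity) as ProfileInformation;
        if (profile == null) profile = new ProfileInformation();
        profile.Department = department;
        profileProvider.SetProfile(identity, profile);
        return profileProvider.GetProfile(identity) as ProfileInformation;
    }

    // Logout: invalidate the token so it cannot be replayed after the session ends.
    public static void Logout(IToken token)
    {
        ISecurityCacheProvider cache = SecurityCacheFactory.GetSecurityCacheProvider(CacheProvider);
        cache.ExpireIdentity(token);
    }

    public static void Main()
    {
        IToken token = Login("JohnS", "MyPassword");  // sample credentials from slide 18
        if (token == null) { Console.WriteLine("login failed"); return; }
        Console.WriteLine("may hire: " + CanHireEmployee(token));
        Logout(token);
        Console.WriteLine("may hire after logout: " + CanHireEmployee(token));
    }
}
```

Two points are worth keeping from this arrangement. Every request path that receives a token goes through `GetIdentity` and treats `null` as "not authenticated", so an expired or fabricated token fails closed in one place. And the rule name passed to `Authorize` is the only thing the request handler knows about the policy; the identities and roles that satisfy "Hire Employee" live in the configured rule expression, so tightening the policy is a configuration change rather than a code change.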

  41. Key Extensibility Points
     • Custom security providers
     • Enhancing/expanding database providers
     • Plus… anything and everything – you have the source code!
     • Please post extensions and suggestions to the community: http://workspaces.gotdotnet.com/entlib

  42. Session Summary
     • Overview
     • What you must know to use the application block
       • Defining your configuration
       • Creating an instance of the security provider objects
       • Executing the methods
     • Getting beyond the surface
       • Selecting the right options for security
       • For really advanced users
       • Key extensibility points

  43. Additional Resources
     • Improving Web Application Security: http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/ThreatCounter.asp
     • Improving .NET Application Performance and Scalability: http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnpag/html/scalenet.asp
     • Application Architecture for .NET: http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnbda/html/distapp.asp
     • PatternShare.org
     • Enterprise Library Community: http://go.microsoft.com/fwlink/?linkid=39209&clcid=0x09
     • www.ronjacobs.com
       • Slides
       • Tech Tips
       • Podcasts

  44. Announcing: Enterprise Library 1.0 Download it Today! http://www.microsoft.com/practices

  45. Patterns and Practices Live!
     • Slides, Hands On Labs, On Demand Webcasts
     • Upcoming Live Webcasts
       • 3/28 Building your own block
       • 3/31 Enterprise Library Applied
       • 4/12 Global Bank Baseline Architecture
       • 4/14 Updater Application Block v2
     • http://www.pnplive.com

  46. Questions and Answers
     • Submit text questions using the “Ask a Question” button.
     • Don’t forget to fill out the survey.
     • For upcoming and previously live webcasts: www.microsoft.com/webcasts
     • Got webcast content ideas? E-mail us at: http://go.microsoft.com/fwlink/?LinkId=41781
     • Today's webcast was presented using Microsoft Office Live Meeting. Get a free 14 day trial: http://www.microsoft.com/presentlive
