Today's Agenda
Best practices for building well-designed, secure, data-driven, smart client applications
Session 1: Designing and building smart clients
  Patterns and practices for smart clients, IssueVision
Session 2: Securing smart client applications
  Tips for secure data, CAS, encryption, and more
Session 3: The ins and outs of secure data access
  Best practices for smart client data, offline data
Session 4: Deploying and maintaining smart clients
  Tips for deploying and updating apps to avoid “DLL Hell”
Agenda
Meet the Security Challenge Head-On
Drill-Down: Design choices for security
  Secure the database
  Protect secrets in your code
  Encrypt offline data
  Control access to local resources
  Control access to Web services
Protect Business Logic
Summary: Best Practices for Security
Meet Security Head-On
Adopt a structured approach to identifying, quantifying, and addressing threats:
  Threat Modeling
  Security Checklists
Best Practice: Make security reviews part of the development process
  Part of writing specifications and designing
  Just like coding and testing
Threat Modeling
Structured approach to:
  Evaluate security threats
  Identify countermeasures
DREAD helps rate risk:
  Damage potential
  Reproducibility
  Exploitability
  Affected users
  Discoverability
More information in MSDN Patterns and Practices: http://msdn.microsoft.com/library/en-us/dnnetsec/html/ThreatCounter.asp
Threat Modeling Process
  1. Identify Assets
  2. Create an Architectural Overview
  3. Decompose the Application
  4. Identify the Threats
  5. Document the Threats
  6. Rate the Threats
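The slide names the five DREAD factors and the six process steps but shows no worked rating. The following is an added example (not code from the deck or from IssueVision) that carries steps 5 and 6 through for a few constructed threats. The numeric scale (High = 3, Medium = 2, Low = 1 per factor, totals banded 12-15 High, 8-11 Medium, 5-7 Low) is an assumption chosen for this example, as is every threat listed; Python is used here as a language-neutral illustration rather than the deck's VB.NET.

```python
from dataclasses import dataclass

# Assumed rating scale (the slide names the five factors but not a scale):
# each factor is scored High = 3, Medium = 2, Low = 1, so a total lies in 5..15.
HIGH, MEDIUM, LOW = 3, 2, 1
FACTORS = ("damage", "reproducibility", "exploitability", "affected_users", "discoverability")


@dataclass(frozen=True)
class Threat:
    name: str
    damage: int            # D: how bad is it if exploited?
    reproducibility: int   # R: how reliably can it be triggered?
    exploitability: int    # E: how little skill or effort does it take?
    affected_users: int    # A: how many users are affected?
    discoverability: int   # D: how easy is it to find?

    def __post_init__(self):
        for factor in FACTORS:
            value = getattr(self, factor)
            if value not in (LOW, MEDIUM, HIGH):
                raise ValueError(f"{factor} must be 1, 2 or 3, got {value!r}")

    def score(self) -> int:
        """DREAD total: the sum of the five factor ratings."""
        return sum(getattr(self, factor) for factor in FACTORS)


def risk_band(score: int) -> str:
    """Assumed bands for the 5..15 total: 12-15 High, 8-11 Medium, 5-7 Low."""
    if score >= 12:
        return "High"
    if score >= 8:
        return "Medium"
    return "Low"


def document_threats(threats):
    """Steps 5 and 6 of the process: record each threat with its rating,
    highest risk first, so countermeasures can be prioritised."""
    ranked = sorted(threats, key=lambda t: t.score(), reverse=True)
    return [{"threat": t.name, "score": t.score(), "risk": risk_band(t.score())} for t in ranked]


# Constructed sample threats for a smart client such as IssueVision
SAMPLE_THREATS = [
    Threat("Offline cache readable by another local user", MEDIUM, MEDIUM, LOW, LOW, LOW),
    Threat("SQL injection through a concatenated query", HIGH, HIGH, MEDIUM, HIGH, HIGH),
    Threat("Connection string stored in plaintext config", HIGH, HIGH, MEDIUM, MEDIUM, MEDIUM),
]

if __name__ == "__main__":
    for row in document_threats(SAMPLE_THREATS):
        print(f"{row['risk']:6} {row['score']:2}  {row['threat']}")
```

The ranked list is the artefact a security review would attach to the specification: the two High entries map directly onto the "Secure the Database" and "Protect secrets" slides that follow.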
MSDN Security Checklists
Great tool to identify threats: http://msdn.microsoft.com/library/en-us/dnnetsec/html/CL_SecRevi.asp
Drill-Down: Design Choices for Security
  Secure the database
  Protect secrets
  Encrypt offline data
  Control access to local resources
  Control access to Web services
Secure the Database
Use the least-privileged account possible to connect to the database
Limit access privileges to stored procedures only
If stored procedures can’t be used, use type-safe parameters to construct commands
Protect connection strings as secrets
Encrypt sensitive data to be retrieved from the database using strong symmetric encryption
Then encrypt the symmetric encryption keys with DPAPI, and store them in a restricted registry key
Tip: Different Logins by Task
“sa” (or equivalent domain account)
  Database server administrator
  Used to create the database only
“dbo”
  Owner (dbo) of the application database
  Used for application development only: modifying the schema, creating stored procedures
“IVUser”
  Locked-down account
  Used by middle-tier components to access the stored procedures
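The "type-safe parameters" bullet on the previous slide is the one most often skipped, so here is an added example (not IssueVision code) showing the concatenated command beside the parameterised one on the same inputs. It uses Python's built-in sqlite3 on a constructed in-memory table as a stand-in for the SQL Server layer the deck assumes; the `?` placeholder bound by the driver plays the same role as a SqlParameter on a SqlCommand.

```python
import sqlite3

# sqlite3 stands in for the SQL Server stored-procedure layer the slides assume;
# the mechanism (placeholders bound by the driver, value sent separately from the
# command text) is the same idea as a SqlParameter on a SqlCommand.


def build_sample_db() -> sqlite3.Connection:
    """Constructed in-memory issue table, standing in for the IssueVision database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Issues (IssueID INTEGER PRIMARY KEY, Title TEXT, Owner TEXT)")
    conn.executemany(
        "INSERT INTO Issues (Title, Owner) VALUES (?, ?)",
        [("Login page slow", "alice"), ("Crash on save", "bob"), ("Typo in footer", "alice")],
    )
    conn.commit()
    return conn


def issues_for_owner_unsafe(conn, owner: str) -> list:
    """'Before': command text built by string concatenation, so whatever the
    caller typed is parsed as SQL rather than treated as a value."""
    sql = "SELECT Title FROM Issues WHERE Owner = '" + owner + "' ORDER BY IssueID"
    return [row[0] for row in conn.execute(sql)]


def issues_for_owner_safe(conn, owner: str) -> list:
    """'After': a type-safe parameter. The command text is fixed and the value
    travels separately, so it can only ever match (or fail to match) an Owner."""
    sql = "SELECT Title FROM Issues WHERE Owner = ? ORDER BY IssueID"
    return [row[0] for row in conn.execute(sql, (owner,))]


def compare(conn, owner: str) -> dict:
    """Run both forms on the same input; an error from the unsafe form is
    reported as the string 'ERROR' instead of being raised."""
    try:
        unsafe = issues_for_owner_unsafe(conn, owner)
    except sqlite3.Error:
        unsafe = "ERROR"
    return {"unsafe": unsafe, "safe": issues_for_owner_safe(conn, owner)}


if __name__ == "__main__":
    db = build_sample_db()
    # A normal value, a legitimate name containing an apostrophe, and a
    # textbook tautology: only the parameterised form handles all three as data.
    for value in ("alice", "O'Brien", "x' OR 'a'='a"):
        print(repr(value), compare(db, value))
```

The apostrophe case is the tell: the concatenated command fails on an ordinary name, and the same parsing that breaks it is what lets a crafted value widen the WHERE clause. Combine the parameterised form with the locked-down "IVUser" login above so that even a mistake elsewhere cannot reach beyond the stored procedures it is granted.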
Protect Secrets & Offline Data
One-way hash functions
  Easy to compute, practically impossible to reverse
  You cannot recover the source data from just its hash value!
  Best for: storing user passwords or other data where comparing hash values is sufficient
Strong encryption algorithms
  Ciphertext can be decrypted only if you know the encryption key
  Best for: protecting stored or transmitted data
Which Technique Should I Use?
I want to… | Recommendation | Advantages | Limitations
Store a user password securely | Salt + SHA1 (one-way hash) | Prepend a random salt to the password before hashing to defend against off-line dictionary attacks. No keys to manage. | Identical input yields identical hash values. Must store a salt to ensure unique cipher text for identical values.
Protect local user data | DPAPI (encryption using keys derived from user credentials) | DPAPI manages keys on behalf of the application. | Data can’t be decrypted by other users, or on other machines.
Encrypt data that will need to be decrypted later | Symmetric encryption algorithms (e.g. Rijndael) | Data can be decrypted by other apps / machines that have the key. | Application must manage keys and transmit them securely.
Encrypting User Passwords
Goal: Keep user passwords safe, but usable
Recommendation: Hash (Salt + Password)
Storing a password:
  1. Create a unique “salt” for the user (the salt ensures the same value will be hashed differently)
  2. Prepend the salt to the password string
  3. Hash using SHA1: SHA1.ComputeHash()
  4. Store both the salt and the hash value
To verify, re-hash with the stored salt and the supplied password, then compare
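The four storage steps and the verification step above, carried through as an added example (not the deck's VB.NET, and not IssueVision code). Python's hashlib.sha1 stands in for SHA1.ComputeHash(); the 16-byte salt length and the `base64(salt)$base64(hash)` record layout are choices made for this example. The last function goes beyond the slide: SHA-1 was the 2004 recommendation, and the same salt-and-hash pattern is carried out today with a deliberately slow derivation such as PBKDF2.

```python
import base64
import hashlib
import hmac
import os

SALT_BYTES = 16  # constructed choice; any unpredictable per-user value works


def make_salt() -> bytes:
    """Step 1: a unique, random salt for this user."""
    return os.urandom(SALT_BYTES)


def hash_password(password: str, salt: bytes) -> bytes:
    """Steps 2 and 3: prepend the salt, then SHA-1 (the slide's SHA1.ComputeHash())."""
    return hashlib.sha1(salt + password.encode("utf-8")).digest()


def store_password(password: str) -> str:
    """Step 4: keep both salt and hash. Packed here as 'base64(salt)$base64(hash)'
    so a single column can hold the record (an assumed layout)."""
    salt = make_salt()
    digest = hash_password(password, salt)
    return base64.b64encode(salt).decode("ascii") + "$" + base64.b64encode(digest).decode("ascii")


def verify_password(password: str, stored: str) -> bool:
    """Re-hash the candidate with the stored salt and compare in constant time,
    so the comparison itself leaks nothing about how many bytes matched."""
    salt_b64, digest_b64 = stored.split("$", 1)
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    return hmac.compare_digest(hash_password(password, salt), expected)


def hash_password_slow(password: str, salt: bytes, iterations: int = 100_000) -> bytes:
    """Beyond the slide: the same salt-and-hash pattern with a deliberately slow
    derivation (PBKDF2-HMAC-SHA256), which is what replaces a single SHA-1 today."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


if __name__ == "__main__":
    record = store_password("correct horse")
    print(record)
    print(verify_password("correct horse", record), verify_password("wrong", record))
```

Two records for the same password differ because the salts differ, which is exactly the "must store a salt to ensure unique cipher text" limitation in the table above; the salt is not a secret and can sit next to the hash.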
Data Protection API (DPAPI)
Extends CryptoAPI
Key is derived from current user credentials
Uses TripleDES encryption
Supports entropy: an additional secret used to secure the data to a single application
Best for:
  Protecting offline data
  Protecting user-specific configuration data
[Diagram: the application (DataProtection.vb) hands plaintext data to DPAPI inside CryptoAPI (Crypt32.dll); DPAPI makes local RPC calls to the Local Security Authority (LSA) in the operating system and returns the protected data to the application]
Limit Access to Local Resources
What is a local resource? Just about everything!
  Files and file system
  Registry information
  User interface elements
  Clipboard
  Network access (e.g. Web, sockets)
  Performance counters, event logs
  Printing, and more
.NET controls access to local resources with Code Access Security
Code Access Security
Provides fine-grained access control to resources
Applications can run with “just enough” permissions
  For example: applications which don’t perform any file IO run without File IO Permission
Grants access to resources based on the identity of the code, not the user
  Uses evidence to determine code identity
  Uses policy to evaluate the evidence and determine which permissions will be granted to the application
Evidence + Policy = Permissions
[Flow diagram, reconstructed]
  1. Load assembly
  2. Gather evidence: hash, strong name, publisher, zone, URL
  3. Evaluate policy at each level (enterprise, machine, user, AppDomain) and grant permission sets (yielding permissions)
  4. Assembly performs a privileged operation, which demands a permission
  5. Permission granted?
     Yes: continue with the privileged operation (or access the resource)
     No: throw SecurityException
Preconfigured Policies by Zone
Permission | Capability | Local Intranet | Internet
File Dialog | Open and save files via file dialog box | Yes | No
File Dialog | Open files via file dialog box | Yes
Isolated Storage | File storage is isolated by user, application domain and assembly | Yes
Printing | Printing only via a restricted dialog box | Yes
Security | Execute | Yes
Security | Call unmanaged code | Yes | No
UI | Unrestricted | Yes | No
UI | Draw message boxes and dialogs | Yes
Web | Connect=https to originating site | Yes
Seven Types of Evidence
Strong-naming the assembly is an easy and robust method to establish code identity
Evidence | Description
Application directory | Where the application is installed
Hash | Cryptographic hash that determines assembly differences regardless of version number
Publisher | Software publisher signature
Site | Site of origin, such as http://www.microsoft.com
Strong Name | Cryptographically strong name of the assembly
URL | Originating URL
Zone | Zone of origin, such as Internet Zone
Strong Naming an Assembly
Strong name identifies your code and helps prevent tampering
Strong name includes:
  The simple text name of the assembly
  The version number of the assembly
  The culture code (if any) of the assembly
  Verified by a digitally signed hash of the assembly bytes
Generate a key pair and use it in the application: sn -k IssueVision.snk
Tools to Set Up Security
Strong naming
  SN.exe: generates a strong name key pair to sign .NET assemblies; general strong name signing tool
Change security policy
  .NET Configuration tool
  .NET Wizards
  CasPol.exe command line tool
Make changes carefully! Grant the smallest number of permissions needed to run
Deploying Security Policies
Deploy policies using SMS or Group Policy
Deploy with the application in the installation package (MSI created using the .NET Configuration snap-in)
System.Security.Policy namespace includes methods to add policies programmatically
Web Services Security
Most Web services use authentication
  Prevents anonymous use of the Web service
For some services, also:
  Authorization: ensures the user has permission to perform the requested action
  Encryption: prevents malicious data manipulation
Authentication Choices
Windows auth (NTLM)
  Easy choice for intranet applications
Roll-your-own
  Recommended for interop with non-WS-Security platforms
  Common path before WSE 2.0
Web Services Enhancements (WSE) 2.0
  Cross-platform, evolving standard
  Uses a standard SOAP header to transmit the caller’s credentials
WSE Security Tokens
A token is a collection of “claims”: name, identity, privileges
May or may not prove the identity of the sender
Tokens support role-based security: the Principal object gives access to the IsInRole method
Security Token | Description
UsernameToken | Simple username and password
X509SecurityToken | X.509 certificate
KerberosToken | Integrated Windows security, requires Windows Server 2003 or Windows XP with Service Pack 1
DerivedKeyToken | Generates a one-time key for each message; used in conjunction with other tokens to enhance app security
SecurityContextToken | Used to sign and encrypt an entire SOAP conversation
WSE Username Authentication
[Diagram: the desktop client’s Web services layer adds a UsernameToken as a custom SOAP header to the message; on the server, the Authenticate() Web service hands it to the UsernameTokenManager, configured by IssueVisionPolicy.xml; the token issuing services can then return a SecurityContextToken for the rest of the conversation]
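The token table and the diagram above describe the UsernameToken exchange without showing the messages. The following is an added example (not WSE code and not IssueVision's) of both sides of that exchange: the client builds the wsse:Security header with the digest form of the token as defined in the WS-Security UsernameToken Profile 1.0 (Base64 of SHA-1 over nonce + created + password), and a constructed server-side manager verifies it, rejects stale and replayed tokens, and returns a principal with an IsInRole check. The usernames, passwords, roles, nonce values, timestamps and the 300-second freshness window are all assumptions made for the example; Python stands in for the deck's .NET.

```python
import base64
import datetime
import hashlib
import hmac
import os
from xml.etree import ElementTree as ET

# WS-Security 1.0 namespaces and the UsernameToken Profile's PasswordDigest type
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
PASSWORD_DIGEST = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest"
NS = {"wsse": WSSE, "wsu": WSU}
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"


def password_digest(nonce: bytes, created: str, password: str) -> str:
    """UsernameToken Profile: Base64(SHA-1(nonce + created + password))."""
    raw = nonce + created.encode("utf-8") + password.encode("utf-8")
    return base64.b64encode(hashlib.sha1(raw).digest()).decode("ascii")


def build_security_header(username, password, nonce=None, created=None) -> str:
    """Client side: the wsse:Security SOAP header carrying a UsernameToken."""
    nonce = nonce or os.urandom(16)
    created = created or datetime.datetime.now(datetime.timezone.utc).strftime(TIME_FMT)
    security = ET.Element(f"{{{WSSE}}}Security")
    token = ET.SubElement(security, f"{{{WSSE}}}UsernameToken")
    ET.SubElement(token, f"{{{WSSE}}}Username").text = username
    ET.SubElement(token, f"{{{WSSE}}}Password", {"Type": PASSWORD_DIGEST}).text = (
        password_digest(nonce, created, password))
    ET.SubElement(token, f"{{{WSSE}}}Nonce").text = base64.b64encode(nonce).decode("ascii")
    ET.SubElement(token, f"{{{WSU}}}Created").text = created
    return ET.tostring(security, encoding="unicode")


class Principal:
    """Minimal stand-in for the principal the slide mentions, with IsInRole."""
    def __init__(self, username, roles):
        self.username = username
        self._roles = frozenset(roles)

    def is_in_role(self, role) -> bool:
        return role in self._roles


class UsernameTokenManager:
    """Server side (constructed; not WSE's own class): verify the digest,
    reject stale or replayed tokens, and return a Principal with roles."""
    def __init__(self, passwords: dict, roles: dict, max_age_seconds: int = 300):
        self._passwords = passwords      # constructed user store: username -> password
        self._roles = roles              # constructed role store: username -> roles
        self._seen_nonces = set()        # nonces already accepted inside the window
        self.max_age = max_age_seconds

    def authenticate(self, header_xml: str, now: datetime.datetime):
        token = ET.fromstring(header_xml).find("wsse:UsernameToken", NS)
        if token is None:
            return None
        user = token.findtext("wsse:Username", namespaces=NS)
        digest = token.findtext("wsse:Password", namespaces=NS)
        nonce_b64 = token.findtext("wsse:Nonce", namespaces=NS)
        created = token.findtext("wsu:Created", namespaces=NS)
        if not all((user, digest, nonce_b64, created)):
            return None
        created_at = datetime.datetime.strptime(created, TIME_FMT).replace(tzinfo=datetime.timezone.utc)
        if abs((now - created_at).total_seconds()) > self.max_age:
            return None                       # outside the freshness window
        if nonce_b64 in self._seen_nonces:
            return None                       # replayed message
        password = self._passwords.get(user)
        if password is None:
            return None
        expected = password_digest(base64.b64decode(nonce_b64), created, password)
        if not hmac.compare_digest(expected, digest):
            return None
        self._seen_nonces.add(nonce_b64)
        return Principal(user, self._roles.get(user, ()))


def demo() -> dict:
    """Constructed exchange: one valid call, a replay, a wrong password, a stale token."""
    manager = UsernameTokenManager({"alice": "correct horse"}, {"alice": {"Reporter"}})
    created = "2004-05-01T12:00:00Z"
    now = datetime.datetime(2004, 5, 1, 12, 0, 30, tzinfo=datetime.timezone.utc)
    header = build_security_header("alice", "correct horse", nonce=b"\x01" * 16, created=created)
    first = manager.authenticate(header, now)
    replay = manager.authenticate(header, now)
    bad_pw = manager.authenticate(build_security_header("alice", "wrong", created=created), now)
    stale = manager.authenticate(build_security_header("alice", "correct horse", created=created),
                                 now + datetime.timedelta(hours=1))
    return {
        "user": first.username if first else None,
        "reporter": first.is_in_role("Reporter") if first else None,
        "admin": first.is_in_role("Admin") if first else None,
        "replay_rejected": replay is None,
        "bad_password_rejected": bad_pw is None,
        "stale_rejected": stale is None,
    }
```

The digest form means the password itself never crosses the wire, but the server still needs the cleartext password (or an equivalent) to recompute the digest, which is why the deck pairs the token with SSL and why the nonce cache and freshness window are part of the server's job rather than optional extras.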
WSE 2.0 Version of IssueVision
IssueVision 1.0 uses “roll your own” authentication and SSL
Check here for an updated IssueVision 1.1 that uses WSE 2.0: msdn.microsoft.com/webservices/devdays2004
Protecting Business Logic
Problem: .NET code can be decompiled to reveal business logic and proprietary algorithms
Solution: Obfuscation
  Renames symbols in .NET assemblies, making it significantly more difficult to disassemble
Tools
  PreEmptive's Dotfuscator Community Edition is integrated into Microsoft's Visual Studio® .NET 2003 to get you started
  Dotfuscator will help to thwart reverse engineering attempts on your .NET code
Best Practices for Security
Adopt a structured approach to assessing threats, and make it part of your development process
Access data with the lowest possible permission: don’t run as DB Admin!
Execute code with the least possible permissions: don’t run as Admin!
Encrypt secrets, and store them in a safe place
Sign your assemblies with a strong name
Use WS-Security with Web services to authenticate callers
Resources
Threat Identification: msdn.microsoft.com/library/en-us/dnnetsec/html/CL_SecRevi.asp
Microsoft Security Updates: www.microsoft.com/security/security_bulletins/alerts2.asp
PSS Support Center: support.microsoft.com/default.aspx?pr=security
Related Resources: msdn.microsoft.com/library/en-us/dnnetsec/html/THReltdRes.asp
Resources (continued)
TechNet: Product and Technology Security Centers: www.microsoft.com/technet/security/prodtech/default.asp
TechNet: Security Topics: www.microsoft.com/technet/security/topics/default.asp
Solutions at a Glance: msdn.microsoft.com/library/en-us/dnnetsec/html/THCMGlance.asp