Presentation is loading. Please wait.

Presentation is loading. Please wait.

Security Enhancements in.NET Framework 2.0 Rajiv Sodhi Microsoft India.

Similar presentations


Presentation on theme: "Security Enhancements in.NET Framework 2.0 Rajiv Sodhi Microsoft India."— Presentation transcript:

1

2 Security Enhancements in.NET Framework 2.0 Rajiv Sodhi Microsoft India

3 Agenda CLR Enhancements Protecting Data (DPAPI) System.Security.SecureString Access Control Lists XML Encryption Configuration file encryption ASP.NET Security ClickOnce Security Summary

4 Data Protection API (DPAPI) OS Level Data Protection Service Available on Windows 2000, XP, 2003 Password based service Tied to the user login credentials DPAPI does not store protected data There was no out of the box support for DPAPI calls in Framework 1.0 and 1.1 CryptProtectData and CryptUnProtectData

5 Data Protection API byte[] rawData = System.Text.UTF8Encoding.UTF8.GetBytes("My test"); byte[] cipherData = ProtectedData.Protect( rawData, null, DataProtectionScope.CurrentUser); rawData = ProtectedData.Unprotect( cipherData, null, DataProtectionScope.CurrentUser); Console.WriteLine( System.Text.UTF8Encoding.UTF8.GetString(rawData));

6 System.Security.SecureString Managed Strings – A Bad Place to Store Secrets There is no way to erase them GC doesn’t zero out old memory. GC compaction is NOT deterministic GC might move strings around and create several instances of the secret. Used for confidential text Content is encrypted Deleted when no longer needed Class not visible to COM Based on DPAPI Supported methods Insert, Append, Remove and Clear MakeReadOnly for lockdown No methods to inspect, compare or convert content

7 SecureString Example // Create a SecureString SecureString ss = new SecureString(); // Add characters and lock the string ss.AppendCharacter('a');ss.AppendCharacter('b');ss.MakeReadOnly(); // Retrieve content IntPtr uniString = Marshal.SecureStringToGlobalAllocUni(ss); Marshal.SecureStringToGlobalAllocUni(ss); String s = Marshal.PtrToStringUni(uniString); Console.WriteLine("String is '{0}'", s); // Zero and free Marshal.ZeroFreeGlobalAllocUni(uniString);

8 Access Control Lists (ACLs) Until now required P/Invoke The framework now models Windows security descriptors ! Programmatically read and modify access control lists (ACL) Supports objects and hierarchies Take ownership of objects Supports Auditing operations

9 Access Control Lists (ACLs) FileSecurity sec = new AccessControlSections.All); Console.WriteLine("owner = " + sec.GetOwner(typeof(NTAccount))); foreach (FileSystemAccessRule r in sec.GetAccessRules(true, true, typeof(NTAccount))) { Console.WriteLine(r.AccessControlType); Console.WriteLine(r.IdentityReference); Console.WriteLine(r.InheritanceFlags); Console.WriteLine(r.IsInherited); Console.WriteLine(r.PropagationFlags); Console.WriteLine(r.FileSystemRights); Console.WriteLine(""); } // foreach

10 XML Encryption W3C Compliant Implementation Will be able to exchange data with other implementations XML Output Does not have to be XML Input Can encrypt portions of an XML document Can encrypt different portions of the same document with different keys

11 XML Encryption Several types of encryption Triple DES AES 128 AES 192 AES 256 RSAX509CertificateEx Driven through System.Security.Cryptography.Xml.EncryptedXml Class Integration with XML Digital Signature XmlDecryptionTransform

12 Configuration File Encryption Used for configuration files in ASP.NET and Winforms DPAPI for Local, RSA for web farms Decryption is automatic Console.WriteLine(ConfigurationSettin gs.AppSettings["MySecret"]);

13 Configuration File Encryption (app.config) AQAA...C5L+4zzo8=

14 CLR Enhancements

15 Agenda Protecting Data (DPAPI) System.Security.SecureString Access Control Lists XML Encryption Configuration file encryption ASP.NET Security ClickOnce Security Summary

16 What's New in ASPNET Security Membership service Service for managing users and credentials Provider-based for flexible data storage Login controls Controls for logging in, creating new users, recovering lost passwords, and more Role Management service Combine forms authentication and role- based authorization without writing code!

17 Login Controls ControlDescription LoginUI for entering and validating user names and passwords LoginNameDisplays authenticated user names LoginStatusUI for logging in and logging out LoginViewDisplays different views based on login status and roles PasswordRecoveryUI for recovering forgotten passwords CreateUserWizardUI for creating new user accounts ChangePasswordUI for changing passwords

18 Membership Service Service for managing users and credentials Declarative access via Web Site Admin Tool Programmatic access via Membership and MembershipUser classes Membership class provides base services MembershipUser class represents users and provides additional services Provider-based for flexible data storage

19 Membership Schema Membership API Membership Data Access Other Data Stores Controls Login LoginStatus LoginView AccessMembershipProvider Other Membership Providers Other Membership Providers Membership Providers Membership MembershipUser SqlMembershipProvider SQL Server Other Login Controls Other Login Controls

20 Role Management Schema Roles API Roles Data Access Other Data Stores Controls Login LoginStatus LoginView AccessRoleProvider Other Role Providers Role Providers Roles SqlRoleProvider SQL Server Other Login Controls Other Login Controls

21 Login Controls

22 Agenda CLR Enhancements Protecting Data (DPAPI) System.Security.SecureString Access Control Lists XML Encryption Configuration file encryption ASP.NET Security ClickOnce Security Summary

23 Introduction To ClickOnce The Best of the Client and the Web WebClickOnce MSI Client Reach “No Touch” Deployment Low System Impact Install and Run per User Rich and Interactive Offline Access Windows Shell Integration Per-Computer and Shared Components Unrestricted Installation

24 Security Secure Execution Environment (Sandbox) ClickOnce applications run in a sandbox by default Permissions are based on origin Internet, Intranet, or Full Trust Internet, Intranet, or Full Trust Ensures that applications are safe to run Similar to Microsoft Internet Explorer and JavaScript Applications often need higher trust Call unmanaged code Access the file system or the registry Connect to a database Consume Web services

25 Security Determining Permission Requirements Security pane of Project Designer Use to manually configure permissions Permissions Calculator Calculates the least-required permissions Debug in the sandbox Debug applications with partial trust Exception Assistant Microsoft Intellisense® in the sandbox Filtered based on the security context

26 Click Once

27 Better Security Error Information Expanded SecurityException Type Now possible to tell precisely what failed and why Includes Failed Assembly information Including failed assemblies’ permission set grant Security Action that failed The permission set that was checked Deeply integrated into the VS IDE (Debug in Zones)

28 COOL

29 Further Exploring… System.Security.SecurityContextSystem.Security.PrincipleSystem.DirectoryServicesSystem.Diagnostics Code Coverage Static Analysis – PreFast and FxCop Application Verifier And More…

30 Your Feedback is Important! Please Fill Out the feedback form

31 © 2005 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.


Download ppt "Security Enhancements in.NET Framework 2.0 Rajiv Sodhi Microsoft India."

Similar presentations


Ads by Google