Presentation is loading. Please wait.

Presentation is loading. Please wait.

Remotely authenticating against the Service Framework.

Published byAdelia Dennis Modified over 8 years ago

Similar presentations

Presentation on theme: "Remotely authenticating against the Service Framework."— Presentation transcript:

1 Remotely authenticating against the Service Framework

2 Cathal Connolly Senior Engineer DNN Corporation Head of the security team Asp.net MVP

3 What’s available today? DNN 6.2.0-7.4.1 offer authentication via MessageHandlers

4 What’s a message handler? A message handler is a class that receives an HTTP request and returns an HTTP response. Message handlers derive from the abstract HttpMessageHandler class. Typically, a series of message handlers are chained together. The first handler receives an HTTP request, does some processing, and gives the request to the next handler. At some point, the response is created and goes back up the chain. This pattern is called a delegating handler.

5 Authentication Handlers Immediately after the context is determined the various authentication message handlers run. If the request is already authenticated the subsequent handlers each short circuit and do nothing. If a valid web forms cookie is present in the request then ASP.Net will have already authenticated the request before any of the WebAPI handlers runs. The order of the handlers is not particularly important as long as the WebFormsAuthMessageHandler always runs last. (this handler does a MembershipModule.AuthenticateRequest which completes the authentication within the DNN framework. There is no short circuit for this handler and it will always run.

6 Basic Authentication

7 Basic - How it works? HTTP Basic authentication implementation is the simplest technique for enforcing access controls to web resources because it doesn't require cookies, session identifier or login pages. HTTP Basic authentication uses static, standard HTTP headers which means that no handshakes have to be done in anticipation. There are some browser extensions to invalidate requests – but not reliable.

8 Basic Authentication DEMO

9 Basic - Pro’s and Con’s Pro’s Simple to implement Works with anything that “talks” HTTP Con’s Requires username and password in calling application Unprotected unless under TLS

10 Digest Authentication

11 Digest - How it works? Digest authentication is an application of MD5 cryptographic hashing with usage of nonce values to prevent replay attacks. Designed to be stronger than Basic as it doesn’t send the password in plain text, but rather a hash that is compared on the server end Sent as a customer authentication header, the values are parsed and verified and if valid the user is logged on.

12 Digest- Pro’s and Con’s Pro’s Better than basic as only a password digest is passed Simple to invoke from client script as javascript can generate MD5 Con’s Requires retrievable passwords so wont work in default DNN 7.0.0+ (unless passwordFormat changed) Wont work in FIPS environment MD5 is easily crackable Username is still clear Really needs TLS to be viable

13 WebForms Authentication The standard forms authentication cookie based authentication. Also act’s to correctly “login” authenticated principles Note: remote client’s can utilise this by storing cookies in a container and “scraping” the relevant page to ensure event validation is in place.

14 What’s coming in 8.0 8.0.0 now uses WebAPI 2.1 which allows us to utilise Authentication Attributes 8.0.0 will ship with two new ones HMAC OAUTH 2.0 An easy extension point for new authentication methods. As authentication happens before authorization, it can reuse existing authorization attributes (where applicable to auth scheme)

15 HMAC Authentication

16 HMAC- How it works? Mechanism for calculating a MAC using a hash function with a shared “secret” key. In cryptography, a keyed-hash message authentication code (HMAC) is a specific construction for calculating a message authentication code (MAC) involving a cryptographic hash function in combination with a secret cryptographic key. As with any MAC, it may be used to simultaneously verify both the data integrity and the authentication of a message.

17 HMAC –integrity & authenticity An altered message can cause the message recipient to behave in an unintended and undesired way. The message recipient should verify that the incoming message has not been tampered with. An attacker could pose as a legitimate sender and send falsified messages. The message recipient should verify that incoming messages originated from a legitimate sender. Due to requests being verifiable there is no need to worry about cross-site request forgery.

18 HMAC- How it works? We use a symmetric signature i.e. a single shared “secret” key, rather than an asymmetric signature (which would require a public/private key pair)

19 HMAC- How it works? Add a custom authorization header that contains the AppID, message signature, nonce and timestamp. The nonce is a unique value and specifically to stop replay attacks (unlike digest where it may be a simple timestamp). DNN will cache this nonce value for 5 minutes and any attempt to replay a request with a previously used nonce will fail. The timestamp is a unix timestamp is generated and used as part of the key. The server evaluates when it is processing it that it is within a predetermined timeframe. The AppId will be used to look up the AppSecret associated with that account and attempt to parse/validate the signature.

20 HMAC- Pro’s and Con’s Pro’s No requirement for TLS No sensitive data is viewable Mechanism also verifies integrity as well as authentication. Choice of hashing algorithm (MD5, SHA1, SHA256) – DNN’s implementation is SHA256 to maximise security and allow it to work in a FIPS environment Con’s Requires AppId and AppSecret to be generated and added to the remote application

21 HMAC Authentication DEMO

22 OAUTH Authentication Not OAUTH Client support – this already exists and is leveraged by a number of authentication providers. 8.0.0 will be adding OAUTH Server support.

23 Authorization Code Grant flow The authorization code grant type is the most commonly used because it is optimized for server-side applications, where source code is not publicly exposed, and Client Secret confidentiality can be maintained. This is a redirection-based flow, which means that the application must be capable of interacting with the user-agent (i.e. the user's web browser) and receiving API authorization codes that are routed through the user-agent.

24 Implicit Grant flow The implicit grant type is used for mobile apps and web applications (i.e. applications that run in a web browser), where the client secret confidentiality is not guaranteed. The implicit grant type is also a redirection-based flow but the access token is given to the user-agent to forward to the application, so it may be exposed to the user and other applications on the user's device. Also, this flow does not authenticate the identity of the application, and relies on the redirect URI (that was registered with the service) to serve this purpose

25 OAUTH Authentication NO DEMO – hopefully CTP3

26 Questions?

Download ppt "Remotely authenticating against the Service Framework."

Similar presentations

AUTHENTICATION AND KEY DISTRIBUTION

AUTHENTICATION AND KEY DISTRIBUTION
Kerberos 1 Public domain image of Heracles and Cerberus. From an Attic bilingual amphora, 530–520 BC. From Italy (?).

Kerberos 1 Public domain image of Heracles and Cerberus. From an Attic bilingual amphora, 530–520 BC. From Italy (?).
Building web applications on top of encrypted data using Mylar Presented by Tenglu Liang Tai Liu.

Building web applications on top of encrypted data using Mylar Presented by Tenglu Liang Tai Liu.
Kerberized Credential Translation Olga Kornievskaia Peter Honeyman Bill Doster Kevin Coffman Center for Information Technology Integration University of.

Kerberized Credential Translation Olga Kornievskaia Peter Honeyman Bill Doster Kevin Coffman Center for Information Technology Integration University of.
Socket Layer Security. In this Presentation: need for web security SSL/TLS transport layer security protocols HTTPS secure shell (SSH)

Socket Layer Security. In this Presentation: need for web security SSL/TLS transport layer security protocols HTTPS secure shell (SSH)
Topic 8: Secure communication in mobile devices. Choice of secure communication protocols, leveraging SSL for remote authentication and using HTTPS for.

Topic 8: Secure communication in mobile devices. Choice of secure communication protocols, leveraging SSL for remote authentication and using HTTPS for.
Digital Signatures and Hash Functions. Digital Signatures.

Digital Signatures and Hash Functions. Digital Signatures.
CMPE208 Presentation Terminal Access Controller Access Control System Plus (TACACS+) By MARVEL (Libing, Bhavana, Ramya, Maggie, Nitin)

CMPE208 Presentation Terminal Access Controller Access Control System Plus (TACACS+) By MARVEL (Libing, Bhavana, Ramya, Maggie, Nitin)
Environmental Council of States Network Authentication and Authorization Services The Shared Security Component February 28, 2005.

Environmental Council of States Network Authentication and Authorization Services The Shared Security Component February 28, 2005.
Core Web Service Security Patterns

Core Web Service Security Patterns
 Key exchange o Kerberos o Digital certificates  Certificate authority structure o PGP, hierarchical model  Recovery from exposed keys o Revocation.

 Key exchange o Kerberos o Digital certificates  Certificate authority structure o PGP, hierarchical model  Recovery from exposed keys o Revocation.
It’s always better live. MSDN Events Security Best Practices Part 2 of 2 Reducing Vulnerabilities using Visual Studio 2008.

It’s always better live. MSDN Events Security Best Practices Part 2 of 2 Reducing Vulnerabilities using Visual Studio 2008.
WEB2P security Java web application security Dr Jim Briggs.

WEB2P security Java web application security Dr Jim Briggs.
ASP.NET 2.0 Chapter 6 Securing the ASP.NET Application.

ASP.NET 2.0 Chapter 6 Securing the ASP.NET Application.
TrustPort Public Key Infrastructure. WWW.TRUSTPORT.COM Keep It Secure Table of contents  Security of electronic communications  Using asymmetric cryptography.

TrustPort Public Key Infrastructure. Keep It Secure Table of contents  Security of electronic communications  Using asymmetric cryptography.
Cookies COEN 351 E-commerce Security. Client / Session Identification HTTP does not maintain state. State Information can be passed using: HTTP Headers.

Cookies COEN 351 E-commerce Security. Client / Session Identification HTTP does not maintain state. State Information can be passed using: HTTP Headers.
CRYPTOGRAPHIC DATA INTEGRITY ALGORITHMS

CRYPTOGRAPHIC DATA INTEGRITY ALGORITHMS
Chapter 8.  Cryptography is the science of keeping information secure in terms of confidentiality and integrity.  Cryptography is also referred to as.

Chapter 8.  Cryptography is the science of keeping information secure in terms of confidentiality and integrity.  Cryptography is also referred to as.
Alexander Potapov.  Authentication definition  Protocol architectures  Cryptographic properties  Freshness  Types of attack on protocols  Two-way.

Alexander Potapov.  Authentication definition  Protocol architectures  Cryptographic properties  Freshness  Types of attack on protocols  Two-way.
CSCI 6962: Server-side Design and Programming

CSCI 6962: Server-side Design and Programming

Similar presentations

Ads by Google