authorization, authentication, and security
Description: Summary of research on AAS
-
ASP.NET Authentication,
Authorization, and Security
Lifespan Biotechnologies
-
Overview
General process of authentication and authorization for any user who wishes to access secure information.
Internet Information Services (IIS) is the web server built into Windows Server; it receives the browser's requests and hosts the ASP.NET application (it is "the host" referred to below).
ASP.NET Web API is the framework (System.Web.Http) used to build the HTTP services; it supplies the filters, message handlers and principal objects used to authenticate and authorize callers.
http://i2.asp.net/media/3994461/webapi_auth01.png?cdn_id=2013-05-10-001
-
Authentication
Knowing the identity of the user
Used to keep information private (as opposed to public viewing)
To authenticate is to verify the credentials presented by a user against the credentials on record
What is it and why do we need it?
-
Authentication
Web API assumes that authentication happens in the host (IIS), typically in an HTTP module (IHttpModule) that runs before Web API sees the request
ASP.NET has several built-in authentication modules and also allows custom authentication (more on these later)
When the host authenticates a user, it creates a principal, an IPrincipal object
The principal carries the security context under which the request is processed
The host attaches the principal to the current thread by setting Thread.CurrentPrincipal
The principal contains an Identity object that holds information about the user (name, authentication type)
Whether the user was authenticated can be checked with principal.Identity.IsAuthenticated
Self-hosting is available as well, but is limited in functionality and impractical for this project
General Overview
-
Authentication
Basic Authentication
Forms Authentication
Passport Authentication
Integrated Windows Authentication
Custom Authentication
Type of Authentication
-
Authentication
1) If a request requires authentication, the server returns 401 (Unauthorized) and indicates that it supports Basic authentication with a WWW-Authenticate: Basic realm="..." header
2) The client repeats the request with an Authorization header containing name:password, base64-encoded
a. Credentials are not encrypted
b. Base64 is an encoding and NOT an encryption, so anyone who can read the request can recover the password; Basic authentication must only be used over HTTPS
Basic Authentication
-
Authentication
Credentials are valid only in the realm defined by the server
Vulnerable to CSRF attacks: once the user has entered credentials, the browser automatically attaches them to every later request to that site for the rest of the session, so a malicious page the user visits can make the browser send requests to the site that execute with the user's privileges (the attacker never needs to see the password)
Add [Authorize] to any controller/action that needs authentication (i.e. changing user information)
Browsers perform Basic authentication automatically (prompting the user for credentials); non-browser clients set it through HttpClient and HttpClientHandler (the Credentials property)
Basic Authentication (cont.)
-
Authentication
1) A request for a resource that requires authorization comes in
2) If the user is not authenticated, the server returns HTTP 302 (Found) and redirects to the login page (remembering the original URI in the ReturnUrl query parameter)
3) User enters credentials and submits the form (the credentials travel in the POST body, in clear text unless HTTPS is used)
4) Server returns another HTTP 302 redirecting to the original URI; this response sets the forms authentication cookie
5) Client requests the resource again. The request includes the cookie, so access is granted
Forms Authentication
-
Authentication
Differs from Basic Authentication in that the credentials are sent only once; afterwards the authentication cookie (an encrypted, signed ticket) identifies the user on each request
Credentials are still sent in clear text when the form is posted, and because the browser sends the cookie automatically, Forms Authentication is just as prone to CSRF attacks (see below)
More convenient than Basic Authentication, but the login form and the cookie must be protected with Secure Sockets Layer (SSL)/TLS; set requireSSL="true" on the <forms> element so the cookie is only ever sent over HTTPS (more later)
Forms Authentication (Cont.)
-
Authentication
Allows a single sign-in that uses information from a member site (Microsoft Passport / Windows Live ID) in order to log in
Must register the site with the Passport service; requires minor additional code changes
Leaves authentication to the Passport website
Impractical for early stages of development (if we are storing information), but may be useful later when used in conjunction with similar sites. Note that Passport authentication is obsolete (the Passport classes are marked obsolete in current versions of the .NET Framework), so a current project would use an external login provider through OAuth 2.0 / OpenID Connect instead
Passport Authentication
-
Authentication
Integrated Windows Authentication
1) Client sends credentials to the Kerberos Authentication Service (on the domain controller) and receives a ticket-granting ticket in return
2) Client presents the ticket-granting ticket to the Ticket Granting Service and receives a service ticket for the web server
3) Client presents the service ticket to IIS, which verifies it; the user is now authenticated without the password itself ever crossing the network
http://www.codeproject.com/KB/aspnet/ASPDOTNETauthentication/21.jpg
-
Authentication
Integrated Windows Authentication (Cont.)
Utilizes either Kerberos v5 or Windows NT LAN Manager (NTLM) authentication (NTLM is the fallback when Kerberos is unavailable and is considerably weaker)
Effective in terms of security
However, limited to Windows domain accounts and not supported by some browsers and clients; therefore impractical for an internet-facing application
-
Authentication
We can create our own custom authentication modules or message handlers within an ASP.NET project
Recall the principal objects: a custom authentication component must set two properties
Thread.CurrentPrincipal must be set to the IPrincipal it has built
HttpContext.Current.User should also be set to the same IPrincipal when HttpContext.Current exists (it does not exist in self-hosting)
BUT ASP.NET already provides everything that we need (and MUCH more)!
Therefore we do not have to write custom authentication (but it is always nice to learn!)
Custom Authentication
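The handler below ties the Basic Authentication slides to the two properties named above. It is an added example, not code from the original slides or from the project: it parses the Authorization header, base64-decodes the name:password pair, verifies it, and then sets Thread.CurrentPrincipal and HttpContext.Current.User. The realm name, the in-memory user table, the SHA-256 digests and the "Technician" role are assumptions standing in for the real database.

```csharp
using System;
using System.Collections.Generic;
using System.Net;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Security.Cryptography;
using System.Security.Principal;
using System.Text;
using System.Threading;
using System.Threading.Tasks;
using System.Web;

// Message handler that implements HTTP Basic authentication for Web API.
// Register it in WebApiConfig.Register: config.MessageHandlers.Add(new BasicAuthHandler());
public class BasicAuthHandler : DelegatingHandler
{
    private const string Realm = "lifespan-api";   // assumption: illustrative realm name

    // Assumption: an in-memory table stands in for the real user database. Values are
    // SHA-256 digests of the passwords; a production store should use a salted, slow hash (PBKDF2).
    private static readonly Dictionary<string, byte[]> Users = new Dictionary<string, byte[]>
    {
        { "praymond", Sha256("correct horse battery staple") },
        { "jcary",    Sha256("another-demo-password") }
    };

    protected override async Task<HttpResponseMessage> SendAsync(
        HttpRequestMessage request, CancellationToken cancellationToken)
    {
        // Basic credentials are only base64-encoded, so refuse them on plain HTTP.
        if (request.RequestUri.Scheme != Uri.UriSchemeHttps)
            return request.CreateErrorResponse(HttpStatusCode.Forbidden, "HTTPS required");

        AuthenticationHeaderValue auth = request.Headers.Authorization;
        string user;
        if (auth != null
            && string.Equals(auth.Scheme, "Basic", StringComparison.OrdinalIgnoreCase)
            && TryValidate(auth.Parameter, out user))
        {
            // The two properties from the Custom Authentication slide.
            var principal = new GenericPrincipal(new GenericIdentity(user, "Basic"),
                                                 new[] { "Technician" });   // assumption: role lookup
            Thread.CurrentPrincipal = principal;
            if (HttpContext.Current != null)          // null when self-hosted
                HttpContext.Current.User = principal;
        }
        // Otherwise the request continues anonymous; [Authorize] on the action produces the 401.

        HttpResponseMessage response = await base.SendAsync(request, cancellationToken);

        // Step 1 of the Basic scheme: advertise the scheme and realm on every 401.
        if (response.StatusCode == HttpStatusCode.Unauthorized)
            response.Headers.WwwAuthenticate.Add(
                new AuthenticationHeaderValue("Basic", "realm=\"" + Realm + "\""));
        return response;
    }

    // Decodes the base64 "name:password" parameter and checks it against the store.
    private static bool TryValidate(string parameter, out string user)
    {
        user = null;
        if (string.IsNullOrEmpty(parameter)) return false;

        string decoded;
        try { decoded = Encoding.UTF8.GetString(Convert.FromBase64String(parameter)); }
        catch (FormatException) { return false; }

        int colon = decoded.IndexOf(':');
        if (colon <= 0) return false;               // user-id must be non-empty and may not contain ':'

        string name = decoded.Substring(0, colon);
        string password = decoded.Substring(colon + 1);

        byte[] expected;
        if (!Users.TryGetValue(name, out expected)) return false;
        if (!FixedTimeEquals(Sha256(password), expected)) return false;

        user = name;
        return true;
    }

    private static byte[] Sha256(string s)
    {
        using (var sha = SHA256.Create()) return sha.ComputeHash(Encoding.UTF8.GetBytes(s));
    }

    // Constant-time comparison: a short-circuiting compare would leak, via timing,
    // how many leading bytes of the digest matched.
    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}
```

The handler deliberately does not answer 401 itself on a bad password: it leaves the request anonymous and lets [Authorize] decide, so public actions stay reachable and protected ones get the 401 with the WWW-Authenticate header added on the way out.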
-
Authentication
As mentioned briefly, a cross-site request forgery attack is one in which an external site causes requests to be sent to a site where the user is currently logged in
It works because the user's browser automatically attaches the site's credentials (the Basic authentication header or the authentication cookie) to any request for that site, including requests triggered by a malicious page (a hidden form, an image tag, or script)
The malicious site cannot read the user's credentials or the responses, but the forged request executes with everything the user is allowed to do (e.g. change the user's e-mail address or password)!
Cross-Site Request Forgery Attacks
-
Authentication
Use anti-forgery tokens (require that the server issue request verification tokens)
1) Client requests a page that requires authentication and contains a form
2) Server includes two tokens in the response: one in a cookie and one in a hidden form field. Both are randomly generated so third parties cannot guess the values
3) When the client submits the form, it must send both tokens back. The form token travels in the form field; the cookie token is sent automatically with the cookie
4) If the request does not include both items (or they do not match each other), the server rejects the request
Effective because a malicious page can only send requests but cannot read the user's tokens, due to the same-origin policy
This method should be used with any authentication scheme in which the browser silently sends credentials after the user logs in
Should be used with requests that invoke non-safe methods (actions that change data) such as POST, PUT, and DELETE, and the coder should confirm that safe methods (GET, HEAD) are indeed safe, i.e. have no side effects
To include in the project, use the HtmlHelper.AntiForgeryToken helper method in the form (and [ValidateAntiForgeryToken] on the MVC action); if the request is not HTML form data (e.g. AJAX calls to Web API), generate the tokens with AntiForgery.GetTokens and validate them with AntiForgery.Validate after extracting them from the cookie and a header yourself
Preventative Measures Against CSRF Attacks
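The filter below is the non-form variant from the last bullet, written out as an added example (not code from the original slides or the project): it reads the cookie token and a header token on state-changing Web API requests and hands them to AntiForgery.Validate. The header name X-RequestVerificationToken and the client snippet in the trailing comment are assumptions chosen for this example.

```csharp
using System;
using System.Linq;
using System.Net;
using System.Net.Http;
using System.Web;
using System.Web.Helpers;            // AntiForgery, AntiForgeryConfig (System.Web.WebPages package)
using System.Web.Http.Controllers;
using System.Web.Http.Filters;

// Validates the double-submit anti-forgery tokens on state-changing Web API requests.
// Apply per action, per controller, or globally (config.Filters.Add(new ValidateAntiForgeryHeaderAttribute())).
[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method, AllowMultiple = false)]
public class ValidateAntiForgeryHeaderAttribute : AuthorizationFilterAttribute
{
    private const string HeaderName = "X-RequestVerificationToken";   // assumption: header name chosen for this example

    public override void OnAuthorization(HttpActionContext actionContext)
    {
        HttpRequestMessage request = actionContext.Request;

        // Safe methods must not change state, so they are not CSRF targets; skip them.
        if (request.Method == HttpMethod.Get || request.Method == HttpMethod.Head
            || request.Method == HttpMethod.Options)
            return;

        // Token 1: the anti-forgery cookie, which the browser attaches automatically.
        string cookieToken = request.Headers.GetCookies(AntiForgeryConfig.CookieName)
            .Select(header => header[AntiForgeryConfig.CookieName])
            .Where(state => state != null)
            .Select(state => state.Value)
            .FirstOrDefault();

        // Token 2: the form token, which page script must copy into a custom header.
        // A cross-origin page can make the browser send the cookie, but the same-origin
        // policy stops it from reading this token out of our page, so it cannot supply it.
        string formToken = request.Headers.Contains(HeaderName)
            ? request.Headers.GetValues(HeaderName).FirstOrDefault()
            : null;

        if (string.IsNullOrEmpty(cookieToken) || string.IsNullOrEmpty(formToken))
        {
            actionContext.Response = request.CreateErrorResponse(
                HttpStatusCode.Forbidden, "Anti-forgery tokens missing");
            return;
        }

        try
        {
            // Verifies that both tokens were issued together and bind to the current user.
            // Needs IIS hosting (HttpContext.Current), as the slides note for self-hosting.
            AntiForgery.Validate(cookieToken, formToken);
        }
        catch (HttpException)   // HttpAntiForgeryException derives from HttpException
        {
            actionContext.Response = request.CreateErrorResponse(
                HttpStatusCode.Forbidden, "Anti-forgery tokens invalid");
        }
    }
}

// Issuing the pair for a non-form (AJAX) client, e.g. in the MVC action that renders the page:
//   string cookieToken, formToken;
//   AntiForgery.GetTokens(null, out cookieToken, out formToken);
//   Response.Cookies.Add(new HttpCookie(AntiForgeryConfig.CookieName, cookieToken) { HttpOnly = true, Secure = true });
//   // embed formToken in the page; the client then sends it with every PUT/POST/DELETE:
//   //   fetch("/api/account/1", { method: "PUT", headers: { "X-RequestVerificationToken": formToken }, ... })
```

Rejecting with 403 rather than 401 is intentional: the caller is usually authenticated, and a 401 would make a browser re-prompt for credentials instead of signalling a bad request.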
-
Authentication
SSL/TLS can be layered under all of the aforementioned schemes
1) Create or obtain a certificate for SSL in IIS
2) Add an HTTPS binding (the appended S stands for Secure)
Some requests may be allowed over HTTP while others require SSL
MVC has a [RequireHttps] action filter; Web API has no built-in equivalent, so write a small authorization filter that rejects non-HTTPS requests for the actions that need the extra protection
SSL can also authenticate the client, using Public Key Infrastructure (PKI) certificates
More secure than user/password and provides a complete, secure channel with authentication, message integrity and message encryption
However, a PKI certificate must be obtained and managed for each client, and the client must support SSL client certificates
IIS must be configured to accept (or require) client certificates
Obtain the client certificate with request.GetClientCertificate(), which returns an X509Certificate2 object that can then be validated and used for authentication and authorization
Secure Sockets Layer (SSL)
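An added example (not from the original slides or the project) of the two Web API pieces this slide asks for: a filter that plays the role of [RequireHttps] for ApiController actions and, when requested, insists on a client certificate obtained through GetClientCertificate(). The attribute name, the thumbprint allow-list and its value are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Net;
using System.Net.Http;
using System.Security.Cryptography.X509Certificates;
using System.Web.Http.Controllers;
using System.Web.Http.Filters;

// Web API counterpart of MVC's [RequireHttps]: rejects plain-HTTP requests and, when asked,
// requires a trusted client certificate. Apply as [ApiRequireHttps] or
// [ApiRequireHttps(RequireClientCertificate = true)] on a controller or action.
public class ApiRequireHttpsAttribute : AuthorizationFilterAttribute
{
    public bool RequireClientCertificate { get; set; }

    // Assumption: thumbprints (SHA-1 hex) of the client certificates this service has issued.
    private static readonly HashSet<string> TrustedThumbprints =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase)
        {
            "A1B2C3D4E5F60718293A4B5C6D7E8F9012345678"
        };

    public override void OnAuthorization(HttpActionContext actionContext)
    {
        HttpRequestMessage request = actionContext.Request;

        if (request.RequestUri.Scheme != Uri.UriSchemeHttps)
        {
            // Refuse rather than redirect: whatever the request carried has already crossed
            // the wire in clear text, and a redirect would make the client re-send it.
            actionContext.Response = request.CreateErrorResponse(
                HttpStatusCode.Forbidden, "HTTPS required");
            return;
        }

        if (!RequireClientCertificate) return;

        // Populated by IIS when the site is configured to accept or require client certificates.
        X509Certificate2 cert = request.GetClientCertificate();
        if (cert == null || !IsTrusted(cert))
        {
            actionContext.Response = request.CreateErrorResponse(
                HttpStatusCode.Forbidden, "Valid client certificate required");
        }
    }

    public static bool IsTrusted(X509Certificate2 cert)
    {
        // 1. Chain, validity period and revocation check against the machine's trust store
        //    (Verify() contacts the CA's revocation endpoint; cache or use a chain policy in bulk).
        // 2. Pin to the certificates we actually issued: a valid chain alone only proves that
        //    some trusted CA signed it, not that its holder is one of our clients.
        return cert.Verify() && TrustedThumbprints.Contains(cert.Thumbprint);
    }
}
```

On the IIS side the certificate only reaches the application if the site negotiates one: set sslFlags="Ssl, SslNegotiateCert" on system.webServer/security/access (the section is locked in applicationHost.config by default and must be unlocked before web.config can set it).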
-
Summary of Authentication
Authentication is a means of establishing who the user is, by verifying the credentials provided by the user against those on record
ASP.NET supports several forms of authentication, including built-in schemes (Basic, Forms, and Passport), Integrated Windows Authentication, and Custom (coder-defined) authentication
A common attack on web applications is cross-site request forgery. It is prevented with anti-forgery tokens; Secure Sockets Layer does not stop CSRF, but it is required to keep credentials and cookies from being read in transit
-
Authorization
Decides whether a user is permitted to perform a particular action, e.g. changing a password or editing personal account information
Happens later in the pipeline, closer to the controller, than authentication
Is this user allowed to perform this action (does the user have the required permissions or roles)?
What is it and why do we need it?
-
Authorization
Authorization filters run before a controller action
If a request is not authorized, the filter will return an error response and the action is not invoked
Within a controller action, the authorization information of the user/principal can be accessed by the ApiController.User property
ASP.NET Web API provides a built-in authorization filter, AuthorizeAttribute, applied as [Authorize] (this should look familiar)
-
Authorization
When the filter is evaluated against the current principal, it returns HTTP status code 401 (Unauthorized; this should again seem familiar) if the principal does not satisfy it, and the action is not invoked
Two versions exist: System.Web.Http.AuthorizeAttribute for Web API controllers and System.Web.Mvc.AuthorizeAttribute for MVC controllers. The MVC attribute has no effect on an ApiController, so make sure the right namespace is imported
This filter can be applied at the global level (applies to every controller in the Web API), at the controller level (applies to every action in that controller), or at the action level (applies to that action only)
An [AllowAnonymous] filter can also be applied if the server wishes to allow public access. [AllowAnonymous] on an action overrides an [Authorize] applied at the controller or global level
Filters can also be restricted to specific users or roles by setting properties in the attribute declaration: [Authorize(Users = "praymond,jcary")] would allow only the users praymond and jcary to access this info
[Authorize(Roles = "Administrator,Technician")] would allow users with the role Administrator or Technician (logical OR) to access this info
[Authorize] and [AllowAnonymous] filter
-
Authorization
Custom authorization filters can be defined instead and are derived from one of the following types:
AuthorizeAttribute performs authorization logic based on user and role
AuthorizationFilterAttribute performs synchronous authorization logic that is not necessarily based on user or role
IAuthorizationFilter performs asynchronous authorization logic
Custom Authorization Filters
-
Authorization
Allows authorization based on role or user (as shown previously in the filter arguments)
Roles are not predefined by the framework; they must be defined in the application's membership/role store (database) and attached to the principal at authentication time
Available role checks:
Manual Role Check utilizes the IPrincipal.IsInRole method to check a role in code
Declarative Role Check utilizes the PrincipalPermissionAttribute class to demand role membership (only supports logical OR, not logical AND)
Imperative Role Check utilizes PrincipalPermission.Demand within methods to perform the authorization check
All of them match the role data against the current web requestor (HttpContext.User)
Role-Based Authorization
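The code below, added here as an example and not taken from the original slides or the project, pulls the last three slides together: an AuthorizeAttribute subclass that answers 403 instead of 401 when an authenticated user merely lacks the role, and a controller that applies it at controller and action level, opts one action out with [AllowAnonymous], and falls back to a manual IPrincipal.IsInRole check for a rule the attribute cannot express. The routes, role names and assignment table are assumptions; attribute routing and IHttpActionResult require Web API 2 with config.MapHttpAttributeRoutes().

```csharp
using System.Collections.Generic;
using System.Net;
using System.Net.Http;
using System.Security.Principal;
using System.Threading;
using System.Web.Http;
using System.Web.Http.Controllers;

// [Authorize] subclass: 401 for anonymous callers, 403 for authenticated callers who fail the
// Users=/Roles= check, so a browser does not keep re-prompting a logged-in user for credentials.
public class RoleAuthorizeAttribute : AuthorizeAttribute
{
    protected override void HandleUnauthorizedRequest(HttpActionContext actionContext)
    {
        // IsAuthorized has already failed; decide which status to return.
        // (Web API 2 also exposes the principal as actionContext.RequestContext.Principal.)
        IPrincipal principal = Thread.CurrentPrincipal;
        bool authenticated = principal != null && principal.Identity != null
                             && principal.Identity.IsAuthenticated;
        if (authenticated)
        {
            actionContext.Response = actionContext.Request.CreateErrorResponse(
                HttpStatusCode.Forbidden, "Insufficient role");
            return;
        }
        base.HandleUnauthorizedRequest(actionContext);   // 401 Unauthorized
    }
}

// Controller level: every action needs an authenticated user unless marked [AllowAnonymous].
// Global level would instead be: config.Filters.Add(new RoleAuthorizeAttribute());
[RoleAuthorize]
public class PatientsController : ApiController
{
    // Assumption: constructed sample data standing in for the role/assignment tables.
    private static readonly Dictionary<string, HashSet<int>> Assignments =
        new Dictionary<string, HashSet<int>> { { "jcary", new HashSet<int> { 42, 57 } } };

    [AllowAnonymous]                                   // public; overrides the controller-level filter
    [HttpGet, Route("api/clinics")]
    public IHttpActionResult Clinics()
    {
        return Ok(new[] { "Downtown", "Westside" });
    }

    [HttpGet, Route("api/patients/{id}")]              // any authenticated user
    public IHttpActionResult Get(int id)
    {
        return Ok(new { id, name = "(redacted)" });
    }

    [RoleAuthorize(Roles = "Administrator,Technician")]   // logical OR of the listed roles
    [HttpPut, Route("api/patients/{id}")]
    public IHttpActionResult Update(int id)
    {
        // Manual role check for a rule the attribute cannot express: a Technician may edit
        // only patients assigned to them (logical AND of role and assignment).
        if (!User.IsInRole("Administrator") && !IsAssigned(User, id))
            return StatusCode(HttpStatusCode.Forbidden);
        return Ok();
    }

    public static bool IsAssigned(IPrincipal user, int patientId)
    {
        HashSet<int> patients;
        return user.IsInRole("Technician")
            && Assignments.TryGetValue(user.Identity.Name, out patients)
            && patients.Contains(patientId);
    }
}
```

With this in place, a request from jcary to PUT api/patients/42 succeeds, the same user on api/patients/99 gets 403, and an anonymous caller gets 401 (carrying the WWW-Authenticate header if a Basic handler is registered).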
-
Summary of Authorization
Determines if a user is permitted to perform a particular action and is checked closer to the controller action
Utilizes [Authorize] and [AllowAnonymous] filters applied at the global, controller, and/or action level
Filters are defined by ASP.NET, or can be custom-defined by deriving from AuthorizeAttribute, AuthorizationFilterAttribute, or IAuthorizationFilter
Most practical form of authorization for this project, which allows users to define roles at registration, will be a role-based authorization
-
Additional Comments
Security will be particularly important and should be as strong as possible if we store sensitive information such as personal patient information, customer credit card information, etc.
Mashups: a webpage or web application that uses and combines data, presentation, or functionality from two or more sources to create new services. Main characteristics are combination, visualization and aggregation.
Useful if we wish to combine a large amount of information from various sources
Allows us to reuse existing data, rather than rewriting from scratch
i.e. integrating Google Maps to find help clinics local to a particular address
OAuth 2.0, a delegated authorization framework that lets users grant our application limited access to their accounts on other servers (and, with an identity layer on top, sign in with those accounts), was omitted due to the current scale of the project but can be considered for later versions
-
Questions?