secure windows app development. authentication

32
Secure Windows App Development

Upload: pearl-bryan

Post on 18-Jan-2016

230 views

Category:

Documents


0 download

TRANSCRIPT

Page 1: Secure Windows App Development. Authentication

Secure Windows App Development

Page 2: Secure Windows App Development. Authentication

Age of cybercrime

Page 3: Secure Windows App Development. Authentication

Security across three stages

AuthenticationSecure authentication for usersPassword management is unwanted overhead

Secure data in flightSecure data transfer over networksServices exposed over Internet

Secure data at restWindows app modelSecure data storageData leak prevention

Page 4: Secure Windows App Development. Authentication

Authentication

Page 5: Secure Windows App Development. Authentication

Password authentication

********

username

ChallengesCredential theft

Credential reuse

Password complexity/expiration

Password-reset mechanisms

User password carelessness

Password management for IT

Page 6: Secure Windows App Development. Authentication

Web Authentication BrokerOAuth provider supportE.g. Facebook, Microsoft, Twitter, Google

“Outsourcing” authenticationUser controls their method of authenticationAuthorization controlled by app/service

User confidenceThe user interacts directly with the provider through web pagesThe app doesn’t need to collect or store the user’s credentials

Page 7: Secure Windows App Development. Authentication

Two-factor authentication

Benefits

Combining “something you know” with “something you have”

Mitigates most challenges with password authentication

Challenges

Complexity of implementation (incl. cost)

Difficulty of use for end-users

********

username

Page 8: Secure Windows App Development. Authentication

Azure Active DirectoryIdentity and Access managementSingle-factor authenticationMulti-factor authentication using mobile app, phone call or text message

Users sign in from any device using their existing username/password.

1 Users must also authenticate using their phone or mobile device before access is granted.

2User

AppsMicrosoft AzureActive Directory

Multi-FactorAuthenticatio

nServer

https://channel9.msdn.com/Events/Microsoft-Azure/AzureCon-2015/ACON312

Page 9: Secure Windows App Development. Authentication

Introducing Microsoft Passport and Windows Hello

Page 10: Secure Windows App Development. Authentication

Microsoft Passport & Windows HelloConvenient multi-factor authentication

Microsoft PassportEnterprise-grade two-factor authenticationDevice + biometric or PIN

Windows HelloEnd-user experience for authentication

Biometric framework supporting face, iris and fingerprint

Enterprise credential protectionusing Virtual Secure Mode (VSM)

Page 11: Secure Windows App Development. Authentication

Windows Hello enrollment in Windows 10During OOBE setup

Page 12: Secure Windows App Development. Authentication

Enabling Microsoft Passport in your app 1. Validate if the user has set up a PIN, and

optionally Windows Hello, on their deviceKeyCredentialManager.IsSupportedAsync

2. Create CredentialKey and attestation KeyCredentialManager.RequestCreateAsync

3. Register public key, attestation and user information with the server for validation on login

Page 13: Secure Windows App Development. Authentication

1. Application Start and request data from backend service

2. Server needs the user to authorize first and sends a challenge

3. App needs to sign the challenge with the private key.var signResult = await userKey.RequestSignAsync(message);

4. User is prompted for PIN or Biometric gesture

5. Challenge is signed and send back to the server

6. Server validates the signature with the public key from the user already stored

7. If valid, authorizes the user and returns the requested data

Microsoft Passport authentication

3 7 4 5 1

Page 14: Secure Windows App Development. Authentication

Demo Microsoft Passport andWindows Hello

Page 15: Secure Windows App Development. Authentication

Securing data in flight

Page 16: Secure Windows App Development. Authentication

Client/server to web services

Client/server Web services

Page 17: Secure Windows App Development. Authentication

Secure connections over HTTPSDetecting Message TamperingUsing hashes with Windows.Security.Cryptography.Core.HashAlgorithmProvider

Digital signatures with CryptographicEngine

SSL pinningEnsures message has been sent by the authorized server by verifying the server’s certificate

Easiest implementation is the evaluate of the certs the server returns in response to an HTTP request

This should be done before sending sensitive information in a request

Page 18: Secure Windows App Development. Authentication

SSL pinning in the app manifestCertificates declarationLimits HTTPS traffic to endpoints that have thisroot certificate present

Exclusive trustNo other HTTPS traffic allowed

Self-signedThis mechanism can be used to ensure secureconnections with using a self-signed certificate

Page 19: Secure Windows App Development. Authentication

SSL pinning in code

// Send a get request to BingHttpClient client = new HttpClient();Uri bingUri = new Uri("https://www.bing.com");HttpResponseMessage response = await client.GetAsync(bingUri); // Get the list of certificates that were used to validate the server's identityIReadOnlyList<Certificate> serverCertificates = response.RequestMessage.TransportInformation.ServerIntermediateCertificates;

More control over validationCan validate certificate chain

Custom logic for multiple domains/root CAs

Page 20: Secure Windows App Development. Authentication

SSL pinning in code (cont.)// Perform validation: in this example, we iterate through the certificates and check that the chain contains one specific certificate we are expectingfor(int i=0; i<certs.Count; i++){ byte[] thumbprint = certs[i].GetHashValue(); // Check if the thumbprint matches whatever you are expecting byte[] expected = new byte[] { 212, 222, 32, 208, 94, 102, 252 }; // Do byte comparison on thumbprint if (ThumbprintMatches(thumbprint, expected)) { // Validation successful }}

Page 21: Secure Windows App Development. Authentication

Demo SSL Pinning

Page 22: Secure Windows App Development. Authentication

API publishing challengesExposing API across the web

Easy and secure access to API

Authorizing access to specific APIs

Controlling scale and performance

v

Page 23: Secure Windows App Development. Authentication

AZURE API MANAGEMENT

Can be hosted anywhere and

authored in any language on any

platform.

API

Proxy

Developer PortalDevelopers

Apps

Publisher/Admin Publisher portal

https://channel9.msdn.com/events/Microsoft-Azure/AzureCon-2015/ACON313

Page 24: Secure Windows App Development. Authentication

Securing data at rest

Page 25: Secure Windows App Development. Authentication

Windows app model“Jail” for apps (not a “castle”)UWP apps can’t access data of other appsAttack surface reductionDevice Guard in Windows can help further limit this access

User consent and controlUser is in control to provide consent to use hardware and capabilities

App lifecycle managementLimited background execution and OS resource managementCradle to the grave definition: installation, runtime environment, resource management, updates, and uninstallation

Page 26: Secure Windows App Development. Authentication

Securing stored credentialsCredential lockerSecure storage of user credentials

Managed by Windows (versus app) for user, access limited to calling app

Multiple credentials for a particular app/user combination can be stored

var vault = new Windows.Security.Credentials.PasswordVault();

vault.Add(new Windows.Security.Credentials.PasswordCredential("My App", username, password));

Page 27: Secure Windows App Development. Authentication

Securing stored dataEncryption APIsSupport for symmetric and asymmetric encryption

Windows.Security.Cryptography.Core.CyptographicEngine supports encryption, decryption, and signing of content, as well as verification of digital signatures

Windows.Security.Cryptography.DataProtection.DataProtectionProvider supports encryption and decryption of data by using device and user information

Page 28: Secure Windows App Development. Authentication

Data leak preventionData separation and containmentFile level encryption for corporate apps

Seamless platform integrationNo need to switch modes, move to secure locations, use containers, or special apps to protect data Apps can use APIs to optimize UX, but don’t have to

IT managedIT has full control over keys and dataCan remote wipe corporate data on demand

Enterprise data protection

Page 29: Secure Windows App Development. Authentication

Enterprise data protection API’sProtect a filewait FileProtectionManager.ProtectAsync(m_file, “contoso.com”);

Revoke permissionsProtectionPolicyManager.ProtectedContentRevoked += ProtectedContentRevoked;

Check if network is personalresourceIdentity = await ProtectionPolicyManager. GetPrimaryManagedIdentityForNetworkEndpointAsync(new HostName(resourceUri.Host));// if resourceIdentity is empty or null, then it is considered personalif (!string.IsNullOrEmpty(resourceIdentity)){ context = ProtectionPolicyManager.CreateCurrentThreadNetworkContext(resourceIdentity);}

Page 30: Secure Windows App Development. Authentication

Secure Windows app development summary

AuthenticationAzure Active Directory for two-factor authenticationMove from passwords to Microsoft Passport

Secure data in flightSend data over SSL and verify server certificatesExpose APIs securely with Azure App Service

Secure data at restStore credentials securely with Credential lockerEncrypt data stored on the deviceUse enterprise data protection to prevent data leaks

Page 31: Secure Windows App Development. Authentication

[email protected]

@rajen_k

@WindowsDev

thank you

</ >Additional Resourceshttp://dev.windows.com/

Page 32: Secure Windows App Development. Authentication

© 2015 Microsoft Corporation. All rights reserved. Microsoft, Windows and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.