Secure Windows App Development
Age of cybercrime
Security across three stages
Authentication
  Secure authentication for users
  Password management is unwanted overhead
Secure data in flight
  Secure data transfer over networks
  Services exposed over Internet
Secure data at rest
  Windows app model
  Secure data storage
  Data leak prevention
Authentication
Password authentication
Challenges
  Credential theft
  Credential reuse
  Password complexity/expiration
  Password-reset mechanisms
  User password carelessness
  Password management for IT
Web Authentication Broker
  OAuth provider support, e.g. Facebook, Microsoft, Twitter, Google
  "Outsourcing" authentication
    User controls their method of authentication
    Authorization controlled by app/service
  User confidence
    The user interacts directly with the provider through web pages
    The app doesn't need to collect or store the user's credentials
Two-factor authentication
Benefits
Combining “something you know” with “something you have”
Mitigates most challenges with password authentication
Challenges
Complexity of implementation (incl. cost)
Difficulty of use for end-users
Azure Active Directory
  Identity and Access Management
  Single-factor authentication
  Multi-factor authentication using mobile app, phone call or text message
  Diagram: User -> Apps -> Microsoft Azure Active Directory -> Multi-Factor Authentication Server
    1. Users sign in from any device using their existing username/password.
    2. Users must also authenticate using their phone or mobile device before access is granted.
https://channel9.msdn.com/Events/Microsoft-Azure/AzureCon-2015/ACON312
Introducing Microsoft Passport and Windows Hello
Microsoft Passport & Windows Hello
  Convenient multi-factor authentication
  Microsoft Passport
    Enterprise-grade two-factor authentication
    Device + biometric or PIN
  Windows Hello
    End-user experience for authentication
    Biometric framework supporting face, iris and fingerprint
  Enterprise credential protection using Virtual Secure Mode (VSM)
Windows Hello enrollment in Windows 10
  During OOBE setup
Enabling Microsoft Passport in your app
  1. Validate if the user has set up a PIN, and optionally Windows Hello, on their device
     KeyCredentialManager.IsSupportedAsync
  2. Create CredentialKey and attestation
     KeyCredentialManager.RequestCreateAsync
  3. Register public key, attestation and user information with the server for validation on login
Microsoft Passport authentication
  1. Application starts and requests data from the backend service
  2. Server needs the user to authorize first and sends a challenge
  3. App needs to sign the challenge with the private key:
     var signResult = await userKey.RequestSignAsync(message);
  4. User is prompted for PIN or biometric gesture
  5. Challenge is signed and sent back to the server
  6. Server validates the signature with the public key already stored for the user
  7. If valid, authorizes the user and returns the requested data
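The enrollment steps and the challenge/response sign-in above, carried through in code. This is an added example, not code from the deck or from Microsoft's sample; the key name "contoso-account", the 32-byte random challenge and the server-side check written with the same WinRT APIs are assumptions made for illustration. The public key is exported and imported as a BCryptPublicKey blob on both sides so the formats agree.

```csharp
using System;
using System.Threading.Tasks;
using Windows.Security.Credentials;          // KeyCredentialManager, KeyCredential
using Windows.Security.Cryptography;         // CryptographicBuffer
using Windows.Security.Cryptography.Core;    // AsymmetricKeyAlgorithmProvider, CryptographicEngine
using Windows.Storage.Streams;               // IBuffer

// Added example (not from the deck). Client-side enrollment and sign-in with
// KeyCredentialManager, plus a stand-in for the server's signature check.
public static class PassportFlow
{
    const string KeyName = "contoso-account"; // assumed name; use one key per user account

    // Enrollment steps 1-3: confirm a PIN/Hello is set up, create the key, and return
    // what the app registers with the server (public key blob, attestation if available).
    public static async Task<(IBuffer publicKey, IBuffer attestation)> EnrollAsync()
    {
        if (!await KeyCredentialManager.IsSupportedAsync())
            throw new InvalidOperationException("Passport is not set up (no PIN) on this device.");

        // ReplaceExisting re-enrolls on repeat calls; FailIfExists would surface that instead.
        KeyCredentialRetrievalResult created = await KeyCredentialManager.RequestCreateAsync(
            KeyName, KeyCredentialCreationOption.ReplaceExisting);
        if (created.Status != KeyCredentialStatus.Success)
            throw new InvalidOperationException("Key creation failed: " + created.Status);

        // Attestation needs a TPM; treat its absence as "unattested" and let the server
        // decide how much to trust an unattested key, rather than failing enrollment.
        KeyCredentialAttestationResult att = await created.Credential.GetAttestationAsync();
        IBuffer attestation = att.Status == KeyCredentialAttestationStatus.Success ? att.AttestationBuffer : null;

        IBuffer publicKey = created.Credential.RetrievePublicKey(CryptographicPublicKeyBlobType.BCryptPublicKey);
        return (publicKey, attestation);
    }

    // Sign-in steps 3-5: sign the server's challenge; the OS prompts for PIN or biometric.
    public static async Task<IBuffer> SignChallengeAsync(IBuffer challenge)
    {
        KeyCredentialRetrievalResult opened = await KeyCredentialManager.OpenAsync(KeyName);
        if (opened.Status != KeyCredentialStatus.Success)
            throw new InvalidOperationException("Key not available: " + opened.Status);

        KeyCredentialOperationResult signed = await opened.Credential.RequestSignAsync(challenge);
        if (signed.Status != KeyCredentialStatus.Success)   // e.g. UserCanceled
            throw new InvalidOperationException("Signing failed: " + signed.Status);
        return signed.Result;
    }

    // Step 6 as the server performs it (shown with WinRT APIs for brevity). The challenge
    // must be fresh and single-use, otherwise a captured signature could be replayed.
    public static bool VerifyChallengeSignature(IBuffer publicKeyBlob, IBuffer challenge, IBuffer signature)
    {
        var provider = AsymmetricKeyAlgorithmProvider.OpenAlgorithm(AsymmetricAlgorithmNames.RsaSignPkcs1Sha256);
        CryptographicKey key = provider.ImportPublicKey(publicKeyBlob, CryptographicPublicKeyBlobType.BCryptPublicKey);
        return CryptographicEngine.VerifySignature(key, challenge, signature);
    }

    // Step 2: the server's challenge, random so it cannot be predicted or reused.
    public static IBuffer NewChallenge() => CryptographicBuffer.GenerateRandom(32);
}
```

The server should store the challenge it issued alongside the user record and discard it after one verification attempt; binding the challenge to the session (or including a server nonce and timestamp) is what makes step 6 a proof of possession rather than a reusable token.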
Demo Microsoft Passport andWindows Hello
Securing data in flight
Client/server to web services
Secure connections over HTTPS
  Detecting message tampering
    Using hashes with Windows.Security.Cryptography.Core.HashAlgorithmProvider
    Digital signatures with CryptographicEngine
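An added example (not code from the deck) of the two tamper-detection tools named above. The point it makes that the slide does not: an unkeyed hash from HashAlgorithmProvider only catches accidental corruption, because anyone who can alter the message can recompute the hash; a keyed MAC (HMAC-SHA256 through MacAlgorithmProvider and CryptographicEngine) is what detects tampering by a party without the key. The JSON message and the random key are constructed for the demonstration.

```csharp
using Windows.Security.Cryptography;
using Windows.Security.Cryptography.Core;
using Windows.Storage.Streams;

// Added example (not from the deck): hash vs. keyed MAC for detecting message tampering.
public static class MessageIntegrity
{
    // Unkeyed digest, as on the slide: useful as a checksum, not as tamper detection.
    public static string Sha256Hex(string message)
    {
        var sha = HashAlgorithmProvider.OpenAlgorithm(HashAlgorithmNames.Sha256);
        IBuffer data = CryptographicBuffer.ConvertStringToBinary(message, BinaryStringEncoding.Utf8);
        return CryptographicBuffer.EncodeToHexString(sha.HashData(data));
    }

    // Keyed MAC: the tag cannot be recomputed without the shared key.
    public static IBuffer ComputeHmac(IBuffer key, string message)
    {
        var mac = MacAlgorithmProvider.OpenAlgorithm(MacAlgorithmNames.HmacSha256);
        CryptographicKey macKey = mac.CreateKey(key);
        IBuffer data = CryptographicBuffer.ConvertStringToBinary(message, BinaryStringEncoding.Utf8);
        return CryptographicEngine.Sign(macKey, data);
    }

    // VerifySignature accepts MAC keys as well, which avoids a hand-written (and possibly
    // early-exiting) byte comparison of the two tags.
    public static bool VerifyHmac(IBuffer key, string message, IBuffer tag)
    {
        var mac = MacAlgorithmProvider.OpenAlgorithm(MacAlgorithmNames.HmacSha256);
        CryptographicKey macKey = mac.CreateKey(key);
        IBuffer data = CryptographicBuffer.ConvertStringToBinary(message, BinaryStringEncoding.Utf8);
        return CryptographicEngine.VerifySignature(macKey, data, tag);
    }

    // Constructed demonstration: key is random here; in practice it is provisioned out of band.
    // Returns true when the genuine message verifies and the altered one does not.
    public static bool Demo()
    {
        IBuffer key = CryptographicBuffer.GenerateRandom(32);
        string original = "{\"amount\":100,\"to\":\"alice\"}";
        IBuffer tag = ComputeHmac(key, original);

        bool genuineOk = VerifyHmac(key, original, tag);
        bool alteredRejected = !VerifyHmac(key, "{\"amount\":100,\"to\":\"mallory\"}", tag);
        return genuineOk && alteredRejected;
    }
}
```

Over HTTPS the TLS record layer already provides this integrity check for data in flight; an application-level MAC or signature matters when a message is stored, forwarded through intermediaries, or must be verifiable by a party other than the TLS peer.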
SSL pinning
  Ensures the message has been sent by the authorized server by verifying the server's certificate
  Easiest implementation is to evaluate the certs the server returns in response to an HTTP request
  This should be done before sending sensitive information in a request
SSL pinning in the app manifest
  Certificates declaration
    Limits HTTPS traffic to endpoints that have this root certificate present
  Exclusive trust
    No other HTTPS traffic allowed
  Self-signed
    This mechanism can be used to ensure secure connections when using a self-signed certificate
SSL pinning in code
  // Windows.Web.Http.HttpClient (not System.Net.Http): only its response exposes TransportInformation
  using Windows.Security.Cryptography.Certificates;
  using Windows.Web.Http;

  // Send a GET request to Bing
  HttpClient client = new HttpClient();
  Uri bingUri = new Uri("https://www.bing.com");
  HttpResponseMessage response = await client.GetAsync(bingUri);

  // Get the list of certificates that were used to validate the server's identity
  IReadOnlyList<Certificate> serverCertificates =
      response.RequestMessage.TransportInformation.ServerIntermediateCertificates;
More control over validation
  Can validate certificate chain
  Custom logic for multiple domains/root CAs
SSL pinning in code (cont.)
  // Perform validation: in this example, we iterate through the certificates and check
  // that the chain contains one specific certificate we are expecting
  // ("certs" is the serverCertificates list obtained on the previous slide)
  IReadOnlyList<Certificate> certs = serverCertificates;
  for (int i = 0; i < certs.Count; i++)
  {
      byte[] thumbprint = certs[i].GetHashValue();   // SHA-1 thumbprint of the certificate

      // Check if the thumbprint matches whatever you are expecting
      // (placeholder bytes from the slide; a real SHA-1 thumbprint is 20 bytes)
      byte[] expected = new byte[] { 212, 222, 32, 208, 94, 102, 252 };

      // Do byte comparison on thumbprint
      if (ThumbprintMatches(thumbprint, expected))
      {
          // Validation successful
      }
  }

  // Byte-for-byte comparison of two thumbprints (helper the slide calls but does not show)
  bool ThumbprintMatches(byte[] actual, byte[] expected)
  {
      if (actual.Length != expected.Length) return false;
      for (int i = 0; i < actual.Length; i++)
          if (actual[i] != expected[i]) return false;
      return true;
  }
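The pinning check from the two slides above, assembled into one reusable pre-flight routine. This is an added example, not the deck's code: it uses Windows.Web.Http so the TransportInformation properties are available, pins on SHA-256 thumbprints via the Certificate.GetHashValue("SHA256") overload rather than the default SHA-1 value, checks the leaf certificate as well as the intermediates, and refuses to treat a pin match as a substitute for chain validation. The thumbprint in the set is a constructed placeholder, and the pre-flight URI is whatever harmless endpoint the app chooses.

```csharp
using System;
using System.Collections.Generic;
using System.Text;
using System.Threading.Tasks;
using Windows.Networking.Sockets;                       // SocketSslErrorSeverity
using Windows.Security.Cryptography.Certificates;       // Certificate
using Windows.Web.Http;                                 // HttpClient, HttpTransportInformation

// Added example (not from the deck): certificate pinning as a pre-flight check.
public static class PinnedHttp
{
    // Allowed SHA-256 thumbprints as lowercase hex. Pinning the issuing CA rather than
    // the leaf survives routine leaf rotation; either way, ship an update plan with the pin.
    static readonly HashSet<string> PinnedSha256 = new HashSet<string>
    {
        "0000000000000000000000000000000000000000000000000000000000000000" // placeholder, not a real value
    };

    // Send a harmless GET first; the request carrying sensitive data is only sent if this
    // returns true (the slide: "before sending sensitive information in a request").
    public static async Task<bool> ServerIsPinnedAsync(Uri preflightUri)
    {
        using (var client = new HttpClient())
        {
            HttpResponseMessage response = await client.GetAsync(preflightUri);
            HttpTransportInformation tls = response.RequestMessage.TransportInformation;

            // A pin match never repairs a broken chain (expired, untrusted, name mismatch).
            if (tls.ServerCertificateErrorSeverity != SocketSslErrorSeverity.None)
                return false;

            var chain = new List<Certificate>();
            if (tls.ServerCertificate != null) chain.Add(tls.ServerCertificate);   // leaf
            chain.AddRange(tls.ServerIntermediateCertificates);                     // intermediates

            foreach (Certificate cert in chain)
            {
                if (PinnedSha256.Contains(ThumbprintHex(cert)))
                    return true;
            }
            return false;   // nothing in the presented chain matches a pin
        }
    }

    // SHA-256 over the certificate's DER encoding. GetHashValue() with no argument is SHA-1.
    static string ThumbprintHex(Certificate cert)
    {
        byte[] hash = cert.GetHashValue("SHA256");
        var sb = new StringBuilder(hash.Length * 2);
        foreach (byte b in hash) sb.Append(b.ToString("x2"));
        return sb.ToString();
    }
}
```

Because the check runs on a completed response, the pre-flight request itself must carry nothing sensitive; a failed pin should be logged and surfaced as a connection failure, since the two realistic causes are an interception attempt and a certificate rotation the app was not updated for.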
Demo SSL Pinning
API publishing challenges
  Exposing API across the web
  Easy and secure access to API
  Authorizing access to specific APIs
  Controlling scale and performance
Azure API Management
  Diagram: Developers -> Developer Portal; Apps -> API Proxy -> API (can be hosted anywhere and authored in any language on any platform); Publisher/Admin -> Publisher portal
https://channel9.msdn.com/events/Microsoft-Azure/AzureCon-2015/ACON313
Securing data at rest
Windows app model
  "Jail" for apps (not a "castle")
    UWP apps can't access data of other apps
  Attack surface reduction
    Device Guard in Windows can help further limit this access
  User consent and control
    User is in control to provide consent to use hardware and capabilities
  App lifecycle management
    Limited background execution and OS resource management
    Cradle-to-grave definition: installation, runtime environment, resource management, updates, and uninstallation
Securing stored credentials
  Credential locker
    Secure storage of user credentials
    Managed by Windows (versus app) for user, access limited to calling app
    Multiple credentials for a particular app/user combination can be stored
  var vault = new Windows.Security.Credentials.PasswordVault();
  vault.Add(new Windows.Security.Credentials.PasswordCredential("My App", username, password));
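The two lines above only show the store side. This added example (not the deck's code) wraps PasswordVault for one resource name and handles the two things that trip people up: FindAllByResource and Retrieve throw when nothing matches, so "no stored credential" must be handled as a normal outcome, and a credential returned by the locker has an empty Password until RetrievePassword() is called. "Contoso App" is an assumed resource name.

```csharp
using System;
using System.Collections.Generic;
using Windows.Security.Credentials;

// Added example (not from the deck): store, look up and remove credentials in the Credential Locker.
public static class CredentialStore
{
    const string Resource = "Contoso App";   // assumed resource name; scope it per app/service

    public static void Save(string username, string password)
    {
        var vault = new PasswordVault();
        // Adding the same resource/user pair again replaces the stored password.
        vault.Add(new PasswordCredential(Resource, username, password));
    }

    // Returns null when nothing is stored for this user. Retrieve throws on "not found",
    // so the absence case is handled here rather than surfacing as a crash.
    public static PasswordCredential Load(string username)
    {
        var vault = new PasswordVault();
        try
        {
            PasswordCredential cred = vault.Retrieve(Resource, username);
            cred.RetrievePassword();   // Password stays blank until this is called
            return cred;
        }
        catch (Exception)
        {
            return null;
        }
    }

    // Lists user names only; passwords are not pulled out of the locker here.
    public static IList<string> ListUsers()
    {
        var vault = new PasswordVault();
        var users = new List<string>();
        try
        {
            foreach (PasswordCredential c in vault.FindAllByResource(Resource))
                users.Add(c.UserName);
        }
        catch (Exception)
        {
            // FindAllByResource throws when no credential exists for the resource
        }
        return users;
    }

    public static void Forget(string username)
    {
        var vault = new PasswordVault();
        try
        {
            vault.Remove(vault.Retrieve(Resource, username));
        }
        catch (Exception)
        {
            // nothing stored; already in the desired state
        }
    }
}
```

Credentials in the locker roam between a user's devices when they sign in with a Microsoft account, so an app that must keep a credential on one device only should not rely on the locker for that property.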
Securing stored data
  Encryption APIs
    Support for symmetric and asymmetric encryption
    Windows.Security.Cryptography.Core.CryptographicEngine supports encryption, decryption, and signing of content, as well as verification of digital signatures
    Windows.Security.Cryptography.DataProtection.DataProtectionProvider supports encryption and decryption of data by using device and user information
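An added example (not from the deck) of the DataProtectionProvider route, which is the one to reach for first because the app never holds a key: the "LOCAL=user" descriptor binds the ciphertext to the current user on this device, so a copy of the file taken to another user account or device cannot be unprotected. The file name "secrets.bin" in the app's local folder is an assumption.

```csharp
using System;
using System.Threading.Tasks;
using Windows.Security.Cryptography;
using Windows.Security.Cryptography.DataProtection;
using Windows.Storage;
using Windows.Storage.Streams;

// Added example (not from the deck): protect a secret at rest without managing keys.
public static class LocalSecrets
{
    const string Descriptor = "LOCAL=user";   // "LOCAL=machine" would bind to the device instead
    const string FileName = "secrets.bin";     // assumed file name in the app's local folder

    public static async Task SaveAsync(string plaintext)
    {
        var provider = new DataProtectionProvider(Descriptor);   // descriptor is required to protect
        IBuffer data = CryptographicBuffer.ConvertStringToBinary(plaintext, BinaryStringEncoding.Utf8);
        IBuffer protectedData = await provider.ProtectAsync(data);

        StorageFile file = await ApplicationData.Current.LocalFolder
            .CreateFileAsync(FileName, CreationCollisionOption.ReplaceExisting);
        await FileIO.WriteBufferAsync(file, protectedData);
    }

    // Returns null if the file is missing or cannot be unprotected
    // (e.g. it was copied from another user or device, or was tampered with).
    public static async Task<string> LoadAsync()
    {
        IStorageItem item = await ApplicationData.Current.LocalFolder.TryGetItemAsync(FileName);
        if (!(item is StorageFile file)) return null;

        IBuffer protectedData = await FileIO.ReadBufferAsync(file);
        var provider = new DataProtectionProvider();   // no descriptor needed to unprotect
        try
        {
            IBuffer data = await provider.UnprotectAsync(protectedData);
            return CryptographicBuffer.ConvertBinaryToString(BinaryStringEncoding.Utf8, data);
        }
        catch (Exception)
        {
            return null;
        }
    }
}
```

Use CryptographicEngine with SymmetricKeyAlgorithmProvider only when the data has to be decrypted somewhere else (another device, a server), since that is exactly the case where the app then owns key distribution.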
Data leak prevention
  Data separation and containment
    File level encryption for corporate apps
  Seamless platform integration
    No need to switch modes, move to secure locations, use containers, or special apps to protect data
    Apps can use APIs to optimize UX, but don't have to
  IT managed
    IT has full control over keys and data
    Can remote wipe corporate data on demand
Enterprise data protection
Enterprise data protection APIs
  Protect a file
    await FileProtectionManager.ProtectAsync(m_file, "contoso.com");
  Revoke permissions
    ProtectionPolicyManager.ProtectedContentRevoked += ProtectedContentRevoked;
  Check if network is personal
    resourceIdentity = await ProtectionPolicyManager.GetPrimaryManagedIdentityForNetworkEndpointAsync(new HostName(resourceUri.Host));
    // if resourceIdentity is empty or null, then it is considered personal
    if (!string.IsNullOrEmpty(resourceIdentity))
    {
        context = ProtectionPolicyManager.CreateCurrentThreadNetworkContext(resourceIdentity);
    }
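The three fragments above, put together as an added example (not the deck's code). "contoso.com" is the enterprise identity from the slide; the resource URI is whatever the app fetches. The example assumes the app declares the enterpriseDataPolicy capability and the device is enrolled in a policy, without which these calls report the data as unmanaged; it also disposes the network context in a finally block so a failed request does not leave the thread in the enterprise context.

```csharp
using System;
using System.Diagnostics;
using System.Threading.Tasks;
using Windows.Networking;                 // HostName
using Windows.Security.EnterpriseData;    // FileProtectionManager, ProtectionPolicyManager
using Windows.Storage;
using Windows.Web.Http;

// Added example (not from the deck): protect a file, fetch over a managed network, watch for revocation.
public static class EnterpriseDataFlow
{
    const string EnterpriseId = "contoso.com";   // identity from the slide

    // Returns true only when policy actually applied; NotProtectable (e.g. removable media)
    // and Unprotected are reported by the status rather than by an exception.
    public static async Task<bool> ProtectFileAsync(StorageFile file)
    {
        FileProtectionInfo info = await FileProtectionManager.ProtectAsync(file, EnterpriseId);
        return info.Status == FileProtectionStatus.Protected;
    }

    // If the endpoint belongs to a managed (corporate) network, the fetch runs under that
    // identity so the data it returns is tracked as enterprise data; otherwise it is personal.
    public static async Task<string> FetchAsync(Uri resourceUri)
    {
        string identity = await ProtectionPolicyManager
            .GetPrimaryManagedIdentityForNetworkEndpointAsync(new HostName(resourceUri.Host));

        ThreadNetworkContext context = null;
        if (!string.IsNullOrEmpty(identity))
            context = ProtectionPolicyManager.CreateCurrentThreadNetworkContext(identity);

        try
        {
            using (var client = new HttpClient())
                return await client.GetStringAsync(resourceUri);
        }
        finally
        {
            context?.Dispose();   // leave the enterprise context even if the request failed
        }
    }

    // IT revoking the identity (remote wipe) fires this; the app should discard cached copies
    // of enterprise data it holds in memory, since the files themselves become unreadable.
    public static void WatchForRevocation()
    {
        ProtectionPolicyManager.ProtectedContentRevoked += (sender, args) =>
        {
            foreach (string revoked in args.Identities)
                Debug.WriteLine("Enterprise identity revoked: " + revoked);
        };
    }
}
```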
Secure Windows app development summary
  Authentication
    Azure Active Directory for two-factor authentication
    Move from passwords to Microsoft Passport
  Secure data in flight
    Send data over SSL and verify server certificates
    Expose APIs securely with Azure App Service
  Secure data at rest
    Store credentials securely with Credential locker
    Encrypt data stored on the device
    Use enterprise data protection to prevent data leaks
@rajen_k
@WindowsDev
thank you
Additional Resources: http://dev.windows.com/
© 2015 Microsoft Corporation. All rights reserved. Microsoft, Windows and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.