- Essential .NET Security.
- Examine security features of the .NET platform.
- Public Key Cryptography and SSL.
- Securing System.Runtime.Remoting.
- Attacker finds a way to gain more privileges on the system – the ultimate goal is to gain administrative privileges.
- Use WinXP and .NET Server’s built in low-privilege accounts – NT Authority \ LocalService.
- Conventional crypto from .NET.
- Encrypting static data – generate a random key – encrypt the data.
- System.Security.Cryptography doesn’t expose them at all.
- The .NET Framework classes automate this.
- Encrypting data in .NET.
- Algorithms and implementations in .NET.
- Decrypting data in .NET.
- create a CryptoStream object based on your key – pump data through the stream to decrypt it.
- Passwords or phrases can be turned into conventional keys – variable length passphrase converted into a fixed length key – hash of password produces fixed length key.
- To authenticate with some other server – server doesn’t know client’s password – this is more complex.
- session key is sent to client encrypted with client’s master key.
- Authority gives the client a “ticket” to send to the server.
- client’s name.
- Is a ticket enough to prove the client’s identity?.
- Client needs to prove knowledge of the session key – remember, the authority “whispered” this to the client – only someone with the client’s master key could have.
- .NET Framework currently has no official wrappers for SSPI – but a sample written by the .NET remoting team provides this – http://msdn.microsoft.com/library/en-us/dndotnet/html/remsspi.asp.
- Using SSPI from .NET (initial authentication).
- server code to look at client’s name WindowsIdentity clientIdentity.
- Using SSPI from .NET (protecting the channel).
- The .NET Framework has great support for cryptography.
- Currently no support for raw Kerberos in .NET Framework.
- Public Key Cryptography and Authentication.
- Public key cryptography.
- Using public keys from the .NET Framework.
- Origins of public key cryptography.
- Keys are generated in pairs – public key.
- plaintext encrypted with the public key.
- ciphertext decrypted with the corresponding private key – much, much slower than conventional cryptography!.
- public key encrypt.
- we use a public key to encrypt the session key.
- Public key cryptography is not a silver bullet!.
- Certificate couples a name with a public key.
- authority’s public key is well-known.
- Bob’s public key Bob.
- Public key encryption in the .NET Framework.
- Using CAPICOM from .NET.
- session key encrypted with the public key of recipient 1.
- session key encrypted with the public key of recipient 2.
- authority X asserts that this is subject Y’s public key.
- ASP.NET web applications have IIS as a front end – web services have IIS as a front end.
- secure .NET remoting uses IIS as a front end.
- Public key cryptography is used to create signatures and encrypt keys.
- Certificates help authenticate public key material.
- CAPICOM can be used from the .NET Framework.
- A whirlwind tour of operating system security concepts on the .NET Platform.
- The TCB is a theoretical boundary – the TCB must enforce security policy.
- The .NET Framework abstracts this with two interfaces.
- using System.Security.Principal;.
- server looks at client token to make security decisions – can check client’s groups via IsInRole, for example.
- This is key to “Role Based Security” infrastructure in .NET.
- Thread.CurrentPrincipal is simply for application bookkeeping – the operating system doesn’t ever see or use this information – we’ll talk about impersonation in the next module….
- using System.Threading;.
- Thread.CurrentPrincipal = client;.
- using System.Security.Permissions;.
- Thread.CurrentPrincipal.
- Continuing our whirlwind tour of operating system security concepts on the .NET Platform.
- After authentication, the server can do two things with the client’s token.
- place the client’s token on the server’s thread and call out to some other secure resource manager.
- Console.WriteLine("Client name is {0}", client.Name);.
- slap the client’s token on this thread temporarily WindowsImpersonationContext ctx = client.Impersonate();.
- remove client’s token from this thread.
- ASP.NET thread (MTA).
- elevation of privilege vulnerability in ASP.NET when calling.
- impersonate temporarily to access external resources as client – stop impersonating immediately.
- Thread.CurrentPrincipal).
- using System.IO;.
- temporarily impersonate the client to access a file WindowsImpersonationContext ctx = client.Impersonate();.
- authentication helped to verify the client’s credentials, but most likely did not transmit them to the server.
- It’s expensive (infeasible, really) to discover groups manually – need to visit both client’s and server’s authorities.
- but this required the server to know the client’s password – example: IIS certificate mapping or basic authentication.
- Protocol transition allows trusted servers to obtain tickets on a client’s behalf.
- without knowing the client’s password.
- Securing mobile code in the .NET Framework Part 1: motivation, permissions, and policy.
- native code in the COM era – assembly in the .NET era.
- your company’s intranet – the public Internet.
- The .NET assembly loader and trust levels.
- Each .NET assembly may run with different privileges – explicitly installed code usually trusted.
- assembly loader gathers evidence like source and public key – security policy used to evaluate evidence.
- The .NET loader, illustrated.
- FCL supplies classes used to represent evidence – in System.Security.Policy namespace.
- in System.Security.Permissions namespace DBDataPermission.
- Framework supplies policy classes – System.Security.Policy namespace.
- View/edit using .NET Framework Configuration MMC snapin.
- C:\>permview \windows\microsoft.net\...\mscorlib.dll minimal permission set:.
- <PermissionSet class="System.Security.PermissionSet".
- <IPermission class="System.Security.Permissions.SecurityPermission".
- Extracting a public key into a byte array.
- Microsoft (R) .NET Framework SecUtil 1.0.3705.0.
- Public Key.
- using System.Security;.
- Console.WriteLine(".NET Code Access Security is currently {0}", SecurityManager.SecurityEnabled ? "enabled".
- CAS is the .NET security model for dealing with mobile code.
- Securing mobile code in the .NET Framework.
- At runtime, the .NET Framework classes demand permissions before performing sensitive operations