net passport security framework
play

.NET Passport Security Framework CPSC 328 Spring 2009 UDDI Review - PDF document

Sep 05, 2022 •576 likes •671 views

.NET Passport Security Framework CPSC 328 Spring 2009 UDDI Review Publish/Find functionality Yellow Pages businessService White Pages businessEntity Green Pages bindingTemplate tModel

  1. .NET Passport Security Framework CPSC 328 Spring 2009 UDDI Review  Publish/Find functionality  Yellow Pages  businessService  White Pages  businessEntity  Green Pages  bindingTemplate  tModel  publisherAssertion  operationalInfo 1

  2. Cross Site Request Forgery (CSRF)  Quite similar, yet different from XSS  Malicious script or link involved  Exploits trust  XSS - exploit user’s trust in the site  CSRF - exploit site’s trust in the user’s browser  CSRF relies on browser automatically sending authentication/session data  Very difficult to detect  Server side: looks like legitimate request from user  Client side: never know you just sent something Simple Example  Code snippet from evil.mel.com <html> <body> <html> <img src="http://www.example.com/transfer.do? <body> frmAcct=document.form.frmAcct& <img src=“http://foo.bar.com/logout.php”> toAcct=4345754&toSWIFTid=434343&amt=3434.43"> </body> </body> </html> </html>  How can this work?  Reliant upon browser automatically sending still-current session data  GET vs POST 2

  3. Simple Example  So lets only use POST. Fixed, right? <html> <body onload="document.getElementById('f').submit()"> <form id="f" action="http://foo.com/logout" method="post"> <input name="Log Me Out" value="Log Me Out" /> </form> </body> </html>  Not exactly!  Automatically POSTs form after page loaded (via javascript)  Again, cookie sent implicitly by browser CSRF: Protection  How can we prevent it?  Check the referrer <form action="/transfer.do" method="post"> <input type="hidden" name="8438927730" value="43847384383"> </form>  Hidden fields  Hash of timestamp, userID, & nonce  ASP.NET: ViewStateUserKey  Double cookies  Re-authenticate if important  Don’t use GET  But don’t rely on POST!  Clients, don’t use “remember me” 3

  4. .NET & Passport  MS foray into single sign-on  Began as MS Passport  Became MS .NET Passport  Now Windows Live ID  Access to federation of sites/services once authenticated by one member  Hotmail, MSNBC, Xbox Live, MSN, … Single Sign-On: Kerberos  Developed @ MIT  Distributed authentication system  Don’t need full trust in client  Tickets  TGT  TGS  Finite life  Encrypted Source: www.xml-dev.com/blog/ 4

  5. Passport  Functions very similar to kerberos  Authenticate once to server  Use services of several hosts  Application & Authentication Servers exchange secret key (out of band)  Happens before system can be used  Keys must be protected (no expiration)  Once completed, users can log in & use service Passport Login Process  User visits site  Site redirects user to Passport Server  User authenticates to server  Server returns user to site with cookies Source: microsoft.com 5

  6. Passport Cookies  MSPAuth  Ticket: user ID  Timestamps  MSPProf  User profile information  MSPSec  Ticket Granting Cookie  Cookies support claim of authentication  Communicated to application server through client browser Passport Attacks  Steal username & password?  Replay cookies?  Steal profile info?  Username/passwd not stored/collected on partner sites  Cookies have timestamps  Cookies are encrypted  Profile info not enough to gain credentials  Privacy is still a concern 6

  7. Web Services & .NET  .NET & CLR provide functionality similar to Java & JVM  Managed code provides safety features  Sandboxing execution  Compiled to MSIL (similar to java bytecode)  Unmanaged code does not  Overflows, privilege escalation, etc…  Security defined in terms of  Role-based  Code Access  Evidence-Based Role-Based Security  A.K.A. User-Based Security  Traditional model  Permission defined by account or role  Security Identifier tracks user  Checked before resource use 7

  8. Code Access Security  Access permissions assigned based on trust in code  Can assign range of trust  Similar to IE’s trust zones  Allows finer degree of control than role-based  Controls assigned at various levels  Application  Class  Module, library, … Evidence Based  Trust zones defined based on  Digital signature  URL of origin  Zone  Notion of code groups 8

  9. .NET Vulnerabilities  Standard concerns w/Web Services  Input validation  SQL Injection  Solution?  Stored procedures (good & bad)  Known-good validation only! Discard all else  Minimal error handling  Non-descript error messages Hardening .NET Server The standard fare:  Web root on separate volume (not w/OS)  Disable unused ISAPI filters  Don’t allow outbound originating traffic from IIS  Incoming traffic only on ports 80 & 443  Penetration testing  Remove development/installation files!  Accounts & passwords! (on DB, too) 9

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

IoT Passport: A Blockchain-Based Trust Framework for Collaborative Internet-of-Things Bo Tang ,

IoT Passport: A Blockchain-Based Trust Framework for Collaborative Internet-of-Things Bo Tang ,

IoT Passport: A Blockchain-Based Trust Framework for Collaborative Internet-of-Things Bo Tang , Hongjuan Kang, Jingwen Fan Qi Li Ravi Sandhu Information Security Laboratory, Institute for Network Institute for Cyber Security and Sichuan

1.24k views • 16 slides
User Authentication Passport Jason Situ Passport What is it? Passport is authentication

User Authentication Passport Jason Situ Passport What is it? Passport is authentication

User Authentication Passport Jason Situ Passport What is it? Passport is authentication middleware for Node. It is designed to serve a singular purpose: authenticate requests. Supports a comprehensive set of authentication mechanisms called

808 views • 16 slides
Asia Region Funds Passport Summary Context Comparison with other regional initiatives

Asia Region Funds Passport Summary Context Comparison with other regional initiatives

Introducing the framework for Asia Region Funds Passport Summary Context Comparison with other regional initiatives What is the Passport? Objectives Who regulates what? Other host economy laws and regulations Passport

149 views • 10 slides
Your Passport To Future Horizons Your Passport To Future Horizons Your Passport To Future

Your Passport To Future Horizons Your Passport To Future Horizons Your Passport To Future

Your Passport To Future Horizons Your Passport To Future Horizons Your Passport To Future Horizons Your Passport To Future Horizons Making Sense Of The Industry Tea Leaves ! The Economy ! ! ! ! ! ! ! Fab Capacity ! Unit Demand !

174 views • 15 slides
E-Passport: The Global Traceability or How to Feel Like an UPS Package Dario Carluccio, Kerstin

E-Passport: The Global Traceability or How to Feel Like an UPS Package Dario Carluccio, Kerstin

E-Passport: The Global Traceability or How to Feel Like an UPS Package Dario Carluccio, Kerstin Lemke-Rust, Christof Paar, and Ahmad-Reza Sadeghi Horst-Grtz Institute for IT Security July, 14th 2006 Workshop on RFID Security Electronic

209 views • 18 slides
The IHI Passport Program: The Quality Champions Improvement Toolkit As a Passport member,

The IHI Passport Program: The Quality Champions Improvement Toolkit As a Passport member,

The IHI Passport Program: The Quality Champions Improvement Toolkit As a Passport member, everyone in our organization can have access to Expeditions Leading Quality Improvement: Essentials for Managers Passport Members-Only

234 views • 10 slides
Cyber Security Risk Using the Cyber Security Measurement Framework Cyber Security Framework

Cyber Security Risk Using the Cyber Security Measurement Framework Cyber Security Framework

Cyber Security Risk Using the Cyber Security Measurement Framework Cyber Security Framework Reporting Objectives Executive Summary Information Assess Current Cyber Security Posture Measure Progress Toward Improvement Assess

634 views • 5 slides
CISV PASSPORT for Active Global Citizenship The Passport provides a summary of CISVs

CISV PASSPORT for Active Global Citizenship The Passport provides a summary of CISVs

CISV PASSPORT for Active Global Citizenship The Passport provides a summary of CISVs approach to Peace Education. It is a practical guide to what we do and why we do it, and can be used as a handbook for CISV training. We hope you enjoy

1.06k views • 26 slides
OMS OMS Passport Education Support Kitty Petty, M.A., M.Ed., LMHC Educational Consultant

OMS OMS Passport Education Support Kitty Petty, M.A., M.Ed., LMHC Educational Consultant

OMS OMS Passport Education Support Kitty Petty, M.A., M.Ed., LMHC Educational Consultant Neurology Department Boston Childrens Hospital OMS MEDICAL PASSPORT The purpose of a medical passport is to allow adolescents/young adults/adults

652 views • 24 slides
WeClimbUK Passport Presentation &amp; discussion by the Project Board 27 th July 2019 Session

WeClimbUK Passport Presentation &amp; discussion by the Project Board 27 th July 2019 Session

WeClimbUK Passport Presentation &amp; discussion by the Project Board 27 th July 2019 Session objectives 1. Brief you on progress with the Passport The business case for such a scheme Our vision for the Passport Progress to

406 views • 28 slides
The Passport Difference: Working Together for a Healthier Kentucky The Advisory Council for

The Passport Difference: Working Together for a Healthier Kentucky The Advisory Council for

The Passport Difference: Working Together for a Healthier Kentucky The Advisory Council for Medical Assistance May 23, 2019 1 Passport Health Plan: A Leader in Medicaid for 20+ Years 21 YEARS 318K Provider- Non-profit and Nationally

473 views • 22 slides
Passport to IHI Training The IHI Membership Guiding Your Improvement Journey Informational Call

Passport to IHI Training The IHI Membership Guiding Your Improvement Journey Informational Call

November 14, 2016 www.IHI.org/Passport Passport to IHI Training The IHI Membership Guiding Your Improvement Journey Informational Call 2 WebEx Quick Reference Welcome to todays session! Raise your hand Please use chat to All

545 views • 29 slides
the different continents of the world. Each passport has a series of steps based on recall of

the different continents of the world. Each passport has a series of steps based on recall of

Every child has been given a passport for the different continents of the world. Each passport has a series of steps based on recall of mental maths number facts. These steps are taken from the current National Curriculum and are the key

507 views • 15 slides
MHIRT: what to expect Preparing for Your Trip Packing List: Documents Copies of: Passport &amp;

MHIRT: what to expect Preparing for Your Trip Packing List: Documents Copies of: Passport &amp;

MHIRT: what to expect Preparing for Your Trip Packing List: Documents Copies of: Passport &amp; visa Passport &amp; visa Yellow fever vaccination paper Vaccinations Ticket / boarding pass Student ID ~$500 USD for exchanging** Drivers

408 views • 18 slides
(USPVS) Nalini Rangaraju Electronic application to verify Passport information Developed

(USPVS) Nalini Rangaraju Electronic application to verify Passport information Developed

US Passport Verification Service (USPVS) Nalini Rangaraju Electronic application to verify Passport information Developed in 2010 with funding from DHS to support REAL ID 17 jurisdictions in production (6 additional jurisdictions

454 views • 12 slides
Exploiting symmetries when proving equivalence properties for security protocols Vincent Cheval,

Exploiting symmetries when proving equivalence properties for security protocols Vincent Cheval,

Exploiting symmetries when proving equivalence properties for security protocols Vincent Cheval, Steve Kremer, Itsaka Rakotonirina Inria Nancy Grand-Est Security protocols TLS Wifi @ PASS E-voting E-passport 2 24 Security protocols

830 views • 69 slides
Detecting Attacks, Part 2 CS 161: Computer Security Prof. Vern Paxson TAs: Devdatta Akhawe,

Detecting Attacks, Part 2 CS 161: Computer Security Prof. Vern Paxson TAs: Devdatta Akhawe,

Detecting Attacks, Part 2 CS 161: Computer Security Prof. Vern Paxson TAs: Devdatta Akhawe, Mobin Javed &amp; Matthias Vallentin http://inst.eecs.berkeley.edu/~cs161/ April 14, 2011 Announcements Talk of possible interest next Monday:

492 views • 23 slides
Access Control &amp; Video Intercom PRODUCT PROMOTION 2020 International Product Marketing

Access Control &amp; Video Intercom PRODUCT PROMOTION 2020 International Product Marketing

Access Control &amp; Video Intercom PRODUCT PROMOTION 2020 International Product Marketing Department Part.01 Video Intercom Products CONTENTS Part.02 Access Control Products Part.01 Video Intercom Product System DS-KB8112-IM

492 views • 35 slides
Toward the IPv6 Mobile Internet The 7th TWNIC IP OPM November 23, 2006 Keiichi Shima

Toward the IPv6 Mobile Internet The 7th TWNIC IP OPM November 23, 2006 Keiichi Shima

Toward the IPv6 Mobile Internet The 7th TWNIC IP OPM November 23, 2006 Keiichi Shima &lt;keiichi@iijlab.net&gt; Internet Initiative Japan Inc. / WIDE Project PROJECT Background Widely deployed Internet Available in

658 views • 34 slides
WELCOME TO THE SPRING 2012 MAX ALL HANDS MEETING Mid-Atlantic Crossroads May 22 th , 2012

WELCOME TO THE SPRING 2012 MAX ALL HANDS MEETING Mid-Atlantic Crossroads May 22 th , 2012

WELCOME TO THE SPRING 2012 MAX ALL HANDS MEETING Mid-Atlantic Crossroads May 22 th , 2012 Agenda 8:15am 9:00am Breakfast 9:00am 9:15am Welcome 9:15am 10:00am MAX Updates (Administrative, Production, and Research)

702 views • 56 slides
Reliably Determining the Outcome Reliably Determining the Outcome of Computer Network Attacks of

Reliably Determining the Outcome Reliably Determining the Outcome of Computer Network Attacks of

Reliably Determining the Outcome Reliably Determining the Outcome of Computer Network Attacks of Computer Network Attacks th Annual FIRST Conference 18 th Annual FIRST Conference 18 Capt David Chaboya Dr Richard Raines, Dr Rusty Baldwin, Dr

447 views • 34 slides
PRO-CO W: Proto col Compli ance on the W eb Bala chander Krishnamur thy Mar tin

PRO-CO W: Proto col Compli ance on the W eb Bala chander Krishnamur thy Mar tin

PRO-CO W: Proto col Compli ance on the W eb Bala chander Krishnamur thy Mar tin Arlitt bala@resea rch.att.com a rlitt@hpl.hp.com A T&amp;T Labs - Resea rch HP Labs Bala chander Krishnamur thy 1 State of the W eb

535 views • 15 slides
Trusted Components Reuse, Contracts and Patterns Prof. Dr. Bertrand Meyer Dr. Karine Arnout

Trusted Components Reuse, Contracts and Patterns Prof. Dr. Bertrand Meyer Dr. Karine Arnout

1 Last update: 19 October 2004 Trusted Components Reuse, Contracts and Patterns Prof. Dr. Bertrand Meyer Dr. Karine Arnout Trusted Components: Reuse, Contracts and Patterns - Lecture 17 Chair of Softw are Engineering 2 Lecture 17:

430 views • 39 slides
Security Jerry den Hartog Room: MF 6.063 http://www.win.tue.nl/~jhartog/CourseSecurity/ What is

Security Jerry den Hartog Room: MF 6.063 http://www.win.tue.nl/~jhartog/CourseSecurity/ What is

(An Introduction to Computer) Security Jerry den Hartog Room: MF 6.063 http://www.win.tue.nl/~jhartog/CourseSecurity/ What is Security? Lets start with some free association Course rse O Overvi rview Goal Challenge IT Infrastructures

720 views • 51 slides

More recommend