Convert SAML token to SWT token using ACS

יום רביעי, נובמבר 16, 2011

In Claim based applications we use token to provide the application (Relying party) with details (a collection of claims) about the the authenticated identity. In ASP.net web sites and WCF SOAP services SAML tokens are used as a container for the claims. SAML is a standard that describe how token and claims are constructed and how they are cryptographically protected using digital signature and encryption. SAML tokens are powerful yet they are large. The size of the token is not a real issue in ASP.Net web sites as well as in SOAP WCF services but for REST web services...
no comments

ACS Academy Videos

יום שני, מאי 9, 2011

I wrote a lot about claim based Identity and access control. One of the big challenges in claim based access control is the creation of the STS. Fortunately the Azure platform has an offering in this domain – ACS AppFabric ACS Access Control Service implements a full STS in the cloud. It is simple yet powerful. The team created great videos explaining ACS and their integration with WIF. Watch and start using ACS. Manu
no comments

Claim Based Identity Tutorial

יום שלישי, מרץ 8, 2011

Claim based identity is the future of identity management. It is simple, powerful and extensible but the most important reason to use it is the fact that it delegates identity management out of the application. WIF is Microsoft's infrastructure for using Claim Based Identity. (Similar to what is WCF for networking) Recently an excellent Training Kit was released about WIF and the integration of WIF with AppFabric Azure ACS. I strongly recommend to download read and learn. Manu
no comments

Asymmetric Encryption of Long Data

יום ראשון, ינואר 16, 2011

Few weeks ago a post about asymmetric encryption using RSACryptoServiceProvider. Asymmetric encryption is an expensive operation so it is not meant for very long data encryption. If you have an article or a book you should not encrypt it asymmetrically but what about a 200 byte long information? If you will try to encrypt 200 byte using RSACryptoServiceProvider you will get an exception. It seems that the longest data that can be encrypted using is RSACryptoServiceProvider is 80 bytes. I thinks that there are many scenarios where it makes to encrypt few hundreds bytes long data asymmetrically and...
tags: ,
one comment

Asymmetric Encryption with RSACryptoServiceProvider

יום ראשון, ינואר 9, 2011

Traditional symmetric cryptography is all about hiding a secret using an algorithm and a key. The same key is used for encryption and decryption. Asymmetric encryption does much more. In Asymmetric encryption there are two key: one is kept secret (private) and the other is distributed (public). Both keys are mathematically the same – What makes the public key public is the fact that it was distributed. To perform a full cycle both keys are required (i.e. encryption with one key and decryption with the other). There are two possible scenarios: ...
one comment

Practical Application Security

יום ראשון, אוגוסט 9, 2009

Application Security is a problematic subject. It is a non functional requirement so it cannot be presented to a customer and it is expensive. The management feels that money is being spent without tangible results and the developers feel that security is a pain so they will do anything to avoid it. When being asked "what is application security?" so many different answers are given … So how can application security be implemented? In this article I will show how the broad concept of application security can be translated into simple tangible tasks. Application security...
no comments

Claim Base Authorization – Next Generation Identity management

יום שני, אפריל 13, 2009

  Claim Base Authorization - Next Generation Identity management Identity is one of the most popular challenges applications face today. Almost every application has to know who it is talking to and needs to do something about it. Unfortunately we know that identity is poorly handled as Identity theft is one of the world's greatest problems today. What is identity after all? After decades of working with Identity we finally understand that identity is nothing more that some information that describes an entity. It turns out that entities have multiple identities each relevant on a different context of execution. For instance...
tags:
15 comments

Creating X.509 Certificates using makecert.exe

יום שלישי, אפריל 8, 2008

  Creating x.509  certificates is a very common task. Unfortunately the knowledge how to do it is quite rare. If you want a certificate that the whole world would trust you need to buy one, but if you need it for your own use you can create it using a tool called MakeCert.exe After downloading the tool you have to perform the following procedure: Creating a Root Certificate Authority makecert.exe -n "CN=My Root CA,O=Organization,OU=Org Unit,L=San Diego,S=CA,C=US" -pe -ss my -sr LocalMachine -sky exchange -m 96 -a sha1 -len 2048 -r My_Root_CA.cer Import Root Certificate Authority Certificate into Trusted Root Store certutil.exe -f -addstore Root...
78 comments

Threat Modeling summary

יום שבת, מרץ 1, 2008

Threat modeling is the heart of any application securuty design. I am often being asked about threat modeling so I wanted to write about it: Enjoy:    Threat Modeling Goal: Describe what  is threat modeling, and how it should be implemented. Terms: Attacker - Someone who could do harm to a system Threat - An attacker goal Vulnerability - A flaw in the system that could help an attacker realize a threat Mitigation - Something to do to protect against a threat. Attack - The process in which attackers takes advantage of a vulnerability Asset - Something of value to valid users vendors and attackers   Background: Application security is...
no comments