Security - Manu Cohen-Yashar's Blog


Posts tagged Security
Passive Federation Client
As we all know, it is simple to call a federated web site, authenticated by AD FS 2.0 or any other identity provider, using passive federation. The client is a browser that knows nothing about federation; all the browser knows is how to send HTTP requests and submit HTML forms. It would be interesting to write a small library that mimics the browser's behavior and allows applications to call web sites using passive federation. Such web sites can implement RESTful web services or any other HTTP-based...
My Talk in the SDP 2013
Today I spoke about web identities and about Azure data sync. In the web identities talk I spoke about the identity concept and about the OpenID, SAML and OAuth standards. In the Azure data sync talk I spoke about the value of sync, the Microsoft synchronization framework (MSF) and the Azure data sync service (which is based on MSF). Tomorrow I will speak about cryptography in .NET and explore different types of encryption algorithms and signing APIs. You can find the slide deck here: Web Identities...
Subscribe to Windows Azure Using Your Organization ID
Until recently, you could only sign up for a new Windows Azure subscription using your Microsoft account (LiveID). This means that your administration account is governed by a private user account, which is a major security threat: the account credentials are a simple user name and password (which could easily be stolen), no multi-factor authentication is possible, and no policy or management is enforced on the administration identity. All this is changing now with Windows Azure Active Directory (WAAD). Now...
How to Encode a Certificate
It is common to upload or transfer certificates as base64 strings. A common example is the Azure Management API Add Service Certificate operation. To encode a certificate, all you have to do is encode the certificate file: var encodedClientCert = Convert.ToBase64String(File.ReadAllBytes("Client.Cer")); Creating a certificate from a base64 string is just as easy: string str = "base64string representing a certificate"; string psw = "password for certificates with a private key"...
How To Find a Certificate in the Certificate Store
I wrote a nice helper class that helps me find certificates installed on my machine. Here is the code: public static class CertificateHelper { public static X509Certificate2 FindCertificateByThumbprint(string certificateThumbprint) { var res = FindCertificateByThumbprint(certificateThumbprint, new X509Store(StoreName.My, StoreLocation.CurrentUser)) ?? FindCertificateByThumbprint(certificateThumbprint, new X509Store(StoreName.My, StoreLocation.LocalMachine)); if (res == null...
Visual Studio Identity Support Works with .Net 4.5 Only
Visual Studio has an Identity and Access tool extension which enables simple integration of claim-based identity authentication into a web project (WCF and ASP.NET). It turns out that the tool depends on Windows Identity Framework (WIF) 4.5, which was integrated into the .NET Framework, and is not compatible with WIF 4.0. For .NET 4.5 applications only, you will see the following when you right-click the project: "Enable Windows Azure Authentication", which integrates your project with Windows Azure Active...
Application security auditing and logging
Auditing is one of the main pillars of security policies. The question is how to do it wisely. The infrastructure can log almost everything: for example, access to files, registry keys, databases, etc. The problem is that the infrastructure has no knowledge of the application's use cases, so the context for these logs is missing. Let us ask: what is the purpose of auditing? The trivial reason is to collect information that will be useful in case of a problem, yet how do you know that there...
Azure ServiceBus Topic using REST API – Part 3
In the last two posts we showed how to use the Azure Service Bus REST API to send a message to a topic. In this post we will see how to listen on a topic and receive a message. There are two options: 1. Receive a message and delete it from the topic (Receive and Delete): public static T ReceiveAndDeleteMessage<T>(string serviceNamespace, string topicName, string subscriptionName, string token) where T : class { var address = string.Format("https://{0}.{1}/{2}/subscriptions...
Convert SAML token to SWT token using ACS
In claim-based applications we use a token to provide the application (the relying party) with details (a collection of claims) about the authenticated identity. In ASP.NET web sites and WCF SOAP services, SAML tokens are used as a container for the claims. SAML is a standard that describes how tokens and claims are constructed and how they are cryptographically protected using digital signatures and encryption. SAML tokens are powerful, yet they are large. The size of the token is not a real issue in ASP...
ACS Academy Videos
I wrote a lot about claim-based identity and access control. One of the big challenges in claim-based access control is the creation of the STS. Fortunately, the Azure platform has an offering in this domain: the AppFabric Access Control Service (ACS) implements a full STS in the cloud. It is simple yet powerful. The team created great videos explaining ACS and its integration with WIF. Watch and start using ACS. Manu
Claim Based Identity Tutorial
Claim-based identity is the future of identity management. It is simple, powerful and extensible, but the most important reason to use it is that it delegates identity management out of the application. WIF is Microsoft's infrastructure for using claim-based identity (similar to what WCF is for networking). Recently an excellent training kit was released about WIF and the integration of WIF with Azure AppFabric ACS. I strongly recommend downloading it, reading it and learning from it. Manu
Asymmetric Encryption of Long Data
A few weeks ago I wrote a post about asymmetric encryption using RSACryptoServiceProvider. Asymmetric encryption is an expensive operation, so it is not meant for encrypting very long data. If you have an article or a book you should not encrypt it asymmetrically, but what about 200 bytes of information? If you try to encrypt 200 bytes using RSACryptoServiceProvider you will get an exception. It seems that the longest data that can be encrypted using RSACryptoServiceProvider is 80 bytes. I think...
Asymmetric Encryption with RSACryptoServiceProvider
Traditional symmetric cryptography is all about hiding a secret using an algorithm and a key. The same key is used for encryption and decryption. Asymmetric encryption does much more. In asymmetric encryption there are two keys: one is kept secret (private) and the other is distributed (public). Both keys are mathematically the same; what makes the public key public is simply the fact that it was distributed. To perform a full cycle both keys are required (i.e. encryption with one key and decryption with...
Practical Application Security
Application security is a problematic subject. It is a non-functional requirement, so it cannot be presented to a customer, and it is expensive. Management feels that money is being spent without tangible results, and developers feel that security is a pain, so they will do anything to avoid it. When asked "what is application security?", people give many different answers. So how can application security be implemented? In this article I will show how the broad concept of application...
Create a certificate using certificate services of server 2003
I am very often asked how to use the certificate services of Server 2003. I would like to recommend the following post: http://www.msexchange.org/tutorials/SSL_Enabling_OWA_2003.html Manu