Security Educational Workshop - Authentication Explained
I just finished building another security workshop that covers the authentication and identity technologies implemented by MS products. The workshop is targeted at developers, not IT folks. It is common practice (or should I call it an anti-practice) for development projects to re-invent the wheel and build custom authentication or identity flow mechanisms again and again, which is the surest recipe for disaster from a security perspective. There are plenty of reasons why, and one of them is that development teams do not have a solid understanding of what MS technologies offer out-of-the-box with regard to authentication.
I have divided the workshop into four major parts:
- Authentication primer. It covers the general concepts of network authentication. It covers common threats (the only reason for security to exist: no threat, drop security) and countermeasures (best practices). I call it authentication dissected. Here are some of the help materials I used:
- Implementations. This part goes over the different types of authentication, from NTLM, Kerberos, certificates and protocol transition to CardSpace and even assembly Evidence, which is a special sort of authentication between components. It discusses the implementation of each mechanism and its pros and cons. Here are some materials I used:
- Scenarios. This part talks about how to use the implementations for common scenarios, like ASP.NET to SQL Server in an intranet, or ASP.NET to Web Services in an Internet scenario. Here are some materials I used:
- Anti-Patterns (Hacking Exposed). This part draws the punch line for the three parts above and demonstrates how authentication anti-patterns can be subverted by an attacker and what impact that can have.
- There is enough of such material on the net; just submit some search criteria and you will get plenty :)
I call it an educational workshop, influenced by what I was discussing in Security Workshops. This workshop explains what MS offers and when to use it. It does not train the participants in how to use it in depth, assuming that after completing the workshop the participants will be able to deepen their knowledge once they have picked the proper technology.
Related posts:
- Authentication Hub
- .Net Assembly Spoof Attack
- How To Hack WCF - New Technology, Old Hacking Tricks
- Creating a Parameterized Query In Visual Studio
- SOA, Kerberos, IIS, and Security Best Practices
- Password Cracking Tools For SQL Server
Comments
Anonymous
May 31, 2007
Great set of links. Thanks for sharing. Wondering if it would be possible for you to address the "Trusted Subsystem Model" in WCF under IIS hosting using BasicHttpBinding. We have a lot of 1.1 clients but want to move to WCF for the Services layer. It is quite easy with ASMX to set up an <authorization .../> element in the Web.config file to set up the Trusted Subsystem model, but it is getting a bit tricky to do this in WCF under IIS. Would appreciate it if you could share your thoughts on this. Thanks.

Anonymous
May 31, 2007
Kris, happy you liked the links. Funny you mention WCF authorization, it is something I planned to work on for the nearest term. After I get my hands dirty with it I will post my thoughts on this for sure. I think you want to take a look at these first:
- http://blogs.msdn.com/amitlale/archive/2007/05/21/hosting-wcf-service-in-iis.aspx
- http://msdn.microsoft.com/msdnmag/issues/07/04/Identity/default.aspx
- http://msdn2.microsoft.com/en-us/library/ms731181.aspx
- http://blogs.msdn.com/suwatch/archive/2007/04/06/x509-and-wcxf-security.aspx
- http://www.theserverside.net/tt/articles/showarticle.tss?id=ClaimsBasedSecurityModel
- http://msdn2.microsoft.com/en-us/library/bb417064.aspx

Anonymous
June 22, 2007
This month I met Alik Levin from Microsoft Israel for a short conversation. With a lot of enthusiasm for what he does and a constant smile on

Anonymous
July 04, 2007
I was delivering the "Authentication Explained" session for the Security User Group. First off, thanks for attending