ict.ken.be


Posts in Category: Security

To SSL or not to SSL 

Categories: IIS mojoPortal Security

To SSL or not to SSL, that is the question.
We are not running a bank, so my business doesn't need that. Does it?

Anno 2013, millions of sites on the internet are still running insecurely over http on port 80, and who can blame them. Switching your site to https puts more pressure on your web server, makes your ranking in the SERP drop and on top of that it is a pain to get a good certificate working. Or so they say...

Graph of website hits after switching to ssl

So, let's check this out.

  1. yes, you will lose money while transferring SERP ranking; it takes on average around one and a half months to transfer it. More of an issue is the fact that AdSense doesn't support https... yes, dumb, very dumb... you can change the protocol but then you do not comply with the agreement... yes, can't understand this one either. 
  2. the difference in speed is only a few milliseconds, so no problem there
  3. yes, it is not easy to set up correctly when it is your first time

And last but not least, yes you should put your whole site on ssl. Well actually tls. And this means everything, not just parts of it or your users will get sslstripped away... so educate your users.

And then my checklist, the reason I am posting it here.

Testing with a self-signed certificate

Types:

  • Basic : one ip, one domain
  • Wildcard : one ip, one domain + subdomains
  • SAN aka UCC : one ip, multiple domains
  • SNI : multiple certificates on one ip (eg. not supported on IE for XP)

Requesting a certificate

  • Lot of personal details + calls
  • DNS records should match your personal details 

Import certificate and trust intermediate certificates

  • Especially Firefox doesn't like it, if you forget to trust the intermediates

IIS Settings

  • Bindings
  • Use an asterisk * in front of the friendly name, so you can use the GUI to set the hostnames 
  • OR use appcmd set site /site.name:"<IISSiteName>" /+bindings.[protocol='https',bindingInformation='*:443:<hostHeaderValue>']
  • Rewrite with 301 (do not use 302)
  • Add the strict transport security header (HSTS), and use chrome://net-internals to check that it is correct: Strict-Transport-Security: max-age=16070400; includeSubDomains
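Two of the IIS items above, the 301 redirect and the HSTS header, are easy to get subtly wrong (a 302, a redirect that drops the path, a max-age of a few minutes, a missing includeSubDomains). The following is an added example, not code from the original post: an offline checker for both, run over constructed sample responses. The function names and the sample URLs are my own.

```python
"""Added example, not from the original post: offline checks for the 301
redirect from http to https and for the Strict-Transport-Security header.
The responses below are constructed sample data; all names are my own."""
import re
from typing import Dict, List, Optional
from urllib.parse import urlsplit

# The max-age the post uses (16070400 s = 186 days), treated here as the minimum.
RECOMMENDED_MAX_AGE = 16070400


def check_redirect(status: int, location: Optional[str], original_url: str) -> List[str]:
    """Problems with the response a plain-http request received (empty = fine)."""
    problems = []
    if status == 302:
        problems.append("302 is temporary; use 301 so search engines move the ranking")
    elif status != 301:
        problems.append(f"expected a 301 redirect, got {status}")
    if not location:
        problems.append("no Location header")
        return problems
    src, dst = urlsplit(original_url), urlsplit(location)
    if dst.scheme != "https":
        problems.append("redirect target is not https")
    if dst.netloc.lower() != src.netloc.lower():
        problems.append("redirect leaves the original host")
    if dst.path != src.path:
        problems.append("redirect drops the requested path")
    return problems


def parse_hsts(value: str) -> Dict[str, str]:
    """Split 'max-age=16070400; includeSubDomains' into lower-cased directives."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        directives[name.strip().lower()] = val.strip().strip('"')
    return directives


def check_hsts(header_value: Optional[str], min_age: int = RECOMMENDED_MAX_AGE) -> List[str]:
    """Problems with the Strict-Transport-Security header of the https response."""
    problems = []
    if header_value is None:
        problems.append("no Strict-Transport-Security header on the https response")
        return problems
    d = parse_hsts(header_value)
    if not re.fullmatch(r"\d+", d.get("max-age", "")):
        problems.append("max-age missing or not a number")
    elif int(d["max-age"]) < min_age:
        problems.append(f"max-age {d['max-age']} is below {min_age}")
    if "includesubdomains" not in d:
        problems.append("includeSubDomains missing, so subdomains stay reachable over plain http")
    return problems


# Constructed responses (not captured from a real server).
HTTP_RESPONSE = {"status": 301, "location": "https://www.example.com/page"}
HTTPS_RESPONSE = {"hsts": "max-age=16070400; includeSubDomains"}
BAD_HTTP_RESPONSE = {"status": 302, "location": "http://www.example.com/"}
BAD_HTTPS_RESPONSE = {"hsts": "max-age=300"}


def check_site(http_resp: dict, https_resp: dict,
               url: str = "http://www.example.com/page") -> List[str]:
    """Combined findings for one site; an empty list means both checklist items pass."""
    return (check_redirect(http_resp["status"], http_resp.get("location"), url)
            + check_hsts(https_resp.get("hsts")))


if __name__ == "__main__":
    for name, http, https in [("good", HTTP_RESPONSE, HTTPS_RESPONSE),
                              ("bad", BAD_HTTP_RESPONSE, BAD_HTTPS_RESPONSE)]:
        print(name, check_site(http, https) or "ok")
```

To use it against a live site, feed check_redirect the status and Location of a plain-http GET and check_hsts the header of the https response; the parsing is case-insensitive on directive names because browsers are, but the redirect check deliberately insists on an exact host and path so a redirect to the home page is flagged.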

Additional settings for mojoPortal

  • SSLAvailable on true
  • SSLIsRequiredByWebserver (web.config) & Require SSL on All Pages (admin ui -> will update canonical)
  • SSLCookies in two places + different cookie name
  • Robots file for ssl, you probably need same as default one
  • Test also for a page that doesn't exist
  • If using PayPal, make sure you update your URL protocols

Update your content

  • <link rel='canonical' href='https...
  • using // for img and javascript
  • update your own links to https where possible
  • hopefully you don't use third party that doesn't support https
  • recommend and social links: point an og:url meta tag for both URLs to the https one

Update your webmaster tools

  • http and https are seen as different sites

more on https:

update (aug 2014)

Today Google announced that https will be taken into account for their search ranking. I hope they also do something about AdSense, but at least it is a step in the right direction. Read more at http://googlewebmastercentral.blogspot.be/2014/08/https-as-ranking-signal.html.

Win 7 setup outbound firewall rules 

Categories: Security Windows

Enable Notifications

  • Local Group Policy Editor (gpedit.msc) > Computer Configuration > Windows Settings > Security Settings > Local Policies > Audit Policy > Audit object access on Failure
  • Event Viewer (eventvwr.msc) > Windows Logs > Security
  • Local Security Policy (secpol.msc) > Advanced Audit Policy Configuration > Object Access > Disable Audit Handle Manipulation

Protocol Numbers

  • 1: ICMPv4
  • 2: IGMP
  • 6: TCP
  • 17: UDP
  • 41: IPv6
  • 43: IPv6-Route
  • 44: IPv6-Frag
  • 47: GRE
  • 58: ICMPv6
  • 59: IPv6-NoNxt
  • 60: IPv6-Opts
  • 112: VRRP
  • 113: PGM
  • 115: L2TP

Before Win 7 this was needed:

  • auditpol /set /SubCategory:"MPSSVC Rule-Level Policy Change","Filtering Platform Policy Change","IPsec Main Mode","IPsec Quick Mode","IPsec Extended Mode","IPsec Driver","Other System Events","Filtering Platform Packet Drop","Filtering Platform Connection" /success:disable /failure:enable
  • net stop MPSSVC
  • net start MPSSVC

OAuth 2.0 Vocabulary 

Categories: Security

by Ryan Boyd

Why not username & password?

  • Trust
  • Decreased user sensitivity to phishing
  • Expand access & risk
  • Limited reliability
  • Revocation challenges
  • Passwords become required
  • Difficulty implementing stronger authentication

Authentication & Authorization

  • Authentication: verify the identity of the user
  • Federated Authentication: rely on other services to do the authentication (openID connect on top of OAuth 2.0)
  • Authorization: right to perform some action
  • Delegated authorization: granting access to another person or application to perform actions on your behalf

Roles

  • Resource server: server containing the protected data
  • Resource owner: user that has ability to grant access to the server
  • Client: application making api requests to perform actions on server
  • Authorization server: gets consent from resource owner and issues access tokens to clients for accessing protected resources

Introduction to OAuth2, OpenID Connect and JSON Web Tokens (JWT) 

Categories: Security

By Dominick Baier

Enterprise security 

  • Kerberos/LDAP (intranet)
  • SOAP WS*, XML SAML (internet)

OAuth2 (Authorization Server)

  • Request token for backend consumption
  • Forward token to backend (webapi)

OpenID Connect (Authentication Server)

  • Request token for client consumption
  • Parse and validate token

Security Tokens

  • Security tokens are (protected) data structures
  • Contains information about issuer and subject (claims)
  • signed (tamper proof & authenticity)
  • typically contain an expiration time
  • A client requests a token
  • An issuer issues a token
  • A resource consumes a token (has a trust relationship with the issuer)

SAML 1.1/2.0

  • XML based
  • many encryption & signature options
  • very expressive

Simple Web Token (SWT)

  • Form/URL encoded
  • symmetric signatures only

JSON Web Token (JWT)

  • JSON encoded
  • symmetric and asymmetric signatures (HMAC-SHA256/384, ECDSA, RSA)
  • symmetric and asymmetric encryption (RSA, AES/GCM)
  • http://self-issued.info/docs/draft-ietf-oauth-json-web-token.html

Header: metadata, algorithms & keys used
Claims: Issuer (iss), Audience (aud), IssuedAt (iat), Expiration (exp), Subject (sub), ... application defined claims, Signature

Header.Claims.Signature
{ "typ":"JWT", "alg":"HS256" }
{ "iss":"https://myIssuer", "exp":"1340819380", "aud":"https://myResource", "sub":"alice", "client":"xyz", "scope":["read", "search"]}

http://nuget.org/packages/Microsoft.IdentityModel.Tokens.JWT
SEND: var tokenString = new JWTSecurityTokenHandler().WriteToken(new JWTSecurityToken(...))
RECEIVE: principal = new JWTSecurityTokenHandler().ValidateToken(token, validationParams);
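The handler calls above hide what ValidateToken actually has to do before the claims can be trusted. The block below is an added example, not code from the original notes or from the Microsoft.IdentityModel.Tokens.JWT package: a minimal HS256 issuer and validator in the Python standard library, checking the algorithm, the signature, iss, aud and exp in that order. The secret, issuer and resource values are made up for the example.

```python
"""Added example, not from the original notes or the NuGet package they name:
a minimal HS256 JWT issuer and validator using only the standard library.
The secret, issuer and audience values are constructed for the example."""
import base64
import hashlib
import hmac
import json
import time
from typing import Any, Dict, Optional


class InvalidToken(Exception):
    """Raised for any token the resource must refuse."""


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_jwt(claims: Dict[str, Any], key: bytes) -> str:
    """Issuer side: Header.Claims.Signature with an HMAC-SHA256 signature."""
    header = {"typ": "JWT", "alg": "HS256"}
    signing_input = (b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "." + b64url(json.dumps(claims, separators=(",", ":")).encode()))
    signature = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url(signature)


def validate_jwt(token: str, key: bytes, expected_issuer: str, expected_audience: str,
                 now: Optional[float] = None) -> Dict[str, Any]:
    """Resource side: return the claims only if alg, signature, iss, aud and exp pass."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise InvalidToken("token must have three segments")
    header_b64, claims_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    # Pin the algorithm: the header is attacker-controlled input, so it is only
    # compared against what this resource expects, never used to pick a verifier.
    if header.get("alg") != "HS256":
        raise InvalidToken("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{claims_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise InvalidToken("bad signature")
    claims = json.loads(b64url_decode(claims_b64))
    if claims.get("iss") != expected_issuer:
        raise InvalidToken("wrong issuer")
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    # A valid token for some other resource is still not a token for this one.
    if expected_audience not in audiences:
        raise InvalidToken("token was issued for another audience")
    try:
        exp = int(claims["exp"])
    except (KeyError, TypeError, ValueError):
        raise InvalidToken("missing or malformed exp")
    if exp <= now:
        raise InvalidToken("token expired")
    return claims


# Constructed sample values (not real keys or endpoints).
SECRET = b"example-shared-secret-do-not-reuse"
ISSUER = "https://myIssuer"
RESOURCE = "https://myResource"


def demo(now: float = 1340800000) -> Dict[str, Any]:
    """Mint a token shaped like the one in the notes and validate it at `now`."""
    claims = {"iss": ISSUER, "exp": now + 3600, "aud": RESOURCE, "sub": "alice",
              "client": "xyz", "scope": ["read", "search"]}
    return validate_jwt(mint_jwt(claims, SECRET), SECRET, ISSUER, RESOURCE, now=now)


def tampered_token(now: float = 1340800000) -> str:
    """The same token with its claims segment swapped for one where sub=mallory."""
    token = mint_jwt({"iss": ISSUER, "exp": now + 3600, "aud": RESOURCE, "sub": "alice"}, SECRET)
    h, _, s = token.split(".")
    forged = b64url(json.dumps({"iss": ISSUER, "exp": now + 3600, "aud": RESOURCE,
                                "sub": "mallory"}).encode())
    return f"{h}.{forged}.{s}"


if __name__ == "__main__":
    print(demo()["sub"])
```

The order matters: the algorithm is pinned before any signature work, the signature is checked with a constant-time compare before the claims are parsed, and the audience check is what keeps a token minted for one resource from being accepted by another.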

The OAuth 2.0 Authorization Framework (October 2012 - RFC6749, RFC6750)

  • Resource Server, Client, Resource Owner = User, Authorization Server
  • Valet Parking Key Analogy
  • Main goal is to assume the client is not trusted

Authorization Code Flow

  • Resource Owner -> Web Application -> Resource Server
  • 0. Client registers at authorization server 
  • 1a. Owner to AS: GET /authorize?client_id=webapp&scope=resource&redirect_uri=https://webapp/cb&response_type=code&state=123
  • http://zachholman.com/2011/01/oauth_will_murder_your_children/
  • 1b. Owner to client: GET /cb?code=xyz&state=123
  • 2a. WebApp to AS: POST /token Authorization: Basic (client_id:secret) grant_type=authorization_code&code=xyz&redirect_uri=https://webapp/cb
  • 2b. AS to WebApp: token response access_token and refresh_token
  • 3. WebApp to Resource Server: GET /Resource
  • 4. send refresh tokens

Implicit Flow

  • 1a. Owner to AS: GET /authorize?client_id=webapp&scope=resource &redirect_uri=https://webapp/cb&response_type=token&state=123
  • 1b. AS to Client: GET /cb#access_token=abc&expires_in=3600&state=123
  • 3. GET /resource

Windows RT - WebAuthenticationBroker.AuthenticateAsync

Resource Owner Credential Flow

  • For trusted applications and devices
  • 1a. Client to AS: POST /token grant_type=password&scope=resource&username=owner&password=password
  • 1b. Token response, you should store the token and refresh token, not the credentials
  • Resource owner credentials are exposed to client
  • User should not become accustomed to typing in credentials everywhere

Client Credential Flow

  • No human involved at all
  • POST /token grant_type=client_credentials&scope=resource

OAuth2 abused for authentication by getting userinfo

Client to AS: GET /authorize?client_id=nativeapp&redirect_uri=http://localhost/cb&scope=signin&response_type=token&state=123
AS to Client: GET /CB?access_token
Client to Resource server: GET /userinfo

The Problem
1. User logs into maliciousapp that steals token
2. Malicious developer uses stolen access token in legitimate app (impersonated)

So we now have to write custom code for each provider (https://OAuth.io)

OpenID Connect (on top of OAuth2)

ID Token, UserInfo endpoint, discovery & dynamic registration, session management
Identity Provider, Authorization Endpoint, Token Endpoint, UserInfo Endpoint

  • 1a. user agent to AS: GET /authorize ... scope=openid profile

profile claims: name, family_name, given_name, middle_name, nickname, preferred_username, profile, picture, website, gender, birthdate, zoneinfo, locale, updated_at
email claims: email, email_verified
address: address
phone: phone_number, phone_number_verified
offline_access: requests refresh token

  • 1b. user agent to IP
  • 2b. token endpoint will return id_token on top of access_token

Client must validate the ID token (especially the audience must be himself)

  • 3a. UserInfo Request

Goal is to allow a client to use an arbitrary OpenID Connect provider without code modifications

Eran Hammer (OAuth2 issues)

Protocol vs Framework (over 69 choices), so you cannot implement the specification because you need to build your own protocol.

  • RFC 6749 The OAuth2 Authorization Framework 
  • RFC 6750 OAuth2 Bearer Token Usage
  • RFC 6819 Threat Model and Security Considerations

Bearer Token
A security token with the property that any party in possession of the token (a "bearer") can use the token in any way that any other party in possession of it can. Using a bearer token does not require a bearer to prove possession of cryptographic key material (proof-of-possession). -> so everything depends on the safety of the transport layer, where plenty of developers ignore ssl certificate errors. (ServicePointManager)

Security Theater (Bruce Schneier)

  • Does the webview redirecting make sense?
  • Wouldn't it be better to let the application handle it all?

OAuth2 attack surface everywhere

Facebook Hacks

Specifications need some refinement (basic profile, MAC tokens, ...)
Current implementations are lacking even by the big guys, let alone the myriad of DIY implementations

Very good & balanced view

Resources

Identity and Access Control in ASP.NET 4.5 

Categories: Security

By Dominick Baier

  • Authentication: Windows, Forms, Federated
  • Authorization: Roles, Claims

ASP.Net security pipeline

  • Request -> BeginRequest -> AuthenticateRequest
  • Look for credential
  • Set Principal (Thread.CurrentPrincipal = authUser; HttpContext.Current.User = authUser;) -> PostAuthenticateRequest
  • Add claims to principal -> AuthorizeRequest 
  • Determine if user is allowed to access resource -> ExecuteHandler 
  • Resource Rendering -> EndRequest
  • Post-processing (error codes, redirect) -> Response

Recommended way to get user is ClaimsPrincipal.Current (instead of Thread.CurrentPrincipal, HttpContext.Current.User, User)

Windows Authentication (Kerberos)

  • Server 2012 allows for additional claims configuration
  • Combination of IIS and ASP.Net settings
  <system.webServer>
    <security>
      <authentication>
        <anonymousAuthentication enabled="false" />
        <windowsAuthentication enabled="true" />
      </authentication>
    </security>
  </system.webServer>

<authentication mode="Windows" />

Claims: Name, PrimarySid, GroupSid, DenyOnlySid

whoami /groups /fo list
whoami /claims (windows server 2012) ad://ext/...

Forms Authentication

  • Produces only a Name Claim, but you can add additional claims using the Role Manager.
  <system.webServer>
    <security>
      <authentication>
        <anonymousAuthentication enabled="true" />
      </authentication>
    </security>
  </system.webServer>
  <system.web>
    <authentication mode="Forms">
      <forms loginUrl="~/Account/Login" timeout="2880" />
    </authentication>
  </system.web>

  [AllowAnonymous]
  [ValidateAntiForgeryToken]
  public ActionResult Login(LoginModel model, string returnUrl)
  {
      if (ModelState.IsValid)
      {
          var success = ValidateUser(model.UserName, model.Password);
          if (success)
          {
              // issues the forms authentication ticket cookie; only the name travels in it
              FormsAuthentication.SetAuthCookie(model.UserName, model.RememberMe);
              return RedirectToLocal(returnUrl); // local redirect only, never an arbitrary URL
          }
      }

      ModelState.AddModelError("", "Username or password wrong.");
      return View(model);
  }

Membership & Role Manager

  • Lots of methods on the interface you probably don't need.
  • <roleManager cacheRolesInCookie="true" />
  • Limited support for claims

Claims Transformation & Session Management

  • to validate incoming identity data
  • allows adding application specific claims to the principal
  public class ClaimsTransformer : ClaimsAuthenticationManager
  {
      public override ClaimsPrincipal Authenticate(string resourceName, ClaimsPrincipal incomingPrincipal)
      {
          // only transform authenticated identities; anonymous requests pass through untouched
          if (incomingPrincipal.Identity.IsAuthenticated)
          {
              return TransformClaims(incomingPrincipal);
          }
          return incomingPrincipal;
      }
  }
  • ClaimsAuthenticationManager needs to be called after the authentication stage eg. PostAuthenticateRequest or using a HTTP module (WS-Federation plumbing) 

Session security token

  • var sessionToken = new SessionSecurityToken(principal, TimeSpan.FromHours(8));
  <modules runAllManagedModulesForAllRequests="true">
    <add name="SessionAuthenticationModule" type="...System.IdentityModel.Services.SessionAuthenticationModule" />
  </modules>
  • FederatedAuthentication.SessionAuthenticationModule.WriteSessionTokenToCookie(sessionToken);
  • FederatedAuthentication.SessionAuthenticationModule.SignOut();

Events Pipeline

  • SecurityTokenReceived
  • SessionSecurityTokenCreated
  • SignedIn/SignedOut
  • SignOutError

Sliding Expiration

  • use e.SessionToken to inspect session details in Received handler
  if (extendSession)
  {
      var sam = sender as SessionAuthenticationModule;
      e.SessionToken = sam.CreateSessionSecurityToken(...);
      e.ReissueCookie = true;
  }

Cookie Handling

  • Chunked at 2KB
  • DPAPI and machine key based protection
  • web farms need shared key material
  <securityTokenHandlers>
    <remove type="... SessionSecurityTokenHandler ..." />
    <add type="... MachineKeySessionSecurityTokenHandler ..." />
  </securityTokenHandlers>

Server Side Caching

  • only session token identifier gets serialized into a cookie
  • needs server side (distributed) caching infrastructure
  var sessionToken = new SessionSecurityToken(principal, TimeSpan.FromHours(8))
  {
      IsPersistent = false,
      IsReferenceMode = true // cache on server; only the token identifier goes into the cookie
  };
  • Provide your own implementation of SessionSecurityTokenCache for appFabric or memCached.


ClaimsAuthenticationManager

  • reject request based on missing identity information
Only authenticated users
  <system.web>
    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>

Users in role Marketing only
  <location path="customers">
    <system.web>
      <authorization>
        <allow roles="Marketing" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>

ClaimsAuthorizationManager
  <modules runAllManagedModulesForAllRequests="true">
    <add name="ClaimsAuthorizationModule" type=" ... " />
  </modules>

  <system.identityModel>
    <identityConfiguration>
      <claimsAuthorizationManager type=" ... " />
    </identityConfiguration>
  </system.identityModel>

Intra-app Authorization (preferred)

[PrincipalPermission(SecurityAction.Demand, Roles = "Marketing")]
public ActionResult AddCustomer() { ... }

[ClaimsPrincipalPermission(SecurityAction.Demand, Resource = "Customer", Operation = "Add")]
public ActionResult AddCustomer() { ... }

[Authorize(Roles = "Sales")] // mvc not in unit tests, no exception, limited to roles
public ActionResult AddCustomer() { ... }

[ClaimsAuthorize("Add", "Customer")] // Thinktecture.IdentityModel, also exists for webapi
public ActionResult AddCustomer() { ... }

var allowed = ClaimsAuthorization.CheckAccess("Get","Customer", id.ToString());
if (allowed) { ... }

[AllowAnonymous]

RegisterGlobalFilters

  • filters.Add(new HandleErrorAttribute());
  • filters.Add(new ClaimsAuthorizeAttribute());

-> don't mix authorization & business logic

External Authentication using WS-Federation

  <authentication mode="None" />
  <modules>
    <add name="WSFederationAuthenticationModule" ... />
    <add name="SessionAuthenticationModule" ... />
  </modules>
  • Testing with the Identity & Access Visual Studio extension (no JWT)
  • WS-Federation allows separating the application from authentication, which removes complexity from the application
  • Security token service responsible for authenticating user, authorization and emitting token + claims
  <wsFederation passiveRedirectEnable="true" issuer="https://idsrv/issue/wsfed" realm="http://myapp" />

  <issuerNameRegistry type="... ConfigurationBasedIssuerNameRegistry ...">
    <trustedIssuers>
      <add thumbprint="..." name="STS" />
    </trustedIssuers>
  </issuerNameRegistry>
  <certificateValidation certificateValidationMode="ChainTrust" revocationMode="Online" />

  <audienceUris>
    <add value="http://myapp" />
  </audienceUris>
  • Most configuration can be derived from federation metadata (https://idsrv/FederationMetadata/2007-06/FederationMetadata.xml)

Dynamic Configuration

  • Application_Start: FederatedAuthentication.FederationConfigurationCreated += FederatedAuthentication_FederationConfigurationCreated;

WS-Federation Events

  • SecurityTokenReceived
  • SecurityTokenValidated
  • SessionSecurityTokenCreated
  • SignedIn/SignedOut
  • SignInError/SignOutError
  • RedirectingToIdentityProvider 
  var signIn = new SignInRequestMessage(
      new Uri("https://idsrv/issue/wsfed"), "http://fooRealm");
  var url = signIn.WriteQueryString();
  • FederatedAuthentication.WSFederationAuthenticationModule.SignOut(); -> does not sign-out the user at the token service
  • Server-side Session Caching & Sliding Expiration
  • SessionSecurityTokenCreated: e.SessionToken.IsReferenceMode = true;

Advanced Federation Patterns

Single Sign-On

  • identity provider establishes a logon session with user
  • identity provider is shared across multiple applications

Single Sign-Out

  • /wsfed?wa=wsignout1.0
  • page back to browser that clears out all rps
  • <img src="https://rp1/?wa=wsignoutcleanup1.0" />
  public ActionResult SignOut()
  {
      var fam = FederatedAuthentication.WSFederationAuthenticationModule;

      // clear local cookie
      fam.SignOut(isIPRequest: false);

      // initiate a federated sign out request to the sts.
      var signOutRequest = new SignOutRequestMessage(
          new Uri(fam.Issuer), fam.Realm
      );

      return new RedirectResult(signOutRequest.WriteQueryString());
  }

Federating with multiple Identity Providers

  • Relying party only "knows" about the R-STS (Resource-STS)

Logical Model

  1. user connects to his identity provider
  2. sends token to resource sts (which trusts identity provider)
  3. user gets transformed token back
  4. user uses token with relying party (which trusts the R-sts)

Physical Model (Home Realm Discovery HRD)

  • user logs into relying party, so browser has to show a selection UI and afterwards remember the decision
  • the whr parameter in WS-Federation allows pre-selecting the identity provider
  • https://idsrv/issue/hrd/?wa=wsignin1.0&wtrealm=https://www.myapp.com&whr=[identifier_of_external_idp]
  • <wsFederation homeRealm="web" />