Securing Smart Client Applications
Jørgen Thyme, Developer & Platform Strategy Group, Microsoft
[email protected]
www.rolighed.net/weblog
Today's Agenda
Best practices for building well-designed, secure, data-driven, smart client applications
Session 1: Designing and building smart clients
  Patterns and practices for smart clients, IssueVision
Session 2: Securing smart client applications
  Tips for secure data, CAS, encryption, and more
Session 3: The ins and outs of secure data access
  Best practices for smart client data, offline data
Session 4: Deploying and maintaining smart clients
  Tips for deploying and updating apps to avoid “DLL Hell”
Agenda
Meet the Security Challenge Head-On
Drill-Down: Design choices for security
  Secure the database
  Protect secrets in your code
  Encrypt offline data
  Control access to local resources
  Control access to Web services
  Protect business logic
Summary: Best Practices for Security
Meet Security Head-On
Adopt a structured approach to identifying, quantifying, and addressing threats
  Threat modeling
  Security checklists
Best Practice: Make security reviews part of the development process
  Part of writing specifications and designing, just like coding and testing
Threat Modeling
Structured approach to:
  Evaluate security threats
  Identify countermeasures
DREAD helps rate risk:
  Damage potential
  Reproducibility
  Exploitability
  Affected users
  Discoverability
More information in MSDN Patterns and Practices:
http://msdn.microsoft.com/library/en-us/dnnetsec/html/ThreatCounter.asp
Threat Modeling Process
1. Identify Assets
2. Create an Architectural Overview
3. Decompose the Application
4. Identify the Threats
5. Document the Threats
6. Rate the Threats
MSDN Security Checklists
Great tool to identify threats
http://msdn.microsoft.com/library/en-us/dnnetsec/html/CL_SecRevi.asp
Drill-Down: Design Choices for Security
Secure the database
Protect secrets
Encrypt offline data
Control access to local resources
Control access to Web services
Secure the Database
Use the least-privileged account possible to connect to the database
Limit access privileges to stored procedures only
If stored procedures can’t be used, use type-safe parameters to construct commands
Protect connection strings as secrets
Encrypt sensitive data to be retrieved from the database using strong symmetric encryption
Then, encrypt the symmetric encryption keys with DPAPI, and store these in a restricted registry key
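The "stored procedures only" and "type-safe parameters" points side by side in C# with System.Data.SqlClient, as an added example that is not the deck's IssueVision code: the first method splices caller-supplied text into the SQL statement, the second passes it as a typed SqlParameter to a stored procedure run under the locked-down login. The procedure name, parameter name, table, and connection string are assumptions.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

public static class IssueRepository
{
    // Assumed connection string for the locked-down login (IVUser in this deck),
    // which only needs EXECUTE on the application's stored procedures. It is a
    // secret: load it from a protected store rather than hard-coding it.
    private const string ConnectionString =
        "Server=dbserver;Database=IssueVision;User Id=IVUser;Password=<from protected store>;";

    // BEFORE: the caller's text is pasted into the statement, so a value containing
    // a quote changes the SQL itself, and whatever it becomes runs as IVUser.
    public static DataTable FindIssuesUnsafe(string titleFragment)
    {
        string sql = "SELECT IssueID, Title FROM Issues WHERE Title LIKE '%"
                     + titleFragment + "%'";
        using (var conn = new SqlConnection(ConnectionString))
        using (var cmd = new SqlCommand(sql, conn))
        {
            var table = new DataTable();
            conn.Open();
            using (SqlDataReader reader = cmd.ExecuteReader()) table.Load(reader);
            return table;
        }
    }

    // AFTER: a stored procedure (assumed name) and a typed, length-limited parameter.
    // The value travels as data and is never parsed as SQL; the login needs no
    // SELECT right on the table, only EXECUTE on the procedure.
    public static DataTable FindIssues(string titleFragment)
    {
        if (titleFragment == null) throw new ArgumentNullException("titleFragment");
        if (titleFragment.Length > 100)
            throw new ArgumentException("Search text too long.", "titleFragment");

        using (var conn = new SqlConnection(ConnectionString))
        using (var cmd = new SqlCommand("usp_FindIssuesByTitle", conn))
        {
            cmd.CommandType = CommandType.StoredProcedure;
            cmd.Parameters.Add("@TitleFragment", SqlDbType.NVarChar, 100).Value = titleFragment;

            var table = new DataTable();
            conn.Open();
            using (SqlDataReader reader = cmd.ExecuteReader()) table.Load(reader);
            return table;
        }
    }
}
```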
Tip: Different Logins by Task
“sa” (or equivalent domain account)
  Database server administrator
  Used to create the database only
“dbo”
  Owner (dbo) of the application database
  Used for application development only: modifying schema, creating stored procedures
“IVUser”
  Locked-down account
  Used by middle-tier components to access the stored procedures
Protect Secrets & Offline Data
One-way hash functions
  Easy to compute, practically impossible to reverse
  You cannot recover the source data from just its hash value!
  Best for: storing user passwords or other data where comparing hash values is sufficient
Strong encryption algorithms
  Ciphertext can be decrypted only if you know the encryption key
  Best for: protecting stored or transmitted data
Which Technique Should I Use?

I want to… | Recommendation | Advantages | Limitations
Store a user password securely | Salt + SHA1 (one-way hash): prepend a random salt to the password before hashing to defend against off-line dictionary attacks | No keys to manage. Identical input yields identical hash values. | Must store a salt to ensure unique cipher text for identical values.
Protect local user data | DPAPI (encryption using keys derived from user credentials) | DPAPI manages keys on behalf of the application. | Data can’t be decrypted by other users, or on other machines.
Encrypt data that will need to be decrypted later | Symmetric encryption algorithms (e.g. Rijndael) | Data can be decrypted by other apps / machines that have the key. | Application must manage keys and transmit them securely.
Encrypting User Passwords
Goal: Keep user passwords safe, but usable
Recommendation: Hash (Salt + Password)
Storing a password:
1. Create a unique “salt” for the user
   The salt ensures the same password value will hash differently for each user
2. Prepend the salt to the password string
3. Hash using SHA1: SHA1.ComputeHash()
4. Store both the salt and the hash value
To verify, re-hash with the stored salt and the supplied password, and compare
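The four storage steps and the verification step in C#, as an added example rather than the deck's own code. It follows the deck's Salt + SHA1 recommendation as stated; the 16-byte salt length and the whole-array comparison (so that verification time does not depend on where the first differing byte is) are additions. One fact a practitioner should weigh today: SHA1 is fast, so a leaked table of salted SHA1 hashes can be guessed against at high speed, and current guidance is a deliberately slow iterated function such as PBKDF2 (Rfc2898DeriveBytes in .NET) in place of a single SHA1 pass; the salt-store-verify structure shown here is the same either way.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Step 4 of the deck: what is stored per user, the salt and the hash together.
public sealed class PasswordRecord
{
    public byte[] Salt;
    public byte[] Hash;
}

public static class PasswordHasher
{
    // Step 1: a unique random salt for this user (16 bytes is an assumption;
    // the deck does not give a length).
    public static byte[] NewSalt()
    {
        byte[] salt = new byte[16];
        using (RandomNumberGenerator rng = RandomNumberGenerator.Create())
        {
            rng.GetBytes(salt);
        }
        return salt;
    }

    // Steps 2 and 3: prepend the salt to the password bytes, then SHA1.ComputeHash().
    public static byte[] Hash(byte[] salt, string password)
    {
        byte[] pw = Encoding.UTF8.GetBytes(password);
        byte[] input = new byte[salt.Length + pw.Length];
        Buffer.BlockCopy(salt, 0, input, 0, salt.Length);
        Buffer.BlockCopy(pw, 0, input, salt.Length, pw.Length);
        using (SHA1 sha1 = SHA1.Create())
        {
            return sha1.ComputeHash(input);
        }
    }

    public static PasswordRecord Store(string password)
    {
        byte[] salt = NewSalt();
        return new PasswordRecord { Salt = salt, Hash = Hash(salt, password) };
    }

    // Verify: re-hash the candidate with the stored salt and compare every byte,
    // so the time taken does not reveal how many leading bytes matched.
    public static bool Verify(PasswordRecord record, string candidate)
    {
        byte[] computed = Hash(record.Salt, candidate);
        if (computed.Length != record.Hash.Length) return false;
        int diff = 0;
        for (int i = 0; i < computed.Length; i++)
        {
            diff |= computed[i] ^ record.Hash[i];
        }
        return diff == 0;
    }
}
```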
Data Protection API (DPAPI)
Extends CryptoAPI
  Key is derived from the current user’s credentials
  Uses TripleDES encryption
  Supports entropy: an additional secret used to secure the data to a single application
Best for:
  Protecting offline data
  Protecting user-specific configuration data
[Diagram: the Application (DataProtection.vb) hands plaintext data (“Now is the time …”) to DPAPI through CryptoAPI (Crypt32.dll); DPAPI makes local RPC calls into the Local Security Authority (LSA) in the Operating System and returns the protected data (“qARDBsQEAtRD…”).]
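An added C# example (not the deck's DataProtection.vb) that puts the database slide's advice and this slide together: data is encrypted with a random Rijndael/AES key, and only a DPAPI-protected copy of that key, bound to the current user plus an application entropy value, is ever stored (the deck puts it in a restricted registry key; the registry write is left to the caller here). ProtectedData is the managed DPAPI wrapper available from .NET 2.0 onward, where this deck's .NET 1.1 code had to P/Invoke Crypt32.dll; the entropy string and the 256-bit key size are assumptions.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

public static class OfflineDataProtection
{
    // Assumed application-specific entropy: the extra secret the deck mentions,
    // so other code running under the same user account cannot unwrap the key.
    private static readonly byte[] AppEntropy =
        Encoding.UTF8.GetBytes("IssueVision offline data key v1 (assumed value)");
    // Generates a random 256-bit AES (Rijndael) data key and returns it wrapped by
    // DPAPI for the current user. Only this wrapped form is ever stored.
    public static byte[] CreateProtectedDataKey()
    {
        using (Aes aes = Aes.Create())
        {
            aes.KeySize = 256;
            aes.GenerateKey();
            return ProtectedData.Protect(aes.Key, AppEntropy, DataProtectionScope.CurrentUser);
        }
    }
    // Output layout: random 16-byte IV followed by the CBC/PKCS7 ciphertext.
    public static byte[] Encrypt(byte[] protectedKey, byte[] plaintext)
    {
        using (Aes aes = OpenDataKey(protectedKey))
        {
            aes.GenerateIV();
            byte[] body = Run(aes.CreateEncryptor(), plaintext, 0, plaintext.Length);
            byte[] output = new byte[aes.IV.Length + body.Length];
            Buffer.BlockCopy(aes.IV, 0, output, 0, aes.IV.Length);
            Buffer.BlockCopy(body, 0, output, aes.IV.Length, body.Length);
            return output;
        }
    }
    public static byte[] Decrypt(byte[] protectedKey, byte[] blob)
    {
        using (Aes aes = OpenDataKey(protectedKey))
        {
            byte[] iv = new byte[aes.BlockSize / 8];
            if (blob.Length < iv.Length) throw new ArgumentException("Blob too short.", "blob");
            Buffer.BlockCopy(blob, 0, iv, 0, iv.Length);
            aes.IV = iv;
            return Run(aes.CreateDecryptor(), blob, iv.Length, blob.Length - iv.Length);
        }
    }
    // Unwraps the data key. DPAPI throws CryptographicException when the blob was
    // protected by another user or on another machine: the limitation the deck lists.
    private static Aes OpenDataKey(byte[] protectedKey)
    {
        Aes aes = Aes.Create();
        aes.Key = ProtectedData.Unprotect(protectedKey, AppEntropy, DataProtectionScope.CurrentUser);
        return aes;
    }
    private static byte[] Run(ICryptoTransform t, byte[] data, int offset, int count)
    {
        using (t) { return t.TransformFinalBlock(data, offset, count); }
    }
}
```

The blob is confidential but carries no integrity check; if tampering with the offline file matters, add a MAC over the IV and ciphertext and verify it before decrypting.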
Limit Access to Local Resources
What is a local resource? Just about everything!
  Files and file system
  Registry information
  User interface elements
  Clipboard
  Network access (e.g. Web, sockets)
  Performance counters, event logs
  Printing, and more
.NET controls access to local resources with Code Access Security
Code Access Security
Provides fine-grained access control to resources
Applications can run with “just enough” permissions
  For example: applications which don’t perform any file IO run without File IO permission
Grants access to resources based on the identity of the code, not the user
Uses evidence to determine code identity
Uses policy to evaluate the evidence to determine which permissions will be granted to the application
Evidence + Policy = Permissions
[Diagram: Evidence + Policy = Permissions]
Load assembly → gather evidence (hash, strong name, publisher, zone, URL) → evaluate against the policy levels (Enterprise, Machine, User, AppDomain) → grant permission sets (yielding permissions)
Assembly performs a privileged operation → demand permission → permission granted?
  Yes: continue with the privileged operation (or access the resource)
  No: throw SecurityException
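The demand branch of the diagram in C#, as an added example rather than the deck's code, for the .NET Framework CAS model this deck targets (CAS policy enforcement was removed in later .NET, so the behaviour described applies to the Framework only). The file path and the method names are assumptions.

```csharp
using System;
using System.IO;
using System.Security;
using System.Security.Permissions;

public static class SettingsReader
{
    // Demands only what this method needs: read access to one file (the path must be
    // absolute; FileIOPermission rejects relative paths). Under CAS the demand walks
    // the call stack, so it fails if any caller's assembly was not granted this
    // permission by policy, e.g. code loaded from the Internet zone.
    public static string ReadLocalSettings(string absolutePath)
    {
        var permission = new FileIOPermission(FileIOPermissionAccess.Read, absolutePath);
        permission.Demand();   // the "No" branch of the diagram throws SecurityException here

        // File.ReadAllText demands the same permission internally; the explicit demand
        // above makes the requirement visible and fails before the file is touched.
        return File.ReadAllText(absolutePath);
    }

    // Handles the SecurityException where it is raised, falling back to defaults
    // rather than letting the application crash or asking for broader rights.
    public static string ReadLocalSettingsOrDefault(string absolutePath, string fallback)
    {
        try
        {
            return ReadLocalSettings(absolutePath);
        }
        catch (SecurityException)
        {
            return fallback;
        }
    }
}

// The "just enough permissions" point from the slide, declared at assembly level in
// .NET Framework 1.x/2.0 terms: an application that does no file IO can refuse the
// permission outright, so it never runs with FileIOPermission even if policy grants it.
// [assembly: FileIOPermission(SecurityAction.RequestRefuse, Unrestricted = true)]
```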
Preconfigured Policies by Zone

Permission | Capability | Local Intranet | Internet
File Dialog | Open and save files via file dialog box | Yes | No
File Dialog | Open files via file dialog box | Yes | Yes
Isolated Storage File | Storage is isolated by user, application domain and assembly | Yes | Yes
Printing | Printing only via a restricted dialog box | Yes | Yes
Security | Execute | Yes | Yes
Security | Call unmanaged code | Yes | No
UI | Unrestricted | Yes | No
UI | Draw message boxes and dialogs | Yes | Yes
Web | Connect (https) to originating site | Yes | Yes
Seven Types of Evidence
Strong-naming the assembly is an easy and robust method to establish code identity

Evidence | Description
Application directory | Where the application is installed
Hash | Cryptographic hash that identifies assembly differences regardless of version number
Publisher | Software publisher signature
Site | Site of origin, such as http://www.microsoft.com
Strong Name | Cryptographically strong name of the assembly
URL | Originating URL
Zone | Zone of origin, such as Internet Zone
Strong Naming an Assembly
A strong name identifies your code and helps prevent tampering
Strong name includes:
  The simple text name of the assembly
  The version number of the assembly
  The culture code (if any) of the assembly
Verified by a digitally signed hash of the assembly bytes
Generate a key pair and use it in the application:
  sn -k IssueVision.snk
  <Assembly: AssemblyKeyFile("..\..\IssueVision.snk")>
Tools to Set Up Security
Strong naming: SN.exe
  Generates a strong name key pair to sign .NET assemblies
  General strong name signing tool
Change security policy:
  .NET Configuration tool
  .NET Wizards
  CasPol.exe command line tool
Make changes carefully! Grant the smallest number of permissions needed to run
Deploying Security Policies
Deploy policies using SMS or Group Policy
Deploy with the application in the installation package
  MSI created using the .NET Configuration snap-in
System.Security.Policy namespace includes methods to add policies programmatically

<configuration>
  <mscorlib>
    <security>
      <policy>
        <PolicyLevel version="1">
          <SecurityClasses>
            <SecurityClass Name="AllMembershipCondition" ...
Web Services Security
Most Web services use authentication
  Prevents anonymous use of the web service
For some services, also:
  Authorization: ensures the user has permission to perform the requested action
  Encryption: prevents malicious data manipulation
Authentication Choices
Windows auth (NTLM)
  Easy choice for intranet applications
Roll-your-own
  Recommended for interop with non-WS-Security platforms
  Common path before WSE 2.0
Web Services Enhancements (WSE) 2.0
  Cross-platform, evolving standard
  Uses a standard SOAP header to transmit the caller’s credentials
WSE Security Tokens
A token is a collection of “claims”
  Name, identity, privileges
  May or may not prove the identity of the sender
Tokens support role-based security
  The Principal object gives access to the IsInRole method

Security Token | Description
UsernameToken | Simple username and password
X509SecurityToken | X.509 certificate
KerberosToken | Integrated Windows security; requires Windows Server 2003 or Windows XP with Service Pack 1
DerivedKeyToken | Generates a one-time key for each message; used in conjunction with other tokens to enhance app security
SecurityContextToken | Used to sign and encrypt an entire SOAP conversation
WSE Username Authentication
[Diagram: on the desktop client, the Web Services Layer adds a Username Token to the message as a custom SOAP header; on the servers, the Web Service’s UsernameTokenManager (with IssueVisionPolicy.xml) calls Authenticate() to validate it. Other labels: SecurityContextToken, Token Issuing Services.]
<wsse:UsernameToken wsu:Id="SecurityToken-daf1041f-e18e-45db-9d59-59ec11ba2def"> ...</wsse:UsernameToken>
WSE 2.0 Version of IssueVision
IssueVision 1.0 uses “roll your own” authentication and SSL
Check here for an updated IssueVision 1.1 that uses WSE 2.0:
msdn.microsoft.com/webservices/devdays2004
Protecting Business Logic
Problem: .NET code can be decompiled to reveal business logic and proprietary algorithms
Solution: Obfuscation
  Renames symbols in .NET assemblies, making it significantly more difficult to disassemble
Tools
  PreEmptive's Dotfuscator Community Edition is integrated into Microsoft's Visual Studio® .NET 2003 to get you started
  Dotfuscator will help to thwart reverse engineering attempts on your .NET code
Best Practices for Security
Adopt a structured approach to assessing threats, and make it part of your development process
Access data with the lowest possible permission
  Don’t run as DB Admin!
Execute code with the least possible permissions
  Don’t run as Admin!
Encrypt secrets, and store them in a safe place
Sign your assemblies with a strong name
Use WS-Security with Web services to authenticate callers
Resources
Threat Identification: msdn.microsoft.com/library/en-us/dnnetsec/html/CL_SecRevi.asp
Microsoft Security Updates: www.microsoft.com/security/security_bulletins/alerts2.asp
PSS Support Center: support.microsoft.com/default.aspx?pr=security
Related Resources: msdn.microsoft.com/library/en-us/dnnetsec/html/THReltdRes.asp

Resources (continued)
TechNet: Product and Technology Security Centers: www.microsoft.com/technet/security/prodtech/default.asp
TechNet: Security Topics: www.microsoft.com/technet/security/topics/default.asp
Solutions at a Glance: msdn.microsoft.com/library/en-us/dnnetsec/html/THCMGlance.asp