
Collaborate

Knowledge Byte
In this section, you will learn about:

• Authenticode signing
• Microsoft Passport Service

©NIIT Collaborate Lesson 5C / Slide 1 of 19



Authenticode Signing
• There are two important issues in making the Internet a reliable source for
software distribution:
• Authenticity: the user must be assured of the source of the code.
• Integrity: the user must also be assured that the code is unaltered since its
publication.
• Authenticode signing technology makes it possible to check the authenticity
and integrity of software.
• This technology uses digital signatures and digital certificates to secure
the authenticity and integrity of software.


Digital Signatures
• Digital signatures:
• Can be used to distribute data securely
• Assure the receiver about the source of the data
• Are validated when the recipient of the data wants to verify whether
the data has come from the correct source
• Do not change the data; they simply enclose it with a digital signature
string
• Are generated using a public-key signature algorithm
• This algorithm uses two types of keys:
• Private key
• Public key


Digital Signatures (Contd.)


• The following steps show how digital signatures are used to safeguard the
authenticity and integrity of a document:
1. A hash of the document is generated.
2. The hash is encrypted using the sender's private key.
3. The encrypted hash is attached to the document before it is transmitted.
4. The receiver produces a hash of the document after it is received from
the sender.
5. The receiver then decrypts the encrypted hash using the sender's public key.
6. If the sender's hash is the same as the receiver's hash, the document is
authentic and has not been tampered with.
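The six steps above, as an added example in Go (not code from the slides or from Authenticode itself): SHA-256 is the hash and RSA PKCS#1 v1.5 is the public-key signature algorithm, the document bytes are a constructed sample, and the final check shows step 6 failing when one bit of the document is changed after signing.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// signDocument is the sender's side (steps 1-3): hash the document and encrypt
// (sign) the hash with the private key; the result is attached to the document.
func signDocument(priv *rsa.PrivateKey, doc []byte) ([]byte, error) {
	digest := sha256.Sum256(doc)
	return rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
}

// verifyDocument is the receiver's side (steps 4-6): re-hash what arrived, recover
// the sender's hash with the public key, and accept only if the two hashes agree.
func verifyDocument(pub *rsa.PublicKey, doc, sig []byte) bool {
	digest := sha256.Sum256(doc)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) == nil
}

// demo runs the exchange on a constructed sample document and reports whether
// the untouched copy verifies and whether a copy altered after signing verifies.
func demo() (intact, tamperedOK bool, err error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048) // sender's key pair
	if err != nil {
		return false, false, err
	}
	doc := []byte("setup.msi build 1.0 (constructed sample payload)")
	sig, err := signDocument(priv, doc)
	if err != nil {
		return false, false, err
	}
	intact = verifyDocument(&priv.PublicKey, doc, sig)
	tampered := append([]byte(nil), doc...)
	tampered[0] ^= 0x01 // flip one bit of the document after it was signed
	tamperedOK = verifyDocument(&priv.PublicKey, tampered, sig)
	return intact, tamperedOK, nil
}

func main() {
	intact, tamperedOK, err := demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("original verifies: %v, tampered copy verifies: %v\n", intact, tamperedOK)
}
```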


Digital Certificates
• A digital certificate:
• Is a set of data containing the information required to establish the identity
of an individual or an organization
• Ensures that the public key in the certificate belongs to the person to whom
the certificate is issued
• Is issued by a Certification Authority
• Encloses the following information:
• Serial number of the digital certificate
• Public key of the owner
• Name of the owner
• Name of the certification authority that issued the certificate
• Digital signature of the certification authority
• Expiry date of the digital certificate


Microsoft Passport Services


• The Microsoft Passport service:
• Is used for authentication
• Provides a single sign-in technology for various Web sites
• Allows users to log on to the Passport Data Center to gain access to all
Passport-enabled Web sites
• Provides the following benefits to organizations that sign up with it:
• Easy access to the Web site
• Fewer resources needed to create an authentication system
• Privacy of an organization's customer data
• Increased customer loyalty


Working of Passport Authentication


• Passport authentication:
• Is single sign-in authentication using Microsoft Passport services.
• Transmits user credentials over a Secure Sockets Layer (SSL)
connection.
• SSL is a secure transport-layer protocol that provides secure
transmission of data over the Internet.
• Is based on forms.
• When a user wants access to a protected Web site that implements Passport
authentication, the Web server checks whether the user has a valid Passport.
• Authentication information is incorporated in the query string of the redirect
message.
• As an alternative to redirecting the user to the Passport Data Center, another
method called in-line signing can be implemented.


Implementing Passport Authentication


• To implement Passport authentication in ASP.NET applications, you need to
install the Passport Software Development Kit (SDK).
• The common method to deploy the Passport authentication service in an ASP.NET
application is as follows:
• Register the application with the Microsoft Passport service by paying a
licensing fee to Microsoft.
• Install and configure the Passport SDK after downloading it from the
Microsoft site.
• In the application configuration file, set up Passport as the authentication
mode using the following code:
<authentication mode="Passport">
</authentication>
• Test your site using a Preproduction Passport account.


From the Expert’s Desk


• This section will introduce the following:
• Best practices for implementing security in Web applications
• FAQs


Best Practices
Implementing Security in Web Applications
• To improve the security of your Web applications:
• Use the NTFS file system in place of FAT32.
• If there are several applications running on a server and many configuration
options need to be shared between them:
• Place the shared configuration settings in machine.config and any
application-specific settings in the individual web.config files.
• While distributing your application:
• Distribute only the .msi file and not the setup.exe file.


FAQs
• How does IIS support an "anonymous user"?

• An "anonymous user" is one who has no authentication credentials. In this
scenario, the server on which IIS is running has an extra Windows user
defined on it, with the user name IUSR_<machinename>. This user
account is typically defined with very restricted access rights. When IIS
gets a request from an unknown user, IIS turns around and makes the
request to Windows using the credentials assigned to
IUSR_<machinename>. That is, IIS impersonates the anonymous user
for the purpose of accessing the resource.


FAQs (Contd.)
• Does IIS support the Web-standard basic authentication model?

• Yes, IIS supports the Web-standard basic authentication model. In
this model, users without credentials are prompted to supply a user
name and password. These are returned to IIS, where they become
available to the application. Basic authentication provides a useful
way to provide restricted access in a public Web application. However,
because the user passes the user name and password to IIS as clear
text, it is not secure.


FAQs (Contd.)
• Does ASP.NET protect configuration files from outside access?

• Yes. ASP.NET protects configuration files from outside access by configuring
Internet Information Services (IIS) to prevent direct browser access to
configuration files. HTTP error 403 (Forbidden) is returned to any
browser attempting to request a configuration file directly.

• How does ASP.NET apply new configuration settings to affected Web
resources?

• ASP.NET detects changes to configuration files and automatically applies the
new configuration settings to the Web resources affected by the changes. The
server does not have to be restarted for the changes to take effect.
Hierarchical configuration settings are automatically recalculated and
recached whenever a configuration file in the hierarchy is changed. The
<processModel> section is an exception.


FAQs (Contd.)
• What are the advantages of configuration files?

• There are several advantages of using configuration files. Configuration
files provide a single reference point for configuration, and configuration
options are cached and loaded quickly. Additionally, some options
available within configuration files are not available within the
application. For example, compilation options are available in
configuration files only.


Challenge
1. You create an ASP.NET application for tracking the projects at Neo Solutions Inc., a
solution-provider firm. You use Microsoft Windows authentication for securing the
Web application.
Project Managers working on the different projects are members of a group
named Managers, and Project Executives are members of a group named
Executives.
The root folder for the Web application is named Projects. The Projects folder
displays information about the different projects being developed at Neo Solutions
Inc. The Projects folder has a subfolder named Budget. Both the Managers and
the Executives can access pages in Projects, whereas only Managers can access
pages in the Budget folder. You create the following entries in the Web.config file
for the Projects folder (line numbers in the code snippet have been included for
reference only).


Challenge (Contd.)
1 <authentication mode="Windows" />
2 <authorization>
3 <allow roles="Executives, Managers" />
4 <deny users="*" />
5 </authorization>
You create the following entries in the Web.config file for the Budget folder.
(Line numbers in the code snippet have been included for reference only.)
1 <authentication mode="Windows" />
2 <authorization>
3 <allow roles="Executives, Managers" />
4 <deny users="*" />
5 </authorization>


Challenge (Contd.)
When Managers try to access pages in the Budget folder, they receive an error
message that reads in part:
“An error occurred during the processing of a configuration file required to
service this request.”
You need to ensure that Managers can access pages in the Budget folder. What
should you do to solve this error?
a. Remove line 1 in the Web.config file in Budget.
b. Modify line 4 in the Web.config file in Budget as follows:
<allow users="*" />
c. Add the following line between line 1 and line 2 in the Web.config file in
Projects:
<identity impersonate="true" />
d. Add the following line between line 1 and line 2 in the Web.config file in
Budget:
<identity impersonate="true" />


Challenge (Contd.)
e. Add the following line between line 1 and line 2 in the Web.config file in
Budget:
<identity impersonate="false" />


Solutions
1. a. Remove line 1 in the Web.config file in Budget.
