Transcript
Page 1: Security for Developers: Protecting Application Data. Steven Borg & Richard Hundhausen, Accentient, Inc.
Page 2: Security for Developers: Protecting Application Data

Steven Borg & Richard Hundhausen, Accentient, Inc.

Page 3: Agenda

- Overview
- Storing Private Data: User Passwords, Connection Strings, Local Resources, Isolated Storage
- Database Security: SQL Server 2005 Security
- Wrap Up

Page 4: Agenda

Page 5: Protect Secrets & Offline Data

One-way hash functions
- Easy to compute, practically impossible to reverse
- You cannot recover the source data from just its hash value!
- Best for: storing user passwords or other data where comparing hash values is sufficient

Strong encryption algorithms
- Ciphertext can be decrypted only if you know the encryption key
- Best for: protecting stored or transmitted data

Page 6: Which Technique Should I Use?

Table: I want to… / Recommendation / Advantages / Limitations

Store a user password securely
- Recommendation: Salt + SHA1 (one-way hash). Prepend a random salt to the password before hashing.
- Advantages: No keys to manage.
- Limitations: Identical input yields identical hash values. Must store the salt.

Protect local user data
- Recommendation: DPAPI (encryption using keys derived from user credentials).
- Advantages: DPAPI manages keys on behalf of the application.
- Limitations: Data can't be decrypted by other users, or on other machines.

Encrypt data that will need to be decrypted later
- Recommendation: Symmetric encryption algorithms (e.g. Rijndael).
- Advantages: Flexible: data can be decrypted by other apps / machines.
- Limitations: Application must manage keys and transmit them securely.

Page 7: Agenda

Page 8: Securing Data: User Passwords

Goal: keep user passwords safe, but usable

Recommendation: Hash(Salt + Password)

Storing a password:
1. Create a unique "salt" for the user
2. Prepend the salt to the password string
3. Hash the result using SHA1 / MD5
4. Store both the salt and the hash

To verify, re-hash with the stored salt and the supplied password, and compare the result with the stored hash.

Page 9: Storing Login Passwords

Table: Format / Comments
- Plaintext passwords: exposes the entire application if the database is compromised
- Encrypted passwords: better than plaintext, but still vulnerable if the decryption key is compromised
- 1-way password hashes: better than encrypted passwords, but still vulnerable to dictionary attacks
- Salted password hashes: less vulnerable to dictionary attacks

Don't store passwords in login databases. Store password hashes for added security. Salt the hashes to impede dictionary attacks.

Page 10: Generate a Hash using FormsAuthentication

Generating Password Hashes

string hash = FormsAuthentication.HashPasswordForStoringInConfigFile(password, "SHA1");

Page 11: Generate a Hash using FormsAuthentication (continued)

Generating Password Hashes

string hash = FormsAuthentication.HashPasswordForStoringInConfigFile(password, "SHA1");

// create a stronger hash for more security
byte[] myHash = new SHA256Managed().ComputeHash(data);

NO! Use SHA-256 for more security
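The Hash(Salt + Password) recipe from pages 8 to 11 carried through as an added example, not code from the slides: a per-user random salt, SHA-256 over salt || password as the "NO! Use SHA-256" callout advises, and a verify step that compares without an early exit. The class and method names are assumptions.

```csharp
// Added example (not from the slides): salted SHA-256 password storage and verification.
using System;
using System.Security.Cryptography;
using System.Text;

public static class PasswordHasher
{
    private const int SaltSize = 16; // 128-bit random salt, unique per user

    // Step 1: create a unique salt for the user from a cryptographic RNG.
    public static byte[] CreateSalt()
    {
        byte[] salt = new byte[SaltSize];
        new RNGCryptoServiceProvider().GetBytes(salt);
        return salt;
    }

    // Steps 2 and 3: prepend the salt to the password bytes and hash the result.
    public static byte[] ComputeHash(byte[] salt, string password)
    {
        byte[] pwd = Encoding.UTF8.GetBytes(password);
        byte[] input = new byte[salt.Length + pwd.Length];
        Buffer.BlockCopy(salt, 0, input, 0, salt.Length);
        Buffer.BlockCopy(pwd, 0, input, salt.Length, pwd.Length);
        SHA256 sha = new SHA256Managed();
        return sha.ComputeHash(input);
    }

    // Step 4: what goes into the login database is the salt plus the hash
    // (Base64, colon-separated, so it fits a single text column).
    public static string CreateStoredRecord(string password)
    {
        byte[] salt = CreateSalt();
        byte[] hash = ComputeHash(salt, password);
        return Convert.ToBase64String(salt) + ":" + Convert.ToBase64String(hash);
    }

    // Verification: re-hash with the stored salt and compare every byte,
    // so the time taken does not reveal how many leading bytes matched.
    public static bool Verify(string storedRecord, string password)
    {
        string[] parts = storedRecord.Split(':');
        if (parts.Length != 2) return false;
        byte[] salt = Convert.FromBase64String(parts[0]);
        byte[] expected = Convert.FromBase64String(parts[1]);
        byte[] actual = ComputeHash(salt, password);
        if (expected.Length != actual.Length) return false;
        int diff = 0;
        for (int i = 0; i < expected.Length; i++) diff |= expected[i] ^ actual[i];
        return diff == 0;
    }
}
```

A single SHA-256 round is fast for an attacker too; a deliberately slow derivation such as PBKDF2 (Rfc2898DeriveBytes, available from .NET 2.0) in place of ComputeHash makes dictionary attacks far more expensive than salting alone.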

Page 12: Securing Data: Connection Strings

- Storing plaintext database connection strings in Web.config is risky: vulnerable to file disclosure attacks
- Storing encrypted database connection strings increases security
- Encrypting connection strings is easy: System.Security.Cryptography classes
- Key management is not: where do you store the decryption key?

Page 13: Data Protection API (DPAPI)

Extends CryptoAPI
- Key is derived from current user credentials
- Uses TripleDES encryption

Supports entropy
- Additional secret used to secure the data to a single application

Best for:
- Protecting offline data
- Protecting user-specific configuration data

Diagram: the application (DataProtection.vb) calls CryptoAPI (Crypt32.dll), which forwards DPAPI requests over local RPC calls to the Local Security Authority (LSA) in the operating system. Plaintext data ("Now is the time for all good…") goes in and ciphertext ("qANQR1DBAsUHIsQEA…") comes out; decryption runs the same path in reverse.

Page 14: Data Protection API (DPAPI)

- Present in Windows 2000 and higher
- Provides strong encryption, automatic key generation, and secure key storage
- Triple-DES encryption
- PKCS #5 key generation
- Two "stores":
  - User store: per-user keys based on profiles
  - Machine store: per-machine keys with optional entropy values

Page 15: Building a DPAPI Library

- .NET FCL 1.x doesn't wrap DPAPI
- See "How to Create a DPAPI Library" for instructions on creating your own library
- Or download from http://blog.accentient.com
- Managed wrapper around DPAPI: handles interop and marshaling for you
- Features a DataProtector class with simple methods named Encrypt and Decrypt
- Supports the machine store and user stores

Page 16: Securing Connection Strings

Table: Description / Security
- Store encrypted connection strings in Web.config; store the key in an ACLed registry entry: Good
- Store encrypted connection strings in Web.config; let DPAPI perform key management: Better
- Store encrypted connection strings in an ACLed registry key; let DPAPI perform key management: Better
- Store encrypted connection strings in an ACLed registry key; let DPAPI perform key management; use entropy values to harden DPAPI encryption; store the entropy values in an ACLed registry key: Best

Page 17: Encrypting Connection Strings

Web.config:

<configuration>
  <appSettings>
    <add key="ConnectionString" value="AQNCMnd8BFdERjHoAwE/Cl+sBAAAA..." />
  </appSettings>
</configuration>

Page:

DataProtector dp = new DataProtector(DataProtector.Store.USE_MACHINE_STORE);
string val = ConfigurationSettings.AppSettings["ConnectionString"];
byte[] data = Convert.FromBase64String(val);
string connect = Encoding.ASCII.GetString(dp.Decrypt(data, null));

Page 18: Encrypting and ACLing Connection Strings

Page:

DataProtector dp = new DataProtector(DataProtector.Store.USE_MACHINE_STORE);
RegistryKey key = Registry.LocalMachine.OpenSubKey("SOFTWARE\\MyWebApp");
string val = (string) key.GetValue("ConnectionString");
byte[] data = Convert.FromBase64String(val);
string connect = Encoding.ASCII.GetString(dp.Decrypt(data, null));

Registry key ACL: Admins: Full; SYSTEM: Full; ASP.NET: Read
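The "Best" row of the Securing Connection Strings table (pages 16 to 18) as an added example, not the slides' DataProtector wrapper: it uses System.Security.Cryptography.ProtectedData, the DPAPI wrapper that ships in .NET 2.0 (reference System.Security.dll), with the machine store plus a random entropy value, both stored under the slides' SOFTWARE\MyWebApp key. The value names, the Protect/Unprotect split between an installer and the web app, and the UTF-8 encoding are assumptions; the key's ACL (Admins and SYSTEM: Full, ASP.NET: Read) is assumed to be set by the installer.

```csharp
// Added example (not from the slides): DPAPI machine store + entropy, both in an ACLed registry key.
using System;
using System.Security.Cryptography;
using System.Text;
using Microsoft.Win32;

public static class ConnectionStringStore
{
    private const string KeyPath = @"SOFTWARE\MyWebApp";        // from the slides
    private const string CipherValue = "ConnectionString";      // Base64 DPAPI blob (assumed name)
    private const string EntropyValue = "Entropy";              // Base64 secondary secret (assumed name)

    // One-time setup, run by an installer or admin tool with write access to the key:
    // generate random entropy, protect the connection string with the machine store
    // and that entropy, and write both values to the registry. DPAPI derives and
    // stores the actual key; the application never sees it.
    public static void Protect(string connectionString)
    {
        byte[] entropy = new byte[32];
        new RNGCryptoServiceProvider().GetBytes(entropy);
        byte[] cipher = ProtectedData.Protect(
            Encoding.UTF8.GetBytes(connectionString), entropy, DataProtectionScope.LocalMachine);
        using (RegistryKey key = Registry.LocalMachine.CreateSubKey(KeyPath))
        {
            key.SetValue(CipherValue, Convert.ToBase64String(cipher), RegistryValueKind.String);
            key.SetValue(EntropyValue, Convert.ToBase64String(entropy), RegistryValueKind.String);
        }
    }

    // Runtime path for the ASP.NET worker process, which only needs Read on the key.
    // Another process on the same machine cannot decrypt the blob without the entropy,
    // and the ACL keeps the entropy away from accounts other than the web app's.
    public static string Unprotect()
    {
        using (RegistryKey key = Registry.LocalMachine.OpenSubKey(KeyPath, false))
        {
            if (key == null) throw new InvalidOperationException("Registry key " + KeyPath + " is missing");
            byte[] cipher = Convert.FromBase64String((string)key.GetValue(CipherValue));
            byte[] entropy = Convert.FromBase64String((string)key.GetValue(EntropyValue));
            byte[] plain = ProtectedData.Unprotect(cipher, entropy, DataProtectionScope.LocalMachine);
            try
            {
                return Encoding.UTF8.GetString(plain);
            }
            finally
            {
                Array.Clear(plain, 0, plain.Length); // scrub the byte copy of the plaintext
            }
        }
    }
}
```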

Page 19: Securing a Connection String

Page 20: Securing Data: Local Resources

What is a local resource?
- Files and file system
- Registry information
- User interface elements
- Clipboard
- Network access (e.g. Web, sockets)
- Performance counters, event logs
- Printing, and more

Windows controls access using ACLs; .NET controls access with Code Access Security

Page 21: Code Access Security

- Provides fine-grained access control to resources
- Applications can run with "just enough" permissions. For example: applications which don't perform any file IO run without FileIOPermission
- Grants access to resources based on the identity of the code, not the user
- Uses evidence to determine code identity
- Uses policy to evaluate the evidence and determine which permissions will be granted to the application

Page 22: Evidence + Policy = Permissions

Diagram (flow):
1. Load assembly
2. Gather evidence: hash, strong name, publisher, zone, URL
3. Evaluate policy at each level: Enterprise, Machine, User, AppDomain
4. Grant permission sets (yielding permissions)
5. Assembly performs a privileged operation, which demands a permission
6. Permission granted? Yes: continue with the privileged operation (or access the resource). No: throw SecurityException.
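The "just enough permissions" idea from pages 21 and 22 as an added example, not code from the slides: a FileIOPermission stack modifier limits the current frame to reading one folder, so the Demand that FileStream raises for any other path fails the stack walk and surfaces as the SecurityException shown in the diagram. This is the .NET Framework 1.x/2.0 CAS model the slides describe (.NET Core and later have no CAS); the class, method and folder arguments are assumptions, and paths must be absolute.

```csharp
// Added example (not from the slides): restricting a code path to "just enough" file access with CAS.
using System;
using System.IO;
using System.Security;
using System.Security.Permissions;

public static class LeastPrivilegeDemo
{
    // Returns true if the file was read, false if Code Access Security blocked the read
    // because fileToRead lies outside allowedFolder. Other I/O errors propagate.
    public static bool TryReadWithinSandbox(string allowedFolder, string fileToRead)
    {
        // Permit only read access beneath allowedFolder for this frame and everything it calls.
        FileIOPermission perm = new FileIOPermission(FileIOPermissionAccess.Read, allowedFolder);
        perm.PermitOnly();
        try
        {
            // FileStream's constructor demands FileIOPermission(Read) for fileToRead. The CLR
            // walks the stack, reaches this frame's PermitOnly, and throws if the path is not covered.
            using (StreamReader reader = new StreamReader(fileToRead))
            {
                reader.ReadLine();
            }
            return true;
        }
        catch (SecurityException)
        {
            // The "No" branch of the diagram: the demand was not satisfied by the grant.
            return false;
        }
        finally
        {
            CodeAccessPermission.RevertPermitOnly();
        }
    }
}
```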

Page 23: Agenda

Page 24: Isolated Storage

- Provides a virtual file system
- Allows quotas
- Implements file system isolation based on: application identity, user identity

IsolatedStorageFile isoStore = IsolatedStorageFile.GetUserStoreForAssembly();

Page 25: Isolated Storage

Apps often need to write some data locally, and, perhaps, even leave it there

What should we use?
- Registry? No.
- File system? Maybe for documents.
- Isolated storage? Yes!

Isolated Storage allows a trusted assembly to store data on a client machine
- Standard file IO operations are not used
- Permission to access the local file system is not required

Page 26: Isolated Storage

A virtual file system
- May have its own folder structure
- Files may have data of almost any kind

Data is kept in a "Store"
- Stores are isolated by scope: can be by assembly, domain, user…
- Size may be limited by setting a quota

Physical location is managed by the system and depends on the OS, but typically:
- Documents and Settings or Profiles etc. folders
- If you have roaming profiles, Isolated Storage will roam with the user to each computer they access

Page 27: Isolated Storage Practices

Use isolated storage to store:
- User settings
- Data caches
- Queued information waiting for a connection to submit to a web service

Do not use isolated storage for:
- User documents that they may need to find with Windows Explorer
- Secret information. Isolated storage is not encrypted, so don't store plaintext passwords.
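The user-settings use from pages 24 to 27 as an added example, not code from the slides: a settings cache in the user + assembly scoped store, which needs IsolatedStoragePermission rather than FileIOPermission, with the quota failure surfaced as a return value instead of an unhandled exception. The class, file name and method names are assumptions; per page 27 only non-secret settings belong here.

```csharp
// Added example (not from the slides): a non-secret settings cache in Isolated Storage.
using System;
using System.IO;
using System.IO.IsolatedStorage;

public static class SettingsCache
{
    private const string FileName = "settings.txt"; // assumed name, lives inside the store

    // Writes the settings text. Returns false when the store rejects the write,
    // which is what happens when the quota set by policy would be exceeded.
    public static bool Save(string contents)
    {
        using (IsolatedStorageFile isoStore = IsolatedStorageFile.GetUserStoreForAssembly())
        {
            try
            {
                using (IsolatedStorageFileStream stream = new IsolatedStorageFileStream(
                           FileName, FileMode.Create, FileAccess.Write, isoStore))
                using (StreamWriter writer = new StreamWriter(stream))
                {
                    writer.Write(contents);
                }
                return true;
            }
            catch (IsolatedStorageException)
            {
                return false; // quota exceeded or store unavailable
            }
        }
    }

    // Reads the settings text back, or returns null if nothing has been saved yet.
    public static string Load()
    {
        using (IsolatedStorageFile isoStore = IsolatedStorageFile.GetUserStoreForAssembly())
        {
            if (isoStore.GetFileNames(FileName).Length == 0) return null;
            using (IsolatedStorageFileStream stream = new IsolatedStorageFileStream(
                       FileName, FileMode.Open, FileAccess.Read, isoStore))
            using (StreamReader reader = new StreamReader(stream))
            {
                return reader.ReadToEnd();
            }
        }
    }
}
```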

Page 28: Isolated Storage

Page 29: Agenda

Page 30: Secure the Database

- Use the least-privileged account possible to connect to the database
- Limit access privileges to stored procedures only
- If stored procedures can't be used, use type-safe parameters to construct commands
- Protect connection strings as secrets
- Encrypt sensitive data to be retrieved from the database using strong symmetric encryption
- Then, encrypt the symmetric encryption keys with DPAPI, and store these in a restricted registry key

Page 31: Tip: Different Logins by Task

"sa" (or equivalent domain account)
- Database server administrator
- Used to create the database only

"dbo"
- Owner (dbo) for the application database
- Used for application development only: modify schema, create stored procedures

"IVUser"
- Locked-down account
- Used by middle-tier components to access the stored procedures
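The middle-tier data access that pages 30 and 31 describe as an added example, not code from the slides: the connection is made as the locked-down IVUser login, the only object it can execute is a stored procedure, and the argument travels as a typed SqlParameter rather than as SQL text. The stored procedure name, its parameter, the class name and the connection string are assumptions; the connection string itself would come from the DPAPI-protected store on pages 16 to 18.

```csharp
// Added example (not from the slides): stored-procedure access as the least-privileged login.
using System.Data;
using System.Data.SqlClient;

public static class CustomerRepository
{
    // The pattern page 30 warns against: the caller's input becomes part of the SQL text,
    // so any quote characters in it change the statement the server parses.
    public static string BuildQueryByConcatenation(string customerName)
    {
        return "SELECT * FROM Customers WHERE Name = '" + customerName + "'";
    }

    // The recommended pattern: IVUser is granted EXECUTE on dbo.usp_FindCustomerByName
    // (assumed name) and nothing else; the name is bound as a typed parameter, so the
    // server never parses it as SQL regardless of its contents.
    public static DataTable FindCustomer(string ivUserConnectionString, string customerName)
    {
        DataTable result = new DataTable();
        using (SqlConnection conn = new SqlConnection(ivUserConnectionString))
        using (SqlCommand cmd = new SqlCommand("dbo.usp_FindCustomerByName", conn))
        {
            cmd.CommandType = CommandType.StoredProcedure;
            SqlParameter nameParam = cmd.Parameters.Add("@Name", SqlDbType.NVarChar, 50);
            nameParam.Value = customerName;
            using (SqlDataAdapter adapter = new SqlDataAdapter(cmd))
            {
                adapter.Fill(result); // opens and closes the connection itself
            }
        }
        return result;
    }
}
```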

Page 32: SQL Server 2005 Security

Many security improvements:
- User passwords
- Key management
- Encryption / decryption
- Schemas

Page 33: User Passwords

- User passwords can be forced to abide by the Active Directory password strength rules

Page 34: Key management

Encryption keys can be stored in the database:
- symmetric keys
- asymmetric keys

Encryption keys are used for:
- data encryption: symmetric keys
- validation of unsafe assemblies: asymmetric keys

A MASTER KEY must be defined before symmetric keys; it is used to encrypt the other symmetric keys

Page 35: Encryption and decryption

SQL Server 2005 improves encryption and decryption:
- can encrypt by certificate
- can encrypt by key
- can encrypt by pass phrase

Encryption can be used to secure column values, e.g. credit card numbers

Page 36: Schemas

SQL Server 2005 allows multiple schemas in a database
- schemas exist independent of users
- The schema name can be substituted for the user name in object names: this eases database management when personnel change
- Objects in a schema cannot be "inventoried" by public: names are not exposed, which prevents a typical step in a compromise

Page 37: Create schema with name

CREATE SCHEMA name creates a schema
- it has a name that is stored in sys.schemas
- like other DDL, permission is required to use it
- Example: Research.Scientist

Like other objects, a schema has an owner (AUTHORIZATION)
- the owner can be a user, role, or approle

Page 38: SQL Server permissions

Users that are not the schema owner must have permissions
- permissions are granted to a user, role, or approle
- can use the GRANT, REVOKE, DENY DDL verbs

Permission can be granted to use DDL: CREATE, GRANT with GRANT option

Permissions can be granted on objects directly: SELECT, INSERT, UPDATE, DELETE

Permissions can be granted to code that accesses objects

Page 39: SQL Server 2005 Security

Page 40: Agenda

Page 41: Wrap Up

- Hash passwords for storage
- Don't be afraid of DPAPI: NCrypto from SourceForge
- Use ACLs to control access to local resources
- Use Isolated Storage for partially trusted code (i.e., Web), for user convenience and light security
- Use database security best practices

Page 42: Resources

Steve’s Blog: http://blog.accentient.com

Rich’s Blog: http://blog.hundhausen.com

Security Book / Wiki: http://www.winsecguide.net

DPAPI: http://sourceforge.net/projects/ncrypto/

SQL Server 2005: http://www.microsoft.com/sql/2005/default.asp

Page 43: Your Feedback is Important!

Please fill out a survey for this session on CommNet

Page 44: © 2005 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.