Using client certificates in .NET part 1: introduction

January 11, 2016 1 Comment

Introduction

Digital certificates play a crucial role in web security. If you work as a web developer then you’ve probably come across at least some security related project where you had to deal with certificates in code.

Certificates come in a couple of different versions depending on their function, the most pervasive of which probably being server side ones for SSL connections. We’ve gone through server side certificates in some detail before on this blog starting here. In this series we’ll concentrate on client certificates and see what role they can play in web security. Most of the material on server side certificates, especially the first 2 posts are also relevant for this discussion.

It’s important to note already now that you can combine a number of security levels and solutions in your projects:

  • You can have the traditional forms based authentication. You can read about it on this blog here and here.
  • Custom authentication. Here‘s a series dedicated to custom auth in Web API 2 as an OWIN/Katana component
  • Server-side certificates, see the reference above
  • Client-side certificates, to be discussed in this series
  • Various techniques related to cryptography, such as asymmetric encryption. You can check out the section called “Security and cryptography” on this page for inspiration.

…and there are probably many more options not listed here. The point is that these techniques can be combined, you are not restricted to just using one of them.

Read more of this post

Filed under .NET, Security Tagged with , , , , ,

Wiring up a custom authentication method with OWIN in Web API Part 5: abstracting away the auth logic

November 30, 2015 2 Comments

Introduction

In the previous post we built the necessary OWIN components for our custom authentication logic: the middleware and the extension method that’s attached to the IAppBuilder object. We also diverged a little and discussed how to use the Use extension method to inject the necessary objects into the constructor of the middleware class.

In this post we’ll extend PinAuthenticationHandler so that the actual authentication logic can be easily changed.

Read more of this post

Filed under .NET, Security Tagged with , , , ,

Wiring up a custom authentication method with OWIN in Web API Part 4: putting the components to work

November 26, 2015 1 Comment

Introduction

In the previous post we built two important components around the custom authentication logic. First off, we wrote a very simple implementation of the abstract AuthenticationOptions class where we only declared the name of the authentication mode. You can anyway add any extra property and overloaded constructors as you wish to this class. Then we built the custom authentication handler, i.e. PinAuthenticationHandler which derives from the abstract AuthenticationHandler class.

In this post we’ll add a couple more components specifically to add our authentication handler to the OWIN chain. We’ll also test the authentication logic.

Read more of this post

Filed under .NET, Security Tagged with , , , ,

Wiring up a custom authentication method with OWIN in Web API Part 3: the components

November 23, 2015 Leave a comment

Introduction

In the previous post we looked at HTTP headers in code. We saw how to collect the headers from a request and a response and how to check for the presence of a certain header type. We also built a simple tester C# console application that sends a web request to our Web API controller and sets the necessary custom authentication header.

In this post we’ll start building the components necessary for the OWIN middleware.

Read more of this post

Filed under .NET, Security Tagged with , , , ,

Wiring up a custom authentication method with OWIN in Web API Part 2: the headers

November 19, 2015 1 Comment

Introduction

In the previous post we discussed the main topic of this series and started building a demo application with a single Customers controller. The goal of this series is to show how to register your custom authentication mechanism with OWIN as a Katana component.

In this post we’ll be concentrating on the request headers. We’ll also see a couple of functions that will later be part of the OWIN middleware when we’re ready to convert the code.

Read more of this post

Filed under .NET, Security Tagged with , , , ,

Wiring up a custom authentication method with OWIN in Web API Part 1: preparation

November 16, 2015 2 Comments

Introduction

There are a number of authentication types for a web project: basic -i.e. with username and password -, or token-based or claims-based authentication and various others. You can also have some custom authentication type that your project requires.

In this short series we’ll go through how to wire up a custom authentication method in a Web API project. We’ll see the classes that are required for such an infrastructure. We’ll also discuss how to wire up these elements so that the custom authentication mechanism is executed as part of the chain of Katana components.

Read more of this post

Filed under .NET, Security Tagged with , , ,

Encrypt and decrypt plain string with triple DES in C#

October 23, 2015 5 Comments

We looked at encryption mechanisms in details on this blog – refer to the link at the end of this post. This is only a quick extension showing how to encrypt a plain string using Triple DES.

Consider the following method which encrypts a plain string with a key a cipher mode ECB:

Read more of this post

Filed under .NET, Security Tagged with , ,

Handling claims transformation in an OWIN middleware in .NET MVC part 4

October 19, 2015 Leave a comment

Introduction

In the previous post we turned our claims transformation code into OWIN middleware. We went through the process of creating a component – the ClaimsTransformationComponent – and registering it with OWIN in Startup.cs. We set the current claims principal in our component which is then available within the controllers.

In this post which finishes this series we’ll diverge a little from our main topic and take a look at how we can add dependencies to an OWIN component.

Read more of this post

Filed under .NET, Security Tagged with , , ,

Handling claims transformation in an OWIN middleware in .NET MVC part 3

October 15, 2015 3 Comments

Introduction

In the previous post we built upon our MVC claims transformation demo. Specifically we saw how to take the incoming claims and add a couple of custom ones by pretending that we query some data store. We wired up all the demo code in the HomeController.

The goal of this closing post is to reorganise the claims-related code into OWIN middleware.

Read more of this post

Filed under .NET, Security Tagged with , , ,

Handling claims transformation in an OWIN middleware in .NET MVC part 2

October 12, 2015 2 Comments

Introduction

In the previous post we laid the foundations for this short series. We went through a refresher of claims and OWIN and started building a simple ASP.NET MVC web project to investigate what’s available about the user of the current thread in a controller. We saw that by default the only claim available about a user might be their name, unless they are anonymous of course.

In this post we’ll continue to explore claims of authenticated users.

Read more of this post

Filed under .NET, Security Tagged with , , ,

Older posts

Newer posts

Elliot Balynn's Blog

A directory of wonderful thoughts

Software Engineering

Web development

Disparate Opinions

Various tidbits

chsakell's Blog

WEB APPLICATION DEVELOPMENT TUTORIALS WITH OPEN-SOURCE PROJECTS

Once Upon a Camayoc

ARCHIVED: Bite-size insight on Cyber Security for the not too technical.