Chris’s Top Ten Security Tips
Chris Seary, CISSP, MVP

Me
– Securing large enterprise applications
– Developer
– ISO 27001 Lead Auditor
10. What is an X509 certificate?

Public/private key encryption: Message -> Encrypt (public key) -> Jhbsx^8 -> Decrypt (private key) -> Message
Usually includes encryption of symmetric key!
10. What is an X509 certificate?

Certificate: subject name, serial number, issuer, public key, CA signature, attribute 1, attribute 2, attribute 3, ...
Certificate store: holds the certificate together with its private key
Private key is the essential component!
10. What is an X509 certificate?

Certificate stores:
Local machine – certificates used by system (demo uses Network Service)
Current user – logged on user
Permissions have to be granted for other users to access private keys
9. What is a PKI?

Brad and Jennifer:
Jennifer obtains Brad’s public key
Jennifer encrypts message with Brad’s public key: Kvhdxa6e6t4g
Message sent
Brad decrypts with Brad’s private key: Message stuff
9. What is a PKI?

Angelina – man in the middle attack:
Angelina substitutes Angelina’s public key for Brad’s
Jennifer encrypts message with Angelina’s public key, believing it to be Brad’s: Gvvwh336fwd
Sends message
Angelina decrypts message with Angelina’s private key: Message stuff
Angelina changes message: Message new
Angelina encrypts using Brad’s public key: Hjbsxa687svscv
Sends message
Brad decrypts using his private key: Message new
9. What is a PKI?

Adding a CA:
CA digitally signs Brad’s public key
CA cert placed in cert store – Brad and Jennifer both trust the CA
Jennifer checks signature on cert against CA cert public key
Definitely Brad!
8. Best way to implement cryptography

Don’t write your own algorithm
Use policy where possible
– WS-Security
Use configuration where possible
– IIS and SSL
Use simple APIs that perform crypto in one step
– CAPICOM
– Enterprise libraries
7. How do we store secrets?

Encryption!
But……
How do we store the encryption key?

7. How do we store secrets?

DPAPI
– Get from nugget
6. What’s the one hop problem?

I can authenticate to the web server
I can’t authenticate to the database on another server
Webserver -> SQL
6. What’s the one hop problem?

Username/password at the web server: NTLM auth from the web server to SQL
Digest or AD cert mapping at the web server: null session from the web server to SQL
Protocol transition
– Kerberos
– Protocol transition
6. What’s the one hop problem? Solution!

Webserver -> SQL
Any IIS authentication method at the web server: Basic, certs, Digest
Kerberos auth from the web server to SQL
Patterns and Practices ‘Web Service Security: Scenarios, Patterns and Implementation Guidance for Web Services Enhancements (WSE) 3.0’
– From MSDN
5. ACL, DACL and SACL – wossat?
4. Validation, validation, validation

CICO – Crap In Crap Out

4. Validation, validation, validation

White list validation
– Check for what you will allow
Regex
– Many functions available on net
Replace bad input
– Escape characters
HTMLEncode output
– Not a cure, but a patch
Negotiate acceptable input with business when gathering requirements
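The white list, replace-bad-input and HTMLEncode points above, as an added Go example that is not from the deck. The customer-reference and display-name rules are constructed stand-ins for whatever is negotiated with the business; the function names are the example’s own.

```go
package main

import (
	"errors"
	"html"
	"regexp"
)

// Whitelist rules of the kind agreed with the business when gathering requirements
// (constructed for this example): a customer reference is exactly three upper-case
// letters and four digits; a display name is 1-40 letters, spaces, apostrophes or hyphens.
var (
	customerRef = regexp.MustCompile(`^[A-Z]{3}[0-9]{4}$`)
	displayName = regexp.MustCompile(`^[A-Za-z][A-Za-z' -]{0,39}$`)
	notNameChar = regexp.MustCompile(`[^A-Za-z' -]`)
)

var ErrInvalid = errors.New("input rejected by whitelist")

// Validate checks for what we will allow: input that does not match the rule is
// rejected outright, not cleaned up.
func Validate(rule *regexp.Regexp, input string) (string, error) {
	if !rule.MatchString(input) {
		return "", ErrInvalid
	}
	return input, nil
}

// Sanitize is the "replace bad input" fallback for display names: it strips every
// character outside the allowed set. A patch, not a cure: the result may no longer
// mean what the user typed, and the caller must still encode it on output.
func Sanitize(input string) string {
	out := notNameChar.ReplaceAllString(input, "")
	if len(out) > 40 {
		out = out[:40] // ASCII only after filtering, so byte slicing is safe
	}
	return out
}

// Render HTML-encodes on output regardless of how the value was validated, so a
// value that is safe to store is also safe to show in a page.
func Render(label, value string) string {
	return "<p>" + html.EscapeString(label) + ": " + html.EscapeString(value) + "</p>"
}
```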
3. Warning, Will Robinson!
2. Using SQL
Run down

10. What is an X509 cert?
9. What is a PKI?
8. Best way to implement cryptography
7. How do we store secrets?
6. What’s the one hop problem?
5. ACL, DACL and SACL
4. Validation, validation, validation
3. Warning, Will Robinson!
2. Using SQL
1. Don’t develop as admin!