Understanding Security Lesson 6


Understanding Security

Lesson 6


Objective Domain Matrix

Skills/Concepts | MTA Exam Objectives
Understanding the System.Security Namespace | Understand the System.Security namespace (5.1)
Understanding Authentication and Authorization | Understand authentication and authorization (5.2)
Understanding Cryptography | Understand the System.Security namespace (5.1)
Understanding Code Access Security | Understand authentication and authorization (5.2)


Authentication

• Authentication refers to the process of obtaining credentials from a user and verifying his or her identity.
• The process of authentication validates the user’s credentials against some authority.
• When using Windows authentication, the WindowsPrincipal object represents the security context and the WindowsIdentity object has authentication information for a user.


Using Windows Authentication


Authorization

• Authorization is the process of determining whether an authenticated identity is allowed to perform a requested action.
• Authentication and authorization often work together. Applications will first use authentication to verify the user’s identity and then use the identity information to determine the actions that a user is authorized to perform.


The WindowsPrincipal.IsInRole Method

• The IsInRole method of the WindowsPrincipal object can be used to determine whether the current user is in a specific Windows group.
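The following C# program is an added example, not part of the original slides. It reads the authenticated identity from WindowsIdentity and then makes deny-by-default authorization decisions with WindowsPrincipal.IsInRole. The group name CONTOSO\PayrollAdmins and the helper names are assumptions made for illustration.

```csharp
using System;
using System.Security.Principal;

static class WindowsAuthDemo
{
    // Hypothetical group name, used only for illustration.
    const string PayrollGroup = @"CONTOSO\PayrollAdmins";

    static void Main()
    {
        // Authentication: Windows verified the credentials at logon;
        // WindowsIdentity exposes the result held in the process token.
        WindowsIdentity identity = WindowsIdentity.GetCurrent();
        Console.WriteLine("Name:            " + identity.Name);
        Console.WriteLine("Auth type:       " + identity.AuthenticationType);
        Console.WriteLine("IsAuthenticated: " + identity.IsAuthenticated);

        // Authorization: WindowsPrincipal answers group-membership questions.
        WindowsPrincipal principal = new WindowsPrincipal(identity);
        Console.WriteLine("Payroll access:  " + IsAllowed(principal, PayrollGroup));
        Console.WriteLine("Administrator:   " + IsAdministrator(principal));
    }

    // Deny by default: anonymous, guest or unauthenticated callers never pass.
    static bool IsAllowed(WindowsPrincipal principal, string group)
    {
        WindowsIdentity id = (WindowsIdentity)principal.Identity;
        if (!id.IsAuthenticated || id.IsAnonymous || id.IsGuest) return false;
        return principal.IsInRole(group);
    }

    // Checking by SID avoids depending on localized or renamed group names.
    // Under UAC this is false for a non-elevated process even when the user
    // belongs to Administrators, because the filtered token holds the group
    // as deny-only.
    static bool IsAdministrator(WindowsPrincipal principal)
    {
        SecurityIdentifier admins =
            new SecurityIdentifier(WellKnownSidType.BuiltinAdministratorsSid, null);
        return principal.IsInRole(admins);
    }
}
```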


Cryptography

• Cryptography helps protect data by:
  • Encrypting the data so that it cannot be viewed by unauthorized users.
  • Detecting whether the data has been modified.
  • Establishing the identity of the sender so you can trust that a message is actually coming from the claimed sender.


Encryption and Decryption

• One of the major goals of cryptography is to protect data by encrypting it. Encrypted data can be decrypted only by someone with a key.
• The .NET Framework provides two types of encryption algorithms:
  • Secret-key encryption
  • Public-key encryption


Secret-Key Encryption

• The sender encrypts the message before sending it across and the receiver uses the same key to decrypt the message.
• Also known as symmetric encryption because the same key is used for both encryption and decryption.
• The secret key must be protected from unauthorized use.


Secret-Key Algorithms

• The .NET Framework’s classes for secret-key encryption and decryption:
  • AesManaged
  • DESCryptoServiceProvider
  • HMACSHA1
  • RC2CryptoServiceProvider
  • RijndaelManaged
  • TripleDESCryptoServiceProvider
• AesManaged and RijndaelManaged provide the highest level of encryption.


Public-Key Encryption

• Public-key encryption protects data by using a set of two cryptographically paired keys.
  • One key is called a private key and it is known only to its owner.
  • The other key is called a public key and, as the name suggests, it can be made public to anyone.
• The private key can also be used for digital signatures.


Public-Key Algorithms

• The .NET Framework provides the following classes to implement the public-key encryption algorithms:
  • DSACryptoServiceProvider
  • RSACryptoServiceProvider
  • ECDiffieHellmanCng
  • ECDsaCng
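The following C# program is an added example, not part of the original slides. It uses RSACryptoServiceProvider to show the two key roles: encrypting with the public key and decrypting with the private key, then signing with the private key and verifying with the public key. It assumes .NET Framework 4.6 or later for the HashAlgorithmName and padding overloads, and the sample messages are constructed.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

static class PublicKeyDemo
{
    static void Main()
    {
        using (var owner = new RSACryptoServiceProvider(2048))  // full key pair
        using (var other = new RSACryptoServiceProvider())      // will hold the public key only
        {
            // ExportParameters(false) leaves out the private fields; this is
            // the part that can be handed to anyone.
            other.ImportParameters(owner.ExportParameters(false));
            Console.WriteLine("other.PublicOnly = " + other.PublicOnly);

            // Confidentiality: anyone encrypts with the public key,
            // only the private-key owner can decrypt.
            byte[] secret = Encoding.UTF8.GetBytes("constructed session secret");
            byte[] sealedBytes = other.Encrypt(secret, RSAEncryptionPadding.OaepSHA1);
            Console.WriteLine(Encoding.UTF8.GetString(
                owner.Decrypt(sealedBytes, RSAEncryptionPadding.OaepSHA1)));

            // Digital signature: the owner signs with the private key,
            // anyone verifies with the public key.
            byte[] message = Encoding.UTF8.GetBytes("constructed message to sign");
            byte[] sig = owner.SignData(message, HashAlgorithmName.SHA256,
                                        RSASignaturePadding.Pkcs1);
            Console.WriteLine("genuine:  " + Check(other, message, sig));

            message[0] ^= 0x01;  // any change to the message invalidates the signature
            Console.WriteLine("modified: " + Check(other, message, sig));
        }
    }

    static bool Check(RSA publicKey, byte[] data, byte[] signature)
    {
        return publicKey.VerifyData(data, signature, HashAlgorithmName.SHA256,
                                    RSASignaturePadding.Pkcs1);
    }
}
```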


Code Access Security

• Code access security (CAS) defines what the code running on a computer system is allowed to do.
• CAS enforces that code originating from an unknown or untrusted source runs with added protection.
• CAS helps reduce the chances that your code is misused by malicious code to perform unintended operations.


.NET Framework 4.0 Security Transparency

• Transparency is a security enforcement mechanism that separates code that can do privileged things (critical code), such as calling native code, and code that cannot (transparent code).
• Transparent code can execute commands within the bounds of the permission set it is operating in, but cannot execute, derive from, or contain critical code.


Transparency Level-2 Categories


Managing Permissions

• Permissions refer to the actions that code is allowed or not allowed to perform.
• Permission sets are predefined collections of permissions that are applied together.
• The System.Security.Permissions namespace defines the classes that specify the permissions you can apply to an assembly declaratively or programmatically.


Access Control

• Access control refers to security features that control who can access resources such as files or directories in the operating system.
• Applications call access control functions to check or set who can access specific resources.
• There are two parts to the access control model: access tokens and security descriptors.


Access Tokens and Security Descriptors

• An access token contains security identifiers that identify the user’s account. The system uses this information to identify the user when a process performs a task that requires secure privileges.
• A security descriptor identifies the object’s owner and the object’s access control list (ACL). The ACL contains information about the users allowed or denied access to the object.


Hands-On

• Use Authentication – Page 128
• Use Authorization – Page 129
• Use PrincipalPermission class to implement Authorization – Page 130
• Use Secret Key Encryption – Page 132
• Use Public Key Encryption – Page 135
• Explore Code Access Security Settings – Page 137
• Manage Permissions for Partially Trusted Code – Page 140


Antoine's Contact Info

• [email protected]
• www.ProDataMan.com
• www.FaceBook.com/ProDataMan
• www.YouTube.com/ProDataManTrains
• http://www.linkedin.com/in/antoinevictor/


Recap

• Authentication
• Authorization
• Cryptography
• Encryption and Decryption
• Secret-Key Encryption
• Public-Key Encryption
• Code Access Security
• Permissions
• Access Control