tags:

views:

289

answers:

8
Q: 

Enabling authentication between applications

I have a set of .NET applications running in a public web environment which connect to a centralized component made up of web pages and web services.

Is there any way to implement a security feature to make the centralized web pages be sure of the caller applications identity? Making a post and supplying a querystring parameter stating the caller application is a naive solution, someone can manually change it.

Any ideas? Tks in advance.

A: 

Take a look at this post. Good place to start. Another option, perhaps have you look at OpenID?

Jimmy Chandra  2009-07-07 15:11:46
That's not really what I need. I need in application 'C' to know if an http post was generated from application 'A' or 'B'. How do I create a trust relation from the client application to the server application? Tokens and an issuer would not solve the problem, I think.
Dante  2009-07-07 15:21:59
Sorry didn't get what you meant in the original post. Is this to prevent CSRF attack? See this blog post by Phil Haack: http://haacked.com/archive/2009/04/02/csrf-webforms.aspxHe got link to Dino Esposito's article and Hanselman's as well on the topic.
Jimmy Chandra  2009-07-07 16:12:29
Going to read it. Thanks for the links.
Dante  2009-07-08 09:41:01
+2  A: 

Assign secret keys to each client-server pair and use them to sign messages passed between client and server (using HMAC for example).

mrk  2009-07-13 20:24:04
A: 

If you communicate with the web services and web pages using http post, you avoid putting the info in a query string.

Send the data over https so that it cannot be tappered with.

You then need to make sure that the call is coming from your public web environment. One way of doing this is to use windows authentication, based on the identity of the application pool.

EDIT 1

Take a look at this link: http://www.codeproject.com/KB/WCF/WCFBasicHttpBinding.aspx

It shows how to set up windows authentication for WCF basic http binding.

Shiraz Bhaiji  2009-07-13 20:32:39
I didn't get this part: "One way of doing this is to use windows authentication, based on the identity of the application pool"
Dante  2009-07-14 09:10:12
A: 

The current situation:

Servers A, B, and C are trusted and controlled by you. A visitor comes to site A and views a page that sends data to site C, and the data contains something like "origin=A". We're concerned that the user will change that to "origin=B".

A simple fix:

You control all three servers, so let them communicate to verify incoming data. For example, A will change "origin=A" to "origin=A&token=12345", where the token value is random. The user tries to tamper with it and sends "origin=B&token=12345" to server C. C makes a trusted connection to B, saying "Did you send someone to me with token 12345?" B says "Nope" and C knows to reject the request.

This can be arbitrarily elaborate, depending on your needs and whether you're using https. Maybe tokens expire after a certain time period. Maybe they're tied to IP address. The point is that server C verifies any information that comes from the end user with servers A and B.

Iceman  2009-07-13 21:44:41
The correct way to generate such a token is to use something like HMAC. A random value can be guessed, and even if you ask the server "did you send someone with token 12345", how do you know that the attacker didn't just get lucky? Also, it is a bad idea to base authentication on IP addresses. Why needlessly open yourself up to the possibility of spoofing attacks?Tokens are a good way to solve this issue, so long as they are strong in the crypto sense.
Voltaire  2009-07-13 22:59:57
I wasn't advocating using IP address solely; I was saying to only trust a token when it's submitted by the same IP address it was issued to. That's not opening yourself up to spoofing, it's preventing session hijacking. As far as an attacker making a lucky guess against a random token, that's a threat with HMAC as well [FIPS 198a, appendix B], and in both cases is mitigated by choosing a sufficient token length.
Iceman  2009-07-14 14:39:39
A: 

Maybe look at the HTTP REFERER field. Under certain conditions this may be treated as reliable. In particular: An A mimic site won't send users from A to C according to HTTP REFERER.

Joshua  2009-07-13 21:53:44
You can always modify HTTP Referrer request header, right?
Adrian Godong  2009-07-13 21:57:34
As I said, this answer depends on a particular set of conditions. There are two or three interpretations of the question and this answer is only valid for one of them: a framing or XSS kind of attack.
Joshua  2009-07-14 01:12:15
I'm currently using Http Referrer but I'm looking for a secure way of doing so, therefore my question.
Dante  2009-07-14 09:01:04
A: 

Are you asking about single-sign-on? (i.e. someone authenticated on AppA should also be able to use AppB and AppC without re-authenticating)

You can do this by configuring the machineKey for your apps so they can share asp.net authentication tokens.

ninj  2009-07-13 22:23:33
Yes I am, this is all to implement cross domain SSO. I cannot see this technique working on cross domain applications as a single cookie is issued to all applications. And I don't want to share machine keys because in the future there may appear a client application running out of my control, not trusted.
Dante  2009-07-14 09:06:22
A: 

The company I work for currently uses shared forms authentication cookies across the enterprise by using the same machine keys on each web server. However, this is not ideal if you wish to SSO across different domains and it's not very neat for windows app that need to come into the web farm to use the web service methods...

So, where we have to do this we are using SAML

But to clean this all up and make it more unified and more secure we are beginning to implement Geneva

Chris Simpson  2009-07-13 22:43:23
+1  A: 

TLS/SSL/HTTP. You just need to enable client authentication. SSL is usually only used in the scenario where the server needs to be authenticated. But the server end can be configured to authenticate the client also. Digital certs need to be installed on both ends. This then uses all the appropriate crypto to do the job, ie. public authentication, establishment of secure channel, using Diffie-Hellman, RSA, AES/3DES, whatever you configure.

Conor OG  2009-07-14 14:59:02
Other answers may also contain valid solutions but this seems to be the best one for my scenario. I already have SSL, it's a small step to implement client authentication with a client certificate.
Dante  2009-07-15 12:36:52

related questions

How do I write Firefox add-on that automatically enters proxy passwords?
Login Integration in PHP
Strange Rails Authentication Issue
Concurrent logins in a web farm
Is there a browser equivalent to IE's ClearAuthenticationCache?
How can I authenticate using client credentials in WCF just once?
Why can't I connect to my CAS server with Perl's AuthCAS?
Best Solution For Authentication in Ruby on Rails
Authenticate on an ASP.Net Forms Authorization website from a console app
How do I use NTLM authentication with Active Directory
What have you used Windows CardSpace for, if anything
Forms Authentication across Applications
Retreiving the PC Name of a Client? (Windows Auth)
How would you implement FORM based authentication without a backing database?
What's the best way to authenticate over WCF?
Only accepting certain ajax requests from authenticated users
OpenID authentication in Ruby on Rails
OpenID Attribute Exchange - should I use it?
OpenID: which provider should I recommend to my users?
What to use for login ID?
ASP.NET authentication: user name Vs User ID
How do I add SSL to a .net application that uses httplistener - it will *not* be running on IIS
How can I get the authenticated user name under Apache using plain HTTP authentication and PHP?
Checklist for IIS 6/ASP.NET Windows Authentication?
The Definitive Guide To Website Authentication