VS2013, MVC5, VB
Many posts including here on SO state that claims can increase authorization granularity without incurring a large proliferation of roles. I hope I said that right.
Am I correct in thinking this is only accomplished by using the ClaimValue property?
Even if that's not correct, if the ClaimValue property is used, then some kind of scheme must be employed in assigning the ClaimValue. Are there standard or typical ways to use ClaimValue? Or do we just devise what we need for a given situation?
Addition to post: Regards the comment above about roles: I ask this question because many in the community use claims as roles but it seems that is not the initial/primary purpose for the development of claims in MVC5.
So I should add to my question also asking "Is the use of claims for roles OK?", or should I just be creating a permissions structure, leaving the MVC claims facilities for what seems to be its intended purpose, that of storing identity claims, as opposed to being used with regard to authorization.
An authority will "dictate" what each claim type's standard is (or should be) for the claim value but you don't have to follow them unless you are trying to play nice with something of theirs. Here's an example of one such authority
You can invent your own claim types (and claim value standards) or make up your own standard for one of the existing claim types. They are left ambiguous to be very flexible.
Really, the whole point of making a standard is interoperability. If you don't expect to ever need to do that then it's not a big issue when you don't follow an authority on claims.
You can see a nice list of some commons claims here. Note that one of these you can see is http://schemas.microsoft.com/ws/2008/06/identity/claims/role so trivially you can see that roles are ok.
Related
Can UUID on database level be used as a security measure instead of a true rights control?
Consider a web application where all servlets implements "normal" access control by having a session id connected to the user calling it (through the web client). All users are therefore authenticated.
The next level of security needed is if a authenticated user actually "owns" the data being changed. In a web application this could for example be editing some text in a form. The client makes sure a user, by accident, doesn’t do something wrong (JavaScript). The issue is of course is that any number of network tools could easily repeat the call made by the browser and, by only changing the ID, edit a different row in the database table behind the servlet that the user does not "own".
My question is if it would be sufficient to use UUID's as keys in the database table and thereby making it practically impossible to guess a valid ID (https://en.wikipedia.org/wiki/Universally_unique_identifier#Random_UUID_probability_of_duplicates)? As far as I know similar approaches is used in Google Photos (http://www.theverge.com/2015/6/23/8830977/google-photos-security-public-url-privacy-protected) but I'm not sure it is 100% comparable.
Another option is off cause to have every servlet verify that the user is only performing an action on its own data, but in a big application with 200+ servlets and 50-100 tables this could be a very cumbersome task where mistakes could easily happen. In my mind this weakens the security far more, but I'm not sure if that is true.
I'm leaning towards the UUID solution, but I'm also curious if there are other obvious approaches to this problem that I ought to consider.
Update:
I should probably have clarified that my plan would be to use UUIDv4 which is supposed to be random. I know that entropy comes in to play here in regards to how random the UUID's actually are, but as far as I have read then Java (which is the selected platform/language) uses SecureRandom which is supposed to be "cryptographically strong" (link).
And in that case wiki states (link):
In other words, only after generating 1 billion UUIDs every second for the next 100 years, the probability of creating just one duplicate would be about 50%.
Using UUIDs in this manner has two major issues:
If there are no additional authentication methods, any attacker could simply guess UUIDs until they find one belonging to someone else. Google Photos doesn't need to worry about this as much, because they only use UUIDs to obfuscate publicly-shared photo views; you still need to authenticate to modify the photos. This is especially dangerous because:
UUIDs are intended to be unique, not random. There are likely to be predictable patterns in your UUIDs that an attacker would be able to observe and take advantage of. In addition, even without a clear pattern, the number of UUIDs an attacker needs to test to find a valid one swiftly decreases as your userbase grows.
I will always recommend using secure, continuously-checked authentication. However, if you have a fairly small userbase, and you are only using this to obfuscate public data access, then using UUIDs in this manner might be alright. Even then, you should be using actual random strings, and not UUIDs.
Another option is off cause to have every servlet verify that the user
is only performing an action on its own data, but in a big application
with 200+ servlets and 50-100 tables this could be a very cumbersome
task where mistakes could easily happen. In my mind this weakens the
security far more, but I'm not sure if that is true.
With a large legacy application adding in security later is always a complex task. And you're right - the more complicated an application, the harder it is to verify security. Complexity is the main enemy of security.
However, this is the best way to go rather than by trying to obscure insecure direct object reference problems.
If you are using these UUIDs in the query string then this information within URLs may be logged in various locations, including the user's browser, the web server, and any forward or reverse proxy servers between the two endpoints. URLs may also be displayed on-screen, bookmarked or emailed around by users. They may be disclosed to third parties via the Referer header when any off-site links are followed. Placing direct object references into the URL increases the risk that they will be captured by an attacker. An existing user of the application that then has their access revoked to certain bits of data - they will still be able to access this data by using a previously bookmarked URL (or by using their browser history). Even where the ID is passed outside of the URL mechanism, a local attacker that knows (or has figured out) how your system works could have purposely saved IDs just for the occasion.
As said by other answers, GUIDs/UUIDs are not meant to be unguessable, they are just meant to be unique. Granted, the Java implementation does actually generate cryptographically secure random numbers. However, what if this implementation changes in future releases, or what if your system is ported elsewhere where this functionality is different? If you're going to do this, you might as well generate your own cryptographically secure random numbers using your own implementation to use as identifiers. If you have 128bits of entropy in your identifiers, it is completely infeasible for anyone ever to guess them (even if they had all of the world's computing power).
However, for the above reasons I recommend you implement access checks instead.
You are trying to bypass authorisation controls by hoping that the key is unguessable. This is a security no-no. Depending on whom you ask, they may refer to it as an insecure direct object reference or a violation of the complete mediation principle.
As noted by F. Stephen Q, your assumption that UUIDs are unique does not imply that they are not predictable. The threat here is that if a user knows a few UUIDs, say his own, does that allow him to predict other peoples' UUIDs? This is a very real threat, see: Cautionary note: UUIDs generally do not meet security requirements. Especially note what the UUID RFC says:
Do not assume that UUIDs are hard to guess; they should not be used as
security capabilities (identifiers whose mere possession grants
access), for example.
You can use UUIDs for keys, but you still need to do authorisation checks. When a user wants to access his data, the database should identify the owner of the data, and the server logic needs to enforce that the current user is the same as the database claims the owner is.
I am researching security frameworks for an ASP.NET MVC3 application that would have some pretty complex authorization rules in terms who can see data, who can create and edit it. Rules such as
- I can only see clients that are part of my company or branch.
- If I am out 15 or less days from the day the record was created and my role is of super user then only I can edit all but two fields on that record. After 16 days or more I can only edit two fields.
My initial thought was to use the Enterprise Security Block and just add customized authorizers, but after reading more about the native support for membership based security in ASP.NET, I am not so sure if Enterprise Security Block is necessary. I have not use neither of the frameworks in a real-world application so looking for some collective wisdom on the topic.
This is the problem with complex field level security. There is no real framework to help you with it, because everything is so custom. The best you can do is extract this into some kind of lookup table, and assign each field a custom identifier in the table, then have a set of columns that indicate each security level. Then, you build your business logic so that you pass in a field and conditions, and it simply responds back whether or not to allow it.
THen you have to figure out what "allow" means in your interface. Disable it? Hide it? ignore it?
I don't envy you.
You might find this semi-interesting.
http://bartreyserhove.blogspot.com/2008/12/field-level-security-using-aspnet-mvc.html
You can use Azman - Microsoft Authorization Manager and its related APIs.
It provides you with roles, actions, permissions and many more configurable options.
Azman uses AD to store most of this. It also provides options to store using local XML and/or configuration files.
You are crossing into more than just direct security concerns here but actually authorization rules AND edit rules. Your auth rules sound quite custom and I feel that you may need to process these rules in your own custom code and then include these Attributes in your own view models.
Im not aware of any frameworks that will give you this by default as these are very custom editing rules. You could call these claims and when you login go against a claims based framework such as windows identity foundations (WIF) but you will still need custom IF stmts to allow editing in your view based on properties you set in your ViewModel such as CustomerViewModel.AllowAddressEdit. Your view needs to then check this property to display DisplayFor or EditorFor. However you should also check these values on postback to ensure a user hasn't just injected values to hack your app.
You can use asp.net security for basic authentication to the site, and you can use it for basic role membership. But since these are site-wide permissions, you will need your own logic to segment users into organizational permissions.
What I've done in the past is use the asp.net membership logic to handle the basic auth stuff, but then keep another structure in your database that maps the user id's to other parameters - like the mentioned organizational level membership, or especially access rights for data-driven structures.
I'm actually surprised there aren't better solutions already built out there for handling more complext membership/permissions situations that many apps need.
I am working on a project with very detailed security requirements. I would honestly not be surprised if the model proposed was as complex as for any intelligence/security agency. Now I've read that incorporating security with business logic is a mixing of concerns and thus a practice to be avoided.
However, all attempts at abstracting security have either failed or created "abstractions" as messy as before. Is it possible for security to be so specific that it becomes part of business rules? In some situations violating security, only masks the data, whereas in other situations will terminate the session, and at others time it will trigger default values to be used instead. The are many requirements that respond to security priveleges.
My fundamental question is: could I be in an exceptional case (i.e. one where incorporating security is sound) or am I not understanding something fundamental about abstracting security?
Edit:
tl;dr (of answers as I understand them): authentication (who are you) is very much a cross cutting concern and should be abstracted, whereas authorization (what can you do) is business logic. Lacking that vocabulary and having only the term "security" (or perhaps failing to appreciate the distinction between the two) lead to my confusion.
Security is split into two parts; authentication and authorization. Authentication is a pretty specific use case. How do you determine that a user is trusted out of a set of untrusted users. I think this is cross cutting; you need to keep unauthenticated users out of your system, or a subset of your system.
Authorization (can the user do something) is very much a business rule. It can (and often is) very specific and different to each use case. Who determines what roles can do what? Well, the business does. No one else can answer that for you.
In the Csla.Net 4 framework, that's exactly how authorization is treated; as a specialized business rule. You're not even limited to "user is in role" or "user has permission." You can make more complex rules "user can edit this field if workflow step has not past this particular step."
I suppose an exceptional case would be if your business logic IS security services of some kind then yes. However I think your problem may be that you are confusing user authorization with authentication.
Certainly Authentication should have a set of rules associated with it but the end result should be, identification of the user and creation of the session.
Authorization would be seperate from that where we determine the user role, and what privileges are laid out by that role.
A typical example would be that Authentication returns a User object and stores it in session. The User has 1 to many roles. A role may have 1 to many privileges. A business logic method might be sendEmail. This method queries the User object for a specific privilege, if it exists do something, if not do something else.
EDIT: Security in my opinion should always be a cross cutting concern when it comes to the user, however if your business logic involves properties of objects that are not the user, CRUD of those objects, or administering other users then it falls in line with your business requirements and thus is Business Logic.
Stack Overflow is obviously a great example of really successfull implementation of OpenID, but let's be honest - it's a little easier when your target user base is geeks like us! I'm really interested to hear people's experiences of implementing OpenID outside hi-tech websites.
What kind of responses have you got from
a) users?
b) statistics?
with regards to the user experience of OpenID 'login with..' login systems?
With a universe of undergraduate university students, I had a positive experience. OpenID was required for them to register in an event. Beware the sample was small (around 150 persons) and of a narrow scope (undergraduates). Also note that OpenID was required, so they maybe they were willing to spend some extra effort.
Login with is essential and you need to add a small set of instructions, telling them to click a provider or to enter an OpenID address, and that they may have to register e.g. with myOpenId. Except for an audience of programmers, virtually no one is going to enter an address of his own the first time (some tried to enter their e-mail or their name, but then they eventually got it -- maybe they read the text). After registering with myOpenID, one or two entered their claimed identifier directly.
I showed only three possibilities: Gmail, Yahoo and myOpenID. For myOpenID, I used IDENTIFIER_SELECT (I didn't tell them to enter their username and use that to build the URL, like SO does). Around 80% used their gmail account, Yahoo accounts comprised little above 5% and the rest registered with myOpenID.
I only got two support e-mails where the users had made logins with two different identifiers and therefore weren't being associated with their previous login. The first case was a bug in the normalization phase of my OpenID implementation (a problem with trailing spaces). The second one was caused by the mandatory (per the spec) distinction between http://www.example.com/path and https://www.example.com/path. I think one should consider to disregard that part of the spec.
In my experience, the use of OpenID by your average home user is low to non-existent. I guess they are either uninformed about the existence, or scared to use it. On a local news site, where commenting can be done by logging in with OpenID, statistics show less than 1% usage. Most of these users have no problem logging in with their (social site of choice) credentials, which they also support. Use of these types of login are very common.
In my experience, I notice a difference more with age-groups, than with techie/non-techie status. I guess you could look at that in general terms of younger folks being more "techie" than older folks, but I wouldn't go so far as to call them "high-tech" -- they're just more comfortable with computers/internet because it's always been part of their lives.
The younger my customers are, the less concerned they seem to be with privacy / sharing their information with a "service" on the web, be it OpenID, Google, Facebook, or what have you. They also don't seem to mind having 2, 3 or even more email accounts with different providers.
The older my customers are, the less comfortable they become putting their info online (e.g.: even the bare minimum required to get an OpenID). There are enough horror stories in the news about privacy-related issues -- be it advertisers, hackers, or government subpoenas getting a hold of their information, etc. It isn't that they know something bad will happen -- it's that they know they have no idea how to spot a fraudulent service, evaluate risks or protect themselves -- it all seems so complicated, so they make the conservative choice not to put their information "out there" at all. Some of my older customers will give it a go, but even then, I also see a lot of reluctance in this group to setup more than one email account -- they use the one that their ISP provides, and won't use anything else.
Anyway -- those comments are just about who is more or less willing to use something like OpenID. Of those who are willing (of my users, I'd say about 85% below age 40 will use it; I can count on about 60-70% of my working-adult customers in general to use it; And my retiree users are at about 20%). I have only a few complaints in the "willing" groups about usability.
OpenID can be implemented on the client site in different ways and that affects how likely it is to be used on any given site.
I think StackOverflow does a very good job and you just click on your provider and it redirects and you can authenticate. I've seen other sites that just give you a text input that say "OpenID" and it's not clear what they want you to type in; not nearly as easy to use. Zendesk is one example:
https://support.zendesk.com/access/unauthenticated?return_to=https%3A%2F%2Fsupport.zendesk.com%2Flogin
I'd say that the rising popularity of Facebook as a single login is going to drastically change how people feel about logging in using OpenID, provided you make the process entirely invisible. Look at the login page for FriendFeed, for example, which promotes "one click" joining/logging in. They actually appear to be using a combo of OpenID and OAuth but the user experience is largely the same.
Now that Facebook uses OAuth, it's fairly simple to login via Twitter, Facebook, or any OpenID provider by simple implementing login for OpenID and OAuth. I actually would recommend against implementing OpenID alone as it's not much more difficult to add-on OAuth and once added provides you with the BIG THREE: Facebook, Twitter, and Google along with Yahoo, MySpace, and all the other OpenID providers that are out there.
Most of the literature on security talks about the importance of defining a security policy before starting to workout on the mechanisms and implementation. While this seems logical, it is quite unclear as to what defining a security policy really means.
Has anyone here had any experience in defining a security policy, and if so:
1) What is the outcome of such a definition? Is the form of such a policy, for say distributed system, a document containing a series of statements on the security requirements (what is allowed and what is not) of the system?
2) Can the policy take the a machine readable form (if that makes sense) and if so how can it be used?
3) How does one maintain such a policy? Is policy maintained as documentation (as with all the rest of the documentation) on the system?
4) Is is necessary to make references to the policy document in code?
Brian
You should take one of the standard security policies and work from there. The one that is most common is PCI compliance (Payment Card Industry). It's very well thought out and except for a few soft spots, generally good. I've never heard of a machine readable policy except for a Microsoft Active Directory definition or a series of Linux iptables rules.
https://www.pcisecuritystandards.org/security_standards/pci_dss.shtml
EDIT:
Check out SE Linux policies also:
http://en.wikipedia.org/wiki/Security-Enhanced_Linux
The Open Web Application Security Project OWASP is a language-agnostic project to educate about security and provide tools to test and support software. While it is web-centric, many of the core ideas are widely applicable. The website is geared towards both software engineers as well as management.
When people talk about "security policy", they might be referring to two different types of security policy.
One of them are high level ones, usually defined by managements. This security policy's primary readers are human. It is a document defining the goal, context, expectations, and requirements of security in the management's mind. Languages used inside this policy could be vague, but it's the elementary "law" of security in the applying context. Everyone involved should follow such policy.
1) The outcome of such policy is the clearly defined security requirements from the management. With this polices, everyone involved can understand the management's expectation and make security-related judgment accordingly when necessary.
2) As the primary readers of such security policies are human, and the statements are usually very general, it may not be in machine readable form. However, there may be a couple of documents defined base on the policy, namely security guidelines, procedures, and manuals. They are in the order of increasing level of details on how security should actually be implemented. For example, the requirements defined in the security policy may be realized into hardening manuals for different OS, so that the Administrators and Engineers can perform hardening tasks efficiently without spending too much time interpretation the management's thoughts. The hardening manuals may then be turned into a set of machine readable configurations (e.g. min password length, max failure login count before locking the account, etc) automating the hardening tasks.
3) The document should be made accessible to everyone involved, and regularly reviewed by management.
4) Practically it might be hard to make such references. Security policies might be updated from time to time, and you will probably not want to recompile your program if the policy changes just affect some parameters. However, it's nice to reference the policy in development documents like design sepc.
Another type of "security policies" might just refer to those sets of parameters intake be security programs. I found that some security programs really like to use the word "policy" to make their configurations more organized and structures. But anyway, these "security policies" are really just values and/or instructions for security programs to follow. For example, Windows has its own set of "security policies" for user to configure audit loggings, user rights and etc. This type of "security policies" (parameters for programs) is actually defined based on the 1st type of "security policies" (requirements from management) as mentioned above.
I might be writing too much on this. Hope it helps.
If you have to design a security policy, why not think about users and permissions?
So, let's say you have an API to something. Consider some arrangement of users that divides them in what they want to do and what minimum permissions they need to do it. So if someone only has to read documents from a database, the API itself won't let the user do something else.
Imagine this is a web JSON API. The user clicks a button and JS processes a request, and sends it. Normally it works fine, but if someone tampers the request, the server simply returns some error code because it is whitelisting just a few actions the user can do.
So I think it all boils down to users and permissions.