1

I am writing line of business software for a company, and we want to authenticate users, so we can manage workflow and do some auditing. Basically my employers don't want me to piggyback off of Windows authentication because of certain network restrictions (I really don't want to get into it but it's a mixture of poor network setup and bosses wanting to know if there is another way to do it).

I am using C#, WPF, MVVM, PRISM.

I've read a bit about hashing passwords, salting, etc and the more I read the more I realise that I really should not be writing the security section of this program, as I am basically faaaaaaar from qualified.

Eric Lippert has a very good basic intro into security, in which he warns the reader at the beginning that you should not be designing your own security system as you do not know enough.

I want to know, what are the alternatives?

Seeing as I'm not supposed to write it myself, I would like to know where should I get it from?

Do I hire security experts to write it with?

Is there a third party security program I should interface with?

Do I outsource the design but implement it myself?

Who is the big player in this industry that I should look at?

(I have created this question here on IT Security Exchange but I wondered if SO had anything to say about it, seeing as it is programming)


EDIT

I have made some adjustments to my IT Security Exchange question in order to answer some questions people raised there. Check it out if you want more info.

Jason Ridge

3 Answers

1

I think you should have a look at remoting security - even if you are not going to use remoting, the principles are good. See .NET Remoting Security Solution Part I and .NET Remoting Security Solution Part II. This could help you build an SSO (single sign-on) solution. Or ask the user to re-enter the password using the Windows built-in credential box: Show Authentication dialog in C# for Windows Vista/7

  • That SSPI stuff is really interesting and I may end up using it, but my question said that I can't really use Windows logins, because of the way the network was set up. This SSPI stuff seems to use the Windows logins to encrypt messages (and allows impersonation for remote use). However what I need is a new username and password server which can handle other logins and passwords securely so that my program can just tell this server the password and it handles the encryption, storage and access. All I have to do is some garbage collection. I really don't think I should be building my own system. – Jason Ridge May 23 '12 at 09:36
  • I might misread your requirements. See if the Kerberos procedure helps you. Be warned, it's not nice, it will be a lot of work if you don't use the Windows built-in architecture. Have you thought to use WCF? It has built-in security. – Catalin Serafimescu May 23 '12 at 09:52
  • I haven't done anything with WCF so it did not come to mind. This seems like it could be used to communicate to a server side app that I design to handle the UserNames and Passwords, but my point really is that I don't think I have the skills to design this server side app either. It will prolly have all sorts of weaknesses that I have never heard of, let alone know how to protect against. Eric Lippert says you should not design your own system, and I kinda believe him. I was wondering what the alternatives to designing my own system are. Is there some 3rd party software available etc. – Jason Ridge May 23 '12 at 10:53
  • The problem isn't *just* securing the communication, but I also need to be secure on the server side. Some program that handles the accesses to the database, authenticates and allows the user to log on. Sure I need to encrypt the messages, but I also need to handle the login attempts in a secure way that is resistant to certain attacks. What do people do? Am I bound to Windows authentication? – Jason Ridge May 23 '12 at 10:56
  • Send me your requirements and restrictions by email and I will think about it. catalin.serafimescu@gmail.com – Catalin Serafimescu May 23 '12 at 12:20
1

Caveat: some shameless self-promotion included in the following:

What it sounds like you're looking for is standard license management, either for a SaaS type application or desktop. The basic functionality you are looking for is to create and manage lists of users and have the application automagically adhere to that list. Depending on the confidentiality or significance of the app to internal business processes, you might want to think about your specific requirements.

As soon as you start controlling access (to anything) there are potential fallouts that are unpleasant: either keeping legit users from access or security holes that allow for non-legit users (for example, a simple named user/password challenge & response system allows for account sharing--either intentional or inadvertent).

If you're trying to audit, you need to know the system is reliable enough to provide accurate data.

Our company makes a great license management solution; there are other choices as well. A good system should (once set up and integrated) allow you to easily set business rules for individual users or groups--for example, perhaps you want to allow a group of 20 people to run 5 instances of the application at any one time, but not 6. Or perhaps you want to provide a temporary user with a temporary account that expires on a certain date. Rolling these capabilities yourself can be hard but a good LM system should make it completely effortless.

I guarantee you that using a solid 3rd party solution will (both short- and long-term) be less expensive than building and maintaining your own code.

John Browne
  • Thanks for the link. I thought 3rd party is the way to go because I *know* that I won't be able to secure it properly myself. Thinking about it from a licensing perspective is very interesting because it is kind of the same thing (authenticating a user and then providing them functionality based off of what is allowed to that user type). However I have 2 questions: (see comments below) – Jason Ridge May 24 '12 at 07:35
  • Question 1: How secure is it? I imagine top software companies like Adobe have very good licensing systems, yet their software gets cracked all the time, so I'm wondering how this is different. We would not want to limit a user to one pc, but the dongle approach doesn't seem very secure. What option would work that would be secure and pc-independent? – Jason Ridge May 24 '12 at 07:37
  • Question 2: How does this interface with the program we write? How does it control what functionality is available? How do I change my code to work with this system? Is there a setup kind of thing or is there an API that I use or do I expose properties/interfaces that allow your system to pick up how the licensing works. We want certain roles and rights for certain types of users, and there will be web users later on down the line who will have a second separate set of abilities. How complex does the licencing go and how heavy is the cost of integration? – Jason Ridge May 24 '12 at 07:40
  • Ok, sorry not to answer sooner. Q1: how secure. Adobe and Microsoft use basic software activation schemes. These can vary from terrible to very good but all share in common the idea that they bind to machine characteristics (such as MAC address, HD serial number, etc). The problem is those characteristics have to be determined by OS calls and so the binding can be circumvented via patching the OS (i.e. outside your application). However, software activations can keep honest people honest. They won't completely stop knowledgeable crackers though. – John Browne Jun 12 '12 at 15:08
  • For more security you need a crypto device (aka dongle). For maximum security it needs to be SmartCard based and should offer encrypted communication with the OS/App. It should not be used as part of a challenge/response authentication, because that's easy to crack. It should be used as a key storage for decrypting the application on startup. – John Browne Jun 12 '12 at 15:09
  • Finally Q2: Some systems require a lot of source code changes, others (ours, for example) do not. For access control the hardware dongle is used to provide a private/public key exchange with the server, this is external to Windows or AD. Please see http://www.wibu.us/solutions/access-control.html or PM me for more info. – John Browne Jun 12 '12 at 15:12
0

I think we have resolved the issue for now. SteveS posted on my IT Security Exchange question with a nice idea about using WCF, WIF and ASP.NET Membership Provider. It's not ideal seeing as I'll be writing some of the code, so it's prolly gonna be insecure.

However it seems like the best option as it's leveraging security technology built by Microsoft, and I'm just sewing it all together.

I'm just worried about the seams.

Jason Ridge