Thursday, September 6, 2007

Achieving IWA for Internet based web app

Here, I present you with a sample .NET application on how to authenticate users with your domain instead of application level user id and password. The benefit of doing is that all your internet based web apps can use the same mechanism and NOT store individual user ids & passwords in a seperate datastore (often times different for each app). This feature allows your administrators to control users enterprise-wide instead of worrying about controlling users at application level & making sure all company security guidelines are followed.

Environment : VS 2005, C# , IIS

Login.aspx is your application's start page in this example. If the user is not authenticated, he gets an error message, otherwise the user proceeds to default.aspx page of the app.

LoginPage.aspx:


LoginPage.aspx with Incorrect Password:


LoginPage.aspx with Correct Password:


Default.aspx after Authentication done:


You can use the following code to achieve this :

===================
LoginPage.aspx
===================
<%@ Page language="c#" Inherits="LogonUserCS.LoginPage" CodeFile="LoginPage.aspx.cs" %>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" >
<HTML>
<HEAD>
<title>LoginPage</title>
<meta name="GENERATOR" Content="Microsoft Visual Studio .NET 7.1">
<meta name="CODE_LANGUAGE" Content="C#">
<meta name="vs_defaultClientScript" content="JavaScript">
<meta name="vs_targetSchema" content="http://schemas.microsoft.com/intellisense/ie5">
</HEAD>
<body>
<FORM id="Form1" method="post" runat="server">
<TABLE id="Table1" cellSpacing="1" cellPadding="1" width="300" border="0">
<TR>
<TD><FONT face="Arial"><STRONG>Username:</STRONG></FONT></TD>
<TD>
<asp:TextBox id="txtUsername" runat="server" Width="150px">UserID</asp:TextBox><FONT face="Arial"></FONT></TD>
</TR>
<TR>
<TD><FONT face="Arial"><STRONG>Password:</STRONG></FONT></TD>
<TD>
<asp:TextBox id="txtPassword" runat="server" Width="150px" TextMode="Password">tryme</asp:TextBox><FONT face="Arial"></FONT></TD>
</TR>
<TR>
<TD colSpan="2"><FONT face="Arial">
<asp:CheckBox id="chkRemember" runat="server" Text="Remember login information"></asp:CheckBox></FONT></TD>
</TR>
</TABLE>
<P><FONT face="Arial" color="#ff0000"><STRONG>
<asp:Label id="lblError" runat="server" Visible="False">Login failed! Please try again.</asp:Label>
</STRONG></FONT></P>
<P>
<asp:Button id="cmdLogin" runat="server" Text="Login" onclick="cmdLogin_Click"></asp:Button><BR>
</P>
</FORM>
</body>
</HTML>


=======================
LoginPage.aspx.cs
=======================
using System;
using System.Collections;
using System.ComponentModel;
using System.Runtime.InteropServices;
using System.Data;
using System.Drawing;
using System.Web;
using System.Web.Security;
using System.Web.SessionState;
using System.Web.UI;
using System.Web.UI.WebControls;
using System.Web.UI.HtmlControls;
using System.Configuration;

namespace LogonUserCS
{
/// <summary>
/// Summary description for LoginPage.
/// </summary>
public partial class LoginPage : System.Web.UI.Page
{

#region Web Form Designer generated code
override protected void OnInit(EventArgs e)
{
//
// CODEGEN: This call is required by the ASP.NET Web Form Designer.
//
InitializeComponent();
base.OnInit(e);
}

/// <summary>
/// Required method for Designer support - do not modify
/// the contents of this method with the code editor.
/// </summary>
private void InitializeComponent()
{
}
#endregion

// Declare the logon types as constants
const long LOGON32_LOGON_INTERACTIVE = 2;
const long LOGON32_LOGON_NETWORK = 3;

// Declare the logon providers as constants
const long LOGON32_PROVIDER_DEFAULT = 0;
const long LOGON32_PROVIDER_WINNT50 = 3;
const long LOGON32_PROVIDER_WINNT40 = 2;
const long LOGON32_PROVIDER_WINNT35 = 1;

[DllImport("advapi32.dll",EntryPoint = "LogonUser")]
private static extern bool LogonUser(
string lpszUsername,
string lpszDomain,
string lpszPassword,
int dwLogonType,
int dwLogonProvider,
ref IntPtr phToken);

/// <summary>
/// Validates the user based on the supplied credentials
/// </summary>
/// <param name="Username">The username to use when valdiating the user</param>
/// <param name="Password">The password to use when validating the user</param>
/// <param name="Domain">The account domain or machine name to use when validating the user</param>
/// <returns>Returns true if the credentials are valid, and false otherwise</returns>
private bool ValidateLogin(
string Username,
string Password,
string Domain)
{
// This is the token returned by the API call
// Look forward to a future article covering
// the uses of it
IntPtr token = new IntPtr(0);
token = IntPtr.Zero;

// Call the API
if (LogonUser(
Username,
Domain,
Password,
(int)LOGON32_LOGON_NETWORK,
(int)LOGON32_PROVIDER_DEFAULT,
ref token))
{
//' Since the API returned TRUE, return TRUE to the caller
return true;
}
else
{
//' Bad credentials, return FALSE
return false;
}
}

/// <summary>
/// Called when the user clicks on the Login button
/// </summary>
/// <param name="sender"></param>
/// <param name="e"></param>
protected void cmdLogin_Click(object sender, System.EventArgs e)
{
string Username = txtUsername.Text;
string Password = txtPassword.Text;
// Pull the domain out of the web.config file
string Domain = ConfigurationSettings.AppSettings["AccountDomain"];

if (ValidateLogin(Username,Password,Domain))
{
//' Since the credentials are valid,
//' redirect the user to the calling page
FormsAuthentication.RedirectFromLoginPage(Username,chkRemember.Checked);
}
else
{
//' Bad credentials, show an error message
lblError.Visible = true;
}

}
}
}

========================
default.aspx
========================
<%@ Page language="c#" Inherits="LogonUserCS.WebForm1" CodeFile="default.aspx.cs" %>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" >
<HTML>
<HEAD>
<title>WebForm1</title>
<meta name="GENERATOR" Content="Microsoft Visual Studio .NET 7.1">
<meta name="CODE_LANGUAGE" Content="C#">
<meta name="vs_defaultClientScript" content="JavaScript">
<meta name="vs_targetSchema" content="http://schemas.microsoft.com/intellisense/ie5">
</HEAD>
<body>
<FORM id="Form1" method="post" runat="server">
<FONT face="Arial">You are logged in as </FONT><FONT face="Arial"><STRONG>
<asp:Label id="lblUser" runat="server"></asp:Label></STRONG></FONT><FONT face="Arial">.</FONT>
</FORM>
</body>
</HTML>

============================
default.aspx.cs
============================

using System;
using System.Collections;
using System.ComponentModel;
using System.Data;
using System.Drawing;
using System.Web;
using System.Web.SessionState;
using System.Web.UI;
using System.Web.UI.WebControls;
using System.Web.UI.HtmlControls;

namespace LogonUserCS
{
/// <summary>
/// Summary description for WebForm1.
/// </summary>
public partial class WebForm1 : System.Web.UI.Page
{

protected void Page_Load(object sender, System.EventArgs e)
{
lblUser.Text = User.Identity.Name;
}

#region Web Form Designer generated code
override protected void OnInit(EventArgs e)
{
//
// CODEGEN: This call is required by the ASP.NET Web Form Designer.
//
InitializeComponent();
base.OnInit(e);
}

/// <summary>
/// Required method for Designer support - do not modify
/// the contents of this method with the code editor.
/// </summary>
private void InitializeComponent()
{

}
#endregion
}
}

========================
web.config
========================
<?xml version="1.0"?>
<configuration>
<system.web>
<compilation defaultLanguage="C#" debug="true">
<compilers>
<compiler language="c#" type="Microsoft.CSharp.CSharpCodeProvider, System, Version=2.0.0.0, Culture=neutral, PublicKeyToken=B77A5C561934E089" extension=".cs" compilerOptions="/d:DEBUG;TRACE"/></compilers></compilation>
<customErrors mode="On"/>
<authentication mode="Forms">
<forms loginUrl="/LoginPage.aspx" name="LogonUserDemo" timeout="20" path="/" protection="All"/>
</authentication>
<authorization>
<allow users="*"/>
<deny users="?"/>
</authorization>
<trace enabled="false" requestLimit="10" pageOutput="false" traceMode="SortByTime" localOnly="true"/>
<sessionState mode="InProc" stateConnectionString="tcpip=127.0.0.1:42424" sqlConnectionString="data source=127.0.0.1;Trusted_Connection=yes" cookieless="false" timeout="20"/>
<globalization requestEncoding="utf-8" responseEncoding="utf-8"/>
<xhtmlConformance mode="Legacy"/></system.web>
<appSettings>
<add key="AccountDomain" value="DomainName"/>
</appSettings>
</configuration>

Posted by Rajnish Bhatia at 4:35 PM 0 comments

Tuesday, September 4, 2007

Implementing Sun RSA CRT Security to secure data

Often times you need to encrypt/cipher data to keep in your datastores in a non human readable format. There are various ways to achieve this and one of the ways is to implement asymmetric encryption or commonly known as key/pair implementation. Key Pair term is used because this implementation involves a pair of distributable Public Keys and a secret Private key. Data Encrypted by your Public Key can only be decrypted by your Private Key. Longer Keys provide stronger encryption but it requires more computation and hence not appropriate for large amounts of data. You may use it to secure small but important data like credentials, social-security numbers etc. The algorithm used in this secure implementation is Chinese Remainder Theorem (CRT) and it is patented by RSA.

Here, I present you a way to implement this into your apps:

=================================================
KeyGen.java
=================================================

import java.security.KeyPair;
import java.security.KeyPairGenerator;

public class KeyGen {

public static void main(String[] args) throws Exception {
String algorithm = "RSA";
KeyPairGenerator generator = KeyPairGenerator.getInstance(algorithm);
generator.initialize(1024);
KeyPair keyPair = generator.generateKeyPair();
System.out.println(keyPair.getClass().getName());
System.out.println(keyPair.getPublic().getClass().getName());
System.out.println(keyPair.getPublic());
System.out.println(keyPair.getPrivate());
}

}
=========================
Results:
=========================
java.security.KeyPair

sun.security.rsa.RSAPublicKeyImpl


Sun RSA public key, 1024 bits
modulus: 98677203744446260465542414765650691002275163600893336774030639809055241671590316795866062624226355106366106365150146141568384880010496063021240945844297495973945754466316385920919706173968448314515263558835923413988948374505246140063606334219872299586481788510932872327106443573840159515004641256381252312213
public exponent: 65537


Sun RSA private CRT key, 1024 bits
modulus: 98677203744446260465542414765650691002275163600893336774030639809055241671590316795866062624226355106366106365150146141568384880010496063021240945844297495973945754466316385920919706173968448314515263558835923413988948374505246140063606334219872299586481788510932872327106443573840159515004641256381252312213
public exponent: 65537
private exponent: 66010151355116476266381509769151653939465423309378897073565730501377708014162855770748799174644973590768519601973656972282825907877079480277007252494924174792809949607545280699010499959716736392703906869830507078213365818919271289454064367852372369106548543273821152999734305850287488981430290809005791015693
prime p: 11233688489962973338844802243855066309619057073058245210667885044580710403537025877181943919444268451387897571270403920077238069995990276143846449096478403
prime q: 8784043089018529857113045198094546951702263784704005736527840877045442563172893548671083896835744209733189342603630638586802678054189266328008006731555271
prime exponent p: 8735389670346415723853835420469992359595440538279052938432591629795720945192088633183487587511158716749775486016789364404476959933101247430347784287573925
prime exponent q: 7568240491089313012675972506455997195093153895770273096400217632226802566063759511714930853086457002102541608853878078618832110395774159825400920214596333
crt coefficient: 7682099122771530487734293443893764412335043357041532111008506208973843014546928432001347862281087160360054782853678831202444919205277659896883572013566175

=================================================
PasswordEncrypt.java
=================================================

import java.math.BigInteger;
import java.security.PublicKey;

import javax.crypto.Cipher;

import org.apache.axis.encoding.Base64;

import sun.security.rsa.RSAPublicKeyImpl;

public class PasswordEncrypt {

private static BigInteger mod;
private static BigInteger pubExp;
private static PublicKey key;
private static Cipher cipher;

static
{
try
{
mod = new BigInteger("98677203744446260465542414765650691002275163600893336774030639809055241671590316795866062624226355106366106365150146141568384880010496063021240945844297495973945754466316385920919706173968448314515263558835923413988948374505246140063606334219872299586481788510932872327106443573840159515004641256381252312213", 10);
pubExp = new BigInteger("65537", 10);

key = new RSAPublicKeyImpl(mod, pubExp);
cipher = Cipher.getInstance("RSA");
cipher.init(Cipher.ENCRYPT_MODE, key);
}
catch(Exception e)
{
throw new RuntimeException(e);
}
}

public PasswordEncrypt()
{
super();
}

public static String encrypt(String password) throws Exception
{
// encrypt the password
byte[] data = password.getBytes();
data = cipher.doFinal(data);
return new String(Base64.encode(data));
}

public static void main(String[] args)
{
try{
System.out.println(encrypt("test"));
}catch(Exception ex){System.out.println(ex.getStackTrace());}
}
}

========================
Results:
========================

iMeOizw/O75tdjDSzXSlkUCGahuNYSvhc5oW/jKzV7+hS6eaxtWzbhcssgAd4ygxGbBL3gZxzxEVePRfLedFPqX/DAHMKSVbeCqbtE+1TtHjvIo46SReAahNANvDJnAXmCO2Bp4p+l4hGrTCAz9EXkhUQdel6AIc0DwJOSB0I+4=

=================================================
PasswordDecrypt.java
=================================================
import java.math.BigInteger;
import java.security.KeyFactory;
import java.security.PrivateKey;
import java.security.spec.RSAPrivateCrtKeySpec;

import javax.crypto.Cipher;

import org.apache.axis.encoding.Base64;

public class PasswordDecrypt {

private static BigInteger mod;
private static BigInteger pubExp;
private static PrivateKey key;
private static RSAPrivateCrtKeySpec keySpec;
private static Cipher cipher;

static
{
try
{
// get out the parts of the private key
BigInteger privExp = new BigInteger("66010151355116476266381509769151653939465423309378897073565730501377708014162855770748799174644973590768519601973656972282825907877079480277007252494924174792809949607545280699010499959716736392703906869830507078213365818919271289454064367852372369106548543273821152999734305850287488981430290809005791015693");
BigInteger p = new BigInteger("11233688489962973338844802243855066309619057073058245210667885044580710403537025877181943919444268451387897571270403920077238069995990276143846449096478403");
BigInteger q = new BigInteger("8784043089018529857113045198094546951702263784704005736527840877045442563172893548671083896835744209733189342603630638586802678054189266328008006731555271");
BigInteger pExp = new BigInteger("8735389670346415723853835420469992359595440538279052938432591629795720945192088633183487587511158716749775486016789364404476959933101247430347784287573925");
BigInteger qExp = new BigInteger("7568240491089313012675972506455997195093153895770273096400217632226802566063759511714930853086457002102541608853878078618832110395774159825400920214596333");
BigInteger crtCoef = new BigInteger("7682099122771530487734293443893764412335043357041532111008506208973843014546928432001347862281087160360054782853678831202444919205277659896883572013566175");

// get the parts of the public key
mod = new BigInteger("98677203744446260465542414765650691002275163600893336774030639809055241671590316795866062624226355106366106365150146141568384880010496063021240945844297495973945754466316385920919706173968448314515263558835923413988948374505246140063606334219872299586481788510932872327106443573840159515004641256381252312213", 10);
pubExp = new BigInteger("65537", 10);

keySpec = new RSAPrivateCrtKeySpec(mod, pubExp, privExp, p,q, pExp, qExp, crtCoef);
KeyFactory keyFactory = KeyFactory.getInstance("RSA");
key = keyFactory.generatePrivate(keySpec);
cipher = Cipher.getInstance("RSA");
cipher.init(Cipher.DECRYPT_MODE, key);
}
catch (Exception e)
{
throw new RuntimeException(e);
}
}

public PasswordDecrypt()
{
}

public static String decrypt(String dataString) throws Exception
{
// decode and decrypt the data
byte[] data = Base64.decode(dataString);
data = cipher.doFinal(data);
return new String(data);
}

public static void main(String[] args) throws Exception
{
System.out.println(decrypt("iMeOizw/O75tdjDSzXSlkUCGahuNYSvhc5oW/jKzV7+hS6eaxtWzbhcssgAd4ygxGbBL3gZxzxEVePRfLedFPqX/DAHMKSVbeCqbtE+1TtHjvIo46SReAahNANvDJnAXmCO2Bp4p+l4hGrTCAz9EXkhUQdel6AIc0DwJOSB0I+4="));
}
}


=============================
Results:
=============================
test



You can use this class to regenerate your new keys and secure your data. Simply replace the keys in the code and secure your data.

Happy Securing Data !!

Posted by Rajnish Bhatia at 10:44 PM 1 comments

Subscribe to: Posts (Atom)