Chapter 10: .NET and Passport


Overview

Secure applications strive to provide integrity, confidentiality, and authentication. Data integrity is important to users because it protects their information from being modified or indicates that data has been modified. For example, an application can track a file’s digital signature to ensure that it has not been corrupted. The confidentiality of information is important to Internet users. After all, there are several reasons to protect your e-mail address, home address, password, and credit card number. Encryption prevents malicious users from eavesdropping on connections. Authentication verifies that you are who you say you are. It usually involves a shared secret (often based on a password) between you and the server. As long as you are the only one who knows the password, you can be uniquely identified by the server.

Microsoft has brought several technologies to the Web Services arena in order to provide integrity, confidentiality, and authentication to the Internet experience. First, we’ll take a look at the Kerberos protocol. Kerberos is a distributed authentication protocol designed to protect users’ credentials from interception. Next, we’ll take a look at Microsoft’s Passport technology. Passport functions as a single sign-on technology, very much like Kerberos, but does not currently have the benefit of being a standard. As a result, Passport’s application infrastructure is being migrated to Kerberos 5. Finally, we’ll peruse the .NET framework and see the contributions Microsoft is making to Web Services security.

Throughout this chapter, we’ll focus on Security, capital S. Just because there is a .NET function to encrypt a data stream with Triple-DES doesn’t mean the application is secure. Malicious users can attack the Web server itself through buffer overflows or exploits downloaded from well-known Internet sites. They can also attack the application’s session management, cookies, database connectivity, and code. Obviously, it’s important to know what features of Passport and .NET provide security, what their limitations are, and what types of attacks will always exist.




Web Services Security
ISBN: 0072224711
EAN: 2147483647
Year: 2003
Pages: 105
Authors: Mark ONeill
