|
CA (Certification Authority) utility, See also cryptography techniques
creating code-signing certificates, 175
digital certificates, defined, 173, 443
distributing root certificates, 175–177, 175–177
getting own certificates, 177–179, 178
making changes in, 175, 175
overview of, 173–174
viewing certificates, 174–175, 174
caching
affect on security, 271
credentials, 210–212, 312
Global Assembly Cache, 17, 17
caller zones. See zones
canonical representation issues, avoiding, 63–64
“Canonicalization Problems Using Deny” write-up, 97
CAs (Certificate Authorities), 99, 173, 441
CASPol (Code Access Security Policy) tool, See also code access security; policies
adding
assemblies, 116–117, 116
custom code groups, 120
groups, 111–112, 111–112
permissions, 113–116, 113, 115, 140
command-line switches, 108–109
defined, 108–109
listing assemblies with, 109–110, 110
listing security elements, 109–110, 110
versus .NET Framework Configuration Tool, 110, 111
removing
assemblies, 117
groups, 112–113, 113
permissions, 116
resolving errors in assemblies, 117–118, 117
undoing changes, 115
warning, 113
Web resources, 108, 109
Certificate dialog box, 197, 197
certificates, digital, See also CA
Certificate Authorities, 99, 173, 441
defined, 173
obtaining certificates for SSL, 294
obtaining client certificate info via SSL, 296–298, 298
channel data interception risk, 304
channel sinks, 279, 282
characters, unnecessary, avoiding, 57–59
checklists, 53, 65, 260–261
Class Library Comparison Tool, 367–369, 368
classes
cryptographic classes, 179–184, 182
evidence classes, 76
HTTP-specific classes, 244–245
in .NET Compact Framework, 367–369, 368
sorting unmanaged code into, 165
in System.Security.Cryptography namespace, 36
ClassInterface attribute, 214–215
CLR (Common Language Runtime)
defined, 441
evidence process, 71, 75–77
non-verifiable code, 75, 76
security requirements and, 73
verifiable code, 75–76
Win32 API and, 71
zones, 74–75
code access security, See also policies; role-based security; validation
using code groups
checking membership, 76–77, 121, 122
creating/editing, 88–90, 89–90
default/custom groups, 119–120, 119–120
defined, 108
defining components, 121–124
installing components, 124–125, 125
listing, 109–110, 110
overview of, 118–119
testing components, 125–127, 127
usefulness of, 120–121
warnings, 124, 127
declarative security
defined, 443
defining effectively, 92
implementing permissions, 136–137
managing access to AD, 353–354
overview of, 9, 19, 87
using Permission View Tool, 83–87, 86–87
reasons to use, 72, 73, 83, 92–93
defined, 5
digital signatures, 72–73, 99
evidence in
checking, 75–77
obtaining by reflection, 103–106, 106
Publisher evidence, 99
imperative security
accessing files, 9–11
checking permissions, 309–310, 310
defined, 447
defining effectively, 93
implementing permissions, 128–135, 135
managing AD access, 354–356, 356
overview of, 9, 19
Permission View Tool and, 85
modifying using CASPol tool. See CASPol
modifying using .NET Framework Configuration tool
adding configured applications, 92
creating permission sets, 90–91, 91, 141–142, 141–142
creating/editing code groups, 88–90, 89–90
defining policy assemblies, 91
installing code groups, 124–125, 125
overview of, 74, 87–88, 88
modifying using .NET Wizards, 118, 118
overview of, 12, 61–62, 70, 81
permissions
adding, 81, 128
creating, 128–137, 135, 140–142, 141–142
declarative implementation, 136–137
imperative implementation, 128–135, 135
listing via policies, 78–79
modifying, 81
obtaining via evidence, 79–80, 80
overview of, 77–78
standard, in .NET, 80
testing, 137–139
remoting problem, 281–282
versus role-based security
overview of, 71–72
when to use, 73–74
where to use, 74
why to use, 72–73
securing the registry
locking, 97
overview of, 93
problems with, 97
using RegistryPermission class, 94–97
in Win32 API, 97
using StrongNameIdentityPermission class
checking credentials, 101–102
defined, 98
extracting public keys, 101, 101
versus Publisher evidence, 99
signed client example, 99–101
testing, 103
using System.Reflection.Assembly.Evidence property, 103–106, 106
turning on, 121
warning, 121
zones and, 73, 74–75
Code Access Security Policy. See CASPol
The Codebreakers: The Comprehensive History of… (Kahn), 172
The Code Project site, 27
COM+ (Component Object Model), See also DCOM; LAN security
adding role-based security to, 225–229, 225–228
attributes, 214–215
creating COM+ components, 221–223
overview of, 220–221
SecurityCallContext class, 223–225
warning, 228
using as Web service, See also Web services security
adding SOAP support to, 326–328, 326–328
creating Web reference to, 328–329, 329
IWAM and, 332
overview of, 325–326
testing SOAP calls, 329–332
verifying safety of, 332, 332
COM Programming with .NET (Mueller), 220
comments in IL files, 151–152, 152
CompareValidator, 267–268
components, 381
CORBA (Common Object Request Broker Architecture), 301, 441
cracker exploits, See also errors; troubleshooting
apparent communication errors, 258
bad password attempts, 237
buffer overruns, 60
classifying, 249
cracking
Data Encryption Standard, 185–186
Telnet connections, 208–209, 208
validation checks, 152–153, 155–156
DDOS attacks, 253–255, 444
defined, 24
researching, 260
in SQL Server, 265
tampering, 258
tricking forms, 260, 267
crackers, See also security risks
absurd methods of, 235
defined, 4, 441–442
overview of, 260
port preferences, 376
credentials, See also authentication; validation
caching, 210–212, 312
checking, 101–102, 265
CryptoAPI technology, 36, 37
cryptography techniques, 172–201
asymmetric algorithms
cracking, 186
defined, 185
DSA, 36, 185, 186, 443
overview of, 184
RSA, 36, 184–185, 186, 279
asymmetric cryptography
algorithms, 184–185, 186
creating key pairs, 189–193, 193
decrypting files, 187, 193, 194–195
encrypting files, 187, 193–194, 193
extracting public keys with SecUtil, 101, 101
problems securing key pairs, 151, 155, 173
securing Web data, 278–279
using Certification Authority utility
creating code-signing certificates, 175
digital certificates, defined, 173, 443
distributing root certificates, 175–177, 175–177
getting own certificates, 177–179, 178
making changes in, 175, 175
overview of, 173–174
viewing certificates, 174–175, 174
defined, 6, 36, 172, 442
encrypting and decrypting files
using asymmetric cryptography, 189–195, 193, 278–279
deriving keys from passwords, 195–196
overview of, 187
using symmetric cryptography, 187–189, 189
Web data, 278–279, 282–292
using hash algorithms, 184, 199–200
managing cryptographic classes
choosing creation methods, 179–180
mapping algorithms to, 180–182, 182
mapping OIDs to, 183–184
overview of, 179
overview of, 169, 200–201
passwords and, 172–173
securing Web data
using asymmetric encryption, 278–279
using channel sinks, 279, 282
using internal encryption, 282
laws about, 282
overview of, 278–279
in remoting clients, 288–292
in remoting components, 283–286
symmetric algorithms
defined, 184
DES, 36, 185–186, 442
Rijndael, 185, 186
TripleDES, 185, 186
symmetric cryptography
algorithms, 184–186
decrypting files, 187, 189
encrypting files, 187–189, 189
warning, 188
System.Security.Cryptography namespace, 35–39, 38–39
System.Security.Cryptography.X509Certificates namespace, 196–199, 197
Web sites, 172
CSPs (Cryptographic Service Providers), 178, 179, 191–192, 442
CustomValidator, 269
|