Re: Secure single sign on/automatic login?
On 6 Feb, 12:04, Dominick Baier
<dbaier@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx> wrote:
You can leverage the built-in Windows credential manager.

You have to P/Invoke CredUIPromptForCredentials and friends.

Have a look at www.pinvoke.net

-----
Dominick Baier (http://www.leastprivilege.com)

Developing More Secure Microsoft ASP.NET 2.0 Applications (http://www.microsoft.com/mspress/books/9989.asp)

Hi guys!

I need your input on how to solve a problem that we have.
Our company provides a web service, a SaaS.
Our idea is to create a desktop application that can communicate with
the web service using https.
I have written a .NET app in C#, and I need ideas on how I can log in a
user without the user needing to type his username and password each
time.
The idea is that the user inputs his username and password once and
then checks the checkbox to automatically log in. Now the user doesn't
need to input his login details each time the program restarts. My
criterion is that the client should never store the password (clear-text
or encrypted) on the local machine.
This is my idea for a solution.
The user inputs the username and password on the desktop client.
The client sends the login details to the web server, over SSL.
The server verifies the login details and sends back a challenge to
the client, if the username and password were correct.
The client then computes a static value using DAPI. This is how I do
it:
Code Snippet

using System.Security.Cryptography;

// Cached per-user key: created on first use, reopened from the named
// container on later runs.
private static RSA user;

private static RSA GetKey(DataProtectionScope scope)
{
    switch (scope)
    {
        case DataProtectionScope.CurrentUser:
            if (user == null)
            {
                CspParameters csp = new CspParameters();
                csp.KeyContainerName = "DAPI"; // persisted in the current user's key store
                user = new RSACryptoServiceProvider(1536, csp);
            }
            return user;
        default:
            throw new CryptographicException("Invalid scope.");
    }
}

RSA rsaKey = GetKey(DataProtectionScope.CurrentUser);
RSAParameters keyParam = rsaKey.ExportParameters(true); // true: include the private parameters (P, Q, D, ...)

Then I use keyParam.P, which is the private key, as the static value.
And this static value is dependent on the current user that is logged
in to the OS.
I use the static value and the challenge received from the server to
compute a hash value, H(keyParam.P, challenge).
The client sends this value back to the server, and the server will use
this hash value in future authentication.
So from now on, the client needs to compute this hash value at
runtime, each time it wants to access the web service.

I think this is strong enough for authentication. But the only problem
I see with this solution is that the server has no idea what
application is communicating with it. I want the server to only
allow applications signed or certified by us to contact it.
Because the problem I see is that an attacker can create an
imitation of my desktop client and fetch information from the server,
if the user chooses to use the "automatic login" feature.

I hope you guys understand my problem. Any replies will be deeply
appreciated!

Thanks,
/SC
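The challenge/response flow described in the post, written out as an added example (not SC's code): the client derives the static value from the same user-scoped RSA key container as the snippet and uses HMAC-SHA256 as H, and the server stores the enrolled response and compares it in constant time. Note that the enrolled response is a fixed value held by both sides, so it behaves like a long-lived per-installation password rather than a per-session proof. The server-side store, all names, and a .NET 6 on Windows target are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;

// Client side: the "static value" is the private prime P of a user-scoped RSA
// key container (as in the snippet), and H(P, challenge) is HMAC-SHA256.
static class AutoLoginClient
{
    static byte[] StaticValue()
    {
        var csp = new CspParameters { KeyContainerName = "DAPI" };   // container name from the post
        using (var rsa = new RSACryptoServiceProvider(1536, csp))    // Windows CSP: reopens the same key on later runs
            return rsa.ExportParameters(true).P;
    }

    // Computed at enrollment and recomputed on every later start; the client
    // keeps the (non-secret) challenge locally, never the password.
    public static byte[] Response(byte[] challenge)
    {
        using (var h = new HMACSHA256(StaticValue()))
            return h.ComputeHash(challenge);
    }
}

// Server side (assumed design): after username/password succeed over TLS, issue
// one random challenge, store the client's response, then compare on auto-login.
static class AutoLoginServer
{
    static readonly Dictionary<string, byte[]> Expected = new Dictionary<string, byte[]>();
    public static byte[] IssueChallenge() => RandomNumberGenerator.GetBytes(32);
    public static void Enroll(string user, byte[] response) => Expected[user] = response;
    public static bool AutoLogin(string user, byte[] response) =>
        Expected.TryGetValue(user, out var stored)
        && CryptographicOperations.FixedTimeEquals(stored, response); // constant-time compare
}

static class Demo
{
    static void Main()
    {
        byte[] challenge = AutoLoginServer.IssueChallenge();           // sent after the password login
        AutoLoginServer.Enroll("alice", AutoLoginClient.Response(challenge));

        // Program restarts: same user profile, same container, same challenge => same response.
        bool ok = AutoLoginServer.AutoLogin("alice", AutoLoginClient.Response(challenge));
        Console.WriteLine(ok ? "auto-login accepted" : "auto-login rejected");
    }
}
```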

Thank you for your reply!

But the idea is that the user shouldn't be required to authenticate
himself if he has chosen the option "login automatically".
I want to achieve authentication as described above. I think that the
authentication process is secure. But the problem is that an attacker
can impersonate my desktop client, and thus have access to the
web service using the real user's account (if the real user chose to
log in automatically when he got the login dialog).
So is there a way to be sure at the server side that the client
(application) that's trying to connect to the server is actually
certified by the server? In other words, can we identify which
application is trying to connect to the web service?

/SC