http://blogs.msdn.com/alikl/archive/2007/04/11/authentication-hub.aspxWindows Authentication Identity Flow Through Physical Tiers Identity Flow Through Physical Tiers - Impersonation Identity Flow Through Physical Tiers - Delegation Identity Flow Through Physical Tiers - Protocol Transition Certificates Different Ways Toen-USCommunityServer 2.1 SP1 (Build: 61025.2)http://blogs.msdn.com/alikl/archive/2007/04/11/authentication-hub.aspx#2093772Thu, 12 Apr 2007 04:12:32 GMT91d46819-8472-40ad-a661-2c78acb4018c:2093772Anatoly Lubarsky<p>Hi Alik</p> <p>Regarding SOA - currently only WSE (imho) gives complete solution because it implements oasis completely.</p> <p>The solution mentioned is not complete since it does not protect against replay attacks and http proxy interception and changing message.</p>http://blogs.msdn.com/alikl/archive/2007/04/11/authentication-hub.aspx#2095198Thu, 12 Apr 2007 07:02:13 GMT91d46819-8472-40ad-a661-2c78acb4018c:2095198alikl<p>Anatoly, good points!</p> <p>The goal of &quot;SOA..&quot; post was not to present complete solution rather show Authentication (context 1) in internet scenario (another narrowing context 2)</p> <p>Complete solution is too broad statement so use above contexts to narrow.</p> <p>Re WSE - today i try to stay away from it since WCF replaces it</p> <p>Re replay attacks - Client certs are one of the strongest authentication mechanisms available</p> <p>Re proxies and tampering - countermeasure for these would be - input validation.</p> <p>imagie that i create proxy inside the WSE pipeline, or remoting pipeline like here</p> <p><a rel="nofollow" target="_new" href="http://blogs.microsoft.co.il/blogs/alikl/archive/2006/11/25/App-Architecture-with-Security-in-mind-_2D00_-Video_2C00_-Part-II.aspx">http://blogs.microsoft.co.il/blogs/alikl/archive/2006/11/25/App-Architecture-with-Security-in-mind-_2D00_-Video_2C00_-Part-II.aspx</a></p> <p>or WCF pipeline like here</p> <p><a rel="nofollow" target="_new" href="http://blogs.msdn.com/alikl/archive/2007/03/04/how-to-hack-wcf-new-technology-old-hacking-tricks.aspx">http://blogs.msdn.com/alikl/archive/2007/03/04/how-to-hack-wcf-new-technology-old-hacking-tricks.aspx</a></p> <p>So no signature would help to counter these but good input validation</p> <p>the full story is here <a rel="nofollow" target="_new" href="http://msdn.com/SecurityEngineering">http://msdn.com/SecurityEngineering</a></p> http://blogs.msdn.com/alikl/archive/2007/04/11/authentication-hub.aspx#2338667Mon, 30 Apr 2007 15:14:29 GMT91d46819-8472-40ad-a661-2c78acb4018c:2338667alik levin's<p>patterns &amp;amp; practices Security How To's Index ASP.NET 2.0 Security Questions and Answers Tamper detection</p>http://blogs.msdn.com/alikl/archive/2007/04/11/authentication-hub.aspx#2972711Tue, 29 May 2007 21:04:17 GMT91d46819-8472-40ad-a661-2c78acb4018c:2972711alik levin's<p>To quickly set lab environment I use VPC 2007 ( free download ). It really saves me lots of time. For</p>http://blogs.msdn.com/alikl/archive/2007/04/11/authentication-hub.aspx#3011761Thu, 31 May 2007 22:08:24 GMT91d46819-8472-40ad-a661-2c78acb4018c:3011761alik levin's<p>I just finished building another security workshop that covers authentication and identity technologies</p>http://blogs.msdn.com/alikl/archive/2007/04/11/authentication-hub.aspx#4169343Wed, 01 Aug 2007 17:35:19 GMT91d46819-8472-40ad-a661-2c78acb4018c:4169343alik levin's<p>My answer is &quot;no&quot; . I am working on solution where there is no Windows Active Directory Domain so we</p>http://blogs.msdn.com/alikl/archive/2007/04/11/authentication-hub.aspx#6701114Sat, 08 Dec 2007 08:55:44 GMT91d46819-8472-40ad-a661-2c78acb4018c:6701114alik levin's<p>Revealing clear text passwords in memory seems to be a trivial task. This post describes how to reveal</p> http://blogs.msdn.com/alikl/archive/2007/04/11/authentication-hub.aspx#6701519Sat, 08 Dec 2007 09:45:44 GMT91d46819-8472-40ad-a661-2c78acb4018c:6701519Noticias externas<p>Revealing clear text passwords in memory seems to be a trivial task. This post describes how to reveal</p>