Alik Levin's

Clarity, Technology, and Solving Problems | PracticeThis.com

Authentication Hub

  • Hi Alik

    Regarding SOA - currently only WSE (IMHO) gives a complete solution because it implements OASIS completely.

    The solution mentioned is not complete since it does not protect against replay attacks, HTTP proxy interception, and changing of the message.

  • Anatoly, good points!

    The goal of the "SOA.." post was not to present a complete solution but rather to show authentication (context 1) in an Internet scenario (another narrowing context 2).

    "Complete solution" is too broad a statement, so use the above contexts to narrow it.

    Re WSE - today I try to stay away from it since WCF replaces it.

    Re replay attacks - client certs are one of the strongest authentication mechanisms available.

    Re proxies and tampering - the countermeasure for these would be input validation.

    Imagine that I create a proxy inside the WSE pipeline, or the remoting pipeline like here

    http://blogs.microsoft.co.il/blogs/alikl/archive/2006/11/25/App-Architecture-with-Security-in-mind-_2D00_-Video_2C00_-Part-II.aspx

    or WCF pipeline like here

    http://blogs.msdn.com/alikl/archive/2007/03/04/how-to-hack-wcf-new-technology-old-hacking-tricks.aspx

    So no signature would help to counter these, only good input validation.

    The full story is here: http://msdn.com/SecurityEngineering

  • patterns & practices Security How To's Index ASP.NET 2.0 Security Questions and Answers Tamper detection

  • To quickly set lab environment I use VPC 2007 ( free download ). It really saves me lots of time. For

  • I just finished building another security workshop that covers authentication and identity technologies

  • My answer is "no" . I am working on solution where there is no Windows Active Directory Domain so we

  • Revealing clear text passwords in memory seems to be a trivial task. This post describes how to reveal