In this post, I will go over a few things that application developers should keep in mind as they develop cloud applications using Access Control Service v2. In order for applications to be more secure, everything from your application’s interaction with the user to the data in the backend needs to be more secured. If security is lacking or weak in any one place, the data can be compromised thus rendering the remaining security work futile.

I am presenting below some of the threats that developers need to consider for their applications using the STRIDE methodology.

Threats

Threats related to ACS v2 categorized using STRIDE:

• Identity Spoof. The identity can be stolen as a result of poor credentials management, insecure transfer over the wire, accepting untrusted tokens, or tampering the token.
• Tampering with the token. This can lead to materialization of other threats such as Identity Spoof, Elevation of Privileges, or Denial of Service can be result of failure to tamper proof tokens by, for example, signing them.
• Repudiation. This is the case when user denies action he performed. Can be result of poor logging practices and failure to securely transfer the identity, the token.
• Information Disclosure. In the context of ACS v2, if the information transferred in the tokens considered confidential depending on business requirements then it might be exposed as a result of transferring tokens in clear text over clear unprotected communications, storing tokens on persistent storage in clear or for prolonged period of time to allow brute force attacks to crack the cryptography.
• Denial of Service. One example of denial of service might be the case when the application uses Error URL feature and the error handling page is configured to require authorization – this will result into infinite redirect loop.
• Elevation of Privileges. ACS v2  issues tokens to successfully authenticated users/requests. The token include claims that can be used for authorization. If the claims can be easily tampered the attacker could elevate his privileges.

Following are key security countermeasures that should improve security for your ACS v2 implementation and rise the security bar.

Credentials Protection

For Web applications credentials are usually Username/Password pair. For WCF Services ACS v2 uses the notion or entity of Service Identities which can be either Username/Password, Symmetric key, or X509 Certificate. To learn more consider reading the following resource:

• Service Identities Explained
• How To: Add Service Identities with X509 Certificate, Password, or Symmetric Key

No matter what credentials type you use to authenticate your users/callers there are several guidelines you should consider to follow:

• Do not store credentials.
• If you need to store your credentials – store them encrypted. In case of X509 certificates consider storing them in certificates stores vs. as files.
• Never send credentials over unencrypted traffic, use SSL/HTTPS to protect credentials over the wire.
• Set aggressive but reasonable time-outs for the tokens. The time-outs can be configured when setting Relying party. Consider reviewing Token lifetime section in Relying Party Applications Explained.

Notice though that any communications to and from ACS v2 are performed over SSL/HTTP traffic, but it is solely under your or your identity provider control how the credentials transferred between end users and the identity providers.

Tokens Tamper Proof

Tokens issued by ACS v2 are sent over SSL/HTTPS and also signed either by Keys or X509 Certificates. Consider the following tamper proof measures:

• Token signing
  • Add an X.509 certificate signing credential if you are using the Windows Identity Foundation (WIF) in your relying party application.
  1. Add a 256-bit symmetric signing key if you are building an application that uses OAuth WRAP.
• Token encryption
  • Optionally, Access Control Service can encrypt any SAML 1.1 or SAML 2.0 token issued to a relying party application. Note that encryption is not supported for SWT token types. Access Control Service encrypts tokens using an X.509 certificate containing a public key (.cer file). The token is then decrypted using a private key possessed by the relying party application.
  • ACS can accept encrypted tokens from AD FS 2.0 identity providers. In this scenario, the X.509 certificate with the private key is hosted by Access Control Service. An AD FS 2.0 identity provider then receives the public key for encryption when it imports the WS-Federation metadata from Access Control Service. For more information, see help on Active Directory Federation Services 2.0.

Consider reading the following resources for more information:

• Certificates and Keys Explained
• How To: Configure Trust Between ACS and ASP.NET Web Applications Using X.509 Certificates
• How To: Configure Trust Between ACS and WCF Service Using Symmetric Keys

Also consider reviewing the following resource focusing on security countermeasures for Windows Identity Foundation (WIF):

• Windows Identity Foundation (WIF) Security for ASP.NET Web Applications – Threats & Countermeasures

Related Books

• Programming Windows Identity Foundation (Dev - Pro)
• A Guide to Claims-Based Identity and Access Control (Patterns & Practices) – free online version
• Developing More-Secure Microsoft ASP.NET 2.0 Applications (Pro Developer)
• Ultra-Fast ASP.NET: Build Ultra-Fast and Ultra-Scalable web sites using ASP.NET and SQL Server
• Advanced .NET Debugging
• Debugging Microsoft .NET 2.0 Applications

Related Info

• ACS Error Codes
• Windows Identity Foundation (WIF) and Azure AppFabric Access Control (ACS) Service Survival Guide
• Videos: Windows Azure Security Essentials For Decision Makers, Security Architecture, Access, and Secure Development
• Video: What’s Windows Azure AppFabric Access Control Service (ACS) v2?
• Video: What Windows Azure AppFabric Access Control Service (ACS) v2 Can Do For Me?
• Video: Windows Azure AppFabric Access Control Service (ACS) v2 Key Components and Architecture
• Video: Windows Azure AppFabric Access Control Service (ACS) v2 Prerequisites

The information in this post is based on Windows Identity Foundation Config.xml file that ships with WIF SDK.

<cookieHandler>

<cookieHandler> controls the CookieHandler, which is responsible for reading and writing raw cookies at the HTTP protocol level.

SessionAuthenticationModule uses the cookieHandler to read and write cookies.

MODES:

• Default (default). The same as Chunked.
• Chunked. Uses an instance of the ChunkedCookieHandler class. This cookie handler ensures that individual cookies do not exceed a set maximum size. It accomplishes that by potentially "chunking" one logical cookie into a number of on-the-wire cookies.
• Custom. Uses an instance of a custom CookieHandler-derived class, referenced by the <customCookieHandler> element.

ATTRIBUTES:

• domain. String, default is "".  The domain value for any cookies written.
• hideFromScript. Boolean, default is true. Controls whether the "HttpOnly" flag is emitted for any cookies written. Certain web browsers honor this flag by keeping client-side script from accessing the cookie value.
• name. String, default "FedAuth". Controls the base name for any cookies written.
• path. String, default is HttpRuntime.AppDomainAppVirtualPath. Controls the path value for any cookies written.
• requireSsl. Boolean, default is false. Controls whether the "Secure" flag is emitted for any cookies written. If this value is set, the sign-in session cookies will only be available over HTTPS.
• persistentSessionLifetime. The lifetime of persistent sessions in days. If Zero, transient sessions are always used. Tickets for persistent sessions are stored in file-based cookies, meaning that the sign-in session may continue after the web browser is closed and reopened. The default value is null.

Example:

        <cookieHandler mode="Custom"

                       domain=".example.com"

                       hideFromScript="true"

                       name="FedAuth"

                       path="/"

                       requireSsl="true"

                       persistentSessionLifetime="60">

<chunkedCookieHandler>

<chunkedCookieHandler> may only be present if the cookieHandler/@mode   is Default or Chunked. It controls the ChunkedCookieHandler.

ATTRIBUTES:

• chunkSize. Int32, default is 2000. The maximum size in characters of the HTTP cookie data for any one HTTP cookie. Care must be taken when adjusting the chunk size. Web browsers have different limits on the size of cookies and number per domain. The original Netscape specification stipulated these limits: 300 cookies total, 4096 bytes per cookie header (including  metadata, not just the cookie value), and 20 cookies per domain.

Example:

<chunkedCookieHandler chunkSize="2000" />

<customCookieHandler>

<customCookieHandler> may only be present if the cookieManager/@mode is Custom. It references a custom type which must be derived from CookieHandler. See the comments before the <configuration> element on custom type references.

Example:

<customCookieHandler type="MyNamespace.CustomCookieHandler, MyAssembly" />

Related Books

• Programming Windows Identity Foundation (Dev - Pro)
• A Guide to Claims-Based Identity and Access Control (Patterns & Practices) – free online version
• Developing More-Secure Microsoft ASP.NET 2.0 Applications (Pro Developer)
• Ultra-Fast ASP.NET: Build Ultra-Fast and Ultra-Scalable web sites using ASP.NET and SQL Server
• Advanced .NET Debugging
• Debugging Microsoft .NET 2.0 Applications

Related Info

• Windows Identity Foundation (WIF) Configuration – Part I
• Windows Identity Foundation (WIF) Questions & Answers - Vol. 1
• Windows Identity Foundation (WIF) and Azure AppFabric Access Control (ACS) Service Survival Guide
• Windows Identity Foundation (WIF) Fast Track
• Windows Identity Foundation (WIF) Code Samples
• Windows Identity Foundation (WIF) SDK Help Overhaul