Web API Security

1. Working with SSL in Web API (HTTPS):

SSL (Secure Sockets Layer) is the standard security technology for establishing an encrypted link between a web server and a browser; its modern successor is TLS, although the name SSL is still widely used. This link ensures that all data passed between the web server and browsers remains private and intact.

SSL Client Certificates:
  • SSL provides authentication by using Public Key Infrastructure certificates. The server must provide a certificate that authenticates the server to the client. It is less common for the client to provide a certificate to the server, but this is one option for authenticating clients. To use client certificates with SSL, you need a way to distribute signed certificates to your users.

Advantages
  • Certificate credentials are stronger than username/password.
  • SSL provides a complete secure channel, with authentication, message integrity, and message encryption.

Disadvantages
  • You must obtain and manage PKI certificates.
  • The client platform must support SSL client certificates.


SAML vs OAuth
Reference: https://www.ubisecure.com/uncategorized/difference-between-saml-and-oauth/

SAML (Security Assertion Mark-up Language) is an umbrella standard that covers federation, identity management and single sign-on (SSO). In contrast, OAuth (Open Authorisation) is a standard for authorising access to resources. Unlike SAML, it doesn't deal with authentication.




2. External Authentication Services with ASP.NET Web API (Google, Facebook, Microsoft Account, Twitter)

The user agent (or web browser in this example) makes a request to a web application, which redirects the web browser to an external authentication service. The user agent sends its credentials to the external authentication service, and if the user agent has successfully authenticated, the external authentication service will redirect the user agent to the original web application with some form of token which the user agent will send to the web application. The web application will use the token to verify that the user agent has been successfully authenticated by the external authentication service, and the web application may use the token to gather more information about the user agent. Once the application is done processing the user agent's information, the web application will return the appropriate response to the user agent based on its authorization settings.

3. OWIN - Open Web Interface for .NET

OWIN defines a standard interface between .NET web applications and web servers, which is used to decouple the server from the application.

  • Token-Based Authentication:
    In simple terms, token authentication is a two-step process:
  • First, the user passes their credentials (username + password) to the authorization server.
  • The authorization server returns a security token if the credentials are correct.

4. Anti-Forgery Tokens
To help prevent CSRF attacks, ASP.NET MVC uses anti-forgery tokens, also called request verification tokens.
  • The client requests an HTML page that contains a form.
  • The server includes two tokens in the response. One token is sent as a cookie. The other is placed in a hidden form field. The tokens are generated randomly so that an adversary cannot guess the values.
  • When the client submits the form, it must send both tokens back to the server. The client sends the cookie token as a cookie, and it sends the form token inside the form data. (A browser client automatically does this when the user submits the form.)
  • If a request does not include both tokens, the server disallows the request.
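
As an added illustration (not code from the original post), the server side of the two-token check described above: one random token goes into the cookie, a second token bound to it goes into the hidden form field, and a submission is accepted only when both arrive and match. The server key is a constructed value, and the ASP.NET MVC field name __RequestVerificationToken is used only as a label.

```python
import hashlib
import hmac
import secrets

# Constructed server secret for this example; a real deployment loads it from
# protected configuration, never from source code.
SERVER_KEY = b"example-anti-forgery-key-not-for-production"
# Cookie and hidden-field name, as used by ASP.NET MVC; kept here only as a label.
TOKEN_NAME = "__RequestVerificationToken"


def form_token_for(cookie_token):
    """Bind a form token to a cookie token with an HMAC under the server key."""
    return hmac.new(SERVER_KEY, cookie_token.encode(), hashlib.sha256).hexdigest()


def issue_tokens():
    """Called when rendering the form: returns (cookie_token, form_token).

    The cookie token is random, so it cannot be guessed; the form token is
    derived from it, so a token taken from some other session will not
    validate against this user's cookie.
    """
    cookie_token = secrets.token_hex(16)
    return cookie_token, form_token_for(cookie_token)


def validate_request(cookies, form_fields):
    """Called on form submission: allow only if both tokens are present and bound."""
    cookie_token = cookies.get(TOKEN_NAME)
    form_token = form_fields.get(TOKEN_NAME)
    if not cookie_token or not form_token:
        return False  # one token missing: the request is disallowed
    # Constant-time comparison avoids leaking the expected value via timing.
    return hmac.compare_digest(form_token_for(cookie_token), form_token)


def demo():
    """Legitimate submission, cross-site submission, and missing form token."""
    cookie_token, form_token = issue_tokens()
    _other_cookie, other_form = issue_tokens()  # a second, unrelated session
    legitimate = validate_request({TOKEN_NAME: cookie_token}, {TOKEN_NAME: form_token})
    # Cross-site POST: the browser attaches this user's cookie automatically, but a
    # third-party page can only supply a form token from a session it controls.
    cross_site = validate_request({TOKEN_NAME: cookie_token}, {TOKEN_NAME: other_form})
    missing = validate_request({TOKEN_NAME: cookie_token}, {})
    return legitimate, cross_site, missing
```
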
5. Enabling Cross-Origin Requests
Cross-Origin Resource Sharing (CORS) is a mechanism that uses additional HTTP headers to let a user agent gain permission to access selected resources from a server on a different origin (domain) than the site currently in use. A user agent makes a cross-origin HTTP request when it requests a resource from a different domain, protocol, or port than the one from which the current document originated.
The CORS mechanism supports secure cross-domain requests and data transfers between browsers and web servers.
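
As an added example (not part of the original post), the allowlist decision a server makes before granting a cross-origin request, covering both the simple case and the preflight (OPTIONS) case: the origin is matched exactly and echoed back rather than reflected or replaced by "*", and unknown origins get no CORS headers at all. The origins, methods and header names are constructed assumptions.

```python
# Constructed allowlists for this example; a real API loads them from configuration.
ALLOWED_ORIGINS = {"https://app.example.com", "https://admin.example.com"}
ALLOWED_METHODS = {"GET", "POST", "PUT", "DELETE"}
ALLOWED_HEADERS = {"content-type", "authorization"}


def cors_response_headers(request_headers, allow_credentials=True):
    """Return the CORS headers to add to the response, or {} to refuse.

    With no CORS headers the browser blocks the cross-origin caller from
    reading the response, so refusing means adding nothing, not an error.
    """
    origin = request_headers.get("Origin")
    if origin not in ALLOWED_ORIGINS:
        return {}  # unknown origin: never reflect it back, never fall back to "*"
    headers = {
        "Access-Control-Allow-Origin": origin,  # exact match from the allowlist
        "Vary": "Origin",  # stop caches serving one origin's answer to another
    }
    if allow_credentials:
        # Browsers reject "*" together with credentials; echoing the exact origin is
        # what makes cookie-carrying cross-origin calls possible.
        headers["Access-Control-Allow-Credentials"] = "true"
    requested_method = request_headers.get("Access-Control-Request-Method")
    if requested_method is None:
        return headers  # simple request, no preflight
    # Preflight: the browser asks in advance whether the real request is permitted.
    if requested_method not in ALLOWED_METHODS:
        return {}
    requested_headers = [
        h.strip().lower()
        for h in request_headers.get("Access-Control-Request-Headers", "").split(",")
        if h.strip()
    ]
    if any(h not in ALLOWED_HEADERS for h in requested_headers):
        return {}
    headers["Access-Control-Allow-Methods"] = ", ".join(sorted(ALLOWED_METHODS))
    headers["Access-Control-Allow-Headers"] = ", ".join(sorted(ALLOWED_HEADERS))
    headers["Access-Control-Max-Age"] = "600"  # seconds the browser may cache this answer
    return headers
```
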

6. Basic Authentication with IIS (Windows Authentication)


7. Forms Authentication

  • If the user is not authenticated, the server returns HTTP 302 (Found) and redirects to a login page.
  • The user enters credentials and submits the form.
  • The server returns another HTTP 302 that redirects back to the original URI. This response includes an authentication cookie.
  • The client requests the resource again. The request includes the authentication cookie, so the server grants the request.


Cryptography Techniques:

Public-key cryptography:

Public key cryptography, or asymmetric cryptography, is any cryptographic system that uses pairs of keys: public keys, which may be disseminated widely, and private keys, which are known only to the owner. This accomplishes two functions: authentication, where the public key verifies that a holder of the paired private key sent the message, and encryption, where only the paired private key holder can decrypt a message encrypted with the public key.
Digital signature: A digital signature (not to be confused with a digital certificate) is a mathematical technique used to validate the authenticity and integrity of a message, software or digital document.


Hash-based Message Authentication Code (HMAC)

Hash-based message authentication code (HMAC) is a mechanism for calculating a message authentication code using a hash function in combination with a secret key. It can be used to verify both the integrity and the authenticity of a message.
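
As an added example that is not from the original post, the two-step token flow from section 3 implemented with an HMAC as described here: the authorization server checks the credentials and issues a token whose claims are protected by an HMAC under a server key, and the resource server later verifies that HMAC before trusting the claims or the expiry. The signing key, demo user store and token layout are constructed assumptions.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed secrets for this example; a real deployment loads them from protected
# configuration. The demo user store holds a plain SHA-256 of the password, where a
# real system uses a slow, salted password hash (PBKDF2, bcrypt, Argon2).
SIGNING_KEY = b"example-hmac-signing-key-not-for-production"
USERS = {"alice": hashlib.sha256(b"correct horse").hexdigest()}


def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(username, password, now=None, ttl=3600):
    """Step 1: the authorization server checks the credentials and returns a token."""
    now = int(time.time()) if now is None else now
    stored = USERS.get(username)
    presented = hashlib.sha256(password.encode()).hexdigest()
    if stored is None or not hmac.compare_digest(stored, presented):
        return None  # wrong username or password: no token
    payload = _b64(json.dumps({"sub": username, "exp": now + ttl}).encode())
    tag = _b64(hmac.new(SIGNING_KEY, payload.encode(), hashlib.sha256).digest())
    return f"{payload}.{tag}"  # token = claims . HMAC(claims)


def verify_token(token, now=None):
    """Step 2: the resource server checks the HMAC, then the expiry; returns the subject or None."""
    now = int(time.time()) if now is None else now
    try:
        payload, tag = token.split(".")
    except ValueError:
        return None  # malformed token
    expected = _b64(hmac.new(SIGNING_KEY, payload.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(expected, tag):
        return None  # claims were altered, or signed under a different key
    claims = json.loads(_unb64(payload))
    if claims.get("exp", 0) <= now:
        return None  # expired
    return claims.get("sub")
```

The HMAC check runs before the claims are parsed, so an altered payload is rejected without its contents ever being trusted.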
