How to enable client-side encryption in CAS - encryption

Are there any internal configs in CAS for client-side encryption on login, or an addon for this function?
Tried searching in https://apereo.github.io/cas/
Found some configs to encrypt passwords in property files only, but not the credentials on form submit.

Related

Is IIS Authentication different from ASP.NET Authentication

I know about the ASP.NET authentication modes (Forms, Windows and Passport), and we have mostly used Forms-based authentication for our web applications. I want to know how IIS takes part in authentication: does it pre-authenticate the request before passing it to ASP.NET? How can I configure IIS authentication?
Very broad topic, but essentially, IIS does not authenticate if anonymous authentication is enabled. This relies on the application to do any required authentication (such as Forms, as you mentioned).
If anonymous is turned off, IIS can authenticate using the following methods:
Basic: credentials passed as an HTTP header with each request
Digest: sort of a more-secure Basic; the password is hashed
Windows: uses the client's Windows credentials to authenticate
Certificate: requires a specific X.509 certificate to be sent by the client
More details: http://technet.microsoft.com/en-us/library/cc733010(v=ws.10).aspx

HTTPS: How do I encrypt _only_ the password _only_ when the user is signing in or registering?

Suppose I have a login web form like the following:
UserId: testuser
Password: ThisIsStrongPwd
[LOGIN] (button)
Now, all I want to do is encrypt the password (using an industry-accepted secure measure) when the user clicks the [LOGIN] button.
I know that SSL will encrypt the entire POST, right?
The steps will be something like:
User types id and password.
User clicks the [LOGIN] button. Info is posted securely to the web server. --- How?
Server-side checks the pwd the user posted against the (hashed) one in the database.
Server returns to the user their default.aspx page or index.htm page or whatever on an UNencrypted (non-SSL) URL.
There is no need for the rest of the session to be encrypted -- and possibly slow.
How would you do this using ASP.NET, for example? Or ASP.NET MVC?
..all I want to do is encrypt the password (using an industry-accepted secure measure) ..
For your use case, SSL is the only industry-accepted secure measure. There are ways to encrypt and send form data from the browser without requiring SSL, such as jCryption, but they are not a replacement for SSL. Read this: Javascript Cryptography Considered Harmful
SSL is used to encrypt the transport layer; it's not a tool to encrypt specific values. All requests and responses for the page are encrypted, which is the point of having the page secure.
You can only send data securely from a page that is secure. If you only encrypted data one way, you would be sending the data from an insecure page. Someone could have intercepted the page and added code to it that steals the password before it's encrypted.
This is not possible in an application where you will accept users you (the server) do not otherwise know. The foundational problem you have is the requirement to share a secret that will enable you to encrypt and decrypt information that no one else can read.
Without a process to negotiate that secret, you cannot communicate securely. Negotiating that secret is one of the key features of SSL/TLS.
It will likely be useful to read up on the history and implementation of TLS to understand why it is necessary to have a fully secure channel. You may also be interested to learn about session jacking, a mechanism by which a third party can "steal" a login token that is exposed outside of an SSL session.

ASP.Net secure Ajax authentication

I want to make my ASP.Net site's authentication seamless using an Ajax call.
So I am considering using Microsoft's client-side authentication service, which should be used via HTTPS because it sends the username and password in plain-text format.
And the problem is that I can't use SSL on my site.
So I found a way to hash data before passing it to the web service, which is described here,
but the problem is that there is a salt in the DB that should be passed to the client for creating the hashed password (that equals the DB-saved password), and this is not safe.
Is there a better way of doing that?
I found a way.
We will use RSA for encrypting the username and password.
In summary, I'll have a web service that creates an RSA keypair and saves it (this key will be regenerated every day to be more secure).
I will have a textbox or hidden field that calls this service and gets the public key.
Then encrypt the username and password with the jCryption library client side and pass them to my authentication service using an Ajax call.
So the server will decrypt them with the private key and then authenticate the user.
I found a way.
Check this out: Secure AJAX Authentication without SSL
Just in case you were looking for an ASP.NET version of jCryption for bi-directional communication, which you mentioned you tried, you can find one on GitHub here: jCryptionNET

ASP.NET SSL Authentication Ticket Security?

I intend to use SSL on the login form so that the username and password are encrypted during user login.
But, after the user has been authenticated, if I return to HTTP, the authentication cookie will be passed from client to server on each request. How safe is this? Obviously I'll use SSL on pages where the user is entering sensitive information, but for most of the time, for performance reasons, I'll just want them to remain authenticated and use HTTP.
I note that if I set RequiresSSL="True" in my forms authentication section in web.config then the authentication cookie is not passed if I use HTTP so I cannot identify the current user.
I guess my question is:
"Is it bad practice to set RequiresSSL="false" and allow the Authentication cookie to pass over HTTP"?
The forms authentication cookie is encrypted and checksummed with the machine key for your server if you set protection="All", so it's not particularly bad to drop back to HTTP.

NTLM authentication using custom (asp.net) form

Is it possible to programmatically authenticate a user using NTLM (on ASP.NET)?
I would like to have control over the look and feel of the website, where I would have a form that users enter their username/password into. I would then query NTLM to validate the provided information and, if valid, redirect them to a virtual directory?
NTLM is the protocol the web browser would talk directly to the web server (e.g. IIS) to authenticate the user, without your application being involved. That's what you want to avoid, because you want to present a "nice" logon form.
So what you need to do is: prompt for the user name and password in a form, and validate these credentials against Active Directory yourself. Here is a Microsoft article describing how to do it in ASP.NET: http://support.microsoft.com/kb/326340/en-us
However, please remember a few points:
Don't forget that, unlike in the case of NTLM, users' passwords will be transmitted in clear text unless you use SSL to publish the web site. You should never allow users to enter their AD password on an unencrypted web site.
If some of your users were automatically authenticated (transparent login, no prompt for a password at all) before, which should be the default behavior in an intranet scenario, these users won't like your login form, no matter how nice it looks...
The default behavior in IIS 6 would be that only pages generated by ASP.NET would be protected; as you would have to configure IIS to allow anonymous requests to the application, static files could be requested by any user.