Post on 06-Mar-2020
MEMBERSHIPREBOOT & THINKTECTURE:
THE PARADIGMS TO AUTHENTICATION & AUTHORIZATION
NUR FATIHAH BINTI MAT ALI
BACHELOR OF COMPUTER SCIENCE
(COMPUTER NETWORK SECURITY) WITH HONOURS
UNIVERSITI SULTAN ZAINAL ABIDIN
2019
MEMBERSHIPREBOOT & THINKTECTURE:
THE PARADIGMS TO AUTHENTICATION & AUTHORIZATION
NUR FATIHAH BINTI MAT ALI
BACHELOR OF COMPUTER SCIENCE
(COMPUTER NETWORK SECURITY) WITH HONOURS
FACULTY OF INFORMATICS AND COMPUTING
UNIVERSITI SULTAN ZAINAL ABIDIN
2019
DECLARATION
I hereby declare that this report is based on my original work except for quotations and
citations, which have been duly acknowledged. I also declare that it has not been previously
or concurrently submitted for any other degree at Universiti Sultan Zainal Abidin or other
institutions.
Name : NUR FATIHAH BINTI MAT ALI
Date : ……………………………………..
CONFIRMATION
This is to confirm that:
The research conducted and the writing of this report was under my supervision.
Name : DR.AHMAD FAISAL AMRI BIN
ABIDIN @ BHARUN
Date : ………………………………………
DEDICATION
Praise to Allah, the Most Gracious and the Most Merciful. Alhamdulillah, for blessing
me and giving me the opportunity to undergo and complete this final year project entitled
MembershipReboot & Thinktecture: The Paradigms Of Authentication & Authorization.
Foremost, my greatest appreciation to my loving family especially my beloved mother
that always giving me fully support as well encouragement throughout this project
Here, I would like to take this opportunity to express my heartiest appreciation and
gratitude to my versatile supervisor, Dr. Ahmad Faisal Amri Bin Abidin @ Bharun for the
encouragement, guidance, critics, motivation and also support. Without his continuing
support, this project would not have been the same as presented here. Thank you.
In addition, I would like to thank the panels during my final year project, Dr. Wan
Nor Syuhadah Binti Wan Nikband Dr. Nor Aida Binti Mahiddin for all supportive words,
guidance, advice as well as suggestion in order to make my project a better one. Thank you.
To Faculty of Informatics and Computing, and all lecturers in this faculty, I also
would like to thank you for the chance to expose and explore as a degree student with this
project Last but not least, I would take this chance to thank you to my fellow friends for
everything.
ABSTRACT
Overall, authentication and authorization are two closely related concepts, which are
used to build security mechanism in systems and applications. MembershipReboot is an
identity management library, which performs a large number of authentication-related
functions. As for the Thinktecture, I will use Thinktecture.IdentityModel which is a helper
library for identity and access control which suit the authorization. Its part is including
claims-based authorization which is an approach where the authorization decision to grant or
deny access is based on arbitrary logic that uses data available in claims to make the decision.
For MembershipReboot, an attacker will eventually compromise the database and that we
need to store passwords in a way to make it very hard for attackers to then extract the stored
passwords. For Thinktecture, while historically the solution to that problem has been either
Windows authentication or username/password, this might not hold true anymore. In the
distributed and mobile application landscape, passwords have become an anti-pattern, and
single sign-on, security token services and federation are the prevalent technologies to
achieve a seamless security experience for the users. A simulation on how
MembershipReboot and Thinktecture can be a help in authentication and authorization will
be shown throughout my project. By the end of my project, I will be able to validate and test
the authentication and give out permission right between the user and the service server
involved in a virtual environment.
ABSTRAK
Keseluruhannya, pengesahan dan pengesahan adalah dua konsep yang berkait rapat,
yang digunakan untuk membina mekanisme keselamatan dalam sistem dan aplikasi.
KeahlianReboot adalah perpustakaan pengurusan identiti, yang melakukan sejumlah besar
fungsi berkaitan pengesahan. Bagi Thinktecture, saya akan menggunakan
Thinktecture.IdentityModel yang merupakan perpustakaan pembantu untuk kawalan identiti
dan akses yang sesuai dengan kebenaran. Bahagiannya termasuk kebenaran berasaskan
tuntutan yang merupakan pendekatan di mana keputusan kebenaran memberikan atau
menafikan akses adalah berdasarkan logik sewenang-wenang yang menggunakan data yang
ada dalam tuntutan untuk membuat keputusan. Untuk MembershipReboot, penyerang
akhirnya akan berkompromi pangkalan data dan kami perlu menyimpan kata laluan dengan
cara untuk menjadikannya sangat sukar bagi penyerang untuk kemudian mengekstrak kata
laluan tersimpan. Untuk Thinktecture, sementara sejarah penyelesaian untuk masalah itu
sama ada Windows pengesahan atau nama pengguna / kata laluan, ini mungkin tidak berlaku
lagi. Dalam landskap aplikasi yang diedarkan dan mudah alih, kata laluan telah menjadi
anti-corak, dan satu tanda tangan, perkhidmatan token keselamatan dan persekutuan adalah
teknologi lazim untuk mencapai pengalaman keselamatan yang lancar untuk pengguna. Satu
simulasi bagaimana KeahlianReboot dan Thinktecture dapat membantu dalam pengesahan
dan kebenaran akan ditunjukkan sepanjang projek saya. Menjelang akhir projek saya, saya
akan dapat mengesahkan dan menguji pengesahan dan memberikan hak kebenaran antara
pengguna dan pelayan perkhidmatan yang terlibat dalam persekitaran maya.
CONTENTS
Page
DECLARATION i
CONFIRMATION ii
DEDICATION iii
ABSTRACT iv
ABSTRAK v
CONTENTS vi
LIST OF TABLES vii
LIST OF FIGURES x
LIST OF ABBREVIATION xii
LIST OF APPENDICES xiii
CHAPTER I INTRODUCTION
1.1 Project Background 1
1.2 Problem Statement 2
1.3 Objectives 3
1.4 Scopes of Project 3
1.5 Activities and Milestones 5
1.6 Report Structure 6
CHAPTER II LITERATURE REVIEW
2.1 Introduction 7
2.2 Related Project on Authentication 8
2.2.1 URRSA (proxy-based) 9
2.2.2 LastPass (Password Manager) 10
2.2.3 Kerberos 12
2.2.4 Java 2 Platform Enterprise Edition (J2EE) 12
2.3 Related Project on Authorization 13
2.3.1 Virtual Organization Membership Service (VOMS) 15
2.3.2 Access Control List (ACL) 15
2.3.3 Kerberos 16
2.4 Expected Result 17
2.5 Summary 17
CHAPTER III METHODOLOGY
3.1 Introduction 19
3.2 Analysis Study of Process Model 19
3.3 Methodology Review 20
3.4 Requirement Analysis 23
3.4.1 Software Requirement 23
3.4.2 Hardware Requirement 24
3.5 System Design 24
3.5.1 Architecture of the MembershipReboot 24
And Thinktecture
3.5.2 Framework of the MembershipReboot 25
And Thinktecture
3.5.3 Data Model 27
3.5.4 Proof of Concept 30
3.6 Summary 33
REFERENCES 34
LIST OF TABLES
TABLE TITLE PAGE
2.1 Concern of each Authentication Technique 8
2.2 Concern of each Authorization Technique 13
LIST OF FIGURES
FIGURE TITLE PAGE
3.1 Flow of the Research (MembershipReboot) 20
3.2 Flow of the Research (Thinktecture) 22
3.3 Architecture of MembershipReboot and Thinktecture 25
3.4 Framework of how MembershipReboot and Thinktecture work 26
3.5 Data Model of Entities Involve 28
3.6 Sequence diagram of the authentication of MembershipReboot and the 29
authorization of Thinktecture
3.7 Create a new project in Visual Studio 30
3.8 Setup a NuGet to bring down MembershipReboot 30
3.9 SQL script to create our database (tables) 31
3.10 Hyperlink to navigate to Create New User 31
3.11 Action method 32
3.12 Override method CheckAccess 32
LIST OF ABBREVIATIONS/ TERMS/ SYMBOLS
ACL Access Control List
DLL Dynamic Link Library
J2EE Java 2Enterprise Edition
MVC Model View Controller
RP Resource Provider
SS Service Server
URL Uniform Resource Locator
VO Virtual Organization
VOMS Virtual Organization Membership Service
CHAPTER I
INTRODUCTION
1.1 Project Background
Computer network have been the target of malicious. And thus, the key of computer
networks for security is lying within its network design. It is vital for us to ensure that the
network design can secure the transmission of the data from being intercept and the data may
be compromise [27]. Based on the title of my Final Year Project, authentication and
authorization are two closely related concepts, which are used to build security mechanism in
systems and applications. Authentication is a concept to verify who you say you are? On the
other hand, authorization is to determine or decide whether you have any permission to
access the resources or not.
MembershipReboot is an identity management library, which performs a large
number of authentication-related functions. One of the main features is to manage, store and
validate passwords for user accounts. It also manages other account related data such as
username, email, mobile phone number, claims, certificates, and external identity providers
(such as Google and Facebook). MembershipReboot has a decoupled design of the security
code from the persistence of the account data. Hence, application developers can either use an
existing database implementation or build their own [7].
As for the Thinktecture, I will use Thinktecture.IdentityModel which is the successor
to the very popular Thinktecture.IdentityModel.45 repository. The new IdentityModel is a
helper library for identity and access control which suit the authorization. Its part is including
claims-based authorization which is an approach where the authorization decision to grant or
deny access is based on arbitrary logic that uses data available in claims to make the decision
[12].
1.2 Problem Statement
Most of the techniques used in authentication and authorization system will be able to
secure the data of the users very securely with many other functions that will surely enable
the users to manage their account with what they want. Thus, on the finding, most methods
used are unable to fulfil these requirements. Hence, this inability will be filling with as
follows:
MembershipReboot
i. An attacker will eventually compromise the database and that we need to store
passwords in a way to make it very hard for attackers to then extract the stored
passwords.
Thinktecture
i. While historically the solution to that problem has been either Windows
authentication or username/password, this might not hold true anymore. In the
distributed and mobile application landscape, passwords have become an anti-pattern,
and single sign-on, security token services and federation are the prevalent
technologies to achieve a seamless security experience for the users.
ii. User’s access rights/privileges to resources based on the authorization level.
1.3 Objectives
There are three objectives that need to be achieved in this project. The objectives are
as follows:
a) To study on MembershipReboot and Thinktecture as a paradigms of security in
authentication and authorization domains.
b) To configure and implement MembershipReboot as well as Thinktecture
IdentityModel accordingly in order to secure user’s data and connection.
c) To test the functionality of MembershipReboot and Thinktecture in computer system
settings.
1.4 Scopes pf Project
This project will focus more on configuring and implementing the network
authentication and authorization by using MembershipReboot and
Thinktecture.IdentityModel techniques. First, in the preliminary step for authentication, I will
be using Forms authentication. Thus, get started with MembershipReboot using ASP.NET
MVC 4 Web Application in the Visual Studio 2017. As MembershipReboot has a Nuget
package, use Nuget to bring down the MembershipReboot DLL. Besides, I will choose a
SQL Server 2014 database [19].
Next, to get started authorization with the Thinktecture.IdentityModel, I will bring
down it with the Nuget too [19]. For all of these, a strong wireless network or data
connectivity is needed in order to download all the requirement package installers into the
servers involved. After the implementation of the MembershipReboot and Thinktecture, the
authentication and the authorization will then be tested by using a sniffing tool such as
Wireshark and the result will be shown in order to achieve the objectives of the project.
i. Modify and implement MembershipReboot and Thinktecture techniques based on
computer system drafting.
ii. Integrating Membership Reboot and Thinktecture to function as the first defence
against a data breach.
iii. Develop a computer system such as a web application system which has integral part
of Thinktecture & Membership.
iv. To test the techniques by using hacking tools in live hacking demo.
1.5 Activities and Milestone
ACTIVITY/WEEK 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15
Topic Discussion &
Determination
Project Title
Proposal
Introduction
Literature Review
Presentation
Methodology
Draft Report
Submit Draft
Report
Seminar
Presentation &
Evaluation
Final Report FYP
Gantt chart 1.1: Activities and Milestones FYP 1
1.6 Project Structure
This thesis consists of five chapters. The first chapter focuses on the project
background, problem statements, objectives, scopes of project and activities and milestones.
Chapter two is a review of all related study regarding to this project. In chapter three, the
methodology will be discussed including the methods and techniques used for the developing
this application. In this chapter also will discuss the expected results through the data model
and design. In chapter four, will be explained about implementation and testing process that
has been run in this project. The last chapter is conclusion and results are presented.
CHAPTER II
LITERATURE REVIEW
2.1 Introduction
In the literature review, I will explore the current and past landscape of user
authentication and authorization on the web. I begin by considering the needs of key
stakeholders involved (such as users and service providers) as well as the attackers’
capabilities and the threat model they create. I demonstrate how providing usable and
practical authentication and authorization for users and service providers creates non-trivial
challenges in the face of trying to build security against attackers. I then analyse the merits
and shortcomings of a number of previous approaches for providing usable, practical, and
secure user authentication and authorization.
2.2 Related Project on Authentication
Table 2.1 shows the concern of different authentication techniques that already exists.
Technique Remarks Concern
URRSA (proxy-
based) [4] by Alexei Czeskis
- At registration time, the user prints out a
sheet of one-time-codes. The codes are the
passwords encrypted under the n different
keys.
- To authenticate to the proxy and to
indicate to which site the user wants to
authenticate, the user chooses the next
unused code off their sheet in the
appropriate group.
- If the proxy is
compromised, then
security for multiple
sites could be
compromised.
- If the proxy
becomes
unavailable, the
user is prevented
from accessing any
of his accounts.
LastPass (Password
Manager) [4] by Alexei
Czeskis
- Offers advanced options such as using
two-factor authentication mechanisms
(e.g., hardware tokens). –
- The ability to auto-generate passwords
during account creation on websites.
- Users are still
vulnerable to
phishing as
attackers can ask
users to copy paste
the password into a
web form. (user can
view password)
- master password
Java 2 Platform Enterprise
Edition (J2EE) [3] by Richard A.
Backhouse
− Asynchronous Java
Script and XML
(AJAX).
- Form-based authentication.
- To functionally execute the necessary
steps for redirecting an AJAX client
request to an authentication required
servlet, issuing an AJAX response to
the client, authenticate the user security
credentials, and process the client
request for secure data.
Kerberos [1] by S. P. Miller et al - To prevent fraudulent connection
requests.
- To support both one-way and mutual
authentication of principals to the
granularity of at least an individual
user and specific service instance.
-
Table 2.1: Concern of each Authentication Technique
2.2.1 URRSA (proxy-based)
With URRSA, each of the user’s passwords is stored n times, encrypted with n
different keys. At registration time, the user prints out a sheet of one-time-codes. The
codes are the passwords encrypted under the n different keys. The codes are organized
into groups — each group represents a username / password combination that the user
originally registered. In order to authenticate to the proxy and to indicate to which site
the user wants to authenticate, the user chooses the next unused code off their sheet in
the appropriate group. The proxy decrypts the code and then forwards the password to
the appropriate site
Analysis: This proxy-based approach does a good job of protecting users against
authenticating from untrusted devices. The proxy-based approach allows users to type
their passwords less often. However, with URRSA, users end up typing one-time
codes instead. Furthermore, if the proxy is compromised, then security for multiple
sites could be compromised. Since passwords are still used under the hood by the
proxy to authenticate to web services, this approach is still vulnerable to a man-in-the-
middle attacker between the proxy and the web service. This approach also creates a
single point of failure — if the proxy becomes unavailable, the user is prevented from
accessing any of his accounts. Furthermore, this approach changes the user experience
during the authentication flow. To our knowledge, neither proxy-based approach is
deployed on the general internet.
2.2.2 LastPass (Password Manager)
Password Managers help users overcome this usability barrier by (as their
name implies) storing and managing users’ passwords. Most major browsers (such as
Mozilla Firefox, Google Chrome, and Microsoft Internet Explorer) offer to remember
and auto-complete user generated passwords [20, 21, 22]. Some browsers (e.g.,
Chrome and Firefox) support syncing password data across different computers,
allowing users to freely move between different devices without fear of losing access
to their passwords. The syncing is done through the service provider’s servers and
requires users to provide a “master” password. Additionally, browser-based password
managers allow users to view their stored passwords — a really useful feature as users
can forget their passwords since users no longer have to type them.
Besides in-browser password managers, several third-party password
managing applications exist — of which LastPass [23] is currently the most
prominent. LastPass supports installation on the top five browsers, across the three
most popular operating systems, and on all of the popular mobile phone platforms.
Like the in-browser password managers, LastPass records, auto-completes, and syncs
users’ passwords across devices. LastPass also offers advanced options such as using
two-factor authentication mechanisms (e.g., hardware tokens) and the ability to auto-
generate passwords during account creation on websites.
Analysis: Password managers help users with keeping track of all their passwords.
With the recent advances in cross-platform password syncing and storing passwords
in the cloud, users are no longer “locked out” of their accounts as they move from
device to device. Since password managers don’t change the low level way in which
users authenticate to web services (with passwords), they require no server-side
changes — making password managers very deployable.
However, user studies have shown that users are uncomfortable with
relinquishing control over their passwords [28]. Furthermore, since most password
managers allow users to view their passwords, users are still vulnerable to phishing as
attackers can ask users to copy paste the password into a web form. Password
managers that sync passwords through the cloud are secured using a master password.
If this password leaks, so do all of the users’ other passwords. Finally, password
managers do nothing to stop man-in-the-middle attacks.
2.2.3 Kerberos
The basic approach for Kerberos authentication is the following: to use a
service, a client must supply a ticket previously obtained from Kerberos. A ticket for a
service is a string of bits with the property that it has been enciphered using the
private key for that service. That private key is known only to the service itself and to
Kerberos. As a result of that property, the service can be confident that any
information found inside the ticket originated from Kerberos. As will be seen,
Kerberos will have placed the identity of the client inside the ticket, so the service that
receives a ticket has a Kerberos-authenticated opinion of the identity of the client. To
help ensure that one user does not steal and reuse another user’s tickets, the client
accompanies the ticket with an authenticator, explained later. (In addition, tickets
expire after a specified lifetime, which is usually on the order of several hours.)
The client obtains a ticket by sending a message to Kerberos naming the
principal identifier of the desired service, the principal identifier of the (alleged)
client, and mentioning the current time of day. Anyone could send such a message or
intercept its response; that response, however, is usable only to the client named in the
original request, because Kerberos seals the response by enciphering it in the private
key of that client. The response contains three parts: the ticket (which itself is further
sealed in the private key of the service), a newly-minted key for use in this client-
server session, and a timestamp issued by the Kerberos server.
2.2.4 Java 2 Platform Enterprise Edition (J2EE)
The apparatus for AJAX form-based authentication using J2EE is provided
with a plurality of modules configured to functionally execute the necessary steps for
redirecting an AJAX client request, issuing an AJAX response to the client,
authenticating the user security credentials, and processing the client request. These
modules in the described embodiments include a redirection module, a response
module, an authentication module, and a processing module.
The redirection module, in one embodiment, redirects an AJAX client request
to an authentication required servlet in response to detecting a client request for
secure data. Also, the response module may issue an AJAX response to the client, the
AJAX response directing the client to obtain user security credentials. In addition, the
client may prompt a user for the user security credentials independent of a server-
based security credential form. Also, the authentication module may authenticate the
user security credentials using a web container authentication service, the user
security credentials received by way of an AJAX form-based authentication request.
Finally, the processing module may process the client request for secure data in
response to a positive authentication of the user security credentials.
2.3 Related Project on Authorization
Table 2.2 shows the concern of different authorization techniques that already exists.
Technique Remarks Concern
Virtual Organization
Membership Service
(VOMS) [5] Alfieri R. et al
- Virtual Organization (VO): abstract
entity grouping Users, Institutions
and Resources (if any) in a same
administrative domain
- Resource Provider (RP): facility
- main difficulty is to
clearly separate these two
roles
offering resources (e.g. CPU,
network, storage) to other parties
(e.g. VO’s), according to specific
“Memorandum of Understanding”
Access Control List
(ACL) [2] Chate A. B et al
- To supervise all packets of
incoming and outgoing packets.
- May possibly permit users with
larger access control lists to still
make use of such devices
- size of access control lists
has developed noticeably
due to an augment in
Internet applications in
addition to an enhance in
identified vulnerabilities
and attacks
Kerberos [1] by S. P. Miller
et al
- To allow different services to
implement different authorization
models
- To allow those authorization models
to assume that authentication of user
identities is reliable.
Table 2.2: Concern of each Authorization Technique
2.3.1 Virtual Organization Membership Service (VOMS)
– Virtual Organization (VO): abstract entity grouping Users, Institutions and
Resources (if any) in a same administrative domain;
– Resource Provider (RP): facility offering resources (e.g. CPU, network, storage)
to other parties (e.g. VO’s), according to specific “Memorandum of
Understanding”.
From the authorization point of view, a grid is established by enforcing
agreements between RP’s and VO’s, where, in general, resource access is controlled
by both parties with different roles, and indeed the main difficulty is to clearly
separate these two roles. To solve this apparent dualism, we can classify the
authorization information into two categories:
i. General information regarding the relationship of the user with his VO: groups he
belongs to, roles he is allowed to cover and capabilities he should present to RP’s
for special processing needs;
ii. Information regarding what the user is allowed to do at a RP, owing to his
membership of a particular VO.
2.3.2 Access Control List (ACL)
Access control lists are organized at every points of entry connecting a
concealed network and the outside Internet to supervise all packets of incoming and
outgoing packets. A packet can be imagined as a tuple with a limited number of fields
for instance IP addresses and port numbers of source/destination, and the type of
protocol. In an access control list, each rule has a predicate over header fields of
several packets and a decision to be carried out upon the packets that equivalent the
predicate. A rule that scrutinizes fields of d-dimensional can be analyzed as a d-
dimensional entity. Real-life access control list are naturally four dimensional over
fields of four packets such as: IP address of source, destination, port number of
destination and type of protocol [26].
Several network products have solid constraints on the rules that they
hold up. Because access control lists are measured confidential due to concerns of
security, it is tricky to obtain an outsized sample of real-life access control lists [24].
Compression of access control lists may possibly permit users with larger access
control lists to still make use of such devices and this may turn out to be an
increasingly vital concern intended for many users as size of access control lists has
developed noticeably due to an augment in Internet applications in addition to an
enhance in identified vulnerabilities and attacks [25].
2.3.3 Kerberos
Authentication can imply a coarse-grained authorization—for instance; some
services may allow anyone who can be reliably authenticated by the local Kerberos to
use the service. In cases where more selective authorization is needed, the goal of
Kerberos is to allow different services to implement different authorization models,
and to allow those authorization models to assume that authentication of user
identities is reliable.
The Kerberos authentication model provides only a certification of the identity
of a requesting client; by itself it provides no information as to whether or not that
client is actually authorized to use the service. There are three forms in which
authorization could be integrated with the Kerberos authentication model:
i. The Kerberos database could also contain authorization information for each
service, and issue service tickets only to authorized users of each service.
ii. A separate authorization service could maintain authorization information by
keeping access lists for each service and allowing the client to obtain sealed
certification of list membership. The client would present that certification, rather
than a Kerberos ticket, to the ultimate service.
iii. Each service could maintain its own authorization information, with the optional
help of a service that stores shared public lists and provides certification of public
list membership.
2.4 Expected Result
i. The user’s credential is more secure (secure connection)
ii. The principle (user) will only get on resources based on what type of authorization he/she
have. (avoid data leaks)
2.5 Summary
Based on my reading towards some researches on the authentication and authorization
techniques, it can be said that a pragmatic way to secure the password authentication and data
authorization between entities involved is by using the MembershipReboot for authentication
and Thinktecture.IdentityModel for authorization. It is because MembershipReboot and
Thinktecture provide more advantages respectively, besides having the least drawbacks. To
summarize, the MembershipReboot and Thinktecture acts as two difference medium that
integrate together where both of this techniques provides the two factor authentication and
determine the authorization level of each user based on the claims.
CHAPTER III
METHODOLOGY
3.1 Introduction
This chapter covers the detail explanations on the methodology used in this project.
The methodology being used to ensure that the implementation of this project can fulfil the
objectives and thus make sure that the systems or techniques can be developed successfully.
Therefore, after considering pros and cons of several different system model or techniques
available, the iterative and incremental flow chart model have been choosing. The details
about this iterative model will be explained in this chapter.
3.2 Analysis Study of Process Model
The development and testing processes of the iterative methodology will be
completed on each stage. This model is less costly when it comes to changing the scopes and
requirements. By using this method, it will be easier to test and debug during small iterations.
3.3 Methodology Review
Figure 3.1: Flow of the Research (MembershipReboot)
Figure 3.1 shows roughly step-by-step to complete the authentication part, in this
mean part of the MembershipReboot. Firstly, installation of Microsoft Visual Studio 2017
and Microsoft SQL Server Database is a must as I will do the background work on both this
software. I need to make sure that both of this software is compatible with the device (laptop)
that I will be using.
After that, I will create a new project in Visual Studio 2017, using the project
template for an ASP.NET MVC 4 Web Application. As MembershipReboot has a Nuget
package, I will use it to bring down the MembershipReboot DLL, (.dll) file which contains a
library of functions and other information that can be accessed by a Windows program. When
Start
Installation of Microsoft Visual Studio 2017 and Microsoft SQL
Server 2014 databse
Create a new project in Visual Studio 2017, using the project template for an
ASP.NET MVC 4 Web Application
Use Nuget package to bring down the
MembershipReboot DLL.
Create tables in the Microsoft SQL
Server 2014 database by running the SQL
scripts in it.
Create a user using SQL stetements in front-end (perform the proper hashing
for password)
Configuring Web.config for
MembershipReboot
Set up the Session Authentication
Module (SAM) and add it into
Web.config
Continue to Thinktecture
a program is launched, links to the necessary .dll files are created. Then, have it referenced in
my project.
As I already install the Microsoft SQL Server database as my data store, I will create
tables in it as part of the database. To create those tables is by run the SQL scripts that then
will create two tables which are UserAccounts and UserClaims. Now, I need to add a user to
the database. To make sure that the user’s password is hashed properly, we need to create a
user using SQL statements in front-end. With a quick tour, I will complete the form to add
the user.
Now, I have create a SQL Server database and created an ASP.NET MVC 4 project
with the MembershipReboot library added to the solution via NuGet. Next, I need
configuring Web.config for MembershipReboot. So I need to configure the application to use
Form Authentication for authentication and configure MembershipReboot. First, remove the
default membership provider in the Web.config file. Second, I adding the ConnectingString
for the database to connect to the database I have created, to store the authentication
information. This configuring going until I configure the behaviour of the
MembershipReboot which has long list including allowAccountDeletion and
emailIsUsername.
Then, set up the Session Authentication Module (SAM) and add it into Web.config.
SAM enables us to persist the authentication credentials across http requests. After finishing
the authentication part, I will continue to authorization part with Thinktecture.
Figure 3.2: Flow of the Research (Thinktecture)
Figure 3.2 shows roughly step-by-step to complete the Thinktecture part for
authorization. Firstly, I need to bring down Thinktecture.IdentityModel using NuGet
package. Then, to demonstrate how I can externalise the authorization logic, I need to write a
class which inherits from ClaimsAuthorizationManager, which lives in the
System.Security.Claims namespace. There is a method called CheckAccess which need to
override. The advantage of this approach to authorization is that I can perform any kind of
checks I want. I can go to data store for data that determines the permission rights or access
control for a scenario.
After that, I will create a Messenger constant in a class called CustomClaimTypes
which has the following value: “http://dave.com/ws/identity/claims/messenger “. Just as i
making up the claim, I can make up URL. That is all the ClaimTypes constant resolve to
Continue from MembershipReboot
Use Nuget package to bring down the
Thinktecture.IdentityModel
Externalise the authorization logic: Write a class and override method
CheckAccess (in Web.config)
Create a Messenger constant in a class
CustomClaimTypes
Add that claim to the UserClaims tables in
the database.
Testing and evaluation of MembershipReboot and
Thinktecture will be done in the real world setting
End
(URL strings). So, now I need to that claim to the UserClaims table in the database created
earlier.
Lastly, the testing and evaluation of the MembershipReboot and Thinktecture will be
done in the real world settings. The testing will be done by using sniffing tool such as
Wireshark to try to intercept the transmission and gain the password.
3.4 Requirement Analysis
In making the development and implementation of my project become successful,
project analysis needs a few requirements. There are two main elements that are used in this
project which is software and hardware requirements.
3.4.1 Software Requirement
For this project, software requirements are as follows:
i. Microsoft Word 2010
ii. Microsoft Office PowerPoint 2010
iii. Windows 10
iv. Microsoft Visual Studio 2017
v. Microsoft SQL Server 2014 database
vi. NuGet package (MembershipReboot, Thinktecture.IdentityModel)
vii. Wireshark Window-64 bits version 2.2.5
3.4.2 Hardware Requirement
For this project, hardware requirements are as follows:
i. Laptop (Hewlett-Packard, 4GB RAM, CPU 1.60GHz, x64-based processor)
ii. Mouse
iii. Printer
3.5 System Design
In system design, all the process that defines the architecture and proof of concept for
the project development is explained to specify specified requirement. The framework of the
overall project is designed and defines them in specific model by using data model.
3.5.1 Architecture of the MembershipReboot and Thinktecture
The architecture of the MembershipReboot and Thinktecture below shown
that there are a few components that related to each other which were the Client
(User), MembershipReboot, Thinktecture, Databases and Service Server. Each of the
components has its own function.
Generally, the User is the client that needs to use the service for example the
File Server as the service server. The File server will act as the server that provides
services. For authentication phase, the MembershipReboot will authenticate the user
based on the information from Web.config, SQL Server Database and Windows
directory. Then, user will be authenticated. As for the authorization phase, the system
will create the cookie after user authenticated, and in the cookie itself will contain the
Claim Type, which consists of permission right or access control of the authenticated
user. The claim is made based on the information in the database. After that, the user
can now request for the service from the File server.
Figure 3.3: Architecture of MembershipReboot and Thinktecture
MembershipReboot
Web.config, SQL Server Database & Windows directory
Thinktecture File Server Client
3.5.2 Framework of the MembershipReboot and Thinktecture
Figure 3.4: Framework of how MembershipReboot and Thinktecture works
There are a few things to remember which are five parties will be involved in
this process overall. The five parties are the Client, MembershipReboot, Thinktecture,
databases and service server. By means, Client is the user who wants to access or
request the service, the MembershipReboot which used for the authentication, the
Thinktecture which used for the authorization, database which consists of
Web.config, SQL Server Database and Windows directory while the Service server is
the actual resource which we want to access,
10. Give service
9. Request Service
3. Confirm validation
2. Get validation 1. Get authentication
4. Client Authenticated
8. Access Control determined
6. Get Claim Type
5. Get Access Control
Client
Membership-Reboot
Thinktecture
Web.config
Windows Dir.
SQL Server Db
Service Server
7. Claim Type
On how the MembershipReboot and Thinktecture work, the Client will
be the first one to start the initiation. The Client wants to access the Service server in
the network, but he or she is not an authenticated user at first. Client will get or
request authentication by the MembershipReboot, by entering the username and
password. To authenticate the Client, Membership will validate the user credentials
based on UserAccounts in the databases. After MembershipReboot confirm the
validation, it will authenticate the Client.
The client then gets the access control or permission right from the
Thinktecture to do things after authenticated. Next the Thinktecture will get the Claim
Type for that client based on the table UserClaims in the database. After get the Claim
Type of the Client, Thinktecture will determine the access control of the Client. After
the Client gets both authentication and authorization, the Client then will request
service from the Service server and service server in return will grant the request.
3.5.3 Data Model
Sequence diagram is used to show the sequence overall of the project. The
process starts from the Client (User) which will be authenticated by the
MembershipReboot and will be authorized by the Thinktecture.IdentityModel based
on the information and claims from Web.config, SQL Server Database and Windows
directory before the transmission process to Service Server (SS). Figure 3.5 roughly
show the data model of entities involves besides the MembershipReboot and
Thinktecture while Figure 3.6 shows the sequence diagram of the MembershipReboot
and Thinktecture.
Figure 3.5: Data Model of Entities Involve
User enters userID
and password
Create a ticket User enters userID
and password
Web.config
Windows directory
SQL Server Database
Yes
1. Permission right determined
Validate user from:
No
MembershipReboot
Thinktecture
Service
Server
Is the user Valid?
Figure 3.6: Sequence diagram of the authentication of MembershipReboot and the
authorization of Thinktecture
Client MembershipReboot Thinktecture
SS
Web.config, SQL Server Database & Windows directory
Authenticate
Get Validation based
Confirm Validation Get
authenticated
Get Permission right Get Claim Type
Permission right determined
Service request
Service
Phase 1
Phase 2
Claim Type
3.5.4 Proof of Concept
Figure 3.7 shows the MVC (Model-View-Controller) architecture that I use in ASP.NET
Web Application to create a new project for MembershipReboot.
Figure 3.7: Create a new project in Visual Studio
Figure 3.8 shows the Web API to start setup NuGet to bring down the MembershipReboot as
I will not using the Membership provider provides in ASP.NET itself.
Figure 3.8: Setup a NuGet to bring down MembershipReboot
Figure 3.9 shows the first step in creating two tables which are UserAccounts and
UserClaims after installing the SQL Server Database.
Figure 3.9: SQL script to create our database (tables)
Figure 3.10 shows the codes to build URL which will navigate to Create New User after I run
it.
Figure 3.10: Hyperlink to navigate to Create New User
Figure 3.11 shows the codes in Action Method in ClaimsAspMvc that inherit from class in
MembershipReboot, where I will incorporate claims-aware authorization
Figure 3.11: Action method
Figure 3.12 shows the method called CheckAccess which I need to override so that I can
perform any kinds of checks I want.
Figure 3.12: Override method CheckAccess
3.6 Summary
In this chapter, the methodology of this project is explained. The flow of this project
is being shown in the framework and detailed view of how the whole system works is display
on the data model. Therefore, the requirements of the project are being shown in perfect order
and can carry out the minimum error.
REFERENCES
1. Kerberos Authentication and Authorization System (1988) by S. P. Miller , B. C.
Neuman , J. I. Schiller , J. H. Saltzer
2. Access Control List Provides Security in Network by Chate A. B , Chirchi V. R
3. Asynchronous java script and XML (AJAX) form-based authentication using java 2
platform enterprise edition (J2EE) by Richard A. Backhouse, Apex, NC (US)
4. Practical, Usable, and Secure Authentication and Authorization on the Web by Alexei
Czeskis, University of Washington (2013)
5. Alfieri R. et al. (2004) VOMS, an Authorization System for Virtual Organizations. In:
Fernández Rivera F., Bubak M., Gómez Tato A., Doallo R. (eds) Grid Computing.
AxGrids 2003. Lecture Notes in Computer Science, vol 2970. Springer, Berlin,
Heidelberg
6. Limitations of the Kerberos Authentication System S.M. Bellovin * smb@ulysses.att.
corn M. Merrit t mischu@allegra. att. corn AT&T Bell Laboratories Murray Hill,
New Jersey 07974
7. (https://github.com/brockallen/BrockAllen.MembershipReboot/wiki/General-Design)
Brock Allen, 2013.
8. (https://github.com/IdentityServer/IdentityServer3.MembershipReboot) Brock Allen,
2015.
9. Peter Mbanugo, 2016, https://www.pluralsight.com/guides/implementing-simple-
oauth-server-with-katana-and-membershipreboot
10. (https://cedric-dumont.com/tutorials/identityserver-v3-membershipreboot-angularjs
webapi-2-and-mvc-mix-it-introduction/identityserver-v3-membershipreboot-
angularjs-webapi-2-and-mvc-mix-it-part-1/) Cedric Dumont.
11. (https://www.techopedia.com/definition/342/authentication)
12. (https://github.com/IdentityModel/Thinktecture.IdentityModel) Dominick Baier, 2016
13. M. Reiter and S. Stubblebine. Authentication metric analysis and design. Trans. on
Inf. and Syst. Sec., 2(2), May 1999.
14. D.W. Davies and W.L. Price, Security for Computer Networks, John Wiley & Sons
(1989). Second Edition.
15. D. Davis and R. Swick, Workstation Services and Kerberos Authentication at Project
Athena, MIT Laboratory for Computer Science Technical Memorandum 424
(February 1990).
16. J. Kohl, B. Clifford Neuman, and J. Steiner, The Kerberos Network Authentication
Service, MIT Project Athena (November 6, 1989). Version 5, Draft 2
17. J. Steiner, C. Neuman, and J.I. Schiller, "Kerberos: An Authentication Service for
Open Network Systems, " in Proc. Winter USENIX Conference, Dallas (1988).
18. Andrew Bortz, Adam Barth, and Alexei Czeskis. Origin Cookies: Session integrity for
web applications. In Web 2.0 Security and Privacy (W2SP), 2011.
19. David Rogers Dev. 2013,Claim-Based Authentication and Authorization
20. Google Chrome. Manager your website passwords, 2013.
http://support.google.com/chrome/bin/answer.py?hl=en&answer=95606.
21. Microsoft Corporation. Fill in website forms and passwords automatically, 2013.
http://windows.microsoft.com/en-us/windows7/fill-in-websiteforms-and-passwords-
automatically
22. Mozilla Support. Password manager - remember, delete and change saved passwords
in Firefox, 2013. http://support.mozilla.org/en-US/kb/password-managerremember-
delete-change-passwords.
23. Last Pass. LastPass password manager homepage, 2013. https://lastpass.com.
24. Y.-W.E. Sung, X. Sun, S.G. Rao, G.G. Xie, and D. A. Maltz, “Towards Systematic
Design of Enterprise Networks,” IEEE Trans. Networking, vol. 19, no. 3, pp.695-708,
June 2011.
25. A.X. Liu and M.G. Gouda, “Complete Redundancy Detection in Firewalls,” Proc.
19th Ann. IFIP Conf. Data and Applications Security, pp. 196-209, Aug. 2005
26. A.X. Liu, Y. Zhou, and C.R. Meiners, “All-Match Based Complete Redundancy
Removal for Packet Classifiers in TCAMs,” Proc. IEEE INFOCOM, Apr. 2008.
27. M. W. Youssef et al. (March 2012), Securing Authentication of TCP/IP Layer Two
By Modifying Challenge-Handshake Authentication Protocol, Advanced Computing:
An International Journal (ACIJ), Vol 2 (2)