TLS 1.2, AES-GCM and .NET network trace


The next exercise on our path to better understand TLS will be a decryption of a network trace collected from a .NET console application. In the last post we examined a simple TLS 1.0 session. Today I would like to focus on the latest version (1.2) of the TLS protocol. The changes introduced by this version (defined in RFC 5246) included: support for authenticated encryption, PRF simplification and removal of all hard-coded security primitives.

Continue reading

Manually decrypting an HTTPS request


Recently I have spent some time on learning the internals of HTTPS. I wanted to know what makes it secure and how the communication actually looks like. Today I would like to show you the steps required to decrypt a sample HTTPS request. Imagine you got a .pcap file recorded by one of your company clients who complains that your application returned 500 HTTP status code with a strange error message. The client forgot to copy the error message but luckily had a Wireshark instance running in the background (I know it’s highly hypothetical, but just close your eyes to that :)) and he/she sent you the collected traces. Let’s then assume that your server has a certificate with a public RSA key and you are in possession of its private key. Finally the client was using a slightly outdated browser which supports TLS 1.0 (though I will inform you what would have been different if it had been TLS 1.2) and does not use ephemeral keys. My main point in writing this post is to present you the steps of the TLS communication. This post is not a guidance on how to create a secure TLS configuration, but a walk-through on how this protocol works and I will purposely use less secure ciphers to make things easier to explain.

Continue reading

Decrypting ASP.NET Identity cookies


I decided recently I need to learn Python. It’s a great scripting language, often used in forensics, diagnostics and debugging tools. There is even a plugin for windbg that allows you to script this debugger in Python language, but it’s a subject for another post. Moving back to learning Python – as an exercise I wrote a simple tool to decrypt ASP.NET Identity cookies and ASP.NET Anti-Forgery tokens. You may find it useful in situations when you need to diagnose why one of your users can’t sign in into your applications or is not authorize to access one of its parts. It does not perform validation but only decrypts the content using 256-bit AES (let me know in comments if you need some other decryption algorithm to be implemented). Adding validation logic shouldn’t be a big deal and the nist library (which I used for cryptographic operations) provides all the necessary functions.

Continue reading

Common authentication/authorization between .NET4.0 and .NET4.5 web applications


ASP.NET Identity is a big step forward and we should profit from its features, such as: two-step authentication, support for OpenId providers, stronger password hashing and claims usage. One of its requirements is .NET4.5 which might be a blocker if you have in your farm legacy Windows 2003 R2 servers still hosting some of your MVC4 (.NET4.0) applications. In this post I would like to show you how you may implement common authentication and authorization mechanisms between them and your new ASP.NET MVC5 (and .NET4.5) applications deployed on newer servers. I assume that your apps have a common domain and thus are able to share cookies.

Continue reading

ASP.NET Anti-Forgery Tokens internals


Anti-Forgery Tokens were introduced in ASP.NET in order to prevent Cross-Site Request Forgeries. There are many sites which describe how to use and configure those tokens in your application. But in this post I’m going to show you what exactly those tokens contain, where they are generated and how to customize them.

Let’s start our journey from a sample Razor HTTP form:

...
@using (Html.BeginForm()) {
    @Html.AntiForgeryToken()
    @Html.TextBoxFor(m => m.Name)<br />
    @Html.TextBoxFor(m => m.FullName)<br />
    <br />
    <input type="submit" value="Test" />
}
...

Continue reading

NullReferenceException and MachineKey.Decode


In my recent project I had to sign a http cookie in order to disallow any unauthorized changes to its content. I didn’t want to reinvent the wheel but use something already implemented in ASP.NET – for instance mechanism that is used to sign ViewState content. After some research I found promising methods: System.Web.Security.MachineKey.Encode/Decode (I’m using .NET4, in 4.5 these method are obsolete and new methods: Protect/Unprotect were introduced to replace them). Let’s first look at an example how to use those methods. The below code snippet retrieves content of a signed cookie or prints information that the cookie was tampered:

Continue reading

Configuring ASP.NET authentication log


Some time ago I wrote about ASP.NET Health Monitoring – a logging infrastructure provided by the .NET framework, easily configurable through web.config. In that post I was presenting heart beat and error events. Today I would like to show you how to collect ASP.NET authentication audit logs. There are special events groups registered in the global web.config for this purpose:

        <healthMonitoring>
            ...
            <eventMappings>
                ...
                <add name="All Audits" type="System.Web.Management.WebAuditEvent,System.Web,Version=4.0.0.0,Culture=neutral,PublicKeyToken=b03f5f7f11d50a3a"
                    startEventCode="0" endEventCode="2147483647" />
                <add name="Failure Audits" type="System.Web.Management.WebFailureAuditEvent,System.Web,Version=4.0.0.0,Culture=neutral,PublicKeyToken=b03f5f7f11d50a3a"
                    startEventCode="0" endEventCode="2147483647" />
                <add name="Success Audits" type="System.Web.Management.WebSuccessAuditEvent,System.Web,Version=4.0.0.0,Culture=neutral,PublicKeyToken=b03f5f7f11d50a3a"
                    startEventCode="0" endEventCode="2147483647" />
            </eventMappings>
        </healthMonitoring>

Though, using the All Audits set will cause your application to generate an audit event for each served request. If we then would store those events in a SQL Server database we might put a heavy load on the server. In this post I will show you how to reduce the number of audit events to login attempts and then store them safely in a database.

Continue reading