.NET news » Security

Applying Cryptography Using The CNG API In Windows Vista
Windows Vista introduces a new cryptography API to replace the old CryptoAPI, which has its roots in the early versions of Windows NT and Windows 95. Cryptography Next Generation (CNG) is meant to be a long-term replacement for the CryptoAPI, providing substitutes for all of the cryptographic primitives it offered. CNG supports all of the algorithms provided by the CryptoAPI, but goes much further and includes many new algorithms and a much more flexible design, providing developers with greater control over how cryptographic operations are performed and how algorithms work together to perform various operations.
21 May 2007, 19:00:00   Source: Applying Cryptography Using The CNG API In Windows Vista   Tags: Security
Security Briefs: Active Directory Cache Dependencies
If you're not taking advantage of Active Directory, you should be. Learn the benefits from Keith Brown.
21 May 2007, 19:00:00   Source: Security Briefs: Active Directory Cache Dependencies   Tags: Security
Top 10 Application Security Vulnerabilities in Web.config Files - Part One
In part one of this two-part article, you will learn about five of the top ten "worst offenders" among application security misconfigurations that can cause overall problems for ASP.NET Web-based applications. Learn more about how to secure the Web.config files of an ASP.NET application.
Next Generation of Cryptography for Microsoft Windows Vista

The Cryptography API: Next Generation (CNG) is a new and agile framework in Windows Vista, which implements an extensible provider model that allows you to load a provider by specifying the required cryptographic algorithm rather than having to hardcode a specific provider.

The advantage is that an algorithm provider can be replaced or upgraded and you will not have to change your code in any way to use the new provider. Also, if some algorithm is determined to be unsafe in the future, a more secure version of that algorithm can be installed with no effect on your code. To facilitate this, you load a CNG provider by identifying the cryptographic algorithm that you require, not the specific provider. Most of the CNG APIs require a provider or an object created by a provider.

In this article, I try to describe the new security feature Cryptography API: Next Generation (CNG) and compare it with RSA and AES samples, both managed and unmanaged, using "Crypto API" (CAPI before Vista) and how it can be implemented using CNG in Windows Vista. A managed version of CNG is yet to come; if you feel like you want more, wait for the next release of Visual Studio "Orcas".

30 Apr 2007, 22:45:00   Source: Next Generation of Cryptography for Microsoft Windows Vista   Tags: Security
Elliptic Curve Diffie Hellman Cryptography

Elliptic Curve cryptography is the current standard for public key cryptography, and is being promoted by the National Security Agency as the best way to secure private communication between parties. Microsoft has both good news and bad news when it comes to using Elliptic Curve encryption algorithms. The good news is that it is natively supported in the Vista operating system through CNG (Cryptography API Next Generation). The bad news is that a managed library for using EC will not be available until the release of Visual Studio Orcas, which is currently slated for the end of 2007 or the beginning of 2008.

The code in the attached project attempts to fill this gap by providing a wrapper class that will give you access to the underlying Vista Crypto API, as well as offer simple methods for leveraging the Elliptic Curve algorithms. It is intended for educational purposes only, however, and requires much more testing and refactoring before it can be used in any serious way. In other words, please play with it, copy it, and manipulate it in any way you like, but don't use it in its current form to lift any heavy machinery.

30 Apr 2007, 22:07:00   Source: Elliptic Curve Diffie Hellman Cryptography   Tags: Security
An easy way to use certificates for WCF security
An easy solution to use certificates on Windows Communication Foundation, loading the certificates from files.
30 Apr 2007, 14:34:00   Source: An easy way to use certificates for WCF security   Tags: Security
SQLCLR Security and Designing for Reuse

Bringing the Common Language Runtime (CLR) into SQL Server presents an entirely new set of challenges with regard to privilege, and some of the rules that SQL Server developers are used to do not completely translate. Simple grant/deny/revoke logic still applies, but the CLR also brings its own set of specialized permissions, which require slightly different handling in order to properly manipulate.

This article focuses on what the SQLCLR permission sets do to control security and reliability, and what you need to understand when working with them in order to design a system that takes advantage of least privilege. By not carefully considering these issues when designing your SQLCLR code base, you may allow your code too much access, thereby creating potential vectors for security problems down the road.

26 Apr 2007, 19:00:00   Source: SQLCLR Security and Designing for Reuse   Tags: Database Security
Security Briefs: Events in Windows Vista
This month Keith Brown digs into the new eventing system in Windows Vista, Windows Eventing 6.0.
10 Apr 2007, 19:00:00   Source: Security Briefs: Events in Windows Vista   Tags: Security
Using the Local Security Authority to Enumerate User Sessions in .NET
The Local Security Authority, or LSA, has been included in the Windows operating systems since Windows 2000. LSA is responsible for account validation, management of local security policy, auditing, maintaining sessions and the generation of tokens for login and impersonation. At times you may want to determine what users are logged on to a machine, be it local, remote or system service accounts. LSA maintains a range of information, including usernames, domain information, login times, the authentication package used, SIDs and terminal services session information. Unfortunately, .NET doesn't provide a simple way to interact with LSA, so you have to interop with the LSA functions directly to enumerate user sessions and extract data.
28 Mar 2007, 14:14:00   Source: Using the Local Security Authority to Enumerate User...   Tags: Security
PKCS Standards and .NET Framework
The article describes what is standardized in the PKCS (Public Key Cryptographic Standards) standards and their implementation in the .NET 1.1 Framework.
18 Mar 2007, 07:27:00   Source: PKCS Standards and .NET Framework   Tags: Security