This is how, within your organisation, you can protect the data, especially in a cloud-first, multi-tenant world. The source will provide you with the concepts around encrypting enterprise data, look at what you should encrypt, and cover robust patterns and practices you can follow in your organisation.
Enjoy.
To get a level of how many data breaches are happening Breach Level Index provides this information, along with many other statistics
Need to check if you have an email account that has been compromised in a data breach when check out Have I Been Pwned to check if you have been compromised and also Signup to get email notifications
For a collection of Cryptography APIs in one library
HSM hardware
Over the past week, I spent some time automating Azure App Service infrastructure with Azure Resource Manager (ARM) templates. I discovered a few tips and tricks along the way that I’ll describe in detail below…
Big thanks to David Ebbo’s talk at BUILD and his sample “WebAppManyFeatures” template; they are super handy resources for anyone who is working on writing their own ARM templates.
ARM templates are useful for creating the entire infrastructure for an application. Often this means creating infrastructure for each deployment environment (Dev, QA, Production, etc). Instead of passing in names for the service plans and web apps, I find it useful to pass in a name for the environment and use it as a suffix for all the names. This way we can easily use the same template to set up any environment.
{
// ...
"parameters": {
"environmentName": {
"type": "string"
}
},
"variables": {
"appServicePlanName":
"[concat('awesomeserviceplan-', parameters('environmentName'))]",
"siteName":
"[concat('awesomesite-', parameters('environmentname'))]"
}
// ...
}
In the above example, if we pass in “dev” as the,environmentName we get “awesomeserviceplan-dev” and “awesomesite-dev” as our resource names.
App settings and connection strings for a Web App slot can be marked as a “slot setting” (i.e., the setting is sticky to the slot). It’s not well documented how to specify sticky slot settings in an ARM template. It turns out we can do this using a config resource section called “slotconfignames” on the production site. Simply list the app setting and connection string keys that need to stick to the slot:
{
"apiVersion": "2015-08-01",
"name": "slotconfignames",
"type": "config",
"dependsOn": [
"[resourceId('Microsoft.Web/Sites', variables('siteName'))]"
],
"properties": {
"connectionStringNames": [ "ConnString1" ],
"appSettingNames": [ "AppSettingKey1", "AppSettingKey2" ]
}
}
Here’s how it’ll look like in the portal:
Variables are not only useful for declaring text that is used in multiple places; they can be objects too! This is especially handy for settings that apply to multiple Web Apps in the template.
{
// ...
"variables": {
"siteProperties": {
"phpVersion": "5.5",
"netFrameworkVersion": "v4.0",
"use32BitWorkerProcess": false, /* 64-bit platform */
"webSocketsEnabled": true,
"alwaysOn": true,
"requestTracingEnabled": true, /* Failed request tracing, aka 'freb' */
"httpLoggingEnabled": true, /* IIS logs (aka Web server logging) */
"logsDirectorySizeLimit": 40, /* 40 MB limit for IIS logs */
"detailedErrorLoggingEnabled": true, /* Detailed error messages */
"remoteDebuggingEnabled": true,
"remoteDebuggingVersion": "VS2013",
"defaultDocuments": [
"index.html",
"hostingstart.html"
]
}
},
// ...
}
And now we can use the siteProperties variable for the production site as well as its staging slot:
{
"apiVersion": "2015-08-01",
"name": "[variables('siteName')]",
"type": "Microsoft.Web/sites",
"location": "[parameters('siteLocation')]",
"dependsOn": [
"[resourceId('Microsoft.Web/serverfarms', variables('appServicePlanName'))]"
],
"properties": {
"serverFarmId": "[variables('appServicePlanName')]"
},
"resources": [
{
"apiVersion": "2015-08-01",
"name": "web",
"type": "config",
"dependsOn": [
"[resourceId('Microsoft.Web/Sites', variables('siteName'))]"
],
"properties": "[variables('siteProperties')]"
},
{
"apiVersion": "2015-08-01",
"name": "Staging",
"type": "slots",
"location": "[parameters('siteLocation')]",
"dependsOn": [
"[resourceId('Microsoft.Web/Sites', variables('siteName'))]"
],
"resources": [
{
"apiVersion": "2015-08-01",
"name": "web",
"type": "config",
"dependsOn": [
"[resourceId('Microsoft.Web/Sites/Slots', variables('siteName'), 'Staging')]"
],
"properties": "[variables('siteProperties')]"
}
]
}
]
}
There’s a little-known setting in Azure App Service that allows you to set the time zone on a per-app basis. It is done by creating an app setting called WEBSITE_TIME_ZONE in the portal. It means we can also do this in an ARM template:
{
"apiVersion": "2015-08-01",
"name": "appsettings",
"type": "config",
"dependsOn": [
"[resourceId('Microsoft.Web/Sites', variables('siteName'))]"
],
"properties": {
"WEBSITE_TIME_ZONE": "Pacific Standard Time"
}
}
For more information on the time zone setting, check out this article.
Source code: WebAppManyFeatures.json
I did some quick research on the SQL Server Firewall “Allow Access to Azure Services” option in Azure today.
And I sorry to say that my fears were right, that by setting this option does pose a significant security risk and leaves the SQL Server vulnerable.
Here is the extract of the article I found from Gaurav Hind at Microsoft
Access within Azure: This can be toggled by “Allow access to Azure services” Yes/No button on the portal (Firewall settings page). Please note, enabling this feature would allow any traffic from resources/services hosted in Azure (not just your Azure subscription) to access the database.
The big question now is how do you plug this gap in the firewall? One possible solution is to build a virtual network within Azure or Filter network traffic with network security groups, this is beyond the scope of this article.
After writing about SecureStrings, you soon come to realise that holding the secret information you are going to have to make some comparisons at some point. For example, if you need to check a password.
The important thing to remember is not to expose the password as text or hold it in memory for anyone or anything to sniff it out.
This code snippet does the job, but it what it does expose is a Timing Attack, but we will deal with that issue another day.
public static bool IsEqualTo(this SecureString ss1, SecureString ss2)
{
if (ss1 == null)
throw new ArgumentNullException("s1");
if (ss2 == null)
throw new ArgumentNullException("s2");
if (ss1.Length != ss2.Length)
return false;
IntPtr bstr1 = IntPtr.Zero;
IntPtr bstr2 = IntPtr.Zero;
try
{
bstr1 = Marshal.SecureStringToBSTR(ss1);
bstr2 = Marshal.SecureStringToBSTR(ss2);
int length1 = Marshal.ReadInt32(bstr1, -4);
for (int x = 0; x < length1; ++x)
{
byte b1 = Marshal.ReadByte(bstr1, x);
byte b2 = Marshal.ReadByte(bstr2, x);
if (b1 != b2) return false;
}
return true;
}
finally
{
if (bstr2 != IntPtr.Zero) Marshal.ZeroFreeBSTR(bstr2);
if (bstr1 != IntPtr.Zero) Marshal.ZeroFreeBSTR(bstr1);
}
}
When comparing two MACs or hashes (also password hashes) for equality you would first think a simple comparison would be okay? Think again as they are susceptible to timing attacks.
In cryptography, a timing attack is a side channel attack in which the attacker attempts to compromise a cryptosystem by analysing the time taken to execute cryptographic algorithms.
If you want to read more about this take a look at this article.
if ($hash1 == $hash2) {
//mac verification is Okay
return "hashs are equal"
} else {
//something happened
return "hashs verification failed!";
}
Okay, so what is wrong with this?
Both arguments must be of the same length to be compared successfully. When arguments of differing length are supplied, FALSE is returned immediately and the length of the known string may be leaked in the case of a timing attack. It is done by timing the amount of time it takes to compare a known string length with the HASH, and as you will then find the length of the string based on the time it takes during the comparison.
Compares two-byte arrays in length-constant time. This comparison method is used so that password hashes cannot be extracted from on-line systems using a timing attack and then attacked off-line.
private static bool SlowEquals(byte[] a, byte[] b)
{
uint diff = (uint)a.Length ^ (uint)b.Length;
for (int i = 0; i < a.Length && i < b.Length; i++)
diff |= (uint)(a[i] ^ b[i]);
return diff == 0;
}
What does the line diff |= (uint)(a[i] ^ b[i]); do?
This sets diff based on whether there’s a difference between a and b.
It avoids a timing attack by always walking through the entirety of the shorter of the two of a and b, regardless of whether there’s a mismatch sooner than that or not.
The diff |= (uint)(a[i] ^ (uint)b[i]) takes the exclusive-or of a byte of a with a corresponding byte of b. That will be 0 if the two bytes are the same, or non-zero if they’re different. It then ors that with diff.
Therefore, diff will be set to non-zero in an iteration if a difference was found between the inputs in that iteration. Once diff is given a non-zero value at any iteration of the loop, it will retain the non-zero value through further iterations.
Therefore, the final result in diff will be non-zero if any difference is found between corresponding bytes of a and b, and 0 only if all bytes (and the lengths) of a and b are equal.
Unlike a typical comparison, however, this will always execute the loop until all the bytes in the shorter of the two inputs have been compared to bytes in the other. A typical comparison would have an early-out where the loop would be broken as soon as a mismatch was found:
Microsoft provides a SecureString to hold sensitive data, and this uses a generic method Equals(Object), which determines whether the specified object is equal to the current object. There is no information saying that Equals method protects against Timing Attacks. Therefore we can only conclude that it is not safe for this operation.
I would suggest research into writing our own String Compare that is protected against Timing Attacks.
I’m not sure about all of this and further research is required, I did find this article which would be worth considering:
Setting up Azure Key Vault for use within a .NET application is not an easy process, as it is a secure environment and security is required to gain access, which involved the Active Directly Application registrations and Access Policies.
I’ve created a quick setup guide based on the Azure Portal that is available at the time of setting up this article.
I’ve come across a class in the System.Security namespace that is often overlooked. The class is SecureString. In this post, I will go over what SecureString is and why it is needed.
Have you ever come across these scenarios before?
Do you know how to avoid all these problems? SecureString. It makes sure you don’t make silly mistakes as such. How does it avoid it? By making sure that password is encrypted in unmanaged memory and the real value can be only accessed when you are 90% sure what you’re doing.
In the sense, SecureString works pretty easily:
What if the user has access to your computer? Would a virus be able to get access to all the SecureStrings? Yes. All you need to do is hook yourself into RtlEncryptMemory then decrypt the memory, and you will get the location of the unencrypted memory address, and read it out. Voila! In fact, you could make a virus that will continuously scan for usage of SecureString and log all the activities with it. I am not saying it will be an easy task, but it can be done. As you can see, the “powerfulness” of SecureString is completely gone once there’s a user/virus on your system.
You have few points in your post. Sure, if you use some of the UI controls that hold “string password” internally, using actual SecureString is not that useful.
The bottom line is; if you have sensitive data(passwords, credit cards, ..), use SecureString. This is what C# Framework is following. For example, NetworkCredential class stores password as SecureString. If you look this, you can see over ~80 different usages in .NET framework of SecureString.
There are many cases when you have to convert SecureString to string because some API expects it.
The usual problem is either:
You raised a good point: what happens when you convert SecureString to a string? That can only happen because of the first point. Eg the API does not know that it’s sensitive data. I have personally not seen that happening. Getting string out of SecureString is not that simple.
It’s not simple for a simple reason; it was never intended to let the user convert SecureString to string, as you stated: GC will kick in. If you see yourself doing that, you need to step back and ask yourself: Why am I even doing this, or do I need this, why?
You can always extend the SecureString class with an extension method, such as ToEncryptedString(__SERVER__PUBLIC_KEY), which gives you a string instance of SecureString that is encrypted using server’s public key. The only server can then decrypt it. Problem solved, GC will never see the “original” string, as you never expose it in managed memory. This is precisely what is being done in PSRemotingCryptoHelper (EncryptSecureStringCore(SecureString secureString)).
And as something very almost-related: Mono SecureString does not encrypt at all. The implementation has been commented out because ..wait for it. “It somehow causes nunit test breakage”, which brings to my last point:
Not supported everywhere is SecureString. If the platform/architecture does not support SecureString, you’ll get an exception. The recommended list of deployment platforms is documentation.
The standard System.String class has never been a very secure solution for storing sensitive strings such as passwords or credit card numbers. Using a string for this purposes has numerous problems including it’s not pinned, so the garbage collector can move it around and will leave several copies in memory, it’s not encrypted, so anyone who can read your processor’s memory will be able to see the values of the string easily. Also, if your process gets swapped out to disk, the unencrypted contents of the string will be sitting in your swap file. And it’s not mutable, so whenever you need to modify it there will be an old version and the new version both in memory.
Since it’s not mutable, there’s no effective way to clear it out when you’re done using it. Secure strings are held in encrypted memory by the CLR using the Data Protection API, or DPAPI, and they’re only unencrypted when they are accessed. This limits the amount of time that your string is in plain text for an attacker to see.
The garbage collector will not move the encrypted string around in memory, so you never have to worry about multiple copies of your string sitting in your address space, unless you make copies of those.
SecureString also implements IDisposable, and when it’s disposed of or finalised if you forget to dispose of it, the memory that was used to hold your encrypted string will be zeroed out.
They also provide a feature that lets you lock them down as read only preventing other code from modifying your string.
You can create a secure string with a pointer to a character array and a length of that array. When constructed this way, the secure string will make a copy of your array, allowing you to zero out your insecure copy.
A secure string can also be constructed without an existing character array, and the data can be copied in one character at a time.
One important thing to note though is that SecureString shouldn’t be used as a blanket replacement for System.String, it should only be used in places where you need to store sensitive information that you do not want to spread around in memory for longer than is required.
To add data or modify data in your string, standard operations are provided. For instance, you’ll find an AppendChar, InsertAt, RemoveAt, and SetAt methods. MakeReadOnly and IsReadOnly allows you to lock down the secure string. Clear, Dispose, and the finaliser takes care of removing any trace of the safe string from memory.
The main idea with SecureString is that you would never store a password or other textual secret in plain text. Unfortunately, SecureString was introduced into the framework only after plenty of APIs were built and shipped using passwords stored in a string, such as the System.Net.NetworkCredential. So any application that must use these APIs had no option but to convert secure strings to strings.
However, the SecureString class itself doesn’t provide any method to get back a plain string with its content, precisely to discourage this type of usage. What a developer has to do is use functions from the System.Runtime.InteropServices.Marshal to get a native buffer with the plain string, marshal a value into managed string, and then very importantly free the native buffer. The best implementation to get a string out of a secure string is to use a try/finally block to free the native buffer.
Here is a sample application showing how you can use SecureString, please remember in production do not use the SecureString to String as this just does not make sense and would make it insecure.
Here is a short method to convert a string to a SecureString
public static SecureString ToSecureString(this string source)
{
if (string.IsNullOrWhiteSpace(source))
return null;
else
{
SecureString result = new SecureString();
foreach (char c in source.ToCharArray())
result.AppendChar(c);
return result;
}
}