Security Educational Workshop - Authentication Explained

I just finished building another security workshop that covers authentication and identity technologies implemented by MS products. The workshop is targeted to developers and not IT folks. It is common practice (or should I call it anti-practice) that development projects re-invent the wheel and build again and again custom authentication or identity flow mechanisms which are surest recipe for disaster from security perspective. There is plenty of reasons why and one of them is that development teams do not have solid understanding of what MS technologies offer out-of-the-box with regards to authentication.

I have divided the workshop into four major parts:

• Authentication premier. It covers general concepts of network authentication. It covers common threats (the only reason of security existence, no threat – drop security) and countermeasures (best practices). I call it authentication dissected. Here are some of help materials I used:
  • How To: Create a Threat Model for a Web Application at Design Time
• Implementations. This part goes over different types of authentication from NTML, Kerb, Certs, Protocol transition to CardSpace and even assemblies Evidence which is the special sort of authentication between components. It discusses the implementation for each mechanism, cons and pros. Here are some materials I used:
  • Windows Authentication in ASP.NET 2.0
  • How To: Use Impersonation and Delegation in ASP.NET 2.0
  • Use Protocol Transition and Constrained Delegation in ASP.NET 2.0
• Scenarios. This part talks about how to use the implementation for common scenarios like ASP.NET to SQL Server in intranet or ASP.NET to Web Services in Internet scenario. Here are some materials I used:
  • Whiteboard Solutions
• Anti-Patterns (Hacking Exposed). This part tries to draw the punch line for the three above and demonstrates how authentication anti-patterns can be subverted by an attacker and what impact it can cause.
  • There is enough of such stuff on the net - just submit some search criteria and you got plenty :)

I call it educational workshop influenced by what I was discussing in Security Workshops. This workshop explains what MS offers and when to use. It does not train the participants how to use it in depth assuming after completing the workshop participants will be able to deepen their knowledge after picking proper technology.

Related posts:

• Authentication Hub
• .Net Assembly Spoof Attack
• How To Hack WCF - New Technology, Old Hacking Tricks
• Creating a Parameterized Query In Visual Studio
• SOA, Kerberos, IIS, and Security Best Practices
• Password Cracking Tools For SQL Server