Summary: This paper introduces the concept of ASP.NET application security and surveys and compares the technologies available for secure communication.
Keywords: Secure Communication, SSL, IPSec, RPC, ASP.NET Web Application
1. Foreword. Any successful application security strategy rests on sound authentication and authorization mechanisms, together with secure communication that provides confidentiality and integrity for sensitive data.
Many applications transmit sensitive data between the tiers of the application: from the database to the browser, or in the reverse direction. Examples of sensitive data include personal details, credit card numbers and salary data. In addition, when login credentials are transmitted over the network, the application must protect them from disclosure.
2. Features of secure communication
2.1 Privacy (Confidentiality). Confidentiality ensures that data remains private and cannot be read by anyone who is running network monitoring software on the path. Confidentiality is usually provided by encryption.
2.2 Integrity. A secure communication channel must ensure that data is not modified, intentionally or accidentally, while in transit. Integrity is usually provided by a Message Authentication Code (MAC). Note that encryption alone does not provide integrity: an attacker can alter ciphertext without knowing the key, and the alteration is only detected if a MAC over the ciphertext is verified by the receiver.
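The following example is added here and is not code from the original paper. It shows in C# why confidentiality (2.1) and integrity (2.2) are separate properties: a message is encrypted with AES in CBC mode, an attacker on the wire flips bits in the IV, and decryption still succeeds and returns a plaintext the attacker chose. The same tampering is rejected once an HMAC-SHA256 tag over the IV and ciphertext is verified before decryption (encrypt-then-MAC). The keys, the IV and the sample message are constructed for the demonstration; the class and method names are assumptions of the example.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example, not from the original paper: AES-CBC gives confidentiality,
// but without a MAC an attacker can change the plaintext without detection.
public static class ConfidentialityVsIntegrity
{
    public static byte[] Encrypt(byte[] key, byte[] iv, byte[] plaintext)
    {
        using (Aes aes = Aes.Create())
        {
            aes.Key = key;
            aes.IV = iv;
            aes.Mode = CipherMode.CBC;
            aes.Padding = PaddingMode.PKCS7;
            using (ICryptoTransform enc = aes.CreateEncryptor())
            {
                return enc.TransformFinalBlock(plaintext, 0, plaintext.Length);
            }
        }
    }

    public static byte[] Decrypt(byte[] key, byte[] iv, byte[] ciphertext)
    {
        using (Aes aes = Aes.Create())
        {
            aes.Key = key;
            aes.IV = iv;
            aes.Mode = CipherMode.CBC;
            aes.Padding = PaddingMode.PKCS7;
            using (ICryptoTransform dec = aes.CreateDecryptor())
            {
                return dec.TransformFinalBlock(ciphertext, 0, ciphertext.Length);
            }
        }
    }

    // Encrypt-then-MAC: the tag covers IV || ciphertext and uses a separate key.
    public static byte[] Mac(byte[] macKey, byte[] iv, byte[] ciphertext)
    {
        byte[] data = new byte[iv.Length + ciphertext.Length];
        Buffer.BlockCopy(iv, 0, data, 0, iv.Length);
        Buffer.BlockCopy(ciphertext, 0, data, iv.Length, ciphertext.Length);
        using (HMACSHA256 hmac = new HMACSHA256(macKey))
        {
            return hmac.ComputeHash(data);
        }
    }

    // Compare tags in constant time so timing does not reveal how many bytes matched.
    public static bool TagsEqual(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }

    public static void Main()
    {
        byte[] encKey = new byte[32];
        byte[] macKey = new byte[32];
        byte[] iv = new byte[16];
        using (RandomNumberGenerator rng = RandomNumberGenerator.Create())
        {
            rng.GetBytes(encKey);
            rng.GetBytes(macKey);
            rng.GetBytes(iv);
        }

        // Constructed sample message; the attacker wants to change the amount.
        string message = "amount=100;to=alice";
        byte[] ciphertext = Encrypt(encKey, iv, Encoding.ASCII.GetBytes(message));
        byte[] tag = Mac(macKey, iv, ciphertext);

        // Attacker on the wire: in CBC, P1 = Decrypt(C1) XOR IV, so XORing IV byte 7
        // with ('1' ^ '9') turns the '1' of "100" into '9' without knowing the key.
        byte[] tamperedIv = (byte[])iv.Clone();
        tamperedIv[7] ^= (byte)('1' ^ '9');

        // Confidentiality only: decryption raises no error and returns the attacker's value.
        string recovered = Encoding.ASCII.GetString(Decrypt(encKey, tamperedIv, ciphertext));
        Console.WriteLine("Decrypted without an integrity check: " + recovered);

        // With integrity: verify the tag before decrypting; the tampered IV is rejected.
        bool valid = TagsEqual(tag, Mac(macKey, tamperedIv, ciphertext));
        Console.WriteLine("MAC valid after tampering: " + valid);
    }
}
```

The first line printed shows the amount changed from 100 to 900 even though the attacker never had the key, because only the first plaintext block is affected and the padding in the last block stays intact; the second line shows the MAC check failing. The receiver should verify the tag and discard the message before attempting decryption, which is exactly what SSL, IPSec and RPC packet privacy (section 3) do for the application.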
3. Secure Communication Technologies
3.1 Secure Sockets Layer (SSL). SSL (and its successor, TLS) is most commonly used to protect the channel between the browser and the web server. It can also be used to protect communication with database servers, for example traffic to and from SQL Server 2000, and web service messages.
When SSL is used, the client still speaks HTTP but requests an https:// URL, and the server listens on TCP port 443 instead of port 80.
Because SSL encrypts and decrypts all data with computationally expensive cryptography, it affects application performance, so pages served over SSL should be optimized to minimize their size and the number of round trips.
When Basic authentication or Forms authentication is used, the user name and password are sent in clear text, so SSL must be used. Generally, SSL should be used not only on the login page but also on all subsequent pages; otherwise the authentication cookie issued after login is itself sent in clear text on every later request and can be captured and replayed by anyone monitoring the network.
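The following IHttpModule for classic ASP.NET (System.Web) is an added example and is not code from the original paper. It enforces the rule stated above in code: every non-HTTPS request is redirected to the same URL on https://, non-idempotent requests that have already exposed their body over plain HTTP are refused instead of redirected, and every cookie issued on an HTTPS response is marked Secure so the browser will not send it back over http://. It goes slightly beyond the text by also emitting a Strict-Transport-Security header. The class name, the port number and the response text are assumptions of the example.

```csharp
using System;
using System.Web;

// Added example, not from the original paper: keep the login page and every
// subsequent page on HTTPS so neither the credentials nor the Forms
// authentication cookie ever travel in clear text.
public class RequireSslModule : IHttpModule
{
    public void Init(HttpApplication app)
    {
        app.BeginRequest += OnBeginRequest;
        app.EndRequest += OnEndRequest;
    }

    private static void OnBeginRequest(object sender, EventArgs e)
    {
        HttpApplication app = (HttpApplication)sender;
        HttpContext ctx = app.Context;
        if (ctx.Request.IsSecureConnection)
        {
            return; // already on SSL, nothing to do
        }

        string method = ctx.Request.HttpMethod;
        if (method != "GET" && method != "HEAD")
        {
            // A POST (for example a submitted login form) over plain HTTP has already
            // exposed its body on the wire; refuse it rather than silently redirecting.
            ctx.Response.StatusCode = 403;
            ctx.Response.Write("This resource must be requested over HTTPS.");
            app.CompleteRequest();
            return;
        }

        // Redirect safe requests to the same path and query on https://, port 443 (assumed).
        UriBuilder secure = new UriBuilder(ctx.Request.Url)
        {
            Scheme = Uri.UriSchemeHttps,
            Port = 443
        };
        ctx.Response.Redirect(secure.Uri.AbsoluteUri, false);
        app.CompleteRequest();
    }

    private static void OnEndRequest(object sender, EventArgs e)
    {
        HttpContext ctx = ((HttpApplication)sender).Context;
        if (!ctx.Request.IsSecureConnection)
        {
            return;
        }

        // Mark every cookie set on this response Secure, so the browser never sends it
        // over http:// even if a link or redirect later leaves SSL.
        foreach (string name in ctx.Response.Cookies.AllKeys)
        {
            ctx.Response.Cookies[name].Secure = true;
        }

        // Ask the browser to use HTTPS for this host for the next year (HSTS).
        ctx.Response.AppendHeader("Strict-Transport-Security", "max-age=31536000");
    }

    public void Dispose()
    {
    }
}
```

Register the module in web.config under system.webServer/modules (IIS 7 integrated pipeline) or system.web/httpModules (classic pipeline). Independently of the module, set requireSSL="true" on the forms element of the authentication section and on the httpCookies element, so that ASP.NET itself refuses to issue the authentication cookie or any other cookie over plain HTTP even if the module is misconfigured or removed.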
3.2 Internet Protocol Security (IPSec). IPSec operates at the IP layer, below the transport layer, and protects all traffic exchanged between two computers, for example between an application server and a database server, transparently to the applications running on them.
IPSec can be used to:
- Provide message confidentiality by encrypting all data sent between the two computers.
- Provide message integrity between the two computers (with or without encrypting the data).
- Provide mutual authentication between the two computers (not between users).
- Restrict which computers can communicate with each other. Communication can also be restricted to specific IP protocols and TCP/UDP ports.
3.3 Remote Procedure Call (RPC) Encryption. RPC encryption is an authentication level (Packet Privacy) provided by the RPC protocol used by Distributed COM (DCOM). At this level every packet transferred between the client and the server is authenticated and encrypted.
4. Role authorization mode
- ASP.NET application security scheme (1) - Authentication
- ASP.NET application security scheme (2) - Authorization