Strong cryptographic authentication mechanisms have long been missing for Web Forms, Windows Forms, and mobile and smart-device applications. Point-to-point asymmetric message encryption and data content signatures suffer from the same lack of a trustworthy credential, so they always amount to "a castle on a sand dune". The certificate mechanism of a PKI environment may be a good way to solve these problems.
The latest issue of MSDN published an article on protecting .NET 2.0 applications with certificates. It outlines how to use certificates: how to set up SSL with them, how to protect Web Service calls, how to sign code, security policy (.NET Framework and Active Directory), automatic distribution mechanisms, data signature support, and so on. For developers this content should be very valuable, because it resolves a dilemma in application design:
◆ For security and ease of implementation, .NET applications often choose to integrate with Active Directory domain authentication (or trusted-domain authentication). This is generally found in enterprises with a relatively good IT environment, especially for internal applications; employees in branch offices also reach internal applications through wrapped SSPI interfaces or integrated authentication. However, there may occasionally be access from users outside the trust domain. For security reasons domain accounts cannot be opened to them, yet credentials are still required for them to access enterprise information resources;
◆ The application itself sits in an open Internet environment (cross-domain) and adopts username/password Forms authentication; the authentication result is then quietly stored in a call context (Session, Cookie). That is fine for inconsequential operations, but for operations that invite "ulterior motives", such as account payments or medical information exchange, it may not be "streaking", yet it is no different from wandering the city in your underwear. In these scenarios, both regulations and user needs often lead application designers to consider strong identity measures that cross trust domains, and asymmetric cryptographic processing built on those measures.
When "cross-domain", "secure" and "simple" are required together, very few technical means seem up to the job. At the .NET Framework level, the certificate mechanism may be the easiest to implement. It is based on the PKI public-key system and can provide strong cryptographic protection for the main security mechanisms. Moreover, now that SOA is in wide use, architects seem more concerned with intercommunication and interoperation. What we usually talk about under "inter-" refers to messages, but it is often overlooked that this is far-fetched if the two parties do not know each other, and the certificate mechanism suits this scenario as well. In addition, if the designer extends the security boundary to the application service level, what crosses the boundary will not be limited to messages. Think about it:
◆ Does your application need to be updated? If so, are the assemblies and ActiveX controls delivered to or invoked by the client application the versions you intend?
◆ Moving from rule-based, hard-coded governance to policy-based governance is a trend, but can the final released policy (applicable to one application, a group of applications, or even enterprise-wide) be faithfully published to the user end and correctly interpreted while the target application executes?
◆ In the WS-* protocol family, WS-Security and XML Signature seem to provide a very satisfactory Web service security solution that is independent of application, platform or development technology, but at best they address only the result and the object, not the subject of the process: "who".
Data, components, security policies, Web service calls, and anything else exchanged with parties outside the boundary: wherever certificates can be applied, they can be, but you must generate and distribute those certificates first.
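The "who" point above is easy to see in code. The following is an added example written for this page; it is not code from the MSDN article or from the author. It signs a message with the private key of an X.509 certificate, verifies the signature with the public part only (which proves a key signed it), and then builds the certificate chain and checks the subject name, which is what actually binds the signature to an identity the verifier trusts. It assumes current .NET (the `GetRSAPrivateKey`/`X509Chain` APIs, not the .NET 2.0 `RSACryptoServiceProvider` the article targets), a placeholder PFX path and password, a placeholder expected subject name, and a constructed sample message.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Text;

// Added illustration, not the MSDN article's code. The .pfx path, password and
// expected subject are placeholders; issue a test certificate from a lab CA.
static class CertificateSigningDemo
{
    // Sign a message with the private key bound to the certificate.
    static byte[] Sign(X509Certificate2 signerWithKey, byte[] message)
    {
        using (RSA rsa = signerWithKey.GetRSAPrivateKey())
        {
            return rsa.SignData(message, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        }
    }

    // Verify using only the public part. This proves "this key signed it",
    // nothing more: the key is not yet tied to any named party.
    static bool VerifySignature(X509Certificate2 signerPublic, byte[] message, byte[] signature)
    {
        using (RSA rsa = signerPublic.GetRSAPublicKey())
        {
            return rsa.VerifyData(message, signature, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        }
    }

    // Chain validation answers "who": it ties the key to a subject vouched for
    // by a CA the verifier trusts, and the subject check pins the expected party.
    static bool VerifyIdentity(X509Certificate2 signerPublic, string expectedSubject)
    {
        using (X509Chain chain = new X509Chain())
        {
            chain.ChainPolicy.RevocationMode = X509RevocationMode.Online;
            chain.ChainPolicy.RevocationFlag = X509RevocationFlag.ExcludeRoot;
            chain.ChainPolicy.VerificationFlags = X509VerificationFlags.NoFlag;

            bool chainOk = chain.Build(signerPublic);
            foreach (X509ChainStatus status in chain.ChainStatus)
            {
                // Report why the chain failed (untrusted root, expired, revoked, ...).
                Console.WriteLine("chain status: " + status.Status + " " + status.StatusInformation);
            }

            string subject = signerPublic.GetNameInfo(X509NameType.SimpleName, false);
            return chainOk && string.Equals(subject, expectedSubject, StringComparison.Ordinal);
        }
    }

    static void Main()
    {
        // Placeholders: replace with a real test certificate and its password.
        X509Certificate2 signer = new X509Certificate2(@"C:\lab\signer.pfx", "<pfx-password>");
        // Strip the private key to model what the relying party actually receives.
        X509Certificate2 publicOnly = new X509Certificate2(signer.Export(X509ContentType.Cert));

        // Constructed sample message.
        byte[] message = Encoding.UTF8.GetBytes("transfer 100.00 to account 4711");
        byte[] signature = Sign(signer, message);

        Console.WriteLine("signature valid: " + VerifySignature(publicOnly, message, signature));
        Console.WriteLine("identity valid:  " + VerifyIdentity(publicOnly, "<expected-subject-cn>"));

        // Any change to the signed bytes must invalidate the signature.
        message[0] ^= 0x01;
        Console.WriteLine("after tamper:    " + VerifySignature(publicOnly, message, signature));
    }
}
```

Two design choices matter for a relying party. First, the verifier must work from the public certificate only, never from the PFX, because distributing the private key defeats the purpose of the signature. Second, `VerifySignature` and `VerifyIdentity` are deliberately separate: a signature that verifies against an untrusted or mismatched certificate is exactly the "result without a subject" gap described above, and both checks must pass before the message is accepted.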