If I had to define authentication, my preference is this: authentication is the act by which a verifier determines whether the real identity of the party being authenticated matches the identity that party claims. The party being authenticated must provide proof of identity so that the verifier can check whether the real identity is consistent with the claimed one. In computing, this proof of identity has a proper name: a credential (also called a user credential or authentication credential).
I. Credential Attributes
The best design imitates the real world as closely as possible, and real life is full of authentication. If I tell a stranger "I am Zhang San", how can they believe that I really am Zhang San and not Li Si? Not everyone can be recognised on sight, but everyone can be identified by an ID card, which proves real identity. The ID card is a typical credential: the verifier establishes the other party's real identity from the ID card that party presents. For this to work, three conditions must hold:
- The person being authenticated claims to be the person named on the ID card;
- The person holding the ID card is the person it was issued to;
- The ID card itself is legitimate and valid, that is, it was issued by the public security authority rather than obtained from one of the "document-making" phone numbers advertised on street walls.
The first condition is rarely a problem: nobody of sound mind presents Li Si's ID card while claiming to be Zhang San. The second is checked against the photo on the card. The third depends on the anti-counterfeiting features of the ID card and on the verifier's ability to check them.
These three conditions reflect the attributes a credential has in the authentication process and its relationship to the party presenting it, namely: consistency between the credential and the claim, possession of the credential by the party being authenticated, and validity of the credential. For short, we call these the three attributes of a credential. The type of credential determines the authentication method, and WCF supports a series of credential types to meet different authentication requirements. Below we briefly introduce several common credentials and their corresponding authentication methods.
II. User Name/Password Authentication
The most common authentication method is to verify a user name and password; mention identity authentication and many people think of a password first. Let us analyse the user name/password credential against the three credential attributes introduced above.
The user name represents the identity the party claims; the password is the evidence that the holder is the legitimate owner of that credential. Because the password is private information belonging to the account owner, a party who can produce the password matching the claimed identity proves to the verifier that they are who they say they are. Against the three attributes: consistency between credential and claim means the party claims exactly the identity the user name denotes; possession is proved by the password, which should be known to nobody but its owner; and validity is not conferred by an issuing authority, since a user name/password credential is not a certificate-type credential, but that does not make it illegitimate. Instead, the verifier checks validity against the list of accounts it maintains itself.
In applications that use user name/password authentication, the verifier generally holds a list of all user accounts and their passwords. In principle a password is private to its holder: nobody else, the verifier included, should be able to recover it by technical means. So when the verifier maintains the list of user names and passwords, it normally stores, for each account, the hash of the original password together with the random value that was mixed into the hash (the article calls this value a Key; it is usually called a salt, and it should be unique per account). Because the hash function is one-way, the original password cannot be recovered from the stored hash and salt, which protects the password even if the list leaks. To verify a password, look up the salt for the given user name, hash the submitted password with the same algorithm and salt, and compare the result with the stored value. Two caveats a practitioner should add: a fast hash such as MD5 or SHA-1 over a short password can still be brute-forced offline from a leaked list, so use a deliberately slow, iterated function (PBKDF2, bcrypt, scrypt or Argon2); and the comparison should run in constant time, so that timing does not reveal how many bytes of a guess matched.
During development, some projects instead encrypt the password supplied at registration, so that a user who forgets it can, after proving identity some other way, have the original password decrypted and returned. Encrypted storage, whether symmetric or asymmetric, means that anyone holding the key can recover every original password by running the corresponding decryption, so it is inherently weaker than hashing. The storage policy for a particular application can therefore be chosen according to the required security level and whether the original password must ever be returned (a password-reset flow avoids that need entirely), but storing passwords in plaintext is never acceptable.
If you choose the user name/password credential, WCF provides three authentication modes:
- Map the user name to a Windows account and use Windows authentication;
- Use the ASP.NET Membership module;
- Implement custom authentication by inheriting from UserNamePasswordValidator.
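To make the hashed-storage and verification steps of the previous paragraphs concrete, and to show what the third mode, inheriting from UserNamePasswordValidator, looks like, here is an added example. It is not code from the original article or from WCF itself; the class name, the in-memory account store and the choice of PBKDF2-HMAC-SHA256 as the slow hash are my own assumptions, since the article names no particular algorithm.

```csharp
// Added example (not from the original article): a custom WCF
// UserNamePasswordValidator that verifies passwords against a store of
// salted PBKDF2 hashes. The account store is constructed in memory purely
// for illustration; a real service would load it from a database.
using System;
using System.Collections.Generic;
using System.IdentityModel.Selectors;   // UserNamePasswordValidator (WCF)
using System.IdentityModel.Tokens;      // SecurityTokenException
using System.Security.Cryptography;

public sealed class HashedPasswordValidator : UserNamePasswordValidator
{
    // One stored record per account: the salt (the article's "Key") and the
    // derived hash. Neither value reveals the original password.
    private sealed class PasswordRecord
    {
        public byte[] Salt;
        public byte[] Hash;
        public int Iterations;
    }

    private const int SaltSize = 16;          // 128-bit random salt per account
    private const int HashSize = 32;          // 256-bit derived value
    private const int DefaultIterations = 100000;

    private readonly Dictionary<string, PasswordRecord> _store =
        new Dictionary<string, PasswordRecord>(StringComparer.Ordinal);

    // Registration path: derive salt + hash once and keep only those.
    public void AddUser(string userName, string password)
    {
        var salt = new byte[SaltSize];
        using (var rng = RandomNumberGenerator.Create())
            rng.GetBytes(salt);

        _store[userName] = new PasswordRecord
        {
            Salt = salt,
            Iterations = DefaultIterations,
            Hash = Derive(password, salt, DefaultIterations)
        };
    }

    // WCF calls this for every incoming user name/password token.
    // Throwing rejects the token; returning normally accepts it.
    public override void Validate(string userName, string password)
    {
        if (userName == null || password == null)
            throw new ArgumentNullException();

        // Same error for an unknown user and a wrong password, so the
        // response does not reveal which user names exist.
        if (!_store.TryGetValue(userName, out PasswordRecord rec) ||
            !FixedTimeEquals(Derive(password, rec.Salt, rec.Iterations), rec.Hash))
        {
            throw new SecurityTokenException("Unknown user name or incorrect password.");
        }
    }

    // PBKDF2-HMAC-SHA256: deliberately slow, so a leaked store cannot be
    // brute-forced cheaply. This overload needs .NET Framework 4.7.2+ or
    // .NET Core 2.0+.
    private static byte[] Derive(string password, byte[] salt, int iterations)
    {
        using (var kdf = new Rfc2898DeriveBytes(password, salt, iterations, HashAlgorithmName.SHA256))
            return kdf.GetBytes(HashSize);
    }

    // Constant-time comparison: an early-exit == would leak, through timing,
    // how many leading bytes of the guess were correct.
    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}
```

To wire the validator into a service, set `host.Credentials.UserNameAuthentication.UserNamePasswordValidationMode` to `UserNamePasswordValidationMode.Custom` and assign an instance to `host.Credentials.UserNameAuthentication.CustomUserNamePasswordValidator` (or configure the same two settings under `serviceCredentials/userNameAuthentication` in the service's configuration file). Note that the validator is deliberately silent about which of the two checks failed, matching the rule that the verifier should not disclose whether a user name exists.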
III. Windows Authentication
In frequency of use, Integrated Windows Authentication (IWA) is probably second only to user name/password authentication, and for intranet applications built on Windows Active Directory (AD) it is the first choice. Almost every Microsoft product or development platform that needs authentication integrates with Windows authentication: IIS, SQL Server, ASP.NET and so on. WCF is no exception.
Windows authentication is the best way to achieve Single Sign-On (SSO). Whether in domain or workgroup mode, logging on to a machine with a Windows account and password yields a credential; until the current session expires, that Windows credential is carried automatically to every application integrated with Windows authentication, so the user does not have to keep entering the same account and password. If the logged-on account does not have permission to use the target application, the user can enter another Windows account and its password (if they have more than one account) and operate on the application under that identity, which does have the required permission.
Underneath, Windows uses two different authentication protocols: NTLM (NT LAN Manager) and Kerberos. For the general principles of these two mechanisms, see two articles I wrote earlier:
How does Windows security authentication work? [Kerberos]
How does Windows security authentication work? [NTLM]
The next article will focus on credentials based on X.509 digital certificates.