Tag archive: Security

Network Security Access Restrictions in Silverlight

References:

[1]http://msdn.microsoft.com/en-us/library/cc645032(VS.95).aspx

[2]http://msdn.microsoft.com/en-us/library/cc197955%28VS.95%29.aspx

[3]http://blogs.msdn.com/b/silverlightws/archive/2008/03/30/some-tips-on-cross-domain-calls.aspx


Which classes require network access permission?

WebClient and the HTTP classes in the System.Net namespace

The socket classes in the System.Net.Sockets namespace

The UdpAnySourceMulticastClient and UdpSingleSourceMulticastClient classes in the System.Net.Sockets namespace

Why is there a network security access restriction?

It adds a layer of protection by preventing a Silverlight application from initiating connections that the target host has not authorized. Without it, code running in a victim's browser could open connections to arbitrary hosts, which could be used for Denial of Service (DoS) attacks, DNS rebinding attacks and reverse tunnel attacks.

What is used to enforce the security policy in Silverlight?

Silverlight supports two types of security policy files:

                                  Flash policy file                            Silverlight policy file
  Origin                          Adobe Flash                                  Microsoft Silverlight
  Classes that can use this file  WebClient and HTTP classes in System.Net     WebClient and HTTP classes in System.Net;
                                                                               socket classes in System.Net.Sockets
  File name                       crossdomain.xml                              clientaccesspolicy.xml

Whichever file is used, it must be placed at the root of the domain where the service is hosted; the runtime fetches it from there before allowing the first cross-domain request to that host.

HTTP redirects for the policy file are not allowed: if the request for the policy file is redirected, the runtime treats the policy as unavailable and the cross-domain call fails with a SecurityException (access denied).[1]

For the format of the policy file, please visit http://msdn.microsoft.com/en-us/library/cc645032(VS.95).aspx
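As an added example (not from this post or the referenced MSDN pages), the following Python script shows two constructed clientaccesspolicy.xml documents in the documented format, one wide open and one restricted to a single calling site and path, and audits them for over-broad grants. It also computes where the runtime will look for the file (root of the host serving the service) and models the response rules above: a redirect is refused, anything other than 200 means no policy. The host names, paths and port range in the policies are made up for the example.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed example policies (not taken from any real site). Both follow the
# clientaccesspolicy.xml schema documented in reference [1].
PERMISSIVE_POLICY = """<?xml version="1.0" encoding="utf-8"?>
<access-policy>
  <cross-domain-access>
    <policy>
      <allow-from http-request-headers="*">
        <domain uri="*"/>
      </allow-from>
      <grant-to>
        <resource path="/" include-subpaths="true"/>
        <socket-resource port="4502-4534" protocol="tcp"/>
      </grant-to>
    </policy>
  </cross-domain-access>
</access-policy>"""

RESTRICTED_POLICY = """<?xml version="1.0" encoding="utf-8"?>
<access-policy>
  <cross-domain-access>
    <policy>
      <allow-from http-request-headers="SOAPAction">
        <domain uri="https://app.example.com"/>
      </allow-from>
      <grant-to>
        <resource path="/api/" include-subpaths="true"/>
      </grant-to>
    </policy>
  </cross-domain-access>
</access-policy>"""

WILDCARD_ORIGINS = {"*", "http://*", "https://*"}


def policy_url(service_url: str) -> str:
    """The policy file must sit at the root of the host that serves the service:
    same scheme, host and port, path /clientaccesspolicy.xml."""
    parts = urlsplit(service_url)
    return f"{parts.scheme}://{parts.netloc}/clientaccesspolicy.xml"


def audit_policy(xml_text: str) -> list:
    """Return a list of over-broad grants found in a clientaccesspolicy.xml document."""
    findings = []
    root = ET.fromstring(xml_text.encode("utf-8"))
    for n, policy in enumerate(root.iter("policy")):
        allow = policy.find("allow-from")
        grant = policy.find("grant-to")
        origins = [d.get("uri", "") for d in allow.iter("domain")] if allow is not None else []
        any_origin = any(o in WILDCARD_ORIGINS for o in origins)
        if any_origin:
            findings.append(f"policy {n}: allow-from admits any calling site ({', '.join(origins)})")
        if allow is not None and allow.get("http-request-headers") == "*":
            findings.append(f"policy {n}: callers may send arbitrary request headers")
        if grant is not None:
            for res in grant.findall("resource"):
                if res.get("path") == "/" and res.get("include-subpaths") == "true":
                    findings.append(f"policy {n}: the whole site is granted (path=/ with subpaths)")
            for sock in grant.findall("socket-resource"):
                if any_origin:
                    findings.append(f"policy {n}: {sock.get('protocol')} ports {sock.get('port')} "
                                    "are reachable from any origin")
    return findings


def check_policy_response(status: int, body: str) -> tuple:
    """Apply the runtime's rules to the HTTP response for the policy file: a redirect is
    refused outright (the client raises SecurityException, see [1]); anything but 200 means
    no policy and therefore no cross-domain access; a 200 body is parsed and audited."""
    if 300 <= status < 400:
        return "redirect", []
    if status != 200:
        return "missing", []
    return "ok", audit_policy(body)


if __name__ == "__main__":
    print(policy_url("https://api.example.com:8443/svc/Orders.svc"))
    for name, doc in (("permissive", PERMISSIVE_POLICY), ("restricted", RESTRICTED_POLICY)):
        print(name, check_policy_response(200, doc))
```

The audit treats a bare "*" and the scheme-prefixed wildcards as "any origin"; a wildcard combined with a socket-resource grant is the case to look for first, because it lets any page on the web open raw TCP connections to the listed ports from every visitor's machine.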

Computer Security–Comparisons - 1

Compare Password with Fingerprint Authentication

Password authentication relies on "something you know" (a secret), while fingerprint authentication relies on "something you are" (a biometric) to verify identity.

Besides, a password check is exact: the system compares the submitted password (or its hash) with the stored value and returns a yes/no answer. Fingerprint authentication instead scores the similarity between the stored template and the scanned sample and accepts if the score exceeds a threshold, so both false acceptances (an impostor passes) and false rejections (the legitimate user fails) are possible, and the threshold trades one off against the other.

Moreover, a fingerprint cannot be changed or revoked once it has been compromised, whereas a password can be changed as often as needed.

A fingerprint is also unique to each user, whereas different users may choose the same password.

Finally, a fingerprint, unlike a password, is not a secret: you leave copies of it on everything you touch.

Compare block cipher with stream cipher

A block cipher processes the message one fixed-size block at a time. Each block goes through multiple rounds of substitution and permutation, with a round key for each round derived by a (typically complex) key schedule.

A stream cipher processes the message bit by bit or byte by byte, typically by XORing it with a (pseudo)random keystream generated from the key; the same keystream must never be reused for two messages.
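As an added example (not from this post), the following Python code builds a toy 64-bit Feistel block cipher (substitution via a keyed round function, permutation via the half swap, round keys from a key schedule) and a toy stream cipher (XOR with a hash-based keystream), then demonstrates the characteristic failure mode of each when used naively: identical plaintext blocks under ECB give identical ciphertext blocks, and reusing a keystream lets an eavesdropper recover the XOR of two plaintexts. The round function, key schedule and keystream generator are SHA-256 constructions chosen only to keep the example short; they are not a real cipher design.

```python
import hashlib

BLOCK = 8      # 64-bit block: a toy size, chosen so the demo stays short
ROUNDS = 8


def key_schedule(key: bytes) -> list:
    """Key schedule: derive one 32-bit round key per round. Real ciphers have dedicated
    schedules; hashing key||round index stands in for one here."""
    return [hashlib.sha256(key + bytes([i])).digest()[:4] for i in range(ROUNDS)]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _round_function(half: bytes, rk: bytes) -> bytes:
    # Substitution step: a keyed, non-linear mapping of one 32-bit half
    return hashlib.sha256(rk + half).digest()[:4]


def encrypt_block(block: bytes, round_keys: list) -> bytes:
    """Feistel network: each round substitutes one half and permutes (swaps) the halves."""
    l, r = block[:4], block[4:]
    for rk in round_keys:
        l, r = r, _xor(l, _round_function(r, rk))
    return r + l                      # undo the final swap


def decrypt_block(block: bytes, round_keys: list) -> bytes:
    l, r = block[:4], block[4:]
    for rk in reversed(round_keys):   # same network, round keys in reverse order
        l, r = r, _xor(l, _round_function(r, rk))
    return r + l


def ecb_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """PKCS#7-pad, then encrypt block by block with no chaining (ECB mode)."""
    pad = BLOCK - len(plaintext) % BLOCK
    pt = plaintext + bytes([pad]) * pad
    rks = key_schedule(key)
    return b"".join(encrypt_block(pt[i:i + BLOCK], rks) for i in range(0, len(pt), BLOCK))


def ecb_decrypt(key: bytes, ciphertext: bytes) -> bytes:
    rks = key_schedule(key)
    pt = b"".join(decrypt_block(ciphertext[i:i + BLOCK], rks)
                  for i in range(0, len(ciphertext), BLOCK))
    return pt[:-pt[-1]]               # strip PKCS#7 padding


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Pseudorandom keystream: hashes of key||nonce||counter, concatenated."""
    out, ctr = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + ctr.to_bytes(8, "big")).digest()
        ctr += 1
    return out[:length]


def stream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stream cipher: XOR the message byte by byte with the keystream (encrypt == decrypt)."""
    return _xor(data, keystream(key, nonce, len(data)))


def ecb_repeats_blocks(key: bytes) -> bool:
    """Block cipher failure mode: identical plaintext blocks give identical
    ciphertext blocks, so structure in the message shows through."""
    ct = ecb_encrypt(key, b"ATTACK!!" * 3)
    blocks = [ct[i:i + BLOCK] for i in range(0, len(ct), BLOCK)]
    return blocks[0] == blocks[1] == blocks[2]


def keystream_reuse_leaks(key: bytes, p1: bytes, p2: bytes) -> bytes:
    """Stream cipher failure mode: two messages under the same key and nonce let an
    eavesdropper compute p1 XOR p2 from the ciphertexts alone, without the key."""
    nonce = b"same-nonce"
    c1 = stream_xor(key, nonce, p1)
    c2 = stream_xor(key, nonce, p2)
    return _xor(c1, c2)               # equals p1 XOR p2


if __name__ == "__main__":
    print(ecb_repeats_blocks(b"k"))                                    # True
    print(keystream_reuse_leaks(b"k", b"attack", b"defend") == _xor(b"attack", b"defend"))  # True
```

The two failure modes are different in kind: the ECB leak comes from applying a block cipher without chaining, and is fixed by a proper mode of operation; the keystream leak is inherent to any XOR stream cipher and is fixed only by never repeating a (key, nonce) pair.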

Compare computing a MAC for message authentication using conventional encryption with using a hash function.

When conventional (symmetric) encryption is used for authentication, only the sender and the receiver share the key, so a message that decrypts to something meaningful is taken to have come from the other party. A nonce or sequence number must be included to prevent replay attacks, and the message must have enough structure (redundancy) that the receiver can tell a genuine message from the garbage produced by decrypting a forged ciphertext.

A MAC can instead be computed with a one-way hash function over the message together with a secret shared by sender and receiver, and the resulting tag is appended to the message.

Using a hash function is faster than using encryption in software and cheaper in hardware. Hash functions were also not subject to the US export controls that applied to encryption at the time, and not covered by the patents that encumbered some ciphers.

Compare MD5 with HMAC-MD5.

MD5 is a hash algorithm that processes its input in 512-bit blocks and produces a 128-bit digest. It takes no key, so anyone can compute the digest of any message, and a plain MD5 digest therefore provides no authentication. HMAC-MD5 is a MAC built from MD5: it mixes a secret key into two nested MD5 computations, HMAC(K, M) = MD5((K xor opad) || MD5((K xor ipad) || M)), so only a holder of the key can produce or verify a valid tag. That is the sense in which it is more secure than MD5 alone. Note that MD5 itself is collision-broken; the known collision attacks do not directly break HMAC-MD5, but new designs should use HMAC with SHA-256 or stronger.
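As an added example (not from this post) covering both the MAC comparison above and the MD5 versus HMAC-MD5 question, the following Python code implements HMAC-MD5 by hand as specified in RFC 2104, cross-checks it against the standard library, shows why an unkeyed digest can be forged while a keyed MAC cannot, and builds a small sender/receiver pair in which a sequence number is authenticated along with the payload so that a captured packet is rejected on replay. The message contents and the key are made up for the example; the two expected digests are the RFC 2202 test vectors.

```python
import hashlib
import hmac

BLOCK_SIZE = 64     # MD5 compresses its input in 64-byte (512-bit) blocks
TAG_SIZE = 16       # MD5 digest: 128 bits


def hmac_md5(key: bytes, msg: bytes) -> bytes:
    """HMAC as specified in RFC 2104, instantiated with MD5:
    MD5((K' xor opad) || MD5((K' xor ipad) || msg)), K' = key padded to the block size."""
    if len(key) > BLOCK_SIZE:
        key = hashlib.md5(key).digest()            # over-long keys are hashed first
    key = key.ljust(BLOCK_SIZE, b"\x00")           # then zero-padded to one block
    ipad = bytes(k ^ 0x36 for k in key)
    opad = bytes(k ^ 0x5C for k in key)
    inner = hashlib.md5(ipad + msg).digest()
    return hashlib.md5(opad + inner).digest()


def matches_stdlib(key: bytes, msg: bytes) -> bool:
    """Cross-check the hand-written HMAC against Python's hmac module."""
    return hmac_md5(key, msg) == hmac.new(key, msg, hashlib.md5).digest()


def verify_unkeyed(msg: bytes, tag: bytes) -> bool:
    return hashlib.md5(msg).digest() == tag


def verify_keyed(key: bytes, msg: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(hmac_md5(key, msg), tag)   # constant-time comparison


def tamper_test(key: bytes) -> tuple:
    """Why a keyed MAC and not a bare digest: an attacker who alters the message can
    recompute an unkeyed MD5 'tag' to match, but cannot recompute HMAC without the key.
    Returns (unkeyed check accepts the forgery, keyed check accepts the forgery)."""
    original, forged = b"transfer 10 to bob", b"transfer 10 to eve"
    unkeyed = verify_unkeyed(forged, hashlib.md5(forged).digest())   # attacker recomputed it
    keyed = verify_keyed(key, forged, hmac_md5(key, original))       # best the attacker can do
    return unkeyed, keyed


def tag_message(key: bytes, seq: int, payload: bytes) -> bytes:
    """Sender side: the sequence number (the nonce against replay) is authenticated
    together with the payload, and the tag is appended to the message."""
    body = seq.to_bytes(4, "big") + payload
    return body + hmac_md5(key, body)


class Receiver:
    """Receiver side: verify the tag first, then reject any sequence number that does
    not advance, so a captured packet cannot be replayed."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_seq = -1

    def accept(self, packet: bytes) -> tuple:
        body, tag = packet[:-TAG_SIZE], packet[-TAG_SIZE:]
        if not verify_keyed(self.key, body, tag):
            return None, "bad tag"
        seq = int.from_bytes(body[:4], "big")
        if seq <= self.last_seq:
            return None, "replay"
        self.last_seq = seq
        return body[4:], "ok"


if __name__ == "__main__":
    print(hmac_md5(b"Jefe", b"what do ya want for nothing?").hex())   # RFC 2202 test case 2
    rx = Receiver(b"shared secret")
    pkt = tag_message(b"shared secret", 1, b"hello")
    print(rx.accept(pkt), rx.accept(pkt))                            # accepted, then replay
```

The receiver checks the tag before looking at the sequence number, so an attacker cannot probe the replay window with unauthenticated packets; the tag comparison uses hmac.compare_digest so that a byte-by-byte early exit does not leak how much of a guessed tag was correct.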