SCAAS: A Secure Authentication and Access Control System for Web Application Development
Hwang, Drew, Wang, Wendy, Politte, Blake, Communications of the IIMA
User authentication and data access are becoming two of the most common areas for web attacks. Most security vulnerabilities occur in areas of coding where Web security has lapsed. This paper describes the design and development of a Secure Authentication and Access Control System (SCAAS) implemented as a reusable library that provides data driven and encryption based authentication and access control for the use with ASP.NET applications.
Web sites today face many threats to the confidentiality and integrity of the data used and the functionality provided by the application. This problem is compounded by the fact that Web developers are simply lack of either adequate knowledge and skills in writing secure Web application codes (Huang et al., 2005) or sufficient testing methodologies for the audit and control of Web development (Mansouir and Houri, 2006). Works in the design and implementation of security measures for Web applications are greatly in need.
User authentication and data access are becoming two of the most common areas for web attacks when procedures such as single sign-on and authentication delegation have become practically indispensable for e-business environment (Paulus, 2001). These two types of on-line vulnerability can be counterattacked by securing user account database that opens the gate of the application and by encrypting SQL connection that leads to the data store.
This paper describes the design and development of a Secure Authentication and Access Control System, herein referred to as SCAAS, implemented as a reusable library that provides data-driven and encryption-based authentication and access control for the use with ASP.NET applications. SCAAS employs Microsoft SQL Server to persist the security definitions that the SCAAS run-time system utilizes. The SCAAS database will be herein referred to as the SCAAS User Registry. The system also provides an ASP.NET based administration application that is used to maintain the data in the SCAAS User Registry.
SCAAS consists of four major components. Their definition and functionalities are described as follows:
This is the core of the SCAAS run-time application and a .NET library written in C#. Included in the namespace are four classes that make up the SCAAS Framework: SCAASManager, SCAASManagerHelper, SCAASDataProtector, and SCAASException. These classes will be further discussed in Section 3.
SCAAS User Registry
This is a Microsoft SQL database named UserAccounts that provides the basis for the SCAAS User Registry. The SCAAS Framework works closely with the UserAccounts database. Any connectivity between the SCAAS framework and the UserAccounts database is done securely with .NET enabled encryption and decryption procedures. The SCAAS User Registry can be updated through the SCAASAdmin ASP.net application included in the system.
SCAAS Admin ASP.NET Application
This is the ASP.NET application developed to update the SCAAS User Registry. This application utilizes the FormsAuthentication mode of the SCAAS Framework. Because of this, the application also serves as a good example of an implementation of the FormsAuthentication mode of the SCAAS framework.
DPAPIClientWeb ASP.NET Application
This is the utility application that is vital to get the SCAAS run-time to operate correctly. This ASP.NET application is used to generate encrypted connection strings used by both the SCAAS run-time as well as client applications that wish to use the SCAAS secure database connection management SCAAS API.
THE SCASS FRAMEWORK
The SCAAS framework is the core component of the SCAAS system and is based on Microsoft's Forms Authentication model for authentication and authorization of ASP.NET applications. Microsoft's Forms Authentication model is not a complete security solution but rather the bits and pieces required to be built upon. …