Estimated reading time: 3 minutes

Backing Enclave.NET with Azure Key Vault

Recently I created the Enclave.NET project, and it shipped with a simple in-memory storage service. It’s not particularly useful in it’s current form, so I created a sample a couple weeks ago that used Azure Key Vault as the storage and crypto service. But Why? Of course, you might be wondering why you’d want to use Enclave.NET this way, since Key Vault already provides isolation given that it’s hosted far away from your service. The obvious answer is that maybe you wouldn’t use it this way — it IS isolated enough. That said, this does provide you with some extra…

Estimated reading time: 1 minute

Creating Authority-Signed Certificates using PowerShell

Recently I came across an interesting parameter of the New-SelfSignedCertificate PowerShell cmdlet — the -Signer parameter. This parameter allows you to provide a reference to an already-existing certificate that can be used to sign the newly-created certificate. This turns out to be an extremely useful little feature because sometimes you just need chained certificates to test stuff (so much so that I wrote a library that does this for me). Not surprisingly, this cmdlet is much easier to use. $ca = New-SelfSignedCertificate -DnsName “My Certificate Authority” -CertStoreLocation “cert:\LocalMachine\My” New-SelfSignedCertificate -DnsName “” -CertStoreLocation “cert:\LocalMachine\My” -signer $ca And voilà.

Estimated reading time: 5 minutes

Enclave.NET: A Secure-ish Crypto Execution Module

There’s a common problem that many applications run in to when executing cryptographic operations, and that’s the fact that the keys they use tend to exist within the application itself. This is problematic because there’s no protection of the keys — the keys are recoverable if you get a dump of the application memory, or you’re able to execute arbitrary code within the application. The solution to this problem is relatively straightforward — keep the keys out of the application. In order for that to be effective you need to also move the crypto operations out of the application too….

Estimated reading time: 3 minutes

Setting Build Versions for Visual Studio Online

Earlier we looked at how to build and package and then deploy nuget packages. One thing (of many) I glossed over was that whole version thing. It turns out versioning is really difficult to do. It’s kind of like naming things. There are 2 hard problems in computer science: cache invalidation, naming things, and off-by-1 errors. — Leon Bambrick (@secretGeek) January 1, 2010 I’m not going to go into the virtues of one method (like semantic versioning) over others, but really just going to show how I set it up so my silly little project always has an incrementing version…

Estimated reading time: 5 minutes

Automated Package Deployments using Visual Studio Online

Earlier we looked at the automated building and packaging of Kerberos.NET using VS Online. At this point the only thing we get out of it in this state is knowing the code compiles and any tests pass — which I suppose is actually quite a feat on it’s own considering I had no indicator of either when I started. We can, of course, do better! The last piece we need is automated publishing of the final nuget package to the feed for others to consume. As it turns out this is relatively straightforward to do. The process is: Defining artifacts…

Estimated reading time: 9 minutes

Automated Builds of Kerberos.NET Using Visual Studio Online

The next logical step for the Kerberos.NET project is setting up automated builds and releases. What exactly does this entail? Basically, I want a build to kick off any time changes are committed to the main repo, and automatically generate a production-ready Nuget package that is available to upload if deemed worthy of release. If you’ve done any sort of build automation or release management before, you’ve got a pretty good idea of how to make this work. For a given build service do the following: Observe changes to repo Pull down changes Build project(s) Package the packages Artifact the…

Estimated reading time: 7 minutes

Porting Kerberos.NET to .NET Core

I started the Kerberos.NET project with a simple intention: be able to securely parse Kerberos tickets for user authentication without requiring an Active Directory infrastructure. This had been relatively successful so far, but one major milestone that I hadn’t hit yet was making sure it worked with .NET Core. It now works with .NET Core. Porting a Project There is no automated way to port a project to .NET Core. This is because it’s a fundamentally different way of doing things in .NET and things are bound to break (I’m sure that’s not actually the reason). There is documentation available,…

Estimated reading time: 5 minutes

Active Directory Claims and Kerberos.NET

Active Directory has had the ability to issue claims for users and devices since Server 2012. Claims allow you to add additional values to a user’s kerberos ticket and then make access decisions based on those values at the client level. This is pretty cool because you normally can only make access decisions based on group membership, which is fairly static in nature. Claims can change based on any number of factors, but originate as attributes on the user or computer object in Active Directory. Not so coincidentally, this is exactly how claims on the web work via a federation…

Estimated reading time: 4 minutes

Kerberos.NET and the KeyTab File

Kerberos requires the use of shared secrets to validate tickets. These secrets need to be stored somewhere. Windows stores them in the registry — the Security hive specifically. Other platforms store them in keytab files. Keytab files are useful because they’re a well known construct and are supported by many platforms. What’s interesting about them is that they store the derived value used to encrypt the ticket, and not the real secret. This means you don’t need to worry about how the salt is derived, and can just use the value without having to know how to manipulate the underlying…

Estimated reading time: 11 minutes

On Adding AES Support to Kerberos.NET

It’s been a few months since there’s been any public activity on the project but I’ve quietly been working on cleaning it up and there’s even been a PR from the community (thanks ZhongZhaofeng!). Part of that clean up process has been adding support for AES 128/256 tokens. At first glance you might think it’s fairly trivial to do — just run the encrypted data through an AES transform and you’re good to go — but let me tell you: it’s not that simple. On Securing Shared Secrets There’s primarily one big difference between how RC4 and AES are used in…