December 31, 2018
Why is Kerberos Terrible?
August 21, 2018
On Token Binding
If you haven’t heard we’re lighting up Token Binding on all our important services. Azure AD is one of the first to take advantage of this. Check out what Alex and Pamela have to say on the topic. One of the most important of these improvements is the Token Binding family of specifications which is now well on its way towards final ratification at the Internet Engineering Task Force (IETF). (If you want to learn more about token binding, watch this great presentation by Brian Campbell.) At Microsoft, we believe that the Token Binding can greatly improve the security of…
October 15, 2017
Creating Custom Windows Credential Providers in .NET
If you’ve ever had an experience with Credential Providers in the past, you may think the title of this post is insane — it’s not. I recently came across an interesting Github project that showed it was theoretically possible. I wanted to see if I could replicate the results myself without digging too deeply into how they did it. As it happens, I could. I created a sample project that outlines how you can do it on Github: CredProvider.NET Historically, Credential Providers have been complex components to write because they’re COM-based, and because they have weird restrictions you have to…
September 1, 2017
Backing Enclave.NET with Azure Key Vault
Recently I created the Enclave.NET project, and it shipped with a simple in-memory storage service. It’s not particularly useful in it’s current form, so I created a sample a couple weeks ago that used Azure Key Vault as the storage and crypto service. But Why? Of course, you might be wondering why you’d want to use Enclave.NET this way, since Key Vault already provides isolation given that it’s hosted far away from your service. The obvious answer is that maybe you wouldn’t use it this way — it IS isolated enough. That said, this does provide you with some extra…
August 29, 2017
Creating Authority-Signed Certificates using PowerShell
Recently I came across an interesting parameter of the New-SelfSignedCertificate PowerShell cmdlet — the -Signer parameter. This parameter allows you to provide a reference to an already-existing certificate that can be used to sign the newly-created certificate. This turns out to be an extremely useful little feature because sometimes you just need chained certificates to test stuff (so much so that I wrote a library that does this for me). Not surprisingly, this cmdlet is much easier to use. $ca = New-SelfSignedCertificate -DnsName “My Certificate Authority” -CertStoreLocation “cert:\LocalMachine\My” New-SelfSignedCertificate -DnsName “child.domain.com” -CertStoreLocation “cert:\LocalMachine\My” -signer $ca And voilà.
August 21, 2017
Enclave.NET: A Secure-ish Crypto Execution Module
There’s a common problem that many applications run in to when executing cryptographic operations, and that’s the fact that the keys they use tend to exist within the application itself. This is problematic because there’s no protection of the keys — the keys are recoverable if you get a dump of the application memory, or you’re able to execute arbitrary code within the application. The solution to this problem is relatively straightforward — keep the keys out of the application. In order for that to be effective you need to also move the crypto operations out of the application too….
August 18, 2017
Setting Build Versions for Visual Studio Online
Earlier we looked at how to build and package and then deploy nuget packages. One thing (of many) I glossed over was that whole version thing. It turns out versioning is really difficult to do. It’s kind of like naming things. There are 2 hard problems in computer science: cache invalidation, naming things, and off-by-1 errors. — Leon Bambrick (@secretGeek) January 1, 2010 I’m not going to go into the virtues of one method (like semantic versioning) over others, but really just going to show how I set it up so my silly little project always has an incrementing version…
August 18, 2017
Automated Package Deployments using Visual Studio Online
Earlier we looked at the automated building and packaging of Kerberos.NET using VS Online. At this point the only thing we get out of it in this state is knowing the code compiles and any tests pass — which I suppose is actually quite a feat on it’s own considering I had no indicator of either when I started. We can, of course, do better! The last piece we need is automated publishing of the final nuget package to the feed for others to consume. As it turns out this is relatively straightforward to do. The process is: Defining artifacts…