Saturday, February 23, 2008

The Root and Top-Level Nameservers

I was reading Web Security, Privacy & Commerce by Simson Garfinkel, and it was interesting to learn that there are only 13 DNS root servers on the internet, which are responsible for resolving the addresses of the top-level domain servers (e.g. .com, .org, .net). For example, when you type unesco.org in the address bar of your browser, the address is resolved from right to left. The client computer asks one of these 13 root servers for the address of the .org server, which in turn is responsible for fetching the address of unesco.org. The address format of the root servers is X.ROOT-SERVERS.NET, where X ranges from A to M.

Your initial guess may be that most of these servers are in the United States, but this is not correct. Most of the physical root servers are outside the United States, distributed across multiple locations on different continents. Check the full list here: root-servers.org

The root servers are completely transparent to internet users; they are the hidden side of the internet. They are critical points in the network, which is why they are carefully watched and monitored. As all traffic depends on these 13 servers, if they crashed or behaved unexpectedly, internet users would have to memorize IP addresses to be able to navigate the internet. Needless to say, referrals, ads and even bookmarks would be unreachable without these 13 servers.


Saturday, February 16, 2008

Securing Configurations

Have you ever wanted to add a level of protection to the values in your configuration files? aspnet_regiis can encrypt the configuration section(s) in your config files. The executable resides in "<windows_root>\Microsoft.NET\Framework\<framework_version>" and is commonly used to install ASP.NET on IIS. However, you can also use it to encrypt and decrypt configuration files.

Here is the command line for encrypting a section in the web.config of the SecureWebProj application:

aspnet_regiis.exe -pe connectionStrings -app /SecureWebProj

The -pe option tells the executable to encrypt the specified section. Use -pd instead of -pe to decrypt the section and restore its original values. The -app option specifies the application's virtual path.

After encrypting the connectionStrings section, the web.config will look like this:

<connectionStrings configProtectionProvider="RsaProtectedConfigurationProvider">
  <EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element" xmlns="http://www.w3.org/2001/04/xmlenc#">
    <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc" />
    <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
      <EncryptedKey xmlns="http://www.w3.org/2001/04/xmlenc#">
        <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5" />
        <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
          <KeyName>Rsa Key</KeyName>
        </KeyInfo>
        <CipherData>
          <CipherValue>j2E3lO/bMp8ljiDFKhRJu33zVD0mrXD7k5WV4nQ5uNJEav7cKcjhtO1ztCfxJw7ZE5uNdj+THVwJroZBoPEhtPAISPH75Zq
5C1G+5WOLcBwBBzbcp7C6i6U7+/IWmThTNFRAEdQp/lHryDkapep4MNUCGNZlcVLlmX0n/bqZEoE=</CipherValue>
        </CipherData>
      </EncryptedKey>
    </KeyInfo>
    <CipherData>
      <CipherValue>D/Z9ZyH7P+9e3kDi5gLevpdqbjwia0uQ/cOB0gHVXc8=</CipherValue>
    </CipherData>
  </EncryptedData>
</connectionStrings>


Sometimes you just need to point the operation directly at the application's physical path. This is useful if you are using the ASP.NET Development Server instead of IIS.
aspnet_regiis.exe -pef connectionStrings E:\Projects\SecureWebProj

Encrypting the configuration sections won't prevent you from accessing the configuration values from your code. If you have already completed the project and need to encrypt some sections inside the configuration files, you don't have to modify your application code. The code will still run properly and won't be affected by the encryption changes.

The nice part is that you can encrypt the web.config sections even within your code. The following sample encrypts the connectionStrings section in the web.config of SecureWebProj:

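using System.Configuration;
using System.Web.Configuration;
// Open the web.config of the SecureWebProj virtual application.
Configuration cfg = WebConfigurationManager.OpenWebConfiguration("/SecureWebProj");
ConnectionStringsSection section = (ConnectionStringsSection)cfg.GetSection("connectionStrings");
// Encrypt the section with the RSA provider, then write the file back.
section.SectionInformation.ProtectSection("RsaProtectedConfigurationProvider");
cfg.Save();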


You may ask: this is an encryption operation, so where are the encryption keys? Each .NET installation creates by default a new key container on your machine, formally called NetFrameworkConfigurationKey. It contains the keys the providers need to work. However, you can also create a new key container using aspnet_regiis.
aspnet_regiis.exe -pc SecureKeyContainerName -exp

You can find more about securing your key containers in this MSDN entry: Securing ASP.NET Configuration. In the latter command line, the -exp option means that the key container is exportable. You can export this container to an XML file and use it on any other machine. This is useful if your application is running in a web farm and you want to share the encrypted configuration across the farm machines.
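To confirm that the encryption step actually ran on a deployed file, the protected-section structure shown above can be checked mechanically. This is an added example, not code from the original post; the sample web.config, the SENSITIVE list and the function name are constructed for illustration.

```python
import xml.etree.ElementTree as ET

XMLENC = "http://www.w3.org/2001/04/xmlenc#"
SENSITIVE = ("connectionStrings", "appSettings")  # assumed list of sections to audit

# Constructed sample: one protected section, one left in plaintext.
SAMPLE = """<configuration>
  <appSettings>
    <add key="ApiKey" value="constructed-sample-value" />
  </appSettings>
  <connectionStrings configProtectionProvider="RsaProtectedConfigurationProvider">
    <EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element" xmlns="http://www.w3.org/2001/04/xmlenc#">
      <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc" />
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <EncryptedKey xmlns="http://www.w3.org/2001/04/xmlenc#">
          <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5" />
          <CipherData><CipherValue>AAAA</CipherValue></CipherData>
        </EncryptedKey>
      </KeyInfo>
      <CipherData><CipherValue>AAAA</CipherValue></CipherData>
    </EncryptedData>
  </connectionStrings>
</configuration>"""

def audit_config(xml_text, sensitive=SENSITIVE):
    """Return {section: {state, provider, algorithms}} for each audited section found."""
    report = {}
    for section in ET.fromstring(xml_text).iter():
        name = section.tag.rsplit("}", 1)[-1]  # drop any '{namespace}' prefix
        if name not in sensitive:
            continue
        provider = section.get("configProtectionProvider")
        enc = section.find(f"{{{XMLENC}}}EncryptedData")
        algorithms = []
        if enc is not None:
            algorithms = [m.get("Algorithm", "").rsplit("#", 1)[-1]
                          for m in enc.iter(f"{{{XMLENC}}}EncryptionMethod")]
        if provider and enc is not None:
            state = "encrypted"
        elif provider or enc is not None:
            state = "inconsistent"  # attribute and payload disagree
        else:
            state = "plaintext"
        report[name] = {"state": state, "provider": provider, "algorithms": algorithms}
    return report

if __name__ == "__main__":
    for name, info in audit_config(SAMPLE).items():
        print(name, info)
```

Run against a real file by passing its contents to audit_config; a "plaintext" or "inconsistent" result for connectionStrings means the -pe/-pef step was skipped or the file was edited afterwards.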



Thursday, February 14, 2008

Mohammed Hossam @ Microsoft

Great news! My dear friend, Mohammed Hossam, will join the Microsoft Live Team next May. Mohammed is one of the best technical professionals I have ever met. You can see that from his blog posts, sessions, initiatives and technical side talks. Mohammed is so effective in his work, and his knowledge is always spread among the team. You can feel his innovation, spirit and knowledge when you work with him. He is one of the few guys who are always up to date with new technologies and, not only that, he tries to use them in real projects if they really fit the needs.

We will miss you Mohammed. We wish you all the best of luck in Microsoft. Keep in touch!


Sunday, February 03, 2008

Survey Results

On December 29th, a survey was published for the public to answer (for more details, check this post). Here are the results of the survey:

Download the Survey Results: 2008_Survey_Results.zip

[Update] This attempt should be considered a start toward confirming the benefits of this kind of survey. The results may appear to contain some illogical information. Unfortunately, we have only 150 participants. Needless to say, the more participants you get, the more accurate the results. But I still promised to publish the results, even with this small number of participants. I hope to see more similar and effective attempts in the future from authorized and independent organizations in Egypt.