Last week I showed a peculiar XML Signature that validates even though the containing document was changed. The reason is that the signature lacks References. Before explaining what’s wrong with the signature – and with the validation code, we’ll have a look at how XML Signatures work. XML DSig Primer XML in general is a… Continue reading XML Signatures and References
Tag: Security
An Always Valid XML Signature
XML Signatures are powerful, but also a bit tricky to get right. Here’s a challenge: I have a signature that will validate, even though the contents of the XML document are altered. This is the “magic” signature that validates regardless of what XML document it is placed in. <Signature xmlns="http://www.w3.org/2000/09/xmldsig#"> <SignedInfo> <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315" /> <SignatureMethod… Continue reading An Always Valid XML Signature
Secure Account Activation with ASP.NET Identity
Distribution of credentials to new users of a system is often done in an insecure way, with passwords being sent over unsecure e-mail. With ASP.NET Identity, the password recovery functionality can be used to create a secure account activation mechanism. The scenario for ASP.NET Identity, in the default MVC template is to let users self… Continue reading Secure Account Activation with ASP.NET Identity
SAML2 for Thinktecture IdentityServer 3 with Kentor.AuthServices
Using the Kentor.AuthServices SAML2 Service Provider with Thinktecture IdentityServer 3 bridges the gap between SAML2 and OAuth2/OpenID Connect. Thinktecture IdentityServer 3 support clients using the modern OAuth2 and OpenID Connect protocols. It can either have a local account database through e.g. ASP.NET Identity, or use external authentication services. By registering Kentor.AuthServices with IdentityServer, IdentityServer can… Continue reading SAML2 for Thinktecture IdentityServer 3 with Kentor.AuthServices
Catching the System.Web/Owin Cookie Monster
Cookies set through the Owin API sometimes mysteriously disappear. The problem is that deep within System.Web, there has been a cookie monster sleeping since the dawn of time (well, at least since .NET and System.Web was released). The monster has been sleeping for all this time, but now, with the new times arriving with Owin,… Continue reading Catching the System.Web/Owin Cookie Monster