Solved

User Module

Posted on 2006-07-10
6
353 Views
Last Modified: 2010-04-17
Hi guys,
I need to add some security to my application, but I don't know what the best option would be. I have an application with three options; some users can access options 1 and 2 and others can access option 3.
My application is built in ASP.NET with SQL Server 2005.
What can I do? Should I create a table and attach the info in the program? Or what else can I do?
0
Question by:Carolinat
6 Comments
 
LVL 18

Expert Comment

by:JoseParrot
Hi,

It is difficult to bound relative security, as it depends on individual points of view. Assuming your application doesn't need a 128-bit cryptographic key, you can choose from a simple algorithm to create a two-column list (ID and password), storing each entry by applying boolean operations with your own key, up to more intricate algorithms with real security at varying levels. There is a good paper on that second approach at http://csrc.nist.gov/nissc/1997/proceedings/128.pdf

A very basic, simple one (easy for hackers to break, but enough for elementary protection) is given in the following pseudocode:

KEY ENTRY
1. You create a 32 ASCII key. It is the byte array KEY[1...4]
2. Call verify(key,32)
3. If OK, go ahead. Go to 1 otherwise.

USER PASSWORD ENTRY
1. User enters an 8 ASCII password. It is userPW.
2. call verify(password,8)
3. If OK, go ahead. Go to 1 otherwise.
4. For each byte key of your 32 bits key do:
   SecureByteUser[1] = userPW XOR KEY[1]
   SecureByteUser[2] = userPW AND KEY[2]
   SecureByteUser[3] = userPW OR KEY[3]
   SecureByteUser[4] = sum(SecureByteUser[1,2,3])

function verify(string, len)
if compliant to rules return TRUE else return FALSE
(rules: 8 chars, must have 1..9, must have lower and upper case, etc.)

You can improve that by using the directions in the paper. As is, this is an extremely primitive algorithm, but it is a beginning. BTW, you will store the list in a SQL Server table accessed only by you (or by Admin).

Another strategy is to create groups with specific profiles such that the application checks for permissions, based on the groups. This is applicable if each user has his/her own SQL password or the application has different levels for each group.

Hope this helps.

Jose
0
 
LVL 7

Expert Comment

by:yotamsher
Hey Carolinat,

It is not clear what you are asking for.
My guess is that you are talking about a permissioning mechanism + user authentication, meaning the user has to pass through a login screen and then only gets the appropriate option.
Is that correct?
How secure should it be?
Are you moving some web application to the internet?
Is the computer containing the DB going to be exposed to the internet?

Sorry to ask so many questions, but server security is tricky.

Yotam
0
 

Author Comment

by:Carolinat
Hi Yotam,

Here are my answers:

My guess is that you are talking about a permissioning mechanism + user authentication, meaning the user has to pass through a login screen and then only gets the appropriate option.
Is that correct? YES

How secure should it be? FOR NOW IT'S FOR INTERNAL USE, BUT IN A COUPLE OF MONTHS IT WILL HAVE TO BE FOR INTERNET ACCESS. I HAVE THE APPLICATION ON MY PC AND I NEED TO MOVE IT TO THE SERVER FOR TESTING AND FOR PRODUCTION.

Are you moving some web application to the internet? NO

Is the computer containing the DB going to be exposed to the internet? THE SERVER WILL HAVE BOTH THE APPLICATION AND THE DATABASE.

WHAT IS THE BEST OPTION TO ADD SECURITY TO THE APPLICATION?
0
 
LVL 18

Accepted Solution

by:JoseParrot (earned 500 total points)
Hi Carolinat,

First, the 2-layer architecture is best solved by 2 separate servers: one for the application and a second for the database. To be less expensive, we can run both database and application on just one server, but it is more exposed to security issues.

If the users log in directly to the SQL Server database, then the permissions are set in the application commands to SQL. It is a simple solution.

If your application logs in to SQL, your application must identify the users and grant them access to the application. In general, developers make a separate Access Module or Authentication Module. Even in this case, access control by SQL Server is better.

So, you can create two user groups: user12 and user3. Each one has a login in the SQL database. The Database Administrator, using definitions created by the application owner, grants access to each table to the groups. In the application login, the individual user is identified as a member of one or the other group. From this point, SQL Server assumes the access control.

This way, the only thing you have to do is let SQL do the job.

Regards,

Jose
0
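The group-based scheme described in the accepted solution, written out as an added T-SQL example for SQL Server 2005 (this is not code from the thread): two database roles stand in for the user12 and user3 groups, each granted only the tables behind its options, followed by a check that the engine enforces the boundary. The database, table, login and password names are placeholders.

```sql
-- Added example (not from the thread). AppDb, dbo.Option1Data/2/3, alice, bob
-- and the passwords are placeholders; replace them with your own values.
USE AppDb;
GO

-- Constructed tables standing in for the data behind options 1, 2 and 3.
CREATE TABLE dbo.Option1Data (Id INT PRIMARY KEY, Payload NVARCHAR(100));
CREATE TABLE dbo.Option2Data (Id INT PRIMARY KEY, Payload NVARCHAR(100));
CREATE TABLE dbo.Option3Data (Id INT PRIMARY KEY, Payload NVARCHAR(100));

-- The two groups from the thread, modelled as database roles.
CREATE ROLE user12;   -- may use options 1 and 2
CREATE ROLE user3;    -- may use option 3 only

-- Grant each role only the tables behind its options. Nothing else is
-- granted, so any table not listed here is unreachable by default.
GRANT SELECT, INSERT, UPDATE ON dbo.Option1Data TO user12;
GRANT SELECT, INSERT, UPDATE ON dbo.Option2Data TO user12;
GRANT SELECT, INSERT, UPDATE ON dbo.Option3Data TO user3;

-- One login and one database user per person (no shared accounts), then
-- membership in exactly one group. CHECK_POLICY enforces the Windows
-- password policy on the SQL login.
CREATE LOGIN alice WITH PASSWORD = 'ReplaceWithStrongPassword1!', CHECK_POLICY = ON;
CREATE USER alice FOR LOGIN alice;
EXEC sp_addrolemember 'user12', 'alice';

CREATE LOGIN bob WITH PASSWORD = 'ReplaceWithStrongPassword2!', CHECK_POLICY = ON;
CREATE USER bob FOR LOGIN bob;
EXEC sp_addrolemember 'user3', 'bob';
GO

-- Check: run as alice and confirm the engine, not the UI, decides access.
-- Expected: can_read_option1 = 1, can_read_option3 = 0.
EXECUTE AS USER = 'alice';
SELECT HAS_PERMS_BY_NAME('dbo.Option1Data', 'OBJECT', 'SELECT') AS can_read_option1,
       HAS_PERMS_BY_NAME('dbo.Option3Data', 'OBJECT', 'SELECT') AS can_read_option3;
REVERT;
GO
```

When the application connects as the individual user's login rather than a shared account, a request for option 3 data by a user12 member fails inside SQL Server even if the page that issued it was reached by mistake.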
