Solved

User Module

Posted on 2006-07-10
6
Medium Priority
408 Views
Last Modified: 2010-04-17
Hi guys,
I need to add some security to my application. But I don't know what could be the best option to do it. I have an application with three options; some users can access options 1 and 2 and others can access option 3.
My application is built in ASP.NET with SQL Server 2005.
What can I do? Should I create a table and attach the info in the program? Or what else can I do?
0
Comment
Question by:Carolinat
4 Comments
 
LVL 18

Expert Comment

by:Jose Parrot
ID: 17073350
Hi,

It is difficult to bound relative security, as it depends on individual points of view. By assuming your application doesn't need a 128-bit cryptographic key, you can choose from a simple algorithm that creates a two-column list (ID and password), storing each datum by using boolean operations with your own key, to a more intricate algorithm with real security at varying levels. There is a good paper on that second approach at http://csrc.nist.gov/nissc/1997/proceedings/128.pdf

A very basic, simple one (easy for hackers to open, but enough for elementary protection) is given in the following pseudocode:

KEY ENTRY
1. You create a 32 ASCII key. It is the byte array KEY[1...4]
2. Call verify(KEY, 32)
3. If OK, go ahead. Go to 1 otherwise.

USER PASSWORD ENTRY
1. User enters an 8 ASCII password. It is userPW.
2. Call verify(userPW, 8)
3. If OK, go ahead. Go to 1 otherwise.
4. For each byte of your 32-bit key do:
   SecureByteUser[1] = userPW XOR KEY[1]
   SecureByteUser[2] = userPW AND KEY[2]
   SecureByteUser[3] = userPW OR KEY[3]
   SecureByteUser[4] = sum(SecureByteUser[1,2,3])

function verify(string, len)
if compliant to rules return TRUE else return FALSE
(rules: 8 chars, must have a digit 1..9, must have lower and upper case, etc.)

You can improve that by using the directions in the paper. As is, this is an extremely primitive algorithm, but it is a beginning. BTW, you will store the list in a SQL Server table accessed only by you (or by Admin).

Another strategy is to create groups with specific profiles such that the application checks for permissions, based on the groups. This is applicable if each user has his/her own SQL password or the application has different levels for each group.

Hope this helps.

Jose
0
 
LVL 7

Expert Comment

by:yotamsher
ID: 17073843
Hey Carolinat,

It is not clear what you are asking for.
My guess is that you are talking about a permissioning mechanism + user authentication, meaning the user has to pass through a login screen, and then only gets the appropriate option.
Is that correct?
How secure should it be?
Are you moving some web application to the internet?
Is the computer containing the DB gonna be exposed to the internet?

Sorry to ask so many questions, but well, server security is tricky.

Yotam
0
 

Author Comment

by:Carolinat
ID: 17074189
Hi Yotam,

Here are my answers:

My guess is that you are talking about a permissioning mechanism + user authentication, meaning the user has to pass through a login screen, and then only gets the appropriate option.
Is that correct? YES

How secure should it be? FOR NOW IT'S FOR INTERNAL USE, BUT IN A COUPLE OF MONTHS IT WILL HAVE TO BE FOR INTERNET ACCESS. I HAVE THE APPLICATION ON MY PC AND I NEED TO MOVE IT TO THE SERVER FOR TESTING AND FOR PRODUCTION.

Are you moving some web application to the internet? NO

Is the computer containing the DB gonna be exposed to the internet? THE SERVER WILL HAVE BOTH THE APPLICATION AND THE DATABASE.

WHAT IS THE BEST OPTION TO ADD SECURITY TO THE APPLICATION?
0
 
LVL 18

Accepted Solution

by: Jose Parrot earned 2000 total points
ID: 17156378
Hi Carolinat,

First, the 2-layer architecture is best solved by 2 separate servers: one for the application and the second for the database. To be less expensive, we can run both database and application on just one server, but it is more exposed to security issues.

If the users log directly in to the SQL Server database, then the permissions are set in the application commands to SQL. It is a simple solution.

If your application logs in to SQL, your application must identify the users and grant them access to the application. In general, developers make a separate Access Module or Authentication Module. Even in this case, the access control by SQL Server is better.

So, you can create two user groups: user12 and user3. Each one has a login in the SQL database. The Database Administrator, by using definitions created by the application owner, grants access to each table to the groups. In the application login, the individual user is identified as a member of one or the other group. From this point the SQL Server assumes the access control.

This way, the only thing you have to do is let SQL do the job.

Regards,

Jose
0
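Concretely, the group-based setup described in the accepted solution could look like this in T-SQL. This is an added example, not code from the thread or from the asker's application; the database name AppDb, the tables dbo.Option1Data, dbo.Option2Data and dbo.Option3Data, and the login names are assumed placeholders, and the password literals must be replaced.

```sql
-- Added example (not from the thread): SQL Server 2005 T-SQL for the accepted
-- suggestion. Two groups, each with its own login, and the database rather than
-- the ASP.NET code enforces which tables each group may touch.
-- AppDb, dbo.Option1Data/2/3 and the login names are hypothetical placeholders.
USE master;
CREATE LOGIN app_user12 WITH PASSWORD = '<replace with strong password 1>', CHECK_POLICY = ON;
CREATE LOGIN app_user3  WITH PASSWORD = '<replace with strong password 2>', CHECK_POLICY = ON;
GO

USE AppDb;
-- One database user per login, then one role per group (user12 and user3, as in
-- the answer) so the grants live on the role rather than on individual users.
CREATE USER app_user12 FOR LOGIN app_user12;
CREATE USER app_user3  FOR LOGIN app_user3;
CREATE ROLE user12;
CREATE ROLE user3;
EXEC sp_addrolemember 'user12', 'app_user12';   -- SQL Server 2005 syntax
EXEC sp_addrolemember 'user3',  'app_user3';
GO

-- The DBA grants only what each option needs. Nothing is granted to public,
-- so any table not listed here is unreachable for both groups by default.
GRANT SELECT, INSERT, UPDATE ON dbo.Option1Data TO user12;
GRANT SELECT, INSERT, UPDATE ON dbo.Option2Data TO user12;
GRANT SELECT, INSERT, UPDATE ON dbo.Option3Data TO user3;
-- An explicit DENY wins over any GRANT that a later role membership might add.
DENY SELECT, INSERT, UPDATE, DELETE ON dbo.Option3Data TO user12;
DENY SELECT, INSERT, UPDATE, DELETE ON dbo.Option1Data TO user3;
DENY SELECT, INSERT, UPDATE, DELETE ON dbo.Option2Data TO user3;
GO

-- Check the result as the DBA without knowing the group passwords:
-- impersonate the group user, probe its effective permissions, then switch back.
EXECUTE AS USER = 'app_user12';
SELECT HAS_PERMS_BY_NAME('dbo.Option2Data', 'OBJECT', 'SELECT') AS can_read_option2, -- expect 1
       HAS_PERMS_BY_NAME('dbo.Option3Data', 'OBJECT', 'SELECT') AS can_read_option3; -- expect 0
REVERT;
GO
```

The application then opens its connection with the login of the group the authenticated user belongs to, so a coding mistake in the option-3 pages cannot reach option-1 or option-2 data for a user12 member.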
