Solved

User Module

Posted on 2006-07-10
Last Modified: 2010-04-17
Hi guys,
I need to add some security to my application, but I don't know what could be the best option to do it. I have an application with three options; some users can access options 1 and 2 and others can access option 3.
My application is built in ASP.NET with SQL Server 2005.
What can I do? Should I create a table and attach the info in the program? Or what else can I do?
Question by:Carolinat
6 Comments
LVL 18

Expert Comment

by:Jose Parrot
ID: 17073350
Hi,

It is difficult to bound relative security, as it depends on individual points of view. Assuming your application doesn't need a 128-bit cryptographic key, you can choose from a simple algorithm to create a two-column list (ID and password), storing each datum by using boolean operations with your own key, to a more intricate algorithm with real security at varying levels. There is a good paper on that second approach at http://csrc.nist.gov/nissc/1997/proceedings/128.pdf

A very basic, simple one (easy for hackers to open, but enough for elementary protection) is given in the following pseudocode:

KEY ENTRY
1. You create a 32 ASCII key. It is the byte array KEY[1...4]
2. Call verify(key, 32)
3. If OK, go ahead. Go to 1 otherwise.

USER PASSWORD ENTRY
1. User enters an 8 ASCII password. It is userPW.
2. Call verify(password, 8)
3. If OK, go ahead. Go to 1 otherwise.
4. For each byte of your 32-bit key do:
   SecureByteUser[1] = userPW XOR KEY[1]
   SecureByteUser[2] = userPW AND KEY[2]
   SecureByteUser[3] = userPW OR KEY[3]
   SecureByteUser[4] = sum(SecureByteUser[1,2,3])

function verify(string, len)
   if compliant to rules return TRUE else return FALSE
   (rules: 8 chars, must have 1..9, must have lower and upper case, etc.)

You can improve that by using the directions in the paper. As is, this is an extremely primitive algorithm, but it is a beginning. BTW, you will store the list in a SQL Server table accessed just by you (or by Admin).

Another strategy is to create groups with specific profiles such that the application checks for permissions, based on the groups. This is applicable if each user has his/her own SQL password or the application has different levels for each group.

Hope this helps.

Jose
LVL 7

Expert Comment

by:yotamsher
ID: 17073843
Hey Carolinat,

It is not clear what you are asking for.
My guess is that you are talking about a permissioning mechanism + user authentication, meaning the user has to pass through a login screen and then only gets the appropriate option.
Is that correct?
How secure should it be?
Are you moving some web application to the internet?
Is the computer containing the DB going to be exposed to the internet?

Sorry to ask so many questions, but server security is tricky.

Yotam

Author Comment

by:Carolinat
ID: 17074189
Hi Yotam,

Here are my answers:

My guess is that you are talking about a permissioning mechanism + user authentication, meaning the user has to pass through a login screen and then only gets the appropriate option.
Is that correct? YES

How secure should it be? FOR NOW IT'S FOR INTERNAL USE, BUT IN A COUPLE OF MONTHS IT WILL HAVE TO BE FOR INTERNET ACCESS. I HAVE THE APPLICATION ON MY PC AND I NEED TO MOVE IT TO THE SERVER FOR TESTING AND FOR PRODUCTION.

Are you moving some web application to the internet? NO

Is the computer containing the DB going to be exposed to the internet? THE SERVER WILL HAVE BOTH THE APPLICATION AND THE DATABASE.

WHAT IS THE BEST OPTION TO ADD SECURITY TO THE APPLICATION?
LVL 18

Accepted Solution

by: Jose Parrot (earned 2000 total points)
ID: 17156378
Hi Carolinat,

First, the 2-layer architecture is best solved by 2 separate servers: one for the application and a 2nd for the database. To be less expensive, we can run both the database and the application on just one server, but it is more exposed to security issues.

If the users log in directly to the SQL Server database, then the permissions are set in the application's commands to SQL. It is a simple solution.

If your application logs in to SQL, your application must identify the users and grant them access to the application. In general, developers make a separate Access Module or Authentication Module. Even in this case, access control by SQL Server is better.

So, you can create two user groups: user12 and user3. Each one has a login in the SQL database. The Database Administrator, using definitions created by the application owner, grants access to each table to the groups. In the application login, the individual user is identified as a member of one group or the other. From this point on, SQL Server assumes the access control.

This way, the only thing you have to do is let SQL do the job.

Regards,

Jose
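The group-based access control described in the accepted solution (and, earlier in the thread, Jose's suggestion of groups with specific profiles) can be expressed directly in SQL Server 2005 T-SQL. The block below is an added example, not code from either answer or from the asker's application: the role names user12 and user3 come from the answer, while the three tables, the login names alice and bob, and the passwords (placeholders) are assumptions made for illustration. Permissions live on the roles; individual users only hold role membership, so the application never has to encode who may see which table.

```sql
-- Added example (not Jose Parrot's code): SQL Server 2005 T-SQL for the
-- "two groups, SQL Server enforces access" design from the accepted answer.
-- Table names and logins are assumptions; role names come from the answer.

-- Tables behind the three application options (assumed schema).
CREATE TABLE dbo.Option1Data (Id INT PRIMARY KEY, Payload NVARCHAR(200));
CREATE TABLE dbo.Option2Data (Id INT PRIMARY KEY, Payload NVARCHAR(200));
CREATE TABLE dbo.Option3Data (Id INT PRIMARY KEY, Payload NVARCHAR(200));
GO

-- One database role per group. The roles carry the permissions, so a policy
-- change is a change to a role, not to every user.
CREATE ROLE user12;
CREATE ROLE user3;
GO

-- The DBA grants each group only the tables its options need.
GRANT SELECT, INSERT, UPDATE ON dbo.Option1Data TO user12;
GRANT SELECT, INSERT, UPDATE ON dbo.Option2Data TO user12;
GRANT SELECT, INSERT, UPDATE ON dbo.Option3Data TO user3;
-- Explicit DENY: even if a user12 member later picks up another role that
-- grants Option3Data, the DENY still wins and option 3 stays closed.
DENY SELECT, INSERT, UPDATE, DELETE ON dbo.Option3Data TO user12;
GO

-- One login per individual user (placeholder passwords), mapped to a database
-- user and placed in exactly one group.
CREATE LOGIN alice WITH PASSWORD = 'PLACEHOLDER-strong-password-1';
CREATE USER alice FOR LOGIN alice;
EXEC sp_addrolemember 'user12', 'alice';

CREATE LOGIN bob WITH PASSWORD = 'PLACEHOLDER-strong-password-2';
CREATE USER bob FOR LOGIN bob;
EXEC sp_addrolemember 'user3', 'bob';
GO

-- Verify what the engine will actually enforce before relying on it:
-- impersonate alice and ask the permission system directly.
EXECUTE AS USER = 'alice';
SELECT HAS_PERMS_BY_NAME('dbo.Option1Data', 'OBJECT', 'SELECT') AS can_read_option1, -- expected 1
       HAS_PERMS_BY_NAME('dbo.Option3Data', 'OBJECT', 'SELECT') AS can_read_option3; -- expected 0
REVERT;
GO
```

If the application connects with its own single SQL login (the second scenario in the answer), this setup still applies: the application identifies the end user at its login screen and then either opens the connection as that user's login or impersonates it with EXECUTE AS USER, so that every query is checked by SQL Server against the role the user actually belongs to rather than by code in each page.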