Solved

User Module

Posted on 2006-07-10
6
394 Views
Last Modified: 2010-04-17
Hi guys,
I need to add some security to my application. But I don't know what could be the best option to do it. I have an application with three options, some users can access option 1 and 2 and others can access 3.
My applicacion is built in ASP.NET with sqlServer 2005.
What can I do? should I create a table and attach the info in the program? or what can I do?
0
Comment
Question by:Carolinat
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
6 Comments
 
LVL 18

Expert Comment

by:Jose Parrot
ID: 17073350
Hi,

It is difficult to bound relative security, as it depends on individual point of views. By assuming your application doesn't need a 128 bits cryptographic key, you can chose from simple algorithm to create a two collums list (ID and password), storing each data by using boolean operations with your own key to more intricated algorithm with real security at varying levels. There is a good paper on that second approach at http://csrc.nist.gov/nissc/1997/proceedings/128.pdf

A very basic simple (easy to hackers open, but enough for elementary protection) is given in the following pseudocode:

KEY ENTRY
1. You create a 32 ASCII key. It is the byte array KEY[1...4]
2. Call verify(key,32)
3. If OK, go ahead. Go 1 otherwise.

USER PASSWORD ENTRY
1. User enters an 8 ASCII password. It is userPW.
2. call verify(password,8)
3. If OK, go ahead. Go to 1 otherwise.
4. For each byte key of your 32 bits key do:
   SecureByteUser[1] = userPW XOR KEY[1]
   SecureByteUser[2] = userPW AND KEY[2]
   SecureByteUser[3] = userPW OR KEY[3]
   SecureByteUser[4] = sum(SecureByteUser[1,2,3]

function verify(string, len)
if compliant to rules return TRUE else return FALSE
(rules: 8 chars, must have 1..9, must have lower and upper case, etc.)

You can improve that by using the directions on the paper. As is, this is a extreme primitive algorithm, but it is a beggining. BTW, you will store the list in a SQLServer table just accessed by you (or by Admin).

Another strategy is to create groups with specific profiles such that the application checks for permissions, based on the groups. This is applicable if each user has his/her own SQL password or the application has different levels for each group.

Hope helps.

Jose
0
 
LVL 7

Expert Comment

by:yotamsher
ID: 17073843
Hey  Carolinat

It is not clear what you are asking for.
My guess is that you are talkin about permissioning mechanism + user authentication, meaning user has to pass through a login screen, and then only get the appropriate option.
Is that correct?
how secure should it be?
are you moving some web application to the internet?
Is the computer containing the DB gonna be exposed to the internet?

sorry to ask so many questions, but well Servers security is tricky

Yotam
0
 

Author Comment

by:Carolinat
ID: 17074189
hi Yotam,

Here are my answers:

My guess is that you are talkin about permissioning mechanism + user authentication, meaning user has to pass through a login screen, and then only get the appropriate option.
Is that correct? YES

how secure should it be? FOR NOW IT'S FOR INTERNAL USE BUT IN A COUPLE MONTHS IT WILL HAVE TO BE FOR INTERNET ACCESS. I HAVE THE APPLICATION IN MY PC AND I NEED TO MOVE IT TO THE SERVER FOR TESTING AND FOR PRODUCTION.

are you moving some web application to the internet? NO

Is the computer containing the DB gonna be exposed to the internet? THE SERVER WILL HAVE BOTH THE APPLICATIONS AND  THE DATABASE.

WHAT IS THE BEST OPTION TO ADD SECURITY TO THE APLICATION?
0
 
LVL 18

Accepted Solution

by:
Jose Parrot earned 500 total points
ID: 17156378
Hi Carolinat,

First, the 2 layers architecture is best solved by 2 separate servers: one for the application and the 2nd for the database. To be less expensive, we can run both database and application in just one server, but it is more exposed to security issues.

If the users log directly in the SQL Server base, then the permissions are set in the application commands to SQL. It is a simple solution.

If your application logs in SQL, your application must identify the users and grant them access to the application. In general, developers make a separate Access Module or Authentication Module. Even in this case, the access control by SQL Server is better.

So, you can create two user groups: user12 and user3. Each one has a login in the SLQ database. The Database Administrator, by using definitions created by the application owner, grants access to each table to the groups. In the application login, the individual user is identified as member of one or other group. From this point the SQL Server assumes the access control.

This way, the only you have is let SQL do the job.

Regards,

Jose
0

Featured Post

What Is Transaction Monitoring and who needs it?

Synthetic Transaction Monitoring that you need for the day to day, which ensures your business website keeps running optimally, and that there is no downtime to impact your customer experience.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

A short article about a problem I had getting the GPS LocationListener working.
Today, the web development industry is booming, and many people consider it to be their vocation. The question you may be asking yourself is – how do I become a web developer?
An introduction to basic programming syntax in Java by creating a simple program. Viewers can follow the tutorial as they create their first class in Java. Definitions and explanations about each element are given to help prepare viewers for future …
With the power of JIRA, there's an unlimited number of ways you can customize it, use it and benefit from it. With that in mind, there's bound to be things that I wasn't able to cover in this course. With this summary we'll look at some places to go…

726 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question