Creating Elliptical Curve Keys using OpenSSL

20 July 2020 OpenSSL

Recently, I have been using OpenSSL to generate private keys and X509 certificates for Elliptical Curve Cryptography (ECC) and then using them in ASP.NET Core for token signing.

In this article, I’m going to show you how to use OpenSSL to generate private and public keys on the curve of your choice.

Continue reading...

Adding Tailwind Utility Classes to your Bootstrap Website

10 July 2020 General

Tailwind is a utility-first CSS framework that one of my colleagues has been advocating internally at Rock Solid Knowledge for some time. After using Bootstrap’s utility classes on my own website, I’m finally sold on the benefits of using utility classes for web design.

Bootstrap’s utility classes are relatively basic, and I soon became jealous of some of the utility classes found in Tailwind, especially the ability to prefix any utility class with a breakpoint name (e.g. md:w-3/4).

Continue reading...

Using Biometrics in ASP.NET Core

06 July 2020 FIDO

Physical biometrics are awesome. If only we could use them to log into a website...

Physical biometrics, such as fingerprint or facial recognition, are super useful when logging into mobile apps. It allows the user to prove their presence without having to manage a password or go through a Multi-Factor Authentication (MFA) process. So why can’t you use biometrics in the browser?

Continue reading...

EdDSA for JWT Signing in .NET Core

01 June 2020 C#

Edwards-curve Digital Signing Algorithm (EdDSA) is the new hotness in digital signing algorithms. From what I’ve seen, it’s the current recommendation from the cryptography community and generally preferred over your typical Elliptic Curve Digital Signature Algorithm (ECDSA).

I’ve had a few chances to play with EdDSA as part of my work with FIDO2 and PASETO, so I’m going to solidify that by writing up my high-level understanding of EdDSA, how to use EdDSA in .NET with Bouncy Castle, and how to sign a JWT with EdDSA using ScottBrady.IdentityModel.

Continue reading...

Replacing JWTs with Branca and PASETO in .NET Core

12 May 2020 C#

In my previous article I discussed the criticisms surrounding JSON Web Tokens (JWTs) and some of their alternatives. Some of these alternatives had merits, however, many of the implementations that I found neglected to include the payload validation that we are used to in JWT libraries.

I’ve implemented some of these JWT alternatives as a side project, with a focus on including JWT payload validation. Thankfully, the Microsoft.IdentityModel libraries were extensible enough for me to build on top of the existing JWT validators. This means that protecting your APIs with PASETO can look as simple as...

Continue reading...

Alternatives to JSON Web Tokens (JWTs)

28 April 2020 JOSE

JSON Web Tokens (JWTs) get a lot of hate from the wider crypto community, but what are the alternatives? In this article, I am going to give a high-level overview of some of the recommended alternatives mentioned in Twitter rants and attempt to provide an opinion on whether or not they can replace JWTs.

I in no way want to become the defender of JWTs; this is not the hill I want to die on. However, with the increasing hate on JWTs and what I see as misunderstandings around them and their alternatives, I felt that I had to put something into writing to clear my head.

Continue reading...

Outsourcing IdentityServer4 Token Signing to Azure Key Vault

30 March 2020 Identity Server

Azure Key Vault is a great way to store your IdentityServer4 signing keys; it is secure, versioned, and gives you access to robust access control mechanisms. However, I keep seeing many Azure Key Vault integrations that miss many of its features by storing the private key as a secret and then downloading the private key on application startup.

In this article, I’m going to walk through an IdentityServer4 proof of concept in which the private keys never leave Azure Key Vault.

No private keys were downloaded in the making of this article.

Continue reading...

Building a FIDO Authenticator with OpenSK

10 February 2020 FIDO

Last week Google released an open-source FIDO2 authenticator called OpenSK, implemented in Rust.

OpenSK is not too dissimilar to the Solo Key, but unlike Solo, it is not yet suitable for everyday usage. It is not FIDO certified, and at the time of writing, it uses Rust implementations of the required cryptographic algorithms (e.g. ECDSA), as opposed to using available hardware-accelerated cryptography. For now, OpenSK is for research purposes only.

In this article, I’m going to talk through my creation of a security key using OpenSK (I am a Windows user, and this is all new to me). I’m also going to see how well the current implementation works with a FIDO conformant relying party (registration and authentication) such as FIDO2 for ASP.NET Core.

Continue reading...

IdentityManager2 2020 Update

27 January 2020 ASP.NET Identity

In that strange period between Christmas and New Years, I finally had a chance to finish off some long-running dev tasks for IdentityManager2. This means that IdentityManager2 now targets ASP.NET Core 3.1, has dropped the beta suffix, and is now contains less legacy code from v1.

It would be wrong not to thank ChaosEngine who’s pull requests and gentle nudging helped make this release happen.

Continue reading...

Defeating Phishing with FIDO2 for ASP.NET

23 January 2020 FIDO

Evilginx is a tool that allows you to create phishing websites capable of stealing credentials and session cookies. It does this by simply proxying HTTP requests between the browser and the targeted site. To the user, it seems like they are using the legitimate website, but little do they know there is a man-in-the-middle. As a result, this style phishing attack even works against 2FA approaches such as TOTP and push notifications.

So, how can you defend against this kind of phishing attack? Security training your users is a good first step, but a phishing domain using a deceptive Unicode character can fool the best of us.

The only way to truly protect your users from this kind of phishing attack is using FIDO.

Continue reading...