Module 5: Secure Coding Practices for Authentication and Authorization
1. Which of the following security features can .NET applications use?
A. PIN Security
B. Code Access Security
C. Role Based Security
D. Authentication Security
Option A is INCORRECT because, while PIN security exists as a security feature, it is associated with device- or system-level access control rather than being a feature specific to .NET applications.
Option B is INCORRECT because Code Access Security (CAS) was declared obsolete in .NET Framework 4.8. It was once a .NET feature for limiting the operations a program could perform, but it is no longer used in newer .NET (.NET Core and .NET 5/6/7), so it does not count as an available feature for current .NET applications.
Option C is CORRECT because Role Based Security (RBS) is a security feature provided by the .NET Framework. RBS restricts access to resources based on the roles a user belongs to; it is a standard .NET authorization mechanism and contributes to secure application development.
Option D is INCORRECT because, while authentication security is a crucial part of application security, it is a general security measure that applies across all application platforms, not a feature provided solely by or exclusive to .NET.
2. What is the recommended method for securing sensitive connection string information?
A. Encrypting the data in the application configuration file
B. Using a code obfuscator
C. Using Integrated Security (Windows Authentication)
D. Querying the user for his or her credentials at run time
Option A is INCORRECT because, while encrypting the data in the application configuration file adds a layer of protection, it does not completely secure sensitive connection string information: if the encryption key is compromised, the data can be decrypted.
Option B is INCORRECT because a code obfuscator makes the code harder to understand but does not protect the actual data. Code obfuscation is commonly used to protect intellectual property and to deter reverse engineering.
Option C is CORRECT because Integrated Security (Windows Authentication) is recommended by Microsoft for managing access to SQL Server. This authentication method lets Windows validate the user's identity, so no password needs to appear in the connection string at all, offering a more secure way to protect sensitive connection string information.
Option D is INCORRECT because querying the user for credentials at run time means the sensitive information is typed in directly by users, which may expose it through keylogging or shoulder-surfing attacks.
3. How many types of authentication does ASP.NET support?
A. Windows Authentication
B. .NET Passport Authentication
C. Forms Authentication
D. All of the above
4. Which authentication method uses secret key cryptography to encrypt the credentials sent from the browser to the web server to prove identity?
A. Basic Authentication
B. Windows Authentication
C. Forms Authentication
D. Integrated Windows Authentication
Option A is INCORRECT because Basic Authentication does not use secret key cryptography. It sends the user's credentials (username and password) merely Base64-encoded, which is encoding, not encryption, so they are easily intercepted.
Option B is INCORRECT because Windows Authentication, while more secure than Basic Authentication, does not itself encrypt credentials with secret key cryptography; it relies on the built-in Windows logon mechanisms to authenticate users.
Option C is INCORRECT because Forms Authentication typically uses a custom login form (username and password) to authenticate and does not encrypt these credentials with a secret key for validation; they are protected in transit only if you add HTTPS yourself.
Option D is CORRECT because Integrated Windows Authentication (IWA) is the only option that uses secret key cryptography: it performs a cryptographic exchange between client and server (for example Kerberos or NTLM) to confirm the user's identity, making it the most secure type of authentication among the given options.
5. Which type of authentication performs remote procedure calls using the Security Service Provider Interface (SSPI) API of the operating system?
A. Enterprise Services Authentication
B. Windows Authentication
C. Forms Authentication
D. Basic Authentication
- The authentication process is carried out through RPC (Remote Procedure Call) and uses the operating system's SSPI (Security Service Provider Interface) API.
- Kerberos or NTLM authentication is used to verify the identity of the client of an Enterprise Services application.
- Serviced components are hosted in a library application, which runs inside the client's process and so helps identify the client.
- The same serviced component can also be hosted in a server application, which runs on the server as a separate process with its own identity.
Option A is CORRECT because Enterprise Services Authentication uses the operating system's Security Service Provider Interface (SSPI) to secure its remote procedure calls. It implements distributed transactions and provides security services.
Option B is INCORRECT because Windows Authentication is a Microsoft mechanism that authenticates a user based on their Windows account. It doesn't necessarily involve remote procedure calls or utilize the SSPI.
Option C is INCORRECT because Forms Authentication is a mechanism used in .NET applications where user credentials are collected via a form and authentication is done against a credential store. It doesn't involve SSPI or remote procedure calls.
Option D is INCORRECT because Basic Authentication is a simple authentication scheme built into the HTTP protocol. The client sends HTTP requests with the Authorization header that contains the word Basic. This method doesn't utilize SSPI or involve remote procedure calls.
6. Which authentication provider for ASP.NET Core is officially certified by the OpenID Foundation?
A. ASOS
B. IdentityServer4
C. OpenIdDict
D. Pwdless
IdentityServer4 is an open source OpenID Connect and OAuth 2.0 framework for ASP.NET Core. It is officially certified by the OpenID Foundation and is the most popular OpenID Connect server on the .NET platform.
It provides a secure and easy way to add authentication and authorization to web applications and services.
It supports a wide range of clients, including mobile, web, and native applications. It also supports a wide range of authentication protocols, including OpenID Connect, OAuth 2.0, and WS-Federation.
IdentityServer4 is designed to be extensible and customizable, allowing developers to easily add custom authentication and authorization logic.
AspNet.Security.OpenIdConnect.Server (ASOS) is an OpenID Connect server library, but it is not certified by the OpenID Foundation; it mainly helps build an OpenID Connect server rather than being a complete authentication server.
OpenIdDict is another OpenID Connect server implementation that offers a simplified way to build one, but it has not passed OpenID Foundation certification; it suits simple projects but is not officially certified.
Pwdless is a passwordless login solution; it is not an OpenID Connect server and is not certified by the OpenID Foundation.
7. How can session hijacking be prevented?
A. UseURI
B. UseCookies
C. AutoDetect
D. Device
Session hijacking is an attack in which an attacker takes control of a user's session by stealing the session ID. To prevent it, store session IDs in cookies (UseCookies) rather than embedding them in the URL.
Cookies are small pieces of data stored on the user's computer and sent to the server with each request, which lets the server identify the user and verify that the user is authorized to access the requested resource.
Keeping the session ID in a cookie instead of the URL also keeps it out of browser history, bookmarks, Referer headers and proxy or server logs, where a URL-embedded ID could be read and replayed. This helps prevent session hijacking and keeps the user's session secure.
8. Why is it crucial to distinguish between authentication and authorization in secure coding practices?
A. Authentication verifies user identity, while authorization determines access levels.
B. Authentication increases system performance, while authorization enhances UI design.
C. Authentication applies to databases only, while authorization is for UI elements.
D. Authentication is a one-time process, while authorization occurs at every system interaction.
Authentication = who?
➔ verifies the user's identity (for example password, fingerprint, face recognition)
Authorization = what can they do?
➔ determines what permissions that identity holds (for example whether it may read data, whether it may delete data)
"Authenticate the identity first, then authorize the action"
(Who you are → What you can do)
9. In MVC architecture, where is it most appropriate to implement authorization checks?
A. Within the model, to ensure data integrity
B. In the view, to control visible elements based on user roles
C. Within the controller, to prevent unauthorized access to actions
D. In external libraries, to ensure separation of concerns
10. What is a best practice for implementing authorization in an MVC application?
A. Using static roles and permissions hardcoded within the application
B. Applying attribute-based authorization on controllers and actions
C. Allowing users to define their access levels at runtime to increase flexibility
D. Implementing authorization logic within each view for better user experience
11. Which are core principles of secure authentication and authorization in Web Forms? (Select two)
A. Storing passwords in plain text for transparency
B. Implementing role-based access control
C. Using HTTPS for sensitive data transmission
D. Allowing automatic login with persistent cookies only
12. What are effective methods for implementing secure authentication in ASP.NET Core? (Select two)
A. Utilizing the Identity framework for user management and authentication
B. Implementing custom encryption for all transmitted authentication tokens
C. Enabling automatic authentication via shared network drives
D. Using third-party identity providers for OAuth 2.0 or OpenID Connect
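As an added illustration of the practices behind questions 7, 10 and 12 (attribute-based authorization on controllers and actions, a centrally declared policy, and a hardened cookie for the signed-in session), the following C# is example code written for these notes, not from the course or any project. The controller, role names and policy name are assumptions, and ConfigureApplicationCookie assumes ASP.NET Core Identity has already been registered.

```csharp
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;

// Hypothetical controller: [Authorize] at class level makes every action
// require a signed-in user unless an action opts out explicitly.
[Authorize]
public class ReportsController : Controller
{
    [AllowAnonymous]                       // public page, no login required
    public IActionResult Index() => View();

    [Authorize(Roles = "Auditor,Admin")]   // either assumed role may read
    public IActionResult Details(int id) => View(id);

    [HttpPost]
    [ValidateAntiForgeryToken]
    [Authorize(Policy = "CanDeleteReports")] // policy declared centrally below
    public IActionResult Delete(int id)
    {
        // deletion logic omitted; the filter has already enforced authorization
        return RedirectToAction(nameof(Index));
    }
}

// Registration helper; call AuthSetup.Configure(builder.Services) from Program.cs.
// Role and policy names are assumptions made for this example.
public static class AuthSetup
{
    public static void Configure(IServiceCollection services)
    {
        // A named policy keeps the permission rule in one place instead of
        // scattering role strings through every action.
        services.AddAuthorization(options =>
        {
            options.AddPolicy("CanDeleteReports", policy =>
                policy.RequireAuthenticatedUser().RequireRole("Admin"));
        });

        // Harden the Identity authentication cookie so the session identifier
        // is not readable by script, not sent over plain HTTP, and not attached
        // to cross-site requests.
        services.ConfigureApplicationCookie(options =>
        {
            options.Cookie.HttpOnly = true;
            options.Cookie.SecurePolicy = CookieSecurePolicy.Always;
            options.Cookie.SameSite = SameSiteMode.Strict;
        });
    }
}
```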