- Client-side security
- .NET security architecture and services
- Practical cryptography
Client-side security
- JavaScript security
- Same Origin Policy
- Simple requests
- Preflight requests
- Clickjacking
- Clickjacking
- Exercise – IFrame, Where is My Car?
- Protection against Clickjacking
- Anti frame-busting – dismissing protection scripts
- Protection against busting frame busting
- AJAX security
- XSS in AJAX
- Script injection attack in AJAX
- Exercise – XSS in AJAX
- XSS protection in AJAX
- Exercise – CSRF in AJAX – JavaScript hijacking
- CSRF protection in AJAX
.NET security architecture and services
- .NET architecture
- Code Access Security (optional)
- Full and partial trust
- Evidence classes
- Permissions
- Code access permission classes
- Deriving permissions from evidence
- Defining custom permissions
- .NET runtime permission checking
- The Stack Walk
- Effects of Assert()
- Class and method-level declarative permission
- Imperative (programmatic) permission checking
- Exercise – sandboxing .NET code
- Using transparency attributes
- Allow partially trusted callers
- Exercise – using transparency attributes
Practical cryptography
- Rule #1 of implementing cryptography
- Cryptosystems
- Elements of a cryptosystem
- .NET cryptographic architecture
- Symmetric-key cryptography
- Providing confidentiality with symmetric cryptography
- Symmetric encryption algorithms
- Modes of operation
- Encrypting and decrypting (symmetric)
- Other cryptographic algorithms
- Hash or message digest
- Hash algorithms
- SHAttered
- Hashing
- Message Authentication Code (MAC)
- Providing integrity and authenticity with a symmetric key
- Random number generation
- Random numbers and cryptography
- Cryptographically-strong PRNGs
- Weak PRNGs in .NET
- Strong PRNGs in .NET
- Hardware-based TRNGs
- Asymmetric (public-key) cryptography
- Providing confidentiality with public-key encryption
- Rule of thumb – possession of private key
- The RSA algorithm
- Introduction to the RSA algorithm
- Encrypting with RSA
- Combining symmetric and asymmetric algorithms
- Digital signing with RSA
- Asymmetric algorithms in .NET
- Exercise – Sign
- Exercise – using .NET cryptographic classes
- Public Key Infrastructure (PKI)
- Man-in-the-Middle (MitM) attack
- Digital certificates against MitM attack
- Certificate Authorities in Public Key Infrastructure
- X.509 digital certificate