Professional Microsoft Smartphone Programming, part 8 (docx)


DOCUMENT INFORMATION

Basic information

Format
Number of pages: 53
Size: 1.7 MB

Contents

        }
    }

    private void mnuQuit_Click(object sender, EventArgs e)
    {
        Application.Exit();
    }
    }
}

Because accessing a database is normally error prone, it is always a good practice to put the database-related operations in the try block and handle possible exceptions in the catch block. Figures 13-5 and 13-6 show the running results of the application. The preceding example demonstrates how to protect a database with a password and encryption. Note that the application is expected to run only once, because you don't want to create the same database or table repeatedly.

Figure 13-5

345 Data and Communication Security 19_762935 ch13.qxp 11/20/06 7:59 AM Page 345

Figure 13-6

Securing Communication Channels

The thin-client nature of Smartphone devices means that they are constantly talking to various servers to access information. When passing sensitive data over a network, especially a wireless network, it is extremely important to secure the communication at both ends.

Network Authentication

Network authentication should be applied before a user can access any information. The .NET Compact Framework 2.0 supports both the Microsoft NTLM and Kerberos authentication protocols.

Microsoft NTLM, or Windows NT LAN Manager, is a network authentication protocol based on challenge and response. The server stores a user's password in an encrypted format. The client machine initiates the authentication process with a negotiate message, and then the server sends a challenge message that contains the message type, the security signature, and the negotiation type. The client then encrypts the challenge message with the user's password, typically using the DES algorithm. The encrypted message is then sent to the server as the response message. The same algorithm is applied on the server side, and the result is compared to the response from the client. If they match, the authentication is successful.
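The negotiate / challenge / response exchange just described, modelled in Python as an added example (this is not code from the book or from the .NET Compact Framework). Two assumptions differ from real NTLM: the stored password key is SHA-256 of the UTF-16LE password rather than MD4, and the response is an HMAC over the challenge rather than DES encryption of it. What the model preserves is the part that matters for the text's security claim: the server keeps only a derived key, a fresh random challenge is issued per attempt, the password itself never appears on the wire, and a captured response cannot be replayed because each challenge is single-use.

```python
import hashlib
import hmac
import os


def password_key(password):
    # Stand-in for the server's stored password hash. NTLM uses MD4 of the
    # UTF-16LE password; SHA-256 here is an assumption for the model. The
    # server keeps only this value, never the clear-text password.
    return hashlib.sha256(password.encode("utf-16-le")).digest()


class AuthServer:
    def __init__(self):
        self.users = {}      # username -> password key
        self.pending = {}    # username -> outstanding challenge nonce

    def register(self, username, password):
        self.users[username] = password_key(password)

    def challenge(self, username):
        # Reply to the client's negotiate message with a fresh random nonce.
        # A challenge is issued even for unknown users so that the response
        # to negotiate does not reveal which usernames exist.
        nonce = os.urandom(8)
        self.pending[username] = nonce
        return nonce

    def verify(self, username, response):
        # Each challenge is consumed on first use, so re-sending an old
        # response fails even if it was captured on the wire.
        nonce = self.pending.pop(username, None)
        key = self.users.get(username)
        if nonce is None or key is None:
            return False
        expected = hmac.new(key, nonce, "sha256").digest()
        return hmac.compare_digest(expected, response)


def client_respond(password, nonce):
    # The client derives the same key from the password it holds and keys
    # the challenge with it; only the result leaves the device.
    return hmac.new(password_key(password), nonce, "sha256").digest()


def run_exchange(server, username, password):
    """Drive one full exchange. Returns (authenticated, messages seen on the wire)."""
    negotiate = b"NEGOTIATE " + username.encode("utf-8")
    nonce = server.challenge(username)
    response = client_respond(password, nonce)
    wire = [negotiate, b"CHALLENGE " + nonce, b"RESPONSE " + response]
    return server.verify(username, response), wire


def replay_is_rejected(server, username, response):
    """Submitting a previously captured response without a fresh challenge must fail."""
    return not server.verify(username, response)


if __name__ == "__main__":
    srv = AuthServer()
    srv.register("alice", "correct horse")          # constructed sample account
    ok, wire = run_exchange(srv, "alice", "correct horse")
    print("authenticated:", ok)
    print("password on wire:", any(b"correct horse" in m for m in wire))
```

The check worth keeping from this model is the `verify` step: a constant-time comparison against a recomputed response, with the challenge discarded after one use. The wire messages in `run_exchange` can be inspected to confirm that only the negotiate string, the nonce and the keyed response cross the network.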
An advantage of NTLM is that the user's password is not sent over the network during the authentication process.

Kerberos involves a much more complicated process, but it offers a more secure communication channel. Because of its better security, it will be picked during the authentication negotiation process when both NTLM and Kerberos are supported. NTLM is mainly used in Microsoft's early products, such as Windows NT 4.0.

The System.Net.NetworkCredential class can create credentials to authenticate the user with the most secure method supported by the server. The code to generate the network credential is as follows:

    using System.Net;

    NetworkCredential myCredentials = new NetworkCredential("myUserName", "MyPasswd", "myDomainName");

You can then use the generated credentials to secure network applications that require user authentication, such as web services. Note that the NetworkCredential class is not available on the .NET Compact Framework 1.0 and 1.1. You need to install the .NET Compact Framework 2.0 to leverage this service for network authentication.

Secure Sockets Layer (SSL)

Secure Sockets Layer (SSL) is the industry standard for secure web communications. It is widely used in today's e-communication to transmit sensitive information, such as credit card numbers and online banking data, over the Internet. Essentially, SSL is the technology that involves encrypting and decrypting messages between a web browser and the web server. SSL does not prevent hackers from eavesdropping, but the encrypted message makes it much harder for hackers to access the message. Typically, message communication in SSL proceeds as follows:

1. The client initiates SSL communication, such as an HTTPS request.
2. The client starts an SSL session with a unique public key that is created for the client's web browser.
3. The message is encrypted with the server's public key and sent to the web server.
4. 
The web server decrypts the information with its private key, which is kept secret; no one else has knowledge of this private key.

This process is considered fairly secure because each SSL session generates a unique public key that a hacker is unlikely to guess. The message is encrypted with the server's public key, which (in theory) only the web server itself is able to decrypt. The length of the key in SSL communication is either 40-bit or 128-bit. The longer the key length, the harder it is to crack the message.

To enable SSL communication, you need to install certificates on the server side. Certificates can be obtained from different certificate authorities, such as VeriSign and GeoTrust. The certificate application process is normally pretty straightforward and requires a certificate signing request (CSR) file. On an IIS server, the steps to generate the CSR file are as follows:

1. Select Start➪Run, and type compmgmt.msc to launch the Computer Management console.
2. On the left panel, expand Services and Applications and then expand Internet Information Services.
3. Expand Web Sites, right-click Default Web Site, and then choose Properties (see Figure 13-7).
4. Select the Directory Security tab in the Default Web Site Properties window and click the Server Certificate button (see Figure 13-8).
5. Choose "Create a new certificate" from the IIS Certificate Wizard (see Figure 13-9) and input the required information, such as country, website name, and the name of the certificate file.

Figure 13-7

Figure 13-8

Figure 13-9

When going through the wizard, you need to provide organizational information, geographic information, and so on. Remember that the common name has to be the DNS name or NetBIOS name (normally the computer name) of the web server, as illustrated in Figure 13-10.
Figure 13-10

You can use the CSR file created by the wizard to request the certificate from your CA. Once the request is granted, follow the certificate authority's instructions to install the certificate on the web server.

Most of the work to set up and enable SSL communication is on the server side. If the web server is correctly installed and protected with SSL, you simply specify an HTTPS request on the client side. For example, the following code will start an SSL-enabled HTTPS request with an SSL-enabled web server named mySecureServer.com:

    using System.Net;

    WebRequest webReq = WebRequest.Create("https://mySecureServer.com");

Likewise, if you want to protect SQL Server Mobile database replication, use https in the InternetUrl property:

    using System.Data.SqlServerCe;

    SqlCeReplication repl = new SqlCeReplication();
    repl.InternetUrl = "https://spirit/sqlmobile/sqlcesa30.dll";

Virtual Private Networks

A virtual private network (VPN) is a common network mechanism to provide secure end-to-end network connections. The idea is to first negotiate and set up a network tunnel between the two communicating nodes. Usually, a VPN server also connects to a RADIUS server, allowing only authorized users to have permission to establish such tunnels. The data is then encrypted before it is transmitted over the network and decrypted on the receiver side. Compared to a dedicated private leased line, a VPN is preferred by many companies because of its low cost.

Consider a corporate network without VPN support. As shown in Figure 13-11, a remote user needs to dial up the corporate Remote Access Server (RAS) to get access to the servers. This could be very pricey if users are trying to make a data connection through long-distance calls. Similar problems also exist for remote offices and mobile users.
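The text's advice for the client side is to "simply specify an HTTPS request". The check a practitioner wants on top of that is that the client refuses plain http URLs and actually verifies the server certificate and host name; otherwise the tunnel exists but anyone can terminate it. The following Python is an added example, not the book's .NET code: it validates the endpoint URLs the chapter uses (the web server and the SqlCeReplication InternetUrl) and builds a TLS context that verifies the certificate chain and host name and requires at least TLS 1.2. The helper names are assumptions.

```python
import ssl
import urllib.request
from urllib.parse import urlsplit


def endpoint_problems(url):
    """Return a list of reasons the URL is unsuitable for sensitive traffic.

    An empty list means the URL is acceptable: https scheme, a host present,
    and no user:password embedded in the URL (which would end up in logs).
    """
    problems = []
    parts = urlsplit(url)
    if parts.scheme.lower() != "https":
        problems.append("scheme is '%s', expected https" % parts.scheme)
    if not parts.hostname:
        problems.append("no host in URL")
    if parts.username is not None or parts.password is not None:
        problems.append("credentials embedded in URL")
    return problems


def is_secure_endpoint(url):
    return not endpoint_problems(url)


def strict_client_context():
    """TLS context that verifies the server certificate chain and host name."""
    # create_default_context() already sets verify_mode=CERT_REQUIRED and
    # check_hostname=True; we additionally refuse anything below TLS 1.2.
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def build_secure_request(url):
    """Return (urllib Request, SSLContext) for the URL, or raise ValueError.

    The request is built but not sent, so the function runs offline; sending
    it is a one-liner: urllib.request.urlopen(req, context=ctx).
    """
    problems = endpoint_problems(url)
    if problems:
        raise ValueError("refusing insecure endpoint: " + "; ".join(problems))
    return urllib.request.Request(url), strict_client_context()


if __name__ == "__main__":
    # URLs taken from the chapter text; the credentialled one is constructed.
    for candidate in ("https://mySecureServer.com",
                      "https://spirit/sqlmobile/sqlcesa30.dll",
                      "http://spirit/sqlmobile/sqlcesa30.dll",
                      "https://user:pw@spirit/sqlmobile/sqlcesa30.dll"):
        print(candidate, "->", endpoint_problems(candidate) or "ok")
```

`build_secure_request` fails closed: a misconfigured InternetUrl that still says http is rejected before any bytes are sent, rather than silently replicating the database in the clear.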
Figure 13-11 (diagram labels: Corporate Headquarters with Server 1, Server 2, Server 3, Firewall and VPN Server; The Internet; VPN Gateway; VPN Tunnels to a Remote Office, a Mobile User and a Remote User)

With a VPN, however, users do not need to dial directly to the corporate headquarters. A remote user can simply dial into the local access server and rely on the local ISP to package the data and route it through a "tunnel" to the remote servers. Of course, you need to pay for the tunnel services offered by the ISPs, but it is typically less than half of what you pay for leased lines or long-distance phone calls. Three major tunneling protocols are supported over the Internet:

❑ IP Security (IPSec) — Developed by the Internet Engineering Task Force (IETF), this protocol operates at the network layer and can be implemented independent of the application layer.
❑ Point-to-Point Tunneling Protocol (PPTP) — This protocol was developed by Microsoft, 3Com, and Ascend Communications. It works at the data link layer and is preferred for Microsoft Windows-based network traffic.
❑ Layer 2 Tunneling Protocol (L2TP) — This is Cisco's implementation, which combines their previously proposed Layer 2 Forwarding with PPTP. It offers more flexibility than PPTP, but needs support from the underlying network devices, such as routers and switches.

The advantages of a VPN include reduced cost, effective use of bandwidth, enhanced scalability, and enhanced connectivity. With add-on services, it also offers better security than conventional Internet protocols. The drawback of a VPN is also obvious: it is highly dependent on the Internet and lacks interoperability of devices and protocols.

The .NET Compact Framework 2.0 supports PPTP, L2TP, and IPSec (as opposed to the .NET Compact Framework 1.0, which supports only PPTP). To set up a VPN connection on a Smartphone device, perform the following steps:

1. 
Choose Start➪Settings➪Connections➪VPN.
2. Click the Menu button and choose Add from the popup menu.
3. In the Add VPN screen, shown in Figure 13-12, enter a description for your VPN.

Figure 13-12

Besides setting up the VPN connection correctly at the Smartphone end, you should also make sure that the VPN server is running properly at the other end and that the VPN technology is supported by the underlying networks. Data communication using a VPN is highly recommended for Smartphone applications to enhance communication security.

Wi-Fi

The IEEE 802.11 wireless network, also known as Wi-Fi, operates in the unlicensed 2.4 GHz band. The nature of radio waves enables them to travel through walls, which makes indoor and outdoor wireless communication fairly convenient. However, it also imposes a severe network security threat because messages are broadcast over the air between the client and the base station. Anyone with a proper device can intercept and tamper with the message.

In 1999, Wired Equivalent Privacy (WEP) was proposed and implemented on Wi-Fi networks. It uses a shared secret key and the RC4 algorithm with a key length of 40 bits. Researchers later identified the security flaws of WEP, and it is no longer considered secure. The extension of WEP, namely WEP2, addresses some of the early concerns and increases the key size to 128 bits. However, for network experts, WEP2 is also flawed and can only be categorized as a weak security protocol. If you have a choice, don't use WEP. Instead, you should use protocols defined in IEEE 802.11i, such as Wi-Fi Protected Access (WPA), Extensible Authentication Protocol (EAP), or Protected Extensible Authentication Protocol (PEAP).

Securing Web Services with SOAP Headers

When deploying web services, one way to implement security is to enforce user authentication from the web server.
The Microsoft Internet Information Services (IIS) server provides the following four options for user authentication:

❑ Anonymous access — No authentication is required to access the web resources.
❑ Basic authentication — A user is authenticated by sending his or her username and password to the web server over the network in clear text. This is not a recommended authentication method. It exists simply as a fallback authentication protocol if a more secure authentication protocol is not supported.
❑ Digest authentication for Windows domain servers — This option is enabled if the IIS server is a member server of a Windows domain. A user's password is not sent over the network in this authentication process; rather, the MD5 hash value of the password, termed a digest, is transmitted through the network and compared with the digest stored in the domain controller.
❑ Integrated Windows authentication — This uses the NTLM authentication protocol and requires a Windows user account on the machine on which the IIS server is installed.

To change the authentication method for an IIS server, launch the IIS service management console by clicking Start➪Settings➪Control Panel➪Administrative Settings➪Internet Information Services. On the left panel, expand the name of the IIS server, followed by Web Sites. Right-click Default Web Site and choose Properties. In the Directory Security tab, click the Edit button in "Anonymous access and user authentication control". An Authentication Methods window will appear, as shown in Figure 13-13.

Figure 13-13

Because different web servers have different ways to handle user authentication, it makes sense to authenticate a user without relying on a particular platform or version of the web server. One approach is to customize authentication by using SOAP headers in an XML web service. Note that you should set the user authentication to allow anonymous user logins.
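The server-side half of SOAP-header authentication, written in Python as an added example (this is not the book's ASP.NET service, although the header element names username and password mirror the fields of the book's SoapAuthenHeader class). The envelope is constructed for illustration; the application namespace, the `transport_is_tls` flag and the credential store are assumptions. Beyond extracting the header, the example enforces the two things the chapter tells you to do around it: passwords are held only as salted PBKDF2 hashes and compared in constant time, and header credentials are refused outright unless the request arrived over a protected channel, since the header itself carries them in clear text.

```python
import hashlib
import hmac
import os
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
APP_NS = "http://example.invalid/webServices"   # placeholder service namespace


def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


class CredentialStore:
    """Holds salted password hashes only; never the clear-text password."""

    def __init__(self):
        self._users = {}

    def add(self, username, password):
        salt = os.urandom(16)
        self._users[username] = (salt, hash_password(password, salt))

    def verify(self, username, password):
        entry = self._users.get(username)
        if entry is None:
            return False
        salt, stored = entry
        return hmac.compare_digest(stored, hash_password(password, salt))


def extract_credentials(envelope_xml):
    """Return (username, password) from the SoapAuthenHeader, or None if absent/malformed."""
    try:
        root = ET.fromstring(envelope_xml)
    except ET.ParseError:
        return None
    header = root.find("{%s}Header" % SOAP_NS)
    if header is None:
        return None
    auth = header.find("{%s}SoapAuthenHeader" % APP_NS)
    if auth is None:
        return None
    user = auth.findtext("{%s}username" % APP_NS)
    pwd = auth.findtext("{%s}password" % APP_NS)
    if user is None or pwd is None:
        return None
    return user, pwd


def authenticate_request(envelope_xml, store, transport_is_tls):
    """Return (ok, reason). Credentials in a SOAP header are only accepted
    when the transport was SSL/VPN-protected, as the chapter requires."""
    if not transport_is_tls:
        return False, "credentials in SOAP header require a protected transport"
    creds = extract_credentials(envelope_xml)
    if creds is None:
        return False, "missing or malformed authentication header"
    if not store.verify(*creds):
        return False, "invalid username or password"
    return True, "authenticated"


# Constructed sample envelope, shaped like the request a client would send.
SAMPLE_ENVELOPE = """<soap:Envelope xmlns:soap="%s" xmlns:a="%s">
  <soap:Header>
    <a:SoapAuthenHeader>
      <a:username>alice</a:username>
      <a:password>s3cret</a:password>
    </a:SoapAuthenHeader>
  </soap:Header>
  <soap:Body><a:HelloWorld/></soap:Body>
</soap:Envelope>""" % (SOAP_NS, APP_NS)


if __name__ == "__main__":
    store = CredentialStore()
    store.add("alice", "s3cret")
    print(authenticate_request(SAMPLE_ENVELOPE, store, transport_is_tls=True))
    print(authenticate_request(SAMPLE_ENVELOPE, store, transport_is_tls=False))
```

In a real deployment the `transport_is_tls` value comes from the server, not from the request (for example, the scheme of the listener that accepted the connection), so that a client cannot assert it. The `reason` strings are for the server log; returning a single generic fault to the caller avoids confirming which usernames exist.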
Using a custom SOAP header alone is not a secure solution because usernames and passwords are transmitted over the Internet as clear text. You should apply this approach only in a secured communication channel, such as SSL or a VPN.

In the following two subsections, you are going to learn how to build and publish an ASP.NET web service on the server side and how to connect to the web service from the client side.

Server Side

Following are the major steps to create a web service with an authentication SOAP header on the server side:

1. Create a new website from Visual Studio 2005 with ASP.NET web services.
2. Write a simple web service function that can authenticate a user using the SOAP header.
3. Build and publish the website.
4. Test the web service.

To create a new website from Visual Studio 2005, click File➪New➪Web Site, as shown in Figure 13-14.

[...]

As shown in Figure 13-19, the web service can be launched from the web browser by entering the correct URL. In our example, the IP address of the server is 192.168.0.88. The virtual directory of the web service is WebServices. Therefore, the URL is http://192.168.0.88/webServices/service.asmx.

Figure 13-19

Client Side

On the client side, you need to create [...]

[...]
    0x7c04  zh-CHT  Chinese (Traditional)     950   950
    0x0009  en      English                   1252  850
    0x0309  en-ZW   English (Zimbabwe)        1252  437
    0x0409  en-US   English (United States)   1252  437
    0x0809  en-GB   English (United Kingdom)  1252  850
    0x0c09  en-AU   English (Australia)       1252  850
    0x1009  en-CA   English (Canada)          1252  850
    0x1409  en-NZ   English (New Zealand)     1252  850

Globalization [...]
Figure 13-16

Figure 13-17

The next window, Publish Web Site (shown in Figure 13-18), enables you to configure a number of features. In our example, you can simply use the default setting and click OK.

Figure 13-18

As shown in Figure 13-19, the web service can be launched [...]

[...] (For a full list of the table, please refer to the home page of Microsoft's Global Developer Center at www.microsoft.com/globaldev/default.mspx.)

Table 14-1 Information of Cultures: Localized Cultural Codes

    LCID (HEX)  Culture Name  Locale                                ANSI Code Page  OEM Code Page
    0x0004      zh-CHS        Chinese (Simplified)                  936             936
    0x0404      zh-TW         Chinese (Taiwan)                      950             950
    0x0804      zh-CN         Chinese (People's Republic of China)  936             936
    0x0C04      zh-HK         [...]

[...]
    public class SoapAuthenHeader : SoapHeader
    {
        public string username;
        public string password;
    }

    [WebService(Namespace = "http://192.168.0.88/webServices")]
    [WebServiceBinding(ConformsTo = WsiProfiles.BasicProfile1_1)]
    public class Service : System.Web.Services.WebService
    {
        public SoapAuthenHeader UserAuthen;

        public Service()
        {
            //Uncomment [...]

[...]
            //Change labels accordingly
            displayLabel(selectedCulture);
        }
    }
}

Figure 14-8a illustrates the execution results of this application when zh-CHS is selected from the regional setting, and Figure 14-8b shows the language changes to English when en-US is selected.

Figure 14-8

Some additional issues are worth mentioning. You do not need to add culture-specific resources for the [...]
When a user changes the culture preferences, the UI will display a welcome message in the language the user specified. To highlight the programming techniques, this sample application will enable the user to switch between English and Chinese. Start a new Windows Mobile 5.0 Smartphone device application from Visual Studio 2005 and name the project MUIWelcome. Rename the default Form1 to MUIForm and change [...]

[...] represents time in divisions, such as weeks, months, and years. Even though the .NET Framework offers a variety of culture-specific calendars, only the following five are available on Windows Mobile for Smartphone:

❑ GregorianCalendar
❑ JapaneseCalendar
❑ ThaiBuddhistCalendar
❑ KoreanCalendar
❑ TaiwanCalendar

As an aside, it's a pity [...]

[...] how to format data for an Italian (Switzerland) culture (Italian-speaking Switzerland):

    using System.Globalization;

    CultureInfo sw = new CultureInfo("it-CH");
    double aNumber = 1234567.89;
    string swFormat = aNumber.ToString(sw);

The signature of the ToString() method in this example is as follows:

    System.Double.ToString(System.IFormatProvider)

The IFormatProvider interface [...]

[...] to present a double type number in a different format:

    using System;

    double MyDouble = 98765.4321;
    Console.WriteLine(MyDouble.ToString("C"));
    Console.WriteLine(MyDouble.ToString("E"));
    Console.WriteLine(MyDouble.ToString("F"));
    Console.WriteLine(MyDouble.ToString("G"));
    Console.WriteLine(MyDouble.ToString("N"));

Posted: 12/08/2014, 23:23
