Namespace System.Security.Authentication.ExtendedProtection
This namespace provides types that enable the implementation of channel binding and extended protection for network authentication.
Summary
The System.Security.Authentication.ExtendedProtection namespace allows developers to enhance the security of network authentication by providing a mechanism for binding authentication tokens to specific communication channels. This helps to prevent man-in-the-middle attacks by ensuring that the authentication context is tied to the underlying transport, such as a TCP connection.
Classes
| Name | Description |
|---|---|
| ChannelBinding | Represents a channel binding token that can be used to bind authentication to a specific communication channel. |
| ContiguousArrayOfBytes | Represents an array of bytes that is contiguous in memory. |
| ExtendedProtectionPolicy | Specifies the policy that is used for extended protection. |
| ProtectionLevel | Specifies the level of protection that is applied to a network connection. |
| ServiceBinding | Represents a service binding that can be used to establish a channel binding token. |
Introduction to Extended Protection
Extended protection is a security feature that helps protect against authentication relay attacks, also known as man-in-the-middle attacks. It works by requiring clients and servers to establish an authentication context that is bound to the specific communication channel. This ensures that authentication credentials used for one connection cannot be replayed for another.
Important
Implementing extended protection requires careful consideration of both client-side and server-side configuration. Ensure that the appropriate ExtendedProtectionPolicy is set for your application so that this security feature is enforced effectively.
Channel Binding
Channel binding is the core mechanism of extended protection. It involves obtaining a token that represents the underlying communication channel (e.g., a TLS/SSL session or a named pipe). This token is then incorporated into the authentication process. The server can verify that the token presented by the client matches the channel it is using for communication.
ChannelBinding Class
The ChannelBinding class provides a way to represent and manage these channel binding tokens. It typically holds the raw bytes of the token and offers methods for serialization and deserialization.
```csharp
using System.Security.Authentication.ExtendedProtection;

// Example usage (conceptual): GetChannelBindingToken() is a placeholder for
// whatever obtains the raw token bytes from the underlying channel.
byte[] tokenBytes = GetChannelBindingToken();
ChannelBinding binding = new ChannelBinding(tokenBytes);
```
Extended Protection Policy
The ExtendedProtectionPolicy class allows you to configure how extended protection is applied. You can specify the required level of protection, whether to use channel binding, and if so, which mechanisms to use.
ExtendedProtectionPolicy Properties
- ProtectionLevel: Specifies the desired level of protection (e.g., ProtectionLevel.None, ProtectionLevel.Sign, ProtectionLevel.EncryptAndSign).
- Enabled: A boolean indicating whether extended protection is enabled.
- ChannelProtectionPolicy: Defines the policy for channel binding.
ProtectionLevel Enum
The ProtectionLevel enum defines the security guarantees that can be applied to a communication channel:
- None: No protection is applied.
- Sign: The integrity of messages is protected.
- EncryptAndSign: The confidentiality and integrity of messages are protected.
Tip
For most server applications that handle sensitive data, it is recommended to enable extended protection with a ProtectionLevel of Sign or EncryptAndSign, provided the underlying channel supports it.
Service Binding
The ServiceBinding class is used on the server side to provide the necessary information for clients to construct a matching channel binding token. This often involves specifying the service name or other identifying information.
Creating a ServiceBinding
```csharp
using System.Security.Authentication.ExtendedProtection;

// Example usage (conceptual): GetServiceBindingBlob() is a placeholder for
// whatever encodes the service name into the binding blob.
string serviceName = "myservice.example.com";
byte[] blob = GetServiceBindingBlob(serviceName);
ServiceBinding serviceBinding = new ServiceBinding(blob);
```
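To tie the policy and service-name sections together, here is an added server example (not code from this page) that uses the existing .NET members ExtendedProtectionPolicy(PolicyEnforcement, ProtectionScenario, ServiceNameCollection), ExtendedProtectionPolicy.OSSupportsExtendedProtection and HttpListener.ExtendedProtectionPolicy to require channel binding for Negotiate authentication over TLS. It assumes Windows (HttpListener enforces the policy through http.sys) and an HTTPS certificate already bound to port 443 for the constructed host name myservice.example.com.

```csharp
using System;
using System.Net;
using System.Security.Authentication.ExtendedProtection;

// Added example, not part of the documented namespace page.
static class ExtendedProtectionServer
{
    // SPN that clients must target; a constructed sample value.
    const string ServiceName = "HTTP/myservice.example.com";

    // Weak setting: authentication is accepted with no channel binding, so a
    // token relayed from another connection is indistinguishable from a real one.
    static ExtendedProtectionPolicy RelayTolerantPolicy() =>
        new ExtendedProtectionPolicy(PolicyEnforcement.Never);

    // Hardened setting: the client's token must be bound to this TLS endpoint
    // (TransportSelected) and must name one of the listed SPNs.
    static ExtendedProtectionPolicy HardenedPolicy() =>
        new ExtendedProtectionPolicy(
            PolicyEnforcement.Always,
            ProtectionScenario.TransportSelected,
            new ServiceNameCollection(new[] { ServiceName }));

    static void Main()
    {
        if (!ExtendedProtectionPolicy.OSSupportsExtendedProtection)
        {
            Console.Error.WriteLine("OS cannot enforce extended protection; not starting.");
            return;
        }

        var listener = new HttpListener();
        listener.Prefixes.Add("https://myservice.example.com:443/");
        listener.AuthenticationSchemes = AuthenticationSchemes.Negotiate;
        // Must be set before Start(); HardenedPolicy() rather than RelayTolerantPolicy().
        listener.ExtendedProtectionPolicy = HardenedPolicy();
        listener.Start();

        // Any request reaching this loop authenticated with a token bound to
        // this listener's TLS channel and service name.
        while (true)
        {
            HttpListenerContext ctx = listener.GetContext();
            string user = ctx.User?.Identity?.Name ?? "anonymous";
            byte[] body = System.Text.Encoding.UTF8.GetBytes($"Hello, {user}\n");
            ctx.Response.OutputStream.Write(body, 0, body.Length);
            ctx.Response.Close();
        }
    }
}
```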
Best Practices
- Always enable extended protection on servers that handle authentication.
- Configure the ExtendedProtectionPolicy appropriately for your application's security requirements.
- Ensure that the client and server agree on the channel binding mechanisms.
- Test your implementation thoroughly to confirm that extended protection is working as expected.