Tech Off Thread

6 posts


Random String for authenticating a client

  • Shark_M

    Hi guys,
       here is a scenario: you have a client and a server,
    and you want the client and the server to do a handshake that will confirm that the client has not been altered in any way.

    I want to generate an encrypted, randomly generated string (a hash); this string is sent to the client, and the client processes it and generates a new random string (a hash), and then sends it to the server.

    The server then, based on the string response from the client, decides whether to accept the client or not.


    How do I implement this in C#?

  • Maurits

    .NET 2.0 has the SSLStream class

  • jdewalt

    SSLStream is a great option.

    When dealing with encryption, authentication, and authorization, as a rule of thumb, try to use existing frameworks.

    A lot of bad security implementations result from programmers trying to build their own mechanisms. If you must do your own, try to build on top of another so you have layers of security rather than just your default.

    An item of note: you should always salt your randomly generated data if possible when using it for hashing and encryption.

    An example of salting is: if my random generator gives me 234981989, I combine it with a secret key "MySecretyKey@#$(12md0d982347VDSFAAMmik2m34(%#$*@%()" so that the item you are encrypting/hashing is longer.

    If I use 128-bit encryption or hashing on a 64-bit password (8 chars), I only have 64 bits of encryption or hashing, because a brute-force iterator only has to go through 2^64 iterations rather than 2^128.
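A worked version of the "random value plus secret key" idea in the reply above, added here as an example that is not code from the thread: the server's random challenge and a secret shared with the released client are combined through a keyed hash (HMAC-SHA256) rather than by concatenating a secret string, the server recomputes the tag and compares it in constant time, and a fresh challenge per handshake defeats replay. The class name, the 32-byte secret, and the "client" label are assumptions of the example; it targets .NET 6 or later.

```csharp
// Added example (not from the thread): a symmetric challenge-response in which
// the random challenge and the secret key are combined by a keyed hash (HMAC).
// Targets .NET 6+.
using System;
using System.Security.Cryptography;
using System.Text;

public static class HmacChallengeResponse
{
    // Assumed: a 32-byte secret provisioned into the released client out of band.
    public static byte[] NewSecret() => RandomNumberGenerator.GetBytes(32);

    // Server: a fresh, unpredictable challenge for every handshake.
    public static byte[] NewChallenge() => RandomNumberGenerator.GetBytes(32);

    // Client: proves it holds the secret without ever sending the secret itself.
    public static byte[] ClientRespond(byte[] secret, byte[] challenge) =>
        Tag(secret, "client", challenge);

    // Server: recomputes the expected response and compares in constant time,
    // so timing differences do not leak how many leading bytes matched.
    public static bool ServerVerify(byte[] secret, byte[] challenge, byte[] response) =>
        CryptographicOperations.FixedTimeEquals(Tag(secret, "client", challenge), response);

    // HMAC-SHA256 over (label || challenge). The label separates client responses
    // from any server-to-client proof built on the same secret, so one cannot be
    // replayed as the other.
    static byte[] Tag(byte[] secret, string label, byte[] challenge)
    {
        byte[] labelBytes = Encoding.ASCII.GetBytes(label);
        byte[] input = new byte[labelBytes.Length + challenge.Length];
        Buffer.BlockCopy(labelBytes, 0, input, 0, labelBytes.Length);
        Buffer.BlockCopy(challenge, 0, input, labelBytes.Length, challenge.Length);
        using var mac = new HMACSHA256(secret);
        return mac.ComputeHash(input);
    }

    public static void Main()
    {
        byte[] secret = NewSecret();
        byte[] challenge = NewChallenge();
        byte[] response = ClientRespond(secret, challenge);

        Console.WriteLine("genuine client accepted:    " + ServerVerify(secret, challenge, response));
        // A client holding a different secret computes a different tag.
        Console.WriteLine("wrong secret accepted:      " + ServerVerify(secret, challenge, ClientRespond(NewSecret(), challenge)));
        // A captured response is useless against the next challenge.
        Console.WriteLine("replayed response accepted: " + ServerVerify(secret, NewChallenge(), response));
    }
}
```

Run it as a console program with `dotnet run`. The 32-byte random secret is what makes the brute-force arithmetic above work in your favour: an attacker who records challenge/response pairs has 2^256 candidate keys, whereas an 8-character password in the same role would give roughly 2^64. The check proves only that whatever answered holds the secret; a modified copy of the client that still contains the secret passes it, so the secret has to be protected inside the shipped client.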


  • Shark_M

    jdewalt wrote: [the reply above, quoted in full]


    Okay, but how can I use SSLStream to authenticate that the client being used to log on to my system is the very same client that was released by me, and not a tampered one or a zombie or some other software?

  • jdewalt

    SSLStream provides support for authenticating clients using X.509 certificates. Check out the link posted above.

    If you are releasing a client and server-side app, public/private key pairs (certificates) should be the way to go for verifying identity.

    Server can send a string encrypted with the client public key.

    Client decrypts the string with its private key. Based on the key, it re-encrypts something using the server public key and sends it to the server.

    Server decrypts the string with its private key and has verified the identity of the client (the client is the only one with the client's private key, which was needed to decrypt the data to create the string the server just received).

    Server then sends information encrypted with the last received information from the client (unique to the client because the client private key was required to get this far), which verifies the server identity because only the server could decrypt to use this value as a salt for encryption.

    If you must use a symmetric algorithm, look at Rijndael in CBC (Cipher Block Chaining) mode. Rijndael is part of the .NET framework. Avoid DES (although 3DES is probably OK). But try to use asymmetric if you can.
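How the client-certificate support mentioned at the top of the reply above is actually used, as an added example that is not from the thread or from the .NET documentation: a server and a client on a loopback socket, each with a self-signed X.509 certificate created at startup, where the server demands a client certificate and both sides pin the exact certificate they expect instead of relying on a trusted chain. The certificate subjects, the `Pin` helper, and the single-process layout are assumptions of the example; it targets .NET 6 or later (the `X509Certificate2(byte[])` constructor is marked obsolete in .NET 9 but still works).

```csharp
// Added example (not from the thread): SslStream with a mandatory client
// certificate over a loopback socket, certificates generated at startup.
// Targets .NET 6+.
using System;
using System.IO;
using System.Net;
using System.Net.Security;
using System.Net.Sockets;
using System.Security.Authentication;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Text;
using System.Threading.Tasks;

public static class MutualTls
{
    // Assumed: self-signed certificates stand in for the server certificate and
    // the per-client certificate you would issue and ship with the released client.
    public static X509Certificate2 MakeCert(string subject)
    {
        using RSA rsa = RSA.Create(2048);
        var req = new CertificateRequest(subject, rsa, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        using X509Certificate2 fresh = req.CreateSelfSigned(DateTimeOffset.UtcNow.AddMinutes(-5),
                                                            DateTimeOffset.UtcNow.AddDays(30));
        // Round-trip through PFX so the private key is persisted: on Windows SslStream
        // cannot use the ephemeral key that CreateSelfSigned attaches.
        return new X509Certificate2(fresh.Export(X509ContentType.Pfx));
    }

    // Self-signed certificates never chain to a trusted root, so instead of trusting
    // the chain each side pins the exact certificate it expects from the other.
    static RemoteCertificateValidationCallback Pin(X509Certificate2 expected) =>
        (sender, cert, chain, errors) =>
            cert != null && CryptographicOperations.FixedTimeEquals(cert.GetCertHash(), expected.GetCertHash());

    public static async Task<string> ServerAsync(TcpListener listener, X509Certificate2 serverCert, X509Certificate2 expectedClient)
    {
        using TcpClient conn = await listener.AcceptTcpClientAsync();
        using var tls = new SslStream(conn.GetStream(), false, Pin(expectedClient));
        // clientCertificateRequired makes the handshake demand a certificate from the
        // client; Pin() then decides whether it is the one we issued.
        await tls.AuthenticateAsServerAsync(serverCert, clientCertificateRequired: true,
            enabledSslProtocols: SslProtocols.None, checkCertificateRevocation: false);
        string who = tls.RemoteCertificate?.Subject ?? "(none)";
        byte[] greeting = Encoding.UTF8.GetBytes("hello " + who);
        await tls.WriteAsync(greeting, 0, greeting.Length);
        return who;
    }

    public static async Task<string> ClientAsync(int port, X509Certificate2 clientCert, X509Certificate2 expectedServer)
    {
        using var conn = new TcpClient();
        await conn.ConnectAsync(IPAddress.Loopback, port);
        using var tls = new SslStream(conn.GetStream(), false, Pin(expectedServer),
            (sender, host, local, remote, issuers) => clientCert); // always offer our own certificate
        await tls.AuthenticateAsClientAsync("localhost", new X509Certificate2Collection(clientCert),
            SslProtocols.None, checkCertificateRevocation: false);
        byte[] buf = new byte[256];
        int n = await tls.ReadAsync(buf, 0, buf.Length);
        // Under TLS 1.3 the client can finish its side of the handshake before the server
        // has judged its certificate, so a rejection may show up here as a closed connection.
        if (n == 0) throw new IOException("server closed the connection without a greeting");
        return Encoding.UTF8.GetString(buf, 0, n);
    }

    public static async Task Main()
    {
        using X509Certificate2 serverCert = MakeCert("CN=server");
        using X509Certificate2 clientCert = MakeCert("CN=released-client");
        using X509Certificate2 impostorCert = MakeCert("CN=released-client"); // same name, different key

        var listener = new TcpListener(IPAddress.Loopback, 0);
        listener.Start();
        int port = ((IPEndPoint)listener.LocalEndpoint).Port;

        // Released client: the handshake completes and the server names the pinned certificate.
        Task<string> server = ServerAsync(listener, serverCert, clientCert);
        Console.WriteLine(await ClientAsync(port, clientCert, serverCert));
        await server;

        // Impostor with a different key: the server's Pin() rejects it and the handshake fails.
        Task<string> server2 = ServerAsync(listener, serverCert, clientCert);
        try { await ClientAsync(port, impostorCert, serverCert); Console.WriteLine("impostor accepted?!"); }
        catch (Exception e) when (e is AuthenticationException or IOException) { Console.WriteLine("impostor rejected: " + e.GetType().Name); }
        try { await server2; } catch (Exception e) when (e is AuthenticationException or IOException) { }
        listener.Stop();
    }
}
```

Pinning by certificate hash is what makes the self-signed setup safe: without it, `SslPolicyErrors.RemoteCertificateChainErrors` would have to be ignored and any certificate would pass. In production the client certificate would be issued by your own CA and validated against it, with the callback checking the chain and the expected subject. As with every scheme in this thread, passing the handshake proves possession of the certificate's private key, not that the binary around it is unmodified.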

  • Shark_M

    How can I generate random private/public keys at server runtime?

    Can you show me an example?

    Also, I have implemented SSLStream in my async socket server;

    that is one layer of protection.

    Now I need to implement what you said. I am taking baby steps, as I am relatively new to C# programming and am adapting slowly.

    If you can show me an example of this, it would be cool.
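The four-step exchange jdewalt describes in the reply above, together with the runtime key generation asked for here, written out as an added example that is not code from the thread: both parties create an RSA key pair with `RSA.Create` at startup, the server encrypts a random nonce to the client's public key, the client decrypts it and sends it back with a nonce of its own under the server's public key, and the server's final message is encrypted under a session key derived from both nonces, which is the "information encrypted with the last received value" step. RSA-OAEP, HKDF and AES-GCM are the concrete primitives chosen here; the `Party` and `Handshake` names, the registered-public-key lookup and the in-process wiring are assumptions. Targets .NET 8 or later.

```csharp
// Added example (not from the thread): the public-key challenge-response
// described above, with both RSA key pairs generated at runtime. Targets .NET 8+.
using System;
using System.Security.Cryptography;
using System.Text;

public sealed class Party : IDisposable
{
    // Each side creates its key pair at startup and publishes only the public half.
    private readonly RSA _key = RSA.Create(2048);
    public byte[] PublicKey => _key.ExportSubjectPublicKeyInfo();

    // Decrypting needs the private key; with any other key OAEP unpadding fails.
    public byte[] Decrypt(byte[] ciphertext) => _key.Decrypt(ciphertext, RSAEncryptionPadding.OaepSHA256);

    public static byte[] EncryptFor(byte[] peerPublicKey, byte[] plaintext)
    {
        using RSA peer = RSA.Create();
        peer.ImportSubjectPublicKeyInfo(peerPublicKey, out _);
        return peer.Encrypt(plaintext, RSAEncryptionPadding.OaepSHA256);
    }

    public void Dispose() => _key.Dispose();
}

public static class Handshake
{
    const int NonceLen = 32;

    // Runs the exchange in-process; in a deployment c1, c2 and the final message
    // travel over the socket. registeredClientKey is the public key the server
    // stored for the released client; actingClient is whoever answers.
    public static bool Run(Party server, byte[] registeredClientKey, Party actingClient)
    {
        // 1. Server encrypts a fresh random nonce to the registered client public key.
        byte[] serverNonce = RandomNumberGenerator.GetBytes(NonceLen);
        byte[] c1 = Party.EncryptFor(registeredClientKey, serverNonce);

        // 2. Client decrypts with its private key, appends its own nonce and
        //    encrypts both to the server public key.
        byte[] recovered;
        try { recovered = actingClient.Decrypt(c1); }
        catch (CryptographicException) { return false; } // not the registered key
        byte[] clientNonce = RandomNumberGenerator.GetBytes(NonceLen);
        byte[] c2 = Party.EncryptFor(server.PublicKey, Concat(recovered, clientNonce));

        // 3. Server decrypts with its private key and checks its nonce came back intact:
        //    only the holder of the registered private key could have recovered it.
        byte[] plain = server.Decrypt(c2);
        if (plain.Length != 2 * NonceLen ||
            !CryptographicOperations.FixedTimeEquals(plain.AsSpan(0, NonceLen), serverNonce))
            return false;
        byte[] clientNonceAtServer = plain.AsSpan(NonceLen).ToArray();

        // 4. Both nonces are known only to the two private-key holders, so a key derived
        //    from them lets the server prove itself: its AES-GCM reply decrypts only if it
        //    could read c2. Each side derives the key from its own view of the nonces.
        byte[] serverKey = SessionKey(serverNonce, clientNonceAtServer);
        byte[] clientKey = SessionKey(recovered, clientNonce);

        byte[] iv = RandomNumberGenerator.GetBytes(12);
        byte[] msg = Encoding.UTF8.GetBytes("welcome");
        byte[] ct = new byte[msg.Length];
        byte[] tag = new byte[16];
        using (var gcm = new AesGcm(serverKey, 16)) gcm.Encrypt(iv, msg, ct, tag);

        byte[] pt = new byte[ct.Length];
        try { using var gcm = new AesGcm(clientKey, 16); gcm.Decrypt(iv, ct, tag, pt); }
        catch (CryptographicException) { return false; } // server could not have read c2
        return Encoding.UTF8.GetString(pt) == "welcome";
    }

    static byte[] SessionKey(byte[] serverNonce, byte[] clientNonce) =>
        HKDF.DeriveKey(HashAlgorithmName.SHA256, Concat(serverNonce, clientNonce), 32,
                       salt: null, info: Encoding.ASCII.GetBytes("handshake session key"));

    static byte[] Concat(byte[] a, byte[] b)
    {
        byte[] r = new byte[a.Length + b.Length];
        a.CopyTo(r, 0);
        b.CopyTo(r, a.Length);
        return r;
    }

    public static void Main()
    {
        using var server = new Party();
        using var released = new Party();
        using var impostor = new Party(); // different key pair, never registered
        byte[] registered = released.PublicKey;
        Console.WriteLine("released client: " + Run(server, registered, released));
        Console.WriteLine("impostor client: " + Run(server, registered, impostor));
    }
}
```

Two things to keep in mind when moving this onto the socket. First, the server must already know the released client's public key (here `registered`) before the exchange starts; generating a fresh pair at runtime is fine for the server, but a client key that is generated at runtime has nothing tying it to your release, so the client's key pair has to be issued with the client and its public half stored on the server. Second, this is the same proof of key possession that the SslStream client-certificate handshake already performs, so once SslStream with a required client certificate is in place the exchange above is redundant, and in either form it shows that the peer holds the private key, not that the client binary is unmodified.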

Conversation locked

This conversation has been locked by the site admins. No new comments can be made.