Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Client Server Authentication

I am creating a client server communication based on Asynchronous Sockets, my client will send the username and password to the server then the server will replay whether the account is valid, so i want to secure this steps so no one could record the conversation and keep sending it to my client to achieve illegal entry to the secret data

[The Question {Simplified}] How to securely authenticate the client to the server ... ?

[NOTE] I know SSL but i cant afford paying for a certificate so i need a free alternative to provide secure communication between my client and server.

like image 874
Roman Ratskey Avatar asked Dec 03 '22 02:12

Roman Ratskey


1 Answers

As always, the most secure password is the one, that the server doesn't know, and that is never transmitted. So what you could do is:

  • On the server, store the username, a random salt ("account salt") and a secure hash of the salted password ("server shared secret").
  • On login, in a first step let the client transmit only the username (not secret)
  • The server should reply with the account salt (not secret) and a randomly generated session salt (not secret). It is important, that the server generates the session salt.
  • On the client, salt the password with the account salt and hash it (keep this as " client shared secret"), then salt the result with the session salt and hash it again. Transmit this as an authentication token (not secret)
  • On the server, take the salted hash from your DB, salt it with the session salt and hash it - if this matches the authentication token, the connection is authenticated. (Client is authenticated to server)

  • if you want to additionaly authenticate the server to the client, you repeat the procedure: Client generates a salt, server creates token from it by salting/hashing the stored secret.

  • If you want to authenticate the single requests (not only the connection), salt them with the shared secret and hash them, send this as a per-request authentication field. Since in a valid login server shared secret and client shared secret are identical,both sides should come to the same result, thus verifying the authentication field.

enter image description here

like image 93
Eugen Rieck Avatar answered Dec 24 '22 22:12

Eugen Rieck