Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Client Server Authentication

Tags:

c#

authentication

sockets

client

communication

I am creating a client server communication based on Asynchronous Sockets, my client will send the username and password to the server then the server will replay whether the account is valid, so i want to secure this steps so no one could record the conversation and keep sending it to my client to achieve illegal entry to the secret data

[The Question {Simplified}] How to securely authenticate the client to the server ... ?

[NOTE] I know SSL but i cant afford paying for a certificate so i need a free alternative to provide secure communication between my client and server.

like image 874
Roman Ratskey Avatar asked Dec 03 '22 02:12

Roman Ratskey

1 Answers

As always, the most secure password is the one, that the server doesn't know, and that is never transmitted. So what you could do is:

  • On the server, store the username, a random salt ("account salt") and a secure hash of the salted password ("server shared secret").
  • On login, in a first step let the client transmit only the username (not secret)
  • The server should reply with the account salt (not secret) and a randomly generated session salt (not secret). It is important, that the server generates the session salt.
  • On the client, salt the password with the account salt and hash it (keep this as " client shared secret"), then salt the result with the session salt and hash it again. Transmit this as an authentication token (not secret)

  • On the server, take the salted hash from your DB, salt it with the session salt and hash it - if this matches the authentication token, the connection is authenticated. (Client is authenticated to server)

  • if you want to additionaly authenticate the server to the client, you repeat the procedure: Client generates a salt, server creates token from it by salting/hashing the stored secret.

  • If you want to authenticate the single requests (not only the connection), salt them with the shared secret and hash them, send this as a per-request authentication field. Since in a valid login server shared secret and client shared secret are identical,both sides should come to the same result, thus verifying the authentication field.

enter image description here

like image 93
Eugen Rieck Avatar answered Dec 24 '22 22:12

Eugen Rieck
Sign in to Comment

Related questions

Can we add new elements to a list using Parallel.ForEach()?
Only the last Cell gets added to the Row
How do I find all CR+LF's in a string?
Is there a better method to structure this if statement
What do CanRead and CanWrite mean for a PropertyInfo?
Update single row in a WPF DataGrid
Incorrect return value when using ExecuteNonQuery()
.NET Dynamic method. Best performance
foreach over anonymous types
How to convert hexadecimal "string" into actual hexadecimal value in .NET? [duplicate]
Is there a tool for parsing a string to create a C# func?
copy all type format file from folder in c#
How to check if a class instance has been created or is null C#
Interface implementation confusion
Is there a way to shorten the condition if it always compares to the same thing?
Get specific column with NHibernate Query
Comparison between time of 2 DateTime c#
Automatically define the DataTable in C# from the schema of SQL server tables?
How do I declare a variable with hyphen on it
How do I find all occurrences of a specific sentence within a string?

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!