
ANSWER: I'm using Mutual SSL Authentication. Now there isn't any problem :)

I'm working on a server project. I've tried to authenticate the client with an XOR encrypt-decrypt method, but this isn't secure enough. I decided to use SSL with my sockets, but I can't do it. I have a System.Net.Sockets.Socket-based connection. Namely, I want this: if a TCP connection is incoming, authenticate whether it is our client's socket connection (not every socket should be able to connect to our server socket on our port). Can anybody give me a starting point or some examples? (This is the dead point of my server. If I can't do it, it'll be cancelled!)

EDIT1: My system currently works like this:

  • Client connects to the server.

  • Server creates a 16-byte random key, encrypts it with serverKey (XOR), and sends it to the client

  • Client decrypts the data with serverKey, encrypts it with clientKey, and sends it back

  • Server decrypts the data and checks whether they are the same

    (When the client connects, a timer is started for the auth timeout)

EDIT2: Now I'm using another cryptology. When a client connects, the data will be sent, and the client will decrypt it and send it back. The cryptology works like this:

Encrypt the byte[] with a special method (not professional). Then get a hash code of the byte[]. This hash algorithm is written by me, and if anybody doesn't know it, they will never understand our encrypted byte[] (hash outputs can't be reversed anyway). And finally it combines the hash and the encrypted data (like an XOR, a special method).

With this method, nobody gets decrypted/cracked data. Otherwise there is an asymmetric encrypt/decrypt method (http://en.wikipedia.org/wiki/Diffie%E2%80%93Hellman_key_exchange). I can upgrade my auth system with a (hard) asymmetric cryptology later (if it isn't enough).
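A worked illustration of why the EDIT1 exchange does not hold up, added here as an example and not part of the original post. Beyond dtb's point in the comments that the keys can be lifted out of any client binary, an XOR challenge-response also fails against a purely passive observer: whoever sees one login sees c1 = r ⊕ serverKey and c2 = r ⊕ clientKey, and c1 ⊕ c2 = serverKey ⊕ clientKey is enough to answer every future challenge without ever learning either key. The two 16-byte keys below are made-up placeholders.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography;

// Added example (not the poster's code): models the EDIT1 exchange with
// hypothetical keys and shows what a passive observer can do with one login.
static class XorChallengeDemo
{
    // Hypothetical keys baked into the server and the client (assumption).
    static readonly byte[] ServerKey = Enumerable.Range(0, 16).Select(i => (byte)(0x10 + i)).ToArray();
    static readonly byte[] ClientKey = Enumerable.Range(0, 16).Select(i => (byte)(0xA0 + i)).ToArray();

    static byte[] Xor(byte[] a, byte[] b)
    {
        var r = new byte[a.Length];
        for (int i = 0; i < a.Length; i++) r[i] = (byte)(a[i] ^ b[i]);
        return r;
    }

    static byte[] RandomChallenge()
    {
        var r = new byte[16];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(r);
        return r;
    }

    // Server side of EDIT1: decrypt the reply with clientKey, compare to the challenge.
    static bool ServerAccepts(byte[] challenge, byte[] response)
    {
        return Xor(response, ClientKey).SequenceEqual(challenge);
    }

    // The legitimate client needs both keys: recover r, re-encrypt it with clientKey.
    static byte[] LegitClientReply(byte[] c1)
    {
        byte[] r = Xor(c1, ServerKey);
        return Xor(r, ClientKey);
    }

    static void Main()
    {
        // 1. One legitimate login, both messages visible to anyone on the path.
        byte[] r1 = RandomChallenge();
        byte[] c1 = Xor(r1, ServerKey);          // observed
        byte[] c2 = LegitClientReply(c1);        // observed
        Console.WriteLine("legit login accepted:  " + ServerAccepts(r1, c2));

        // 2. The observer combines the two messages; r1 cancels out.
        byte[] keyDiff = Xor(c1, c2);            // == ServerKey ^ ClientKey
        Console.WriteLine("keyDiff is ServerKey^ClientKey: "
                          + keyDiff.SequenceEqual(Xor(ServerKey, ClientKey)));

        // 3. A fresh challenge: the observer answers it knowing neither key.
        byte[] r2 = RandomChallenge();
        byte[] c1b = Xor(r2, ServerKey);
        byte[] forged = Xor(c1b, keyDiff);       // == r2 ^ ClientKey, exactly what the server expects
        Console.WriteLine("forged login accepted: " + ServerAccepts(r2, forged));
    }
}
```

The same cancellation applies to any scheme where the client transforms the challenge with a fixed, linear step; it is one concrete reason the answers below steer towards TLS rather than a home-grown exchange.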

  • So, in short, you want to ensure that only *your* client can connect to your server but no other client that speaks the same protocol? – dtb Apr 06 '13 at 21:09
  • See the answer here for some considerations: http://stackoverflow.com/questions/12356785 – Paul Sasik Apr 06 '13 at 21:12
  • @PaulSasik It's not for me. I want a system like dtb's. – Mehmet Fatih Marabaoğlu Apr 06 '13 at 21:19
  • Short answer: You can't. If your client can connect to the server, so can any other client. See http://gamedev.stackexchange.com/q/33922 http://gamedev.stackexchange.com/q/1520 – dtb Apr 06 '13 at 21:21
  • @dtb SmartFox server can do it. If you want to connect to a SmartFoxServer from a telnet-like TCP client, it drops it, but if you want to connect with SmartFox's client library, you can connect. There is an authentication. So, I can't make a system like that, huh? – Mehmet Fatih Marabaoğlu Apr 06 '13 at 21:26
  • You can make it difficult, for example, by letting the server drop the connection if the client doesn't send a certain magic sequence of bytes within a few seconds. But you cannot prevent a dedicated person from finding out that magic sequence of bytes and putting it into their own client. – dtb Apr 06 '13 at 21:30
  • @dtb I've updated my post. I wrote how my system works. Is it true (safe) way to authenticate client? – Mehmet Fatih Marabaoğlu Apr 06 '13 at 21:36
  • @MehmetFatihMarabaoğlu why don't you use `https`? Instead of TcpListener, you need only HttpListener. – I4V Apr 06 '13 at 22:16
  • @I4V This is a mmo server project. not a web or mail server. EDIT: and I'm using System.Net.Sockets.Socket instead of TcpListener – Mehmet Fatih Marabaoğlu Apr 06 '13 at 22:23
  • @MehmetFatihMarabaoğlu What is mmo? – I4V Apr 06 '13 at 22:23
  • @I4V massive multiplayer online game server. yes this is true. not very big but it's for a online game project. (MMORPG) – Mehmet Fatih Marabaoğlu Apr 06 '13 at 22:25
  • @MehmetFatihMarabaoğlu just assume, you replaced your TcpListener with HttpListener and, TcpClient with WebClient. you have now the same model communicating over a secure channel. There is no `web or mail server` – I4V Apr 06 '13 at 22:28
  • @I4V HttpListener and WebClient huh? There is some headers and there is some different data posting types, am I right? I'll use TCP & UDP. I'll make a online game (MMO). Maybe it can be easy but not suitable with my systems. Still, thanks! – Mehmet Fatih Marabaoğlu Apr 06 '13 at 22:31
  • @MehmetFatihMarabaoğlu and you don't also want to use `System.Net.Security.SslStream` ? – I4V Apr 06 '13 at 22:37
  • @I4V err, yes. I want to use something like asymmetric cryptology. Encrypt with A key, decrypt with B key. (http://en.wikipedia.org/wiki/Diffie%E2%80%93Hellman_key_exchange) – Mehmet Fatih Marabaoğlu Apr 06 '13 at 22:44
  • Let's say you invent your own super-secret algorithm. You include it in your client, so people using your client can connect to your server. But by giving your client to the people, you also give the secret algorithm to the people. So it's not secret anymore and any dedicated person can extract it from your client to build their own client. All cryptography and SSL/TLS secure the connection *between* the client and the server, but doesn't help with your problem. – dtb Apr 07 '13 at 09:09

3 Answers


I think a good approach for you would be to use SSL with client certificates for authentication.

You would operate a Certificate Authority and issue a server cert for your server. You would also issue a client certificate for each client. Then in the server, you would restrict connections to only those that are signed by your CA.

This is a standard approach and should work with basically any SSL implementation. Is there a reason it's not acceptable for your situation?

vipw
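The approach vipw describes, carried out with `System.Net.Security.SslStream` on top of a plain `System.Net.Sockets.Socket` (the type the question uses). This is an added example, not code from the answerer or from the SmartFox project. It assumes you have already run your own CA and produced three files that are placeholders here: `ca.crt` (the CA certificate), `server.pfx` (a server certificate issued for `localhost`, with its private key) and `client.pfx` (a client certificate issued by the same CA, with its private key), all PFX files protected with the password `changeit`.

```csharp
using System;
using System.IO;
using System.Net;
using System.Net.Security;
using System.Net.Sockets;
using System.Security.Authentication;
using System.Security.Cryptography.X509Certificates;
using System.Text;
using System.Threading;

// Added example. Assumed inputs (not from the page): ca.crt is your private CA's
// certificate; server.pfx / client.pfx were issued by that CA; "changeit" is the
// PFX password.
static class MutualTlsDemo
{
    const string CaCertPath = "ca.crt";
    const string PfxPassword = "changeit";

    // Accept a peer certificate only if it chains to OUR CA. AllowUnknownCertificateAuthority
    // lets the chain build although the CA is not in the machine store; the thumbprint
    // comparison on the built root is what enforces "signed by our CA" and nothing else.
    static bool ChainsToOurCa(object sender, X509Certificate certificate,
                              X509Chain chain, SslPolicyErrors errors)
    {
        if (certificate == null || (errors & SslPolicyErrors.RemoteCertificateNotAvailable) != 0)
            return false;                                   // no certificate presented at all
        var ca = new X509Certificate2(CaCertPath);
        var ourChain = new X509Chain();
        ourChain.ChainPolicy.ExtraStore.Add(ca);
        ourChain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;   // private CA, no CRL here
        ourChain.ChainPolicy.VerificationFlags = X509VerificationFlags.AllowUnknownCertificateAuthority;
        if (!ourChain.Build(new X509Certificate2(certificate)))
            return false;                                   // expired, bad signature, ...
        var root = ourChain.ChainElements[ourChain.ChainElements.Count - 1].Certificate;
        return root.Thumbprint == ca.Thumbprint;
    }

    // The client additionally insists that the server's name matches its certificate.
    static bool ValidateServer(object sender, X509Certificate certificate,
                               X509Chain chain, SslPolicyErrors errors)
    {
        if ((errors & SslPolicyErrors.RemoteCertificateNameMismatch) != 0) return false;
        return ChainsToOurCa(sender, certificate, chain, errors);
    }

    static void RunServer(int port)
    {
        var serverCert = new X509Certificate2("server.pfx", PfxPassword);
        var listener = new Socket(AddressFamily.InterNetwork, SocketType.Stream, ProtocolType.Tcp);
        listener.Bind(new IPEndPoint(IPAddress.Loopback, port));
        listener.Listen(10);
        while (true)
        {
            Socket peer = listener.Accept();
            peer.ReceiveTimeout = 5000;                     // the "auth timeout" from the question
            var ssl = new SslStream(new NetworkStream(peer, true), false, ChainsToOurCa);
            try
            {
                // clientCertificateRequired = true makes the handshake demand a client
                // certificate; ChainsToOurCa decides whether it is one of ours.
                ssl.AuthenticateAsServer(serverCert, true, SslProtocols.Tls12, false);
                var buf = new byte[256];
                int n = ssl.Read(buf, 0, buf.Length);
                Console.WriteLine("authenticated client says: " + Encoding.UTF8.GetString(buf, 0, n));
                byte[] reply = Encoding.UTF8.GetBytes("welcome");
                ssl.Write(reply, 0, reply.Length);
            }
            catch (AuthenticationException e) { Console.WriteLine("rejected: " + e.Message); }
            catch (IOException e) { Console.WriteLine("dropped: " + e.Message); }   // timeout, telnet, ...
            finally { ssl.Close(); }                        // closes the socket too (ownsSocket = true)
        }
    }

    static string RunClient(string host, int port)
    {
        var clientCert = new X509Certificate2("client.pfx", PfxPassword);
        var sock = new Socket(AddressFamily.InterNetwork, SocketType.Stream, ProtocolType.Tcp);
        sock.Connect(host, port);
        var ssl = new SslStream(new NetworkStream(sock, true), false, ValidateServer);
        ssl.AuthenticateAsClient(host, new X509CertificateCollection { clientCert }, SslProtocols.Tls12, false);
        byte[] hello = Encoding.UTF8.GetBytes("hello");
        ssl.Write(hello, 0, hello.Length);
        var buf = new byte[256];
        int n = ssl.Read(buf, 0, buf.Length);
        ssl.Close();
        return Encoding.UTF8.GetString(buf, 0, n);
    }

    static void Main()
    {
        new Thread(() => RunServer(9443)) { IsBackground = true }.Start();
        Thread.Sleep(500);
        Console.WriteLine("server replied: " + RunClient("localhost", 9443));
    }
}
```

A raw telnet connection never completes the handshake and is dropped in the `IOException` branch; a client that presents no certificate, or one issued by some other CA, fails inside `AuthenticateAsServer` with an `AuthenticationException` before a single application byte is read. Two caveats a practitioner will want: the thumbprint pin is what makes this "our CA only", so do not replace it with a simple `sslPolicyErrors == SslPolicyErrors.None` check that would accept any publicly trusted certificate; and, as dtb notes in the comments, a client certificate shipped inside a distributed client binary is extractable, so this authenticates "a holder of a certificate we issued" (one per user or installation, revocable by not renewing it), not "our unmodified program".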

The answer to your question is to use SSL with mutual authentication. You've tagged your question 'SSL' so presumably that's an admissible solution.

You will have to explain what you mean by "I can't do it".

user207421

I'm using Mutual SSL Authentication. It is the best way to do it. (Sorry for other problems like "SSL doesn't work with my systems".)