I am trying o figure out how CoAP server handles authentication. DTLS seems to be the only option. However I could not find any clear example of it for .NET. I have also seen a mention about cookie on server side but that is all, no more information.
https://github.com/chkr1011/CoAPnet seems to be a good library. They also have a client example but I sould not find server example of it. Projest seems to have CoAP server as well, however I could not find it in source code.
Can any client send requests to the server if url is known? Is DTLS the way to go? Is there any server/client example of DTLS in C#?
If a java server will also help, have a look at eclipse/californium. We run a sondbox at "californium.eclipse.org" and if you want to "connect" a client, you may just use the "openssl" PSK demo credentials "Client_identity" and "secretPSK".
Can any client send requests to the server if url is known?
That depends on the protocol variant. Without encryption (plain coap), yes. Some projects then use a "token" in the request, to authenticate the request (see ThingsBoard). With encryption (DTLS, coaps), you need valid credentials, e.g. PSK (as above), a x.509 certificate or a Raw Public Key certificate. There are also setups, where only the server authenticates itself using x.509, and the client then uses the already encrpyted communication to authenticate with an other mechanism (e.g. username/password, so very similar to the model, mostly used with https).
The most pain is usually to find implementations, which could be used in the intended/wanted way. Maybe some projects helps you, to adapt the implementation.
Is DTLS the way to go?
In my opinion, yes. The alternative with OSCORE (payload encryption) are currently in development, we will see, if that changes the game.
Is there any server/client example of DTLS in C#?
I don't know that. Maybe you ask that the project you already found. Or ask here CoAP-CSharp
Related
I have the following concern about security in server-client models...
Imagine the following:
I have an C# WinForms client that wants to communicate with a server (PHP GET-POST Requests, Socket or WebSocket in a Console App C# (Net Framework) running on a Debian under Mono, instead of using ASP.NET).
The first problem that arises is that whether the server (written in PHP or C #) must have some kind of control for the anonymous requests that the client generates, for this, we will have to use some type of token generated by the server to every request.
The problem isn't related to the token (my plan is to use HTTPS (PHP) or SSL / TLS + Certificates in WebSockets (C#) for client-server communications at the network level, to avoid Spoofing or MitM).
The problem arises when the server has to give to a "client" (we need to check its validity, that the main concern) a token to allow the client do requests. It would be very easy to any client to give a token from the server (How? Replicating (inverse ingeenering) a client that makes requests to the server to try to obtain valid tokens, at least, as I plan to implement it, hence the need for help).
In what I was thinking, is to generate a md5 or sha hash for the assembly file of the client. So, if anyone tries to replicate those steps, it will be difficult. Because he/she will need to modify the source code of the assembly or make a malicious assembly and obtain the same hash by collision (this is difficult).
I do not know how efficient is this system, so I need you to guide me a bit in this aspect.
I've been looking at OAuth, and I think that this type of implementation is not the one I'm looking for, because this kind of implementations is for the user level (to avoid that another user violates the main user data), not for the client (application).
So if someone can guide on this issue it would be of great help.
You can't authenticate the client, it is not possible. Anything in the client is known to the user (attacker), any secret, anything you have there. The only question is difficulty, but anything you do, it will not be very difficult.
Also in your hashing scheme, what would you do with the hash, send it to the server? Why would a different client have to match the hash, when it can send whatever it wants (ie. the correct hash, as sniffed from the network)?
So again, because the software needs to run on the client machine, anything that runs there or is sent on the network is disclosed to the user, and he can replicate it in a different client. It is not possible to securely prevent this. Also ssl/tls doesn't help here, if you control one of the endpoints (ie.the client).
Imagine if it was possible somehow, software piracy would not be a thing - but it very much is.
I am building a program for myself that will save my passwords. Now I have the following questions. Because I have a lot of computers (one for work, three for myself), I want to keep the passwords in sync with a server. But now my question is what is the safest way to send data over the internet with c#? Is it possible to make the connection so safe that I can send passwords over it? And maybe any suggestions for the app.
Yes, you can make it reasonably secure. First, I would recommend against writing your own protocol stack, simply because it is so incredibly easy to make a simple mistake that would make it trivial to hack the security.
( Obviously there are plenty of already existing services (like 1password, passpack, etc) but I assume you know that already. )
I would recommend that you focus on the syncing and UI and leave the security to alredy proven libraries. One such solution is to use SSH with RSA authentication and known host keys. This is in use on many production sites and AFAIK considered reasonably secure (though there was one hole in one of the most popular implementations, OpenSSH, some years ago that was pretty bad). The SSH protocol can be used as a carrier for all kinds of different protocol, including your own password-syncing protocol (for that you could just use SOAP or JSON-RPC or something similar that there are plenty of libraries for).
You can then integrate directly with C# by using a SSH client library (https://sshnet.codeplex.com was the first Google hit). I have no experience using C# directly to talk SSH, though. What I usually do is to let an existing SSH client (PuTTY, for example) open up a port forward and then use regular TCP sockets. It all depends on how slick you want the sync app, but since you are writing it for yourself only, I would go with the latter.
If you are clever writing your app, you don't need a server part except of your own (for example, SSH implements SFTP for file storage).
A similar idea is to use SSL. If you pre-trust the certificate chain, this can be made secure enough but my experience is that the default SSL socket API in C# is way too much tied into the Windows architecture, making things like custom certificate validation trickier. Using a publicly exposed server to your service (directly of via IIS) also opens up a lot of new attack vectors.
This is my first post at stackoverflow.com, so if i do something wrong just let me know. So onto the problem.
I have a C# server currently running System.Net.Socket Sockets similar to the sample code Microsoft provided here.
I also have an Objective-C iPad client running NSInputStream/NSOutputStream bound to CFReadStream/CFWriteStream.
At present with only username/password authentication sent via an XML Serialized Object the client and server can communicate without any issues.
The problem I now have is that the communication has to be secure, and talking to clients, SSL encryption would be acceptable. However, I don't think they would accept just the "Server Certificate" as good enough. So I am trying to get the iPad client to use a "Client Certificate". I would like to enable true mutual authentication.
If I can't achieve mutual authentication, a third party VPN Software could be the better solution to secure the communication.
I haven't completed the conversion yet, but I have found a few articles that give me good examples of this, but there are no examples that fit my situation for client side certificates on the iPad.
The samples that i have found are:
C# SSL Tcp Server
Apple Developer site that shows how to use SSL, but no client certificate
iPad SSL Stream without client certificate.
iPad SSL Stream without client certificate
iPad HTTP Client that uses client certificate
Basically the system must eventually run TCP communication with SSL embedded with the ability to manage certificates. Not sure if it makes a difference, but as this would be going to many different clients, it is preferable to be compatible with SSL 3.0 and TLS(any version).
As I have only been dabbling in Objective-C for the past 6 months and am more familiar with C#, I will probably need you to explain your answer in simpler terms.
Edit:
I am more concerned with the Objective-C side of the equation, as I am fairly sure the C# side will be simple. Basically I need someone to explain how to implement client side certificates on a TCP NSStream in Objective-C or point me in the direction of possible solutions or approaches to the problem.
Any help will be greatly appreciated.
Chris
I cannot answer your question with regards to how to implement this on the objective-c side as what you ask is beyond what a single application can achieve on IOS devices. Thinking outside the box..
From Apple:
iOS supports the Simple Certificate Enrollment Protocol (SCEP). SCEP
is an Internet draft in the IETF, and is designed to provide a
simplified way of handling certificate distribution for large-scale
deployments. This enables over-the-air enrollment of identity
certificates to iPhone and iPad that can be used for authentication to
corporate services.
Knowing this and searching for SCEP in the developer library points me to this page - https://developer.apple.com/library/ios/#documentation/NetworkingInternet/Conceptual/iPhoneOTAConfiguration/Introduction/Introduction.html
This page will be of interest, notice that Microsoft Server supports this:-
https://developer.apple.com/library/ios/#documentation/NetworkingInternet/Conceptual/iPhoneOTAConfiguration/OTASecurity/OTASecurity.html#//apple_ref/doc/uid/TP40009505-CH3-SW1 and it even has some sample client/server code.
My interest is generally in the field of Mobile-Device-Management and have been looking into this.
Hope this helps.
Check out CFSocket and/or CkoSocket
I'd need to establish my XMPP connection on the server side of a .net C# web application and then pass the RID and the SID to the client to allow a BOSH connection to be established.
Problem is, I am finding it impossible to get the RID and the SID from any of the C# XMPP Libraries.
Can anyone tell me how to obtain these? Also.... do I need to establish a BOSH connection server-side or will a normal connection do?
Using Strophe and ejabberd does not require you to attach, you can use a normal connection if you wish so. Attaching has the following advantages:
It allows you to authenticate with the server and pass the RID, SID to strophe avoiding the js knowing the user password.
It allows you to reattach on a later request.
Attachment is described in detail in XEP-0206
It's a lengthy but straightforward process, but I have no idea whether your C# libray supports it. It uses standard HTTP so you should be able to write it yourself or use a library (punjab comes to mind). If you can follow python, here is how I am doing it in a project of mine.
I just blogged about this topic here:
http://www.ag-software.de/2012/01/31/bosh-prebind-in-matrix-and-attach-to-strophe/
MatriX supports what you are looking for.
Alex
I am trying to send information (in the form of an mime file) to a third party host server that uses two way authentication. After much coaxing I got enough information from their non technical help desk staff to figure out that it is most likely a type of TLS/SSL communication. They use client and server handshakes. I found the following example:
sslstream example. But am having problems using it (TcpClient refuses to see the host adddress).
Before I get too far I was hoping some one could point me in the direction of some good examples or more information on this process. I'm feeling pretty lost.
By two way authentication, probably they mean that they require a client certificate. This means that during the handshake, the client side has to present a certificate to the server as well. The most common SSL behavior is that only the server part presents a certificate, such as when you go to a normal site that is using HTTPS.
As for SslStream, it is quite straightforward to use. To be able to present a client certificate, you need to have a certificate in the certificate store or a pfx file that you can load into memory during runtime.
I found this sample which seems good enough. Here is another one. The second one doesn't use client certs, but you can add them as a parameter to the the AuthenticateAsClient call.
If the TcpClient is refusing to see the host address, then this is most likely some kind of connectivity issue and not related to the actual SSL implementation.