I'm wondering if theres already a combo let say jQuery - Some C# DLL to proive a secure both way communication between ASPX forms with jQuery and a control layer based on ashx files with C# classes...
[From comment below]
Well I see I have to be more specific. The are things like sniffers on simple network analysis tools even like Firebug that let you see the data transfered via POST or GET. The idea to secure a Server Client application is to ensure that data isn't corrupt and compromised, and to achive that you have to make imposible to an atacker to report false info so the best is to have improved some cryptographyc algorithms both on client and server to crypt decrypt encode decode data...
The only way you can ever make web communication secure between a client and a server is by using SSL.
Here is a Javascript AES engine.
However, you really should use SSL instead.
Related
I am trying o figure out how CoAP server handles authentication. DTLS seems to be the only option. However I could not find any clear example of it for .NET. I have also seen a mention about cookie on server side but that is all, no more information.
https://github.com/chkr1011/CoAPnet seems to be a good library. They also have a client example but I sould not find server example of it. Projest seems to have CoAP server as well, however I could not find it in source code.
Can any client send requests to the server if url is known? Is DTLS the way to go? Is there any server/client example of DTLS in C#?
If a java server will also help, have a look at eclipse/californium. We run a sondbox at "californium.eclipse.org" and if you want to "connect" a client, you may just use the "openssl" PSK demo credentials "Client_identity" and "secretPSK".
Can any client send requests to the server if url is known?
That depends on the protocol variant. Without encryption (plain coap), yes. Some projects then use a "token" in the request, to authenticate the request (see ThingsBoard). With encryption (DTLS, coaps), you need valid credentials, e.g. PSK (as above), a x.509 certificate or a Raw Public Key certificate. There are also setups, where only the server authenticates itself using x.509, and the client then uses the already encrpyted communication to authenticate with an other mechanism (e.g. username/password, so very similar to the model, mostly used with https).
The most pain is usually to find implementations, which could be used in the intended/wanted way. Maybe some projects helps you, to adapt the implementation.
Is DTLS the way to go?
In my opinion, yes. The alternative with OSCORE (payload encryption) are currently in development, we will see, if that changes the game.
Is there any server/client example of DTLS in C#?
I don't know that. Maybe you ask that the project you already found. Or ask here CoAP-CSharp
I have the following concern about security in server-client models...
Imagine the following:
I have an C# WinForms client that wants to communicate with a server (PHP GET-POST Requests, Socket or WebSocket in a Console App C# (Net Framework) running on a Debian under Mono, instead of using ASP.NET).
The first problem that arises is that whether the server (written in PHP or C #) must have some kind of control for the anonymous requests that the client generates, for this, we will have to use some type of token generated by the server to every request.
The problem isn't related to the token (my plan is to use HTTPS (PHP) or SSL / TLS + Certificates in WebSockets (C#) for client-server communications at the network level, to avoid Spoofing or MitM).
The problem arises when the server has to give to a "client" (we need to check its validity, that the main concern) a token to allow the client do requests. It would be very easy to any client to give a token from the server (How? Replicating (inverse ingeenering) a client that makes requests to the server to try to obtain valid tokens, at least, as I plan to implement it, hence the need for help).
In what I was thinking, is to generate a md5 or sha hash for the assembly file of the client. So, if anyone tries to replicate those steps, it will be difficult. Because he/she will need to modify the source code of the assembly or make a malicious assembly and obtain the same hash by collision (this is difficult).
I do not know how efficient is this system, so I need you to guide me a bit in this aspect.
I've been looking at OAuth, and I think that this type of implementation is not the one I'm looking for, because this kind of implementations is for the user level (to avoid that another user violates the main user data), not for the client (application).
So if someone can guide on this issue it would be of great help.
You can't authenticate the client, it is not possible. Anything in the client is known to the user (attacker), any secret, anything you have there. The only question is difficulty, but anything you do, it will not be very difficult.
Also in your hashing scheme, what would you do with the hash, send it to the server? Why would a different client have to match the hash, when it can send whatever it wants (ie. the correct hash, as sniffed from the network)?
So again, because the software needs to run on the client machine, anything that runs there or is sent on the network is disclosed to the user, and he can replicate it in a different client. It is not possible to securely prevent this. Also ssl/tls doesn't help here, if you control one of the endpoints (ie.the client).
Imagine if it was possible somehow, software piracy would not be a thing - but it very much is.
I'm currently making a game with my friends. It will be mmorpg so I need a game launcher which will display news, update the game and allow login. All this things needs a connection to take information. At first I thought that I will have to make my custom server with custom protocol. Then I found that for checking the version for update I could use HTML and then download new files from ftp. Then I had an idea in mixing ftp with database such as MySQL which will contain passwords, news and versions of game. The problem of ftp is that it will have to download the database to read it which is very unsafe with passwords. Is there any way to make a server which will contain all those things above (news, password check, game version and update files) and allow users to login safely and fast?
I don't know if this would be an option, but it seems you need to implement a client-server architecture, or, client-server (for authorization and coordination) combined with P2P here (for playing).
You could try to create a web service on a server (WebApi or WCF service hosted on an IIS, for instance or a cheaper PHP on an nginx server) that would handle the login logic and client authorization.
This way, you won't need to download the database, just to synchronize the logic with the players. The server would tell you the connection info of your mates, and you could connect to them via P2P, or relay the communication in case you will be playing behind firewalls.
On the other hand, you may try to implement this solely via P2P.
You shouldn't be downloading passwords. You should be hashing/salting as well as encrypting the password on the client before sending it up to the server.
The client should not even know there is a sql database on the backend.
As for a good encryption solution, check out this: Hash and salt passwords in C#
I am creating a website where I need to have access to the clients files. I know that the client will have to accept some warning message and also run my progam.
I have reaserched on the internet and I know that I can acomplish this with Web Sockets. I have been able to establish a tcp connection localy from c# and google chrom html 5 websocket. the problem with websockets is that it did not work with other browsers.
Another solution that I was thinking was to use cookies to exchange messages. I havent tried that and I dont think that will be efficient.
Some websites when giving them privilades are able to use java. I have no idea how they exchange messages but maybe there is a similar way of doing it with c#
Look at SignalR -- https://github.com/SignalR/SignalR. Be careful though, web sockets (and any other "per user" type connection has server resource implications -- see http://robrich.org/archive/2012/04/05/The-real-time-web-in-ASP-NET-MVC.aspx
Does ASP.NET use a mechanism for disallowing manipulation of data between client and server?
If not, does it mean we should use SSL? What kind of attacks can SSL prevent?
If yes what is this mechanism?
No, the ASP.NET webforms and mvc frameworks do nothing to protect transport of data between client and server. The viewstate is an encrypted piece of data in webforms, but that does not mean it can't be tampered with on the way to the server or client. The short answer is to use at least 128 bit ssl using a CA signed certificate if you want to prevent man in the middle attacks.
ASP.Net uses Viewstate on the client side to retain values - which is practically unbreakable. However, any web application passes (posts) data to server via webbrowser which is passed in the chunks of packet data using TCP/IP protocol. This information can be easily monitored using some software to see what data is being transmitted (however, changing this data while being transmitted to server seems very very difficult in real time). SSL simply encrypts the data (say your user name and password you typed in the login box) before browser sends it the server; this data while being transmitted on TCP/IP channels can be monitored but it would be in encrypted format. Thus, secure.
However you can make your application secure by taking care of the points from this links:
http://ethicalhackingaspnet.codeplex.com/
http://msdn.microsoft.com/en-us/library/ms972969
To disallow data manipulation between client and server, you have to have a way for the server to detect such manipulation. For viewstates this can be enabled in asp.net by making sure the viewstates have mac and encryption enabled. Oh, and you should also set a viewstateuserkey.
For other parameters however, an attacker can manipulate the parameters. So use SSL/TLS. SSL/TLS sets up a encrypted connection between your client and server, making it impossible (unless poorly configured) for an attacker to sniff out data or manipulate the content.
Not using SSL/TLS, allows all sorts of attacks (sniffing session cookies on open wireless networks, injecting packets and manipulating the returned web page etc.)