
Server App Security Ideas/Problem

Started by Dyndrilliac, March 30, 2005, 05:47 PM


Topaz

It really shouldn't lag too much if they can only check for auth and product key.

Lenny

#16
Well there really isn't a 'best' solution to your problem simply because it's somewhat a contradiction in itself. 

You're trying to offer a service (connection) that is publicly accessible and at the same time trying to prevent certain users from accessing it.  The only way you could really prevent an attack is by disabling the service.  But that unfortunately is usually the goal of those 'certain users'.

As we've seen in the past with Blizzard and even this website, there is no perfect way to prevent users from flooding a server with requests when given the scenario in your first post you can't identify them uniquely.

But to be more helpful, I recommend you have two obstacles for allowing a valid user through.  The first would be a connection validation to verify he isn't an attacker from a list of IPs.  There are several ways to make this process more efficient (binary searching, hash tables, etc).  Then go through your validation procedure... You shouldn't be allowing everyone a chance to go through your validation procedure.



 
The Bovine Revolution
Something unimportant

Live Battle.net:

WARNING: The preceding message may have contained content unsuitable for young children.
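
The two-obstacle approach from the post above, as an added example that is not part of the original thread: a hash-set IP check runs first, and the expensive validation is reached only by connections that pass it. The class and function names, the sample addresses, and the rule that repeated failures add an address to the list are assumptions that go beyond the post.

```python
import time
from collections import defaultdict, deque

class ConnectionGate:
    """Cheap per-IP checks that run before the costly validation procedure."""

    def __init__(self, blocklist=(), max_failures=3, window=60.0, clock=time.monotonic):
        self.blocked = set(blocklist)          # hash set: O(1) average lookup
        self.failures = defaultdict(deque)     # ip -> times of recent failed validations
        self.max_failures = max_failures       # assumed threshold, not from the thread
        self.window = window                   # seconds a failure stays counted
        self.clock = clock

    def admit(self, ip):
        """Obstacle 1: reject listed addresses without doing any expensive work."""
        return ip not in self.blocked

    def record_failure(self, ip):
        """Count a failed validation; list the IP once it reaches the threshold."""
        now = self.clock()
        q = self.failures[ip]
        q.append(now)
        while q and now - q[0] > self.window:  # forget failures older than the window
            q.popleft()
        if len(q) >= self.max_failures:
            self.blocked.add(ip)
            del self.failures[ip]

def handle(gate, ip, credentials, validate):
    """Obstacle 2 (validate) is reached only by connections that pass obstacle 1."""
    if not gate.admit(ip):
        return "dropped"
    if validate(credentials):
        return "success"
    gate.record_failure(ip)
    return "failure"

def demo():
    """Constructed traffic (documentation address ranges): one IP keeps failing."""
    calls = []
    def validate(creds):                       # stand-in for the expensive check
        calls.append(creds)
        return creds == "good-key"
    gate = ConnectionGate(blocklist={"203.0.113.9"})
    results = [handle(gate, "198.51.100.7", "bad", validate) for _ in range(5)]
    results.append(handle(gate, "203.0.113.9", "good-key", validate))
    results.append(handle(gate, "192.0.2.10", "good-key", validate))
    return results, len(calls)
```

In `demo()`, the expensive check runs four times for seven connection attempts; the remaining three are dropped by the set lookup alone.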


Dyndrilliac

#18
Well here's how the process is gonna work.

- Client sends connection request to the server.
- Server requests the Encryption CodeKey for the rest of the transmission's encryption.
- Client replies.
- Server then requests the client's MD5 Hash signature and authorization key for verification.
- Client replies.

Depending on if the information is good, the server sends the client a success or failure message. If the client receives a failure message, it shuts down.
Quote from: Edsger W. Dijkstra
It is practically impossible to teach good programming to students that have had a prior exposure to BASIC; as potential programmers they are mentally mutilated beyond hope of regeneration.

R.a.B.B.i.T


Adron

Quote from: Dyndrilliac on April 02, 2005, 03:23 PM
Well here's how the process is gonna work.

- Client sends connection request to the server.
- Server requests the Encryption CodeKey for the rest of the transmission's encryption.

That's gonna be sent using an asymmetrical cipher?

Lenny

#21
I was also wondering what you meant by those two lines Adron is pointing out.

Are you only encrypting one end of the stream or are you using one key to encrypt for both the client and the host (symmetrical).  If you're not using an asymmetrical cipher to send the key over, I don't understand why the encryption would be useful at all to begin with...

Regardless, I still don't see how this would prevent an attacker from 'flooding' the server with verification requests.  Also, if your server asks for a key first, wouldn't you be forcing the server to go through a tedious encryption algorithm only to find out the user was never valid afterwards?

Dyndrilliac

@Rabbit: If the client cannot connect, the client shuts down.

@Adron: The encryption key is sent using RSA-256.

@Lenny: I never said this solved my problem. That was the point of asking the question in this thread. The encryption's purpose is to keep people from reversing the packet structure, and finding out the correct md5 hash.

Adron

Quote from: Dyndrilliac on April 03, 2005, 11:00 AM
@Adron: The encryption key is sent using RSA-256.

RSA is an OK cipher, but shouldn't you be using something a bit stronger than 256-bit?

R.a.B.B.i.T

Quote from: Dyndrilliac on April 03, 2005, 11:00 AM
@Rabbit: If the client cannot connect, the client shuts down.
So?  Someone can write a basic server which follows protocol (sort of) and always returns a positive acceptance, then shuts down.  Modifying the hosts file to point to localhost then running the self-made server fixes the disconnect problems.

Lenny

Also, to add to what Adron has said, I don't think VB is a good language to implement RSA.

UserLoser.

Quote from: Lenny on April 03, 2005, 01:33 PM
Also, to add to what Adron has said, I don't think VB is a good language to implement RSA.

why?  just use cryptoapi stuff

Lenny

He's using an API to handle his encryption?

Well, that does take care of not having to implement the RSA algorithm which involves a good amount of complicated math.  Most of which is beyond my understanding.

But it is nice to know what RSA does, and it does add a good amount of overhead to a program.

dxoigmn

Quote from: Lenny on April 04, 2005, 01:42 PM
Well, that does take care of not having to implement the RSA algorithm which involves a good amount of complicated math.  Most of which is beyond my understanding.

But it is nice to know what RSA does, and it does add a good amount of overhead to a program.

RSA is pretty easy to understand and doesn't require "complicated math," whatever that means. I agree that its implementation may be difficult though depending on what you have at your disposal (e.g. an arbitrary integer library).

Lenny

#29
Well the algorithm is fairly simple, but why the algorithm is so secure is beyond me.  Knowing how relative primes, phi's, euler algorithms work is not a problem, but why they were used is completely different.

Notice I said 'what RSA does', not how or why it works.

Perhaps I should restate my earlier post, let's replace 'complicated' with monotonous...