Server App Security Ideas/Problem

Topaz · April 02, 2005, 01:07 AM

It really shouldn't lag too much if they can only check for auth and product key.

Lenny · April 02, 2005, 02:46 AM

Well there really isn't a 'best' solution to your problem simply because it's somewhat a contradiction in itself.

You're trying to offer a service (connection) that is publicly accessible and at the same time trying to prevent certain users from accessing it. The only way you could really prevent an attack is by disabling the service. But that unfortunately is usually the goal of those 'certain users'.

As we've seen in the past with Blizzard and even this website, there is no perfect way to prevent users from flooding a server with requests when given the scenario in your first post you can't identify them uniquely.

But to be more helpful, I recommend you have two obstacles for allowing a valid user though. The first would be a connection validation to verify he isn't an attacker from a list of IPs. There are several ways to make this process more efficient (binary searching, hash tables, etc). Then go through your validation procedure....You shouldn't be allowing everyone a chance to go through your validation procedure.

R.a.B.B.i.T · April 02, 2005, 01:52 PM

Quote from: Dyndrilliac on March 30, 2005, 08:48 PMlegitimate [...] game hack

PAH!

Dyndrilliac · April 02, 2005, 03:23 PM

Well here's how the process is gonna work.

- Client sends connection request to the server.
- Server requests the Encryption CodeKey for the rest of the transmission's encryption.
- Client replies.
- Server then requests the clients MD5 Hash signature and authorization key for verification.
- Client replies.

Depending on if the information is good, the server sends the client a success or failure message. If the client recieves a failure message, it shuts down.

R.a.B.B.i.T · April 02, 2005, 06:43 PM

Owned@modifing hosts file.

Adron · April 02, 2005, 07:03 PM

Quote from: Dyndrilliac on April 02, 2005, 03:23 PM
Well here's how the process is gonna work.

- Client sends connection request to the server.
- Server requests the Encryption CodeKey for the rest of the transmission's encryption.

That's gonna be sent using an assymetrical cipher?

Lenny · April 02, 2005, 07:45 PM

I was also wondering what you meant by those two lines Adron is pointing out.

Are you only encrypting one end of the stream or are you using one key to encrypt for both the client and the host (symmetrical). If you're not using an asymmetrical cipher to send the key over, I don't understand why the encryption would be useful at all to begin with...

Regardless, I still don't see how this would prevent an attacker from 'flooding' the server with verification requests. Also, if your server asks for a key first, wouldn't you be forcing the server to go through a tedious encryption algorithm only to find out the user was never valid afterwards?

Dyndrilliac · April 03, 2005, 11:00 AM

@Rabbit: If the client cannot connect, the client shutsdown.

@Adron: The encryption key is sent using RSA-256.

@Lenny: I never said this solved my problem. That was the point of asking the question in this thread. The encryption's purpose is to keep people from reversing the packet structure, and finding out the correct md5 hash.

Adron · April 03, 2005, 11:33 AM

Quote from: Dyndrilliac on April 03, 2005, 11:00 AM
@Adron: The encryption key is sent using RSA-256.

RSA is an OK cipher, but shouldn't you be using something a bit stronger than 256-bit?

R.a.B.B.i.T · April 03, 2005, 12:23 PM

Quote from: Dyndrilliac on April 03, 2005, 11:00 AM
@Rabbit: If the client cannot connect, the client shutsdown.

So? Somone can write a basic server which follows protocol (sort of) and always returns a positive acceptance, then shuts down. Modifying the hosts file to point to localhost then running the self-made server fixes the disconnect problems.

Lenny · April 03, 2005, 01:33 PM

Also, to add to what Adron has said, I don't think VB is a good language to implement RSA.

UserLoser. · April 04, 2005, 02:17 AM

Quote from: Lenny on April 03, 2005, 01:33 PM
Also, to add to what Adron has said, I don't think VB is a good language to implement RSA.

why? just use cryptoapi stuff

Lenny · April 04, 2005, 01:42 PM

He's using an API to handle his encryption?

Well, that does take care of not having to implement the RSA algorithm which involves a good amount of complicated math. Most of which is beyond my understanding.

But it is nice to know what RSA does, and it does add a good amount of overhead to a program.

dxoigmn · April 04, 2005, 03:21 PM

Quote from: Lenny on April 04, 2005, 01:42 PM
Well, that does take care of not having to implement the RSA algorithm which involves a good amount of complicated math. Most of which is beyond my understanding.

But it is nice to know what RSA does, and it does add a good amount of overhead to a program.

RSA is pretty easy to understand and doesn't require "complicated math," whatever that means. I agree that it's implementation may be difficult though depending on what you have at your disposal (e.g. an arbitrary integer library).

Lenny · April 04, 2005, 04:00 PM

Well the algorithm is fairly simple, but why the algorithm is so secure is beyond me. Knowing how relative primes, phi's, euler algorithms work is not a problem, but why they were used is completely different.

Notice I said 'what RSA does', not how or why it works.

Perhaps I should restate my earlier post, let's replace 'complicated' with monotonous...

Server App Security Ideas/Problem

Topaz

R.a.B.B.i.T

R.a.B.B.i.T

R.a.B.B.i.T

UserLoser.