trying to implement a basic authentication mechanism

Do you have a question? Post it now! No Registration Necessary.  Now with pictures!

Threaded View

Hi all,
I am trying to implement some form of basic authentication mechanism.
Suppose I have a server process A, to which other client process B, C,
D etc connect using some form a IPC.
I want to allow only genuine client process to connect to server
process A, if any Malicious or unknown process tries to connect,  it
should deny/close the connection.
So in order to provide such mechanism. I took two numbers one as
"server_id" and other as "salt/cipher". Using "server_id" and "salt",
I create a set of keys based on "client_ids". Now on client side, I
take its "id" and using "server_id" and "salt", I create a unique
"identifier", which is encrypted using setkey() and encrypt()
function. This "encrypted string" is then sent to server process for
authentication. On server side using key , "encrypted string" is
decrypted and the value is compared against the set of keys, which
were previously generated based on client ids.
Since, the "encrypted key" is generated using three numbers i.e.
"client id", "salt" and "server_id", the malicious program cannot
connect until unless, it knows all three numbers.
However, the problem is I donno how can I possibly store these
numbers? Client ids need not to be stored, since they are based on
client numbers. However client and server both should know these keys
in order to generate(or verify against) encrypted string.
For now I have hardcoded both number in code(server and client side)
as "automatic const", but that is a very bad idea.  I cannot generate
random or timebased keys, since sync between client and server is
difficult to implement.

I have very little familiarity with security mechanisms(implementation
or usage). Can anyone suggest a better way of doing this?


Re: trying to implement a basic authentication mechanism

Quoted text here. Click to load it

What's a client number?

I'm rather confused by your terminology here, but this seems to be
wide open to replay attacks. All you seem to be doing is sending a
password in clear text. It doesn't matter that the password has been
generated using some fancy mathematics.

The right answer is probably to use SSL with server and client
certificate validation - but without knowing the constraints its hard
to say.


Re: trying to implement a basic authentication mechanism

Quoted text here. Click to load it

Use SSH or SSL. Register the public hostkeys if you wish to desire end-
to-end authentication. And pick up a copy of the O'Reilly book on SSH
to learn more about how to do this sort of thing robustly with
existing tools, instead of trying to invent it from scratch and
leaving yourself vulnerable to old attacks.

Site Timeline