Solved

Password for Server

Posted on 2001-06-20
Last Modified: 2010-04-06
How do you set a password for the server in a typical TCP/IP client/server connection such that the client must type in the correct password to access the server's files, etc.?
Question by:marinedestroyer2
 
LVL 2

Expert Comment

by:FrodoBeggins
ID: 6210355
To access files you need another protocol (FTP or HTTP, at least). There the standard is username:pas@server[.domain] (e.g. ftp://marine@hardtoknowpassword:secret.yahoo.com/). But if you make your own protocol on the basis of TCP/IP, you choose the way. I'm not sure, but I think the TCP protocol has no account management implemented.
0
 
LVL 2

Expert Comment

by:FrodoBeggins
ID: 6210359
0
 
LVL 14

Expert Comment

by:AvonWyss
ID: 6215427
marinedestroyer2, you need to give more details on what kind of client/server connection you're talking of. Most protocols have mechanisms to provide a login with a password already defined in the protocol, so the way to do things is given (for instance in an RFC).

If you want to implement your own password checking for a proprietary protocol, I'd use a hash approach instead of plain text passwords. MD5 is made just for that and is easy to use and implement.
0
 

Author Comment

by:marinedestroyer2
ID: 6217329
Sorry, I'm pretty new to Delphi so you have to help me along. I'm just using a standard client/server socket connection where the client sends commands to client and client responds. Could you tell me how to add a login type of thing such that the client has to input a password to login to the server? Could you also tell me more about MD5?
thanx
0
 
LVL 14

Expert Comment

by:AvonWyss
ID: 6220420
OK, I'm assuming that you're using a proprietary protocol. In this case, a very very simple method of authentication would be (plain text):
SERVER accepts connection
CLIENT sends: username password
SERVER closes connection if bad username/password

It's obvious that this method is not very secure since anyone listening on the network (packet sniffer, routers etc.) would be able to clearly see both username and password and use them on their own.

MD5 is a hashing algorithm which creates a 512 bit hash sequence for any given bit stream. It is designed in such a way that even if you see the hash, you will not be able to reverse-engineer the original value except with brute force (e.g. trying every possible combination).

So, a much more secure authentication could go like this:
SERVER accepts connection
CLIENT sends: username
SERVER sends: a random sequence of chars
CLIENT internally adds the password to that sequence and applies the MD5 algorithm, then sends the 512 bit hash back to the server
SERVER also internally adds the correct password to the sequence generated, computes the hash and compares it with the client's hash
SERVER closes connection if the hashes are not the same

The password is never sent as clear text over the network, and since the random sequence is different every time the client connects, the hash also changes every time. Since the hash is designed so that you cannot trace back the contents it was created from even if you knew part of the sequence used (that is, the random sequence), it's quite secure.

You can find an implementation of the MD5 algorithm here:
http://www.fichtner.net/delphi/md5.delphi.phtml?download=md5.pas

What it is and how it works is described here:
http://www.rfc-editor.org/rfc/rfc1321.txt
0

 

Author Comment

by:marinedestroyer2
ID: 6222305
yes......but how do you add the function where
CLIENT sends: username password
SERVER closes connection if bad username/password

and also, how do I make sure that the client isn't able to send a command to the server to do something. For instance, if there is a function copyfile in the server, like this
if ReceiveCommandsFromClient='Copy file' then
begin
CopyFile...........etc
end;
How do I prevent the Client from sending the 'Copy file' command to the server unless the client has sent the correct password to the server FIRST? I hope you can help me. Thanx
0
 
LVL 14

Expert Comment

by:AvonWyss
ID: 6222438
Where and how to add it depends on the sockets library you're using as well as whether it is asynchronous or not. As a general rule, the server will be in a loop waiting for client commands to come in, and at the beginning the server should only accept the authentication commands, later on only the normal ones.

You cannot prevent the client from sending any unallowed commands; doing so would also make your server very insecure (imagine some hacker writing a client which does not respect these rules...). The *server* will have to reject the action asked by the client if the client is not yet (client has not authenticated) or not (client has authenticated but the authenticated user has insufficient rights) allowed to do it.
0
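The two answers above, put together as an added example that is not code from the thread: a server-side session that runs the challenge/response login and refuses every other command until it succeeds, then checks the user's rights. It is written in Python rather than Delphi to show the logic only, and it uses HMAC-SHA-256 keyed with the password in place of MD5 over challenge plus password; the message names `USER`, `CHALLENGE`, `RESPONSE` and the account table are assumptions of the example.

```python
import hashlib
import hmac
import secrets

# Constructed for this example: message names USER/CHALLENGE/RESPONSE and the
# sample accounts, user -> (shared password, commands that user may run).
USERS = {"marine": (b"correct horse", {"List", "Copy file"}),
         "guest": (b"guest-pw", {"List"})}


def proof(password: bytes, challenge: bytes) -> str:
    """Computed by client and server alike; the password never crosses the wire."""
    return hmac.new(password, challenge, hashlib.sha256).hexdigest()


class Session:
    """Server-side state for one connection; every received line goes to handle()."""

    def __init__(self):
        self.user = None            # name claimed by USER, not yet proven
        self.challenge = None       # outstanding one-time random challenge
        self.authenticated = False

    def handle(self, line: str) -> str:
        verb, _, arg = line.partition(" ")
        if verb == "USER":
            self.user, self.authenticated = arg, False
            self.challenge = secrets.token_bytes(16)    # fresh on every attempt
            return "CHALLENGE " + self.challenge.hex()
        if verb == "RESPONSE":
            if self.challenge is None:
                return "ERR send USER first"
            # Unknown users get a random dummy secret so both failures look alike.
            password, _ = USERS.get(self.user, (secrets.token_bytes(16), set()))
            expected = proof(password, self.challenge)
            self.challenge = None                       # a challenge is single-use
            self.authenticated = self.user in USERS and hmac.compare_digest(
                expected.encode(), arg.encode())
            return "OK" if self.authenticated else "ERR bad login"
        # Any other line is a normal command: the server decides, not the client.
        if not self.authenticated:
            return "ERR not authenticated"
        if line not in USERS[self.user][1]:
            return "ERR permission denied"
        return "OK " + line             # a real server would run the command here
```

The socket loop creates one `Session` per accepted connection, passes each received line to `handle()`, and closes the connection on `ERR bad login`. Both sides must hold the same secret, so the server has to store the password, or a key derived from it, in a form it can feed to `proof()`.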
 

Author Comment

by:marinedestroyer2
ID: 6222801
ok........so what type of loop should I add
0
 
LVL 14

Expert Comment

by:AvonWyss
ID: 6224413
Why don't you post some code of yours? As written before, it's impossible to give you a correct hint without knowing what tools you're using (what components to use TCP/IP, whether you're running asynchronous or not, etc.).
0
 
LVL 26

Expert Comment

by:Russell Libby
ID: 8685035
No comment has been added lately, so it's time to clean up this TA.
I will leave a recommendation in the Cleanup topic area that this question is:

PAQ/Refund

Please leave any comments here within the next seven days.
 
PLEASE DO NOT ACCEPT THIS COMMENT AS AN ANSWER!
 
Thank you,
Russell

EE Cleanup Volunteer
0
 

Accepted Solution

by:
PashaMod earned 0 total points
ID: 8812307
PAQ'ed and points not refunded,

PashaMod
Community Support Moderator @Experts Exchange
0
