marinedestroyer2

Password for Server

How do you set a password for the server in a typical TCP/IP client/server connection such that the client must type in the correct password to access the server's files, etc.?
FrodoBeggins

To access files you need another protocol (FTP or HTTP, at least). There the standard is username:pas@server[.domain] (e.g. ftp://marine@hardtoknowpassword:secret.yahoo.com/). But if you make your own protocol on the base of TCP/IP you choose the way. I'm not sure, but I think the TCP protocol has no account management implemented.
marinedestroyer2, you need to give more details on what kind of client/server connection you're talking of. Most protocols have mechanisms to provide a login with a password already defined in the protocol, so the way to do things is given (for instance in a RFC).

If you want to implement your own password checking for a proprietary protocol, I'd use a hash approach instead of plain text passwords. MD5 is made just for that and is easy to use and implement.

ASKER

Sorry, I'm pretty new to Delphi so you have to help me along. I'm just using a standard client/server socket connection where the client sends commands to the server and the server responds. Could you tell me how to add a login type of thing such that the client has to input a password to login to the server? Could you also tell me more about MD5?
Thanx
Ok, I'm assuming that you're using a proprietary protocol. In this case, a very very simple method of authentication would be (plain text):
SERVER accepts connection
CLIENT sends: username password
SERVER closes connection if bad username/password

It's obvious that this method is not very secure since anyone listening on the network (packet sniffer, routers etc.) would be able to clearly see both username and password and use them on their own.

MD5 is a hashing algorithm which creates a 512 bit hash sequence for any given bit stream. It is designed in such a way that even if you see the hash, you will not be able to reverse-engineer the original value except with brute force (e.g. trying every possible combination).

So, a much more secure authentication could go like this:
SERVER accepts connection
CLIENT sends: username
SERVER sends: a random sequence of chars
CLIENT internally adds the password to that sequence and applies the MD5 algorithm, then sends the 512 bit hash back to the server
SERVER also internally adds the correct password to the sequence generated, computes the hash and compares it with the client's hash
SERVER closes connection if the hashes are not the same

The password is never sent as clear text over the network, and since the random sequence is different every time the client connects, the hash also changes every time. Since the hash is designed so that you cannot trace back the contents it was created from even if you knew part of the sequence used (that is, the random sequence), it's quite secure.

You can find an implementation of the MD5 algorithm here:
http://www.fichtner.net/delphi/md5.delphi.phtml?download=md5.pas

What it is and how it works is described here:
http://www.rfc-editor.org/rfc/rfc1321.txt
yes......but how do you add the function where
CLIENT sends: username password
SERVER closes connection if bad username/password

and also, how do I make sure that the client isn't able to send a command to the server to do something. For instance, if there is a function copyfile in the server, like this
if ReceiveCommandsFromClient='Copy file' then
begin
  CopyFile...........etc
end;
How do I prevent the Client from sending the 'Copy file' command to the server unless the client has sent the correct password to the server FIRST. I hope you can help me. Thanx
Where and how to add it depends on the sockets library you're using as well as if it is asynchronous or not. As a general rule, the server will be in a loop waiting for client commands to come in, and at the beginning the server should only accept the authentication commands, later on only the normal ones.

You cannot prevent the client from sending any unallowed commands; doing so would also make your server very insecure (imagine some hacker writing a client which does not respect these rules...). The *server* will have to reject the action asked by the client if the client is not yet (client has not authenticated) or not (client has authenticated but the authenticated user has insufficient rights) allowed to do it.
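The challenge-response login described above (server sends a random sequence, client appends the password and MD5s it, server recomputes and compares) together with the server-side rule that only authentication commands are accepted before login, as an added example that is not from the original thread. It is written in Python rather than Delphi because the point is the protocol logic; the command names LOGIN/AUTH/COPYFILE, the reply strings and the user table are constructed for the example, and MD5 here is the real RFC 1321 algorithm from hashlib (a 128-bit digest).

```python
import hashlib
import secrets

# Constructed user table for the example; the challenge scheme requires the
# server to know each user's password so it can recompute the hash.
USERS = {"marine": "secret"}

def make_challenge() -> str:
    # Fresh random sequence per connection, so every login hashes differently
    return secrets.token_hex(16)

def response_for(challenge: str, password: str) -> str:
    # CLIENT side: append the password to the challenge and MD5 the result
    return hashlib.md5((challenge + password).encode()).hexdigest()


class Session:
    """Server-side state for one client connection."""

    def __init__(self) -> None:
        self.user = None           # set only after a successful AUTH
        self.pending_user = None
        self.challenge = None
        self.open = True           # False once the server has hung up

    def handle(self, line: str) -> str:
        """Process one command line from the client and return the reply."""
        cmd, _, arg = line.partition(" ")
        if self.user is None:
            # Not yet authenticated: only the login commands are accepted.
            if cmd == "LOGIN":
                self.pending_user = arg
                self.challenge = make_challenge()
                return "CHALLENGE " + self.challenge
            if cmd == "AUTH" and self.challenge is not None:
                expected = response_for(self.challenge, USERS.get(self.pending_user, ""))
                ok = self.pending_user in USERS and secrets.compare_digest(
                    expected.encode(), arg.encode())
                self.challenge = None   # a challenge is single-use
                if ok:
                    self.user = self.pending_user
                    return "OK"
                self.open = False       # SERVER closes the connection on a bad hash
                return "BYE"
            return "ERR not authenticated"
        # Authenticated: normal commands, e.g. the 'Copy file' from the question
        if cmd == "COPYFILE":
            return "OK copying " + arg  # the real server would call CopyFile here
        return "ERR unknown command"
```

Note that the server must hold the plaintext password to recompute the hash, and a captured challenge/response pair can still be tested offline against guessed passwords, so this improves on the plain-text exchange above without replacing a proper protocol such as TLS.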
ok........so what type of loop should I add
Why don't you post some code of yours? As written before, it's impossible to give you a correct hint without knowing what tools you're using (what components you use for TCP/IP, whether you're running asynchronous or not, etc.).
Russell Libby
No comment has been added lately, so it's time to clean up this TA.
I will leave a recommendation in the Cleanup topic area that this question is:

PAQ/Refund

Please leave any comments here within the next seven days.
 
PLEASE DO NOT ACCEPT THIS COMMENT AS AN ANSWER!
 
Thank you,
Russell

EE Cleanup Volunteer
ASKER CERTIFIED SOLUTION
PashaMod

This solution is only available to members.