EdgeMan
asked on
Secure Handshake WIth Delphi & Indy
Hi All,
What is the best way for a client to authenticate with a server using the TCP/IP components of Indy (standard TCP client and server components)?
The server has a list of users and passwords, the client software needs to authenticate through the server with that list. It is VITAL that any transmission that is captured between the client and server cannot be used to authenticate by someone else on the network (for example someone using a network tool to capture network traffic).
I am trying to get my head around how this would work with Indy / Delphi.
I have read one entry on experts exchange about "secure handshake with TCP/IP", but it looks like the way that is done is by sending a random string to the client in clear text, then the client hashes it and sends it back, and the server compares the hashed values. However, can't someone capture the first "random string" and then do the same hashing to "fake" a session?
Tough one for me :-)
What is the best way for a client to authenticate with a server using the TCP/IP components of Indy (standard TCP client and server components)?
The server has a list of users and passwords, the client software needs to authenticate through the server with that list. It is VITAL that any transmission that is captured between the client and server cannot be used to authenticate by someone else on the network (for example someone using a network tool to capture network traffic).
I am trying to get my head around how this would work with Indy / Delphi.
I have read one entry on experts exchange about "secure handshake with TCP/IP", but it looks like the way that is done is by sending a random string to the client in clear text, then the client hashes it and sends it back, and the server compares the hashed values. However, can't someone capture the first "random string" and then do the same hashing to "fake" a session?
Tough one for me :-)
I'm back but it's hard to know where to start. If you go to Google and enter the search term "+pgp +delphi", you'll find a number of Delphi interfaces to PGP, e.g., http://dmoz.org/Computers/Programming/Languages/Delphi/Cryptography/.
One of the principles of computer security is that nothing is ever absolutely secure. All one can do is raise the "work factor" in compromising a security system to be so high that a potential cracker would choose other mechanisms to break in - e.g., by bribing an employee of the target company.
You should do a risk assessment. What is the potential cost of compromised security? What damage could be done if a userid/password pair were to be discovered by a snooper?
Then you should estimate the probability of such an occurrence. Encryption can halp to decrease this probability.
The product of the two (damage cause by compromise) * (probability of compromise) is a good number to conside as worth expending on protecting your system (like buying insurance).
Without knowing more about your risk assessment, it's difficult to make specific recommendations, although there are now interfaces within most operating systems to provide a good degree of protection.
How much do you want to spend on this? (Rhetorical question).
One of the principles of computer security is that nothing is ever absolutely secure. All one can do is raise the "work factor" in compromising a security system to be so high that a potential cracker would choose other mechanisms to break in - e.g., by bribing an employee of the target company.
You should do a risk assessment. What is the potential cost of compromised security? What damage could be done if a userid/password pair were to be discovered by a snooper?
Then you should estimate the probability of such an occurrence. Encryption can halp to decrease this probability.
The product of the two (damage cause by compromise) * (probability of compromise) is a good number to conside as worth expending on protecting your system (like buying insurance).
Without knowing more about your risk assessment, it's difficult to make specific recommendations, although there are now interfaces within most operating systems to provide a good degree of protection.
How much do you want to spend on this? (Rhetorical question).
ASKER
Good points.
The problem is that the system will transmit confidential information across the Internet. So, the more security the better.
What about if I deploy all client software with the public key of a keypair, the server will have the private key. That way I could send the authentication request from the client to the server encrypted. The problem is if the server needs to send some information back to the client software, I think (correct me if I am wrong) that the information from the server to the client can NOT be encrypted in this scenario because the client is unable to decrypt any information.
The plot thickens!
The problem is that the system will transmit confidential information across the Internet. So, the more security the better.
What about if I deploy all client software with the public key of a keypair, the server will have the private key. That way I could send the authentication request from the client to the server encrypted. The problem is if the server needs to send some information back to the client software, I think (correct me if I am wrong) that the information from the server to the client can NOT be encrypted in this scenario because the client is unable to decrypt any information.
The plot thickens!
You might be able to tackle this from two different layers.
The first is with a virtual private network (VPN). This would be independent do anything you do with the application but might be beyond your control. If the client and server can be brought into a VPN, then your application software need not have any further protection (unless there's a threat on the LAN at either end).
Assuming that you cannot establish a VPN, a public key approach could work both ways. If you distribute your software with a pre-configured key pair, unique for each client, then your problem is solved because you will have established a trusted connection.
Alternatively, if you must create a key-pair dynamically, you have the choice of using a company that provides a PKI (public key infrastructure) or exchange keys through some other mechanism (say a hard-coded symmetric algorithm, using some characteristic derived by the client environment to build the PK key pair).
Once again, it all comes down to the work factor (risk).
In the deployment scenario you described, you could send an encryption key pair to the client using the server's keys, unique to the client and assumed for all reverse traffic.
The first is with a virtual private network (VPN). This would be independent do anything you do with the application but might be beyond your control. If the client and server can be brought into a VPN, then your application software need not have any further protection (unless there's a threat on the LAN at either end).
Assuming that you cannot establish a VPN, a public key approach could work both ways. If you distribute your software with a pre-configured key pair, unique for each client, then your problem is solved because you will have established a trusted connection.
Alternatively, if you must create a key-pair dynamically, you have the choice of using a company that provides a PKI (public key infrastructure) or exchange keys through some other mechanism (say a hard-coded symmetric algorithm, using some characteristic derived by the client environment to build the PK key pair).
Once again, it all comes down to the work factor (risk).
In the deployment scenario you described, you could send an encryption key pair to the client using the server's keys, unique to the client and assumed for all reverse traffic.
Edgeman...
Wot r u trying to do ?
A Database Application that transfer data between client and server..?
some kind of a Client Server that ll connect to a server and retrieve any kind of data ?
Or u just want to Connect to a server in a encrypted way .. ?
They all change the way u take ...
If u ll only connect to a server in a encrypted way .. u can use Ras to create a encrypted VPN connection ..
Or if u ll transfer data .. create a encrypted connection Again with ras and sedn ur data ..
or if u ll make an Database application .. Which collects and sends data to a specific server.. Use Midas type applications... It has its own Encrytion method..
Wot r u trying to do ?
A Database Application that transfer data between client and server..?
some kind of a Client Server that ll connect to a server and retrieve any kind of data ?
Or u just want to Connect to a server in a encrypted way .. ?
They all change the way u take ...
If u ll only connect to a server in a encrypted way .. u can use Ras to create a encrypted VPN connection ..
Or if u ll transfer data .. create a encrypted connection Again with ras and sedn ur data ..
or if u ll make an Database application .. Which collects and sends data to a specific server.. Use Midas type applications... It has its own Encrytion method..
ASKER
I need to transmit confidential information and files, so I could use Midas (DataSnap), although the file transfer would still need to be encrypted (files are not stored in a database on the server).
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Ok..
make Connection via Encrypted VPN.
Use datasnap for DB Operations..
and with the encryption of the VPN everything thats is send by the server ll be secure ..And u dont ave to encrypt something with codes..
Best way is that ..
Install RAS on ur server.. Enable VPN Connections. Add Accounts.. And Create a Group for accounts.. Than Crate a Group policy for ur VPN Connection Accounts.. Set the parameters in this GP. Allow only Encrypted Connections..
And Transfer wot ever u want in a secure way ..
make Connection via Encrypted VPN.
Use datasnap for DB Operations..
and with the encryption of the VPN everything thats is send by the server ll be secure ..And u dont ave to encrypt something with codes..
Best way is that ..
Install RAS on ur server.. Enable VPN Connections. Add Accounts.. And Create a Group for accounts.. Than Crate a Group policy for ur VPN Connection Accounts.. Set the parameters in this GP. Allow only Encrypted Connections..
And Transfer wot ever u want in a secure way ..
You need a protected mechanism for authentication. This will involve encryption.
Encryption falls into two categories - symmetric and asymmetric.
With symmetric encryption, the sender and receiver share a secret, delivered ideally over a different channel (e.g., email). This is the realm of DES and XOR with a one-time pad.
Asymmetric encryption relies on "Public Key Encryption", in which each correspondent hold half of the answer - a private and a public key. Both are required to transform an encrypted message into clear text.
Emphasis in recent years has been on the latter end there are many ways of doing the necessary secured "handshaking". You could, for example, use PGP or a certificate from one of the 1st-line PKI (Public Key Infrastructure) companies, who establish a degree of "trust".
This is a very complex issue and I recommend that you adopt something very simple. You could go whole hog and try something like Microsoft's "Passport" but you're probably better off with something like PGP.
I'm afraid I can't put much more time into this particular posting but I'll try to expand on the topic a bit later. There is a PGP interface for Delphi and I'll find it for you.
Alan