i m using java,gwt.while login or creating account when user will enter the password,on server side i m encrypting it but i also want to apply encryption to passord on client side.which i will decrypt on server side and will use it for further process.
i googled but i m not getting which technique should i use for encryption on client side.
Thanks in advance.
Client side encryption in javascript will not be secure because you must somehow provide the key to the client and server. So key will need to be sent over unencrypted network.
This scheme is really a security through obscurity and is not secure, because someone could reverse engineer your protocol and get the key.
The only way to secure data on the web is HTTPS. You can simply configure this on the server without changing your code.
GWT-Crypto is what you need.
Hope this helps.
Related
I'm writing an Android app that talks with my php backend server. I want to give sha1 fingerprint to server everytime when i make a request, in this way server will know it's my app and will answer the request. But as you know, apk datas will reverse engineered easly and the sha1 fingerprint can be discovered and can be hardcore written.
How can i really be sure that request comes from my app?
Thanks in advance
edit: to that s.. o. a b.... that dislikes my question. please come here and write why you disliked my question. thanks
You can't really do it as you don't have control over the application nor the network traffic. But here is some tricks :
Put HTTPS in the server so network traffic cannot be spoofed easily with an external app.
Create a HMAC from your server or SSL certificates (need an authority CA) and pass it to the application. Send the HMAC only if you have a specific MAC or PC id or IP address, you can check with files and so on that everything is okay but with reverse engineering, it can be reverted. You can use hash_hmac in PHP.
You should not keep sensitive information in your application but rely on your server-side for all sensitive informations and check.
If you need some data to be kept on the application and sent back afterwards, you can also use PGP keys to sign or encrypt data and then send it back to the sever, verify and/or decrypt it. You can do with GnuPG module or use pass_thru to pass shell args. As the application does not have access to keys, your data cannot be altered nor decrypted.
I have an applet that communicates with php through http post requests and then my php script inserts data in a mysql database. So the problem is that i guess anyone can make a http post requests and add data to my mysql database if they now the "post" names and of course i dont want that.
So i would like to have som solution where my php can be sure that the http requests are really from my applet and no one else. I would be grateful for ideas on how to solve this. The data being sent contains no secrets so it dont need to be encrypted if it can be solved with no encryption that is.
Thanks in advance.
If you can't use encryption while communicating , so the answer is simply you can't make sure.
In fact, even with encryption, it is impossible to determine whether a request was made by your applet or by something else that is perfectly mimicing its behavior. You will need to build your application such that it can deal with this.
Encryption will help secure any methodology you will put into place in order to achieve what you want, but it will do nothing on its own.
What you want is to authenticate the post message. This is usually achieved by having your client (here, applet) sign (HMAC) the POST message using a key that only the applet AND the server knows. The challenge here is that you need to securely store the key on the client side.
If I were you I would check into authenticating the users and hosting the applet in a secured area of your site, making sure your applet is re-using the HTTP session of the authenticated user when performing POST requests. Add to this basic safeguards against standard attacks (ie Cross Site Request Forgery, Replay attack, etc). This setup would make sure your requests come from your site by authorized users.
You could have the applet register by generating an RSA key pair on the client and sending the public key to the server. The server then keeps track of the public key of each registered client.
On each POST the client signs some piece of data using the private key, and includes the signature and the public key (or a hash of the public key) to identify itself. The server verifies that the public key is registered, and verifies the signature.
There would be no way to mimic this short of stealing the private key from the client, or breaking RSA encryption. Well, I guess you could record and replay somebody else's POST. There is that problem to solve.
However, you could have a fake client follow the steps of registration and send a public key, and then that fake client would be free to POST along with all valid clients. So there is that problem to solve, too.
I am developing an Android app. The app communicates with a server through a PHP API. Each user must create an account. So, the app has a login functionality. I am doing further research on how to be able to securely transfer data between client (Android app) and server. For example, a user sends, through a POST, request his username/password in order to login.
Based on what I have read, I can safely assume that in case someone “listens” the transaction between client and server he could steal the username/password combination and use it on order to login to the legitimate user’s account. Is that correct?
The solution to this problem is to encrypt the data (eg username and password) before sending them either from client or server. The data will be then decrypted by the recipient (client or server). I do that by using crypt/decrypt functions both on client (written in Java) and server (written in PHP). Each function has the same IV (initialization vector) and Secret Key (to be honest, I do not know much about the IV’s usage so forgive me if I say something wrong. I google around for information but any useful links would be really appreciated).
From what I read, the problem with this implementation is that the APK file could be decompiled from client side and get the IV and Secret Key. As a result, a listener could decrypt the data sent. Is that correct?
Trying to find a solution to this problem I have a suggestion and I would like your opinion. What if during user’s registration a unique IV and secret key are given to the each user. These values are stored both to a MySQL database (server side) and a SQLite database (client side). Whenever data needs to be sent trough a post request, the user’s id (could be something simple as an integer) and the data to be sent are encrypted using the unique IV/Secret Key for the individual user. These are stored locally so the “listener” has no access to them. Even if he decompile the APK he will just have access to his own IV/Secret Key that he already knows. Then on server side the data are decrypted using the same IV/Secret Key stored on the server. The same procedure is applied when data are sent from server to client.
Is this a correct approach?
Reusing the same symmetric key and same IV is extremely incorrect approach and must not be used ever.
Reusing the same key and IV will enable attacks where the attacker will be able to recover your secret key just be eavesdropping on the encrypted traffic for long enough. And when the attacker has your key he will be able to decrypt all and every past and future communications.
To secure the data transfer you should use HTTPS (or SSL/TLS directly if your data transfer protocol is not HTTP-based).
If your only concern is to securely communicate with the server i suggest you to install a ssl certificate to your server. Doing this way the communication will be secured by the underlying protocol. To facilitate your communication with the server for implementing ssl communication i suggest you to use aquery library, here's a link!.
Also dont forget to see the ca compatibility list for android.
Hope it helps.
This is a rather old question so i'm surprised it didn't have a more complete response. It seems you understand the concepts of symmetric encryption but you are missing knowledge of public/private key encryption. Look up RSA for a method of achieving public/private key encryption. With this, you can generate (via the assistance of a cryptographically secure RNG) new random keys as well as IVs at the start of each session to feed to your symmetric encryption system. This means that anyone listening from start to finish will not be able to make sense of your system short of brute forcing the RSA key or the symetric(AES?) key.
I have an assignment called "Write a client server socket program in Java in which server will authenticate client using authentication algorithm." How do I get started? Which are the prerequisites of knowledge of computer security and socket programming to implement this? Any links to good tutorials?
EDIT: Using Caesar Cipher
Maybe this can help you:
http://www.javaworld.com/jw-12-1996/jw-12-sockets.html
The authentication can be a simple username/password scheme.
Sockets
Authentication Algorithm
This requirement is vague. I will give you the simplest possible answer:
write the server in such a way, that it requires a username and password with every request.
Are your using an authentication algorithm or are you just encrypting the message?
If you just have to encrypt the message then make sure both ends have the same cypher stored in them (Two arrays of characters should work ) and encrypt the string character by character before you send the message then decrypt it character by character on the other end.
You don't use a Caesar Cypher for authentication merely encryption. If you want authentication then separately you can have the first message of the socket connection be a username/password both of which you can encrypt client side and decrypt server side, then check they are valid. For the simplest example of this just hard code an acceptable username and password on the server and have the username and password on the client be entered on the command line.
For anybody that Googled their way here, an example of an authentication algorithm or "handshake" is more than a username and password. It would be a challenge sent from the server to the client, such as a random string; and the client performs an algorithm on the challenge, such as bit wise operations for example, and sends it back to the server. The server then does this same thing to the challenge and compares with the one the client sent before verifying the log in.
This is used to create a more arcane protocol to deter 3rd party developers such as bot makers from creating unauthorized software. Often times the handshake procedure is very difficult, not only in operation but also using complex functions of the used language to make porting very difficult.
A friend and me are working on a Java Game with a client/server - architecture.
It is working well, but i ran into a problem.
We use TCP Sockets for networking between server and client.
Our network protocol isnt encrypted and can just be read by anone who bothers to watch the stream.
We thought about how we could apply some kind of cryptography to it to hide login information and prevent people to write their own clients. But basic things like adding/substracting bytes seems pretty easy to figure out.
What are the usual methods used to encrypt network communication for games( or at least game login information )? And having written the server and client in java, are there any useful java libraries?
Use public-key encryption (RSA for example) and implement something like the SSL Handshake, or of course use SSL - here you can see an example.
Here's a simplified sequence:
the server sends his public RSA key to the client
the client generates a symmetric key (using AES for example)
the client encrypts the symmetric key with the server's public key and sends it to the server
the server decrypts the received symmetric key
Now both the client and the server have a key which no one eavesdropping can know. Then use that key to encrypt all data.
SSL(Secure Sockets Layer) is popular to handle this kind of problem.
Look at the javax.crypto library or bouncyCastle.
Both provide cryptographic primitives, also for encryption. Depending on how secure you want to have it, you can use symmetric or assymetric crypto. However, also think about key management in advance. Where do you store your private/shared key.
If it is a client-server, the best way would be to use assymetric crypto (i.e. RSA, Elliptic Curve) and give every user a certificate signed with the key of the server (note, this is TLS (formerly called SSL)). This way you can check if the user logging on is authentic. However, you dont prevent custom clients since the user has to have everyone can just copy the certificate.
In practice, it is quite hard to prevent custom clients.
You can use Ciphers. Some more examples here and here