Security Basics mailing list archives

trying to implement a basic authentication mechanism


From: Anuz Pratap Singh Tomar <chambilkethakur () gmail com>
Date: Wed, 26 May 2010 09:55:51 +0530

Hi all,
I am trying to implement some form of basic authentication mechanism.
Suppose I have a server process A, to which other client processes B, C,
D, etc. connect using some form of IPC.
I want to allow only genuine client processes to connect to server
process A; if any malicious or unknown process tries to connect, it
should deny/close the connection.
So, in order to provide such a mechanism, I took two numbers, one as
"server_id" and the other as "salt/cipher". Using "server_id" and "salt",
I create a set of keys based on "client_ids". Now on the client side, I
take its "id" and, using "server_id" and "salt", I create a unique
"identifier", which is encrypted using the setkey() and encrypt()
functions. This "encrypted string" is then sent to the server process for
authentication. On the server side, using the key, the "encrypted string" is
decrypted and the value is compared against the set of keys, which
were previously generated based on client ids.
Since the "encrypted key" is generated using three numbers, i.e.
"client id", "salt" and "server_id", the malicious program cannot
connect unless it knows all three numbers.
However, the problem is I don't know how I can possibly store these
numbers. Client ids need not be stored, since they are based on
client numbers. However, client and server both should know these keys
in order to generate (or verify against) the encrypted string.
For now I have hardcoded both numbers in code (server and client side)
as "automatic const", but that is a very bad idea. I cannot generate
random or time-based keys, since sync between client and server is
difficult to implement.

I am a novice in using these APIs and mechanisms. Can anyone suggest a
better way of doing this?

Thanks
Anuz
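
The exchange described in the post above, as an added example that is not part of the original message: HMAC-SHA256 stands in for the setkey()/encrypt() calls, and the numeric values, function names and the `ChallengeServer` class are constructed for illustration. It goes one step beyond the post by also showing a variant in which the server sends a fresh nonce per connection, which needs no clock sync between the two sides.

```python
import hashlib
import hmac
import secrets

# Constructed sample values; the post does not state its numbers.
SERVER_ID, SALT = 4021, 77310
CLIENT_IDS = {1, 2, 3}  # stand-ins for clients B, C, D

def _mac(message: bytes) -> bytes:
    # Assumption: HMAC-SHA256 replaces the post's setkey()/encrypt() step.
    return hmac.new(f"{SERVER_ID}:{SALT}".encode(), message, hashlib.sha256).digest()

def static_token(client_id: int) -> bytes:
    """Scheme as posted: the token depends only on three fixed numbers."""
    return _mac(str(client_id).encode())

def server_check_static(token: bytes) -> bool:
    """Compare against the precomputed set, one entry per known client."""
    return any(hmac.compare_digest(token, static_token(c)) for c in CLIENT_IDS)

def client_response(client_id: int, nonce: bytes) -> bytes:
    """Variant: bind the token to a nonce chosen by the server."""
    return _mac(str(client_id).encode() + b"|" + nonce)

class ChallengeServer:
    def __init__(self) -> None:
        self._pending = set()         # nonces issued and not yet answered

    def challenge(self) -> bytes:
        nonce = secrets.token_bytes(16)
        self._pending.add(nonce)
        return nonce

    def verify(self, client_id: int, nonce: bytes, response: bytes) -> bool:
        if nonce not in self._pending:
            return False              # unknown or already-used nonce
        self._pending.discard(nonce)  # each nonce is valid once
        if client_id not in CLIENT_IDS:
            return False
        return hmac.compare_digest(response, client_response(client_id, nonce))

if __name__ == "__main__":
    print("static token identical across connections:", static_token(2) == static_token(2))
    srv = ChallengeServer()
    n = srv.challenge()
    r = client_response(2, n)
    print("first use:", srv.verify(2, n, r), "second use:", srv.verify(2, n, r))
```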
