[OFF-TOPIC] How to secure client-server connection...

08/21/2012 03:21 badguy4you#1
As I can't get help anywhere else, I will ask the CO2 professionals [I am so sorry for the off-topic post, but I am sure I will find the best help here]. I am developing a client-server application, and I will describe the client/server roles just to make things clear.

When the client is opened, it creates a connection to the server [which is a socket server that listens for and handles received packets; you may think of it like the CO2 server], then asks for a username and password.

When the user types his/her username and password, the client sends them to the server; here comes the server's role. The server compares them to the ones in the database, then sends back the response, which is either a Login Fail packet or a Login Succeed packet.

So what I want to achieve here is to make this process secure, so no one could easily log my Login Succeed packet and send it to my client to fool it and gain access with any invalid username and password.

Please, I want the best security for my app cuz it will handle crucial information.

[NOTE]: I implemented DH key exchange to secure my connection once, but I found that it is very vulnerable to MITM attacks.
08/21/2012 04:21 InfamousNoone#2
Everything is susceptible to MITM; it's simply a matter of making it more difficult to reverse your encryption lol
08/21/2012 07:14 I don't have a username#3
#Edit I misunderstood OP's question.
08/21/2012 11:08 Korvacs#4
You're looking at it in the wrong way currently anyway, regardless of how you secure your data.

If the client's requested username and password aren't in the database, the server should reject the client and disconnect them. The client should never EVER be allowed to just continue onwards after being rejected on the server's side, regardless of what packets you send to the client.

Christ, forget about securing your connection until you've got this simple fact into your head: the client that connects to your server can never be trusted. You give the client the smallest amount of information that you can get away with, and give it as little control as possible. You never, ever allow the client to continue onwards just because it happens to receive a packet; the server is the one which should be in control of the flow of information at all times. The client is merely informed of changes on the server; that's as far as it goes.
08/21/2012 12:55 badguy4you#5
Quote:
Originally Posted by Korvacs View Post
You're looking at it in the wrong way currently anyway, regardless of how you secure your data.

If the client's requested username and password aren't in the database, the server should reject the client and disconnect them. The client should never EVER be allowed to just continue onwards after being rejected on the server's side, regardless of what packets you send to the client.

Christ, forget about securing your connection until you've got this simple fact into your head: the client that connects to your server can never be trusted. You give the client the smallest amount of information that you can get away with, and give it as little control as possible. You never, ever allow the client to continue onwards just because it happens to receive a packet; the server is the one which should be in control of the flow of information at all times. The client is merely informed of changes on the server; that's as far as it goes.
I understand you, but let me give you an example.
In a bot like Conquer AI, the user must enter a valid [paid] account in order to use the bot. How could the owners make sure, at least 90%, that their client is not being fooled by a fake server [which handles the authentication instead of the real server]?

My problem is not with rejecting the client if there is a wrong ID and PW; my problem is if someone with a paid account logs the Login Succeed packet from my server and, when his/her account expires, does the following [I know that cuz I used this trick before with another game's bot]:

1- Using the loopback adapter to redirect the bot connection to 127.0.0.1

2- Creating a TcpListener to listen for the bot connection

3- Once the username and password are sent to the server, the server replies with the Login Succeed packet ...

And I log in!
08/21/2012 12:58 Korvacs#6
The client would need to be protected against external debugging and memory alterations, and then hard-code the client to connect to a global server of yours; that's the only way to secure it. Any encryption on data transfer is pointless if the client isn't protected, as you can just use a memory hook to get the sent and received data after decryption.
08/21/2012 13:02 badguy4you#7
Quote:
Originally Posted by Korvacs View Post
The client would need to be protected against external debugging and memory alterations, and then hard-code the client to connect to a global server of yours; that's the only way to secure it. Any encryption on data transfer is pointless if the client isn't protected, as you can just use a memory hook to get the sent and received data after decryption.
I will get a Themida license; I think it is a good obfuscator?

I don't want this to happen to my app:

Quote:
My problem is not with rejecting the client if there is a wrong ID and PW; my problem is if someone with a paid account logs the Login Succeed packet from my server and, when his/her account expires, does the following [I know that cuz I used this trick before with another game's bot]:

1- Using the loopback adapter to redirect the bot connection to 127.0.0.1

2- Creating a TcpListener to listen for the bot connection

3- Once the username and password are sent to the server, the server replies with the Login Succeed packet ...

And I log in!
08/21/2012 13:11 Korvacs#8
An obfuscator is great if you don't want your application reversed, but it won't protect against a memory-based attack.
08/21/2012 13:13 badguy4you#9
Quote:
Originally Posted by Korvacs View Post
An obfuscator is great if you don't want your application reversed, but it won't protect against a memory-based attack.
So I need your advice on both of these things:

1- How to protect against fake server responses. Is using RSA public key encryption enough to prevent that?

2- How to protect against memory-based attacks.

Another thing: were you playing Guild Wars 2? :D
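One defensive construction for question 1 in this post (a Login Succeed packet signed by the server over a client-chosen nonce, verified against a public key pinned in the client), as an added example that is not code from the thread: Ed25519 stands in for the RSA the post mentions, the account table and key generation are constructed, and, as Korvacs points out above, the check only holds while the client binary and its pinned key are not tampered with.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Constructed demo keys: the server keeps serverPriv; the client ships with
// only serverPub pinned into its binary (a real build embeds it as a constant).
var serverPub, serverPriv, _ = ed25519.GenerateKey(rand.Reader)

// NewNonce is the client's fresh per-login challenge that the server must sign back.
func NewNonce() [16]byte {
	var n [16]byte
	rand.Read(n[:])
	return n
}

// loginSucceedBody is the exact byte string the server signs: nonce, length-
// prefixed username and verdict, so one signature fits no other session or account.
func loginSucceedBody(nonce [16]byte, user string) []byte {
	return append(append(append(nonce[:], byte(len(user))), user...), "LOGIN_OK"...)
}

// ServerLogin is the real server's side: check the credentials (constructed
// table) and only on success sign a response bound to the client's nonce.
func ServerLogin(priv ed25519.PrivateKey, nonce [16]byte, user, pass string) ([]byte, bool) {
	accounts := map[string]string{"alice": "s3cret"}
	if accounts[user] != pass {
		return nil, false // Login Fail carries no signature at all
	}
	return ed25519.Sign(priv, loginSucceedBody(nonce, user)), true
}

// ClientVerify is the client's side: accept Login Succeed only if it verifies under the pinned key for this session's nonce.
func ClientVerify(pinnedPub ed25519.PublicKey, nonce [16]byte, user string, sig []byte) bool {
	return ed25519.Verify(pinnedPub, loginSucceedBody(nonce, user), sig)
}

func main() {
	n := NewNonce()
	sig, ok := ServerLogin(serverPriv, n, "alice", "s3cret")
	fmt.Println("genuine:", ok && ClientVerify(serverPub, n, "alice", sig))
	// The captured packet replayed into a later session (fresh nonce) is rejected.
	fmt.Println("replayed:", ClientVerify(serverPub, NewNonce(), "alice", sig))
	// A fake server on 127.0.0.1 signing with its own key fails the pinned-key check.
	_, fakePriv, _ := ed25519.GenerateKey(rand.Reader)
	fmt.Println("fake server:", ClientVerify(serverPub, n, "alice", ed25519.Sign(fakePriv, loginSucceedBody(n, "alice"))))
}
```

Note that encrypting the channel alone does not give this property; it is the signature over the client's own nonce, checked against a key the client already trusts, that makes a logged or forged Login Succeed packet useless to a fake server.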
08/21/2012 14:47 Korvacs#10
I have never really needed to look into either of those things, so my knowledge is limited in these areas; you need to do your own research into it.

And yeah, I recorded some 27 hours of GW2 and it's all on my YouTube (Fusion Gaming below).
08/21/2012 15:05 badguy4you#11
Quote:
Originally Posted by Korvacs View Post
I have never really needed to look into either of those things, so my knowledge is limited in these areas; you need to do your own research into it.

And yeah, I recorded some 27 hours of GW2 and it's all on my YouTube (Fusion Gaming below).
Was that a private server or something? cuz I wanna try GW2, but when I navigate to their website I see it still says "Pre-register your copy".
08/21/2012 15:11 _DreadNought_#12
So you rant your ass off in another thread saying the section is to be deleted and that no one here gives a fuck and no one here helps.

And you then make a new thread asking for help?

What the fuck?
08/21/2012 15:12 Korvacs#13
No it was the beta and stress testing for GW2, not a private server.
08/21/2012 15:13 badguy4you#14
Quote:
Originally Posted by _DreadNought_ View Post
So you rant your ass off in another thread saying the section is to be deleted and that no one here gives a fuck and no one here helps.

And you then make a new thread asking for help?

What the fuck?
Go read my thread and see the list of "people I respect" before posting here and assuming yourself a genius...

Quote:
People I respect here, and I don't mean them by this thread:

1-Zeroxelli
2-2slam
3-impulse
4-diedwarrior
5-InfamousNoone
6-shadowman123
7-Korvacs
Hence I excluded some people from the thread before I opened it, to prevent people like you from coming and telling me
Quote:
"You are now asking for help ..."
08/21/2012 18:19 I don't have a username#15
Quote:
Originally Posted by Korvacs View Post
An obfuscator is great if you don't want your application reversed, but it won't protect against a memory-based attack.
To an extent.

I'd suggest a paid one; the free ones are usually bad or have already been proven easily reversible.

Also, inb4crackingapaidone: what good is there in a security application that has been cracked?