[OFF-TOPIC] How to secure client-server connection...

Discussion on [OFF-TOPIC] How to secure client-server connection... within the CO2 Private Server forum part of the Conquer Online 2 category.

Old   #1
 
badguy4you's Avatar
 
elite*gold: 0
Join Date: May 2008
Posts: 477
Received Thanks: 178
[OFF-TOPIC] How to secure client-server connection...

As I can't get help anywhere else, I will ask the CO2 professionals [I am so sorry for the off-topic, but I am sure I will find the best help here]. I am developing a client-server application, and I will describe the client/server roles just to make things clear.

When the client is opened, it creates a connection to the server [which is a socket server that listens and handles received packets - you may think of it like a CO2 server], then asks for a username and password.

When the user types his/her username and password, the client sends them to the server; here comes the server's role. The server compares them to the ones in the database, then sends back the response, which is either a Login Fail packet or a Login Succeed packet.

So what I want to achieve here is to make this process secure, so no one could easily log my Login Succeed packet and send it to my client to fool it and gain access with any invalid username and password.

Please, I want the best security for my app cuz it will handle crucial information.

[NOTE]: I implemented DH key exchange to secure my connection once, but I found that it is very vulnerable to MITM attacks.
badguy4you is offline  
Old 08/21/2012, 04:21   #2
 
InfamousNoone's Avatar
 
elite*gold: 20
Join Date: Jan 2008
Posts: 2,012
Received Thanks: 2,885
Everything is susceptible to MITM; it's simply a matter of making it more difficult to reverse your encryption lol
InfamousNoone is offline  
Old 08/21/2012, 07:14   #3
 
elite*gold: 0
Join Date: Dec 2011
Posts: 1,537
Received Thanks: 785
#Edit I misunderstood OP's question.
I don't have a username is offline  
Old 08/21/2012, 11:08   #4


 
Korvacs's Avatar
 
elite*gold: 20
Join Date: Mar 2006
Posts: 6,126
Received Thanks: 2,518
You're looking at it the wrong way currently anyway, irrespective of how you secure your data.

If the client's requested username and password aren't in the database, the server should reject the client and disconnect them. The client should never EVER be allowed to just continue onwards after being rejected on the server's side, irrespective of what packets you send to the client.

Christ, forget about securing your connection until you've got into your head this simple fact: the client that connects to your server can never be trusted. You give the client the smallest amount of information that you can get away with, and give it as little control as possible. You never ever allow the client to continue onwards if it happens to receive a packet; the server is the one which should be in control of the flow of information at all times. The client is merely informed of changes on the server, that's as far as it goes.
Korvacs is offline  
Old 08/21/2012, 12:55   #5
 
badguy4you's Avatar
 
elite*gold: 0
Join Date: May 2008
Posts: 477
Received Thanks: 178
Quote:
Originally Posted by Korvacs View Post
You're looking at it the wrong way currently anyway, irrespective of how you secure your data.

If the client's requested username and password aren't in the database, the server should reject the client and disconnect them. The client should never EVER be allowed to just continue onwards after being rejected on the server's side, irrespective of what packets you send to the client.

Christ, forget about securing your connection until you've got into your head this simple fact: the client that connects to your server can never be trusted. You give the client the smallest amount of information that you can get away with, and give it as little control as possible. You never ever allow the client to continue onwards if it happens to receive a packet; the server is the one which should be in control of the flow of information at all times. The client is merely informed of changes on the server, that's as far as it goes.
I understand you, but let me give you an example.
In a bot like Conquer AI, the user must enter a valid [paid] account in order to use the bot. How could the owners make sure, at least 90%, that their client is not being fooled by a fake server [which handles the authentication instead of the real server]?

My problem is not with rejecting the client if there is a wrong ID and password; my problem is if someone who got a paid account logs the Login Succeed packet from my server, and when his/her account expires he does the following [I know that cuz I used this trick before with another game's bot]:

1- Using the loopback adapter to redirect the bot connection to 127.0.0.1

2- Creating a TcpListener to listen for the bot connection

3- Once the username and password are sent to the server, the server replies with the Login Succeed packet ...

And I log in!
badguy4you is offline  
Old 08/21/2012, 12:58   #6


 
Korvacs's Avatar
 
elite*gold: 20
Join Date: Mar 2006
Posts: 6,126
Received Thanks: 2,518
The client would need to be protected against external debugging and memory alterations, and then you hard-code the client to connect to a global server of yours; that's the only way to secure it. Any encryption on data transfer is pointless if the client isn't protected, as you can just use a memory hook to get the sent and received data after decryption.
Korvacs is offline  
Old 08/21/2012, 13:02   #7
 
badguy4you's Avatar
 
elite*gold: 0
Join Date: May 2008
Posts: 477
Received Thanks: 178
Quote:
Originally Posted by Korvacs View Post
The client would need to be protected against external debugging and memory alterations, and then you hard-code the client to connect to a global server of yours; that's the only way to secure it. Any encryption on data transfer is pointless if the client isn't protected, as you can just use a memory hook to get the sent and received data after decryption.
I will get a Themida license; I think it is a good obfuscator?

I don't want this to happen to my app

Quote:
My problem is not with rejecting the client if there is a wrong ID and password; my problem is if someone who got a paid account logs the Login Succeed packet from my server, and when his/her account expires he does the following [I know that cuz I used this trick before with another game's bot]:

1- Using the loopback adapter to redirect the bot connection to 127.0.0.1

2- Creating a TcpListener to listen for the bot connection

3- Once the username and password are sent to the server, the server replies with the Login Succeed packet ...

And I log in!
badguy4you is offline  
Old 08/21/2012, 13:11   #8


 
Korvacs's Avatar
 
elite*gold: 20
Join Date: Mar 2006
Posts: 6,126
Received Thanks: 2,518
An obfuscator is great if you don't want your application reversed, but it won't protect against a memory-based attack.
Korvacs is offline  
Old 08/21/2012, 13:13   #9
 
badguy4you's Avatar
 
elite*gold: 0
Join Date: May 2008
Posts: 477
Received Thanks: 178
Quote:
Originally Posted by Korvacs View Post
An obfuscator is great if you don't want your application reversed, but it won't protect against a memory-based attack.
So I need your advice on both of these things

1- How to protect against fake server responses? Is using RSA public key encryption enough to prevent that?

2- How to protect against memory-based attacks

Another thing: were you playing Guild Wars 2?
badguy4you is offline  
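The replay described in posts #5 and #9 depends on the client accepting a reply it has seen before. One way to close that gap, as an added example that is not code from anyone in this thread: the client sends a fresh random nonce with each login attempt and accepts a reply only if the server's Ed25519 signature covers that nonce. The message layout, function names and the "alice" account are assumptions made for the example.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// LoginReply is a constructed layout; Nonce echoes the client's 32-byte challenge.
type LoginReply struct {
	Nonce, Sig []byte
	User       string
	OK         bool
}

// signed returns the bytes covered by the server's signature.
func (r LoginReply) signed() []byte {
	return []byte(fmt.Sprintf("login-reply-v1|%x|%t|%s", r.Nonce, r.OK, r.User))
}

// ServerReply runs on the server after the database check of the credentials.
func ServerReply(priv ed25519.PrivateKey, nonce []byte, user string, ok bool) LoginReply {
	r := LoginReply{Nonce: nonce, User: user, OK: ok}
	r.Sig = ed25519.Sign(priv, r.signed())
	return r
}

// ClientAccept runs in the client, which ships only the pinned public key.
func ClientAccept(pinned ed25519.PublicKey, myNonce []byte, user string, r LoginReply) error {
	if !ed25519.Verify(pinned, r.signed(), r.Sig) {
		return errors.New("bad signature: reply is not from the real server")
	}
	if !bytes.Equal(r.Nonce, myNonce) || r.User != user {
		return errors.New("stale reply: nonce or user mismatch")
	}
	if !r.OK {
		return errors.New("login rejected")
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	n := make([]byte, 64) // two fresh 32-byte challenges, one per login attempt
	rand.Read(n)
	old := ServerReply(priv, n[:32], "alice", true) // constructed sample account
	fmt.Println(ClientAccept(pub, n[:32], "alice", old), ClientAccept(pub, n[32:], "alice", old))
}
```

The client embeds only the public key, so a listener on 127.0.0.1 cannot produce a valid signature for a new nonce. As Korvacs points out in this thread, none of this helps against a client whose check is patched out or hooked in memory.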
Old 08/21/2012, 14:47   #10


 
Korvacs's Avatar
 
elite*gold: 20
Join Date: Mar 2006
Posts: 6,126
Received Thanks: 2,518
I have never really needed to look into either of those things, so my knowledge is limited in these areas; you need to do your own research into it.

And yeah, I recorded some 27 hours of GW2 and it's all on my YouTube (Fusion Gaming below)
Korvacs is offline  
Old 08/21/2012, 15:05   #11
 
badguy4you's Avatar
 
elite*gold: 0
Join Date: May 2008
Posts: 477
Received Thanks: 178
Quote:
Originally Posted by Korvacs View Post
I have never really needed to look into either of those things, so my knowledge is limited in these areas; you need to do your own research into it.

And yeah, I recorded some 27 hours of GW2 and it's all on my YouTube (Fusion Gaming below)
Was that a private server or something? Cuz I wanna try GW2, but when I navigate to their website I see it's still "Pre-register your copy"
badguy4you is offline  
Old 08/21/2012, 15:11   #12
 
_DreadNought_'s Avatar
 
elite*gold: 28
Join Date: Jun 2010
Posts: 2,225
Received Thanks: 868
So you rant your *** off in another thread saying the section is to be deleted and that no one here gives a **** and no one here helps.

And you then make a new thread asking for help?

What the ****?
_DreadNought_ is offline  
Thanks
2 Users
Old 08/21/2012, 15:12   #13


 
Korvacs's Avatar
 
elite*gold: 20
Join Date: Mar 2006
Posts: 6,126
Received Thanks: 2,518
No it was the beta and stress testing for GW2, not a private server.
Korvacs is offline  
Old 08/21/2012, 15:13   #14
 
badguy4you's Avatar
 
elite*gold: 0
Join Date: May 2008
Posts: 477
Received Thanks: 178
Quote:
Originally Posted by _DreadNought_ View Post
So you rant your *** off in another thread saying the section is to be deleted and that no one here gives a **** and no one here helps.

And you then make a new thread asking for help?

What the ****?
Go read my thread and see the list of "people I respect" before posting here and assuming yourself a genius...

Quote:
People I respect here, and I don't mean them by this thread

1-Zeroxelli
2-2slam
3-impulse
4-diedwarrior
5-InfamousNoone
6-shadowman123
7-Korvacs
Hence I excluded some people from the thread before I opened it, to prevent some people like you from coming and telling me
Quote:
"You are now asking for help ..."
badguy4you is offline  
Old 08/21/2012, 18:19   #15
 
elite*gold: 0
Join Date: Dec 2011
Posts: 1,537
Received Thanks: 785
Quote:
Originally Posted by Korvacs View Post
An obfuscator is great if you don't want your application reversed, but it won't protect against a memory-based attack.
To an extent.

I'd suggest a paid one; the free ones are usually bad or have already been proved easily reversible.

Also inb4crackingapaidone: What good is there in a security application that has been cracked?
I don't have a username is offline  