Encryption Help

badguy4you · 07/30/2012, 01:04

{NOTE : I Tried to google this first but sorry i did not get to my specific point}

In the following few lines i will explain the trick that i am worry about , and an explanation for my exact problem

Trick :
Past i used to crack a program using fake server response

1- Looping back the connection of the program (client) to my computer
2- Sniffing the Login successful packet from the real server
3- Creating a fake server (listener) that listens for a connection from the client and sends back the fake response ( that i sniffed )

But it has not been alot of time since they changed something and my trick did not work any more

(Every time i try to send some sniffed login packet the client crashes and no longer accepts the fake server responses)
________
Problem :
Now i am creating my own client server communication and i want to prevent my client from getting fooled by the fake server response trick (anyone can login with any username and password) and provide the best security from eavesdropper

(How to make sure that this packet came from my server and not from other fake server that just sends the sniffed login succeed packet to fool my client and login)
(In another way How to prevent the client from being fooled but a fake server (emulator))

Note : i mean by prevent not to make it 100% secure cuz everything can be cracked but to avoid this kind of silly things that destroys the whole project
_________

I Hope i did not went away from the point but i just wanted to explain every single point clearly

Over 110 views !! and no single replay , i think i am more than clear in my question

badguy4you · 08/01/2012, 18:10

SO ?

kissein · 08/01/2012, 20:12

*just some brainstorming*
generate an random secret key //edit: in most cases just a bunch of random bits
use RSA for secret key & handshake
use two-factor authentication
use AES for message
use TLS protocol to send it

Syn0tix · 08/01/2012, 20:20

just crypt an string (ip or hwid from server) and encrypt it in client & check it! ( i also would crypt the tool with an good crypter )

tnd0 · 08/02/2012, 11:58

find a static function which is necessary for you client inside your clients memory. copy the byte-data and remove it from the client. let your server send this function to your clients.

also encrypt your traffic with a volatile-key encryption (like adding the current unixtime to your key), so packets with static content like 'login ok' look different everytime.

only someone who has the time, skill and will to re-engineer your encryption methods would be able to setup a fake server. if you intend to target windows-only you could also experiment with storing private/public keys in the windows cryptoAPI keychain-thingy, but I have no experience with that.

badguy4you · 08/02/2012, 18:03

Quote:

Originally Posted by kissein

*just some brainstorming*
generate an random secret key //edit: in most cases just a bunch of random bits
use RSA for secret key & handshake
use two-factor authentication
use AES for message
use TLS protocol to send it

The problem is that not good documentation for TLS Protocol could you provide me good links to understand how to use it in basic server client

Also if i understand you well is that what you mean

RSA Generates the secret key then AES encrypts all messages using the key generated by RSA , then to send the message i use TLS -NOTE : THE SERVER I MEAN IS NOT A WEBSERVER ITS A .EXE SERVER LIKE (GAME SERVERS) THAT WILL HANDLE ALL CONNECTIONS

Quote:

Originally Posted by tnd0

find a static function which is necessary for you client inside your clients memory. copy the byte-data and remove it from the client. let your server send this function to your clients.

also encrypt your traffic with a volatile-key encryption (like adding the current unixtime to your key), so packets with static content like 'login ok' look different everytime.

only someone who has the time, skill and will to re-engineer your encryption methods would be able to setup a fake server. if you intend to target windows-only you could also experiment with storing private/public keys in the windows cryptoAPI keychain-thingy, but I have no experience with that.

Very nice idea to use the unixtime to hide the static messages , Also how i send a FUNCTION to my client and use it in the client i doubt this !