c# - Dangerous to store a well hashed password and the method used to hash it in plain sight? -

-

i developing client-side application in c# communicate server (php page) credentials , critical services. wondering if it's dangerous store hashed password on client's machine? "well hashed", mean random seed using well-known secure hashing function. purposes of discussion, assume source freely available (as binaries can reverse engineered).

my thought store username , hashed password on user's computer , username , hash sent in plain text on unencrypted http connection server validation. of course not prevent hacker using else's username , password hash own without knowing source password (with code tweaks).

  1. would malevolent individual able hashed password , code used produce hash? (other log in other user if obtained information)
  2. what other client-side applications prevent 1 user logging in other user, if hacker not have access source password? (for example steam)
  3. is there easy, cheap (both cost , time), more secure way handle this?

example of how hacker spoof else's login credentials using current logic:

  1. legit user signs in first time, credentials stored
  2. hacker gains access file system, locates username , hashed password
  3. hacker modifies source code (or uses code injection) send acquired username , hashed password instead of program do

the product producing not going next ebay, facebook, or stackexchange, , low budget. not need top notch, , don't care thefts planing use "pay want" model. posting curiosity's sake.

first off, let me not competent implement system securely. i'm not either. almost no 1 is. you need security professional work; if try roll own security wrong , produce system can compromised attackers.

that out of way: have identified weakness of system. storing password equivalent; if attacker obtains password equivalent not matter whether have password or not; have information sufficient impersonate user.

the solution clear. if hurts when that, don't that. not store password equivalent if system stores cannot trusted robust against attack.

if hell bent on storing password equivalent store in storage more difficult attackers obtain access file system. if determined store dangerous stuff on behalf of user can use windows data protection api store in encrypted storage encrypted user's credentials:

http://msdn.microsoft.com/en-us/library/ms995355.aspx

but better not store password equivalent in first place.

suppose not store password equivalent. not done yet. still need consider replay attacks. suppose attacker eavesdrops upon unsecured channel. user types in password, hashed , sent server. eavesdropper records hashed password, , have it.

to solve this, server sends random number client. number never used again; one-time-only. client xors hashed password random number , encrypts result public key of server. encrypted xor'd message sent server.

the server decrypts hash using private key, xors random number sent previously, , determines decrypted hash matches password equivalent storing. eavesdropper cannot replay captured password equivalent because never see same random number again.

now, vulnerable man-in-the-middle attack if client not know public key of server! if server sends public key client man-in-the-middle can intercept server's public key , replace his public key. man-in-the-middle can provide public key and "random" challenge, , client give password equivalent.

like said, hard stuff. don't try yourself. get professional.


Comments

Post a Comment

Popular posts from this blog

java - SNMP4J General Variable Binding Error -

-
i trying use snmp4j snmp bulkget. when ever use snmp4j make call returned responseevent error says "general variable binding error" , data returned equal null. to debug: print out, console, exact oid , version number using in snmp4j. use printed out data snmpwalk on command line. valid results. know sending snmp4j correct pdu correct oid, version number, max repititions, etc. i have used snmp4j , code wrote succesffuly monitor other devices years. don't know different time. leaving me stumped. why "general variable binding error?" causes error? ideas debug? can reproduced? if so, first action should using wireshark or microsoft network monitor capture network packets. my guess agent gives generr response, not surprising, http://www.ietf.org/rfc/rfc1157.txt
Read more

windows - Python Service Installation - "Could not find PythonClass entry" -

-
i working on building python service. inducing error, not sure inducing it. ps c:\...> python .\file.py debug debugging service myservice - press ctrl+c stop. error 0xc00000f4 - not find service's pythonclass entry in registry error 1814 - specified resource name cannot found in image file. error 0xc0000080 - not locate module name in python class string (ie, no '.') this error coming pythonservicemessages.mc in pythonwin32. it turns out error result caused exception being thrown , python script dying off.
Read more

Determine if a XmlNode is empty or null in C#? -

-
the following code takes xmlnode data type , populates dataset object xmlnode content. write dataset's content file. public void populatedataset(xmlnode node) { xmlnodereader reader = new xmlnodereader(node); dataset ds = new dataset(); ds.readxml(reader); system.guid guid = system.guid.newguid(); string name = string.format("{0}{1}_{2}.xml", utility.xmloutputpath, utility.xmloutputfilename, guid.tostring()); //need write "node empty" file if xmlnode object empty of null ds.writexml(name, xmlwritemode.ignoreschema); } the problem encountered 1 scenario not write content file. how determine if xmlnode object null or empty? you can check if node parameter null or has innertext or innerxml properties null or empty, when enter method before creating xmlnodereader .
Read more