I am maintaining a C# app that's been cracked by people creating spoof auth servers.
I want to encrypt all the communications between the client and server to prevent this happening to my next release.
I can see that PHP has a way to secure stuff.
http://www.php.net/manual/en/function.openssl-private-decrypt.php
What I can't find is the C# that will allow me to use the same built in libraries.
Can anyone help?
Did you look into SslStream?
Related
Is there a way to create a C# application and a Server side API where the server side API will only allow data from the C# app?
The problem with .Net apps is you can decompile them and then recompile to make them send different data than what you are expecting. In my case the data is not secret, only the ability to write the data to the server side API is the trust issue.
What if I want the application to report back to the server if a certain hot fix is presently installed and then make a server side decision on that info? If an insider threat recompiles the code and modifies it to report false info then the data cannot be trusted. If only the un-modified application can communicate with the API then the data can be trusted and decisions can be made upon it.Can the application use the digital signature it gets signed with to perform a trusted hand shake to the server API?
Any ideas or conversation on the subject may prove helpful. Thank you.
Well, virtually nothing is "hackproof". Security is a game of cat and mouse.
That said I would suggest SslStream. Fairly easy to use.
It's .NET's implemention of SSL (Secure Sockets Layer), which is used in combination with HTTP very commonly seen as HTTPS all over the web.
I have a Client & Server application set, both written in C# but some client versions might be distributed in other languages in the future. I want to protect my applications.
I was looking for some kind of advice to stop just random people sending messages to a server and acting like a client, what kind of validation can I put in place?
My client applications I distribute will be obfuscated but is this enough? I'm just looking for some advice in this situation, is it wise for me to add some kind of encryption other than SSL, or am I just being over protective and over curious? Any input is welcomed & accepted.
It is impossible to determine if you are communicating remotely with "your client" or another piece of software that also knows how to communicate in the way that your client does.
What you can do is ensure that you are communicating with someone that is authorized to communicate with you by using client certificates for your SSL session.
The server proves who it is to the client and the client proves who it is to your server. The security then rests in whoever holds the private key to the client certificate (and the password for this key file).
The C# SslStream Class has support for this. Namely the AuthenticateAsClient method is relevant here.
In summary, if your software is only secure when communicating with a client you wrote, then your software isn't secure period. Instead, design your server in such a way that you can serve client requests securely. Using authentication is one of these ways.
You would want to do two things....one is look up certificate pinning. Your app will validate your SSL cert to thwart man in the middle attacks and it makes it hard to circumvent. The other is when making requests to the server have some type of user name / password block on the server side script before the server side does anything so the requests will simply be discarded by the server if they are from an unknown source.
I have a specialist web app written in C# - my C# code acts as a web server, accepts connections from browsers, and presents the app as web pages.
The existing app uses SSL to secure the connection from the browser, but I am concerned about BEAST, which renders many of the older SSL ciphers insecure. I therefore want to ensure that I only accept connections using TLS1.1 or later, and/or secure cyphers like RC4.
I have already accepted that I will have to ditch the SSL library I was using, and probably switch to .NET 4.5 with SslStream.
Although I see how I can check the cypher for a stream using SslProtocol and CipherAlgorithm, I cannot find a way to force a connection to prefer one of the more secure algorithms. Am I missing something?
For the avoidance of doubt, this is nothing to do with ASP - this server is written in raw C#. I need a programatic way of making SslStream prefer particular ciphers. It is unlikely that I will have the necessary permissions to alter ssl registry settings on the host server.
I have an application that provides real time log messages for users. Currently the application works by having the server listen on a straight forward TCP socket and the users can use a telnet client to connect. Once connected they get asked for their username, password and can then set a filter for the realtime events they want sent to them.
While no sensitive information is sent over the telnet session the application is getting to a stage where it's increased use warrants tightening up on security.
Ideally the console should be universally accessible from a shell on Windows, Linux and Macs. The only options that came to mind for that are telnet and ssh. As far as I know there's no way to increase security using a standard telnet client so that leaves ssh. Has anyone got any experience with an C# SSH server library or know of a different solution I could use? Is there some clever trick where a WCF endpoint can process ssh clients?
There is a mostly working C# SSH server over at CodePlex that I wrote: NSsh
It currently supports password based authentication. I was looking at extending it to support certificate based authentication but it is a bit tricky under Windows.
Can anyone give me pointers on how to achieve the above - I am familiar with the C# libraries and database connectivity but have never had to use a secure channel.
What do I need to do in C# and on the database side to force connections to always be encrypted??
See this Microsoft KB for details on how to do this.
A reliable way to secure communication without SSL certs between a web server and SQL Server machine is to use IPSec.
http://msdn.microsoft.com/en-us/library/aa302366.aspx