> I've designed an HR system for the company that I work for and part of
> the system is a server application which allows for program updates to
> be downloaded, messages to be sent to users and provides the ability to
> kick users. For this, I've developed my own protocol running on port
> 7282/tcp. Since this server is what I use for authentication, I had to
> build some encryption into the protocol so that usernames and passwords
> weren't being transmitted cleartext. My question is, how safe am I
> using this encryption?
....
> EB 03 00 00 = "Send me a key" if from a client and "Here's your key" if
> from a server. When the server sends this message, it's followed by 10
> bytes of data to be used for encryption.

Seems to me that it's open to an extremely trivial man-in-the-middle attack.

If a rogue machine can convince the client that it's the server (dns spoofing/arp poisoning/etc) then it can easily pretend it's the server. It creates its own key, the client takes it and 'encrypts' the username/password with it. Bingo, the rogue machine has the password and can connect to the actual server using it.

To provide transparent access, it'll want to impersonate the server to the client, and shuttle the data (decrypting from client, encrypting to the server) back and forth. No one would be the wiser.

You'd want some sort of authentication of the server. SSL does this using X509 certificates, for example. You could do something similar, or perhaps just hard code the server's pub key in the client app. (Which would be hard to manage when you want to change the key, of course.)

--
Brian Hatch
Systems and Security Engineer
http://www.ifokr.org/bri/

ASCII stupid question, get a stupid ANSI.

Every message PGP signed
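The reply's suggestion of hard-coding the server's public key in the client, sketched as an added example (not code from this thread or from the poster's protocol). It assumes the bare 10-byte key message is replaced by an ephemeral X25519 exchange signed with an Ed25519 server key; `NewIdentity`, `Handshake` and the `keyreply-v1` label are hypothetical names.

```go
package main

import (
	"bytes"
	"crypto/ecdh"
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// transcript binds a signature to this client's nonce and both key shares.
func transcript(nonce, clientShare, serverShare []byte) []byte {
	return bytes.Join([][]byte{[]byte("keyreply-v1"), nonce, clientShare, serverShare}, nil)
}

// NewIdentity makes a long-term signing key; the client pins the public half.
func NewIdentity() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	return pub, priv
}

// Handshake runs one exchange in-process; signer is whoever answers the client.
func Handshake(pinned ed25519.PublicKey, signer ed25519.PrivateKey) (bool, error) {
	nonce := make([]byte, 16)
	rand.Read(nonce)
	cEph, _ := ecdh.X25519().GenerateKey(rand.Reader)
	sEph, _ := ecdh.X25519().GenerateKey(rand.Reader)
	cShare, sShare := cEph.PublicKey().Bytes(), sEph.PublicKey().Bytes()
	// Responder: sign the transcript, then derive the session secret.
	sig := ed25519.Sign(signer, transcript(nonce, cShare, sShare))
	sKey, _ := sEph.ECDH(cEph.PublicKey())
	// Client: reject any reply the pinned key did not sign, before using it.
	if !ed25519.Verify(pinned, transcript(nonce, cShare, sShare), sig) {
		return false, fmt.Errorf("key reply not signed by pinned server key")
	}
	peer, err := ecdh.X25519().NewPublicKey(sShare)
	if err != nil {
		return false, err
	}
	cKey, err := cEph.ECDH(peer)
	return err == nil && bytes.Equal(cKey, sKey), err
}

func main() {
	pub, priv := NewIdentity()
	_, rogue := NewIdentity()
	fmt.Println(Handshake(pub, priv))
	fmt.Println(Handshake(pub, rogue))
}
```

Because the signature covers the client's own key share, a machine in the middle that relays the exchange unchanged never learns the session secret, and one that substitutes its own share cannot obtain a signature the client will accept.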
This archive was generated by hypermail 2b30 : Fri Sep 06 2002 - 14:09:39 PDT