hi guys ...
I'm developing a Client-Server system which will be used through the regular internet. My development environment would be VB.NET 2003 & 2005. I would be communicating using regular Sockets & TCP. The client would be running on Windows Pocket PC 2003/Mobile Edition PDAs & connecting to the server through GPRS. The server would be running on regular Windows 2k or 2k3.
I want to secure my communication from prying eyes & at the same time protect my server. All this should be cost effective, including time spent on development. At the moment I'm not sending Credit Card information on this - so that level of secure comm is not required. What would be the best possible secure method to achieve an otherwise normal development scenario?

best practice advice for secure socket comms ..
batman900
thanks stefano ...
the idea of running a web service sounds good. But how do I integrate this with my desktop server & client service? Can you be a bit more clear ...
Can't my custom desktop server & client interact through secure/encrypted socket comms?
thanks
Capistrc
Hello,
I don't know if it's the best method but I've done something similar in this way:
on the server you put a web service under the SSL protocol and you add to your web service a custom SOAP header with login information, so every method call is authenticated and authorized, possibly against a separate web service or Windows service which only your exposed web service can gain access to.
So now your communications are encrypted, your operations are authenticated and authorized and in my opinion you should be safe enough
HTH
Stefano
mcmcom
Hello,
if you must use regular Socket/TCP communication then my guess is that the easiest method to obtain secure communication is to implement a class which encrypts/decrypts your data (there's plenty of support for doing this in the framework), so your remote call from the client should do something like this: get login information and request parameters into a serializable class or structure; serialize and encrypt this information; send the encrypted data to the server. Now the server will decrypt and deserialize the data; authenticate and authorize the client based on the login information; if everything's all right, process the request; get the results into a serializable class or structure; serialize and encrypt the answer class or structure; send the answer data to the client. The client will then decrypt the answer, deserialize it and use it.
Really this is more or less the same thing that a web service through SSL protocol does (my description is actually more simplified).
Moreover, the details of your encryption strategy also depend on some issues such as: how do you deploy your client software; can the client software, once deployed, be considered safe from reverse engineering attempts, etc. So it should be your task then to decide whether standard encryption or public key/private key encryption is required.
HTH
Stefano
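As an added example (not code from this thread, and not Stefano's own implementation), here is how the "serialize, encrypt, send" step described above can be written in VB.NET 2005 with System.Security.Cryptography. It adds two things the description leaves out that a practitioner would want on an internet-facing socket: a MAC, so the server rejects tampered or forged messages before it decrypts anything, and a sequence number, so a captured message cannot simply be replayed. The wire format, key sizes and class/function names are my assumptions; it uses Rijndael (AES) in CBC mode and HMAC-SHA1 because those are the primitives I believe are present on both the full framework and the Compact Framework 2.0 (check the CF documentation before relying on that). Keys are assumed to be pre-shared and installed on each PDA at deployment, which matches the "no certificates" constraint later in the thread.

```vbnet
Imports System
Imports System.IO
Imports System.Text
Imports System.Security.Cryptography

' Added example, not from the original thread. Encrypt-then-MAC envelope for a
' serialized request or response carried over a plain TCP socket.
' Assumes a 32-byte encryption key and a separate 32-byte MAC key, pre-shared
' with each device at deployment (assumption; no certificates involved).
Public Class SecureEnvelope
    Private Const IvSize As Integer = 16   ' Rijndael/AES block size
    Private Const SeqSize As Integer = 8   ' 64-bit sequence number
    Private Const MacSize As Integer = 20  ' HMAC-SHA1 output size

    ' Wire format: IV(16) | SEQ(8) | CIPHERTEXT(n) | MAC(20)
    ' The MAC covers IV, SEQ and CIPHERTEXT, so any tampering is caught
    ' before the receiver ever runs the decryptor.
    Public Shared Function Seal(ByVal encKey As Byte(), ByVal macKey As Byte(), _
                                ByVal seq As Long, ByVal plaintext As Byte()) As Byte()
        Dim iv(IvSize - 1) As Byte
        Dim rng As New RNGCryptoServiceProvider()
        rng.GetBytes(iv)                       ' fresh random IV for every message

        Dim cipher As Byte() = Transform(encKey, iv, plaintext, True)
        Dim seqBytes As Byte() = BitConverter.GetBytes(seq)

        Dim body(IvSize + SeqSize + cipher.Length - 1) As Byte
        Buffer.BlockCopy(iv, 0, body, 0, IvSize)
        Buffer.BlockCopy(seqBytes, 0, body, IvSize, SeqSize)
        Buffer.BlockCopy(cipher, 0, body, IvSize + SeqSize, cipher.Length)

        Dim hmac As New HMACSHA1(macKey)
        Dim mac As Byte() = hmac.ComputeHash(body)

        Dim msg(body.Length + MacSize - 1) As Byte
        Buffer.BlockCopy(body, 0, msg, 0, body.Length)
        Buffer.BlockCopy(mac, 0, msg, body.Length, MacSize)
        Return msg
    End Function

    ' Returns the plaintext. Throws CryptographicException when the MAC does not
    ' verify or when the sequence number is not greater than the last one seen
    ' for this peer and direction (replayed or out-of-order message).
    Public Shared Function Open(ByVal encKey As Byte(), ByVal macKey As Byte(), _
                                ByRef lastSeq As Long, ByVal msg As Byte()) As Byte()
        If msg.Length < IvSize + SeqSize + MacSize Then
            Throw New CryptographicException("Message too short")
        End If
        Dim bodyLen As Integer = msg.Length - MacSize
        Dim body(bodyLen - 1) As Byte
        Buffer.BlockCopy(msg, 0, body, 0, bodyLen)

        Dim hmac As New HMACSHA1(macKey)
        Dim expected As Byte() = hmac.ComputeHash(body)
        If Not ConstantTimeEquals(expected, msg, bodyLen) Then
            Throw New CryptographicException("MAC check failed")
        End If

        Dim seq As Long = BitConverter.ToInt64(body, IvSize)
        If seq <= lastSeq Then
            Throw New CryptographicException("Replayed or out-of-order message")
        End If
        lastSeq = seq

        Dim iv(IvSize - 1) As Byte
        Buffer.BlockCopy(body, 0, iv, 0, IvSize)
        Dim cipher(bodyLen - IvSize - SeqSize - 1) As Byte
        Buffer.BlockCopy(body, IvSize + SeqSize, cipher, 0, cipher.Length)
        Return Transform(encKey, iv, cipher, False)
    End Function

    ' AES-256-CBC with PKCS7 padding, via the RijndaelManaged class that ships
    ' with the framework (32-byte key selects the 256-bit variant).
    Private Shared Function Transform(ByVal key As Byte(), ByVal iv As Byte(), _
                                      ByVal data As Byte(), ByVal encrypt As Boolean) As Byte()
        Dim aes As New RijndaelManaged()
        aes.Mode = CipherMode.CBC
        aes.Padding = PaddingMode.PKCS7
        Dim xform As ICryptoTransform
        If encrypt Then
            xform = aes.CreateEncryptor(key, iv)
        Else
            xform = aes.CreateDecryptor(key, iv)
        End If
        Return xform.TransformFinalBlock(data, 0, data.Length)
    End Function

    ' Compare the MAC without an early exit, so response time does not leak
    ' how many leading bytes of a forged MAC happened to match.
    Private Shared Function ConstantTimeEquals(ByVal a As Byte(), ByVal b As Byte(), _
                                               ByVal bOffset As Integer) As Boolean
        If b.Length - bOffset <> a.Length Then Return False
        Dim diff As Integer = 0
        For i As Integer = 0 To a.Length - 1
            diff = diff Or (a(i) Xor b(bOffset + i))
        Next
        Return diff = 0
    End Function
End Class
```

On the client, serialize the login-plus-request structure to bytes (for example `Encoding.UTF8.GetBytes` of its XML serialization), call `SecureEnvelope.Seal` with the next sequence number, and write a 4-byte length prefix followed by the envelope to the `NetworkStream`; the server reads exactly that many bytes, calls `Open` with the `lastSeq` it keeps per connected device, and only then deserializes and checks the login data. Use different keys (or at least a different sequence counter) for each direction so a server reply can never be replayed back to the server as a request, and keep the MAC key separate from the encryption key as shown.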
Jorge Lalinde
thanks stefano ...
i think this way is more practical for me ... with SSL, certificates come into the picture ... and the customer really doesn't understand or like the idea of having to maintain something ... they just want to plug-play & run forever - no maintenance & renewals ... don't have much choice when sales teams agree on funny things ...
as of now reverse engineering is not a major issue. since it's a pdt & it'll be given only to trusted users. On top of that we have an agreement that fiddling around with the device - the software or hardware part of it - will void any warranty. So at least for now i don't have to be concerned with reverse engineering. (I know it's not in the best interest of the customer, but maybe in the next project we'll cover up on that - right now I'm looking for an easier and faster way out). the client will be running on a max of 25 devices - starting with around 10-15 devices.
" ...get login information and request parameters into a serializable class or structure; serialize and encrypt this information; send the encrypted data to the server."
Can you lead me to any working samples of the above method you suggested for me to show as a demonstration of concept ...
higgins427
Hello,
I'm sorry, but I don't know where you can find a working example similar to what we are discussing. I think you have to write it from scratch. It's not that long. Try consulting the MSDN documentation of the cryptographic classes; there should be some examples there.
PS
You can achieve SSL communication without having to buy a certificate from some certification authority: if your server is running Win 2003 you can issue certificates which are perfectly sound for what you need, only they themselves are not certified, but you can tell your code to ignore this condition....
HTH
Stefano
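An added example on the PS above, not code from the thread or from Stefano: the usual way to "ignore" the untrusted-issuer condition is a validation callback that returns True, but that accepts any certificate at all, including one presented by someone sitting on the GPRS path, which gives up the protection SSL was bought for. The check a practitioner wants instead is to pin the thumbprint of the one self-issued server certificate and reject everything else. This targets the .NET 2.0 full framework (`ServicePointManager.ServerCertificateValidationCallback`, used by `HttpWebRequest` and web-service proxies); on the Compact Framework 2.0 the equivalent hook is `ServicePointManager.CertificatePolicy` with an `ICertificatePolicy` implementation applying the same comparison (my understanding, verify against the CF docs). The thumbprint constant is a placeholder to be replaced with the value shown in the certificate's properties on the Win2003 server.

```vbnet
Imports System
Imports System.Net
Imports System.Net.Security
Imports System.Security.Cryptography.X509Certificates

' Added example, not from the original thread. Accepts the self-issued server
' certificate by thumbprint instead of ignoring all validation errors.
Public Module PinnedServerCertificate
    ' Placeholder (assumption): hex SHA-1 thumbprint of the certificate issued on
    ' the Win2003 server. Copy the real value from the certificate's properties.
    Private Const ServerThumbprint As String = "0000000000000000000000000000000000000000"

    ' Called by the framework once per SSL handshake. Returning True here
    ' unconditionally would accept any certificate; this version only accepts
    ' the one whose SHA-1 hash matches the pinned value.
    Public Function ValidateServerCertificate(ByVal sender As Object, _
                                              ByVal certificate As X509Certificate, _
                                              ByVal chain As X509Chain, _
                                              ByVal sslPolicyErrors As SslPolicyErrors) As Boolean
        If certificate Is Nothing Then Return False

        ' GetCertHashString returns the SHA-1 thumbprint as upper-case hex.
        Dim presented As String = certificate.GetCertHashString()
        Dim match As Boolean = (String.Compare(presented, ServerThumbprint, True) = 0)

        ' The chain error caused by a self-issued certificate is expected and is
        ' covered by the pin; anything else (name mismatch, no certificate) is not.
        If Not match Then
            Return False
        End If
        Return (sslPolicyErrors And SslPolicyErrors.RemoteCertificateNotAvailable) = SslPolicyErrors.None
    End Function

    ' Install once at client start-up, before the first HTTPS call.
    Public Sub Install()
        ServicePointManager.ServerCertificateValidationCallback = _
            New RemoteCertificateValidationCallback(AddressOf ValidateServerCertificate)
    End Sub
End Module
```

When the certificate is renewed on the server, the pinned thumbprint in the client has to change with it, so treat the constant as part of the deployment configuration (for example read it from a settings file on the device) rather than something that needs a new build; that is the one piece of "maintenance" a self-issued certificate still carries, and it is far cheaper than accepting every certificate.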