
I am new to .NET, and don't have much experience in programming. What is the standard way of handling user authentication in .NET in the following situation?

  1. In Process A, User inputs ID/Password

  2. Process A sends the ID/Password to Process B over a nonsecure public channel.

  3. Process B authenticates the user with the received ID/Password

What are some of the standard cryptographic algorithms I can use in the above model?

The users (customers that bought my company's software) will be running the software (Process A) locally on their computer (connected to the internet). I need to authenticate the users from Process B, which is running at the company's server, so that only registered users can run the program.

  • @Daniel: there's no such thing as "C#.NET". Commented Apr 9, 2010 at 3:17
  • @Daniel: what's the context? ASP.NET? Commented Apr 9, 2010 at 3:18
  • @Daniel: is it acceptable that the program cannot be run without internet access? Commented Apr 9, 2010 at 5:32
  • @davidsleeps Yes, it is acceptable. In fact, the program is useless without an internet connection because it needs to connect to the database server running at my company. Commented Apr 9, 2010 at 5:36
  • I just noticed your comment 'the program is useless without internet connection because it needs to connect to the database server running at my company' and this affects my answer. See the update. Commented Apr 9, 2010 at 6:23

3 Answers


ASP.NET membership provider


What you are trying to implement is called DRM, presumably in an attempt to prevent people from running copies of your software that have not been registered.

It's a losing battle. No matter how you implement it, the end result is that somewhere in your code you will have something like this:

if (authenticationSucceeded) {
    // Allow access to program
} else {
    // Show error and quit.
}

All someone has to do is to decompile this function, insert a ! in the if statement and recompile it again (or modify the intermediate language code directly). If they do this then they will have broken your security.

With this in mind, you might as well use a very simple, cheap-to-implement system. Just have a list of plain-text registered keys on your server and have the client send their key over HTTPS (to prevent eavesdropping). Adding more security than this is probably not worth it, as it will be so trivial to work around anyway, as described above.


Update: The poster says in a comment that the program is useless without access to a remote database. In this case it can make sense to prevent unauthorized use of the software, or more precisely, to prevent unauthorized access to your database. You can use WCF to make a secure connection to the server and require sending your username and password hash before allowing access to the rest of the interface. If the username/password is not correct, the server will disallow further calls to your service. On the server you can store the allowed usernames and password hashes in the database.


What about obscuring the code so that no one can decompile it at the client end? I think if you can handle the decompilation issue, a WCF service over HTTPS is a good way to communicate over nonsecure channels.
@Shoaib: I wouldn't bother obfuscating the client code. But good idea with WCF, especially as I just noticed the poster's comment that the client is useless without access to the server.
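As an added example (not code from the answer above or from any WCF sample), this is one way Process B could store and check credentials the way the update describes: the server keeps only a per-user salt and a PBKDF2 hash, recomputes the hash for each login attempt, and compares in constant time. It assumes the password itself arrives over the secured WCF/HTTPS channel (rather than a client-computed hash, which would itself become the secret), and all class and method names are hypothetical.

```csharp
using System;
using System.Security.Cryptography;

// Hypothetical server-side credential store for Process B.
// Persists only a random salt and a PBKDF2-SHA256 hash per user, never the password.
public static class CredentialStore
{
    private const int SaltSize = 16;        // bytes of random salt per user
    private const int HashSize = 32;        // bytes of derived key (SHA-256 width)
    private const int Iterations = 100_000; // work factor; raise as server hardware allows

    // What would be stored in the server database (kept in memory in this example).
    public sealed class Record
    {
        public byte[] Salt { get; set; }
        public byte[] Hash { get; set; }
    }

    // Called once when a customer is registered: derive a salted hash of the password.
    public static Record Register(string password)
    {
        var salt = new byte[SaltSize];
        using (var rng = RandomNumberGenerator.Create())
        {
            rng.GetBytes(salt);
        }
        return new Record { Salt = salt, Hash = Derive(password, salt) };
    }

    // Called by Process B on every login. Unknown users are rejected the same way as
    // wrong passwords, and the comparison is constant-time so response timing does
    // not reveal how many leading bytes of the hash matched.
    public static bool Verify(Record stored, string password)
    {
        if (stored == null || password == null) return false;
        var candidate = Derive(password, stored.Salt);
        return CryptographicOperations.FixedTimeEquals(candidate, stored.Hash);
    }

    private static byte[] Derive(string password, byte[] salt)
    {
        using (var kdf = new Rfc2898DeriveBytes(password, salt, Iterations, HashAlgorithmName.SHA256))
        {
            return kdf.GetBytes(HashSize);
        }
    }
}

public static class Demo
{
    public static void Main()
    {
        // Constructed sample: register one user, then check a right and a wrong password.
        var record = CredentialStore.Register("correct horse battery staple");
        Console.WriteLine(CredentialStore.Verify(record, "correct horse battery staple"));
        Console.WriteLine(CredentialStore.Verify(record, "wrong password"));
    }
}
```

Requires .NET Core 2.1 or later for CryptographicOperations.FixedTimeEquals; the WCF service would call Verify before exposing the rest of its interface.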

While security is definitely not my strong suit, the main issue you have concern over here is the fact that in step 2 the data is transferred through a public channel. Since this is the case, you would need to implement a PGP key passing scenario or an equivalent system so that process B is capable of decrypting your content from process A without an attacker being able to compromise the private key, which would result in decryptable information.

The more preferable way would be to change this so that step 2 transfers over a secured channel; this would generally be accomplished with an SSL connection.
