dcsimg
Results 1 to 4 of 4

Thread: Validate that network data came from my program

  1. #1

    Thread Starter
    Pro Grammar chris128's Avatar
    Join Date
    Jun 2007
    Location
    England
    Posts
    7,604

    Validate that network data came from my program

    I'm considering building a client/server system where the client running on workstation PCs in a network would need to send data to a central server in a secure way. When I say secure, I don't mean the data needs to be encrypted (although that would be good, but I know how to do that), what I mean is that I need to be sure the data being sent to the server came from the client program and not some other program. Basically the data would be important data about each user that is logging on to the PC, so it would be used as an audit trail and needs to be 100% reliable. But if I have a web/WCF service running on a central server waiting for data to be sent from each PC, how can I be sure the data actually came from the client software on each machine and is not data from a malicious user submitting fake data about themselves? Yes 99.9% of users would not know how to do that, or even be aware of the client software on their PC, but when it comes to security and auditing reliability, 99% is not good enough.

    I can't really think of any way that I could do this because even if my client software uses some special key or digital certificate to identify that the data is legitimate, what is to stop the user either decompiling the program to get that key/certificate information and then just submitting their own fake data? All the examples I can find of how to protect your data seem to be for the scenario where you trust the user of the PC and you are defending against other malicious software or man in the middle attacks... but in this case I need the software to be protected against the user of the PC. I can think of ways to do it if the end user did not have local Administrator permissions on their PC (i.e. just store the secure data in a folder that they don't have permission to access) but I need this to be secure even if the user is a local admin.

    So is this possible? The fact that there are other programs out there that run on PCs and claim to submit secure audit data to central servers makes me think that it must be possible but I don't see how.

    EDIT: Would a Public/Private key pair using RSACryptoServiceProvider work for this? If the server knows the private key and the client software only knows the public key... but then, again if the client program knows the public key then a malicious user decompiling the client program can also get the public key. This is the problem: whatever "secret" the client software uses to identify itself as legitimate, the user can get hold of as well.

    Thanks
    Chris
    Last edited by chris128; Nov 9th, 2014 at 08:34 PM.
    My free .NET Windows API library (Version 2.2 Released 12/06/2011)

    Blog: cjwdev.wordpress.com
    Web: www.cjwdev.co.uk


  2. #2
    Fanatic Member Toph's Avatar
    Join Date
    Oct 2014
    Posts
    655

    Re: Validate that network data came from my program

    There isn't anything you can do that can't be replicated by a skilled coder/hacker.
    My suggestion is to use encryption and what not, and use cstom http webrequests. Send a custom header that your webserver would understand. And if it understands then allow the application to connect.

  3. #3
    PowerPoster
    Join Date
    Oct 2010
    Posts
    2,141

    Re: Validate that network data came from my program

    Hi Chris,

    I am just going to through this out for your consideration and to be honest I not sure that it will work across a network. A while ago I developed some code for serializing a method definition from a secondary AppDomain to the primary AppDomain and then reconstructing that into a Dynamic method. This code was based on the work of Haibo Luo (Turn MethodInfo to DynamicMethod). The source method was dynamically generated via CODEDOM.

    My idea is that the client application would request a method from the server. The server would generate and return a serialized method with an embedded unique identifier (GUID?) that would it then store and wait for receipt of data with that identifier. The client application would execute that method and it would be responsible for transmitting the data back to the server. This is the concept in its simplest form, but you could easily add to its complexity by varying the structure of the method code.

  4. #4
    PowerPoster SJWhiteley's Avatar
    Join Date
    Feb 2009
    Location
    South of the Mason-Dixon Line
    Posts
    2,256

    Re: Validate that network data came from my program

    No, there is no way of doing it unless you have full and known control of the client computer. This would be done by having a password transmitted using public key encryption, or a hardware dongle.

    What is it you are trying to protect against? Is it simply data returned based on a request using a specific protocol?
    "Ok, my response to that is pending a Google search" - Bucky Katt.
    "There are two types of people in the world: Those who can extrapolate from incomplete data sets." - Unk.
    "Before you can 'think outside the box' you need to understand where the box is."

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  



Featured


Click Here to Expand Forum to Full Width