Thread: Network Logic

  1. #1

    Thread Starter
    Fanatic Member AccessShell's Avatar
    Join Date
    Oct 2013
    Posts
    678

    Question Network Logic

    I need some help with logic, not code. I can work the code out later.

    I am writing a chat program. It is the first step in writing a game. This program and the companion program (server & client) may not run on the same LAN.
    I need to prevent anyone searching for an open port and getting in. I really don't know what someone like that can do, but I don't want it to happen.

    So, I thought I would write a verification system. I would require a UserName and a password, as well as their IP address (the 192. number). Nice concept, but I don't know how to deploy it.

    During registration, how do I get these items over to the host side. I cannot send it because the connection has not been made.

    OK, somehow we got past that. The client is logging on. How can I verify username, the password and the IP address before connecting?

    Just thinking. What if I open another port, send the data, close the port, all in less than 1 second. Then verify and allow entry of the client. Maybe that's overkill. Maybe, I'm too nervous about this. Maybe it reduces the chances of someone entering on the verify port, and the using port.

    I'd be interested in reading your thoughts.

    Thanks

  2. #2
    Angel of Code Niya's Avatar
    Join Date
    Nov 2011
    Posts
    7,802

    Re: Network Logic

    Please clarify what you mean by this:-
    I need to prevent anyone searching for an open port and getting in.
    Treeview with NodeAdded/NodesRemoved events | BlinkLabel control | Calculate Permutations | Object Enums | ComboBox with centered items | .Net Internals article(not mine) | Wizard Control | Understanding Multi-Threading | Simple file compression | Demon Arena

    Copy/move files using Windows Shell | I'm not wanted

    C++ programmers will dismiss you as a cretinous simpleton for your inability to keep track of pointers chained 6 levels deep and Java programmers will pillory you for buying into the evils of Microsoft. Meanwhile C# programmers will get paid just a little bit more than you for writing exactly the same code and VB6 programmers will continue to whitter on about "footprints". - FunkyDexter

    There's just no reason to use garbage like InputBox. - jmcilhinney

    The threads I start are Niya and Olaf free zones. No arguing about the benefits of VB6 over .NET here please. Happiness must reign. - yereverluvinuncleber

  3. #3

    Thread Starter
    Fanatic Member AccessShell's Avatar
    Join Date
    Oct 2013
    Posts
    678

    Re: Network Logic

    What is preventing someone searching for an open port and connecting. I don't even know if that can happen, or if any damage can be done.

  4. #4
    Frenzied Member PlausiblyDamp's Avatar
    Join Date
    Dec 2016
    Location
    Newport, UK
    Posts
    1,925

    Re: Network Logic

    Quote Originally Posted by AccessShell View Post
    I need some help with logic, not code. I can work the code out later.
    I am writing a chat program. It is the first step in writing a game. This program and the companion program (server & client) may not run on the same LAN.
    I need to prevent anyone searching for an open port and getting in. I really don't know what someone like that can do, but I don't want it to happen.
    Normally you would be looking at some sort of firewall between your application and the internet, this could be a software solution, might be built in to your router, could be a 3rd party device if you were willing to pay.

    Quote Originally Posted by AccessShell View Post
    So, I thought I would write a verification system. I would require a UserName and a password, as well as their IP address (the 192. number). Nice concept, but I don't know how to deploy it.

    During registration, how do I get these items over to the host side. I cannot send it because the connection has not been made.
    Not sure what you are asking here...

    When a client wants to connect to a server there is typically some sort of handshaking process involved. The client would send a request to the server to establish a connection, as part of this process the server would then know the client's ip address and could reject / accept the initial request accordingly.

    Once this initial connection is established you would then need to define how the client and server would exchange information (including credentials etc.), typically the first things done after the initial connection would be for the client to provide the credentials and for the server to validate them. If the credentials don't match then reject the login request.

    Quote Originally Posted by AccessShell View Post
    OK, somehow we got past that. The client is logging on. How can I verify username, the password and the IP address before connecting?
    You don't - this is part of the connection process.

    Quote Originally Posted by AccessShell View Post
    Just thinking. What if I open another port, send the data, close the port, all in less than 1 second. Then verify and allow entry of the client. Maybe that's overkill. Maybe, I'm too nervous about this. Maybe it reduces the chances of someone entering on the verify port, and the using port.
    Probably not worth the effort, you would now have to open / forward two ports rather than just one, plus both ports would now be a potential way into the system.

    There is an awful lot of background to this kind of problem that you might find worth reading up on. https://en.wikipedia.org/wiki/Authentication_protocol isn't too bad of an overview of the various approaches.

  5. #5

    Thread Starter
    Fanatic Member AccessShell's Avatar
    Join Date
    Oct 2013
    Posts
    678

    Re: Network Logic

    I read the Wikipedia article suggested in the last post. I partially understand the concept, not the implementation. What struck me while reading the article is that none of the code samples I found in the forums has examples of this process. I see "Connect", and I see "ConnectionRequest" routines. I don't think this is what you call handshaking. I see no challenges, no pswd verifications, no nothing.

    So, unlike when you sign in to an account online, such as bank, a store, a credit card, the registering can happen "now", and right away logging in to your account. I imagine the credentials are encrypted on transmission, either when registering or just logging in. Now, I think I need an encryption/decryption routine. This is getting bigger than I ever anticipated. Now, I can't even decide if I should have any verification. I do know, I don't want any unwanted person from getting in, even though I don't know what they can do.

  6. #6
    PowerPoster
    Join Date
    Nov 2017
    Posts
    2,152

    Re: Network Logic

    Quote Originally Posted by AccessShell View Post
    I read the Wikipedia article suggested in the last post. I partially understand the concept, not the implementation. What struck me while reading the article is that none of the code samples I found in the forums has examples of this process. I see "Connect", and I see "ConnectionRequest" routines. I don't think this is what you call handshaking. I see no challenges, no pswd verifications, no nothing.
    The password verification, etc. would be done by your code, not before your code. So, if you want a username and password to be required before the user can chat, your client side code needs to send a username and password to the server, and the server side code needs to be able to recognize incoming credentials, look them up, and react appropriately.

    If you've not done much with networking related code in the past, or with firewall setup, and you are writing this from scratch...good luck.

  7. #7
    PowerPoster
    Join Date
    Nov 2017
    Posts
    2,152

    Re: Network Logic

    Quote Originally Posted by AccessShell View Post
    I need some help with logic, not code. I can work the code out later.

    I need to prevent anyone searching for an open port and getting in. I really don't know what someone like that can do, but I don't want it to happen.

    OK, somehow we got past that. The client is logging on. How can I verify username, the password and the IP address before connecting?
    You seem to be mistaken in your understanding of a "connection". A connection doesn't imply that any and all access has been granted.

    Think of it like calling a bank on the phone. The fact that a bank publishes their phone number doesn't suddenly mean anyone can call in and access the bank account for anyone else. And, you don't do anything to notify your bank in advance that you are calling them about your bank account. You call (make the connection), and you are challenged to identify yourself, and if you fail to do so, the call is ended (the connection is terminated). If you successfully identify yourself, the call continues (access is granted).

    Good luck.

  8. #8

    Thread Starter
    Fanatic Member AccessShell's Avatar
    Join Date
    Oct 2013
    Posts
    678

    Re: Network Logic

    That's me
    If you've not done much with networking related code in the past, or with firewall setup, and you are writing this from scratch...good luck.

    OK, so my interpretation of this is (more detail)
    The password verification, etc. would be done by your code, not before your code. So, if you want a username and password to be required before the user can chat, your client side code needs to send a username and password to the server, and the server side code needs to be able to recognize incoming credentials, look them up, and react appropriately.
    The server side code and the client side code are the same program. A copy of the executable is on the client's computer.

    The Host starts everything by "listening" - opens a port
    The client "connects" to the open port - either sends a username & pswd, or registers with a username & pswd. In both cases the IP addr is sent - all encrypted
    All encrypted means that the code encrypts the data and sends it.
    The receiving program treats this first receipt of data (winsockConnection & DataArrival), does the verification and accepts or rejects the user anyway the server wants to - rudely disconnects.

    All other DataArrival goes thru normal processing.

    Do you agree?

  9. #9

    Thread Starter
    Fanatic Member AccessShell's Avatar
    Join Date
    Oct 2013
    Posts
    678

    Re: Network Logic

    The more I think about this the more confused I get.

    Case 1. Send an open pswd. Can the pswd be grabbed by someone else to use later?

    Case 2. Send a one way hash string and verify against the stored hash. Same question as in step 1. Can the hashed pswd be grabbed by someone else to use later?

  10. #10
    Angel of Code Niya's Avatar
    Join Date
    Nov 2011
    Posts
    7,802

    Re: Network Logic

    This thread gave me an idea. It's been a while since I posted something in the CodeBank. I think I'll do a chat application for my next one. Just for fun, I'll handroll my own encryption protocol and login scheme. This will be in VB.Net though. No chance I'm gonna do this in VB6.

  11. #11

    Thread Starter
    Fanatic Member AccessShell's Avatar
    Join Date
    Oct 2013
    Posts
    678

    Re: Network Logic

    That's great. I hope I can translate into VB6

  12. #12
    Frenzied Member PlausiblyDamp's Avatar
    Join Date
    Dec 2016
    Location
    Newport, UK
    Posts
    1,925

    Re: Network Logic

    This is why you would also want to use some form of encrypted connection, https is an example of this.

  13. #13

    Thread Starter
    Fanatic Member AccessShell's Avatar
    Join Date
    Oct 2013
    Posts
    678

    Re: Network Logic

    OK, you guys(?). I write for fun. I write to keep the cobwebs out.
    When I worked, many, many years ago, I tried to learn VB.NET. No luck. At this point I am happy to write in VB6.
    Maybe you all didn't mean it, but I interpreted the remarks as rather disparaging.

    Some of your remarks have more than one meaning. I'm still trying to figure out the technical meaning.

  14. #14
    Angel of Code Niya's Avatar
    Join Date
    Nov 2011
    Posts
    7,802

    Re: Network Logic

    Quote Originally Posted by AccessShell View Post
    That's great. I hope I can translate into VB6
    I wouldn't dare do this in VB6 for 3 reasons. One, I need multi-threading, two, I need Async/Await to keep the code neat and easy to follow and three, I need encryption and hashing functions. All 3 of these requirements are standard in .Net. VB6 can do all these things, but it would take 10x the effort on my part. This is just me though. I'm not suggesting you don't do it in VB6.

    I need to review and study HTTPS a bit as I want my own encryption protocol to resemble that. After that, I could bang this out in less than a day in .Net.

  15. #15

    Thread Starter
    Fanatic Member AccessShell's Avatar
    Join Date
    Oct 2013
    Posts
    678

    Re: Network Logic

    Well, I have to do mine in VB6.
    I found some code that does the hashing with API calls. I hope that would not compromise my efforts.

  16. #16

    Thread Starter
    Fanatic Member AccessShell's Avatar
    Join Date
    Oct 2013
    Posts
    678

    Re: Network Logic

    I just remembered - I can't translate it - I can't open it. I have no IDE for net

  17. #17
    Angel of Code Niya's Avatar
    Join Date
    Nov 2011
    Posts
    7,802

    Re: Network Logic

    Quote Originally Posted by AccessShell View Post
    I just remembered - I can't translate it - I can't open it. I have no IDE for net
    Community Edition is free to download and use.

  18. #18

    Thread Starter
    Fanatic Member AccessShell's Avatar
    Join Date
    Oct 2013
    Posts
    678

    Re: Network Logic

    I remember that it was a major chore to install VB6 on WIN10. You could NOT follow the normal install procedure. Is VB.NET different, or is a normal install possible?

  19. #19
    Angel of Code Niya's Avatar
    Join Date
    Nov 2011
    Posts
    7,802

    Re: Network Logic

    It's 100x easier to install than VB6. Just a couple clicks, set and forget basically.

  20. #20
    Frenzied Member PlausiblyDamp's Avatar
    Join Date
    Dec 2016
    Location
    Newport, UK
    Posts
    1,925

    Re: Network Logic

    Quote Originally Posted by AccessShell View Post
    I remember that it was a major chore to install VB6 on WIN10. You could NOT follow the normal install procedure. Is VB.NET different, or is a normal install possible?
    VB.Net is the current release, you just install it - no fuss, no workarounds. VB6 has issues because when it officially left support in 2008 Windows Vista was the current OS and no further updates have been made since then.

  21. #21

    Thread Starter
    Fanatic Member AccessShell's Avatar
    Join Date
    Oct 2013
    Posts
    678

    Re: Network Logic

    I am still very confused.
    I am told (or read somewhere) never, never send an unsecured password through winsock. It seems to me that means that a bad actor can 'somehow' capture that password and use it to gain entry.

    So we need one way password conversions - that's called hashing. So, on the client side we hash the password (SHA256 as an example). This is what we send. This is what we compare to our DB stored password for the client. What's the point? If the bad actor can grab the unsecured password, why can't he grab the hashed password and send that for the login credentials? I don't see why this makes it more secure!

    Finally I read about salting the unsecured password. This just reduces the probability of password collisions. This does not help the problem I stated above.

    As a side note: How should you send the UserName? Open or hashed or encrypted?

  22. #22
    Frenzied Member PlausiblyDamp's Avatar
    Join Date
    Dec 2016
    Location
    Newport, UK
    Posts
    1,925

    Re: Network Logic

    Quote Originally Posted by AccessShell View Post
    I am still very confused.
    I am told (or read somewhere) never, never send an unsecured password through winsock. It seems to me that means that a bad actor can 'somehow' capture that password and use it to gain entry.

    So we need one way password conversions - that's called hashing. So, on the client side we hash the password (SHA256 as an example). This is what we send. This is what we compare to our DB stored password for the client. What's the point? If the bad actor can grab the unsecured password, why can't he grab the hashed password and send that for the login credentials? I don't see why this makes it more secure!

    Finally I read about salting the unsecured password. This just reduces the probability of password collisions. This does not help the problem I stated above.

    As a side note: How should you send the UserName? Open or hashed or encrypted?
    If a hashed password is all it takes to authenticate then you are correct, this is no more secure than not hashing - someone who can intercept the hash can impersonate the account.

    This is why you are better off also using an encrypted network connection, rather than just encrypting parts of the connection. Again this is more complicated than just sending some bits of data encrypted.

    Depending on just what you want your system to do the difficulty of achieving an encrypted connection might be easy or difficult. If you can utilise https then most of the hard work is built in, although you might need valid certificates to help with the encryption. If you are going to be working with lower level socket connections then you might have to implement more of this encryption logic yourself.

    https://www.vbforums.com/showthread....-File-Transfer might be worth looking at as it seems to cover the important areas.

  23. #23

    Thread Starter
    Fanatic Member AccessShell's Avatar
    Join Date
    Oct 2013
    Posts
    678

    Re: Network Logic

    So after the last post I am even more confused. I think we need to go back to before my last post. What am I trying to do? And what can a bad actor do?

    I am NOT a bank. I don't need ultra security. I am not using any web pages. I just have a simple winsock program. The first step is a chat program. Then a two, or more, person game over the web. I think I don't care if a bad actor gets into the program. I care if that person, once they are in, can go beyond the program into my computer. I have no understanding what my malware or virus checkers do. I have no understanding what my router does.

    Please keep your answers simple and unambiguous. Without the client code, I don't know what they can do. I don't even know what a person can do beyond the program, into the computer.

    Maybe I don't need to write any code for login credentials? Maybe, I'm overthinking this?

  24. #24
    PowerPoster wqweto's Avatar
    Join Date
    May 2011
    Location
    Sofia, Bulgaria
    Posts
    4,287

    Re: Network Logic

    Quote Originally Posted by AccessShell View Post
    The more I think about this the more confused I get.

    Case 1. Send an open pswd. Can the pswd be grabbed by someone else to use later??
    Possible but not that easy. The internet is full of protocols which send credentials in plain text. For a beginner, designing the first cut of the chat protocol with plain text password is good enough IMO. You can bolt a challenge-response authentication later on.

    Quote Originally Posted by AccessShell View Post
    Case 2. Send a one way hash string and verify against the stored hash. Same question as in step 1. Can the hashed pswd be grabbed by someone else to use later?
    This is more complicated -- you send hash of the hash of the hash you get from the password. You don't send any hash which is persisted in a file or in a column in a DB.

    The idea is that you get a small random dynamic piece (called "challenge") and another small static random piece (called "salt") from the server and then you return H(challenge + H(salt + H(password))) where H is your hash function of choice.

    This way you can implement "Save password" on your logon screen (persist H(password) somewhere in registry) and the server can keep the password salted in the DB (persist H(salt + H(password)) in a column) while the outer hash H(challenge + ...) is completely random/new on each logon so cannot be replayed by an attacker.

    cheers,
    </wqw>
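
The challenge-response logon from post #24, placed inside the connect-first, authenticate-second flow described in posts #4 and #7, as an added example that is not code from the thread or its participants. It is written in Python with SHA-256 standing in for H; the class and function names, the 16-byte salt and challenge sizes, the decoy salt for unknown names and the in-memory user table are all assumptions.

```python
import hashlib
import hmac
import secrets


def H(data: bytes) -> bytes:
    """Hash function of choice from the post; SHA-256 is an assumption."""
    return hashlib.sha256(data).digest()


class ChatServer:
    """Hypothetical server side: the connection is accepted first, access is
    granted only after the challenge has been answered correctly."""

    def __init__(self):
        self.users = {}    # username -> (salt, H(salt + H(password)))
        self.pending = {}  # connection id -> (username, challenge)
        self._decoy_key = secrets.token_bytes(32)

    def register(self, username: str, password_hash: bytes) -> None:
        # The client hands over H(password); only the salted form is stored.
        salt = secrets.token_bytes(16)
        self.users[username] = (salt, H(salt + password_hash))

    def hello(self, conn_id: int, username: str):
        """Client connected and named a user: reply with salt and challenge."""
        if username in self.users:
            salt = self.users[username][0]
        else:
            # Stable decoy salt so unknown names answer like known ones.
            salt = hmac.new(self._decoy_key, username.encode(), "sha256").digest()[:16]
        challenge = secrets.token_bytes(16)  # fresh for every logon attempt
        self.pending[conn_id] = (username, challenge)
        return salt, challenge

    def login(self, conn_id: int, response: bytes) -> bool:
        """True keeps the connection open; False means disconnect the client."""
        username, challenge = self.pending.pop(conn_id, (None, None))  # single use
        if username not in self.users:
            return False
        verifier = self.users[username][1]
        expected = H(challenge + verifier)
        return hmac.compare_digest(expected, response)


def client_response(password: str, salt: bytes, challenge: bytes) -> bytes:
    """Client side: H(challenge + H(salt + H(password))), as in the post."""
    return H(challenge + H(salt + H(password.encode())))


def demo():
    """Constructed walk-through: good logon, replayed response, wrong password."""
    server = ChatServer()
    server.register("alice", H(b"correct horse"))  # constructed sample account

    salt, challenge = server.hello(1, "alice")
    captured = client_response("correct horse", salt, challenge)
    good = server.login(1, captured)

    # A response recorded from connection 1 is sent again on a new connection.
    server.hello(2, "alice")
    replayed = server.login(2, captured)

    salt, challenge = server.hello(3, "alice")
    wrong = server.login(3, client_response("guess", salt, challenge))
    return good, replayed, wrong


if __name__ == "__main__":
    print(demo())
```

The outer hash makes a recorded response useless for a later logon, but the value stored in the database is enough to answer any challenge, so the user table needs protecting and the encrypted connection suggested in post #22 still adds value.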
