Results 1 to 4 of 4

Thread: Validate that network data came from my program

Threaded View

  1. #1

    Thread Starter
    Pro Grammar chris128's Avatar
    Join Date
    Jun 2007
    Location
    England
    Posts
    7,604

    Validate that network data came from my program

    I'm considering building a client/server system where the client running on workstation PCs in a network would need to send data to a central server in a secure way. When I say secure, I don't mean the data needs to be encrypted (although that would be good, but I know how to do that), what I mean is that I need to be sure the data being sent to the server came from the client program and not some other program. Basically the data would be important data about each user that is logging on to the PC, so it would be used as an audit trail and needs to be 100% reliable. But if I have a web/WCF service running on a central server waiting for data to be sent from each PC, how can I be sure the data actually came from the client software on each machine and is not data from a malicious user submitting fake data about themselves? Yes 99.9% of users would not know how to do that, or even be aware of the client software on their PC, but when it comes to security and auditing reliability, 99% is not good enough.

    I can't really think of any way that I could do this because even if my client software uses some special key or digital certificate to identify that the data is legitimate, what is to stop the user either decompiling the program to get that key/certificate information and then just submitting their own fake data? All the examples I can find of how to protect your data seem to be for the scenario where you trust the user of the PC and you are defending against other malicious software or man in the middle attacks... but in this case I need the software to be protected against the user of the PC. I can think of ways to do it if the end user did not have local Administrator permissions on their PC (i.e. just store the secure data in a folder that they don't have permission to access) but I need this to be secure even if the user is a local admin.

    So is this possible? The fact that there are other programs out there that run on PCs and claim to submit secure audit data to central servers makes me think that it must be possible but I don't see how.

    EDIT: Would a Public/Private key pair using RSACryptoServiceProvider work for this? If the server knows the private key and the client software only knows the public key... but then, again if the client program knows the public key then a malicious user decompiling the client program can also get the public key. This is the problem: whatever "secret" the client software uses to identify itself as legitimate, the user can get hold of as well.

    Thanks
    Chris
    Last edited by chris128; Nov 9th, 2014 at 08:34 PM.
    My free .NET Windows API library (Version 2.2 Released 12/06/2011)

    Blog: cjwdev.wordpress.com
    Web: www.cjwdev.co.uk


Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  



Click Here to Expand Forum to Full Width