-
Apr 27th, 2005, 04:48 PM
#1
Thread Starter
Junior Member
Securing a VB6 TCP Connection[RESOLVED]
Hello,
I'm currently testing a simple VB6 app that just sends text between a client and a server app after connecting on a local network. Currently, it just accepts any connection, but I'd like to secure it w/ a (hopefully encrypted) password. This will not be used for credit cards or anything, so I don't think I need to go through a Certificate Authority or anything. The server app will also need to securely store the password for future use. How can I do all of this w/ VB6?
Thanks in advance,
WeezelDS
Last edited by WeezelDS; Apr 27th, 2005 at 06:38 PM.
-
Apr 27th, 2005, 05:01 PM
#2
Lively Member
Re: Securing a VB6 TCP Connection
Hey,
This isn't exactly "Encryption" or anything but it's an idea... I've never tried it, but you can :P Here it is:
Use the Replace command to change "a" to "2765" or something. Then move that data into a different textbox, a different one from the one you type the password into. When you send this data, if intercepted it'll look like numbers, and at the server side you can again use the Replace command to change the number values back.
While sending the data you have to make sure that it doesn't get jumbled up. You have to send them one by one, or send them with a ; in between each number... Or if the numbers get jumbled up your program might have problems changing this back to real letters...
Hope it helps, somehow...
-
Apr 27th, 2005, 05:26 PM
#3
Thread Starter
Junior Member
Re: Securing a VB6 TCP Connection
Thanks, but I'm looking for more security than that...a hacker could easily get the program and sniff the outgoing messages to quickly decode that...
-
Apr 27th, 2005, 05:38 PM
#4
Re: Securing a VB6 TCP Connection
You could use Capicom, which is Microsoft's DLL that encrypts and decrypts strings. You supply a passphrase and then it's used to decode and encode whatever goes over the connection. Search for maven, he has code showing how to use it. I think now, you have to download the SDK for W2K3, but if you PM me with your email address, I could send you the 2mb file instead of the large download for the SDK.
-
Apr 27th, 2005, 05:43 PM
#5
Lively Member
Re: Securing a VB6 TCP Connection
Hmm, now that you mentioned it, how can you actually sniff outgoing packets using VB Winsock? I mean, I know that you can do it, I just don't have any idea how, the commands...
Maybe setting the remote host and port as the one you want to listen to. And when you receive data, the data going out from their port, you can display it in a textbox or something. The data probably is encrypted if it's sensitive content, but I would still wanna know how to make it harder for that to happen when VB Winsock is used. Which happens to be very insecure...
Ok, try this.
Multiply all of the values of the letters by an X number. This will be like the "key" of the "mini encryption method". Then enter the key on the server side, then divide the data by that, and then convert.
A person can also hack this if they know how to program, which many hackers do, but if they don't and if you use larger X key numbers it will be harder for them to crack this. Other than that I dunno how else you can use VB to encrypt. I mean this is how SSL encryption works, just it uses more complex algorithms and such...
You can multiply, divide, and use any math command to do this. The more you do it the more secure. Once compiled, if the person gets ahold of this program they'd either have to brute-force and try to get the key OR turn the .exe into machine code, and then try to change that back to VB code. And I've never heard of that being done :P
I'd say this is secure enough for chats and such. For credit card numbers you should use nothing less than 128-bit SSL encryption... Or someone would actually want to hack the transmission, to get the card number.
You can even send different numbers on different Winsocks. Let's say you're gonna send a credit card number and the number is X-X1. Then send X on one port and X1 on another; the more ports you use, and the more numbers you send, the harder it is to crack...
Of course nothing is uncrackable
Good luck! That's about all I can think of, and I put everything I could think of there :P
-
Apr 27th, 2005, 06:38 PM
#6
Thread Starter
Junior Member
Re: Securing a VB6 TCP Connection
Thanks dglienna...I'll be playing around w/ that Capicom component now, that should do the trick ...if anybody is interested the post about Microsoft's encryption component is at http://www.vbforums.com/showthread.p...hlight=Capicom
Also, thanks for the offer, but I just got the installer off Microsoft...
Thanks for the input Brin...incidentally, I don't plan on doing any port sniffing....I just know that's a common hacker tactic to get ahold of sensitive information...and I doubt they use VB ....but because of this potential threat, I don't want any simple encryption scheme like multiplying the messages by some number cuz I think a hacker could crack that relatively easily....so I'm gonna try out this Capicom component
Thanks guys,
WeezelDS
-
Apr 27th, 2005, 11:14 PM
#7
Re: Securing a VB6 TCP Connection[RESOLVED]
Cool. Last time I looked, it was in a HUGE SDK for Windows 2003. I mean many gigabytes just for the 2mb file. That's the only reason I was going to save you the grief.
-
May 1st, 2005, 03:05 AM
#8
Lively Member
Re: Securing a VB6 TCP Connection[RESOLVED]
Hi!
If you are implementing any code that involves password checking over the network, my post might help!
When it comes to checking passwords, it is not the issue of only encryption (though it is one part), but the necessity to use a key. Using one-way-only encryption methods like MD5 or SHA1 (I prefer MD5), you can secure your data. This way if your original password is "test123" your MD5 result might be:
cc03e747a6afbbcbf8be7668acfebee5
It's so impossible to get the source string that made it: "cc03e747a6afbbcbf8be7668acfebee5" by anybody (that's why it is called one-way encryption, which has no decryption)
This raises a question!
So, how do you check for your password??
Suppose you have this MD5 encrypted password stored in your database (it's better to store sensitive things in encrypted form). Ask the client to encrypt the password before sending over the network. So the server will check whether the stored "cc03e747a6afbbcbf8be7668acfebee5" and the incoming "cc03e747a6afbbcbf8be7668acfebee5" are the same. Since MD5 encryption is always the same in any OS, this will work.
If your password is stored unencrypted (that is as "test123" itself. RAW) in your database, follow this method:
The Server sends a key (any random generated string) to the client. The client then appends (or prepends or manipulates somehow) with the original password "test123" and then applies the encryption and sends it back. This way, the encryption is always different each time, even though the password is the same. In the meantime the server also does the same process of appending the key with the original password and keeps it ready with encryption for checking. An example might clear this more properly:
Original password in Server Database: "test123"
Server generates a random key: "hsozjr15sd86e"
Server Sends it to -> Client
Client receives "hsozjr15sd86e"
Client prompts for the password from user.
User Enters: "test123"
Client joins the password and the key: "test123hsozjr15sd86e"
The result is encrypted with MD5: "4a5f6722b66de40dffe0a3e2028bf6a6"
Client Sends the encrypted pass&key to server "4a5f6722b66de40dffe0a3e2028bf6a6"
Server does the same procedure (both have to match)
Server appends the key with password(from database): "test123hsozjr15sd86e"
Server makes MD5: "4a5f6722b66de40dffe0a3e2028bf6a6"
Server checks with the client data: "4a5f6722b66de40dffe0a3e2028bf6a6"="4a5f6722b66de40dffe0a3e2028bf6a6"
Server confirms, creates a Session and grants access!
HTH
Neo
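Added example (not part of the original posts, and in Python rather than VB6 so it runs stand-alone): the key exchange described in post #8 with both sides in one process, showing that the wire value changes every session and that an old value is rejected. The names `Server`, `login` and `hmac_response`, the single-use handling of the key and the HMAC-SHA256 variant are assumptions of this sketch, not something the thread specifies.

```python
import hashlib
import hmac
import secrets

def md5_response(password, key):
    # Post #8's scheme: MD5 over the password with the server's key appended.
    return hashlib.md5((password + key).encode()).hexdigest()

def hmac_response(password, key):
    # Swapped-in alternative (assumption): HMAC-SHA256 keyed with the password.
    return hmac.new(password.encode(), key.encode(), hashlib.sha256).hexdigest()

class Server:
    def __init__(self, stored_password, respond=md5_response):
        self.stored_password = stored_password  # kept RAW, as in the post
        self.respond = respond
        self.pending = None                     # key issued for this attempt

    def challenge(self):
        self.pending = secrets.token_hex(16)    # fresh random key per login
        return self.pending

    def verify(self, response):
        if self.pending is None:                # no outstanding challenge
            return False
        key, self.pending = self.pending, None  # a key is valid only once
        expected = self.respond(self.stored_password, key)
        return hmac.compare_digest(expected, response)  # constant-time compare

def login(server, password, respond=md5_response):
    # Client side: receive the key, answer it, return (wire value, result).
    key = server.challenge()
    response = respond(password, key)
    return response, server.verify(response)

def demo():
    server = Server("test123")                  # constructed sample password
    first, ok = login(server, "test123")
    second, _ = login(server, "test123")
    _, wrong = login(server, "test124")
    server.challenge()                          # a later session, new key
    replayed = server.verify(first)             # old wire value, new key
    return ok, wrong, replayed, first != second

if __name__ == "__main__":
    print(demo())
```

The exchange authenticates the login only: the text sent afterwards still travels in the clear, and the server has to keep the password itself in order to compute the expected value.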