Authentication and Authorization
-
Hey my people [hope not to bother anyone], I would like to authenticate a user in the main form application [client] and then in the server. I would also like to authorize the users. I don't have web forms... I have desktop applications which connect to the Internet and communicate with each other. Say I would like to:

1 - Send the SID of each computer where the client is running
2 - Send the login information of the current user
3 - Verify the current user of the client has Administrator rights from the server
4 - Verify the publisher of the application. I am thinking that if I verify the publisher I can use the certificate, is that right?
5 - Digitally sign and verify all data that is being sent over the network. I know how to sign all data but I am not so sure how to verify it.

Would this be possible:

    . . .
    byte[] toSend = Encoding.ASCII.GetBytes(Convert.ToString(WindowsIdentity.GetCurrent()));
    NetworkStream net = ClientTCP.GetStream();
    try{
        net.Write(toSend,0,toSend.Length);
    }
    catch{}
    finally
    {
        net.Close();
        ClientTCP.Close();
    }
    ...

On the other side I would have a receiving part, but I would like to do this:

    try{
        int bytes = net.Read(toRead,0,toRead.Length);
        string iden = Encoding.ASCII.GetString(toRead,0,bytes);
        //assuming that i have all the bytes of the windows identity
        WindowsIdentity W_iden = (WindowsIdentity) iden;
    }

Would that code help me send a Windows identity over the network? Thanks all... regards
The way of the code warrior is... SO beginning of the legacy starts now!
-
The only true way to authenticate is if two parties know who they should be talking to prior to initiating the conversation. Then, both parties can sign all communications between them with their "private key" to ensure they are who they say they are. Other schemes have been produced which attempt to get around knowing anything about someone else before communicating, but they are all able to be cracked in one way or another.

The most secure way to set it up would be to store all user public keys, and have all users store the server public key. Then, each user communicates by hashing the message, signing the hash, creating a symmetrical key, encrypting the sym key with the other party's public key, then encrypting the message with the symmetrical key, and sending the information to the other party.

Jeff
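The exchange described in the reply above, including the verification step the question asks about, as an added example that is not part of the original thread. It assumes .NET 8 or later, RSA-2048 keys with PSS signatures and OAEP key wrapping, and AES-GCM as the symmetric cipher; `Seal`, `Open` and `SignThenEncrypt` are hypothetical names.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example, not code from the thread. Key pairs are generated inline here;
// in the scheme above each side would already hold the other's stored public key.
static class SignThenEncrypt
{
    const int SigLen = 256; // RSA-2048 signature size in bytes (assumption: 2048-bit keys)

    // Sender: sign with own private key, wrap a fresh AES key with the recipient's public key.
    public static (byte[] WrappedKey, byte[] Nonce, byte[] Cipher, byte[] Tag) Seal(
        byte[] message, RSA senderPrivate, RSA recipientPublic)
    {
        // SignData hashes the message with SHA-256 and signs the hash.
        byte[] sig = senderPrivate.SignData(message, HashAlgorithmName.SHA256, RSASignaturePadding.Pss);
        byte[] plain = new byte[SigLen + message.Length];
        sig.CopyTo(plain, 0);
        message.CopyTo(plain, SigLen);

        byte[] key = RandomNumberGenerator.GetBytes(32);   // one-time symmetric key
        byte[] nonce = RandomNumberGenerator.GetBytes(12);
        byte[] cipher = new byte[plain.Length];
        byte[] tag = new byte[16];
        using var aes = new AesGcm(key, 16);
        aes.Encrypt(nonce, plain, cipher, tag);
        return (recipientPublic.Encrypt(key, RSAEncryptionPadding.OaepSHA256), nonce, cipher, tag);
    }

    // Recipient: unwrap the AES key, decrypt, then verify with the sender's stored public key.
    public static byte[] Open((byte[] WrappedKey, byte[] Nonce, byte[] Cipher, byte[] Tag) m,
        RSA recipientPrivate, RSA senderPublic)
    {
        byte[] key = recipientPrivate.Decrypt(m.WrappedKey, RSAEncryptionPadding.OaepSHA256);
        byte[] plain = new byte[m.Cipher.Length];
        using var aes = new AesGcm(key, 16);
        aes.Decrypt(m.Nonce, m.Cipher, m.Tag, plain); // throws if ciphertext or tag was altered
        byte[] sig = plain[..SigLen];
        byte[] message = plain[SigLen..];
        if (!senderPublic.VerifyData(message, sig, HashAlgorithmName.SHA256, RSASignaturePadding.Pss))
            throw new CryptographicException("Signature does not match the stored sender key.");
        return message;
    }

    static void Main()
    {
        using RSA client = RSA.Create(2048); // demo only: each object holds both key halves
        using RSA server = RSA.Create(2048);
        var sealedMsg = Seal(Encoding.UTF8.GetBytes("constructed sample message"), client, server);
        Console.WriteLine(Encoding.UTF8.GetString(Open(sealedMsg, server, client)));
    }
}
```

The signature covers only the message, so a recipient could re-encrypt the signed message for a third party; including the intended recipient's name in the signed bytes prevents that.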