Re: Password Security

From: Callum Winter (callum_at_REMOVE_THISwinter9999.fsnet.co.uk)
Date: 09/08/04


Date: Wed, 8 Sep 2004 13:39:39 +0100

Hi Alun,

First, thank you for your reply.

Basically, I'm working on an internet game, so good security isn't required
much past the login process; the rest is general protocol packet-tampering
detection or prevention code, so it really doesn't need encryption.

Yes, the server will keep a database of users who have signed up to play, and
obviously paying customers won't want their password cracked after some
hacker has used a packet sniffer to get hold of a login packet. The database
also will need to be encrypted just in case any hacker manages to get
through our data server defences. Hopefully they won't, as they won't know of
this server, only the game hosting servers (which are middle men in the
link), but safe is better than sorry.

We could of course prompt users to change their password on a regular basis,
but the point is to make it difficult for hackers to crack passwords in the
first place.
I understand IE has security built in (I think). Is it possible to use the
algorithms in IE, somehow hook TCP to IE's security features maybe
(without having to learn Java, or code to work within a web browser)?

I will of course look round for some books. Are there any in particular
(ISBN code if you know it) that will cover my problem? Like you
say, it would be overkill to go much past securing login packets (which won't
include much more than username and password) and the database of users on
our data server, so the book must at least cover these topics and how to
plug these features into C++ TCP/UDP code, including any interfaces required
and where to get them.

One final question. If one can get hold of a secure transport interface then
I assume a hacker could do the same and reverse engineer the algorithms and
still manage to decode the login packets, so what I'm asking is how secure is
all this secure transport stuff in the first place? How long would it take
to decode the encryption in a packet if they did manage to write a
decryptor? I'm quite new to all this so just want to get things clearer in my
head.

Hope you can provide that little bit more info for me.
Many thanks in advance.

Callum.

"Alun Jones [MSFT]" <alunj@online.microsoft.com> wrote in message
news:eCQBtmTlEHA.1656@TK2MSFTNGP09.phx.gbl...
> "Callum Winter" <callum@REMOVE_THISwinter9999.fsnet.co.uk> wrote in
> message
> news:eGr#NOPlEHA.2868@TK2MSFTNGP11.phx.gbl...
> > How do i get winsock to encrypt the packet so people cant rip off other
> > peoples passwords??
> > Does winsock include encryption?? is it automatically done as part of
> > the
> > TCP protocol.
>
> No, Winsock doesn't include encryption. There are several different
> encryption methods you can choose to implement on top of Winsock, of
> course.
> Many applications currently use SSL / TLS, for instance, using the
> SChannel,
> or SSPI, interfaces. This may be overkill for what you need.
>
> As I said, there are many different ways to solve the problem of verifying
> your identity to a server, and which one you choose will depend largely on
> what you intend to do. Does the server need to impersonate the client's
> Windows user account, or merely verify that the client is likely to be
> listed in a database of users somewhere? Does the server / client
> exchange
> need to be encrypted after the logon has occurred? How much data is
> expected to be encrypted?
>
> There are a number of books on the subject of secure network
> communications - it really isn't a small topic - I would suggest you visit
> your local library or book store and see what they have for you to check
> out.
>
> Alun.
> ~~~~
>
>
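An added example, not code from Callum's or Alun's posts, illustrating the server-side half of this thread: the user database should not hold encrypted (reversible) passwords at all, but a per-user salted, deliberately slow hash, so that an attacker who does get through the data server's defences still has to spend one key derivation per guess per user, and so that users who chose the same password do not produce the same record. It uses PBKDF2-HMAC-SHA256 from Python's standard library; the iteration count, the record layout, the two-user table and the wordlist are assumptions constructed for the example. It does nothing for the login packet on the wire, which still needs SSL/TLS (SChannel/SSPI, as Alun says) or an equivalent, so that a sniffer never sees the password in the first place.

```python
import hashlib
import hmac
import os
from typing import Iterable, Optional

# Assumed parameters for this example. Raise ITERATIONS as far as your
# login latency budget allows: every extra iteration costs the attacker
# the same amount per guess.
ITERATIONS = 100_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt$digest.

    A fresh random salt is drawn per call unless one is supplied, so two
    users with the same password get different records.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, iterations)
    return "pbkdf2_sha256${}${}${}".format(iterations, salt.hex(), digest.hex())


def verify_password(password: str, record: str) -> bool:
    """Re-derive the digest from the stored salt/iterations and compare in
    constant time, so a malformed or wrong record simply fails."""
    try:
        algo, iters, salt_hex, digest_hex = record.split("$")
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)
        iterations = int(iters)
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    salt, iterations)
    return hmac.compare_digest(candidate, expected)


# Constructed stand-in for the game's account database. Note that alice and
# bob share a password but their stored records differ.
USERS = {
    "alice": hash_password("correct horse battery staple"),
    "bob": hash_password("correct horse battery staple"),
}


def login(username: str, password: str) -> bool:
    """What the data server does with a (username, password) from a login
    packet. Unknown users still pay for one derivation, so response time
    does not reveal which usernames exist."""
    record = USERS.get(username)
    if record is None:
        hash_password(password)
        return False
    return verify_password(password, record)


def dictionary_attack(record: str, wordlist: Iterable[str]) -> Optional[str]:
    """The attacker's position after stealing one record: no shortcut exists,
    each guess costs a full PBKDF2 run against that record's own salt."""
    for guess in wordlist:
        if verify_password(guess, record):
            return guess
    return None
```

The cost model is the point: with a reversible encryption of the database, one leaked key exposes every password at once; with salted PBKDF2 the attacker's work is iterations multiplied by guesses multiplied by users, and nothing but a larger iteration count is needed to raise it later, since each record carries its own parameters.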