Please suggest a secure way to transfer data from one computer to another.

Question

I want "A" computer to responsible for execute the command, and "B" computer will send the command to "A" computer. I have some ideas on the implementation.

Way1: The "A" computer have a while true loop to listen for "B" computer's command, when it is received, it execute.

Way2: Using a FTP Server, that store information that about the command. The "A" computer have a while true loop to check whether the "B" computer uploaded any new information about the command. if yes, reconstruct the command and execute. After executed, the file on FTP Server will be deleted. And store a copy the "A" computer.

Way3: this is similar to way2, but using database to store. After the command is executed, it will made as executed.

What is your suggestion about these 3 ways? Is that secure enough?

Answer 1

You're assuming a trust relationship without giving any clues as to how you know that the payload from computer A is benign. How do you plan to prevent computer A from sending a task that says "reformat your hard drive after plundering it for all bank accounts and passwords?

1. AKA write a socket listener on computer B and let computer A connect to it. No security here.
2. FTP just saves you from having to write the transport protocol.
3. Database for persistence instead of file store - nothing new here.

None of your options have any security, so it's hard to say which one is more secure. FTP requires that the user know the URL of your FTP server and, if you aren't allowing anonymous access, a username and password. That makes 2 more secure than 1. 2 and 3 are equally (in)secure.

All can work, but all are risky. I see little or no security here.

Answer 2

Without more details, all I can suggest for security is to use SSL.

Using FTP or a database server will just add needless complexity, potentially without gaining any real value.

If you want a secure solution, you will need to carefully describe your environment, risks, and attackers.

Are you afraid of spoofing? Denial of service? Information disclosure? Interception?

Answer 3

A generic way: ssh and scp.

Reliable secure database specific: depends on the platform: Service Broker, Oracle AQ, MQSeries.

Not so good idea: write a socket program w/o knowing anything about security.

Answer 4

• 1 has nothing to do with security.
• 2 uses FTP and not FTPS? Anyone and their grandparents can sniff the username/password. Do not use.
• 3 depends on how securely you connect to the database --- on both ends. Also, how can you be sure what's inserted into the database if from your trustee?

What are you really implementing here? With all due respect, it sounds like you should pick up at least an introductory book on information security.

Answer 5

From your examples it seems that you aren't so much interested in securing against malicious attacks and bit manipulation but what you want is reliable delivery.

Have a look at a message queue solution, for example MSMQ.

Answer 6

It depends what kind of security you need. if it is guaranteed delivery - anything way that makes the message stored and approve the storing before deletion will do. if it's about the sender and the receiver id you should use certificates. if it's about the line security - you should encrypt the message.

All things can be achieve using WCF if you're on the Microsoft world. and there are other libraries if you're on the Linux world. (you can use https post for example).