views:

106

answers:

3

I am new to .NET, and don't have much experience in programming. What is the standard way of handling user authentication in .NET in the following situation?

  1. In Process A, User inputs ID/Password

  2. Process A sends the ID/Password to Process B over a nonsecure public channel.

  3. Process B authenticates the user with the received ID/Password

What are some of the standard cryptographic algorithms I can use in the above model?

The users (customers that bought my company's software) will be running the software (Process A) locally on their computer (connected to the internet). I need to authenticate the users from Process B, which is running at the company's server, so that only registered users can run the program.

+1  A: 

ASP.NET membership provider

Dustin Laine
A: 

While security is definitely not my strong suit, the main issue you have to be concerned with here is the fact that in step 2 the data is transferred through a public channel. Since this is the case, you would need to implement a PGP key-passing scenario or an equivalent system, so that process B is capable of decrypting your content from process A without an attacker being able to compromise the private key, which would result in decryptable information.

The preferable way would be to change this so that step 2 transfers over a secured channel; this would generally be accomplished with an SSL connection.

Chris Marisic
A: 

What you are trying to implement is called DRM, presumably in an attempt to prevent people from running copies of your software that have not been registered.

It's a losing battle. No matter how you implement it, the end result is that somewhere in your code you will have something like this:

if (authenticationSucceeded) {
    // Allow access to program
} else {
    // Show error and quit.
}

All someone has to do is to decompile this function, insert a ! in the if statement and recompile it again (or modify the intermediate language code directly). If they do this then they will have broken your security.

With this in mind, you might as well use a very simple, cheap-to-implement system. Just have a list of plain-text registered keys on your server and have the client send its key over HTTPS (to prevent eavesdropping). Adding more security than this is probably not worth it, as it will be so trivial to work around anyway, as described above.

Update: The poster says in a comment that the program is useless without access to a remote database. In this case it can make sense to prevent unauthorized use of the software, or more precisely, to prevent unauthorized access to your database. You can use WCF to make a secure connection to the server and require sending your username and password hash before allowing access to the rest of the interface. If the username/password is not correct, the server will disallow further calls to your service. On the server you can store the allowed usernames and password hashes in the database.

Mark Byers
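The check described in the update above, as an added example that is not part of the original answer. It shows the server side of the exchange (the client's two messages are simulated in-process): a login that verifies the credentials against a stored salted hash and hands back a random session token, and a second call that refuses to run without that token. It assumes the transport is already TLS (WCF over HTTPS, as the answer suggests), so the client sends the password itself rather than a hash of it; if the client sent only a fixed hash, that hash would become the credential and a captured copy could be replayed. The user name, password, `LicenseServer` class and the in-memory user table are constructed for the illustration; a real deployment would keep the records in the database the answer mentions.

```python
"""Server-side credential check and session token issuance (added example).

Assumptions (not from the original post): transport is TLS, so the client
sends its plaintext password; the server stores only a salted PBKDF2-SHA256
hash and issues a random token that later service calls must present.
"""
import hashlib
import hmac
import os
import secrets

PBKDF2_ITERATIONS = 100_000  # work factor; raise as hardware allows
SALT_BYTES = 16


def make_password_record(password: str) -> dict:
    """Create the stored record for a registered user.

    A per-user random salt means two users with the same password get
    different hashes, and a stolen table cannot be attacked with one
    precomputed list.
    """
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return {"salt": salt, "hash": digest, "iterations": PBKDF2_ITERATIONS}


# Constructed "database" of registered customers (hypothetical user).
USERS = {
    "alice": make_password_record("correct horse battery staple"),
}

# Record for a user that does not exist. Verifying against it on a lookup
# miss costs the same work as a hit, so response time does not reveal
# which user names are registered.
_DUMMY_RECORD = make_password_record(secrets.token_hex(16))


class LicenseServer:
    """Process B from the question: authenticates, then gates every call."""

    def __init__(self, users: dict):
        self.users = users
        self.sessions = {}  # token -> user name

    def login(self, username: str, password: str):
        """Message 1 from the client. Returns a session token or None."""
        record = self.users.get(username, _DUMMY_RECORD)
        candidate = hashlib.pbkdf2_hmac(
            "sha256", password.encode("utf-8"), record["salt"], record["iterations"]
        )
        # compare_digest runs in constant time; the membership test comes
        # second so the hash is always computed, even for unknown users.
        ok = hmac.compare_digest(candidate, record["hash"]) and username in self.users
        if not ok:
            return None
        token = secrets.token_urlsafe(32)  # 256 bits of randomness
        self.sessions[token] = username
        return token

    def is_authenticated(self, token) -> bool:
        return token in self.sessions

    def call(self, token, operation: str) -> str:
        """Message 2 from the client: any other service method.

        Without a valid token the server disallows the call, which is the
        behaviour the answer describes.
        """
        if not self.is_authenticated(token):
            raise PermissionError("not authenticated")
        return f"{operation} for {self.sessions[token]}"


if __name__ == "__main__":
    server = LicenseServer(USERS)
    token = server.login("alice", "correct horse battery staple")
    print("login ok:", token is not None)
    print("wrong password rejected:", server.login("alice", "guess") is None)
    print("unknown user rejected:", server.login("mallory", "anything") is None)
    print(server.call(token, "query database"))
```

Two details matter more than the choice of hash: the server never stores or compares the password itself, only a salted, iterated hash, and the comparison is constant-time so an attacker cannot learn the stored value byte by byte from response timing.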
What about obscuring the code so that no one can decompile it at the client end? I think if you can handle the decompilation issue, a WCF service over HTTPS is a good way to communicate over nonsecure channels.
Shoaib Shaikh
@Shoaib: I wouldn't bother obfuscating the client code. But good idea with WCF, especially as I just noticed the poster's comment that the client is useless without access to the server.
Mark Byers