views:

44

answers:

2

I have a client/server application and I'm wondering what is a secure method to implement registration of new clients with the server.

So far, I have the following:

A user downloads the client from them web, and installs it. During the installation the client registers with the server and receives a secret key (certificate). Each following client request is then encrypted / signed with that key.

My question is how to secure the initial transaction? How to make sure that I don't have hackers spoofing registration requests, fooling my server, and using up my server resources?

Thanks

+1  A: 

A simple CAPTCHA might be enough to prevent hackers from creating fake registrations.

davogones
A: 

Have you considered using https? Https (http over SSL) can help prevent hackers spoofing requests allowing you to securely exchange messages between the client and server. This would eliminate the need for you to have a secret key to encrypt/decrypt messages.

Authentication must be dealt with separately. While https can prevent eavesdropping, if you wish to limit access to your server to identified users, you'll need to implement an authentication mechanism using, for instance, username and password. Perhaps as part of the initial registration with your web site, users would be required to create a user account. To use the services from your site, users will there after be required to submit a valid credential (username/password) which you could check against a database.

Here's another useful link if you are willing to spend some time reading on this topic.

Mystic
How can I use https to authenticate my client?
DanJ
I edited the answer above to elaborate on a possible solution. Hope this sheds some light.
Mystic