System specs: C# client using .NET 3.0. WCF services hosted as Windows services on app servers. MS SQL Server 2008 R2 DB for data storage.
Hashes of user passwords are stored in the DB for authenticating users. My problem is, I do not know how to securely authenticate the client to the server, using the hash of the client's password.
Having read similar questions on SO, I saw that a challenge-response mechanism was recommended. Could someone give any good coding examples of how this can be done?
Also, if we can securely generate a private-public key pair on the server and distribute the public key to all the clients, would using public key encryption for passing information between the client and server suffice instead of using challenge-response?
EDIT: By Client I meant the user who will be actually using the client machine for logging in.
Use SSL for your client-server communication and your public key (AKA asymmetric) encryption is taken care of. You don't need to code it yourself; just configure it to use SSL.
If your client and server are on the same AD domain, the simplest option is to use the net.tcp transport with AD authentication. The user's Kerberos token is presented to the service and can be authenticated using AD roles.
If you cannot use integrated AD authentication and have to use the scheme you describe, you can use a custom username validator.
The process would look like this:
Server generates a challenge and sends to client. e.g. X
At Client
passwordHashed = Hash(password)
challengeHashClient = Encrypt(X, passwordHashed) // passwordHashed is the key
send challengeHashClient to server.
At the server
get passwordHashed from database
challengeHashServer = Encrypt(X, passwordHashed)
Match challengeHashServer with challengeHashClient
Also, there has to be a timeout for this operation to prevent replay attacks.
However, if you are using a Windows environment, why not think of using Windows Kerberos authentication?
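A concrete form of the challenge-response steps above, as an added example that is not from the question or either answer: it uses HMAC-SHA256 keyed with the stored hash for the "Encrypt(X, passwordHashed)" step, a random 32-byte challenge, a constant-time comparison, and a 60-second window for the timeout the answer mentions. The class name, the window length and the use of a plain SHA-256 for Hash(password) are my choices, not anything the page specifies.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example (not the original poster's or answerer's code). Targets the .NET 3.0
// classes mentioned on the page: RNGCryptoServiceProvider, SHA256, HMACSHA256.
public static class ChallengeAuth
{
    // Assumed timeout window for a challenge; tune to your WCF call latency.
    static readonly TimeSpan Window = TimeSpan.FromSeconds(60);

    // Server: fresh random challenge X, plus the time it was issued.
    public static byte[] NewChallenge(out DateTime issuedUtc)
    {
        var x = new byte[32];
        using (var rng = new RNGCryptoServiceProvider()) rng.GetBytes(x);
        issuedUtc = DateTime.UtcNow;
        return x;
    }

    // Both sides: Hash(password), the value the DB stores (unsalted here for brevity).
    public static byte[] HashPassword(string password)
    {
        using (var sha = SHA256.Create())
            return sha.ComputeHash(Encoding.UTF8.GetBytes(password));
    }

    // Both sides: keyed MAC of X under the hashed password, i.e. Encrypt(X, passwordHashed).
    public static byte[] Respond(byte[] challenge, byte[] passwordHashed)
    {
        using (var h = new HMACSHA256(passwordHashed)) return h.ComputeHash(challenge);
    }

    // Server: reject stale challenges, recompute from the DB hash, compare in constant time.
    public static bool Verify(byte[] challenge, DateTime issuedUtc,
                              byte[] clientResponse, byte[] dbPasswordHash)
    {
        if (DateTime.UtcNow - issuedUtc > Window) return false;
        var expected = Respond(challenge, dbPasswordHash);
        if (expected.Length != clientResponse.Length) return false;
        int diff = 0;
        for (int i = 0; i < expected.Length; i++) diff |= expected[i] ^ clientResponse[i];
        return diff == 0;
    }

    static void Main()
    {
        DateTime issued;
        byte[] x = NewChallenge(out issued);                          // server -> client
        byte[] resp = Respond(x, HashPassword("correct horse"));      // client -> server
        Console.WriteLine(Verify(x, issued, resp, HashPassword("correct horse")));
        Console.WriteLine(Verify(x, issued, resp, HashPassword("wrong password")));
    }
}
```

Because the stored hash is the MAC key, anyone who reads the DB column can answer challenges without knowing the password, so the column needs the same protection the password itself would; the challenge must also be used once and then discarded server-side, which the in-memory `issuedUtc` check alone does not enforce.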