(Partially) security client-server communications

From: Mike Hunson (mike_at_nospammingallowed.com)
Date: 01/12/05


Date: Tue, 11 Jan 2005 18:23:36 -0800

I'm looking for a way to secure (ok, partially secure) communications
between a software product (client) and our website (server).

Here's what I mean:
The software product we have will grab information from a website (a PHP
script on our website, specifically), connecting via HTTP.

However, we want to try to prevent other applications or even casual users
from getting this information without using our application. We don't care
if the information in transit is plaintext, we just want to make sure that
only our client can communicate with the server.

My understanding is that NOTHING we can do will offer 100% security, because
somebody can always reverse engineer our application to see what is going
on.

However, if we can just make it reasonably difficult, that would be fine.

I'm guessing we want some sort of challenge-response protocol. Right now,
the application calls the script:
http://xyzsite.com/getinfo.php&userid=20digituserid&query=term

and the script returns information, which the application then displays to
the user.

However, as you can see, nothing is really there that can prevent somebody
from accessing this (if they know the userid).

So I was thinking something like this:
1. Application calls login script:
http://xyzsite.com/login.php&userid=20digituserid
2. Script returns some sort of number based on, say, rand() | userid. Let's
call this number challenge_number.
3. Application runs some sort of mathematical algorithm on this number.
This algorithm should be broken up between several different functions.
Something like:
sha1( ((challenge_number % 93132) * 9) | userid );
Application then uses this number in all subsequent calls to server for next
12 hours?
After 12 hours, client initiates this procedure again (and server discards
old number/information).

This doesn't exactly seem ideal to me, but it will prevent people from just
using their web browser to access our script (unless they know the protocol,
which of course we will try to hide).

Any thoughts or ideas? The simpler the better.

Thanks,

Mike
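The challenge-response flow sketched in the post, as an added example (Python, not code from the original message or its author): login.php and getinfo.php are simulated in memory, the 12-hour lifetime is enforced and cleaned up on the server side, and the `|` in the hash input is read as string concatenation (an assumption; in PHP it would be bitwise OR).

```python
import hashlib
import hmac
import secrets
import time

# Constants from the post's sketch; the 12-hour lifetime is the post's too.
MODULUS, MULTIPLIER = 93132, 9
SESSION_TTL = 12 * 3600


def compute_response(challenge: int, userid: str) -> str:
    """The client-side transform from the post:
    sha1(((challenge_number % 93132) * 9) | userid).
    '|' is read here as string concatenation (an assumption). Anyone who
    extracts this function from the client binary can reproduce it, which
    is why the scheme only raises the bar rather than proving which
    program is talking to the server."""
    mixed = f"{(challenge % MODULUS) * MULTIPLIER}{userid}"
    return hashlib.sha1(mixed.encode()).hexdigest()


class Server:
    """In-memory stand-in for login.php and getinfo.php."""

    def __init__(self, clock=time.time):
        self.clock = clock            # injectable so expiry can be tested
        self.sessions = {}            # userid -> (expected_hash, expiry)

    def login(self, userid: str) -> int:
        """login.php: issue a fresh unpredictable challenge and remember the
        hash the legitimate client must present for the next 12 hours."""
        challenge = secrets.randbelow(1 << 31)
        expected = compute_response(challenge, userid)
        self.sessions[userid] = (expected, self.clock() + SESSION_TTL)
        return challenge

    def getinfo(self, userid: str, session_hash: str, query: str):
        """getinfo.php: serve the query only with a valid, unexpired hash.
        Returns None (a 403 in the real script) otherwise."""
        entry = self.sessions.get(userid)
        if entry is None:
            return None
        expected, expiry = entry
        if self.clock() > expiry:
            del self.sessions[userid]   # server discards the old number
            return None
        if not hmac.compare_digest(expected, session_hash):
            return None
        return f"info for {query!r} (user {userid})"
```

Because the challenge is random per login and the hash is only accepted for the user it was issued to, a captured hash is useless against another userid and stops working after the 12-hour window.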
