RPC authenthification explained with windows api - windows

I would like to make a IPC between two processes using Windows RPC. Please explain me like I am five how my application should achieve good security. I want to use ncalrpc protocol (processes on the same computer). More exactly:
How my client application knows that the server is trusty?
How my server know if the callee is the trusted one?
What options do I have? I didn't get RpcBindingSetAuthInfo function.
Thanks

For a local connection having the client authenticate the server is fairly hard (for example confirming that some other service did not start in place of the desired program) but having the server identify the client is not, call RpcBindingInqAuthClient and use the username to determine what action to take, or just use RpcImpersonateClient if you can rely on existing secured objects. Most of the RPC security apparatus is for remote connections rather than ncalrpc.

Related

How do I respond to multiple gRPC clients?

I am building an application which can have multiple gRPC servers and definitely will have multiple gRPC clients, I wanted to know, how to identify on server side that this is the client I am talking to and only send data to that client. I am using bidirectional streaming RPC and right now the data gets broadcasted to every client and I don't want that. What functions in go gRPC make it possible or how can I implement it?
There are two ways to read this question. One way is to read it as the auth problem as answered before. The second way is how I read it, as a connection/session problem.
When the client connects, the grpc server will invoke a function to implement the call in its own goroutine, and that function will be only talking to the client that initiated that call. So, the struct you registered as your grpc server will be shared among many connections, but each connection will run in its own goroutine, and will only talk to the client that initiated it. That also means you have to make sure the grpc server implementation is thread-safe.
You mentioned data is being broadcasted to every client? There is no broadcast in grpc, are you sure that's what's happening?
This sounds like a common authentication/authorization problem that ultimately won't have much to do with gRPC or Go.
You need a way for a client to indicate who they are. Personally I'm a fan of JWTs. In a standard HTTP request, there are authorization headers that can indicate who is making the request. Similarly, gRPC supports meta data attached to each remote call. In my current work project, every call must have a JWT in the meta data or else I don't process the request. Every call except the login endpoint that is.
I haven't looked into how to get details like a gRPC client's IP address or other information about a client's connection but chances are that anything provided by gRPC's generated code is something potentially faked by the client. When architected correctly, JWTs can offer cryptographic confidence that the client is who they claim to be.

p2p direct data exchange...via HTTPS?

Is there any protocol, API or software in existence that can send data/IM/etc directly from one device to another with no server?
Can you not use HTTP GET/POST/DELETE directly between two devices when their device data is known to the user(s)?
I would very much like to know if there is ANY software/protocols that can do this.
thank you!
The internet is build on the Internet Protocol suite. This suite has 5 different layers of protocols: The physical layer, the link layer, the network layer, the transport layer and the application layer. Each depends on the one before.
If you just use the browser, by default HTTP (application layer) is used, which relies on TCP (transport layer), which relies on IP (v4 or v6, network layer), which relies on ethernet (link layer), which finally relies on the actual cable that's plugged into your computer (for WiFi, the first three are the same but the last two differ if I'm not mistaken).
Now to your question: Is there any protocol, API or software in existence that can send data/IM/etc directly from one device to another with no server?
Yes there is. I suggest you start looking at protocols that are in the application layer. To highlight a few standards next to HTTP(S): FTP is for file transfer, IMAP is for emails clients, SMTP is for email servers and SSH is a secure shell which can also be used to tunnel data through.
For your specific case, I think either FTP (FTPS if you want it over SSL), or SSH can be a solution, but it's hard to know for sure without the specifics.
The only thing that these protocols have in common is that one of the two computers will act like server and the other computer as client. This has as downside that port-forwarding might be necessary.
If you've chosen the protocol you'd like to use, then you're up for the next step, selecting a program that can do that for you. For HTTP(S), I'd recommend Apache. If you're using Linux and chose SSH, then you're in luck, there is a build in SSH server in Linux, you can use that. For other protocols, you might just want to search yourself, as I do not have any suggestions.
I hope this answers most of your questions!
Desirius
In browser context, WebRTC is probably what you are looking for: It allows user to user communications.
https://en.wikipedia.org/wiki/WebRTC
https://webrtc.org/

Verifiying answers from application to web service and vice versa

Scenario:
My Application stands in connection to Web service (Master Server). Sometimes i make calls like login on application startup, where my application sents user credentials to the master server for validating.
So, how do i 1st validate that the answer is from my real server and not a fake local webserver with routed hosts file? And 2nd how do i parse this answer?
I always parsed like this (dummy code):
if($answerFromWebserver == "LOGIN_OK") {
doLogin();
}
Are there better, more safe solutions?
some of the security feature I see/use,
You can allow specific IPs to server, can setup firewall for this.
Setting up SSL/HTTPS will be great benefit to secure transport level.
You can send username/password encrypted with every message, so at server side authentication will took place each time. You can use SOAP header for this.
You can read huge article from ms here on securing services..

VNC connection brokering (RFB protocol server)

Please consider the following scenario:
VNC Client try to connect with a VNC Server which is behind a NAT.
I have written a port forwarder in java which help me achieving above task, and it works fine.
Now I need to, somehow, add a connection brokering functionality within this forwarder so that I can also intercept the communication between VNC Client – Server, and authenticate the VNC Client within the forwarding utility as well.
You may have guessed that actually I am using the password received from VNC Client for some authentication in my app. As the RFB Server can be implemented at application layer, I guess this interception is possible... VNCAuthentication (DES encryption/decryption) is used in all above communication. Upon successful authentication within the forwarding utility I shall just let the forwarding continue for that respective client, else I can close it (stop forwarding).
I have tried some implementation, also tried customizing a java implementation of rfb server... but still not able to get there. It will take some time, I know, but need to confirm if I am thinking straight.
Please let me know if the implementation of above scenario is ambiguous, not possible, or illegitimate and if this is possible, let me have some guild lines...
This seems like a good implementation. Think of it like a VNC proxy, just like an HTTP(S) proxy. There are also HTTP authenticating proxies. You're implementing part of the VNC protocol to create an authenticating VNC proxy.
Maybe you can get some inspiration from VNCProxy, an existing Java VNC proxy.

How to create a messaging service?

I want to create a messaging service that uses the XMPP protocol. How would I implement the server-side as well as the client side aspects of this service? I know I would need a server (like Jabberd 2) that runs the messaging framework. How hard would this be to set up and get running? Also what would be the best way to hook up a client program into this service? How would i start pushing messages from one client, through the server, to another client?
Server: there are many out there, see http://xmpp.org/software/servers.shtml for a list.
I've used OpenFire in the past, it's fairly straightforward to set up.
You can add a library like xmppframework to your Cocoa project to make it a client, and configure it to talk to your XMPP server.
Each client gets an identifier (called a 'jid') of the form: uniquetext#xmppserver.name, and you send messages from one client to the other by addressing them to the jid of the intended recipient.
If you want to play around with simple examples in a scripting language, you can use something like the examples in the python xmpp library to see how it all works. Use an xmpp client like psi to connect as one jid and use the examples to connect as another jid to send/receive messages through the server.

Resources