Difference between CryptEncryptMessage EncryptMessage(Negotiat

Post by mario.beut » Fri, 15 Dec 2006 17:32:23



Eric, thank you very much for your answer! It is hard to find an expert
for such special security questions - so I'm happy that you answered
me.
Perhaps you can tell me your opinion about the following questions:
What is the best and most secure way to send data from a client to a server
in Windows XP Pro? My idea: My client software is a service that collects
some information and creates a local Named Pipe (where the service
writes the collected and encrypted information). The server software
reads from this Named Pipe via CreateFile(\\Client\PipeName). The
client doesn't connect to the server - I think this way I avoid a lot of
security flaws. But the client could be cracked or replaced and I
cannot check whether the information from the Named Pipe really comes from
my client.
Perhaps the client should send the data via EncryptMessage or (secure)
RPC to the server software. It would be great if an administrator
didn't have to change the network settings to run my software (open new ports,
activate OS services) - I think my solution based on Named Pipes will
work in most networks because Named Pipes have the fewest
requirements.

Mario

Post by RXJpYyBQZX » Sat, 16 Dec 2006 06:51:00

That's an unusual design in my personal opinion.
I'm not really sure I understand how the server knows which client to
contact...
I'm not a big fan of named pipes. They're hard to secure properly (you could
have squatting of the pipe name on the client in your case), and you need to
marshal your own data manually.
Straightforward RPC is not that hard after the initial bump, and is very
portable.
It offers privacy too through the QoS (quality of service) parameters.
DCOM offers similar capabilities.
--
This posting is provided "AS IS" with no warranties, and confers no rights.
Eric Perlin [MSFT]


Post by mario.beut » Sat, 16 Dec 2006 23:59:42

Hello Eric,

Thank you for your answer.


The client software is installed on all client computers. The advantage
is that the server polls the data - there is no chance for Denial of Service
attacks and there is no open door on the server (ports, pipes...).
Another advantage is that Named Pipes are available on almost all networks
(server service is running). But I'm not sure if some administrators
(or firewalls) deactivate the RPC service - and in such networks my
application fails.


CreateNamedPipe has a LPSECURITY_ATTRIBUTES parameter - I'm not sure if
I can use it.

Mario
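
Added example, not part of the thread: one way to use the LPSECURITY_ATTRIBUTES parameter of CreateNamedPipe asked about above, combined with FILE_FLAG_FIRST_PIPE_INSTANCE against the pipe-name squatting mentioned earlier. The pipe name, the reader SID and the helper names build_pipe_sddl and create_guarded_pipe are assumptions made for illustration.

```c
/* Added example, not code from the thread. Pipe name and SID are constructed. */
#include <stdio.h>
#include <string.h>
/* SDDL for a protected DACL: full control for LocalSystem, read-only for one
   reader SID, no ACE for Everyone/Anonymous. Returns 0 on success, -1 on error. */
int build_pipe_sddl(const char *reader_sid, char *out, size_t outlen)
{
    /* Accept only "S-1-<digits and dashes>" so the SID cannot inject extra ACEs. */
    if (!reader_sid || strncmp(reader_sid, "S-1-", 4) != 0 ||
        reader_sid[1 + strspn(reader_sid + 1, "-0123456789")] != '\0')
        return -1;
    int n = snprintf(out, outlen, "D:P(A;;GA;;;SY)(A;;GR;;;%s)", reader_sid);
    return (n > 0 && (size_t)n < outlen) ? 0 : -1;
}
#ifdef _WIN32
#include <windows.h>
#include <sddl.h>   /* link with advapi32 */
/* Create the single instance of an outbound pipe with the DACL above. */
HANDLE create_guarded_pipe(const char *name, const char *reader_sid)
{
    char sddl[256];
    SECURITY_ATTRIBUTES sa = { sizeof sa, NULL, FALSE };
    if (build_pipe_sddl(reader_sid, sddl, sizeof sddl) != 0 ||
        !ConvertStringSecurityDescriptorToSecurityDescriptorA(
            sddl, SDDL_REVISION_1, &sa.lpSecurityDescriptor, NULL))
        return INVALID_HANDLE_VALUE;
    /* FIRST_PIPE_INSTANCE: fail (ERROR_ACCESS_DENIED) if this name already exists,
       i.e. another process created the pipe before the service did. */
    HANDLE h = CreateNamedPipeA(name,
        PIPE_ACCESS_OUTBOUND | FILE_FLAG_FIRST_PIPE_INSTANCE,
        PIPE_TYPE_MESSAGE | PIPE_WAIT, 1, 4096, 0, 0, &sa);
    LocalFree(sa.lpSecurityDescriptor);
    return h;
}
#endif

int main(void)
{
    const char *sid = "S-1-5-21-1111111111-2222222222-3333333333-1105"; /* constructed */
#ifdef _WIN32
    HANDLE h = create_guarded_pipe("\\\\.\\pipe\\ExampleCollector", sid);
    printf("pipe: %s\n", h == INVALID_HANDLE_VALUE ? "refused" : "created");
#else
    char s[256];
    if (build_pipe_sddl(sid, s, sizeof s) == 0) puts(s);
#endif
    return 0;
}
```

The DACL limits who may open the pipe; it does not prove to the reader which process created it.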