Academic Integrity: tutoring, explanations, and feedback — we don’t complete graded work or submit on a student’s behalf.

I have an application running on a server, that has an exposed socket to the Int

ID: 660159 • Letter: I

Question

I have an application running on a server, that has an exposed socket to the Internet to communicate with client that is/are application(s) on a phone. How would one go about properly securing the access to the server, if one is not sure he could trust the client to store secrets?

What I mean by not trusting, is that for example if I don't want to store symmetric encryption key on the device, and I'm not sure encrypting messages with public RSA key is good enough since someone could just repeat message to the server..

TSL on the other hand seems to be geared towards client recognizing whether he can trust some server..

What would be a good way to start implementing a secure access from the client towards the server, and server to be able authenticate the client ?

Explanation / Answer

Authentication is about reliably recognizing who is at the other end. Since, from the server, you "see" the client only through network packets, and since everybody can buy the same kind of hardware, you may hope to properly authenticate a specific client only if that client is able to compute things that other systems would not. This implies that the client must know some "secret". There is no avoiding it. If no secret can be stored client-side, then authentication from the server is hopeless.

Now, it so happens that in the case of a phone, the client system comes with an appendage usually designated as "human". There is a (loosely maintained) one-to-one relationship between a phone and its owner. This means, in your context, that the client-side secret can be stored in the device itself, but also in the brain of the human user. We call that, technically, a "password".

Alternatively, there is a reliably stored secret value stored on the phone side: it is the key in the SIM card. That specific secret is what is used by phone companies to distinguish phones from each other, and all the billing is based on it. You might be able to leverage that authentication, but only by integrating with the phone companies; you don't do that with a mere "server on the Internet". A practical implementation would be the following:

Related Questions

I have already sent this, and after an hour of waiting, I still have yet to rece
Question #3313293
I have already solved the first 3 out of 4 questions, but I need help solving th
Question #2765030
I have already submitted this question and I only got the answer to numer 1 but
Question #2076713
I have already submitted this, but the answers were not explained and not all of
Question #3037047
I have already tried the answers: -29.42, +29.42, and -10.579. The standard enth
Question #893756
I have already written a Date class and a Person class that compiles, my employe
Question #3625318
I have already written a program for the query below. I need your help to c hang
Question #3680184
I have also been working on this for almost an hour. Please help! Consider the p
Question #2234526
Hire Me For All Your Tutoring Needs
Integrity-first tutoring: clear explanations, guidance, and feedback.
Drop an Email at
drjack9650@gmail.com
Chat Now And Get Quote

Navigate

Previous
I have an application in c# that displayed image and allow to zoom in and zoom o
Next
I have an application that runs on some host machine and generates logs. Later i

Integrity-first tutoring: explanations and feedback only — we do not complete graded work. Learn more.