I will like to create a service with custom authentication. The way I will like to authenticate users is as:
-
Client connects to service.
-
Service generates a random number lets say 1234 and sends that number to client
-
Client then is supposed to add the numbers (Latter I will use a better hash) so the client sends 10
-
The Server performs the same hash algorithm and expects to receive 10
-
server received 10 it then authenticates the user and the user is able to start consuming the service.
I have some basic question though. If I uses security = “none” then will the messages be encrypted? In other words if I use security = “none” I know that the user will not have to be authenticated but are the messages sent to the service in plain text? How can I force the connection to be encrypted without having to authenticate the user? I will like to restrict users from sniffing packages. I don’t mind them connecting to the service. If they connect to that service I will only want to let them see the messages they send but not other’s people messages.
For encrypted communication with server without authenticating the user you can use Transport or Message level security.
Refet to the following articles for details:
And a general advise: don’t invent your own authorization/authentication/encryption protocols, unless you are one of the greatest information security/crypthography experts in the world. Use the protocols already present on the market.
What have you described is not a handshake at all, since it’s protected only by the fact, that an attacker does not now your hash function. Such an assumption considered quite bad basement for the cryptographic/authentication protocol.