In the following few lines I will explain the trick that I am worry about, and an explanation for my exact problem
Trick :
Past I used to crack a program using fake server response
- Looping back the connection of the program (client) to my computer
- Sniffing the Login successful packet from the real server
- Creating a fake server (listener) that listens for a connection from the client and sends back the fake response ( that I sniffed )
But it has not been alot of time since they changed something and my trick did not work any more
(Every time i try to send some sniffed login packet the client crashes and no longer accepts the fake server responses)
Problem :
Now I am creating my own client server communication and i want to prevent my client from getting fooled by the fake server response trick (anyone can login with any username and password) and provide the best security from eavesdropper
(How to make sure that this packet came from my server and not from other fake server that just sends the sniffed login succeed packet to fool my client and login)
(In another way How to prevent the client from being fooled but a fake server (emulator))
Note : I mean by prevent not to make it 100% secure because everything can be cracked but to avoid this kind of silly things that destroys the whole project
I Hope I did not went away from the point but I just wanted to explain every single point clearly
If I understand what you may be going for, using TLS is a convenient way to give confidence that the client is connecting to the right party.
By validating the server’s certificate against the local root trusted certificates or peer trusted certificates, you can validate that the server’s certificate was issued by a “trusted” third party and that the host name being connected to is the intended party. If such a validation fails, you can prevent communication to the server.
Of course, this is only useful if the client has not entirely been compromised.
The following may help you a bit:
Understanding Authentication
Transport Layer Security
If setup correctly, SSL can go a long way to ensure the client is connecting to the correct server. Its the same technology used to make sure you are submitting your login information to stackoverflow or gmail or most any other website. The server will send its certificate to the client. The client will take that certificate and use some math magic to make sure it was issued by one of the certificates in the machines trusted store. Embedded in that certificate is the hostname. If the hostname matches what was connected to by he client and the certificate was issued by a certificate in the trusted store then the connection will be made. Since you are trusting the entities in your trusted store to know who they issued certificates to, the servers certificate cannot be faked. However if the machine the client was running on was fully compromised they could install their own trusted certificate into he trusted store, allowing them to pretend to be the server to clients connecting from the compromised machine. Decompiling the source in this case would not allow the attacker to pretend to be the server. The simplest way for you to take advantage of SSL is to have your server run as a web service. I’m sure there are likely libraries out there that implement TLS as well.