Handling User Authentication in .NET?

Question

I am new to .NET, and don't have much experience in programming. What is the standard way of handling user authentication in .NET in the following situation?

1. In Process A, User inputs ID/Password

2. Process A sends the ID/Password to Process B over a nonsecure public channel.

3. Process B authenticates the user with the recieved ID/Password

what are some of the standard cryptographic algorithms I can use in above model?

The users(customers that bought my company's software) will be running the software(Process A) locally in their computer(connected to internet). I need to authenticate the users from Process B which is running at company's server so that only registered users can run the program.

Answer 1

ASP.NET成员资格提供程序

Answer 2

While security is definitely not my strong suit the main issue you have concern here over is the fact that in step 2 the data is transferred through a public channel, since this is the case you would need to implement a PGP key passing scenario or equivalent system so that process B is capable of decrypting your content from process A without the ability for an attacker to compromise the private key resulting in decryptable information.

The more preferable way would be to change this so step 2 transfers by a secured channel, this would generally be accomplished with a SSL connection.

Answer 3

What you are trying to implement is called DRM, presumably in an attempt to prevent people from running copies of your software that have not been registered.

It's a losing battle. No matter how you implement it, the end result is that somewhere in your code you will have something like this:

if (authenticationSucceeded) {
    // Allow access to program
} else {
    // Show error and quit.
}

All someone has to do is to decompile this function, insert a ! in the if statement and recompile it again (or modify the intermediate language code directly). If they do this then they will have broken your security.

With this in mind, you might as well use a very simple, cheap to implement system. Just have list of plain-text registered keys on your server and have the client send their key over HTTPS (to prevent eavesdropping). Adding more security than this is probably not worth it as it will be so trivial to workaround anyway as described above.

---

Update: The poster says in a comment that the program is useless without access to a remote database. In this case it can make sense to prevent unauthorized use of the software, or more precisely - to prevent unauthorized access to your database. You can use WCF to make a secure connection to the server and require sending your username and password-hash before allowing access to the rest of the interface. If the the username/password is not correct the server will disallow further calls to your service. On the server you can store the allowed usernames and password hashes in the database.