NetworkProgramming代写:CSE320WolfieChatPart5


Introduction

这是这一系列作业的最后一部分了,这部分包括用户账户管理以及安全的实现,此外还有一些杂项和收尾工作。

User Accounts & Basic Security

Now it is time to add persistence to your server by creating user accounts.
The user can then login and out of the server using a password. The server
must be modified to contain a shared resource which holds user account
information. Additionally, the login protocol must be updated to allow for
account validation, eg. passwords.

You will replace the login protocol from Part I with the account login
protocol.

Password Criteria

Passwords must meet the following criteria to be valid:

  • Must be at least 5 characters in length
  • Must contain at least 1 uppercase character
  • Must contain at least 1 symbol character
  • Must contain at least 1 number character

    Example: Cool320!
    When the user types in the password, use the gctpass function so the password
    is not displayed as it is typed.

Server

Usage updated:
./server [-hv] PORT_NUMBER MOTD [ACCOUNTS_FILE]
-h Displays help menu & returns EXIT_SUCCESS.
-v Verbose print all incoming and outgoing protocol verbs & content.
PORT_NUMBER Port number to listen on.
MOTD Message to display to the client when they connect.
ACCOUNTS_FILE File containing username and password data to be loaded upon execution.
The server will request a password when a user attempts to log in. Also, it
will create a new password for new users when they identify themselves upon
login. There should now be two data structures central to your program: a
Users list and an Accounts list. The Users list is a list of the users
currently logged into the server. The Accounts list is the persistent list of
users and their passwords loaded and saved to a file on the server’s execution
and termination respectively. If an accounts file is provided on the command
line, your server should load this file into the accounts list upon start-up.
If no file is provided, the server should start with no existing accounts.

Do not use an array for either of these data structures, it MUST be an
extendable format such as a linked list within your server program.

Added Server Command

/accts

When /accts is typed into the server’s terminal it should dump a list of all
user accounts and information. This printout should be similarly formatted to
the output of the /users command.

Client

To add user authentication we will modify the client program to take an
additional argument for creating a new user on the server. When the optional
-c argument is included, the client will attempt to create a new user on the
server. If the argument is not provided, the client will attempt to login to
the server as an existing user with an account.
Usage updated:
./client [-hcv] NAME SERVER_IP SERVER_PORT
-h Displays this help menu, and returns EXIT_SUCCESS.
-c Requests to server to create a new user
-v Verbose print all incoming and outgoing protocol verbs content.
NAME This is the username to display when chatting.
SERVER_IP The ipaddress of the server to connect to.
SERVER_PORT The port to connect to.

User Authentication Protocol

The protocol for logging into the server will now additionally include user
creation. We will introduce new verbs IAMNEW, HINEW, NEWPASS.

Remember when the client prompts the user to enter their password, use the
getpass function so the password is not displayed as it typed.
Once a user account has been established with the server, on subsequent client
connections the user must be validated. We will introduce new verbs AUTH,
HINEW, NEWPASS.

User Authentication

Since you will be storing sensitive information, such as passwords, we should
employ techniques to help protect the users login information. It is always
bad practice to store an actual user password in your database, even if it is
encrypted. Instead you should store a 1-way crytographic hash of the password.
When a user attempts to login, the password is sent over the network, and is
hashed by the server. Then the server will compare the stored hashed value
with the hash value it just generated. If they are the same then the user is
authenticated. If it is not, then authentication fails.
This of course only protects against attacks which dump the database. Its
still possible for someone to intercept the plaintext password over the
network, but this out of scope for this assignment.
Even though a hash should be a 1-way function, it is possible to reverse/crack
a hash eventually with enough computation power and time. If a hash can be
cracked quickly, this is bad because if multiple users in your database have
the same password, then they will have the same hash. So once you crack that
password for one user you crack that password for all users with the same
password. This compounds for an attacker since many users use the same
password over multiple user accounts. Say for example, that you use the same
password for google and the 320 webform. If the password gets stolen from the
320 webform because we have bad security practices, the attacker can now
compromise the google account by simply just testing to see if that password
works.
To help defend against a cracked password compromising everyone else’s
password, you should add what is called a salt to your account’s password
before hashing it. This salt should be a value generated by a random function
which is considered cryptographically secure.
Upon the creation of a new account you should generate the salt and store it
in your authentication database. Then when you perform the hash, you should
append the salt to the password before hashing. This will result in the same
password being hashed differently for each user.
The combination of forcing the user to select a strong password, hashing, and
salting will give you the time to alert your users of a possible breach and
allow them to act accordingly.

Use the hash function sha256 available in openssl/sha.h
Install openssl and openssl-dev
sudo apt-get install openssl libssl-dev
Use the rand to generate the salt available in openssl/rand.h
Although not required for the assignment, you can still go one step further
and do key streching to help defend against brute force attacks, by making
the cracking process take more time.
You must use a shared resource, plaintext file or database (see extra
credit) for storing the salt and hash per user.

Error Code Table

The following lists the error codes and associated messages.

ERR Code Message
00 USER NAME TAKEN
01 USER NOT AVAILABLE
02 BAD PASSWORD
100 INTERNAL SERVER ERROR
The default error message should be used for any other conditions which were
not characterized.

Extra Credit

  • (15-20 pts) Create a user interface for the client and chat using ncurses. The points allocated will depend on the complexity of interface. Impress us, nothing trivial. You must not interfere with the assignment functionality and implementation.
  • (10 pts) Make your server run on the OSX platform.
  • (5 pts) Create the ability on the client to display the chat history per each user to user chat. When a chat window opens, display all previous messages exchanged before accepting new messages.
  • (5 pts) Use sqlite3 to store the user information for authentication.
  • (2 pts) Customize your xterm chat windows. Impress us, nothing trivial.

文章作者: SafePoker
版权声明: 本博客所有文章除特別声明外,均采用 CC BY 4.0 许可协议。转载请注明来源 SafePoker !
  目录