Answer the question
In order to leave comments, you need to log in
Is the remote access implementation secure enough?
I implement software for remote management of a fleet of machines from a server, as a practice of programming and solving some applied task at work, like monitoring + machine control agents. Interested in the issue of security, tk. the agent has system access on local hosts, and I had no experience with the implementation of application security of this kind.
At the moment, a similar security system is being implemented:
The server generates a unique id and a random multi-digit password, generates an agent .exe file with an irreversible hash sum of the given password and its id. Next, the exe is downloaded and installed on the machine and the agent periodically knocks on the server's network socket (it needs to be initiated from the agent because they can be behind nat) with an attempt to connect. If the server is available, then the agent and the server give the public key generated by RSA, both generate a random number and encrypt with the key, give it to each other, decrypt it and use the sum of the numbers as the key for AES encryption, further exchange takes place using this key. The agent gives the server a new generated number encrypted with the hash sum of the password, the server, knowing the password, calculates the hash sum of the password and calculates this number, then using this number encrypts the password and sends it to the agent, he checks his hash sum and, if successful, it issues a temporary token to the server for a day, after which the procedure is repeated. How unsafe is this in terms of data transfer? we agree that the attacker has no access to the machine or the server
Answer the question
In order to leave comments, you need to log in
Not secure simply because you invented lisaped instead of SSL.
At a minimum, there is no tight protection against MitM
Didn't find what you were looking for?
Ask your questionAsk a Question
731 491 924 answers to any question