I regret I still don't get it...

My #1 priority is ensuring that baddies can not trick my server into doing bad things. I assume that baddies own my client and everything in it. ...

... the client and the server are running in the same machine, communicating using Unix Sockets. If the bad people "own" the client, what is to stop them sending well formed messages to the server, whatever format you choose ? Since they own the client, they own all the required code... Shirley ?

Your authentication presumably is expected to prevent a bad person from connecting to the server ? If so, then the threat is the bad person injecting requests into an existing open conversation ? You say you don't need to worry about encryption... you may be missing the dual purpose of encrypting. The first, and obvious, purpose is to prevent someone who can intercept the conversation from being able to read it. The second, and not so obvious, purpose is to detect attempts to (a) inject stuff into, or (b) remove stuff from, or (c) tamper with the conversation. Obviously, you arrange for both ends to establish a session key during the authentication step, in such a way that the bad person cannot know it. Now, if each message is transmitted with the length of the data, the data and a crc -- where the data is encrypted -- then only after decrypting the data will the crc pass. Which implies that only people with a copy of the session key can send a valid message, or mess with a message and have it still be valid. To detect removed messages you need to include a sequence number in each one.

I'm still struggling to understand the objective, though. As I said, if the bad people can get to own the client, it's hard to see what you can do to prevent them using it to send bad stuff to the server, simply by using the client... Even if every request requires username & password, if the bad people own the client, they just capture the credentials ?

In reply to Re: IPC Messages Redux by gone2015
in thread IPC Messages Redux by pileofrogs

Title:
Use:  <p> text here (a paragraph) </p>
and:  <code> code here </code>
to format your post, it's "PerlMonks-approved HTML":


  • Posts are HTML formatted. Put <p> </p> tags around your paragraphs. Put <code> </code> tags around your code and data!
  • Titles consisting of a single word are discouraged, and in most cases are disallowed outright.
  • Read Where should I post X? if you're not absolutely sure you're posting in the right place.
  • Please read these before you post! —
  • Posts may use any of the Perl Monks Approved HTML tags:
    a, abbr, b, big, blockquote, br, caption, center, col, colgroup, dd, del, details, div, dl, dt, em, font, h1, h2, h3, h4, h5, h6, hr, i, ins, li, ol, p, pre, readmore, small, span, spoiler, strike, strong, sub, summary, sup, table, tbody, td, tfoot, th, thead, tr, tt, u, ul, wbr
  • You may need to use entities for some characters, as follows. (Exception: Within code tags, you can put the characters literally.)
            For:     Use:
    & &amp;
    < &lt;
    > &gt;
    [ &#91;
    ] &#93;
  • Link using PerlMonks shortcuts! What shortcuts can I use for linking?
  • See Writeup Formatting Tips and other pages linked from there for more info.