Android Question Is it possible to add authentication to Cloud KVS?

Widget

Well-Known Member
Licensed User
Longtime User
I want to have secure access to a Cloud KVS server where the application has to enter a username, pw (hashed?) before it is allowed to connect to the server. I was hoping the KVS class would already have a connection username, pw properties already defined. The server would have a list of defined usernames/pw combinations either in a map or a db table and would let only those users connect.

Without authentication it would be easy enough to reverse engineer the code to get a list of possible user names or pw in an attempt to hack the server.

TIA
 

Erel

B4X founder
Staff member
Licensed User
Longtime User
There are several ways to implement it and it really depends on your use case.

> Without authentication it would be easy enough to reverse engineer the code to get a list of possible user names or pw in an attempt to hack the server.
Not really. The server never returns a list of users. So the client will need to guess the other user values. You can use any value you like for the user field. You can for example use the hash of the username and password as the 'user' value.
 

Widget

Well-Known Member
Licensed User
Longtime User
> There are several ways to implement it and it really depends on your use case.
>
> Not really. The server never returns a list of users.
I would prefer the server have its own list of user names/passwords (map or DB Table) and not allow the user to connect if the user tries to sign in with an invalid pair. The client would be sent back an error code "Unable to connect with username/pw".

> So the client will need to guess the other user values. You can use any value you like for the user field. You can for example use the hash of the username and password as the 'user' value.
Unfortunately "guessing" is how hackers get into computer systems. They already have a list of hashes ready to try out and it will be easy enough to reverse engineer the code to see how the hashing was performed.

What's going to happen if someone comes up with their own username/pw pair and starts adding millions of rows of random data to the server? Is there a way to prevent this?

TIA
 

Erel

B4X founder
Staff member
Licensed User
Longtime User
> Unfortunately "guessing" is how hackers get into computer systems. They already have a list of hashes ready to try out and it will be easy enough to reverse engineer the code to see how the hashing was performed.
Not if it is implemented correctly. You can let the server assign a unique user string for each user (with 5000 characters).

I agree that you will need to add a protection layer if you intend to deploy CloudKVS in an untrusted environment. You can use FirebaseAuth to authenticate the user locally and then on the server.
 

Widget

Well-Known Member
Licensed User
Longtime User
> Not if it is implemented correctly. You can let the server assign a unique user string for each user (with 5000 characters).

I still don't see how I can use Cloud KVS to create a unique user string on the Cloud KVS server and when the user connects to the server, use Cloud KVS to validate the connecting user string to the User strings stored on the server.

> I agree that you will need to add a protection layer if you intend to deploy CloudKVS in an untrusted environment. You can use FirebaseAuth to authenticate the user locally and then on the server.
I don't trust Google or any 3rd party source to validate who can access my server. Not with all of the data leaks going around and it takes years for them to be disclosed. They could easily lose the information or shut down their operation leaving me in the lurch. (Google has done this before with some of their services.) If I wouldn't trust Google with the key to my house, why would I trust them with the key to my servers?
 
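A sketch of the server-side check discussed in this thread, as an added example that is not part of any post and is not CloudKVS or B4X code: Python stands in for the server, and `AuthStore`, its method names and the sample account are hypothetical. It keeps salted PBKDF2 password hashes on the server, rejects invalid username/password pairs, issues a random server-assigned token to use as the 'user' value, and caps the rows each user may write.

```python
import hashlib
import hmac
import os
import secrets

class AuthStore:
    """Hypothetical server-side credential store; not part of CloudKVS."""

    def __init__(self, max_rows_per_user=1000):
        self._creds = {}   # username -> (salt, PBKDF2 hash); plaintext is never stored
        self._tokens = {}  # sha256(token) -> username
        self._rows = {}    # username -> rows written so far
        self.max_rows = max_rows_per_user

    @staticmethod
    def _kdf(password, salt):
        # Slow, salted hash: a precomputed list of hashes is useless against it.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

    def register(self, username, password):
        salt = os.urandom(16)
        self._creds[username] = (salt, self._kdf(password, salt))

    def login(self, username, password):
        """Return a fresh random token, or None for an invalid pair."""
        # Unknown users still cost one KDF run, so timing does not reveal valid names.
        salt, stored = self._creds.get(username, (b"\0" * 16, b""))
        if not hmac.compare_digest(self._kdf(password, salt), stored):
            return None
        token = secrets.token_urlsafe(32)  # 256 random bits, nothing to reverse engineer
        self._tokens[hashlib.sha256(token.encode()).digest()] = username
        return token

    def authorize_put(self, token, rows=1):
        """Return the username to store rows under, or None (bad token or quota hit)."""
        user = self._tokens.get(hashlib.sha256(token.encode()).digest())
        if user is None or self._rows.get(user, 0) + rows > self.max_rows:
            return None
        self._rows[user] = self._rows.get(user, 0) + rows
        return user

if __name__ == "__main__":
    store = AuthStore(max_rows_per_user=3)
    store.register("alice", "correct horse")      # constructed sample account
    print(store.login("alice", "guess"))          # invalid pair
    token = store.login("alice", "correct horse")
    print(store.authorize_put(token, rows=2))     # within quota
    print(store.authorize_put(token, rows=2))     # would exceed quota of 3
```

The server takes the 'user' key from `authorize_put`, never from a client-supplied field, so a client cannot write under another user's name or past its quota.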