Designing a Secure Client-Server System

Type

Master Thesis

Abstract

This report describes and discusses the design of a client-server system from a security point of view. The main topics are authentication and data security, the latter of which can be divided into secure transfer and secure storage. Authentication is the act in which the server and the user prove their knowledge of a shared secret to each other. The shared secret can be of three different types: something you know, something you have, or something you are. In a software system, a combination of something you know and something you have, for example a password and a hardware token, is the best choice where high security is important. To authenticate without revealing the secret to the other party or to any external party, an algorithm is used that applies techniques from public key cryptography and has a design similar to a Diffie-Hellman key exchange. Data security depends mainly on two properties, confidentiality and integrity, and if both can be guaranteed the data is considered secure. Confidentiality is provided by symmetric key encryption, and integrity is provided by either a message digest or a MAC.

Keywords

Software Engineering
