
Remote access between Windows computers with RSA-based user authentication

In this post I want to share an implementation of an additional user-authentication step for Remote Desktop access to a Windows computer, based on the RSA algorithm.

Task


Provide access to a remote computer only to specific users.

A Habr user will no doubt say right away that access can be restricted with the built-in authentication methods. I agree, but the customer would not accept that, citing keyloggers, password guessing and the like.

So he was offered authentication based on an asymmetric algorithm.

Idea


Required:
1. A generator for the public key (PK) and the secret key (SK);
2. The server part, which starts once Windows authentication has passed and waits for the user to prove possession of the SK;
3. The client part, which produces that proof with the SK and sends it to the server part.

Implementation


Stage one

A VPN connection was set up for working over the terminal (Remote Desktop).

Stage two: setting up the remote computer

1. Install the server part;
2. Generate the PK and SK;
3. Restrict reading and editing of the key file to everyone except the account under which the server part runs;
4. In the user's Remote Desktop settings, specify that the server part is to be started immediately when the user logs on:


Now more about the server part, or rather what happens after it starts.
First of all it blocks mouse movement and ignores keystrokes. The user can work on his own computer as usual, but inside the terminal session the remote computer ignores his actions until he sends it the correct SK-based response. The timeout is 3-5 minutes. If no response arrives within that time, the server part ends the Remote Desktop session.
If the SK is correct, the user is granted access.

Stage three: setting up the user's computer

1. Install the client part;
2. Configure Remote Desktop;
3. Copy the SK to removable media.

How it all works


The user opens a Remote Desktop session and passes Windows authentication:


After that the server immediately starts our server part, which blocks all input, sends an array of random bytes (the plaintext, in clear text) to the client and starts the 3-5 minute timer.

The user starts the client part and points it at the secret key; the plaintext is encrypted with the SK and the result is sent to the server.
The server decrypts the ciphertext with the PK and compares it with the plaintext. In RSA terms this is a signature over a server-chosen challenge; raw, unpadded RSA like this is fragile, so a real implementation should hash the challenge and use a standard signature padding (PKCS#1 v1.5 or PSS).

Whether the key fits or not, the user is shown the result on screen. Here the SK matched and the user can work on the remote computer.
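The exchange described above, as an added example that is not the post's own code (the author's sources were not published here): the server part issues a random challenge and starts a timer, the client part answers with the SK, and the server part verifies with the PK, rejects late or replayed answers, and reports the verdict. RSA is implemented on the standard library alone so the block runs offline; the 512-bit modulus, the SHA-256 hash of the challenge before exponentiation (the post exponentiates the raw plaintext), the 32-byte challenge size and the injectable clock are my assumptions for the demo, not details from the post.

```python
"""Challenge-response logon gate: the server part sends a random challenge,
the client part answers with the secret key (SK), the server part verifies
with the public key (PK) and enforces a timeout. Added example, not the
post's code."""
import hashlib
import secrets
import time


# ---- minimal RSA on the standard library (no third-party dependency) ----

def _is_probable_prime(n, rounds=16):
    """Miller-Rabin probable-prime test."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(2 + secrets.randbelow(n - 3), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits):
    while True:
        c = secrets.randbits(bits) | (1 << (bits - 1)) | 1   # exact size, odd
        if _is_probable_prime(c):
            return c


def generate_keypair(bits=512, e=65537):
    """Return (PK, SK) as ((n, e), (n, d)). 512 bits keeps this pure-Python
    demo fast (assumption); a real deployment needs at least 2048 bits."""
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        n, phi = p * q, (p - 1) * (q - 1)
        if p != q and n.bit_length() == bits and phi % e:
            return (n, e), (n, pow(e, -1, phi))


def _challenge_digest(challenge):
    """Value actually exponentiated: SHA-256 of the challenge (my change; the
    post exponentiates the raw plaintext). Always below the 512-bit modulus."""
    return int.from_bytes(hashlib.sha256(challenge).digest(), "big")


def client_respond(secret_key, challenge):
    """Client part: 'encrypt' the challenge with SK, i.e. an RSA signature."""
    n, d = secret_key
    return pow(_challenge_digest(challenge), d, n)


class AuthServer:
    """Server part: one outstanding challenge, single use, with a timeout."""

    def __init__(self, public_key, timeout_s=180, clock=time.monotonic):
        self.public_key = public_key
        self.timeout_s = timeout_s
        self.clock = clock          # injectable so the timeout can be tested
        self.challenge = None
        self.issued_at = None

    def issue_challenge(self):
        """Send 32 random bytes in clear text and start the timer."""
        self.challenge = secrets.token_bytes(32)
        self.issued_at = self.clock()
        return self.challenge

    def verify(self, response):
        """Return (granted, reason). The challenge is consumed either way."""
        if self.challenge is None:
            return False, "no challenge outstanding"
        challenge, issued_at = self.challenge, self.issued_at
        self.challenge = None                     # a replayed answer fails
        if self.clock() - issued_at > self.timeout_s:
            return False, "timeout, session terminated"
        n, e = self.public_key
        if not isinstance(response, int) or not 0 < response < n:
            return False, "malformed response"
        if pow(response, e, n) != _challenge_digest(challenge):   # 'decrypt' with PK
            return False, "secret key does not match"
        return True, "access granted"


def simulate(delay_s, timeout_s=180, wrong_key=False, replay=False):
    """One logon exchange on a simulated clock; returns the server's verdict."""
    public, secret = generate_keypair()
    if wrong_key:
        _, secret = generate_keypair()            # a key that is not the user's
    now = [0.0]
    server = AuthServer(public, timeout_s, clock=lambda: now[0])
    challenge = server.issue_challenge()          # travels in clear text
    now[0] += delay_s                             # user plugs in the SK media
    response = client_respond(secret, challenge)
    verdict = server.verify(response)
    return server.verify(response) if replay else verdict


if __name__ == "__main__":
    for kw in ({"delay_s": 30}, {"delay_s": 400}, {"delay_s": 30, "wrong_key": True}):
        print(kw, "->", simulate(**kw))
```

Two properties the post's description leaves implicit are enforced here: the challenge is single-use, so capturing a response on the wire and replaying it later fails, and the timeout is checked on the server's own clock, so a client cannot stretch the 3-5 minute window. Note that signing arbitrary server-chosen values makes the client a signing oracle for whoever runs the server end of the connection; the VPN in stage one is what keeps that end trustworthy.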


Specifications


  • Key length: 128 bytes (1024-bit RSA)
  • Any port can be used
  • Logging is supported


Where to apply

You can restrict access to your own computer or, as in this case, between offices in different locations.

Sources will be posted in the evening.

UPD: judging by the comments, Habr readers could not understand why it was all done this way. A small digression:
It was rightly said that this can be implemented with various technologies, but the main problem, in fact the requirement that was put forward, was speed of deployment on a new machine and granting access to a specific user rather than to a computer. Yes, access can be restricted by IP, but the human factor would still be present. In my case too, but here it comes down to the loss or handover of the SK to a third party.

Source: https://habr.com/ru/post/86474/

