[Q] Practical Work 3 - UDP Authentication #176
-
I've recently wandered through the grading criteria for practical work 3, and I wanted to know if they are up-to-date, especially the following:
If that is required, would source IP-based authentication be enough? Even if it can be spoofed, especially in intranets, it can be hard when going through the WAN. (cc @AlexandrePhilibert)
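For reference, here is an added example (not code from the course, the practical work, or anyone in this thread) of authenticating UDP datagrams without trusting the source IP at all: each datagram carries a sequence number and an HMAC-SHA256 tag over the sequence number and payload, and the receiver accepts it only if the tag verifies under the shared key and the sequence number has not been seen before. The shared key, the wire format, and the sample addresses and payloads are assumptions made for this example.

```python
import hashlib
import hmac
import struct
from typing import Optional, Tuple

# Assumption: emitters/clients share a key with the receiver, provisioned out
# of band (e.g. a config file). This value is constructed for the example only.
SHARED_KEY = b"example-shared-key-do-not-reuse"
SEQ_LEN = 8    # 64-bit big-endian sequence number
TAG_LEN = 32   # HMAC-SHA256 output length


def build_datagram(key: bytes, seq: int, payload: bytes) -> bytes:
    """Assumed wire format: seq(8) || payload || HMAC-SHA256(key, seq || payload)."""
    header = struct.pack("!Q", seq)
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()
    return header + payload + tag


class AuthenticatingReceiver:
    """Accepts a datagram only if its MAC verifies and its sequence number is fresh."""

    def __init__(self, key: bytes) -> None:
        self.key = key
        self.last_seq = -1  # highest sequence number accepted so far

    def accept(self, datagram: bytes, source_addr: Tuple[str, int]) -> Optional[bytes]:
        # source_addr is whatever recvfrom() reported. It is logged at most;
        # it is never used as proof of who sent the datagram.
        if len(datagram) < SEQ_LEN + TAG_LEN:
            return None
        header = datagram[:SEQ_LEN]
        payload = datagram[SEQ_LEN:-TAG_LEN]
        tag = datagram[-TAG_LEN:]
        expected = hmac.new(self.key, header + payload, hashlib.sha256).digest()
        # Constant-time comparison: the tag is checked before anything else is trusted.
        if not hmac.compare_digest(tag, expected):
            return None
        (seq,) = struct.unpack("!Q", header)
        # Replay check: a re-sent copy of an old datagram is dropped even though
        # its MAC is valid.
        if seq <= self.last_seq:
            return None
        self.last_seq = seq
        return payload


def demo() -> dict:
    """Runs the receiver against constructed datagrams and returns what was accepted."""
    receiver = AuthenticatingReceiver(SHARED_KEY)
    claimed_source = ("10.0.0.5", 4242)  # constructed address; irrelevant to the decision
    results = {}

    good = build_datagram(SHARED_KEY, 1, b"temperature=21.5")
    results["valid"] = receiver.accept(good, claimed_source)

    # Same bytes delivered a second time: MAC is fine, sequence number is stale.
    results["replay"] = receiver.accept(good, claimed_source)

    # Payload changed in transit (same length), tag left as is: MAC mismatch.
    tampered = good[:SEQ_LEN] + b"temperature=99.9" + good[-TAG_LEN:]
    results["tampered"] = receiver.accept(tampered, claimed_source)

    # Datagram built without the key but with the "right" source address: rejected,
    # which is exactly the case a source-IP check alone would get wrong.
    forged = build_datagram(b"not-the-real-key", 2, b"temperature=0.0")
    results["wrong_key"] = receiver.accept(forged, claimed_source)

    # A fresh, correctly keyed datagram is still accepted afterwards.
    results["next"] = receiver.accept(build_datagram(SHARED_KEY, 2, b"humidity=40"), claimed_source)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:9s} -> {'accepted ' + repr(outcome) if outcome else 'rejected'}")
```

The source address in a UDP datagram is just a header field written by whoever sent it, so an allowlist on it only proves that the sender knew which address to write. The MAC instead ties the datagram to knowledge of the key, and the sequence number catches a replayed copy, which no address check can. Two caveats: UDP may reorder datagrams, so a strictly increasing counter drops legitimate late arrivals (a receive window is the usual fix), and the shared key must be distributed over some channel other than the UDP stream itself.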
-
Hi!

What we wanted to illustrate with these criteria are more in the architecture/design of the application more than the security aspect of it.

If we take the demonstration made by @hadrylouis, the emitters emit messages (temperature, humidity, pressure) for all other users to use ("affect all users"). The clients can retrieve/ask the receiver to send its data individually and the receiver will send the data to them ("unique to one user").

Retrieving the data from a receiver shouldn't affect the other clients: if one client asks for the temperature average, another client should be able to request the exact same data without any issue. It's not because one client asked for the data that the common data are gone/lost for the other clients ("no one can manipulate items from another client if it is not authorized").

Depending on your use-case (I don't have your project in mind at the moment, I'm sorry), an authentication/authorization system might be needed. However, as we haven't seen any authentication/authorization mechanisms during the course, you can go for the easiest way to implement it in the best-case scenario.

TL;DR: Go for the easiest way to manage your use-case, we will not penalize you if some security concerns are omitted.

Does that answer your question?