Hello everyone, this is the first time I have posted a question here.

So I need a little help with a TCP connection for a gaming server. Basically, the gaming server is a shell and has configs to use it remotely by connecting on port 3443, but with USERNAME and PASSWORD. Is there any possible way to do it? And if there is, would someone like to help me?

Yes, but it won't be TCP, strictly speaking. The approach to such things is considered in the following way: you create another protocol over TCP, the one of the application layer:
http://en.wikipedia.org/wiki/Application_layer.

And this protocol could be custom or standard (see the list in the article referenced above), but it should have provisions for your username/password. There is always an application layer of the protocols on this layer, even if you don't call it a protocol, but you'd better do.

Now, in this feature, there is nothing going beyond just one TCP connection. Two parts of connected hosts exchange messages in a dialog-like manner.

Now, the authentication itself is a big security issue. If a user sends a password directly, it can always be eavesdropped. If your service host stores the passwords in their original form, someone can steal them. But a password belongs only to the user who created it; no one, even the administrator, has the right to know passwords. Are these problems resolvable? This is a very non-trivial question, but the answer is: yes!

(In fact, passwords should never be stored. This is absolutely not needed for authentication. If you are surprised, keep reading.)

There are somewhat different approaches, but the most usual approach is based on the combination of two encryption technologies:
http://en.wikipedia.org/wiki/Public-key_cryptography,
http://en.wikipedia.org/wiki/Cryptographic_hash_function.

Your dialog should resemble the dialog between Alice and Bob explained in the first article referenced above. Your service and client parts should each create a brand-new pair of keys in every authentication act. This way, even if someone permanently listens to the packets being sent/received, it cannot make it possible to impersonate the client. This is basically similar to how HTTPS with SSL works. And the second technology allows you to avoid sending any passwords in their original form through the network at all.

See also:
http://en.wikipedia.org/wiki/HTTPS,
http://en.wikipedia.org/wiki/Secure_Sockets_Layer.

On the topic of password storage and hash functions, please see my past answers:
storing password value int sql server with secure way,
Decryption of Encrypted Password,
i already encrypt my password but when i log in it gives me an error. how can decrypte it.

By the way, keep in mind that your custom connection might not pass firewalls. Just think about it.

—SA
S A Krykov has given a comprehensive answer. I just want to add one point...

I strongly recommend that you use PKCS #5 standard to implement password based authentication.

See http://www.rsa.com/rsalabs/node.asp?id=2127 for details.
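
The point made in both answers (store no passwords, derive a verifier with PKCS #5) looks like this with PBKDF2, the key derivation function PKCS #5 defines. This is an added example, not code from either answer; the function names, record format and iteration count are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os

# Assumed parameters for this illustration; tune ITERATIONS to your hardware.
ITERATIONS = 600_000
SALT_LEN = 16   # bytes of per-user random salt
KEY_LEN = 32    # bytes of derived key kept as the verifier


def make_record(password: str, iterations: int = ITERATIONS) -> str:
    """Derive a verifier from the password; only this record is stored."""
    salt = os.urandom(SALT_LEN)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             salt, iterations, dklen=KEY_LEN)
    # Hypothetical record layout: scheme$iterations$salt$derived_key
    return f"pbkdf2-sha256${iterations}${salt.hex()}${dk.hex()}"


def verify(password: str, record: str) -> bool:
    """Repeat the derivation with the stored salt; compare in constant time."""
    try:
        scheme, iters, salt_hex, dk_hex = record.split("$")
        iterations = int(iters)
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(dk_hex)
    except ValueError:
        return False  # malformed record: fail closed
    if scheme != "pbkdf2-sha256" or iterations < 1 or not expected:
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             salt, iterations, dklen=len(expected))
    return hmac.compare_digest(dk, expected)


if __name__ == "__main__":
    # Constructed account data, for demonstration only.
    users = {"player1": make_record("correct horse battery staple")}
    print(users["player1"])
    print(verify("correct horse battery staple", users["player1"]))  # True
    print(verify("guess", users["player1"]))                         # False
```

This covers only what the server keeps on disk; the password still has to travel over an encrypted channel such as the SSL/TLS dialog described in the first answer.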

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)