Encrypting data before transfering?
by Stefan Lundmark · in General Discussion · 06/23/2004 (9:59 am) · 6 replies
I was thinking today about our way of letting users log onto their accounts. Is it really safe to send a clean password over the wire to the server?
Does it matter if I encrypt the data on the drive?
I've heard all about how it's possible to sniff for stuff like that, but on the other hand - I have also heard encryption is pretty breakable as well, if the malicious user can make his own password and see how it looks encrypted?
Any thoughts about this?
How do the usual communities (maybe GG for that matter too?) do this, you think?
Does it matter if I encrypt the data on the drive?
I've heard all about how it's possible to sniff for stuff like that, but on the other hand - I have also heard encryption is pretty breakable as well, if the malicious user can make his own password and see how it looks encrypted?
Any thoughts about this?
How do the usual communities (maybe GG for that matter too?) do this, you think?
About the author
#2
I'll check the resource out, it sounds like it could bring up some ideas and help! Thanks alot
Edit: I just realised that the resource was only for HTTPObject. I'm using MySQL with Torque directly, but the client never has any connection with the MySQL server.
06/23/2004 (10:27 am)
Ouch Harold, ain't that VERY advanced? I know a bit MD5, but the rest is pure greek to me.I'll check the resource out, it sounds like it could bring up some ideas and help! Thanks alot
Edit: I just realised that the resource was only for HTTPObject. I'm using MySQL with Torque directly, but the client never has any connection with the MySQL server.
#3
The problem with this scheme is the sniffer can sniff the hashed password off the network and then just send that over using a hacked client to log in as the real user. The server would have no idea he was just parroting the CRC and not generating it him/herself from a valid password.
For most games, though, I'd say don't worry too much about it. Unless you're storing accessible financial information of your players through this system, they won't expect it to be *super* secure.
06/23/2004 (10:59 am)
Quote:
and from then on all logins would only pass the CRC value of the password to the server
The problem with this scheme is the sniffer can sniff the hashed password off the network and then just send that over using a hacked client to log in as the real user. The server would have no idea he was just parroting the CRC and not generating it him/herself from a valid password.
For most games, though, I'd say don't worry too much about it. Unless you're storing accessible financial information of your players through this system, they won't expect it to be *super* secure.
#4
I did a quick proof of concept with Davis of MRT and it worked fairly well, although my backed was a IIS server using a .net C# web application to validate the password against a MS SQL table.
Once I get off my lazy can I'll post the code as a resource, very basic stuff
I originaly was using libtom, but instead went with something else. Needs a major second set of eyes to ensure its security etc...
-Ron
06/23/2004 (11:04 am)
I have a resource that has yet to be posted, it addes an ecipher/decipher to the console class so that one can ecncrypt/decrypt any string.I did a quick proof of concept with Davis of MRT and it worked fairly well, although my backed was a IIS server using a .net C# web application to validate the password against a MS SQL table.
Once I get off my lazy can I'll post the code as a resource, very basic stuff
I originaly was using libtom, but instead went with something else. Needs a major second set of eyes to ensure its security etc...
-Ron
#5
Straight encryption or password hashing doesn't help all that much. Of course, _anything_ is better than sending passwords over the wire in clear text.
06/23/2004 (11:22 am)
You need some kind of a challenge response system. The server sends a bit of data over the line that's used in the hash computation. Prevents simple replay exploits. There are various key exchange and authentication protocols that you can look up. My advice is to pick one and follow it rigidly - it's really easy to make encryption useless because of minor implementation quirks.Straight encryption or password hashing doesn't help all that much. Of course, _anything_ is better than sending passwords over the wire in clear text.
#6
Thanks Harold, George, Ron and Mark for the insight.
06/23/2004 (12:05 pm)
Of course, anything can be hacked. But something is better than nothing, just like you said Mark. :)Thanks Harold, George, Ron and Mark for the insight.
Torque Owner Harold "LabRat" Brown
This resource: www.garagegames.com/index.php?sec=mg&mod=resource&page=view&qid=4085 includes an example of that by adding a stringCRC function that is compatible with the one used with PHP.
With that method accounts could be created via an SSL webpage, and from then on all logins would only pass the CRC value of the password to the server.
You could also add any other hash method you wished to the source, MD5, SHA, etc.
For further security your login process could be a multi-step process where the client contacts the server to request authentication protocol specifications. This could be a bit flags that would tell the client what hash method to use, if a seed text should be added to the password, and if that seed text should be pre- or post- appended to the password.
This would give you a constantly shifting authentication system, for even more fun you could add in a flag to designate different orders that the bit flags would appear in.