Re: [GD-General] Authentication security
From: Aaron D. <ri...@in...> - 2004-02-03 01:17:27
You realise that you can't chain together encrypted packets in CBC mode if you are using UDP for unreliable communications. If you intended on just encrypting the packets individually, make sure you include a sequence number or else you may be prone to replay attacks.

On Sun, 1 Feb 2004, Dan Thompson wrote:
> Hello again, everyone. I'm looking for a way to pass credentials securely over the wire. Here's what I'm planning, but I'm not sure how well this will work under UDP, if at all (I don't think so).
>
> 1) Users connect to an SSL port in the server, and submit credentials (hashed)
> 2) The server authenticates, and if successful, sends back some kind of huge session key over the secure link.
> 3) The client drops the SSL connection, and connects back on a standard port, and uses the session key as authentication over TCP. All semi sensitive data is sent across this link. (Anything critical is done over SSL).
>
> Now I can see that this is completely pointless with UDP. Session keys only work with a connection based protocol. I also know that this is by no means bulletproof - TCP hijacking and whatnot on the semi-sensitive link. However for a game... heh. Hopefully you don't need any more than this. However I still am up in the air on how to deal with authenticity of UDP packets. Since it's all based on source IP/port and player IDs, it seems like it would be fairly trivial to forge the source IP on a packet and move other people around. Of course, this requires knowing the other player's IP... but still.
>
> This seems to me to be a fairly important issue - especially with MMORPGs these days. Without a good authentication scheme, people could delete characters, etc, and people put a *lot* of time into those things.
>
> As per usual, the archives search was worthless. *twitch*
>
> Any ideas/comments?
> -Dan
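
Added example, not part of the original thread: a sketch of per-datagram authentication with a sequence number and a sliding replay window, using the session key handed out over the SSL login. It uses an HMAC tag instead of per-packet encryption, so it covers authenticity and replay only; the names seal and Receiver, the header layout, the tag length and the window size are all assumptions made for illustration.

```python
import hashlib
import hmac
import struct

TAG_LEN = 16                      # truncated HMAC-SHA256 tag (assumed size)
WINDOW = 64                       # how far behind the newest sequence number is still accepted
HEADER = struct.Struct("!IQ")     # assumed layout: 32-bit player id, 64-bit sequence number

def seal(key: bytes, player_id: int, seq: int, payload: bytes) -> bytes:
    """Build one datagram: header | payload | tag. Each datagram verifies on its own."""
    header = HEADER.pack(player_id, seq)
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()[:TAG_LEN]
    return header + payload + tag

class Receiver:
    """Server-side state for one player, keyed by the session key from the SSL login."""
    def __init__(self, key: bytes, player_id: int):
        self.key, self.player_id = key, player_id
        self.highest = -1         # newest sequence number accepted so far
        self.seen = 0             # bitmask: bit i set means (highest - i) was accepted

    def open(self, datagram: bytes):
        """Return the payload, or None if the datagram is forged, replayed or too old."""
        if len(datagram) < HEADER.size + TAG_LEN:
            return None
        header, payload, tag = datagram[:12], datagram[12:-TAG_LEN], datagram[-TAG_LEN:]
        expected = hmac.new(self.key, header + payload, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):
            return None           # wrong key or tampered; the source IP plays no part
        player_id, seq = HEADER.unpack(header)
        if player_id != self.player_id:
            return None
        if seq > self.highest:    # newer packet: slide the window forward
            shift = seq - self.highest
            self.seen = 1 if shift >= WINDOW else ((self.seen << shift) | 1) & ((1 << WINDOW) - 1)
            self.highest = seq
            return payload
        offset = self.highest - seq
        if offset >= WINDOW or (self.seen >> offset) & 1:
            return None           # too old, or already accepted (replay)
        self.seen |= 1 << offset  # late but fresh: UDP reordering and loss are tolerated
        return payload
```
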