[MUD-Dev] strong encryption for authentication
Edward Glowacki
glowack2 at msu.edu
Fri Jul 13 07:57:28 CEST 2001
Quoted from Caliban Tiresias Darklock on Wed, Jul 11, 2001 at
09:13:06PM -0700:
> On Wed, 11 Jul 2001 15:02:44 -0400, Travis Casey
> <efindel at earthlink.net> wrote:
>> If you're not using some form of encryption, then what good does
>> a cookie-based OTP scheme do? If someone running a sniffer
>> intercepts the cookie
> ...it will be worthless.
> The cookie is randomly generated by the server when the password
> prompt is presented. It is then hashed into the player's password
> and returned. The player still provides his password on every
> login, but the data sent to the server is dependent on the cookie,
> and the cookie is random. If the password provided is wrong, he
> will be presented with a different cookie at the next password
> prompt. It will ONLY work for *this* player on *this* socket at
> *this* password prompt, and only if he enters the correct
> password.
"hashed into the player's password" could mean anything. Is this a
true encryption (using a known and tested algorithm)? If it's not,
then it is still possible to sniff both the cookie the server sends
and the response the client sends, and with a little analysis of
those pieces the password should be easy to retrieve. Of course,
analysis might require first ripping the hash algorithm from the
client code, but that's doable I think.
--
Edward Glowacki glowack2 at msu.edu
"Speak softly and carry a +6 two-handed sword." --fortune
_______________________________________________
MUD-Dev mailing list
MUD-Dev at kanga.nu
https://www.kanga.nu/lists/listinfo/mud-dev
More information about the mud-dev-archive
mailing list