internal md5() of client.ckey for remote login security

BYOND Forums

Announcements · BYOND Help · Bug Reports · Feature Requests · Beta Testers · Beta Bugs · Developer Help · Design Philosophy · Demos & Libraries · Tutorials & Snippets · Art & Sound · Classified Ads · Game Updates · Contests & Events · Linux Talk · On Topic · Off Topic

ID:92088

Feb 25 2010, 2:44 am

Gakumerasara

Redundant

Effectively solved with issue 2050

Applies to:

DM Language

Status:

Redundant

This feature has already been implemented, or is already achievable with existing methods.

Tom wrote:

The basic idea is to have two DM functions:

* Function #1: given a client and a seed, return a unique value. This value would basically be an internal md5() of the corresponding ckey and the seed, salted with some arbitrary values and thus obfuscated (let's call that internal_hash(ckey,seed)). It would only be useable with active clients, even though it is based of the ckey.

* Function #2: given a ckey, a seed, and a value, run internal_hash(ckey,seed) and return 0/1 if it matches/doesn't match value.

To use this, the outside server could send a (random) seed to the BYOND program, which could then perform function #1 on a live client and send the result back to the server. The server could run function #2 to see if the results match; if they do, it could send whatever data the game originally requested (in Gaku's case, a list of forum notifications for the requesting client/ckey). A malicious game could spoof this info, but only for clients currently logged in (and if the seed changes when they aren't, spoofing would fail).

Feb 25 2010, 11:33 am
Tom	This is easy to implement and we'll do it in a future release. My only hangup at the moment is coming up with a slightly better presentation than two obscure functions.