[crossfire] Challenge-Response login, proof of concept implementation ready

AnMaster anmaster at tele2.se
Tue Jun 10 13:13:53 CDT 2008


Rick Tanner wrote:
| AnMaster wrote:
| |
| | Backward compatibility would be supported by plain text login once and
| | then upgrade password in player file to store the "shared secret", then
| | HMAC-SHA256 would be used in future to log in. I feel that it is less of
| | an issue storing an unencrypted shared secret on the server than, as we
| | currently do, sending it in plain text over the network.
|
| What about password resets in cases where a player returns from a long
| hiatus and can't remember their password?
|
| Under the current system, a person with server/shell access can reset
| that player's password.  Would this new system prevent this?
|
No. As it is a shared secret, it would actually have to be stored in plain text on the
server (still less of an issue than sending it unencrypted; or, if that is considered a
very bad issue, I could use a more sophisticated protocol, like the one SSH uses).

And yes, resetting a password on the server would be possible both ways.

Regards,

Arvid Norlander
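The HMAC-SHA256 challenge-response login sketched in this thread, written out as an added example (not code from the Crossfire project): the server keeps the shared secret as-is in the player record, issues a fresh random nonce per login attempt, and accepts the login only if the client's HMAC over that nonce matches; each nonce is single-use, so a captured response cannot be replayed. Class and function names are assumptions for illustration.

```python
import hashlib
import hmac
import os


def client_response(shared_secret: bytes, nonce: bytes) -> bytes:
    """Client side: prove knowledge of the secret without sending it."""
    return hmac.new(shared_secret, nonce, hashlib.sha256).digest()


class LoginServer:
    """Server side of the exchange. Secrets are stored unencrypted,
    exactly the trade-off discussed in the thread, so a shell user can
    still reset them; the gain is that the secret never crosses the wire."""

    def __init__(self) -> None:
        self.secrets: dict[str, bytes] = {}   # player -> shared secret
        self.pending: dict[str, bytes] = {}   # player -> outstanding nonce

    def upgrade_from_plaintext(self, player: str, password: str) -> None:
        """One-time plain-text login upgrades the player file to a shared secret."""
        self.secrets[player] = password.encode("utf-8")

    def challenge(self, player: str) -> bytes:
        """Issue a fresh 16-byte nonce; a new challenge replaces any old one."""
        nonce = os.urandom(16)
        self.pending[player] = nonce
        return nonce

    def verify(self, player: str, response: bytes) -> bool:
        """Check the response against the outstanding nonce, then discard it."""
        nonce = self.pending.pop(player, None)      # single-use: no replay
        secret = self.secrets.get(player)
        if nonce is None or secret is None:
            return False
        expected = hmac.new(secret, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)  # constant-time compare


def login_round_trip(server: LoginServer, player: str, secret: bytes) -> bool:
    """Run one full exchange: challenge -> client response -> server verify."""
    nonce = server.challenge(player)
    return server.verify(player, client_response(secret, nonce))
```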