[crossfire] Challenge-Response login, proof of concept implementation ready

AnMaster anmaster at tele2.se
Tue Jun 10 13:38:42 CDT 2008


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Seems this didn't get through first time so trying again.

Rick Tanner wrote:
| AnMaster wrote:
| |
| | Backward compatibility would be supported by plain text login once and
| | then upgrade password in player file to store the "shared secret", then
| | HMAC-SHA256 would be used in future to log in. I feel that it is less of
| | an issue storing an unencrypted shared secret on the server than, as we
| | currently do, sending it in plain text over network.
|
| What about password resets in cases where a player returns from a long
| hiatus and can't remember their password?
|
| Under the current system, a person with server/shell access can reset
| that player's password. Would this new system prevent this?
|
No. As it is a shared secret, it would actually have to be stored in plain text on the
server (still less of an issue than sending it unencrypted, or if that is considered a
very bad issue, I could use a more sophisticated protocol, like the one SSH uses).

And yes, resetting the password on the server would be possible both ways.

Regards,

Arvid Norlander
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.9 (GNU/Linux)

iEYEAREKAAYFAkhOyjAACgkQWmK6ng/aMNkHLACfff9dwQCC2u/7ILwLzKStkGII
Bw4AoKPghXqt4L2WYuPSIWMIuYp9AJW3
=XBxi
-----END PGP SIGNATURE-----
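The exchange the thread discusses, written out as an added example that is not part of the original mail or of the crossfire code base: the server keeps the shared secret in the clear (as the reply says it must), issues a fresh random challenge per login, and the client answers with HMAC-SHA256 over that challenge, so the secret itself never crosses the network. The player name, the secret, the 32-byte nonce size and the in-memory "player file" are all constructed for the example; the `reset_password` helper stands in for the server-side reset Rick asks about.

```python
import hmac
import hashlib
import secrets

# Constructed stand-in for the server's player file: player name -> shared secret.
# Both ends need the same bytes to compute the same HMAC, which is why the mail
# says the secret has to be stored unencrypted on the server.
PLAYER_FILE = {"alice": b"correct horse battery staple"}


def server_issue_challenge() -> bytes:
    """Server side: a fresh, unpredictable nonce for each login attempt."""
    return secrets.token_bytes(32)  # assumed size; any unguessable value works


def client_respond(shared_secret: bytes, challenge: bytes) -> bytes:
    """Client side: prove knowledge of the secret without transmitting it."""
    return hmac.new(shared_secret, challenge, hashlib.sha256).digest()


def server_verify(player: str, challenge: bytes, response: bytes) -> bool:
    """Server side: recompute the expected MAC and compare in constant time."""
    secret = PLAYER_FILE.get(player)
    if secret is None:
        return False
    expected = hmac.new(secret, challenge, hashlib.sha256).digest()
    return hmac.compare_digest(expected, response)


def login_exchange(player: str, client_secret: bytes) -> bool:
    """One complete challenge/response round trip; True if the server accepts."""
    challenge = server_issue_challenge()      # server -> client
    response = client_respond(client_secret, challenge)  # client -> server
    return server_verify(player, challenge, response)


def stale_response_rejected(player: str, client_secret: bytes) -> bool:
    """Property check: a response computed for an earlier challenge must not
    satisfy a later one, because the nonce is bound into the MAC."""
    old_challenge = server_issue_challenge()
    old_response = client_respond(client_secret, old_challenge)
    new_challenge = server_issue_challenge()
    return not server_verify(player, new_challenge, old_response)


def reset_password(player: str, new_secret: bytes) -> None:
    """The reset case from the thread: someone with server access simply
    overwrites the stored secret; no network exchange is involved."""
    PLAYER_FILE[player] = new_secret


if __name__ == "__main__":
    print("correct secret accepted:", login_exchange("alice", b"correct horse battery staple"))
    print("wrong secret rejected:", not login_exchange("alice", b"wrong"))
    print("stale response rejected:", stale_response_rejected("alice", b"correct horse battery staple"))
    reset_password("alice", b"new secret after reset")
    print("login after reset:", login_exchange("alice", b"new secret after reset"))
```

The constant-time comparison and the per-attempt nonce are the two details that make the scheme hold up: the first keeps the server from leaking the expected MAC one byte at a time through timing, the second keeps a recorded response from being useful a second time. What the scheme does not change is the server-side storage question raised in the mail; the secret is still readable by anyone with shell access to the player files.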


