Just wanted to ask if anyone has any pointers with my idea for login. I'm going to use a WCF webservice over SSL to do the login system. The client will make the connection, BCrypt the pw on the client side, send the username and BCrypt'd pw to the server via the web service, have the server web service check against the database and return FAILURE if incorrect match OR a GUID as the session ID if successful match. After that all other data will be sent over a non encrypted channel as it's not critical.
Is this enough security around this? Am I missing any holes? My biggest fear with this stuff is I miss a big security hole and something gets compromised and people sue me if the game becomes popular enough. Seems you could go from hero to zero in a matter of hours with online games and security around them.
1
.NET SSL login security
Started by rpiller, Feb 11 2012 08:30 AM
6 replies to this topic
Ad:
#3 Moderators - Reputation: 1822
Posted 11 February 2012 - 02:39 PM
I think you probably want to do challenge-response on the password. Send a one-time code to be hashed with the password (the challenge), and check that it matches what the server expects (the response). This avoids sending any sensitive info over the wire.
#4 Members - Reputation: 128
Posted 11 February 2012 - 03:03 PM
So I don't want to store their clear text password in my database. When they signup from the website I would like to BCrypt their PW with their own custom salt. Then store the BCrypt'd value along with the salt in the database.
So given that, now when they sign in from the client application I couldn't just send a challenge down to the client to hash and send back. Wouldn't I have to send the original salt and a challenge code. BCrypt their password with the salt to get the same value stored in the database, then hash with the challenge code and send back to the server. Then the server would take their BCrypt'd pw in the database and hash it with the same challenge code to compare.
Is that valid and secure?
Also, is there any way I can let them signup securely from a client program instead of a website? I'd prefer to do it that way personally. How do things like Steam keep it secure since it's a client install?
So given that, now when they sign in from the client application I couldn't just send a challenge down to the client to hash and send back. Wouldn't I have to send the original salt and a challenge code. BCrypt their password with the salt to get the same value stored in the database, then hash with the challenge code and send back to the server. Then the server would take their BCrypt'd pw in the database and hash it with the same challenge code to compare.
Is that valid and secure?
Also, is there any way I can let them signup securely from a client program instead of a website? I'd prefer to do it that way personally. How do things like Steam keep it secure since it's a client install?
#5 Moderators - Reputation: 1805
Posted 12 February 2012 - 10:16 PM
The point of requiring bcrypt is to force the SERVER to do a lot of work to verify the password. This is so that any brute-force attacker would similarly have to use that same amount of work to brute-force a password.
You can receive the password unencrypted from the client, if you use SSL/TLS for the communication, such as with HTTPS. Then you can use bcrypt on the server, with salt, and you'll be good.
Challenge/hash for passwords is only required if you are communicating over a clear channel, and in that case, you really need to store something equivalent to the clear-text password in the database. If you store a hash, and verify that the client can calculate hash(challenge, hash(password)), then the client can solve the challenge without knowing password, only hash(password) (which you store in the database).
You can receive the password unencrypted from the client, if you use SSL/TLS for the communication, such as with HTTPS. Then you can use bcrypt on the server, with salt, and you'll be good.
Challenge/hash for passwords is only required if you are communicating over a clear channel, and in that case, you really need to store something equivalent to the clear-text password in the database. If you store a hash, and verify that the client can calculate hash(challenge, hash(password)), then the client can solve the challenge without knowing password, only hash(password) (which you store in the database).
enum Bool { True, False, FileNotFound };
#6 Moderators - Reputation: 2482
Posted 13 February 2012 - 04:20 AM
Quote
Also, is there any way I can let them signup securely from a client program instead of a website?
- How are you going handle certificate renewal and revocation?
- What about requiring users to have a valid email address (e.g. requiring the user to click on a link delivered to said address to activate their account).
- If not, how are you going to manage an "I forgot my password" system?
- Do you want to require a CAPTHCA to prevent automated account creation?
- Does account sign-up involve sensitive personal information or banking details, or is it just nickname/password?
- ...
Quote
How do things like Steam keep it secure since it's a client install?
From the user's point of view, their machine is the most trusted. From the server's point of view, the client's machine cannot be trusted (without evidence, e.g. username/password). From an attackers point of view, the client's machine is often the vulnerable "weak link" that can be compromised to steal an account.
Again, you need to define the properties of a "secure" sign-up before we can start talking about it.
#7 Members - Reputation: 128
Posted 13 February 2012 - 08:45 AM
Quote
You can receive the password unencrypted from the client, if you use SSL/TLS for the communication, such as with HTTPS. Then you can use bcrypt on the server, with salt, and you'll be good.
Thanks, that's what I was looking for.
Thanks for the thoughts rip-off
