Jump to content
  • Advertisement
Sign in to follow this  
rpiller

.NET SSL login security

This topic is 2499 days old which is more than the 365 day threshold we allow for new replies. Please post a new topic.

If you intended to correct an error in the post then please contact us.

Recommended Posts

Just wanted to ask if anyone has any pointers with my idea for login. I'm going to use a WCF webservice over SSL to do the login system. The client will make the connection, BCrypt the pw on the client side, send the username and BCrypt'd pw to the server via the web service, have the server web service check against the database and return FAILURE if incorrect match OR a GUID as the session ID if successful match. After that all other data will be sent over a non encrypted channel as it's not critical.

Is this enough security around this? Am I missing any holes? My biggest fear with this stuff is I miss a big security hole and something gets compromised and people sue me if the game becomes popular enough. Seems you could go from hero to zero in a matter of hours with online games and security around them.

Share this post


Link to post
Share on other sites
Advertisement
I think you probably want to do challenge-response on the password. Send a one-time code to be hashed with the password (the challenge), and check that it matches what the server expects (the response). This avoids sending any sensitive info over the wire.

Share this post


Link to post
Share on other sites
So I don't want to store their clear text password in my database. When they signup from the website I would like to BCrypt their PW with their own custom salt. Then store the BCrypt'd value along with the salt in the database.

So given that, now when they sign in from the client application I couldn't just send a challenge down to the client to hash and send back. Wouldn't I have to send the original salt and a challenge code. BCrypt their password with the salt to get the same value stored in the database, then hash with the challenge code and send back to the server. Then the server would take their BCrypt'd pw in the database and hash it with the same challenge code to compare.

Is that valid and secure?



Also, is there any way I can let them signup securely from a client program instead of a website? I'd prefer to do it that way personally. How do things like Steam keep it secure since it's a client install?

Share this post


Link to post
Share on other sites
The point of requiring bcrypt is to force the SERVER to do a lot of work to verify the password. This is so that any brute-force attacker would similarly have to use that same amount of work to brute-force a password.
You can receive the password unencrypted from the client, if you use SSL/TLS for the communication, such as with HTTPS. Then you can use bcrypt on the server, with salt, and you'll be good.
Challenge/hash for passwords is only required if you are communicating over a clear channel, and in that case, you really need to store something equivalent to the clear-text password in the database. If you store a hash, and verify that the client can calculate hash(challenge, hash(password)), then the client can solve the challenge without knowing password, only hash(password) (which you store in the database).

Share this post


Link to post
Share on other sites

Also, is there any way I can let them signup securely from a client program instead of a website?
[/quote]
Sure. Exactly what you need to do depends on your definition of "securely". Ensuring the client details are encrypted is relatively easy. However, there are other issues:

  • How are you going handle certificate renewal and revocation?
  • What about requiring users to have a valid email address (e.g. requiring the user to click on a link delivered to said address to activate their account).
  • If not, how are you going to manage an "I forgot my password" system?
  • Do you want to require a CAPTHCA to prevent automated account creation?
  • Does account sign-up involve sensitive personal information or banking details, or is it just nickname/password?
  • ...

    These issues are solvable in both a custom client and a browser, but probably a lot more work in a custom client than in a website / browser situation.


    How do things like Steam keep it secure since it's a client install?
    [/quote]
    I don't understand your question. The browser is also a "client install". They are both equally secure or insecure, depending on your point of view.

    From the user's point of view, their machine is the most trusted. From the server's point of view, the client's machine cannot be trusted (without evidence, e.g. username/password). From an attackers point of view, the client's machine is often the vulnerable "weak link" that can be compromised to steal an account.

    Again, you need to define the properties of a "secure" sign-up before we can start talking about it.

Share this post


Link to post
Share on other sites

You can receive the password unencrypted from the client, if you use SSL/TLS for the communication, such as with HTTPS. Then you can use bcrypt on the server, with salt, and you'll be good.
[/quote]

Thanks, that's what I was looking for.


Thanks for the thoughts rip-off

Share this post


Link to post
Share on other sites
Sign in to follow this  

  • Advertisement
×

Important Information

By using GameDev.net, you agree to our community Guidelines, Terms of Use, and Privacy Policy.

GameDev.net is your game development community. Create an account for your GameDev Portfolio and participate in the largest developer community in the games industry.

Sign me up!