hplus' Authentication for Games

Sprangle · 2013-09-09T15:50:49

Hi, I am making a persistent online multi-player game and am currently looking at basic security. I have some questions after reading this: http://www.mindcontrol.org/~hplus/authentication.html This is where I'm at so far: By day I'm a .NET web developer and this project is all in C#. Main game communications happen over UDP, provided by lidgren. Lidgren provides per-message encryption options (Xtea, AES, DES, Triple DES, RC2...). I already have Awesomium integrated into my client to provide the user interface. A web service provides the back end for non-action related UI such as mail and trade. It always runs over HTTPS. The web server and game server share a SQL database. Passwords are salted, hashed (bcrypt), and stored in the database. I plan to also use the secure web service as the login server. All that is reasonably straight forward and I've done most of it before. My questions are when I try and work through the 'sufficient implementation' provided in hplus' conclusion: Client connects to game server and transmits the auth ticket. Doesn't this already need to be encrypted to prevent against sniffing on open networks? But the server apparently doesn't retrieve the encryption key till later, so what is stopping someone else grabbing the ticket and connecting as you? Is there any reason not to start the sequence numbers at 0 given we already using a random encryption key? Aren't sequence numbers going to be fairly useless with UDP unreliable messages? What is a suitable hash for ongoing messages once authentication has been established? I assume this is really just a checksum to make sure the data hasn't been tempered with. Also, would you still give the same advice today? Reading the archives here I get the feeling should really be looking at TCP/TLS instead, if at all possible... Thanks for any help you can offer.

Networking and Multiplayer Programming

Started by Sprangle September 07, 2013 07:23 AM

11 comments, last by hplus0603 10 years, 7 months ago

Bacterius

13,181

September 08, 2013 10:26 AM

Btw; using md5 for the HMAC algorithm would let someone inject data as well, because creating 16 bytes at the end of a packet that achieves the HMAC you want with MD5 is no longer a computationally hard problem

Actually, it still is. Using MD5 with HMAC is at present knowledge absolutely fine from a functional point of view, but it's really not something you would want to do anyway because:

A) it's bad for PR, because by now the only reaction you will get from people is "why are you using MD5, it's broken" even though in this particular instance none of its effective weaknesses matter

B) you can possibly get better performance using a more modern algorithm with less overhead when fingerprinting small messages - such as network packets - repeatedly with the same key (the SHA-3 finalists are pretty good at it since they have built-in HMAC functionality which aims to optimize this kind of processing, but they aren't standardized yet so it's probably best to go with SHA-256 at the moment)

C) eventually it will no longer be secure, as attacks only get better

So to conclude, HMAC does not rely on collision resistance of the underlying hash function, therefore, as paradoxal as it may seem, using it with MD5 is currently "as secure" as using it with SHA-1 from a technical point of view (ignoring the difference in fingerprint length - 128 bits is enough anyway). But that doesn't mean you should do it.

Either way, you need to build a threat model for your application first. Any work done prior to the assessment of what you are trying to protect against is misguided.

“If I understand the standard right it is legal and safe to do this but the resulting value could be anything.”

hplus0603

11,916

September 08, 2013 07:25 PM

There are two main concerns in the model you suggest:

1) How do I prevent users-on-open-WiFi from having their sessions stolen?

2) How do I make sure that a connection that comes back to a different server is in fact the user it claims to be?

Implementing the "authentication-for-games" mechanism (which can be summariezed as "a basic ticket mechanism a la Kerberos") on top of TCP/TLS will work just fine for these vectors.

So, from clients' point of view:

1) connect with TLS, provide name & password; receive ticket with some lifetime

2) each new connection, still use TLS, provide ticket as proof-of-identity-and-authorization

The benefit of using the ticket instead of just keeping name & password around in the client is that:

a) wiping the password in RAM after sending it is somewhat more secure against accidental disclosure on the client machine

b) each server that gets the ticket only needs a copy of the server-side secret, not actually re-do the user database lookups

For long-lived TCP connections, b) isn't as important (but a may still be); for UDP connections, b) is a real win!

enum Bool { True, False, FileNotFound };

Sprangle

128

Author

September 08, 2013 09:08 PM

/me nods.

OK I'm taking the TCP model from above and adding auth tickets so we can wipe passwords in the client and still handle quick reconnects (connection dropped, server switches etc).

I notice this ends up being quite similar to the forms authentication set up in ASP.NET which is probably a good sign. Given they already have the infrastructure for generating and verifying tickets using a cluster secret, expirations etc I'll have to look at whether borrowing some of that makes sense.

hplus0603

11,916

September 09, 2013 03:50 PM

I'll have to look at whether borrowing some of that makes sense

If there exists working, tested, code, on the platform/language you're already using, I would assume doing so makes a lot of sense :-)

enum Bool { True, False, FileNotFound };

hplus' Authentication for Games

This topic is closed to new replies.

Popular Topics

Recommended Tutorials

hplus' Authentication for Games

This topic is closed to new replies.

Popular Topics

Recommended Tutorials

Reticulating splines