[MUD-Dev] strong encryption for authentication

Caliban Tiresias Darklock caliban at darklock.com
Wed Jul 11 21:13:06 New Zealand Standard Time 2001

On Wed, 11 Jul 2001 15:02:44 -0400, Travis Casey
<efindel at earthlink.net> wrote:

> 1 - In a commercial game, you may want users to be able to pay their
> account within the game, change their billing address, update
> credit card information, update their real email address, etc.
> Encryption for any such personal or financial info is a good idea,
> and *not* encrypting it could potentially form a basis for
> negligence lawsuits... or at least require you to add some scary
> language to your user agreement.

Encryption of THAT data makes sense. Encryption of ALL data really

> If you're not using some form of encryption, then what good does a
> cookie-based OTP scheme do?  If someone running a sniffer
> intercepts the cookie

...it will be worthless.

The cookie is randomly generated by the server when the password
prompt is presented. It is then hashed into the player's password
and returned.  The player still provides his password on every
login, but the data sent to the server is dependent on the cookie,
and the cookie is random. If the password provided is wrong, he will
be presented with a different cookie at the next password prompt. It
will ONLY work for *this* player on *this* socket at *this* password
prompt, and only if he enters the correct password.

Any client-side strategy the player adopts to save that password for
automatic hash calculation and response is, of course, his own

> (On the other hand, though, why re-invent the wheel?

My point exactly. If you have a special purpose use, you will need
special purpose software -- which, in most cases, already exists. ;)

MUD-Dev mailing list
MUD-Dev at kanga.nu

More information about the MUD-Dev mailing list