[MUD-Dev] strong encryption for authentication

Edward Glowacki glowack2 at msu.edu
Fri Jul 13 07:57:28 New Zealand Standard Time 2001

Quoted from Caliban Tiresias Darklock on Wed, Jul 11, 2001 at
09:13:06PM -0700:
> On Wed, 11 Jul 2001 15:02:44 -0400, Travis Casey
> <efindel at earthlink.net> wrote:
>> If you're not using some form of encryption, then what good does
>> a cookie-based OTP scheme do?  If someone running a sniffer
>> intercepts the cookie

> ...it will be worthless.
> The cookie is randomly generated by the server when the password
> prompt is presented. It is then hashed into the player's password
> and returned.  The player still provides his password on every
> login, but the data sent to the server is dependent on the cookie,
> and the cookie is random. If the password provided is wrong, he
> will be presented with a different cookie at the next password
> prompt. It will ONLY work for *this* player on *this* socket at
> *this* password prompt, and only if he enters the correct
> password.

"hashed into the player's password" could mean anything.  Is this a
true encryption (using a known and tested algorithm)?  If it's not,
then it is still possible to sniff both the cookie the server sends
and the response the client sends, and with a little analysis of
those pieces the password should be easy to retrieve.  Of course,
analysis might require first ripping the hash algorithm from the
client code, but that's doable I think.

Edward Glowacki			glowack2 at msu.edu
"Speak softly and carry a +6 two-handed sword."  --fortune
MUD-Dev mailing list
MUD-Dev at kanga.nu

More information about the MUD-Dev mailing list