For that, the most secure way would be something like...
Master server contains users' keys (passwords) and data.
When connecting to a server, the client connects to the master server and
gives its login name.  The server sends back the client's name, its data, and
a timestamp, encrypted with the client's password.  It also sends a SHA1 hash
of an unencrypted version of what it sent to the client, digitally signed
with the master server's private key.  The client decrypts the data packet,
then sends this to the server; the server checks that the timestamp is recent
and that the signed hash matches the data.  If so, all is well and the
client is authenticated.

This only covers GETTING the data.  As for updating it, there is no real
secure way to do that.  Any method you do would rely both on a secure client
and a secure server, neither of which could exist in reality.  The server
could spoof whatever it wants to the master server, and the master server
has no way of verifying this.  So, anyone could just make a server and send
spoofed updates to the master server.  There is absolutely no way to prevent
this whatsoever.

>From: "Paul Samways" <[EMAIL PROTECTED]>
>Reply-To: [EMAIL PROTECTED]
>To: <[EMAIL PROTECTED]>
>Subject: Re: [hlcoders] Client commands
>Date: Sat, 15 Jun 2002 21:32:21 +0100
>All servers. Master DB server kind of thing. And please drop the patronising
>tone, I will understand your answer. The reason I'm asking for clarification
>is I want to find out if what you're thinking of is something I've
>already thought of or not.
>
>----- Original Message -----
>From: "Jonah Sherman" <[EMAIL PROTECTED]>
>To: <[EMAIL PROTECTED]>
>Sent: Saturday, June 15, 2002 8:20 PM
>Subject: Re: [hlcoders] Client commands
>
>
>You won't understand what I said until you answer my question:
>Is this persistent data for a player just on that server or for all
>servers?
>
> >From: "Paul Samways" <[EMAIL PROTECTED]>
> >Reply-To: [EMAIL PROTECTED]
> >To: <[EMAIL PROTECTED]>
> >Subject: Re: [hlcoders] Client commands
> >Date: Sat, 15 Jun 2002 19:04:03 +0100
> >But your argument there can be applied to anything. Yes, someone can
> >intercept the username and hashed password, but that can be said for pretty
> >much everything I log onto on the web. There's no way to prevent that
> >without me putting SSL code in and rewriting the database server code as
> >well (like I'm gonna do that).
> >
> >And what exactly do you mean by "just sending a hash of your password to the
> >server isn't secure, as the server can just replay that hash and act as
> >you..."? Not sure which server you mean by 'server' and also how you think
> >they'd use this to their advantage.
> >
> >----- Original Message -----
> >From: "Jonah Sherman" <[EMAIL PROTECTED]>
> >To: <[EMAIL PROTECTED]>
> >Sent: Saturday, June 15, 2002 6:11 PM
> >Subject: Re: [hlcoders] Client commands
> >
> >
> > > Actually, this isn't as much of a problem as you might think. ALL HL data
> > > is encrypted before being sent over the network.  Are you planning on storing
> > > player data for just that server or globally?  If you're planning on having a
> > > master server store everyone's info, you might want to rethink your protocol;
> > > just sending a hash of your password to the server isn't secure, as the
> > > server can just replay that hash and act as you...
> > >
> > >
> > > >From: "Paul Samways" <[EMAIL PROTECTED]>
> > > >Reply-To: [EMAIL PROTECTED]
> > > >To: <[EMAIL PROTECTED]>
> > > >Subject: [hlcoders] Client commands
> > > >Date: Fri, 14 Jun 2002 18:54:21 +0100
> > > >Is it possible to preprocess client commands being sent to the server before
> > > >they're sent?
> > > >
> > > >I'd like to run an md5digest on a password argument before it flies off over
> > > >the internet to the server. Is this possible?
> > > >
> > > >I was going to have players' persistent info stored against AuthID, but then
> > > >I realised it'd be nice to be able to log in at someone else's machine and
> > > >still get your stats/score updated. So now I need some way of a player
> > > >entering a username/password combo and not have a plaintext password either
> > > >travel across the network or be stored in a text file (which would happen if
> > > >I used a cvar, wouldn't it?).
> > > >
> > > >Any suggestions to throw into the pot?
> > > >
> > > >Paul
> > > >
> > > >_______________________________________________
> > > >To unsubscribe, edit your list preferences, or view the list
>archives,
> > > >please visit:
> > > >http://list.valvesoftware.com/mailman/listinfo/hlcoders
> > > >
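The three-party login exchange described in the first message of this thread (master server, client, game server), written out as an added example; this is not code from the hlcoders list, from Half-Life, or from any poster, and every key, user name and data value in it is constructed for the demo. Two substitutions are made and should be read as assumptions: the master server's signature with its private key is replaced by an HMAC keyed with a secret shared between the master and the game servers (the Python standard library has no public-key signature primitive), and "encrypted with the client's password" is realised as XOR with a SHA-256 counter-mode keystream derived from the password (illustrative only, not a cipher to deploy). The game server checks the signature before it parses anything, then checks the timestamp; the demo drives a valid login, a tampered record, an expired token and a wrong password through the same path.

```python
"""Added example (not from the hlcoders thread): master server issues an
encrypted, signed record; client decrypts and forwards; game server verifies."""
import hashlib
import hmac
import json
import os

# Constructed secret standing in for the master server's private key (assumption:
# HMAC replaces the digital signature the message describes).
MASTER_SIGNING_KEY = b"demo-master-signing-key-not-real"
MAX_TOKEN_AGE = 30  # seconds a game server accepts a token for (assumed window)


def derive_key(password: str) -> bytes:
    """Turn the user's password into a 32-byte key (toy KDF: no salt, no stretching)."""
    return hashlib.sha256(b"hlcoders-demo-kdf|" + password.encode()).digest()


def xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """SHA-256 counter-mode keystream XORed over data (toy symmetric cipher)."""
    out = bytearray()
    for block in range((len(data) + 31) // 32):
        ks = hashlib.sha256(key + nonce + block.to_bytes(4, "big")).digest()
        chunk = data[block * 32:(block + 1) * 32]
        out.extend(a ^ b for a, b in zip(chunk, ks))
    return bytes(out)


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(16)  # fresh nonce so identical records never encrypt alike
    return nonce + xor_stream(key, nonce, plaintext)


def decrypt(key: bytes, blob: bytes) -> bytes:
    return xor_stream(key, blob[:16], blob[16:])


def sign_record(plaintext: bytes) -> bytes:
    """'SHA1 hash of the unencrypted version, signed by the master' (HMAC stand-in)."""
    digest = hashlib.sha1(plaintext).digest()
    return hmac.new(MASTER_SIGNING_KEY, digest, hashlib.sha256).digest()


def master_login(users: dict, name: str, now: int):
    """Master server: for a login name, return (record encrypted to the user's
    password, signature over the plaintext). `now` is injected for testability."""
    password, data = users[name]
    record = {"name": name, "data": data, "ts": now}
    plaintext = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return encrypt(derive_key(password), plaintext), sign_record(plaintext)


def client_unwrap(password: str, blob: bytes) -> bytes:
    """Client: decrypt with its own password; the plaintext is forwarded as-is."""
    return decrypt(derive_key(password), blob)


def game_server_verify(plaintext: bytes, signature: bytes, now: int):
    """Game server: signature first (so garbage is never parsed), then freshness.
    Returns (ok, record) on success or (False, reason) on failure."""
    if not hmac.compare_digest(sign_record(plaintext), signature):
        return False, "signature mismatch"
    record = json.loads(plaintext)
    if abs(now - record["ts"]) > MAX_TOKEN_AGE:
        return False, "stale timestamp"
    return True, record


# Constructed user database: login name -> (password, persistent data).
USERS = {"paul": ("hunter2", {"score": 1337, "kills": 42})}


def run_exchange(name, password_typed, login_time, verify_time, tamper=False):
    """Drive one login through all three parties and return the game server's verdict."""
    blob, sig = master_login(USERS, name, login_time)
    plaintext = client_unwrap(password_typed, blob)
    if tamper:  # client or a middlebox edits the decrypted record before forwarding
        plaintext = plaintext.replace(b'"score":1337', b'"score":9999')
    return game_server_verify(plaintext, sig, verify_time)


if __name__ == "__main__":
    print(run_exchange("paul", "hunter2", 1000, 1005))               # accepted
    print(run_exchange("paul", "hunter2", 1000, 1005, tamper=True))  # signature mismatch
    print(run_exchange("paul", "hunter2", 1000, 2000))               # stale timestamp
    print(run_exchange("paul", "wrong", 1000, 1005))                 # signature mismatch
```

Two things worth noticing in the design: the game server compares the signature before it touches the JSON, so a wrong password (which yields random bytes from the toy cipher) and a doctored record fail in the same way, and the timestamp only bounds the replay window; inside MAX_TOKEN_AGE the same token is accepted by any game server, which the original protocol does not address. With the HMAC substitution every game server holding the key can also mint tokens, which is exactly what the master server's private-key signature in the message avoids, and all three parties' clocks have to agree to within the window.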

_______________________________________________
To unsubscribe, edit your list preferences, or view the list archives, please visit:
http://list.valvesoftware.com/mailman/listinfo/hlcoders