Unfortunately I have zero idea how to code any kind of system like you're describing. Guess I'll just develop this for my own use on my own server.

----- Original Message -----
From: "Jonah Sherman" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Sunday, June 16, 2002 5:24 PM
Subject: Re: [hlcoders] Client commands

> It is generally better for the client to do the updating, as a lot of
> servers have firewalls to prevent extraneous socket communications (why
> cheating-death was more popular than paladin). Also, there is no way a
> client hack could do anything with the system I described without breaking
> your master server's signature keys. Actually, the system I described is
> *exactly* how the WON authentication works, you send a crypted version of
> cdkey to WON with timestamp, it sends back your wonid as well as a hash of
> your wonid+ip+timestamp signed, then when you connect to a server the
> client sends the wonid+signed hash in the second packet (you can packet
> sniff and see this, it will say
> \uniqueid\12345\raw\AABBCCDDEEFF112233445566778899\ where the uniqueid is
> your wonid and the raw is a signed hash of the wonid + ip + timestamp).
> The only way for someone to spoof their wonid is either with a keygen or
> by breaking WON's signature keys (something that won't be happening in the
> next 10^27 years given current technology). It is almost always better to
> use an existing protocol than to develop your own. Existing protocols,
> such as Kerberos, have been torn apart by security experts and still held
> strong. Also, it won't be much different for the clients now. In addition
> to connecting to the WON master server, they connect to your server...
> that's all that's required.
>
> >From: "Paul Samways" <[EMAIL PROTECTED]>
> >Reply-To: [EMAIL PROTECTED]
> >To: <[EMAIL PROTECTED]>
> >Subject: Re: [hlcoders] Client commands
> >Date: Sun, 16 Jun 2002 08:53:04 +0100
> >
> >I was intending to make the master server allow updates only from
> >registered 'trusted' IP addresses. What's trusted and what's not would be
> >down to me trusting an admin.
> >
> >Since I'm pretty much the only admin for our mod (no-one else ever seems
> >to run a dedicated server) it's why I'm not overly worried about this
> >being a chore.
> >
> >If I have select trusted game servers then I can relax a lot of the
> >concerns. I'm intending for the client to have no interaction with the
> >database server, but instead to send username/password to the game server,
> >which then either gets their data or makes a new database entry if they
> >don't exist (or tells them where to go if the password is wrong). This
> >reduces the amount of places I need to trust, and also means clients have
> >no power to change their stats with clientside hacks.
> >
> >Opinions?
> >
> >----- Original Message -----
> >From: "Jonah Sherman" <[EMAIL PROTECTED]>
> >To: <[EMAIL PROTECTED]>
> >Sent: Saturday, June 15, 2002 9:47 PM
> >Subject: Re: [hlcoders] Client commands
> >
> >For that, the most secure way would be something like...
> >Master server contains users' keys (passwords), and data.
> >When connecting to a server, the client connects to the master server, and
> >gives its login name. The server sends back the client's name, its data,
> >and a timestamp, encrypted with the client's password. It also sends a
> >SHA1 hash of an unencrypted version of what it sent to the client,
> >digitally signed with the master server's private key. The client decrypts
> >the data packet, then sends this to the server, the server checks the
> >timestamp is recent, and that the signed hash matches the data. If so, all
> >is well and the client is authenticated.
> >
> >This only covers GETTING the data. As for updating it... there is no real
> >secure way to do that. Any method you do would rely both on a secure
> >client and a secure server, neither of which could exist in reality. The
> >server could spoof whatever it wants to the master server, and the master
> >server has no way of verifying this.
> >So, anyone could just make a server and send spoofed updates to the
> >master server. There is absolutely no way to prevent this whatsoever.
> >
> > >From: "Paul Samways" <[EMAIL PROTECTED]>
> > >Reply-To: [EMAIL PROTECTED]
> > >To: <[EMAIL PROTECTED]>
> > >Subject: Re: [hlcoders] Client commands
> > >Date: Sat, 15 Jun 2002 21:32:21 +0100
> > >
> > >All servers. Master DB server kind of thing. And please drop the
> > >patronising tone, I will understand your answer. The reason I'm asking
> > >for clarification is I want to find out if what you're thinking of is
> > >something I've already thought of or not.
> > >
> > >----- Original Message -----
> > >From: "Jonah Sherman" <[EMAIL PROTECTED]>
> > >To: <[EMAIL PROTECTED]>
> > >Sent: Saturday, June 15, 2002 8:20 PM
> > >Subject: Re: [hlcoders] Client commands
> > >
> > >You won't understand what I said until you answer my question:
> > >Is this persistent data for a player just on that server or for all
> > >servers?
> > >
> > > >From: "Paul Samways" <[EMAIL PROTECTED]>
> > > >Reply-To: [EMAIL PROTECTED]
> > > >To: <[EMAIL PROTECTED]>
> > > >Subject: Re: [hlcoders] Client commands
> > > >Date: Sat, 15 Jun 2002 19:04:03 +0100
> > > >
> > > >But your argument there can be applied to anything. Yes, someone can
> > > >intercept the username and hashed password, but that can be said for
> > > >pretty much everything I log onto on the web. There's no way to
> > > >prevent that without me putting SSL code in and rewriting the database
> > > >server code as well (like I'm gonna do that).
> > > >
> > > >And what exactly do you mean by "just sending a hash of your password
> > > >to the server isn't secure, as the server can just replay that hash
> > > >and act as you..."? Not sure which server you mean by 'server' and
> > > >also how you think they'd use this to their advantage?
> > > >
> > > >----- Original Message -----
> > > >From: "Jonah Sherman" <[EMAIL PROTECTED]>
> > > >To: <[EMAIL PROTECTED]>
> > > >Sent: Saturday, June 15, 2002 6:11 PM
> > > >Subject: Re: [hlcoders] Client commands
> > > >
> > > > > Actually, this isn't as much of a problem as you might think. ALL
> > > > > HL data is encrypted before being sent over the network. Are you
> > > > > planning on storing player data for just that server or globally?
> > > > > If you're planning on having a master server store everyone's info,
> > > > > you might want to rethink your protocol, just sending a hash of
> > > > > your password to the server isn't secure, as the server can just
> > > > > replay that hash and act as you...
> > > > >
> > > > > >From: "Paul Samways" <[EMAIL PROTECTED]>
> > > > > >Reply-To: [EMAIL PROTECTED]
> > > > > >To: <[EMAIL PROTECTED]>
> > > > > >Subject: [hlcoders] Client commands
> > > > > >Date: Fri, 14 Jun 2002 18:54:21 +0100
> > > > > >
> > > > > >Is it possible to preprocess client commands being sent to the
> > > > > >server before they're sent?
> > > > > >
> > > > > >I'd like to run an md5digest on a password argument before it
> > > > > >flies off over the internet to the server. Is this possible?
> > > > > >
> > > > > >I was going to have players' persistent info stored against
> > > > > >AuthID, but then I realised it'd be nice to be able to log in at
> > > > > >someone else's machine and still get your stats/score updated. So
> > > > > >now I need some way of a player entering a username/password combo
> > > > > >and not have a plaintext password either travel across the network
> > > > > >or be stored in a text file (which would happen if I used a cvar,
> > > > > >wouldn't it?).
> > > > > >
> > > > > >Any suggestions to throw into the pot?
> > > > > >
> > > > > >Paul
> > > > > >
> > > > > >_______________________________________________
> > > > > >To unsubscribe, edit your list preferences, or view the list
> > > > > >archives, please visit:
> > > > > >http://list.valvesoftware.com/mailman/listinfo/hlcoders
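
The master-server ticket check described in the quoted thread above (the master signs the user, client IP and timestamp; the game server checks the signature and that the timestamp is recent), as an added example that is not part of the original messages or any WON/Half-Life code. It signs the fields directly with Ed25519 from Go's standard library instead of signing a SHA1 hash, and the field names, the 30-second window and the sample values are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"fmt"
	"time"
)

type Ticket struct { // master server -> client -> game server (hypothetical names)
	User, IP string
	Issued   int64 // Unix seconds
	Sig      []byte
}

const maxAge = 30 * time.Second // assumed freshness window

// payload quotes each string (%q) so field boundaries cannot be shifted.
func payload(user, ip string, issued int64) []byte {
	return []byte(fmt.Sprintf("%q|%q|%d", user, ip, issued))
}

// Issue runs on the master server, the only holder of the private key.
func Issue(priv ed25519.PrivateKey, user, ip string, now time.Time) Ticket {
	return Ticket{user, ip, now.Unix(), ed25519.Sign(priv, payload(user, ip, now.Unix()))}
}

// Verify runs on a game server that holds only the master's public key.
func Verify(pub ed25519.PublicKey, t Ticket, peerIP string, now time.Time) error {
	if !ed25519.Verify(pub, payload(t.User, t.IP, t.Issued), t.Sig) {
		return fmt.Errorf("bad signature on ticket for %q", t.User)
	}
	if t.IP != peerIP {
		return fmt.Errorf("ticket issued to %s, presented from %s", t.IP, peerIP)
	}
	if age := now.Sub(time.Unix(t.Issued, 0)); age < 0 || age > maxAge {
		return fmt.Errorf("ticket age %v outside the %v window", age, maxAge)
	}
	return nil
}

func main() {
	pub, priv, err := ed25519.GenerateKey(nil) // nil selects crypto/rand
	if err != nil {
		panic(err)
	}
	t := Issue(priv, "paul", "203.0.113.7", time.Now()) // constructed values
	fmt.Println("valid ticket:", Verify(pub, t, "203.0.113.7", time.Now()))
	fmt.Println("other address:", Verify(pub, t, "198.51.100.9", time.Now()))
}
```

This covers only reading data, as the thread says: a game server that can verify tickets still cannot prove to the master that the stats it reports are genuine.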

