Author Topic: Change PvPGN Encryption to something more secure  (Read 5100 times)

Offline WarMapper

  • Peon
  • **
  • Posts: 21
    • View Profile
Change PvPGN Encryption to something more secure
« on: June 15, 2015, 04:27:49 PM »
I saw tupac post a thread about this but looks like its gone now.

Here's what I was going to add

From this May 2002 interview with a BNETD developer, he described encryption as the most difficult task in making BNETD, he also admits the encryption is weak (by 2002's standards!)

I dont totally understand what he's saying, but I think he means the War2 Client itself is doing the hashing. If so we wouldnt be able to change it ever...

I'll have to look into it more. If the passwords could be made more secure, that would be good tho .. not a huge priority for a little circa 1995 game server, but other PvPGN servers could benefit from better password security, particularly servers with games like WC3 that require an email address at registration. With databases of emails and passwords leaking, can cause real problems for other PvPGN servers


"Probably the most daunting task was figuring out any part of the protocol that involved encryption. Thankfully, the server works without supporting any of those packet types. But that meant going without passwords on the player accounts. Not having passwords was OK for LAN parties and systems behind firewalls, but some people wanted to allow logins from the Internet. Once we implemented account profiles, it became even more important so that players couldn't destroy each other's ratings.

Thankfully, the hash size was the same as SHA1 and [we were] sent an example hashing function. The hashed password was sent in the plain to the server where it was stored for later logins. We figured out that the login hash used the session key and a random value (actually a timestamp), plus that hashed password, and then hashed it again.

The server performs the same operation and compares the results. It's not the greatest scheme (knowledge of single-hashed password is the same value as knowing the password), but it was good enough for a game server. There was some further complication because the hash is performed in an endian-dependent way and it doesn't use the standard initialization or padding."

Offline Delete mine too

  • Death Knight
  • *********
  • Posts: 2652
  • http://meatspin.com
    • View Profile
    • http://meatspin.com
Re: Change PvPGN Encryption to something more secure
« Reply #1 on: June 15, 2015, 04:31:28 PM »
Delete his account and this thread. He reads shit and steal idea, etc. Fuck off
http://forum.war2.ru/index.php/topic,1032.0.html

Offline WarMapper

  • Peon
  • **
  • Posts: 21
    • View Profile
Re: Change PvPGN Encryption to something more secure
« Reply #2 on: June 15, 2015, 04:35:16 PM »
i just said i saw u post a thread, but i thought u deleted it. I added to your thread.

not trying to "steal" your COMPLETELY ORIGINAL idea of fixing server password hashing lol

delete this thread

Offline Rit

  • Grunt
  • ***
  • Posts: 245
    • View Profile
    • Rit's Youtube
Re: Change PvPGN Encryption to something more secure
« Reply #3 on: June 15, 2015, 04:38:39 PM »
i just said i saw u post a thread, but i thought u deleted it. I added to your thread.

not trying to "steal" your COMPLETELY ORIGINAL idea of fixing server password hashing lol

delete this thread

Still awaiting your response to the questions I had PM'd you.

Offline Delete mine too

  • Death Knight
  • *********
  • Posts: 2652
  • http://meatspin.com
    • View Profile
    • http://meatspin.com
Re: Change PvPGN Encryption to something more secure
« Reply #4 on: June 15, 2015, 04:43:58 PM »
Answer rits questions like a man.

I'm not trying to fix the problem I broke it already problem solved.

Offline Warchief Lightbringer-

  • Server Admin
  • Axe Thrower
  • *****
  • Posts: 428
    • View Profile
Re: Change PvPGN Encryption to something more secure
« Reply #5 on: June 16, 2015, 04:43:17 AM »
Locked. None of your ideas.
aka DeaDLyGaMeS