[Suggestion] Hash UID with server's host

Started by EK.IceFlake, Jun 06, 2017, 12:21 PM


EK.IceFlake

It would be cool if UID was hashed with the server's IP and port as it would prevent people from capturing others' UIDs and using them to log in to their accounts and potentially wreak havoc.

.

This can be done manually through some script. However, many people here host on their home PC, which may have a dynamic IP address, therefore preventing the developers from enforcing such a thing. Not to mention that if you migrate your server to a new host, you end up with a database full of these incorrect UIDs. Which is why the developers (probably) chose to make this optional via scripts.
.

EK.IceFlake

Quote from: . on Jun 06, 2017, 07:41 PM
This can be done manually through some script. However, many people here host on their home PC, which may have a dynamic IP address, therefore preventing the developers from enforcing such a thing. Not to mention that if you migrate your server to a new host, you end up with a database full of these incorrect UIDs. Which is why the developers (probably) chose to make this optional via scripts.

Doing it through scripts would defeat the purpose of it. Someone could make a server which doesn't hash players' UIDs and instead saves them raw to a database and then change their UID to it and join a server which authenticates on UID. The server might hash it with its own host, but the actual UID given is the same thing and the server's host doesn't change so the hash is the same and the hacker is authenticated.

KAKAN

Server owners need to use their salt and pepper to prevent them from happening...
oh no

EK.IceFlake

Quote from: KAKAN on Jun 07, 2017, 03:45 PM
Server owners need to use their salt and pepper to prevent them from happening...

Read my post above. It will only work if it is salted with the server's host client-side.

This is what I'm talking about:

I have level 24 on VK's official server and it uses UID for autologin.
I join a newly created server.
The newly created server captures my UID.
The owner of the newly created server changes their UID to mine.
The owner of the newly created server joins VK's official server.
The owner of the newly created server autologs in and wreaks havoc.

Let's say VK's official server salts the UID:

I have level 24 on VK's official server and it uses UID for autologin.
I join a newly created server.
The newly created server captures my UID. This UID is not salted.
The owner of the newly created server changes their UID to mine.
The owner of the newly created server joins VK's official server. VK's official server salts the same UID.
The owner of the newly created server autologs in and wreaks havoc. This is because the UID given to the server is the same. Salting ABC with DEF will result in ABCDEF; if someone captures ABC and the server salts it with DEF, it will still result in ABCDEF.

As you can see, the owner of that newly created server isn't affected in any way.

Let's see what will happen if we salt it with the host's UID and hash it:

I have level 24 on VK's official server and it uses UID for autologin.
I join a newly created server.
The newly created server captures my UID. This UID is salted client-side with 66.66.66.66.
The owner of the newly created server changes their UID to mine.
The owner of the newly created server joins VK's official server.
The owner of the newly created server fails to autolog. This is because VK's official server had my UID with it salted with 46.105.184.128 and the newly created server had it salted with 66.66.66.66.

Basically this turns the actual UID into a private key (not to be confused with private key in asymmetric encryption).

ysc3839

Since UID can be spoofed, servers should not allow UID login!!!

EK.IceFlake

Quote from: ysc3839 on Jun 08, 2017, 01:08 PM
Since UID can be spoofed, servers should not allow UID login!!!

This suggestion is due to this exact reason.

maxorator

UID is indeed unsuitable for authentication (that was actually never its intended use case).

For authentication/autologin, actual PKI would be more suitable. With that it might be fine to not have a password at all, as people can copy their private key to any computer they use.
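
The scenarios walked through in the thread (server-side salting versus binding the UID to the server's host on the client) can be modelled as follows. This is an added example, not code from any poster or from the game: the HMAC-SHA256 derivation, the port number, the function names and the sample UID are assumptions; the two IP addresses and the ABC/DEF values are the ones used in the thread.

```python
import hashlib
import hmac

# Constructed sample values. The IPs, "ABC" and "DEF" come from the thread;
# the port is a placeholder.
RAW_UID = "ABC"
OFFICIAL = "46.105.184.128:8192"
ROGUE = "66.66.66.66:8192"
SERVER_SALT = b"DEF"


def server_salted(received: str, salt: bytes = SERVER_SALT) -> str:
    """Record a server keeps when it salts and hashes whatever the client sent."""
    return hashlib.sha256(salt + received.encode()).hexdigest()


def client_bound_uid(raw_uid: str, host: str) -> str:
    """Per-server identifier derived on the client: HMAC of the host, keyed by
    the raw UID (assumed construction). The raw UID itself is never sent."""
    return hmac.new(raw_uid.encode(), host.encode(), hashlib.sha256).hexdigest()


def identifier_sent(host: str, bind_on_client: bool) -> str:
    """What the legitimate player's client transmits to a given server."""
    return client_bound_uid(RAW_UID, host) if bind_on_client else RAW_UID


def legit_login_succeeds(bind_on_client: bool) -> bool:
    """The real player returns to OFFICIAL and is matched against the record."""
    stored = server_salted(identifier_sent(OFFICIAL, bind_on_client))
    again = server_salted(identifier_sent(OFFICIAL, bind_on_client))
    return hmac.compare_digest(again, stored)


def replay_succeeds(bind_on_client: bool) -> bool:
    """True if the value ROGUE received is accepted by OFFICIAL for autologin."""
    stored = server_salted(identifier_sent(OFFICIAL, bind_on_client))
    captured = identifier_sent(ROGUE, bind_on_client)  # what ROGUE logs
    return hmac.compare_digest(server_salted(captured), stored)


if __name__ == "__main__":
    for bind in (False, True):
        print(f"client-side binding={bind}: "
              f"legit login={legit_login_succeeds(bind)}, "
              f"replay accepted={replay_succeeds(bind)}")
```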