Online secure databank for usernames and their passwords?
Offline Riven
« Reply #30 - Posted 2013-08-06 13:22:00 »

The nice thing about a hash challenge is that the 'shared secret' doesn't go over the wire - whether that is a password or a passhash doesn't matter. The shared secret shouldn't be revealed to a man in the middle, as that allows a replay attack.

Offline jonjava
« Reply #31 - Posted 2013-08-06 15:13:11 »
Offline delt0r
« Reply #32 - Posted 2013-08-06 15:23:46 »

I have done it as Riven described for a few years now. Hashes need to be fast. If you want them to go slow, do it a million times. Or a billion. There have been some papers on using hashes in a way that current GPUs (and bitcoin hardware) would be slow at. Typically something that requires a lot of branching. No idea of the security community's response.

Of course you don't need much to be pretty good for online-only attacks. But these days every expert is calling passwords broken in the offline attack vector.

Securing a server these days is not easy if you don't know what you're doing. Anyone who says different is lying or ignorant.

Then there is this

Offline Riven
« Reply #33 - Posted 2013-08-08 05:38:06 »

The passhash itself is not stored as-is in the database, it is salted.

Table: Account [username, salt, saltedpasshash]
saltedpasshash = hash(hash(salt)+"::"+hash(passhash));
passhash is generated clientside, using hasher that takes ~1s

So server has salt, hash(hash(salt)+"::"+hash(passhash)), challenge, and needs to verify submitted value of hash(passhash+"::"+hash(challenge))? That doesn't seem possible unless the hash is open to being extended in both directions.

I forgot to add that the server sending the salt to the client is part of the hash challenge.

Both parties can calculate the shared secret (saltedpasshash) and therefore the answer to the hash challenge.

A MITM attack would be successful if the passhash is intercepted during registration and the salt is intercepted during the hash challenge. That's why registration has to be done over a secured channel, while there is no such need for the hash challenge, nor for any further communication using nonce-based access tokens.

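The scheme Riven lays out above, as an added example that is not code from this thread or from any JGO project: registration over a secured channel, the salt-plus-nonce challenge, and the server verifying the answer from the stored saltedpasshash alone, so passhash is never stored or sent after registration. Assumptions not in the thread: SHA-256 stands in for the unspecified hash(), PBKDF2 for the slow client-side hasher, and the answer format hash(saltedpasshash+"::"+hash(challenge)) follows the pattern quoted earlier in the thread.

```python
import hashlib, hmac, secrets

def H(data):
    # Stand-in for the post's unspecified hash(): SHA-256 over UTF-8, hex encoded (assumption).
    return hashlib.sha256(data.encode()).hexdigest()

def client_passhash(username, password):
    # Slow client-side hasher; PBKDF2 keyed by username is a stand-in (assumption), with a small
    # iteration count for the demo (the post tunes it to take about a second).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), username.encode(), 20_000).hex()

def salted_passhash(salt, passhash):
    # The post's formula verbatim: hash(hash(salt)+"::"+hash(passhash))
    return H(H(salt) + "::" + H(passhash))

def answer(salt, challenge, passhash):
    # Assumed answer format: hash(saltedpasshash+"::"+hash(challenge)), computable by both sides.
    return H(salted_passhash(salt, passhash) + "::" + H(challenge))

class Server:
    def __init__(self):
        self.accounts = {}  # username -> (salt, saltedpasshash); passhash is never stored

    def register(self, username, passhash):
        # The one step that needs a secured channel: passhash crosses the wire here.
        salt = secrets.token_hex(16)
        self.accounts[username] = (salt, salted_passhash(salt, passhash))

    def challenge(self, username):
        # The salt goes out as part of the challenge; a fresh nonce makes each login unique.
        return self.accounts[username][0], secrets.token_hex(16)

    def verify(self, username, challenge, response):
        # A real server also checks that `challenge` is one it issued and not yet consumed.
        _, stored = self.accounts[username]
        return hmac.compare_digest(H(stored + "::" + H(challenge)), response)

def login(password="correct horse", attempt=None):
    # Register with `password`, then log in with `attempt` (defaults to the right password).
    server = Server()
    server.register("alice", client_passhash("alice", password))
    salt, nonce = server.challenge("alice")
    return server.verify("alice", nonce, answer(salt, nonce, client_passhash("alice", attempt or password)))

def replay_attempt():
    # An eavesdropped answer is useless against the next challenge: the nonce has changed.
    server = Server()
    ph = client_passhash("alice", "correct horse")
    server.register("alice", ph)
    salt, nonce1 = server.challenge("alice")
    captured = answer(salt, nonce1, ph)
    return server.verify("alice", server.challenge("alice")[1], captured)
```

login() and replay_attempt() show the honest login succeeding and a captured answer failing against a fresh nonce; the residual risk Riven names (passhash intercepted at registration) is why register() is the step that needs the secured channel.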