Java-Gaming.org

[solved] [Kryonet] Register and login with username/password
Offline Emmsii
« Posted 2017-09-26 18:39:46 »

I'm working on a small multiplayer game with Kryonet that would require a login with a username and password. I'm wondering what a safe way to handle this would be.

Obviously I won't be storing plain-text passwords on the server database; most likely they will be encrypted with a salt (this article seems useful). If I let the server do the encryption it means I'm sending plain-text passwords over the network. Would letting the client encrypt passwords be better? Are there any issues with this method?
Offline VaTTeRGeR
« Reply #1 - Posted 2017-09-27 08:32:05 »

You could use public key (asymmetric) encryption to send the critical data.
Or use public key encryption to send a key for symmetric encryption so that you don't have to do as much computation on your server; public key encryption is damn slow.

You cannot use symmetric encryption right away, because you need to have a shared key between server and client; if this key is stored in your code then it's not safe at all.

Shameless plug: http://www.java-gaming.org/topics/thread-safe-rsa-de-encryption-utility-for-byte-arrays/37770/view.html
This is proven to work with Kryonet easily.

However you do it, you should definitely encrypt your user data traffic.
Offline Emmsii
« Reply #2 - Posted 2017-09-27 10:42:37 »

Thanks! Just so I understand this, will the server generate the public/private keypair, send the public key to clients, clients use the public key to encrypt the data and send it to the server, the server then decrypts the data?
Offline VaTTeRGeR
« Reply #3 - Posted 2017-09-27 11:17:41 »

Exactly ;) this can be done for both server->client and client->server.
But it's best to just transmit a shared-key for symmetric encryption via this method if you want to transmit more than just login data.
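The exchange described in replies #1 and #3 (the server publishes an RSA public key, the client uses it to send a fresh symmetric key, and everything after that is symmetrically encrypted), as an added example in plain JDK crypto; it is not code from the thread, from Kryonet or from the linked RSA utility. The message classes ServerHello, KeyExchange and Encrypted are hypothetical: with Kryonet you would register them with Kryo on both sides and send them as ordinary objects. The example does only what the replies describe, so the client has no way to tell whether the public key really belongs to the game server; that gap is what reply #7 below is about.

```java
import javax.crypto.AEADBadTagException;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import java.nio.charset.StandardCharsets;
import java.security.KeyFactory;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PublicKey;
import java.security.SecureRandom;
import java.security.spec.X509EncodedKeySpec;

/**
 * Hybrid key transport for a Kryonet-style login: server publishes an RSA public key,
 * client wraps a random AES key with it, then both sides use AES-GCM.
 * Example code written for this thread; message/class names are made up.
 */
public final class HybridLogin {
    private static final SecureRandom RNG = new SecureRandom();

    // Messages with plain byte[] fields so a serializer like Kryo can ship them.
    public static final class ServerHello { public byte[] rsaPublicKey; }              // server -> client
    public static final class KeyExchange { public byte[] wrappedAesKey; }             // client -> server
    public static final class Encrypted { public byte[] iv; public byte[] ciphertext; } // either direction

    /** Server side: one RSA key pair per connection, as described in reply #4. */
    public static final class ServerSession {
        private final KeyPair rsa;
        private SecretKey aes;
        public ServerSession() throws Exception {
            KeyPairGenerator g = KeyPairGenerator.getInstance("RSA");
            g.initialize(2048);
            rsa = g.generateKeyPair();
        }
        public ServerHello hello() {
            ServerHello h = new ServerHello();
            h.rsaPublicKey = rsa.getPublic().getEncoded();   // X.509 SubjectPublicKeyInfo bytes
            return h;
        }
        public void accept(KeyExchange kx) throws Exception {
            Cipher c = Cipher.getInstance("RSA/ECB/OAEPWithSHA-256AndMGF1Padding");
            c.init(Cipher.UNWRAP_MODE, rsa.getPrivate());
            aes = (SecretKey) c.unwrap(kx.wrappedAesKey, "AES", Cipher.SECRET_KEY);
        }
        public byte[] open(Encrypted m) throws Exception { return decrypt(aes, m); }
        public Encrypted seal(byte[] plain) throws Exception { return encrypt(aes, plain); }
    }

    /** Client side: generate the AES key locally and send it wrapped under the server's RSA key. */
    public static final class ClientSession {
        private SecretKey aes;
        public KeyExchange start(ServerHello h) throws Exception {
            PublicKey serverKey = KeyFactory.getInstance("RSA")
                    .generatePublic(new X509EncodedKeySpec(h.rsaPublicKey));
            KeyGenerator kg = KeyGenerator.getInstance("AES");
            kg.init(256, RNG);
            aes = kg.generateKey();
            Cipher c = Cipher.getInstance("RSA/ECB/OAEPWithSHA-256AndMGF1Padding");
            c.init(Cipher.WRAP_MODE, serverKey);
            KeyExchange kx = new KeyExchange();
            kx.wrappedAesKey = c.wrap(aes);
            return kx;
        }
        public Encrypted seal(byte[] plain) throws Exception { return encrypt(aes, plain); }
        public byte[] open(Encrypted m) throws Exception { return decrypt(aes, m); }
    }

    // AES-GCM with a fresh 96-bit IV per message; the 128-bit tag makes tampering detectable.
    static Encrypted encrypt(SecretKey k, byte[] plain) throws Exception {
        Encrypted m = new Encrypted();
        m.iv = new byte[12];
        RNG.nextBytes(m.iv);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, k, new GCMParameterSpec(128, m.iv));
        m.ciphertext = c.doFinal(plain);
        return m;
    }
    static byte[] decrypt(SecretKey k, Encrypted m) throws Exception {
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, k, new GCMParameterSpec(128, m.iv));
        return c.doFinal(m.ciphertext);   // throws AEADBadTagException if iv/ciphertext were modified
    }

    public static void main(String[] args) throws Exception {
        ServerSession server = new ServerSession();
        ClientSession client = new ClientSession();
        // 1. server -> client: RSA public key   2. client -> server: wrapped AES key
        server.accept(client.start(server.hello()));
        // 3. from here on, symmetric encryption in both directions (constructed sample payloads)
        Encrypted onTheWire = client.seal("login alice <client hash>".getBytes(StandardCharsets.UTF_8));
        System.out.println("server read: " + new String(server.open(onTheWire), StandardCharsets.UTF_8));
        Encrypted reply = server.seal("ok".getBytes(StandardCharsets.UTF_8));
        System.out.println("client read: " + new String(client.open(reply), StandardCharsets.UTF_8));
        // A packet modified in transit must be rejected, not decrypted to garbage.
        onTheWire.ciphertext[0] ^= 1;
        try {
            server.open(onTheWire);
        } catch (AEADBadTagException e) {
            System.out.println("tampered packet rejected");
        }
    }
}
```

The RSA step runs once per connection, so its cost does not matter much; the per-message work is AES-GCM, which is cheap. A random IV per message and the authentication tag are what keep the symmetric channel honest; reusing an IV under the same key, or using a mode without a tag, would undo most of the benefit.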
Offline Emmsii
« Reply #4 - Posted 2017-09-28 17:29:46 »

Thanks for your help! I think I've figured a system out.

When a player connects, the server generates a public/private key pair for that user. When the player enters a password it is encrypted with the public key and sent to the server. The server then decrypts the password and hashes it with a salt, then stores the hashed password + salt in the database.

When a player wants to login, the server hashes the password sent from the login request with the user's salt and compares it to the original hashed password.

Hopefully this is decent enough.
Offline VaTTeRGeR
« Reply #5 - Posted 2017-09-28 19:24:24 »

That certainly works, though you might want the client to hash his password himself for login/register, not on the server, or else a fake server can easily grab a user's plain-text password. This is bad because many just reuse passwords; you don't want to leak that.

Sounds good to me otherwise.
Offline Emmsii
« Reply #6 - Posted 2017-09-28 19:25:41 »

Ah so you'd recommend hashing on the client. I'm guessing the hashing of the password + salt would happen before then encryption?

Would it be wise to send the client their salt? The salt is generated by the client the first time they register, when the player wants to login again they will need the same salt to hash their password. Would I need to send the player the salt, to hash the login password, to send to the server, to compare to the stored hashed password?
Offline VaTTeRGeR
« Reply #7 - Posted 2017-09-28 22:07:38 »

Yes, the salt doesn't need to be secret in your case, you can safely send it to the user on request, just like you described.

I'm suggesting this clumsy mess because you're likely not using SSL, so your client never knows if it's really the server; it's better to just lose your hash+salt to a faked server than to lose the password, which can be reused to attack other accounts the user has elsewhere.
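The register/login flow as settled in replies #5 to #7 (the client generates a salt at registration and hashes password+salt itself; the server stores salt and hash, hands the salt out on request, and compares at login), as an added example that is not code from the thread. Account, register, saltFor and login are hypothetical names and the in-memory map stands in for the database. Two things the thread does not mention are included because a practitioner would want them: whatever the client sends is now effectively the password, so the server hashes the received value once more before storing it (a copy of the database is then not by itself a usable login credential), and an unknown username gets a stable fake salt so the salt request does not reveal which usernames exist.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.HashMap;
import java.util.Map;
import javax.crypto.Mac;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.SecretKeySpec;

/**
 * Register/login where the CLIENT does the slow, salted password hashing and the
 * server only ever sees the hash.  Example for this thread, not Kryonet code;
 * class and method names are made up for the illustration.
 */
public final class ClientHashedLogin {
    private static final SecureRandom RNG = new SecureRandom();
    private static final int ITERATIONS = 100_000;   // tune to ~100 ms on the slowest client you support

    // ---------------- client side ----------------
    public static byte[] newSalt() { byte[] s = new byte[16]; RNG.nextBytes(s); return s; }

    /** PBKDF2-HMAC-SHA256 over password+salt; run on the client for both register and login. */
    public static byte[] clientHash(char[] password, byte[] salt) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(password, salt, ITERATIONS, 256);
        try {
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
        } finally {
            spec.clearPassword();   // don't keep the password in memory longer than needed
        }
    }

    // ---------------- server side ----------------
    private static final class Account {
        final byte[] salt, verifier;
        Account(byte[] salt, byte[] verifier) { this.salt = salt; this.verifier = verifier; }
    }
    private final Map<String, Account> db = new HashMap<>();   // stands in for the real database
    private final byte[] fakeSaltKey = newSalt();              // server secret for stable fake salts

    /** Registration: the client sends its chosen salt and clientHash(password, salt). */
    public void register(String user, byte[] salt, byte[] clientHash) throws Exception {
        if (db.containsKey(user)) throw new IllegalStateException("username taken");
        db.put(user, new Account(salt.clone(), verifier(salt, clientHash)));
    }

    /** Login step 1: hand out the user's salt; unknown users get a stable fake one (HMAC of the name). */
    public byte[] saltFor(String user) throws Exception {
        Account a = db.get(user);
        if (a != null) return a.salt.clone();
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(fakeSaltKey, "HmacSHA256"));
        return Arrays.copyOf(mac.doFinal(user.getBytes(StandardCharsets.UTF_8)), 16);
    }

    /** Login step 2: the client sends clientHash(password, salt); compare in constant time. */
    public boolean login(String user, byte[] clientHash) throws Exception {
        Account a = db.get(user);
        byte[] salt = a != null ? a.salt : fakeSaltKey;     // do the same work whether the user exists or not
        byte[] stored = a != null ? a.verifier : new byte[32];
        boolean match = MessageDigest.isEqual(stored, verifier(salt, clientHash));
        return match && a != null;
    }

    /** What gets stored: SHA-256(salt || clientHash).  The client hash is already 256 bits of
     *  PBKDF2 output, so a fast hash here is enough to make a leaked row useless on its own. */
    private static byte[] verifier(byte[] salt, byte[] clientHash) throws Exception {
        MessageDigest md = MessageDigest.getInstance("SHA-256");
        md.update(salt);
        return md.digest(clientHash);
    }

    public static void main(String[] args) throws Exception {
        ClientHashedLogin server = new ClientHashedLogin();

        // register: client picks the salt and hashes locally (constructed sample credentials)
        byte[] salt = newSalt();
        server.register("alice", salt, clientHash("correct horse".toCharArray(), salt));

        // login: client asks for the salt, hashes locally, sends only the hash
        byte[] s = server.saltFor("alice");
        System.out.println("right password:   " + server.login("alice", clientHash("correct horse".toCharArray(), s)));
        System.out.println("wrong password:   " + server.login("alice", clientHash("battery staple".toCharArray(), s)));
        byte[] s2 = server.saltFor("mallory");
        System.out.println("unknown user:     " + server.login("mallory", clientHash("anything".toCharArray(), s2)));
        System.out.println("fake salt stable: " + Arrays.equals(s2, server.saltFor("mallory")));
    }
}
```

The client-side hash is the slow part, so it has to be the same function with the same salt and iteration count at registration and at login; storing the iteration count next to the salt lets you raise it later without locking existing users out. This still does nothing about a faked server collecting the client hashes themselves, which is why the thread's own conclusion is that the hash, not the password, is what you are willing to lose without SSL.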
Offline Emmsii
« Reply #8 - Posted 2017-09-29 06:10:58 »

Okay, that seems to work fine! Yeah, it's not SSL; I'm not sure how to implement SSL with Kryonet, and the testing server I bought can't do HTTPS as it's an IP I connect to, not a domain name.

Thanks for your help!
Offline KaiHH
« Reply #9 - Posted 2017-09-29 10:36:29 »

Just FYI: There is a fantastic class in Java, the SSLEngine, which allows you to integrate SSL into any underlying transport mechanism. It provides very thorough documentation and acts as a "black box" which you pump sent packets into and pop received packets out of. You just need to provide it certificates in order to verify at least the server (in order to avoid man-in-the-middle attacks). You don't need to have a server URL or anything. The private and public certificate keys just need to match and be trusted (the trust store can be configured on the SSLContext of the SSLEngine).
See this example: https://docs.oracle.com/javase/7/docs/technotes/guides/security/jsse/samples/sslengine/SSLEngineSimpleDemo.java

I've integrated this in a project in the past implementing secure RTSP and RTP over a reliable UDP protocol using Netty to provide the transport mechanism and integrating the SSLEngine into Netty's pipeline/upstream/downstream architecture, making it completely transparent to any upper OSI application layer.
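The SSLEngine approach from reply #9, as an added example that is not code from the thread or from the linked Oracle demo: two engines, one in client mode and one in server mode, handshaking through two in-memory ByteBuffers that stand in for whatever transport you have (with Kryonet you would ship the contents of those buffers in your own messages). The keystore file name server.p12, its password and the alias are assumptions; the keytool command in the comment creates such a file, and the same file serves as the server's key store and the client's trust store.

```java
import java.io.FileInputStream;
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLEngineResult;
import javax.net.ssl.SSLSession;
import javax.net.ssl.TrustManagerFactory;

/**
 * Client and server SSLEngine talking through in-memory buffers: the "black box" from
 * reply #9, with our own code moving the bytes.  Example for this thread, not Kryonet code.
 * Assumes a PKCS12 keystore server.p12 (password "changeit") with one self-signed key pair:
 *   keytool -genkeypair -keyalg RSA -keysize 2048 -alias server -dname CN=game-server \
 *           -storetype PKCS12 -keystore server.p12 -storepass changeit
 */
public final class SslEngineLoopback {

    static SSLContext contextFrom(String path, char[] pw) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (FileInputStream in = new FileInputStream(path)) { ks.load(in, pw); }
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, pw);                                      // server's private key + certificate
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);                                          // client trusts exactly this certificate
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    /** NEED_TASK work is run inline here; a real server would hand it to a thread pool. */
    static void runTasks(SSLEngine e) {
        Runnable r;
        while ((r = e.getDelegatedTask()) != null) r.run();
    }

    /** Our buffers are sized from the session, so overflow would be a programming error. */
    static void check(SSLEngineResult r) {
        if (r.getStatus() == SSLEngineResult.Status.BUFFER_OVERFLOW)
            throw new IllegalStateException("destination buffer too small: " + r);
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = contextFrom("server.p12", "changeit".toCharArray());
        SSLEngine client = ctx.createSSLEngine("game-server", 54555);   // host/port only hint session caching
        client.setUseClientMode(true);
        SSLEngine server = ctx.createSSLEngine();
        server.setUseClientMode(false);

        SSLSession s = client.getSession();
        ByteBuffer cToS = ByteBuffer.allocate(s.getPacketBufferSize());      // "the wire", client -> server
        ByteBuffer sToC = ByteBuffer.allocate(s.getPacketBufferSize());      // "the wire", server -> client
        ByteBuffer clientIn = ByteBuffer.allocate(s.getApplicationBufferSize());
        ByteBuffer serverIn = ByteBuffer.allocate(s.getApplicationBufferSize());
        ByteBuffer clientOut = ByteBuffer.wrap("LOGIN alice".getBytes(StandardCharsets.UTF_8)); // constructed
        ByteBuffer serverOut = ByteBuffer.wrap("OK".getBytes(StandardCharsets.UTF_8));          // constructed

        client.beginHandshake();
        server.beginHandshake();
        // Pump until both application messages have crossed.  While the handshake is in
        // progress wrap() consumes no application data; once it completes the plaintext flows.
        while (clientOut.hasRemaining() || serverOut.hasRemaining()
                || serverIn.position() < clientOut.limit() || clientIn.position() < serverOut.limit()) {
            check(client.wrap(clientOut, cToS)); runTasks(client);
            check(server.wrap(serverOut, sToC)); runTasks(server);
            cToS.flip(); sToC.flip();                         // "send" both directions
            check(client.unwrap(sToC, clientIn)); runTasks(client);
            check(server.unwrap(cToS, serverIn)); runTasks(server);
            cToS.compact(); sToC.compact();                   // keep any record not yet consumed
        }
        serverIn.flip(); clientIn.flip();
        System.out.println("server got:  " + StandardCharsets.UTF_8.decode(serverIn));
        System.out.println("client got:  " + StandardCharsets.UTF_8.decode(clientIn));
        System.out.println("negotiated:  " + client.getSession().getProtocol() + " " + client.getSession().getCipherSuite());
        X509Certificate peer = (X509Certificate) client.getSession().getPeerCertificates()[0];
        System.out.println("server cert: " + peer.getSubjectX500Principal());
    }
}
```

Because the client's trust store holds exactly that one self-signed certificate, no domain name or public CA is involved, which is the point of the reply: a server that does not hold the matching private key fails the handshake with an SSLHandshakeException instead of quietly receiving the login. A fresh client must ship (or pin) that certificate, so rotate it deliberately. If the server later sits behind a hostname, hostname checking can be added on top with SSLParameters.setEndpointIdentificationAlgorithm("HTTPS"). For UDP-carried traffic the same pattern applies with DTLS, which is what the reliable-UDP setup mentioned above would need.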