  Online secure databank for usernames and their passwords?  (Read 2172 times)
Offline Riven
« Reply #30 - Posted 2013-08-06 13:22:00 »

The nice thing of a hash challenge is that the 'shared secret' doesn't go over the wire - whether that is a password or passhash doesn't matter. The shared secret shouldn't be revealed to a man in the middle, as that allows a replay attack.

Offline jonjava
« Reply #31 - Posted 2013-08-06 15:13:11 »

Also:

http://www.youtube.com/v/YEBfamv-_do?version=3&hl=en_US&start=

And:

http://www.youtube.com/v/dleUxfghd5I?version=3&hl=en_US&start=

Offline delt0r
« Reply #32 - Posted 2013-08-06 15:23:46 »

I have done it as Riven described for a few years now. Hashes need to be fast. If you want them to go slow, do it a million times. Or a billion. There have been some papers on using hashes in a way that current GPUs (and bitcoin) hardware would be slow at. Typically something that requires a lot of branching. No idea of the security community's response.

Of course you don't need much to be pretty good for online-only attacks. But these days every expert is calling passwords broken in the offline attack vector.

Securing a server these days is not easy if you don't know what you're doing. Anyone who says different is lying or ignorant.

Then there is this https://xkcd.com/792/.

Offline Riven
« Reply #33 - Posted 2013-08-08 05:38:06 »

The passhash itself is not stored as-is in the database, it is salted.

Table: Account [username, salt, saltedpasshash]

saltedpasshash = hash(hash(salt)+"::"+hash(passhash));
passhash is generated clientside, using hasher that takes ~1s

So server has salt, hash(hash(salt)+"::"+hash(passhash)), challenge, and needs to verify submitted value of hash(passhash+"::"+hash(challenge))? That doesn't seem possible unless the hash is open to being extended in both directions.

I forgot to add that the server sending the salt to the client is part of the hash challenge.

Both parties can calculate the shared secret (saltedpasshash) and therefore the answer to the hash challenge.

A MITM attack would be successful if the passhash is intercepted during registration and the salt is intercepted during the hash challenge. That's why registration has to be done over a secured channel, while there is no such need for the hash challenge, nor for any further communication using nonce-based access tokens.

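The scheme Riven lays out in the replies above (client-side slow passhash, server-side salted shared secret, a salt plus nonce challenge, an answer both sides can derive without the secret crossing the wire) as a runnable Python example. This is added here and is not code from the thread or from any JGO project; the thread's formulas are kept verbatim, but everything else is assumed: SHA-256 as `hash`, PBKDF2-HMAC-SHA256 keyed on the username standing in for the unspecified ~1s client hasher, `os.urandom` nonces, and an in-memory dict as the Account table. It also shows delt0r's point about the online attack surface from the other side: a captured answer is useless once the nonce has been consumed.

```python
"""Hash-challenge login as described in the thread (constructed example, not the forum's code)."""
import hashlib
import hmac
import os

SEP = b"::"
# Assumption: the client's "hasher that takes ~1s" is PBKDF2-HMAC-SHA256 keyed on the
# username; the thread only states the cost, not the function. Iterations kept low for a demo.
CLIENT_ITERATIONS = 100_000


def h(data: bytes) -> bytes:
    """The fast hash() used in the thread's formulas (assumed SHA-256)."""
    return hashlib.sha256(data).digest()


def client_passhash(username: str, password: str) -> bytes:
    """Slow client-side hash; the raw password never leaves the client."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), username.encode(), CLIENT_ITERATIONS)


def salted_passhash(salt: bytes, passhash: bytes) -> bytes:
    """saltedpasshash = hash(hash(salt)+"::"+hash(passhash)); this is the shared secret."""
    return h(h(salt) + SEP + h(passhash))


def challenge_answer(shared_secret: bytes, challenge: bytes) -> bytes:
    """Answer both sides can compute from the shared secret; the secret itself is never sent."""
    return h(shared_secret + SEP + h(challenge))


class Server:
    def __init__(self) -> None:
        self.accounts = {}  # username -> (salt, saltedpasshash), the thread's Account table
        self.pending = {}   # username -> outstanding single-use challenge nonce

    def register(self, username: str, passhash: bytes) -> None:
        # The only step where passhash travels, so this exchange needs a secured channel.
        salt = os.urandom(16)
        self.accounts[username] = (salt, salted_passhash(salt, passhash))

    def start_login(self, username: str) -> tuple:
        # Sent in the clear: the stored salt and a fresh nonce. Neither reveals the secret.
        salt, _ = self.accounts[username]
        challenge = os.urandom(16)
        self.pending[username] = challenge
        return salt, challenge

    def verify(self, username: str, answer: bytes) -> bool:
        # Pop the nonce so a captured answer cannot be replayed against a later login.
        challenge = self.pending.pop(username, None)
        if challenge is None:
            return False
        _, secret = self.accounts[username]
        return hmac.compare_digest(challenge_answer(secret, challenge), answer)


def client_login(server: Server, username: str, password: str) -> bool:
    """Client side of one login: receive salt + challenge, rebuild the secret, answer."""
    salt, challenge = server.start_login(username)
    secret = salted_passhash(salt, client_passhash(username, password))
    return server.verify(username, challenge_answer(secret, challenge))


def demo() -> dict:
    """Registration, a correct login, a wrong password, and a replay of a captured answer."""
    srv = Server()
    srv.register("alice", client_passhash("alice", "correct horse"))
    results = {
        "good": client_login(srv, "alice", "correct horse"),
        "wrong_password": client_login(srv, "alice", "battery staple"),
    }
    # An eavesdropper on the unsecured channel sees salt, challenge and this answer...
    salt, challenge = srv.start_login("alice")
    captured = challenge_answer(salted_passhash(salt, client_passhash("alice", "correct horse")), challenge)
    srv.verify("alice", captured)  # the legitimate login consumes the nonce
    # ...but replaying it against the next challenge fails because the nonce differs.
    srv.start_login("alice")
    results["replay"] = srv.verify("alice", captured)
    return results


if __name__ == "__main__":
    print(demo())
```

The constant-time compare and the pop of the pending nonce are the two details worth copying even if the hash construction changes: without the pop, any captured answer stays valid for as long as that challenge is outstanding.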