Java-Gaming.org    
  Online secure databank for usernames and their passwords?  (Read 1790 times)
Riven
« Reply #30 - Posted 2013-08-06 15:22:00 »

The nice thing about a hash challenge is that the 'shared secret' doesn't go over the wire - whether that is a password or a passhash doesn't matter. The shared secret shouldn't be revealed to a man in the middle, as that allows a replay attack.

jonjava
« Reply #31 - Posted 2013-08-06 17:13:11 »

Also:

http://www.youtube.com/v/YEBfamv-_do?version=3&hl=en_US&start=

And:

http://www.youtube.com/v/dleUxfghd5I?version=3&hl=en_US&start=

delt0r
« Reply #32 - Posted 2013-08-06 17:23:46 »

I have done it as Riven described for a few years now. Hashes need to be fast. If you want them to go slow, do it a million times. Or a billion. There have been some papers on using hashes in a way that current GPU (and bitcoin) hardware would be slow at. Typically something that requires a lot of branching. No idea of the security community's response.

Of course you don't need much to be pretty good for online-only attacks. But these days every expert is calling passwords broken in the offline attack vector.

Securing a server these days is not easy if you don't know what you're doing. Anyone who says different is lying or ignorant.

Then there is this https://xkcd.com/792/.

Riven
« Reply #33 - Posted 2013-08-08 07:38:06 »

The passhash itself is not stored as-is in the database, it is salted.

Table: Account [username, salt, saltedpasshash]
saltedpasshash = hash(hash(salt)+"::"+hash(passhash));
passhash is generated clientside, using a hasher that takes ~1s

So server has salt, hash(hash(salt)+"::"+hash(passhash)), challenge, and needs to verify submitted value of hash(passhash+"::"+hash(challenge))? That doesn't seem possible unless the hash is open to being extended in both directions.

I forgot to add that the server sending the salt to the client is part of the hash challenge.

Both parties can calculate the shared secret (saltedpasshash) and therefore the answer to the hash challenge.

A MITM attack would be successful if the passhash is intercepted during registration and the salt is intercepted during the hash challenge. That's why registration has to be done over a secured channel, while there is no such need for the hash challenge, nor for any further communication using nonce-based access tokens.

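The scheme in Riven's two posts above (slow client-side passhash, server storing only salt and saltedpasshash, salt plus nonce as the challenge, response computed from saltedpasshash so neither password nor passhash crosses the wire) and delt0r's "do it a million times" stretching, as one added example. This is not code from the thread or from java-gaming.org; the thread names no hash function, so SHA-256 as the fast hash, PBKDF2 for the slow client-side passhash, the iteration count, the 16-byte nonces and the username-derived client-side salt are all assumptions here. It also answers the objection quoted in the post: the server never needs to extend a hash, because it holds saltedpasshash itself and computes the expected response from that.

```python
"""Hash-challenge login as described in the thread (added example, not the
thread's code).  Assumed primitives: SHA-256 as the fast hash, PBKDF2-SHA256
as the ~1s client-side hasher, 16-byte random salts and nonces."""
import hashlib
import hmac
import secrets


def h(data: str) -> str:
    """The 'hash' of the thread; SHA-256 hex is an assumption."""
    return hashlib.sha256(data.encode()).hexdigest()


def passhash(username: str, password: str, iterations: int = 200_000) -> str:
    """Client-side slow hash ('do it a million times').  PBKDF2 and the
    username-derived salt are assumptions; tune iterations to ~1s."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(),
                               ("passhash::" + username).encode(),
                               iterations).hex()


def salted_passhash(salt: str, ph: str) -> str:
    """saltedpasshash = hash(hash(salt)+"::"+hash(passhash)), per the post."""
    return h(h(salt) + "::" + h(ph))


# Table: Account [username, salt, saltedpasshash]
accounts: dict[str, tuple[str, str]] = {}
# Challenges the server has issued and not yet consumed (replay defence).
outstanding: dict[str, set[str]] = {}


def register(username: str, ph: str) -> None:
    """Registration: passhash crosses the wire, so this step needs a
    secured channel (the MITM case the post warns about)."""
    salt = secrets.token_hex(16)
    accounts[username] = (salt, salted_passhash(salt, ph))


def server_challenge(username: str) -> tuple[str, str]:
    """Server sends salt + fresh nonce; both are safe to send in the clear."""
    salt, _ = accounts[username]
    nonce = secrets.token_hex(16)
    outstanding.setdefault(username, set()).add(nonce)
    return salt, nonce


def client_response(salt: str, challenge: str, ph: str) -> str:
    """Client recomputes the shared secret and answers the challenge;
    neither password nor passhash is sent."""
    shared = salted_passhash(salt, ph)
    return h(shared + "::" + h(challenge))


def server_verify(username: str, challenge: str, response: str) -> bool:
    """Server computes the same answer from the stored saltedpasshash.
    A challenge is accepted once, so a captured response cannot be replayed."""
    if username not in accounts:
        return False
    if challenge not in outstanding.get(username, set()):
        return False
    outstanding[username].discard(challenge)
    _, shared = accounts[username]
    expected = h(shared + "::" + h(challenge))
    return hmac.compare_digest(expected, response)


def demo(iterations: int = 200_000) -> tuple[bool, bool, bool]:
    """Returns (honest login ok, replay rejected, wrong password rejected)."""
    ph = passhash("alice", "correct horse battery staple", iterations)
    register("alice", ph)
    salt, chal = server_challenge("alice")
    resp = client_response(salt, chal, ph)
    ok = server_verify("alice", chal, resp)
    replayed = server_verify("alice", chal, resp)
    salt2, chal2 = server_challenge("alice")
    bad = client_response(salt2, chal2, passhash("alice", "wrong", iterations))
    wrong = server_verify("alice", chal2, bad)
    return ok, not replayed, not wrong


if __name__ == "__main__":
    print(demo())
```

Only the salt, the nonce and a one-time response travel during login, so a listener learns nothing reusable; what a listener on the registration channel learns (the passhash) is enough to log in forever, which is exactly why the post puts registration, and only registration, over a secured channel.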