All geek questions in one place

Login Authentication

First of all, I will say that I am completely new to coding security. I am currently helping a friend develop a small game (in Python) that will have a login server. I have little security knowledge, but I know that many games have problems with this. Everything from third-party applications (bots) to processing WPE packages. Given how small this game is and the limited user base, I doubt that we will have serious problems, but we would like to try our best to limit the problems. I'm not sure where to start or what methods I should use, or what it costs. For example, sending data to a server, such as username and password.

I was told that his information should be encrypted when sending, so if someone was viewing it (in any way), they could not get into the account. However, if someone can capture an encrypted string, will this string always work on the decrypted side of the server? In other words, can someone just grab the package, reuse it and still access the account?

The main goal I'm really looking for is to make sure that the players enter the game with the client that we provide, and to make sure that he is “protected” (broadly, I know). I looked at various methods, such as Public and Private Key encryption, and I'm sure that any hex editor can be found anyway. At the moment there are many other methods that seem to me on my head and leave the impression of being superfluous.

I understand that nothing is 100% safe. I am just looking for any input or reading material (link) to achieve the main goal mentioned above. Thanks for any help, thanks.

+4
source share
4 answers

This is a difficult problem because the code runs on the client. The playback problem can be solved by using a task that allows the server to send a random token, which the client adds to the string that must be encrypted. Thus, the password string will be different each time, and the repeated play of the encrypted string will not work (since the server checks if the encrypted password has the last sent token)

The problem is that the encryption key must be stored on the client, and this key can be retrieved.

+1
source

Although this particular application may be redundant (a small game, a limited user base), you should seriously consider using oAuth , as this application gives you a great chance to learn this technology (which is really strong and widespread and spreading more and more!) to apply it in the future - it was developed and implemented by excellent programmers with strong protection. You can study their tutorial to get a clear understanding and background, and then use libraries like python-oauth2 to implement oauth simply and productively on your desktop application.

+1
source

A simple answer to the question of how to protect the password passing through the wire, repeated attacks and falsification of messages: use SSL. Yes, there are other things you can do with request response schemes for the login part, but it looks like you really want the entire channel to be protected anyway. Use SSL at the socket level, and then you don’t need to do anything complicated in the way you send your credentials.

+1
source

How to protect the client ... The most realistic is to say that you do not. When you write server code, never trust any data that the client sends to you. Never give the customer any information that you do not want to have.

In some games, such as chess (or really something turn-based), this actually works very well, because it is very easy for the server to verify that the move the client has completed is a legal step.

In other games, these restrictions are not so practical, and then I do not know what you would do, in terms of code. I would try to shift this problem to the social one: to bring other dice to other players you trust to the game table? If not, can you play with someone else?

+1
source

Source: https://habr.com/ru/post/1305248/

More articles:


All Articles