initial sending password to SFS/DB

Post here your questions about Actionscript and Java server side extensions development.

Moderators: Lapo, Bax

rav
Posts: 82
Joined: 06 Dec 2010, 13:14

Post by rav »

I want to register a new user in the game (there is no password in the DB yet). How can I send the password to SFS in encrypted form? (I don't want to use registration via an http server or something like that.)

I see such way:
1.
user side: user clicks the registration button and sees the registration form.
server side: logs the user into some LoginZone (without authorization) and sends the user a public key
2.
user side: user fills in the form and sends this data to SFS with the password encrypted via the public key (received from the server)
server side: receives the encrypted password, decrypts it via the private key and saves it to the DB, and maybe relogs the user into the GameZone
BigFIsh
Posts: 1698
Joined: 25 Feb 2008, 19:26
Location: New Zealand

Post by BigFIsh »

This is what I do: I encrypt the password using MD5 and send it to the server along with other registration data. The password will then be stored in the database as a MD5 hash string.
Smartfox's forum is my daily newspaper.
rav
Posts: 82
Joined: 06 Dec 2010, 13:14

Post by rav »

BigFIsh wrote: This is what I do: I encrypt the password using MD5 and send it to the server along with other registration data.

Seems this is insecure. If a hacker intercepts/reads your message he'll be able to use this MD5 hash as your password afterwards.
BigFIsh
Posts: 1698
Joined: 25 Feb 2008, 19:26
Location: New Zealand

Post by BigFIsh »

But the hacker would have to decrypt the password in order to find out the original password. You can make the MD5 more secure by adding a 'key' of some sort when generating the MD5 for a password.
Smartfox's forum is my daily newspaper.
rav
Posts: 82
Joined: 06 Dec 2010, 13:14

Post by rav »

But there will be just the MD5 hash (not the original password) in the DB on the server side because "I encrypt the password using MD5 and send it to the server", so hackers do not need to know the original password. Just send this MD5 hash and the server will match them (the MD5 hash in the DB is equal to the MD5 hash stolen by the hacker).
BigFIsh
Posts: 1698
Joined: 25 Feb 2008, 19:26
Location: New Zealand

Post by BigFIsh »

When 'logging in', the password would be mixed with the randomKey received from the server plus an additional unique local key stored inside the client swf. Thus, only sending the hashed password won't work.

For example.. md5.hash(md5.hash(raw_password) + SFSRandomKey + localKey)

Then compare that password on the server side via

_server.md5(databaseHashPassword + SFSRandomKey + localKey)
Smartfox's forum is my daily newspaper.
rav
Posts: 82
Joined: 06 Dec 2010, 13:14

Post by rav »

Ok, can you please explain how the 'originalPass' (which is used in checkSecurePassword) will be passed to the server DB?

boolean checkSecurePassword(ISession session,
String originalPass,
String encryptedPass)

Be sure 'SFSRandomKey' and 'localKey' are known to hackers (SFSRandomKey - intercepted, localKey - decompiled).

I suppose that there is only one really secure way to transmit your 'originalPass' to the server: encrypt it with something that could be decrypted ONLY on the server side.
Using 'SFSRandomKey' with 'localKey' looks like an attempt to implement security via the algorithm.
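A small model of the scheme BigFIsh describes above (register by sending md5(raw), then log in with md5(md5(raw) + SFSRandomKey + localKey), checked server side as md5(storedHash + SFSRandomKey + localKey)), together with a check for the property rav raises: whoever holds the stored hash can answer a fresh challenge without the raw password. This is an added illustration, not code from the thread or from SmartFoxServer; the dict "DB", the key values and the function names are constructed for the example.

```python
import hashlib
import hmac
import secrets

# Constructed stand-in for the key compiled into the client swf.
LOCAL_KEY = "example-local-key"


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def register(db: dict, username: str, raw_password: str) -> None:
    # Registration as described in the thread: the client sends md5(raw)
    # and the server stores that hash as-is.
    db[username] = md5_hex(raw_password)


def client_login_response(raw_password: str, sfs_random_key: str,
                          local_key: str = LOCAL_KEY) -> str:
    # Client side of the login: md5.hash(md5.hash(raw_password) + SFSRandomKey + localKey)
    return md5_hex(md5_hex(raw_password) + sfs_random_key + local_key)


def server_check(db: dict, username: str, sfs_random_key: str, response: str,
                 local_key: str = LOCAL_KEY) -> bool:
    # Server side: _server.md5(databaseHashPassword + SFSRandomKey + localKey)
    stored = db.get(username)
    if stored is None:
        return False
    expected = md5_hex(stored + sfs_random_key + local_key)
    return hmac.compare_digest(expected, response)


def challenge_answerable_from_stored_hash(db: dict, username: str,
                                          local_key: str = LOCAL_KEY) -> bool:
    # Design check for rav's objection: the server's own verification formula
    # needs only the stored hash, so the stored hash (the same value that was
    # sent in the clear at registration) is password-equivalent. Returns True
    # when a login computed from the stored hash alone is accepted.
    challenge = secrets.token_hex(8)
    from_hash_only = md5_hex(db[username] + challenge + local_key)
    return server_check(db, username, challenge, from_hash_only, local_key)
```

Note that the per-login random key does stop replay of a captured login response, which is what BigFIsh's scheme is for; it does not change the password-equivalence of the stored registration hash.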
BigFIsh
Posts: 1698
Joined: 25 Feb 2008, 19:26
Location: New Zealand

Post by BigFIsh »

Is this for SFS2X?
Smartfox's forum is my daily newspaper.
rav
Posts: 82
Joined: 06 Dec 2010, 13:14

Post by rav »

Yep, but I suppose this is suitable for 1.x too.
BigFIsh
Posts: 1698
Joined: 25 Feb 2008, 19:26
Location: New Zealand

Post by BigFIsh »

Okay, it's just that maybe SFS2X does it all differently. I'm not sure, as I haven't played around with SFS2X yet. So I don't know what checkSecurePassword does.

localKey would be known if a hacker decodes the file, that's correct. But if you use a strong swf encryption such as SWFEncrypt, it would prove difficult to do so. Hackers wouldn't know what SFSRandomKey does unless they knew how the system works.

The 'original password' (without localKey and SFSRandomKey) will be sent as a raw MD5 string which in turn gets stored in the database. It doesn't matter if a hacker knows this MD5 unless it was decoded. It's impossible to decode an MD5 unless it was a 'common' word, in which case there would be a database containing the linkage between each common word and its MD5.
Smartfox's forum is my daily newspaper.
rav
Posts: 82
Joined: 06 Dec 2010, 13:14

Post by rav »

Here (http://forums.smartfoxserver.com/viewto ... 9&start=15) Lapo and I came to some conclusion; there was a bit of misunderstanding between 'logging in' and 'registration' :)