Development: Game Secure Login Feature...

For announcing, describing and discussing code changes to BNT.

TheMightyDude
Site Admin
Posts: 311
Joined: Thu Apr 17, 2014 09:15 UTC

Development: Game Secure Login Feature...

Post by TheMightyDude » Wed Mar 07, 2018 05:15 UTC

Sorry I've not been around; I've not been too well and have also been looking up spec sheets etc.

So I am still deciding on how to handle the Authentication side of things.

Now I could use the standard HTTPS so things would be secure, but could things be more secure?
YES.

I have been looking into SRP (Secure Remote Password), where a user can log in without the need to send their password to the server.
You might say WTF, how?

Well, SRP uses huge prime numbers along with mathematics and hashes etc. to do this, and it does work.
Take a look here: http://srp.stanford.edu/design.html for more details; my explanation doesn't do it justice.

Now, here is the gotcha: PHP cannot do this without the need to install loads of crap, which leads me to the following:
I use the Web Service over TLS (i.e. HTTPS) for players creating and logging into their account (only to change profile settings); this Web Service will locally log into the Authentication Server, which will do all the SRP stuff.

I hear you say, why use SRP if you are using HTTPS, which is secure?
This is true, but for players to log in via the game client it would have to first connect to the Web Service, then the Lobby, then on to the chosen Game Server.
But for this to work I would have to create another client service in the game.

Now, doing it the way I am hoping for:
Players could create an account, log in via the site and change their profile settings etc.
Players could log in via the Game Client, where it connects directly to the Authentication Service using SRP; I chose this so I don't have to securely encrypt TCP or UDP network messages.

And having to encrypt and decrypt every network message adds CPU cycles, resulting in fewer players being able to play.

So at this point in time I am doing tests to see if this is worth doing.
TheMightyDude::Blacknova Development.
Development Blog YouTube Dev Channel Twitter Twitch

thekabal
Posts: 100
Joined: Sat Apr 19, 2014 22:32 UTC

Re: Development: Game Secure Login Feature...

Post by thekabal » Sun Mar 11, 2018 22:54 UTC

While this implementation requires a few PHP libraries (mcrypt, mhash, gmp, bcmath, json, mysql): https://github.com/baryluk/srp_php

This one does not: https://github.com/RuslanZavacky/srp-6a-demo

Looks relatively straightforward to implement, although doing so in BNT would take some extra effort. Good luck on your project! :)

TheMightyDude
Site Admin
Posts: 311
Joined: Thu Apr 17, 2014 09:15 UTC

Re: Development: Game Secure Login Feature...

Post by TheMightyDude » Mon Mar 12, 2018 01:55 UTC

thekabal wrote: While this implementation requires a few PHP libraries (mcrypt, mhash, gmp, bcmath, json, mysql): https://github.com/baryluk/srp_php

This one does not: https://github.com/RuslanZavacky/srp-6a-demo

Well, I did see both of them in my searches; the first one does require installing some PHP libraries, but after some checking I only needed to install GMP, so not all bad.

The second one requires Composer with PHP classes; while not that bad, I don't really want to rely on 3rd party PHP classes, having been burnt too many times going down that route (i.e. ADODB). Plus GMP is still being developed and works with PHP 7 if or when we upgrade down the line.

So I will try the first one on my Dev Server and see how it goes.

The only issue I have with the first one is that the developer of the PHP code has coded it in their own language. Sure, I could just translate it, but the only issue I had with PHP doing the SRP stuff was the large prime numbers etc., which those PHP libs resolve, so I might just write my own SRP using those PHP libraries; I did it for C# from scratch using Mono.Math.

Also, they state that you don't need to use certificates or send the user's password, when in fact you need to use both in their code.
This is because their code is all in PHP and you are required to supply the user's password on the client side of the code.
But that isn't an issue for me, because I am using a certificate so I can send the password.

I hear you say "Yeah, but SRP is there so that you don't need to send your password". This is true, but browsers don't support SRP so we cannot; we could use JavaScript to be run in the user's browser, but what if they have scripts disabled? Plus I have heard some browsers are slow doing this.

All I need is for the user to be able to create their account, log in to it and change their information securely. They can do this already via HTTPS (TLS), and at the same time the Game Client can log in securely via TCP, which is not encrypted, which was why I needed SRP to work; in my test dev code it works fine atm.

Up to this point the only issue was that I had to be able to create the password verifier hash along with the salt, which required large, well, huge prime numbers, and that PHP code using GMP should resolve that issue.
thekabal wrote: Looks relatively straightforward to implement, although doing so in BNT would take some extra effort. Good luck on your project! :)

Yeah, it is once you understand what it is exactly doing, and depending on the actual SRP version that is being implemented.

As for adding it to BNT, it would still require sending the username and password via HTTPS (TLS), so it's still secure; the main reason for doing it would be to be able to store non-password information but still be able to prove that the connecting user and the server both know the password is valid.

I currently use BCRYPT, which uses CRYPT_BLOWFISH, which is good enough for now for the current BNT.

So if I were to update the current BNT code to work with SRP, then yes, it would require a fair amount of code change but also might break stuff.

But since this is for the new version I am working on, I can work around what is used.

The main thing is to be able to get the Game Client using its own client-side SRP stuff, as well as getting the PHP client SRP stuff working with the server-side SRP stuff.

So they both need to talk to each other.
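Two points in this thread are easier to see in code than in prose: the first post's claim that an SRP user logs in without the password ever leaving the client, and the later point that the server only needs to store a salt and a password verifier built from a huge prime. The following is an added example written for this page, not code from the thread, from BNT, or from either linked PHP project. It runs both sides of an SRP-6a exchange in one Python file so the messages are visible. Assumptions: the 1024-bit group is the one from RFC 5054 Appendix A quoted from memory (so the block re-checks that N is a safe prime before trusting it), SHA-256 is the hash, the client/server proofs use the simplified form M1 = H(A, B, K) and M2 = H(A, M1, K) rather than the longer RFC 2945 formula, and the account "alice" is a constructed sample.

```python
"""SRP-6a login exchange, client and server in one file (added example).

Registration hands the server only (salt, v = g^x mod N); login never sends the
password, and both sides derive the same session key only if the client knows it.
"""
import hashlib
import os

# 1024-bit safe prime and generator from RFC 5054 Appendix A (quoted from memory;
# group_is_safe() re-checks primality, since a wrong modulus weakens the protocol).
N_HEX = ("EEAF0AB9ADB38DD69C33F80AFA8FC5E86072618775FF3C0B9EA2314C9C256576"
         "D674DF7496EA81D3383B4813D692C6E0E0D5D8E250B98BE48E495C1D6089DAD1"
         "5DC7D7B46154D6B6CE8EF4AD69B15D4982559B297BCF1885C529F566660E57EC"
         "68EDBC3C05726CC02FD4CBF4976EAA9AFD5138FE8376435B9FC61D2FC0EB06E3")
N = int(N_HEX, 16)
g = 2
N_BYTES = (N.bit_length() + 7) // 8
MR_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def is_probable_prime(n):
    """Miller-Rabin with fixed small bases: enough to catch a mistyped modulus."""
    if n < 2:
        return False
    for p in MR_BASES:
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for a in MR_BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def group_is_safe():
    """SRP's security argument needs N and (N-1)/2 both prime (a safe prime)."""
    return is_probable_prime(N) and is_probable_prime((N - 1) // 2)


def H(*parts):
    """SHA-256 of the concatenation; ints are left-padded to |N| bytes as in RFC 5054."""
    h = hashlib.sha256()
    for p in parts:
        h.update(p.to_bytes(N_BYTES, "big") if isinstance(p, int) else p)
    return int.from_bytes(h.digest(), "big")


k = H(N, g)  # SRP-6a multiplier parameter


def private_x(salt, username, password):
    """x = H(salt | H(username ':' password)); computed on the client only."""
    inner = hashlib.sha256(f"{username}:{password}".encode()).digest()
    return int.from_bytes(hashlib.sha256(salt + inner).digest(), "big")


def register(username, password):
    """Client side of enrolment: the server receives (salt, v = g^x), never the password."""
    salt = os.urandom(16)
    return salt, pow(g, private_x(salt, username, password), N)


def srp_login(username, password, server_db):
    """One login. Returns (server_accepts_client, client_accepts_server, keys_match)."""
    salt, v = server_db[username]          # all the secret material the server holds

    # Client -> Server: username, A = g^a
    a = int.from_bytes(os.urandom(32), "big") % N
    A = pow(g, a, N)

    # Server -> Client: salt, B = k*v + g^b  (server aborts if A mod N == 0)
    if A % N == 0:
        raise ValueError("illegal client public value")
    b = int.from_bytes(os.urandom(32), "big") % N
    B = (k * v + pow(g, b, N)) % N

    # Both sides: u = H(A, B); client aborts if B mod N == 0 or u == 0
    if B % N == 0:
        raise ValueError("illegal server public value")
    u = H(A, B)
    if u == 0:
        raise ValueError("degenerate scrambling parameter")

    # Client: S = (B - k*g^x)^(a + u*x), K = H(S), proof M1 = H(A, B, K)  (simplified form)
    x = private_x(salt, username, password)
    S_c = pow((B - k * pow(g, x, N)) % N, a + u * x, N)
    K_c = H(S_c)
    M1 = H(A, B, K_c)

    # Server: S = (A * v^u)^b, checks M1, answers M2 = H(A, M1, K)
    S_s = pow((A * pow(v, u, N)) % N, b, N)
    K_s = H(S_s)
    server_ok = M1 == H(A, B, K_s)
    M2 = H(A, M1, K_s)

    # Client checks the server's proof before using K for anything
    client_ok = M2 == H(A, M1, K_c)
    return server_ok, client_ok, K_c == K_s


if __name__ == "__main__":
    db = {"alice": register("alice", "correct horse")}      # constructed sample account
    print(group_is_safe(), srp_login("alice", "correct horse", db), srp_login("alice", "wrong", db))
```

The shape of the exchange is what matters for the design being discussed: a game client talking plain TCP can run exactly these four messages (A; salt and B; M1; M2) and end with a shared key K, while the web side only ever needs to send the server a (salt, verifier) pair over TLS, so the server never has to see or hold the password in either path. A real server should also abort as soon as M1 fails rather than answer with M2 as this demo does for illustration.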
