Development: Game Secure Login Feature...
Posted: Wed Mar 07, 2018 05:15 UTC
Sorry I haven't been around, I haven't been too well and I've also been looking up spec sheets etc.
So I am still deciding on how to handle the Authentication side of things.
Now I could use the standard HTTPS so things would be secure, but could things be more secure?
YES.
I have been looking into SRP (Secure Remote Password) where a user can login without the need to send their password to the server.
You might say WTF, how?
Well, SRP uses huge prime numbers along with mathematics and hashes etc. to do this, and it does work.
Take a look here: http://srp.stanford.edu/design.html for more details, my explaining doesn't do it justice.
Now, here is the gotcha: PHP cannot do this without the need to install loads of crap to do it, which leads me to the following:
I use the Web Service over TLS (i.e. HTTPS) for players creating and logging into their account (only to change profile settings); this Web Service will locally log into the Authentication Server, which will do all the SRP stuff.
I hear you say, "Why use SRP if you are using HTTPS, which is secure?"
This is true, but for players to log in via the game client it would have to first connect to the Web Service, then the Lobby, then on to the chosen Game Server.
But for this to work I would have to create another client service into the game.
Now doing it the way I am hoping for:
Players could create, login via the site and change their profile settings etc.
Players could log in via the Game Client, where it connects directly to the Authentication Service using SRP. I chose this so I don't have to securely encrypt TCP or UDP network messages.
And having to encrypt and decrypt every network message adds CPU cycles, resulting in fewer players being able to play.
So at this point in time I am doing tests to see if this is worth doing.
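To make the SRP flow above concrete, here is an added example (not code from this post or from the author's game) of one complete SRP-6a login in Python: the server stores only a salt and a verifier, the client's password never leaves the client, and each side proves it derived the same session key. It assumes the RFC 5054 1024-bit group with SHA-256 as the hash; the username and password are constructed sample values.

```python
import hashlib
import hmac
import secrets

# RFC 5054 1024-bit group (prime as transcribed from the RFC), generator 2.
N = int("EEAF0AB9ADB38DD69C33F80AFA8FC5E86072618775FF3C0B9EA2314C9C256576D674DF7496EA81D3383B4813D692C6E0E0D5D8E250B98BE48E495C1D6089DAD15DC7D7B46154D6B6CE8EF4AD69B15D4982559B297BCF1885C529F566660E57EC68EDBC3C05726CC02FD4CBF4976EAA9AFD5138FE8376435B9FC61D2FC0EB06E3", 16)
g = 2
N_LEN = (N.bit_length() + 7) // 8          # 128 bytes; used to pad values before hashing

def pad(n: int) -> bytes:
    return n.to_bytes(N_LEN, "big")

def H(*parts: bytes) -> int:
    return int.from_bytes(hashlib.sha256(b"".join(parts)).digest(), "big")

k = H(pad(N), pad(g))                       # SRP-6a multiplier k = H(N | PAD(g))

def private_key(username: str, password: str, salt: bytes) -> int:
    # x = H(salt | H(I ":" p)); computed only on the client and never transmitted
    return H(salt, hashlib.sha256(f"{username}:{password}".encode()).digest())

def register(username: str, password: str):
    """Enrollment: the server stores (salt, verifier); it never sees the password."""
    salt = secrets.token_bytes(16)
    return salt, pow(g, private_key(username, password, salt), N)

def srp_login(username: str, password: str, salt: bytes, verifier: int) -> dict:
    """One SRP-6a exchange: 'password' is what the client typed, 'verifier' what the server stored."""
    a = secrets.randbelow(N - 2) + 1              # client ephemeral secret
    A = pow(g, a, N)                              # client -> server: username, A
    b = secrets.randbelow(N - 2) + 1              # server ephemeral secret
    B = (k * verifier + pow(g, b, N)) % N         # server -> client: salt, B
    u = H(pad(A), pad(B))                         # scrambling parameter, computed by both sides
    if A % N == 0 or B % N == 0 or u == 0:        # RFC 5054 abort conditions
        raise ValueError("illegal SRP public value")
    x = private_key(username, password, salt)     # client only; derived from the typed password
    S_c = pow((B - k * pow(g, x, N)) % N, a + u * x, N)   # client session secret
    S_s = pow(A * pow(verifier, u, N) % N, b, N)          # server session secret (uses verifier, not x)
    K_c, K_s = hashlib.sha256(pad(S_c)).digest(), hashlib.sha256(pad(S_s)).digest()
    M1 = hashlib.sha256(pad(A) + pad(B) + K_c).digest()   # client -> server: proof of K
    server_ok = hmac.compare_digest(M1, hashlib.sha256(pad(A) + pad(B) + K_s).digest())
    M2 = hashlib.sha256(pad(A) + M1 + K_s).digest()       # server -> client: proof of K
    client_ok = hmac.compare_digest(M2, hashlib.sha256(pad(A) + M1 + K_c).digest())
    return {"server_ok": server_ok, "client_ok": client_ok, "keys_match": K_c == K_s}

if __name__ == "__main__":
    salt, v = register("player1", "correct horse")          # constructed sample credentials
    print(srp_login("player1", "correct horse", salt, v))   # all True
    print(srp_login("player1", "wrong horse", salt, v))     # all False: no key, no login
```

A wrong password yields a different x on the client, so the two session secrets diverge and both proofs fail without the server ever learning what was typed.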