Script Verification

Corvan corvan at otherother.com
Wed Dec 23 08:49:17 PST 2009


Challenge/response systems can handle this reasonably well, and  
Timeless's description is pretty good, but I think it's okay to snoop  
chat and still avoid replay or man-in-the-middle attacks. Hmm, come to  
think of it, because you're using the key from the listen I don't  
think a MITM is even possible. Here's how I would do it:

Client: Authenticate me please.
Server: Okay, here's a random value for you to hash.
Client: Hashes password and key and random value, sends that back
Server: Performs same hash and compares results. Match = authentic

Because we're talking MD5 and because the password is never sent in  
the clear, it shouldn't matter whether or not someone snoops since all  
they are learning is a particular response to a particular challenge.  
If the space of possible challenges is large enough, then the attacker  
really learns nothing other than that an authentication occurred.

Cheers,
Corvan

On Dec 23, 2009, at 8:31 AM, Timeless Prototype wrote:

> Ordinal, this might be vulnerable to a replay attack if the person can
> put a new script in the same prim or take the original script into  
> their
> own prim before adding an additional one. I seem to recall you'd  
> posted
> a challenge/response technique in the SL forums. Do you recall it? I
> prefer that one. It sends some random hash to the client, if the  
> client
> uses that as the salt and hashes the key+password correctly then it's
> cool. I do think this is only effective via llEmail because it will  
> only
> allow one email receiver script in the client prim. Chat will allow
> snooping.
>
> On 23/12/2009 15:49, ordinal.malaprop at fastmail.fm wrote:
>> On 23 Dec 2009, at 15:41, Joe Etten wrote:
>>
>>
>>> ok here's a bigger picture. I'm creating a device that will  
>>> recieve it settings from a sort of "server" module which resides  
>>> in the sim. The device sends out a request for its settings, the  
>>> server replies and the user can go merrily on using said device.  
>>> What I want to do is provide a way to prove or disprove that a  
>>> user is using my device.
>>>
>>> I already have a built in authentication process for the  
>>> communication. I suppose I could just add in another listen and  
>>> have the server verify that the device can authenticate. However,  
>>> the user could simply have my device attached but not actually be  
>>> using it. I'm starting to think I can't make the process totally  
>>> secure.
>>>
>> I may be missing something here. If the request for settings is  
>> already authenticated, how could somebody not be using your device?  
>> Presumably your script is the only one which can pass authentication.
>>
>> (Using the method I attached for authentication, by the way, I'd  
>> require that the hash be sent along with the request for settings;  
>> "give me settings|" + llMD5String(PASSWORD + (string)llGetKey()) or  
>> something like that, an incorrect hash meaning no settings are sent.)
>> _______________________________________________
>> Click here to unsubscribe or manage your list subscription:
>> https://lists.secondlife.com/cgi-bin/mailman/listinfo/secondlifescripters
>>
>>
>>
> _______________________________________________
> Click here to unsubscribe or manage your list subscription:
> https://lists.secondlife.com/cgi-bin/mailman/listinfo/secondlifescripters



More information about the secondlifescripters mailing list