corvan at otherother.com
Wed Dec 23 08:49:17 PST 2009
Challenge/response systems can handle this reasonably well, and
Timeless's description is pretty good, but I think it's okay to snoop
chat and still avoid replay or man-in-the-middle attacks. Hmm, come to
think of it, because you're using the key from the listen I don't
think a MITM is even possible. Here's how I would do it:
Client: Authenticate me please.
Server: Okay, here's a random value for you to hash.
Client: Hashes password and key and random value, sends that back
Server: Performs same hash and compares results. Match = authentic
Because we're talking MD5 and because the password is never sent in
the clear, it shouldn't matter whether or not someone snoops since all
they are learning is a particular response to a particular challenge.
If the space of possible challenges is large enough, then the attacker
really learns nothing other than that an authentication occurred.
On Dec 23, 2009, at 8:31 AM, Timeless Prototype wrote:
> Ordinal, this might be vulnerable to a replay attack if the person can
> put a new script in the same prim or take the original script into
> own prim before adding an additional one. I seem to recall you'd
> a challenge/response technique in the SL forums. Do you recall it? I
> prefer that one. It sends some random hash to the client, if the
> uses that as the salt and hashes the key+password correctly then it's
> cool. I do think this is only effective via llEmail because it will
> allow one email receiver script in the client prim. Chat will allow
> On 23/12/2009 15:49, ordinal.malaprop at fastmail.fm wrote:
>> On 23 Dec 2009, at 15:41, Joe Etten wrote:
>>> ok here's a bigger picture. I'm creating a device that will
>>> receive its settings from a sort of "server" module which resides
>>> in the sim. The device sends out a request for its settings, the
>>> server replies and the user can go merrily on using said device.
>>> What I want to do is provide a way to prove or disprove that a
>>> user is using my device.
>>> I already have a built in authentication process for the
>>> communication. I suppose I could just add in another listen and
>>> have the server verify that the device can authenticate. However,
>>> the user could simply have my device attached but not actually be
>>> using it. I'm starting to think I can't make the process totally
>> I may be missing something here. If the request for settings is
>> already authenticated, how could somebody not be using your device?
>> Presumably your script is the only one which can pass authentication.
>> (Using the method I attached for authentication, by the way, I'd
>> require that the hash be sent along with the request for settings;
>> "give me settings|" + llMD5String(PASSWORD + (string)llGetKey()) or
>> something like that, an incorrect hash meaning no settings are sent.)
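The challenge/response exchange described in the top message, as an added example that is not part of the original thread: a Python simulation of both sides, showing that a snooped response is useless once the challenge is single-use and bound to the object key. Python's `hashlib.md5` stands in for LSL's `llMD5String`; the `Server` class, `response_for`, the `|` field separator and all sample values are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

PASSWORD = "example-shared-secret"  # constructed; known to server and device scripts


def response_for(password: str, object_key: str, challenge: str) -> str:
    """MD5 over password, object key and challenge, as in the exchange above."""
    # An explicit separator keeps field boundaries unambiguous (assumption).
    material = "|".join((password, object_key, challenge))
    return hashlib.md5(material.encode("utf-8")).hexdigest()


class Server:
    def __init__(self, password: str):
        self._password = password
        self._pending = {}  # object key -> challenge still awaiting a response

    def issue_challenge(self, object_key: str) -> str:
        # 128 random bits, so a challenge effectively never repeats.
        challenge = secrets.token_hex(16)
        self._pending[object_key] = challenge
        return challenge

    def verify(self, object_key: str, response: str) -> bool:
        # pop() makes every challenge single-use: a replay finds nothing pending.
        challenge = self._pending.pop(object_key, None)
        if challenge is None:
            return False
        expected = response_for(self._password, object_key, challenge)
        return hmac.compare_digest(expected.encode(), response.encode())


def demo() -> dict:
    server = Server(PASSWORD)
    device_key = "00000000-0000-0000-0000-000000000001"  # constructed object key
    challenge = server.issue_challenge(device_key)
    captured = response_for(PASSWORD, device_key, challenge)  # what a snooper sees
    results = {"first_use": server.verify(device_key, captured)}
    results["replay_same_challenge"] = server.verify(device_key, captured)
    server.issue_challenge(device_key)  # fresh challenge, old response
    results["replay_new_challenge"] = server.verify(device_key, captured)
    other_key = "00000000-0000-0000-0000-000000000002"  # constructed second object
    server.issue_challenge(other_key)
    results["replay_from_other_object"] = server.verify(other_key, captured)
    return results


if __name__ == "__main__":
    print(demo())
```

Only the first use of the captured response verifies; the later attempts fail because the pending challenge has been consumed or replaced, or because the object key in the hash differs.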