Urban Terror Forums: AUTH logged me in as a random player - Urban Terror Forums


AUTH logged me in as a random player

No, I haven't touched my authkey

#31 bArgh

  • Account: bargh
  • Country:
  • Joined: 02-March 10
  • Posts: 31

Posted 19 November 2013 - 02:07 PM

I hope UrT authentication communication is properly encrypted (no, simple XOR will not do). If that's not the case, it is a matter of time before someone starts maliciously messing with it.

Any software developer worth their salt will not claim their software is absolutely bug free and working 100% as intended, as only a limited set of scenarios can be thought of when designing it. That's why there is a testing phase, which could be longer than a developing phase, then there is user feedback, which usually points to problem scenarios missed by developers and QA. That's the essence of good, reliable software development. Anything else is arrogance, or incompetence. Or both.

#32 bArgh

  • Account: bargh
  • Country:
  • Joined: 02-March 10
  • Posts: 31

Posted 19 November 2013 - 07:05 PM

It gets better. Conducted an experiment. Started UrT4.2 and I was authenticated ("Welcome back bArgh" in the bottom left corner of the main menu screen). Pulled network cable out and changed my nickname to "test" in setup -> player menu, then quit the game. Confirmed my new nickname was "test" in "q3config.cfg" file. Plugged the network cable in, then started the game. "Welcome back bArgh" in the bottom left corner of the screen. Checked my nickname in the menu and it was "test". Repeated the experiment with an empty string as my nickname and I was authenticated again.

This is unacceptable. Minimum requirement for any login is a 2-point login, usually requiring a username AND password. That's the case with my UrT online account, that's the case with my ISP login, that's the case with my email. I know that authkey has a huge number of combinations, but its format is known and its length is known. This is equivalent to logging into a Google account with a random string as username and correct password, which does not work and should not work. If authkey is the only credential required for authentication in game, what is to stop someone changing a few bits trying to harvest nickname/authkey pairs? Maybe create software generating authkeys of correct format and length and throw them at the authentication server and see what sticks? Despite huge number of combinations it is much easier to stumble across a valid authkey than a pair nickname/authkey. This is seriously undermining the integrity of authentication.

This could explain the issues some players are having with being assigned someone else's authname on some servers. There is a possibility authkey gets corrupted during the authentication process and if the corrupted authkey matches one on the auth server, then they are assigned a wrong (still valid) authname. By using nickname/authkey pair for authentication this problem is avoided, but it may increase the number of failed authentication attempts due to data corruption. To avoid this an error correction system would be required during the authentication process.

#33 karnute

  •   community dev   
  • Account: karnute
  • Joined: 09-August 11
  • Posts: 157

Posted 19 November 2013 - 09:15 PM

bArgh, on 19 November 2013 - 07:05 PM, said:

"Welcome back bArgh" in the bottom left corner of the screen. Checked my nickname in the menu and it was "test". Repeated the experiment with an empty string as my nickname and I was authenticated again.

Your authentication identifier is "bArgh" and it is attached to your authkey in the FS server. Your nickname in the menu is irrelevant for the authentication.

bArgh, on 19 November 2013 - 07:05 PM, said:

Despite huge number of combinations it is much easier to stumble across a valid authkey than a pair nickname/authkey.

UrT authkey has 128 bits, this means 2^128 > 3.4 x 10^38 combinations [10^38 means the number 1 followed by 38 zeros]. This is such a huge number that you must think about it carefully. Suppose FS could have 100 million players registered (=10^8). By trying authkeys you could find by chance 1 real player key in every 10^30 tries. Suppose you can check 1 key every 10 millisec. (excellent good ping), that means 100 tries per second. You should check that fast during 10^28 seconds to find 1 real key by chance. That time is 10^20 years, or 1 followed by 20 zeros, try writing it on paper... and remember the estimated age of the universe is only 10^10 years. :rolleyes:

P.S.: by the way, the authentication process usually involves a digital signature, so the authkey is not transmitted, it is used just to sign different messages each time.

This post has been edited by karnute: 19 November 2013 - 09:29 PM
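
Added example, not part of the thread and not Urban Terror's actual protocol (which the thread does not describe): a challenge-response login in which the authkey never crosses the wire and the nickname is not an input, plus the guessing-time estimate from post #33. HMAC-SHA256 stands in for the "digital signature"; `AuthServer`, `client_response`, `expected_guess_years` and the sample key are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed sample data: auth identifier -> 128-bit authkey stored server-side.
SERVER_KEYS = {"bargh": bytes.fromhex("00112233445566778899aabbccddeeff")}


class AuthServer:
    def __init__(self, keys):
        self.keys = keys
        self.pending = {}  # account -> outstanding one-time challenge

    def challenge(self, account):
        # A fresh random nonce per login, so every signed message differs.
        nonce = secrets.token_bytes(16)
        self.pending[account] = nonce
        return nonce

    def verify(self, account, tag):
        nonce = self.pending.pop(account, None)  # each challenge is single use
        key = self.keys.get(account)
        if nonce is None or key is None:
            return False
        expected = hmac.new(key, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, tag)  # constant-time comparison


def client_response(authkey, nonce):
    # Only this tag is sent; the authkey itself stays on the client.
    return hmac.new(authkey, nonce, hashlib.sha256).digest()


def expected_guess_years(key_bits, registered_keys, tries_per_second):
    # Average number of blind guesses needed to hit any one registered key.
    tries = 2 ** key_bits / registered_keys
    return tries / tries_per_second / (365.25 * 24 * 3600)


def demo():
    server = AuthServer(SERVER_KEYS)
    key = SERVER_KEYS["bargh"]
    tag = client_response(key, server.challenge("bargh"))
    ok = server.verify("bargh", tag)            # correct key, fresh nonce
    server.challenge("bargh")
    replay = server.verify("bargh", tag)        # captured tag, new nonce
    nonce = server.challenge("bargh")
    wrong = server.verify("bargh", client_response(secrets.token_bytes(16), nonce))
    return ok, replay, wrong
```

With the figures from post #33 (128-bit key, 10^8 registered players, 100 tries per second), `expected_guess_years` gives roughly 10^21 years, the same order of magnitude as the estimate in the post.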





Copyright © 1999-2024 Frozensand Games Limited  |  All rights reserved  |  Urban Terror™ and FrozenSand™ are trademarks of Frozensand Games Limited

Frozensand Games is a Limited company registered in England and Wales. Company Reg No: 10343942