d2jsp Forums > Programming & Development > Advice Please Encryption > C# And Php
Member
Posts: 8,679
Joined: May 7 2009
Gold: 330.75
Aug 26 2017 01:32am
I am developing a multiplayer game; there are some systems that go directly from the client to our web server instead of the game server.

Network security question:
Any suggestions on encryption of username, password and other string data from a WWW C# call to a PHP script on the web server?
Member
Posts: 3,197
Joined: May 4 2013
Gold: 1,457.00
Aug 26 2017 06:25am
You mean user's name/password? Just normal TLS transport will do. Just call it via https

But if you mean some hardcoded encrypted secret in the binary, forget it: if the game can decode it, so can people interested in it, more so in C#, which is trivial to decompile into almost usable code.
Member
Posts: 1,039
Joined: Jul 8 2008
Gold: 1,939.50
Aug 26 2017 10:44am
Don't ever send the password over http or https. Don't ever save the password in your database. You should be saving a hash of the password in your database and you should be using SHA256 or higher to hash. You hash the password client side before sending it over https. You then verify it against the hash you have in your DB. This way if the traffic is intercepted or your database is compromised the attacker doesn't get the password.

edit: This is a pretty good guide as what to do and what not to do: https://nakedsecurity.sophos.com/2013/11/20/serious-security-how-to-store-your-users-passwords-safely/

This post was edited by waraholic on Aug 26 2017 10:46am
Member
Posts: 3,197
Joined: May 4 2013
Gold: 1,457.00
Aug 27 2017 03:58pm
Quote (waraholic @ Aug 26 2017 09:44am)
Don't ever send the password over http or https.


Guess how you login to most services, websites etc.

Unless they employ certificates for login, but honestly outside of very enterprisey stuff I have never ever seen this.
Member
Posts: 36,123
Joined: Jul 18 2008
Gold: 2,407.00
Aug 28 2017 04:11am
Quote (waraholic @ Aug 26 2017 11:44am)
Don't ever send the password over http or https. Don't ever save the password in your database. You should be saving a hash of the password in your database and you should be using SHA256 or higher to hash. You hash the password client side before sending it over https. You then verify it against the hash you have in your DB. This way if the traffic is intercepted or your database is compromised the attacker doesn't get the password.

edit: This is a pretty good guide as what to do and what not to do: https://nakedsecurity.sophos.com/2013/11/20/serious-security-how-to-store-your-users-passwords-safely/



If you really want to secure passwords properly, salt them and use a key stretching hashing algorithm like bcrypt to protect against rainbow tables and brute force respectively.

But using https is fine.
Member
Posts: 1,039
Joined: Jul 8 2008
Gold: 1,939.50
Aug 29 2017 10:43am
Quote (Mastersam93 @ Aug 28 2017 05:11am)
If you really want to secure passwords properly, salt them and use a key stretching hashing algorithm like bcrypt to protect against rainbow tables and brute force respectively.

But using https is fine.


You missed my point. My point is that using https isn't secure if you're sending the password. Like you and the article I posted earlier state, you should be using a hashing algorithm / HMAC.

Quote (nuvo @ Aug 27 2017 04:58pm)
Guess how you login to most services, websites etc.

Unless they employ certificates for login, but honestly outside of very enterprisey stuff I have never ever seen this.


Most websites have poor security. That doesn't mean you should too.
Member
Posts: 3,197
Joined: May 4 2013
Gold: 1,457.00
Aug 30 2017 03:05pm
Please tell me how is sending password over TLS insecure?

Hashing it will accomplish exactly nothing. If you're being MITM-ed and ignore all certificate errors, someone will log the hash your client sent ... and what then? He can just send this hash again. No difference.

Member
Posts: 1,039
Joined: Jul 8 2008
Gold: 1,939.50
Aug 30 2017 03:59pm
Quote (nuvo @ Aug 30 2017 04:05pm)
Please tell me how is sending password over TLS insecure?

Hashing it will accomplish exactly nothing. If you're being MITM-ed and ignore all certificate errors, someone will log the hash your client sent ... and what then? He can just send this hash again. No difference.


They don't have your password. The password you likely use for more than one purpose. Sure they can send the hash again if you're getting mitm'd, but if you change the salt or hashing algorithm you can still use the same password and the hacker won't know what the new hash is. The most secure way is to use the password as part of the hashing and you never actually send it except for when you first set it. Read the article. It goes over all of this better than I can in a few minutes when I don't care to 'win' some online confrontation.

TLS 1.0 is considered insecure. 1.1/1.2 are okay.
Member
Posts: 3,197
Joined: May 4 2013
Gold: 1,457.00
Aug 31 2017 01:11am
But wait, are you still talking about one central password that he wants secured or account passwords? Like, you create an account, pick a password and then login to it? If in the latter case you send a password hash then that hash IS ultimately THE password.

The article is about how to store password, not how to send it. My passwords are also unique FYI.

But I'd like to know an example site where you login without sending over the password... ?
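The two points the thread keeps circling (Mastersam93's "salt them and use a key stretching algorithm like bcrypt", and nuvo's "if you send a password hash then that hash IS the password") both land on the same design: the client sends the password inside the TLS tunnel, and the server is the one that salts and stretches it before storing it. The following PHP endpoint is an added example written for this thread, not code from any poster; it assumes PHP 7+ (for `password_hash`/`password_verify` with `PASSWORD_BCRYPT`), an in-memory `$users` array standing in for the real database table, and a JSON request body with `action`, `username` and `password` fields, all of which are assumptions rather than anything the thread specifies.

```php
<?php
// Added example (not from the thread): registration and login handlers for a
// PHP endpoint that a C# client calls over HTTPS. The password travels only
// inside the TLS tunnel; the server never stores it, only a salted bcrypt hash.
declare(strict_types=1);

// bcrypt cost factor: higher = slower per guess = more brute-force resistance.
// Tune so one hash takes roughly 100-250 ms on the production hardware.
const BCRYPT_COST = 12;

/** Registration: hash once, store only the hash. $users stands in for the DB. */
function register(array &$users, string $username, string $password): bool
{
    if (isset($users[$username])) {
        return false; // username already taken
    }
    // password_hash() draws a fresh random salt per user and embeds it in the
    // returned "$2y$12$..." string, so identical passwords get different hashes
    // (defeats rainbow tables) and no separate salt column is needed.
    $users[$username] = password_hash($password, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST]);
    return true;
}

/** A throwaway hash used so unknown usernames cost the same time as real ones. */
function dummyHash(): string
{
    static $hash = null;
    if ($hash === null) {
        $hash = password_hash('not-a-real-password', PASSWORD_BCRYPT, ['cost' => BCRYPT_COST]);
    }
    return $hash;
}

/** Login: verify the submitted password against the stored hash server-side. */
function login(array &$users, string $username, string $password): bool
{
    $stored = $users[$username] ?? dummyHash();
    // password_verify() re-derives bcrypt with the salt embedded in $stored and
    // compares in constant time; the stored hash itself is never a credential.
    $ok = password_verify($password, $stored) && isset($users[$username]);
    if ($ok && password_needs_rehash($stored, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST])) {
        // Transparently upgrade hashes created with an older or lower cost.
        $users[$username] = password_hash($password, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST]);
    }
    return $ok;
}

/** Entry point: $server is $_SERVER (or a constructed stand-in), $body the POST body. */
function handleRequest(array &$users, array $server, string $body): array
{
    // Refuse plaintext HTTP: TLS is the only thing protecting the password in transit.
    if (empty($server['HTTPS']) || $server['HTTPS'] === 'off') {
        return ['status' => 403, 'error' => 'https required'];
    }
    $req = json_decode($body, true);
    if (!is_array($req) || !isset($req['action'], $req['username'], $req['password'])
        || !is_string($req['username']) || !is_string($req['password'])) {
        return ['status' => 400, 'error' => 'malformed request'];
    }
    switch ($req['action']) {
        case 'register':
            return register($users, $req['username'], $req['password'])
                ? ['status' => 201] : ['status' => 409, 'error' => 'username taken'];
        case 'login':
            return login($users, $req['username'], $req['password'])
                ? ['status' => 200] : ['status' => 401, 'error' => 'invalid credentials'];
        default:
            return ['status' => 400, 'error' => 'unknown action'];
    }
}

if (PHP_SAPI === 'cli') {
    // Constructed demonstration when run from the command line (php this_file.php).
    $users = [];
    $tls = ['HTTPS' => 'on'];
    $plain = ['HTTPS' => 'off'];
    var_dump(handleRequest($users, $tls, '{"action":"register","username":"alice","password":"correct horse"}'));
    var_dump(handleRequest($users, $tls, '{"action":"login","username":"alice","password":"correct horse"}'));
    var_dump(handleRequest($users, $tls, '{"action":"login","username":"alice","password":"wrong"}'));
    var_dump(handleRequest($users, $plain, '{"action":"login","username":"alice","password":"correct horse"}'));
    echo 'Stored for alice: ', $users['alice'], PHP_EOL; // a bcrypt string, not the password
} else {
    // Under a web server: load $users from the database instead of an empty array.
    header('Content-Type: application/json');
    $users = [];
    echo json_encode(handleRequest($users, $_SERVER, file_get_contents('php://input')));
}
```

Run from the CLI, the register call succeeds, the correct password logs in, the wrong one is rejected, and the request over plain HTTP is refused before any credential is examined. The security property worth noticing is the one the thread argued about: because the server, not the client, performs the salted bcrypt, a leaked database row cannot be replayed as a login (it is not what the client sends), and a captured request would only be exposed if TLS itself were defeated, which is why the C# side must keep certificate validation on rather than ignoring certificate errors.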
Member
Posts: 8,679
Joined: May 7 2009
Gold: 330.75
Sep 5 2017 12:59pm
thank you very much!