Global ID and md5 authentication

ilo
Posts: 3
Joined: Sat Dec 05, 2009 10:39 am

Global ID and md5 authentication

Post by ilo »

Can anyone confirm md5 authentication with empty prefix and suffix is working? I tried several combinations and was unable to make it work. I could authenticate however when prefix is not empty, so I guess my code is not wrong (it is copied from the http auth). It was just that I always get PASSWORD_FAIL when trying to authenticate users using md5 and prefix is empty.
ilo
Posts: 3
Joined: Sat Dec 05, 2009 10:39 am

Re: Global ID and md5 authentication

Post by ilo »

Steps to reproduce the problem..

Get the authentication reference implementation (there is a copy here http://moosnet.homelinux.net/armaauth/0.1/index.php)

Put (as index.php) into http://X/armaauth/0.1/index.php

Try to authenticate user test@X with password 'password'.

Go to GetPrefix(), replace %u:aaauth: prefix string with "" (or with '', better).

Try to login again..
Tank Program
Forum & Project Admin, PhD
Posts: 6711
Joined: Thu Dec 18, 2003 7:03 pm

Re: Global ID and md5 authentication

Post by Tank Program »

Have you looked at the newer implementation on launchpad?
ilo
Posts: 3
Joined: Sat Dec 05, 2009 10:39 am

Re: Global ID and md5 authentication

Post by ilo »

Thanks Tank Program. I did try with the latest version of the script, and also tried with my own implementation following the same authentication logic. I did find that 2.8.3 and 3 series of the game perform differently on global id authentication. I guess it is something in the client, but I can't be sure.

When using a 3 version server, the path in the URL of the authority is ignored, so if you try to login using [email protected]/path, the server tries to find the folder host.com/armaauth/1.0/ . Using a 2.8.3 server this does not fail.

Anyway, when using empty prefix, this is the request I do get in my server..

http://localhost.int/aad6/armaauth/0.1? ... 1c801ce0c0

So, being 'password' the password string and not using prefix, neither suffix, according to the authentication logic, we should compute this as:

$computedHash = md5( pack("H*", 'password') . pack("H*", $salt) );

Client submitted hash: ae67adc53e1838828c04801c801ce0c0
Our computed hash: ad07d70b301e951c4869dd0a1bdd28cb

I've done several tests with empty prefix, I tried with NULL, '', "", no luck. I've to say, that I'm testing this on Windows (all: client, server and PHP).
Tank Program
Forum & Project Admin, PhD
Posts: 6711
Joined: Thu Dec 18, 2003 7:03 pm

Re: Global ID and md5 authentication

Post by Tank Program »

I can't tell from your code clips, but the packed password you're using should be the packed md5sum password. One of the big things between 0.2.x clients and 0.3 clients would be the bmd5 method. That's md5ing 0x00.'password' rather than just 'password'.
epsy
Adjust Outside Corner Grinder
Posts: 2003
Joined: Tue Nov 07, 2006 6:02 pm
Location: paris

Re: Global ID and md5 authentication

Post by epsy »

Tank Program wrote: That's md5ing 0x00.'password' rather than just 'password'.

Er, it's the other way around:

'password'.char(0)
Jip
Round Winner
Posts: 397
Joined: Sat Sep 26, 2009 5:32 pm

Re: Global ID and md5 authentication

Post by Jip »

I got the same problem, has anyone solved it yet? I tried with and without pre/suffix and always get different hashes from server <-> client.
Jip
Round Winner
Posts: 397
Joined: Sat Sep 26, 2009 5:32 pm

Re: Global ID and md5 authentication

Post by Jip »

Thanks for your quick reply :)
In the bug report ilo wrote:
When using any string for prefix this fail doesn't happen. I've tested with variations of suffix, and it is working in all cases.
But for me even this doesn't work. Just to make sure that I am doing it right. I choose my password "test". In the config.php I define the prefix "123". I store md5("123test") in my DB and should be able to log in with user Jip and password test. Is that right?
Jip
Round Winner
Posts: 397
Joined: Sat Sep 26, 2009 5:32 pm

Re: Global ID and md5 authentication

Post by Jip »

Sorry for double post, just wanted to bring this up again...
Has nobody an idea why the stuff is not working for me? Would be very helpful :)
If it's helpful I can post the generated hashes from client and auth server...
I am using this script: http://bazaar.launchpad.net/~armagetron ... ork/files/ maybe there is a newer version?
epsy
Adjust Outside Corner Grinder
Posts: 2003
Joined: Tue Nov 07, 2006 6:02 pm
Location: paris

Re: Global ID and md5 authentication

Post by epsy »

That is always the latest stuff, but I can't help you if you don't tell me what's the problem.
Infa(mous)
Round Winner
Posts: 255
Joined: Thu Aug 14, 2008 11:27 pm

Re: Global ID and md5 authentication

Post by Infa(mous) »

The problem is that we don't understand the md5 hashing logic. How should the hash go? md5(username . password)? Something more complex?
-Infamous
epsy
Adjust Outside Corner Grinder
Posts: 2003
Joined: Tue Nov 07, 2006 6:02 pm
Location: paris

Re: Global ID and md5 authentication

Post by epsy »

md5( prefix . clear_password . suffix )
prefix and suffix have %u substituted to the user's username
(If you use %u, that forces usernames to be case-sensitive)
Infa(mous)
Round Winner
Posts: 255
Joined: Thu Aug 14, 2008 11:27 pm

Re: Global ID and md5 authentication

Post by Infa(mous) »

So it would be md5( clear_password ) with no prefix and suffix? Or would it be md5 ( username . clear_password . username )?
-Infamous
Z-Man
God & Project Admin
Posts: 11585
Joined: Sun Jan 23, 2005 6:01 pm
Location: Cologne

Re: Global ID and md5 authentication

Post by Z-Man »

For empty prefix and suffix, it would be md5( password ). But you need to know that not including %u in either suffix or prefix makes your passwords more vulnerable to rainbow table type attacks (if your database gets into the wrong hands). Of course, you don't need the cleartext password to log in, just said md5 hash, so if your database gets stolen, you have that to worry about.
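
An added example, not part of any post in this thread and not code from the armaauth script: it works through the hash formula and the salted check quoted above in PHP, showing that a prefix without %u gives identical database entries for identical passwords and that the check depends only on the stored hash. Function names, the sample accounts and the salt are constructed for illustration.

```php
<?php
// Added example; function names and sample accounts are hypothetical.

// Stored hash as described in the thread: md5(prefix . clear_password . suffix),
// with %u in prefix and suffix replaced by the username.
function stored_hash(string $user, string $password, string $prefix = '', string $suffix = ''): string
{
    return md5(str_replace('%u', $user, $prefix) . $password . str_replace('%u', $user, $suffix));
}

// Response in the shape quoted in the thread: md5 over the raw bytes of the
// stored hash followed by the raw bytes of the salt. Both inputs must be hex,
// so a cleartext password passed by mistake is rejected, not silently packed.
function expected_response(string $storedHex, string $saltHex): string
{
    foreach ([$storedHex, $saltHex] as $hex) {
        if (!ctype_xdigit($hex) || strlen($hex) % 2 !== 0) {
            throw new InvalidArgumentException('expected an even-length hex string');
        }
    }
    return md5(pack('H*', $storedHex) . pack('H*', $saltHex));
}

function verify(string $storedHex, string $saltHex, string $clientHex): bool
{
    return hash_equals(expected_response($storedHex, $saltHex), strtolower($clientHex));
}

// Constructed sample data: two accounts sharing one password.
$salt = bin2hex(random_bytes(16));
foreach (['' => 'empty prefix', '%u:aaauth:' => 'prefix with %u'] as $prefix => $label) {
    $alice = stored_hash('alice', 'password', $prefix);
    $bob   = stored_hash('bob', 'password', $prefix);
    printf("%-15s alice=%s bob=%s identical=%s\n", $label, $alice, $bob, var_export($alice === $bob, true));
}

// The check only ever uses the stored hash, never the cleartext, so the
// database column has to be protected like the passwords themselves.
$row = stored_hash('alice', 'password', '%u:aaauth:');
var_dump(verify($row, $salt, expected_response($row, $salt)));

// Packing the cleartext instead of its md5 digest is caught here.
try {
    expected_response('password', $salt);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```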