48 replies to this topic

[sabriath]

Ok, for v2 authentication, I have come up with this scheme so far:

Client creates random number for 'A' and solves 'G^A mod P', sending answer to server
Server gets this and stores in 'B'
Server creates random number for 'A' and solves 'G^A mod P', sending answer to client
Server solves 'B^A mod P' and stores this in 'KEY'
Client gets answer and stores in 'B'
Client solves 'B^A mod P' and stores this in 'KEY'
Client creates a 16 byte random cypher 'C' with 'KEY' randomly distributed inside
Client sends {(KEY # Name) + (hash(password) # C)} to server
Client searches 'C' and removes 'KEY' and stores back in 'C'
Server gets data, looks up "Name" in database and gets the "hash(password)" for it
Server creates 'C' from (hash(password) # data) and removes 'KEY' from it
Server creates 16 byte random cypher 'D' with 'KEY' randomly distributed inside
Server sends {hash(password) # D}
Server searches 'D' and removes 'KEY' and stores back in 'D'
Server combines 'C + D' into 'A'
Client gets data, restores 'D' from (hash(password) # data) and removes 'KEY' from it
Client combines 'C + D' into 'A'
Both create an 8 byte random cypher 'B' and send (B # C) to the other
Both get it, and store (data # C) into 'E'
Both send (E # D) to the other
Both get it, and check if (data # D) = 'B' for verification
Server creates 'CYPHER' from hash(A + B + E)
Client creates 'CYPHER' from hash(A + E +

During the lifetime of the session, a specific code will sometimes be generated that can add to the beginning or end of the 'CYPHER' with or without shifting out, so increasing security. This code is 2 bytes long and is inserted by the server at random intervals in random positions within a codesend.

This involves several methods, the first of which is a D-H method to secure a transmission session, but leaves it open for man-in-the-middle (MITM) attacks. The second method will hide the key inside an encrypted hash of your password, without prior knowledge of your password, there is no way the MITM can decypher this crypt, therefore cannot falsify information to the server. The server will drop the MITM if it cannot find its KEY within the cyphered hash. Because it was a random generation from the client, the server has no way of telling if the client has actually given the proper hash (which means proper password), so sends back another randomly created encryption of the hash....if the client doesn't know the proper hash (because of bad password), then it cannot recreate the proper cypher from the server and will get terminated when it cannot update it's encryption methods for verification. The last step is just a quick cypher exchange to bump up the security as well as test the previous encryptions authentication. Once this is finished, all blocks will just be cyphered with xor.

*note: "^" is the power function above, not the xor function in GM..."#" is the xor function above.

It looks like this method will thwart any attempts of any kind of attack I can think of, aside from the user blatently giving up their user name and password information to someone outright. I would like any feedback from anyone knowledgeable in this field. I've researched and have not found anyone using this method as far as I know, so please give credit if you do use it with success and report any failures.

Now onto the old stuff:

39DLL Lib v1.0



Download 12.1KB zip

Here it is guys, using as much of my abilities on multiplayer ability as I could into an easy to use d&d lib for you. I'm not going to pester you further, I will get around to writing a tutorial on how to use it, but for now the tutorial files that come with it should help you understand the structure.

You can also read my tutorial here if you want to learn from scratch. True Valhalla has one here. This lib uses the 39dll.dll file included in the .zip file, you can find that post here by 39ster.

This includes (looking at image left to right top to bottom:

Initialize DLL

Just like running dllinit()
Can even change the name of the dll file
All functions no longer require the scripts (all built-in)
You will need the scripts if you use them directly

Add Group Type

Used in the initialization of the server
Creates a group the joins players together as a common send thread
You can set up a number of subgroups for each group
Players will only be allowed in 1 subgroup at a time
Automatically degroups player when setting to a different subgroup
This is similar to zones in MMO, or even "Trade Channel"

Clean up DLL

Used to free the dll
Should be the last thing called in your game before game_end
Same thing as dllfree()

-Server-
Open Port for Listening

Same thing as tcplisten()
Can define how many players you want to allow on at any given time
Runs a string you define if there's an error

Accept Connection

Connects an incoming request
Automatically transfers information to the authentication device you choose

Clean up Port

Closes the socket for listening

-Server Auth-
Initialize Authenticator

Sets up object for authentication purposes

Authenticate

Automatically handles authentication
Performs several handshakes with encryption keys attached
Automatically handles encryption schemes
Automatically handles queue if too many players are online
Automatically handles "keep alive" communications while waiting in queue
Automatically loads into player object you define, passing encryption key

Clean up Authenticator

Releases all authentication devices

-Server Player-
Initialize Player Object

Sets up player data
Sets up outbound buffer and inbound buffers
Places object id onto the outbound buffer first

Update

Sends outbound data to player
Receives data into inbound buffer
Handles encryption schemes both directions
Unravels the inbound data into a queue buffer for easy access

Clean up Player Object

Releases all buffer memory
Releases socket

Put Player in Group

Will check if player is in group/subgroup, skips if so
Checks if player is in group, automatically degroups them
Handles grouping into subgroup

Remove Player from Group

Removes player from group/subgroup completely

Write Message

Adds an evaluation of an expression onto Group buffer

Send Message to Group

Automatically adds the Group buffer onto every player linked to a specific group/subgroup
Clears the Group buffer

-Client-
Connect to Server

Same thing as tcpconnect()
Executes a string that you can define if there is an error

Authenticating?

Handles the authentication process in FSM fashion
Handles outbound and inbound data automatically after authentication has completed
Places inbound data into a queue for easy access
Returns true if it is still in authentication mode
Returns false if not

Clean up Connection

Closes socket automatically
Clears buffers
Clears queues

-Messages-
Message ID?

Checks if next number on stack is equal to the ID
Also checks if there are enough arguments to handle event (good for splitting data if need be).
Automatically pops number off stack if it is and returns true, false otherwise

Send Message

Evaluates an expression and places it on the outbound data stack

Receive

Gets the next piece of data off stack and stores it in a variable you designate

Clean up Messages

If a full cycle has lapsed without any messages being popped, it will pop first value
This should never happen if programmed properly, but it's there just in case

Please report any bugs with precise error and code file so that I may fix it. Please feel free to leave comments/ideas good or bad. Also...please give credit if you use my code (even if you rip it). All icons have been made by me of my own idea, they count as credit needing too if you take them. If you make money off it, I do not ask for any, but know that I'm poor and if you'd like to donate, you can ask me for my paypal account information. Thanks in advance!

Edited by sabriath, 07 November 2011 - 04:43 AM.

[Joshyboshy09]

on the server AND client example it says "defining external fuction" look at the code again!

Edited by Joshyboshy09, 28 September 2009 - 12:22 AM.

[sabriath]

on the server AND client example it says "defining external fuction" look at the code again!

I'm not sure I understand the problem? If you mean you get an error trying to define an external function, that's because you have to have the 39dll.dll file in the same directory as the server and client programs.

The little gearcog at the very top left before any headers is the initialization d&d command....it loads all the functions of the 39dll.dll into global variables, so it has be the first thing run in both client and server programs. It also has to be cleaned up last. I have successfully run 1 server and 3 clients with no problems.

I appreciate the shot at commenting, I need as much as I can, it seems not many people are interested and I can only post every 48 hours if no one says anything.

[The Game Makin Guy]

Ive Got The 39dll but it still joshyboshy09's problem on the examples, "error defining ext. function"

[sabriath]

Ive Got The 39dll but it still joshyboshy09's problem on the examples, "error defining ext. function"

Hmm...Well...I just redownloaded it from the link, backed up my old stuff and reinstalled it from the zip file on this thread and it worked fine out of the box. Are you guys using the same 39dll.dll file that I have supplied or are you guys using an older version of 39dll? Also, are you changing ANYTHING in the example files?

This is the process I JUST did:

backed up my lib
downloaded the .zip
extracted the .zip
moved the lib into the lib folder
opened the server.gmk file (since it extracted in the same directory with the 39dll I don't need to move it)
ran it
unblocked the connection
opened the client.gmk file
ran it
moved around
closed both

No error.

Please specify the directions you took and update your 39dll file if it's old.

[The Game Makin Guy]

nah, i dont really need this lib anyways but good work!

[sabriath]

nah, i dont really need this lib anyways but good work!

Would you like it better in script form? I'm just trying to make it easier for people to make online games faster....this is only a first version....any ideas will be appreciated!

I'm also thinking of going into other areas with libs and scripts like platforming, TDS, and RPG stuff.....heck, maybe even WoW Interface stuff lol.

[The Game Makin Guy]

i said i don't need it, if thats ok with you

[sabriath]

i said i don't need it, if thats ok with you

That's fine. Good luck.


Anyway, I am looking for someone to help me create an authenticated protocol using only the rc4 and md5 methods of 39dll. So far I have a D-H method for creating an encryption scheme, but it leaves it open for man-in-the-middle attacks. I need to know if D-H is good enough or if MitM attacks are more serious than I am thinking.

A D-H method works like this (for my purposes):

Both client and server contain 2 public values 'G' (which is 2) and 'P' that is prime (which is 251)

Client requests connection with Server
Server accepts connection
Server creates a random number 'a' that is from 10 to over 1000000.
Server creates 'A' that is evaluated from 'G^a mod P' (2^a mod 251), send that value to client.
Client stores that number as 'A'
Client creates a random number 'b' that is from 10 to over 1000000.
Client creates 'B' that is evaluated from 'G^b mod P' (2^b mod 251), send that value to server.
Client creates 'E' that is evaluated from 'A^b mod P' (A^b mod 251), keep it secret.
Server stores value from client as 'B'
Server creates 'E' that is evaluated from 'B^a mod P' (B^a mod 251), keep it secret.

Server and Client now has a secret key 'E' that are equal to each other, it is used to encrypt a password used for further encryptions.

Again, MitM attacks would follow that a key is created for both to server and to client and messages will be translated in between...I need some authentication means (without using a PKI). I'm thinking sending a half encrypt message back and forth, but again, the MitM can still create his own....pretty frustrating. I need fresh set of eyes.

{edit} the 'G' and 'P' values may change later.

Edited by sabriath, 30 September 2009 - 07:49 AM.

[Recreate]

Wow, That is amazing, Finally someone makes a 39.dll Library!
Good work

[sabriath]

Wow, That is amazing, Finally someone makes a 39.dll Library!
Good work

Let me know what you think if you try it out.


I have updated my main post, so this is kind of a bump for it.

[Postality]

I'll give this a try tomorrow (I don't really need it but...) I'd also like to give it a try just to help the project out. I'm not really into LIB's BUT for those that are it's nice to have someone that's intermediate with game maker debug releases like this if there is any.

sure helps those not so tuned with GML / DLL's the opportunity to get games online.

Very nice job bro. I'll bug test it later (tomorrow etc.)

Edited by Postality, 01 October 2009 - 05:19 AM.

[sabriath]

Just a bump and addition to my current progress on version 2 in the original post.

Would like some feedback on any of it. Thanks!

[GameMakerAnonymous]

id love this lib if you made it connect, create a session, get players etc.......... all into 1 Or 2 Libs!

[sabriath]

id love this lib if you made it connect, create a session, get players etc.......... all into 1 Or 2 Libs!

The first version can do all that, in 1. Comes with example, but I've put this on hold for right now. I have the login database stuff ready to go for version 2, but like I said, it's on hold for right now.

[GameMakerAnonymous]

no, i mean put it all into one action (or 2)

[sabriath]

no, i mean put it all into one action (or 2)

There is a LOT less actions in my second version...but you cannot possibly expect to have 1 action be so versatile that it can be used in EVERY game type that could possibly come out. There will be an extensive guide to show how to put together the actions in each type of game to make it work for you, but again, that's not until later. For now you can check my signature for 2 tutorials to see how to make a multiplayer game.

[GameMakerAnonymous]

cool

[lap202]

I am in love with you! I have so many resources.... when i thought multiplayer game creation was gohna be super super hard, this makes it feel so much easier!

I'll try it out soon!

[sabriath]

I am in love with you! I have so many resources.... when i thought multiplayer game creation was gohna be super super hard, this makes it feel so much easier!

I'll try it out soon!

This library is outdated, it does not contain any authentication security and is a crude design (very memory hoggish). After my examples and tutorial is finished I will be coming back to incorporate my scripts into this library for a second version.

For everyone: Please refer to my scripts instead until I get around to fixing this, the link is in my signature, thanks.