At this point,
The file can be found here:
I have not been keeping track of this new format; I busted it out this past week, and again I went too fast for my own good. The registration system is theoretically done. I am no longer going to have a timestamp for every little thing I do, but will still keep updating this with color normally and bumping.
Client creates a 16 byte 50/50 cipher and this will be KeyA
Client creates another 16 byte 50/50 cipher and this will be KeyB
Client will choose a symmetric method of encrypting (right now I have XOR and ADD/SUB, but I plan to implement rotation and possibly multiples of such)
Client creates a 16 byte packet by Encrypt(KeyA, KeyB) and sends it to server
Server then creates a 16 byte 50/50 cipher and this will be KeyC
Server will use the xor method (saves on processing of server)
Server creates a 16 byte packet by Xor(KeyC, Encrypt(KeyA, KeyB)) and sends it to client
Client reverses the encryption scheme that it used by Decrypt(Xor(KeyC, Encrypt(KeyA, KeyB)), KeyB)
This will result in an answer of Xor(KeyC, KeyA), and sends this to server
Server uses the symmetry rule to arrive at KeyA
Both of which will do an md5 on KeyA to become the MasterKey
The Client then can XOR encrypt the md5(password) with MasterKey and send it to server along with name chosen (plain text is fine), the MasterKey is then discarded
As for an eavesdropper, all they will know is:
Xor(KeyC, Encrypt(KeyA, KeyB))
Even if you were to Xor the last 2, you end up with Xor(KeyA, Encrypt(KeyA, KeyB)), and without knowing the method the client used, you can't reverse it any further (although you can have multiple "guesses" to try brute force, but by then IP can be logged along with other methods).
This security has a fault in it on simple eavesdropping tactics. Plus the symmetric keys do not work properly. See below for addition.
Anonymous security is extremely difficult to overcome
Update 07/07/2010: Above links have been changed to suit the new format. Since anonymous key creation is extremely difficult (to the point where there's practically a million-dollar reward for finding an uncrackable scheme that no one has yet to claim), I have decided on a much simpler approach (one similar to SSL). It goes as follows:
Client sends 16 byte random string during a SEC code
Server sends 16 byte random string during its SEC code for acknowledgement
Both server and client create a 16 byte string from the md5 hash of both combined keys
Client sends the XOR encrypt of the md5 hash of his password with this 16 byte string
Server XOR decrypts using the same master key to get the md5 of password (which is stored in player's database)
This is NOT secure, but it's better than plain text and doesn't take up too much processing/bandwidth. I will leave it up to the programmer on how he secures the comms in getting the player's password-hash, but for now, this will do. The login method will be much more secured because I can use asynchronous key swapping (the server will already have the player's password as the key)....more on this later as I develop this project.
As you may notice, I stripped almost everything of the previous engine, for simplicity. It's hard to use the KISS method with network programming.
Note to Mods: BlaXun currently has his online engine in this same category, so I hope you guys don't delete/move this, it would be much appreciated. I just need a little bit more time and I'll have this finished.
Edited by sabriath, 07 July 2010 - 10:51 PM.
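The first key exchange in the post, worked through as an added example (not part of the original post or the author's engine) to show the two faults the post itself names: with XOR the three packets on the wire are enough for a passive observer to compute KeyA, and with ADD/SUB the server does not arrive at KeyA at all. It assumes a "50/50 cipher" is 16 random bytes and that ADD/SUB is bytewise modulo 256; the function names are hypothetical.

```python
import os

N = 16  # key and packet size from the post

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def add(a, b):  # assumed meaning of ADD: bytewise, modulo 256
    return bytes((x + y) & 0xFF for x, y in zip(a, b))

def sub(a, b):  # assumed meaning of SUB: bytewise, modulo 256
    return bytes((x - y) & 0xFF for x, y in zip(a, b))

# Client-side method choices from the post: (Encrypt, Decrypt)
METHODS = {"xor": (xor, xor), "addsub": (add, sub)}

def run_exchange(method, key_a, key_b, key_c):
    """Run the three-packet exchange; return (wire packets, KeyA as the server derives it)."""
    encrypt, decrypt = METHODS[method]
    m1 = encrypt(key_a, key_b)     # client -> server: Encrypt(KeyA, KeyB)
    m2 = xor(key_c, m1)            # server -> client: Xor(KeyC, Encrypt(KeyA, KeyB))
    m3 = decrypt(m2, key_b)        # client -> server: Decrypt(m2, KeyB)
    server_key_a = xor(m3, key_c)  # server's "symmetry rule"
    return (m1, m2, m3), server_key_a

def passive_recover(wire):
    """What the wire alone reveals when the client chose XOR."""
    m1, m2, m3 = wire
    key_c = xor(m1, m2)            # (A^B) ^ (C^A^B) = C
    return xor(m3, key_c)          # (C^A) ^ C = A

def demo():
    key_a, key_b, key_c = (os.urandom(N) for _ in range(3))
    results = {}
    for method in METHODS:
        wire, server_key_a = run_exchange(method, key_a, key_b, key_c)
        results[method] = {
            "server_agrees": server_key_a == key_a,
            "observer_has_key": passive_recover(wire) == key_a,
        }
    return results

if __name__ == "__main__":
    for method, outcome in demo().items():
        print(method, outcome)
```

ADD/SUB fails to agree because the server's XOR step does not commute with the client's modular subtraction, so the client's layer cannot be peeled off from underneath the server's.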