??????
You are not logged in.
I was toying with a private server implementation today and was surprised to see the game client tries to login with my (secret) account key no matter the server it is talking to. Wouldn’t this make for a possible attack vector?
While it would take a while to crack the HMAC (even though we know the key is 20 base-32 ASCII characters) couldn’t the private server start working as a proxy? It could be feeding the client a dummy play while using the HMACs sent by the client to start talking to the actual server. I haven’t tried to implement this yet, I simply do not have the time, but it feels possible.
It seems a good idea for the application to store account settings (email, accountKey, possibly serverPublicKey) on a per server (reflectorURL) basis to protect people from leaking data when switching game servers.
Offline
Well, you have to muck around in the settings folder to switch servers (by changing the reflector), so I figure that anyone doing that will clear their account details, too.
There are no official instructions about any of this yet, of course. I simply haven't written the "how to run your own server" document yet. There were some server instructions that shipped with The Castle Doctrine that pretty much apply (but you don't need to do the ticketServer part for this game). You can look in the mercurial repository for The Castle Doctrine on SourceForge, or you can see a mirror of this text in the wiki:
http://thecastledoctrine.gamepedia.com/ … p_a_Server
I'm planning on hosting tournaments on a separate server someday, and for that I will simply ship out alternative client bundles that point to that server (to make it easy for people).
Offline
There is slightly more non-PHP works going on here, but I figured most of it out. Mainly doing it so it would be possible to play friendly games over LAN for those dark winter nights.
Well, you have to muck around in the settings folder to switch servers (by changing the reflector), so I figure that anyone doing that will clear their account details, too.
You might clear the account details, but would John Doe do this if he is just told to switch the reflector URL? It sounds like the easiest piece of social engineering in the world:
Play Cordial Minuet right now and get 5 USD free! Open reflectorURL.ini and change the .com to .tk. Time to multiply free money!
To me it just seems like a lot of pain could be prevented if the game client didn’t sent out the account key without second thought.
Offline
Well, the client NEVER sends out the account key. It assumes that someone is listening on the wire at all times (so it's safe to play over coffee shop wifi).
It does send the HMAC_SHA1 of the account key, and the account key itself is 100 bits.
So, you're really talking about a kind of pass-through replay attack here. I'm not worried about someone reversing the HMAC to get the account key (40 billion years if you test a trillion account keys per second).
Hmm... what if the server URL itself was included in the HMAC? That would ensure that messages sent by a deceived client would be rejected by the server. I'll add this to the list.
Offline