I am currently implementing SRP on a game I am developing. However, I will be distributing this game server and client, so I would like registration to be allowable on-the-fly, without requiring the host to use some sort of forum or email communication to pre-register the account before the first login. I'll go over the basic flow of SRP, and then my registration changes.
SRP Documentation: Found Here
- The User enters their username and password into the client.
- The client sends the username and a randomly generated value to the server.
- The server gets the salt and password verifier (which is the result of a function on the password, both stored externally) of the user and sends the salt and another randomly generated value to the client.
- Each side now independently calculates a strong shared session key, and proves that key to each other.
- If both proofs match, the user has successfully authenticated.
To add the registration functionality, here are my proposed changes.
- The User enters their username and password into the client.
- The client sends the username and a randomly generated value to the server.
- The server checks to see if there currently exists a user with the username sent from the client.
- If no user exists, the server sends the RSA Public key to the client, requesting the client to generate a salt, and verifier.
- The client sends the salt and verifier to the server, and encodes it with the public key.
- The server decodes the salt and verifier with the private key.
- Each side now independently calculates a strong shared session key, and proves that key to each other.
- If both proofs match, the user has successfully authenticated.
- If the user has authenticated sucessfully, the salt and verifier are saved to the database, or file for the user.
Would this be an acceptable, secure form of on-the-fly registration? Or are there some things that I haven't considered?
Aucun commentaire:
Enregistrer un commentaire