Potential Authentication System

Comments in 'General Discussion' started by Falk, Nov 6, 2014.

  1. ProjectInfinity
    ProjectInfinity Active Member Plugin Developer

    Joined:
    Sep 7, 2014
    Posts:
    112
    Plugins:
    3
    Minecraft User:
    ProjectInfinity
    You gotta take into account the endpoint and not just the transport layer.
    Also you're at fault for the confusion here. You say SSL instead of TLS. It is true that SSL 3.0 was the basis for TLS 1.0, but that's where it ends.
    Dutok likes this.
  2. ProjectInfinity
    ProjectInfinity Active Member Plugin Developer

    Joined:
    Sep 7, 2014
    Posts:
    112
    Plugins:
    3
    Minecraft User:
    ProjectInfinity
    Sorry what? You're the 17-year-old kid coming here saying that you know security better than mega corporations such as Google.
    I never said that I am better than everybody else. I corrected an inaccuracy and that was it. The harm here is to leave up information that confuses the many young hobbyist programmers on this site into believing that A is secure when A is not and they should be using B instead.

    Because PocketMine is written in PHP it has an extremely low learning curve for people who barely have any experience in programming. Because of this, you have to be extremely clear (leave no inaccuracies) when you type and not have a sarcastic tone like a major part of your posts have. It will confuse them.
  3. williamtdr
    williamtdr Staff Member PocketMine Team

    Joined:
    Aug 22, 2013
    Posts:
    23
    Interesting, but too complicated and inconvenient for the end user. Also presents problems for new players wanting to join.
    Smarticles101, Falk and LDX like this.
  4. williamtdr
    williamtdr Staff Member PocketMine Team

    Joined:
    Aug 22, 2013
    Posts:
    23
    SSL has nothing to do with how secure your data actually is, btw. It's client <-> server encryption, what matters more is how it's being stored on the server, as we've found with numerous data breaches and account info leaks, because the sensitive information wasn't encrypted right. Not to mention POODLE proved that SSL is vulnerable too. And SSL doesn't matter when it comes to MCPE, as the client can't transmit it. On the server side, if there's a central network your data sources should be binding internally anyway.
    iJoshuaHD and LDX like this.
  5. xFlare
    xFlare Active Member Plugin Developer

    Joined:
    Sep 28, 2014
    Posts:
    199
    Plugins:
    1
    Minecraft User:
    xFlare
    One problem: what if this authentication system was down? All servers will suffer from players not being able to be authenticated.
  6. SpiderPig
    SpiderPig Active Member

    Joined:
    Sep 21, 2013
    Posts:
    128
    Minecraft User:
    SpiderPig
    Yeah, that is true...
    xFlare likes this.
  7. ProjectInfinity
    ProjectInfinity Active Member Plugin Developer

    Joined:
    Sep 7, 2014
    Posts:
    112
    Plugins:
    3
    Minecraft User:
    ProjectInfinity
    This is probably the main issue with a centralised solution. It will always be vulnerable to attacks.
  8. SpiderPig
    SpiderPig Active Member

    Joined:
    Sep 21, 2013
    Posts:
    128
    Minecraft User:
    SpiderPig
    If someone DDoSed the main hub, nobody would be able to log in.
    Smarticles101 and iJoshuaHD like this.
  9. ProjectInfinity
    ProjectInfinity Active Member Plugin Developer

    Joined:
    Sep 7, 2014
    Posts:
    112
    Plugins:
    3
    Minecraft User:
    ProjectInfinity
    Exactly. You need fallback solutions so that in the event that one server goes down, another one steps in.
  10. PEMapModder
    PEMapModder Notable Member Plugin Developer

    Joined:
    Oct 9, 2013
    Posts:
    7,294
    Plugins:
    11
    Minecraft User:
    PEMapModder
    I don't quite understand.
    1. What are the variables for generating UUIDs?
    2. What is the "Login MCPE Server"?
    3. For the second method, how is that different from only authenticating by IP?
  11. PEMapModder
    PEMapModder Notable Member Plugin Developer

    Joined:
    Oct 9, 2013
    Posts:
    7,294
    Plugins:
    11
    Minecraft User:
    PEMapModder
    Then do it like bitcoin?
  12. PEMapModder
    PEMapModder Notable Member Plugin Developer

    Joined:
    Oct 9, 2013
    Posts:
    7,294
    Plugins:
    11
    Minecraft User:
    PEMapModder
    I think I got your concept. But I still don't understand about these:
    How is the UUID generated? Is it a new ID (like $id++) from a database, or is it a token like a SHA, or is it something created upon the IP or the username, or something else?
    If the player connects on a new account, by what method can he connect to his old account?
  13. ProjectInfinity
    ProjectInfinity Active Member Plugin Developer

    Joined:
    Sep 7, 2014
    Posts:
    112
    Plugins:
    3
    Minecraft User:
    ProjectInfinity
    I already debunked this. The issue is that there is NO uniqueness to MCPE installations. You cannot make a decent authentication system because of this.
    PEMapModder likes this.
  14. codmadnesspro
    codmadnesspro Notable Member Plugin Developer

    Joined:
    Sep 11, 2013
    Posts:
    551
    Plugins:
    1
    Minecraft User:
    Codmadnesspro
    Problem is, there couldn't be anything unique in it. Say someone wanted to get on an old server that wasn't updated to the latest version and wanted to use the old MCPE app; then the people who shared the app would give its uniqueness away, allowing others to take over the account?
    Just a theory...
  15. ProjectInfinity
    ProjectInfinity Active Member Plugin Developer

    Joined:
    Sep 7, 2014
    Posts:
    112
    Plugins:
    3
    Minecraft User:
    ProjectInfinity
    Installations do not equal APKs. Anyway, sharing it is illegal.
  16. Falk
    Falk Staff Member Global Moderator

    Joined:
    Sep 2, 2013
    Posts:
    1,706
    Plugins:
    22
    Minecraft User:
    Falkirknh
    The UUIDs are database tokens. The old account will be linked to the new one by joining the login server (which contains the ID in the hostname).

    @ProjectInfinity is correct in saying that they don't provide much uniqueness :)
  17. sekjun9878
    sekjun9878 Staff Member PocketMine Team

    Joined:
    Aug 22, 2013
    Posts:
    108
    Plugins:
    1
    Minecraft User:
    sekjun9878
    Why not make it so that the username field is used as a secret unique identifier? We can give the user a custom "hash" + salt/password of a username, and then they can use that secret to join servers. After they join, a plugin on the server can query a main server with the secret, and get their real username.

    This way the user only needs to enter a one-time password into their username box, while their real identity can be kept secure because only he knows the secret string to enter into the username box to authenticate for his username.
    Falk likes this.
  18. Humerus
    Humerus Staff Member Plugin Reviewer

    Joined:
    Aug 23, 2013
    Posts:
    114
    Plugins:
    1
    The server still sees the user's hash, meaning an untrustworthy server owner can still auth as the user / create a list of known usernames to hashes.
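The two posts above are easiest to compare in code. What follows is an added example, not code from the thread or from PocketMine: a sketch of the "main server" that maps the secret typed into the username box back to a real username. Variant A is the proposal read literally (one fixed per-player string), which any server that has seen the string can resolve again later, as Humerus describes. Variant B is what "one-time" has to mean for that objection not to apply: a token bound to the server being joined and accepted only once. The class and function names, the server ids, the player "alice", the 16-hex-character MAC truncation (chosen so the token fits a username field; the real field limit is not discussed here) and the assumption that the login server already knows which game server is calling it are all mine.

```python
import hashlib
import hmac
import secrets

# Constructed example: a central login server that knows each player's real
# username and a per-player secret key. Names and ids are illustrative.
MAC_HEX_LEN = 16   # assumption: keep tokens short enough for a username field


class LoginServer:
    def __init__(self):
        self.keys = {}            # real username -> per-player secret key
        self.redeemed = set()     # one-time tokens already used

    def register(self, username):
        self.keys[username] = secrets.token_bytes(32)

    # --- Variant A: a fixed per-player "hash", the same string on every server.
    def static_secret(self, username):
        return hmac.new(self.keys[username], b"static",
                        hashlib.sha256).hexdigest()[:MAC_HEX_LEN]

    def resolve_static(self, secret):
        # Whoever holds the string can resolve it to the real username, forever.
        for name in self.keys:
            if hmac.compare_digest(self.static_secret(name), secret):
                return name
        return None

    # --- Variant B: a one-time token bound to the server the player is joining.
    def one_time_token(self, username, server_id):
        nonce = secrets.token_hex(4)                    # 8 hex chars
        msg = f"{server_id}:{nonce}".encode()
        mac = hmac.new(self.keys[username], msg,
                       hashlib.sha256).hexdigest()[:MAC_HEX_LEN]
        return nonce + mac

    def resolve_one_time(self, token, server_id):
        # Assumes the login server has already authenticated which game server
        # is calling (e.g. a per-server API key); that part is not modelled.
        if token in self.redeemed or len(token) != 8 + MAC_HEX_LEN:
            return None
        nonce, mac = token[:8], token[8:]
        msg = f"{server_id}:{nonce}".encode()
        for name, key in self.keys.items():   # linear scan is fine for a demo
            expected = hmac.new(key, msg, hashlib.sha256).hexdigest()[:MAC_HEX_LEN]
            if hmac.compare_digest(expected, mac):
                self.redeemed.add(token)      # accepted exactly once
                return name
        return None


def demo():
    login = LoginServer()
    login.register("alice")
    honest, rogue = "server-A", "server-M"   # two game servers, one untrustworthy

    # Variant A: alice types the same secret into the username box everywhere.
    secret = login.static_secret("alice")
    honest_lookup = login.resolve_static(secret)   # server-A learns "alice"
    rogue_replay = login.resolve_static(secret)    # server-M saw the same string
                                                   # and resolves it too, any time
    # Variant B: alice fetches a token that is only good for server-A, once.
    token = login.one_time_token("alice", honest)
    first_use = login.resolve_one_time(token, honest)     # "alice"
    replay = login.resolve_one_time(token, honest)        # None: already redeemed
    token_for_a = login.one_time_token("alice", honest)
    relayed = login.resolve_one_time(token_for_a, rogue)  # None: bound to server-A
    return {
        "honest_lookup": honest_lookup,
        "rogue_replay": rogue_replay,
        "first_use": first_use,
        "replay": replay,
        "relayed": relayed,
    }


if __name__ == "__main__":
    print(demo())
```

Variant B still lets the server the player joins learn the mapping token to username once, so it is no help against a server owner collecting real usernames; it only stops that owner from reusing what was typed to authenticate as the player elsewhere.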
  19. PEMapModder
    PEMapModder Notable Member Plugin Developer

    Joined:
    Oct 9, 2013
    Posts:
    7,294
    Plugins:
    11
    Minecraft User:
    PEMapModder
    Don't you think entering a hash is user unfriendly?
    Smarticles101 and iJoshuaHD like this.
  20. ServerKart_Rod
    ServerKart_Rod Active Member Plugin Developer

    Joined:
    Jul 7, 2014
    Posts:
    110
    Plugins:
    1
    Minecraft User:
    Advocaite
    You could always build a session server and have people register their usernames and passwords; they are given a UUID, which is stored on the session server, and you use the offline/online option in server.properties like PC servers do. If online, PocketMine checks the session server for that name and then, if found, as soon as you join you must put in your password, which is checked to be true or false; if false, disconnect them, if true, keep them in the server.

    It'd be sorta hard as you don't need to register accounts like the Mojang PC version, but not impossible either. I think there are more important things, like finishing PocketMine, and then worry about it.
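The session-server flow in the post above, written out as an added example that is not code from the thread or from PocketMine. It also takes up williamtdr's earlier point that how credentials are stored on the server matters: the session server keeps only a salt and a PBKDF2-derived key, never the password. The class and function names, the PBKDF2 parameters, the player names and the handling of a name that is not registered (the post only says what happens when the name is found; here an unregistered name is let through unchecked, marked as an assumption) are all mine.

```python
import hashlib
import hmac
import os
import uuid

# Constructed example of the session-server idea: players register a username
# and password and get a UUID; a server with online mode on asks the session
# server to check the password when they join. Names are illustrative.
PBKDF2_ITERATIONS = 100_000   # assumption: tune to the hardware you run on


class SessionServer:
    def __init__(self):
        self.accounts = {}   # username -> (uuid, salt, derived key)

    def register(self, username, password):
        if username in self.accounts:
            raise ValueError("username taken")
        salt = os.urandom(16)
        dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
        player_id = str(uuid.uuid4())
        self.accounts[username] = (player_id, salt, dk)   # never the password itself
        return player_id

    def lookup(self, username):
        """Is this name registered? Return its UUID, or None."""
        entry = self.accounts.get(username)
        return entry[0] if entry else None

    def verify(self, username, password):
        entry = self.accounts.get(username)
        if entry is None:
            return False
        _, salt, dk = entry
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
        return hmac.compare_digest(candidate, dk)   # constant-time comparison


def on_join(session, online_mode, username, password_entered):
    """Server-side decision when a player joins: (keep_player, reason)."""
    if not online_mode:
        return True, "offline mode: no check"
    if session.lookup(username) is None:
        # assumption: the post does not say what happens to an unregistered name
        return True, "name not registered: nothing to check against"
    if session.verify(username, password_entered):
        return True, "password ok"
    return False, "wrong password: disconnect"


def demo():
    session = SessionServer()
    pid = session.register("alice", "correct horse battery staple")   # constructed
    return {
        "uuid_len": len(pid),
        "online_ok": on_join(session, True, "alice", "correct horse battery staple")[0],
        "online_wrong": on_join(session, True, "alice", "hunter2")[0],
        "offline_any": on_join(session, False, "alice", "hunter2")[0],
        "unregistered": on_join(session, True, "bob", "")[0],
    }


if __name__ == "__main__":
    print(demo())
```

Note that the password is typed into the game server, so the operator of that server sees it in the clear; this is the same objection Humerus raised against the hash-in-username idea, and a registered player who joins an untrusted server hands over the credential that protects their name everywhere.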
