Potential Authentication System

Comments in 'General Discussion' started by Falk, Nov 6, 2014.

  1. ProjectInfinity
    Offline

    ProjectInfinity Active Member Plugin Developer

    Joined:
    Sep 7, 2014
    Posts:
    112
    Plugins:
    3
    Minecraft User:
    ProjectInfinity
    @Falk If you can't explain in more detail then I don't understand how it is any better than a password system. A UUID system... So what? What is it bound to? Their IP? IPs can be dynamic, not to mention there can be several users per IP. The main problem with MCPE is that there is no login.
  2. Falk
    Offline

    Falk Staff Member Global Moderator

    Joined:
    Sep 2, 2013
    Posts:
    1,706
    Plugins:
    22
    Minecraft User:
    Falkirknh
    It's hard for me to explain, especially first thing in the morning. Each MCPE client has its own client token (provided in the unique hostname) which can be used to open 1 session with 1 IP. The username that they open the session with will be attached to the player who the client belongs to. When the client joins a supported server, the server will send off the IP and username and then the central server will verify them. Of course, another person on the WIFI could use their account, that personally doesn't concern me, but if they are concerned they can switch to a one-time authentication mode, which will only allow them to log in once for every session they start.
    PEMapModder and MegaSamNinja like this.
  3. ProjectInfinity
    This is the part that confuses me. How do you differentiate between one client and another from the same IP? If you have no unique identifier to get from the player somehow, then this is flawed and a password system is pretty much equally secure and reliable.

    Edit:
    It also seems like a first-come first-served solution. And when a session ends, is it (the username) up for grabs?
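
An added example, not code from the thread or from any plugin discussed in it: a minimal Python model of the session scheme Falk describes above and of the same-IP and first-come objections ProjectInfinity raises. The class, method and token names are hypothetical, and the IP addresses are documentation-range samples.

```python
# Constructed model of the scheme described in the thread; all names are hypothetical.
from dataclasses import dataclass


@dataclass
class Session:
    account: str
    ip: str
    one_time: bool
    used: bool = False


class CentralAuth:
    def __init__(self):
        self.tokens = {}    # client token -> account, known only to the auth server
        self.sessions = {}  # username -> Session (one session per username)

    def open_session(self, token, username, ip, one_time=False):
        """Client-side step: the token is presented here and nowhere else."""
        account = self.tokens.get(token)
        if account is None:
            return False
        self.sessions[username] = Session(account, ip, one_time)
        return True

    def verify(self, username, ip):
        """Game-server step: only the username and source IP are available."""
        s = self.sessions.get(username)
        if s is None or s.ip != ip:
            return False
        if s.one_time:
            if s.used:
                return False
            s.used = True
        return True


def demo():
    nat_ip, other_ip = "203.0.113.7", "198.51.100.9"  # documentation ranges
    auth = CentralAuth()
    auth.tokens["token-A"] = "alice"  # constructed sample token
    out = {}
    auth.open_session("token-A", "Alice", nat_ip)
    out["owner_join"] = auth.verify("Alice", nat_ip)
    # A second device behind the same NAT presents the same username and IP.
    out["same_nat_other_device"] = auth.verify("Alice", nat_ip)
    out["different_ip"] = auth.verify("Alice", other_ip)
    # One-time mode: the first join from that IP consumes the session, whoever sends it.
    auth.open_session("token-A", "Alice", nat_ip, one_time=True)
    out["one_time_first"] = auth.verify("Alice", nat_ip)
    out["one_time_second"] = auth.verify("Alice", nat_ip)
    return out
```

Because the token never reaches the game server, `verify` cannot tell the owner's device from any other device that shares the public IP; one-time mode only decides which of them gets in first.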
  4. Falk
    On the authentication server we have a client token but when they join the MCPE server it's just guessing. Usernames are unique in the database so that makes it possible although not optimal. Also, there might be some device unique property in the protocol (maybe the cookie), that I could hash up with the IP.
  5. ProjectInfinity
    But this is entirely generated on your end? If so, my statement still stands in regards to the system being flawed by design.
    This is absolutely required for this system to work. You need something unique about each installation of MCPE.
  6. Falk
    Thanks for your concern, I will do some looking in the protocol for an identifier of some sort.
    LDX likes this.
  7. LDX
    Offline

    LDX Notable Member Plugin Developer

    Joined:
    Oct 2, 2013
    Posts:
    1,397
    Plugins:
    14
    Oh, I read the whole thread, I just didn't understand most of it. :p
  8. Dalton
    Offline

    Dalton Banned

    Joined:
    Jul 7, 2014
    Posts:
    38
    Minecraft User:
    DALTONTASTIC
    Well guys my authentication plugin requires passwords, and everything is encrypted with industry strength SSL and other forms of encryption. This isn't foolproof, but neither is the UDID concept. Also keep in mind that there's always a slight risk of a compromised login even if you are a big tech giant like Facebook or Google..... OR ICLOUD (LOL)..

    On that note this site doesn't even use SSL.... Speaking of the possibility of stolen passwords. Anybody with a point to prove could intercept your login information and possibly log in to all of your accounts if you use the same password everywhere. There are a lot of flawed statements being thrown around.

    EDIT: In an earlier post I was told that my method was "insecure" because people on their wifi network could intercept their password, which firstly isn't even true because it's encrypted. Secondly, the UDID method lets anybody on the wifi connect via your account WITHOUT EVEN ENTERING A PASSWORD. Soooooooooooooooooooooooooooooooooooooooooooooooooo where's the logic?
    SpiderPig likes this.
  9. Falk
    Usernames are locked to the account until they use another one.
  10. ProjectInfinity
    Which they would lose as soon as their IP changes? :rolleyes:

    I talked to shogs and there is absolutely nothing unique about any client. As a result there's not much to do. The closest you can get is a combination of IP and client ID in the login packet, but even that can be spoofed.
    Falk likes this.
  11. Falk
    No, because of my fake client token in the middle. You are entirely right though, I won't push this further.
  12. LDX
    I had thought in the past that maybe we could make an official PocketMine auth server until Mojang makes one for the client itself.
    iJoshuaHD likes this.
  13. iJoshuaHD
    Offline

    iJoshuaHD Notable Member Plugin Developer

    Joined:
    Nov 7, 2013
    Posts:
    1,167
    Plugins:
    4
    Minecraft User:
    iJoshuaHD
    Is it safe to show the public a custom hashed encrypted password?
    LDX likes this.
  14. Humerus
    Offline

    Humerus Staff Member Plugin Reviewer

    Joined:
    Aug 23, 2013
    Posts:
    114
    Plugins:
    1
    This idea doesn't have to be shot down. I had plans for an OAuth-esque authentication method, but never had a chance to continue my plans. You could look at that approach to find something feasible.
    LDX and Falk like this.
  15. Humerus
    I've created an authentication plugin that eliminates the need for a user to enter a password into any server. The system can be decentralized (each server handles their own users and info) or can be centralized (meaning the servers are connected by a single API which handles single sessions, banned (for extenuating situations) and user aliasing). I don't know when a release will occur but I plan on deploying it on a test server with instructions on how to use it.
  16. Dalton
    How exactly does it work though if there's no password involved?
  17. Humerus
    I implemented the OAuth-esque system I was thinking about doing a while ago.
  18. Dalton
    Could we possibly message about this concept? If it's secure I would love to implement it into my upcoming plugin to avoid any possible sensitive information leaks.
  19. ProjectInfinity
    If it is secure you shouldn't need to keep the information private.
  20. ProjectInfinity
    I promise you that you are not "twice as secure as tech giants like Facebook or Google". Just saying that you use SSL does not make it secure.

    https://community.qualys.com/blogs/securitylabs/2014/10/15/ssl-3-is-dead-killed-by-the-poodle-attack
    http://www.troyhunt.com/2011/01/ssl-is-not-about-encryption.html

    Pointing out things does not make it passive aggressiveness and it is more harmful to spread inaccurate information than it is to point it out.
    Dutok, codmadnesspro and Falk like this.
