[Freeciv-Dev] Re: (PR#14350) RSA based authentication
Subject: [Freeciv-Dev] Re: (PR#14350) RSA based authentication
From: "Mateusz Stefek" <mstefek@xxxxxxxxx>
Date: Sun, 16 Oct 2005 10:06:05 -0700
Reply-to: bugs@xxxxxxxxxxx
<URL: http://bugs.freeciv.org/Ticket/Display.html?id=14350 >
On 2005-10-16 18:10:42, Jason Short wrote:
>
> <URL: http://bugs.freeciv.org/Ticket/Display.html?id=14350 >
>
> Mateusz Stefek wrote:
> > <URL: http://bugs.freeciv.org/Ticket/Display.html?id=14350 >
> >
> > This patch encrypts passwords sent to the server using the RSA algorithm
> > and the openSSL library.
> >
> > The patch misses a feature of reading a key from external file.
> > Currently the key is regenerated every time the server is run.
>
> Doesn't that mean the password will be different every time the server
> is run? Or is the key that is generated always the same?
I don't understand you. I said that the RSA private key of the server
is always regenerated. This is bad for security reasons. Ideally the
private key should be generated only once to prevent man-in-the-middle
attacks.
> The latter
> would be fine as all that's needed for passwords is a simple one-way
> encryption.
>
> Also, there shouldn't be needed any server changes for such a patch.
> All that's needed is to encrypt one text password into another text
> password at the client side.
That doesn't prevent replay attacks, which are the easiest.
> Finally, the feature should perhaps be a compile-time option.
Maybe. There are some licensing problems with openSSL. I'm quite sure
we can use it under Linux. I'm not sure about Windows platform, since
openSSL can't be considered a "natural" part of this system.
--
mateusz
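The replay point raised in this message is easy to see in a small simulation. The following is an added example, not code from the Freeciv patch or from either poster: it stands in for the RSA scheme with plain hashing and HMAC from the Python standard library, and the credential store, user name and password are constructed for the demo. Scheme 1 is the "encrypt one text password into another at the client side" idea: the client sends a fixed one-way hash, so any captured login message authenticates again unchanged. Scheme 2 binds each login to a fresh, single-use server challenge, so a captured response is useless against the next session.

```python
import hashlib
import hmac
import secrets

# Constructed credential store for the demo (not Freeciv data). The server keeps
# a one-way hash of each password. Note that with a fixed hash as the stored
# verifier, the hash itself is password-equivalent on the wire in scheme 1.
_USERS = {}


def _verifier(password):
    return hashlib.sha256(password.encode("utf-8")).digest()


def register(username, password):
    _USERS[username] = _verifier(password)


# --- Scheme 1: client sends the same one-way hash every session ---------------
def naive_login_message(username, password):
    return (username, _verifier(password))


def naive_server_check(message):
    username, sent = message
    stored = _USERS.get(username)
    return stored is not None and hmac.compare_digest(stored, sent)


# --- Scheme 2: challenge-response with a fresh, single-use nonce ---------------
class ChallengeServer:
    def __init__(self):
        self._pending = {}  # username -> outstanding nonce

    def challenge(self, username):
        nonce = secrets.token_bytes(16)
        self._pending[username] = nonce
        return nonce

    def check(self, username, response):
        nonce = self._pending.pop(username, None)  # consumed on first use
        stored = _USERS.get(username)
        if nonce is None or stored is None:
            return False
        expected = hmac.new(stored, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def challenge_response(password, nonce):
    # Client side: prove knowledge of the password for this nonce only.
    return hmac.new(_verifier(password), nonce, hashlib.sha256).digest()


def demo():
    register("alice", "correct horse")  # constructed sample account

    # Scheme 1: the captured message is accepted again, unchanged.
    captured = naive_login_message("alice", "correct horse")
    naive_first = naive_server_check(captured)
    naive_replay = naive_server_check(captured)

    # Scheme 2: capture one complete legitimate exchange ...
    srv = ChallengeServer()
    n1 = srv.challenge("alice")
    r1 = challenge_response("correct horse", n1)
    cr_first = srv.check("alice", r1)
    # ... then present the captured response against the next challenge.
    srv.challenge("alice")
    cr_replay = srv.check("alice", r1)

    return {
        "naive_first": naive_first,
        "naive_replay": naive_replay,
        "cr_first": cr_first,
        "cr_replay": cr_replay,
    }


if __name__ == "__main__":
    print(demo())
```

The simulation covers only the replay argument; it does not model the key persistence point from the same message. With a server key regenerated on every start there is nothing stable for a client to pin, so a client cannot tell the genuine server key from one substituted by an active interposer, which is why the private key should be generated once and kept.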