[Freeciv-Dev] Re: (PR#14350) RSA based authentication
<URL: http://bugs.freeciv.org/Ticket/Display.html?id=14350 >
Mateusz Stefek wrote:
> <URL: http://bugs.freeciv.org/Ticket/Display.html?id=14350 >
>
> On 2005-10-16 18:10:42, Jason Short wrote:
>
>><URL: http://bugs.freeciv.org/Ticket/Display.html?id=14350 >
>>
>>Mateusz Stefek wrote:
>>
>>><URL: http://bugs.freeciv.org/Ticket/Display.html?id=14350 >
>>>
>>>This patch encrypts passwords sent to the server using the RSA algorithm and
>>>the openSSL library.
>>>
>>>The patch misses a feature of reading a key from external file.
>>>Currently the key is regenerated every time the server is run.
>>
>>Doesn't that mean the password will be different every time the server
>>is run? Or is the key that is generated always the same?
>
>
> I don't understand you. I said that the RSA private key of the server
> is always regenerated. This is bad for security reasons. Ideally the
> private key should be generated only once to prevent man-in-the-middle
> attacks.
Ahh, the server key; I understand.
As I said, I feel a one-way encryption would be sufficient. This doesn't
prevent someone from taking over your account, but it does prevent your
password from being compromised - since many people may (foolishly) use
the same password, this is probably the most important goal.
Using TLS prevents passwords from being taken en route. But if the
password is still stored in plain-text in the database it may still be
stolen from there. Using a fixed one-way encryption (hash) would
prevent these from being stolen. This hash may be done at either server
or client.
>>Finally, the feature should perhaps be a compile-time option.
>
> Maybe. There are some licensing problems with openSSL. I'm quite sure
> we can use it under Linux. I'm not sure about Windows platform, since
> openSSL can't be considered a "natural" part of this system.
gnutls is better I think.
-jason
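The "fixed one-way encryption (hash)" Jason proposes, shown as an added example that is not Freeciv code and was not posted in this thread. It assumes a server-side salted PBKDF2-HMAC-SHA256 (the thread names no particular hash) and a constructed in-memory dictionary standing in for the server's player database; the point it demonstrates is that the stored records never contain the password itself, and that two players sharing a password get different records, so a copied table reveals neither the passwords nor their reuse.

```python
import hashlib
import hmac
import os

# Hash parameters; assumed for this example, the thread does not name a hash.
HASH_NAME = "sha256"
ITERATIONS = 200_000
SALT_BYTES = 16

# Constructed in-memory stand-in for the server's player database:
# username -> (salt, hash). No plaintext password is ever stored here.
USER_DB: dict[str, tuple[bytes, bytes]] = {}


def derive_key(password: str, salt: bytes) -> bytes:
    """One-way transform of the password; cannot be reversed to recover it."""
    return hashlib.pbkdf2_hmac(HASH_NAME, password.encode("utf-8"), salt, ITERATIONS)


def store_password(username: str, password: str) -> None:
    """Server-side hashing: a fresh random salt per account, then the hash.

    If the client hashed instead, the hash itself would become the credential
    sent over the wire, so the server should still hash whatever it receives.
    """
    salt = os.urandom(SALT_BYTES)
    USER_DB[username] = (salt, derive_key(password, salt))


def verify_password(username: str, password: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    record = USER_DB.get(username)
    if record is None:
        return False
    salt, stored = record
    return hmac.compare_digest(derive_key(password, salt), stored)


def database_leaks_plaintext(password: str) -> bool:
    """What someone who copied the table would see: is the password in it?"""
    needle = password.encode("utf-8")
    return any(needle in salt + digest for salt, digest in USER_DB.values())


if __name__ == "__main__":
    store_password("alice", "correct horse")
    store_password("bob", "correct horse")
    print(verify_password("alice", "correct horse"))          # True
    print(verify_password("alice", "wrong"))                  # False
    print(USER_DB["alice"][1] != USER_DB["bob"][1])           # True: salts differ
    print(database_leaks_plaintext("correct horse"))          # False
```

The salt is the detail that matters for the "many people use the same password" concern: without it, identical passwords would produce identical stored hashes and a stolen table would immediately show which accounts share one.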