Difference between revisions of "XMPP Based Authentication"

From Armagetron
 
=== Spam Attack ===
 
  
I login to a server using a random IM user ID repeatedly. The server sends its messages to that ID, the user calls the abuse squad, and the server's IM account gets suspended for spamming.
+
An evil server sets some innocent bystander's IM address as its own, clients will try to send messages to it, the bystander complains, and the players' accounts get suspended.
 
 
Countermeasure: have the client contact the server over IM instead. But then, an evil server can get the players spam-suspended.
 

Revision as of 03:28, 7 March 2006

This page is intended for fleshing out the details of a simple authentication scheme.

The Authentication

  • The client logs into the player's IM account and sends a join request to the game server's IM address.
  • The game server sends a random session identifier, along with its connection information (hostname/IP and port) to the client.
  • The client connects to the game server's supplied connection info.
  • The client sends the session identifier back over that connection, proving that it is the same player who sent the join request to the game server over IM.
  • The server now knows that the client indeed represents the player it claims to.
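As an added example that is not part of the original wiki page, the following Python sketch runs the five steps in memory: the IM exchange and the game connection are replaced by direct method calls, and the class names, the default port and the 60-second lifetime of a pending session identifier are assumptions.

```python
# Added example, not code from the Armagetron project: an in-memory simulation of the
# join / session-identifier handshake above; IM and game transports are direct calls.
import secrets
import time

SESSION_TTL = 60.0  # seconds a pending session identifier stays valid (assumption)

class GameServer:
    def __init__(self, host="game.example", port=4534, clock=time.monotonic):
        self.host, self.port, self.clock = host, port, clock
        self.pending = {}        # session id -> (IM address, time issued)
        self.authenticated = {}  # game connection id -> verified IM address

    def on_im_join_request(self, im_address):
        """Step 2: reply over IM with a random session id plus connection info."""
        session_id = secrets.token_urlsafe(32)  # 256 random bits: not guessable
        self.pending[session_id] = (im_address, self.clock())
        return {"session": session_id, "host": self.host, "port": self.port}

    def on_game_connect(self, conn_id, presented_session):
        """Steps 4-5: bind the game connection to the IM address that received this id."""
        now = self.clock()
        # Expire stale identifiers so an old leaked one cannot be used later.
        for sid, (_, issued) in list(self.pending.items()):
            if now - issued > SESSION_TTL:
                del self.pending[sid]
        entry = self.pending.pop(presented_session, None)  # single use: replay fails
        if entry is None:
            return None  # unknown, already used, or expired identifier
        im_address, _ = entry
        self.authenticated[conn_id] = im_address
        return im_address

class Client:
    def __init__(self, im_address):
        self.im_address = im_address
        self.last_reply = None

    def join(self, server):
        # Step 1 over IM, step 3 over the game port; returns the verified identity or None.
        self.last_reply = server.on_im_join_request(self.im_address)
        conn_id = f"{self.last_reply['host']}:{self.last_reply['port']}/{secrets.token_hex(4)}"
        return server.on_game_connect(conn_id, self.last_reply["session"])

if __name__ == "__main__":
    server = GameServer()
    player = Client("luke@dashjr.org")
    print("first join:", player.join(server))                                    # luke@dashjr.org
    print("replay:", server.on_game_connect("c2", player.last_reply["session"]))  # None
    print("no IM step:", server.on_game_connect("c3", "guessed-id"))              # None
```

Because the identifier is single-use and expires, replaying a captured one or connecting to the game port without first going through the IM step both fail.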

Stats and Conversation

The game server deals primarily with an IM address or, in the case of an anonymous player, a guest name, which is enclosed in double-quotes. All conversation and stats are recorded by this identifier. For example, when sending a chat message to another player, the server will transmit something along the lines of: luke@dashjr.org says, "Hi!"

Displaying Names For Players (Name Resolution)

If the IM address luke@dashjr.org appears on the player's roster/buddy list, the associated nickname is displayed instead. If not, the full IM address is displayed.

Attack Vectors

All security issues of the underlying IM system are inherited.

The Phishing Server

I can't see a possibility here.

Faking the Authentication Server

DNS poisoning.

Spam Attack

An evil server sets some innocent bystander's IM address as its own; clients will try to send messages to it, the bystander complains, and the players' accounts get suspended.