Jump to content

Session Keys?


jimb

Recommended Posts

Hiya :)

I just downloaded Mangos to have a look through, I'm interested in how the authentication works.

As far as I can see, the login protocol functions like this:

- Client connects to realmd and authenticates using SRP6.

- As part of SRP6 the account both parties calculate the new session key, which realmd stores in the DB.

- Realmd passes the client a list of realms.

- The client disconnects from realmd and connects to a chosen mangosd server.

- The client sends a seed value (calculated for SRP6 earlier?) and mangosd verifies that they have both calculated the same session key (i.e. both know the password).

- All further communication between the client and mangosd is carried out by encrypting the packet headers using the session key, with the RC4 system.

- If the client logs out from a session, it reconnects to the realmd server using original session key to authenticate.

I've only had a quick look at the code, but as far as I can see that's right...

If anyone knows... what were to happen if a client bypasses the realmd server and authenticates directly with mangosd using it's previous session key? I can't see that the key is ever cleared in the DB, for example when an account is logged out, so I assume it would authenticate OK.

Is that an issue? Or is it unnecessary to use a new session key every time the client connects?

Any thoughts or help would really be appreciated :)

Cheers!

[Edit]

Also regarding key-length... the session key is 80 bits I believe? Is this secure for a symmetric algorithm like RC4?

Link to comment
Share on other sites

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue. Privacy Policy Terms of Use