Session Keys?

[jimb]

Hiya

I just downloaded Mangos to have a look through, I'm interested in how the authentication works.

As far as I can see, the login protocol functions like this:

- Client connects to realmd and authenticates using SRP6.

- As part of SRP6 the account both parties calculate the new session key, which realmd stores in the DB.

- Realmd passes the client a list of realms.

- The client disconnects from realmd and connects to a chosen mangosd server.

- The client sends a seed value (calculated for SRP6 earlier?) and mangosd verifies that they have both calculated the same session key (i.e. both know the password).

- All further communication between the client and mangosd is carried out by encrypting the packet headers using the session key, with the RC4 system.

- If the client logs out from a session, it reconnects to the realmd server using original session key to authenticate.

I've only had a quick look at the code, but as far as I can see that's right...

If anyone knows... what were to happen if a client bypasses the realmd server and authenticates directly with mangosd using it's previous session key? I can't see that the key is ever cleared in the DB, for example when an account is logged out, so I assume it would authenticate OK.

Is that an issue? Or is it unnecessary to use a new session key every time the client connects?

Any thoughts or help would really be appreciated

Cheers!

[Edit]

Also regarding key-length... the session key is 80 bits I believe? Is this secure for a symmetric algorithm like RC4?