
jimb


  1. Hiya, I understand how the client is authenticated using SRP by the Realm/Auth server. Could anyone explain briefly how the world server authenticates the client? I'm having a little trouble understanding the code, but it looks like the relevant method is WorldSocket::HandleAuthSession() - specifically, it's checking that the key and account name are the same on both client and server using a 'seed value' supplied by the client. Not sure what this is? Any help is really appreciated! Cheers, Jim
  2. Hiya, I just downloaded Mangos to have a look through; I'm interested in how the authentication works. As far as I can see, the login protocol functions like this:

     - Client connects to realmd and authenticates using SRP6.
     - As part of SRP6 the account both parties calculate the new session key, which realmd stores in the DB.
     - Realmd passes the client a list of realms.
     - The client disconnects from realmd and connects to a chosen mangosd server.
     - The client sends a seed value (calculated for SRP6 earlier?) and mangosd verifies that they have both calculated the same session key (i.e. both know the password).
     - All further communication between the client and mangosd is carried out by encrypting the packet headers using the session key, with the RC4 system.
     - If the client logs out from a session, it reconnects to the realmd server using original session key to authenticate.

     I've only had a quick look at the code, but as far as I can see that's right...

     If anyone knows... what would happen if a client bypasses the realmd server and authenticates directly with mangosd using its previous session key? I can't see that the key is ever cleared in the DB, for example when an account is logged out, so I assume it would authenticate OK. Is that an issue? Or is it unnecessary to use a new session key every time the client connects?

     Any thoughts or help would really be appreciated.

     Cheers!

     [Edit] Also regarding key length... the session key is 80 bits, I believe? Is this secure for a symmetric algorithm like RC4?