Posted by robert on 09/28/19 11:48
"Gernot Frisch" <Me@Privacy.net> wrote in message
news:4dev7lF1a54inU1@individual.net...
| Hi,
|
| I want my users to make games using a highscore list on the internet. I want
| to send them license-keys for their games, so they can implement
| these.
| However, that code can be transmitted/viewed with a packet sniffer
| thingy.
|
| What is the best way to encrypt/decrypt such a password (the users
| must be able to generate the password easily). What do I have to take
| care about? Is there already sample code? Or even freeware highscore
| servers?

run it over ssl.

you could also follow the same example that the POP3 rfc has for the APOP
command...when a client connects, the server issues a string of any
characters (apop usually returns a unix time stamp string from the server).
that string can be saved as a session variable to be recalled later by the
server. the client takes the user supplied password and server supplied time
stamp string and concatenates them and finally md5 encrypts them and submits
that value to the server along with a user name. the server looks up the
user name being passed, gets the associated password and concatenates the
session time stamp string with it, then md5 encrypts it all. if the client
encrypted string and the server encrypted string match, then the password is
valid. that way, the raw password is never actually transmitted...plus if
you do this over ssl, it is all the more secure.
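The APOP-style exchange described in the reply above, sketched as an added example that is not part of the original post. The `Server` class, the account data and the `highscore.example` name are constructed for illustration, and the challenge is a random value rather than a time stamp (an assumption made here so that challenges cannot be predicted or reused).

```python
import hashlib
import hmac
import secrets

# Constructed sample account store. The scheme needs the server to hold the
# shared secret itself (not a one-way hash of it) to recompute the digest.
USERS = {"gamedev1": "example-license-key"}


def apop_digest(challenge, secret):
    # APOP order: MD5 over the challenge followed by the shared secret, hex encoded.
    return hashlib.md5((challenge + secret).encode("utf-8")).hexdigest()


class Server:
    def __init__(self, users):
        self.users = users
        self.pending = {}  # session id -> challenge not yet answered

    def issue_challenge(self, session_id):
        # Random challenge (assumption; APOP itself uses a time-stamp string).
        challenge = "<%s@highscore.example>" % secrets.token_hex(16)
        self.pending[session_id] = challenge
        return challenge

    def verify(self, session_id, username, digest):
        # pop() makes every challenge single-use: a sniffed digest that is
        # replayed later finds no pending challenge and is rejected.
        challenge = self.pending.pop(session_id, None)
        secret = self.users.get(username)
        if challenge is None or secret is None:
            return False
        expected = apop_digest(challenge, secret)
        # Constant-time comparison of the two hex strings.
        return hmac.compare_digest(expected, digest)


def client_login(server, session_id, username, secret):
    challenge = server.issue_challenge(session_id)   # server -> client
    digest = apop_digest(challenge, secret)          # computed on the client
    return digest, server.verify(session_id, username, digest)  # client -> server


if __name__ == "__main__":
    srv = Server(USERS)
    digest, ok = client_login(srv, "s1", "gamedev1", "example-license-key")
    print("valid login:", ok)
    print("replayed digest accepted:", srv.verify("s1", "gamedev1", digest))
    print("wrong key accepted:", client_login(srv, "s2", "gamedev1", "guess")[1])
```

Only the user name and the digest cross the network. A captured digest is tied to one challenge and is useless once that challenge has been consumed.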