Encrypted Login

From HEWIKI

Documentation on this page is intended for customers of HeroEngine managing their own server(s).

Overview

HeroEngine supports two separate encryption technologies which shield client/server communication from eavesdroppers. Encrypted login uses RSA public/private key encryption to protect the user's password. Further client/server communication is not encrypted.

Creating Public and Private Key Pairs

The HeroEngine code base includes a utility program, KeyGenerator, that generates public/private key pairs and signatures. Follow these steps to produce the public key, private key, and signature files. The file names may be changed as appropriate; if they are changed, use the changed names in the next two sections as well.

  1. If a master key has not yet been generated, run the KeyGenerator to create it.
    • KeyGenerator create -private master_key.pv -public master_key.pb -length 2048
  2. Create a key pair for the world.
    • KeyGenerator create -private world_key.pv -public world_key.pb -length 2048
  3. Create a signature for the world's public key with the master key's private key.
    • KeyGenerator sign -private master_key.pv -public world_key.pb -signature world_key_signature.sig

Modify Deploys to Include Key and Signature Files

The key and signature files must be distributed to the servers and shipped with the client.

  1. Place the following files into the FireStorm Daemons executables directory, or include them with the deploy
    • world_key.pv
    • world_key.pb
    • world_key_signature.sig
  2. Place the following files into the HJServers executables directory, or include them with the deploy
    • world_key.pb
    • world_key_signature.sig
  3. Add the following file to the Client installation
    • master_key.pb

The file which contains the private master key, master_key.pv, should be secured against all outside access; a leaked master private key allows man-in-the-middle attacks on encrypted passwords.

Modify Configuration Values to Enable Encryption

After adding the keys to the installs, configuration values must be changed to enable Encrypted Login.

  1. In Master Control, edit the configuration for the world
    • Add the configuration parameter AuthenticationPublicKeyFile with the value of "world_key.pb" to the world's Universe configurations.
    • Add the configuration parameter AuthenticationPublicKeySignatureFile with the value of "world_key_signature.sig" to the world's Universe configurations.
    • Add the configuration parameter AuthenticationPrivateKeyFile with a value of "world_key.pv" to the Process level configuration parameters of the Authenticator process.
  2. In Master Control, change Client Configuration Values
    • Add a configuration parameter PublicAuthenticationCertificate with a value of "master_key.pb" to the client configuration values of the world.

Appendix: Generating and Signing Keys Programmatically

Keys can be created by using the Crypto++ library.

The following example code generates a key pair and writes both halves as hex-encoded DER files.

#include <string>
#include <cryptopp/osrng.h>   // AutoSeededRandomPool
#include <cryptopp/rsa.h>     // RSAES_OAEP_SHA_*, RSASSA_PKCS1v15_SHA_Signer
#include <cryptopp/hex.h>     // HexEncoder / HexDecoder
#include <cryptopp/files.h>   // FileSink / FileSource
#include <cryptopp/filters.h> // SignerFilter (used by signPublicKey below)
// Header paths above assume a system-wide Crypto++ install (cryptopp/...).

void makeKeys()
{
  std::string PrivateKeyFile = "current_key.pv";
  std::string PublicKeyFile  = "current_key.pb";

  CryptoPP::AutoSeededRandomPool rng;

  // Specify 512 bit modulus, accept e = 17 (Crypto++'s default public exponent).
  // The KeyGenerator steps above use -length 2048; pass 2048 here for the same key size.
  CryptoPP::RSAES_OAEP_SHA_Decryptor Decryptor( rng, 512 /*, e */ );
  CryptoPP::HexEncoder privFile(new
    CryptoPP::FileSink( PrivateKeyFile.c_str() )
    ); // Hex Encoder

  // Private key: DER-encoded, then hex-encoded into the .pv file
  Decryptor.DEREncode(privFile);
  privFile.MessageEnd();

  // Derive the public half from the private key
  CryptoPP::RSAES_OAEP_SHA_Encryptor Encryptor(Decryptor);
  CryptoPP::HexEncoder pubFile(new
    CryptoPP::FileSink( PublicKeyFile.c_str() )
    ); // Hex Encoder

  // Public key: DER-encoded, then hex-encoded into the .pb file
  Encryptor.DEREncode(pubFile);
  pubFile.MessageEnd();
}

This code signs a public key file with the master private key (same includes as above).

void signPublicKey()
{
  CryptoPP::AutoSeededRandomPool rng;
  std::string publicKeyFile = "current_key.pb";

  // Input: Private Key
  std::string PrivateKeyFile = "master_key.pv";

  // Output: Signed Message M
  std::string SignedFile = "current_key_signature.sig";

  // Load the hex-encoded private key and build a PKCS#1 v1.5 / SHA-1 signer from it
  CryptoPP::FileSource privFile( PrivateKeyFile.c_str(), true,
    new CryptoPP::HexDecoder);
  CryptoPP::RSASSA_PKCS1v15_SHA_Signer priv(privFile);

  // Sign Away...
  // The signature covers the hex-decoded DER bytes of the public key, so a
  // verifier must hash exactly those bytes when checking the .sig file.
  CryptoPP::FileSource( publicKeyFile.c_str(), true,
    new CryptoPP::HexDecoder( new CryptoPP::SignerFilter( rng, priv,
      new CryptoPP::HexEncoder(
        new CryptoPP::FileSink( SignedFile.c_str() )
        ) // HexEncoder
      ) // SignerFilter
    ) // HexDecoder
  ); // FileSource
}
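The appendix shows generation and signing; the counterpart a server operator wants to check is the trust chain the Overview and key-distribution sections describe: the client trusts only master_key.pb, accepts the world key only if its signature verifies, and then encrypts the password with it. The following is an added example written for this page using Go's standard library, not HeroEngine or Crypto++ code; it assumes the same schemes as the Crypto++ classes above (RSASSA-PKCS1v1.5/SHA-1 for the signature, RSA-OAEP/SHA-1 for the password, SubjectPublicKeyInfo DER for the signed public key) and omits the hex file encoding.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha1"
	"crypto/x509"
	"fmt"
)

// WorldKeyBundle is what the client receives: world_key.pb as DER (SubjectPublicKeyInfo,
// as Crypto++ DEREncode writes it) and the master key's signature over exactly those bytes.
type WorldKeyBundle struct {
	PublicKeyDER []byte
	Signature    []byte
}

// SignWorldKey models "KeyGenerator sign": master_key.pv signs world_key.pb
// with RSASSA-PKCS1v1.5/SHA-1, the scheme behind RSASSA_PKCS1v15_SHA_Signer.
func SignWorldKey(master *rsa.PrivateKey, world *rsa.PublicKey) (WorldKeyBundle, error) {
	der, err := x509.MarshalPKIXPublicKey(world)
	if err != nil {
		return WorldKeyBundle{}, err
	}
	h := sha1.Sum(der)
	sig, err := rsa.SignPKCS1v15(rand.Reader, master, crypto.SHA1, h[:])
	return WorldKeyBundle{PublicKeyDER: der, Signature: sig}, err
}

// VerifyAndEncryptPassword is the client side: only master_key.pb is trusted a priori, so
// the world key is used only after its signature verifies; the password is then RSA-OAEP/SHA-1.
func VerifyAndEncryptPassword(masterPub *rsa.PublicKey, b WorldKeyBundle, password string) ([]byte, error) {
	h := sha1.Sum(b.PublicKeyDER)
	if err := rsa.VerifyPKCS1v15(masterPub, crypto.SHA1, h[:], b.Signature); err != nil {
		return nil, fmt.Errorf("world key not signed by master key, refusing to send password: %w", err)
	}
	pub, err := x509.ParsePKIXPublicKey(b.PublicKeyDER)
	worldPub, ok := pub.(*rsa.PublicKey)
	if err != nil || !ok {
		return nil, fmt.Errorf("world key is not a valid RSA public key: %v", err)
	}
	return rsa.EncryptOAEP(sha1.New(), rand.Reader, worldPub, []byte(password), nil)
}

// DecryptPassword is the Authenticator process side, holding world_key.pv.
func DecryptPassword(world *rsa.PrivateKey, ct []byte) (string, error) {
	pt, err := rsa.DecryptOAEP(sha1.New(), rand.Reader, world, ct, nil)
	return string(pt), err
}
```

A world key whose signature was produced by any key other than the master, or whose DER bytes were altered in transit, fails the verification step and the password is never encrypted to it.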
