Hi, so first time posting, long time user of Love2d.
I'm currently playing round with an MMO idea, and with this in mind have looked at both the enet and the socket libraries that come bundled with love2d. Both are supposed to be (and are) relatively thin wrappers to provide the essential back and forth of data across a network and this I'm comfortable with.
What I'm struggling with is how to persist user data in a secure way. A problem for which I have 2 theoretical solutions but no practical implementation for either.
Option 1 - hashed GUID as an initial setup (the incorrect but easy way)
When the player first downloads and install the game, I generate a guid for their machine and hash it, creating a fairly reliable unique token for identifying them on the server. They then connect, I take this token as a means to identify their peer and give them access to whatever inventory, items etc.
This method lacks security in that sending through a UDP wrapper will send their token unencrypted and as a result make them vulnerable to a man in the middle attack. On the flip side, I haven't taken their password or any secret information, therefore the loss of their token or any hacking of the main server results in no personal information being lost, just perhaps a loss of account (equally annoying, but not anywhere near as damaging). It doesn't allow them to transfer between machines unless you allow them to copy and paste their token into another copy of the game on another machine.
This can be implemented, Love2d has the necessary networking library, and there are pure lua libraries for hashing, making it possible and easily platform independent
Option 2 - traditional security architecture
When the player starts the game, the game connects to the server, which does a key exchange (something I would have to implement). The player then uses or creates login credentials of which we hash the password and encrypt and send all of it to the server. The server verifies it (assuming it's a login) generates a Json web token for the play session and then the player includes the token with important payloads (important payloads being defined as actions that might damage the players account - loss of ingame currency, items etc.). The token is only valid for a period of time and has to be reissued by the server.
There are libraries out there that already provide most of the provisions for this, primarily I'm thinking LuaSec because it integrates right into LuaSocket (hooray).
The question
My problem is delivery, getting the luasec library included is relatively easy, but how do I provide access the openSSL libraries it depends on and do so in a relatively platform independent way.
I assume people have used C libraries on here before, how difficult is it to package all of this together into one simple executable, with or without addition lib files include? Are there tutorials specific to love development to help with this?
In particular, I'm curious about windows support, as whilst I am comfortable with and use linux, a lot of people (noteably, players) don't. I realise this might be quite a meaty question, so thank your for any answer even if they're only partial
Secure networking for user login
Forum rules
Before you make a thread asking for help, read this.
Before you make a thread asking for help, read this.
Re: Secure networking for user login
I don't have much experience in regards to including luasec. Though love-imgui is included just as a dll (quite sure about linux).
So that shouldn't be too much of a problem to get in if need be.
However I can say a bit more about the exchange part.
First. Definitely take a look at hashing and salting. The more users you have the easier it will get to identify their password. This is avoided with a salt. A random token that you use for hashing ontop of the password. Making the hashed passwords unique even if multiple users are using the same one. Also make sure to use a non broken hashing algorithm (for example md5 is not secure).
Once the initial handshake is over you can provide a token. But since you have an active connection it won't be needed most of the time (since you can safely assume that your ssl session hasn't been hijacked).
Only when traveling from server to server or to instantly reconnect when you timeout / login again soon after logging out.
So that shouldn't be too much of a problem to get in if need be.
However I can say a bit more about the exchange part.
First. Definitely take a look at hashing and salting. The more users you have the easier it will get to identify their password. This is avoided with a salt. A random token that you use for hashing ontop of the password. Making the hashed passwords unique even if multiple users are using the same one. Also make sure to use a non broken hashing algorithm (for example md5 is not secure).
Once the initial handshake is over you can provide a token. But since you have an active connection it won't be needed most of the time (since you can safely assume that your ssl session hasn't been hijacked).
Only when traveling from server to server or to instantly reconnect when you timeout / login again soon after logging out.
Who is online
Users browsing this forum: Ahrefs [Bot] and 2 guests