FreeOrion

Forums for the FreeOrion project
All times are UTC

Posted: Sun Jul 30, 2017 8:32 am
Space Squid

Joined: Sat Dec 10, 2011 5:46 am
Posts: 52
I'm going to implement digest authentication based on the algorithm described in https://tools.ietf.org/html/rfc7616 and the sha256 digest. Which library is better to use cross-platform, as it should be used on both the server and client side and should be added to freeorion-sdk?

I propose to use Crypto++, but maybe there are other, lighter libraries like https://github.com/okdshin/PicoSHA2.

_________________
Gentoo Linux amd64, gcc-5.4.0, boost-1.62.0
Ubuntu Server 16.04.3 x64, gcc-5.4, boost-1.58.0
Welcome to multiplayer public server at 78.47.71.237. Version 2017-10-16.e3039ca
SMAC participant: play multiplayer with us!
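
What the RFC 7616 exchange proposed in this post looks like with SHA-256, as an added example that is not part of the original post or of FreeOrion's code: the client proves knowledge of the password without sending it, and a one-shot server nonce makes a captured response useless on replay. The realm, the `JOIN` and `/game` stand-ins for the HTTP method and URI, and the account are assumptions made for the illustration.

```python
import hashlib
import hmac
import secrets

REALM = "freeorion-example"      # assumed realm name
METHOD, URI = "JOIN", "/game"    # assumed stand-ins for the HTTP method and URI

def H(s):
    return hashlib.sha256(s.encode()).hexdigest()
HA2 = H(f"{METHOD}:{URI}")       # H(A2) with A2 = method:uri (qop=auth)

def client_response(user, password, nonce, nc, cnonce, qop="auth"):
    """RFC 7616 response = H(H(A1):nonce:nc:cnonce:qop:H(A2)), A1 = user:realm:password."""
    ha1 = H(f"{user}:{REALM}:{password}")
    return H(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{HA2}")

class Server:
    def __init__(self, accounts):
        # Store H(A1) per user rather than the password itself.
        self.ha1 = {u: H(f"{u}:{REALM}:{p}") for u, p in accounts.items()}
        self.live_nonces = set()

    def challenge(self):
        nonce = secrets.token_hex(16)
        self.live_nonces.add(nonce)
        return nonce

    def verify(self, user, nonce, nc, cnonce, response, qop="auth"):
        # Each nonce is accepted once, so a captured response cannot be replayed.
        if nonce not in self.live_nonces:
            return False
        self.live_nonces.discard(nonce)
        ha1 = self.ha1.get(user)
        if ha1 is None:
            return False
        expected = H(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{HA2}")
        return hmac.compare_digest(expected, response)

def demo():
    """Returns (valid login, replay of the same response, wrong password)."""
    server = Server({"player1": "constructed-password"})  # constructed account
    nonce, cnonce = server.challenge(), secrets.token_hex(8)
    resp = client_response("player1", "constructed-password", nonce, "00000001", cnonce)
    first = server.verify("player1", nonce, "00000001", cnonce, resp)
    replay = server.verify("player1", nonce, "00000001", cnonce, resp)
    nonce2 = server.challenge()
    bad = client_response("player1", "guess", nonce2, "00000001", cnonce)
    wrong = server.verify("player1", nonce2, "00000001", cnonce, bad)
    return first, replay, wrong
```

The stored H(A1) value is password-equivalent within its realm, so the account store still needs protecting. Digest authentication also does not encrypt or integrity-protect the rest of the session.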


Posted: Sun Jul 30, 2017 9:09 am
Programmer

Joined: Fri Mar 01, 2013 9:52 am
Posts: 1040
Location: Germany
> I'm going to implement digest authentication

That's out of scope for this game.

_________________
Resident code gremlin
Attached patches are released under GPL 2.0 or later.
Git author: Marcel Metz


Posted: Sun Jul 30, 2017 9:24 am
Space Squid

Joined: Sat Dec 10, 2011 5:46 am
Posts: 52
> That's out of scope for this game.

Why? Most multiplayer games support authentication for players.

Posted: Mon Jul 31, 2017 3:42 pm
Release Manager, Design

Joined: Wed Nov 16, 2011 12:56 pm
Posts: 4221
Location: Sol III
@ o01eg, the question is, what exactly is it you want to achieve? Authentication only makes sense if you want to restrict access to shared resources/assets. So, my guess is you want to make sure no player can take the save file of a game they've been playing with other human players, and try to cheat by loading that game and taking over as another empire.

For that to work they need the save file in the first place, which they don't have, except the game host. So unless the game host distributes the save file, no player can cheat that way.

With the notable exception of the game host themself of course. However, protecting a savegame against "unauthorized" access by the game host requires far more than just simple authentication (you need to encrypt the savegame, the game state of each empire would need to be encrypted with player specific keys, key generation, exchange and management needs to be done in a way that isn't easy to hack, otherwise the whole effort is pointless, and at that point we already need something so complicated that adrian_broher's assessment applies).

So, if we leave protecting against cheating by the game host aside, what would we need authentication for? When continuing a saved game, it's the game host's responsibility to assign the correct players to their empires, so no cheating possible here.

I too know 4X games that use authentication, but the cases (or better, the one case) I know of needs that because each player gets the entire savegame, not just their own gamestate (which also means the savegame was encrypted IIRC). As this isn't the case with FO, we don't have that issue.

Or did you have something entirely different in mind?


Posted: Mon Jul 31, 2017 5:49 pm
Space Squid

Joined: Sat Dec 10, 2011 5:46 am
Posts: 52
Vezzra wrote:
> @ o01eg, the question is, what exactly is it you want to achieve? Authentication only makes sense if you want to restrict access to shared resources/assets. So, my guess is you want to make sure no player can take the save file of a game they've been playing with other human players, and try to cheat by loading that game and taking over as another empire.

The main goal is to restrict one player from connecting as another player.

Vezzra wrote:
> So, if we leave protecting against cheating by the game host aside, what would we need authentication for? When continuing a saved game, it's the game host's responsibility to assign the correct players to their empires, so no cheating possible here.

It's true while we have a game host who could take on this responsibility. If the game host is a bot on a remote server, it can't check who is who without authentication.

Vezzra wrote:
> I too know 4X games that use authentication, but the cases (or better, the one case) I know of needs that because each player gets the entire savegame, not just their own gamestate (which also means the savegame was encrypted IIRC). As this isn't the case with FO, we don't have that issue.
>
> Or did you have something entirely different in mind?

Also, if we have a remote server, it should distinguish those who can control the server from those who can't control the server.

Posted: Fri Aug 04, 2017 10:06 am
Release Manager, Design

Joined: Wed Nov 16, 2011 12:56 pm
Posts: 4221
Location: Sol III
Ah ok, now I understand. However, what you're talking about here is the authentication required for a "meta-server": a server that allows you to create/spawn and manage games, and where the host does not necessarily sit directly in front of the server machine (meaning, a remote game server).

While that is something we might have at some point in the future, the current FO "server" isn't anything like that. The server process can only handle one game, and gets launched by the game host on their local machine. Currently it's not possible to have a bot control the server (AFAICT), so you'd always need a human game host to launch the server and manage a multiplayer game. And that human can easily ensure no one takes over the empire of another player (unless they allow it of course).

So, adrian_broher's assessment still stands. The way things are set up currently wrt multiplayer games, user/player authentication is beyond the scope of this game. Unless we decide to extend FO with more sophisticated server capabilities that would allow managing (multiplayer) games remotely, it makes no sense to just add authentication. I'd only do that as part of a remote game server implementation.


Posted: Fri Aug 04, 2017 6:37 pm
Space Squid

Joined: Sat Dec 10, 2011 5:46 am
Posts: 52
Vezzra wrote:
> Ah ok, now I understand. However, what you're talking about here is the authentication required for a "meta-server": a server that allows you to create/spawn and manage games, and where the host does not necessarily sit directly in front of the server machine (meaning, a remote game server).

Yep. Although I've seen the term "meta-server" used for a non-game server which only manages a list of already running servers and doesn't spawn or stop them.

Vezzra wrote:
> While that is something we might have at some point in the future, the current FO "server" isn't anything like that. The server process can only handle one game, and gets launched by the game host on their local machine. Currently it's not possible to have a bot control the server (AFAICT), so you'd always need a human game host to launch the server and manage a multiplayer game. And that human can easily ensure no one takes over the empire of another player (unless they allow it of course).
>
> So, adrian_broher's assessment still stands. The way things are set up currently wrt multiplayer games, user/player authentication is beyond the scope of this game. Unless we decide to extend FO with more sophisticated server capabilities that would allow managing (multiplayer) games remotely, it makes no sense to just add authentication. I'd only do that as part of a remote game server implementation.

OK, maybe I'm just implementing features in the wrong order.

Posted: Sat Aug 12, 2017 1:02 pm
Programmer

Joined: Fri Mar 01, 2013 9:52 am
Posts: 1040
Location: Germany
Aside from what Vezzra said, there is no need to pull in any dependency for authentication. Just send the password as plain text over the net.

You only want to keep people out of a game session, not use this to authorize access to some private data.
