
Author Topic: Haxxy identification not secure!  (Read 7980 times)

nightcracker

  • NC
  • Full Member
  • ***
  • Karma: 0
  • Offline Offline
  • Posts: 517
  • PyGG2 dev
    • NC Labs
Haxxy identification not secure!
« on: October 16, 2011, 10:49:33 am »

I was talking to Orpheon on IRC and I asked how the haxxy golden statue award was put in the game. He told me award winners got a secret key. So I challenged myself to see if I could break the encryption.

After looking I saw that currently the game uses as identification a public MD5 key which can be checked with the private key, but the md5 algorithm doesn't use a salt. This isn't secure. If you use md5 (not truly cryptographically secure) without a salt it means standard rainbow tables can be used to brute force it.

And indeed, after 30 minutes of brute-forcing I found the key (no I'm not going to post it).

Perhaps this should be fixed to use sha1 with salt instead?
Logged

cats4gold

  • Seasoned Member
  • *****
  • Karma: 0
  • Offline Offline
  • Posts: 1224
    • cats4gold.net
Re: Haxxy identification not secure!
« Reply #1 on: October 16, 2011, 10:54:28 am »

it's not worth it
Logged

nightcracker

  • NC
  • Full Member
  • ***
  • Karma: 0
  • Offline Offline
  • Posts: 517
  • PyGG2 dev
    • NC Labs
Re: Haxxy identification not secure!
« Reply #2 on: October 16, 2011, 10:55:50 am »

It takes about 10 minutes to fix...
Logged

cats4gold

  • Seasoned Member
  • *****
  • Karma: 0
  • Offline Offline
  • Posts: 1224
    • cats4gold.net
Re: Haxxy identification not secure!
« Reply #3 on: October 16, 2011, 10:56:35 am »

nooooot woooooooorth iiiiit
Logged

Saniblues

  • Onion Knight
  • Administrator
  • *****
  • Karma: -1305
  • Offline Offline
  • Posts: 12409
Re: Haxxy identification not secure!
« Reply #4 on: October 16, 2011, 11:09:31 am »

The haxxy was supposed to be a short-term prize that was to be removed in the next update. However, by popular demand, it's being kept in. The system has already been exploited in the past, so it's not news to us, really.

We could fix it, of course.
Logged
Quote from: mop
Quote from: MR MAGN3TIC
I don't like it.  :nah:
Oh, well, you might as well pack up and stop now, because he doesn't like it
I'm bored out of my skull, Lets play a different game!
Lets take a visit down below And cast the world in flames!

I_am_awesome

  • Guest
Re: Haxxy identification not secure!
« Reply #5 on: October 16, 2011, 11:27:55 am »

if you really want the key, can't you just host a server (or maybe just join a server if the key is sent to everyone in the server), wait for a haxxy dude to join and let the game write the key he sends to a text file?

or does the server only receive the encrypted key?
Logged

MedO

  • Owns this place
  • *****
  • Karma: 151
  • Offline Offline
  • Posts: 1751
Re: Haxxy identification not secure!
« Reply #6 on: October 16, 2011, 04:42:12 pm »

I didn't actually think it could be bruteforced that easily, interesting. I know md5 is not considered secure anymore, but still. I used md5 because there is a GML implementation that I could just copy in, I didn't find one for SHA.

Anyway, I did know you can just grab the key as server, although I tried obfuscating that a bit with the bogus "challenge" thingie. I just accepted it since it's only a short-term thing and no need for big security. Solving that problem would be far more difficult than making the key longer (which would prevent the bruteforce / rainbow table attack), since you would either need asymmetric keys or a trusted party that performs the authentication, and I don't fancy implementing public key crypto in GML.
Logged
Quote from: Alfred North Whitehead
It is the business of the future to be dangerous; and it is among the merits of science that it equips the future for its duties.

Quote from: John Carmack
[...] if you have a large enough codebase, any class of error that is syntactically legal probably exists there.
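
The two fixes proposed so far in the thread (a salted hash, and a longer key), put side by side as an added example that is not the game's GML code and was not posted by anyone in the thread. A salt only defeats precomputed tables; what stops exhaustive search is key entropy, so the sketch sizes the key first and then builds a salted, iterated verifier. All function names, the 8-character short key, the work factor and the guess rate are assumptions made for illustration.

```python
import hashlib
import hmac
import math
import secrets

PBKDF2_ROUNDS = 200_000          # assumed work factor, tune to the server's budget
ASSUMED_GUESSES_PER_SEC = 1e9    # assumed attacker rate against a fast unsalted hash


def keyspace_bits(alphabet_size: int, length: int) -> float:
    """Entropy in bits of a uniformly random key of `length` symbols."""
    return length * math.log2(alphabet_size)


def seconds_to_exhaust(bits: float, guesses_per_sec: float = ASSUMED_GUESSES_PER_SEC) -> float:
    """Worst-case time to try every key of the given entropy."""
    return 2.0 ** bits / guesses_per_sec


def new_award_key() -> str:
    """128-bit key from the OS CSPRNG, hex encoded (32 characters)."""
    return secrets.token_hex(16)


def make_verifier(key: str) -> tuple[bytes, bytes]:
    """Return (salt, digest) to ship in place of a bare MD5 of the key."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", key.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def check_key(candidate: str, salt: bytes, digest: bytes) -> bool:
    """Recompute the digest and compare in constant time."""
    probe = hashlib.pbkdf2_hmac("sha256", candidate.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(probe, digest)


if __name__ == "__main__":
    short_bits = keyspace_bits(36, 8)   # constructed: 8 chars of a-z0-9
    long_bits = keyspace_bits(16, 32)   # the 128-bit hex key above
    print(f"short key: {short_bits:.1f} bits, {seconds_to_exhaust(short_bits):.0f} s")
    print(f"long key:  {long_bits:.0f} bits, {seconds_to_exhaust(long_bits):.2e} s")
    key = new_award_key()
    salt, digest = make_verifier(key)
    print(check_key(key, salt, digest), check_key("guess", salt, digest))
```

This covers only offline guessing from the published digest. A server that receives the key itself can still record it, which is the separate problem raised in the post above.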

BassMakesPaste

  • Guest
Re: Haxxy identification not secure!
« Reply #7 on: October 16, 2011, 05:50:00 pm »

grab the key as server
I tried that, but I can't host for extended periods of time.
Logged

NAGN

  • Developer
  • ******
  • Karma: 146
  • Offline Offline
  • Posts: 16385
  • Yeah so now I have an idea
Re: Haxxy identification not secure!
« Reply #8 on: October 16, 2011, 08:53:28 pm »

The key was released to everyone anyways when a winner leaked it to archer (This is unavoidable as well)
Logged

BillyBobJoe

  • Guest
Re: Haxxy identification not secure!
« Reply #9 on: October 16, 2011, 08:58:20 pm »

who cares? Who wants to turn gold when dead? Just get flaw's Haxxy Garrison 2 mod
Logged

NAGN

  • Developer
  • ******
  • Karma: 146
  • Offline Offline
  • Posts: 16385
  • Yeah so now I have an idea
Re: Haxxy identification not secure!
« Reply #10 on: October 16, 2011, 09:00:11 pm »

There's a difference between a client sided novelty and a required novelty shared by all clients
Logged

Sentry

  • Seasoned Member
  • *****
  • Karma: 1
  • Offline Offline
  • Posts: 1276
  • Bring back spinjumping
Re: Haxxy identification not secure!
« Reply #11 on: October 16, 2011, 09:46:56 pm »

so how did the winners 'activate' the key?
and could this system be used for other things e.g.  hats?

just curious and I don't know how it works
Logged

Saniblues

  • Onion Knight
  • Administrator
  • *****
  • Karma: -1305
  • Offline Offline
  • Posts: 12409
Re: Haxxy identification not secure!
« Reply #12 on: October 16, 2011, 09:52:06 pm »

The prize for the mini haxxy is a hat, but closer to a full-blown costume really. That is, if enough people enter (...!!!)

So the answer is yes, it could.
Logged

Sentry

  • Seasoned Member
  • *****
  • Karma: 1
  • Offline Offline
  • Posts: 1276
  • Bring back spinjumping
Re: Haxxy identification not secure!
« Reply #13 on: October 16, 2011, 10:17:05 pm »

Well I would enter but I don't know much about modding

I just read the actual post.  :ninja:
« Last Edit: October 16, 2011, 10:17:44 pm by Sentry »
Logged

Saniblues

  • Onion Knight
  • Administrator
  • *****
  • Karma: -1305
  • Offline Offline
  • Posts: 12409
Re: Haxxy identification not secure!
« Reply #14 on: October 16, 2011, 10:28:41 pm »

It's open to art, too.

And you can work in teams.
Logged